The Web Interface Administration tool configures the MetaFrame XP Servers, MetaFrame XP Farms, Authentication, Server-Side Firewall, Client-Side Firewall, ICA Client Deployment and ICA Customization settings. It is a GUI front end for editing the NFUSE.CONF file in the \Program Files\NFuse\Citrix\conf folder. After you make changes in the tool, you save and then apply them before the new configuration takes effect. The tool runs only on Windows/IIS servers and requires Internet Explorer 5.0 or later. You reach it at:

http://web_interface_server/citrix/metaframexp/wiadmin

Treat access to that URL as administrative access to the farm: whoever can edit NFUSE.CONF decides which servers receive every user's credentials and ICA sessions.

Authentication

In the Authentication section you configure how users authenticate to Web Interface 2.1 and, from there, to MetaFrame XP. Authentication to Web Interface 2.1 takes place when a user logs in through the Login page or through one of the other authentication methods; if it succeeds, Web Interface 2.1 returns the user's application set. You can configure explicit authentication, guest logins, Desktop Credential Pass-Through (single sign-on) and smart card authentication to Web Interface 2.1, using the Methods for authenticating to Web Interface 2.1 section.

Authentication to MetaFrame XP is a separate step. It takes place when the user clicks a hyperlink in the application set to launch an application; if it succeeds, an ICA session is started in which the application runs. You can configure pass-through authentication and smart card authentication to MetaFrame XP, using the Authentication for launching applications section.
Methods for Authenticating to Web Interface 2.1

In this section you configure which methods Web Interface 2.1 uses to log in and authenticate users.

Note: The method you choose here does not affect ICA Program Neighborhood Agent Clients. To change the authentication method used by Program Neighborhood Agent Clients, edit the Config.xml file or use the Program Neighborhood Agent Web Console; see the ICA Win32 Client Administrator's Guide. I will be adding a How to Configure the Config.xml File section in the next release of this document.

You can specify the following methods of authentication:

1. Smart card. Selecting this check box lets users authenticate to Web Interface 2.1 by inserting a smart card into a smart card reader attached to the client device. The user is prompted for a PIN.

2. Guest login. Selecting this check box lets guest users through Web Interface 2.1 without supplying a username and password; they can launch only the applications published for anonymous use on the MetaFrame XP Server.

3. Desktop Credential Pass-Through. Selecting this check box lets users authenticate to Web Interface 2.1 with the credentials they supplied when they logged into their Windows desktop. They are not asked to re-enter them on the Web Interface 2.1 Login page, and their application set is displayed immediately. Combining Desktop Credential Pass-Through with pass-through authentication, a feature of the Win32 ICA Client, gives users single sign-on.

   Security issue: if pass-through authentication is enabled on the Win32 ICA Client, an attacker can send the user an ICA file whose server address points at an unauthorized or counterfeit MetaFrame XP Server; the client then passes the user's captured Windows credentials to that server. Web Interface's ticketing does not protect against this, because the ICA file comes from the attacker rather than from the Web server. For that reason I do not recommend enabling the pass-through authentication feature.

4. 
Explicit authentication. Selecting this check box requires users to log into Web Interface 2.1 with a username and password. Microsoft domain-based authentication and Novell Directory Services (NDS) authentication are available.

To configure explicit login:

1. Click Authentication in the panel on the left of the page.
2. Select the Explicit login check box.
3. If users log in with User Principal Names (UPN), select the Use UPN authentication radio button.
4. If users log in to a Microsoft NT domain, select the Use NT authentication radio button. To force users to log in to a specific domain, select the with force login domain check box and enter the name of the domain.
5. If users log in to a Novell NetWare environment, select the Use NDS authentication radio button. Enter the NDS tree in the Tree name field and a context name in the Context name field, then click Add; the context name appears in the Context list. If you add more than one context name, highlight one in the list and use the Up and Down buttons to order them. That order is the order in which the context names are offered to users in the Login dialog box.
6. If users must log in to Web Interface with RSA SecurID tokens, install the ACE Agent on the Web Interface server (install it only; do not enable it) and select the Use RSA SecurID(R) check box.
7. Under Allow user to change password, choose whether users can change their login password from within a Web Interface 2.1 session:

   Yes. Users can change their password through Web Interface 2.1. 
When you enable this option, a change password icon is displayed on users' pages; clicking it opens a dialog in which the user enters a new password.

   No. Users cannot change their login password within Web Interface 2.1; they must log in to MetaFrame XP to change it.

   On Expiry. Users can change their login password only when it has expired. If a login to Web Interface 2.1 fails because the password has expired, the user is redirected to the change password dialog and, after changing the password, is logged into Web Interface 2.1 automatically with the new password. Password expiry is an operating system setting, not a Web Interface setting.

Authentication for Launching Applications

In this section you configure how users authenticate to MetaFrame XP. This takes place when a user clicks a hyperlink in the application set to launch an application; if it succeeds, an ICA session is started in which the application runs. You can configure pass-through authentication and smart card authentication to MetaFrame XP.

1. To control pass-through of the user's credentials, set Enable ICA Client pass-through authentication to one of the following:

   Auto. The default. If the user authenticated to Web Interface 2.1 with Desktop Credential Pass-Through, Web Interface 2.1 attempts pass-through authentication to MetaFrame XP and the ICA Client passes the captured credentials to the MetaFrame XP Server. If the user authenticated to Web Interface 2.1 with a smart card, the ICA Client does not pass the captured PIN to the MetaFrame XP Server; the user is prompted for the PIN again.

   Yes. Web Interface 2.1 always attempts pass-through authentication to MetaFrame XP. 
The ICA Client passes the captured credentials or PIN to the MetaFrame XP Server.

   No. Web Interface 2.1 never attempts pass-through authentication to MetaFrame XP.

2. To control smart card authentication to the MetaFrame XP Server, set Use smart card to log in to MetaFrame to one of the following:

   Auto. The default. If the user authenticated to Web Interface 2.1 with a smart card, Web Interface 2.1 attempts to authenticate to MetaFrame XP the same way.
   Yes. Web Interface 2.1 always attempts smart card authentication to MetaFrame XP.
   No. Web Interface 2.1 never attempts smart card authentication to MetaFrame XP.

3. To change the lifetime of the ticket generated by the MetaFrame XP Server, enter a value in seconds in the MetaFrame ticket time to live field. Ticketing hardens explicit logins: instead of the user's credentials, the ICA file sent from the Web server to the client device carries a ticket issued by the MetaFrame XP Server, which is accepted only until it expires. The default lifetime is 200 seconds. Keep it as short as your users' launch times allow, since a captured ICA file remains usable until its ticket expires.

Click Save. The Overview page appears. Click the Apply Changes link, then on the Apply Changes page click the Apply Changes button for the changes to take effect.

Manage Farms

With Web Interface 2.1, Citrix added the ability to aggregate the applications of several farms into one Web Interface application list. Using the Manage Citrix MetaFrame XP farms page, you create a name for each farm.

To add MetaFrame XP farm names:

1. Click Manage farms in the left menu.
2. Enter a name for the MetaFrame XP farm in the Farm name field.
3. Click Add. The farm name appears in the Citrix MetaFrame Farms list.
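Two passages above come down to what is inside the .ICA file the client receives: the pass-through security issue (an attacker-supplied file that steers the client, and its captured credentials, to a counterfeit server) and the ticketing option (a Web Interface-generated file that carries a short-lived ticket instead of credentials). The audit below is an added example, not part of the original document and not Citrix tooling; the three sample ICA files, the FARM_SERVERS list and the addresses in them are constructed for the example. It parses the INI-style file, flags embedded passwords, flags files with neither ticket nor credentials (the case where a pass-through client would volunteer the desktop credentials), and flags an Address that is not one of your farm servers.

```python
"""Audit .ICA launch files for embedded credentials and unexpected server addresses.

Added example, not part of the original document or of Citrix's own tooling. An ICA
file is INI-style text: [ApplicationServers] lists the published application names and
each application has a section of its own holding the connection parameters. The three
sample files and the FARM_SERVERS list below are constructed for this example.
"""
import configparser
import ipaddress

# Constructed: the MetaFrame XP servers a launch file is allowed to point at.
FARM_SERVERS = ("10.0.0.21", "10.0.0.22")

# Constructed: a launch produced with ticketing (the MetaFrame ticket option). No
# username or password, only a short-lived ticket the MetaFrame XP Server issued.
TICKETED_ICA = """\
[Encoding]
InputEncoding=ISO8859_1

[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.21:1494
InitialProgram=#Notepad
LogonTicket=A1B2C3D4E5F6A7B8C9D0E1F2
LogonTicketType=CTXS1
"""

# Constructed: a launch file without ticketing, carrying the password in clear text.
LEGACY_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.21:1494
InitialProgram=#Notepad
Username=jdoe
Domain=CORP
ClearPassword=Summer2003
"""

# Constructed: the file described in the pass-through security issue. It carries no
# credentials at all; with pass-through enabled, the Win32 ICA Client would send the
# user's desktop credentials to whatever Address says, here a host outside the farm.
MISROUTED_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=203.0.113.7:1494
InitialProgram=#Notepad
"""

CREDENTIAL_KEYS = ("password", "clearpassword")


def parse_ica(text):
    """Return {application name: {key: value}} for each application in [ApplicationServers]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # ICA keys are case-insensitive
    cp.read_string(text)
    listed = set()
    if cp.has_section("ApplicationServers"):
        listed = {name.lower() for name in cp.options("ApplicationServers")}
    return {s: dict(cp.items(s)) for s in cp.sections() if s.lower() in listed}


def audit_ica(text, trusted_servers):
    """Return (application, finding) pairs; an empty list means the file is clean."""
    trusted = {ipaddress.ip_address(s) for s in trusted_servers}
    findings = []
    for app, params in parse_ica(text).items():
        embedded = [k for k in CREDENTIAL_KEYS if k in params]
        if embedded:
            findings.append((app, "credentials embedded in ICA file: " + ", ".join(embedded)))
        elif "logonticket" not in params:
            findings.append((app, "no logon ticket: a pass-through client sends desktop credentials"))
        host = params.get("address", "").rsplit(":", 1)[0]  # strip an optional :port
        try:
            target = ipaddress.ip_address(host)
        except ValueError:
            findings.append((app, f"Address {host!r} is not an IP address; check it by hand"))
            continue
        if target not in trusted:
            findings.append((app, f"Address {target} is not a known farm server"))
    return findings


if __name__ == "__main__":
    for label, sample in (("ticketed", TICKETED_ICA), ("legacy", LEGACY_ICA), ("misrouted", MISROUTED_ICA)):
        print(label, audit_ica(sample, FARM_SERVERS) or "clean")
```

Run it against the ICA files your Web server actually hands out (save one from the browser after a launch) to confirm that ticketing is in effect and that no page still embeds a password. A file that fails the "no logon ticket" check is exactly the kind of file the pass-through warning is about, whether it came from an attacker or from a misconfigured server.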
If you specify more than one farm name, highlight a name in the list and use the Up and Down buttons to order them. To remove a farm name, highlight it in the Citrix MetaFrame Farms list and click Remove.

Note: Web Interface acquires application data from all farms before displaying any applications, contacting each farm in the order it appears in the configuration file. A farm that is slow to respond therefore slows down every user's application set.

MetaFrame XP Servers

In the MetaFrame XP Servers section of the Web Interface 2.1 Web Administration tool you configure how Web Interface deals with multiple MetaFrame XP servers and their XML services: which servers to contact, the port their XML services listen on, the transport to use and, for SSL Relay, the SSL server port.

[Figure: the Server List for the example farm DABCC - Development Farm]

Server List

In this section you configure how Web Interface communicates with the Citrix XML Service on each MetaFrame XP server. Besides telling Web Interface how to reach the farm, this list gives you a measure of load balancing and fault tolerance for XML requests, which is what users experience as a responsive logon.

1. Click MetaFrame Servers in the panel on the left of the page.
2. Under Server List, type the name of a MetaFrame XP server running the XML Service in the Server address text box and click Add to add it to the list of server addresses. Repeat for every MetaFrame XP server in the farm. Servers are tried from the top of the list down, so put the MetaFrame XP Servers that are data collectors at the top and order the rest by expected availability.
3. Select the Use the server list for load balancing check box to load balance XML requests across the MetaFrame XP Servers in the Server addresses list box. 
Web Interface 2.1 starts with the first server in the list, moves to the next one for each subsequent request until it reaches the end, and then starts again from the beginning.
4. The Bypass any failed server for X minutes (applies to all servers in the list) setting controls how long a failed server is hidden from the list of available servers. When Web Interface 2.1 fails to connect to the Citrix XML Service of a server in the Server addresses list box, it removes that server from rotation for X minutes; when the time is up, the server is placed back in the list.
5. In the XML service port text box, specify the TCP port used by the Citrix XML Service on the MetaFrame XP Servers in the Server addresses list. By default this is the port number entered during Web Interface 2.1 installation. It must match the port the Citrix XML Service actually listens on.
6. Under Transport type, specify the protocol used to carry Web Interface 2.1 data between the Web server and the MetaFrame XP Server:

   HTTP. Data is sent over a plain HTTP connection. Use this only when you have secured the link by other means (for example, a dedicated network segment between the two servers), because users' credentials travel over this link in XML Service requests.
   HTTPS. Data is sent over HTTP with SSL. The Citrix XML Service must be set to share its port with IIS, and IIS must be configured to support HTTPS.
   SSL Relay. Data is sent over a secure connection to the Citrix SSL Relay running on the MetaFrame XP Server, which performs host authentication and data encryption.

7. If you are using SSL Relay, specify the TCP port of the SSL Relay in the SSL server port field (the default is 443) and the directory containing the certificate authority root certificates in the SSL key store path field. Web Interface 2.1 uses those root certificates to authenticate the Citrix SSL Relay server. 
Ensure that all servers running Citrix SSL Relay listen on the same port number.
8. Click Save. The Overview page appears. Click the Apply Changes link, then on the Apply Changes page click the Apply Changes button for the changes to take effect.

Server-Side Firewall

In the Server-Side Firewall section you configure which IP address Web Interface 2.1 writes into the .ICA files it sends to clients, depending on how your firewall and your MetaFrame XP Servers are set up.

Default Address Translation Setting

If there is a firewall in your MetaFrame XP installation, use the Server-side firewall settings page to choose the address that clients are told to connect to. To configure the default address translation setting:

1. Click Server-Side Firewall in the panel on the left of the page.
2. In the Default address translation setting section, select the default method of address translation:

   Normal address. The client is given the actual IP address of the MetaFrame XP Server, as specified on the MetaFrame XP Servers page. This is the default.
   Alternate address. The client is given the server's alternate address. The MetaFrame XP Server must have an alternate address configured and the firewall must be configured for network address translation.
   Translated address. The client is given the address from the address translation mappings you define in Web Interface 2.1.
   Secure Gateway for MetaFrame. Enables Secure Gateway for MetaFrame XP support; clients connect to the gateway rather than to a MetaFrame XP Server directly.

3. Web Interface 2.1 also lets you set a different address translation method for specific client IP networks. 
To give a specific IP network a translation method other than the default, enter the network number in the Client address prefix text box, select the address translation Option radio button you want, and click Add.
4. Click Save.
5. Click Server-Side Firewall in the panel on the left of the page again.
6. If you are using translated addresses, fill in the MetaFrame XP Server address translation map section of the page, one entry per server:
7. Enter the internal IP address of the MetaFrame XP server in the Server address text box.
8. Enter the TCP port the MetaFrame XP server listens on in the Server port text box.
9. Enter the public IP address that the firewall translates to the MetaFrame XP server address in the Translated address text box.
10. Enter the TCP port the public address listens on in the Translated port text box.
11. Click Add. You can add multiple translations and then set their priority order.
12. Click Save. The Overview page appears. Click the Apply Changes link, then on the Apply Changes page click the Apply Changes button for the changes to take effect.
13. If you are using Secure Gateway for MetaFrame (SG), click the Server-Side Firewall link and scroll down to the Secure Gateway for MetaFrame section of the page.
14. Enter the fully qualified domain name of the server running the CSG component in the Address (FQDN) text box.
15. Enter the port the CSG component listens on in the Port text box.
16. If a firewall performs network address translation between the Secure Gateway server and the MetaFrame XP server, select the Use alternate addresses of MetaFrame XP Servers check box. An alternate address must then be added to each MetaFrame XP Server, because NAT sits between the MetaFrame XP Server and the Secure Gateway / Web Interface server. 
The IP address assigned on the firewall's external interface and NATed to the MetaFrame XP Server's LAN address must be added on the MetaFrame XP Server from a command prompt:

C:\>altaddr /set [alternate address, e.g. 192.168.5.1]

To delete the alternate address:

C:\>altaddr /delete

17. In the Secure Ticket Authorities URL text box, replace <server> with the NetBIOS name of the server running the STA component and click the Add button.
18. Repeat step 17 for each additional STA server to get high availability. If you use multiple STAs, I recommend selecting the Use the Secure Ticket Authority list for load balancing check box to enable round-robin load balancing across them.
19. Click Save. The Overview page appears. Click the Apply Changes link, then on the Apply Changes page click the Apply Changes button for the changes to take effect.

Client-Side Firewall

If there is a SOCKS proxy server on the client side of your Web Interface 2.1 installation, you can configure whether clients must communicate with the MetaFrame XP server through the proxy or not. From the Client-side firewall settings page you can:

- Specify default SOCKS proxy rules for clients, or specify that proxy behavior is controlled by the ICA Client.
- Configure exceptions to the default by associating client addresses or partial addresses with a particular SOCKS proxy server address.

Default Proxy Settings

If you are using a SOCKS proxy server on the client side of your Web Interface 2.1 installation, you can set default SOCKS proxy rules for clients, or leave proxy behavior to the ICA Clients. To configure the default SOCKS proxy settings:

1. Click Client-Side Firewall in the panel on the left of the page.
2. Under Default proxy setting, select one of the following:

   Auto. The ICA Client automatically detects proxy settings.
   Client. The ICA Client's own proxy setting is used. 
None. No proxy is used.
   Use explicit mapping. Specifies the proxy server to use. If you select this option, enter the address of the proxy server (an IP address or DNS name) in the Proxy address field and the port number in the Proxy port field.

3. Under Specific proxy settings, type the client address in the Client address prefix field. You can enter the IP address of a single client or the partial address of a client subnet.

   Note: If Web browsers connect to Web Interface through a proxy server or firewall that hides the client's IP address, the Client address prefix must be the client address as Web Interface sees it. For example, if browsers connect through a proxy, specify the external address of that proxy in the Client address prefix. This does not apply to Program Neighborhood Agent users.

4. Under Options, select one of the following:

   Auto. The ICA Client automatically detects proxy settings.
   Client. The ICA Client's own proxy setting is used.
   None. No proxy is used.
   Use explicit mapping. Specifies the proxy server to use. If you select this option, enter the address of the proxy server (an IP address or DNS name) in the Proxy address field and the port number in the Proxy port field.

5. Click Add. The mapping is displayed in the Mapping list. Mappings are applied in list order: highlight a mapping and use the Up and Down buttons to set the priority.
6. Click Save when finished.

ICA Client Deployment

In the ICA Client Deployment section of the Web Interface 2.1 administration tool you define whether and how the ICA Client is deployed, whether applications run embedded in the browser, and which client the end user runs (a locally installed ICA Client or the Java Client).

Client Download Setting

In this section you configure how Web Interface 2.1 deploys the ICA Clients. 
There are three approaches: display a download link in the Web Interface 2.1 Message Center, try to deploy the ICA Client automatically to Win32 devices, or do nothing. Automatic deployment installs the ICA Win32 Web Client (ica32t.exe), which is smaller and quicker to download and so better suited to users on low-bandwidth connections. To configure automatic client download:

1. Click ICA Client Deployment in the panel on the left of the page.
2. Under Client download setting, select one of the following:

   Auto. The default. On Windows platforms, a link to the recommended ICA Client is displayed only if the user does not have an appropriate ICA Client installed. On other platforms the installation caption is always shown.
   Yes. A link to the recommended ICA Client is always displayed, on all platforms.
   No. A link to the recommended ICA Client is never displayed.

   Note: If a user clicks the link but already has the latest ICA Client installed, nothing happens. Web-based ICA Client installation requires the ICA Client installation files to be present on your Web server.

3. Select the Enable automatic download of ICA Win32 Web Client check box if you want Web Interface 2.1 to examine the user's client device and Web browser and, when the user is on a Windows platform with no ICA Client or an out-of-date one, to install the ICA Win32 Web Client automatically. Specify the version of the ICA Win32 Web Client to deploy; by default Web Interface 2.1 sets this to 6,30,1000. 
To stay current with the latest ICA Client, I recommend changing this setting to 6,31,1051 and copying the newly downloaded ICA Client(s) to the \\wwwroot\citrix\icaweb\en\ica32\ directory. Note that commas, not decimal points, separate the version fields.
4. Click Save. The Overview page appears. Click the Apply Changes link, then on the Apply Changes page click the Apply Changes button for the changes to take effect.

Embedded Applications

In this section you control, from the ICA Client deployment page, whether applications run as seamless sessions on the desktop or are embedded in HTML pages. If you embed applications, you can choose the ICA Client used to launch them: the ICA Win32 Client or the ICA Java Client depending on the user's platform, or the ICA Java Client for all users. Alternatively, you can let users decide how their applications are launched from their Settings page. To configure how applications are launched and embedded:

1. Click ICA Client Deployment in the panel on the left of the page.
2. Under Launch applications as embedded applications (within a Web browser window), select one of the following:

   No. Applications are launched seamlessly on the local desktop.
   Yes. Applications are embedded in Web pages. Specify the ICA Client used to launch the embedded application:

      Auto. Web Interface 2.1 detects the user's client device and Web browser and deploys the appropriate ICA Client. On a Windows platform it deploys the ICA Win32 Web Client or the Netscape plug-in, depending on the browser. It deploys the Java Client if the user is not on Windows or the client device and browser cannot be detected. 
      Java Client. Forces deployment of the ICA Java Client regardless of the user's platform. The ICA Java Client can be configured as a small download, so this option suits users on low-bandwidth connections.

   User decides. Users choose how their applications are launched on their Settings page. You also specify what happens if a user has not made a choice: to embed applications in Web pages by default, select the By default launch applications as embedded applications radio button and specify the ICA Client used to launch them (Auto, as above, or Java Client to force the ICA Java Client regardless of platform); to launch applications in a separate window on the local desktop by default, leave that radio button deselected.

3. You can configure which components are included when the ICA Java Client is deployed. By removing unwanted functionality you can shrink the ICA Java Client download to as little as 300K; for users on low-bandwidth connections, for example, configure Web Interface 2.1 to deploy only the minimum set of components. Alternatively, let users control which components they need. To customize ICA Java Client deployment, select the Java Client packages to include. To let users choose Java Client packages from their Settings page, select the Allow user to choose packages check box.
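The Server-Side Firewall and Client-Side Firewall sections above both key their exceptions on a Client address prefix and both fall back to a default, and the server-side page then needs an alternate address or a translation-map entry for the server being launched. The small model below is an added example, not Citrix code and not part of the original document; it makes the selection rules explicit so you can check a configuration before clicking Apply Changes. Two things in it are assumptions rather than statements from the page: prefix entries are tried in list order with the first match winning (so more specific prefixes must be listed first, as the client-side mapping priority order already implies), and Secure Gateway mode is reduced to "send the client to the gateway". The configuration, servers and addresses are constructed.

```python
"""Model of the address-selection rules on the Server-Side Firewall page.

Added example, not Citrix code. It models how Web Interface 2.1 chooses the server
address it writes into a launch file: a per-network override keyed on the Client
address prefix, otherwise the default setting; then the Normal, Alternate or Translated
lookup for the selected server. Assumptions not stated on the page: prefix entries are
tried in list order and the first match wins, and Secure Gateway mode is reduced to
"send the client to the gateway". The configuration below is constructed and uses
documentation address ranges.
"""

# Constructed: the servers listed on the MetaFrame XP Servers page.
FARM_SERVERS = ("10.0.0.21", "10.0.0.22")

# Constructed: the fields of the Server-Side Firewall page as one dictionary.
CONFIG = {
    "default": "Normal",
    "client_prefixes": [              # (Client address prefix, Option), priority order
        ("10.50.", "Alternate"),      # a NATed DMZ segment, listed before the wider "10."
        ("10.", "Normal"),            # the rest of the LAN gets the real address
        ("192.0.2.", "Translated"),   # a partner network that uses the translation map
    ],
    "alternate_addresses": {          # what altaddr /set was run with on each server
        "10.0.0.21": "198.51.100.21",
    },
    "translation_map": [              # (server address, server port, translated address, translated port)
        ("10.0.0.21", 1494, "198.51.100.5", 10021),
    ],
    "secure_gateway": ("gateway.example.net", 443),
}


def translation_mode(client_ip, config):
    """The Option of the first Client address prefix that matches, else the default."""
    for prefix, option in config["client_prefixes"]:
        if client_ip.startswith(prefix):
            return option
    return config["default"]


def address_for_mode(mode, server_ip, server_port, config):
    """Apply one translation mode to one server; ValueError means the page lacks data for it."""
    if mode == "Normal":
        return server_ip, server_port
    if mode == "Alternate":
        alt = config["alternate_addresses"].get(server_ip)
        if alt is None:
            raise ValueError(f"{server_ip}: no alternate address (run altaddr /set on that server)")
        return alt, server_port
    if mode == "Translated":
        for srv, port, ext_addr, ext_port in config["translation_map"]:
            if srv == server_ip and port == server_port:
                return ext_addr, ext_port
        raise ValueError(f"{server_ip}:{server_port}: no entry in the address translation map")
    if mode == "Secure Gateway":
        return config["secure_gateway"]
    raise ValueError(f"unknown translation mode {mode!r}")


def resolve_address(server_ip, server_port, client_ip, config):
    """The (address, port) a client at client_ip would be told to connect to."""
    return address_for_mode(translation_mode(client_ip, config), server_ip, server_port, config)


def find_gaps(config, servers, server_port=1494):
    """Pre-flight check: every mode the page can select, against every farm server.
    Returns the (mode, server) pairs for which no usable address exists."""
    modes = {config["default"]} | {option for _, option in config["client_prefixes"]}
    gaps = []
    for mode in sorted(modes):
        for server in servers:
            try:
                address_for_mode(mode, server, server_port, config)
            except ValueError:
                gaps.append((mode, server))
    return gaps


if __name__ == "__main__":
    for client in ("10.1.2.3", "10.50.7.9", "192.0.2.40", "172.16.0.1"):
        print(client, translation_mode(client, CONFIG), resolve_address("10.0.0.21", 1494, client, CONFIG))
    print("gaps:", find_gaps(CONFIG, FARM_SERVERS))
```

Two caveats the model makes visible: a partial address is a string prefix, so an entry of 10.5 would also match every client in 10.50.0.0/16 (end prefixes with a dot), and in the constructed configuration server 10.0.0.22 has neither an alternate address nor a translation-map entry, so clients on the DMZ and partner networks could launch from 10.0.0.21 but not from 10.0.0.22. That is the kind of one-network-only failure that is hard to spot from the page itself.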