Citrix Metaframe is an add-on that can be used on Windows 2000 terminal services. It has the following extra abilities :
| Digital independence (Any client, any network and seamless desktop integration) | |
| ICA instead of RDP. See heading ICA instead of RDP. | |
| Application and content (FR1) publishing. | |
| Program Neighborhood, Program Neighborhood agent (FR1) and Pass-thru ICA client. Environments that offer the desktops and published applications to Citrix users. | |
| NFuse. Offers desktops and applications via a web interface. | |
| Better printer driver management. Universal printer driver with FR1. | |
| Installation management services. Can be used to deploy applications within a Citrix farm. (Citrix XPe only) | |
| Real load balancing instead of Microsoft Network Load Balancing. (Citrix XPa and XPe only) | |
| Resource management options. Report server status and application usage. (Citrix XPe only) | |
| SNMP management options. (Citrix XPe only) | |
| Application CPU prioritization. (FR1) |
Citrix uses the Independent Computer Architecture protocol instead of Microsoft's Remote Desktop Protocol. Differences are :
| ICA | RDP |
| Owned by Citrix. | Based on T.120 protocol. Owned by Microsoft |
| ICA version 3 on Metaframe XP | Version 4.0 (NT 4.0 TS), 5.0 (Windows 2000) and 5.1 (Windows XP/2003 server) available. |
| Can be used over TCP/IP, NetBIOS, IPX, SPX and direct serial. | Can only be used over TCP/IP. |
| ICA clients are available for MS-Dos 4.0 or later, Microsoft 16-bit, 32-bit and CE operating systems, OS/2, Unix, Linux, Java, Epoc/Symbian, Macintosh and Web browsers like Internet Explorer and Netscape. | Microsoft offers clients for Microsoft's 16- and 32-bit clients and Internet Explorer. (TSAC) Macintosh RDP 5.1 client available at Microsoft. Unix, Linux, Java, Apple and MS-DOS RDP clients offered by third-parties. |
| Application and desktop publishing. | Desktop publishing. |
| 24-bit color (Metaframe XP FR1) at 64000*64000 resolution. | 256 colors via RDP 5.0 at 1024*768 resolution. 24-bit colors via RDP 5.1 at 1600*1200 resolution |
| Smart card authentication | Smart card authentication via RDP 5.1 |
| Integrated local drive redirection. | Local drive redirection via RDP 5.1 or via drmapsrv resource kit utility |
| Local and network printer redirection. | Local printer redirection via RDP 5.0 and later. |
| Sound redirection | Sound redirection via RDP 5.1 |
| COM port redirection | COM port redirection via RDP 5.0 or later. |
| Multiple session shadowing from various servers. | Single shadowing from server where user is logged on via RDP 5.0 or later. |
| Integrated clipboard redirection. | Clipboard redirection via rdpclip resource kit utility or integrated via RDP 5.0 or later. |
| Bitmap cache size and location can be changed. ICA client uses SpeedScreen 3 to reduce latency on screen updates. | 10 Mbit bitmap cache on fixed location via RDP 5.0 or later. |
| 128-bit RC5 encryption MetaFrame XP FR1 or later | Encryption 128-bit RC4 via RDP 5.0 or later |
| Network load balancing based on desktops and/or application. | Network load balancing based on desktop via RDP 5.0 and Windows 2000. Session directory via Windows RDP 5.1 and Windows 2003 server. |
There are three versions of Citrix XP available :
| Metaframe XPs. | |
| Metaframe XPa. Advanced version. Includes Metaframe XPs functionality and adds the Load manager. | |
| Metaframe XPe. Enterprise version. Includes Metaframe XPs functionality and adds the Load manager, Resource manager, Installation manager and Network Manager. |
When you buy Citrix XP for the first time it offers a product license and 20 connection licenses. You can install Citrix XP on multiple servers within the same farm with one product license. Additional connection licenses only have to be bought when more than 20 concurrent connections are required. A new Citrix product license is not required for an additional server.
The Citrix Management Console should be used to add licenses and to activate the license and machine code at Citrix (within 35 days).
The Citrix management console and Qfarm- and Qserver tool give an overview of the licenses installed and in use.
The ICA client can be installed in various ways :
| Use the ICA Client Creator to create installation floppies. (3 disks) | |
| Install it from the Client install cd. (icainst\en\ica32) | |
| Install it from the Citrix server. (%systemroot%\system32\clients\ica folder) | |
| Download the latest version of the ICA client from www.citrix.com/download and install it. (msi version available) |
The appsrv.ini and pn.ini files can be used to customize the ica connections and application sets, to lock down the client, to maintain the ica settings and to give disaster recovery information. These files should be modified in the folder from which the client is installed. After the installation the files are stored in the \application data\ica client folder of the user's profile.
The pn.ini file contains the information of the application set connections and published applications.
The appsrv.ini file contains the information of the custom ica connections and the general ica settings.
For more information about the ini-files see ini file reference.pdf
Example of items that can be customized are :
| Client name. | |
| Serial number. | |
| Keyboard layout and keyboard type. | |
| Display connect to screen before making dial-in connections. | |
| Display terminal windows when making dial-in connections. | |
| Allow automatic client updates. | |
| Pass-through authentication. | |
| Event logging. | |
| Hotkeys. | |
| Server (farm) or application to connect to. In earlier versions of the ICA client (before 6.2), broadcasts were used to connect to a Citrix Metaframe XP server. If this server was reached, it would not respond by default. This can be changed by enabling the 'Data Collectors Responds to ICA Client Broadcast Messages' option on the Metaframe settings tab of the farm properties. Another way is to use the TCP/IP + HTTPS browsing option. (This option is used by default in version 6.2 or later of the ICA client.) This option lets the clients connect to a server called ica.[default client domain name] to request the browser information. Use WINS and DNS to forward these calls to a data store server. | |
| Connection method. LAN (no local cache), WAN, Dial-up, ICA dial-in. | |
| Seamless windows. This can be used for a custom ICA application or application set. It offers the application in a scalable window just as if it's running on the local machine. | |
| Encryption level. | |
| Color depth. | |
| Data compression. | |
| Disk cache for bitmaps. | |
| Queue mouse movement and keystrokes. | |
| Speedscreen latency reduction. | |
| Sound quality. | |
| Windows size. | |
| Pass-thru authentication. The credentials that the user used to logon to the workstation are used to logon to Citrix. |
The program neighborhood contains the connections to custom ica desktops or applications and published application sets. A published application set offers the user a set of applications that is published to him. This set of applications is refreshed every time the program neighborhood is started. This offers a very flexible solution.
By using the Citrix Client Update feature you can update the ICA clients automatically to the latest version when they connect to a server :
| Download and expand the ICA client to an empty folder on the server. | |
| Start the ICA client update utility. | |
| Choose the New option. | |
| Open the update.ini file in the folder where the new client is stored. | |
| Select the required update options. | |
| Select the required event logging. | |
| Check the Enable check box to enable the client. |
After the installation of the ICA client, the ICA connection center is available in the taskbar. The utility has the following abilities :
| Disconnect. Disconnect from a server. | |
| Full screen. Switch to full screen mode. | |
| Properties. Statistics about the connections. | |
| Logoff. | |
| Terminate. Terminate an application on the server. This option is available when running a published application in Seamless window mode. |
| Install Windows 2000 with Terminal server, Terminal server licensing and the latest service packs. | |
| Install the data store on an Oracle or SQL server when the MS Access database is not used. (recommended) | |
| Create an ODBC connection to the data store if the MS Access database is not used as data store. | |
| Start the Metaframe XP procedure from cd-rom. (autoroot.exe) | |
| Ignore the warning about Nfuse Requirements. It is given if IIS is not installed. | |
| Accept the license statement. | |
| Create a new farm or join an existing farm. | |
| Select Use a Local database or Use a Third Party Database to set the Data store configuration. (only when creating a new farm) | |
| Select the Zone name. Create a new zone or join an existing zone. | |
| Select an ODBC connection when using a third-party database as data store. | |
| Enter a user-id and password to access the third-party database. | |
| Enter the Server Farm name. | |
| Choose to run in Native IMA mode (Metaframe XP servers only) or mixed mode. (Metaframe XP and 1.8 servers) | |
| Username and password for the farm administrator. | |
| Select which protocols to use for Citrix. (only when multiple protocols are available on the server) | |
| Use the TAPI modem setup screen to add a modem for dial-up users. | |
| Choose to allow or not to allow shadowing on the server. | |
| Choose to use Server Drive Reassignment. When using this option the server will not use the C-drive. The ICA client can now use the C-driveletter to connect to the user's local harddisk. | |
| Enter the XML service port. Default port 80 used for Nfuse and web-based ICA sessions. | |
| Install the latest service pack and required feature releases. |
The Citrix management console is a Java-based modular console to manage the Citrix environment within the enterprise. It is recommended to use it as a published application (\citrix\administration\ctxload.exe) but it can also be installed with the autoroot.exe file on the Citrix cd. The console has the following functions :
| Application distribution. (XPe only) | |
| Application publishing. | |
| License management. | |
| Load balancing. (XPa and XPe only) | |
| Printer driver management. | |
| Resource monitoring. (XPe only) | |
| Server monitoring. | |
| Shadowing. | |
| Security. (Citrix administrators) |
After the applications are installed they can be published by using the Application folder\Publish application option within the Citrix management console. Now you can customize the following settings per published application :
| Application name tab | |
| Application location tab | |
| Program neighborhood settings tab | |
| Application appearance settings tab | |
| ICA client options tab | |
| Servers tab | |
| Users tab | |
| Application limits tab (FR1 only) |
When an application is published on more than one server, it is load balanced. The users will be spread over the servers by the load evaluators. These load evaluators consist of a set of customized load evaluation rules. Each server has such an evaluation rule which is by default based on the number of connected users. A load evaluator can be assigned to a server or to specific applications running on a server. The highest value of both determines the load value.
The following load evaluator rules are available :
| Application user load. Only for applications. Number of users connected to an application. | |
| Server user load. Only for servers. Number of users connected to a server. | |
| Context switches. Only for servers. You can set a maximum value for the CPU context switches. If the current load is above this value the server is reported as fully loaded. | |
| CPU utilization. Only for servers. You can set a maximum value for the CPU usage. If the current load is above this value the server is reported as fully loaded. | |
| Disk data I/O. Only for servers. Load evaluator based on the throughput in kilobytes. | |
| Disk data operations. Only for servers. Load evaluator based on the data transactions per second. | |
| IP range. Specifies from which ip range a client can connect to the server or application. | |
| License threshold. Only for servers. Load evaluator based on the number of pooled licenses available. | |
| Memory usage. Only for servers. Load evaluator based on the percentage of free memory. | |
| Page fault. Only for servers. Load evaluator based on the number of page faults. | |
| Page swap. Only for servers. Load evaluator based on the amount of data that has to be swapped to the page file. | |
| Schedule. Sets at which time users can connect to a server or application. |
The load is calculated within a scale of 0 to 10000 :
| 0. No load on application or server. | |
| 1-99999. Current load value of the application or server. | |
| 10000. Application or server is fully loaded. |
Special values are :
| 20000. Licensing is not correct for load balancing. (XPa or XPe required) | |
| 99990. Load management problems. | |
| 99999. Application to which no load evaluator is assigned. | |
| 10000!. Application is disabled. |
When a client connects to a load balanced application the following actions happen :
A load evaluator can be assigned to a server via the Load Manage Server option available for each server in the Servers folders.
You can assign load evaluators to applications by using the Load Manage Application option in the Applications folders.
New load evaluators can be created by using the New Load Evaluator option under the farm name.
Load monitoring can be done via the Load Manager Monitor available under the Servers folder. It can also be done with the Query Farm /App command.
This console is used to manage the connections to the Citrix server. By default it contains the ICA connections for all available protocols and a RDP connection over TCP. Most of these settings can also be set at user or client level. When they are set on multiple levels, the settings on the server overrule the settings on the user or client level. Within Windows .NET server 2003, it is also possible to manage these settings via the group policies.
For each connection you can modify the following tabs :
| Shows name and type of connection. | |
| Comment. | |
| Lan adapter. Network card used for this connection. (Default is all cards) | |
| Maximum connection count. Maximum number of connections. (Default is unlimited) |
| Logon. Allow or disable logons to the machine via this protocol. | |
| Auto-logon. Provide a domain, username and password to let users automatically logon. This setting can also be inherited from the client configuration. | |
| Time-out settings. You can override the user settings about when to end a disconnected session, the active session limit and the idle session limit. You can also set if you want to disconnect the session or to end it. Finally you can set if you allow reconnection from any client or from the previous client. | |
| Security. Set the encryption level. By default basic encryption is used. You can also choose to use no encryption, use RC5 128-bit logon only, or to use RC5, 40, 56 or 128-bit encryption. | |
| Use default NT authentication. Select this option if another authentication mechanism is installed and you still want to use Windows authentication. Do not use this option with Citrix as it has its own GINA. | |
| Initial program. Specify a program (and working directory) to run when a user logs on. This setting can also be set at client or user level. | |
| Only run published applications. Allows users only to run published applications or desktops. | |
| Disable wallpaper. | |
| Shadowing. Choose if shadowing is allowed. This setting overrules the setting at the user level. |
| Connect client drives at logon. Make local drives available. Overrules settings at user level. By default the first local drive is mapped as V:, the next will be U: etc. It is also possible to re-map the drives of the server to M: and higher. In this case the user will see his local drive as C: | |
| Connect client printers at logon. Make local printers available. Overrules settings at user level. | |
| Default to main client printer. Changes the default printer to the local printer of the user. Overrules settings at user level. | |
| Disable Windows client printer mapping. Overrules the client setting to auto-create printers at logon. | |
| Disable client LPT port mapping. Overrules the client setting to make LPT ports available. | |
| Disable client COM port mapping. Overrules the client setting to make COM ports available. | |
| Disable client clipboard mapping. Overrules the client setting to make the clipboard available to use between the local client and terminal server or Citrix client. | |
| Disable client drive mapping. Overrules the client setting to map the client's local disks. | |
| Disable client audio mapping. Overrules the client setting to map audio. |
| Client audio quality. Three options are possible. Low offers a maximum of 16 Kb for transmission, medium (default selection) offers 64 Kb and high offers 1.3 Mb. |
The Citrix Connection Configuration can also be used to create an async connection via a modem(-pool) :
| Name. Name of the async connection. | |
| Type. Citrix ICA 3.0 | |
| Transport. Async | |
| Comment. | |
| Device. Modem(s) to use. | |
| Device connect on. CTS,DSR, RI, DCD, first character, always connected. | |
| Baud. Connection speed. | |
| Advanced button. Advanced modem settings. |
The independent management architecture is the architecture of Citrix Metaframe. It has its own service and protocol that is running on each Citrix Metaframe server. The architecture has the following items :
A set of Citrix servers can be part of a farm. A farm is established when the first Citrix Metaframe server is installed. A new farm should only be established if there is a specific administration need. A new farm also requires a new 'start' license.
Each farm has a central data store. This store can be a MS Access, SQL or Oracle database. This store contains the following information :
| Citrix administrators. People who can log on to the Citrix Management Console to administrate the server farm. | |
| Licensing information. | |
| Printer information. | |
| Published applications. | |
| Server information and configuration. |
Each server in the farm can access and modify this information. This can be done in two ways :
| Direct access. The server uses its own ODBC drivers (to be installed) to access the data store. | |
| Indirect access. The server connects to another server to access the data store. |
To have this information available when the data store is not available, each server has its own Local Host Cache. This cache contains a subset of the information available in the data store and is stored in the MS Access imalhc.mdb file. With this information, the server can run 48 hours without the data store. When information changes in the data store it is replicated to the local host caches.
The data store can be maintained with the dsmaint utility.
The data collector maintains all Citrix farm related information like :
| Server information. | |
| Application publishing information. | |
| License information. | |
| User- and session information. | |
| Load-balancing information. |
Each zone elects one server as the data collector which communicates with the server that contains the data store. This data store contains all the information and can be a MS Access, MS SQL server or Oracle database.
Servers in different areas can be put into different zones. (max. of 256 servers per zone) When the first server is installed, the first zone, named after the subnet of the server, is created. An additional server can join an existing zone or create a new zone. Zones are created to reduce network traffic between different areas and to reduce the processor usage caused by the large amount of information available about the other servers.
Each zone has a zone data collector that collects and shares information with the servers within its zone. It also exchanges information with the zone data collectors of the other zones in the farm. Information that is shared :
| Client connections. Client logon/logoff and session reconnect or disconnect. | |
| License usage. | |
| Published applications. | |
| Server changes. E.g. server start-up, shutdown or IP- or MAC address change. Checked every minute. | |
| Server load. |
When using an MS Access database as data store, this server becomes automatically the zone data collector for that zone. It is recommended to run the data store and zone data collector on the same server when using a MS Access database as data store. When possible use a dedicated server as data store and zone data collector. Citrix uses the following procedure to select a zone data collector :
An election for a zone data collector is started when :
| A new server is added to the server farm. | |
| The zone configuration changes. (name, new server) | |
| A member server cannot connect with the data collector. | |
| The data collector shuts down. | |
| Querydc -e command. |
The Qfarm utility can be used to see which server is the zone data collector.
Within Citrix you can publish a desktop or application and allow anonymous login. For these logons the automatically created accounts Anon000 to Anon014 are used. These accounts are members of the Guests group and the Anonymous group that was created by Citrix.
SpeedScreen arranges that only the part of the screen that has changed is refreshed. This decreases the required bandwidth. It also offers SpeedScreen Latency Reduction which consists of two parts :
| Local text echo. This service pushes screen images with screenfonts to a client when the user logs on. These images are used to create fast screen updates when the user types text. | |
| Mouse click feedback. The service arranges that the mouse turns into an hourglass when the user presses a mouse button. This shows the user that the system reacted to the click, so it prevents the user from clicking twice on the same button. |
Citrix uses two different port sets. The first port set is for the ICA traffic that contains the screen updates, mouse movement, printer data, sound etc. (traffic port) The second port set is used to browse for ICA services like applications, servers, etc. (browsing port) The following traffic ports are used :
| TCP 1494. Inbound ICA traffic. This port can be changed with the icaport command and a reboot. On the client use :[port number] or the icaportnumber= option in the appsrv.ini file to connect to the new port. | |
| TCP high ports. (>1023) Outbound ICA traffic. |
These are the browsing ports :
| UDP 1604. Client setup for TCP/IP. The Metaframe XP server must have the 'Data collectors respond to ICA broadcast messages' option activated on the MetaFrame Settings tab of the farm properties. or | |
| TCP 80. ICA browsing and gateways via XML. Client setup for TCP/IP+HTTP (default on version 6.20 and later). By default services are requested from the host with the DNS record ica.<rest of DNS FQDN>. This record should refer to the server hosting the data collector. This port can be changed with the ctxxmlss command and a reboot. |
Other management-related ports are :
| TCP 2512. IMA traffic between Citrix Metaframe servers for data collector updates. | |
| TCP 2513. IMA traffic between CMC and Citrix Metaframe XP servers. Management ports can be changed with the imaport command available in FR1. |
With Citrix Metaframe FR1 and clients with version 6.20 or later, you can encrypt all ICA traffic with SSL. All traffic then uses port 443. This requires the following actions :
| The clients must trust the root-certificate authority. | |
| Make the servers available by FQDN. Select the Enable DNS Resolution option on the MetaFrame Settings tab of the farm properties. | |
| A server certificate in .PEM format must be stored in the %systemroot%\sslrelay\keystore\certs folder. (The keytopem command can be used to convert a certificate to the .PEM format) | |
| Use the Citrix SSL relay configuration tool to select the certificate. | |
| Use client with version 6.20 or later and use the SSL+HTTPS protocol for the connections and connect by using the FQDN. |
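An added example, not part of the original page: a Python check that reads firewall log lines and compares them with the default ports listed above, flagging IMA ports reachable from outside the farm and ICA paths from untrusted networks that do not go through the SSL relay. The log format, the address ranges and the policy (external clients only via port 443, CMC run from the farm servers) are assumptions constructed for the example.

```python
import ipaddress
import re

# Default ports from the lists above; icaport, ctxxmlss and imaport can change them.
CITRIX_PORTS = {
    ("tcp", 1494): "ICA session traffic",
    ("udp", 1604): "ICA browsing (broadcast)",
    ("tcp", 80): "ICA browsing via XML service",
    ("tcp", 443): "ICA over SSL relay",
    ("tcp", 2512): "IMA between MetaFrame servers",
    ("tcp", 2513): "IMA between CMC and servers",
}
IMA_PORTS = {("tcp", 2512), ("tcp", 2513)}
SSL_RELAY = ("tcp", 443)

# Constructed addressing plan (assumption): farm servers, which also publish
# the CMC, live in FARM_NETS; every other corporate client is in INTERNAL_NETS.
FARM_NETS = [ipaddress.ip_network("10.10.1.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log format: "<ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(ALLOW|DENY) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")

SAMPLE_LOG = [  # constructed sample data
    "ALLOW tcp 203.0.113.7:51000 -> 10.10.1.5:443",
    "ALLOW tcp 203.0.113.7:51001 -> 10.10.1.5:1494",
    "ALLOW tcp 10.20.3.4:40000 -> 10.10.1.5:1494",
    "ALLOW tcp 10.20.3.4:40001 -> 10.10.1.6:2513",
    "ALLOW tcp 10.10.1.9:40002 -> 10.10.1.6:2512",
    "DENY udp 198.51.100.2:1604 -> 10.10.1.5:1604",
    "ALLOW udp 198.51.100.2:3000 -> 10.10.1.5:1604",
    "not a log line",
]


def _inside(addr, nets):
    return any(addr in net for net in nets)


def audit(lines, ssl_relay_required=True):
    """Return (line number, finding, detail) for allowed flows that break the policy."""
    findings = []
    for number, raw in enumerate(lines, 1):
        text = raw.strip()
        match = LINE_RE.match(text)
        try:
            if not match:
                raise ValueError("unexpected format")
            action, proto, src, _sport, dst, dport = match.groups()
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            # Never skip silently: an unreadable line is a gap in the audit.
            findings.append((number, "unparsed", text))
            continue
        key = (proto, int(dport))
        if action != "ALLOW" or key not in CITRIX_PORTS or not _inside(dst_ip, FARM_NETS):
            continue
        detail = f"{src} -> {dst} {proto}/{dport} ({CITRIX_PORTS[key]})"
        if key in IMA_PORTS:
            # Data collector and CMC traffic should stay inside the farm.
            if not _inside(src_ip, FARM_NETS):
                findings.append((number, "ima-exposed", detail))
        elif (ssl_relay_required and key != SSL_RELAY
              and not _inside(src_ip, INTERNAL_NETS)):
            # An external client reached ICA or browsing without the SSL relay.
            findings.append((number, "bypasses-ssl-relay", detail))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="\t")
```

If the ports were moved with icaport, ctxxmlss or imaport, update CITRIX_PORTS to match before running the check.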
When Network Address Translation (NAT) is used to access the servers, changes have to be made on both the server and the client side. On the server side, the altaddr command must be used to connect the external ip addresses to the Citrix Metaframe servers. In the Citrix Program Neighborhood you have to use the Firewall button and the 'Use alternate address for firewall connection' option when you add an application set.
| Altaddr. Servers will report an alternate address to the clients. This should be used if the servers are behind a firewall. | |
| App. Runs a batchfile from the %systemroot%\scripts folder in the background. | |
| Clicense. Shows licensing information. | |
| Ctlprint. Changes the number of virtual pipes or channels available for print jobs. | |
| Ctxxmlss. Changes the port of the XML service. | |
| Dsmaint. Data store maintenance. (e.g. backup, compactdb, migrate, recover) | |
| Query farm. Displays information about the farm and the servers within it. (e.g. applications available, network address, load) | |
| Query server. Displays information about the server. |
Last update : 15 February 2003