Free 1Y0-456 Study Guide

1Y0-456 Citrix Access Suite 4.0: Build Test

Building and Testing Citrix Presentation Server

Windows concepts

Group Policy objects allow the administrator to restrict or permit specific user functions and actions without having to change the registry directly.

NTFS Permissions set the level of access user groups have to files and folders on the server.

Profiles provide users with pre-configured or personalized environments, including the Windows desktop and application settings.

Presentation Server testing and development environments

Testing or development Presentation Server environments should be segregated from the production environment so that they cannot impact it.

- Testing and development Presentation Servers should not belong to the same farm as the production servers.
- Setting up a separate zone for the test servers in the production farm is not a good option: all zones in a farm share the same data store, so a change made in the test zone is still a change to the production farm.

Presentation Server features

Session Reliability enables users to continue to view their published applications while the connection to the server is temporarily interrupted. After connectivity is regained, users resume interaction with the published applications without launching them again.

- Presentation Server uses the Citrix XTE Service for session reliability.
- Session reliability uses TCP port 2598.
- Session reliability is tunneled by means of the Citrix Common Gateway Protocol (CGP).
- Session reliability is enabled by default in the farm properties of the Presentation Server farm.
- Any firewall between the clients and the servers must therefore allow TCP 2598 in addition to the standard ICA port, TCP 1494.
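Because session reliability moves the connection to a second port, a common failure in a segmented network is a firewall rule that allows 1494 but not 2598. The following PowerShell script is an added example, not part of the study guide or of any Citrix tool; the server name ps01.example.com is a placeholder. It checks both ports from a machine on the client side of the firewall with a hard timeout, so a silently dropped SYN shows up as BLOCKED instead of a long hang. It needs PowerShell 2.0 or later for try/catch/finally.

```powershell
# Added example (not from the study guide): check that a Presentation Server
# is reachable on both the ICA port (TCP 1494) and the session reliability /
# CGP port (TCP 2598) from the client side of the firewall.
# The server name below is an assumption; replace it with your own.

$Server = "ps01.example.com"
$Ports  = @{ "ICA" = 1494; "CGP (session reliability)" = 2598 }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect lets us enforce our own timeout instead of waiting for
        # the default TCP connect timeout when a firewall silently drops the SYN.
        $async     = $client.BeginConnect($ComputerName, $Port, $null, $null)
        $completed = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if (-not $completed) { return $false }   # timed out: filtered/dropped
        $client.EndConnect($async)               # throws if actively refused
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($entry in $Ports.GetEnumerator()) {
    $open = Test-TcpPort -ComputerName $Server -Port $entry.Value
    "{0,-28} TCP {1,-5} {2}" -f $entry.Key, $entry.Value, $(if ($open) { "open" } else { "BLOCKED" })
}
```

If 1494 reports open and 2598 BLOCKED, the firewall is the problem, not the farm setting: a blocked 2598 silently degrades the user experience (the client either loses session reliability or fails to connect, depending on the client version), so check it explicitly rather than inferring it from a working ICA connection.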

Virtual IP addressing assigns an IP address to a session to address some of the issues associated with applications that identify the client connection to the back end of Presentation Server-based applications by an IP address.

- Use virtual IP addressing for:
  - Applications that require each session to have its own IP address for licensing, routing or addressing purposes.
  - Network monitoring systems that require each session to have its own IP address in order to track an individual user's traffic.
    - Without virtual IP addressing, all users appear to have the same IP address (the server's) when connecting from Presentation Server to a back-end application. The virtual IP address feature assigns an IP address to a session, not to a user.
  - Applications that are hard-coded to a specific port on a loopback interface, or that are hard-coded to listen on a specific port on all interfaces and therefore require more than one IP address when running multiple instances in a Terminal Server environment.
- Virtual IP addressing is only available for ICA sessions, not for RDP sessions.
- Virtual IP addressing is available with the Advanced and Enterprise editions of Presentation Server.

Add groups to Citrix administrators

- Click Start > All Programs > Citrix > Management Consoles > Presentation Server Console.
- Right-click the MetaFrame Administrators node in the left pane.
- Click Add MetaFrame Administrator.
- Double-click the desired domain.
- In the domain, double-click the desired user groups.
- Click Next in the Alert Contact Details screen.
- Click Custom and click Next.
- Select the permissions that the groups will have.
- Click Finish.

Assign Citrix administrative rights to groups rather than to individual accounts, and use Custom (or View Only) permissions to grant only the tasks each group needs, for example view-only access for the help desk, rather than Full Administration for everyone who opens the console.

Create a Presentation Server policy

- In the Presentation Server Console, right-click the Policies node in the left pane and select Create Policy.
- Type the policy name in the Policy Name field.
- Click OK.

Configure a Presentation Server policy

- In the Presentation Server Console, click the Policies node.
- Right-click the desired policy in the right pane and select Properties.
- Navigate to the desired policy rule in the left pane of the policy's properties window.
- Configure the rule in the right pane of the policy's properties window.
- After configuring the policy, apply it to connections using the Access Control, Client IP Address, Client Name, Servers or Users filters.

Apply a Presentation Server policy

- In the Presentation Server Console, click the Policies node.
- Right-click the desired policy in the right pane and select Apply this policy to.
- The Policy Filters window launches.
- In the left pane of the Policy Filters window, select from the following:
  - Access Control
    - Check Filter based on Access Control.
    - Check Apply to connections made through MetaFrame Secure Access Manager (version 4.0 or later).
    - Check either Any connection, or Any connection that meets any of the following filters.
      - If the latter, the Add MetaFrame Secure Access Manager Filter window pops up; select the MetaFrame Secure Access Manager farm and filter from the drop-down lists and click OK to close the window.
    - If desired, check Apply to all other connections.
    - Click OK to close the Policy Filters window.
  - Client IP Address
    - Check Filter based on client IP address.
    - Check Apply to all IP addresses, or click Add, enter an IP address or IP range in the Add Client Address to Policy Filter window, and click OK to close it.
    - Click OK to close the Policy Filters window.
  - Client Name
    - Check Filter based on client name.
    - Check Apply to all client names, or click Add, type a client name in the Client Name field of the Add Client Name to Policy Filter window, and click OK to close it.
    - Click OK to close the Policy Filters window.
  - Servers
    - Check Filter based on servers.
    - Select the desired servers and click OK to close the Policy Filters window.
  - Users
    - Check Filter based on users.
    - Select Apply to all explicit (non-anonymous) users, or select Apply to anonymous users.
    - If desired, explicitly select groups and/or users and choose to either Allow or Deny them.
    - Click OK to close the Policy Filters window.

The client name and client IP address filters key on values the server takes from the client side of the connection (the client name is configured in the client software, and the address is whatever the server sees after any NAT or gateway), so they are fine for tailoring the user experience but should not be the only control on security-sensitive rules such as drive, port or clipboard mapping; combine them with the Users filter.

Configure a drive mapping policy

- Create a policy.
- Right-click on the policy and select Properties.
- Navigate to Client Devices > Resources > Drives > Mappings.
- In the mapping policy rule, select Not Configured, Disabled or Enabled.
  - If Enabled is selected, select the drives you do not want mapped to client devices by checking Turn off Floppy disk drives, Turn off Hard drives, Turn off CD-ROM drives and/or Turn off Remote drives.
- Filter the connections that this policy will be applied to by Access Control, Client IP address, Client Name, Servers or Users.

Configure COM and LPT ports in a policy

- Create a policy.
- Right-click on the policy and select Properties.
- Navigate to Client Devices > Resources > Ports.
- Configure the policy rules Turn off COM ports and Turn off LPT ports.
- Filter the connections that this policy will be applied to by Access Control, Client IP address, Client Name, Servers or Users.

Configure a printer auto-creation policy

- Create a policy.
- Right-click on the policy and select Properties.
- Navigate to Printing > Client Printers.
- In the Auto-creation policy rule, select Not Configured, Disabled or Enabled.
  - If Enabled is selected, select Auto-create all client printers, Auto-create local (non-network) client printers only, Auto-create the client's default printer only or Do not auto-create client printers.
- Filter the connections that this policy will be applied to by Access Control, Client IP address, Client Name, Servers or Users.

Configure a shadowing policy

- Create a policy.
- Right-click on the policy and select Properties.
- Navigate to User Workspace > Shadowing.
- Configure the Configuration and Permissions policy rules.
- In each policy rule, select Not Configured, Disabled or Enabled.
  - If the Configuration rule is Enabled, select Do Not Allow Shadowing or Allow Shadowing.
    - If Allow Shadowing is chosen, check Prohibit Being Shadowed Without Notification and/or Prohibit Remote Input When Being Shadowed as required.
  - If the Permissions policy rule is Enabled, select the users who are permitted to shadow the connections to which the policy applies.
- Filter the connections that this policy will be applied to by Access Control, Client IP address, Client Name, Servers or Users.

Shadowing gives the shadower a full view of (and, unless remote input is prohibited, control over) another user's session, so keep the Permissions list to the administrators who need it and leave Prohibit Being Shadowed Without Notification checked unless there is a documented reason to shadow silently.

Shadow a user

- Open the Presentation Server Console, expand the Servers node and click a server.
- Select the Users tab.
- Right-click a user and select Shadow.
- Note the shadow termination hotkey setting (CTRL + *) and click OK.
- Authenticate with your username and password.
- When done shadowing, click Stop Shadowing or use the hotkey, CTRL + *.

Configure and verify a Zone Preference and Failover policy

- Create a policy named Zone Preference and Failover.
- Right-click on the Zone Preference and Failover policy and select Properties.
- Navigate to User Workspace > Connections > Zone preference and failover.
- Click Enabled in the right pane.
- Select one primary zone and up to five backup zones.
- Filter the connections that this policy will be applied to by Access Control, Client IP address, Client Name, Servers or Users.
- To verify, in the Presentation Server Console expand the Servers node, click a server and select the Users tab.
- Verify that the users are connected to the correct servers according to the Zone Preference and Failover policy.

Rename a zone

- Right-click the farm node in the Presentation Server Console and select Properties.
- Select Zones in the left pane of the farm properties.
- Select the desired zone name in the right pane and click Rename.
- Type a new name in the New zone name field and click OK.

Create a new zone

- Right-click the farm node in the Presentation Server Console and select Properties.
- Select Zones in the left pane of the farm properties.
- Click New Zone in the right pane.
- Type a new name in the New zone name field and click OK.

Move a server between zones

- Right-click the farm node in the Presentation Server Console and select Properties.
- Select Zones in the left pane of the farm properties.
- Expand the desired zone in the right pane of the farm properties.
- Click the desired server name under the desired zone.
- Click Move Servers.
- Click Yes in the Server Reboot Required message.
- Verify that the correct zone is selected in the Select Target Zone drop-down list and click OK.
- Reboot the server that was moved.

Change data collector preference

- Right-click the farm node in the Presentation Server Console and select Properties.
- Select Zones in the left pane of the farm properties.
- Expand the desired zone in the right pane of the farm properties.
- Right-click the desired server name under the desired zone.
- Click Set Election Preference.
- Choose among Most Preferred, Preferred, Default Preference and Not Preferred and click OK.
- Reboot the server whose preference was changed.

Publish an application

- Right-click the Applications node in the Presentation Server Console and select Publish Application.
- Type the display name in the Display Name field of the Welcome screen and click Next.
- In the Specify What to Publish screen, verify that Application is selected, click Browse, navigate to the application file and click Next.
- Click Next in the Program Neighborhood Settings screen.
- Select the color depth in the Specify Application Appearance screen and click Next.
- Click Next in the Specify Requirements, Specify Application Limits and Configure Access Control screens.
- In the Specify Servers screen, click the first server you want to run the application, then hold down the Ctrl key and click any other servers you want to select.
- Click Add to add the servers and click Next.
- In the Specify Users screen, drill down to the correct Organizational Unit, select the groups and/or users that will have access to this published application and click Next. Prefer groups over individual user accounts so that access can be reviewed and revoked through group membership.
- Click Finish in the Specify File Type Associations screen.

Publishing multiple applications

To save time publishing multiple applications, use the Copy Published Application feature.

- Create the first published application using the Application Publishing Wizard.
- Right-click on the published application and select Copy Published Application.
- Right-click on the copied application and select Rename.
- Type the name of the application in the Display Name field and click OK.
- Right-click the new published application and select Properties.
- In Properties, select Application Location.
- Click Browse, browse to the application you wish to publish and click OK.
- Click Program Neighborhood Settings, click Change Icon, select the correct icon and click OK.
- Configure anything else in the properties that the new published application warrants. Review the copied Users and Servers lists in particular: the copy inherits the original application's access list, which is rarely exactly what the second application should have.

Application isolation environment

An application isolation environment (AIE) allows an application in Presentation Server to use virtual copies of resources instead of the actual resources by redirecting communication between the application and system resources, such as the file system and registry.

Install an application into an application isolation environment

- In the Presentation Server Console, right-click on the Isolation Environments node and select New isolation environment.
- Type the name of the isolation environment in the Application isolation environment name field and click OK.
- Open a command prompt, type AIESETUP "<isolation environment name>" <path to the application's setup program> and press Enter.
  - For example, if you are installing PowerPoint Viewer 97 and you already created an isolation environment named PowerPointViewer97, you would type: AIESETUP "PowerPointViewer97" "c:\Program Files\Microsoft\Power Point Viewer\PPVIEW97.EXE".
- Run through the application installation.
- Press Enter at the command prompt to begin the application discovery process.
- Exit the command prompt after the application discovery completes.
- Right-click the Applications node in the Presentation Server Console and select Publish Application to launch the Application Publishing Wizard.
- Type the display name in the Display Name field and click Next.
- Verify that Application is selected in the Specify What to Publish screen, check Isolate Application and click Settings.
- Click the correct isolation environment name and select Application was installed into environment.
- Click the application name in the Choose installed application drop-down list and click OK.
- Go through the rest of the Application Publishing Wizard.

Client-to-server content redirection

Client-to-server content redirection launches a published application when a file with an associated extension is opened on the client device.

- To specify client-to-server content redirection in the Application Publishing Wizard:
  - In the Specify File Type Associations screen, check the file types that you wish to associate with the application.
- To specify client-to-server content redirection in the properties of a published application:
  - Select Content Redirection in the right pane of Properties and check the file types that you wish to associate with the application.

Server-to-client content redirection

Server-to-client content redirection causes URLs clicked inside a server session to be opened by the corresponding application on the client device (for example, the local web browser) rather than on the server.

- Server-to-client content redirection is configured in a policy in User Workspace > Content Redirection > Server to client.

Update file type association data

- In the Presentation Server Console, right-click on the farm node and select Update File Types from Registry.
- In the Update File Type Association screen, select the servers you wish to include in the update and click OK.
- Click OK on the pop-up that says File type association data is being updated. This may take several minutes to complete.

Apply a load evaluator to servers

- To apply a load evaluator to all of the servers in the farm, right-click the Servers node in the Presentation Server Console and select Load Manage Servers.
- Click Add All in the Load Manage Servers screen under Available Servers.
- Verify that the correct load evaluator is chosen under Available Load Evaluators and click OK.
- To confirm the load evaluator, click the Load Evaluators node and select the Usage Reports tab.
- Verify that the correct load evaluator is listed for all of the servers.

The scheduling load evaluator

- To create a new load evaluator based on scheduling, right-click the Load Evaluators node in the Presentation Server Console and select New Load Evaluator.
- Select Scheduling in the Available Rules box.
- Select the days of the week and times of day under Rule Settings and click OK.

Attach a load evaluator to an application

- To attach a load evaluator to an application and confirm it on a server, expand the Applications node in the Presentation Server Console.
- Right-click the desired published application and select Load Manage Application.
- Select the servers on which the application will be monitored in the Available Servers list and click Add, or click Add All for all servers.
- Select the load evaluator in the Available Load Evaluators list and click OK.
- To verify the configuration, click the Load Evaluators node, select the Usage Reports tab and click By Application.

Enable virtual IP addressing

- Right-click the farm node in the Presentation Server Console and select Properties.
- In Properties, select Virtual IP Address Configuration in the left pane and click Add IP Range in the right pane.
- The Add IP Range window launches.
- Type the IP address range and subnet mask in the Add IP Range window and click OK.
- Click Yes on the Configure Servers pop-up.
- The Virtual IP Address Range window launches.
- Click Add in the Virtual IP Address Range window.
- The Add Server For window launches.
- Select the servers in the Add Server For window and click OK.

The addresses in the range are handed out to sessions on the selected servers, so the range must be valid on the servers' subnet and reserved for this purpose (excluded from DHCP scopes and not used by other hosts) to avoid address conflicts.

Apply and verify virtual IP addressing for an application

- Right-click the farm node in the Presentation Server Console and select Properties.
- Select Virtual IP Processes in the left pane of Properties.
- Click Add Processes in the right pane of Properties.
- The Add Process for Virtual IP window launches.
- Type the application's executable name in the Add Process for Virtual IP window and click OK.
- Restart the server.
- To verify that virtual IP addresses are applied to the configured application, in the Presentation Server Console, expand the Servers node.
- Click a server and select the Sessions tab.
- Verify that virtual IP addresses are assigned to the sessions running the virtual IP-configured application.

Use the universal printer driver exclusively

- To use only the universal printer driver and disable automatic printer driver installation in the Presentation Server environment, create a policy in the Presentation Server Console.
- Right-click on the policy and click Properties.
- In the policy properties, expand Printing > Drivers and select Universal Driver in the left pane.
- Select Enabled in the right pane.
- Select Use universal driver only from the When auto-creating client printers drop-down list and click Apply.
- Select Native printer auto-install in the left pane of the policy properties.
- Select Enabled in the right pane.
- Select Do not automatically install drivers and click OK.

Disabling native driver auto-install also means that no client can cause an arbitrary vendor printer driver to be installed on the server simply by connecting with that printer attached; only drivers an administrator installed deliberately, plus the universal driver, are ever loaded on the server.

Verify the exclusive use of the universal printer driver

- To verify that only the universal printer driver is being used for printing in the Presentation Server environment, first add a printer on the client device to use for testing.
  - To add a printer, click Start > Printers and Faxes.
  - Click Add a Printer and click Next.
  - Verify that Local printer attached to this computer is selected.
  - Deselect Automatically detect and install my Plug and Play printer and click Next.
  - Verify that Use the following port: LPT1 is selected and click Next.
  - Select any printer and click Next.
  - Accept the default printer name and click Next.
  - Click Next in the Location and Comment screen.
  - Click No in the Print Test Page screen and click Next.
  - Click Finish.
- Launch an application from Web Interface.
- In the application, click File > Print.
- Select your printer from the drop-down list.
- Verify that the Citrix Universal Printer is listed as the printer type.
- Close the Print window.

Create a Web Interface site

- Open the Access Suite Console.
- Launch the Configure and run discovery wizard from Common Tasks of the farm node.
- Click Next in the Welcome screen.
- Click Next in the Select Products or Components screen.
- In the Configuration Servers screen, verify that Contact the following Web Interface configuration servers is selected and click Add.
- The Add Server window launches; type the server name and click OK.
- Click Next in the Configuration Servers screen.
- Select Add Local Computer if desired and click Next.
- Click Next in the Preview Discovery screen.
- Wait for discovery to finish running and click Finish.
- Click the Web Interface node in the Access Suite Console.
- Click Create site under Common Tasks.
- In the Select Site Type screen, select MetaFrame Presentation Server and click Next.
- In the IIS Hosting screen, select Set as the default page for the IIS site if you want this site path to be the default page, and click Next.
- In the Configuration Source screen, select Use local configuration file(s) or Use centralized configuration and click Next.
- In the Server farm screen, type the name of the server farm and click Add to enter the server(s) the site should contact; list more than one server to provide failover.
- In the New Site Summary screen, verify the information and click Next.
- After the new site is created, click Finish.

Configure authentication for Web Interface

- In the Access Suite Console, navigate to Suite Components > Configuration Tools > Web Interface and click on the desired Web Interface site.
- Click Configure authentication methods under Common Tasks.
- The Configure Authentication Methods wizard launches.
- In the Specify authentication methods screen, choose Explicit, Pass-through, Pass-through with smart card, Smart card or Anonymous.
  - If Explicit or Pass-through is chosen, configure the settings.
- Click Next.
- Configure the Define selected methods screen and click Next.
- Configure the Specify authentication type settings screen and click Next.
- Verify the information in the Check Summary screen and click Finish.

With Explicit authentication the user's domain user name and password are posted to the Web Interface server, so the site must be served over HTTPS (an SSL certificate bound to the IIS site); enabling Anonymous exposes every application published to anonymous users to anyone who can reach the site, so enable it only where that is intended.

Client for Web deployment

- To configure an English Client for Web deployment, create a new folder named en in C:\Program Files\Citrix\Web Interface\4.0\ICAWEB on the Web Interface server.
- Inside the en folder, create a new folder named ica32.
  - Make sure ica32 is typed in lower case.
- Copy the WFICAT.CAB file from the Presentation Server Components CD to the ica32 folder.
- Navigate to the Web Interface site in the Access Suite Console and click Manage client deployment in Common Tasks.
- The Manage Client Deployment wizard launches.
- Select the clients in the Select launch clients screen, choosing among Local client (Default), Native embedded client, Client for Java and Embedded Remote Desktop Connection.
  - You can also allow the user to select.
- Configure automatic client update, automatic client fallback to Client for Java, installation caption and client version support in the Specify launch client settings screen.
- Specify the file name, version and class ID in the Web Client settings screen.
- In the Client for Java screen, choose the packages to include in the Client for Java.
  - Packages include Audio, Clipboard, Local text echo, SSL/TLS, Encryption, Client drive mapping, Printer mapping and Configuration UI.
    - You can also let the user choose.
- Select a private root certificate, if desired.
- Review the Preview summary screen and click Finish when satisfied.

Verify the Web Interface automatic Web Client download

- To test the Web Interface configuration for automatic Web Client download, open Internet Explorer and browse to http://<WebInterfaceServer>/Citrix/MetaFrame (replace <WebInterfaceServer> with the name of your Web Interface server).
- Log on as a user, click Yes in the download screen to download the Web Client and click Yes on the Citrix License Agreement.
- The client software installs without further user interaction.

The WFICAT.CAB you copied is exactly what every browser will download and execute, so take it from the Citrix media rather than from an untrusted source, and serve the site over HTTPS so the download cannot be tampered with in transit.

Building and Testing Citrix Password Manager

Using Active Directory for the central store

To use Active Directory as the central store, an administrator must:

- Enable schema updates.
  - Windows 2000 Server only; Windows Server 2003 allows schema updates by default.
- Extend the schema.
- Create a central store.
- Assign permissions to the domain.

Password Manager features

The Password Manager Service provides the foundation for the optional features: Account Self-Service, Automatic Key Recovery, Cryptographic Data Integrity Assurance and Password Provisioning. Password Manager must be installed and configured before implementing any of these features.

- The XTE Service hosts the Password Manager Service.
- The Citrix Password Manager Service runs on a web server and uses SSL to encrypt the data exchanged between the Password Manager Service, the console and the agent.

Account Self-Service allows users to reset their Active Directory passwords.

Self-Service Password Reset is a feature of Account Self-Service which allows Password Manager users in an Active Directory environment to reset their primary domain password without the intervention of the help desk or an administrator.

Self-Service Password Unlock is a feature of Account Self-Service which works in the same way as Self-Service Password Reset to unlock domain accounts.

Automatic Key Recovery allows users to log on to the network and have immediate access to applications managed by Password Manager without having to verify their identity (for example, by answering the security questions) after their primary password has changed.

Cryptographic Data Integrity Assurance protects the central store data from being tampered with while in transit to the agent.

Password Provisioning pre-populates the central store with users' secondary credentials, so that they do not have to provide those credentials to the agent when launching an application for the first time.

Question-based authentication adds a layer of security to the Password Manager agent by protecting against impersonation and unauthorized password changes. Users answer the administrator-defined questionnaire when they first use the Password Manager agent, and must answer the same questions again when a password reset is requested. The questionnaire is the same one used for Account Self-Service.

Password expirations allow administrators to schedule regular, transparent password changes for applications that do not have their own password change functionality.

Password Manager used with Java applications

For Java applications, administrators can select the Control ID option instead of the SendKeys option to configure the application definitions. The Control ID option provides visual cues, such as highlighting the selected field, during the configuration process.

Requirements for the Password Manager Service

- A server authentication certificate must be installed on the server hosting the Password Manager Service to enable SSL.
- The certificate common name must match the FQDN of the server running the Password Manager Service.
- An administrator must install the certificate in the local machine certificate store on the server running the Password Manager Service and install the issuing CA's trusted root certificate on all systems that communicate with the Password Manager Service.

Extend the schema and verify its success

- Register the Active Directory Schema snap-in by running REGSVR32 SCHMMGMT.DLL at a command prompt.
- Click OK on the RegSvr32 message.
- Open an MMC and add the Active Directory Schema snap-in.
- Expand the Classes and Attributes nodes to verify there are no Citrix-related items (any item names that begin with citrix).
- After verification, insert the Password Manager CD, and when the splash screen appears, click Prerequisite: Create your Central Store.
- In the Prerequisite: Create your Central Store screen, click Active Directory.
- In the Create your Central Store using Active Directory screen, click Extend your Active Directory schema for the new directory objects.
  - This option runs the CitrixSchemaPrep.EXE utility. It must be run by a member of the Schema Admins group, and a schema extension is forest-wide and cannot be undone (schema objects can only be deactivated, not deleted), so do this in the test forest first.
- Click Yes in the warning pop-up.
- Press Enter to continue.
- To verify success, open the Active Directory Schema snap-in in the MMC and click the Classes node.
  - Verify that citrix-SSOConfig and citrix-SSOSecret were added.
- Click the Attributes node.
  - Verify that citrix-SSOConfigData, citrix-SSOConfigType and citrix-SSOSecretData were added.
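The before/after check in the snap-in can be scripted so it is repeatable, for example as a pre-flight check before CitrixSchemaPrep.EXE runs and as a verification step afterwards. The following PowerShell script is an added example, not part of the study guide or the Citrix media; it uses only System.DirectoryServices (no AD cmdlets), reads the schema partition of the forest the machine is joined to, and reports each of the five Citrix schema objects the guide lists as present or MISSING. Any domain user can read the schema, so no special rights are needed to run it.

```powershell
# Added example (not from the study guide): verify the Citrix Password Manager
# schema extension from a domain-joined machine. Run it before extending the
# schema (expect MISSING for all five) and again afterwards (expect present).
# Uses only .NET System.DirectoryServices; no Citrix or AD cmdlets required.

$Expected = @(
    "citrix-SSOConfig",      # class
    "citrix-SSOSecret",      # class
    "citrix-SSOConfigData",  # attribute
    "citrix-SSOConfigType",  # attribute
    "citrix-SSOSecretData"   # attribute
)

# RootDSE tells us where this forest keeps its schema partition.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$schema   = [ADSI]"LDAP://$schemaNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
$searcher.SearchScope = "OneLevel"
$searcher.PageSize    = 1000
# One query for everything whose LDAP display name starts with "citrix-".
$searcher.Filter = "(lDAPDisplayName=citrix-*)"
$null = $searcher.PropertiesToLoad.Add("lDAPDisplayName")
$null = $searcher.PropertiesToLoad.Add("objectClass")

$found = @{}
foreach ($result in $searcher.FindAll()) {
    $name    = [string]$result.Properties["ldapdisplayname"][0]
    # objectClass is multi-valued (top, classSchema/attributeSchema);
    # the last value is the most specific one.
    $classes = $result.Properties["objectclass"]
    $found[$name] = [string]$classes[$classes.Count - 1]
}

$missing = 0
foreach ($name in $Expected) {
    if ($found.ContainsKey($name)) {
        "{0,-24} present ({1})" -f $name, $found[$name]
    } else {
        "{0,-24} MISSING" -f $name
        $missing++
    }
}
if ($missing -eq 0) {
    "Schema extension is complete."
} else {
    "$missing object(s) missing: run CitrixSchemaPrep.EXE as a member of Schema Admins."
}
```

The search is scoped to one level under the schema container and filtered on lDAPDisplayName, so it does not depend on the objects' CN values and will also surface any other citrix-* objects that a previous Citrix product added to the forest.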

Create an Active Directory central store

- In the Password Manager CD installation window, click Create your central store in the extended schema.
  - This option runs the CtxDomainPrep.EXE utility, which updates the permissions on the domain root so that users can create the objects they need to use Citrix Password Manager.
- Click Yes in the warning pop-up.
- Press Enter to continue when prompted.

Request and install a web certificate

- Connect to the Certificate Authority in Internet Explorer by browsing to http://<ServerName>/certsrv.
  - Replace <ServerName> with the name of the server running the Certificate Authority.
- Click Request a certificate.
- Click advanced certificate request.
- Click Create and submit a request to this CA.
- Select Web Server from the Certificate Template drop-down list.
- Type the FQDN of the server running the Password Manager Service as the Name; this becomes the certificate's common name and must match the name the console and agents use to reach the service.
- Verify that 1024 is selected in the Key Size field. (1024-bit RSA keys are no longer considered adequate; outside an exam lab, request 2048 bits or larger if the CA allows it.)
- Select Store certificate in the local computer certificate store.
- Click Submit to generate the server certificate.
- Click Yes in the Potential Scripting Violation warning.
- Click Install this certificate.
- Click Yes in the Potential Scripting Violation warning.
- Close Internet Explorer when the Certificate Installed screen appears.

Verify that a server certificate is installed correctly

- Open the Microsoft Management Console and add the Certificates snap-in for the Computer account.
- Expand the Certificates node.
- Expand the Personal node.
- Click Certificates and confirm that the Password Manager server's FQDN is listed.
- Double-click the certificate and confirm that:
  - No errors appear.
  - The Issued to information is correct.
  - The Valid dates are correct.
  - A message states that a private key corresponds to this certificate.
- Click the Certification Path tab, confirm that the chain ends at the issuing CA and the certificate status reads OK, and click OK.
- Expand the Trusted Root Certification Authorities node.
- Click Certificates, double-click the issuing CA's root certificate (named Enterprise in the guide's lab), confirm that there is no private key message and click OK.
- Close the MMC.
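The same checks can be run from the command line on the server that will host the Password Manager Service, which is useful after a certificate renewal or when the service's configuration wizard does not offer the expected FQDN in its certificate drop-down. The following PowerShell script is an added example, not part of the study guide or of Citrix's installer. It assumes the server's FQDN is what DNS returns for the local host name (adjust $fqdn if the service is reached by another name), looks in Cert:\LocalMachine\My for a certificate whose subject CN matches, and confirms the private key is present, the validity period covers today, and the chain validates against the machine's trusted roots; it also warns on key sizes below 2048 bits.

```powershell
# Added example (not from the study guide): check the Password Manager Service
# server certificate in the local computer's Personal store. It confirms what
# the service depends on: subject CN matches this server's FQDN, the private
# key is present, the validity window covers today, and the chain validates to
# a trusted root. Run on the server hosting the Password Manager Service.

# Assumption: the service is reached by the host's DNS FQDN. Override if not.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-ServiceCertificate {
    param([string]$ExpectedCn)
    # Match CN= exactly (not as a substring of a longer name) anywhere in the
    # subject DN; -match is case-insensitive, which is what we want for names.
    $pattern = '(^|,\s*)CN=' + [regex]::Escape($ExpectedCn) + '(,|$)'
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern }
    if (-not $certs) {
        Write-Warning "No certificate with CN=$ExpectedCn in Cert:\LocalMachine\My"
        return $false
    }
    $ok  = $true
    $now = Get-Date
    foreach ($cert in $certs) {
        # Write-Host so the informational lines are not part of the return value.
        Write-Host "Subject    : $($cert.Subject)"
        Write-Host "Thumbprint : $($cert.Thumbprint)"
        Write-Host "Valid      : $($cert.NotBefore) -> $($cert.NotAfter)"
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            Write-Warning "Certificate is outside its validity period"
            $ok = $false
        }
        if (-not $cert.HasPrivateKey) {
            Write-Warning "No private key: request it again with 'Store certificate in the local computer certificate store'"
            $ok = $false
        }
        # Verify() builds and validates the chain against the machine's trust
        # store, which is what the console and agent do when they connect over SSL.
        if (-not $cert.Verify()) {
            Write-Warning "Chain does not validate: install the issuing CA's root under Trusted Root Certification Authorities"
            $ok = $false
        }
        $keySize = $cert.PublicKey.Key.KeySize
        Write-Host "Key size   : $keySize bits"
        if ($keySize -lt 2048) {
            Write-Warning "Key is $keySize bits; 1024-bit RSA is no longer considered adequate, request 2048 bits or larger"
        }
    }
    return $ok
}

if (Test-ServiceCertificate -ExpectedCn $fqdn) {
    "Certificate for $fqdn is usable by the Password Manager Service."
} else {
    "Certificate for $fqdn needs attention before installing the service."
}
```

Run the same script on a console or agent machine with the service's FQDN substituted for $fqdn and the store changed to Cert:\LocalMachine\Root to confirm that the root certificate (and no private key) was distributed there, which is the other half of the requirement stated above.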

Install Password Manager using Active Directory as the central store

- Insert the Password Manager CD and in the Welcome screen, click Advanced Installation Tasks.
- In the Advanced Installation Tasks screen, click Install Citrix Password Manager Service. Citrix Password Manager Service Setup launches.
- Click Next in the Welcome screen.
- Accept the agreement in the License Agreement screen and click Next.
- In the Select Modules screen, choose among Key Management, Account Self-Service, Provisioning and Data Integrity, and click Next.
- In the Ready to Install the Application screen, click Install.
- After installation, click Finish. A configuration wizard launches.
- Click Next in the Welcome screen.
- Verify that the correct FQDN is selected in the Select local SSL certificate drop-down list.
- Select NT Authority\Network Service from the System account drop-down list and click Next.
- In the Create signing certificate screen, select the certificate expiration and click Next.
- Click Active Directory, select the correct FQDN from the drop-down list and click Next.
- Type your user name in the User name field, your password in the Password field and the domain in the Domain field, and click Next.
- If desired, configure the data proxy in the Configure data proxy screen and click Next.
- For data proxy and self-service authentication, type your user name in the User name field and your password in the Password field, and click Next.
- Click Finish.
- Click Finish in the Applying Settings screen.

Running the service as NT Authority\Network Service keeps the service's own privileges minimal. The data proxy and self-service credentials entered later are what the service uses to reach the central store and to reset user passwords, so in production they deserve dedicated accounts with only the rights those features need rather than a domain administrator's credentials.

Install the Password Manager console

v  Insert the Password Manager CD and if the Password Manager Main Menu doesn't launch, double-click AUTORUN.EXE in the CD folder.

v  On the Main Menu, select Installation Menu.

v  On the Installation Menu, select Citrix Password Manager Console.

Citrix Password Manager Console Setup launches.

v  Click Next in the Welcome screen.

v  Accept the agreement in the License Agreement screen and click Next.

v  Select the components you would like to install.

¨        The choices are Console, Application Definition Tool, Citrix Access Suite - Licensing, and Citrix Access Suite - Diagnostics.

v  Click Next in the Install Type screen.

v  Click Next in the Ready to Install the Application screen.

v  After installation, click Finish.

v  To configure the Password Manager console, open the Access Suite Console.

v  Launch the Configure and run discovery wizard from Common Tasks of the farm node.

v  Click Next in the Welcome screen.

v  Click Next in the Select Components screen.

v  In the Identify Central Store page, choose among Active Directory, NTFS Network Share and Novell Shared Folder.

v  Select and configure the appropriate choice and click Next.

v  Choose whether or not to configure Data Integrity in the Configure Data Integrity Options screen and click Next.

¨        Data Integrity must have been chosen upon installation to configure this option.

v  Click Next in the Preview Discover screen.

v  Click Finish when discover is complete.

Create an identity verification question

v  Expand the Identity Verification node in the Access Suite Console.

v  Click the Question-Based Authentication node.

v  Click Manage Questions in Common Tasks.

v  The Manage Questions window launches.

v  In the left pane of the Manage Questions window, select Security Questions.

v  Click Add Question in the right pane and the Security Question window launches.

v  Type the question in the Security Question window.

v  Type the number of characters in the User answer must be at least field.

v  If desired, check Answer is case sensitive.

v  Click OK to close the Security Question window.

Create a new question group

v  Expand the Identity Verification node in the Access Suite Console.

v  Click the Question-Based Authentication node.

v  Click Manage Questions in Common Tasks.

v  The Manage Questions window launches.

v  In the left pane of the Manage Questions window, select Security Questions.

v  Click Add Group in the right pane and the Security Question Group window launches.

v  Put a check beside the desired questions.

v  Type the number of questions that users are required to answer in the Number of questions from this group that users are required to answer field.

v  Click OK to close the Security Question Group window.

Generate a new questionnaire

v  Expand the Identity Verification node in the Access Suite Console.

v  Click the Question-Based Authentication node.

v  Click Manage Questions in Common Tasks.

v  The Manage Questions window launches.

v  In the left pane of the Manage Questions window, select Questionnaire.

v  Click Add in the right pane to open the Add Questions or Question Groups window.

v  Add questions and question groups and click OK to close the Add Questions or Question Groups window.

v  In the right pane, select a question or question group and click Move Up, Move Down or Remove as desired.

v  Click Security Questions in the left pane of the Manage Questions window to confirm that new questions are marked Yes in the In Use column.

Configure key recovery

v  Expand the Identity Verification node in the Access Suite Console.

v  Click the Question-Based Authentication node.

v  Click Manage Questions in Common Tasks.

v  The Manage Questions window launches.

v  In the left pane of the Manage Questions window, select Key Recovery.

v  Select the questions and/or question groups that will be used for key recovery.

v  Click OK to close the Manage Questions screen.

v  Click Yes in the Warning pop-up window.

¨        Clicking Yes in the Warning pop-up window forces users to re-enroll. Click No if you do not want them to re-enroll.

Create a password policy

v  Click Create a new password policy in Common Tasks in the Password Policies node of the Access Suite Console.

v  The Password Policy Wizard launches.

v  In the Name the password policy screen, type a name and description for the policy and click Next.

v  In the Set basic password rules screen, configure the syntax rules, which include:

¨        Alphabet case usage, Minimum password length, Maximum password length, Number of times a single character can be repeated and Number of times a character can be repeated sequentially.

¨        Also in the Set basic password rules screen, check New password must not be the same as previous password if desired and click Next.

v  In the Set numeric character rules screen, configure:

¨        Whether to allow numeric characters in a password.

¨        Whether the numeric characters can be the first or last character of the password.

¨        The minimum number of numeric characters required.

¨        The maximum number of numeric characters allowed.

v  In the Set special character rules screen, configure:

¨        Whether to allow special characters in a password.

¨        Whether the special characters can be the first or last character of the password.

¨        The minimum number of special characters required.

¨        The maximum number of special characters allowed.

¨        Also in this screen, type the allowed special characters in the Allowed special characters list.

  • The special characters allowed by default are: !@#$^&*()-_=+[]\|,?

¨        Click Next.

v  In the Establish logon preferences screen, configure whether to allow users to reveal passwords for applications or whether to force users to re-authenticate before submitting application credentials.

¨        Also in the Establish logon preferences screen, configure Number of logon retries and Time limit for logon retries and click Next.

v  In the Set password expiration options screen, decide whether to use the password expiration settings associated with the application definitions.

¨        If using the password expiration settings associated with the application definitions, configure Number of days until password expires and Number of days to warn users before password expires.

v  In the Define Password wizard screen, choose from the following to select how you want new passwords to be generated and submitted to the application:

¨        User prompted for action, User-created only, User-created with system-generated option, System-generated, user informed, System-generated with user-created option, or System-generated, silent. Click Next.

v  Confirm the settings and click Finish.
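The syntax rules the Password Policy Wizard lets you set (length, case usage, repeated characters, numeric and special character counts and positions, the default special character list) can be expressed as a checker. The block below is an added example, not Citrix code; the rule codes it returns and the way Alphabet case usage is modelled ("any", "upper", "lower" or "mixed") are assumptions.

```python
"""Checker for the password syntax rules set in the Password Policy Wizard.
Constructed illustration, not Citrix code: rule codes and the modelling of
'Alphabet case usage' are assumptions."""
from collections import Counter
from dataclasses import dataclass
from itertools import groupby

# Allowed special characters as listed in the wizard's default.
DEFAULT_SPECIAL = "!@#$^&*()-_=+[]\\|,?"


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 20
    case_usage: str = "mixed"        # "any", "upper", "lower" or "mixed"
    max_char_repeats: int = 3        # times a single character may appear
    max_sequential_repeats: int = 2  # times a character may repeat in a row
    must_differ_from_previous: bool = True
    allow_numeric: bool = True
    numeric_first_or_last: bool = True
    min_numeric: int = 1
    max_numeric: int = 20
    allow_special: bool = True
    special_first_or_last: bool = False
    min_special: int = 1
    max_special: int = 20
    allowed_special: frozenset = frozenset(DEFAULT_SPECIAL)


def longest_run(s):
    """Length of the longest run of one character repeated consecutively."""
    return max((sum(1 for _ in g) for _, g in groupby(s)), default=0)


def check_password(policy, password, previous=None):
    """Return the list of rule codes the password violates (empty = compliant)."""
    v = []
    if len(password) < policy.min_length:
        v.append("too_short")
    if len(password) > policy.max_length:
        v.append("too_long")

    # Alphabet case usage
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if policy.case_usage == "mixed" and not (has_upper and has_lower):
        v.append("case_usage")
    elif policy.case_usage == "upper" and has_lower:
        v.append("case_usage")
    elif policy.case_usage == "lower" and has_upper:
        v.append("case_usage")

    # Repetition rules: total occurrences of one character, and consecutive runs
    if password and max(Counter(password).values()) > policy.max_char_repeats:
        v.append("char_repeats")
    if longest_run(password) > policy.max_sequential_repeats:
        v.append("sequential_repeats")
    if policy.must_differ_from_previous and previous is not None and password == previous:
        v.append("same_as_previous")

    # Numeric character rules
    digits = [c for c in password if c.isdigit()]
    if digits and not policy.allow_numeric:
        v.append("numeric_not_allowed")
    elif digits:
        if not policy.numeric_first_or_last and (password[0].isdigit() or password[-1].isdigit()):
            v.append("numeric_position")
        if len(digits) > policy.max_numeric:
            v.append("too_many_numeric")
    if policy.allow_numeric and len(digits) < policy.min_numeric:
        v.append("too_few_numeric")

    # Special character rules (anything that is not a letter or digit)
    specials = [c for c in password if not c.isalnum()]
    if specials and not policy.allow_special:
        v.append("special_not_allowed")
    elif specials:
        for c in sorted(set(specials) - policy.allowed_special):
            v.append(f"disallowed_special:{c}")
        if not policy.special_first_or_last and (not password[0].isalnum() or not password[-1].isalnum()):
            v.append("special_position")
        if len(specials) > policy.max_special:
            v.append("too_many_special")
    if policy.allow_special and len(specials) < policy.min_special:
        v.append("too_few_special")
    return v
```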

Application definitions

An application definition stores the identifiers the agent software uses to recognize credential submission and password change forms, where in those forms to enter the user's credentials, and how to submit them.

Application definitions can be created for Windows, Java, host/mainframe and web applications.

v  On the Create Application Definition screen, there are three choices: Windows, Web and Host/Mainframe.

¨        To create an application definition for a Java application, choose Windows.

Create an application definition

v  Click Create application definition in Common Tasks in the Application Definition node of the Access Suite Console.

v  The Create Application Definition window launches.

v  Choose among Windows, Web and Host/Mainframe for the application type.

v  Choose between Create new and Create from an application template.

v  Click Start Wizard.

v  In the Application Definition Wizard, in the Identify application screen, type a name and description for the application definition and click Next.

v  In the Manage forms screen, add and configure the application forms the agent software must recognize for submitting and changing user credentials.

v  In the Manage forms screen, click Add Form.

v  The Add Form Wizard launches.

v  In the Add Form Wizard:

¨        Identify the form.

¨        Select the field detection method.

  • The methods are Send Keys and Control ID.

¨        Set the field detection rules.

¨        Configure whether the agent automatically submits credentials to the application or not.

¨        Configure class information, control matching and initial delay information in the Advanced Settings.

¨        Confirm all choices.

v  Click Finish to exit the Add Form Wizard and return to the Application Definition Wizard.

v  Name the custom fields in the Name custom field screen and click Next.

v  Use the default icon or specify a custom icon in the Specify Icon screen and click Next.

v  In the Password Expiration screen, choose whether to run a script when the password expires and whether to use the Citrix Password Manager expiration warning, and click Next.

v  Confirm the settings and click Finish.

Create a user configuration

v  In the Access Suite Console, click Add new user configuration in Common Tasks of the User Configurations node.

v  The User Configuration Wizard launches.

v  Type a name, description and data location for the user in the Name user configuration screen and click Next.

v  Add application groups in the Choose policies and applications screen and click Next.

v  Customize how the agent works for this user configuration in the Configure agent interaction screen and click Next.

v  Set the licensing model and licensing communication for this user configuration in the Configure licensing screen and click Next.

v  Set the method used to verify the user's identity and to retrieve the key for stored credentials in the Configure key management screen and click Next.

v  Select self-service features in the Enable self-service screen and click Next.

v  Provide the service location for the Key Management module in the Key management module screen and click Next.

v  Provide the service location for the Provisioning module in the Provisioning module screen and click Next.

v  Confirm the settings in the Confirm settings screen and click Finish.

Create a Password Manager agent installation image

v  Click Advanced Installation Tasks on the Main Menu of the Citrix Password Manager CD.

v  On the Advanced Installation Tasks menu, click Create Citrix Password Manager Agent Installation Image.

v  Click Next in the Welcome screen that launches.

v  Select a network installation point and click Next.

v  Select the features that you want to install and click Next.

v  Select the type of Central Store and click Next.

v  Verify your selections and click Next to start the installation.

v  Click Finish after the installation is complete.

Enable Self-Service Password Reset on Web Interface

v  Publish LOGOFF.EXE, found at c:\windows\system32.

v  Create a file for Account Self-Service and save it with a .ICA extension.

v  Update the WEB.CONFIG file to add the ICA file name to the <appSettings> section.

v  Restart the World Wide Web Publishing Service for the changes to the Web Interface configuration file to take effect.

v  Add a URL to the Web Interface site by configuring Customize appearance for user in Common Tasks of the Web Interface node.

Configure password provisioning

Create and edit a provisioning template by clicking Generate provisioning template in Common Tasks of a user configuration node in the Access Suite Console.

Building and Testing Access Gateway Advanced Edition

Access Gateway Advanced Edition concepts

Access policies use filters to identify when a client device meets the criteria necessary to access resources in an access server farm.

Filters check to see whether a condition is true or not.

Policies control access to all resources in the access server farm by using filters to define the conditions that decide when a policy should be applied.

Resources are the tools available on the network that users employ to help them accomplish tasks.

v  Access Gateway Advanced Edition provides the following types of resources: Web sites, web pages, web applications, portals, published applications, file shares, networks, subnets, servers, services, email and email synchronization.

v  By default, a user cannot access resources until an administrator applies a policy that grants them access permissions through action controls.

Endpoint analysis scans verify whether or not a client device meets the minimum requirements necessary to access the logon page in an access server farm.

v  The endpoint analysis scan is performed before the user sees the logon page.

v  Endpoint analysis scans:

¨        Are specified in logon points and access policies.

¨        Control access to the logon page.

¨        Control access to resources.

¨        Are configured to run only when specific conditions exist on the client device.

¨        Require the use of an endpoint analysis scan client on the client device.
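The concepts above (resources, filters built from logon point, authentication strength, endpoint analysis output and client certificate conditions, policies that grant action controls, and default deny) can be put together as a small decision model. The block below is an added illustration, not the product's code; the sample farm, the AND/OR/NOT expression form for endpoint requirements, and the rule that an explicit deny in an applicable policy wins are assumptions of the model.

```python
"""Model of Access Gateway Advanced Edition access control: resources, filters
built from conditions, policies granting action controls, and default deny.
Constructed illustration, not the product's code; allow/deny precedence and
the expression form of endpoint requirements are assumptions of this model."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ClientContext:
    """What the access server farm knows about one connection."""
    user: str
    groups: frozenset            # group names the user belongs to
    logon_point: str             # logon point the user came through
    auth_strength: str           # e.g. "Windows", "RADIUS", "LDAP", "RSA"
    scan_outputs: frozenset      # endpoint analysis outputs that evaluated true
    client_cert_present: bool


def eval_requirement(expr, outputs):
    """Evaluate an endpoint analysis requirement: None (no requirement), an output
    name, or ("and", e1, ...), ("or", e1, ...), ("not", e)."""
    if expr is None:
        return True
    if isinstance(expr, str):
        return expr in outputs
    op, *args = expr
    if op == "and":
        return all(eval_requirement(a, outputs) for a in args)
    if op == "or":
        return any(eval_requirement(a, outputs) for a in args)
    if op == "not":
        return not eval_requirement(args[0], outputs)
    raise ValueError(f"unknown operator {op!r}")


@dataclass(frozen=True)
class Filter:
    """Conditions from the New Filter wizard steps; all must hold to match."""
    name: str
    logon_points: frozenset = frozenset()    # empty: any logon point
    auth_strengths: frozenset = frozenset()  # empty: do not filter by authentication
    endpoint_requirement: object = None      # expression for eval_requirement
    require_client_cert: bool = False

    def matches(self, ctx):
        if self.logon_points and ctx.logon_point not in self.logon_points:
            return False
        if self.auth_strengths and ctx.auth_strength not in self.auth_strengths:
            return False
        if self.require_client_cert and not ctx.client_cert_present:
            return False
        return eval_requirement(self.endpoint_requirement, ctx.scan_outputs)


@dataclass
class AccessPolicy:
    name: str
    resources: frozenset         # resource names the policy covers
    filter: Filter
    principals: frozenset        # user or group names the policy applies to
    actions: dict = field(default_factory=dict)  # action control -> True (allow) / False (deny)


def is_allowed(policies, ctx, resource, action):
    """Default deny: the action is allowed only if an applicable policy allows it.
    Assumption of this model: an explicit deny in any applicable policy wins."""
    allowed = False
    for policy in policies:
        if resource not in policy.resources:
            continue
        if ctx.user not in policy.principals and not (ctx.groups & policy.principals):
            continue
        if not policy.filter.matches(ctx):
            continue
        verdict = policy.actions.get(action)
        if verdict is False:
            return False
        if verdict is True:
            allowed = True
    return allowed


# Constructed sample farm: the SalesShare file share is reachable from the external
# SalesPortal logon point only with RADIUS authentication, a current antivirus scan
# output and no FirewallDisabled output; downloads are denied there but allowed
# from the internal logon point.
EXTERNAL_TRUSTED = Filter(
    name="ExternalTrusted",
    logon_points=frozenset({"SalesPortal"}),
    auth_strengths=frozenset({"RADIUS"}),
    endpoint_requirement=("and", "AntivirusCurrent", ("not", "FirewallDisabled")),
)
INTERNAL = Filter(name="Internal", logon_points=frozenset({"Intranet"}))
POLICIES = [
    AccessPolicy("SalesShare external", frozenset({"SalesShare"}), EXTERNAL_TRUSTED,
                 frozenset({"Sales"}), {"Access": True, "Download": False}),
    AccessPolicy("SalesShare internal", frozenset({"SalesShare"}), INTERNAL,
                 frozenset({"Sales"}), {"Access": True, "Download": True}),
]
```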

Install and configure Access Gateway Advanced Edition

v  Insert the Access Gateway Access Control Option CD.

v  The Welcome screen will launch.

v  In the Welcome screen, click Product Installations.

v  In the Product Installations screen, click Advanced Access Control.

v  Click Next in the Welcome screen.

v  Read the License Agreement, click I accept the license agreement and click Next.

v  Click Next to install all components.

v  Click OK in the warning message.

v  Click Next to begin the installation.

v  Click OK in the Advanced Access Control Installation dialog box.

v  Verify the selected options are displayed in the Start Installation screen and click Next.

v  Ensure that Run Server Configuration is selected and click Finish.

v  The Advanced Access Control Server Configuration wizard will launch.

v  Select Create a new access server farm and click Next.

v  Use administrator credentials for the service account and click Next.

v  Choose the database to use (Microsoft SQL or Microsoft SQL Server Database Engine) and click Next.

v  Verify that I would like to use an existing license server is selected, type the name of the license server in the Host name field and click Next.

v  Verify that the correct options are selected and click Next.

¨        Choose from Agent Server, Web Server and HTML Preview.

v  Click Next to use C:\INETPUB\WWWROOT as the default site path.

v  Verify the information in the Ready to Configure screen and click Next.

v  Click Finish.

v  After installation and configuration are finished, run Discover in the Access Suite Console.

Access Suite Console 4.2 update

v  Run ASC400W004.MSP to install the Access Suite Console 4.2 update.

¨        Must be done along with version 4.2 of Web Interface and Advanced Gateway with Advanced Access Control.

¨        For more information, see Citrix Knowledge Base article CTX108237.

Specify a Presentation Server farm

v  In the Access Suite Console, click the CitrixAAC node and click Edit farm properties in Common Tasks.

v  Click Presentation Server Farms in the properties window.

v  Click New.

v  Type the server farm name in the Citrix Presentation Server farm name field and click Next.

v  Click Add to add a farm server.

v  Type the farm server's name and click OK.

v  Click Next.

v  Click Finish in the Configure Address Mode screen.

v  Click OK.

Configure event logging

v  In the CitrixAAC node of the Access Suite Console, click Edit farm properties in Common Tasks.

v  Click Event Logging.

v  Select the type of logging desired and click OK.

Create a Web Interface site

v  In the Access Suite Console, expand Suite Components > Configuration Tools and click Web Interface.

v  Click Create site in Common Tasks.

v  The Create Site wizard launches.

v  Click MetaFrame Presentation Server and click Next.

v  Specify the IIS location and click Next.

v  Specify the server farm and click Next.

v  Confirm the information and click Next.

v  After the new site is created, click Finish.

Create a resource

v  To create a resource for access through Access Gateway Advanced Edition, expand the CitrixAAC node in the Access Suite Console.

v  Expand the Resources node and click the desired resource node under the Resources node.

v  Click the link in Common Tasks to create the resource using the wizard.

Create a web resource

v  Open the Access Suite Console.

v  Expand the Resources node under the CitrixAAC node.

v  Click the Web Resources node.

v  Click Create Web resource in Common Tasks.

v  The New Web Resource wizard launches.

v  In the Name screen, type the name of the web resource in the Name field and a description in the Description field and click Next.

v  In the Configure Addresses screen, click New to add each URL address and choose its authentication type.

¨        Authentication types are Basic, Digest authentication or Integrated Windows authentication.

v  Also configurable on the Configure Addresses screen:

¨        Publish for users in their list of resources

¨        Bypass Web Proxy URL rewriting

¨        Use the interface that is common for all browser types

v  Click Next.

v  In the Add Policy screen, choose either:

¨        Create a default policy granting access to all users

Or

¨        I will create a policy to grant access later

v  Click Finish.

Web resource application types

When configuring a new web resource, in the New URL pop-up screen, choose Citrix Web Interface 4.2 or later, Share Point, Share Point with Web Interface Web Part, Web Application or Web Application (requires session cookies) in the Application Type drop-down list.

Create a file share resource

v  Expand the Resources node in the Access Suite Console, click the File Shares node under the Resources node and click Create file share in Common Tasks.

v  The New File Share wizard launches.

v  In the Define File Share screen, type the file share name, type a description if desired and click Next.

v  In the Configure Share Locations screen, click New.

v  The File Share pop-up window launches.

v  In the File Share pop-up window, type the display name and type the file share location.

v  Select Publish for users in their list of published resources if desired and click OK to close the File Share pop-up window.

v  Click Next in the Configure Share Locations screen.

v  In the Add Policy screen, select either Create a default policy granting access to all users or I will create a policy to grant access later and click Finish.

Create a default logon point

v  Expand the CitrixAAC node in the Access Suite Console and expand the Logon Point node.

v  Click the SampleLogonPoint node and click Edit logon point in Common Tasks.

v  Click Presentation Server Farms in the left pane of Logon Point Properties.

v  Add the appropriate server farm and click OK.

Configure the default logon point

v  In the Access Suite Console, under the CitrixAAC node, expand the Logon Points node and click the SampleLogonPoint node.

v  Click Presentation Server Farms.

v  Select the desired Presentation Server Farm and click Add.

v  Click OK.

Delete the default logon point policy

v  Expand the CitrixAAC node in the Access Suite Console and click the Policies node.

v  Right-click Default Logon Policy for: SampleLogonPoint in the right pane and choose Delete policy.

v  Click Yes.

Managing access and connection policies

You may edit, delete, copy or refresh the access and connection policies in the Policy node by right-clicking on them.

Create an access policy

v  Click the Policies node in the Access Suite Console.

v  Click Create access policy in Common Tasks.

v  The New Access Policy Wizard launches.

v  In the Define Policy screen, type the policy name and description and click Next.

v  In the Select Resources screen, select the resources for which this policy applies and click Next.

v  In the Configure Settings screen, configure access settings for each resource type.

¨        Right-click on each setting to enable, disable, allow or deny the setting.

v  In the Select Filter screen, select from the available filters in the drop-down list or create a new one by clicking New.

v  If you click New to create a filter, the New Filter wizard launches.

v  In the Define Filter screen, type the filter name and description, and click Next.

v  In the Choose Filter Type screen, select Create a typical filter or Create a custom filter and click Next.

v  In the Select Logon Points screen, select logon points and click Next.

v  In the Select Authentication Strength screen, select authentication strength and click Next.

¨        Choose among Do not filter by authentication, Windows authentication, Windows authentication with advanced authentication, RSA or SafeWord, RADIUS authentication profile or LDAP authentication profile.

v  Click Next in the Select Endpoint Analysis Outputs screen.

v  Set the client certificate requirements in the Set Client Certificate Requirements screen and click Finish to close the New Filter wizard.

v  Click Next in the Select Filter screen in the New Access Policy Wizard.

v  In the Select Users screen, select the users to apply this policy to and click Finish.

Create a connection policy

v  Click the Policies node in the Access Suite Console.

v  Click Create connection policy in Common Tasks.

v  The New Connection Policy Wizard launches.

v  In the Define Policy screen, type the policy name and description and click Next.

v  Configure the connection policies to be enforced in the Configure Settings screen.

v  Assign a unique IP address alias to each client device in the Define IP Pool screen.

v  In the Select Filter screen, select from the available filters in the drop-down list or create a new one by clicking New.

v  If you click New to create a filter, the New Filter wizard launches.

v  In the Define Filter screen, type the filter name and description, and click Next.

v  In the Choose Filter Type screen, select Create a typical filter or Create a custom filter and click Next.

v  In the Select Logon Points screen, select logon points and click Next.

v  In the Select Authentication Strength screen, select authentication strength and click Next.

¨        Choose among Do not filter by authentication, Windows authentication, Windows authentication with advanced authentication, RSA or SafeWord, RADIUS authentication profile or LDAP authentication profile.

v  Click Next in the Select Endpoint Analysis Outputs screen.

v  Set the client certificate requirements in the Set Client Certificate Requirements screen and click Finish to close the New Filter wizard.

v  Back in the Select Filter screen, select from the available continuous scan filters in the Continuous scan filter drop-down list or create a new one by clicking New.

v  Click New to create a continuous scan filter and the New Continuous Scan Filter wizard launches.

v  In the Configure Requirements screen, combine conditions with the operators AND, OR and NOT to create requirements.

v  Click Finish to close the New Continuous Scan Filter.

v  Click Next in the Select Filter screen in the New Access Policy Wizard.

v  In the Select Users or Groups screen, select the users or groups to apply this policy to and click Finish.

Create an endpoint analysis scan

v  Expand the CitrixAAC node, expand the Endpoint Analysis node, expand the desired scan group node below the Endpoint Analysis node and click the desired scan package below the scan group node.

¨        The scan groups below the Endpoint Analysis node include: Antivirus, Browser, Custom, Firewall, Machine Identification, Miscellaneous and Operating System.

v  Click Create scan in Common Tasks.

v  The Create Scan wizard launches.

v  In the Define Scan Name screen, type a name for the scan and click Next.

v  In the Select Conditions screen, select the conditions of the scan (Client Device Regional Locale and/or Logon Point) and click Next.

v  In the Define Rule screen, type the rule name and click Next.

v  In the Configure Conditions - Operating System screen, select the operating systems that the scan package will scan and click Next.

v  If Client Device Regional Locale was selected earlier, in the Configure Conditions - Client Device Regional Locale screen, choose the languages to use and click Next.

v  In the Configure Conditions - Logon Point screen, select the logon point and click Next.

v  In the Define Property to Verify screen, enter the property values that the scan will check on the client device and click Finish.

Use a data set in an endpoint analysis scan

To use a data set, such as MAC addresses, in an endpoint analysis scan, add the data to a file in comma-separated form and save the data as a CSV file. The file can then be chosen while creating an endpoint analysis scan.

Default endpoint analysis scan groups

In the Access Suite Console, under the CitrixAAC node, expand the Endpoint Analysis Scan node and you will see the default scan groups: Antivirus, Browser, Custom, Firewall, Machine Identification, Miscellaneous and Operating System.

Configure a new logon point

v  Click the Logon Points node under the CitrixAAC node in the Access Suite Console.

v  Click Create logon point in Common Tasks.

v  The New Logon Point Wizard launches.

v  The New Logon Point Wizard contains 10 steps to configure a new logon point.

¨        The steps, in order, are: Define Logon Point, Select Home Page, Configure Authentication Strength, Configure Group Authorization, Add Citrix Presentation Server Farms, Select Sound and Window Settings, Configure Workspace Control, Configure Clients, Select Session Settings and Visibility.

Deploy a logon point

v  Click Start > All Programs > Citrix > Access Gateway > Server Configuration.

v  The Advanced Access Control Configuration console launches.

v  Click Configured Logon Points in the left pane and select the desired logon point on the right.

v  Click Deploy.

v  Click OK to close the Advanced Access Control Configuration screen.

URL to access a logon point inside a secure network

http://<Access Gateway Advanced Edition Server Name>/citrixlogonpoint/<Logon Point Name>

¨        Replace <Access Gateway Advanced Edition Server Name> with the NetBIOS name of the Access Gateway Advanced Edition Server.

¨        Replace <Logon Point Name> with the name of the logon point.

  • For example, a logon point named SalesPortal on a server named AGServer01 would utilize the URL http://AGServer01/citrixlogonpoint/SalesPortal.

Add an endpoint analysis scan to a logon point

v  In the Access Suite Console, expand the CitrixAAC node, expand the Logon Points node and click on the desired logon point under the Logon Points node.

v  Click Edit logon point in Common Tasks.

v  The Logon Point Properties window launches.

v  Select Visibility in the left pane.

v  Click Endpoint Analysis Output.

v  The Select an Endpoint analysis window launches.

v  Select the desired endpoint analysis in the window and click OK to close the Select an Endpoint analysis window.

v  Click OK to close the Logon Point Properties window.

Use a filter to grant access to a published application

v  Expand the Applications node in the Presentation Server Console.

v  Right-click the desired published application and select Properties.

v  In the published application's properties screen, select Access Control.

v  Select Any connection that meets any of the following filters.

v  Click Add.

v  The Add MetaFrame Secure Access Manager Filter pop-up window launches.

v  Type or select the name of the MetaFrame Secure Access Manager farm.

v  Type or select the name of the MetaFrame Secure Access Manager filter and click OK.

v  Click OK in the published application's properties screen.

v  Click OK in the XML Trust Warning message.

Apply a Presentation Server policy using an access control filter

v  In the Presentation Server Console, click the Policies node.

v  Right-click the desired policy in the right pane and select Apply this policy to.

v  The Policy Filters window launches.

v  Click Access Control.

v  Select Filter based on Access Control.

v  Select Apply to connections made through MetaFrame Secure Access Manager.

v  Click Any connection that meets any of the following filters.

v  Click Add.

v  The Add MetaFrame Secure Access Manager Filter pop-up window launches.

v  Select the MetaFrame Secure Access Manager farm from the drop-down list.

v  Select the MetaFrame Secure Access Manager Filter from the drop-down list and click OK.

v  Click OK in the Policy Filters window.

v  Click OK in the XML Trust Warning message.
