En este documento se explica cómo configurar ciertos aspectos del cliente de Citrix, esto afectaría a clientes con la versión superior a la 10.x. Lo que habría que hacer es descargarse una plantilla (icaclient.adm – AKI), y agregarla a la directiva que nos interese, editar las configuraciones que deseemos por equipo o por usuario y aplicarla.

Importar la plantilla – AKI
Descripción de la plantilla y sus directivas – AKI

Importar la plantilla ,

En este documento se explica usando la consola de “Administración de directivas de grupo”, esta consola no tienes por que tenerla instalada, daría igual, se accede de forma similar desde la UO en la consola de “Usuarios y equipos de Active Directory”.

Una vez abierta la consola, es ir a la Unidad Organizativa y editar la directiva que nos interese o bien crearnos una para probarla, ese es mi caso, sobre la UO que nos interese con botón derecho “Crear y vincular un GPO aquí…”

Le indicamos un nombre descriptivo, “Aceptar”

Y la editamos, para ello, sobre la directiva con botón derecho “Editar…”,

Ahora vamos a meter la plantilla de Citrix, sobre “Configuración del equipo” > botón derecho en “Plantillas administrativas” > “Agregar o quitar plantillas…”

Veremos las que tenemos, y metemos la nueva con “Agregar…”

Buscamos la plantilla (icaclient.adm – AKI) que nos hemos bajado, la seleccionamos y la abrimos,

Vemos que está ahí, perfecto, cerramos esta ventana,

Descripción de la plantilla y sus directivas,

Ahora ya tenemos diferentes directivas desde “Configuración del equipo” > “Plantillas administrativas” > “Citrix Components”. En “Presentation Server Client” tenemos una directiva llamada:

“Allow client connections”
Use this policy to enable or completely disable connections from the Citrix Presentation Server client.
When this policy is not configured, the client will allow connection to servers.
When this policy is enabled, the client will only connect to a server if the “Enable client” option is selected, and if its version number is greater or equal to the “Minimum client version”.
When the policy is disabled, the client will not allow connections to any servers.

En “Citrix Components” > “Presentation Server Client” > “Network routing” tenemos varias directivas:

“TLS/SSL data encryption and server identification”
Use this policy to configure the TLS/SSL options that help to ensure that the client connects to genuine remote applications and desktops. TLS and SSL encrypt the transferred data to prevent third-parties viewing or modifying the data traffic. Citrix recommends that any connections over untrusted networks use TLS/SSL or another encryption solution with at least the same level of protection.
When this policy is enabled, the client will apply these settings to all TLS/SSL connections performed by the client. The checkbox “Require SSL for all connections” can be used to force the client to use the TLS or SSL protocol for all connections that it performs.
TLS and SSL identify remote servers by the common name on the security certificate sent by the server during connection negotiation. Usually the common name is the DNS name of the server, for example www.citrix.com. It is possible to restrict the common names to which the client will connect by specifying a comma-separated list in the “Allowed SSL servers” setting. Note that a wildcard address, for example “*.citrix.com:443”, will match all common names that end with “.citrix.com”. The information contained in a certificate is guaranteed to be correct by the certificate’s issuer.
Some security policies have requirements related to the exact choice of cryptography used for a connection. By default the client will automatically select either TLS v1.0 or SSL v3.0 (with preference for TLS v1.0) depending on what the server supports. This can be restricted to only TLS v1.0 or SSL v3.0 using the “SSL/TLS version” setting.
Similarly, certain security policies have requirements relating to the cryptographic ciphersuites used for a connection. By default the client will automatically negotiate a suitable ciphersuite from the five listed below. If necessary, it is possible to restrict to just the ciphersuites in one of the two lists.
Government Ciphersuites:
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Commercial Ciphersuites:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Certificate Revocation List (CRL) checking is an advanced feature supported by some certificate issuers. It allows security certificates to be revoked (invalidated before their expiry date) in the case of cryptographic compromise of the certificate private key, or simply an unexpected change in DNS name.
Valid CRLs must be downloaded periodically from the certificate issuer and stored locally. This can be controlled through the selection made in “CRL verification”
– Disabled: When “Disabled” is selected, no CRL checking will be performed.
– Only check locally stored CRLs: When “Only check locally stored CRLs” is selected, any CRLs that have been previously installed or downloaded will be used in certificate validation. If a certificate is found to be revoked, the connection will fail.
– Retrieve CRLs from network: When “Retrieve CRLs from network” is selected, the client will attempt to retrieve CRLs from the relevant certificate issuers. If a certificate is found to be revoked, the connection will fail.
– Require CRLs for connection: When “Require CRLs for connection” is selected, the client will attempt to retrieve CRLs from the relevant certificate issuers. If a certificate is found to be revoked, the connection will fail. If the client is unable to retrieve a valid CRL, the connection will fail.

“Configure trusted server configuration”
Use this policy to control how the client identifies the published application or desktop it is connecting to. The client will determine a trust level, called a “trust region” with a connection. The trust region will then determine how the client is configured for the connection.
When this policy is enabled, the client can be forced to perform region identification using the “Enforce trusted server configuration” option.
By default, region identification is based on the address of the server the client is connecting to. To be a member of the trusted region, the server must be a member of the Windows Trusted Sites zone. You can configure this using the “Windows Internet zone” setting.
Alternatively, for compatibility with non-Windows clients, the server address can be specifically trusted using the “Address” setting. This is a comma-separated list of servers supporting the use of wildcards, for example, cps*.citrix.com.

“Session reliability and automatic reconnection”
Use this policy to control how the client behaves when a network failure causes the connection to be dropped.
When this policy is enabled, the client will attempt to reconnect to a server only if “Enable reconnection” is selected. By default three reconnection attempts are made, but this can be altered using the “Number of retries” setting. Similarly the delay between retries can be altered from the default of 30 seconds using the “Retry delay” setting.
A separate setting, “Enable SSL/TLS reconnection”, is provided to allow reconnection to an SSL/TLS server. Support for this setting depends on the SSL server configuration.

En “Citrix Components” > “Presentation Server Client” > “Network routing” > “Proxy” tenemos varias directivas:

“Configure client proxy settings”
Use this policy to configure the primary network proxies that the client can use when connecting to a remote application or desktop.
When this policy is not configured, the client will use its own settings to decide whether to connect through a proxy server.
When this policy is enabled, the client will use the proxy configured based on the proxy type selected:
– Proxy type: None: When “None” is selected, the client will attempt to connect to the server directly without traversing a proxy server.
– Proxy type: Auto: When “Auto” is selected, the client will use the local machine settings to determine which proxy server to use for a connection. This is usually the settings used by the Web browser installed on the machine.
– Proxy type: Script: When “Script” is selected, the client will retrieve a JavaScript based “.pac” file from the URL specified in the “Proxy script URLs” policy option. The “.pac” file is executed to identify which proxy server should be used for the connection.
– Proxy type: Secure: When “Secure” is selected, the client will contact the proxy identified by the “Proxy host names” and “Proxy ports” settings. The negotiation protocol will use a “HTTP CONNECT” header request specifying the desired destination address. This proxy protocol is commonly used for HTTP based traffic, and supports GSSAPI proxy authentication.
– Proxy Type: SOCKS/SOCKS V4/SOCKS V5: When a “SOCKS” proxy is selected, the client will perform a SOCKS V4 or SOCKS V5 handshake to the proxy identified by the “Proxy hostnames” and “Proxy ports” settings. The “SOCKS” option will detect and use the correct version of Socks.
For any proxy type, you can provide a list of servers that do not traverse the proxy. These should be placed in the “Bypass server list”.

“Configure client failover proxy settings”
Use this policy to configure alternative network proxies that the client can use if the primary network proxy fails to connect to a remote application or desktop.
When this policy is not configured, the client will use its own settings to decide whether to connect through a proxy server.
When this policy is enabled, the client will attempt a connection using an alternative proxy if connection to a primary proxy fails. The failover proxy settings operate in an identical fashion to the primary proxy settings.
If both the primary and alternative proxy fail to service the connection, selecting the “Failover to direct” check box instructs the client to attempt a final direct connection with no proxies.

“Configure SOCKS proxy settings”
Use this policy to configure the use of additional SOCKS proxies that are required for some advanced network topologies.
When enabled, the client will examine the “SOCKS protocol version” setting. If connection via SOCKS is not disabled, the client will attempt to connect using the SOCKS proxy specified by the “Proxy host names” and “Proxy ports” settings.
The client supports connections using either SOCKS v4 or SOCKS v5 proxy servers. Alternatively, it can attempt to automatically detect the version being used by the proxy server.

“Configure proxy authentication”
Use this policy to control the authentication mechanisms that the client uses when connecting to a proxy server. Authenticating proxy servers can be used to monitor data traffic in large network deployments.
In general, authentication is handled by the operating system but in some scenarios, the user may be provided with a specific user name and password. To prevent the user from being specifically prompted for these credentials, clear the “Prompt user for credentials” check box. This will force the client to attempt an anonymous connection. Alternatively, you can configure the client to connect using credentials passed to it by the Web Interface server, or these can be explicitly specified via Group Policy using the “Explicit user name” and “Explicit password” options.

En “Citrix Components” > “Presentation Server Client” > “User authentication ” tenemos varias directivas:

“Smart card authentication”
Use this policy to control how the client uses smart cards attached to the client device.
When enabled, this policy allows the remote server to access smart cards attached to the client device for authentication and other purposes.
When disabled, the server cannot access smart cards attached to the client device.

“Kerberos authentication”
Use this policy to control how the client uses Kerberos to authenticate the user to the remote application or desktop.
When enabled, this policy allows the client to authenticate the user using the Kerberos protocol. Kerberos is a Domain Controller authorised authentication transaction that avoids the need to transmit the real user credential data to the server.
When disabled, the client will not attempt Kerberos authentication.

“Local user name and password”
Use this policy to instruct the client to use the same logon credentials (pass-through authentication) for the Citrix Presentation Server as the client machine.
When this policy is enabled, the client can be prevented from using the current user’s logon credentials to authenticate to the remote server by clearing the “Enable pass-through authentication” check box.
When run in a Novell Directory Server environment, selecting the “Use Novell Directory Server credentials” check box requests that the client uses the user’s NDS credentials.

“Locally stored credentials”
Use this policy to control how user credentials data stored on users’ machines or placed in ICA files is used to authenticate the user to the remote published application or desktop.
When this policy is enabled, you can prevent locally stored passwords being automatically sent to remote servers by clearing the “Allow authentication using locally stored credentials” check box. This causes any password fields to be replaced with dummy data.
In addition, the “User name” and “Domain” options can be used to restrict or override which users can be automatically authenticate to servers. These can be specified as comma-separated lists.

“Web Interface authentication ticket”
Use this policy to control the ticketing infrastructure used when authenticating through the Web Interface.
When this policy is enabled, legacy Web Interface ticketing can be disabled by clearing the “Legacy ticket handling” check box. Legacy Web Interface ticketing was implemented by passing a single-use authentication cookie to the server in the ClearText password field.
Starting with version 4.5 of the Web Interface, the client handles an authentication token in the form of an opaque LogonTicket with an associated interpretation defined by the LogonTicketType. This functionality can be disabled by clearing the “Web Interface 4.5 and above” check box.

En “Citrix Components” > “Presentation Server Client” > “Remoting client devices” tenemos varias directivas:

“Client drive mapping”
Use this policy to enable and restrict the remote application or desktop’s access to the client file systems.
When enabled, the client will completely deny client drive mapping (CDM) virtual channel access to the client’s file system if the check box “Enable client drive mapping” is not selected. This stops the DLL implementing the client drive mapping virtual channel (vdcdmn.dll) from loading on client start up. At this point, you can delete the DLL from the client package.
If CDM is enabled, further options are available to restrict the type of access available to the server. If the “Read-only client drives” check box is selected, the CDM virtual channel only permits read access to client drives.
Access to Windows drives can be disabled by entering the relevant drive letter in the “Do not map drives” box. This is a concatenation of all drives that should not be mapped when connecting to a published application or desktop, for example “ABFK” disables the drives A, B, F and K.

“Client printers”
Use this policy to enable and restrict the remote application or desktop’s access to client printers.
When this policy is disabled, the client prevents the server from accessing or printing to printers available to the client device.

“Client hardware access”
Use this policy to enable and restrict the remote application or desktop’s access to the client’s serial, USB, and parallel ports. This allows the server to use locally attached hardware.

“Image capture”
Use this policy to enable and restrict the remote application or desktop’s access to scanners, webcams, and other imaging devices on the client device.

“Client microphone”
Use this policy to enable and restrict the remote application or desktop’s access to local audio capture devices (microphones).
The additional controls and indicators provided by the Philips SpeechMike device can be disabled by clearing the “Use remote SpeechMike controls” check box.

“Clipboard”
Use this policy to enable and restrict the remote application or desktop’s access to the client clipboard contents.

En “Citrix Components” > “Presentation Server Client” > “Remoting client devices” tenemos varias directivas:

“Client audio settings”
Use this policy to control how sound effects and music produced by remote applications or desktops are directed to the client machine.
When this policy is enabled, the “Enable audio” check box can be used to completely disable client audio mapping. This does not affect the client to server audio data, which is controlled through the “Remoting client devices” policy.
It is also possible to control the audio quality. Three quality levels are supported: low, medium and high. This setting affects both server to client and client to server audio quality. Note that the bandwidth requirements for high quality audio could make this setting unsuitable for many deployments.

“Client graphics settings”
Use this policy to control the quality of graphics presented by remote applications or desktops. Lower quality graphics can help to improve the user experience when there is restricted bandwidth available.
– Color depth: This specifies the preferred color depth for a session. In general, low color depths give better performance over low bandwidth; however some of the compression technologies available can only be used with full color, so the effective performance depends on the individual application and usage pattern. The server may choose not to honor the color depth setting chosen because higher color depths result in heavy memory usage on the servers.
– Disk-based caching: For client devices with limited RAM, better compression rates can be achieved by saving temporary graphics objects to the disk cache.
– Lossy compression: For maximum compression and responsiveness, the server will sometimes allow the transfered image data to degrade in quality. This usually occurs when the connection is slow, or bandwidth is limited and large area updates are taking place. This is not appropriate for all applications and usages. Clearing this setting forces all image data to be transmitted at full quality.
– SpeedScreen browser acceleration: This feature allows images being displayed by Microsoft Internet Explorer to be specially handled by the SpeedBrowse Browser Acceleration virtual channel. This improves responsiveness when using Microsoft Internet Explorer remotely.
– SpeedScreen browser acceleration lossy compression: This is an extension to the SpeedScreen browser acceleration setting, allowing images displayed by Microsoft Internet Explorer to be degraded before transmission to the client. This is not appropriate for all applications and usages. Clearing this option forces all Web browser image data to be transmitted at full quality.
– Remote Video: The remote video option allows the server to directly stream certain video data to the client. This provides better performance than decompressing and recompressing video data on the computer running Citrix Presentation Server.
– SpeedScreen Latency Reduction: Enabling SpeedScreen Latency Reduction settings allows the client to predict how mouse movement and text entry will appear on the server. This results in the user getting immediate feedback when typing or moving the mouse pointer.

“Client display settings”
Use this policy to control how the client presents remote applications and desktops to the end user. Remote applications can be seamlessly integrated with local applications, or the entire local environment can be replaced with a remote desktop.
– Seamless windows: When set to false this setting allows the client to disable the use of seamless windows, instead displaying a fixed size window. When set to true it forces the client to request seamless windows, although the server may choose to reject this request.
– Window width and height: These settings determine window width and height. It is possible to define ranges of preferred values (for example 800-). The server may choose to ignore this value. This setting is ignored when seamless windows is in use.
– Window percent: This can be used as an alternative to manually choosing the width and height. It selects a window size as a fixed percentage of the entire screen. The server may choose to ignore this value. This setting is ignored when seamless windows is in use.
– Full screen: This setting switches the client to full screen mode. The server display will completely cover the client display.

“Remote applications”
Use this policy to configure the client’s handling of remote applications.
When enabled, this policy uses the list in the “Application” box to determine which published applications can be directly launched by the client.
You can request that remote applications share sessions (run in a single ICA connection). This provides a better user experience, but is sometimes not desirable. The session sharing feature can be disabled by clearing the “Session sharing” check box.

Si queremos también podemos editar estas directivas a nivel de usuario y no hacerlo a nivel de equipo, estaría en “Configuración de usuario” > “Plantillas administrativas” > “Citrix Components” > “Presentation Server Client”.

www.bujarra.com – Héctor Herrero – nh*****@bu*****.com – v 1.0