citrix_interview.doc


Upload: narendraideal

Post on 13-Dec-2015


Page 1: Citrix_interview.doc

Topics: logon process; application certification; authentication issues (if the Web Interface is down).

What are the consoles available to manage a Citrix server?

Resource Manager
Resource Manager collects, displays and stores data about system performance and application or process use. Is this not exactly the same thing that Performance Monitor (standard in Windows) does? Citrix RM definitely has some overlap with Performance Monitor, but adds some extra functionality to it. These additional functionalities are the benefits of Resource Manager:
• Real Time Watcher: on the monitored counters (called Metrics within Resource Manager) you can assign two thresholds (warning and error). If these thresholds are exceeded, Resource Manager can warn you via several methods such as SMS, e-mail or SNMP.
• Resource Manager can store the collected data for a longer time. This makes it possible to generate reports based on current and past activity.
• Resource Manager has an option to create billing reports based on self-defined costs.
• Besides the system counters, Resource Manager also collects Citrix-specific data such as application usage, user activity and farm information.
If your infrastructure already contains
Database name of Resource Manager: msummerydatabase

Network Manager

Load Manager
Load Manager ensures that each user connects to the server that is most capable of handling that connection. Load Manager applies load evaluators, which consist of rules that govern the way Load Manager determines the resource loading.

Installation Manager
Installation Manager provides an administrator with the ability to package and deploy applications to servers running Presentation Server. An administrator can use Installation Manager to install hotfixes, service packs, application upgrades and new applications on all servers in the farm that have the Installation Manager component.

Web Interface
The Web Interface provides users access to published applications through a web browser. The Web Interface allows for multi-farm administration from a single Access Suite Console. Users can log in to the front-end interface with a web browser from a variety of different workstations and operating systems. The administrator can enforce additional authentication checks by configuring the Web Interface to use RSA SecurID or Secure Computing SafeWord for MetaFrame.

Secure Gateway
The Secure Gateway provides secure access to published applications and resources on servers running Presentation Server through SSL/TLS encrypted sessions. Presentation Server uses the Secure Gateway in combination with the Web Interface.

What is the content of an ICA file?
An Independent Computing Architecture (ICA) file is used by Citrix application servers; it contains configuration information for connecting to different servers and can be edited with an ICA Client Editor or a basic text editor.

What is the ICA protocol and what are the advantages of ICA?


ICA is a general-purpose presentation services protocol for Microsoft Windows, which allows an application's user interface to execute with minimal resource consumption on a client device, while the application logic executes on ICA-based servers, such as the Citrix WinFrame family of multi-user application servers. (A presentation services protocol provides graphical interface screen updates to a client station from an application executing in a multiuser computer system; ICA and T.share are examples for the WinFrame and Windows-based Terminal Server systems.)
Features:
• SpeedScreen multimedia acceleration (now called HDX MediaStream)
• Smartcard virtual channels
• PDA sync and TWAIN (both covered by the new, broad support for USB devices called HDX Plug-n-Play, which actually supports more devices than XenApp does now)
• ICA perfmon counters (SMC) and end-user experience metrics. Any software running on the Virtual Desktop Agent can consume Perfmon counters.

What is Independent Management Architecture?
The IMA service allocates and assigns each session a unique IP address at session start-up. The IMA service stores the virtual IP configuration information in the data store database and the local host cache.

Why do we need Zones? What is the purpose of Data Collectors in Zones?
1. Zones are primarily used for dividing the Citrix servers in a farm based on geographic location.
2. The Zone Data Collector keeps track of the load of each Citrix server in the zone. This is used for new ICA connections to the zone.

What is the XML Broker?
When a user logs on to the Web Interface, it retrieves the list of applications for the authorized user from the IMA data store (via the XML Broker).

I have attached the Default load evaluator to a server and it reports full load. How many users logged in does this indicate?
100 users.

What is the command to force full removal of Citrix after uninstalling it from Add/Remove Programs?
CTX_MF_FORCE_SUBSYSTEM_UNINSTALL

What is the Data Store?
A collection of static data that doesn't change very often:
1. Published application information/configurations
2. Farm configuration
3. Printer drivers and mappings
4. Presentation Server administrator accounts

What is the Zone Data Collector?
A collection of dynamic information about the farm that changes very often:
• Server loads
• Active sessions
• Disconnected sessions
• Users

What is application isolation, and how do you install an application in an isolated environment?
If we already have WinZip 9 on a server and want to install WinZip 10 as well, we can use this feature so that both versions run on the same server in isolated environments without interfering with each other (i.e. separate exe or registry).


1. Go to CMC > Isolation Environment > New isolation environment (provide a name, e.g. SILO2).
2. Go to Cmd > Run: AIESETUP "SILO2" C:\WINZIP.EXE (path of the setup file). It will install the application on the Citrix server; you can check this under Isolation Environment > Properties > Applications.
3. Publish the application using the isolation environment.

Define the functions of the Local Host Cache
Each XenApp server stores a subset of the data store in the Local Host Cache (LHC). The LHC performs two primary functions:
• Permits a server to function in the absence of a connection to the data store.
• Improves performance by caching information used by ICA Clients for enumeration and application resolution.
The LHC is an Access database, Imalhc.mdb, stored by default in the <ProgramFiles>\Citrix\Independent Management Architecture folder. The following information is contained in the local host cache:
• All servers in the farm, and their basic information.
• All applications published within the farm and their properties.
• All Windows network domain trust relationships within the farm.
• All information specific to itself (product code, SNMP settings, licensing information).
On the first startup of the member server, the LHC is populated with a subset of information from the data store. From then on, the IMA service is responsible for keeping the LHC synchronized with the data store. The IMA service performs this task through change notifications and periodic polling of the data store. If the data store is unreachable, the LHC contains enough information about the farm to allow normal operations for an indefinite period of time, if necessary. However, no new static information can be published, or added to the farm, until the farm data store is reachable and operational again.

How to recreate the Local Host Cache
The LHC should be recreated in the following cases:
• If the IMA service does not start, the cause may be a corrupt LHC.
• If you have made extensive changes to the farm data store, such as publishing various applications, adding or removing servers from the farm, or creating new policies.
• If you must clean the farm data store using the DSCHECK utility, you should then rebuild the LHC on each of the servers in your farm once the data store has been cleaned.
Steps to recreate the Local Host Cache
IMPORTANT: The data store server must be available for dsmaint recreatelhc to work. If the data store is not available, the IMA service cannot start.
1. Stop the IMA service on the XenApp server, if it is started. This can be done using the command net stop imaservice, or from Services.
2. Run dsmaint recreatelhc, which renames the existing LHC database, creates a new database, and sets the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\PSRequired to 1. Setting PSRequired to 1 forces the server to establish communication with the data store in order to populate the Local Host Cache database. When the IMA service is restarted, the LHC is recreated with the current data from the data store.
3. Restart the IMA service. This can be done via the command line, net start imaservice, or from Services.

The data store of my Citrix farm is down. Assuming that I am using MF XP(e), what will be the side-effects of this from the perspective of users connecting to applications and from the perspective of a Citrix admin?
1. Users will be able to connect to applications and work without any hassle for 30 days. After that they won't be able to connect.
2. Citrix admins won't even be able to log in to the CMC.
3. No activity can be performed on the farm, such as publishing an application.


You have a Citrix farm running on an Access data store. This farm has only one Citrix server. This server has to be replaced for some reason. You have the new hardware which has to be used in place of the existing server. What are the various steps you would take?
1. Install the required OS.
2. Install Citrix.
3. Issue the command dsmaint /backup on the old server.
4. Copy the .mdb file from the old server to the new server.
5. Issue the command dsmaint /restore with the .mdb file as parameter on the new server.

I have configured a critical application on a server and I wish to allow only a certain number of IP addresses and only a certain number of users access to that application. How can I achieve this?
Create a custom load evaluator with the rules Application User Load and IP Ranges.

How to move or recover the data store
Restore MF20.mdb from backup to the new server at C:\Program Files\Citrix\Independent Management Architecture\.
Create a file DSN that points to the database: Administrative Tools > ODBC > File DSN > Add > choose the database type > choose the location of the MF20.mdb file > choose the file name MF20.dsn > Next > Finish. Then go to Select > choose the database file (MF20.mdb) > OK.
Go to CMD:
DSMAINT CONFIG /USER:ADMINISTRATOR /PWD:PASSWORD /DSN:"C:\Program Files\Citrix\Independent Management Architecture\MF20.dsn"
Restart the IMA service. This server will now be the data store, but we need to update this information on every server in the Citrix farm. Log in to each other Citrix server and run from CMD:
DSMAINT FAILOVER NEW_DATA_STORE_SERVERNAME
Then restart the IMA service.

What is a session printer and how do you create one?
You can create a Session Printing policy to apply to specific client IP address ranges, thus ensuring that a user is always attached to a nearby network printer.
How to set up session printing: In Management Console > Policies, create a policy called "North Printer". Then go to the properties of that policy > Printing > Session Printers and add a printer. Then go to "Apply policy to" and add users and/or groups, and that printer will show up in their Citrix session. Assuming this is correct, removing that user or group should then remove that printer from the next session opened. Well, in my case it does not. When I add a group to a policy, the printers show up at the next login. The printer does not go away, though, when I remove that group from the policy and log in again.

What are the different ports used in Citrix?
ICA (default): TCP 1494
RDP: TCP 3389
IMA: TCP 2512
CMC: TCP 2513
SSL: TCP 443
STA (IIS): TCP 80
TCP Browsing: UDP 1604
XML (default): TCP 80
Citrix License Management Console: TCP 8082
Presentation Server Licensing: TCP 27000
ICA session with Session Reliability enabled: TCP 2598
Access Gateway Standard and Advanced Editions: TCP 9001, 9002, 9005
Manager service daemon server: TCP 2897
Network Manager SNMP: UDP 161, 162

What is a mixed mode farm, and how does it work?
Setting a MetaFrame XP server farm to mixed mode enables the XP servers to communicate and integrate with MetaFrame 1.8 servers; you can then publish and load balance applications across both platforms. Users see one unified server farm that consists of MetaFrame 1.8 and XP servers. For a mixed mode farm we look at the following technical component:
IMA service: MetaFrame XP uses the IMA service, but MetaFrame 1.8 uses the Program Neighborhood service and the ICA Browser service. MetaFrame 1.8 does not understand the IMA service, hence the MetaFrame XP server must run the legacy ICA Browser and Program Neighborhood services in addition to the IMA service and all of its components.
Server Farm Design:

What is the difference between the Citrix Standard, Advanced and Enterprise editions?
Presentation Server, Enterprise Edition includes:
• Resource Manager
• Network Manager
• Load Manager
• Installation Manager
• Web Interface
• Secure Gateway
• Document Center
Advanced Edition includes:
• Load Manager
• Web Interface
• Secure Gateway
• Document Center
Standard Edition includes:
• Web Interface
• Secure Gateway
• Document Center

What are the prerequisites for Citrix Presentation Server?
• Windows 2000 Server, Windows 2000 Advanced Server or Windows 2000 Datacenter; or Windows Server 2003, Standard, Enterprise or Datacenter Edition
• Terminal Services running in application mode
• Java Runtime Environment version 1.4.2_06
• .NET Framework version 1.1 with Service Pack 1
• Microsoft Windows Installer (MSI) 3.0

What is the difference between 2k & 2k3 terminal server licensing?

What is Client Lock Down?


How do you implement a policy in Citrix?
Policy properties:
• Bandwidth: visual effects, SpeedScreen and session limits can be configured here
• Client devices: resources (microphone, sound quality, turn off speaker), drives, ports, PDA devices, other
• Printing
• User workspace
• Security
Policy filters are based on the following:
• Access control (based on access, i.e. via Secure Gateway)
• Client IP address
• Client name
• Servers
• Users

What is Citrix Secure/Access Gateway and how does it work?

Which file do you need to edit to specify the configuration of the Secure Gateway server?

How does licensing work in Citrix, and what are the differences in Citrix licensing from version to version?

Application Streaming
Application streaming is an alternative to installing applications locally on individual PCs. Instead of completely installing a Windows program on a PC, it is streamed from a central server where only the parts of the application required by the user are installed for immediate use. As additional functionality is required by the user it is streamed on demand. When the user has finished with the application and chooses to do so, all components are completely removed, as if the application was never there.

Computer application streaming is a form of on-demand software distribution.The basic concept of application streaming has its foundation in the way modern computer programming languages and operating systems produce and run application code. Only specific parts of a computer program need to be available at any instance for the end user to perform a particular function. This means that a program need not be fully installed on a client computer, but parts of it can be delivered over a low bandwidth network as and when they are required.

Application streaming is usually combined with application virtualization, so that applications are not installed in the traditional sense.

Stream server
An application is packaged and stored on a streaming server.[1] Packaging or sequencing produces an image of the application in a way that either orders delivery and/or predictively optimizes delivery to the client.[1]

Launch and streaming of the application
The initial launch of an application would be important for the end user and the packaging process might be optimized to achieve this. Once launched, common functions would be followed. As these functions are requested by the end user, these may be streamed in a similar manner. In this case the client is pulling the application from the stream server. Otherwise, the full application might be delivered from the server to the client in the background. In this case, the server pushes the application to the client.


Advantages
• Given the complexity of modern applications, many functions are never or seldom used, and pulling the application on demand is more efficient in terms of server, client and network usage.
• Simplified operating system migrations.
• Accelerated application deployment.
• Centralized application management, with local execution.
• Ability to continue to use applications when offline (in contrast to pure web applications).
• Delivers fully featured desktop applications (in contrast to browser-driven web applications).
• Software license optimization by controlling simultaneous users of software.

What is a load evaluator, and how many kinds of load evaluator are there?
Load Manager balances server load across the server farm by:
• Using load evaluator rules to calculate server load
• Identifying which server is least busy
• Directing the client to connect to the least busy server

Default Load Evaluator: The Default Load Evaluator uses the user session count for its criteria.

The Default load evaluator is based on the Server User Load rule only. This rule reports a full load when the number of user sessions on the server exceeds 100. After 100 sessions, additional user sessions are not allowed on the server because it has reached its maximum load limit. The Default load evaluator functions best when the server hardware can adequately support up to 100 users without fully consuming server resources. If the server is not able to support at least 100 users, either because of resource-intensive applications or hardware limitations, Citrix recommends that either the Advanced load evaluator or a custom load evaluator be considered for that environment.
Note: Load Manager applies the Default load evaluator if the administrator publishes an application to multiple servers and does not specify a load evaluator. An administrator cannot modify the Default and Advanced load evaluators; however, an administrator can create custom load evaluators based on the same rules or on different rules entirely.

Advanced Load Evaluator: Use the Advanced Load Evaluator to limit memory usage, CPU utilization, and page swaps on a server for load management.

The Advanced load evaluator is based on the following rules:
• CPU Utilization, which reports a full load when processor utilization is greater than 90% and no load when processor utilization is less than 10%
• Memory Usage, which reports a full load when memory usage is greater than 90% and no load when memory usage is less than 10%
• Page Swaps, which reports a full load when the number of page swaps per second is greater than 100 and no load when the number of page swaps per second is equal to 0

Citrix recommends using the Advanced load evaluator in environments where server resources become overutilized before the maximum number of users connect. The Advanced load evaluator is also ideal when publishing applications that are CPU or memory intensive.
Note: Load evaluators that include more than one rule, such as the Advanced load evaluator, calculate their load values by first determining the individual load for each rule within the evaluator. Load Manager then uses a complex algorithm to determine the true load value of the server or application. This algorithm includes all applicable load values and gives the most weight to the load rule with the highest load value.

Custom load evaluator
Load evaluators are based on system resources and system resource consumption. An administrator can create a custom load evaluator if the Default or Advanced load evaluators are not adequate based on the hardware or application configuration of the servers. To create a custom load evaluator an administrator can either create a new load evaluator or copy an existing load evaluator and modify it. A custom load evaluator is any load evaluator with the exception of the Default or Advanced load evaluators and contains one or more rules.

Creating load evaluators based on simple rules can provide more accurate results than creating complex load evaluators with multiple rules.

Warning: Consider the effect of building custom load evaluators and selecting certain rules. Be sure that all load evaluator configurations are fully tested prior to implementing the rules in a production environment. For example, CPU utilization can spike for brief moments; therefore, that rule by itself may not provide the best method for load balancing and may not provide a true reflection of CPU usage.
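The Default, Advanced and custom evaluators described above, worked through as a small model (an added example, not Citrix's own Load Manager code). It assumes a 0..100 load scale, linear interpolation between each rule's no-load and full-load thresholds, and that an evaluator's overall load is its highest rule load; the Application User Load limit and the allowed IP ranges used for the custom evaluator from the earlier question are constructed parameters.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

FULL_LOAD = 100  # assumed scale for this model: 0 = no load, 100 = full load


def rule_load(value, no_load, full_load):
    """Map a metric onto 0..100 between a rule's no-load and full-load
    thresholds. The page gives only the two thresholds; linear
    interpolation between them is an assumption of this model."""
    if value <= no_load:
        return 0
    if value >= full_load:
        return FULL_LOAD
    return round(FULL_LOAD * (value - no_load) / (full_load - no_load))


@dataclass
class Server:
    name: str
    sessions: int = 0                 # all user sessions on the server
    cpu_pct: float = 0.0
    mem_pct: float = 0.0
    page_swaps_per_sec: float = 0.0
    app_sessions: dict = field(default_factory=dict)  # app name -> sessions


@dataclass
class Request:
    client_ip: str                    # ICA client address
    app: str                          # published application requested


# Rules named on the page. Each returns the load seen by one rule.
def server_user_load(server, _req):
    # Default evaluator: full load at 100 user sessions
    return rule_load(server.sessions, 0, 100)


def cpu_utilization(server, _req):
    # Advanced: no load below 10 %, full load above 90 %
    return rule_load(server.cpu_pct, 10, 90)


def memory_usage(server, _req):
    return rule_load(server.mem_pct, 10, 90)


def page_swaps(server, _req):
    # Advanced: no load at 0 swaps/s, full load above 100 swaps/s
    return rule_load(server.page_swaps_per_sec, 0, 100)


def application_user_load(limit):
    # Custom rule: full load once the requested app reaches `limit` sessions
    # (the page names the rule; the limit is a constructed parameter)
    def rule(server, req):
        return rule_load(server.app_sessions.get(req.app, 0), 0, limit)
    return rule


def ip_range(allowed_cidrs):
    # Custom rule: clients outside the allowed ranges see the server as full,
    # so they are never directed to it (assumed reading of the IP Ranges rule)
    nets = [ip_network(c) for c in allowed_cidrs]

    def rule(_server, req):
        ip = ip_address(req.client_ip)
        return 0 if any(ip in n for n in nets) else FULL_LOAD
    return rule


DEFAULT_EVALUATOR = [server_user_load]
ADVANCED_EVALUATOR = [cpu_utilization, memory_usage, page_swaps]
# Custom evaluator for "only certain users and IP ranges" (constructed values)
CUSTOM_EVALUATOR = [application_user_load(20), ip_range(["10.0.0.0/8"])]


def evaluate(rules, server, req):
    """Overall load under an evaluator. The page says the real algorithm
    weights the highest rule most; taking the maximum is the simplification
    used here, and it also explains why a momentary CPU spike can mark a
    server full when CPU is the only rule."""
    return max(rule(server, req) for rule in rules)


def least_busy(rules, servers, req):
    """Pick the server with the lowest load; None if every server is full."""
    loads = {s.name: evaluate(rules, s, req) for s in servers}
    open_servers = {n: l for n, l in loads.items() if l < FULL_LOAD}
    if not open_servers:
        return None
    return min(open_servers, key=open_servers.get)
```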


What is the difference between the TS Licensing in Windows 2000 and Windows 2003?

Difference between RDP and ICA

Difference between PNA and PN

Services on Citrix
Citrix Print Manager: The Citrix Print Manager Service (cpsvc.exe) controls the creation, deletion, and management of all client printers.
Citrix XML Service: MetaFrame XP uses the Citrix XML Service to supply servers running the Web Interface for MetaFrame XP and ICA Clients with the names of applications published on MetaFrame XP servers. By default, MetaFrame XP Setup configures the Citrix XML Service to share the default TCP/IP communication port (port 80) with Microsoft Internet Information Services. If you intend to send data to the Web Interface for MetaFrame XP over a secure HTTP connection using SSL, be sure that the Citrix XML Service is set to share its port with IIS and that IIS is configured to support HTTPS.
Client device users use a Web browser to view the Log in page and enter their user credentials. The Web server reads the users' information and uses the Web Interface's classes to forward the information to the Citrix XML Service on servers in the server farms. The designated server acts as a broker between the Web server and the servers. The Citrix XML Service on the designated server then retrieves a list of applications from the servers that users can access. These applications comprise the user's application set. The Citrix XML Service retrieves the application set from the Independent Management Architecture (IMA) system and Program Neighborhood Service, respectively. In a MetaFrame Presentation Server for UNIX farm, the Citrix XML Service on the designated server uses information gathered from the ICA browser and the local Web Interface configuration file to determine which applications the user can access. The Citrix XML Service then returns the user's application set information to the Web Interface's classes running on the server. The user initiates the next step by clicking one of the hyperlinks in the HTML page. The Citrix XML Service is contacted to locate the server in the farm that is the least busy. The XML Service requests a ticket from the least busy server corresponding to the user's credentials. The XML Service returns the least-busy server's address and ticket to the Web Interface. The classes finish parsing the template file and send a customized file to the Web browser. The Web browser receives the file and passes it to the client device. The client receives the file and initiates a client session with a server according to the file's connection information.

Citrix XTE Service: Session reliability is provided by the Citrix XTE service through the Common Gateway Protocol (CGP). By default, CGP uses TCP port 2598. Session reliability enables sessions to remain open and on screen when network connectivity is interrupted. Client users can continue to view the application while the network connection is restored. This feature is useful for mobile users with wireless connections.

A user has one printer in his Citrix session. However, when he prints to that printer, features like duplex, staple, etc. are not taking effect in print jobs. But when he prints to the same printer outside Citrix, these features are available. What could be the issue?
The printer in the Citrix session is using the UPD (Citrix Universal Print Driver), which does not provide all features of printers. The printer driver for the user's printer is not installed on the Citrix server.

You have a Citrix server with around 200 print drivers installed on it. All these drivers have to be made available on another server, which is going to be load-balancing with this server. What are the different ways of accomplishing this task?
1. Print driver replication through the CMC
2. PrintMig

The Citrix IMA Service is failing. What are the troubleshooting steps to resolve this issue?
1. Check connectivity to the data store.
2. Try recreating the LHC using the command dsmaint recreatelhc.
3. Check for the .dll which is failing to load (this can be found in HKLM\Software\Citrix\IMA\Runtime\CurrentlyLoadingPlugIn).

The Independent Management Architecture (IMA) service fails to start.
Cause
There can be a number of reasons why the IMA Service appears not to have started, including the following:
• IMA Service load time
• IMA Service subsystem
• Missing Temp directory
• Print spooler service
• ODBC configuration
• Roaming profile
• Another server with an identical NetBIOS name on the same network
IMA Service Load Time
If the Service Control Manager reports that the IMA Service could not be started, but the service eventually starts, ignore the error message. The Service Control Manager has a timeout of 6 minutes. The IMA Service can take longer than 6 minutes to start if the load on the database exceeds the capabilities of the database hardware or if the network has high latency.
IMA Service Subsystem
Examine the following Windows Registry setting:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\CurrentlyLoadingPlugin
If there is no value specified in the CurrentlyLoadingPlugin portion of the above Windows Registry entry, then either the IMA Service could not connect to the data store or the local host cache is missing or corrupt. If a CurrentlyLoadingPlugin value is specified, the IMA Service made a connection to the data store and the value displayed is the name of the IMA Service subsystem that failed to load.
Missing Temp Directory
If administrators see an "IMA Service Failed" error message with an error code of 2147483649 when starting the MetaFrame XP Presentation Server, the local system account may be missing a Temp directory, which is required for the IMA Service to run. To gain further insight into the situation, change the IMA Service startup account to the local administrator and restart the server. If the IMA Service is successful in starting under the local administrator's account, then the odds are greater that a missing Temp directory for the local system account is causing the situation. If the Temp directory is not present, then manually create one as %systemroot%\Temp, for example C:\Winnt\Temp. Also, verify that the TMP and TEMP system environment variables point to the temporary directory. Restart the server to restart the IMA Service.
Print Spooler Service
When the MetaFrame XP Presentation Server attempts to start the IMA Service, the "Setup Could Not Start The IMA Service" error message is displayed. This error shows that the IMA Service is not starting, possibly due to the print spooler service not running or being configured incorrectly. In addition, the following error messages appear in the Event Viewer:
• Failed to load plugin MfPrintSs.dll with error 80000001h
• Failed to load initial plugins with error 80000001h
• The Independent Management Architecture service terminated with service-specific error
The error occurs because the print spooler service:
• Has stopped
• Is disabled
• Is not configured to run under the Local System account
To correct this error, verify that the print spooler service was started in the context of the system rather than in the context of a user. A print spooler service that is not running or has been configured incorrectly may cause the printing subsystem to fail to load. To resolve the situation, stop and start the print spooler service, making sure that it is configured to run under the Local System account. Then once again try to start the IMA Service.
ODBC Configuration
1. Verify that the Microsoft SQL Server or Oracle server is online.
2. Verify the name of the DSN file that the IMA Service is using by looking at the following key in the Windows Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DataSourceName.
3. Attempt to connect to the database using the DSN file with an ODBC test utility such as Oracle ODBC Test or SQL Server ODBC Test.
4. Verify that the correct user name and password are being used for database connectivity.
5. Change the user name and password using the DSMAINT CONFIG command, if needed.
6. Enable ODBC tracing for further troubleshooting.
Roaming Profile
When the MetaFrame XP Presentation Server attempts to start the IMA Service, the "Setup Could Not Start The IMA Service" error message is displayed. In the Event Viewer you might see the error IMA_RESULT_INVALID_MESSAGE or other events related to the IMA Service not being able to start. Verify the size of the roaming profile, especially if it is crossing a WAN. Also watch for error messages related to not being able to load the profile. Test with a local user profile or one that is smaller in size.


Another Server with an Identical NetBIOS Name on the Same Network
Verify that there is not another server on the network with the same NetBIOS name. If CurrentlyLoadingPlugin has ImaLicSs.dll listed, this might be an indication of this condition. Another symptom involving ImaLicSs.dll is from the MetaFrame XP SP4 Readme, item 106: the IMA Service failed to start because of license group corruption in the data store.

You have 1 TS License Server in your Windows 2003 domain. You need to point all your Citrix servers to get TS Licenses from this server. How would you accomplish this?
On each Citrix server, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers and create a subkey whose name is the name of your TS License Server. The Terminal Services licensing component then contacts that server instead of relying on discovery. On Windows Server 2003 SP1 and later the same setting can be applied centrally through Group Policy (Use the specified Terminal Server license servers), which avoids editing the registry on every farm server.

When I open CMC, some of the nodes like Printer Management, Licensing, etc. are not visible. I have logged onto CMC as a Citrix Administrator. What command needs to be issued to resolve this?
The command dscheck /update resolves the inconsistencies in the data store that cause the missing nodes, which resolves this issue.

What Citrix Products Interact with the STA?
Web Interface, NFuse Classic, NFuse Elite, MetaFrame Secure Access Manager, and Citrix Secure Gateway all share use of the STA. Throughout this document, the following types of servers are grouped into a single category called application enumeration servers:
• Web Interface 2.0 or later
• Secure Access Manager 2.0 or later
• NFuse Classic 1.7 and earlier
• Project Columbia 6.01.034 or later
• NFuse Elite 1.0
Application enumeration servers are responsible for authenticating users, enumerating published application icons, and producing an ICA file for a client that allows them to connect to a published application through a secure gateway server.

Why Is the STA Necessary?
In Citrix Secure Gateway deployments, the gateway server does not perform authentication of incoming requests. Instead, the gateway server defers authentication to an application enumeration server and uses the STA to guarantee that each user is authenticated. Application enumeration servers request tickets only for users who are already authenticated to the Web server. If users have valid STA tickets, the gateway assumes that they passed the authentication checks at the Web server and should be permitted access.

This design allows the Citrix Secure Gateway server to inherit whatever authentication methods are in place on your Web server. For example, if your Web Interface server is protected with RSA SecurID, by design only SecurID-authenticated users can traverse the secure gateway server.

How Is the STA Service Implemented?
The STA is written as an ISAPI extension for Microsoft Internet Information Services (IIS). The extension is called CtxSta.dll and is hosted in the /Scripts folder by default. Other components communicate with the STA using XML over HTTP.


Application enumeration servers request tickets at application launch time by sending data to the STA as part of a ticket request. The data sent to the STA includes the address of the MetaFrame Presentation Server to which the user will connect and, in the case of Web Interface 2.0 and Secure Access Manager 2.0, extended information about the name of the current user and the published application the user wants to run. The STA responds by generating a ticket and sending it back to the application enumeration server. This ticket and its corresponding data remain in memory at the STA for a configurable number of seconds (100 by default).

The application enumeration server constructs an ICA file for the user and inserts the STA ticket in the Address field of the ICA file. When the client connects to the secure gateway, the ticket is presented and the gateway must validate the ticket before establishing a secure session for the client. The gateway performs a data request by sending the ticket back to the STA and asking for its corresponding data in return. If successfully validated, the STA forwards the original data to the gateway and the gateway establishes a relay between the end user and the MetaFrame Presentation Server. Both ticket requests and data requests are carried out as XML request/response documents. The procedure is discussed in greater detail in the Secure Gateway for MetaFrame Administrator’s Guide.

Is there a Version of the STA that does not Require IIS?

No, at this time IIS is required to host the STA. Bear in mind that the STA does not have to be exposed to an untrusted network like the Internet; the STA resides on your trusted network and is accessed by the gateway and application enumeration servers only.

Where does the STA Server Reside?
The STA server can be placed anywhere as long as the secure gateway and application enumeration servers can reach it. Citrix recommends placing the STA on the trusted network or on a separate leg of your internal firewall, but there are no requirements for the STA server other than IIS. The STA need not belong to any domain, MetaFrame Presentation Server farm or Secure Access Manager farm, and it need not be dedicated: sharing the STA’s host with another function, such as an internal Web server, is common practice. An STA is included automatically as part of the Secure Access Manager 2.0 setup, and many administrators find it convenient to locate the STA on a MetaFrame server.

Security Questions
How Is the STA Ticket Generated?


The ISAPI extension CtxSta.dll uses pseudo-random number generation to produce a 16-byte hexadecimal string. For security reasons, Citrix does not disclose the exact steps used to produce this random sequence of characters.

Is the Ticket Validated against the Workstation?
No, there is nothing that ties a ticket to a particular workstation. It is theoretically possible for a ticket to be requested from Workstation A and then used from Workstation B; in that sense the ticket is a bearer credential, and whoever presents it to the gateway first, within the time-out, gets the connection. To mitigate this risk:
• Always use HTTPS between the client and the application enumeration server to prevent an attacker from intercepting the ticket as it travels from server to client
• Reduce the ticket time-to-live as much as possible to reduce the amount of time an attacker would have to transfer the ticket from Machine A to Machine B
Bear in mind that a ticket issued by the STA can be used only once, so if the intended user on Machine A connects successfully, the ticket is invalid for all future connection attempts from Machine A or Machine B.

Is the Ticket Deleted after Use?
Yes, tickets are purged immediately after a successful data request so they can be used only once. They are also deleted after a configurable time-out (default 100 seconds) if not used.

Must the STA always be Addressed using a Fully-Qualified Domain Name?
If you intend to secure traffic to the STA using SSL, any component that accesses the STA, including your gateway server and application enumeration server, must address the STA using the fully-qualified domain name (FQDN) that matches the subject of the server certificate used by IIS on the STA. For example, in Web Interface 2.0, the STA address would be entered as:

https://sta-server.company.com/Scripts/CtxSta.dll
If you choose not to secure traffic to the STA, you can address the STA using an IP address, host name, or FQDN. Bear in mind that without SSL the ticket requests and data requests, including the internal MetaFrame server addresses they carry, travel in clear text on that network segment.

How do I Change the STA Port from 80 to Something Else?
Because the STA is served by IIS, you change the STA port when you change the IIS port. Here’s an example of how to change the IIS port from 80 to 81.


1. Open Internet Services Manager.
2. Right-click Default Web Site and view its Properties.
3. On the Web Site tab, change the TCP port number from 80 to 81.
4. Click OK.

The above change also affects any other resources you published from the STA Web server. If you want to alter the STA communication port without affecting other Web pages hosted by the same Web server, you can create a new Web site in IIS for the sole purpose of hosting the STA. The following is an example of how you would create a new Web site on port 81 for the STA:

1. Create a new physical folder such as C:\MYSTA on your Web server’s hard drive to serve as the document root for the STA site.
2. Create a subdirectory beneath MYSTA called Scripts. Move the following files from your existing STA into the new Scripts folder:

• CtxSta.dll
• CtxSta.config
• ctxxmlss.txt

3. Open Internet Services Manager.
4. Right-click the server name and select New > Web site.
5. Create a new Web site called “My STA site” with C:\MYSTA as the document root directory.
6. View the properties of your new Web site and change the TCP port to 81.
7. Beneath My STA site in Internet Services Manager, right-click the Scripts folder and view its properties. In the Application Settings section, change the Execute permissions to “Scripts and Executables.”
Note: You can choose a folder name other than “Scripts”, but be aware that Secure Gateway and all application enumeration servers such as NFuse Classic and Web Interface assume that the STA is published as /Scripts/CtxSta.dll, so you will also need to update the STA URL in the settings on those servers.

What other Information Is Required to Log on other than a Valid STA Ticket?
Users also need domain credentials or a MetaFrame Presentation Server ticket that is requested by the application enumeration server. (A MetaFrame Presentation Server ticket is not the same as an STA ticket.) Satisfying the STA opens a path only to the trusted network for a particular server. Once there, the user must still authenticate with valid domain credentials.

How many STAs do I Need?
Because the STA is accessed only when a user launches an application, the answer to this question varies from one deployment to the next. Do users log on through the gateway in the morning and run a single published application all day, or do they launch several applications throughout the day?

The duties performed by the STA are not expensive in CPU terms; it is a light XML service limited only by the performance of IIS. In one test, a low-range server with a 1GHz processor and 256MB of RAM supported over 250 ticket requests per second while CPU utilization stayed below 60%.

How can I Ensure STA Fault Tolerance?

The following application enumeration servers all allow you to enter multiple STA URLs when configuring the parameters for Secure Gateway:

• Web Interface 2.0
• Secure Access Manager 2.0
• NFuse Classic 1.7
• NFuse Classic 1.61
• Project Columbia 6.01.034 and higher

In all cases, if an STA fails to respond, the application enumeration server tries another STA on the list. Each gateway server in turn must be configured with the STA URL and unique STA ID for each ticket authority.

How do I Load Balance Multiple STAs?
Special care needs to be taken when load balancing Secure Ticket Authorities. A variety of methods can be used to load-balance the connection between an application enumeration server and the STAs, but a Secure Gateway server must always contact each STA individually based on its STA ID. When configuring the address of each STA in the gateway service configuration tool, each STA address must be the true address of the STA server: do not enter the address of any hardware load balancer, cluster name, or round-robin DNS name here.

NFuse Classic 1.7, Web Interface 2.0, and Secure Access Manager 2.0 all support round-robin load balancing of the STAs when multiple STAs are listed. When this option is enabled, no additional load balancing software or hardware is required.

Application enumeration servers can use any form of load balancing for issuing a ticket request because each ticket received contains a field indicating the unique ID of the STA that generated it. As long as each STA ID is unique and all gateway servers can resolve the STA ID to a particular (not load balanced) server address, the operation succeeds and STA traffic is load balanced.

Can I use Several STAs with Microsoft Network Load Balancing?

Network load balancing cannot be used between the Secure Gateway server and multiple STAs. If configured this way, users receive intermittent denials because, during the ticket validation process, the gateway might be load balanced to an authority that did not originally generate the user’s ticket.
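The ticket request and data request exchange described earlier, the single-use and 100-second time-out properties, the fall-back to the next STA on the enumeration server’s list, and the STA-ID routing that a gateway needs (and that a load balancer between gateway and STAs breaks) are modelled together in the following added Python example. This is illustrative code written for this page, not Citrix code: the real CtxSta.dll exchanges XML over HTTP and its ticket generator is undisclosed, so the "<STA ID>;<hex>" ticket layout, the in-memory store, the simulated clock and the STA names STA01 and STA02 are assumptions.

```python
# Added example (not Citrix code): a model of the Secure Gateway / STA exchange.
# Assumed for illustration: ticket layout "<STA ID>;<hex>", an in-memory store
# and a simulated clock. The real CtxSta.dll speaks XML over HTTP.
import itertools
import secrets
from typing import Dict, List, Optional, Tuple

DEFAULT_TTL = 100.0  # seconds; the default ticket time-out the page quotes

class StaUnavailable(Exception):
    """Simulated outage: the STA did not respond."""

class SecureTicketAuthority:
    def __init__(self, sta_id: str, ttl: float = DEFAULT_TTL) -> None:
        self.sta_id, self.ttl, self.online = sta_id, ttl, True
        self._tickets: Dict[str, Tuple[str, float]] = {}  # ticket -> (data, expiry)

    def ticket_request(self, data: str, now: float) -> str:
        """Enumeration server -> STA: store the target server, return a ticket."""
        if not self.online:
            raise StaUnavailable(self.sta_id)
        token = secrets.token_hex(16)  # 16 random bytes, hex-encoded (assumed layout)
        ticket = f"{self.sta_id};{token}"
        self._tickets[ticket] = (data, now + self.ttl)
        return ticket

    def data_request(self, ticket: str, now: float) -> Optional[str]:
        """Gateway -> STA: hand back the data once, then purge the ticket."""
        if not self.online:
            raise StaUnavailable(self.sta_id)
        for stale in [t for t, (_, exp) in self._tickets.items() if exp <= now]:
            del self._tickets[stale]  # unused tickets die after the TTL
        entry = self._tickets.pop(ticket, None)  # pop: a ticket is valid exactly once
        return None if entry is None else entry[0]

def sta_id_of(ticket: str) -> str:
    """The STA ID travels inside the ticket so the gateway can route it."""
    return ticket.split(";", 1)[0]

class EnumerationServer:
    """Web Interface / NFuse stand-in configured with a list of STAs."""
    def __init__(self, stas: List[SecureTicketAuthority]) -> None:
        self.stas = stas

    def build_address(self, metaframe_server: str, now: float) -> str:
        for sta in self.stas:
            try:
                return sta.ticket_request(metaframe_server, now)
            except StaUnavailable:
                continue  # try the next STA on the list
        raise StaUnavailable("no STA reachable")

class Gateway:
    """Correct configuration: every STA's true address, keyed by its STA ID."""
    def __init__(self, stas: List[SecureTicketAuthority]) -> None:
        self.by_id = {s.sta_id: s for s in stas}

    def validate(self, ticket: str, now: float) -> Optional[str]:
        sta = self.by_id.get(sta_id_of(ticket))
        return None if sta is None else sta.data_request(ticket, now)

class LoadBalancedGateway:
    """Misconfiguration the page warns about: STAs reached through a balancer
    (modelled as round-robin) instead of individually by STA ID."""
    def __init__(self, stas: List[SecureTicketAuthority]) -> None:
        self._next = itertools.cycle(stas)

    def validate(self, ticket: str, now: float) -> Optional[str]:
        return next(self._next).data_request(ticket, now)

def demo() -> dict:
    sta_a, sta_b = SecureTicketAuthority("STA01"), SecureTicketAuthority("STA02")
    wi, gw, out = EnumerationServer([sta_a, sta_b]), Gateway([sta_a, sta_b]), {}
    # 1. Normal launch: the ticket resolves once; a replay is refused.
    t = wi.build_address("10.0.0.5:1494", now=0.0)
    out["first"], out["replay"] = gw.validate(t, now=1.0), gw.validate(t, now=2.0)
    # 2. A ticket that is never presented expires after DEFAULT_TTL seconds.
    t = wi.build_address("10.0.0.5:1494", now=0.0)
    out["expired"] = gw.validate(t, now=DEFAULT_TTL)
    # 3. STA01 is down: the enumeration server falls back to STA02, and the
    #    gateway still finds the right STA from the ID carried in the ticket.
    sta_a.online = False
    t = wi.build_address("10.0.0.6:1494", now=0.0)
    out["failover_sta"], out["failover"] = sta_id_of(t), gw.validate(t, now=1.0)
    sta_a.online = True
    # 4. NLB-style gateway: every other STA01 ticket lands on STA02 and is
    #    denied, which is the intermittent failure the page describes.
    lb_gw = LoadBalancedGateway([sta_a, sta_b])
    out["nlb"] = [lb_gw.validate(sta_a.ticket_request("10.0.0.7:1494", 0.0), 1.0)
                  for _ in range(4)]
    return out

if __name__ == "__main__":
    print(demo())
```

demo() returns the outcome of the four scenarios; running the file prints them. The "nlb" entry alternates between a resolved server address and None, which is the intermittent-denial pattern to expect when a balancer address, rather than each STA’s own address, is entered in the gateway’s STA list.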

Can I Share a Single STA with Multiple Farms, Gateways, and Enumeration Servers?
Yes, a single STA can be shared among any number of Secure Gateway servers and application enumeration servers. The STA is not restricted to any particular domain, farm, or application enumeration server. It is an anonymous XML service.

Troubleshooting Questions
How should IIS be Configured to Host the STA?

• The STA URL /Scripts/CtxSta.dll must be served with Anonymous access enabled. If you point any Web browser to the STA URL you will not be prompted for a password.
• You must grant the resource Scripts and Executables permission in the IIS metabase. This permission is not needed for the entire /Scripts folder but can be set for the CtxSta.dll file individually.
• For Secure Gateway Version 1.1 and earlier, do not enable the Require SSL and Require 128-bit SSL options.
• By default, the following account permissions are needed:

On Windows 2000 servers
o The IUSR_MachineName account needs Read access to CtxSta.dll
o The IWAM_MachineName account needs Modify access to the log file directory, which is \Inetpub\Scripts by default
On Windows 2003 servers
o The IUSR_MachineName account needs Read access to CtxSta.dll
o The built-in Network Service account needs Modify access to the log file directory, which is \Inetpub\Scripts by default

How do I Enable Logging at the STA?
Using Notepad, edit the file \Inetpub\Scripts\CtxSta.config on the STA server and locate the line that says LogLevel=0. For maximum logging, change this to LogLevel=3. You must restart the World Wide Web Publishing Service for changes to take effect.

Note: After you enable logging, the user account under whose authority the STA executes (IUSR_MachineName on Windows 2000 or Network Service on Windows 2003 by default) must have Write access to the log file directory, which is \Inetpub\Scripts by default. You can also change the log file directory when you edit CtxSta.config.

Why does the Microsoft IISLockDown Tool Break the STA?

If you accept all the default settings for the IISLockDown tool, the /Scripts folder is disabled. The STA is implemented as an ISAPI extension published as /Scripts/CtxSta.dll, so disabling the /Scripts directory denies access to the STA. Re-enable the /Scripts folder and grant Scripts and Executables permission on CtxSta.dll for the STA to function.

How can I Test the STA to be Sure it is Working Properly?
If you point a Web browser to the STA URL, you will see either a blank white page or the message “405 Resource Not Allowed.” Either of these results indicates a functioning STA. You can contact the STA in this manner from the console of your Secure Gateway server and also from any application enumeration server configured to use the gateway. If you receive an authentication dialog box prompting you for a password, the STA is not published anonymously and the authentication requirements need to be removed.

To verify that the application enumeration server is successfully requesting STA tickets, look at the ICA files it generates. For example, from Web Interface 2.0, you can right-click a published application icon and save the result as launch.ica. Open launch.ica in Notepad and view the Address= line. For normal Secure Gateway operation, the Address parameter will contain a ticket instead of an actual MetaFrame server address.
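The launch.ica check just described can be done mechanically. The following Python script is an added example written for this page, not a Citrix tool. Beyond what the page states, it assumes that a ticketed Address value is a "<STA ID>;<hex>" token rather than a host or IP, that the ICA file is INI-formatted with an [ApplicationServers] section that lists one section per published application, and that SSLProxyHost names the gateway; the embedded launch.ica is constructed for the example.

```python
# Added example (not Citrix tooling): check a saved launch.ica for Secure
# Gateway operation. SAMPLE_ICA is constructed; the assumption is that a
# ticketed Address is a "<STA ID>;<hex>" token rather than a host or IP.
import configparser
import ipaddress
import re
from typing import Dict, Optional

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")

SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=
Excel=

[Notepad]
Address=STA01;3b1f9ac0e4d27a6b85c4f1e0d9a2b7c3
InitialProgram=#Notepad
SSLEnable=On
SSLProxyHost=gateway.company.com:443

[Excel]
Address=10.0.0.5:1494
InitialProgram=#Excel
"""


def is_server_address(value: str) -> bool:
    """True when Address names a host or IP (optionally :port), not a ticket."""
    host = value.rsplit(":", 1)[0] if re.search(r":\d+$", value) else value
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(host) is not None


def sta_id_of(address: str) -> Optional[str]:
    """STA ID carried in a ticketed Address (assumed "<STA ID>;<hex>" layout)."""
    return address.split(";", 1)[0] if ";" in address else None


def check_ica(text: str) -> Dict[str, Dict[str, object]]:
    """Report, per published application, whether Address= holds an STA ticket."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the ICA file
    cp.read_string(text)
    apps = cp.options("ApplicationServers") if cp.has_section("ApplicationServers") else []
    report: Dict[str, Dict[str, object]] = {}
    for app in apps:
        addr = cp.get(app, "Address", fallback="")
        ticketed = bool(addr) and not is_server_address(addr)
        report[app] = {
            "address": addr,
            "ticketed": ticketed,  # False: the internal server address is in the ICA file
            "sta_id": sta_id_of(addr) if ticketed else None,
            "gateway": cp.get(app, "SSLProxyHost", fallback=None),
        }
    return report


if __name__ == "__main__":
    for app, info in check_ica(SAMPLE_ICA).items():
        state = "ticket" if info["ticketed"] else "REAL SERVER ADDRESS"
        print(f"{app}: {state} ({info['address']})")
```

An entry with ticketed False means the ICA file carries the internal MetaFrame address instead of a ticket: that launch would not pass the gateway’s ticket validation, and the internal address has already been disclosed to the client.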


What do you mean by Global Catalog and what are the roles of a Global Catalog Server?
The global catalog is a database that holds a full replica of every object in its own domain and a partial replica (a subset of attributes) of every object in the other domains of the forest. It serves forest-wide queries and, in a multi-domain forest, user logons, for which it supplies universal group membership; a global catalog server must therefore be reachable at all times, unless universal group membership caching is enabled for the site.

What are the steps to find out which DC is the schema master for your existing domain?
Install the Administration Tools Pack (adminpak), register the schema snap-in with regsvr32 schmmgmt.dll, add the Active Directory Schema snap-in to an MMC console, then right-click the root node and choose Operations Master; the dialog shows the DC that currently holds the schema master role. The command netdom query fsmo lists all five role holders.

What do you mean by Universal Group and explain its use in a live environment?
Universal groups are available forest-wide, so they can be used forest-wide for permissions and for nesting groups from several domains. Universal group membership caching for branch offices is one of the most important considerations when using universal groups.

What is the function of KCC?
The Knowledge Consistency Checker (KCC) automatically manages replication within a site. The KCC uses a bidirectional ring topology that uses remote procedure call (RPC) over TCP/IP without compression. Domain controllers (DCs) within a site are typically on

What is the name of the Active Directory database and where is it located?
NTDS.DIT, located in %SystemRoot%\NTDS by default.

What is an SOA record and why is it important for AD?
The SOA (Start of Authority) record is the first record in every properly configured zone, and only one SOA record is allowed in a zone file. It holds the zone’s serial number and the refresh, retry, expire and minimum TTL values in a string of fields, and it names the primary name server and the responsible contact. The SOA record marks the server as authoritative for the zone.

What are the contents of SYSVOL?
Sysvol is a shared directory that stores the server copy of the domain’s public files, which are replicated among all domain controllers in the domain. The Sysvol contains the data in a GPO: the GPT, which includes Administrative Template-based Group Policy

Give your inputs on SYSVOL vs. NETLOGON.
Logon scripts are found under the domain controller’s NETLOGON admin share for Windows NT, whereas they are found under the SYSVOL share for Windows 2000. This can cause some confusion for Windows NT admins not familiar with the name change. On Windows NT

What are security principals and how are they related to SIDs?
Security principals:
1) Any entity that can be authenticated by the system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.
2) Security groups of these accounts.

What is the meaning of universal group caching? In which kind of live environment is it useful?
Universal group membership caching is a way for a domain controller to have information about users and their universal group memberships without contacting a Global Catalog at every logon. It is used in multisite environments where the link speed of one or more sites is extremely slow (say 33.6 Kbps or a bit higher). In this case we nee

How do you back up the quorum drive?
1. Open Cluster Administrator. If you are not already connected to a cluster, connect to one.
2. In the console tree, click the cluster node.
3. On the File menu, click Properties and verify that the Cluster service is running on the node on which you are performing the backup.
4. Open Backup.
5. Click Advanced Mode on the Backup or Restore Wizard.
6. Click the Backup tab, then, under “Click to select the check box for any drive, folder, or file that you want to back up”, select the box next to System State.

The FSMO Roles
The five FSMO roles are as follows:
• Schema master. This role is held by only one domain controller per forest. This role coordinates all changes to the Active Directory schema, and is required in order to process any schema updates. Only the schema master is permitted to replicate schema changes to other domain controllers in a forest.
• Domain naming master. This role is held by only one domain controller per forest. This role handles all changes to the forest-wide domain namespace, and is the only role that can process the addition or removal of a domain to or from the forest.
• RID master. This role is held by only one domain controller per domain. This role manages the relative identifier (RID) pool for the domain (for more information about RIDs, see the sidebar “Relative Identifiers in a Domain”). This role is also responsible for moving objects from one domain to another within a forest.
• PDC emulator. This role is held by only one domain controller per domain. This role is the central authority for time synchronization within a domain, and emulates the functionality of a Windows NT 4.0 Primary Domain Controller (PDC). Any NT Backup Domain Controllers (BDCs) in a domain replicate from the PDC emulator. Pre-Windows 2000 (Win2K) clients without the Microsoft Directory Services Client (DSClient) contact the PDC emulator to change user and computer passwords. The PDC emulator is also responsible for processing account lockouts. Finally, any failed logon attempts are first
• Infrastructure master. This role is held by only one domain controller per domain. This role updates object security identifiers (SIDs) and distinguished names (DNs) in cross-domain object references.

To seize the schema master role:
1. Open a command prompt window.
2. Run Ntdsutil.
3. At the Ntdsutil command prompt, enter roles
4. Enter connections
5. Enter connect to server servername, providing the fully qualified name of the domain controller to which you want to seize the schema master role.
6. Enter quit
7. Enter seize schema master
Seize a role only when the current holder is permanently unavailable; if it is still reachable, transfer the role instead. A domain controller from which the schema master has been seized must never be brought back onto the network.
