Learning the Basics of Citrix XenApp 5 for Windows Server 2003 (Part 6 of 7)
In Part 5 of this series, you successfully updated the License Server to version 11.5, installed the Microsoft Visual C++ 2005 SP1 Redistributable Package, upgraded the Access Management Console to version 4.6.2 and installed Hotfix Rollup Pack 3 for XenApp 5 for Server 2003.
In Part 6, you will learn to create a Web Interface site and do basic configuration of that site to allow users access.
At the end of Part 5, you restarted your Virtual Machine (VM). Log in to Windows and you are at the server’s desktop with the Citrix ICA Toolbar at the far right.
Since the ICA Toolbar has been removed from XenApp 5 for Server 2008 and all future XenApp versions, you will not use it in this article. This will also give you more space on your screen for the management consoles. Right-click an empty spot on the toolbar and select Exit.
What is ICA? Independent Computing Architecture (ICA) is a proprietary protocol designed by Citrix for application servers. The ICA protocol lays down a specification for passing data between server and clients, but is not bound to any one platform.
Click No on the ICA Administrator Toolbar popup.
To start the Access Management Console, click Start -> All Programs -> Citrix -> Management Consoles -> Access Management Console.
The first time you start the Access Management Console, the Configure and Run Discovery process starts. This process discovers all the Citrix Products, Components, XenApp Servers and Web Interface sites that are installed on this server. Click Next.
In a Best Practice scenario, the Web Interface component would be installed on a separate server in the DMZ. In that case, on the XenApp server, you would uncheck the option to discover Web Interface sites, and on the Web Interface server you would uncheck the option to discover Presentation Servers. Click Next.
The Configuration Servers screen is used to discover Web Interface Configuration Servers. Configuration Servers are an attempt by Citrix to ease the deployment of multiple Web Interface servers so that all sites maintain the same configuration. This central Configuration Server, while a good idea, rarely worked and was hard for Citrix to support. In XenApp 5 for Server 2008, and all future versions of XenApp, the Configuration Server has been removed. Since this article is using only one server, click Next to accept the default of Discover sites installed on this computer.
Click Add Local Computer.
For your production Farm, you would then click the Add button and add every server in your Farm you wanted to manage from this XenApp server.
You are now at the Citrix Access Management Console (AMC).
There are three ways to accomplish the same task in the AMC:
- Right-click an item and select an action
- Click the AMC Action menu and select an action
- Click an Action in the middle column of the AMC in either the Common Tasks or Other Tasks areas.
You will use the last of these methods in this article.
Click Web Interface in the left column under Citrix Resources -> Configuration Tools and then click Create site in the middle column under Common Tasks.
The Create Site wizard starts. Click Next to accept the default of XenApp Web.
The XenApp Services site is what is created to use the PNAgent client. Conferencing Manager has been discontinued with XenApp 5 for Server 2008.
Click Next on the Specify IIS Location screen.
You can create separate IIS sites, for example, to have different sites for Internal and External users. With different sites you can configure different authentication methods. Users internal to your network can enter their username and password, but you can require external users to use Smart Cards, Two Factor Authentication or one of several other authentication methods.
If you create separate IIS sites, you would enter their paths in the Path box.
In a Best Practice scenario where Web Interface is installed on a separate server, you would check the box for Set as the default page for the IIS site. Since you have both the License Management Console and Web Interface installed on the same server you must not check that box. Doing so will break the License Management Console.
Next is the Specify Point of Authentication. There are two options: At Web Interface and At Microsoft AD FS account partner. The default is At Web Interface. The two screen shots explain the two options better than I can. Click Next to accept the default of At Web Interface.
Click Next on the Confirm Settings screen.
Make sure Configure this site now is checked. Click Next.
Change the Farm name from Farm1 to Learning and then click the Add… button.
Enter CITRIXONE for the server name and click OK.
In Part 4, you selected to share the XML Service Port between IIS and the XML Service. If the port number had been changed during install, or from the command line after installation, you would enter the new port number here.
This information is taken from the Web Interface Administrator’s Guide for Web Interface 4.6 pages 72 and 73.
You can configure the following authentication methods for the Web Interface:
- Explicit. Users are required to log on by supplying a user name and password. User principal names, Microsoft domain-based authentication and Novell Directory Service are available. For XenApp Web sites, RSA SecurID and SafeWord authentication are also available.
- Pass-through. Users can authenticate using the credentials they provided when they logged on to their Windows desktop. Users do not need to reenter their credentials and their application set appears automatically. Additionally, you can use Kerberos authentication to connect to servers. If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on.
- Pass-through with smartcard. Users can authenticate by inserting a smart card into a smart card reader attached to the client device. The Program Neighborhood Agent prompts you for a smart card PIN when you log on. After logon, you can access your set of published applications and content without further logon prompts. Users connecting to XenApp Web sites are not prompted for a PIN.
- Smart card. Users can authenticate using a smart card. The user is prompted for a PIN.
- Anonymous. Anonymous users can log on without supplying a user name and password and launch applications published for anonymous users on the server.
Click Next to accept the default of Explicit.
When users go to the Web Interface site, they will need to enter a user name, password and a domain name. You may not want your users to have to know or remember the domain name. You can pre-fill the domain name so that users do not need to know this information. For this article, you will enter the domain name, which is the server name, of CITRIXONE.
Click Restrict domains to the following, then click the Add button.
Enter CITRIXONE for the logon domain name and click OK.
Your users can access your Web Interface site directly, using a URL like http://citrix.domain.com/ or using Advanced Access Control.
You can also allow your users to save links to Published Applications in their Favorites list, shortcuts list or on their desktop.
From the Web Interface Administrator’s Guide, page 52:
“Using Advanced Access Control as your access method controls user access to resources through the use of access control policies and filters. This permits the use of endpoint analysis as a condition for application access, along with other factors.
By default, pass-through authentication is enabled for users accessing the Web Interface using Advanced Access Control. Users log on using Advanced Access Control and do not have to reauthenticate to the Web Interface to access their applications. To increase security, you can disable pass-through authentication by selecting the Prompt user for password before displaying the application list check box.
You can update these settings at any time using the Manage access method task.”
Using Advanced Access Control is beyond the scope of this article.
Click Finish on the Confirm Settings screen.
You are now back at the AMC with your Web Interface site created. Click the “+” next to Web Interface.
You now see your Web Interface site. Since this is not the default site for IIS, you and your users will have to enter the entire site URL of http://CitrixONE/Citrix/XenApp.
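The wizard choices made above (Explicit authentication, logon restricted to CITRIXONE, the Learning farm on the shared XML port) can be reviewed after the fact from the site's saved settings. The following is an added example, not part of the original article and not Citrix code; it assumes the site stores its settings as Key=Value lines in a WebInterface.conf file under the key names shown, which you should confirm against your own site.

```python
# Added example (not Citrix code): review the settings the Create Site wizard saved.
# Assumption: the site keeps them as Key=Value lines in WebInterface.conf under the
# key names used below; confirm the names against your own site's file.

# Constructed sample mirroring the choices made in this article.
SAMPLE_CONF = """\
Farm1=CITRIXONE,Name:Learning,XMLPort:80,Transport:HTTP
WIAuthenticationMethods=Explicit
RestrictDomains=On
LoginDomains=CITRIXONE
"""

def parse_conf(text):
    """Return {key: value} for Key=Value lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return a list of findings an administrator should review."""
    findings = []
    raw = settings.get("WIAuthenticationMethods", "")
    methods = {m.strip().lower() for m in raw.split(",") if m.strip()}
    if not methods:
        findings.append("no authentication method configured")
    if "anonymous" in methods:
        findings.append("Anonymous logon is enabled")
    if "explicit" in methods:
        domains = [d for d in settings.get("LoginDomains", "").split(",") if d.strip()]
        if settings.get("RestrictDomains", "Off").lower() != "on":
            findings.append("Explicit logon without domain restriction")
        elif not domains:
            findings.append("domain restriction is on but no logon domains are listed")
    for key, value in settings.items():
        if key.startswith("Farm") and key[4:].isdigit():
            # Farm entry: server name followed by Option:Value pairs.
            opts = dict(p.split(":", 1) for p in value.split(",") if ":" in p)
            if opts.get("Transport", "HTTP").upper() == "HTTP":
                name = opts.get("Name", "?")
                findings.append(f"{key} ({name}): XML Service traffic uses plain HTTP")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```

On the single-server lab built in this series the plain-HTTP finding stays on the local machine; it matters once Web Interface moves to a separate server in the DMZ, as described in the Best Practice scenario earlier.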
The Create Site wizard has completed the basic configuration. Now you need to test whether your site will load and display the log in page.
Start Internet Explorer and go to http://CitrixONE/Citrix/XenApp. You will see a link that says “Please click here if you are not automatically redirected”. Do not click that link. Wait for the log in page to display.
On my VM, it took 33 seconds for the log in screen to appear.
Why so long? It takes a long time because the web site has to be compiled before it can be displayed the first time it is accessed each day.
Will your users have to wait that long? Yes, but only their first time each day.
By default, the site is set to be recompiled every day at 2AM. The only way to speed up getting to the log in page is to click the link to be automatically redirected. The site will continue to compile in the background.
Hint: An Exchange MVP friend showed me how to get around this delay. At a command prompt, change to c:\Windows\Microsoft.NET\Framework\v2.0.50727 and type in aspnet_compiler -v /Citrix/XenApp (ignore all the “value is never used” messages). The web site access should now take less than 2 seconds. This is only valid when done immediately after creating the site.
Enter the Administrator’s name and password.
At this point, there are no Published Applications to run. You have verified your site was created, loaded and logged into successfully.
To verify there is no 33 second wait to get back into the site, click the Log Off button and exit Internet Explorer. Start Internet Explorer again and go back to http://CitrixONE/Citrix/XenApp. The log in screen appears very quickly now. Exit Internet Explorer.
This process took me 3 minutes and 43 seconds. With the times from Parts 2 through 5 the total time is 1 hour 51 minutes and 52 seconds.
You learned to create a Web Interface site and do basic configuration of that site to allow users access. In Part 7, you will create a test user account, learn to publish applications, test access to the published applications from the Web Interface site and to perform other basic XenApp server administrative tasks.