Citrix Receiver for Windows
Transcript of Citrix Receiver for Windows
Receiver for Windows
© 2011 Citrix Systems, Inc. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Contents
Receiver for Windows 21
Receiver for Windows 3.2 22
Receiver for Windows 3.2 23
About Receiver for Windows 3.2 24
System Requirements 27
Get Started 31
Citrix Connection Center Overview 33
Providing Virtual Desktops to Receiver Users 34
Install and Uninstall 35
Installing and Uninstalling Receiver for Windows Manually 37
Upgrading the Desktop Viewer and Desktop Appliance Lock 39
To install the Citrix Desktop Lock 40
User Accounts Used to Install the Citrix Desktop Lock 41
To remove the Citrix Desktop Lock 42
To configure and install the Citrix Receiver for Windows usingcommand-line parameters 43
Delivering Receiver Using Active Directory and Sample Startup Scripts 48
Using the Per-User Sample Startup Scripts 50
Deploying CitrixReceiver.exe from Receiver for Web 51
Deploying the CitrixReceiver.exe from a Web Interface Logon Screen 52
Configure 53
Using the Group Policy Object Template to Customize Receiver 54
Configuring Access to Accounts Manually 56
To customize user preferences for the Receiver (Enterprise) 57
Configuring USB Support for XenDesktop Connections 58
How USB Support Works 59
Mass Storage Devices 60
USB Device Classes Allowed by Default 61
USB Device Classes Denied by Default 63
2
Updating the List of USB Devices Available for Remoting 64
Configuring Bloomberg Keyboards 65
Configuring User-Driven Desktop Restart 66
To prevent the Desktop Viewer window from dimming 67
To configure the Citrix Desktop Lock 68
To configure settings for multiple users and devices 70
Canadian Keyboard Layouts and Updating from Presentation ServerClients Version 10.200 71
Auto-Repair 72
Optimize 73
Improving Receiver Performance 74
Reducing Application Launch Time 75
Reconnecting Users Automatically 78
Providing HDX Broadcast Session Reliability 79
Improving Performance over Low-Bandwidth Connections 80
Connecting User Devices and Published Resources 82
Configuring Workspace Control Settings to Provide Continuity forRoaming Users 83
Making Scanning Transparent for Users 85
Mapping User Devices 86
Mapping Client Drives to XenApp Server Drive Letters 87
HDX Plug-n-Play for USB Storage Devices 89
HDX Plug-n-Play USB Device Redirection for XenAppConnections 90
Mapping Client Printers for More Efficiency 92
To map a client COM port to a server COM port 94
Mapping Client Audio to Play Sound on the User Device 95
Associating User Device File Types with PublishedApplications 96
Using the Window Manager when Connecting to Citrix XenApp forUNIX 97
Terminating and Disconnecting Sessions 98
Using ctxgrab and ctxcapture to Cut and Paste Graphics WhenConnected to XenApp for UNIX 99
Using the ctxgrab Utility to Cut and Paste Graphics 100
Using the ctxcapture Utility to Cut and Paste Graphics 101
Matching Client Names and Computer Names 103
DNS Name Resolution 104
Using Proxy Servers with XenDesktop Connections 105
User Experience 106
3
ClearType Font Smoothing in Sessions 107
Client-Side Microphone Input 108
Configuring HDX Plug-n-Play Multi-monitor Support 109
Printing Performance 111
To override the printer settings configured on the server 113
To set keyboard shortcuts 114
Keyboard Input in XenDesktop Sessions 115
Receiver Support for 32-Bit Color Icons 117
Connecting to Virtual Desktops 118
Secure Connections 119
To enable certificate revocation list checking for improved securitywith Receiver (CitrixReceiver.exe) 120
Smart Card Support for Improved Security 122
To enable pass-through authentication when sites are not in TrustedSites or Intranet zones 123
Using Security Support Provider Interface/Kerberos Pass-ThroughAuthentication for Improved Security 124
To configure Kerberos with pass-through authentication 126
Secure Communications 127
Support for Microsoft Security Templates 128
Connecting with Access Gateway Enterprise Edition 129
Connecting with Access Gateway 5.0 132
Connecting with Secure Gateway 137
Connecting the Citrix Receiver through a Proxy Server 138
Connecting with Secure Sockets Layer Relay 139
Connecting with Citrix SSL Relay 140
User Device Requirements 141
To apply a different listening port number for allconnections 142
To apply a different listening port number to particularconnections only 143
Configuring and Enabling Receivers for SSL and TLS 144
Installing Root Certificates on the User Devices 145
To configure Web Interface to use SSL/TLS for Receiver 146
To configure TLS support 147
To use the Group Policy template on Web Interface to meet FIPS140 security requirements 148
To configure the Web Interface to use SSL/TLS whencommunicating with Citrix Receiver 149
To configure Citrix XenApp to use SSL/TLS when communicatingwith Citrix Receiver 150
4
To configure Citrix Receiver to use SSL/TLS when communicatingwith the server running the Web Interface 151
ICA File Signing - Protection Against Application or Desktop LaunchesFrom Untrusted Servers 152
Selecting and Distributing a Digital Signature Certificate 154
Configuring a Web Browser and ICA File to Enable Single Sign-on andManage Secure Connections to Trusted Servers 155
To set client resource permissions 157
Enabling Smart Card Logon 159
Enforcing Trust Relations 160
Elevation Level and wfcrun32.exe 162
Receiver for Windows 3.1 163
Receiver for Windows 3.1 164
About Citrix Receiver for Windows 3.1 165
System Requirements 169
Get Started 173
Citrix Connection Center Overview 175
Providing Virtual Desktops to Receiver Users 176
Install and Uninstall 177
Installing and Uninstalling Receiver for Windows Manually 179
Upgrading the Desktop Viewer and Desktop Appliance Lock 181
To install the Citrix Desktop Lock 182
User Accounts Used to Install the Citrix Desktop Lock 183
To remove the Citrix Desktop Lock 184
To configure and install the Citrix Receiver for Windows usingcommand-line parameters 185
Delivering Receiver Using Active Directory and Sample Startup Scripts 190
Using the Per-User Sample Startup Scripts 192
Deploying CitrixReceiver.exe from Receiver for Web 193
Deploying the CitrixReceiver.exe from a Web Interface Logon Screen 194
Configure 195
Using the Group Policy Object Template to Customize the Receiver 196
Configuring Access to Accounts Manually 198
To customize user preferences for the Receiver (Enterprise) 199
Configuring USB Support for XenDesktop Connections 200
How USB Support Works 201
Mass Storage Devices 202
USB Device Classes Allowed by Default 203
USB Device Classes Denied by Default 205
5
Updating the List of USB Devices Available for Remoting 206
Configuring Bloomberg Keyboards 207
Configuring User-Driven Desktop Restart 208
To prevent the Desktop Viewer window from dimming 209
To configure the Citrix Desktop Lock 210
To configure settings for multiple users and devices 212
Canadian Keyboard Layouts and Updating from Presentation ServerClients Version 10.200 213
Auto-Repair 214
Optimize 215
Improving Receiver Performance 216
Reducing Application Launch Time 217
Reconnecting Users Automatically 220
Providing HDX Broadcast Session Reliability 221
Improving Performance over Low-Bandwidth Connections 222
Connecting User Devices and Published Resources 224
Configuring Workspace Control Settings to Provide Continuity forRoaming Users 225
Making Scanning Transparent for Users 227
Mapping User Devices 228
Mapping Client Drives to XenApp Server Drive Letters 229
HDX Plug-n-Play for USB Storage Devices 231
HDX Plug-n-Play USB Device Redirection for XenAppConnections 232
Mapping Client Printers for More Efficiency 234
To map a client COM port to a server COM port 236
Mapping Client Audio to Play Sound on the User Device 237
Associating User Device File Types with PublishedApplications 238
Using the Window Manager when Connecting to Citrix XenApp forUNIX 239
Terminating and Disconnecting Sessions 240
Using ctxgrab and ctxcapture to Cut and Paste Graphics WhenConnected to XenApp for UNIX 241
Using the ctxgrab Utility to Cut and Paste Graphics 242
Using the ctxcapture Utility to Cut and Paste Graphics 243
Matching Client Names and Computer Names 245
DNS Name Resolution 246
Using Proxy Servers with XenDesktop Connections 247
User Experience 248
6
ClearType Font Smoothing in Sessions 249
Client-Side Microphone Input 250
Configuring HDX Plug-n-Play Multi-monitor Support 251
Printing Performance 253
To override the printer settings configured on the server 255
To set keyboard shortcuts 256
Keyboard Input in XenDesktop Sessions 257
Receiver Support for 32-Bit Color Icons 259
Connecting to Virtual Desktops 260
Secure Connections 261
To enable certificate revocation list checking for improved securitywith Receiver (CitrixReceiver.exe) 262
Smart Card Support for Improved Security 264
To enable pass-through authentication when sites are not in TrustedSites or Intranet zones 265
Using Security Support Provider Interface/Kerberos Pass-ThroughAuthentication for Improved Security 266
To configure Kerberos with pass-through authentication 268
Secure Communications 269
Support for Microsoft Security Templates 270
Connecting with Access Gateway Enterprise Edition 271
Connecting with Access Gateway 5.0 274
Connecting with Secure Gateway 279
Connecting the Citrix Receiver through a Proxy Server 280
Connecting with Secure Sockets Layer Relay 281
Connecting with Citrix SSL Relay 282
User Device Requirements 283
To apply a different listening port number for allconnections 284
To apply a different listening port number to particularconnections only 285
Configuring and Enabling Receivers for SSL and TLS 286
Installing Root Certificates on the User Devices 287
To configure Web Interface to use SSL/TLS for Receiver 288
To configure TLS support 289
To use the Group Policy template on Web Interface to meet FIPS140 security requirements 290
To configure the Web Interface to use SSL/TLS whencommunicating with Citrix Receiver 291
To configure Citrix XenApp to use SSL/TLS when communicatingwith Citrix Receiver 292
7
To configure Citrix Receiver to use SSL/TLS when communicatingwith the server running the Web Interface 293
ICA File Signing - Protection Against Application or Desktop LaunchesFrom Untrusted Servers 294
Selecting and Distributing a Digital Signature Certificate 296
Configuring a Web Browser and ICA File to Enable Single Sign-on andManage Secure Connections to Trusted Servers 297
To set client resource permissions 299
Enabling Smart Card Logon 301
Enforcing Trust Relations 302
Elevation Level and wfcrun32.exe 304
Receiver for Windows 3.0 305
Citrix Receiver for Windows 3.0 306
About Receiver for Windows 3.0 307
System Requirements 311
Get Started 314
Citrix Receiver for Windows Overview 316
Citrix Connection Center Overview 318
Providing Virtual Desktops to Receiver Users 319
Install and Uninstall 320
Installing and Uninstalling Receiver for Windows Manually 322
Upgrading the Desktop Viewer and Desktop Appliance Lock 324
To install the Citrix Desktop Lock 325
User Accounts Used to Install the Citrix Desktop Lock 326
To remove the Citrix Desktop Lock 327
To configure and install the Citrix Receiver for Windows usingcommand-line parameters 328
To extract, install, and remove the individual Receiver (Enterprise).msi files 331
Delivering Receiver Using Active Directory and Sample Startup Scripts 333
Using the Per-User Sample Startup Scripts 335
Deploying the CitrixReceiver.exe from a Web Interface Logon Screen 336
Configure 337
Using the Group Policy Object Template to Customize the Receiver 338
To customize user preferences for the Receiver (Enterprise) 340
Configuring USB Support for XenDesktop Connections 341
How USB Support Works 342
Mass Storage Devices 343
USB Device Classes Allowed by Default 344
USB Device Classes Denied by Default 346
8
Updating the List of USB Devices Available for Remoting 347
Configuring Bloomberg Keyboards 348
Configuring User-Driven Desktop Restart 349
To prevent the Desktop Viewer window from dimming 350
To configure the Citrix Desktop Lock 351
To configure settings for multiple users and devices 353
Canadian Keyboard Layouts and Updating from Presentation ServerClients Version 10.200 354
Auto-Repair 355
Optimize 356
Improving Receiver Performance 357
Reducing Application Launch Time 358
Reconnecting Users Automatically 361
Providing HDX Broadcast Session Reliability 362
Improving Performance over Low-Bandwidth Connections 363
Connecting User Devices and Published Resources 365
To enable pass-through authentication when sites are not inTrusted Sites or Intranet zones 366
Configuring Workspace Control Settings to Provide Continuity forRoaming Users 367
Making Scanning Transparent for Users 369
Mapping User Devices 370
Mapping Client Drives to XenApp Server Drive Letters 371
HDX Plug-n-Play for USB Storage Devices 373
HDX Plug-n-Play USB Device Redirection for XenAppConnections 374
Mapping Client Printers for More Efficiency 376
To map a client COM port to a server COM port 378
Mapping Client Audio to Play Sound on the User Device 379
Associating User Device File Types with PublishedApplications 380
Using the Window Manager when Connecting to Citrix XenApp forUNIX 381
Terminating and Disconnecting Sessions 382
Using ctxgrab and ctxcapture to Cut and Paste Graphics WhenConnected to XenApp for UNIX 383
Using the ctxgrab Utility to Cut and Paste Graphics 384
Using the ctxcapture Utility to Cut and Paste Graphics 385
Matching Client Names and Computer Names 387
Providing Support for NDS Users 388
9
Specifying Windows Credentials with the NovellClient and Pass-Through Authentication 389
DNS Name Resolution 390
Using Proxy Servers with XenDesktop Connections 391
User Experience 392
ClearType Font Smoothing in Sessions 393
Client-Side Microphone Input 394
Configuring HDX Plug-n-Play Multi-monitor Support 395
Printing Performance 397
To override the printer settings configured on the server 399
To set keyboard shortcuts 400
Keyboard Input in XenDesktop Sessions 401
Receiver Support for 32-Bit Color Icons 403
Connecting to Virtual Desktops 404
Secure Connections 405
To enable certificate revocation list checking for improved securitywith Receiver (CitrixReceiver.exe) 406
Smart Card Support for Improved Security 408
To enable pass-through authentication when sites are not in TrustedSites or Intranet zones 409
Using Security Support Provider Interface/Kerberos Pass-ThroughAuthentication for Improved Security 410
To configure Kerberos with pass-through authentication 412
Secure Communications 413
Support for Microsoft Security Templates 414
Connecting the Citrix Receiver through a Proxy Server 415
Connecting with the Secure Gateway or Citrix Secure Sockets LayerRelay 416
Connecting with the Secure Gateway 417
Connecting with Citrix SSL Relay 418
User Device Requirements 419
To apply a different listening port number for allconnections 420
To apply a different listening port number to particularconnections only 421
Configuring and Enabling Receivers for SSL and TLS 422
Installing Root Certificates on the User Devices 423
To configure Citrix Receiver to use SSL/TLS 424
To configure TLS support 425
To use the Group Policy template to meet FIPS 140 securityrequirements 426
10
To configure the Web Interface to use SSL/TLS whencommunicating with Citrix Receiver 427
To configure Citrix XenApp to use SSL/TLS when communicatingwith Citrix Receiver 428
To configure Citrix Receiver to use SSL/TLS when communicatingwith the server running the Web Interface 429
ICA File Signing - Protection Against Application or Desktop LaunchesFrom Untrusted Servers 430
Selecting and Distributing a Digital Signature Certificate 432
Configuring a Web Browser and ICA File to Enable Single Sign-on andManage Secure Connections to Trusted Servers 433
To set client resource permissions 435
Enabling Smart Card Logon 437
Enforcing Trust Relations 438
Elevation Level and wfcrun32.exe 439
ICA Settings Reference 440
ICA Settings Reference 447
AcceptURLType 454
Address(2) 455
AECD 457
AllowAudioInput 458
AllowVirtualDriverEx 459
AllowVirtualDriverExLegacy 460
AltProxyAutoConfigURL(2) 461
AltProxyBypassList(2) 462
AltProxyHost(2) 464
AltProxyPassword(2) 465
AltProxyType(2) 466
AlwaysSendPrintScreen 468
AppendUsername 469
AudioBandwidthLimit 470
AudioDevice(2) 472
AudioDuringDetach 473
AudioHWSection 474
AudioInWakeOnInput 475
AudioOutWakeOnOutput 476
AUTHPassword 477
AUTHUserName 478
AutoLogonAllowed 479
BrowserProtocol 480
11
BrowserRetry(2) 481
BrowserTimeout(2) 482
BUCC(2) 483
BufferLength 484
BufferLength2 485
BypassSmartcardDomain 486
BypassSmartcardPassword 487
BypassSmartcardUsername 488
CbChainInterval 489
CDMAllowed 490
CDMReadOnly 491
CFDCD 493
CGPAddress 494
ChannelName 495
ClearPassword 496
ClientAudio 497
ClientName 499
ClipboardAllowed 500
COCD 501
ColorMismatchPrompt_Have16M_Want256 502
ColorMismatchPrompt_Have16_Want256 503
ColorMismatchPrompt_Have64k_Want256 504
COMAllowed(2) 505
Command 507
CommandAckThresh 508
CommPollSize 509
CommPollWaitInc 510
CommPollWaitIncTime 511
CommPollWaitMax 512
CommPollWaitMin 513
CommWakeOnInput 514
ConnectionFriendlyName 515
ContentRedirectionScheme 516
ControlPollTime 517
ConverterSection 518
CPMAllowed 519
CRBrowserAcceptURLtype 520
12
CRBrowserCommand 521
CRBrowserPath 522
CRBrowserPercentS 523
CRBrowserRejectURLtype 524
CREnabled 525
CRPlayerAcceptURLtype 526
CRPlayerCommand 527
CRPlayerPath 528
CRPlayerPercentS 529
CRPlayerRejectURLtype 530
DataAckThresh 531
DataBits 532
DefaultHttpBrowserAddress 533
DeferredUpdateMode 534
DesiredColor(5) 535
DeviceName 537
DisableCtrlAltDel 538
DisableDrives 539
DisableMMMaximizeSupport 541
DisableSound 542
DisableUPDOptimizationFlag 543
Domain 544
DriverNameAlt 546
DriverNameAltWin32 547
DriverNameWin32(12) 548
DTR 553
DynamicCDM 554
EmulateMiddleMouseButton 555
EmulateMiddleMouseButtonDelay 556
EnableAsyncWrites 557
EnableAudioInput 558
EnableClientSelectiveTrust 559
EnableInputLanguageToggle 561
EnableOSS 562
EnableReadAhead 563
EnableRtpAudio 564
EnableSessionSharing 565
13
EnableSessionSharingClient 567
EnableSessionSharingHost(2) 568
EnableSSOThruICAFile 569
EncryptionLevelSession 571
endIFDCD 572
FONTSMOOTHINGTYPE 573
ForceLVBMode 574
FriendlyName 575
FullScreenBehindLocalTaskbar 576
FullScreenOnly 577
HotKey10Char 578
HotKey10Shift 579
HotKey1Char 581
HotKey1Shift 583
HotKey2Char 584
HotKey2Shift 586
HotKey3Char 588
HotKey3Shift 589
HotKey4Char 590
HotKey4Shift 592
HotKey5Char 594
HotKey5Shift 595
HotKey6Char 597
HotKey6Shift 599
HotKey7Char 600
HotKey7Shift 602
HotKey8Char 604
HotKey8Shift 606
HotKey9Char 608
HotKey9Shift 610
HotKeyJPN%dChar 612
HowManySkipRedrawPerPaletteChange 613
HttpBrowserAddress 614
ICAHttpBrowserAddress 616
ICAKeepAliveEnabled 617
ICAKeepAliveInterval 619
ICAPortNumber 620
14
ICAPrntScrnKey 622
ICASOCKSProtocolVersion(2) 623
ICASOCKSProxyHost(2) 625
ICASOCKSProxyPortNumber(2) 627
InitialProgram 629
InitialProgram(2) 631
InputEncoding 633
InstallColormap 634
IOBase 635
KeyboardLayout 636
KeyboardSendLocale 637
KeyboardTimer(2) 638
KeyboardType 639
Launcher 642
LaunchReference 643
LicenseType 644
LocalIME 645
LocHttpBrowserAddress 646
LockdownProfiles 648
LogAppend 649
LogConfigurationAccess 650
LogConnect 651
LogErrors 652
LogEvidence 653
LogFile 654
LogFileGlobalPath 655
LogFileWin32 656
LogFlush 657
LogonTicket 658
LogonTicketType 659
LongCommandLine 660
Lpt1 662
Lpt2 663
Lpt3 664
LPWD 665
LvbMode2 666
MaxDataBufferSize 667
15
MaxMicBufferSize 668
MaxOpenContext 669
MaxPort 670
MaxWindowSize 671
MinimizeOwnedWindows 672
MissedKeepaliveWarningMsg 673
MissedKeepaliveWarningTime 674
MouseTimer 675
MouseWheelMapping 677
MSIEnabled 678
NativeDriveMapping 679
NDS 681
NRUserName 682
NRWD 683
NumCommandBuffers 684
NumDataBuffers 685
OutBufCountClient 686
OutBufCountClient2 688
OutBufCountHost 690
OutBufCountHost2 692
OutBufLength 694
PassThroughLogoff 696
Password 697
Path 699
PCSCCodePage 700
PCSCLibraryName 701
PercentS 702
PersistentCacheEnabled 703
PersistentCacheGlobalPath 705
PersistentCacheMinBitmap(2) 706
PersistentCachePath 708
PersistentCachePercent 710
PersistentCacheSize(2) 711
PersistentCacheUsrRelPath 713
PingCount 714
PlaybackDelayThresh 715
PNPDeviceAllowed 716
16
pnStartSCD 717
Port1 718
Port2 719
POSDeviceAllowed 720
PrinterFlowControl 722
PrinterResetTime 723
PrinterThreadPriority 724
PrintMaxRetry 725
ProxyAuthenticationBasic(2) 726
ProxyAuthenticationKerberos 728
ProxyAuthenticationNTLM(2) 729
ProxyAuthenticationPrompt(2) 731
ProxyAutoConfigURL(2) 733
ProxyBypassList 735
ProxyFallback(2) 737
ProxyFavorIEConnectionSetting(2) 739
ProxyHost(3) 741
ProxyPassword(2) 743
ProxyPort 745
ProxyTimeout 746
ProxyType 747
ProxyUseDefault 749
ProxyUseFQDN(2) 750
ProxyUsername 752
ReadersStatusPollPeriod 754
RECD(2) 756
RegionIdentification 757
RejectURLType 759
RemoveICAFile 760
ResMngrRunningPollPeriod 762
REWD(2) 763
RtpAudioHighestPort 764
RtpAudioLowestPort 765
ScalingHeight 766
ScalingMode 767
ScalingPercent 769
ScalingWidth 770
17
Schedule 771
ScreenPercent 772
SecureChannelProtocol(2) 774
SecurityTicket 777
SessionReliabilityTTL 778
SessionSharingKey 779
SessionSharingLaunchOnly 780
SFRAllowed 781
SkipRedrawPerPaletteChange 782
SmartCardAllowed 783
SpeedScreenMMA 784
SpeedScreenMMAAudioEnabled 786
SpeedScreenMMAMaxBufferThreshold 787
SpeedScreenMMAMaximumBufferSize 788
SpeedScreenMMAMinBufferThreshold 789
SpeedScreenMMASecondsToBuffer 790
SpeedScreenMMAVideoEnabled 791
SSLCACert 792
SSLCertificateRevocationCheckPolicy(2) 793
SSLCiphers 796
SSLCommonName 798
SSLEnable 800
SSLProxyHost(2) 803
SSOnCredentialType(3) 805
SSOnDetected 807
SSOnUserSetting 808
SSPIEnabled 810
startIFDCD(3) 812
startSCD(2) 813
State 814
SucConnTimeout 815
SwapButtons 816
TransparentKeyPassthrough 817
TransportReconnectDelay 819
TransportReconnectEnabled 821
TransportReconnectRetries 823
TransportSilentDisconnect 825
18
TRWD 826
Tw2CachePower 827
TW2StopwatchMinimum 828
TW2StopwatchScale 829
TwainAllowed 830
TWIEmulateSystray 831
TWIFullScreenMode 832
TWIIgnoreWorkArea 834
TWIMode 836
TWISeamlessFlag 838
TWIShrinkWorkArea 839
TWISuppressZZEcho 840
TWITaskbarGroupingMode 841
UnicodeEnabled 843
UseAlternateAddress(3) 844
UseDefaultEncryption 847
UseLocalUserAndPassword(2) 849
UseMRUBrowserPrefs 851
Username(3) 852
UserOverride 854
UsersShareIniFiles 855
UseSSPIOnly 856
VariantName 858
VirtualChannels 859
VirtualCOMPortEmulation 860
VirtualDriver 862
VirtualDriverEx 864
VSLAllowed(2) 865
Win32FavorRetainedPrinterSettings 867
WindowManagerMoveIgnored 869
WindowManagerMoveTimeout 870
WindowsCache 871
WindowSize 872
WindowSize 874
WindowSize 876
WindowSize2 878
WindowsPrinter 879
19
WindowsPrinter 880
WorkDirectory 881
WpadHost 882
XmlAddressResolutionType 883
ZLAutoHiLimit 884
ZLAutoLowLimit 885
ZLDiskCacheSize 886
ZLFntMemCacheSize 887
ZLKeyboardMode 888
ZLMouseMode 890
20
21
Receiver for Windows
Citrix Receiver for Windows delivers a common user interface whether using only Receiveror with any other Citrix Plug-ins and provides secure, simple, high-performance, on-demandaccess to virtual desktops, enterprise applications, and IT services by enabling:
● Delivery of business applications to any user on any device
● Secure access and complete IT control and visibility
Quick Links● Receiver for Windows 3.2
● About Receiver for Windows 3.2
● System Requirements and Compatibility for Receiver for Windows 3.2
● Receiver for Windows Overview
22
Receiver for Windows 3.2
Quick Links
About this Release Using the Receiver with XenDesktopConnections
Issues Fixed in Receiver for Windows 3.2 Optimizing the Receiver Environment
System Requirements and Compatibility Improving the Receiver User Experience
Licensing Your Product Securing Your Connections
Overview of Citrix Receiver for WindowsInstallation Packages
Securing Citrix Receiver Communication
To configure and install the Citrix Receiverfor Windows using command-lineparameters
23
Receiver for Windows 3.2
Quick Links
About this Release Using the Receiver with XenDesktopConnections
Issues Fixed in Receiver for Windows 3.2 Optimizing the Receiver Environment
System Requirements and Compatibility Improving the Receiver User Experience
Licensing Your Product Securing Your Connections
Overview of Citrix Receiver for WindowsInstallation Packages
Securing Citrix Receiver Communication
To configure and install the Citrix Receiverfor Windows using command-lineparameters
24
About Receiver for Windows 3.2
What's New in this ReleaseWhen used with Citrix Storefront 1.1, this release of Receiver for Windows (standard,CitrixReceiver.exe) supports single authentication to Receiver and the browser for Web andSaaS apps published through AppController 1.1. Receiver users will now authenticate withthose apps as they have for published Windows apps. No Receiver-specific administration isneeded to use the additional single authentication support.
The Receiver Enterprise package did not change for this release. It is required only tosupport applications that use Smart Card authentication.
Known IssuesThis section contains:
● General issues
● Known issues - Desktop connections
● Third-party issues
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
General Issues
● When configured with multiple stores, Receiver might confuse the gateways required toconnect to a store causing incorrect apps being available to users. Work around:Configure only one store. [#263165]
● When Receiver Storefront is configured with multiple external beacon points, Receiverfor Windows does not enumerate applications if all of the beacons respond with thesame URL. Workaround: Retain the configuration for only one external beacon.Alternatively, keep all beacons and add a beacon that points to a non-existing URL.[#299560]
● If you use the Receiver with XenApp 5.0 Feature Pack 2 for Windows Server 2003 (32- or64-bit editions), the Receiver plays audio even when you configure the Turn offspeakers policy setting to disable the audio. [#242703]
● You might receive an error message when trying to launch an application with WebInterface after installing a previous version of the Receiver (Online plug-in) while
logged in as one user, upgrading with CitrixReceiver.exe as another user, logging off theReceiver, and logging back on with the previous user name. The error message is: Citrixonline plug-in Configuration Manager: No value could be found for (ClientHostedApps)that satisfies all lock down requirements. The lockdown requirements in force may beconflicting. [#261877]
As a workaround, set the following registry key:
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\Lockdown Profiles\AllRegions\Lockdown\Virtual Channels\Control
Name: ClientHostedApps
Value: FALSE (or set to * / TRUE if you have overridden the defaults inHKEY_LOCAL_MACHINE)
● If you use Web Interface with Internet Explorer 8 and Windows 7 to upgrade to thisversion of Citrix Receiver, the upgrade finishes, but the Upgrade in Progress messageremains on the screen and the log on screen does not appear. Workaround: Restart thebrowser [#247858]
● When you launch applications using the Web Interface, Connection Center does notenumerate the sessions. [#261177]
● After you launch a published application that is filtered by XenApp for Access Gateway,other published applications do not launch. [#263003]
● In some environments, content redirection may not work until the published applicationis launched for the first time. [#252515]
● Before installing Receiver for Windows on a Windows XP Embedded thin client device,increase the RAM disk limit of the device to 100 MB. [#266384]
● When versions of Receiver are localized in Traditional Chinese, Korean, or Russian andintegrated with Access Gateway Standard Edition, the Receiver log on screen displays inEnglish because of an Access Gateway Standard Edition language limitation. [#263442]
● After a silent installation of Receiver, the Receiver Preferences > Plug-in status pagemight not list the plug-ins. [302588]
● When the offline plug-in is not installed and a streamed application is configured tofallback to ICA and the XenApp server is down, an incorrect error message appearsinforming you that the correct plug-in is not installed. [#273813]
● If Certificate Revocation List (CRL) checking is disabled in Internet Options on the userdevice, this overrides the CertificateRevocationCheck registry setting for Receiver forWindows. This means users may be able to access Web sites that do not have validcertificates. As a workaround, ensure that the Check server revocation option locatedat Settings > Control Panel > Internet Options > Advanced is enabled. [#32682]
● Receiver does not support the VPN keyword in Access Gateway ClientChoices mode.[#274828]
● If the VPN keyword is removed from an application after a user subscribes to it,Receiver continues to attempt an Access Gateway connection for the application.Workaround: Unsubscribe and then re-subscribe to the application to synchronize the
About Receiver for Windows 3.2
25
VPN keyword removal on Receiver. [#298387]
Desktop Connections
● Loss of video is experienced if files are being played with a published version ofWindows Media Player through a virtual desktop session, and the Desktop Viewerwindow is changed from full-screen to window mode. As a workaround, minimize andrestore the Media Player window, and then pause and resume the application (or stopand restart it). [#246230]
● You cannot log off normally from Windows XP 32-bit virtual desktops if you start (but donot log on to) the Receiver in the desktop session. If the Receiver logon dialog box isnot completed, you cannot log off from the desktop. To work around the issue,complete the logon dialog box or close it. This issue is not observed on other virtualdesktop operating systems. [#246516]
● If virtual desktops are installed with the Virtual Desktop Agent supplied withXenDesktop 5.0, Receiver for Windows 3.0 displays an error if the user starts apublished application from the desktop. The workaround is to use the Virtual DesktopAgent supplied with XenDesktop 5.5. [#263079]
● The Citrix Desktop Lock does not redirect Adobe Flash content to domain-joined userdevices. The content can be viewed but is rendered on the server, not locally. As aworkaround, Adobe Flash redirection can be configured for server-side content fetchingto pass the content from the server to the user device. This issue does not occur onnon-domain-joined devices or when the content is viewed with the Desktop Viewer.[#263092]
● The Desktop Viewer Devices menu may not close when the user clicks the Devices icon.It also may remain open after its corresponding dialog box closes. If this occurs, clickthe Devices icon again. [#262202]
● Windows Media Player, when displayed in the non-primary monitor of a two-monitorWindows user device, may not work as expected. Due to an issue with the DirectX videomixing renderer filter VMR-9, the screen is black and there is no sound, although theplayer's progress bar advances. To correct this issue, edit the registry on the userdevice from which the XenDesktop connection is launched. In theHKEY_CURRENT_USER\Software\Citrix subkey, create the HdxMediaStream key. Namethe key DisableVMRSupport. Set the type as REG_DWORD. Give the key the value 3.[#262852]
Third-Party Issues
● When using Internet Explorer to open a Microsoft Office document in Edit mode fromSharePoint, Microsoft Office might display the message, “Access denied.” Workaround:Go to the SharePoint site and check out the document, edit it, and check the file backin to SharePoint. [#258725]
About Receiver for Windows 3.2
26
27
System Requirements and Compatibilityfor Receiver for Windows
● Supported Windows Operating Systems:
● Windows 7, 32-bit and 64-bit editions (including Embedded Edition)
● Windows XP Professional, 32-bit and 64-bit editions
● Windows XP Embedded
● Windows Vista, 32-bit and 64-bit editions
● Windows Thin PC
● Windows Server 2008 R1, 32-bit and 64-bit editions (not supported by XenDesktopconnections)
● Windows Server 2008 R2, 64-bit edition (not supported by XenDesktop connections)
● Windows Server 2003, 32-bit and 64-bit editions (not supported by XenDesktopconnections)
Important: For XenDesktop connections, be aware that the Citrix Desktop Lock isonly supported on Windows XP Professional, Windows XP Embedded, Windows 7,and Windows Embedded Standard 7. If your deployment includes smart cards, andWindows 7 or Windows Embedded Standard 7, see the additional requirements inthis topic.
● Server support:
● XenApp (any of the following products):
● Citrix XenApp 6.5 for Windows Server 2008 R2
● Citrix XenApp 6 for Windows Server 2008 R2
● Citrix XenApp 5 for Windows Server 2008
● Citrix XenApp 5 for Windows Server 2003● XenDesktop (any of the following products):
● XenDesktop 5.5
● XenDesktop 5
● XenDesktop 4● To manage connections to apps and desktops, Citrix Receiver supports Cloud
Gateway or Web Interface :
● CloudGateway Express, with Receiver Storefront 1.1 or 1.0 and, for optionalaccess to resources from a web page, Receiver for Web
● CloudGateway Enterprise 1.0, with Receiver Storefront 1.1 or 1.0, for appshosted on a network, on an Infrastructure as a Service (IaaS) platform, orconfigured as Software as a Service (SaaS)
● Web Interface 5.x for Windows with a XenApp Services and XenDesktop Web site
● Merchandising Server 2.x
● Connectivity
Citrix Receiver supports HTTPS and ICA-over-SSL connections through any one of thefollowing configurations.
● For LAN connections:
● Receiver Storefront 1.1 or 1.0, using Storefront services or Receiver for Websites
Single sign on to Web and SaaS apps published through AppController requiresReceiver Storefront 1.1.
● Web Interface 5.x for Windows, using XenApp Services and XenDesktop Websites (Program Neighborhood Agent sites are also supported for legacyinstallations)
● For secure remote or local connections:
● Citrix Access Gateway VPX
● Citrix Access Gateway 5.0
● Citrix Access Gateway Enterprise Edition 9.x
● Citrix Secure Gateway 3.xYou can use Access Gateway with Receiver Storefront or Web Interface. You can useSecure Gateway only with Web Interface.
● Authentication
Receiver for Windows 3.2, when used with Receiver Storefront 1.1 or 1.0, supports thefollowing authentication methods:
● Domain
● Domain pass-through
Receiver for Web sites do not support domain pass-through authentication.
● Security token
● Two-factor (domain plus security token)*
● Client certificate (requires Access Gateway Enterprise Edition; can be used alone orwith other authentication methods)
System Requirements
28
Receiver for Windows 3.2, when used with Web Interface 5.X, supports the followingauthentication methods:
● Domain
● Security token
● Two-factor (domain plus security token)*
● SMS*
● Smart card (with or without Access Gateway)
Requires Receiver (Enterprise)
● Client certificate (requires Access Gateway Enterprise Edition; can be used alone orwith other authentication methods)
* Available only in deployments that include Access Gateway.
For more information about authentication, refer to the Access Gateway documentationand the "Manage" topics in the Receiver Storefront documentation in eDocs. Forinformation about other authentication methods supported by Web Interface, refer to"Configuring Authentication for the Web Interface" in the Web Interface documentationin eDocs.
● Certificates
For information about security certificates, refer to topics under Secure Connectionsand Secure Communications.
● Upgrades. Upgrades are supported only for Citrix XenApp Plugin for Hosted Apps 11.0,Desktop Receiver 11.1, and Citrix online plug-in 11.1,11.2, 12.0, and 12.1, and Receiverfor Windows 3.0 releases.
● Availability of the Receiver for Windows 3.2 features. Some of the features andfunctionality of Receiver are available only when connecting to newer XenApp andXenDesktop versions and might require the latest hotfixes for XenApp, XenDesktop, andSecure Gateway.
● Previous versions of the Presentation Server Client/Online Plug-in and the currenticaclient.adm file. Previous versions of the Presentation Server Client and OnlinePlug-in are not compatible with the Receiver for Windows 3.2 icaclient.adm file.
● Supported Browsers:
● Internet Explorer Version 6.0 through 9.0
● Mozilla Firefox Version 1.x through 5.x
● Google Chrome Version 10.0 and later● .NET Framework Requirements
● The Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package is required toensure that the Receiver icon displays correctly. The package is included with .NET2.0 Service Pack 1, .NET 3.5, and .NET 3.5 Service Pack 1; it is also availableseparately.
System Requirements
29
● For XenDesktop connections: To use the Desktop Viewer, .NET 2.0 Service Pack 1 orlater is required. This version is required because, if Internet access is notavailable, certificate revocation checks slow down connection startup times. Thechecks can be turned off and startup times improved with this version of theFramework but not with .NET 2.0. Use of the Citrix Desktop Lock does not requirethe .NET Framework to be installed.
● Hardware Requirements:
● VGA or SVGA video adapter with color monitor
● Windows-compatible sound card for sound support (optional)
● For network connections to the server farm, a network interface card (NIC) and theappropriate network transport software
● Supported Connection Methods and Network Transports:
● TCP/IP+HTTP
● SSL/TLS+HTTPS● HDX MediaStream Multimedia Acceleration
Applications and media formats supported by HDX MediaStream Multimedia Accelerationare:
● Applications based on Microsoft’s DirectShow, DirectX Media Objects (DMO), andMedia Foundation filter technologies such as Windows Media Player and RealPlayer.
● Applications like Internet Explorer and Microsoft Encarta are also supported, as theyleverage Windows Media Player.
● Both file-based and streaming (URL-based) media formats: WAV, all variations ofMPEG, unprotected Windows Media Video (WMV), and Windows Media Audio (WMA).
Note: HDX MediaStream Multimedia Acceleration does not support media filesprotected with Digital Rights Management (DRM).
Smart Cards and the Citrix Desktop Lock
The Citrix Desktop Lock can be used with smart cards connected to domain-joined userdevices running Windows XP or Windows XPe but not Windows 7 or Windows EmbeddedStandard 7. This limitation does not apply to non-domain-joined user devices.
System Requirements
30
31
Citrix Receiver for Windows Overview
Citrix Receiver for Windows (Citrix Receiver) delivers apps, desktops, and IT services toWindows PCs. Citrix Receiver supports Citrix CloudGateway:
● CloudGateway Express enables XenApp and XenDesktop customers to deliver Windowsapps and desktops by using a unified Storefront with self-service.
● CloudGateway Enterprise enables enterprises to aggregate, control, and deliver all oftheir Windows, web and SaaS apps.
Receiver also supports Citrix Web Interface for legacy deployments.
Receiver handles the following functions:
● User authentication. Receiver provides user credentials to CloudGateway or WebInterface when users try to connect and every time they launch published resources.
● Application and content enumeration. Receiver presents users with their individualset of published resources.
● Application launching. Receiver is the local engine used to launch publishedapplications.
● Desktop integration. Receiver integrates a user’s set of published resources (includingvirtual desktops) with the user’s physical desktop.
● User preferences. Receiver validates and implements local user preferences.
Two Citrix Receiver packages are available.
● Citrix Receiver (standard, CitrixReceiver.exe) supports Citrix CloudGateway and, forlegacy deployments, Web Interface. Standard Receiver features include:
● Receiver Experience, enabling users to seamlessly transition between devices andconnection types
● Web plug-in
● Authentication Manager
● Single sign-on/pass-through authentication
● Self-service
● Generic USB (XenDesktop)
● Desktop Viewer (XenDesktop)
● HDX Media Stream for Flash
● Aero desktop experience (for operating systems that support it)
● Citrix Receiver (enterprise, CitrixReceiverEnterprise.exe) is required only forapplications that use Smart Card authentication. It supports Web Interface only andincludes the same features as the standard package except for Authentication Managerand self-service.
Using the Citrix CloudGatewayCitrixReceiver.exe enables access to Storefront published resources and virtual desktopsfrom anywhere. Configure a provisioning file to provide native self-service access orconfigure a Receiver for Web site to provide web browser access to Storefront-publishedresources and virtual desktops.
Using with XenAppBoth Receiver packages support the XenApp feature set. Centrally administer and configurethe Receiver in the Receiver Storefront management console (or, if using Web Interface, inthe Web Interface Management Console using a Receiver site created in association with asite for the server running the Web Interface).
You can use both Receiver packages with the Citrix offline plug-in to provide applicationstreaming to the user desktop. For more information about the streamed applicationfeature, see the Application Streaming documentation in eDocs.
The Desktop Viewer is not supported with XenApp connections.
Using with XenDesktopReceiver includes the Desktop Viewer, the client-side software that supports XenDesktop.Users running the Desktop Viewer on their devices access virtual desktops created withXenDesktop in addition to their local desktop. Users running the Citrix Desktop Lock (whichyou install in addition to the Desktop Viewer) interact only with the virtual desktop not thelocal desktop.
Get Started
32
33
Citrix Connection Center Overview
The Citrix Connection Center displays all connections established from the Receiver.
The ICA Connections window displays a list of active sessions. Each server entry in the listrepresents a session. For each seamless session, below each server entry, a list of thepublished resources you are running on that server appears.
After you launch a published resource, you can access the Connection Center by rightclicking the Receiver icon in your Windows notification area and choose Online Sessions >Connection Center. You can also access the Connection Center from the Preferences >Plug-in Status screen.
The Connection Center offers various options to view statistics and control sessions andapplications:
● Disconnect a session from a server but leave the session running on it
● End a server session
● Switch from seamless mode to full screen mode
● Seamless mode. Published applications and desktops are not contained within asession window. Each published application and desktop appears in its ownresizable window, as if it is physically installed on your user device. You can switchbetween published applications and the local desktop.
● Full screen mode. Published applications are placed in a full screen-sized desktop.● Show connection status details like frames sent and received
● Terminate an indivual published application
● Set access permissions
34
Providing Virtual Desktops to ReceiverUsers
This topic applies to XenDesktop deployments only.
Different enterprises have different corporate needs, and your requirements for the wayusers access virtual desktops may vary from user to user, and as your corporate needsevolve. The user experience of connecting to virtual desktops and the extent of userinvolvement in configuring the connections depend on how you set up the Citrix Receiverfor Windows. You have two options for providing users with access to virtual desktops: usingthe Desktop Viewer or the Citrix Desktop Lock.
Important: Do not attempt to use the Desktop Viewer or the Desktop Lock to connect todesktops published with XenApp.
Desktop ViewerUse the Desktop Viewer when users need to interact with their local desktop as well as thevirtual one. In this access scenario, the Desktop Viewer toolbar functionality allows the userto open a virtual desktop in a window and pan and scale that desktop inside their localdesktop. Users can set preferences and work with more than one desktop using multipleXenDesktop connections on the same user device.
Citrix Desktop LockUse the Desktop Lock when users do not need to interact with the local desktop. In thisaccess scenario, the Desktop Viewer is not available and the virtual desktop effectivelyreplaces the local one, allowing the user to interact with the virtual desktop as if it is local.This provides the best user experience in a XenDesktop environment.
To decide which option best suits your deployment, consider how you want users to accessand interact with virtual desktops.
To understand the user experience of connecting to desktops created with XenDesktop,consult the planning topics in the XenDesktop documentation.
35
Overview of Citrix Receiver for WindowsInstallation Packages
This release contains two installation packages and offers several options for installing theCitrix Receiver for Windows. You can install the two Receiver installer packages with almostno user interaction.
● CitrixReceiver.exe - This Receiver (standard) does not require administrator rights toinstall unless it will use pass-through authentication. It can be installed:
● Automatically from Receiver for Web or from Web Interface
● By the user
● Using an Electronic Software Distribution (ESD) tool● CitrixReceiverEnterprise.exe - This Receiver (Enterprise) requires administrator rights
to install. Although the user can install Receiver (Enterprise), it is usually installed withan ESD tool. Uninstall other Receiver versions before installing Receiver (Enterprise).
Important: Upgrades are supported only from Citrix online plug-in 11.2 and 12.x. Removeany earlier versions before installing this version.
Considerations When UpgradingBecause there are two Citrix Receiver installation packages and there were two onlineplug-in packages (web and full) in previous releases, each having different options, youhave to consider the previously installed package when planning your upgrade. Use thistable to determine how to proceed with your upgrade.
Currently installed Upgrade Package Result
No Online plug-in installed CitrixReceiverEnterprise.exe Citrix Receiver(Enterprise) - web access- but manuallyconfigurable for PNA
No Online plug-in installed CitrixReceiver.exe Citrix Receiver (standard)- web access
Online plug-in fullconfigured for PNA or SSO
CitrixReceiverEnterprise.exe Citrix Receiver(Enterprise) configuredfor PNA or SSO
Online plug-in web CitrixReceiver.exe Citrix Receiver (standard)- web access
Online plug-in web CitrixReceiverEnterprise.exe Citrix Receiver(Enterprise) - web access- but manuallyconfigurable for PNA
The CitrixReceiver.exe upgrade package cannot be used to upgrade the online plug-in fullconfigured for PNA or Citrix Receiver (Enterprise). In both cases, the installer displays anerror message and does not alter the previously installed client.
How Installation Outcomes Differ Based on theOperating System, User Type, and InstallationPackage
The outcome of CitrixReceiver.exe or CitrixReceiverEnterprise.exe package installationsdiffers based on the combination of the operating system on the user device, user type,whether User Account Control (UAC) is enabled or disabled on Windows Vista, Windows 7,and Windows 2008 computers, and which installation package is used.
Operating system and usertype
CitrixReceiver.exe CitrixReceiverEnterprise.exe
OS: Windows XP, andWindows Server 2003
User: Administrator
Installation type:per-computer
Installation type:per-computer
OS: Windows XP, andWindows Server 2003
User: Standard user
Installation type: per-user Not supported
OS: Windows Vista,Windows 7, and WindowsServer 2008
User: Administrator with orwithout UAC disabled
Installation type:per-computer
Installation type:per-computer
OS: Windows Vista,Windows 7, and WindowsServer 2008
User: Standard user
Installation type: per-user Not supported
Install and Uninstall
36
37
Installing and Uninstalling Receiver forWindows Manually
Users can install the Receiver from Receiver for Web, the Web Interface, the installationmedia, a network share, Windows Explorer, or a command line by running theCitrixReceiverEnterprise.exe or CitrixReceiver.exe installer package. Because the installerpackages are self-extracting installations that extract to the user's temp directory beforelaunching the setup program, ensure that there is enough free space available in the%temp% directory.
When the user runs one of the Receiver installation .exe files, a message box immediatelyappears displaying the progress of the installation.
When you cancel the installation before completion, some components might be installed.In that case, remove the Receiver with the Add/Remove Programs utility from the ControlPanel on Windows XP or Windows Server 2003 (Programs and Features utility from theControl Panel on Windows Vista, Windows 7, and Windows Server 2008).
Upgrades are supported only from the Citrix XenApp Plugin for Hosted Apps 11.0, DesktopReceiver 11.1, and Citrix online plug-in 11.1, 11.2, and 12.x. Remove any earlier versionsbefore installing this current version.
For command line installation parameters, see To configure and install the Citrix Receiverfor Windows using command-line parameters.
If company policies prohibit you from using an .exe file, refer to How to Manually Extract,Install, and Remove Individual .msi Files from ReceiverEnterprise.exe.
Removing the ReceiverYou can also use the Citrix Receiver Updater to install and uninstall Receiver. If CitrixReceiver Updater was not used to install the Receiver, you can uninstall Receiver byrunning the Add/Remove Programs utility from the Control Panel on Windows XP orWindows Server 2003 (Programs and Features utility from the Control Panel on WindowsVista, Windows 7, and Windows Server 2008).
If you delete Receiver related files or registry entries just before uninstalling Receiver withAdd/Remove Programs or Programs and Features, uninstall might fail. The MicrosoftWindows Installer (MSI) is trying to repair and uninstall at the same time. If this occurs, usethe Receiver to start an auto-repair. After the auto-repair completes, you can cleanlyuninstall Receiver from Add/Remove Programs or Programs and Features.
Auto-repair occurs if there is a problem with Receiver; however, there is no Add/RemovePrograms or Programs and Features Repair option.
To remove Receiver using the command line
You can also uninstall Receiver from a command line by typing the appropriate command.
CitrixReceiverEnterprise.exe /uninstall
or
CitrixReceiver.exe /uninstall
Caution: Using Registry Editor incorrectly can cause serious problems that can requireyou to reinstall the operating system. Citrix cannot guarantee that problems resultingfrom incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Make sure you back up the registry before you edit it.
After uninstalling the Receiver software from a user device, the custom Receiver-settingregistry keys created by icaclient.adm remain in the Software\Policies\Citrix\ICA Clientdirectory under HKEY_LOCAL_MACHINE and HKEY_LOCAL_USER. If you reinstall Receiver,these policies might be enforced, possibly causing unexpected behavior. If you want toremove these customizations, delete them manually.
Installing and Uninstalling Receiver for Windows Manually
38
39
Upgrading the Desktop Viewer andDesktop Appliance Lock
You can upgrade the Desktop Viewer component contained in Citrix online plug-in 12.1 byinstalling this version of the Citrix Receiver for Windows.
To upgrade the Desktop Appliance Lock, remove Citrix online plug-in 12.1 and the DesktopAppliance Lock, and then install this version of the Receiver and the Citrix Desktop Lock.
40
To install the Citrix Desktop Lock
Important: Log on using a local administrator account to carry out this installationprocedure. In addition, consult About Citrix Receiver for Windows 3.1 for workarounds toany known issues with the Desktop Lock.
This procedure installs the plug-in so that virtual desktops are displayed using the CitrixDesktop Lock. Do not use this procedure if you want the Desktop Viewer to be available tousers.
1. On the installation media, navigate to the folder called Citrix Receiver andPlug-ins\Windows\Receiver, and run CitrixReceiverEnterprise.exe from the commandline using the following syntax:
CitrixReceiverEnterprise.exe ADDLOCAL="ICA_Client,SSON,USB,DesktopViewer,Flash,PN_Agent,Vd3d" SERVER_LOCATION="my.server" ENABLE_SSON="Yes"
For information about the properties used in this command, see To configure and installthe Citrix Receiver for Windows using command-line parameters
2. Enter the URL of the XenDesktop Services site where your virtual desktops are located.The URL must be in the format http://servername or https://servername. If you areusing hardware or software for load balancing or failover, you can enter aload-balanced address.
Important: Check that the URL you enter is correct. If the URL is incorrectly typed,or you leave the field empty and the user does not enter a valid URL when promptedafter installation, no virtual desktop or local desktop will be available.
3. On the XenDesktop installation media, navigate to the Citrix Receiver andPlug-ins\Windows\Receiver folder and double-click CitrixDesktopLock.msi. The CitrixDesktop Lock wizard appears.
4. On the License Agreement page, read and accept the Citrix license agreement andclick Install. The Installation Progress page appears.
5. In the Installation Completed dialog box, click Close.
6. When prompted, restart the user device. If you have been granted access to a desktopand you log on as a domain user, the restarted device is displayed using the DesktopLock.
41
User Accounts Used to Install the CitrixDesktop Lock
When you install the Citrix Desktop Lock, a replacement shell is used. To allowadministration of the user device after you complete the installation, the account used toinstall CitrixDesktopLock.msi is excluded from the shell replacement. If the account used toinstall CitrixDesktopLock.msi is later deleted, you will not be able to log on and administerthe device.
Note that because a replacement shell is used, Citrix does not recommend the use ofcustom shells with desktops accessed through the Desktop Lock.
42
To remove the Citrix Desktop Lock
If you installed the Citrix Desktop Lock, two separate items are displayed in Add/RemovePrograms. You must remove both to complete the removal process.
1. Log on with the same local administrator credentials that were used to install theDesktop Lock.
2. Run the Add/Remove programs utility from the Control Panel.
3. Remove Citrix Desktop Lock.
4. Remove Citrix Receiver or Citrix Receiver (Enterprise).
43
To configure and install the CitrixReceiver for Windows usingcommand-line parameters
You or your users can customize the Receiver installer by specifying command line options.Because the installer packages are self-extracting installations that extract to the user'stemp directory before launching the setup program, ensure that there is enough free spaceavailable in the %temp% directory.
Space Requirements
Receiver (standard) - 78.8 Mbytes
Receiver (Enterprise) - 93.6 Mbytes
This includes program files, user data, and temp directories after launching severalapplications.
1. On the computer where you want to install the Receiver for Windows package, type thefollowing at a command prompt:
CitrixReceiver.exe [Options]
or
CitrixReceiverEnterprise.exe [Options]
2. Set your options as needed.
● /? or /help displays usage information.
● /noreboot suppresses reboot during UI installations. This option is not necessaryduring silent installs.
● /silent disables the error and progress dialogs to execute a completely silentinstallation.
● /includeSSON enables single sign on for Receiver (standard, CitrixReceiver.exe).This option is not supported for Receiver (enterprise, CitrixReceiverEnterprise.exe),which installs single sign on by default. If you are using ADDLOCAL= to specifyfeatures and you want to install single sign on, you must also specify the SSONvalue. Requires administrator rights.
● PROPERTY=Value
Where PROPERTY is one of the following all-uppercase variables (keys) and Value isthe value the user should specify.
● INSTALLDIR=Installation directory, where Installation directory is the locationwhere the Receiver software is installed. The default value is C:\ProgramFiles\Citrix\ICA Client. If you use this option and specify an Installationdirectory, you must install the RIInstaller.msi in the Installationdirectory\Receiver directory and the other .msi files in the Installationdirectory.
● CLIENT_NAME=ClientName, where ClientName is the name used to identify theuser device to the server farm. The default value is %COMPUTERNAME%.
● ENABLE_DYNAMIC_CLIENT_NAME={Yes | No} The dynamic client name featureallows the client name to be the same as the computer name. When userschange their computer name, the client name changes to match. To enabledynamic client name support during silent installation, the value of theproperty ENABLE_DYNAMIC_CLIENT_NAME in your installation file must be Yes.To disable dynamic client name support, set this property to No.
● ADDLOCAL=feature[,...] Install one or more of the specified components. Whenspecifying multiple parameters, separate each parameter with a comma andwithout spaces. The names are case sensitive. If you do not specify thisparameter, all components included in the CitrixReceiverEnterprise.exe orCitrixReceiver.exe are installed by default.
Note: ReceiverInside and ICA_Client are prerequisites for all othercomponents and must be installed.
ReceiverInside – Installs the Receiver experience. (Required)
ICA_Client – Installs the standard Receiver. (Required)
SSON – Installs single sign on. Requires administrator rights.
AM – Installs the Authentication Manager. This value is supported only withCitrixReceiver.exe.
SELFSERVICE – Installs the Self-Service Plug-in. This value is supported onlywith CitrixReceiver.exe. The AM value must be specified on the command lineand .NET 3.5 Service Pack 1 must be installed.
USB – Installs USB.
DesktopViewer – Installs the Desktop Viewer.
Flash – Installs HDX media stream for flash.
PN_Agent – Installs Receiver (Enterprise). This value is supported only withCitrixReceiverEnterprise.exe.
Vd3d – Enables the Windows Aero experience (for operating systems thatsupport it)
● ALLOWADDSTORE={N | S | A} – The default depends on the followingsituations:
To configure and install the Citrix Receiver for Windows using command-line parameters
44
N if Merchandising Server is used or stores are specified on the installationcommand line.
S if Receiver is installed per machine.
A if Receiver is installed per user.
Specifies whether or not users can add and remove stores not configuredthrough Merchandising Server deliveries. (Users can enable or disable storesconfigured through Merchandising Server deliveries, but they cannot removethese stores or change the names or the URLs.) This option is supported onlywith CitrixReceiver.exe.
● ALLOWSAVEPWD={N | S | A} – The default is the value specified from thePNAgent server at run time. Specifies whether or not users can save credentialsfor stores locally on their computers and applies only to stores using thePNAgent protocol. Setting this argument to N prevents users from saving theircredentials. If the argument is set to S, users can only save credentials forstores accessed through HTTPS connections. Using the value A allows users tosave credentials for all their stores. This option is supported only withCitrixReceiver.exe.
● ENABLE_SSON={Yes | No} – The default value is Yes. Note that users must logoff and log back onto their devices after an installation with pass-throughauthentication enabled. Requires administrator rights.
Important: If you disable single sign on pass-through authentication, usersmust reinstall Receiver if you decide to use pass-through authentication at alater time.
● ENABLE_KERBEROS={Yes | No} – The default value is No. Specifies thatKerberos should be used; applies only when pass-through authentication (SSON)is enabled.
● DEFAULT_NDSCONTEXT=Context1 [,…] – Include this parameter to set a defaultcontext for Novell Directory Services (NDS). To include more than one context,place the entire value in quotation marks and separate the contexts by acomma. This option is supported only with CitrixReceiverEnterprise.exe.Examples of correct parameters:
DEFAULT_NDSCONTEXT="Context1"
DEFAULT_NDSCONTEXT=“Context1,Context2”
● LEGACYFTAICONS={False | True} – The default value is False. Specifieswhether or not application icons are displayed for documents that have filetype associations with subscribed applications. When the argument is set tofalse, Windows generates icons for documents that do not have a specific iconassigned to them. The icons generated by Windows consist of a genericdocument icon overlaid with a smaller version of the application icon. Citrixrecommends enabling this option if you plan on delivering Microsoft Officeapplications to users running Windows 7. This option is supported only withCitrixReceiver.exe.
● SERVER_LOCATION=Server_URL – The default value is blank. Provide the URL of the server running the Web Interface. The URL must be in the format
To configure and install the Citrix Receiver for Windows using command-line parameters
45
http://servername or https://servername.
The Receiver appends the default path and file name of the configuration fileto the server URL. If you change the default location of the configuration file,enter the entire new path in the SERVER_LOCATION key. This option issupported only with CitrixReceiverEnterprise.exe.
● STARTMENUDIR=Text string – The default is to put applications under Start >All Programs. Specifies the name of the default folder added to users' Startmenus to hold the shortcuts to their subscribed applications. Users can changethe folder name and/or move the folder at any time. This option is supportedonly with CitrixReceiver.exe.
● STOREx="storename;http[s]://servername.domain/IISLocation/resources/v1;[On| Off];[storedescription]"[ STOREy="..."] – Specifies up to 10 stores to use withReceiver. Values:
● x and y – Integers 0 through 9.
● storename – Defaults to store. This must match the name configured on theStorefront server.
● servername.domain – The fully qualified domain name of the server hostingthe store.
● IISLocation – the path to the store within IIS. The store URL must match theURL in Storefront provisioning files. The store URLs are of the form“/Citrix/MyStore/resources/v1” (for Storefront 1.0). To obtain the URL,export a provisioning file from Storefront, open it in notepad and copy theURL from the <Address> element.
● On | Off – The optional Off configuration setting enables you to deliverdisabled stores, giving users the choice of whether or not they access them.When the store status is not specified, the default setting is On.
● storedescription – An optional description of the store, such as Apps onXenApp.
If there is a problem with the installation, search in the user's %TEMP% directory for the logswith the prefix CtxInstall- or TrollyExpress- . For example:
CtxInstall-ICAWebWrapper.log
TrollyExpress-20090807-123456.log
Examples of a Command-Line Installation
CitrixReceiver.exe /includeSSONSTORE0="AppStore;https://testserver.net/Citrix/MyStore/resources/v1;on;Appson XenApp"STORE1="BackUpAppStore;https://testserver.net/Citrix/MyBackupStore/resources/v1;on;BackupStore Apps on XenApp"
This example:
● Installs Receiver (standard).
To configure and install the Citrix Receiver for Windows using command-line parameters
46
● Installs single sign on.
● Specifies two application stores.
CitrixReceiverEnterprise.exe /silentADDLOCAL="ReceiverInside,ICA_Client,PN_Agent" ENABLE_SSON=noINSTALLDIR="c:\test" ENABLE_DYNAMIC_CLIENT_NAME=YesDEFAULT_NDSCONTEXT="Context1,Context2"SERVER_LOCATION="http://testserver.net" CLIENT_NAME="Modified"
This example:
● Installs Receiver (Enterprise) without visible progress dialog boxes.
● Installs only Receiver Inside, the standard Receiver (ICA_Client), and enterpriseReceiver (PN_Agent).
● Disables pass-through authentication.
● Specifies the location where the software is installed.
● Enables dynamic client naming.
● Specifies the default context for NDS.
● Specifies the URL (http://testserver.net) of the server running the Web Interface,which Receiver will reference.
● Specifies the name used to identify the user device to the server farm.
To configure and install the Citrix Receiver for Windows using command-line parameters
47
48
Delivering Receiver Using ActiveDirectory and Sample Startup Scripts
You can use Active Directory Group Policy scripts to pre-deploy Receiver on systems basedon your Active Directory organizational structure. Citrix recommends using the scriptsrather than extracting the .msi files because the scripts allow for a single point forinstallation, upgrade, and uninstall, they consolidate the Citrix entries in Programs andFeatures, and make it easier to detect the version of Receiver that is deployed. Use theScripts setting in the Group Policy Management Console (GPMC) under ComputerConfiguration or User Configuration. Microsoft documents the advantages anddisadvantages of using scripts at Microsoft Technet - Use Group Policy to assign computerstartup scripts.
Citrix includes sample per-computer startup scripts to install and uninstallCitrixReceiver.exe and Citrix ReceiverEnterprise.exe. The scripts are located on the XenAppmedia in the Citrix Receiver and Plug-ins\Windows\Receiver\Startup_Logon_Scripts folder.
● CheckAndDeployReceiverEnterpriseStartupScript.bat
● CheckAndDeployReceiverPerMachineStartupScript.bat
● CheckAndRemoveReceiverEnterpriseStartupScript.bat
● CheckAndRemoveReceiverPerMachineStartupScript.bat
When the scripts are executed during Startup or Shutdown of an Active Directory GroupPolicy, custom configuration files might be created in the Default User profile of a system.If not removed, these configuration files can prevent some users from accessing theReceiver logs directory. The Citrix sample scripts include functionality to properly removethese configuration files.
To use the startup scripts to deploy Receiver with Active Directory
1. Create the Organizational Unit (OU) for each script.
2. Create a Group Policy Object (GPO) for the newly created OU.
To modify the sample scriptsModify the scripts by editing these parameters in the header section of each file:
● Current Version of package. The specified version number is validated and if it is notpresent, the deployment proceeds. For example, set DesiredVersion=3.0.0.XXXX to exactly match the version specified. If you specify a partial version, forexample 3.0.0, it matches any version with that prefix (3.0.0.1111, 3.0.0.7777, and soforth).
● Package Location/Deployment directory. This specifies the network share containingthe packages and is not authenticated by the script. The shared folder must have Readpermission for EVERYONE.
● Script Logging Directory. This specifies the network share where the install logs arecopied and is not authenticated by the script. The shared folder must have Read andWrite permissions for EVERYONE.
● Package Installer Command Line Options. These command line options are passed tothe installer. For the command line syntax, see To configure and install the CitrixReceiver for Windows using command-line parameters
To add the per-computer startup scripts1. Open the Group Policy Management Console.
2. Select Computer Configuration > Policies > Windows Settings > Scripts(Startup/Shutdown).
3. In the right-hand pane of the Group Policy Management Console, select Startup.
4. In the Properties menu, click Show Files, copy the appropriate script to the folderdisplayed, and then close the window.
5. In the Properties menu, click Add and use Browse to find and add the newly createdscript.
To deploy Receiver per-computer1. Move the user devices designated to receive this deployment to the OU you created.
2. Reboot the user device and log on as any user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)contains the newly installed package.
To remove Receiver per-computer1. Move the user devices designated for the removal to the OU you created.
2. Reboot the user device and log on as any user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)removed the previously installed package.
Delivering Receiver Using Active Directory and Sample Startup Scripts
49
50
Using the Per-User Sample StartupScripts
Citrix recommends using per-computer startup scripts but does include two Citrix Receiverper-user scripts on the XenApp media in the Citrix Receiver andPlug-ins\Windows\Receiver\Startup_Logon_Scripts folder for situations where you requireReceiver (standard) per-user deployments.
● CheckAndDeployReceiverPerUserLogonScript.bat
● CheckAndRemoveReceiverPerUserLogonScript.bat
To set up the per-user startup scripts1. Open the Group Policy Management Console.
2. Select User Configuration > Policies > Windows Settings > Scripts.
3. In the right-hand pane of the Group Policy Management Console, select Logon
4. In the Logon Properties menu, click Show Files, copy the appropriate script to thefolder displayed, and then close the window.
5. In the Logon Properties menu, click Add and use Browse to find and add the newlycreated script.
To deploy Receiver per-user1. Move the users designated to receive this deployment to the OU you created.
2. Reboot the user device and log on as the specified user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)contains the newly installed package.
To remove Receiver per-user1. Move the users designated for the removal to the OU you created.
2. Reboot the user device and log on as the specified user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)removed the previously installed package.
51
Deploying CitrixReceiver.exe fromReceiver for Web
You can deploy CitrixReceiver.exe from Receiver for Web to ensure that users have theReceiver installed before they try to connect to an application from a browser. For details,refer to the Receiver Storefront documentation on Citrix eDocs.
52
Deploying the CitrixReceiver.exe from aWeb Interface Logon Screen
You can deploy the CitrixReceiver.exe from a Web page to ensure that users have theReceiver installed before they try to use the Web Interface. Create a home page and run anInternet Explorer script to download the CitrixReceiver.exe package automatically from theWeb server and install it for the user.
To install the Receiver software using CitrixReceiver.exe, the Windows Installer Servicemust be installed on the user device. This service is present by default on systems runningWindows XP, Windows Vista, Windows 7, Windows Server 2003, or Windows Server 2008.
Add the sites from which the CitrixReceiver.exe file is downloaded to the Trusted Siteszone.
In the webinterface.conf file for your XenApp websites, edit the ClientIcaWin32= line tospecify the CitrixReceiver.exe installation file and remove the comment character (#).
For more information, see the Web Interface documentation.
53
Configuring Citrix Receiver for Windows
You can configure Citrix Receiver operations for deployments that use Receiver Storefrontor a legacy PNA Services site. For information about configuring deployments using ReceiverStorefront, refer to the Storefront documentation on Citrix eDocs.
From the Citrix management console for the XenApp server, configure the options andsettings for Receiver using the associated Receiver site. Each time users log on to theReceiver, they see the most recent configuration. Changes made while users are connectedtake effect when the Receiver configuration is refreshed manually or automatically after adesignated interval.
54
Using the Group Policy Object Templateto Customize Receiver
Citrix recommends using the Group Policy Object icaclient.adm template file to configurerules for securing Receiver connections. The rules include network routing, proxy servers,trusted server configuration, user routing, remote client devices, and the user experience.
You can use the icaclient.adm template file with domain policies and local computerpolicies. For domain policies, import the template file using the Group Policy ManagementConsole. This is especially useful for applying Receiver settings to a number of differentuser devices throughout the enterprise. To affect a single user device, import the templatefile using the local Group Policy Editor on the device.
For details about Group Policy management, see the Microsoft Group Policy documentation.
To import the icaclient template using the GroupPolicy Management Console
To affect domain-based group policies, import the icaclient.adm file with the Group PolicyManagement Console.
1. As an administrator, open the Group Policy Management Console.
2. In the left pane, select a group policy and from the Action menu, choose Edit.
3. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
4. From the Action menu, choose Add/Remove Templates.
5. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
6. Select Open to add the template and then Close to return to the Group Policy Editor.
To import the icaclient template using the local GroupPolicy Editor
To affect the policies on a local computer, import the icaclient.adm file with the localGroup Policy Editor.
1. As an administrator, open the Group Policy Editor by running gpedit.msc from the Startmenu.
2. In the left pane, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
Using the Group Policy Object Template to Customize Receiver
55
56
Configuring Access to Accounts Manually
When users launch Receiver for the first time, they have the option to set up a newaccount, unless Receiver was distributed using Merchandising Server, a Receiver for Webconfiguration file, or a GPO or similar method. To set up a new account, a user entersinformation about the XenApp farm or XenDesktop site hosting the resources.
When a user enters the details for a new account, Receiver attempts to verify theconnection. If successful, Receiver prompts the user to log on to the account.
To add a new account1. Click the gear icon in the Receiver window and choose Edit Accounts.2. Click Add.
3. Enter the information provided by your organization and click OK.
To remove an account1. Click the gear icon in the Receiver window and choose Edit Accounts.2. Select the account from the list and click Remove and Yes.
To edit the details of an account1. Click the gear icon in the Receiver window and choose Edit Accounts.2. Select the account that you want to edit from the list and double-click.
3. Edit the details in Name, the Description, and/or the URL fields, as required.
4. Click OK.
57
To customize user preferences for theReceiver (Enterprise)
Users can customize their preferences. For example, they can define window sizes forpublished applications, choose when to refresh the list of available published resources,and specify where the available published resources appear.
1. In the Windows notification area, right-click the Receiver icon and choosePreferences.
2. Right-click the Online Plug-in entry in the Plug-in Status and choose Options, select aproperty, and make the desired configuration changes.
If you configure seamless windows and set the task bar to Auto-hide, you cannot access thetaskbar when you maximize published applications. To access the taskbar, resize thepublished application.
For more detailed information, see the online help for Receiver.
To change the server URL in the Receiver (Enterprise)Receiver requires that you specify the location of a configuration file (Config.xml is thedefault configuration file) on the server running the Web Interface. You can ask your usersto change the server URL as you create new configuration files or delete old ones.
Note: To prevent users from accidentally changing their server URL, disable the option.
1. In the Windows notification area, right-click the Receiver icon and choose Preferences.
2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.
3. Type or select the server URL in the format http://servername or, to encrypt theconfiguration data using SSL, https://servername.
58
Configuring USB Support for XenDesktopConnections
USB support enables users to interact with a wide range of USB devices when connected toa virtual desktop. Users can plug USB devices into their computers and the devices areremoted to their virtual desktop. USB devices available for remoting include flash drives,smartphones, PDAs, printers, scanners, MP3 players, security devices, and tablets. DesktopViewer users can control whether USB devices are available on the virtual desktop using apreference in the toolbar.
Isochronous features in USB devices such as webcams, microphones, speakers, and headsetsare supported in typical low latency/high speed LAN environments. This allows thesedevices to interact with packages such as Microsoft Office Communicator and Skype.
The following types of device are supported directly in a XenDesktop session, and so do notuse USB support:
● Keyboards
● Mice
● Smart cards
Note: Specialist USB devices (for example, Bloomberg keyboards and 3D mice) can beconfigured to use USB support. For information on configuring Bloomberg keyboards, seeConfiguring Bloomberg Keyboards. For information on configuring policy rules for otherspecialist USB devices, see CTX 119722.
By default, certain types of USB devices are not supported for remoting throughXenDesktop. For example, a user may have a network interface card attached to the systemboard by internal USB. Remoting this would not be appropriate. The following types of USBdevice are not supported by default for use in a XenDesktop session:
● Bluetooth dongles
● Integrated network interface cards
● USB hubs
● USB graphics adaptors
USB devices connected to a hub can be remoted, but the hub itself cannot be remoted.
For instructions on modifying the range of USB devices that are available to users, seeUpdating the List of USB Devices Available for Remoting.
For instructions on automatically redirecting specific USB devices, see CTX123015.
59
How USB Support Works
When a user plugs in a USB device, it is checked against the USB policy, and, if allowed,remoted to the virtual desktop. If the device is denied by the default policy, it is availableonly to the local desktop.
The user experience depends upon the type of desktop to which users are connecting.
For desktops accessed through the Citrix Desktop Lock, when a user plugs in a USB device,that device is automatically remoted to the virtual desktop. No user interaction is required.The virtual desktop is responsible for controlling the USB device and displaying it in the userinterface.
For desktops accessed through the Desktop Viewer, when a user plugs in a USB device, adialog box appears asking the user if they want that device remoted to the virtual desktop.The user can decide which USB devices are remoted to the virtual desktop by selectingdevices from the list each time they connect. Alternatively, the user can configure USBsupport so that all USB devices plugged in both before and/or during a session areautomatically remoted to the virtual desktop that is in focus.
60
Mass Storage Devices
For mass storage devices only, in addition to USB support, remote access is availablethrough client drive mapping, which you configure through the Citrix Mappings rule. Whenthis rule is applied, the drives on the user device are automatically mapped to drive letterson the virtual desktop when users log on. The drives are displayed as shared folders withmapped drive letters. The Citrix Mappings rule is in the Drives subfolder of the ClientDevices Resources folder in the Presentation Server Console.
The main differences between the two types of remoting policy are:
Feature Client Drive Mapping USB Rule
Enabled by default Yes No
Read-only accessconfigurable
Yes No
Safe to remove deviceduring a session
No Yes, if the user clicksSafely Remove Hardwarein the notification area
If both USB support and the Citrix Mappings rule are enabled and a mass storage device isinserted before a session starts, it will be redirected using client drive mapping first, beforebeing considered for redirection through USB support. If it is inserted after a session hasstarted, it will be considered for redirection using USB support before client drive mapping.
61
USB Device Classes Allowed by Default
Different classes of USB device are allowed by the default USB policy rules.
Although they are on this list, some classes are only available for remoting in XenDesktopsessions after additional configuration. These are noted below.
● Audio (Class 01). Includes audio input devices (microphones), audio output devices,and MIDI controllers. Modern audio devices generally use isochronous transfers, which issupported by XenDesktop 4 or later.
Note: Some specialty devices (for example, VOIP phones) require additionalconfiguration. For instructions on this, see CTX123015.
● Physical Interface Devices(Class 05). These devices are similar to Human InterfaceDevices (HIDs), but generally provide "real-time" input or feedback and include forcefeedback joysticks, motion platforms, and force feedback exoskeletons.
● Still Imaging (Class 06). Includes digital cameras and scanners. Digital cameras oftensupport the still imaging class which uses the Picture Transfer Protocol (PTP) or MediaTransfer Protocol (MTP) to transfer images to a computer or other peripheral. Camerasmay also appear as mass storage devices and it may be possible to configure a camerato use either class, through setup menus provided by the camera itself.
Note that if a camera appears as a mass storage device, client drive mapping is usedand USB support is not required.
● Printers (Class 07). In general most printers are included in this class, although someuse vendor-specific protocols (class ff). Multi-function printers may have an internalhub or be composite devices. In both cases the printing element generally uses thePrinters class and the scanning or fax element uses another class; for example, StillImaging.
Printers normally work appropriately without USB support.
Note: This class of device (in particular printers with scanning functions) requiresadditional configuration. For instructions on this, see CTX123015.
● Mass Storage (Class 08). The most common mass storage devices are USB flash drives;others include USB-attached hard drives, CD/DVD drives, and SD/MMC card readers.There are a wide variety of devices with internal storage that also present a massstorage interface; these include media players, digital cameras, and mobile phones.Known subclasses include:
● 01 Limited flash devices
● 02 Typically CD/DVD devices (ATAPI/MMC-2)
● 03 Typically tape devices (QIC-157)
● 04 Typically floppy disk drives (UFI)
● 05 Typically floppy disk drives (SFF-8070i)
● 06 Most mass storage devices use this variant of SCSI
Mass storage devices can often be accessed through client drive mapping, and so USBsupport is not required.
Important: Some viruses are known to propagate actively using all types of massstorage. Carefully consider whether or not there is a business need to permit the useof mass storage devices, either through client drive mapping or USB support.
● Content Security (Class 0d). Content security devices enforce content protection,typically for licensing or digital rights management. This class includes dongles.
● Video (Class 0e). The video class covers devices that are used to manipulate video orvideo-related material, such as webcams, digital camcorders, analog video converters,some television tuners, and some digital cameras that support video streaming.
Note: Most video streaming devices use isochronous transfers, which is supported byXenDesktop 4 or later. Some video devices (for example webcams with motiondetection) require additional configuration. For instructions on this, see CTX123015.
● Personal Healthcare (Class 0f). These devices include personal healthcare devices suchas blood pressure sensors, heart rate monitors, pedometers, pill monitors, andspirometers.
● Application and Vendor Specific (Classes fe and ff). Many devices use vendor specificprotocols or protocols not standardized by the USB consortium, and these usuallyappear as vendor-specific (class ff).
USB Device Classes Allowed by Default
62
63
USB Device Classes Denied by Default
Different classes of USB device are denied by the default USB policy rules.
● Communications and CDC Control (Classes 02 and 0a). The default USB policy doesnot allow these devices, because one of them may be providing the connection to thevirtual desktop itself.
● Human Interface Devices (Class 03). Includes a wide variety of both input and outputdevices. Typical Human Interface Devices (HIDs) are keyboards, mice, pointing devices,graphic tablets, sensors, game controllers, buttons, and control functions.
Subclass 01 is known as the "boot interface" class and is used for keyboards and mice.
The default USB policy does not allow USB keyboards (class 03, subclass 01, protocol 1),or USB mice (class 03, subclass 01, protocol 2). This is because most keyboards andmice are handled appropriately without USB support and it is normally necessary to usethese devices locally as well remotely when connecting to a virtual desktop.
● USB Hubs (Class 09). USB hubs allow extra devices to be connected to the localcomputer. It is not neccessary to access these devices remotely.
● Smart Card (Class 0b). Smart card readers include contactless and contact smart cardreaders, and also USB tokens with an embedded smart card-equivalent chip.
Smart card readers are accessed using smart card remoting and do not require USBsupport.
● Wireless Controller (Class e0). Some of these devices may be providing criticalnetwork access, or connecting critical peripherals such as Bluetooth keyboards or mice.
The default USB policy does not allow these devices. However, there may be particulardevices it is appropriate to provide access to using USB support.
64
Updating the List of USB DevicesAvailable for Remoting
You can update the range of USB devices available for remoting to desktops by editing thefile icaclient_usb.adm. This allows you to make changes to the Receiver using Group Policy.The file is located in the following installed folder:
<root drive>:\Program Files\Citrix\ICA Client\Configuration\en
Alternatively, you can edit the registry on each user device, adding the following registrykey:
HKLM\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB Type=String Name="DeviceRules"Value=
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
The product default rules are stored in:
HKLM\SOFTWARE\Citrix\ICA Client\GenericUSB Type=MultiSz Name=“DeviceRules” Value=
Do not edit the product default rules.
For details of the rules and their syntax, see http://support.citrix.com/article/ctx119722/.
65
Configuring Bloomberg Keyboards
Bloomberg keyboards are supported by XenDestkop sessions (but not other USB keyboards).The required components are installed automatically when the plug-in is installed, but youmust enable this feature either during the installation or later by changing a registry key.
On any one user device, multiple sessions to Bloomberg keyboards are not recommended.The keyboard only operates correctly in single-session environments.
To turn Bloomberg keyboard support on or off
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
1. Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB
2. Do one of the following:
● To turn on this feature, for the entry with Type DWORD and NameEnableBloombergHID, set Value to 1.
● To turn off this feature, set the Value to 0.
66
Configuring User-Driven Desktop Restart
You can allow users to restart their desktops themselves. They may need to do this if adesktop fails to connect or becomes unresponsive.
This feature is disabled by default. You enable user-driven desktop restart for a desktopgroup in Desktop Studio. For information on this, see the XenDesktop documentation.
The procedures for restarting desktops differ depending on whether users are connecting todesktops through the Desktop Viewer or the Citrix Desktop Lock.
67
To prevent the Desktop Viewer windowfrom dimming
If users have multiple Desktop Viewer windows, by default the desktops that are not activeare dimmed. If users need to view multiple desktops simultaneously, this can make theinformation on them unreadable. You can disable the default behavior and prevent theDesktop Viewer window from dimming by editing the Registry.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
1. On the user device, create a REG_DWORD entry called DisableDimming in one of thefollowing keys, depending on whether you want to prevent dimming for the current userof the device or the device itself. An entry already exists if the Desktop Viewer hasbeen used on the device:
● HKCU\Software\Citrix\XenDesktop\DesktopViewer
● HKLM\Software\Citrix\XenDesktop\DesktopViewerOptionally, instead of controlling dimming with the above user or device settings, youcan define a local policy by creating the same REG_WORD entry in one of the followingkeys:
● HKCU\Software\Policies\Citrix\XenDesktop\DesktopViewer
● HKLM\Software\Policies\Citrix\XenDesktop\DesktopViewerThe use of these keys is optional because XenDesktop administrators, rather thanplug-in administrators or users, typically control policy settings using Group Policy. So,before using these keys, check whether your XenDesktop administrator has set a policyfor this feature.
2. Set the entry to any non-zero value such as 1 or true.
If no entries are specified or the entry is set to 0, the Desktop Viewer window is dimmed. Ifmultiple entries are specified, the following precedence is used. The first entry that islocated in this list, and its value, determine whether the window is dimmed:
1. HKCU\Software\Policies\Citrix\...
2. HKLM\Software\Policies\Citrix\...
3. HKCU\Software\Citrix\...
4. HKLM\Software\Citrix\...
68
To configure the Citrix Desktop Lock
This topic contains instructions for configuring USB preferences, drive mappings, andmicrophones for a virtual desktop accessed through the Citrix Desktop Lock. In addition,some general advice on configuring the Desktop Lock is also provided.
Typically, this is used in non-domain-joined environments such as on a thin client ordesktop appliance. In this access scenario, the Desktop Viewer is unavailable, so onlyadministrators (not users) can perform the configuration.
Two .adm files are provided that allow you to perform this task using policies:
● icaclient.adm. For information on obtaining this file, see To configure settings formultiple users and devices.
● icaclient_usb.adm. The file is located in the following installed folder: <rootdrive>:\Program Files\Citrix\ICA Client\Configuration\en.
This topic assumes you have loaded both files into Group Policy, where the policies appearin Computer Configuration or User Configuration > Administrative Templates > ClassicAdministrative Templates (ADM) > Citrix Components.
To configure USB preferencesAs a prerequisite, you must turn on USB support in XenDesktop deployments by enabling theUSB policy rule. For information on this, see the XenDesktop documentation.
In Citrix Receiver > Remoting client devices > Generic USB Remoting, enable andconfigure as desired the Existing USB Devices, New USB Devices, and USB Devices List InDesktop Viewer policies. You can use the Show All Devices policy to display all connectedUSB devices, including those using the Generic USB virtual channel (for example, webcamsand memory sticks).
To configure drive mappingIn Citrix Receiver > Remoting client devices, enable and configure as desired the Clientdrive mapping policy.
To configure a microphoneIn Citrix Receiver > Remoting client devices, enable and configure as desired the Clientmicrophone policy.
General Advice On Configuring the Desktop LockGrant access to only one virtual desktop running the Desktop Lock per user.
Do not allow users to hibernate virtual desktops. Use Active Directory policies appropriatelyto prevent this.
To configure the Citrix Desktop Lock
69
70
To configure settings for multiple usersand devices
In addition to the configuration options offered by the Receiver user interface, you can usethe Group Policy Editor and the icaclient.adm template file to configure settings. Using theGroup Policy Editor, you can:
● Extend the icaclient template to cover any Receiver setting by editing theicaclient.adm file. See the Microsoft Group Policy documentation for more informationabout editing .adm files and about applying settings to a particular computer.
● Make changes that apply only to either specific users or all users of a client device.
● Configure settings for multiple user devices
Citrix recommends using Group Policy to configure user devices remotely; however you canuse any method, including the Registry Editor, which updates the relevant registry entries.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. Under the User Configuration node or the Computer Configuration node, edit therelevant settings as required.
71
Canadian Keyboard Layouts andUpdating from Presentation ServerClients Version 10.200
The Canadian keyboard layouts are aligned with those supported by Microsoft. If usersinstall Receivers without uninstalling the Presentation Server Clients Version 10.200 first,they must manually edit the module.ini file (usually in C:\Program Files\Citrix\ICA Client) toupgrade the keyboard layout settings:
Replace:
Canadian English (Multilingual)=0x00001009
Canadian French=0x00000C0C
Canadian French (Multilingual)=0x00010C0C
With:
Canadian French=0x00001009
Canadian French (Legacy)=0x00000C0C
Canadian Multilingual Standard=0x00011009
72
Auto-Repair File Locations
Auto-repair occurs if there is a problem with Receiver; however, there is no Add/RemovePrograms or Programs and Features Repair option. If the Receiver repair option prompts forthe location of the .msi file, browse to one of these locations to find the file:
● For CitrixReceiverEnterprise.exe
● Operating system: Windows XP and Windows 2003
C:\Documents and Settings\All Users\application data\Citrix\Citrix Receiver(Enterprise)\
● Operating system: Windows Vista and Windows 7
C:\ProgramData\Citrix\Citrix Receiver (Enterprise)\● For CitrixReceiver.exe installed per computer
● Operating system: Windows XP and Windows 2003
C:\Documents and Settings\All Users\Application Data\Citrix\Citrix Receiver\
● Operating system: Windows Vista and Windows 7
C:\ProgramData\Citrix\Citrix Receiver\● For CitrixReceiver.exe installed per user
● Operating system: Windows XP and Windows 2003
%USERPROFILE%\Local Settings\Application Data\Citrix\Citrix Receiver\
● Operating system: Windows Vista and Windows 7
%USERPROFILE%\Appdata\local\Citrix\Citrix Receiver\
73
Optimizing the Receiver Environment
The ways you can optimize the environment in which your Receiver operates for your usersinclude:
● Improving performance
● Improving performance over low bandwidth
● Facilitating the connection of numerous types of client devices to published resources
● Providing support for NDS users
● Using connections to Citrix XenApp for UNIX
● Supporting naming conventions
● Supporting DNS naming resolution
74
Improving Receiver Performance
You can improve the performance of your Receiver software by:
● Reducing Application Launch Time
● Reconnecting Users Automatically
● Providing session reliability
● Improving Performance over Low-Bandwidth Connections
75
Reducing Application Launch Time
Use the session pre-launch feature to reduce application launch time during normal or hightraffic periods; thus, giving the user a better experience. The pre-launch feature allows apre-launch session to be created when a user logs on to Receiver, or at a scheduled time ifthe user is already logged on. This pre-launch session reduces the launch time of the firstapplication. The default application ctxprelaunch.exe is running in the session, but it is notvisible to the user.
There are two types of pre-launch:
● Just-in-time pre-launch. Pre-Launch starts immediately after the user's credentials areauthenticated whether or not it is a high-traffic period.
● Scheduled pre-launch. Pre-launch starts at a scheduled time. Scheduled pre-launchstarts only when the user device is already running and authenticated. If those twoconditions are not met when the scheduled pre-launch time arrives, a session does notlaunch. To spread network and server load, the session launches within a window ofwhen it is scheduled. For example, if the scheduled pre-launch is scheduled for 1:45p.m., the session actually launches between 1:15 p.m. and 1:45 p.m.
Typically, you can use just-in-time pre-launch for normal traffic periods and scheduledpre-launch for known high-traffic periods.
An example of a high-traffic period - if your environment includes a large number of userswho launch applications during peak periods such as when users start work or return fromlunch, the rapid succession of logon requests might overwhelm servers and slow downapplication launch for all users.
Configuring pre-launch on the XenApp server consists of creating, modifying, or deletingpre-launch applications, as well as updating user policy settings that control the pre-launchapplication. See To pre-launch applications to user devices for information aboutconfiguring session pre-launch on the XenApp server.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
Customizing the pre-launch feature using the icaclient.adm file is not supported. However,you can change the pre-launch configuration by modifying registry values during or afterReceiver installation.
Registry value for Windows 7, 64-bit
The value for Windows 7, 64-bit, is:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch - Enablesdifferent users on the same user device to have different settings. It also allows a user tochange the configuration without administrative permission. You can provide your userswith scripts to accomplish this.
Name: State
Values:
0 - Disable pre-launch.
1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials areauthenticated.)
2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)
Name: Schedule
Value:
The time (24 hour format) and days of week for scheduled pre-launch entered in thefollowing format:
HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU arethe days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday,and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0 . The sessionactually launches between 1:15 p.m. and 1:45 p.m.
Registry values for other Windows systems
The values for all other supported Windows operating systems are:HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch andHKEY_CURRENT_USER\Software\Citrix\ICA Client\Prelaunch.
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch - Written at installation,with default values.
Name: UserOverride
Values:
0 - Use the HKEY_LOCAL_MACHINE values even if HKEY_CURRENT_USER values are alsopresent.
1 - Use HKEY_CURRENT_USER values if they exist; otherwise, use the HKEY_LOCAL_MACHINEvalues.
Name: State
Values:
0 - Disable pre-launch.
1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials areauthenticated.)
2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)
Name: Schedule
Value:
Reducing Application Launch Time
76
The time (24 hour format) and days of week for scheduled pre-launch entered in thefollowing format:
HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU arethe days of the week. For example to enable scheduled pre-launch on Monday, Wednesday,and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0 . The sessionactually launches between 1:15 p.m. and 1:45 p.m.
HKEY_CURRENT_USER\SOFTWARE\Citrix\ICA Client\Prelaunch - Enables different users onthe same user device to have different settings. It also allows a user to change theconfiguration without administrative permission. You can provide your users with scripts toaccomplish this.
Name: State
Values:
0 - Disable pre-launch.
1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials areauthenticated.)
2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)
Name: Schedule
Value:
The time (24 hour format) and days of week for scheduled pre-launch entered in thefollowing format:
HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU arethe days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday,and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0 . The sessionactually launches between 1:15 p.m. and 1:45 p.m.
Reducing Application Launch Time
77
78
Reconnecting Users Automatically
Users can be disconnected from their sessions because of unreliable networks, highlyvariable network latency, or range limitations of wireless devices. With the HDX Broadcastauto-client reconnection feature, Receiver can detect unintended disconnections of ICAsessions and reconnect users to the affected sessions automatically.
When this feature is enabled on the server, users do not have to reconnect manually tocontinue working. The Receiver attempts to reconnect to the session until there is asuccessful reconnection or the user cancels the reconnection attempts. If userauthentication is required, a dialog box requesting credentials appears to a user duringautomatic reconnection. Automatic reconnection does not occur if users exit applicationswithout logging off. Users can reconnect only to disconnected sessions.
To disable HDX Broadcast auto-client reconnect for a particular user
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network Routing > Session reliability andautomatic reconnection. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties and select Disabled.
79
Providing HDX Broadcast SessionReliability
With the HDX Broadcast Session Reliability feature, users continue to see a publishedapplication’s window if the connection to the application experiences an interruption. Forexample, wireless users entering a tunnel may lose their connection when they enter thetunnel and regain it when they emerge on the other side. During such interruptions, thesession reliability feature enables the session window to remain displayed while theconnection is being restored.
You can configure your system to display a warning dialog box to users when the connectionis unavailable.
You set HDX Broadcast Session Reliability with policy settings on the server. Receiver userscannot override the server settings for HDX Broadcast Session Reliability.
Important: If HDX Broadcast Session Reliability is enabled, the default port used forsession communication switches from 1494 to 2598.
80
Improving Performance overLow-Bandwidth Connections
Citrix recommends that you use the latest version of XenApp or XenDesktop on the server.Citrix continually enhances and improves performance with each release. Manyperformance features require the latest Receiver and server software to function.
If you are using a low-bandwidth connection, you can make a number of changes to yourReceiver configuration and the way you use the Receiver to improve performance.
Changing Your Receiver ConfigurationOn devices with limited processing power or in circumstances where only limited bandwidthis available, there is a trade-off between performance and functionality. Receiver providesboth user and administrator with the ability to choose an acceptable mixture of richfunctionality and interactive performance. Making one or more of these changes on theserver or user device can reduce the bandwidth your connection requires and improveperformance:
● Enable SpeedScreen Latency Reduction. SpeedScreen Latency Reduction improvesperformance over high latency connections by providing instant feedback to the user inresponse to typed data or mouse clicks.
User's side: icaclient.adm file.
Server side: SpeedScreen Latency Reduction Manager.
● Reduce the window size. Change the window size to the minimum size you cancomfortably use.
User side: icaclient.adm file or use the Receiver icon in the notification area andchoose Preferences and right-click the Online Plug-in entry in the Plug-in Status andchoose Options > Session Options.
Server side: XenApp services site > Session Options.
● Reduce the number of colors. Reduce the number of colors to 256.
User side: icaclient.adm file or use the Receiver icon in the notification area andchoose Preferences and right-click the Online Plug-in entry in the Plug-in Status andchoose Options > Session Options.
Server side: XenApp services site > Session Options.
● Reduce sound quality. If Receiver audio mapping is enabled, reduce the sound qualityto the minimum setting.
User's side: icaclient.adm file.
Server side: Citrix Audio quality policy setting.
Changing Receiver UseICA technology is highly optimized and typically does not have high CPU and bandwidthrequirements. However, if you are using a very low-bandwidth connection, the followingtasks can impact performance:
● Accessing large files using client drive mapping. When you access a large file withclient drive mapping, the file is transferred over the ICA connection. On slowconnections, this may take a long time.
● Playing multimedia content. Playing multimedia content uses a lot of bandwidth andcan cause reduced performance.
Improving Performance over Low-Bandwidth Connections
81
82
Connecting User Devices and PublishedResources
You can facilitate sessions and optimize the connection of your user devices to resourcespublished in the server farm by:
● Configuring workspace control settings to provide continuity for roaming users
● Making scanning transparent for users
● Mapping client devices
● Associating user device file types with published applications
83
Configuring Workspace Control Settingsto Provide Continuity for Roaming Users
The workspace control feature provides users with the ability to disconnect quickly from allrunning applications, reconnect to applications, or log off from all running applications. Youcan move among user devices and gain access to all of your applications when you log on.For example, health care workers in a hospital can move quickly among workstations andaccess the same set of applications each time they log on to XenApp. These users candisconnect from multiple applications at one user device and open all the same applicationswhen they reconnect at a different user device.
Workspace control is available only to users connecting to published resources with CitrixXenApp or through Storefront, Receiver for Web, or the Web Interface.
Policies and client drive mappings change appropriately when you move to a new userdevice. Policies and mappings are applied according to the user device where you arecurrently logged on to the session. For example, if a health care worker logs off from a userdevice in the emergency room of a hospital and then logs on to a workstation in thehospital’s X-ray laboratory, the policies, printer mappings, and client drive mappingsappropriate for the session in the X-ray laboratory go into effect for the session as soon asthe user logs on to the user device in the X-ray laboratory.
Important: Workspace control is not available for Online Plug-in versions earlier than11.x; it works only with sessions connected to computers running Citrix PresentationServer Version 3.0, 4.0, or 4.5 or Citrix XenApp 5.0, 6.0, or 6.5.
If workspace control configuration settings allow users to override the server settings, userscan configure workspace control on the Receiver Reconnect Options page:
● Enable automatic reconnection at logon allows users to reconnect to onlydisconnected applications or to both disconnected and active applications
● Enable reconnection from the menu allows users to reconnect to only disconnectedapplications or to both disconnected and active sessions
To configure workspace control settings through Storefront or Receiver for Web
For information about configuring Receiver Storefront and Receiver for Web for workspacecontrol and user roaming, refer to the "Manage" topics in the Receiver Storefrontdocumentation in Citrix eDocs.
To configure workspace control settings through Web Interface
For users launching applications through the Web Interface, these options are in Settings:
● Enable automatic reconnection at logon allows users to reconnect to onlydisconnected applications or both disconnected and active applications
● Enable automatic reconnection from Reconnect menu allows users to reconnect toonly disconnected applications or both disconnected and active sessions
● Customize Log Off button allows users to configure whether or not the log offcommand will include logging them off from applications that are running in the session
If users log on with smart cards or smart cards with pass-through authentication, set up atrust relationship between the server running the Web Interface and any other server in thefarm that the Web Interface accesses for published applications. For more informationabout workspace control requirements, see the Citrix XenApp and Web InterfaceAdministrator documentation.
Configuring Workspace Control Settings to Provide Continuity for Roaming Users
84
85
Making Scanning Transparent for Users
If you enable HDX Plug-n-Play TWAIN image scanning device support, users can controlclient-attached TWAIN imaging devices transparently with applications that reside on theserver farm. To use this feature, a TWAIN device must be attached to the user device andthe associated 32-bit TWAIN driver must also be installed on the user device.
To enable or disable this feature, configure the Citrix policy Client TWAIN deviceredirection setting.
The following policy settings allow you to specify the maximum amount of bandwidth (inkilobits per second or as a percentage) and the compression level of images from client toserver used for TWAIN redirection:
● TWAIN device redirection bandwidth limit
● TWAIN device redirection bandwidth limit percent
● TWAIN compression level
86
Mapping User Devices
The Receiver supports mapping devices on user devices so they are available from within asession. Users can:
● Transparently access local drives, printers, and COM ports
● Cut and paste between the session and the local Windows clipboard
● Hear audio (system sounds and .wav files) played from the session
During logon, Receiver informs the XenApp server of the available client drives, COM ports,and LPT ports. By default, client drives are mapped to server drive letters and server printqueues are created for client printers so they appear to be directly connected to theXenApp server. These mappings are available only for the current user during the currentsession. They are deleted when the user logs off and recreated the next time the user logson.
You can use the the Citrix policy redirection settings on the XenApp server to map userdevices not automatically mapped at logon. For more information, see the XenAppadministration documentation.
Turning off User Device MappingsYou can configure user device mapping including options for drives, printers, and ports,using the Windows Server Manager tool. For more information about the available options,see your Remote Desktop Services documentation.
87
Mapping Client Drives to XenApp ServerDrive Letters
Client drive mapping allows drive letters on the XenApp server to be redirected to drivesthat exist on the client device. For example, drive H in a Citrix user session can be mappedto drive C of the local device running the plug-in.
Client drive mapping is built into the standard Citrix device redirection facilitiestransparently. To File Manager, Windows Explorer, and your applications, these mappingsappear like any other network mappings.
Note that Client drive mapping is not supported when connecting to MetaFrame Server 1.0for UNIX operating systems.
The XenApp server can be configured during installation to map client drives automaticallyto a given set of drive letters. The default installation mapping maps drive letters assignedto client drives starting with V and works backward, assigning a drive letter to each fixeddrive and CD-ROM drive. (Floppy drives are assigned their existing drive letters.) Thismethod yields the following drive mappings in a session:
Client drive letter Is accessed by the XenApp server as:
A A
B B
C V
D UThe XenApp server can be configured so that the server drive letters do not conflict withthe client drive letters; in this case the server drive letters are changed to higher driveletters. For example, changing server drives C to M and D to N allows client devices toaccess their C and D drives directly. This method yields the following drive mappings in asession:
Client drive letter Is accessed by the XenApp server as:
A A
B B
C C
D DThe drive letter used to replace the server drive C is defined during Setup. All other fixeddrive and CD-ROM drive letters are replaced with sequential drive letters (for example; C >M, D > N, E > O). These drive letters must not conflict with any existing network drivemappings. If a network drive is mapped to the same drive letter as a server drive letter, thenetwork drive mapping is not valid.
When a client device connects to a XenApp server, client mappings are reestablished unlessautomatic client device mapping is disabled. You can use the Terminal ServicesConfiguration tool to configure automatic client device mapping for ICA connections andusers. You can also use policies to give you more control over how client device mapping isapplied. For more information about policies, see the Citrix XenApp Administrator'sdocumentation at Citrix eDocs.
Mapping Client Drives to XenApp Server Drive Letters
88
89
HDX Plug-n-Play for USB StorageDevices
HDX Plug-n-Play for USB storage devices enables users to interact with USB mass storagedevices connected to their user devices when connected to XenApp sessions. When HDXPlug-n-Play for USB storage devices is enabled, users can connect or disconnect a USBdevice from a session at anytime, regardless of whether the session was started before orafter the drive connection.
HDX Plug-n-Play for USB storage devices is enabled by default and can be disabled orenabled by editing the ICA\File Redirection - Client removable drives policy setting. Formore information, see the XenApp documentation.
Supported Mass Storage Devices with XenAppMass storage devices, including USB thumbdrives, USB-attached hard drives, CD-DVD drives,and SD card readers are supported.
Not supported:
● U3 smart drives and devices with similar autorun behavior
● Explorer.exe published as a seamless application
Mass storage devices can often be accessed through client drive mapping, and so USBsupport is not required.
Important: Some viruses are known to propagate actively using all types of mass storage.Carefully consider whether or not there is a business need to permit the use of massstorage devices, either through client drive mapping or USB support.
90
HDX Plug-n-Play USB Device Redirectionfor XenApp Connections
HDX Plug-n-Play USB Device Redirection on computers running Vista and Windows 7 enablesdynamic redirection of media devices, including cameras, scanners, media players, andpoint of sale (POS) devices to the server. You or the user can restrict redirection of all orsome of the devices. Edit policies on the server or apply group policies on the user deviceto configure the redirection settings. Three methods can enforce HDX Plug-n-Play USBdevice redirection policies:
● Server side. The administrator can enable or disable all device redirections for aspecific user or user group using the Active Directory policies available in XenApp. Thepolicy controls redirection of all devices and is not specific to a device. For moreinformation, see the XenApp administration documentation.
● Plug-in side. The administrator can enable or disable all device redirection for aspecific user or computer by using the group policy editor. There are two policy settings- the USB Plug-n-Play Devices policy setting controls redirection of all devices and theUSB Point of Sale Devices policy setting controls POS devices only. If USB Plug-n-PlayDevices allows devices to be redirected, you can use the USB Point of Sale Devices,which is a subset of USB Plug-n-Play Devices, to control only POS devices.
● Plug-in side. The user can allow or reject device redirection. When a device is going tobe redirected, the permission set by the user in the Connection Center is applied (thesetting applies to the current session). If the permission is set to Full Access, devicesare always redirected. If the permission is set to No Access, devices are not redirected.If the permission is set to Ask Permission, a dialog box appears before redirectionoccurs requiring the user to make a selection. Depending on the answer, the device isredirected or not. If the user is prompted with any of the device security dialog boxes(for example, file security or audio security) and instructs the system to remember thedecision, applications launched in subsequent ICA sessions load and use these settings.
This setting affects only devices plugged in after the user changes the setting. Devicesthat are already plugged in when the user changes the setting are unaffected by thenew setting.
Important: If you prohibit Plug-n-Play USB device redirection in a server policy, theuser cannot override that policy setting with the plug-in side policy.
Plug-in Group PoliciesAccess the plug-in policies using the Group Policy Editor available through gpedit.msc fromthe Start menu's Run dialog box. You can apply the policies to both users and computers.Two policies are available:
● USB Plug-n-Play Devices is the main policy that turns HDX Plug-n-Play USB deviceredirection on or off. Enabling redirection allows any Media Transfer Protocol (MTP),Picture Transfer Protocol (PTP), and Point of Sale (POS) device connected to the userdevice to be redirected in the session. The policy has three values: Not Configured,Enabled, and Disabled. The default is Not Configured, which allows redirection.
● USB Point of Sale Devices controls the redirection of POS devices and USB Plug-n-PlayDevices must be Enabled to enable this policy. The policy can have three values: NotConfigured, Enabled, and Disabled. The default is Not Configured, which allowsredirection of POS devices.
HDX Plug-n-Play USB Device Redirection for XenApp Connections
91
92
Mapping Client Printers for MoreEfficiency
The Receiver support printing to network printers and printers that are attached locally touser devices. By default, unless you create policies to change this, XenApp lets users:
● Print to all printing devices accessible from the user device
● Add printers (but it does not retain settings configured for these printers or save themfor the next session)
However, these settings might not be the optimum in all environments. For example, thedefault setting that allows users to print to all printers accessible from the user device isthe easiest to administer initially, but might create slower logon times in someenvironments.
Likewise, your organization’s security policies might require that you prevent users frommapping local printing ports. To do so, configure the Citrix policy Auto connect client COMports setting to Disabled.
To change default printing settings, configure policy settings on the server. For moreinformation, see the XenApp administration topics.
To view mapped client printersWhile connected to the XenApp server, from the Start menu, choose Printers in the ControlPanel.
The Printers window displays the local printers mapped to the session. When connecting toservers running Citrix Presentation Server 4.0 or 4.5 or Citrix XenApp, by default the nameof the printer takes the form:
printername (from clientname) in session x
where:
● printername is the name of the printer on the user device.
● clientname is the unique name given to the user device or the Web Interface.
● x is the SessionID of the user’s session on the server.
For example, printer01 (from computer01) in session 7
When connecting to servers running Presentation Server 3.0 or earlier, or when the Legacy printer name option from the Citrix policy Client printer names setting is enabled on the
server, a different naming convention is used. The name of the printer takes the form:
Client/clientname#/printername
where:
● clientname is the unique name given to the user device during client setup.
● printername is the Windows printer name. Because the Windows printer name is usedand not the port name, multiple printers can share a printer port without conflict.
For more information about printing, and about managing printing using policies, see theCitrix XenApp Administrator's documentation.
Mapping Client Printers for More Efficiency
93
94
To map a client COM port to a serverCOM port
Client COM port mapping allows devices attached to the COM ports of the user device to beused during sessions on a XenApp server. These mappings can be used like any othernetwork mappings.
Important: Client COM port mapping is not supported when connecting to MetaFrameServer 1.0 and 1.1 for UNIX Operating Systems.
You can map client COM ports at the command prompt. You can also control client COMport mapping from the Terminal Services Configuration tool or using policies. See the CitrixXenApp Administrator’s documentation for more information about policies.
1. Start Receiver and log on to the XenApp server.
2. At a command prompt, type: net use comx: \\client\comz: where x is the number ofthe COM port on the server (ports 1 through 9 are available for mapping) and z is thenumber of the client COM port you want to map.
3. To confirm the operation, type: net use at a command prompt. The list that appearscontains mapped drives, LPT ports, and mapped COM ports. To use this COM port in asession on a XenApp server, install your device to the mapped name. For example, ifyou map COM1 on the client to COM5 on the server, install your COM port device onCOM5 during the session on the server. Use this mapped COM port as you would a COMport on the user device.
Important: COM port mapping is not TAPI-compatible. TAPI devices cannot bemapped to client COM ports.
95
Mapping Client Audio to Play Sound onthe User Device
Client audio mapping enables applications executing on the XenApp server to play soundsthrough Windows-compatible sound devices installed on the user device. You can set audioquality on a per-connection basis on the XenApp server and users can set it on their device.If the user device and server audio quality settings are different, the lower setting is used.
Client audio mapping can cause excessive load on servers and the network. The higher theaudio quality, the more bandwidth is required to transfer the audio data. Higher qualityaudio also uses more server CPU to process.
Important: Client sound support mapping is not supported when connecting to CitrixXenApp for UNIX.
96
Associating User Device File Types withPublished Applications
Receiver supports HDX Plug-n-Play content redirection. Functionally equivalent to extendedparameter passing, content redirection allows you to enforce all underlying file typeassociations from the server, eliminating the need to configure extended parameter passingon individual user devices.
To associate file types on the user device with applications published on the server,configure Plug-n-Play content redirection on the server. For more information, see theXenApp adminstration topics.
97
Using the Window Manager whenConnecting to Citrix XenApp for UNIX
This topic does not apply to XenDesktop connections.
You can use the window manager to change the session display when connecting topublished resources on XenApp servers for UNIX. With the window manager, users canminimize, resize, position, and close windows, as well as access full screen mode.
About Seamless WindowsIn seamless window mode, published applications and desktops are not contained within asession window. Each published application and desktop appears in its own resizablewindow, as if it is physically installed on the user device. Users can switch betweenpublished applications and the local desktop.
You can also display seamless windows in “full screen” mode, which places the publishedapplication in a full screen-sized desktop. This mode lets you access the ctxwm menusystem.
To switch between seamless and full screen modes
Press SHIFT+F2 to switch between seamless and full screen modes.
Minimizing, Resizing, Positioning, and ClosingWindows
When users connect to published resources, window manager provides buttons to minimize,resize, position, and close windows. Windows are minimized as buttons on the taskbar.
When the user closes the last application in a session, the session is logged offautomatically after twenty seconds.
98
Terminating and Disconnecting Sessions
This topic does not apply to XenDesktop connections.
In remote desktop and seamless full screen windows, you can use the ctxwm menu systemto log off, disconnect, and exit from published applications and connection sessions.
To access the ctxwm menu system1. On a blank area of the remote desktop window, click and hold down the left mouse
button. The ctxwm menu appears.
2. Drag the mouse pointer over Shutdown to display the shutdown options.
To choose an option from the ctxwm menuDrag the pointer over the required option to select it. Release the mouse button to selectthe option.
To Choose
Terminate the connection and all running applications Logoff
Disconnect the session but leave the application running Disconnect
Disconnect the session and terminate the application Exit
Note: The server can be configured to terminate any applications that are running if asession is disconnected.
99
Using ctxgrab and ctxcapture to Cut andPaste Graphics When Connected toXenApp for UNIX
If you are connected to an application published on a XenApp server for UNIX, use ctxgrabor ctxcapture to cut and paste graphics between the session and the local desktop. Theseutilities are configured and deployed from the server.
Important: You might need to deploy UNIX applications that are designed for use with a3‑button mouse. Use ctx3bmouse on the XenApp for UNIX server to configure 3-buttonmouse emulation. For more information, see the XenApp for UNIX administrationdocumentation.
● ctxgrab
● ctxcapture
100
Using the ctxgrab Utility to Cut and PasteGraphics
This topic does not apply to XenDesktop connections.
The ctxgrab utility is a simple tool you use to cut and paste graphics from publishedapplications to applications running on the local user device. This utility is available from acommand prompt or, if you are using a published application, from the ctxwm windowmanager.
Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouseemulation. For more information, see the XenApp for UNIX administrationdocumentation.
To access the ctxgrab utility from the windowmanager
● In seamless mode, right-click the ctxgrab button in the top, left-hand corner of thescreen to display a menu and choose the grab option
● In full screen mode, left-click to display the ctxwm menu and choose the grab option
To copy from an application in a plug-in window to alocal application
1. From the ctxgrab dialog box, click From screen.
2. To select a window, move the cursor over the window you want to copy and click themiddle mouse button. To select a region, hold down the left mouse button and drag thecursor to select the area you want to copy. To cancel the selection, click the rightmouse button. While dragging, click the right mouse button before releasing the leftbutton.
3. Use the appropriate command in the local application to paste the object.
101
Using the ctxcapture Utility to Cut andPaste Graphics
This topic does not apply to XenDesktop connections.
The ctxcapture utility is a more fully-featured utility for cutting and pasting graphicsbetween published applications and applications running on the local user device.
With ctxcapture you can:
● Grab dialog boxes or screen areas and copy them between an application in a Receiverwindow and an application running on the local user device, includingnon-ICCCM-compliant applications
● Copy graphics between the Receiver and the X graphics manipulation utility xvf
If you are connected to a published desktop, ctxcapture is available from a commandprompt. If you are connected to a published application and the administrator makes itavailable, you can access ctxcapture through the ctxwm window manager.
Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouseemulation. For more information, see the XenApp for UNIX administrationdocumentation.
To access the ctxcapture utility from the windowmanager
Left-click to display the ctxwm menu and choose the screengrab option.
To copy from a local application to an application in aReceiver window
1. From the ctxcapture dialog box, click From screen.
2. To select a window, move the cursor over the window you want to copy and click themiddle mouse button. To select a region, hold down the left mouse button and drag thecursor to select the area you want to copy. To cancel the selection: click the rightmouse button. While dragging, click the right mouse button before releasing the leftbutton.
3. From the ctxcapture dialog box, click To ICA. The xcapture button changes color toindicate that it is processing the information.
4. When the transfer is complete, use the appropriate command in the publishedapplication window to paste the information.
To copy from an application in a Receiver window to alocal application
1. From the application in the Receiver window, copy the graphic.
2. From the ctxcapture dialog box, click From ICA.
3. When the transfer is complete, use the appropriate command in the local application topaste the information.
To copy from xv to an application in a Receiverwindow or local application
1. From xv, copy the graphic.
2. From the ctxcapture dialog box, click From xv and To ICA.
3. When the transfer is complete, use the appropriate command in the Receiver windowto paste the information.
To copy from an application in a Receiver window toxv
1. From the application in the Receiver window, copy the graphic.
2. From the ctxcapture dialog box, click From ICA and To xv.
3. When the transfer is complete, use the paste command in xv.
Using the ctxcapture Utility to Cut and Paste Graphics
102
103
Matching Client Names and ComputerNames
The dynamic client name feature allows the client name to be the same as the computername. When users change their computer name, the client name changes to match. Thisallows you to name computers to suit your naming scheme and find connections more easilywhen managing your server farm.
If the client name is not set to match the computer name during installation, the clientname does not change when the computer name is changed.
Users enable dynamic client name support by selecting Enable Dynamic Client Name duringReceiver installation.
To enable dynamic client name support during silent command line installation, the valueof the property ENABLE_DYNAMIC_CLIENT_NAME must be Yes. Set the property to No todisable dynamic client name support.
104
DNS Name Resolution
You can configure Receivers that use the Citrix XML Service to request a Domain NameService (DNS) name for a server instead of an IP address.
Important: Unless your DNS environment is configured specifically to use this feature,Citrix recommends that you do not enable DNS name resolution in the server farm.
Receivers connecting to published applications through the Web Interface also use theCitrix XML Service. For Receivers connecting through the Web Interface, the Web serverresolves the DNS name on behalf of the Receiver.
DNS name resolution is disabled by default in the server farm and enabled by default on theReceiver. When DNS name resolution is disabled in the farm, any Receiver request for a DNSname returns an IP address. There is no need to disable DNS name resolution on Receiver.
To disable DNS name resolution for specific clientdevices
If you are using DNS name resolution in the server farm and are having problems withspecific user devices, you can disable DNS name resolution for those devices.
Caution: Using Registry Editor incorrectly can cause serious problems that can requireyou to reinstall the operating system. Citrix cannot guarantee that problems resultingfrom incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Make sure you back up the registry before you edit it.
1. Add a string registry key xmlAddressResolutionType toHKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing.
2. Set the value to IPv4-Port.
3. Repeat for each user of the user devices.
105
Using Proxy Servers with XenDesktopConnections
If you do not use proxy servers in your environment, correct the Internet Explorer proxysettings on any user devices running Internet Explorer 7.0 on Windows XP. By default, thisconfiguration automatically detects proxy settings. If proxy servers are not used, users willexperience unnecessary delays during the detection process. For instructions on changingthe proxy settings, consult your Internet Explorer documentation. Alternatively, you canchange proxy settings using the Web Interface. For more information, consult the WebInterface documentation.
106
Improving the Receiver User Experience
You can improve your users’ experiences with the following supported features:
● ClearType font smoothing
● Client-side microphone input for digital dictation
● Multiple monitor support
● Printing performance enhancements
● To set keyboard shortcuts
● 32-bit color icons
Topics that support users with the Desktop Viewer and the Desktop Lock are available athttp://support.citrix.com/help/receiver/en/receiverHelpWin.htm.
107
ClearType Font Smoothing in Sessions
This topic does not apply to XenDesktop connections.
XenApp server supports ClearType font smoothing with Receiver for users on computersrunning Windows XP, Windows 7, and Windows Vista. ClearType font smoothing is set bydefault in Windows 7 and Windows Vista, but Standard font smoothing is set by default inWindows XP.
If you enable ClearType font smoothing on Receiver, you are not forcing the user devices touse ClearType font smoothing. You are enabling the server to support ClearType fontsmoothing on user devices that have it set and are using Receiver. By disabling it forsessions, you are specifying that sessions launched from that Receiver do not remote thefont smoothing setting.
Receiver automatically detects the user device’s font smoothing setting and sends it to theserver. The session connects using this setting. When the session is disconnected orterminated, the user's profile setting on the server is set to original setting unless the userspecifically changed it in the control panel in the session; then the server uses the newsetting.
Older Receivers (plug-ins) connect using the font smoothing setting configured in that user’sprofile on the server.
When ClearType font smoothing is enabled, three times more data is sent across the virtualchannel, which might cause a decrease in performance.
Font smoothing must be enabled on users’ operating systems, the Receiver, the WebInterface site, and the server farm.
To enable or disable ClearType font smoothing forsessions
In Web Interface environments, use the Session Preferences task in the Citrix WebInterface Management console to enable or disable font smoothing for XenApp Web sitesand the Session Options task for XenApp Services sites.
108
Client-Side Microphone Input
Receiver supports multiple client-side microphone input. Locally installed microphones canbe used for:
● Real-time activities, such as softphone calls and Web conferences.
● Hosted recording applications, such as dictation programs.
● Video and audio recordings.
Digital dictation support is available with Receiver. For information about configuring thisfeature, see the administrator's documentation for Citrix XenApp or Citrix XenDesktop.
Receiver (Enterprise) users can disable their microphones by selecting No Access in theMicrophones/Webcams menu choice available from the Citrix Connection Center, or fromthe Receiver’s system menu (for non-seamless connections). Receiver (standard) users arepresented with the same dialog box automatically at the beginning of their sessions.XenDesktop users can also use the XenDesktop Viewer Preferences to disable theirmicrophones.
Note: Selecting No Access also disables any attached Webcams.
On the user device, users control audio input and output in a single step—by selecting anaudio quality level from the Options dialog box.
109
Configuring HDX Plug-n-PlayMulti-monitor Support
Multiple monitors are fully supported by Receiver. As many as eight monitors are supported.
Each monitor in a multiple monitor configuration has its own resolution designed by itsmanufacturer. Monitors can have different resolutions and orientations during sessions.
Sessions can span multiple monitors in two ways:
● Full screen mode, with multiple monitors shown inside the session; applications snap tomonitors as they would locally.
XenDesktop: If users access a desktop through the Citrix Desktop Lock, the desktop isdisplayed across all monitors. The primary monitor on the device becomes the primarymonitor in the XenDesktop session. You can display the Desktop Viewer toolbar acrossany rectangular subset of monitors by resizing the window across any part of thosemonitors and pressing the Maximize button.
● Windowed mode, with one single monitor image for the session; applications do notsnap to individual monitors.
XenDesktop: When any desktop in the same assignment (formerly "desktop group") islaunched subsequently, the window setting is preserved and the toolbar is displayed acrossthe same monitors. Multiple virtual desktops can be displayed on one device provided themonitor arrangement is rectangular. If the primary monitor on the device is used by theXenDesktop session, it becomes the primary monitor in the session. Otherwise, thenumerically lowest monitor in the session becomes the primary monitor.
To enable multi-monitor support, ensure the following:
● The user device must have a single video board that can support connections to morethan one monitor or multiple video boards compatible with the Receiver on theappropriate platform.
● The user device operating system must be able to detect each of the monitors. OnWindows platforms, to verify that this detection occurs, on the user device, view theSettings tab in the Display Settings dialog box and confirm that each monitor appearsseparately.
● After your monitors are detected:
● XenDesktop: Configure the graphics memory limit using the Citrix Machine Policysetting Display memory limit.
● XenApp: Depending on the version of the XenApp server you have installed:
● Configure the graphics memory limit using the Citrix Computer Policy settingDisplay memory limit.
● From the Citrix management console for the XenApp server, select the farm andin the task pane, select Modify Server Properties > Modify all properties >Server Default > HDX Broadcast > Display (or Modify Server Properties >Modify all properties > Server Default > ICA > Display) and set the Maximummemory to use for each session’s graphics.
Ensure the setting is large enough (in kilobytes) to provide sufficient graphic memory. Ifthis setting is not high enough, the published resource is restricted to the subset of themonitors that fits within the size specified.
For information about calculating the session's graphic memory requirements for XenAppand XenDesktop, see ctx115637.
Configuring HDX Plug-n-Play Multi-monitor Support
110
111
Printing Performance
Printing performance can play a vital role in your users’ experiences. The printingconfiguration you create affects these aspects of the user’s experience:
● User ease and comfort level
● Logon times
● Ability to print to a nearby printer when traveling or when moving between clientdevices in a building
You configure printer policy settings on the server.
User Ease and Comfort LevelIn environments with novice users, consider changing the following potentially confusingdefault printing behaviors:
● Printer names change at the start of each session. When, by default, client printersare auto-created, the printer name is appended with the name of the user device andsession. For example, auto-created client printers appear in the Print dialog box with aname like HP LaserJet 1018 (from clientname) in session 35.
To resolve this problem, you can either reduce the number of printers auto-created orprovision printers using another method. To control printer auto-creation, configure theCitrix policy setting Auto-create client printers and select one of the followingoptions:
● Do not auto-create client printers. Client printers are not auto-created.
● Auto-create the client’s default printer only. Only the client’s default printerattached to or mapped from the client preconfigured in the Control Panel isauto-created in the session.
● Auto-create local (non-network) client printers only. Any non-network printersattached to the client device preconfigured in the Control Panel are auto-createdin the session.
● Auto-create all client printers. All network printers and any printers attached to ormapped from the user device preconfigured in the Control Panel are auto-createdin the session.
● If many printers are installed by default on user devices, your users might be confusedby the large number of available printers. You can limit the printers that appear tothem in sessions.
● HDX Plug-n-Play Universal Printer uses a nonstandard printing dialog box. If your users have trouble learning new features on their own, you might not want to use the
the Universal Printer as the default printer in a session. The user interface for thisprinter is slightly different from the standard Windows print dialog box.
Logon TimesThe printing configuration you select can impact how long it takes users to start a session.When Receiver is configured to provision printers by creating them automatically at thebeginning of each session, it increases the amount of time to build the session environment.In this case, Receiver has to rebuild every printer found on the user device. You candecrease logon time by specifying any of the following on the XenApp server:
● Auto-create only the the Universal Printer. This is done automatically when youconfigure the the Universal Printer.
● Auto-create only the default printer for the client device by using the Auto-createclient printers policy setting.
● Do not auto-create any client printers through the Auto-create client printers policysetting and route print jobs to network printers by configuring the Session printerspolicy setting
Configuring Printers for Mobile WorkersIf you have users who move among workstations in the same building (for example, in ahospital setting) or move among different offices, you might want to configure ProximityPrinting. The Proximity Printing solution ensures that the closest printer is presented to theusers in their sessions, even when they change user devices during a session.
Printing Performance
112
113
To override the printer settings configuredon the server
To improve printing performance, you can configure various printing policy settings on theserver:
● Universal printing optimization defaults
● Universal printing EMF processing mode
● Universal printing image compression limit
● Universal printing print quality limit
● Printer driver mapping and compatibility
● Session printers
If you enabled Allow non-admins to modify these settings in the Universal printingoptional defaults policy setting on the server, users on their user devices can override theImage Compression and Image and Font Caching options specified in that policy setting.
To override the printer settings on the user device
1. From the Print menu available from an application on the user device, chooseProperties.
2. On the Client Settings tab, click Advanced Optimizations and make changes to theImage Compression and Image and Font Caching options.
114
To set keyboard shortcuts
You can configure combinations of keys that Receiver interprets as having specialfunctionality. When the keyboard shortcuts policy is enabled, you can specify Citrix Hotkeymappings, behavior of Windows hotkeys, and keyboard layout for sessions.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > User Experience > Keyboard shortcuts. InWindows 7 and Windows Server 2008, expand Administrative Templates and navigatethrough Classic Administrative Templates (ADM) > Citrix Components to the desiredconfiguration option.
7. From the Action menu, choose Properties, select Enabled, and choose the desiredoptions.
115
Keyboard Input in XenDesktop Sessions
Note the following about how keyboard combinations are processed in XenDesktop sessions:
● Windows logo key+L is directed to the local computer.
● CTRL+ALT+DELETE is directed to the local computer except in some cases if you use theCitrix Desktop Lock.
● Key presses that activate StickyKeys, FilterKeys, and ToggleKeys (Microsoft accessibilityfeatures) are normally directed to the local computer.
● As an accessibility feature of the Desktop Viewer, pressing CTRL+ALT+BREAK displaysthe Desktop Viewer toolbar buttons in a pop-up window.
● Windows key combinations (for example, CTRL+ESC and ALT+TAB) are directedaccording to the settings that your helpdesk has selected. For more information, seethe table below.
Note: By default, if the Desktop Viewer is maximized, ALT+TAB switches focusbetween windows inside the session. If the Desktop Viewer is displayed in a window,ALT+TAB switches focus between windows outside the session.
Hotkey sequences are key combinations designed by Citrix. For example, the CTRL+F1sequence reproduces CTRL+ALT+DELETE, and SHIFT+F2 switches applications betweenfull-screen and windowed mode. You cannot use hotkey sequences with virtual desktopsdisplayed in the Desktop Viewer (that is, with XenDesktop sessions), but you can use themwith published applications (that is, with XenApp sessions).
The table shows the remoting behavior of other Windows key combinations. The behaviordepends on whether a Desktop Viewer or a Desktop Lock session is used, and is controlledby the Local resources setting, avaliable from the Session Options task on the XenDesktopsite. XenApp settings are also shown for reference. For more information on configuring thissetting, see the Web Interface documentation.
With Localresources set to
Desktop Viewersessions have thisbehavior
Desktop Locksessions have thisbehavior
XenApp (or disabledDesktop Viewer)sessions have thisbehavior
Full screen desktopsonly
Key combinationsare sent to theremote, virtualdesktop only if theDesktop Viewerwindow has focusand is maximized(full-screen).
Key combinationsare always sent tothe remote, virtualdesktop.
Key combinationsare sent to theremote XenAppserver if the sessionis maximized(full-screen).
Remote desktop Key combinationsare sent to theremote, virtualdesktop only if theDesktop Viewerwindow has focus.
Key combinationsare always sent tothe remote, virtualdesktop.
Key combinationsare sent to theremote XenAppserver if the sessionor application hasfocus.
Local desktop Key combinationsare always kept onthe local userdevice.
Key combinationsare always kept onthe local userdevice.
Citrix does notrecommend settingLocal resources toLocal desktop if theDesktop Lock isused.
Key combinationsare always kept onthe local userdevice.
Keyboard Input in XenDesktop Sessions
116
117
Receiver Support for 32-Bit Color Icons
Receiver supports high color icons (32x32 bit) and automatically selects the color depth forapplications visible in the Citrix Connection Center dialog box, the Start menu, and task barto provide for seamless applications.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
To set a preferred depth, you can add a string registry key named TWIDesiredIconColor toHKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Preferences and set it to the desired value. The possible color depthsfor icons are 4, 8, 16, 24, and 32 bits-per-pixel. The user can select a lower color depth foricons if the network connection is slow.
118
Connecting to Virtual Desktops
From within a desktop session, users cannot connect to the same virtual desktop.Attempting to do so will disconnect the existing desktop session. Therefore, Citrixrecommends:
● Administrators should not configure the clients on a desktop to point to a site thatpublishes the same desktop
● Users should not browse to a site that hosts the same desktop if the site is configured toautomatically reconnect users to existing sessions
● Users should not browse to a site that hosts the same desktop and try to launch it
Be aware that a user who logs on locally to a computer that is acting as a virtual desktopblocks connections to that desktop.
If your users connect to virtual applications (published with XenApp) from within a virtualdesktop and your organization has a separate XenApp administrator, Citrix recommendsworking with them to define device mapping such that desktop devices are mappedconsistently within desktop and application sessions. Because local drives are displayed asnetwork drives in desktop sessions, the XenApp administrator needs to change the drivemapping policy to include network drives.
119
Securing Your Connections
To maximize the security of your environment, the connections between Receiver and theresources you publish must be secured. You can configure various types of authenticationfor your Receiver software, including enabling certificate revocation list checking, enablingsmart card support, and using Security Support Provider Interface/Kerberos Pass-ThroughAuthentication.
Windows NT Challenge/Response (NTLM) Support forImproved Security
Windows NT Challenge/Response (NTLM) authentication is supported by default oncomputers running Windows NT, Windows 2000, Windows XP, Windows 7, Windows Vista,Windows Server 2003, and Windows Server 2008.
120
To enable certificate revocation listchecking for improved security withReceiver (CitrixReceiver.exe)
When certificate revocation list (CRL) checking is enabled, Receiver checks whether or notthe server’s certificate is revoked. By forcing Receiver to check this, you can improve thecryptographic authentication of the server and the overall security of the SSL/TLSconnections between a user device and a server.
You can enable several levels of CRL checking. For example, you can configure Receiver tocheck only its local certificate list or to check the local and network certificate lists. Inaddition, you can configure certificate checking to allow users to log on only if all CRLs areverified.
Important: This option is available only with the standard Receiver (CitrixReceiver.exe)and not Receiver (Enterprise).
If you are making this change on a local computer, exit Receiver if it is running. Make sureall Receiver components, including the Connection Center, are closed.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for the Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties and select Enabled.
8. From the CRL verification drop-down menu, select one of the options.
● Disabled. No certificate revocation list checking is performed.
● Only check locally stored CRLs. CRLs that were installed or downloaded previouslyare used in certificate validation. Connection fails if the certificate is revoked.
● Require CRLs for connection. CRLs locally and from relevant certificate issuers onthe network are checked. Connection fails if the certificate is revoked or not found.
● Retrieve CRLs from network. CRLs from the relevant certificate issuers arechecked. Connection fails if the certificate is revoked.
If you do not set CRL verification, it defaults to Only check locally stored CRLs.
To enable certificate revocation list checking for improved security with Receiver (CitrixReceiver.exe)
121
122
Smart Card Support for Improved Security
You must use Receiver (Enterprise) for Smart Card support.
Receiver smart card support is based on Microsoft Personal Computer/Smart Card (PC/SC)standard specifications. Receiver supports only smart cards and smart card devices thatare, themselves, supported by the underlying Windows operating system. A discussion ofsecurity issues related to PC/SC standards compliance is beyond the scope of thisdocument.
Enabling smart card support for Receiver is done through the Web Interface. For moreinformation, see the Web Interface documentation.
Note: Microsoft strongly recommends that only smart card readers tested and approvedby the Microsoft Windows Hardware Quality Lab (WHQL) be used on computers runningqualifying Windows operating systems. See http://www.microsoft.com for additionalinformation about hardware PC/SC compliance.
Receiver does not control smart card PIN management. PIN management is controlled bythe cryptographic service provider for your cards.
123
To enable pass-through authenticationwhen sites are not in Trusted Sites orIntranet zones
Your users might require pass-through authentication to the server using their user logoncredentials but cannot add sites to the Trusted Sites or Intranet zones. Enable this settingto allow pass-through authentication on all but Restricted sites.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > User authentication > Local user name andpassword. In Windows 7 and Windows Server 2008, expand Administrative Templatesand navigate through Classic Administrative Templates (ADM) > Citrix Components tothe desired configuration option.
7. From the Local user name and password Properties menu, select Enabled, and thenselect the Enable pass-through authentication and Allow pass-through authenticationfor all ICA connections check boxes.
124
Using Security Support ProviderInterface/Kerberos Pass-ThroughAuthentication for Improved Security
This topic does not apply to XenDesktop connections.
Rather than sending user passwords over the network, Kerberos pass-through authenticationleverages Kerberos authentication in combination with Security Support Provider Interface(SSPI) security exchange mechanisms. Kerberos is an industry-standard networkauthentication protocol built into Microsoft Windows operating systems.
Kerberos logon offers security-minded users or administrators the convenience ofpass-through authentication combined with secret-key cryptography and data integrityprovided by industry-standard network security solutions. With Kerberos logon, the Receiverdoes not need to handle the password and thus prevents Trojan horse-style attacks on theuser device to gain access to users’ passwords.
Users can log on to the user device with any authentication method; for example, abiometric authenticator such as a fingerprint reader, and still access published resourceswithout further authentication.
System requirements. Kerberos logon requires Citrix Presentation Server 3.0, 4.0, or 4.5,Citrix XenApp 5.0, 6.x and Citrix Presentation Server Clients for Windows 8.x, 9.x, 10.x,XenApp Hosted Plug-in 11.x, online plug-in 12.0, 12.1, or Receiver 3.x. Kerberos works onlybetween Client/plug-ins/Receiver and servers that belong to the same or to trustedWindows 2000, Windows Server 2003, or Windows Server 2008 domains. Servers must alsobe trusted for delegation, an option you configure through the Active Directory Users andComputers management tool.
Kerberos logon is not available in the following circumstances:
● Connections configured with any of the following options in Remote Desktop Services(formerly known as Terminal Services) Configuration:
● On the General tab, the Use standard Windows authentication option
● On the Logon Settings tab, the Always use the following logon information optionor the Always prompt for password option
● Connections you route through the Secure Gateway
● If the server requires smart card logon
● If the authenticated user account requires a smart card for interactive logon
Important: SSPI requires XML Service DNS address resolution to be enabled for the serverfarm, or reverse DNS resolution to be enabled for the Active Directory domain. For moreinformation, see the Citrix XenApp administrator documentation.
Configuring Kerberos AuthenticationReceiver, by default, is not configured to use Kerberos authentication when logging on tothe server. You can set the Receiver configuration to use Kerberos with pass-throughauthentication or Kerberos with smart card pass-through authentication.
To use Kerberos authentication for your connections, you can either specify Kerberos usinga command line installation or configure Receiver using the Group Policy Editor. See theMicrosoft Group Policy documentation for more information about editing .adm files
Using Security Support Provider Interface/Kerberos Pass-Through Authentication for Improved Security
125
126
To configure Kerberos with pass-throughauthentication
This topic does not apply to XenDesktop connections.
Use Kerberos with pass-through authentication if you want to use Kerberos with Receiver.
When Receiver configurations are set to use Kerberos with pass-through authentication,Receiver uses Kerberos authentication first and uses pass-through authentication if Kerberosfails.
The user cannot disable this Receiver configuration from the user interface.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates, navigate throughCitrix Components > Citrix Receiver > User authentication, double click Kerberosauthentication and select Enabled. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > User authentication > Local user name andpassword. In Windows 7 and Windows Server 2008, expand Administrative Templatesand navigate through Classic Administrative Templates (ADM) > Citrix Components tothe desired configuration option.
8. From the Action menu, choose Properties and select Enabled > Enable pass-throughauthentication.
To apply the setting, close and restart Receiver on the user device.
127
Securing Citrix Receiver Communication
To secure the communication between your server farm and Receiver, you can integrateyour Receiver connections to the server farm with a range of security technologies,including:
● Citrix Access Gateway. For information about configuring Access Gateway with ReceiverStorefront, refer to the "Manage" topics in the Receiver Storefront documentation ineDocs. For information about configuring Access Gateway or Secure Gateway with WebInterface, refer to topics in this section.
● A SOCKS proxy server or secure proxy server (also known as security proxy server,HTTPS proxy server, or SSL tunneling proxy server). You can use proxy servers to limitaccess to and from your network and to handle connections between Receiver andservers. Receiver supports SOCKS and secure proxy protocols.
● SSL Relay solutions with Secure Sockets Layer (SSL) and Transport Layer Security (TLS)protocols.
● A firewall. Network firewalls can allow or block packets based on the destinationaddress and port. If you are using Receiver through a network firewall that maps theserver's internal network IP address to an external Internet address (that is, networkaddress translation, or NAT), configure the external address.
● Trusted server configuration.
Note: For information about increasing security in application streaming for desktops, seethe Citrix Knowledge Base article Enhancing Security in Application Streaming forDesktops.
Receiver is compatible with and functions in environments where the Microsoft SpecializedSecurity - Limited Functionality (SSLF) desktop security templates are used. Thesetemplates are supported on the Microsoft Windows XP, Windows Vista, and Windows 7platforms. Refer to the Windows XP, Windows Vista, and Windows 7 security guidesavailable at http://technet.microsoft.com for more information about the templates andrelated settings.
128
Support for Microsoft Security Templates
Receiver is compatible with and functions in environments where the Microsoft SpecializedSecurity - Limited Functionality (SSLF) desktop security templates are used. Thesetemplates are supported on the Microsoft Windows XP, Windows Vista, and Windows 7platforms. Refer to the Windows XP, Windows Vista, and Windows 7 security guidesavailable at http://technet.microsoft.com for more information about the templates andrelated settings.
129
Connecting with Access GatewayEnterprise Edition
This topic applies only to deployments using the Web Interface.
Configure the XenApp Services site for the Receiver to support connections from an AccessGateway connection.
1. In the XenApp Services site, select Manage secure client access > Edit secure clientaccess settings.
2. Change the Access Method to Gateway Direct.
3. Enter the FQDN of the Access Gateway appliance.
4. Enter the Secure Ticket Authority (STA) information.
To configure the Access Gateway appliance1. Configure authentication policies to authenticate users connecting to the Access
Gateway by using the Access Gateway Plug-in. Bind each authentication policy to avirtual server.
● If double-source authentication is required (such as RSA SecurID and ActiveDirectory), RSA SecurID authentication must be the primary authentication type.Active Directory authentication must be the secondary authentication type.
● RSA SecurID uses a RADIUS server to enable token authentication.
● Active Directory authentication can use either LDAP or RADIUS.Test a connection from a user device to verify that the Access Gateway is configuredcorrectly in terms of networking and certificate allocation.
2. Create a session policy on the Access Gateway to allow incoming XenApp connectionsfrom the Receiver, and specify the location of your newly created XenApp Services site.
● Create a new session policy to identify that the connection is from the Receiver. Asyou create the session policy, configure the following expression and select MatchAll Expressions as the operator for the expression:
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
Connecting with Access Gateway Enterprise Edition
130
● In the associated profile configuration for the session policy, on the Security tab,set Default Authorization to Allow.
On the Published Applications tab, if this is not a global setting (you selected theOverride Global check box), ensure the ICA Proxy field is set to ON.
In the Web Interface Address field, enter the URL including the config.xml for theXenApp Services site that the device users use, such ashttp://XenAppServerName/Citrix/PNAgent/config.xml orhttp://XenAppServerName/CustomPath/config.xml.
● Bind the session policy to a virtual server.
● Create authentication policies for RADIUS and Active Directory.
● Bind the authentication policies to the virtual server.
Important: If the server certificate used on the Access Gateway is part of acertificate chain (with an intermediate certificate), make sure that the intermediatecertificates are also installed correctly on the Access Gateway. For information aboutinstalling certificates, see the Access Gateway documentation.
Connecting with Access Gateway Enterprise Edition
131
132
Connecting with Access Gateway 5.0
This topic applies only to deployments using the Web Interface.
Access Gateway setup requires that you configure a basic or a SmartAccess logon point onAccess Gateway and use the Web address for the XenApp Services site.
Before you configure a logon point, install the Web Interface and verify that it iscommunicating with the network. When you configure a logon point, you must alsoconfigure at least one Secure Ticket Authority (STA) server and ICA Access Control in AccessGateway. For more information, expand Access Gateway 5.0 in eDocs, and locate the topicTo configure Access Gateway to use the Secure Ticket Authority.
To configure the Access Gateway 5.0 appliance1. Configure Authentication profiles to authenticate users connecting to the Access
Gateway using the Receiver.
● If double source authentication is required (such as Active Directory and RSASecurID), Active Directory authentication must be the primary authentication type.RSA SecurID authentication must be the secondary authentication type.
● RSA SecurID can use either RADIUS or an sdconf.rec file to enable tokenauthentication.
● You can configure Active Directory authentication on Access Controller. You can useActive Directory on the Access Gateway appliance by using either an LDAP orRADIUS authentication profile.
Test a connection from a user device to verify that the Access Gateway is configuredcorrectly in terms of networking and certificate allocation.
2. To establish communication with XenApp servers and the Web Interface, configure theAccess Gateway with STA servers and the ICA Access Control list on Access Gateway. Formore information, see the Access Gateway section of eDocs.
3. Configure logon points on the Access Gateway. Configure the Access Gateway to allowincoming XenApp connections from the Receiver, and specify the location of your WebInterface site.
a. In the Access Gateway Management Console, click Management.
b. Under Access Control, click Logon Points > New.
c. In the Logon Points Properties dialog box, in Name, type a unique name for thelogon point.
d. Select the Type:
● For a Basic logon point, in the Web Interface field, type the fully qualifieddomain name (FQDN) of the Web Interface, such ashttp://xenapp.domain.com/citrix/apps. You cannot configure aSmartGroup with a basic logon point. Select the authentication type, or clickAuthenticate with the Web Interface.
If you select Authenticate with the Web Interface, when users type the URL toAccess Gateway and enter credentials, the credentials are passed to the WebInterface for authentication.
● For a SmartGroup to use the settings in a SmartAccess logon point, you mustselect the logon point within the SmartGroup. Select the authenticationprofiles. If you configure a SmartAccess logon point, Access Gatewayauthenticates users. You cannot configure authentication by using the WebInterface.
If you select Single Sign-on to Web Interface, users do not have to log on tothe Web Interface after logging on to the Access Gateway. If not selected, usersmust log on to both the Access Gateway and Web Interface.
Connecting with Access Gateway 5.0
133
e. Under Applications and Desktops, click Secure Ticket Authority and add the STAdetails. Make sure the STA information is the same as the Web Interface site.
f. Finally, under Applications and Desktops, click XenApp or XenDesktop to add theICA control list (required for Access Gateway 5.0). For more information, expandAccess Gateway 5.0 in eDocs, and locate To configure ICA Access Control.
Important: If the server certificate used on the Access Gateway is part of acertificate chain (with an intermediate certificate), make sure that the intermediatecertificates are also installed correctly on the Access Gateway. For information aboutinstalling certificates, see the Access Gateway section on Configuring IntermediateCertificates.
Connecting with Access Gateway 5.0
134
To configure Access Controller1. Configure Authentication profiles to authenticate users connecting to the Access
Gateway using the Receiver.
● If double source authentication is required (such as Active Directory and RSASecurID), Active Directory authentication must be the primary authentication type.RSA SecurID authentication must be the secondary authentication type.
● RSA SecurID can use either RADIUS or an sdconf.rec file to enable tokenauthentication.
● You can configure Active Directory authentication on Access Controller. You can useActive Directory on the Access Gateway appliance by using either an LDAP orRADIUS authentication profile.
Test a connection from a user device to verify that the Access Gateway is configuredcorrectly in terms of networking and certificate allocation.
2. To establish communication with XenApp servers and the Web Interface, configureAccess Controller to recognize the servers. Configure Access Controller to allowincoming XenApp connections from the Receiver and specify the location of your WebInterface site.
a. In the Deliver Services Console, expand Citrix Resources > Access Gateway, andthen click the Access Controller on which you want to create the Web resource.
b. Expand Resources, click Web Resources, and then under Common tasks, clickCreate Web resource. In the wizard, enter a unique name. On the New WebAddress page, enter the Web address URL of the XenApp Web site.
c. In Application type, select Citrix Web Interface and click the Enable SingleSign-on check box.
d. After you click OK, click Publish for users in their list of resources , and then inHome page, enter the URL of the XenApp Web Site, such ashttp://xenapp.domain.com/citrix/apps, and finish the wizard.
e. In the navigation pane, click Logon Points, click Create logon point, and in thewizard, enter a unique name, and select the type:
● For a Basic logon point, in the Web Interface field, type the fully qualifieddomain name (FQDN) of the Web Interface, such ashttp://xenapp.domain.com/citrix/apps. Select the Home page, andthen select the authentication profile. Leave the remaining options as defaultvalues, and click Enable this logon point check box at the end of the wizard.
● For a SmartAccess logon point, on Select Home Page, select the Display theWeb resource with the highest priority. Click Set Display Order, and movethe Web Interface Web resource to the top.
Select the Authentication Profiles for both authentication and group extraction.Leave the remaining options as default values, and click Enable this logonpoint check box at the end of the wizard.
f. In the navigation pane, under Policies > Access Policies, select Create access policy and on the Select Resources page, expand Web Resources to select the
Connecting with Access Gateway 5.0
135
Web Interface web resource.
g. In Configure Policy Settings, select the settings, click Enable this policy to controlthis setting, and select Extended access, unless denied by another policy. Addthe users allowed to access this resource and finish the wizard.
h. In the navigation pane, under Access Gateway appliances, select Edit AccessGateway appliance properties, click Secure Ticket Authority and add the STAdetails. Make sure the STA information is the same as the Web Interface site.
i. Finally, click ICA Access Control to add the ICA control list (required for AccessGateway 5.0). For more information, expand Access Gateway 5.0 in eDocs, andlocate To configure ICA Access Control in the Access Controller documentation.
Important: If the server certificate used on the Access Gateway is part of acertificate chain (with an intermediate certificate), make sure that the intermediatecertificates are also installed correctly on the Access Gateway. For information aboutinstalling certificates, see the Access Gateway section on Configuring IntermediateCertificates.
Connecting with Access Gateway 5.0
136
137
Connecting with Secure Gateway
This topic applies only to deployments using the Web Interface.
You can use the Secure Gateway in either Normal mode or Relay mode to provide a securechannel for communication between Receiver and the server. No Receiver configuration isrequired if you are using the Secure Gateway in Normal mode and users are connectingthrough the Web Interface.
Receiver uses settings that are configured remotely on the server running the Web Interfaceto connect to servers running the Secure Gateway. See the topics for the Web Interface forinformation about configuring proxy server settings for Receiver.
If the Secure Gateway Proxy is installed on a server in the secure network, you can use theSecure Gateway Proxy in Relay mode. See the topics for the Secure Gateway for moreinformation about Relay mode.
If you are using Relay mode, the Secure Gateway server functions as a proxy and you mustconfigure Receiver to use:
● The fully qualified domain name (FQDN) of the Secure Gateway server.
● The port number of the Secure Gateway server. Note that Relay mode is not supportedby Secure Gateway Version 2.0.
The FQDN must list, in sequence, the following three components:
● Host name
● Intermediate domain
● Top-level domain
For example: my_computer.my_company.com is an FQDN, because it lists, in sequence, ahost name (my_computer), an intermediate domain (my_company), and a top-level domain(com). The combination of intermediate and top-level domain (my_company.com) isgenerally referred to as the domain name.
138
Connecting the Citrix Receiver through aProxy Server
Proxy servers are used to limit access to and from your network, and to handle connectionsbetween Receivers and servers. Receiver supports SOCKS and secure proxy protocols.
When communicating with the server farm, Receiver uses proxy server settings that areconfigured remotely on the server running Receiver for Web or the Web Interface. Forinformation about proxy server configuration, refer to Receiver Storefront or Web Interfacedocumentation.
In communicating with the Web server, Receiver uses the proxy server settings that areconfigured through the Internet settings of the default Web browser on the user device.You must configure the Internet settings of the default Web browser on the user deviceaccordingly.
139
Connecting with Secure Sockets LayerRelay
You can integrate Receiver with the Secure Sockets Layer (SSL) Relay service. Receiversupports both SSL and TLS protocols.
● SSL provides strong encryption to increase the privacy of your ICA connections andcertificate-based server authentication to ensure the server you are connecting to is agenuine server.
● TLS (Transport Layer Security) is the latest, standardized version of the SSL protocol.The Internet Engineering Taskforce (IETF) renamed it TLS when it took overresponsibility for the development of SSL as an open standard. TLS secures datacommunications by providing server authentication, encryption of the data stream, andmessage integrity checks. Because there are only minor technical differences betweenSSL Version 3.0 and TLS Version 1.0, the certificates you use for SSL in your softwareinstallation will also work with TLS. Some organizations, including U.S. governmentorganizations, require the use of TLS to secure data communications. Theseorganizations may also require the use of validated cryptography, such as FIPS 140(Federal Information Processing Standard). FIPS 140 is a standard for cryptography.
140
Connecting with Citrix SSL Relay
By default, Citrix SSL Relay uses TCP port 443 on the XenApp server for SSL/TLS-securedcommunication. When the SSL Relay receives an SSL/TLS connection, it decrypts the databefore redirecting it to the server, or, if the user selects SSL/TLS+HTTPS browsing, to theCitrix XML Service.
If you configure SSL Relay to listen on a port other than 443, you must specify thenonstandard listening port number to the plug-in.
You can use Citrix SSL Relay to secure communications:
● Between an SSL/TLS-enabled client and a server. Connections using SSL/TLS encryptionare marked with a padlock icon in the Citrix Connection Center.
● With a server running the Web Interface, between the XenApp server and the Webserver.
For information about configuring and using SSL Relay to secure your installation, see theCitrix XenApp administrator’s documentation. For information about configuring the serverrunning the Web Interface to use SSL/TLS encryption, see the Web Interface administrator’sdocumentation.
141
User Device Requirements
In addition to the System Requirements, you also must ensure that:
● The user device supports 128-bit encryption
● The user device has a root certificate installed that can verify the signature of theCertificate Authority on the server certificate
● Receiver is aware of the TCP listening port number used by the SSL Relay service in theserver farm
● Any service packs or upgrades that Microsoft recommends are applied
If you are using Internet Explorer and you are not certain about the encryption level of yoursystem, visit the Microsoft Web site at http://www.microsoft.com to install a service packthat provides 128-bit encryption.
Important: Receiver supports certificate key lengths of up to 4096 bits. Ensure that thebit lengths of your Certificate Authority root and intermediate certificates, and those ofyour server certificates, do not exceed the bit length your Receiver supports orconnection might fail.
142
To apply a different listening port numberfor all connections
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the plug-in Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties, select Enabled, and type a new portnumber in the Allowed SSL servers text box in the following format: server:SSL relayport number where SSL relay port number is the number of the listening port. You canuse a wildcard to specify multiple servers. For example, *.Test.com:SSL relay portnumber matches all connections to Test.com through the specified port.
143
To apply a different listening port numberto particular connections only
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already added the icaclient template to the Group Policy Editor, you canomit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties, select Enabled, and type acomma-separated list of trusted servers and the new port number in the Allowed SSLservers text box in the following format: servername:SSL relay portnumber,servername:SSL relay port number where SSL relay port number is the numberof the listening port. You can specify a comma-separated list of specific trusted SSLservers similar to this example:
csghq.Test.com:443,fred.Test.com:443,csghq.Test.com:444
which translates into the following in an example appsrv.ini file: [Word]SSLProxyHost=csghq.Test.com:443
[Excel]
SSLProxyHost=csghq.Test.com:444
[Notepad]
SSLProxyHost=fred.Test.com:443
144
Configuring and Enabling Receivers forSSL and TLS
SSL and TLS are configured in the same way, use the same certificates, and are enabledsimultaneously.
When SSL and TLS are enabled, each time you initiate a connection, Receiver tries to useTLS first and then tries SSL. If it cannot connect with SSL, the connection fails and an errormessage appears.
To force Receiver to connect with TLS, you must specify TLS on the Secure Gateway serveror SSL Relay service. See the topics for the Secure Gateway or your SSL Relay servicedocumentation for more information.
In addition, make sure the user device meets all system requirements.
To use SSL/TLS encryption for all Receiver communications, configure the user device,Receiver, and, if using Web Interface, the server running the Web Interface. Forinformation about securing Receiver Storefront communications, refer to topics under"Secure" in the Receiver Storefront documentation in eDocs.
145
Installing Root Certificates on the UserDevices
To use SSL/TLS to secure communications between a SSL/TLS-enabled Receiver and theserver farm, you need a root certificate on the user device that can verify the signature ofthe Certificate Authority on the server certificate.
Receiver supports the Certificate Authorities that are supported by the Windows operatingsystem. The root certificates for these Certificate Authorities are installed with Windowsand managed using Windows utilities. They are the same root certificates that are used byMicrosoft Internet Explorer.
If you use your own Certificate Authority, you must obtain a root certificate from thatCertificate Authority and install it on each user device. This root certificate is then usedand trusted by both Microsoft Internet Explorer and Receiver.
You might be able to install the root certificate using other administration or deploymentmethods, such as:
● Using the Microsoft Internet Explorer Administration Kit (IEAK) Configuration Wizard andProfile Manager
● Using third-party deployment tools
Make sure that the certificates installed by your Windows operating system meet thesecurity requirements for your organization or use the certificates issued by yourorganization’s Certificate Authority.
146
To configure Web Interface to useSSL/TLS for Receiver
1. To use SSL/TLS to encrypt application enumeration and launch data passed betweenReceiver and the server running the Web Interface, configure the appropriate settingsusing the Web Interface. You must include the computer name of the XenApp serverthat is hosting the SSL certificate.
2. To use secure HTTP (HTTPS) to encrypt the configuration information passed betweenReceiver and the server running the Web Interface, enter the server URL in the formathttps://servername. In the Windows notification area, right-click the Receiver icon andchoose Preferences.
3. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.
147
To configure TLS support
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by running gpedit.msc locally fromthe Start menu when applying this to a single computer or by using the Group PolicyManagement Console when using Active Directory.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification.
7. From the Action menu, choose Properties, select Enabled, and from the drop-downmenus, select the TLS settings.
● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected,Receiver connects using TLS encryption. If a connection using TLS fails, Receiverconnects using SSL.
● Set SSL ciphersuite to Detect version to have Receiver negotiate a suitableciphersuite from the Government and Commercial ciphersuits. You can restrict theciphersuites to either Government or Commercial.
● Set CRL verification to Require CRLs for connection requiring Receiver to try toretrieve Certificate Revocation Lists (CRLs) from the relevant certificate issuers.
148
To use the Group Policy template on WebInterface to meet FIPS 140 securityrequirements
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
To meet FIPS 140 security requirements, use the Group Policy template to configure theparameters or include the parameters in the Default.ica file on the server running the WebInterface. See the information about Web Interface for additional information about theDefault.ica file.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 3 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification.
7. From the Action menu, choose Properties, select Enabled, and from the drop-downmenus, select the correct settings.
● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected,Receiver tries to connect using TLS encryption. If a connection using TLS fails,Receiver tries to connect using SSL.
● Set SSL ciphersuite to Government.● Set CRL verification to Require CRLs for connection.
149
To configure the Web Interface to useSSL/TLS when communicating with CitrixReceiver
When using the Web Interface, specify the computer name of the server hosting the SSLcertificate. See the information about Web Interface for more details about using SSL/TLSto secure communications between Receiver and the Web server.
1. From the Configuration settings menu, select Server Settings.
2. Select Use SSL/TLS for communications between clients and the Web server.
3. Save your changes.
Selecting SSL/TLS changes all URLs to use HTTPS protocol.
150
To configure Citrix XenApp to useSSL/TLS when communicating with CitrixReceiver
You can configure the XenApp server to use SSL/TLS to secure the communications betweenReceiver and the server.
1. From the Citrix management console for the XenApp server, open the Properties dialogbox for the application you want to secure.
2. Select Advanced > Client options and ensure that you select Enable SSL and TLSprotocols.
3. Repeat these steps for each application you want to secure.
When using the Web Interface, specify the computer name of the server hosting the SSLcertificate. See the information about Web Interface for more details about using SSL/TLSto secure communications between Receiver and the Web server.
151
To configure Citrix Receiver to useSSL/TLS when communicating with theserver running the Web Interface
You can configure Receiver to use SSL/TLS to secure the communications between Receiverand the server running the Web Interface.
Ensure that a valid root certificate is installed on the user device. For more information,see Installing Root Certificates on the User Devices.
1. In the Windows notification area, right-click the Receiver icon and choosePreferences.
2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.
3. The Change Server screen displays the currently configured URL. Enter the server URLin the text box in the format https://servername to encrypt the configuration datausing SSL/TLS.
4. Click Update to apply the change.
5. Enable SSL/TLS in the client device browser. For more information about enablingSSL/TLS in the browser, see the online Help for the browser.
152
ICA File Signing - Protection AgainstApplication or Desktop Launches FromUntrusted Servers
The ICA File Signing feature helps protect users from unauthorized application or desktoplaunches.Citrix Receiver verifies that a trusted source generated the application or desktoplaunch based on administrative policy and protects against launches from untrusted servers.You can configure this Receiver security policy for application or desktop launch signatureverification using Group Policy Objects, Receiver Storefront, or Citrix Merchandising Server.ICA file signing is not enabled by default. For information about enabling ICA file signing forReceiver Storefront, refer to the Receiver Storefront documentation.
For Web Interface deployments, the Web Interface enables and configures application ordesktop launches to include a signature during the launch process using the Citrix ICA FileSigning Service. The service can sign ICA files using a certificate from the computer'spersonal certificate store.
The Citrix Merchandising Server with Receiver enables and configures launch signatureverification using the Citrix Merchandising Server Adminstrator Console > Deliverieswizard to add trusted certificate thumbprints.
To use Group Policy Objects to enable and configure application or desktop launchsignature verification, follow this procedure:
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the ica-file-signing.adm template into the Group PolicyEditor, you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select ica-file-signing.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Enable ICA File Signing. In Windows 7 and Windows Server 2008,expand Administrative Templates and navigate through Classic AdministrativeTemplates (ADM) > Citrix Components to the desired configuration option.
7. If you choose Enabled, you can add signing certificate thumbprints to the white list of trusted certificate thumbprints or remove signing certificate thumbprints from the
white list by clicking Show and using the Show Contents screen. You can copy andpaste the signing certificate thumbprints from the signing certificate properties. Usethe Policy drop-down menu to select Only allow signed launches (more secure) orPrompt user on unsigned launches (less secure).
Option Description
Only allow signed launches (moresecure)
Allows only properly signed applicationor desktop launches from a trustedserver. The user sees a Security Warningmessage in Receiver if an application ordesktop launch has an invalid signature.The user cannot continue and theunauthorized launch is blocked.
Prompt user on unsigned launches (lesssecure)
Prompts the user every time an unsignedor invalidly signed application or desktopattempts to launch. The user can eithercontinue the application launch or abortthe launch (default).
ICA File Signing - Protection Against Application or Desktop Launches From Untrusted Servers
153
154
Selecting and Distributing a DigitalSignature Certificate
When selecting a digital signature certificate, Citrix recommends you choose from thisprioritized list:
1. Buy a code-signing certificate or SSL signing certificate from a public CertificateAuthority (CA).
2. If your enterprise has a private CA, create a code-signing certificate or SSL signingcertificate using the private CA.
3. Use an existing SSL certificate, such as the Web Interface or Self-service Plug-in servercertificate.
4. Create a new root CA certificate and distribute it to user devices using GPO or manualinstallation.
155
Configuring a Web Browser and ICA Fileto Enable Single Sign-on and ManageSecure Connections to Trusted Servers
To use Single sign-on (SSO) and to manage secure connections to trusted servers, add theCitrix server's site address to the Local intranet or Trusted sites zones in Internet Explorerunder Tools > Internet Options > Security on the user device. The address can include thewildcard (*) formats supported by the Internet Security Manager (ISM) or be as specific asprotocoll://URL[:port].
The same format must be used in both the ICA file and the sites entries. For example, if youuse a fully qualified domain name (FQDN) in the ICA file, you must use an FQDN in the siteszone entry. XenDesktop connections use only a desktop group name format.
Supported Formats (Including Wildcards)http[s]://10.2.3.4
http[s]://10.2.3.*
http[s]://hostname
http[s]://fqdn.example.com
http[s]://*.example.com
http[s]://cname.*.example.com
http[s]://*.example.co.uk
desktop://group-20name
ica[s]://xaserver1
ica[s]://xaserver1.example.com
Launching SSO or Using Secure Connections with aweb site
Add the exact address of the Receiver for Web or the Web Interface site in the sites zone.
Example Web Site Addresses
https://my.company.com
http://10.20.30.40
http://server-hostname:8080
https://SSL-relay:444
XenDesktop Connections with Desktop ViewerAdd the address in the form desktop://Desktop Group Name. If the desktop group namecontains spaces, replace each space with -20.
Custom ICA Entry FormatsUse one of the following formats in the ICA file for the Citrix server site address. Use thesame format to add it to the Local intranet or Trusted sites zones in Internet Explorerunder Tools > Internet Options > Security on the user device:
Example of ICA File HttpBrowserAddress Entry
HttpBrowserAddress=XMLBroker.XenappServer.example.com:8080
Examples of ICA File XenApp Server Address Entry
If the ICA file contains only the XenApp server Address field, use one of the following entryformats:
icas://10.20.30.40:1494
icas://my.xenapp-server.company.com
ica://10.20.30.40
Configuring a Web Browser and ICA File to Enable Single Sign-on and Manage Secure Connections to Trusted Servers
156
157
To set client resource permissions
You can set client resource permissions using trusted and restricted site regions by:
● Adding the Receiver for Web or the Web Interface site to the Trusted Site list
● Making changes to new registry settings
Note: Due to enhancements to Receiver, the .ini procedure available in earlier versionsof the plug-in/Receiver is replaced with these procedures.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
To add the web site to the trusted site list1. From the Internet Explorer Tools menu, choose Internet Options > Security.
2. Select the Trusted sites icon and click the Sites button.
3. In the Add this website to the zone text field, type the URL to your Receiver for Webor Web Interface site and click Add.
4. Download the registry settings from http://support.citrix.com/article/CTX124871.htmland make any registry changes. Use SsonRegUpx86.reg for Win32 user devices andSsonRegUpx64.reg for Win64 user devices.
5. Log off and then log on to the user device.
To change client resource permissions in the registry1. Download the registry settings from http://support.citrix.com/article/CTX124871.html
and import the settings on each user device. Use SsonRegUpx86.reg for Win32 userdevices and SsonRegUpx64.reg for Win64 user devices.
2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Client Selective Trust and in the appropriate regions, change the default value tothe required access values for any of the following resources:
Resource key Resource description
FileSecurityPermission Client drives
MicrophoneAndWebcamSecurityPermission Microphones and webcams
PdaSecurityPermission PDA devices
ScannerAndDigitalCameraSecurityPermission USB and other devices
Value Description
0 No Access
1 Read-only access
2 Full access
3 Prompt user for access
To set client resource permissions
158
159
Enabling Smart Card Logon
You must use Receiver (Enterprise) for smart card support.
Enabling smart card logon allows users to use smart cards instead of passwords toauthenticate to XenApp servers. You can use smart card logon either with or withoutpass-through authentication.
You must enable smart card support on the server and set up and configure the user deviceproperly with third-party smart card hardware and software. Refer to the documentationthat came with your smart card equipment for instructions about deploying smart cardswithin your network.
The smart card removal policy set on XenApp determines what happens if you remove thesmart card from the reader during an ICA session. The smart card removal policy isconfigured through and handled by the Windows operating system.
● Kerberos pass-through authentication requires a smart card inserted in the smart cardreader at logon time only. With this logon mode selected, the plug-in prompts the userfor a smart card PIN (Personal Identification Number) when it starts up. Kerberospass-through authentication then caches the PIN and passes it to the server every timethe user requests a published resource. The user does not have to subsequently reentera PIN to access published resources or have the smart card continuously inserted. Ifauthentication based on the cached PIN fails or if a published resource itself requiresuser authentication, the user continues to be prompted for a PIN.
● Disabling pass-through authentication requires a smart card to be present in the smartcard reader whenever the user accesses a server. With pass-through disabled, theplug-in prompts the user for a smart card PIN when it starts up and every time the userrequests a published resource.
160
Enforcing Trust Relations
Trusted server configuration is designed to identify and enforce trust relations involved inReceiver connections. This trust relationship increases the confidence of Receiveradministrators and users in the integrity of data on user devices and prevents the malicioususe of Receiver connections.
When this feature is enabled, Receivers can specify the requirements for trust anddetermine whether or not they trust a connection to the server. For example, a Receiverconnecting to a certain address (such as https://*.citrix.com) with a specific connectiontype (such as SSL) is directed to a trusted zone on the server.
When trusted server configuration is enabled, XenApp servers or the Access Gateway mustreside in a Windows Trusted Sites zone. (For step-by-step instructions about adding serversto the Windows Trusted Sites zone, see the Internet Explorer online help.)
If you connect using SSL, add the server name in the format https://CN, where CN is theCommon Name shown on the SSL certificate. Otherwise, use the format that Receiver usesto connect; for example if Receiver connects using an IP address, add the server’s IPaddress.
To enable trusted server configuration
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. Expand the Administrative Templates folder under the User Configuration node.
7. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network Routing > Configure trusted serverconfiguration. In Windows 7 and Windows Server 2008, expand AdministrativeTemplates and navigate through Classic Administrative Templates (ADM) > CitrixComponents to the desired configuration option.
8. From the Action menu, choose Properties and select Enabled.
Enforcing Trust Relations
161
162
Elevation Level and wfcrun32.exe
When User Access Control (UAC) is enabled on devices running Windows Vista or Windows 7,only processes at the same elevation/integrity level as wfcrun32.exe can launch publishedapplications.
Example 1:
When wfcrun32.exe is running as a normal user (un-elevated), other processes such asReceiver must be running as a normal user to launch applications through wfcrun32.
Example 2:
When wfcrun32.exe is running in elevated mode, other processes such as ConnectionCenter, Receiver, and third party applications using the ICA Client Object that are runningin non-elevated mode cannot communicate with wfcrun32.exe.
163
Receiver for Windows 3.1
Quick Links
About this Release Using the Receiver with XenDesktopConnections
System Requirements and Compatibility forReceiver for Windows 3.1
Optimizing the Receiver Environment
Licensing Your Product Improving the Receiver User Experience
Overview of Citrix Receiver for WindowsInstallation Packages
Securing Your Connections
To configure and install the Citrix Receiverfor Windows using command-lineparameters
Securing Citrix Receiver Communication
164
Receiver for Windows 3.1
Quick Links
About this Release Using the Receiver with XenDesktopConnections
System Requirements and Compatibility forReceiver for Windows 3.1
Optimizing the Receiver Environment
Licensing Your Product Improving the Receiver User Experience
Overview of Citrix Receiver for WindowsInstallation Packages
Securing Your Connections
To configure and install the Citrix Receiverfor Windows using command-lineparameters
Securing Citrix Receiver Communication
165
About Citrix Receiver for Windows 3.1
What's New in the Citrix Receiver Standard PackageCitrix Receiver (CitrixReceiver.exe) has been enhanced for on-demand access to Windows,Web, and Software as a Service (SaaS) applications. You can now configure it for use withCitrix CloudGateway.
● CloudGateway Express Interoperability - Enables existing XenApp and XenDesktopcustomers to deliver all their Windows apps and desktops to any device using a unifiedStoreFront with self-service.
● CloudGateway Enterprise Interoperability - Enables enterprises to aggregate, control,and deliver all of their Windows, web and SaaS apps to any user on any device.
● Flexible installation methods - You can install CitrixReceiver.exe from Receiver forWeb and Web Interface with or without administrator rights or you can use electronicsoftware distribution (ESD) tools like Active Directory Group Policy Objects (GPO) orSCCM. Administrator rights are required to install CitrixReceiver.exe if it will usepass-through authentication. (Receiver for Web sites do not support domainpass-through authentication.)
● Self-service - Citrix Receiver displays all the resources that you make available tousers. Users can browse the list or search for the resources they require and subscribewith a single click. Enabled using one-click configuration and CloudGateway.
● One-click configuration - Opening a configuration file after installing Citrix Receiveractivates self-service access to CloudGateway-published resources. You can publish theconfiguration file on a web site or email it to multiple users.
● Secure, remote access through Access Gateway - Integration with Access Gatewayprovides users with secure access to all enterprise applications, virtual desktops, anddata.
● Domain pass-through authentication - Users already logged on to their domain accountdo not need to authenticate to access applications.
Enable this functionality using a command line switch.
● Auto-provisioned applications - Receiver automatically adds administrator-designatedapplications when users first authenticate. Requires CloudGateway StoreFront.
● CloudGateway internal URL redirection - When a URL is redirected, Receiver checks akeyword to determine if the URL requires an Access Gateway VPN connection foraccess. If the VPN client is installed, it starts the VPN client and opens the page.
● Receiver for all devices - User experience is consistent across Receiver platforms anddevices.
● Follow-me subscriptions - Users selected applications follow them across devices.Requires CloudGateway StoreFront.
● Work space control improvements - Active sessions follow users as they roam from onedevice to another. Previously, the Self-Service Plug-in disabled workspace control.
● Multiple account support - Users can access applications and desktops from multipledata centers using different security provisions.
● Expanded browser support - Chrome versions 10.0 and later are supported.Pre-installation of Firefox is no longer required.
Citrix Receiver supports Web Interface for legacy deployments.
What's New in the Citrix Receiver Enterprise PackageThe Citrix Receiver Enterprise package does not contain any new features. With theupgrade in features in the standard Receiver, the Receiver Enterprise package is requiredonly to support applications that use Smart Card authentication.
Known IssuesThis section contains:
● General issues
● Known issues - Desktop connections
● Third-party issues
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
General Issues
● When configured with multiple stores, Receiver might confuse the gateways required toconnect to a store causing incorrect apps being available to users. Work around:Configure only one store. [#0263165]
● If you use the Receiver with XenApp 5.0 Feature Pack 2 for Windows Server 2003 (32- or64-bit editions), the Receiver plays audio even when you configure the Turn offspeakers policy setting to disable the audio. [#242703]
● You might receive an error message when trying to launch an application with WebInterface after installing a previous version of the Receiver (Online plug-in) whilelogged in as one user, upgrading with CitrixReceiver.exe as another user, logging off theReceiver, and logging back on with the previous user name. The error message is: Citrixonline plug-in Configuration Manager: No value could be found for (ClientHostedApps)that satisfies all lock down requirements. The lockdown requirements in force may beconflicting. [#261877]
About Citrix Receiver for Windows 3.1
166
As a workaround, set the following registry key:
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\Lockdown Profiles\AllRegions\Lockdown\Virtual Channels\Control
Name: ClientHostedApps
Value: FALSE (or set to * / TRUE if you have overridden the defaults inHKEY_LOCAL_MACHINE)
● If you use Web Interface with Internet Explorer 8 and Windows 7 to upgrade to thisversion of Citrix Receiver, the upgrade finishes, but the Upgrade in Progress messageremains on the screen and the log on screen does not appear. Workaround: Restart thebrowser [#247858]
● When you launch applications using the Web Interface, Connection Center does notenumerate the sessions. [#261177]
● After you launch a published application that is filtered by XenApp for Access Gateway,other published applications do not launch. [#263003]
● In some environments, content redirection may not work until the published applicationis launched for the first time. [#0252515]
● When versions of Receiver are localized in Traditional Chinese, Korean, or Russian andintegrated with Access Gateway Standard Edition, the Receiver log on screen displays inEnglish because of an Access Gateway Standard Edition language limitation. [#0263442]
● When the offline plug-in is not installed and a streamed application is configured tofallback to ICA and the XenApp server is down, an incorrect error message appearsinforming you that the correct plug-in is not installed. [#0273813]
● If Certificate Revocation List (CRL) checking is disabled in Internet Options on the userdevice, this overrides the CertificateRevocationCheck registry setting for Receiver forWindows. This means users may be able to access Web sites that do not have validcertificates. As a workaround, ensure that the Check server revocation option locatedat Settings > Control Panel > Internet Options > Advanced is enabled. [#0032682]
● Receiver does not support the VPN keyword in Access Gateway ClientChoices mode.[#0274828]
Desktop Connections
● Loss of video is experienced if files are being played with a published version ofWindows Media Player through a virtual desktop session, and the Desktop Viewerwindow is changed from full-screen to window mode. As a workaround, minimize andrestore the Media Player window, and then pause and resume the application (or stopand restart it). [#246230]
● You cannot log off gracefully from Windows XP 32-bit virtual desktops if you start (butdo not log on to) the Receiver in the desktop session. If the Receiver logon dialog box isnot completed, you cannot log off from the desktop. To work around the issue,complete the logon dialog box or close it. This issue is not observed on other virtual
About Citrix Receiver for Windows 3.1
167
desktop operating systems. [#246516]
● If virtual desktops are installed with the Virtual Desktop Agent supplied withXenDesktop 5.0, Receiver for Windows 3.0 displays an error if the user starts apublished application from the desktop. The workaround is to use the Virtual DesktopAgent supplied with XenDesktop 5.5. [#263079]
● The Citrix Desktop Lock does not redirect Adobe Flash content to domain-joined userdevices. The content can be viewed but is rendered on the server, not locally. As aworkaround, Adobe Flash redirection can be configured for server-side content fetchingto pass the content from the server to the user device. This issue does not occur onnon-domain-joined devices or when the content is viewed with the Desktop Viewer.[#263092]
● The Desktop Viewer Devices menu may not close when the user clicks the Devices icon.It also may remain open after its corresponding dialog box closes. If this occurs, clickthe Devices icon again. [#262202]
● Windows Media Player, when displayed in the non-primary monitor of a two-monitorWindows user device, may not work as expected. Due to an issue with the DirectX videomixing renderer filter VMR-9, the screen is black and there is no sound, although theplayer's progress bar advances. To correct this issue, edit the registry on the userdevice from which the XenDesktop connection is launched. In theHKEY_CURRENT_USER\Software\Citrix subkey, create the HdxMediaStream key. Namethe key DisableVMRSupport. Set the type as REG_DWORD. Give the key the value 3.[#262852]
Third-Party Issues
When using Internet Explorer to open a Microsoft Office document in Edit mode fromSharePoint, Microsoft Office might display the message, “Access denied.” Workaround:Go to the SharePoint site and check out the document, edit it, and check the file backin to SharePoint. [#258725]
About Citrix Receiver for Windows 3.1
168
169
System Requirements and Compatibilityfor the Citrix Receiver for Windows
● Supported Windows Operating Systems:
● Windows 7, 32-bit and 64-bit editions (including Embedded Edition)
● Windows XP Professional, 32-bit and 64-bit editions
● Windows XP Embedded
● Windows Vista, 32-bit and 64-bit editions
● Windows Thin PC
● Windows Server 2008 R1, 32-bit and 64-bit editions (not supported by XenDesktopconnections)
● Windows Server 2008 R2, 64-bit edition (not supported by XenDesktop connections)
● Windows Server 2003, 32-bit and 64-bit editions (not supported by XenDesktopconnections)
Important: For XenDesktop connections, be aware that the Citrix Desktop Lock isonly supported on Windows XP Professional, Windows XP Embedded, Windows 7,and Windows Embedded Standard 7. If your deployment includes smart cards, andWindows 7 or Windows Embedded Standard 7, see the additional requirements inthis topic.
● Server support:
● XenApp (any of the following products):
● Citrix XenApp 6.5 for Windows Server 2008 R2
● Citrix XenApp 6 for Windows Server 2008 R2
● Citrix XenApp 5 for Windows Server 2008
● Citrix XenApp 5 for Windows Server 2003● XenDesktop (any of the following products):
● XenDesktop 5.5
● XenDesktop 5
● XenDesktop 4● To manage connections to apps and desktops, Citrix Receiver supports Cloud
Gateway or Web Interface :
● CloudGateway Express, with Receiver Storefront 1.0 and, for optional access toresources from a web page, Receiver for Web 1.0
● CloudGateway Enterprise 1.0, for apps hosted on a network, on anInfrastructure as a Service (IaaS) platform, or configured as Software as aService (SaaS)
● Web Interface 5.x for Windows with a XenApp Services and XenDesktop Web site
● Merchandising Server 2.x
● Connectivity
Citrix Receiver supports HTTPS and ICA-over-SSL connections through any one of thefollowing configurations.
● For LAN connections:
● Receiver StoreFront 1.0, using StoreFront services or Receiver for Web sites
● Web Interface 5.x for Windows, using XenApp Services and XenDesktop Websites (Program Neighborhood Agent sites are also supported for legacyinstallations)
● For secure remote or local connections:
● Citrix Access Gateway VPX
● Citrix Access Gateway 5.0
● Citrix Access Gateway Enterprise Edition 9.x
● Citrix Secure Gateway 3.xYou can use Access Gateway with Receiver StoreFront or Web Interface. You can useSecure Gateway only with Web Interface.
● Authentication
Receiver for Windows 3.1, when used with Receiver StoreFront 1.0, supports thefollowing authentication methods:
● Domain
● Domain pass-through**
● Security token
● Two-factor (domain plus security token)*Receiver for Windows 3.1, when used with Web Interface 5.X, supports the followingauthentication methods:
● Domain
● Security token
● Two-factor (domain plus security token)*
System Requirements
170
● SMS*
● Smart card (with or without Access Gateway)
* These authentication methods are available only in deployments that include AccessGateway.
** Receiver for Web sites do not support domain pass-through authentication.
For more information about authentication, including certificate requirements, refer tothe "Manage" topics in the Receiver StoreFront documentation.
If your site requires Smart Card authentication for connections to applications, useReceiver (Enterprise) with Web Interface. For information about other authenticationmethods supported by Web Interface, refer to "Configuring Authentication for the WebInterface" in the Web Interface documentation.
● Certificates
For information about security certificates, refer to topics under Secure Connectionsand Secure Communications.
● Upgrades. Upgrades are supported only for Citrix XenApp Plugin for Hosted Apps 11.0,Desktop Receiver 11.1, and Citrix online plug-in 11.1,11.2, 12.0, and 12.1, and Receiverfor Windows 3.0 releases.
● Availability of the Receiver for Windows 3.1 features. Some of the features andfunctionality of Receiver are available only when connecting to newer XenApp andXenDesktop versions and might require the latest hotfixes for XenApp, XenDesktop, andSecure Gateway.
● Previous versions of the Presentation Server Client/Online Plug-in and the currenticaclient.adm file. Previous versions of the Presentation Server Client and OnlinePlug-in are not compatible with the Receiver for Windows 3.1 icaclient.adm file.
● Supported Browsers:
● Internet Explorer Version 6.0 through 9.0
● Mozilla Firefox Version 1.x through 5.x
● Google Chrome Version 10.0 and later● .NET Framework Requirements (XenDesktop Connections Only)
To use the Desktop Viewer, .NET 2.0 Service Pack 1 or later is required. This version isrequired because, if Internet access is not available, certificate revocation checks slowdown connection startup times. The checks can be turned off and startup timesimproved with this version of the Framework but not with .NET 2.0. Use of the CitrixDesktop Lock does not require the .NET Framework to be installed.
● Hardware Requirements:
● VGA or SVGA video adapter with color monitor
● Windows-compatible sound card for sound support (optional)
System Requirements
171
● For network connections to the server farm, a network interface card (NIC) and theappropriate network transport software
● Supported Connection Methods and Network Transports:
● TCP/IP+HTTP
● SSL/TLS+HTTPS● HDX MediaStream Multimedia Acceleration
Applications and media formats supported by HDX MediaStream Multimedia Accelerationare:
● Applications based on Microsoft’s DirectShow, DirectX Media Objects (DMO), andMedia Foundation filter technologies such as Windows Media Player and RealPlayer.
● Applications like Internet Explorer and Microsoft Encarta are also supported, as theyleverage Windows Media Player.
● Both file-based and streaming (URL-based) media formats: WAV, all variations ofMPEG, unprotected Windows Media Video (WMV), and Windows Media Audio (WMA).
Note: HDX MediaStream Multimedia Acceleration does not support media filesprotected with Digital Rights Management (DRM).
● Smart Cards and the Citrix Desktop Lock
The Citrix Desktop Lock can be used with smart cards connected to domain-joined userdevices running Windows XP or Windows XPe but not Windows 7 or Windows EmbeddedStandard 7. This limitation does not apply to non-domain-joined user devices.
System Requirements
172
173
Citrix Receiver for Windows Overview
Citrix Receiver for Windows (Citrix Receiver) delivers apps, desktops, and IT services toWindows PCs. Citrix Receiver supports Citrix CloudGateway:
● CloudGateway Express enables XenApp and XenDesktop customers to deliver Windowsapps and desktops by using a unified StoreFront with self-service.
● CloudGateway Enterprise enables enterprises to aggregate, control, and deliver all oftheir Windows, web and SaaS apps.
Receiver also supports Citrix Web Interface for legacy deployments.
Receiver handles the following functions:
● User authentication. Receiver provides user credentials to CloudGateway or WebInterface when users try to connect and every time they launch published resources.
● Application and content enumeration. Receiver presents users with their individualset of published resources.
● Application launching. Receiver is the local engine used to launch publishedapplications.
● Desktop integration. Receiver integrates a user’s set of published resources (includingvirtual desktops) with the user’s physical desktop.
● User preferences. Receiver validates and implements local user preferences.
Two Citrix Receiver packages are available.
● Citrix Receiver (standard, CitrixReceiver.exe) supports Citrix CloudGateway and, forlegacy deployments, Web Interface. Standard Receiver features include:
● Receiver Experience, enabling users to seamlessly transition between devices andconnection types
● Web plug-in
● Authentication Manager
● Single sign-on/pass-through authentication
● Self-service
● Generic USB (XenDesktop)
● Desktop Viewer (XenDesktop)
● HDX Media Stream for Flash
● Aero desktop experience (for operating systems that support it)
● Citrix Receiver (enterprise, CitrixReceiverEnterprise.exe) is required only forapplications that use Smart Card authentication. It supports Web Interface only andincludes the same features as the standard package except for Authentication Managerand self-service.
Using the Citrix CloudGatewayCitrixReceiver.exe enables access to StoreFront published resources and virtual desktopsfrom anywhere. Configure a provisioning file to provide native self-service access orconfigure a Receiver for Web site to provide web browser access to StoreFront-publishedresources and virtual desktops.
Using with XenAppBoth Receiver packages support the XenApp feature set. Centrally administer and configurethe Receiver in the Receiver Storefront management console (or, if using Web Interface, inthe Web Interface Management Console using a Receiver site created in association with asite for the server running the Web Interface).
You can use both Receiver packages with the Citrix offline plug-in to provide applicationstreaming to the user desktop. For more information about the streamed applicationfeature, see the Application Streaming documentation in eDocs.
The Desktop Viewer is not supported with XenApp connections.
Using with XenDesktopReceiver includes the Desktop Viewer, the client-side software that supports XenDesktop.Users running the Desktop Viewer on their devices access virtual desktops created withXenDesktop in addition to their local desktop. Users running the Citrix Desktop Lock (whichyou install in addition to the Desktop Viewer) interact only with the virtual desktop not thelocal desktop.
Get Started
174
175
Citrix Connection Center Overview
The Citrix Connection Center displays all connections established from the Receiver.
The ICA Connections window displays a list of active sessions. Each server entry in the listrepresents a session. For each seamless session, below each server entry, a list of thepublished resources you are running on that server appears.
After you launch a published resource, you can access the Connection Center by rightclicking the Receiver icon in your Windows notification area and choose Online Sessions >Connection Center. You can also access the Connection Center from the Preferences >Plug-in Status screen.
The Connection Center offers various options to view statistics and control sessions andapplications:
● Disconnect a session from a server but leave the session running on it
● End a server session
● Switch from seamless mode to full screen mode
● Seamless mode. Published applications and desktops are not contained within asession window. Each published application and desktop appears in its ownresizable window, as if it is physically installed on your user device. You can switchbetween published applications and the local desktop.
● Full screen mode. Published applications are placed in a full screen-sized desktop.● Show connection status details like frames sent and received
● Terminate an indivual published application
● Set access permissions
176
Providing Virtual Desktops to ReceiverUsers
This topic applies to XenDesktop deployments only.
Different enterprises have different corporate needs, and your requirements for the wayusers access virtual desktops may vary from user to user, and as your corporate needsevolve. The user experience of connecting to virtual desktops and the extent of userinvolvement in configuring the connections depend on how you set up the Citrix Receiverfor Windows. You have two options for providing users with access to virtual desktops: usingthe Desktop Viewer or the Citrix Desktop Lock.
Important: Do not attempt to use the Desktop Viewer or the Desktop Lock to connect todesktops published with XenApp.
Desktop ViewerUse the Desktop Viewer when users need to interact with their local desktop as well as thevirtual one. In this access scenario, the Desktop Viewer toolbar functionality allows the userto open a virtual desktop in a window and pan and scale that desktop inside their localdesktop. Users can set preferences and work with more than one desktop using multipleXenDesktop connections on the same user device.
Citrix Desktop LockUse the Desktop Lock when users do not need to interact with the local desktop. In thisaccess scenario, the Desktop Viewer is not available and the virtual desktop effectivelyreplaces the local one, allowing the user to interact with the virtual desktop as if it is local.This provides the best user experience in a XenDesktop environment.
To decide which option best suits your deployment, consider how you want users to accessand interact with virtual desktops.
To understand the user experience of connecting to desktops created with XenDesktop,consult the planning topics in the XenDesktop documentation.
177
Overview of Citrix Receiver for WindowsInstallation Packages
This release contains two installation packages and offers several options for installing theCitrix Receiver for Windows. You can install the two Receiver installer packages with almostno user interaction.
● CitrixReceiver.exe - This Receiver (standard) does not require administrator rights toinstall unless it will use pass-through authentication. It can be installed:
● Automatically from Receiver for Web or from Web Interface
● By the user
● Using an Electronic Software Distribution (ESD) tool● CitrixReceiverEnterprise.exe - This Receiver (Enterprise) requires administrator rights
to install. Although the user can install Receiver (Enterprise), it is usually installed withan ESD tool. Uninstall other Receiver versions before installing Receiver (Enterprise).
Important: Upgrades are supported only from Citrix online plug-in 11.2 and 12.x. Removeany earlier versions before installing this version.
Considerations When UpgradingBecause there are two Citrix Receiver installation packages and there were two onlineplug-in packages (web and full) in previous releases, each having different options, youhave to consider the previously installed package when planning your upgrade. Use thistable to determine how to proceed with your upgrade.
Currently installed Upgrade Package Result
No Online plug-in installed CitrixReceiverEnterprise.exe Citrix Receiver(Enterprise) - web access- but manuallyconfigurable for PNA
No Online plug-in installed CitrixReceiver.exe Citrix Receiver (standard)- web access
Online plug-in fullconfigured for PNA or SSO
CitrixReceiverEnterprise.exe Citrix Receiver(Enterprise) configuredfor PNA or SSO
Online plug-in web CitrixReceiver.exe Citrix Receiver (standard)- web access
Online plug-in web CitrixReceiverEnterprise.exe Citrix Receiver(Enterprise) - web access- but manuallyconfigurable for PNA
The CitrixReceiver.exe upgrade package cannot be used to upgrade the online plug-in fullconfigured for PNA or Citrix Receiver (Enterprise). In both cases, the installer displays anerror message and does not alter the previously installed client.
How Installation Outcomes Differ Based on theOperating System, User Type, and InstallationPackage
The outcome of CitrixReceiver.exe or CitrixReceiverEnterprise.exe package installationsdiffers based on the combination of the operating system on the user device, user type,whether User Account Control (UAC) is enabled or disabled on Windows Vista, Windows 7,and Windows 2008 computers, and which installation package is used.
Operating system and usertype
CitrixReceiver.exe CitrixReceiverEnterprise.exe
OS: Windows XP, andWindows Server 2003
User: Administrator
Installation type:per-computer
Installation type:per-computer
OS: Windows XP, andWindows Server 2003
User: Standard user
Installation type: per-user Not supported
OS: Windows Vista,Windows 7, and WindowsServer 2008
User: Administrator with orwithout UAC disabled
Installation type:per-computer
Installation type:per-computer
OS: Windows Vista,Windows 7, and WindowsServer 2008
User: Standard user
Installation type: per-user Not supported
Install and Uninstall
178
179
Installing and Uninstalling Receiver forWindows Manually
Users can install the Receiver from Receiver for Web, the Web Interface, the installationmedia, a network share, Windows Explorer, or a command line by running theCitrixReceiverEnterprise.exe or CitrixReceiver.exe installer package. Because the installerpackages are self-extracting installations that extract to the user's temp directory beforelaunching the setup program, ensure that there is enough free space available in the%temp% directory.
When the user runs one of the Receiver installation .exe files, a message box immediatelyappears displaying the progress of the installation.
When you cancel the installation before completion, some components might be installed.In that case, remove the Receiver with the Add/Remove Programs utility from the ControlPanel on Windows XP or Windows Server 2003 (Programs and Features utility from theControl Panel on Windows Vista, Windows 7, and Windows Server 2008).
Upgrades are supported only from the Citrix XenApp Plugin for Hosted Apps 11.0, DesktopReceiver 11.1, and Citrix online plug-in 11.1, 11.2, and 12.x. Remove any earlier versionsbefore installing this current version.
For command line installation parameters, see To configure and install the Citrix Receiverfor Windows using command-line parameters.
If company policies prohibit you from using an .exe file, refer to How to Manually Extract,Install, and Remove Individual .msi Files from ReceiverEnterprise.exe.
Removing the ReceiverYou can also use the Citrix Receiver Updater to install and uninstall Receiver. If CitrixReceiver Updater was not used to install the Receiver, you can uninstall Receiver byrunning the Add/Remove Programs utility from the Control Panel on Windows XP orWindows Server 2003 (Programs and Features utility from the Control Panel on WindowsVista, Windows 7, and Windows Server 2008).
If you delete Receiver related files or registry entries just before uninstalling Receiver withAdd/Remove Programs or Programs and Features, uninstall might fail. The MicrosoftWindows Installer (MSI) is trying to repair and uninstall at the same time. If this occurs, usethe Receiver to start an auto-repair. After the auto-repair completes, you can cleanlyuninstall Receiver from Add/Remove Programs or Programs and Features.
Auto-repair occurs if there is a problem with Receiver; however, there is no Add/RemovePrograms or Programs and Features Repair option.
To remove Receiver using the command line
You can also uninstall Receiver from a command line by typing the appropriate command.
CitrixReceiverEnterprise.exe /uninstall
or
CitrixReceiver.exe /uninstall
Caution: Using Registry Editor incorrectly can cause serious problems that can requireyou to reinstall the operating system. Citrix cannot guarantee that problems resultingfrom incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Make sure you back up the registry before you edit it.
After uninstalling the Receiver software from a user device, the custom Receiver-settingregistry keys created by icaclient.adm remain in the Software\Policies\Citrix\ICA Clientdirectory under HKEY_LOCAL_MACHINE and HKEY_LOCAL_USER. If you reinstall Receiver,these policies might be enforced, possibly causing unexpected behavior. If you want toremove these customizations, delete them manually.
Installing and Uninstalling Receiver for Windows Manually
180
181
Upgrading the Desktop Viewer andDesktop Appliance Lock
You can upgrade the Desktop Viewer component contained in Citrix online plug-in 12.1 byinstalling this version of the Citrix Receiver for Windows.
To upgrade the Desktop Appliance Lock, remove Citrix online plug-in 12.1 and the DesktopAppliance Lock, and then install this version of the Receiver and the Citrix Desktop Lock.
182
To install the Citrix Desktop Lock
Important: Log on using a local administrator account to carry out this installationprocedure. In addition, consult About Citrix Receiver for Windows 3.1 for workarounds toany known issues with the Desktop Lock.
This procedure installs the plug-in so that virtual desktops are displayed using the CitrixDesktop Lock. Do not use this procedure if you want the Desktop Viewer to be available tousers.
1. On the installation media, navigate to the folder called Citrix Receiver andPlug-ins\Windows\Receiver, and run CitrixReceiverEnterprise.exe from the commandline using the following syntax:
CitrixReceiverEnterprise.exe ADDLOCAL="ICA_Client,SSON,USB,DesktopViewer,Flash,PN_Agent,Vd3d" SERVER_LOCATION="my.server" ENABLE_SSON="Yes"
For information about the properties used in this command, see To configure and installthe Citrix Receiver for Windows using command-line parameters
2. Enter the URL of the XenDesktop Services site where your virtual desktops are located.The URL must be in the format http://servername or https://servername. If you areusing hardware or software for load balancing or failover, you can enter aload-balanced address.
Important: Check that the URL you enter is correct. If the URL is incorrectly typed,or you leave the field empty and the user does not enter a valid URL when promptedafter installation, no virtual desktop or local desktop will be available.
3. On the XenDesktop installation media, navigate to the Citrix Receiver andPlug-ins\Windows\Receiver folder and double-click CitrixDesktopLock.msi. The CitrixDesktop Lock wizard appears.
4. On the License Agreement page, read and accept the Citrix license agreement andclick Install. The Installation Progress page appears.
5. In the Installation Completed dialog box, click Close.
6. When prompted, restart the user device. If you have been granted access to a desktopand you log on as a domain user, the restarted device is displayed using the DesktopLock.
183
User Accounts Used to Install the CitrixDesktop Lock
When you install the Citrix Desktop Lock, a replacement shell is used. To allowadministration of the user device after you complete the installation, the account used toinstall CitrixDesktopLock.msi is excluded from the shell replacement. If the account used toinstall CitrixDesktopLock.msi is later deleted, you will not be able to log on and administerthe device.
Note that because a replacement shell is used, Citrix does not recommend the use ofcustom shells with desktops accessed through the Desktop Lock.
184
To remove the Citrix Desktop Lock
If you installed the Citrix Desktop Lock, two separate items are displayed in Add/RemovePrograms. You must remove both to complete the removal process.
1. Log on with the same local administrator credentials that were used to install theDesktop Lock.
2. Run the Add/Remove programs utility from the Control Panel.
3. Remove Citrix Desktop Lock.
4. Remove Citrix Receiver or Citrix Receiver (Enterprise).
185
To configure and install the CitrixReceiver for Windows usingcommand-line parameters
You or your users can customize the Receiver installer by specifying command line options.Because the installer packages are self-extracting installations that extract to the user'stemp directory before launching the setup program, ensure that there is enough free spaceavailable in the %temp% directory.
Space Requirements
Receiver (standard) - 78.8 Mbytes
Receiver (Enterprise) - 93.6 Mbytes
This includes program files, user data, and temp directories after launching severalapplications.
1. On the computer where you want to install the Receiver for Windows package, type thefollowing at a command prompt:
CitrixReceiver.exe [Options]
or
CitrixReceiverEnterprise.exe [Options]
2. Set your options as needed.
● /? or /help displays usage information.
● /noreboot suppresses reboot during UI installations. This option is not necessaryduring silent installs.
● /silent disables the error and progress dialogs to execute a completely silentinstallation.
● /includeSSON enables single sign on for Receiver (standard, CitrixReceiver.exe).This option is not supported for Receiver (enterprise, CitrixReceiverEnterprise.exe),which installs single sign on by default. If you are using ADDLOCAL= to specifyfeatures and you want to install single sign on, you must also specify the SSONvalue. Requires administrator rights.
● PROPERTY=Value
Where PROPERTY is one of the following all-uppercase variables (keys) and Value isthe value the user should specify.
● INSTALLDIR=Installation directory, where Installation directory is the locationwhere the Receiver software is installed. The default value is C:\ProgramFiles\Citrix\ICA Client. If you use this option and specify an Installationdirectory, you must install the RIInstaller.msi in the Installationdirectory\Receiver directory and the other .msi files in the Installationdirectory.
● CLIENT_NAME=ClientName, where ClientName is the name used to identify theuser device to the server farm. The default value is %COMPUTERNAME%.
● ENABLE_DYNAMIC_CLIENT_NAME={Yes | No} The dynamic client name featureallows the client name to be the same as the computer name. When userschange their computer name, the client name changes to match. To enabledynamic client name support during silent installation, the value of theproperty ENABLE_DYNAMIC_CLIENT_NAME in your installation file must be Yes.To disable dynamic client name support, set this property to No.
● ADDLOCAL=feature[,...] Install one or more of the specified components. Whenspecifying multiple parameters, separate each parameter with a comma andwithout spaces. The names are case sensitive. If you do not specify thisparameter, all components included in the CitrixReceiverEnterprise.exe orCitrixReceiver.exe are installed by default.
Note: ReceiverInside and ICA_Client are prerequisites for all othercomponents and must be installed.
ReceiverInside – Installs the Receiver experience. (Required)
ICA_Client – Installs the standard Receiver. (Required)
SSON – Installs single sign on. Requires administrator rights.
AM – Installs the Authentication Manager. This value is supported only withCitrixReceiver.exe.
SELFSERVICE – Installs the Self-Service Plug-in. This value is supported onlywith CitrixReceiver.exe. The AM value must be specified on the command lineand .NET 3.5 Service Pack 1 must be installed.
USB – Installs USB.
DesktopViewer – Installs the Desktop Viewer.
Flash – Installs HDX media stream for flash.
PN_Agent – Installs Receiver (Enterprise). This value is supported only withCitrixReceiverEnterprise.exe.
Vd3d – Enables the Windows Aero experience (for operating systems thatsupport it)
● ALLOWADDSTORE={N | S | A} – The default depends on the followingsituations:
To configure and install the Citrix Receiver for Windows using command-line parameters
186
N if Merchandising Server is used or stores are specified on the installationcommand line.
S if Receiver is installed per machine.
A if Receiver is installed per user.
Specifies whether or not users can add and remove stores not configuredthrough Merchandising Server deliveries. (Users can enable or disable storesconfigured through Merchandising Server deliveries, but they cannot removethese stores or change the names or the URLs.) This option is supported onlywith CitrixReceiver.exe.
● ALLOWSAVEPWD={N | S | A} – The default is the value specified from thePNAgent server at run time. Specifies whether or not users can save credentialsfor stores locally on their computers and applies only to stores using thePNAgent protocol. Setting this argument to N prevents users from saving theircredentials. If the argument is set to S, users can only save credentials forstores accessed through HTTPS connections. Using the value A allows users tosave credentials for all their stores. This option is supported only withCitrixReceiver.exe.
● ENABLE_SSON={Yes | No} – The default value is Yes. Note that users must logoff and log back onto their devices after an installation with pass-throughauthentication enabled. Requires administrator rights.
Important: If you disable single sign on pass-through authentication, usersmust reinstall Receiver if you decide to use pass-through authentication at alater time.
● ENABLE_KERBEROS={Yes | No} – The default value is No. Specifies thatKerberos should be used; applies only when pass-through authentication (SSON)is enabled.
● DEFAULT_NDSCONTEXT=Context1 [,…] – Include this parameter to set a defaultcontext for Novell Directory Services (NDS). To include more than one context,place the entire value in quotation marks and separate the contexts by acomma. This option is supported only with CitrixReceiverEnterprise.exe.Examples of correct parameters:
DEFAULT_NDSCONTEXT="Context1"
DEFAULT_NDSCONTEXT=“Context1,Context2”
● LEGACYFTAICONS={False | True} – The default value is False. Specifieswhether or not application icons are displayed for documents that have filetype associations with subscribed applications. When the argument is set tofalse, Windows generates icons for documents that do not have a specific iconassigned to them. The icons generated by Windows consist of a genericdocument icon overlaid with a smaller version of the application icon. Citrixrecommends enabling this option if you plan on delivering Microsoft Officeapplications to users running Windows 7. This option is supported only withCitrixReceiver.exe.
● SERVER_LOCATION=Server_URL – The default value is blank. Provide the URL of the server running the Web Interface. The URL must be in the format
To configure and install the Citrix Receiver for Windows using command-line parameters
187
http://servername or https://servername.
The Receiver appends the default path and file name of the configuration fileto the server URL. If you change the default location of the configuration file,enter the entire new path in the SERVER_LOCATION key. This option issupported only with CitrixReceiverEnterprise.exe.
● STARTMENUDIR=Text string – The default is to put applications under Start >All Programs. Specifies the name of the default folder added to users' Startmenus to hold the shortcuts to their subscribed applications. Users can changethe folder name and/or move the folder at any time. This option is supportedonly with CitrixReceiver.exe.
● STOREx="storename;http[s]://servername.domain/IISLocation/resources/v1;[On| Off];[storedescription]"[ STOREy="..."] – Specifies up to 10 stores to use withReceiver. Values:
● x and y – Integers 0 through 9.
● storename – Defaults to store. This must match the name configured on theStoreFront server.
● servername.domain – The fully qualified domain name of the server hostingthe store.
● IISLocation – the path to the store within IIS. The store URL must match theURL in StoreFront provisioning files. The store URLs are of the form“/Citrix/MyStore/resources/v1” (for StoreFront 1.0). To obtain the URL,export a provisioning file from StoreFront, open it in notepad and copy theURL from the <Address> element.
● On | Off – The optional Off configuration setting enables you to deliverdisabled stores, giving users the choice of whether or not they access them.When the store status is not specified, the default setting is On.
● storedescription – An optional description of the store, such as Apps onXenApp.
If there is a problem with the installation, search in the user's %TEMP% directory for the logswith the prefix CtxInstall- or TrollyExpress- . For example:
CtxInstall-ICAWebWrapper.log
TrollyExpress-20090807-123456.log
Examples of a Command-Line Installation
CitrixReceiver.exe /includeSSONSTORE0="AppStore;https://testserver.net/Citrix/MyStore/resources/v1;on;Appson XenApp"STORE1="BackUpAppStore;https://testserver.net/Citrix/MyBackupStore/resources/v1;on;BackupStore Apps on XenApp"
This example:
● Installs Receiver (standard).
To configure and install the Citrix Receiver for Windows using command-line parameters
188
● Installs single sign on.
● Specifies two application stores.
CitrixReceiverEnterprise.exe /silentADDLOCAL="ReceiverInside,ICA_Client,PN_Agent" ENABLE_SSON=noINSTALLDIR="c:\test" ENABLE_DYNAMIC_CLIENT_NAME=YesDEFAULT_NDSCONTEXT="Context1,Context2"SERVER_LOCATION="http://testserver.net" CLIENT_NAME="Modified"
This example:
● Installs Receiver (Enterprise) without visible progress dialog boxes.
● Installs only Receiver Inside, the standard Receiver (ICA_Client), and enterpriseReceiver (PN_Agent).
● Disables pass-through authentication.
● Specifies the location where the software is installed.
● Enables dynamic client naming.
● Specifies the default context for NDS.
● Specifies the URL (http://testserver.net) of the server running the Web Interface,which Receiver will reference.
● Specifies the name used to identify the user device to the server farm.
To configure and install the Citrix Receiver for Windows using command-line parameters
189
190
Delivering Receiver Using ActiveDirectory and Sample Startup Scripts
You can use Active Directory Group Policy scripts to pre-deploy Receiver on systems basedon your Active Directory organizational structure. Citrix recommends using the scriptsrather than extracting the .msi files because the scripts allow for a single point forinstallation, upgrade, and uninstall, they consolidate the Citrix entries in Programs andFeatures, and make it easier to detect the version of Receiver that is deployed. Use theScripts setting in the Group Policy Management Console (GPMC) under ComputerConfiguration or User Configuration. Microsoft documents the advantages anddisadvantages of using scripts at Microsoft Technet - Use Group Policy to assign computerstartup scripts.
Citrix includes sample per-computer startup scripts to install and uninstallCitrixReceiver.exe and Citrix ReceiverEnterprise.exe. The scripts are located on the XenAppmedia in the Citrix Receiver and Plug-ins\Windows\Receiver\Startup_Logon_Scripts folder.
● CheckAndDeployReceiverEnterpriseStartupScript.bat
● CheckAndDeployReceiverPerMachineStartupScript.bat
● CheckAndRemoveReceiverEnterpriseStartupScript.bat
● CheckAndRemoveReceiverPerMachineStartupScript.bat
When the scripts are executed during Startup or Shutdown of an Active Directory GroupPolicy, custom configuration files might be created in the Default User profile of a system.If not removed, these configuration files can prevent some users from accessing theReceiver logs directory. The Citrix sample scripts include functionality to properly removethese configuration files.
To use the startup scripts to deploy Receiver with Active Directory
1. Create the Organizational Unit (OU) for each script.
2. Create a Group Policy Object (GPO) for the newly created OU.
To modify the sample scriptsModify the scripts by editing these parameters in the header section of each file:
● Current Version of package. The specified version number is validated and if it is notpresent, the deployment proceeds. For example, set DesiredVersion=3.0.0.XXXX to exactly match the version specified. If you specify a partial version, forexample 3.0.0, it matches any version with that prefix (3.0.0.1111, 3.0.0.7777, and soforth).
● Package Location/Deployment directory. This specifies the network share containingthe packages and is not authenticated by the script. The shared folder must have Readpermission for EVERYONE.
● Script Logging Directory. This specifies the network share where the install logs arecopied and is not authenticated by the script. The shared folder must have Read andWrite permissions for EVERYONE.
● Package Installer Command Line Options. These command line options are passed tothe installer. For the command line syntax, see To configure and install the CitrixReceiver for Windows using command-line parameters
To add the per-computer startup scripts1. Open the Group Policy Management Console.
2. Select Computer Configuration > Policies > Windows Settings > Scripts(Startup/Shutdown).
3. In the right-hand pane of the Group Policy Management Console, select Startup.
4. In the Properties menu, click Show Files, copy the appropriate script to the folderdisplayed, and then close the window.
5. In the Properties menu, click Add and use Browse to find and add the newly createdscript.
To deploy Receiver per-computer1. Move the user devices designated to receive this deployment to the OU you created.
2. Reboot the user device and log on as any user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)contains the newly installed package.
To remove Receiver per-computer1. Move the user devices designated for the removal to the OU you created.
2. Reboot the user device and log on as any user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)removed the previously installed package.
Delivering Receiver Using Active Directory and Sample Startup Scripts
191
192
Using the Per-User Sample StartupScripts
Citrix recommends using per-computer startup scripts but does include two Citrix Receiverper-user scripts on the XenApp media in the Citrix Receiver andPlug-ins\Windows\Receiver\Startup_Logon_Scripts folder for situations where you requireReceiver (standard) per-user deployments.
● CheckAndDeployReceiverPerUserLogonScript.bat
● CheckAndRemoveReceiverPerUserLogonScript.bat
To set up the per-user startup scripts1. Open the Group Policy Management Console.
2. Select User Configuration > Policies > Windows Settings > Scripts.
3. In the right-hand pane of the Group Policy Management Console, select Logon
4. In the Logon Properties menu, click Show Files, copy the appropriate script to thefolder displayed, and then close the window.
5. In the Logon Properties menu, click Add and use Browse to find and add the newlycreated script.
To deploy Receiver per-user1. Move the users designated to receive this deployment to the OU you created.
2. Reboot the user device and log on as the specified user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)contains the newly installed package.
To remove Receiver per-user1. Move the users designated for the removal to the OU you created.
2. Reboot the user device and log on as the specified user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)removed the previously installed package.
193
Deploying CitrixReceiver.exe fromReceiver for Web
You can deploy CitrixReceiver.exe from Receiver for Web to ensure that users have theReceiver installed before they try to connect to an application from a browser. For details,refer to the Receiver StoreFront documentation on Citrix eDocs.
194
Deploying the CitrixReceiver.exe from aWeb Interface Logon Screen
You can deploy the CitrixReceiver.exe from a Web page to ensure that users have theReceiver installed before they try to use the Web Interface. Create a home page and run anInternet Explorer script to download the CitrixReceiver.exe package automatically from theWeb server and install it for the user.
To install the Receiver software using CitrixReceiver.exe, the Windows Installer Servicemust be installed on the user device. This service is present by default on systems runningWindows XP, Windows Vista, Windows 7, Windows Server 2003, or Windows Server 2008.
Add the sites from which the CitrixReceiver.exe file is downloaded to the Trusted Siteszone.
In the webinterface.conf file for your XenApp websites, edit the ClientIcaWin32= line tospecify the CitrixReceiver.exe installation file and remove the comment character (#).
For more information, see the Web Interface documentation.
195
Configuring Citrix Receiver for Windows
You can configure Citrix Receiver operations for deployments that use Receiver StoreFrontor a legacy PNA Services site.
From the Citrix management console for the XenApp server, configure the options andsettings for Receiver using the associated Receiver site. Each time users log on to theReceiver, they see the most recent configuration. Changes made while users are connectedtake effect when the Receiver configuration is refreshed manually or automatically after adesignated interval.
196
Using the Group Policy Object Templateto Customize the Receiver
Citrix recommends using the Group Policy Object icaclient.adm template file to configurethe Receiver options and settings.
You can use the icaclient.adm template file with domain policies and local computerpolicies. For domain policies, import the template file using the Group Policy ManagementConsole. This is especially useful for applying Receiver settings to a number of differentuser devices throughout the enterprise. To affect a single user device, import the templatefile using the local Group Policy Editor on the device.
For details about Group Policy management, see the Microsoft Group Policy documentation.
To import the icaclient template using the GroupPolicy Management Console
To affect domain-based group policies, import the icaclient.adm file with the Group PolicyManagement Console.
1. As an administrator, open the Group Policy Management Console.
2. In the left pane, select a group policy and from the Action menu, choose Edit.
3. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
4. From the Action menu, choose Add/Remove Templates.
5. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
6. Select Open to add the template and then Close to return to the Group Policy Editor.
To import the icaclient template using the local GroupPolicy Editor
To affect the policies on a local computer, import the icaclient.adm file with the localGroup Policy Editor.
1. As an administrator, open the Group Policy Editor by running gpedit.msc from the Startmenu.
2. In the left pane, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
Using the Group Policy Object Template to Customize the Receiver
197
198
Configuring Access to Accounts Manually
When users launch Receiver for the first time, they have the option to set up a newaccount. To do this, they must enter information about the XenApp farm or XenDesktop sitehosting the resources they want to access.
When a user enters the details for a new account, Receiver attempts to verify theconnection. If successful, Receiver prompts the user to log on to the account.
To add a new account1. Click the gear icon in the Receiver window and choose Edit Accounts.2. Click Add.
3. Enter the information provided by your organization and click OK.
To remove an account1. Click the gear icon in the Receiver window and choose Edit Accounts.2. Select the account from the list and click Remove and Yes.
To edit the details of an account1. Click the gear icon in the Receiver window and choose Edit Accounts.2. Select the account that you want to edit from the list and double-click.
3. Edit the details in Name, the Description, and/or the URL fields, as required.
4. Click OK.
199
To customize user preferences for theReceiver (Enterprise)
Users can customize their preferences. For example, they can define window sizes forpublished applications, choose when to refresh the list of available published resources,and specify where the available published resources appear.
1. In the Windows notification area, right-click the Receiver icon and choosePreferences.
2. Right-click the Online Plug-in entry in the Plug-in Status and choose Options, select aproperty, and make the desired configuration changes.
If you configure seamless windows and set the task bar to Auto-hide, you cannot access thetaskbar when you maximize published applications. To access the taskbar, resize thepublished application.
For more detailed information, see the online help for Receiver.
To change the server URL in the Receiver (Enterprise)Receiver requires that you specify the location of a configuration file (Config.xml is thedefault configuration file) on the server running the Web Interface. You can ask your usersto change the server URL as you create new configuration files or delete old ones.
Note: To prevent users from accidentally changing their server URL, disable the option.
1. In the Windows notification area, right-click the Receiver icon and choose Preferences.
2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.
3. Type or select the server URL in the format http://servername or, to encrypt theconfiguration data using SSL, https://servername.
200
Configuring USB Support for XenDesktopConnections
USB support enables users to interact with a wide range of USB devices when connected toa virtual desktop. Users can plug USB devices into their computers and the devices areremoted to their virtual desktop. USB devices available for remoting include flash drives,smartphones, PDAs, printers, scanners, MP3 players, security devices, and tablets. DesktopViewer users can control whether USB devices are available on the virtual desktop using apreference in the toolbar.
Isochronous features in USB devices such as webcams, microphones, speakers, and headsetsare supported in typical low latency/high speed LAN environments. This allows thesedevices to interact with packages such as Microsoft Office Communicator and Skype.
The following types of device are supported directly in a XenDesktop session, and so do notuse USB support:
● Keyboards
● Mice
● Smart cards
Note: Specialist USB devices (for example, Bloomberg keyboards and 3D mice) can beconfigured to use USB support. For information on configuring Bloomberg keyboards, seeConfiguring Bloomberg Keyboards. For information on configuring policy rules for otherspecialist USB devices, see CTX 119722.
By default, certain types of USB devices are not supported for remoting throughXenDesktop. For example, a user may have a network interface card attached to the systemboard by internal USB. Remoting this would not be appropriate. The following types of USBdevice are not supported by default for use in a XenDesktop session:
● Bluetooth dongles
● Integrated network interface cards
● USB hubs
● USB graphics adaptors
USB devices connected to a hub can be remoted, but the hub itself cannot be remoted.
For instructions on modifying the range of USB devices that are available to users, seeUpdating the List of USB Devices Available for Remoting.
For instructions on automatically redirecting specific USB devices, see CTX123015.
201
How USB Support Works
When a user plugs in a USB device, it is checked against the USB policy, and, if allowed,remoted to the virtual desktop. If the device is denied by the default policy, it is availableonly to the local desktop.
The user experience depends upon the type of desktop to which users are connecting.
For desktops accessed through the Citrix Desktop Lock, when a user plugs in a USB device,that device is automatically remoted to the virtual desktop. No user interaction is required.The virtual desktop is responsible for controlling the USB device and displaying it in the userinterface.
For desktops accessed through the Desktop Viewer, when a user plugs in a USB device, adialog box appears asking the user if they want that device remoted to the virtual desktop.The user can decide which USB devices are remoted to the virtual desktop by selectingdevices from the list each time they connect. Alternatively, the user can configure USBsupport so that all USB devices plugged in both before and/or during a session areautomatically remoted to the virtual desktop that is in focus.
202
Mass Storage Devices
For mass storage devices only, in addition to USB support, remote access is availablethrough client drive mapping, which you configure through the Citrix Mappings rule. Whenthis rule is applied, the drives on the user device are automatically mapped to drive letterson the virtual desktop when users log on. The drives are displayed as shared folders withmapped drive letters. The Citrix Mappings rule is in the Drives subfolder of the ClientDevices Resources folder in the Presentation Server Console.
The main differences between the two types of remoting policy are:
Feature Client Drive Mapping USB Rule
Enabled by default Yes No
Read-only accessconfigurable
Yes No
Safe to remove deviceduring a session
No Yes, if the user clicksSafely Remove Hardwarein the notification area
If both USB support and the Citrix Mappings rule are enabled and a mass storage device isinserted before a session starts, it will be redirected using client drive mapping first, beforebeing considered for redirection through USB support. If it is inserted after a session hasstarted, it will be considered for redirection using USB support before client drive mapping.
203
USB Device Classes Allowed by Default
Different classes of USB device are allowed by the default USB policy rules.
Although they are on this list, some classes are only available for remoting in XenDesktopsessions after additional configuration. These are noted below.
● Audio (Class 01). Includes audio input devices (microphones), audio output devices,and MIDI controllers. Modern audio devices generally use isochronous transfers, which issupported by XenDesktop 4 or later.
Note: Some specialty devices (for example, VOIP phones) require additionalconfiguration. For instructions on this, see CTX123015.
● Physical Interface Devices(Class 05). These devices are similar to Human InterfaceDevices (HIDs), but generally provide "real-time" input or feedback and include forcefeedback joysticks, motion platforms, and force feedback exoskeletons.
● Still Imaging (Class 06). Includes digital cameras and scanners. Digital cameras oftensupport the still imaging class which uses the Picture Transfer Protocol (PTP) or MediaTransfer Protocol (MTP) to transfer images to a computer or other peripheral. Camerasmay also appear as mass storage devices and it may be possible to configure a camerato use either class, through setup menus provided by the camera itself.
Note that if a camera appears as a mass storage device, client drive mapping is usedand USB support is not required.
● Printers (Class 07). In general most printers are included in this class, although someuse vendor-specific protocols (class ff). Multi-function printers may have an internalhub or be composite devices. In both cases the printing element generally uses thePrinters class and the scanning or fax element uses another class; for example, StillImaging.
Printers normally work appropriately without USB support.
Note: This class of device (in particular printers with scanning functions) requiresadditional configuration. For instructions on this, see CTX123015.
● Mass Storage (Class 08). The most common mass storage devices are USB flash drives;others include USB-attached hard drives, CD/DVD drives, and SD/MMC card readers.There are a wide variety of devices with internal storage that also present a massstorage interface; these include media players, digital cameras, and mobile phones.Known subclasses include:
● 01 Limited flash devices
● 02 Typically CD/DVD devices (ATAPI/MMC-2)
● 03 Typically tape devices (QIC-157)
● 04 Typically floppy disk drives (UFI)
● 05 Typically floppy disk drives (SFF-8070i)
● 06 Most mass storage devices use this variant of SCSI
Mass storage devices can often be accessed through client drive mapping, and so USBsupport is not required.
Important: Some viruses are known to propagate actively using all types of massstorage. Carefully consider whether or not there is a business need to permit the useof mass storage devices, either through client drive mapping or USB support.
● Content Security (Class 0d). Content security devices enforce content protection,typically for licensing or digital rights management. This class includes dongles.
● Video (Class 0e). The video class covers devices that are used to manipulate video orvideo-related material, such as webcams, digital camcorders, analog video converters,some television tuners, and some digital cameras that support video streaming.
Note: Most video streaming devices use isochronous transfers, which is supported byXenDesktop 4 or later. Some video devices (for example webcams with motiondetection) require additional configuration. For instructions on this, see CTX123015.
● Personal Healthcare (Class 0f). These devices include personal healthcare devices suchas blood pressure sensors, heart rate monitors, pedometers, pill monitors, andspirometers.
● Application and Vendor Specific (Classes fe and ff). Many devices use vendor specificprotocols or protocols not standardized by the USB consortium, and these usuallyappear as vendor-specific (class ff).
USB Device Classes Allowed by Default
204
205
USB Device Classes Denied by Default
Different classes of USB device are denied by the default USB policy rules.
● Communications and CDC Control (Classes 02 and 0a). The default USB policy doesnot allow these devices, because one of them may be providing the connection to thevirtual desktop itself.
● Human Interface Devices (Class 03). Includes a wide variety of both input and outputdevices. Typical Human Interface Devices (HIDs) are keyboards, mice, pointing devices,graphic tablets, sensors, game controllers, buttons, and control functions.
Subclass 01 is known as the "boot interface" class and is used for keyboards and mice.
The default USB policy does not allow USB keyboards (class 03, subclass 01, protocol 1),or USB mice (class 03, subclass 01, protocol 2). This is because most keyboards andmice are handled appropriately without USB support and it is normally necessary to usethese devices locally as well remotely when connecting to a virtual desktop.
● USB Hubs (Class 09). USB hubs allow extra devices to be connected to the localcomputer. It is not neccessary to access these devices remotely.
● Smart Card (Class 0b). Smart card readers include contactless and contact smart cardreaders, and also USB tokens with an embedded smart card-equivalent chip.
Smart card readers are accessed using smart card remoting and do not require USBsupport.
● Wireless Controller (Class e0). Some of these devices may be providing criticalnetwork access, or connecting critical peripherals such as Bluetooth keyboards or mice.
The default USB policy does not allow these devices. However, there may be particulardevices it is appropriate to provide access to using USB support.
206
Updating the List of USB DevicesAvailable for Remoting
You can update the range of USB devices available for remoting to desktops by editing thefile icaclient_usb.adm. This allows you to make changes to the Receiver using Group Policy.The file is located in the following installed folder:
<root drive>:\Program Files\Citrix\ICA Client\Configuration\en
Alternatively, you can edit the registry on each user device, adding the following registrykey:
HKLM\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB Type=String Name="DeviceRules"Value=
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
The product default rules are stored in:
HKLM\SOFTWARE\Citrix\ICA Client\GenericUSB Type=MultiSz Name=“DeviceRules” Value=
Do not edit the product default rules.
For details of the rules and their syntax, see http://support.citrix.com/article/ctx119722/.
207
Configuring Bloomberg Keyboards
Bloomberg keyboards are supported by XenDestkop sessions (but not other USB keyboards).The required components are installed automatically when the plug-in is installed, but youmust enable this feature either during the installation or later by changing a registry key.
On any one user device, multiple sessions to Bloomberg keyboards are not recommended.The keyboard only operates correctly in single-session environments.
To turn Bloomberg keyboard support on or off
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
1. Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB
2. Do one of the following:
● To turn on this feature, for the entry with Type DWORD and NameEnableBloombergHID, set Value to 1.
● To turn off this feature, set the Value to 0.
208
Configuring User-Driven Desktop Restart
You can allow users to restart their desktops themselves. They may need to do this if adesktop fails to connect or becomes unresponsive.
This feature is disabled by default. You enable user-driven desktop restart for a desktopgroup in Desktop Studio. For information on this, see the XenDesktop documentation.
The procedures for restarting desktops differ depending on whether users are connecting todesktops through the Desktop Viewer or the Citrix Desktop Lock.
209
To prevent the Desktop Viewer windowfrom dimming
If users have multiple Desktop Viewer windows, by default the desktops that are not activeare dimmed. If users need to view multiple desktops simultaneously, this can make theinformation on them unreadable. You can disable the default behavior and prevent theDesktop Viewer window from dimming by editing the Registry.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
1. On the user device, create a REG_DWORD entry called DisableDimming in one of thefollowing keys, depending on whether you want to prevent dimming for the current userof the device or the device itself. An entry already exists if the Desktop Viewer hasbeen used on the device:
● HKCU\Software\Citrix\XenDesktop\DesktopViewer
● HKLM\Software\Citrix\XenDesktop\DesktopViewerOptionally, instead of controlling dimming with the above user or device settings, youcan define a local policy by creating the same REG_WORD entry in one of the followingkeys:
● HKCU\Software\Policies\Citrix\XenDesktop\DesktopViewer
● HKLM\Software\Policies\Citrix\XenDesktop\DesktopViewerThe use of these keys is optional because XenDesktop administrators, rather thanplug-in administrators or users, typically control policy settings using Group Policy. So,before using these keys, check whether your XenDesktop administrator has set a policyfor this feature.
2. Set the entry to any non-zero value such as 1 or true.
If no entries are specified or the entry is set to 0, the Desktop Viewer window is dimmed. Ifmultiple entries are specified, the following precedence is used. The first entry that islocated in this list, and its value, determine whether the window is dimmed:
1. HKCU\Software\Policies\Citrix\...
2. HKLM\Software\Policies\Citrix\...
3. HKCU\Software\Citrix\...
4. HKLM\Software\Citrix\...
210
To configure the Citrix Desktop Lock
This topic contains instructions for configuring USB preferences, drive mappings, andmicrophones for a virtual desktop accessed through the Citrix Desktop Lock. In addition,some general advice on configuring the Desktop Lock is also provided.
Typically, this is used in non-domain-joined environments such as on a thin client ordesktop appliance. In this access scenario, the Desktop Viewer is unavailable, so onlyadministrators (not users) can perform the configuration.
Two .adm files are provided that allow you to perform this task using policies:
● icaclient.adm. For information on obtaining this file, see To configure settings formultiple users and devices.
● icaclient_usb.adm. The file is located in the following installed folder: <rootdrive>:\Program Files\Citrix\ICA Client\Configuration\en.
This topic assumes you have loaded both files into Group Policy, where the policies appearin Computer Configuration or User Configuration > Administrative Templates > ClassicAdministrative Templates (ADM) > Citrix Components.
To configure USB preferencesAs a prerequisite, you must turn on USB support in XenDesktop deployments by enabling theUSB policy rule. For information on this, see the XenDesktop documentation.
In Citrix Receiver > Remoting client devices > Generic USB Remoting, enable andconfigure as desired the Existing USB Devices, New USB Devices, and USB Devices List InDesktop Viewer policies. You can use the Show All Devices policy to display all connectedUSB devices, including those using the Generic USB virtual channel (for example, webcamsand memory sticks).
To configure drive mappingIn Citrix Receiver > Remoting client devices, enable and configure as desired the Clientdrive mapping policy.
To configure a microphoneIn Citrix Receiver > Remoting client devices, enable and configure as desired the Clientmicrophone policy.
General Advice On Configuring the Desktop LockGrant access to only one virtual desktop running the Desktop Lock per user.
Do not allow users to hibernate virtual desktops. Use Active Directory policies appropriatelyto prevent this.
To configure the Citrix Desktop Lock
211
212
To configure settings for multiple usersand devices
In addition to the configuration options offered by the Receiver user interface, you can usethe Group Policy Editor and the icaclient.adm template file to configure settings. Using theGroup Policy Editor, you can:
● Extend the icaclient template to cover any Receiver setting by editing theicaclient.adm file. See the Microsoft Group Policy documentation for more informationabout editing .adm files and about applying settings to a particular computer.
● Make changes that apply only to either specific users or all users of a client device.
● Configure settings for multiple user devices
Citrix recommends using Group Policy to configure user devices remotely; however you canuse any method, including the Registry Editor, which updates the relevant registry entries.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. Under the User Configuration node or the Computer Configuration node, edit therelevant settings as required.
213
Canadian Keyboard Layouts andUpdating from Presentation ServerClients Version 10.200
The Canadian keyboard layouts are aligned with those supported by Microsoft. If usersinstall Receivers without uninstalling the Presentation Server Clients Version 10.200 first,they must manually edit the module.ini file (usually in C:\Program Files\Citrix\ICA Client) toupgrade the keyboard layout settings:
Replace:
Canadian English (Multilingual)=0x00001009
Canadian French=0x00000C0C
Canadian French (Multilingual)=0x00010C0C
With:
Canadian French=0x00001009
Canadian French (Legacy)=0x00000C0C
Canadian Multilingual Standard=0x00011009
214
Auto-Repair File Locations
Auto-repair occurs if there is a problem with Receiver; however, there is no Add/RemovePrograms or Programs and Features Repair option. If the Receiver repair option prompts forthe location of the .msi file, browse to one of these locations to find the file:
● For CitrixReceiverEnterprise.exe
● Operating system: Windows XP and Windows 2003
C:\Documents and Settings\All Users\application data\Citrix\Citrix Receiver(Enterprise)\
● Operating system: Windows Vista and Windows 7
C:\ProgramData\Citrix\Citrix Receiver (Enterprise)\● For CitrixReceiver.exe installed per computer
● Operating system: Windows XP and Windows 2003
C:\Documents and Settings\All Users\Application Data\Citrix\Citrix Receiver\
● Operating system: Windows Vista and Windows 7
C:\ProgramData\Citrix\Citrix Receiver\● For CitrixReceiver.exe installed per user
● Operating system: Windows XP and Windows 2003
%USERPROFILE%\Local Settings\Application Data\Citrix\Citrix Receiver\
● Operating system: Windows Vista and Windows 7
%USERPROFILE%\Appdata\local\Citrix\Citrix Receiver\
215
Optimizing the Receiver Environment
The ways you can optimize the environment in which your Receiver operates for your usersinclude:
● Improving performance
● Improving performance over low bandwidth
● Facilitating the connection of numerous types of client devices to published resources
● Providing support for NDS users
● Using connections to Citrix XenApp for UNIX
● Supporting naming conventions
● Supporting DNS naming resolution
216
Improving Receiver Performance
You can improve the performance of your Receiver software by:
● Reducing Application Launch Time
● Reconnecting Users Automatically
● Providing session reliability
● Improving Performance over Low-Bandwidth Connections
217
Reducing Application Launch Time
Use the session pre-launch feature to reduce application launch time during normal or hightraffic periods; thus, giving the user a better experience. The pre-launch feature allows apre-launch session to be created when a user logs on to Receiver, or at a scheduled time ifthe user is already logged on. This pre-launch session reduces the launch time of the firstapplication. The default application ctxprelaunch.exe is running in the session, but it is notvisible to the user.
There are two types of pre-launch:
● Just-in-time pre-launch. Pre-Launch starts immediately after the user's credentials areauthenticated whether or not it is a high-traffic period.
● Scheduled pre-launch. Pre-launch starts at a scheduled time. Scheduled pre-launchstarts only when the user device is already running and authenticated. If those twoconditions are not met when the scheduled pre-launch time arrives, a session does notlaunch. To spread network and server load, the session launches within a window ofwhen it is scheduled. For example, if the scheduled pre-launch is scheduled for 1:45p.m., the session actually launches between 1:15 p.m. and 1:45 p.m.
Typically, you can use just-in-time pre-launch for normal traffic periods and scheduledpre-launch for known high-traffic periods.
An example of a high-traffic period - if your environment includes a large number of userswho launch applications during peak periods such as when users start work or return fromlunch, the rapid succession of logon requests might overwhelm servers and slow downapplication launch for all users.
Configuring pre-launch on the XenApp server consists of creating, modifying, or deletingpre-launch applications, as well as updating user policy settings that control the pre-launchapplication. See To pre-launch applications to user devices for information aboutconfiguring session pre-launch on the XenApp server.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
Customizing the pre-launch feature using the icaclient.adm file is not supported. However,you can change the pre-launch configuration by modifying registry values during or afterReceiver installation.
Registry value for Windows 7, 64-bit
The value for Windows 7, 64-bit, is:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch - Enablesdifferent users on the same user device to have different settings. It also allows a user tochange the configuration without administrative permission. You can provide your userswith scripts to accomplish this.
Name: State
Values:
0 - Disable pre-launch.
1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials areauthenticated.)
2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)
Name: Schedule
Value:
The time (24 hour format) and days of week for scheduled pre-launch entered in thefollowing format:
HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU arethe days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday,and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0 . The sessionactually launches between 1:15 p.m. and 1:45 p.m.
Registry values for other Windows systems
The values for all other supported Windows operating systems are:HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch andHKEY_CURRENT_USER\Software\Citrix\ICA Client\Prelaunch.
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch - Written at installation,with default values.
Name: UserOverride
Values:
0 - Use the HKEY_LOCAL_MACHINE values even if HKEY_CURRENT_USER values are alsopresent.
1 - Use HKEY_CURRENT_USER values if they exist; otherwise, use the HKEY_LOCAL_MACHINEvalues.
Name: State
Values:
0 - Disable pre-launch.
1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials areauthenticated.)
2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)
Name: Schedule
Value:
Reducing Application Launch Time
218
The time (24 hour format) and days of week for scheduled pre-launch entered in thefollowing format:
HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU arethe days of the week. For example to enable scheduled pre-launch on Monday, Wednesday,and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0 . The sessionactually launches between 1:15 p.m. and 1:45 p.m.
HKEY_CURRENT_USER\SOFTWARE\Citrix\ICA Client\Prelaunch - Enables different users onthe same user device to have different settings. It also allows a user to change theconfiguration without administrative permission. You can provide your users with scripts toaccomplish this.
Name: State
Values:
0 - Disable pre-launch.
1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials areauthenticated.)
2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)
Name: Schedule
Value:
The time (24 hour format) and days of week for scheduled pre-launch entered in thefollowing format:
HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU arethe days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday,and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0 . The sessionactually launches between 1:15 p.m. and 1:45 p.m.
Reducing Application Launch Time
219
220
Reconnecting Users Automatically
Users can be disconnected from their sessions because of unreliable networks, highlyvariable network latency, or range limitations of wireless devices. With the HDX Broadcastauto-client reconnection feature, Receiver can detect unintended disconnections of ICAsessions and reconnect users to the affected sessions automatically.
When this feature is enabled on the server, users do not have to reconnect manually tocontinue working. The Receiver attempts to reconnect to the session until there is asuccessful reconnection or the user cancels the reconnection attempts. If userauthentication is required, a dialog box requesting credentials appears to a user duringautomatic reconnection. Automatic reconnection does not occur if users exit applicationswithout logging off. Users can reconnect only to disconnected sessions.
To disable HDX Broadcast auto-client reconnect for a particular user
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network Routing > Session reliability andautomatic reconnection. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties and select Disabled.
221
Providing HDX Broadcast SessionReliability
With the HDX Broadcast Session Reliability feature, users continue to see a publishedapplication’s window if the connection to the application experiences an interruption. Forexample, wireless users entering a tunnel may lose their connection when they enter thetunnel and regain it when they emerge on the other side. During such interruptions, thesession reliability feature enables the session window to remain displayed while theconnection is being restored.
You can configure your system to display a warning dialog box to users when the connectionis unavailable.
You set HDX Broadcast Session Reliability with policy settings on the server. Receiver userscannot override the server settings for HDX Broadcast Session Reliability.
Important: If HDX Broadcast Session Reliability is enabled, the default port used forsession communication switches from 1494 to 2598.
222
Improving Performance overLow-Bandwidth Connections
Citrix recommends that you use the latest version of XenApp or XenDesktop on the server.Citrix continually enhances and improves performance with each release. Manyperformance features require the latest Receiver and server software to function.
If you are using a low-bandwidth connection, you can make a number of changes to yourReceiver configuration and the way you use the Receiver to improve performance.
Changing Your Receiver ConfigurationOn devices with limited processing power or in circumstances where only limited bandwidthis available, there is a trade-off between performance and functionality. Receiver providesboth user and administrator with the ability to choose an acceptable mixture of richfunctionality and interactive performance. Making one or more of these changes on theserver or user device can reduce the bandwidth your connection requires and improveperformance:
● Enable SpeedScreen Latency Reduction. SpeedScreen Latency Reduction improvesperformance over high latency connections by providing instant feedback to the user inresponse to typed data or mouse clicks.
User's side: icaclient.adm file.
Server side: SpeedScreen Latency Reduction Manager.
● Reduce the window size. Change the window size to the minimum size you cancomfortably use.
User side: icaclient.adm file or use the Receiver icon in the notification area andchoose Preferences and right-click the Online Plug-in entry in the Plug-in Status andchoose Options > Session Options.
Server side: XenApp services site > Session Options.
● Reduce the number of colors. Reduce the number of colors to 256.
User side: icaclient.adm file or use the Receiver icon in the notification area andchoose Preferences and right-click the Online Plug-in entry in the Plug-in Status andchoose Options > Session Options.
Server side: XenApp services site > Session Options.
● Reduce sound quality. If Receiver audio mapping is enabled, reduce the sound qualityto the minimum setting.
User's side: icaclient.adm file.
Server side: Citrix Audio quality policy setting.
Changing Receiver UseICA technology is highly optimized and typically does not have high CPU and bandwidthrequirements. However, if you are using a very low-bandwidth connection, the followingtasks can impact performance:
● Accessing large files using client drive mapping. When you access a large file withclient drive mapping, the file is transferred over the ICA connection. On slowconnections, this may take a long time.
● Playing multimedia content. Playing multimedia content uses a lot of bandwidth andcan cause reduced performance.
Improving Performance over Low-Bandwidth Connections
223
224
Connecting User Devices and PublishedResources
You can facilitate sessions and optimize the connection of your user devices to resourcespublished in the server farm by:
● Configuring workspace control settings to provide continuity for roaming users
● Making scanning transparent for users
● Mapping client devices
● Associating user device file types with published applications
225
Configuring Workspace Control Settingsto Provide Continuity for Roaming Users
The workspace control feature provides users with the ability to disconnect quickly from allrunning applications, reconnect to applications, or log off from all running applications. Youcan move among user devices and gain access to all of your applications when you log on.For example, health care workers in a hospital can move quickly among workstations andaccess the same set of applications each time they log on to XenApp. These users candisconnect from multiple applications at one user device and open all the same applicationswhen they reconnect at a different user device.
Workspace control is available only to users connecting to published resources with CitrixXenApp or through StoreFront, Receiver for Web, or the Web Interface.
Policies and client drive mappings change appropriately when you move to a new userdevice. Policies and mappings are applied according to the user device where you arecurrently logged on to the session. For example, if a health care worker logs off from a userdevice in the emergency room of a hospital and then logs on to a workstation in thehospital’s X-ray laboratory, the policies, printer mappings, and client drive mappingsappropriate for the session in the X-ray laboratory go into effect for the session as soon asthe user logs on to the user device in the X-ray laboratory.
Important: Workspace control can be used only with Version 11.x and later of theclient/plug-in/Receiver, and works only with sessions connected to computers runningCitrix Presentation Server Version 3.0, 4.0, or 4.5 or Citrix XenApp 5.0, 6.0, or 6.5.
If workspace control configuration settings allow users to override the server settings, userscan configure workspace control on the Receiver Reconnect Options page:
● Enable automatic reconnection at logon allows users to reconnect to onlydisconnected applications or to both disconnected and active applications
● Enable reconnection from the menu allows users to reconnect to only disconnectedapplications or to both disconnected and active sessions
To configure workspace control settings through StoreFront or Receiver for Web
For information about configuring Receiver StoreFront and Receiver for Web for workspacecontrol and user roaming, refer to the "Manage" topics in the Receiver StoreFrontdocumentation in Citrix eDocs.
To configure workspace control settings through Web Interface
For users launching applications through the Web Interface, these options are in Settings:
● Enable automatic reconnection at logon allows users to reconnect to onlydisconnected applications or both disconnected and active applications
● Enable automatic reconnection from Reconnect menu allows users to reconnect toonly disconnected applications or both disconnected and active sessions
● Customize Log Off button allows users to configure whether or not the log offcommand will include logging them off from applications that are running in the session
If users log on with smart cards or smart cards with pass-through authentication, set up atrust relationship between the server running the Web Interface and any other server in thefarm that the Web Interface accesses for published applications. For more informationabout workspace control requirements, see the Citrix XenApp and Web InterfaceAdministrator documentation.
Configuring Workspace Control Settings to Provide Continuity for Roaming Users
226
227
Making Scanning Transparent for Users
If you enable HDX Plug-n-Play TWAIN image scanning device support, users can controlclient-attached TWAIN imaging devices transparently with applications that reside on theserver farm. To use this feature, a TWAIN device must be attached to the user device andthe associated 32-bit TWAIN driver must also be installed on the user device.
To enable or disable this feature, configure the Citrix policy Client TWAIN deviceredirection setting.
The following policy settings allow you to specify the maximum amount of bandwidth (inkilobits per second or as a percentage) and the compression level of images from client toserver used for TWAIN redirection:
● TWAIN device redirection bandwidth limit
● TWAIN device redirection bandwidth limit percent
● TWAIN compression level
228
Mapping User Devices
The Receiver supports mapping devices on user devices so they are available from within asession. Users can:
● Transparently access local drives, printers, and COM ports
● Cut and paste between the session and the local Windows clipboard
● Hear audio (system sounds and .wav files) played from the session
During logon, Receiver informs the XenApp server of the available client drives, COM ports,and LPT ports. By default, client drives are mapped to server drive letters and server printqueues are created for client printers so they appear to be directly connected to theXenApp server. These mappings are available only for the current user during the currentsession. They are deleted when the user logs off and recreated the next time the user logson.
You can use the the Citrix policy redirection settings on the XenApp server to map userdevices not automatically mapped at logon. For more information, see the XenAppadministration documentation.
Turning off User Device MappingsYou can configure user device mapping including options for drives, printers, and ports,using the Windows Server Manager tool. For more information about the available options,see your Remote Desktop Services documentation.
229
Mapping Client Drives to XenApp ServerDrive Letters
Client drive mapping allows drive letters on the XenApp server to be redirected to drivesthat exist on the client device. For example, drive H in a Citrix user session can be mappedto drive C of the local device running the plug-in.
Client drive mapping is built into the standard Citrix device redirection facilitiestransparently. To File Manager, Windows Explorer, and your applications, these mappingsappear like any other network mappings.
Note that Client drive mapping is not supported when connecting to MetaFrame Server 1.0for UNIX operating systems.
The XenApp server can be configured during installation to map client drives automaticallyto a given set of drive letters. The default installation mapping maps drive letters assignedto client drives starting with V and works backward, assigning a drive letter to each fixeddrive and CD-ROM drive. (Floppy drives are assigned their existing drive letters.) Thismethod yields the following drive mappings in a session:
Client drive letter Is accessed by the XenApp server as:
A A
B B
C V
D UThe XenApp server can be configured so that the server drive letters do not conflict withthe client drive letters; in this case the server drive letters are changed to higher driveletters. For example, changing server drives C to M and D to N allows client devices toaccess their C and D drives directly. This method yields the following drive mappings in asession:
Client drive letter Is accessed by the XenApp server as:
A A
B B
C C
D DThe drive letter used to replace the server drive C is defined during Setup. All other fixeddrive and CD-ROM drive letters are replaced with sequential drive letters (for example; C >M, D > N, E > O). These drive letters must not conflict with any existing network drivemappings. If a network drive is mapped to the same drive letter as a server drive letter, thenetwork drive mapping is not valid.
When a client device connects to a XenApp server, client mappings are reestablished unlessautomatic client device mapping is disabled. You can use the Terminal ServicesConfiguration tool to configure automatic client device mapping for ICA connections andusers. You can also use policies to give you more control over how client device mapping isapplied. For more information about policies, see the Citrix XenApp Administrator'sdocumentation at Citrix eDocs.
Mapping Client Drives to XenApp Server Drive Letters
230
231
HDX Plug-n-Play for USB StorageDevices
HDX Plug-n-Play for USB storage devices enables users to interact with USB mass storagedevices connected to their user devices when connected to XenApp sessions. When HDXPlug-n-Play for USB storage devices is enabled, users can connect or disconnect a USBdevice from a session at anytime, regardless of whether the session was started before orafter the drive connection.
HDX Plug-n-Play for USB storage devices is enabled by default and can be disabled orenabled by editing the ICA\File Redirection - Client removable drives policy setting. Formore information, see the XenApp documentation.
Supported Mass Storage Devices with XenAppMass storage devices, including USB thumbdrives, USB-attached hard drives, CD-DVD drives,and SD card readers are supported.
Not supported:
● U3 smart drives and devices with similar autorun behavior
● Explorer.exe published as a seamless application
Mass storage devices can often be accessed through client drive mapping, and so USBsupport is not required.
Important: Some viruses are known to propagate actively using all types of mass storage.Carefully consider whether or not there is a business need to permit the use of massstorage devices, either through client drive mapping or USB support.
232
HDX Plug-n-Play USB Device Redirectionfor XenApp Connections
HDX Plug-n-Play USB Device Redirection on computers running Vista and Windows 7 enablesdynamic redirection of media devices, including cameras, scanners, media players, andpoint of sale (POS) devices to the server. You or the user can restrict redirection of all orsome of the devices. Edit policies on the server or apply group policies on the user deviceto configure the redirection settings. Three methods can enforce HDX Plug-n-Play USBdevice redirection policies:
● Server side. The administrator can enable or disable all device redirections for aspecific user or user group using the Active Directory policies available in XenApp. Thepolicy controls redirection of all devices and is not specific to a device. For moreinformation, see the XenApp administration documentation.
● Plug-in side. The administrator can enable or disable all device redirection for aspecific user or computer by using the group policy editor. There are two policy settings- the USB Plug-n-Play Devices policy setting controls redirection of all devices and theUSB Point of Sale Devices policy setting controls POS devices only. If USB Plug-n-PlayDevices allows devices to be redirected, you can use the USB Point of Sale Devices,which is a subset of USB Plug-n-Play Devices, to control only POS devices.
● Plug-in side. The user can allow or reject device redirection. When a device is going tobe redirected, the permission set by the user in the Connection Center is applied (thesetting applies to the current session). If the permission is set to Full Access, devicesare always redirected. If the permission is set to No Access, devices are not redirected.If the permission is set to Ask Permission, a dialog box appears before redirectionoccurs requiring the user to make a selection. Depending on the answer, the device isredirected or not. If the user is prompted with any of the device security dialog boxes(for example, file security or audio security) and instructs the system to remember thedecision, applications launched in subsequent ICA sessions load and use these settings.
This setting affects only devices plugged in after the user changes the setting. Devicesthat are already plugged in when the user changes the setting are unaffected by thenew setting.
Important: If you prohibit Plug-n-Play USB device redirection in a server policy, theuser cannot override that policy setting with the plug-in side policy.
Plug-in Group PoliciesAccess the plug-in policies using the Group Policy Editor available through gpedit.msc fromthe Start menu's Run dialog box. You can apply the policies to both users and computers.Two policies are available:
● USB Plug-n-Play Devices is the main policy that turns HDX Plug-n-Play USB deviceredirection on or off. Enabling redirection allows any Media Transfer Protocol (MTP),Picture Transfer Protocol (PTP), and Point of Sale (POS) device connected to the userdevice to be redirected in the session. The policy has three values: Not Configured,Enabled, and Disabled. The default is Not Configured, which allows redirection.
● USB Point of Sale Devices controls the redirection of POS devices and USB Plug-n-PlayDevices must be Enabled to enable this policy. The policy can have three values: NotConfigured, Enabled, and Disabled. The default is Not Configured, which allowsredirection of POS devices.
HDX Plug-n-Play USB Device Redirection for XenApp Connections
233
234
Mapping Client Printers for MoreEfficiency
The Receiver support printing to network printers and printers that are attached locally touser devices. By default, unless you create policies to change this, XenApp lets users:
● Print to all printing devices accessible from the user device
● Add printers (but it does not retain settings configured for these printers or save themfor the next session)
However, these settings might not be the optimum in all environments. For example, thedefault setting that allows users to print to all printers accessible from the user device isthe easiest to administer initially, but might create slower logon times in someenvironments.
Likewise, your organization’s security policies might require that you prevent users frommapping local printing ports. To do so, configure the Citrix policy Auto connect client COMports setting to Disabled.
To change default printing settings, configure policy settings on the server. For moreinformation, see the XenApp administration topics.
To view mapped client printersWhile connected to the XenApp server, from the Start menu, choose Printers in the ControlPanel.
The Printers window displays the local printers mapped to the session. When connecting toservers running Citrix Presentation Server 4.0 or 4.5 or Citrix XenApp, by default the nameof the printer takes the form:
printername (from clientname) in session x
where:
● printername is the name of the printer on the user device.
● clientname is the unique name given to the user device or the Web Interface.
● x is the SessionID of the user’s session on the server.
For example, printer01 (from computer01) in session 7
When connecting to servers running Presentation Server 3.0 or earlier, or when the Legacy printer name option from the Citrix policy Client printer names setting is enabled on the
server, a different naming convention is used. The name of the printer takes the form:
Client/clientname#/printername
where:
● clientname is the unique name given to the user device during client setup.
● printername is the Windows printer name. Because the Windows printer name is usedand not the port name, multiple printers can share a printer port without conflict.
For more information about printing, and about managing printing using policies, see theCitrix XenApp Administrator's documentation.
Mapping Client Printers for More Efficiency
235
236
To map a client COM port to a serverCOM port
Client COM port mapping allows devices attached to the COM ports of the user device to beused during sessions on a XenApp server. These mappings can be used like any othernetwork mappings.
Important: Client COM port mapping is not supported when connecting to MetaFrameServer 1.0 and 1.1 for UNIX Operating Systems.
You can map client COM ports at the command prompt. You can also control client COMport mapping from the Terminal Services Configuration tool or using policies. See the CitrixXenApp Administrator’s documentation for more information about policies.
1. Start Receiver and log on to the XenApp server.
2. At a command prompt, type: net use comx: \\client\comz: where x is the number ofthe COM port on the server (ports 1 through 9 are available for mapping) and z is thenumber of the client COM port you want to map.
3. To confirm the operation, type: net use at a command prompt. The list that appearscontains mapped drives, LPT ports, and mapped COM ports. To use this COM port in asession on a XenApp server, install your device to the mapped name. For example, ifyou map COM1 on the client to COM5 on the server, install your COM port device onCOM5 during the session on the server. Use this mapped COM port as you would a COMport on the user device.
Important: COM port mapping is not TAPI-compatible. TAPI devices cannot bemapped to client COM ports.
237
Mapping Client Audio to Play Sound onthe User Device
Client audio mapping enables applications executing on the XenApp server to play soundsthrough Windows-compatible sound devices installed on the user device. You can set audioquality on a per-connection basis on the XenApp server and users can set it on their device.If the user device and server audio quality settings are different, the lower setting is used.
Client audio mapping can cause excessive load on servers and the network. The higher theaudio quality, the more bandwidth is required to transfer the audio data. Higher qualityaudio also uses more server CPU to process.
Important: Client sound support mapping is not supported when connecting to CitrixXenApp for UNIX.
238
Associating User Device File Types withPublished Applications
Receiver supports HDX Plug-n-Play content redirection. Functionally equivalent to extendedparameter passing, content redirection allows you to enforce all underlying file typeassociations from the server, eliminating the need to configure extended parameter passingon individual user devices.
To associate file types on the user device with applications published on the server,configure Plug-n-Play content redirection on the server. For more information, see theXenApp adminstration topics.
239
Using the Window Manager whenConnecting to Citrix XenApp for UNIX
This topic does not apply to XenDesktop connections.
You can use the window manager to change the session display when connecting topublished resources on XenApp servers for UNIX. With the window manager, users canminimize, resize, position, and close windows, as well as access full screen mode.
About Seamless WindowsIn seamless window mode, published applications and desktops are not contained within asession window. Each published application and desktop appears in its own resizablewindow, as if it is physically installed on the user device. Users can switch betweenpublished applications and the local desktop.
You can also display seamless windows in “full screen” mode, which places the publishedapplication in a full screen-sized desktop. This mode lets you access the ctxwm menusystem.
To switch between seamless and full screen modes
Press SHIFT+F2 to switch between seamless and full screen modes.
Minimizing, Resizing, Positioning, and ClosingWindows
When users connect to published resources, window manager provides buttons to minimize,resize, position, and close windows. Windows are minimized as buttons on the taskbar.
When the user closes the last application in a session, the session is logged offautomatically after twenty seconds.
240
Terminating and Disconnecting Sessions
This topic does not apply to XenDesktop connections.
In remote desktop and seamless full screen windows, you can use the ctxwm menu systemto log off, disconnect, and exit from published applications and connection sessions.
To access the ctxwm menu system1. On a blank area of the remote desktop window, click and hold down the left mouse
button. The ctxwm menu appears.
2. Drag the mouse pointer over Shutdown to display the shutdown options.
To choose an option from the ctxwm menuDrag the pointer over the required option to select it. Release the mouse button to selectthe option.
To Choose
Terminate the connection and all running applications Logoff
Disconnect the session but leave the application running Disconnect
Disconnect the session and terminate the application Exit
Note: The server can be configured to terminate any applications that are running if asession is disconnected.
241
Using ctxgrab and ctxcapture to Cut andPaste Graphics When Connected toXenApp for UNIX
If you are connected to an application published on a XenApp server for UNIX, use ctxgrabor ctxcapture to cut and paste graphics between the session and the local desktop. Theseutilities are configured and deployed from the server.
Important: You might need to deploy UNIX applications that are designed for use with a3‑button mouse. Use ctx3bmouse on the XenApp for UNIX server to configure 3-buttonmouse emulation. For more information, see the XenApp for UNIX administrationdocumentation.
● ctxgrab
● ctxcapture
242
Using the ctxgrab Utility to Cut and PasteGraphics
This topic does not apply to XenDesktop connections.
The ctxgrab utility is a simple tool you use to cut and paste graphics from publishedapplications to applications running on the local user device. This utility is available from acommand prompt or, if you are using a published application, from the ctxwm windowmanager.
Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouseemulation. For more information, see the XenApp for UNIX administrationdocumentation.
To access the ctxgrab utility from the windowmanager
● In seamless mode, right-click the ctxgrab button in the top, left-hand corner of thescreen to display a menu and choose the grab option
● In full screen mode, left-click to display the ctxwm menu and choose the grab option
To copy from an application in a plug-in window to alocal application
1. From the ctxgrab dialog box, click From screen.
2. To select a window, move the cursor over the window you want to copy and click themiddle mouse button. To select a region, hold down the left mouse button and drag thecursor to select the area you want to copy. To cancel the selection, click the rightmouse button. While dragging, click the right mouse button before releasing the leftbutton.
3. Use the appropriate command in the local application to paste the object.
243
Using the ctxcapture Utility to Cut andPaste Graphics
This topic does not apply to XenDesktop connections.
The ctxcapture utility is a more fully-featured utility for cutting and pasting graphicsbetween published applications and applications running on the local user device.
With ctxcapture you can:
● Grab dialog boxes or screen areas and copy them between an application in a Receiverwindow and an application running on the local user device, includingnon-ICCCM-compliant applications
● Copy graphics between the Receiver and the X graphics manipulation utility xvf
If you are connected to a published desktop, ctxcapture is available from a commandprompt. If you are connected to a published application and the administrator makes itavailable, you can access ctxcapture through the ctxwm window manager.
Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouseemulation. For more information, see the XenApp for UNIX administrationdocumentation.
To access the ctxcapture utility from the windowmanager
Left-click to display the ctxwm menu and choose the screengrab option.
To copy from a local application to an application in aReceiver window
1. From the ctxcapture dialog box, click From screen.
2. To select a window, move the cursor over the window you want to copy and click themiddle mouse button. To select a region, hold down the left mouse button and drag thecursor to select the area you want to copy. To cancel the selection: click the rightmouse button. While dragging, click the right mouse button before releasing the leftbutton.
3. From the ctxcapture dialog box, click To ICA. The xcapture button changes color toindicate that it is processing the information.
4. When the transfer is complete, use the appropriate command in the publishedapplication window to paste the information.
To copy from an application in a Receiver window to alocal application
1. From the application in the Receiver window, copy the graphic.
2. From the ctxcapture dialog box, click From ICA.
3. When the transfer is complete, use the appropriate command in the local application topaste the information.
To copy from xv to an application in a Receiverwindow or local application
1. From xv, copy the graphic.
2. From the ctxcapture dialog box, click From xv and To ICA.
3. When the transfer is complete, use the appropriate command in the Receiver windowto paste the information.
To copy from an application in a Receiver window toxv
1. From the application in the Receiver window, copy the graphic.
2. From the ctxcapture dialog box, click From ICA and To xv.
3. When the transfer is complete, use the paste command in xv.
Using the ctxcapture Utility to Cut and Paste Graphics
244
245
Matching Client Names and ComputerNames
The dynamic client name feature allows the client name to be the same as the computername. When users change their computer name, the client name changes to match. Thisallows you to name computers to suit your naming scheme and find connections more easilywhen managing your server farm.
If the client name is not set to match the computer name during installation, the clientname does not change when the computer name is changed.
Users enable dynamic client name support by selecting Enable Dynamic Client Name duringReceiver installation.
To enable dynamic client name support during silent command line installation, the valueof the property ENABLE_DYNAMIC_CLIENT_NAME must be Yes. Set the property to No todisable dynamic client name support.
246
DNS Name Resolution
You can configure Receivers that use the Citrix XML Service to request a Domain NameService (DNS) name for a server instead of an IP address.
Important: Unless your DNS environment is configured specifically to use this feature,Citrix recommends that you do not enable DNS name resolution in the server farm.
Receivers connecting to published applications through the Web Interface also use theCitrix XML Service. For Receivers connecting through the Web Interface, the Web serverresolves the DNS name on behalf of the Receiver.
DNS name resolution is disabled by default in the server farm and enabled by default on theReceiver. When DNS name resolution is disabled in the farm, any Receiver request for a DNSname returns an IP address. There is no need to disable DNS name resolution on Receiver.
To disable DNS name resolution for specific clientdevices
If you are using DNS name resolution in the server farm and are having problems withspecific user devices, you can disable DNS name resolution for those devices.
Caution: Using Registry Editor incorrectly can cause serious problems that can requireyou to reinstall the operating system. Citrix cannot guarantee that problems resultingfrom incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Make sure you back up the registry before you edit it.
1. Add a string registry key xmlAddressResolutionType toHKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing.
2. Set the value to IPv4-Port.
3. Repeat for each user of the user devices.
247
Using Proxy Servers with XenDesktopConnections
If you do not use proxy servers in your environment, correct the Internet Explorer proxysettings on any user devices running Internet Explorer 7.0 on Windows XP. By default, thisconfiguration automatically detects proxy settings. If proxy servers are not used, users willexperience unnecessary delays during the detection process. For instructions on changingthe proxy settings, consult your Internet Explorer documentation. Alternatively, you canchange proxy settings using the Web Interface. For more information, consult the WebInterface documentation.
248
Improving the Receiver User Experience
You can improve your users’ experiences with the following supported features:
● ClearType font smoothing
● Client-side microphone input for digital dictation
● Multiple monitor support
● Printing performance enhancements
● To set keyboard shortcuts
● 32-bit color icons
Topics that support users with the Desktop Viewer and the Desktop Lock are available athttp://support.citrix.com/help/receiver/en/receiverHelpWin.htm.
249
ClearType Font Smoothing in Sessions
This topic does not apply to XenDesktop connections.
XenApp server supports ClearType font smoothing with Receiver for users on computersrunning Windows XP, Windows 7, and Windows Vista. ClearType font smoothing is set bydefault in Windows 7 and Windows Vista, but Standard font smoothing is set by default inWindows XP.
If you enable ClearType font smoothing on Receiver, you are not forcing the user devices touse ClearType font smoothing. You are enabling the server to support ClearType fontsmoothing on user devices that have it set and are using Receiver. By disabling it forsessions, you are specifying that sessions launched from that Receiver do not remote thefont smoothing setting.
Receiver automatically detects the user device’s font smoothing setting and sends it to theserver. The session connects using this setting. When the session is disconnected orterminated, the user's profile setting on the server is set to original setting unless the userspecifically changed it in the control panel in the session; then the server uses the newsetting.
Older Receivers (plug-ins) connect using the font smoothing setting configured in that user’sprofile on the server.
When ClearType font smoothing is enabled, three times more data is sent across the virtualchannel, which might cause a decrease in performance.
Font smoothing must be enabled on users’ operating systems, the Receiver, the WebInterface site, and the server farm.
To enable or disable ClearType font smoothing forsessions
In Web Interface environments, use the Session Preferences task in the Citrix WebInterface Management console to enable or disable font smoothing for XenApp Web sitesand the Session Options task for XenApp Services sites.
250
Client-Side Microphone Input
Receiver supports multiple client-side microphone input. Locally installed microphones canbe used for:
● Real-time activities, such as softphone calls and Web conferences.
● Hosted recording applications, such as dictation programs.
● Video and audio recordings.
Digital dictation support is available with Receiver. For information about configuring thisfeature, see the administrator's documentation for Citrix XenApp or Citrix XenDesktop.
Receiver (Enterprise) users can disable their microphones by selecting No Access in theMicrophones/Webcams menu choice available from the Citrix Connection Center, or fromthe Receiver’s system menu (for non-seamless connections). Receiver (standard) users arepresented with the same dialog box automatically at the beginning of their sessions.XenDesktop users can also use the XenDesktop Viewer Preferences to disable theirmicrophones.
Note: Selecting No Access also disables any attached Webcams.
On the user device, users control audio input and output in a single step—by selecting anaudio quality level from the Options dialog box.
251
Configuring HDX Plug-n-PlayMulti-monitor Support
Multiple monitors are fully supported by Receiver. As many as eight monitors are supported.
Each monitor in a multiple monitor configuration has its own resolution designed by itsmanufacturer. Monitors can have different resolutions and orientations during sessions.
Sessions can span multiple monitors in two ways:
● Full screen mode, with multiple monitors shown inside the session; applications snap tomonitors as they would locally.
XenDesktop: If users access a desktop through the Citrix Desktop Lock, the desktop isdisplayed across all monitors. The primary monitor on the device becomes the primarymonitor in the XenDesktop session. You can display the Desktop Viewer toolbar acrossany rectangular subset of monitors by resizing the window across any part of thosemonitors and pressing the Maximize button.
● Windowed mode, with one single monitor image for the session; applications do notsnap to individual monitors.
XenDesktop: When any desktop in the same assignment (formerly "desktop group") islaunched subsequently, the window setting is preserved and the toolbar is displayed acrossthe same monitors. Multiple virtual desktops can be displayed on one device provided themonitor arrangement is rectangular. If the primary monitor on the device is used by theXenDesktop session, it becomes the primary monitor in the session. Otherwise, thenumerically lowest monitor in the session becomes the primary monitor.
To enable multi-monitor support, ensure the following:
● The user device must have a single video board that can support connections to morethan one monitor or multiple video boards compatible with the Receiver on theappropriate platform.
● The user device operating system must be able to detect each of the monitors. OnWindows platforms, to verify that this detection occurs, on the user device, view theSettings tab in the Display Settings dialog box and confirm that each monitor appearsseparately.
● After your monitors are detected:
● XenDesktop: Configure the graphics memory limit using the Citrix Machine Policysetting Display memory limit.
● XenApp: Depending on the version of the XenApp server you have installed:
● Configure the graphics memory limit using the Citrix Computer Policy settingDisplay memory limit.
● From the Citrix management console for the XenApp server, select the farm andin the task pane, select Modify Server Properties > Modify all properties >Server Default > HDX Broadcast > Display (or Modify Server Properties >Modify all properties > Server Default > ICA > Display) and set the Maximummemory to use for each session’s graphics.
Ensure the setting is large enough (in kilobytes) to provide sufficient graphic memory. Ifthis setting is not high enough, the published resource is restricted to the subset of themonitors that fits within the size specified.
For information about calculating the session's graphic memory requirements for XenAppand XenDesktop, see ctx115637.
Configuring HDX Plug-n-Play Multi-monitor Support
252
253
Printing Performance
Printing performance can play a vital role in your users’ experiences. The printingconfiguration you create affects these aspects of the user’s experience:
● User ease and comfort level
● Logon times
● Ability to print to a nearby printer when traveling or when moving between clientdevices in a building
You configure printer policy settings on the server.
User Ease and Comfort LevelIn environments with novice users, consider changing the following potentially confusingdefault printing behaviors:
● Printer names change at the start of each session. When, by default, client printersare auto-created, the printer name is appended with the name of the user device andsession. For example, auto-created client printers appear in the Print dialog box with aname like HP LaserJet 1018 (from clientname) in session 35.
To resolve this problem, you can either reduce the number of printers auto-created orprovision printers using another method. To control printer auto-creation, configure theCitrix policy setting Auto-create client printers and select one of the followingoptions:
● Do not auto-create client printers. Client printers are not auto-created.
● Auto-create the client’s default printer only. Only the client’s default printerattached to or mapped from the client preconfigured in the Control Panel isauto-created in the session.
● Auto-create local (non-network) client printers only. Any non-network printersattached to the client device preconfigured in the Control Panel are auto-createdin the session.
● Auto-create all client printers. All network printers and any printers attached to ormapped from the user device preconfigured in the Control Panel are auto-createdin the session.
● If many printers are installed by default on user devices, your users might be confusedby the large number of available printers. You can limit the printers that appear tothem in sessions.
● HDX Plug-n-Play Universal Printer uses a nonstandard printing dialog box. If your users have trouble learning new features on their own, you might not want to use the
the Universal Printer as the default printer in a session. The user interface for thisprinter is slightly different from the standard Windows print dialog box.
Logon TimesThe printing configuration you select can impact how long it takes users to start a session.When Receiver is configured to provision printers by creating them automatically at thebeginning of each session, it increases the amount of time to build the session environment.In this case, Receiver has to rebuild every printer found on the user device. You candecrease logon time by specifying any of the following on the XenApp server:
● Auto-create only the the Universal Printer. This is done automatically when youconfigure the the Universal Printer.
● Auto-create only the default printer for the client device by using the Auto-createclient printers policy setting.
● Do not auto-create any client printers through the Auto-create client printers policysetting and route print jobs to network printers by configuring the Session printerspolicy setting
Configuring Printers for Mobile WorkersIf you have users who move among workstations in the same building (for example, in ahospital setting) or move among different offices, you might want to configure ProximityPrinting. The Proximity Printing solution ensures that the closest printer is presented to theusers in their sessions, even when they change user devices during a session.
Printing Performance
254
255
To override the printer settings configuredon the server
To improve printing performance, you can configure various printing policy settings on theserver:
● Universal printing optimization defaults
● Universal printing EMF processing mode
● Universal printing image compression limit
● Universal printing print quality limit
● Printer driver mapping and compatibility
● Session printers
If you enabled Allow non-admins to modify these settings in the Universal printingoptional defaults policy setting on the server, users on their user devices can override theImage Compression and Image and Font Caching options specified in that policy setting.
To override the printer settings on the user device
1. From the Print menu available from an application on the user device, chooseProperties.
2. On the Client Settings tab, click Advanced Optimizations and make changes to theImage Compression and Image and Font Caching options.
256
To set keyboard shortcuts
You can configure combinations of keys that Receiver interprets as having specialfunctionality. When the keyboard shortcuts policy is enabled, you can specify Citrix Hotkeymappings, behavior of Windows hotkeys, and keyboard layout for sessions.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > User Experience > Keyboard shortcuts. InWindows 7 and Windows Server 2008, expand Administrative Templates and navigatethrough Classic Administrative Templates (ADM) > Citrix Components to the desiredconfiguration option.
7. From the Action menu, choose Properties, select Enabled, and choose the desiredoptions.
257
Keyboard Input in XenDesktop Sessions
Note the following about how keyboard combinations are processed in XenDesktop sessions:
● Windows logo key+L is directed to the local computer.
● CTRL+ALT+DELETE is directed to the local computer except in some cases if you use theCitrix Desktop Lock.
● Key presses that activate StickyKeys, FilterKeys, and ToggleKeys (Microsoft accessibilityfeatures) are normally directed to the local computer.
● As an accessibility feature of the Desktop Viewer, pressing CTRL+ALT+BREAK displaysthe Desktop Viewer toolbar buttons in a pop-up window.
● Windows key combinations (for example, CTRL+ESC and ALT+TAB) are directedaccording to the settings that your helpdesk has selected. For more information, seethe table below.
Note: By default, if the Desktop Viewer is maximized, ALT+TAB switches focusbetween windows inside the session. If the Desktop Viewer is displayed in a window,ALT+TAB switches focus between windows outside the session.
Hotkey sequences are key combinations designed by Citrix. For example, the CTRL+F1sequence reproduces CTRL+ALT+DELETE, and SHIFT+F2 switches applications betweenfull-screen and windowed mode. You cannot use hotkey sequences with virtual desktopsdisplayed in the Desktop Viewer (that is, with XenDesktop sessions), but you can use themwith published applications (that is, with XenApp sessions).
The table shows the remoting behavior of other Windows key combinations. The behaviordepends on whether a Desktop Viewer or a Desktop Lock session is used, and is controlledby the Local resources setting, avaliable from the Session Options task on the XenDesktopsite. XenApp settings are also shown for reference. For more information on configuring thissetting, see the Web Interface documentation.
With Localresources set to
Desktop Viewersessions have thisbehavior
Desktop Locksessions have thisbehavior
XenApp (or disabledDesktop Viewer)sessions have thisbehavior
Full screen desktopsonly
Key combinationsare sent to theremote, virtualdesktop only if theDesktop Viewerwindow has focusand is maximized(full-screen).
Key combinationsare always sent tothe remote, virtualdesktop.
Key combinationsare sent to theremote XenAppserver if the sessionis maximized(full-screen).
Remote desktop Key combinationsare sent to theremote, virtualdesktop only if theDesktop Viewerwindow has focus.
Key combinationsare always sent tothe remote, virtualdesktop.
Key combinationsare sent to theremote XenAppserver if the sessionor application hasfocus.
Local desktop Key combinationsare always kept onthe local userdevice.
Key combinationsare always kept onthe local userdevice.
Citrix does notrecommend settingLocal resources toLocal desktop if theDesktop Lock isused.
Key combinationsare always kept onthe local userdevice.
Keyboard Input in XenDesktop Sessions
258
259
Receiver Support for 32-Bit Color Icons
Receiver supports high color icons (32x32 bit) and automatically selects the color depth forapplications visible in the Citrix Connection Center dialog box, the Start menu, and task barto provide for seamless applications.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
To set a preferred depth, you can add a string registry key named TWIDesiredIconColor toHKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Preferences and set it to the desired value. The possible color depthsfor icons are 4, 8, 16, 24, and 32 bits-per-pixel. The user can select a lower color depth foricons if the network connection is slow.
260
Connecting to Virtual Desktops
From within a desktop session, users cannot connect to the same virtual desktop.Attempting to do so will disconnect the existing desktop session. Therefore, Citrixrecommends:
● Administrators should not configure the clients on a desktop to point to a site thatpublishes the same desktop
● Users should not browse to a site that hosts the same desktop if the site is configured toautomatically reconnect users to existing sessions
● Users should not browse to a site that hosts the same desktop and try to launch it
Be aware that a user who logs on locally to a computer that is acting as a virtual desktopblocks connections to that desktop.
If your users connect to virtual applications (published with XenApp) from within a virtualdesktop and your organization has a separate XenApp administrator, Citrix recommendsworking with them to define device mapping such that desktop devices are mappedconsistently within desktop and application sessions. Because local drives are displayed asnetwork drives in desktop sessions, the XenApp administrator needs to change the drivemapping policy to include network drives.
261
Securing Your Connections
To maximize the security of your environment, the connections between Receiver and theresources you publish must be secured. You can configure various types of authenticationfor your Receiver software, including enabling certificate revocation list checking, enablingsmart card support, and using Security Support Provider Interface/Kerberos Pass-ThroughAuthentication.
Windows NT Challenge/Response (NTLM) Support forImproved Security
Windows NT Challenge/Response (NTLM) authentication is supported by default oncomputers running Windows NT, Windows 2000, Windows XP, Windows 7, Windows Vista,Windows Server 2003, and Windows Server 2008.
262
To enable certificate revocation listchecking for improved security withReceiver (CitrixReceiver.exe)
When certificate revocation list (CRL) checking is enabled, Receiver checks whether or notthe server’s certificate is revoked. By forcing Receiver to check this, you can improve thecryptographic authentication of the server and the overall security of the SSL/TLSconnections between a user device and a server.
You can enable several levels of CRL checking. For example, you can configure Receiver tocheck only its local certificate list or to check the local and network certificate lists. Inaddition, you can configure certificate checking to allow users to log on only if all CRLs areverified.
Important: This option is available only with the standard Receiver (CitrixReceiver.exe)and not Receiver (Enterprise).
If you are making this change on a local computer, exit Receiver if it is running. Make sureall Receiver components, including the Connection Center, are closed.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for the Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties and select Enabled.
8. From the CRL verification drop-down menu, select one of the options.
● Disabled. No certificate revocation list checking is performed.
● Only check locally stored CRLs. CRLs that were installed or downloaded previouslyare used in certificate validation. Connection fails if the certificate is revoked.
● Require CRLs for connection. CRLs locally and from relevant certificate issuers onthe network are checked. Connection fails if the certificate is revoked or not found.
● Retrieve CRLs from network. CRLs from the relevant certificate issuers arechecked. Connection fails if the certificate is revoked.
If you do not set CRL verification, it defaults to Only check locally stored CRLs.
To enable certificate revocation list checking for improved security with Receiver (CitrixReceiver.exe)
263
264
Smart Card Support for Improved Security
You must use Receiver (Enterprise) for Smart Card support.
Receiver smart card support is based on Microsoft Personal Computer/Smart Card (PC/SC)standard specifications. Receiver supports only smart cards and smart card devices thatare, themselves, supported by the underlying Windows operating system. A discussion ofsecurity issues related to PC/SC standards compliance is beyond the scope of thisdocument.
Enabling smart card support for Receiver is done through the Web Interface. For moreinformation, see the Web Interface documentation.
Note: Microsoft strongly recommends that only smart card readers tested and approvedby the Microsoft Windows Hardware Quality Lab (WHQL) be used on computers runningqualifying Windows operating systems. See http://www.microsoft.com for additionalinformation about hardware PC/SC compliance.
Receiver does not control smart card PIN management. PIN management is controlled bythe cryptographic service provider for your cards.
265
To enable pass-through authenticationwhen sites are not in Trusted Sites orIntranet zones
Your users might require pass-through authentication to the server using their user logoncredentials but cannot add sites to the Trusted Sites or Intranet zones. Enable this settingto allow pass-through authentication on all but Restricted sites.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > User authentication > Local user name andpassword. In Windows 7 and Windows Server 2008, expand Administrative Templatesand navigate through Classic Administrative Templates (ADM) > Citrix Components tothe desired configuration option.
7. From the Local user name and password Properties menu, select Enabled, and thenselect the Enable pass-through authentication and Allow pass-through authenticationfor all ICA connections check boxes.
266
Using Security Support ProviderInterface/Kerberos Pass-ThroughAuthentication for Improved Security
This topic does not apply to XenDesktop connections.
Rather than sending user passwords over the network, Kerberos pass-through authenticationleverages Kerberos authentication in combination with Security Support Provider Interface(SSPI) security exchange mechanisms. Kerberos is an industry-standard networkauthentication protocol built into Microsoft Windows operating systems.
Kerberos logon offers security-minded users or administrators the convenience ofpass-through authentication combined with secret-key cryptography and data integrityprovided by industry-standard network security solutions. With Kerberos logon, the Receiverdoes not need to handle the password and thus prevents Trojan horse-style attacks on theuser device to gain access to users’ passwords.
Users can log on to the user device with any authentication method; for example, abiometric authenticator such as a fingerprint reader, and still access published resourceswithout further authentication.
System requirements. Kerberos logon requires Citrix Presentation Server 3.0, 4.0, or 4.5,Citrix XenApp 5.0, 6.x and Citrix Presentation Server Clients for Windows 8.x, 9.x, 10.x,XenApp Hosted Plug-in 11.x, online plug-in 12.0, 12.1, or Receiver 3.x. Kerberos works onlybetween Client/plug-ins/Receiver and servers that belong to the same or to trustedWindows 2000, Windows Server 2003, or Windows Server 2008 domains. Servers must alsobe trusted for delegation, an option you configure through the Active Directory Users andComputers management tool.
Kerberos logon is not available in the following circumstances:
● Connections configured with any of the following options in Remote Desktop Services(formerly known as Terminal Services) Configuration:
● On the General tab, the Use standard Windows authentication option
● On the Logon Settings tab, the Always use the following logon information optionor the Always prompt for password option
● Connections you route through the Secure Gateway
● If the server requires smart card logon
● If the authenticated user account requires a smart card for interactive logon
Important: SSPI requires XML Service DNS address resolution to be enabled for the serverfarm, or reverse DNS resolution to be enabled for the Active Directory domain. For moreinformation, see the Citrix XenApp administrator documentation.
Configuring Kerberos AuthenticationReceiver, by default, is not configured to use Kerberos authentication when logging on tothe server. You can set the Receiver configuration to use Kerberos with pass-throughauthentication or Kerberos with smart card pass-through authentication.
To use Kerberos authentication for your connections, you can either specify Kerberos usinga command line installation or configure Receiver using the Group Policy Editor. See theMicrosoft Group Policy documentation for more information about editing .adm files
Using Security Support Provider Interface/Kerberos Pass-Through Authentication for Improved Security
267
268
To configure Kerberos with pass-throughauthentication
This topic does not apply to XenDesktop connections.
Use Kerberos with pass-through authentication if you want to use Kerberos with Receiver.
When Receiver configurations are set to use Kerberos with pass-through authentication,Receiver uses Kerberos authentication first and uses pass-through authentication if Kerberosfails.
The user cannot disable this Receiver configuration from the user interface.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates, navigate throughCitrix Components > Citrix Receiver > User authentication, double click Kerberosauthentication and select Enabled. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > User authentication > Local user name andpassword. In Windows 7 and Windows Server 2008, expand Administrative Templatesand navigate through Classic Administrative Templates (ADM) > Citrix Components tothe desired configuration option.
8. From the Action menu, choose Properties and select Enabled > Enable pass-throughauthentication.
To apply the setting, close and restart Receiver on the user device.
269
Securing Citrix Receiver Communication
To secure the communication between your server farm and Receiver, you can integrateyour Receiver connections to the server farm with a range of security technologies,including:
● Citrix Access Gateway. For information about configuring Access Gateway with ReceiverStoreFront, refer to the "Manage" topics in the Receiver StoreFront documentation ineDocs. For information about configuring Access Gateway or Secure Gateway with WebInterface, refer to topics in this section.
● A SOCKS proxy server or secure proxy server (also known as security proxy server,HTTPS proxy server, or SSL tunneling proxy server). You can use proxy servers to limitaccess to and from your network and to handle connections between Receiver andservers. Receiver supports SOCKS and secure proxy protocols.
● SSL Relay solutions with Secure Sockets Layer (SSL) and Transport Layer Security (TLS)protocols.
● A firewall. Network firewalls can allow or block packets based on the destinationaddress and port. If you are using Receiver through a network firewall that maps theserver's internal network IP address to an external Internet address (that is, networkaddress translation, or NAT), configure the external address.
● Trusted server configuration.
Note: For information about increasing security in application streaming for desktops, seethe Citrix Knowledge Base article Enhancing Security in Application Streaming forDesktops.
Receiver is compatible with and functions in environments where the Microsoft SpecializedSecurity - Limited Functionality (SSLF) desktop security templates are used. Thesetemplates are supported on the Microsoft Windows XP, Windows Vista, and Windows 7platforms. Refer to the Windows XP, Windows Vista, and Windows 7 security guidesavailable at http://technet.microsoft.com for more information about the templates andrelated settings.
270
Support for Microsoft Security Templates
Receiver is compatible with and functions in environments where the Microsoft SpecializedSecurity - Limited Functionality (SSLF) desktop security templates are used. Thesetemplates are supported on the Microsoft Windows XP, Windows Vista, and Windows 7platforms. Refer to the Windows XP, Windows Vista, and Windows 7 security guidesavailable at http://technet.microsoft.com for more information about the templates andrelated settings.
271
Connecting with Access GatewayEnterprise Edition
This topic applies only to deployments using the Web Interface.
Configure the XenApp Services site for the Receiver to support connections from an AccessGateway connection.
1. In the XenApp Services site, select Manage secure client access > Edit secure clientaccess settings.
2. Change the Access Method to Gateway Direct.
3. Enter the FQDN of the Access Gateway appliance.
4. Enter the Secure Ticket Authority (STA) information.
To configure the Access Gateway appliance1. Configure authentication policies to authenticate users connecting to the Access
Gateway by using the Access Gateway Plug-in. Bind each authentication policy to avirtual server.
● If double-source authentication is required (such as RSA SecurID and ActiveDirectory), RSA SecurID authentication must be the primary authentication type.Active Directory authentication must be the secondary authentication type.
● RSA SecurID uses a RADIUS server to enable token authentication.
● Active Directory authentication can use either LDAP or RADIUS.Test a connection from a user device to verify that the Access Gateway is configuredcorrectly in terms of networking and certificate allocation.
2. Create a session policy on the Access Gateway to allow incoming XenApp connectionsfrom the Receiver, and specify the location of your newly created XenApp Services site.
● Create a new session policy to identify that the connection is from the Receiver. Asyou create the session policy, configure the following expression and select MatchAll Expressions as the operator for the expression:
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
Connecting with Access Gateway Enterprise Edition
272
● In the associated profile configuration for the session policy, on the Security tab,set Default Authorization to Allow.
On the Published Applications tab, if this is not a global setting (you selected theOverride Global check box), ensure the ICA Proxy field is set to ON.
In the Web Interface Address field, enter the URL including the config.xml for theXenApp Services site that the device users use, such ashttp://XenAppServerName/Citrix/PNAgent/config.xml orhttp://XenAppServerName/CustomPath/config.xml.
● Bind the session policy to a virtual server.
● Create authentication policies for RADIUS and Active Directory.
● Bind the authentication policies to the virtual server.
Important: If the server certificate used on the Access Gateway is part of acertificate chain (with an intermediate certificate), make sure that the intermediatecertificates are also installed correctly on the Access Gateway. For information aboutinstalling certificates, see the Access Gateway documentation.
Connecting with Access Gateway Enterprise Edition
273
274
Connecting with Access Gateway 5.0
This topic applies only to deployments using the Web Interface.
Access Gateway setup requires that you configure a basic or a SmartAccess logon point onAccess Gateway and use the Web address for the XenApp Services site.
Before you configure a logon point, install the Web Interface and verify that it iscommunicating with the network. When you configure a logon point, you must alsoconfigure at least one Secure Ticket Authority (STA) server and ICA Access Control in AccessGateway. For more information, expand Access Gateway 5.0 in eDocs, and locate the topicTo configure Access Gateway to use the Secure Ticket Authority.
To configure the Access Gateway 5.0 appliance1. Configure Authentication profiles to authenticate users connecting to the Access
Gateway using the Receiver.
● If double source authentication is required (such as Active Directory and RSASecurID), Active Directory authentication must be the primary authentication type.RSA SecurID authentication must be the secondary authentication type.
● RSA SecurID can use either RADIUS or an sdconf.rec file to enable tokenauthentication.
● You can configure Active Directory authentication on Access Controller. You can useActive Directory on the Access Gateway appliance by using either an LDAP orRADIUS authentication profile.
Test a connection from a user device to verify that the Access Gateway is configuredcorrectly in terms of networking and certificate allocation.
2. To establish communication with XenApp servers and the Web Interface, configure theAccess Gateway with STA servers and the ICA Access Control list on Access Gateway. Formore information, see the Access Gateway section of eDocs.
3. Configure logon points on the Access Gateway. Configure the Access Gateway to allowincoming XenApp connections from the Receiver, and specify the location of your WebInterface site.
a. In the Access Gateway Management Console, click Management.
b. Under Access Control, click Logon Points > New.
c. In the Logon Points Properties dialog box, in Name, type a unique name for thelogon point.
d. Select the Type:
● For a Basic logon point, in the Web Interface field, type the fully qualifieddomain name (FQDN) of the Web Interface, such ashttp://xenapp.domain.com/citrix/apps. You cannot configure aSmartGroup with a basic logon point. Select the authentication type, or clickAuthenticate with the Web Interface.
If you select Authenticate with the Web Interface, when users type the URL toAccess Gateway and enter credentials, the credentials are passed to the WebInterface for authentication.
● For a SmartGroup to use the settings in a SmartAccess logon point, you mustselect the logon point within the SmartGroup. Select the authenticationprofiles. If you configure a SmartAccess logon point, Access Gatewayauthenticates users. You cannot configure authentication by using the WebInterface.
If you select Single Sign-on to Web Interface, users do not have to log on tothe Web Interface after logging on to the Access Gateway. If not selected, usersmust log on to both the Access Gateway and Web Interface.
Connecting with Access Gateway 5.0
275
e. Under Applications and Desktops, click Secure Ticket Authority and add the STAdetails. Make sure the STA information is the same as the Web Interface site.
f. Finally, under Applications and Desktops, click XenApp or XenDesktop to add theICA control list (required for Access Gateway 5.0). For more information, expandAccess Gateway 5.0 in eDocs, and locate To configure ICA Access Control.
Important: If the server certificate used on the Access Gateway is part of acertificate chain (with an intermediate certificate), make sure that the intermediatecertificates are also installed correctly on the Access Gateway. For information aboutinstalling certificates, see the Access Gateway section on Configuring IntermediateCertificates.
Connecting with Access Gateway 5.0
276
To configure Access Controller1. Configure Authentication profiles to authenticate users connecting to the Access
Gateway using the Receiver.
● If double source authentication is required (such as Active Directory and RSASecurID), Active Directory authentication must be the primary authentication type.RSA SecurID authentication must be the secondary authentication type.
● RSA SecurID can use either RADIUS or an sdconf.rec file to enable tokenauthentication.
● You can configure Active Directory authentication on Access Controller. You can useActive Directory on the Access Gateway appliance by using either an LDAP orRADIUS authentication profile.
Test a connection from a user device to verify that the Access Gateway is configuredcorrectly in terms of networking and certificate allocation.
2. To establish communication with XenApp servers and the Web Interface, configureAccess Controller to recognize the servers. Configure Access Controller to allowincoming XenApp connections from the Receiver and specify the location of your WebInterface site.
a. In the Deliver Services Console, expand Citrix Resources > Access Gateway, andthen click the Access Controller on which you want to create the Web resource.
b. Expand Resources, click Web Resources, and then under Common tasks, clickCreate Web resource. In the wizard, enter a unique name. On the New WebAddress page, enter the Web address URL of the XenApp Web site.
c. In Application type, select Citrix Web Interface and click the Enable SingleSign-on check box.
d. After you click OK, click Publish for users in their list of resources , and then inHome page, enter the URL of the XenApp Web Site, such ashttp://xenapp.domain.com/citrix/apps, and finish the wizard.
e. In the navigation pane, click Logon Points, click Create logon point, and in thewizard, enter a unique name, and select the type:
● For a Basic logon point, in the Web Interface field, type the fully qualifieddomain name (FQDN) of the Web Interface, such ashttp://xenapp.domain.com/citrix/apps. Select the Home page, andthen select the authentication profile. Leave the remaining options as defaultvalues, and click Enable this logon point check box at the end of the wizard.
● For a SmartAccess logon point, on Select Home Page, select the Display theWeb resource with the highest priority. Click Set Display Order, and movethe Web Interface Web resource to the top.
Select the Authentication Profiles for both authentication and group extraction.Leave the remaining options as default values, and click Enable this logonpoint check box at the end of the wizard.
f. In the navigation pane, under Policies > Access Policies, select Create access policy and on the Select Resources page, expand Web Resources to select the
Connecting with Access Gateway 5.0
277
Web Interface web resource.
g. In Configure Policy Settings, select the settings, click Enable this policy to controlthis setting, and select Extended access, unless denied by another policy. Addthe users allowed to access this resource and finish the wizard.
h. In the navigation pane, under Access Gateway appliances, select Edit AccessGateway appliance properties, click Secure Ticket Authority and add the STAdetails. Make sure the STA information is the same as the Web Interface site.
i. Finally, click ICA Access Control to add the ICA control list (required for AccessGateway 5.0). For more information, expand Access Gateway 5.0 in eDocs, andlocate To configure ICA Access Control in the Access Controller documentation.
Important: If the server certificate used on the Access Gateway is part of acertificate chain (with an intermediate certificate), make sure that the intermediatecertificates are also installed correctly on the Access Gateway. For information aboutinstalling certificates, see the Access Gateway section on Configuring IntermediateCertificates.
Connecting with Access Gateway 5.0
278
279
Connecting with Secure Gateway
This topic applies only to deployments using the Web Interface.
You can use the Secure Gateway in either Normal mode or Relay mode to provide a securechannel for communication between Receiver and the server. No Receiver configuration isrequired if you are using the Secure Gateway in Normal mode and users are connectingthrough the Web Interface.
Receiver uses settings that are configured remotely on the server running the Web Interfaceto connect to servers running the Secure Gateway. See the topics for the Web Interface forinformation about configuring proxy server settings for Receiver.
If the Secure Gateway Proxy is installed on a server in the secure network, you can use theSecure Gateway Proxy in Relay mode. See the topics for the Secure Gateway for moreinformation about Relay mode.
If you are using Relay mode, the Secure Gateway server functions as a proxy and you mustconfigure Receiver to use:
● The fully qualified domain name (FQDN) of the Secure Gateway server.
● The port number of the Secure Gateway server. Note that Relay mode is not supportedby Secure Gateway Version 2.0.
The FQDN must list, in sequence, the following three components:
● Host name
● Intermediate domain
● Top-level domain
For example: my_computer.my_company.com is an FQDN, because it lists, in sequence, ahost name (my_computer), an intermediate domain (my_company), and a top-level domain(com). The combination of intermediate and top-level domain (my_company.com) isgenerally referred to as the domain name.
280
Connecting the Citrix Receiver through aProxy Server
Proxy servers are used to limit access to and from your network, and to handle connectionsbetween Receivers and servers. Receiver supports SOCKS and secure proxy protocols.
When communicating with the server farm, Receiver uses proxy server settings that areconfigured remotely on the server running Receiver for Web or the Web Interface. Forinformation about proxy server configuration, refer to Receiver StoreFront or Web Interfacedocumentation.
In communicating with the Web server, Receiver uses the proxy server settings that areconfigured through the Internet settings of the default Web browser on the user device.You must configure the Internet settings of the default Web browser on the user deviceaccordingly.
281
Connecting with Secure Sockets LayerRelay
You can integrate Receiver with the Secure Sockets Layer (SSL) Relay service. Receiversupports both SSL and TLS protocols.
● SSL provides strong encryption to increase the privacy of your ICA connections andcertificate-based server authentication to ensure the server you are connecting to is agenuine server.
● TLS (Transport Layer Security) is the latest, standardized version of the SSL protocol.The Internet Engineering Taskforce (IETF) renamed it TLS when it took overresponsibility for the development of SSL as an open standard. TLS secures datacommunications by providing server authentication, encryption of the data stream, andmessage integrity checks. Because there are only minor technical differences betweenSSL Version 3.0 and TLS Version 1.0, the certificates you use for SSL in your softwareinstallation will also work with TLS. Some organizations, including U.S. governmentorganizations, require the use of TLS to secure data communications. Theseorganizations may also require the use of validated cryptography, such as FIPS 140(Federal Information Processing Standard). FIPS 140 is a standard for cryptography.
282
Connecting with Citrix SSL Relay
By default, Citrix SSL Relay uses TCP port 443 on the XenApp server for SSL/TLS-securedcommunication. When the SSL Relay receives an SSL/TLS connection, it decrypts the databefore redirecting it to the server, or, if the user selects SSL/TLS+HTTPS browsing, to theCitrix XML Service.
If you configure SSL Relay to listen on a port other than 443, you must specify thenonstandard listening port number to the plug-in.
You can use Citrix SSL Relay to secure communications:
● Between an SSL/TLS-enabled client and a server. Connections using SSL/TLS encryptionare marked with a padlock icon in the Citrix Connection Center.
● With a server running the Web Interface, between the XenApp server and the Webserver.
For information about configuring and using SSL Relay to secure your installation, see theCitrix XenApp administrator’s documentation. For information about configuring the serverrunning the Web Interface to use SSL/TLS encryption, see the Web Interface administrator’sdocumentation.
283
User Device Requirements
In addition to the System Requirements, you also must ensure that:
● The user device supports 128-bit encryption
● The user device has a root certificate installed that can verify the signature of theCertificate Authority on the server certificate
● Receiver is aware of the TCP listening port number used by the SSL Relay service in theserver farm
● Any service packs or upgrades that Microsoft recommends are applied
If you are using Internet Explorer and you are not certain about the encryption level of yoursystem, visit the Microsoft Web site at http://www.microsoft.com to install a service packthat provides 128-bit encryption.
Important: Receiver supports certificate key lengths of up to 4096 bits. Ensure that thebit lengths of your Certificate Authority root and intermediate certificates, and those ofyour server certificates, do not exceed the bit length your Receiver supports orconnection might fail.
284
To apply a different listening port numberfor all connections
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the plug-in Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties, select Enabled, and type a new portnumber in the Allowed SSL servers text box in the following format: server:SSL relayport number where SSL relay port number is the number of the listening port. You canuse a wildcard to specify multiple servers. For example, *.Test.com:SSL relay portnumber matches all connections to Test.com through the specified port.
285
To apply a different listening port numberto particular connections only
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already added the icaclient template to the Group Policy Editor, you canomit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties, select Enabled, and type acomma-separated list of trusted servers and the new port number in the Allowed SSLservers text box in the following format: servername:SSL relay portnumber,servername:SSL relay port number where SSL relay port number is the numberof the listening port. You can specify a comma-separated list of specific trusted SSLservers similar to this example:
csghq.Test.com:443,fred.Test.com:443,csghq.Test.com:444
which translates into the following in an example appsrv.ini file: [Word]SSLProxyHost=csghq.Test.com:443
[Excel]
SSLProxyHost=csghq.Test.com:444
[Notepad]
SSLProxyHost=fred.Test.com:443
286
Configuring and Enabling Receivers forSSL and TLS
SSL and TLS are configured in the same way, use the same certificates, and are enabledsimultaneously.
When SSL and TLS are enabled, each time you initiate a connection, Receiver tries to useTLS first and then tries SSL. If it cannot connect with SSL, the connection fails and an errormessage appears.
To force Receiver to connect with TLS, you must specify TLS on the Secure Gateway serveror SSL Relay service. See the topics for the Secure Gateway or your SSL Relay servicedocumentation for more information.
In addition, make sure the user device meets all system requirements.
To use SSL/TLS encryption for all Receiver communications, configure the user device,Receiver, and, if using Web Interface, the server running the Web Interface. Forinformation about securing Receiver Storefront communications, refer to topics under"Secure" in the Receiver StoreFront documentation in eDocs.
287
Installing Root Certificates on the UserDevices
To use SSL/TLS to secure communications between a SSL/TLS-enabled Receiver and theserver farm, you need a root certificate on the user device that can verify the signature ofthe Certificate Authority on the server certificate.
Receiver supports the Certificate Authorities that are supported by the Windows operatingsystem. The root certificates for these Certificate Authorities are installed with Windowsand managed using Windows utilities. They are the same root certificates that are used byMicrosoft Internet Explorer.
If you use your own Certificate Authority, you must obtain a root certificate from thatCertificate Authority and install it on each user device. This root certificate is then usedand trusted by both Microsoft Internet Explorer and Receiver.
You might be able to install the root certificate using other administration or deploymentmethods, such as:
● Using the Microsoft Internet Explorer Administration Kit (IEAK) Configuration Wizard andProfile Manager
● Using third-party deployment tools
Make sure that the certificates installed by your Windows operating system meet thesecurity requirements for your organization or use the certificates issued by yourorganization’s Certificate Authority.
288
To configure Web Interface to useSSL/TLS for Receiver
1. To use SSL/TLS to encrypt application enumeration and launch data passed betweenReceiver and the server running the Web Interface, configure the appropriate settingsusing the Web Interface. You must include the computer name of the XenApp serverthat is hosting the SSL certificate.
2. To use secure HTTP (HTTPS) to encrypt the configuration information passed betweenReceiver and the server running the Web Interface, enter the server URL in the formathttps://servername. In the Windows notification area, right-click the Receiver icon andchoose Preferences.
3. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.
289
To configure TLS support
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by running gpedit.msc locally fromthe Start menu when applying this to a single computer or by using the Group PolicyManagement Console when using Active Directory.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification.
7. From the Action menu, choose Properties, select Enabled, and from the drop-downmenus, select the TLS settings.
● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected,Receiver connects using TLS encryption. If a connection using TLS fails, Receiverconnects using SSL.
● Set SSL ciphersuite to Detect version to have Receiver negotiate a suitableciphersuite from the Government and Commercial ciphersuits. You can restrict theciphersuites to either Government or Commercial.
● Set CRL verification to Require CRLs for connection requiring Receiver to try toretrieve Certificate Revocation Lists (CRLs) from the relevant certificate issuers.
290
To use the Group Policy template on WebInterface to meet FIPS 140 securityrequirements
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
To meet FIPS 140 security requirements, use the Group Policy template to configure theparameters or include the parameters in the Default.ica file on the server running the WebInterface. See the information about Web Interface for additional information about theDefault.ica file.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 3 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification.
7. From the Action menu, choose Properties, select Enabled, and from the drop-downmenus, select the correct settings.
● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected,Receiver tries to connect using TLS encryption. If a connection using TLS fails,Receiver tries to connect using SSL.
● Set SSL ciphersuite to Government.● Set CRL verification to Require CRLs for connection.
291
To configure the Web Interface to useSSL/TLS when communicating with CitrixReceiver
When using the Web Interface, specify the computer name of the server hosting the SSLcertificate. See the information about Web Interface for more details about using SSL/TLSto secure communications between Receiver and the Web server.
1. From the Configuration settings menu, select Server Settings.
2. Select Use SSL/TLS for communications between clients and the Web server.
3. Save your changes.
Selecting SSL/TLS changes all URLs to use HTTPS protocol.
292
To configure Citrix XenApp to useSSL/TLS when communicating with CitrixReceiver
You can configure the XenApp server to use SSL/TLS to secure the communications betweenReceiver and the server.
1. From the Citrix management console for the XenApp server, open the Properties dialogbox for the application you want to secure.
2. Select Advanced > Client options and ensure that you select Enable SSL and TLSprotocols.
3. Repeat these steps for each application you want to secure.
When using the Web Interface, specify the computer name of the server hosting the SSLcertificate. See the information about Web Interface for more details about using SSL/TLSto secure communications between Receiver and the Web server.
293
To configure Citrix Receiver to useSSL/TLS when communicating with theserver running the Web Interface
You can configure Receiver to use SSL/TLS to secure the communications between Receiverand the server running the Web Interface.
Ensure that a valid root certificate is installed on the user device. For more information,see Installing Root Certificates on the User Devices.
1. In the Windows notification area, right-click the Receiver icon and choosePreferences.
2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.
3. The Change Server screen displays the currently configured URL. Enter the server URLin the text box in the format https://servername to encrypt the configuration datausing SSL/TLS.
4. Click Update to apply the change.
5. Enable SSL/TLS in the client device browser. For more information about enablingSSL/TLS in the browser, see the online Help for the browser.
294
ICA File Signing - Protection AgainstApplication or Desktop Launches FromUntrusted Servers
The ICA File Signing feature helps protect users from unauthorized application or desktoplaunches.Citrix Receiver verifies that a trusted source generated the application or desktoplaunch based on administrative policy and protects against launches from untrusted servers.You can configure this Receiver security policy for application or desktop launch signatureverification using Group Policy Objects, Receiver StoreFront, or Citrix Merchandising Server.ICA file signing is not enabled by default. For information about enabling ICA file signing forReceiver StoreFront, refer to the Receiver StoreFront documentation.
For Web Interface deployments, the Web Interface enables and configures application ordesktop launches to include a signature during the launch process using the Citrix ICA FileSigning Service. The service can sign ICA files using a certificate from the computer'spersonal certificate store.
The Citrix Merchandising Server with Receiver enables and configures launch signatureverification using the Citrix Merchandising Server Adminstrator Console > Deliverieswizard to add trusted certificate thumbprints.
To use Group Policy Objects to enable and configure application or desktop launchsignature verification, follow this procedure:
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the ica-file-signing.adm template into the Group PolicyEditor, you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select ica-file-signing.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Enable ICA File Signing. In Windows 7 and Windows Server 2008,expand Administrative Templates and navigate through Classic AdministrativeTemplates (ADM) > Citrix Components to the desired configuration option.
7. If you choose Enabled, you can add signing certificate thumbprints to the white list of trusted certificate thumbprints or remove signing certificate thumbprints from the
white list by clicking Show and using the Show Contents screen. You can copy andpaste the signing certificate thumbprints from the signing certificate properties. Usethe Policy drop-down menu to select Only allow signed launches (more secure) orPrompt user on unsigned launches (less secure).
Option Description
Only allow signed launches (moresecure)
Allows only properly signed applicationor desktop launches from a trustedserver. The user sees a Security Warningmessage in Receiver if an application ordesktop launch has an invalid signature.The user cannot continue and theunauthorized launch is blocked.
Prompt user on unsigned launches (lesssecure)
Prompts the user every time an unsignedor invalidly signed application or desktopattempts to launch. The user can eithercontinue the application launch or abortthe launch (default).
ICA File Signing - Protection Against Application or Desktop Launches From Untrusted Servers
295
296
Selecting and Distributing a DigitalSignature Certificate
When selecting a digital signature certificate, Citrix recommends you choose from thisprioritized list:
1. Buy a code-signing certificate or SSL signing certificate from a public CertificateAuthority (CA).
2. If your enterprise has a private CA, create a code-signing certificate or SSL signingcertificate using the private CA.
3. Use an existing SSL certificate, such as the Web Interface or Self-service Plug-in servercertificate.
4. Create a new root CA certificate and distribute it to user devices using GPO or manualinstallation.
297
Configuring a Web Browser and ICA Fileto Enable Single Sign-on and ManageSecure Connections to Trusted Servers
To use Single sign-on (SSO) and to manage secure connections to trusted servers, add theCitrix server's site address to the Local intranet or Trusted sites zones in Internet Explorerunder Tools > Internet Options > Security on the user device. The address can include thewildcard (*) formats supported by the Internet Security Manager (ISM) or be as specific asprotocoll://URL[:port].
The same format must be used in both the ICA file and the sites entries. For example, if youuse a fully qualified domain name (FQDN) in the ICA file, you must use an FQDN in the siteszone entry. XenDesktop connections use only a desktop group name format.
Supported Formats (Including Wildcards)http[s]://10.2.3.4
http[s]://10.2.3.*
http[s]://hostname
http[s]://fqdn.example.com
http[s]://*.example.com
http[s]://cname.*.example.com
http[s]://*.example.co.uk
desktop://group-20name
ica[s]://xaserver1
ica[s]://xaserver1.example.com
Launching SSO or Using Secure Connections with aweb site
Add the exact address of the Receiver for Web or the Web Interface site in the sites zone.
Example Web Site Addresses
https://my.company.com
http://10.20.30.40
http://server-hostname:8080
https://SSL-relay:444
XenDesktop Connections with Desktop ViewerAdd the address in the form desktop://Desktop Group Name. If the desktop group namecontains spaces, replace each space with -20.
Custom ICA Entry FormatsUse one of the following formats in the ICA file for the Citrix server site address. Use thesame format to add it to the Local intranet or Trusted sites zones in Internet Explorerunder Tools > Internet Options > Security on the user device:
Example of ICA File HttpBrowserAddress Entry
HttpBrowserAddress=XMLBroker.XenappServer.example.com:8080
Examples of ICA File XenApp Server Address Entry
If the ICA file contains only the XenApp server Address field, use one of the following entryformats:
icas://10.20.30.40:1494
icas://my.xenapp-server.company.com
ica://10.20.30.40
Configuring a Web Browser and ICA File to Enable Single Sign-on and Manage Secure Connections to Trusted Servers
298
299
To set client resource permissions
You can set client resource permissions using trusted and restricted site regions by:
● Adding the Receiver for Web or the Web Interface site to the Trusted Site list
● Making changes to new registry settings
Note: Due to enhancements to Receiver, the .ini procedure available in earlier versionsof the plug-in/Receiver is replaced with these procedures.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
To add the web site to the trusted site list1. From the Internet Explorer Tools menu, choose Internet Options > Security.
2. Select the Trusted sites icon and click the Sites button.
3. In the Add this website to the zone text field, type the URL to your Receiver for Webor Web Interface site and click Add.
4. Download the registry settings from http://support.citrix.com/article/CTX124871.htmland make any registry changes. Use SsonRegUpx86.reg for Win32 user devices andSsonRegUpx64.reg for Win64 user devices.
5. Log off and then log on to the user device.
To change client resource permissions in the registry1. Download the registry settings from http://support.citrix.com/article/CTX124871.html
and import the settings on each user device. Use SsonRegUpx86.reg for Win32 userdevices and SsonRegUpx64.reg for Win64 user devices.
2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Client Selective Trust and in the appropriate regions, change the default value tothe required access values for any of the following resources:
Resource key Resource description
FileSecurityPermission Client drives
MicrophoneAndWebcamSecurityPermission Microphones and webcams
PdaSecurityPermission PDA devices
ScannerAndDigitalCameraSecurityPermission USB and other devices
Value Description
0 No Access
1 Read-only access
2 Full access
3 Prompt user for access
To set client resource permissions
300
301
Enabling Smart Card Logon
You must use Receiver (Enterprise) for smart card support.
Enabling smart card logon allows users to use smart cards instead of passwords toauthenticate to XenApp servers. You can use smart card logon either with or withoutpass-through authentication.
You must enable smart card support on the server and set up and configure the user deviceproperly with third-party smart card hardware and software. Refer to the documentationthat came with your smart card equipment for instructions about deploying smart cardswithin your network.
The smart card removal policy set on XenApp determines what happens if you remove thesmart card from the reader during an ICA session. The smart card removal policy isconfigured through and handled by the Windows operating system.
● Kerberos pass-through authentication requires a smart card inserted in the smart cardreader at logon time only. With this logon mode selected, the plug-in prompts the userfor a smart card PIN (Personal Identification Number) when it starts up. Kerberospass-through authentication then caches the PIN and passes it to the server every timethe user requests a published resource. The user does not have to subsequently reentera PIN to access published resources or have the smart card continuously inserted. Ifauthentication based on the cached PIN fails or if a published resource itself requiresuser authentication, the user continues to be prompted for a PIN.
● Disabling pass-through authentication requires a smart card to be present in the smartcard reader whenever the user accesses a server. With pass-through disabled, theplug-in prompts the user for a smart card PIN when it starts up and every time the userrequests a published resource.
302
Enforcing Trust Relations
Trusted server configuration is designed to identify and enforce trust relations involved inReceiver connections. This trust relationship increases the confidence of Receiveradministrators and users in the integrity of data on user devices and prevents the malicioususe of Receiver connections.
When this feature is enabled, Receivers can specify the requirements for trust anddetermine whether or not they trust a connection to the server. For example, a Receiverconnecting to a certain address (such as https://*.citrix.com) with a specific connectiontype (such as SSL) is directed to a trusted zone on the server.
When trusted server configuration is enabled, XenApp servers or the Access Gateway mustreside in a Windows Trusted Sites zone. (For step-by-step instructions about adding serversto the Windows Trusted Sites zone, see the Internet Explorer online help.)
If you connect using SSL, add the server name in the format https://CN, where CN is theCommon Name shown on the SSL certificate. Otherwise, use the format that Receiver usesto connect; for example if Receiver connects using an IP address, add the server’s IPaddress.
To enable trusted server configuration
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. Expand the Administrative Templates folder under the User Configuration node.
7. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network Routing > Configure trusted serverconfiguration. In Windows 7 and Windows Server 2008, expand AdministrativeTemplates and navigate through Classic Administrative Templates (ADM) > CitrixComponents to the desired configuration option.
8. From the Action menu, choose Properties and select Enabled.
Enforcing Trust Relations
303
304
Elevation Level and wfcrun32.exe
When User Access Control (UAC) is enabled on devices running Windows Vista or later, onlyprocesses at the same elevation/integrity level as wfcrun32.exe can launch publishedapplications.
Example 1:
When wfcrun32.exe is running as a normal user (un-elevated), other processes such asReceiver must be running as a normal user to launch applications through wfcrun32.
Example 2:
When wfcrun32.exe is running in elevated mode, other processes such as ConnectionCenter, Receiver, and third party applications using the ICA Client Object that are runningin non-elevated mode cannot communicate with wfcrun32.exe.
305
Citrix Receiver for Windows 3.0
About this Release To configure and install Receiver usingcommand-line parameters
Issues fixed in Receiver for Windows 3.0 Using the Receiver with XenDesktopConnections
System Requirements and Compatibility forReceiver for Windows 3.0
Optimizing the Receiver Environment
Licensing Your Product Improving the Receiver User Experience
Deciding Which Receiver to Use Securing Your Connections
Overview of Receiver Installation Packages Securing Receiver Communication
306
Citrix Receiver for Windows 3.0
About this Release To configure and install Receiver usingcommand-line parameters
Issues fixed in Receiver for Windows 3.0 Using the Receiver with XenDesktopConnections
System Requirements and Compatibility forReceiver for Windows 3.0
Optimizing the Receiver Environment
Licensing Your Product Improving the Receiver User Experience
Deciding Which Receiver to Use Securing Your Connections
Overview of Receiver Installation Packages Securing Receiver Communication
307
About the Citrix Receiver for Windows 3.0
Version 1.0
Notes:
For Issues Fixed in Citrix Receiver for Windows 3.0, go to:http://support.citrix.com/article/CTX124164
What's New● Citrix Receiver for Windows.The Citrix Receiver replaces the Citrix Online Plug-in for
Windows. The Online Plug-in 13.0 is embedded in Receiver.
● Unified user experience. Gives end users a common user interface whether using onlyCitrix Receiver or with any other Citrix Plug-ins.
● Improved user experience. Improved application launching and reconnection.
● Internet Explorer 9 support.
● Simplified listing of devices in the Desktop Viewer. To simplify the display of USBdevices, by default any that use the Generic USB virtual channel (for example,webcams and memory sticks) are not displayed on the Devices tab of the DesktopViewer Preferences dialog box. Users can view the complete list of devices using acheckbox on the tab.
● Enhanced Desktop Viewer user interface. The Preferences dialog box in the DesktopViewer has been redesigned, and the USB button on the toolbar is now called Devices.
● Windows 7 support. The Citrix Desktop Lock (formerly called the Desktop ApplianceLock) now supports Windows 7.
● RemoteFX support. As an alternative to the Desktop Viewer UI, you can formconnections to XenDesktop VDAs using Microsoft RemoteFX. For instructions on this, seeCTX129509.
● Session pre-launch. Reduced application launch time at high-traffic periods. Configurethis feature on the server and client sides.
● Multi-stream ICA. Improved QoS support by allowing Branch Repeater and third partyrouters to apply QoS policies across multiple ICA connections.
● Multiple audio device redirection. Enables remoting of multiple audio devices presenton the user device.
● New Single Sign-On Plug-in. Simplified password management.
● Seamless Taskbar Grouping. Taskbar icons associated with applications published withXenApp 6 or later are grouped by application similar to how local application icons aregrouped.
● Aero support. Receiver now supports the display of Windows Aero theme on virtualdesktops. A new .msi file is included that works with the Virtual Desktop Agent (part ofXenDesktop) to provide the support.
● User documentation. Topics that describe how users interact with their virtualdesktops and control the Desktop Viewer have been moved from eDocs to the Receiverfor Windows online help, which also includes the Connection Center help. This isavailable at http://support.citrix.com/help/receiver/en/receiverHelpWin.htm.
About Receiver for Windows 3.0
308
Known IssuesThis section contains:
● General issues
● Known issues - Desktop connections
● Third-party issues
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
General Issues
● If you use the Receiver with XenApp 5.0 Feature Pack 2 for Windows Server 2003 (32- or64-bit editions), the Receiver plays audio even when you configure the Turn offspeakers policy setting to disable the audio. [#242703]
● You might receive an error message when trying to launch an application with WebInterface after installing a previous version of the Receiver (Online plug-in) whilelogged in as one user, upgrading with CitrixReceiver.exe as another user, logging off theReceiver, and logging back on with the previous user name. The error message is: Citrixonline plug-in Configuration Manager: No value could be found for (ClientHostedApps)that satisfies all lock down requirements. The lockdown requirements in force may beconflicting. [#261877]
As a workaround, set the following registry key:
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\Lockdown Profiles\AllRegions\Lockdown\Virtual Channels\Control
Name: ClientHostedApps
Value: FALSE (or set to * / TRUE if you have overridden the defaults inHKEY_LOCAL_MACHINE)
● If you use Web Interface with Internet Explorer 8 and Windows 7 to upgrade to thisversion of Citrix Receiver, the upgrade finishes, but the Upgrade in Progress messageremains on the screen and the log on screen does not appear. Workaround: Restart thebrowser [#247858]
● When you launch applications using the Web Interface, Connection Center does notenumerate the sessions. [#261177]
● After you launch a published application that is filtered by XenApp for Access Gateway,other published applications do not launch. [#263003]
About Receiver for Windows 3.0
309
Desktop Connections
● Loss of video is experienced if files are being played with a published version ofWindows Media Player through a virtual desktop session, and the Desktop Viewerwindow is changed from full-screen to window mode. As a workaround, minimize andrestore the Media Player window, and then pause and resume the application (or stopand restart it). [#246230]
● You cannot log off gracefully from Windows XP 32-bit virtual desktops if you start (butdo not log on to) the Receiver in the desktop session. If the Receiver logon dialog box isnot completed, you cannot log off from the desktop. To work around the issue,complete the logon dialog box or close it. This issue is not observed on other virtualdesktop operating systems. [#246516]
● When using Receiver for Windows 3.0 with a Windows XP virtual desktop created withXenDesktop 5, an error occurs if the user starts a published application from thedesktop. This issue does not occur on desktops created with XenDesktop 5.5 or on otherdesktop operating systems created with XenDesktop 5. The workaround is to useReceiver for Windows 3.0 with XenDesktop 5.5. [#263079]
● The Citrix Desktop Lock (formerly the Citrix Desktop Appliance Lock), which is installedusing DesktopApplianceLock.msi, does not redirect Adobe Flash content todomain-joined user devices. The content can be viewed but is rendered on the server,not locally. As a workaround, Adobe Flash redirection can be configured for server-sidecontent fetching to pass the content from the server to the user device. This issue doesnot occur on non-domain-joined devices or when the content is viewed with theDesktop Viewer. [#263092]
● The Desktop Viewer Devices menu may not close when the user clicks the Devices icon.It also may remain open after its corresponding dialog box closes. If this occurs, clickthe Devices icon again. [#262202]
● Windows Media Player, when displayed in the non-primary monitor of a two-monitorWindows user device, may not work as expected. Due to an issue with the DirectX videomixing renderer filter VMR-9, the screen is black and there is no sound, although theplayer's progress bar advances. To correct this issue, edit the registry on the userdevice from which the XenDesktop connection is launched. In theHKEY_CURRENT_USER\Software\Citrix subkey, create the HdxMediaStream key. Namethe key DisableVMRSupport. Set the type as REG_DWORD. Give the key the value 3.[#262852]
Third-Party Issues● When using Internet Explorer to open a Microsoft Office document in Edit mode from
SharePoint, Microsoft Office might display the message, “Access denied.” Workaround:Go to the SharePoint site and check out the document, edit it, and check the file backin to SharePoint. [#258725]
About Receiver for Windows 3.0
310
311
System Requirements and Compatibilityfor the Citrix Receiver for Windows
● Supported Windows Operating Systems:
● Windows 7, 32-bit and 64-bit editions (including Embedded Edition)
● Windows XP Professional, 32-bit and 64-bit editions
● Windows XP Embedded
● Windows Vista, 32-bit and 64-bit editions
● Windows Thin PC
● Windows Server 2008 R1, 32-bit and 64-bit editions (not supported by XenDesktopconnections)
● Windows Server 2008 R2, 64-bit edition (not supported by XenDesktop connections)
● Windows Server 2003, 32-bit and 64-bit editions (not supported by XenDesktopconnections)
Important: For XenDesktop connections, be aware that the Citrix Desktop Lock isonly supported on Windows XP Professional, Windows XP Embedded, Windows 7,and Windows Embedded Standard 7. If your deployment includes smart cards, andWindows 7 or Windows Embedded Standard 7, see the additional requirements inthis topic.
● Server support:
● Web Interface 5.x for Windows with a XenApp Services or XenDesktop Web site
● XenApp (any of the following products):
● Citrix XenApp 6.5 for Windows Server 2008 R2
● Citrix XenApp 6 for Windows Server 2008 R2
● Citrix XenApp 5 for Windows Server 2008
● Citrix XenApp 5 for Windows Server 2003● XenDesktop (any of the following products):
● XenDesktop 5.5
● XenDesktop 5
● XenDesktop 4● Delivery Services 1.0
● Merchandising Server 2.x
● Dazzle and ICA File Signing Support. ICA File Signing is not supported with Dazzle 1.1.
● Upgrades. Upgrades are supported only for Citrix XenApp Plugin for Hosted Apps 11.0,Desktop Receiver 11.1, and Citrix online plug-in 11.1,11.2, 12.0, and 12.1 releases.
● Availability of the Receiver for Windows 3.0 features. Some of the features andfunctionality of Receiver are available only when connecting to newer XenApp andXenDesktop versions and might require the latest hotfixes for XenApp, XenDesktop, andSecure Gateway.
● Previous versions of the Presentation Server Client/Online Plug-in and the currenticaclient.adm file. Previous versions of the Presentation Server Client and OnlinePlug-in are not compatible with the Receiver for Windows 3.0 icaclient.adm file.
● Supported Browsers:
● Internet Explorer Version 6.0 through 9.0
● Mozilla Firefox Version 1.x through 5.x● .NET Framework Requirements (XenDesktop Connections Only)
To use the Desktop Viewer, .NET 2.0 Service Pack 1 or later is required. This version isrequired because, if Internet access is not available, certificate revocation checks slowdown connection startup times. The checks can be turned off and startup timesimproved with this version of the Framework but not with .NET 2.0. Use of the CitrixDesktop Lock does not require the .NET Framework to be installed.
● Hardware Requirements:
● VGA or SVGA video adapter with color monitor
● Windows-compatible sound card for sound support (optional)
● For network connections to the server farm, a network interface card (NIC) and theappropriate network transport software
● Supported Connection Methods and Network Transports:
Protocol Citrix Receiver
TCP/IP+HTTP X
SSL/TLS+HTTPS X● HDX MediaStream Multimedia Acceleration
Applications and media formats supported by HDX MediaStream Multimedia Accelerationare:
● Applications based on Microsoft’s DirectShow, DirectX Media Objects (DMO), andMedia Foundation filter technologies such as Windows Media Player and RealPlayer.
● Applications like Internet Explorer and Microsoft Encarta are also supported, as theyleverage Windows Media Player.
System Requirements
312
● Both file-based and streaming (URL-based) media formats: WAV, all variations ofMPEG, unprotected Windows Media Video (WMV), and Windows Media Audio (WMA).
Note: HDX MediaStream Multimedia Acceleration does not support media filesprotected with Digital Rights Management (DRM).
● Smart Cards and the Citrix Desktop Lock
The Citrix Desktop Lock can be used with smart cards connected to domain-joined userdevices running Windows XP or Windows XPe but not Windows 7 or Windows EmbeddedStandard 7. This limitation does not apply to non-domain-joined user devices.
System Requirements
313
314
Deciding Which Receiver to Use
Different enterprises have different corporate needs, and your expectations andrequirements for the way users access your published resources and virtual desktops canshift as your corporate needs evolve and grow.
The Receivers and their internal features are:
● Citrix Receiver ( CitrixReceiver.exe) - Smaller package that you can deploy from a Webpage.
● Receiver Experience
● Web plug-in
● Generic USB (XenDesktop)
● Desktop Viewer (XenDesktop)
● HDX Media Stream for Flash
● Aero desktop experience (for operating systems that support it)
Important: To use single sign-on, you must install CitrixReceiverEnterprise.exe.
● Citrix Receiver (Enterprise) (CitrixReceiverEnterprise.exe)
● Receiver Experience
● Web plug-in
● PNA plug-in
● Single sign-on/pass-through authentication
● Generic USB (XenDesktop)
● Desktop Viewer (XenDesktop)
● HDX Media Stream for Flash
● Aero desktop experience (for operating systems that support it)See the specific product documentation for information about Receivers for other userdevices and operating systems.
The Receivers differ in terms of:
● Access method by which published resources and virtual desktops are delivered tousers. Resources and desktops can be delivered to users on the desktop or through aWeb browser.
● Installation packages. For more information about the installation packages, seeOverview of Receiver Installation Packages.
To decide which Receiver best fits your needs, consider the way you want users to accessyour published resources and virtual desktops, the way you want to manage this access, andthe feature set that your users will need.
Receiver Access method User involvement Receiver features
CitrixReceiver
Web browser-basedaccess to publishedresources and virtualdesktops.
● Minimal userinteractionduringinstallation
● Centraladministration ofuser settings
● Does not requireadministratorprivileges toinstall
● Hosted applicationsand desktops
● Desktop Viewer USB
● HDX Media Streamfor Flash
● Integration withother Plug-ins
CitrixReceiver(Enterprise)
Transparentintegration ofpublished resourcesand virtual desktopsinto user’s desktop.
● Minimal userinteractionduringinstallation
● Centraladministration ofuser settings
● Requiresadministratorprivileges toinstall
● Hosted applicationsand desktops
● Desktop Viewer USB
● HDX Media Streamfor Flash
● Applications in theStart menu
● PNAgent support
● Pass-throughauthenticationintegration withother Plug-ins
Get Started
315
316
Citrix Receiver for Windows Overview
Citrix Receiver supports XenApp and XenDesktop connections.
XenApp ConnectionsCitrix Receiver for Windows supports the XenApp feature set. Centrally administer andconfigure the Receiver in the Delivery Services Console or the Web Interface ManagementConsole using a Receiver site created in association with a site for the server running theWeb Interface.
Citrix Receiver (standard) is a smaller package that is installed with the CitrixReceiver.exeinstaller file. Administrative rights are not required to install this package, enablinginstallation by standard users.
Citrix Receiver (Enterprise) operates with the Citrix offline plug-in, to provide applicationstreaming to the user desktop. Install the Receiver (Enterprise) on user devices running theoffline plug-in to take advantage of the full set of application streaming features of theplug-in and Citrix XenApp. For more information about the streamed application feature,see the Application Streaming documentation.
The Desktop Viewer is not supported with XenApp connections.
Important: The Receiver requires the Citrix Web Interface.
XenDesktop ConnectionsCitrix Receiver includes the Desktop Viewer, the client-side software that supportsXenDesktop. Users running the Desktop Viewer on their devices access virtual desktopscreated with XenDesktop in addition to their local desktop. Users running the Citrix DesktopLock (which you install in addition to the Desktop Viewer) interact only with the virtualdesktop not the local desktop.
How Published Resources are Accessed withReceiver (standard)
If you want users to access published resources and virtual desktops from within a familiarbrowser environment, use this Receiver. Users access published resources and desktops byclicking links on a Web page you publish on your corporate intranet or the Internet. Thepublished resource or desktop launches either in the same window or in a new, separatebrowser window. This version of Receiver does not require user configuration and does nothave a user interface.
How Published Resources are Accessed withReceiver (Enterprise)
The Receiver (Enterprise) allows your XenApp users to access all of their publishedresources from a familiar Windows desktop environment. Users work with publishedresources the same way they work with local applications and files. Published resources arerepresented throughout the user desktop, including the Start menu and by icons thatbehave just like local icons. Users can double-click, move, and copy icons, and createshortcuts in their locations of choice. The Receiver (Enterprise) works in the background.Except for a menu available from the notification area and the Start menu, Receiver(Enterprise) does not have a user interface.
Receiver (standard) Management and AdministrationYou can use this Receiver to access resources and desktops available from the WebInterface and for access to resources published with traditional Application Launching andEmbedding (ALE). Publish links to your resources with the Web Interface or by using anHTML wizard.
In the webinterface.conf file for your XenApp websites, edit the ClientIcaWin32= line tospecify the CitrixReceiver.exe installation file and remove the comment character (#).
This Receiver requires the presence on user devices of any of these browsers: MicrosoftInternet Explorer 6.0 through 9.0; or Mozilla Firefox 1.0 through 3.x.
Receiver (Enterprise) Management and AdministrationYou configure the Receiver (Enterprise) at a site created in the consoles and associatedwith the site for the server running the Web Interface. By using the consoles in this way,you can manage and control your Receiver (Enterprise) population dynamically throughoutyour network from a single location and in real time.
Citrix Receiver for Windows Overview
317
318
Citrix Connection Center Overview
The Citrix Connection Center displays all connections established from the Receiver.
The ICA Connections window displays a list of active sessions. Each server entry in the listrepresents a session. For each seamless session, below each server entry, a list of thepublished resources you are running on that server appears.
After you launch a published resource, you can access the Connection Center by rightclicking the Receiver icon in your Windows notification area and choose Online Sessions >Connection Center. You can also access the Connection Center from the Preferences >Plug-in Status screen.
The Connection Center offers various options to view statistics and control sessions andapplications:
● Disconnect a session from a server but leave the session running on it
● End a server session
● Switch from seamless mode to full screen mode
● Seamless mode. Published applications and desktops are not contained within asession window. Each published application and desktop appears in its ownresizable window, as if it is physically installed on your user device. You can switchbetween published applications and the local desktop.
● Full screen mode. Published applications are placed in a full screen-sized desktop.● Show connection status details like frames sent and received
● Terminate an indivual published application
● Set access permissions
319
Providing Virtual Desktops to ReceiverUsers
This topic applies to XenDesktop deployments only.
Different enterprises have different corporate needs, and your requirements for the wayusers access virtual desktops may vary from user to user, and as your corporate needsevolve. The user experience of connecting to virtual desktops and the extent of userinvolvement in configuring the connections depend on how you set up the Citrix Receiverfor Windows. You have two options for providing users with access to virtual desktops: usingthe Desktop Viewer or the Citrix Desktop Lock.
Important: Do not attempt to use the Desktop Viewer or the Desktop Lock to connect todesktops published with XenApp.
Desktop ViewerUse the Desktop Viewer when users need to interact with their local desktop as well as thevirtual one. In this access scenario, the Desktop Viewer toolbar functionality allows the userto open a virtual desktop in a window and pan and scale that desktop inside their localdesktop. Users can set preferences and work with more than one desktop using multipleXenDesktop connections on the same user device.
Citrix Desktop LockUse the Desktop Lock when users do not need to interact with the local desktop. In thisaccess scenario, the Desktop Viewer is not available and the virtual desktop effectivelyreplaces the local one, allowing the user to interact with the virtual desktop as if it is local.This provides the best user experience in a XenDesktop environment.
To decide which option best suits your deployment, consider how you want users to accessand interact with virtual desktops.
To understand the user experience of connecting to desktops created with XenDesktop,consult the planning topics in the XenDesktop documentation.
320
Overview of Citrix Receiver for WindowsInstallation Packages
This release contains two installation packages and offers several options for installing theCitrix Receiver for Windows. You can install the two Receiver installer packages with almostno user interaction.
● CitrixReceiver.exe - General purpose package that enables web access to hostedapplications and desktops. This Receiver (standard) does not require administratorrights to install and can be installed:
● Automatically from Web Interface
● By the user
● Using an Electronic Software Distribution (ESD) tool● CitrixReceiverEnterprise.exe - Specific purpose package that enables native Windows
access to hosted applications and pass-through authentication. Requires administratorrights to install and though the user can install it, Receiver (Enterprise) is usuallyinstalled with an ESD tool.
Important: Upgrades are supported only from the Citrix XenApp Plugin for Hosted Apps11.0, Desktop Receiver 11.1, and Citrix online plug-in 11.1, 11.2, and 12.x. Remove anyearlier versions before installing this version.
Considerations When UpgradingBecause there are two Citrix Receiver installation packages and there were two onlineplug-in packages (web and full) in previous releases, each having different options, youhave to consider the previously installed package when planning your upgrade. Use thistable to determine how to procede with your upgrade.
Currently installed Upgrade Package Result
No Online plug-in installed CitrixReceiverEnterprise.exe Citrix Receiver(Enterprise) - web access- but manuallyconfigurable for PNA
No Online plug-in installed CitrixReceiver.exe Citrix Receiver (standard)- web access
Online plug-in fullconfigured for PNA or SSO
CitrixReceiverEnterprise.exe Citrix Receiver(Enterprise) configuredfor PNA or SSO
Online plug-in web CitrixReceiver.exe Citrix Receiver (standard)- web access
Online plug-in web CitrixReceiverEnterprise.exe Citrix Receiver(Enterprise) - web access- but manuallyconfigurable for PNA
The following upgrade scenarios are not supported:
Currently installed Upgrade Package Result
Online plug-in fullconfigured for PNA or SSO
CitrixReceiver.exe Installer displays an errormessage and does not alterthe previously installedclient.
Citrix Receiver (Enterprise) CitrixReceiver.exe Installer displays an errormessage and does not alterthe previously installedclient.
How Installation Outcomes Differ Based on theOperating System, User Type, and InstallationPackage
The outcome of CitrixReceiver.exe or CitrixReceiverEnterprise.exe package installationsdiffers based on the combination of the operating system on the user device, user type,whether User Account Control (UAC) is enabled or disabled on Windows Vista, Windows 7,and Windows 2008 computers, and which installation package is used.
Operating system and usertype
CitrixReceiver.exe CitrixReceiverEnterprise.exe
OS: Windows XP, andWindows Server 2003
User: Administrator
Installation type:per-computer
Installation type:per-computer
OS: Windows XP, andWindows Server 2003
User: Standard user
Installation type: per-user Not supported
OS: Windows Vista,Windows 7, and WindowsServer 2008
User: Administrator with orwithout UAC disabled
Installation type:per-computer
Installation type:per-computer
OS: Windows Vista,Windows 7, and WindowsServer 2008
User: Standard user
Installation type: per-user Not supported
Install and Uninstall
321
322
Installing and Uninstalling Receiver forWindows Manually
Users can install the Receiver from the Web Interface, the installation media, a networkshare, Windows Explorer, or a command line by running the CitrixReceiverEnterprise.exe orCitrixReceiver.exe installer package. Because the installer packages are self-extractinginstallations that extract to the user's temp directory before launching the setup program,ensure that there is enough free space available in the %temp% directory.
When the user runs one of the Receiver installation .exe files, a message box immediatelyappears displaying the progress of the installation.
When you cancel the installation before completion, some components might be installed.In that case, remove the Receiver with the Add/Remove Programs utility from the ControlPanel on Windows XP or Windows Server 2003 (Programs and Features utility from theControl Panel on Windows Vista, Windows 7, and Windows Server 2008).
Upgrades are supported only from the Citrix XenApp Plugin for Hosted Apps 11.0, DesktopReceiver 11.1, and Citrix online plug-in 11.1, 11.2, and 12.x. Remove any earlier versionsbefore installing this current version.
For command line installation parameters, see To configure and install the Citrix Receiverfor Windows using command-line parameters.
Important: For Firefox to work correctly with Receiver for Windows, ensure that you orthe user install Firefox before installing Receiver. If Receiver is already installed,uninstall it, install Firefox, and reinstall Receiver. Also ensure that the whitelists oftrusted and untrusted servers contain the XenApp and Web Interface server names.
Removing the ReceiverYou can also use the Citrix Receiver Updater to install and uninstall Receiver. If CitrixReceiver Updater was not used to install the Receiver, you can uninstall Receiver byrunning the Add/Remove Programs utility from the Control Panel on Windows XP orWindows Server 2003 (Programs and Features utility from the Control Panel on WindowsVista, Windows 7, and Windows Server 2008).
If you delete Receiver related files or registry entries just before uninstalling Receiver withAdd/Remove Programs or Programs and Features, uninstall might fail. The MicrosoftWindows Installer (MSI) is trying to repair and uninstall at the same time. If this occurs, usethe Receiver to start an auto-repair. After the auto-repair completes, you can cleanlyuninstall Receiver from Add/Remove Programs or Programs and Features.
Auto-repair occurs if there is a problem with Receiver; however, there is no Add/RemovePrograms or Programs and Features Repair option.
To remove Receiver using the command line
You can also uninstall Receiver from a command line by typing the appropriate command.
CitrixReceiverEnterprise.exe /uninstall
or
CitrixReceiver.exe /uninstall
Caution: Using Registry Editor incorrectly can cause serious problems that can requireyou to reinstall the operating system. Citrix cannot guarantee that problems resultingfrom incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Make sure you back up the registry before you edit it.
After uninstalling the Receiver software from a user device, the custom Receiver-settingregistry keys created by icaclient.adm remain in the Software\Policies\Citrix\ICA Clientdirectory under HKEY_LOCAL_MACHINE and HKEY_LOCAL_USER. If you reinstall Receiver,these policies might be enforced, possibly causing unexpected behavior. If you want toremove these customizations, delete them manually.
Installing and Uninstalling Receiver for Windows Manually
323
324
Upgrading the Desktop Viewer andDesktop Appliance Lock
You can upgrade the Desktop Viewer component contained in Citrix online plug-in 12.1 byinstalling this version of the Citrix Receiver for Windows.
To upgrade the Desktop Appliance Lock, remove Citrix online plug-in 12.1 and the DesktopAppliance Lock, and then install this version of the Receiver and the Citrix Desktop Lock.
325
To install the Citrix Desktop Lock
Important: Log on using a local administrator account to carry out this installationprocedure. In addition, consult About the Citrix Receiver for Windows 3.0 forworkarounds to any known issues with the Desktop Lock.
This procedure installs the plug-in so that virtual desktops are displayed using the CitrixDesktop Lock. Do not use this procedure if you want the Desktop Viewer to be available tousers.
1. On the installation media, navigate to the folder called Citrix Receiver andPlug-ins\Windows\Receiver, and run CitrixReceiverEnterprise.exe from the commandline using the following syntax:
CitrixReceiverEnterprise.exe ADDLOCAL="ICA_Client,SSON,USB,DesktopViewer,Flash,PN_Agent,Vd3d" SERVER_LOCATION="my.server" ENABLE_SSON="Yes"
For information about the properties used in this command, see To configure and installthe Citrix Receiver for Windows using command-line parameters
2. Enter the URL of the XenDesktop Services site where your virtual desktops are located.The URL must be in the format http://servername or https://servername. If you areusing hardware or software for load balancing or failover, you can enter aload-balanced address.
Important: Check that the URL you enter is correct. If the URL is incorrectly typed,or you leave the field empty and the user does not enter a valid URL when promptedafter installation, no virtual desktop or local desktop will be available.
3. On the XenDesktop installation media, navigate to the Citrix Receiver andPlug-ins\Windows\Receiver folder and double-click CitrixDesktopLock.msi. The CitrixDesktop Lock wizard appears.
4. On the License Agreement page, read and accept the Citrix license agreement andclick Install. The Installation Progress page appears.
5. In the Installation Completed dialog box, click Close.
6. When prompted, restart the user device. If you have been granted access to a desktopand you log on as a domain user, the restarted device is displayed using the DesktopLock.
326
User Accounts Used to Install the CitrixDesktop Lock
When you install the Citrix Desktop Lock, a replacement shell is used. To allowadministration of the user device after you complete the installation, the account used toinstall CitrixDesktopLock.msi is excluded from the shell replacement. If the account used toinstall CitrixDesktopLock.msi is later deleted, you will not be able to log on and administerthe device.
Note that because a replacement shell is used, Citrix does not recommend the use ofcustom shells with desktops accessed through the Desktop Lock.
327
To remove the Citrix Desktop Lock
If you installed the Citrix Desktop Lock, two separate items are displayed in Add/RemovePrograms. You must remove both to complete the removal process.
1. Log on with the same local administrator credentials that were used to install theDesktop Lock.
2. Run the Add/Remove programs utility from the Control Panel.
3. Remove Citrix Desktop Lock.
4. Remove Citrix Receiver or Citrix Receiver (Enterprise).
328
To configure and install the CitrixReceiver for Windows usingcommand-line parameters
You or your users can customize the Receiver installer by specifying command line options.Because the installer packages are self-extracting installations that extract to the user'stemp directory before launching the setup program, ensure that there is enough free spaceavailable in the %temp% directory.
Important: For Firefox to work correctly with Receiver for Windows, ensure that you orthe user install Firefox before installing Receiver. If Receiver is already installed,uninstall it, install Firefox, and reinstall Receiver. Also ensure that the whitelists oftrusted and untrusted servers contain the XenApp and Web Interface server names.
Space Requirements
Receiver (standard) - 78.8 Mbytes
Receiver (Enterprise) - 93.6 Mbytes
This includes program files, user data, and temp directories after launching severalapplications.
1. On the computer where you want to install the Receiver for Windows package, type thefollowing at a command prompt:
CitrixReceiverEnterprise.exe [Options]
or
CitrixReceiver.exe [Options]
2. Set your options as needed.
● /? or /help displays usage information.
● /noreboot suppresses reboot during UI installations. This option is not necessaryduring silent installs.
● /silent disables the error and progress dialogs to execute a completely silentinstallation.
● PROPERTY=Value
Where PROPERTY is one of the following all-uppercase variables (keys) and Value isthe value the user should specify.
● INSTALLDIR=Installation directory, where Installation directory is the locationwhere the Receiver software is installed. The default value is C:\ProgramFiles\Citrix\ICA Client. If you use this option and specify an Installationdirectory, you must install the RIInstaller.msi in the Installationdirectory\Receiver directory and the other .msi files in the Installationdirectory.
● CLIENT_NAME=ClientName, where ClientName is the name used to identify theuser device to the server farm. The default value is %COMPUTERNAME%.
● ENABLE_DYNAMIC_CLIENT_NAME={Yes | No} The dynamic client name featureallows the client name to be the same as the computer name. When userschange their computer name, the client name changes to match. To enabledynamic client name support during silent installation, the value of theproperty ENABLE_DYNAMIC_CLIENT_NAME in your installation file must be Yes.To disable dynamic client name support, set this property to No.
● ADDLOCAL=feature[,...]. Install one or more of the specified components.When specifying multiple parameters, separate each parameter with a commaand without spaces. The names are case sensitive. If you do not specify thisparameter, all components included in the CitrixReceiverEnterprise.exe orCitrixReceiver.exe are installed by default.
Note: ReceiverInside and ICA_Client are prerequisites for all othercomponents and must be installed.
ReceiverInside. Installs the Receiver experience. (Required)
ICA_Client. Installs the standard Receiver. (Required)
SSON. Installs single sign on. This value is supported only withCitrixReceiverEnterprise.exe. For more information, seehttp://support.citrix.com/article/CTX122676.
USB. Installs USB.
DesktopViewer. Installs the Desktop Viewer.
Flash. Installs HDX media stream for flash.
PN_Agent. Installs Receiver (Enterprise). This value is supported only withCitrixReceiverEnterprise.exe.
Vd3d. Enables the Windows Aero experience (for operating systems thatsupport it)
● ENABLE_SSON={Yes | No}. The default value is Yes. Note that users must logoff and log back onto their devices after an installation with pass-throughauthentication enabled.
Important: If you disable single sign on pass-through authentication, usersmust reinstall Receiver if you decide to use pass-through authentication at alater time.
● ENABLE_KERBEROS={Yes | No}. The default value is No. Specifies that Kerberos should be used; applies only when pass-through authentication (SSON)
To configure and install the Citrix Receiver for Windows using command-line parameters
329
is enabled.
● DEFAULT_NDSCONTEXT=Context1 [,…]. Include this parameter to set a defaultcontext for Novell Directory Services (NDS). To include more than one context,place the entire value in quotation marks and separate the contexts by acomma. Examples of correct parameters:
DEFAULT_NDSCONTEXT="Context1"
DEFAULT_NDSCONTEXT=“Context1,Context2”
● SERVER_LOCATION=Server_URL. The default value is blank. Provide the URL ofthe server running the Web Interface. The URL must be in the formathttp://servername or https://servername.
The Receiver appends the default path and file name of the configuration fileto the server URL. If you change the default location of the configuration file,enter the entire new path in the SERVER_LOCATION key.
If there is a problem with the installation, search in the user's %TEMP% directory for the logswith the prefix CtxInstall- or TrollyExpress- . For example:
CtxInstall-ICAWebWrapper.log
TrollyExpress-20090807-123456.log
Example of a Command-Line Installation
CitrixReceiverEnterprise.exe /silentADDLOCAL="ReceiverInside,ICA_Client,PN_Agent" ENABLE_SSON=noINSTALLDIR="c:\test" ENABLE_DYNAMIC_CLIENT_NAME=YesDEFAULT_NDSCONTEXT="Context1,Context2"SERVER_LOCATION="http://testserver.net" CLIENT_NAME="Modified"
This example:
● Installs Receiver (Enterprise) without visible progress dialog boxes
● Installs only Receiver Inside, the standard Receiver (ICA_Client), and enterpriseReceiver (PN_Agent)
● Disables pass-through authentication
● Specifies the location where the software is installed
● Enables dynamic client naming
● Specifies the default context for NDS
● Specifies the URL (http://testserver.net) of the server running the Web Interface,which Receiver will reference
● Specifies the name used to identify the user device to the server farm
To configure and install the Citrix Receiver for Windows using command-line parameters
330
331
To extract, install, and remove theindividual Receiver (Enterprise) .msi files
Citrix does not recommend extracting the .msi files in place of running the installerpackages. However, there might be times when you have to extract the Receiver(Enterprise) .msi files from CitrixReceiverEnterprise.exe manually, rather than running theinstaller package (for example, company policy prohibits using the .exe file). If you use theextracted .msi files for your installation, using the .exe installer package to upgrade oruninstall and reinstall might not work properly.
For Citrix-recommended Receiver (Enteprise) installation information, see To configure andinstall Receiver for Windows using the command-line parameters and Delivering ReceiverUsing Active Directory and Sample Startup Scripts.
1. To extract the .msi files, type the following at a command prompt:
CitrixReceiverEnterprise.exe /extract [Destination_name]
where Destination _name is a complete pathname to the directory into which the .msifiles are extracted. The directory must exist already and /extract adds a subfoldercalled extract to that directory. For example, you create a C:\test directory and whenyou run /extract, the extracted .msi files are put in C:\test\extract.
2. To install the .msi files, double click each file.
Note: If User Access Control (UAC) is enabled, Citrix advises that you install the .msifiles in elevated mode. The .msi files are supported per-machine and requireadministrator privileges to deploy them.
When installing the Receiver (Enterprise) components, run the .msi files in this order:
a. RIInstaller.msi
b. ICAWebWrapper.msi
c. SSONWrapper.msi
d. GenericUSB.msi
e. DesktopViewer.msi
f. CitrixHDXMediaStreamForFlash-ClientInstall.msi
g. PNAWrapper.msi
h. Vd3d.msi
To remove the componentsWhen removing the components, remove them in this order:
1. Vd3d.msi
2. PNAWrapper.msi
3. CitrixHDXMediaStreamForFlash-ClientInstall.msi
4. DesktopViewer.msi
5. GenericUSB.msi
6. SSONWrapper.msi
7. ICAWebWrapper.msi
8. RIInstaller.msi
Each .msi file has an Add/Remove (Control Panel on Windows XP or Windows Server 2003)or Programs and Features (Control Panel on Windows Vista, Windows 7, and Windows Server2008) entry in the following format:
Name of package Name displayed in Add/Remove orPrograms and Features
RIInstaller.msi Citrix Receiver Inside
ICAWebWrapper.msi Online Plug-in
PNAWrapper.msi Citrix Receiver (PNA)
SSONWrapper.msi Citrix Receiver (SSON)
CitrixHDXMediaStreamForFlash-ClientInstall.msi Citrix Receiver (HDX FlashRedirection)
DesktopViewer.msi Citrix Receiver (DV)
GenericUSB.msi Citrix Receiver (USB)
Vd3d.msi Citrix Receiver (Aero)
To extract, install, and remove the individual Receiver (Enterprise) .msi files
332
333
Delivering Receiver Using ActiveDirectory and Sample Startup Scripts
You can use Active Directory Group Policy scripts to pre-deploy Receiver on systems basedon your Active Directory organizational structure. Citrix recommends using the scriptsrather than extracting the .msi files because the scripts allow for a single point forinstallation, upgrade, and uninstall, they consolidate the Citrix entries in Programs andFeatures, and make it easier to detect the version of Receiver that is deployed. Use theScripts setting in the Group Policy Management Console (GPMC) under ComputerConfiguration or User Configuration. Microsoft documents the advantages anddisadvantages of using scripts at Microsoft Technet - Use Group Policy to assign computerstartup scripts.
Citrix includes sample per-computer startup scripts to install and uninstallCitrixReceiver.exe and Citrix ReceiverEnterprise.exe. The scripts are located on the XenAppmedia in the Citrix Receiver and Plug-ins\Windows\Receiver\Startup_Logon_Scripts folder.
● CheckAndDeployReceiverEnterpriseStartupScript.bat
● CheckAndDeployReceiverPerMachineStartupScript.bat
● CheckAndRemoveReceiverEnterpriseStartupScript.bat
● CheckAndRemoveReceiverPerMachineStartupScript.bat
When the scripts are executed during Startup or Shutdown of an Active Directory GroupPolicy, custom configuration files might be created in the Default User profile of a system.If not removed, these configuration files can prevent some users from accessing theReceiver logs directory. The Citrix sample scripts include functionality to properly removethese configuration files.
To use the startup scripts to deploy Receiver with Active Directory
1. Create the Organizational Unit (OU) for each script.
2. Create a Group Policy Object (GPO) for the newly created OU.
To modify the sample scriptsModify the scripts by editing these parameters in the header section of each file:
● Current Version of package. The specified version number is validated and if it is notpresent, the deployment proceeds. For example, set DesiredVersion=3.0.0.XXXX to exactly match the version specified. If you specify a partial version, forexample 3.0.0, it matches any version with that prefix (3.0.0.1111, 3.0.0.7777, and soforth).
● Package Location/Deployment directory. This specifies the network share containingthe packages and is not authenticated by the script. The shared folder must have Readpermission for EVERYONE.
● Script Logging Directory. This specifies the network share where the install logs arecopied and is not authenticated by the script. The shared folder must have Read andWrite permissions for EVERYONE.
● Package Installer Command Line Options. These command line options are passed tothe installer. For the command line syntax, see To configure and install the CitrixReceiver for Windows using command-line parameters
To add the per-computer startup scripts1. Open the Group Policy Management Console.
2. Select Computer Configuration > Policies > Windows Settings > Scripts(Startup/Shutdown).
3. In the right-hand pane of the Group Policy Management Console, select Startup.
4. In the Properties menu, click Show Files, copy the appropriate script to the folderdisplayed, and then close the window.
5. In the Properties menu, click Add and use Browse to find and add the newly createdscript.
To deploy Receiver per-computer1. Move the user devices designated to receive this deployment to the OU you created.
2. Reboot the user device and log on as any user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)contains the newly installed package.
To remove Receiver per-computer1. Move the user devices designated for the removal to the OU you created.
2. Reboot the user device and log on as any user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)removed the previously installed package.
Delivering Receiver Using Active Directory and Sample Startup Scripts
334
335
Using the Per-User Sample StartupScripts
Citrix recommends using per-computer startup scripts but does include two Citrix Receiverper-user scripts on the XenApp media in the Citrix Receiver andPlug-ins\Windows\Receiver\Startup_Logon_Scripts folder for situations where you requireReceiver (standard) per-user deployments.
● CheckAndDeployReceiverPerUserLogonScript.bat
● CheckAndRemoveReceiverPerUserLogonScript.bat
To set up the per-user startup scripts1. Open the Group Policy Management Console.
2. Select User Configuration > Policies > Windows Settings > Scripts.
3. In the right-hand pane of the Group Policy Management Console, select Logon
4. In the Logon Properties menu, click Show Files, copy the appropriate script to thefolder displayed, and then close the window.
5. In the Logon Properties menu, click Add and use Browse to find and add the newlycreated script.
To deploy Receiver per-user1. Move the users designated to receive this deployment to the OU you created.
2. Reboot the user device and log on as the specified user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)contains the newly installed package.
To remove Receiver per-user1. Move the users designated for the removal to the OU you created.
2. Reboot the user device and log on as the specified user.
3. Verify that Program and Features (Add or Remove Programs in previous OS versions)removed the previously installed package.
336
Deploying the CitrixReceiver.exe from aWeb Interface Logon Screen
You can deploy the CitrixReceiver.exe from a Web page to ensure that users have theReceiver installed before they try to use the Web Interface. Create a home page and run anInternet Explorer script to download the CitrixReceiver.exe package automatically from theWeb server and install it for the user.
To install the Receiver software using CitrixReceiver.exe, the Windows Installer Servicemust be installed on the user device. This service is present by default on systems runningWindows XP, Windows Vista, Windows 7, Windows Server 2003, or Windows Server 2008.
Add the sites from which the CitrixReceiver.exe file is downloaded to the Trusted Siteszone.
In the webinterface.conf file for your XenApp websites, edit the ClientIcaWin32= line tospecify the CitrixReceiver.exe installation file and remove the comment character (#).
For more information, see the Web Interface documentation.
337
Configuring the Citrix Receiver forWindows
After the Receiver software is deployed to your users and they install it, there areconfiguration steps that can be performed for the Receiver. The Receiver (standard,CitrixReceiver.exe) does not require configuration.
From the Citrix management console for the XenApp server, configure the options andsettings for Receiver using the associated Receiver site. Each time users log on to theReceiver, they see the most recent configuration. Changes made while users are connectedtake effect when the Receiver configuration is refreshed manually or automatically after adesignated interval.
Important: Receiver requires the Citrix Web Interface.
Receiver handles the following functions:
● User authentication. Receiver provides user credentials to the Web Interface whenusers try to connect and every time they launch published resources.
● Application and content enumeration. Receiver presents users with their individualset of published resources.
● Application launching. Receiver is the local engine used to launch publishedapplications.
● Desktop integration. Receiver integrates a user’s set of published resources (includingvirtual desktops) with the user’s physical desktop.
● User preferences. Receiver validates and implements local user preferences.
338
Using the Group Policy Object Templateto Customize the Receiver
Citrix recommends using the Group Policy Object icaclient.adm template file to configurethe Receiver options and settings.
You can use the icaclient.adm template file with domain policies and local computerpolicies. For domain policies, import the template file using the Group Policy ManagementConsole. This is especially useful for applying Receiver settings to a number of differentuser devices throughout the enterprise. To affect a single user device, import the templatefile using the local Group Policy Editor on the device.
For details about Group Policy management, see the Microsoft Group Policy documentation.
To import the icaclient template using the GroupPolicy Management Console
To affect domain-based group policies, import the icaclient.adm file with the Group PolicyManagement Console.
1. As an administrator, open the Group Policy Management Console.
2. In the left pane, select a group policy and from the Action menu, choose Edit.
3. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
4. From the Action menu, choose Add/Remove Templates.
5. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
6. Select Open to add the template and then Close to return to the Group Policy Editor.
To import the icaclient template using the local GroupPolicy Editor
To affect the policies on a local computer, import the icaclient.adm file with the localGroup Policy Editor.
1. As an administrator, open the Group Policy Editor by running gpedit.msc from the Startmenu.
2. In the left pane, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
Using the Group Policy Object Template to Customize the Receiver
339
340
To customize user preferences for theReceiver (Enterprise)
Users can customize their preferences. For example, they can define window sizes forpublished applications, choose when to refresh the list of available published resources,and specify where the available published resources appear.
1. In the Windows notification area, right-click the Receiver icon and choosePreferences.
2. Right-click the Online Plug-in entry in the Plug-in Status and choose Options, select aproperty, and make the desired configuration changes.
If you configure seamless windows and set the task bar to Auto-hide, you cannot access thetaskbar when you maximize published applications. To access the taskbar, resize thepublished application.
For more detailed information, see the online help for Receiver.
To change the server URL in the Receiver (Enterprise)Receiver requires that you specify the location of a configuration file (Config.xml is thedefault configuration file) on the server running the Web Interface. You can ask your usersto change the server URL as you create new configuration files or delete old ones.
Note: To prevent users from accidentally changing their server URL, disable the option.
1. In the Windows notification area, right-click the Receiver icon and choose Preferences.
2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.
3. Type or select the server URL in the format http://servername or, to encrypt theconfiguration data using SSL, https://servername.
341
Configuring USB Support for XenDesktopConnections
USB support enables users to interact with a wide range of USB devices when connected toa virtual desktop. Users can plug USB devices into their computers and the devices areremoted to their virtual desktop. USB devices available for remoting include flash drives,smartphones, PDAs, printers, scanners, MP3 players, security devices, and tablets. DesktopViewer users can control whether USB devices are available on the virtual desktop using apreference in the toolbar.
Isochronous features in USB devices such as webcams, microphones, speakers, and headsetsare supported in typical low latency/high speed LAN environments. This allows thesedevices to interact with packages such as Microsoft Office Communicator and Skype.
The following types of device are supported directly in a XenDesktop session, and so do notuse USB support:
● Keyboards
● Mice
● Smart cards
Note: Specialist USB devices (for example, Bloomberg keyboards and 3D mice) can beconfigured to use USB support. For information on configuring Bloomberg keyboards, seeConfiguring Bloomberg Keyboards. For information on configuring policy rules for otherspecialist USB devices, see CTX 119722.
By default, certain types of USB devices are not supported for remoting throughXenDesktop. For example, a user may have a network interface card attached to the systemboard by internal USB. Remoting this would not be appropriate. The following types of USBdevice are not supported by default for use in a XenDesktop session:
● Bluetooth dongles
● Integrated network interface cards
● USB hubs
● USB graphics adaptors
USB devices connected to a hub can be remoted, but the hub itself cannot be remoted.
For instructions on modifying the range of USB devices that are available to users, seeUpdating the List of USB Devices Available for Remoting.
For instructions on automatically redirecting specific USB devices, see CTX123015.
342
How USB Support Works
When a user plugs in a USB device, it is checked against the USB policy, and, if allowed,remoted to the virtual desktop. If the device is denied by the default policy, it is availableonly to the local desktop.
The user experience depends upon the type of desktop to which users are connecting.
For desktops accessed through the Citrix Desktop Lock, when a user plugs in a USB device,that device is automatically remoted to the virtual desktop. No user interaction is required.The virtual desktop is responsible for controlling the USB device and displaying it in the userinterface.
For desktops accessed through the Desktop Viewer, when a user plugs in a USB device, adialog box appears asking the user if they want that device remoted to the virtual desktop.The user can decide which USB devices are remoted to the virtual desktop by selectingdevices from the list each time they connect. Alternatively, the user can configure USBsupport so that all USB devices plugged in both before and/or during a session areautomatically remoted to the virtual desktop that is in focus.
343
Mass Storage Devices
For mass storage devices only, in addition to USB support, remote access is availablethrough client drive mapping, which you configure through the Citrix Mappings rule. Whenthis rule is applied, the drives on the user device are automatically mapped to drive letterson the virtual desktop when users log on. The drives are displayed as shared folders withmapped drive letters. The Citrix Mappings rule is in the Drives subfolder of the ClientDevices Resources folder in the Presentation Server Console.
The main differences between the two types of remoting policy are:
Feature Client Drive Mapping USB Rule
Enabled by default Yes No
Read-only accessconfigurable
Yes No
Safe to remove deviceduring a session
No Yes, if the user clicksSafely Remove Hardwarein the notification area
If both USB support and the Citrix Mappings rule are enabled and a mass storage device isinserted before a session starts, it will be redirected using client drive mapping first, beforebeing considered for redirection through USB support. If it is inserted after a session hasstarted, it will be considered for redirection using USB support before client drive mapping.
344
USB Device Classes Allowed by Default
Different classes of USB device are allowed by the default USB policy rules.
Although they are on this list, some classes are only available for remoting in XenDesktopsessions after additional configuration. These are noted below.
● Audio (Class 01). Includes audio input devices (microphones), audio output devices,and MIDI controllers. Modern audio devices generally use isochronous transfers, which issupported by XenDesktop 4 or later.
Note: Some specialty devices (for example, VOIP phones) require additionalconfiguration. For instructions on this, see CTX123015.
● Physical Interface Devices(Class 05). These devices are similar to Human InterfaceDevices (HIDs), but generally provide "real-time" input or feedback and include forcefeedback joysticks, motion platforms, and force feedback exoskeletons.
● Still Imaging (Class 06). Includes digital cameras and scanners. Digital cameras oftensupport the still imaging class which uses the Picture Transfer Protocol (PTP) or MediaTransfer Protocol (MTP) to transfer images to a computer or other peripheral. Camerasmay also appear as mass storage devices and it may be possible to configure a camerato use either class, through setup menus provided by the camera itself.
Note that if a camera appears as a mass storage device, client drive mapping is usedand USB support is not required.
● Printers (Class 07). In general most printers are included in this class, although someuse vendor-specific protocols (class ff). Multi-function printers may have an internalhub or be composite devices. In both cases the printing element generally uses thePrinters class and the scanning or fax element uses another class; for example, StillImaging.
Printers normally work appropriately without USB support.
Note: This class of device (in particular printers with scanning functions) requiresadditional configuration. For instructions on this, see CTX123015.
● Mass Storage (Class 08). The most common mass storage devices are USB flash drives;others include USB-attached hard drives, CD/DVD drives, and SD/MMC card readers.There are a wide variety of devices with internal storage that also present a massstorage interface; these include media players, digital cameras, and mobile phones.Known subclasses include:
● 01 Limited flash devices
● 02 Typically CD/DVD devices (ATAPI/MMC-2)
● 03 Typically tape devices (QIC-157)
● 04 Typically floppy disk drives (UFI)
● 05 Typically floppy disk drives (SFF-8070i)
● 06 Most mass storage devices use this variant of SCSI
Mass storage devices can often be accessed through client drive mapping, and so USBsupport is not required.
Important: Some viruses are known to propagate actively using all types of massstorage. Carefully consider whether or not there is a business need to permit the useof mass storage devices, either through client drive mapping or USB support.
● Content Security (Class 0d). Content security devices enforce content protection,typically for licensing or digital rights management. This class includes dongles.
● Video (Class 0e). The video class covers devices that are used to manipulate video orvideo-related material, such as webcams, digital camcorders, analog video converters,some television tuners, and some digital cameras that support video streaming.
Note: Most video streaming devices use isochronous transfers, which is supported byXenDesktop 4 or later. Some video devices (for example webcams with motiondetection) require additional configuration. For instructions on this, see CTX123015.
● Personal Healthcare (Class 0f). These devices include personal healthcare devices suchas blood pressure sensors, heart rate monitors, pedometers, pill monitors, andspirometers.
● Application and Vendor Specific (Classes fe and ff). Many devices use vendor specificprotocols or protocols not standardized by the USB consortium, and these usuallyappear as vendor-specific (class ff).
USB Device Classes Allowed by Default
345
346
USB Device Classes Denied by Default
Different classes of USB device are denied by the default USB policy rules.
● Communications and CDC Control (Classes 02 and 0a). The default USB policy doesnot allow these devices, because one of them may be providing the connection to thevirtual desktop itself.
● Human Interface Devices (Class 03). Includes a wide variety of both input and outputdevices. Typical Human Interface Devices (HIDs) are keyboards, mice, pointing devices,graphic tablets, sensors, game controllers, buttons, and control functions.
Subclass 01 is known as the "boot interface" class and is used for keyboards and mice.
The default USB policy does not allow USB keyboards (class 03, subclass 01, protocol 1),or USB mice (class 03, subclass 01, protocol 2). This is because most keyboards andmice are handled appropriately without USB support and it is normally necessary to usethese devices locally as well remotely when connecting to a virtual desktop.
● USB Hubs (Class 09). USB hubs allow extra devices to be connected to the localcomputer. It is not neccessary to access these devices remotely.
● Smart Card (Class 0b). Smart card readers include contactless and contact smart cardreaders, and also USB tokens with an embedded smart card-equivalent chip.
Smart card readers are accessed using smart card remoting and do not require USBsupport.
● Wireless Controller (Class e0). Some of these devices may be providing criticalnetwork access, or connecting critical peripherals such as Bluetooth keyboards or mice.
The default USB policy does not allow these devices. However, there may be particulardevices it is appropriate to provide access to using USB support.
347
Updating the List of USB DevicesAvailable for Remoting
You can update the range of USB devices available for remoting to desktops by editing thefile icaclient_usb.adm. This allows you to make changes to the Receiver using Group Policy.The file is located in the following installed folder:
<root drive>:\Program Files\Citrix\ICA Client\Configuration\en
Alternatively, you can edit the registry on each user device, adding the following registrykey:
HKLM\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB Type=String Name="DeviceRules"Value=
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
The product default rules are stored in:
HKLM\SOFTWARE\Citrix\ICA Client\GenericUSB Type=MultiSz Name=“DeviceRules” Value=
Do not edit the product default rules.
For details of the rules and their syntax, see http://support.citrix.com/article/ctx119722/.
348
Configuring Bloomberg Keyboards
Bloomberg keyboards are supported by XenDestkop sessions (but not other USB keyboards).The required components are installed automatically when the plug-in is installed, but youmust enable this feature either during the installation or later by changing a registry key.
On any one user device, multiple sessions to Bloomberg keyboards are not recommended.The keyboard only operates correctly in single-session environments.
To turn Bloomberg keyboard support on or off
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
1. Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB
2. Do one of the following:
● To turn on this feature, for the entry with Type DWORD and NameEnableBloombergHID, set Value to 1.
● To turn off this feature, set the Value to 0.
349
Configuring User-Driven Desktop Restart
You can allow users to restart their desktops themselves. They may need to do this if adesktop fails to connect or becomes unresponsive.
This feature is disabled by default. You enable user-driven desktop restart for a desktopgroup in Desktop Studio. For information on this, see the XenDesktop documentation.
The procedures for restarting desktops differ depending on whether users are connecting todesktops through the Desktop Viewer or the Citrix Desktop Lock.
350
To prevent the Desktop Viewer windowfrom dimming
If users have multiple Desktop Viewer windows, by default the desktops that are not activeare dimmed. If users need to view multiple desktops simultaneously, this can make theinformation on them unreadable. You can disable the default behavior and prevent theDesktop Viewer window from dimming by editing the Registry.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
1. On the user device, create a REG_DWORD entry called DisableDimming in one of thefollowing keys, depending on whether you want to prevent dimming for the current userof the device or the device itself. An entry already exists if the Desktop Viewer hasbeen used on the device:
● HKCU\Software\Citrix\XenDesktop\DesktopViewer
● HKLM\Software\Citrix\XenDesktop\DesktopViewerOptionally, instead of controlling dimming with the above user or device settings, youcan define a local policy by creating the same REG_WORD entry in one of the followingkeys:
● HKCU\Software\Policies\Citrix\XenDesktop\DesktopViewer
● HKLM\Software\Policies\Citrix\XenDesktop\DesktopViewerThe use of these keys is optional because XenDesktop administrators, rather thanplug-in administrators or users, typically control policy settings using Group Policy. So,before using these keys, check whether your XenDesktop administrator has set a policyfor this feature.
2. Set the entry to any non-zero value such as 1 or true.
If no entries are specified or the entry is set to 0, the Desktop Viewer window is dimmed. Ifmultiple entries are specified, the following precedence is used. The first entry that islocated in this list, and its value, determine whether the window is dimmed:
1. HKCU\Software\Policies\Citrix\...
2. HKLM\Software\Policies\Citrix\...
3. HKCU\Software\Citrix\...
4. HKLM\Software\Citrix\...
351
To configure the Citrix Desktop Lock
This topic contains instructions for configuring USB preferences, drive mappings, andmicrophones for a virtual desktop accessed through the Citrix Desktop Lock. In addition,some general advice on configuring the Desktop Lock is also provided.
Typically, this is used in non-domain-joined environments such as on a thin client ordesktop appliance. In this access scenario, the Desktop Viewer is unavailable, so onlyadministrators (not users) can perform the configuration.
Two .adm files are provided that allow you to perform this task using policies:
● icaclient.adm. For information on obtaining this file, see To configure settings formultiple users and devices.
● icaclient_usb.adm. The file is located in the following installed folder: <rootdrive>:\Program Files\Citrix\ICA Client\Configuration\en.
This topic assumes you have loaded both files into Group Policy, where the policies appearin Computer Configuration or User Configuration > Administrative Templates > ClassicAdministrative Templates (ADM) > Citrix Components.
To configure USB preferencesAs a prerequisite, you must turn on USB support in XenDesktop deployments by enabling theUSB policy rule. For information on this, see the XenDesktop documentation.
In Citrix Receiver > Remoting client devices > Generic USB Remoting, enable andconfigure as desired the Existing USB Devices, New USB Devices, and USB Devices List InDesktop Viewer policies. You can use the Show All Devices policy to display all connectedUSB devices, including those using the Generic USB virtual channel (for example, webcamsand memory sticks).
To configure drive mappingIn Citrix Receiver > Remoting client devices, enable and configure as desired the Clientdrive mapping policy.
To configure a microphoneIn Citrix Receiver > Remoting client devices, enable and configure as desired the Clientmicrophone policy.
General Advice On Configuring the Desktop LockGrant access to only one virtual desktop running the Desktop Lock per user.
Do not allow users to hibernate virtual desktops. Use Active Directory policies appropriatelyto prevent this.
To configure the Citrix Desktop Lock
352
353
To configure settings for multiple usersand devices
In addition to the configuration options offered by the Receiver user interface, you can usethe Group Policy Editor and the icaclient.adm template file to configure settings. Using theGroup Policy Editor, you can:
● Extend the icaclient template to cover any Receiver setting by editing theicaclient.adm file. See the Microsoft Group Policy documentation for more informationabout editing .adm files and about applying settings to a particular computer.
● Make changes that apply only to either specific users or all users of a client device.
● Configure settings for multiple user devices
Citrix recommends using Group Policy to configure user devices remotely; however you canuse any method, including the Registry Editor, which updates the relevant registry entries.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. Under the User Configuration node or the Computer Configuration node, edit therelevant settings as required.
354
Canadian Keyboard Layouts andUpdating from Presentation ServerClients Version 10.200
The Canadian keyboard layouts are aligned with those supported by Microsoft. If usersinstall Receivers without uninstalling the Presentation Server Clients Version 10.200 first,they must manually edit the module.ini file (usually in C:\Program Files\Citrix\ICA Client) toupgrade the keyboard layout settings:
Replace:
Canadian English (Multilingual)=0x00001009
Canadian French=0x00000C0C
Canadian French (Multilingual)=0x00010C0C
With:
Canadian French=0x00001009
Canadian French (Legacy)=0x00000C0C
Canadian Multilingual Standard=0x00011009
355
Auto-Repair File Locations
Auto-repair occurs if there is a problem with Receiver; however, there is no Add/RemovePrograms or Programs and Features Repair option. If the Receiver repair option prompts forthe location of the .msi file, browse to one of these locations to find the file:
● For CitrixReceiverEnterprise.exe
● Operating system: Windows XP and Windows 2003
C:\Documents and Settings\All Users\application data\Citrix\Citrix Receiver(Enterprise)\
● Operating system: Windows Vista and Windows 7
C:\ProgramData\Citrix\Citrix Receiver (Enterprise)\● For CitrixReceiver.exe installed per computer
● Operating system: Windows XP and Windows 2003
C:\Documents and Settings\All Users\Application Data\Citrix\Citrix Receiver\
● Operating system: Windows Vista and Windows 7
C:\ProgramData\Citrix\Citrix Receiver\● For CitrixReceiver.exe installed per user
● Operating system: Windows XP and Windows 2003
%USERPROFILE%\Local Settings\Application Data\Citrix\Citrix Receiver\
● Operating system: Windows Vista and Windows 7
%USERPROFILE%\Appdata\local\Citrix\Citrix Receiver\
356
Optimizing the Receiver Environment
The ways you can optimize the environment in which your Receiver operates for your usersinclude:
● Improving performance
● Improving performance over low bandwidth
● Facilitating the connection of numerous types of client devices to published resources
● Providing support for NDS users
● Using connections to Citrix XenApp for UNIX
● Supporting naming conventions
● Supporting DNS naming resolution
357
Improving Receiver Performance
You can improve the performance of your Receiver software by:
● Reducing Application Launch Time
● Reconnecting Users Automatically
● Providing session reliability
● Improving Performance over Low-Bandwidth Connections
358
Reducing Application Launch Time
Use the session pre-launch feature to reduce application launch time during normal or hightraffic periods; thus, giving the user a better experience. The pre-launch feature allows apre-launch session to be created when a user logs on to Receiver, or at a scheduled time ifthe user is already logged on. This pre-launch session reduces the launch time of the firstapplication. The default application ctxprelaunch.exe is running in the session, but it is notvisible to the user.
There are two types of pre-launch:
● Just-in-time pre-launch. Pre-Launch starts immediately after the user's credentials areauthenticated whether or not it is a high-traffic period.
● Scheduled pre-launch. Pre-launch starts at a scheduled time. Scheduled pre-launchstarts only when the user device is already running and authenticated. If those twoconditions are not met when the scheduled pre-launch time arrives, a session does notlaunch. To spread network and server load, the session launches within a window ofwhen it is scheduled. For example, if the scheduled pre-launch is scheduled for 1:45p.m., the session actually launches between 1:15 p.m. and 1:45 p.m.
Typically, you can use just-in-time pre-launch for normal traffic periods and scheduledpre-launch for known high-traffic periods.
An example of a high-traffic period - if your environment includes a large number of userswho launch applications during peak periods such as when users start work or return fromlunch, the rapid succession of logon requests might overwhelm servers and slow downapplication launch for all users.
Configuring pre-launch on the XenApp server consists of creating, modifying, or deletingpre-launch applications, as well as updating user policy settings that control the pre-launchapplication. See To pre-launch applications to user devices for information aboutconfiguring session pre-launch on the XenApp server.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
Customizing the pre-launch feature using the icaclient.adm file is not supported. However,you can change the pre-launch configuration by modifying registry values during or afterReceiver installation.
Registry value for Windows 7, 64-bit
The value for Windows 7, 64-bit, is:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch - Enablesdifferent users on the same user device to have different settings. It also allows a user tochange the configuration without administrative permission. You can provide your userswith scripts to accomplish this.
Name: State
Values:
0 - Disable pre-launch.
1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials areauthenticated.)
2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)
Name: Schedule
Value:
The time (24 hour format) and days of week for scheduled pre-launch entered in thefollowing format:
HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU arethe days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday,and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0 . The sessionactually launches between 1:15 p.m. and 1:45 p.m.
Registry values for other Windows systems
The values for all other supported Windows operating systems are:HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch andHKEY_CURRENT_USER\Software\Citrix\ICA Client\Prelaunch.
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch - Written at installation,with default values.
Name: UserOverride
Values:
0 - Use the HKEY_LOCAL_MACHINE values even if HKEY_CURRENT_USER values are alsopresent.
1 - Use HKEY_CURRENT_USER values if they exist; otherwise, use the HKEY_LOCAL_MACHINEvalues.
Name: State
Values:
0 - Disable pre-launch.
1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials areauthenticated.)
2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)
Name: Schedule
Value:
Reducing Application Launch Time
359
The time (24 hour format) and days of week for scheduled pre-launch entered in thefollowing format:
HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU arethe days of the week. For example to enable scheduled pre-launch on Monday, Wednesday,and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0 . The sessionactually launches between 1:15 p.m. and 1:45 p.m.
HKEY_CURRENT_USER\SOFTWARE\Citrix\ICA Client\Prelaunch - Enables different users onthe same user device to have different settings. It also allows a user to change theconfiguration without administrative permission. You can provide your users with scripts toaccomplish this.
Name: State
Values:
0 - Disable pre-launch.
1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials areauthenticated.)
2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)
Name: Schedule
Value:
The time (24 hour format) and days of week for scheduled pre-launch entered in thefollowing format:
HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU arethe days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday,and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0 . The sessionactually launches between 1:15 p.m. and 1:45 p.m.
Reducing Application Launch Time
360
361
Reconnecting Users Automatically
Users can be disconnected from their sessions because of unreliable networks, highlyvariable network latency, or range limitations of wireless devices. With the HDX Broadcastauto-client reconnection feature, Receiver can detect unintended disconnections of ICAsessions and reconnect users to the affected sessions automatically.
When this feature is enabled on the server, users do not have to reconnect manually tocontinue working. The Receiver attempts to reconnect to the session until there is asuccessful reconnection or the user cancels the reconnection attempts. If userauthentication is required, a dialog box requesting credentials appears to a user duringautomatic reconnection. Automatic reconnection does not occur if users exit applicationswithout logging off. Users can reconnect only to disconnected sessions.
To disable HDX Broadcast auto-client reconnect for a particular user
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network Routing > Session reliability andautomatic reconnection. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties and select Disabled.
362
Providing HDX Broadcast SessionReliability
With the HDX Broadcast Session Reliability feature, users continue to see a publishedapplication’s window if the connection to the application experiences an interruption. Forexample, wireless users entering a tunnel may lose their connection when they enter thetunnel and regain it when they emerge on the other side. During such interruptions, thesession reliability feature enables the session window to remain displayed while theconnection is being restored.
You can configure your system to display a warning dialog box to users when the connectionis unavailable.
You set HDX Broadcast Session Reliability with policy settings on the server. Receiver userscannot override the server settings for HDX Broadcast Session Reliability.
Important: If HDX Broadcast Session Reliability is enabled, the default port used forsession communication switches from 1494 to 2598.
363
Improving Performance overLow-Bandwidth Connections
Citrix recommends that you use the latest version of XenApp or XenDesktop on the server.Citrix continually enhances and improves performance with each release. Manyperformance features require the latest Receiver and server software to function.
If you are using a low-bandwidth connection, you can make a number of changes to yourReceiver configuration and the way you use the Receiver to improve performance.
Changing Your Receiver ConfigurationOn devices with limited processing power or in circumstances where only limited bandwidthis available, there is a trade-off between performance and functionality. Receiver providesboth user and administrator with the ability to choose an acceptable mixture of richfunctionality and interactive performance. Making one or more of these changes on theserver or user device can reduce the bandwidth your connection requires and improveperformance:
● Enable SpeedScreen Latency Reduction. SpeedScreen Latency Reduction improvesperformance over high latency connections by providing instant feedback to the user inresponse to typed data or mouse clicks.
User's side: icaclient.adm file.
Server side: SpeedScreen Latency Reduction Manager.
● Reduce the window size. Change the window size to the minimum size you cancomfortably use.
User side: icaclient.adm file or use the Receiver icon in the notification area andchoose Preferences and right-click the Online Plug-in entry in the Plug-in Status andchoose Options > Session Options.
Server side: XenApp services site > Session Options.
● Reduce the number of colors. Reduce the number of colors to 256.
User side: icaclient.adm file or use the Receiver icon in the notification area andchoose Preferences and right-click the Online Plug-in entry in the Plug-in Status andchoose Options > Session Options.
Server side: XenApp services site > Session Options.
● Reduce sound quality. If Receiver audio mapping is enabled, reduce the sound qualityto the minimum setting.
User's side: icaclient.adm file.
Server side: Citrix Audio quality policy setting.
Changing Receiver UseICA technology is highly optimized and typically does not have high CPU and bandwidthrequirements. However, if you are using a very low-bandwidth connection, the followingtasks can impact performance:
● Accessing large files using client drive mapping. When you access a large file withclient drive mapping, the file is transferred over the ICA connection. On slowconnections, this may take a long time.
● Playing multimedia content. Playing multimedia content uses a lot of bandwidth andcan cause reduced performance.
Improving Performance over Low-Bandwidth Connections
364
365
Connecting User Devices and PublishedResources
You can facilitate sessions and optimize the connection of your user devices to resourcespublished in the server farm by:
● Configuring workspace control settings to provide continuity for roaming users
● Making scanning transparent for users
● Mapping client devices
● Associating user device file types with published applications
366
To enable pass-through authenticationwhen sites are not in Trusted Sites orIntranet zones
Your users might require pass-through authentication to the server using their user logoncredentials but cannot add sites to the Trusted Sites or Intranet zones. Enable this settingto allow pass-through authentication on all but Restricted sites.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > User authentication > Local user name andpassword. In Windows 7 and Windows Server 2008, expand Administrative Templatesand navigate through Classic Administrative Templates (ADM) > Citrix Components tothe desired configuration option.
7. From the Local user name and password Properties menu, select Enabled, and thenselect the Enable pass-through authentication and Allow pass-through authenticationfor all ICA connections check boxes.
367
Configuring Workspace Control Settingsto Provide Continuity for Roaming Users
The workspace control feature provides users with the ability to disconnect quickly from allrunning applications, reconnect to applications, or log off from all running applications. Youcan move among user devices and gain access to all of your applications when you log on.For example, health care workers in a hospital can move quickly among workstations andaccess the same set of applications each time they log on to XenApp. These users candisconnect from multiple applications at one user device and open all the same applicationswhen they reconnect at a different user device.
Workspace control is available only to users connecting to published resources with CitrixXenApp or through the Web Interface.
Policies and client drive mappings change appropriately when you move to a new userdevice. Policies and mappings are applied according to the user device where you arecurrently logged on to the session. For example, if a health care worker logs off from a userdevice in the emergency room of a hospital and then logs on to a workstation in thehospital’s X-ray laboratory, the policies, printer mappings, and client drive mappingsappropriate for the session in the X-ray laboratory go into effect for the session as soon asthe user logs on to the user device in the X-ray laboratory.
Important: Workspace control can be used only with Version 11.x and later of theclient/plug-in/Receiver, and works only with sessions connected to computers runningCitrix Presentation Server Version 3.0, 4.0, or 4.5 or Citrix XenApp 5.0, 6.0, or 6.5.
If the workspace control configuration settings of the Web Interface are configured to allowusers to override the server settings, users can configure workspace control in the AccountSettings options of the Web Interface Preference menu or the Reconnect Options page ofthe Receiver Options. The following options are available in the Receiver Options on theReconnect Options page:
● Enable automatic reconnection at logon allows users to reconnect to onlydisconnected applications or both disconnected and active applications
● Enable reconnection from the menu allows users to reconnect to only disconnectedapplications or both disconnected and active sessions
To configure workspace control settings
For users launching applications through the Web Interface, similar options are availablefrom the Settings page:
● Enable automatic reconnection at logon allows users to reconnect to onlydisconnected applications or both disconnected and active applications
● Enable automatic reconnection from Reconnect menu allows users to reconnect toonly disconnected applications or both disconnected and active sessions
● Customize Log Off button allows users to configure whether or not the log offcommand will include logging them off from applications that are running in the session
If users log on with smart cards or smart cards with pass-through authentication, set up atrust relationship between the server running the Web Interface and any other server in thefarm that the Web Interface accesses for published applications. For more informationabout workspace control requirements, see the Citrix XenApp and Web InterfaceAdministrator documentation.
Configuring Workspace Control Settings to Provide Continuity for Roaming Users
368
369
Making Scanning Transparent for Users
If you enable HDX Plug-n-Play TWAIN image scanning device support, users can controlclient-attached TWAIN imaging devices transparently with applications that reside on theserver farm. To use this feature, a TWAIN device must be attached to the user device andthe associated 32-bit TWAIN driver must also be installed on the user device.
To enable or disable this feature, configure the Citrix policy Client TWAIN deviceredirection setting.
The following policy settings allow you to specify the maximum amount of bandwidth (inkilobits per second or as a percentage) and the compression level of images from client toserver used for TWAIN redirection:
● TWAIN device redirection bandwidth limit
● TWAIN device redirection bandwidth limit percent
● TWAIN compression level
370
Mapping User Devices
The Receiver supports mapping devices on user devices so they are available from within asession. Users can:
● Transparently access local drives, printers, and COM ports
● Cut and paste between the session and the local Windows clipboard
● Hear audio (system sounds and .wav files) played from the session
During logon, Receiver informs the XenApp server of the available client drives, COM ports,and LPT ports. By default, client drives are mapped to server drive letters and server printqueues are created for client printers so they appear to be directly connected to theXenApp server. These mappings are available only for the current user during the currentsession. They are deleted when the user logs off and recreated the next time the user logson.
You can use the the Citrix policy redirection settings on the XenApp server to map userdevices not automatically mapped at logon. For more information, see the XenAppadministration documentation.
Turning off User Device MappingsYou can configure user device mapping including options for drives, printers, and ports,using the Windows Server Manager tool. For more information about the available options,see your Remote Desktop Services documentation.
371
Mapping Client Drives to XenApp ServerDrive Letters
Client drive mapping allows drive letters on the XenApp server to be redirected to drivesthat exist on the client device. For example, drive H in a Citrix user session can be mappedto drive C of the local device running the plug-in.
Client drive mapping is built into the standard Citrix device redirection facilitiestransparently. To File Manager, Windows Explorer, and your applications, these mappingsappear like any other network mappings.
Note that Client drive mapping is not supported when connecting to MetaFrame Server 1.0for UNIX operating systems.
The XenApp server can be configured during installation to map client drives automaticallyto a given set of drive letters. The default installation mapping maps drive letters assignedto client drives starting with V and works backward, assigning a drive letter to each fixeddrive and CD-ROM drive. (Floppy drives are assigned their existing drive letters.) Thismethod yields the following drive mappings in a session:
Client drive letter Is accessed by the XenApp server as:
A A
B B
C V
D UThe XenApp server can be configured so that the server drive letters do not conflict withthe client drive letters; in this case the server drive letters are changed to higher driveletters. For example, changing server drives C to M and D to N allows client devices toaccess their C and D drives directly. This method yields the following drive mappings in asession:
Client drive letter Is accessed by the XenApp server as:
A A
B B
C C
D DThe drive letter used to replace the server drive C is defined during Setup. All other fixeddrive and CD-ROM drive letters are replaced with sequential drive letters (for example; C >M, D > N, E > O). These drive letters must not conflict with any existing network drivemappings. If a network drive is mapped to the same drive letter as a server drive letter, thenetwork drive mapping is not valid.
When a client device connects to a XenApp server, client mappings are reestablished unlessautomatic client device mapping is disabled. You can use the Terminal ServicesConfiguration tool to configure automatic client device mapping for ICA connections andusers. You can also use policies to give you more control over how client device mapping isapplied. For more information about policies, see the Citrix XenApp Administrator'sdocumentation at Citrix eDocs.
Mapping Client Drives to XenApp Server Drive Letters
372
373
HDX Plug-n-Play for USB StorageDevices
HDX Plug-n-Play for USB storage devices enables users to interact with USB mass storagedevices connected to their user devices when connected to XenApp sessions. When HDXPlug-n-Play for USB storage devices is enabled, users can connect or disconnect a USBdevice from a session at anytime, regardless of whether the session was started before orafter the drive connection.
HDX Plug-n-Play for USB storage devices is enabled by default and can be disabled orenabled by editing the ICA\File Redirection - Client removable drives policy setting. Formore information, see the XenApp documentation.
Supported Mass Storage Devices with XenAppMass storage devices, including USB thumbdrives, USB-attached hard drives, CD-DVD drives,and SD card readers are supported.
Not supported:
● U3 smart drives and devices with similar autorun behavior
● Explorer.exe published as a seamless application
Mass storage devices can often be accessed through client drive mapping, and so USBsupport is not required.
Important: Some viruses are known to propagate actively using all types of mass storage.Carefully consider whether or not there is a business need to permit the use of massstorage devices, either through client drive mapping or USB support.
374
HDX Plug-n-Play USB Device Redirectionfor XenApp Connections
HDX Plug-n-Play USB Device Redirection on computers running Vista and Windows 7 enablesdynamic redirection of media devices, including cameras, scanners, media players, andpoint of sale (POS) devices to the server. You or the user can restrict redirection of all orsome of the devices. Edit policies on the server or apply group policies on the user deviceto configure the redirection settings. Three methods can enforce HDX Plug-n-Play USBdevice redirection policies:
● Server side. The administrator can enable or disable all device redirections for aspecific user or user group using the Active Directory policies available in XenApp. Thepolicy controls redirection of all devices and is not specific to a device. For moreinformation, see the XenApp administration documentation.
● Plug-in side. The administrator can enable or disable all device redirection for aspecific user or computer by using the group policy editor. There are two policy settings- the USB Plug-n-Play Devices policy setting controls redirection of all devices and theUSB Point of Sale Devices policy setting controls POS devices only. If USB Plug-n-PlayDevices allows devices to be redirected, you can use the USB Point of Sale Devices,which is a subset of USB Plug-n-Play Devices, to control only POS devices.
● Plug-in side. The user can allow or reject device redirection. When a device is going tobe redirected, the permission set by the user in the Connection Center is applied (thesetting applies to the current session). If the permission is set to Full Access, devicesare always redirected. If the permission is set to No Access, devices are not redirected.If the permission is set to Ask Permission, a dialog box appears before redirectionoccurs requiring the user to make a selection. Depending on the answer, the device isredirected or not. If the user is prompted with any of the device security dialog boxes(for example, file security or audio security) and instructs the system to remember thedecision, applications launched in subsequent ICA sessions load and use these settings.
This setting affects only devices plugged in after the user changes the setting. Devicesthat are already plugged in when the user changes the setting are unaffected by thenew setting.
Important: If you prohibit Plug-n-Play USB device redirection in a server policy, theuser cannot override that policy setting with the plug-in side policy.
Plug-in Group PoliciesAccess the plug-in policies using the Group Policy Editor available through gpedit.msc fromthe Start menu's Run dialog box. You can apply the policies to both users and computers.Two policies are available:
● USB Plug-n-Play Devices is the main policy that turns HDX Plug-n-Play USB deviceredirection on or off. Enabling redirection allows any Media Transfer Protocol (MTP),Picture Transfer Protocol (PTP), and Point of Sale (POS) device connected to the userdevice to be redirected in the session. The policy has three values: Not Configured,Enabled, and Disabled. The default is Not Configured, which allows redirection.
● USB Point of Sale Devices controls the redirection of POS devices and USB Plug-n-PlayDevices must be Enabled to enable this policy. The policy can have three values: NotConfigured, Enabled, and Disabled. The default is Not Configured, which allowsredirection of POS devices.
HDX Plug-n-Play USB Device Redirection for XenApp Connections
375
376
Mapping Client Printers for MoreEfficiency
The Receiver support printing to network printers and printers that are attached locally touser devices. By default, unless you create policies to change this, XenApp lets users:
● Print to all printing devices accessible from the user device
● Add printers (but it does not retain settings configured for these printers or save themfor the next session)
However, these settings might not be the optimum in all environments. For example, thedefault setting that allows users to print to all printers accessible from the user device isthe easiest to administer initially, but might create slower logon times in someenvironments.
Likewise, your organization’s security policies might require that you prevent users frommapping local printing ports. To do so, configure the Citrix policy Auto connect client COMports setting to Disabled.
To change default printing settings, configure policy settings on the server. For moreinformation, see the XenApp administration topics.
To view mapped client printersWhile connected to the XenApp server, from the Start menu, choose Printers in the ControlPanel.
The Printers window displays the local printers mapped to the session. When connecting toservers running Citrix Presentation Server 4.0 or 4.5 or Citrix XenApp, by default the nameof the printer takes the form:
printername (from clientname) in session x
where:
● printername is the name of the printer on the user device.
● clientname is the unique name given to the user device or the Web Interface.
● x is the SessionID of the user’s session on the server.
For example, printer01 (from computer01) in session 7
When connecting to servers running Presentation Server 3.0 or earlier, or when the Legacyprinter name option from the Citrix policy Client printer names setting is enabled on theserver, a different naming convention is used. The name of the printer takes the form:
Client/clientname#/printername
where:
● clientname is the unique name given to the user device during client setup.
● printername is the Windows printer name. Because the Windows printer name is usedand not the port name, multiple printers can share a printer port without conflict.
For more information about printing, and about managing printing using policies, see theCitrix XenApp Administrator's documentation.
Mapping Client Printers for More Efficiency
377
378
To map a client COM port to a serverCOM port
Client COM port mapping allows devices attached to the COM ports of the user device to beused during sessions on a XenApp server. These mappings can be used like any othernetwork mappings.
Important: Client COM port mapping is not supported when connecting to MetaFrameServer 1.0 and 1.1 for UNIX Operating Systems.
You can map client COM ports at the command prompt. You can also control client COMport mapping from the Terminal Services Configuration tool or using policies. See the CitrixXenApp Administrator’s documentation for more information about policies.
1. Start Receiver and log on to the XenApp server.
2. At a command prompt, type: net use comx: \\client\comz: where x is the number ofthe COM port on the server (ports 1 through 9 are available for mapping) and z is thenumber of the client COM port you want to map.
3. To confirm the operation, type: net use at a command prompt. The list that appearscontains mapped drives, LPT ports, and mapped COM ports. To use this COM port in asession on a XenApp server, install your device to the mapped name. For example, ifyou map COM1 on the client to COM5 on the server, install your COM port device onCOM5 during the session on the server. Use this mapped COM port as you would a COMport on the user device.
Important: COM port mapping is not TAPI-compatible. TAPI devices cannot bemapped to client COM ports.
379
Mapping Client Audio to Play Sound onthe User Device
Client audio mapping enables applications executing on the XenApp server to play soundsthrough Windows-compatible sound devices installed on the user device. You can set audioquality on a per-connection basis on the XenApp server and users can set it on their device.If the user device and server audio quality settings are different, the lower setting is used.
Client audio mapping can cause excessive load on servers and the network. The higher theaudio quality, the more bandwidth is required to transfer the audio data. Higher qualityaudio also uses more server CPU to process.
Important: Client sound support mapping is not supported when connecting to CitrixXenApp for UNIX.
380
Associating User Device File Types withPublished Applications
Receiver supports HDX Plug-n-Play content redirection. Functionally equivalent to extendedparameter passing, content redirection allows you to enforce all underlying file typeassociations from the server, eliminating the need to configure extended parameter passingon individual user devices.
To associate file types on the user device with applications published on the server,configure Plug-n-Play content redirection on the server. For more information, see theXenApp adminstration topics.
381
Using the Window Manager whenConnecting to Citrix XenApp for UNIX
This topic does not apply to XenDesktop connections.
You can use the window manager to change the session display when connecting topublished resources on XenApp servers for UNIX. With the window manager, users canminimize, resize, position, and close windows, as well as access full screen mode.
About Seamless WindowsIn seamless window mode, published applications and desktops are not contained within asession window. Each published application and desktop appears in its own resizablewindow, as if it is physically installed on the user device. Users can switch betweenpublished applications and the local desktop.
You can also display seamless windows in “full screen” mode, which places the publishedapplication in a full screen-sized desktop. This mode lets you access the ctxwm menusystem.
To switch between seamless and full screen modes
Press SHIFT+F2 to switch between seamless and full screen modes.
Minimizing, Resizing, Positioning, and ClosingWindows
When users connect to published resources, window manager provides buttons to minimize,resize, position, and close windows. Windows are minimized as buttons on the taskbar.
When the user closes the last application in a session, the session is logged offautomatically after twenty seconds.
382
Terminating and Disconnecting Sessions
This topic does not apply to XenDesktop connections.
In remote desktop and seamless full screen windows, you can use the ctxwm menu systemto log off, disconnect, and exit from published applications and connection sessions.
To access the ctxwm menu system1. On a blank area of the remote desktop window, click and hold down the left mouse
button. The ctxwm menu appears.
2. Drag the mouse pointer over Shutdown to display the shutdown options.
To choose an option from the ctxwm menuDrag the pointer over the required option to select it. Release the mouse button to selectthe option.
To Choose
Terminate the connection and all running applications Logoff
Disconnect the session but leave the application running Disconnect
Disconnect the session and terminate the application Exit
Note: The server can be configured to terminate any applications that are running if asession is disconnected.
383
Using ctxgrab and ctxcapture to Cut andPaste Graphics When Connected toXenApp for UNIX
If you are connected to an application published on a XenApp server for UNIX, use ctxgrabor ctxcapture to cut and paste graphics between the session and the local desktop. Theseutilities are configured and deployed from the server.
Important: You might need to deploy UNIX applications that are designed for use with a3‑button mouse. Use ctx3bmouse on the XenApp for UNIX server to configure 3-buttonmouse emulation. For more information, see the XenApp for UNIX administrationdocumentation.
● ctxgrab
● ctxcapture
384
Using the ctxgrab Utility to Cut and PasteGraphics
This topic does not apply to XenDesktop connections.
The ctxgrab utility is a simple tool you use to cut and paste graphics from publishedapplications to applications running on the local user device. This utility is available from acommand prompt or, if you are using a published application, from the ctxwm windowmanager.
Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouseemulation. For more information, see the XenApp for UNIX administrationdocumentation.
To access the ctxgrab utility from the windowmanager
● In seamless mode, right-click the ctxgrab button in the top, left-hand corner of thescreen to display a menu and choose the grab option
● In full screen mode, left-click to display the ctxwm menu and choose the grab option
To copy from an application in a plug-in window to alocal application
1. From the ctxgrab dialog box, click From screen.
2. To select a window, move the cursor over the window you want to copy and click themiddle mouse button. To select a region, hold down the left mouse button and drag thecursor to select the area you want to copy. To cancel the selection, click the rightmouse button. While dragging, click the right mouse button before releasing the leftbutton.
3. Use the appropriate command in the local application to paste the object.
385
Using the ctxcapture Utility to Cut andPaste Graphics
This topic does not apply to XenDesktop connections.
The ctxcapture utility is a more fully-featured utility for cutting and pasting graphicsbetween published applications and applications running on the local user device.
With ctxcapture you can:
● Grab dialog boxes or screen areas and copy them between an application in a Receiverwindow and an application running on the local user device, includingnon-ICCCM-compliant applications
● Copy graphics between the Receiver and the X graphics manipulation utility xvf
If you are connected to a published desktop, ctxcapture is available from a commandprompt. If you are connected to a published application and the administrator makes itavailable, you can access ctxcapture through the ctxwm window manager.
Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouseemulation. For more information, see the XenApp for UNIX administrationdocumentation.
To access the ctxcapture utility from the windowmanager
Left-click to display the ctxwm menu and choose the screengrab option.
To copy from a local application to an application in aReceiver window
1. From the ctxcapture dialog box, click From screen.
2. To select a window, move the cursor over the window you want to copy and click themiddle mouse button. To select a region, hold down the left mouse button and drag thecursor to select the area you want to copy. To cancel the selection: click the rightmouse button. While dragging, click the right mouse button before releasing the leftbutton.
3. From the ctxcapture dialog box, click To ICA. The xcapture button changes color toindicate that it is processing the information.
4. When the transfer is complete, use the appropriate command in the publishedapplication window to paste the information.
To copy from an application in a Receiver window to alocal application
1. From the application in the Receiver window, copy the graphic.
2. From the ctxcapture dialog box, click From ICA.
3. When the transfer is complete, use the appropriate command in the local application topaste the information.
To copy from xv to an application in a Receiverwindow or local application
1. From xv, copy the graphic.
2. From the ctxcapture dialog box, click From xv and To ICA.
3. When the transfer is complete, use the appropriate command in the Receiver windowto paste the information.
To copy from an application in a Receiver window toxv
1. From the application in the Receiver window, copy the graphic.
2. From the ctxcapture dialog box, click From ICA and To xv.
3. When the transfer is complete, use the paste command in xv.
Using the ctxcapture Utility to Cut and Paste Graphics
386
387
Matching Client Names and ComputerNames
The dynamic client name feature allows the client name to be the same as the computername. When users change their computer name, the client name changes to match. Thisallows you to name computers to suit your naming scheme and find connections more easilywhen managing your server farm.
If the client name is not set to match the computer name during installation, the clientname does not change when the computer name is changed.
Users enable dynamic client name support by selecting Enable Dynamic Client Name duringReceiver installation.
To enable dynamic client name support during silent command line installation, the valueof the property ENABLE_DYNAMIC_CLIENT_NAME must be Yes. Set the property to No todisable dynamic client name support.
388
Providing Support for NDS Users
This topic does not apply to XenDesktop connections.
When launching Receiver software, users can log on and be authenticated using their NovellDirectory Services (NDS) credentials. Supported NDS credentials are user name (ordistinguished name), password, directory tree, and context.
NDS support is integrated into the following:
● Citrix Receiver. If NDS is enabled in the server farm, NDS users enter their credentialson an NDS tab on the Receiver logon screen. If users have the Novell Client (Version 4.8)installed, they can browse the NDS tree to choose their context.
● Pass-Through Authentication. If users have the Novell Client (Version 4.8) installed,you can pass their credentials to the XenApp server, eliminating the need for multiplesystem and application authentications.
To enable pass-through authentication, configure the following policy options in theUser Package in ZENworks for Desktops:
● Enable the Dynamic Local User policy option
● Set the Use NetWare Credentials value to On● The Citrix Web Interface. NDS users enter their credentials on an NDS logon screen
provided by the Web Interface. See the Web Interface Administrator’s documentationfor information about configuring your server for NDS.
Note: To use NDS logon information with earlier versions of the clients, enter the NDStree name in the Domain field and a distinguished name in the User field on theclient logon screen.
Setting a Default Context for NDSYou can set a default context for NDS for Receiver. To set a default context for NDS, youmust configure the particular installer file you are using to deploy Receiver.
389
Specifying Windows Credentials with theNovellClient and Pass-Through Authentication
This topic does not apply to XenDesktop connections.
If the Novell client is installed and you want the Receiver to use the user’s Windowscredentials with pass-through authentication rather than the Novell Directory Server (NDS)credentials, use the Group Policy Editor to enable pass-through authentication without NDScredentials.
To configure Receiver after installation
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates, navigate throughCitrix Components > Citrix Receiver > User authentication, double click Local username and password and select Enabled > Enable pass-through authentication. InWindows 7 and Windows Server 2008, expand Administrative Templates and navigatethrough Classic Administrative Templates (ADM) > Citrix Components to the desiredconfiguration option.
Do not select Use Novell Directory Server credentials.
390
DNS Name Resolution
You can configure Receivers that use the Citrix XML Service to request a Domain NameService (DNS) name for a server instead of an IP address.
Important: Unless your DNS environment is configured specifically to use this feature,Citrix recommends that you do not enable DNS name resolution in the server farm.
Receivers connecting to published applications through the Web Interface also use theCitrix XML Service. For Receivers connecting through the Web Interface, the Web serverresolves the DNS name on behalf of the Receiver.
DNS name resolution is disabled by default in the server farm and enabled by default on theReceiver. When DNS name resolution is disabled in the farm, any Receiver request for a DNSname returns an IP address. There is no need to disable DNS name resolution on Receiver.
To disable DNS name resolution for specific clientdevices
If you are using DNS name resolution in the server farm and are having problems withspecific user devices, you can disable DNS name resolution for those devices.
Caution: Using Registry Editor incorrectly can cause serious problems that can requireyou to reinstall the operating system. Citrix cannot guarantee that problems resultingfrom incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Make sure you back up the registry before you edit it.
1. Add a string registry key xmlAddressResolutionType toHKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing.
2. Set the value to IPv4-Port.
3. Repeat for each user of the user devices.
391
Using Proxy Servers with XenDesktopConnections
If you do not use proxy servers in your environment, correct the Internet Explorer proxysettings on any user devices running Internet Explorer 7.0 on Windows XP. By default, thisconfiguration automatically detects proxy settings. If proxy servers are not used, users willexperience unnecessary delays during the detection process. For instructions on changingthe proxy settings, consult your Internet Explorer documentation. Alternatively, you canchange proxy settings using the Web Interface. For more information, consult the WebInterface documentation.
392
Improving the Receiver User Experience
You can improve your users’ experiences with the following supported features:
● ClearType font smoothing
● Client-side microphone input for digital dictation
● Multiple monitor support
● Printing performance enhancements
● To set keyboard shortcuts
● 32-bit color icons
Topics that support users with the Desktop Viewer and the Desktop Lock are available athttp://support.citrix.com/help/receiver/en/receiverHelpWin.htm.
393
ClearType Font Smoothing in Sessions
This topic does not apply to XenDesktop connections.
XenApp server supports ClearType font smoothing with Receiver for users on computersrunning Windows XP, Windows 7, and Windows Vista. ClearType font smoothing is set bydefault in Windows 7 and Windows Vista, but Standard font smoothing is set by default inWindows XP.
If you enable ClearType font smoothing on Receiver, you are not forcing the user devices touse ClearType font smoothing. You are enabling the server to support ClearType fontsmoothing on user devices that have it set and are using Receiver. By disabling it forsessions, you are specifying that sessions launched from that Receiver do not remote thefont smoothing setting.
Receiver automatically detects the user device’s font smoothing setting and sends it to theserver. The session connects using this setting. When the session is disconnected orterminated, the user's profile setting on the server is set to original setting unless the userspecifically changed it in the control panel in the session; then the server uses the newsetting.
An older Receiver (plug-in) connects using the font smoothing setting configured in thatuser’s profile on the server.
When ClearType font smoothing is enabled, three times more data is sent across the virtualchannel, which might cause a decrease in performance.
Font smoothing must be enabled on users’ operating systems, the Receiver, the WebInterface site, and the server farm.
To enable or disable ClearType font smoothing forsessions
Use the Session Preferences task in the Citrix Web Interface Management console toenable or disable font smoothing for XenApp Web sites and the Session Options task forXenApp Services sites.
394
Client-Side Microphone Input
Receiver supports multiple client-side microphone input. Locally installed microphones canbe used for:
● Real-time activities, such as softphone calls and Web conferences.
● Hosted recording applications, such as dictation programs.
● Video and audio recordings.
Digital dictation support is available with Receiver. For information about configuring thisfeature, see the administrator's documentation for Citrix XenApp or Citrix XenDesktop.
Receiver (Enterprise) users can disable their microphones by selecting No Access in theMicrophones/Webcams menu choice available from the Citrix Connection Center, or fromthe Receiver’s system menu (for non-seamless connections). Receiver (standard) users arepresented with the same dialog box automatically at the beginning of their sessions.XenDesktop users can also use the XenDesktop Viewer Preferences to disable theirmicrophones.
Note: Selecting No Access also disables any attached Webcams.
On the user device, users control audio input and output in a single step—by selecting anaudio quality level from the Options dialog box.
395
Configuring HDX Plug-n-PlayMulti-monitor Support
Multiple monitors are fully supported by Receiver. As many as eight monitors are supported.
Each monitor in a multiple monitor configuration has its own resolution designed by itsmanufacturer. Monitors can have different resolutions and orientations during sessions.
Sessions can span multiple monitors in two ways:
● Full screen mode, with multiple monitors shown inside the session; applications snap tomonitors as they would locally.
XenDesktop: If users access a desktop through the Citrix Desktop Lock, the desktop isdisplayed across all monitors. The primary monitor on the device becomes the primarymonitor in the XenDesktop session. You can display the Desktop Viewer toolbar acrossany rectangular subset of monitors by resizing the window across any part of thosemonitors and pressing the Maximize button.
● Windowed mode, with one single monitor image for the session; applications do notsnap to individual monitors.
XenDesktop: When any desktop in the same assignment (formerly "desktop group") islaunched subsequently, the window setting is preserved and the toolbar is displayed acrossthe same monitors. Multiple virtual desktops can be displayed on one device provided themonitor arrangement is rectangular. If the primary monitor on the device is used by theXenDesktop session, it becomes the primary monitor in the session. Otherwise, thenumerically lowest monitor in the session becomes the primary monitor.
To enable multi-monitor support, ensure the following:
● The user device must have a single video board that can support connections to morethan one monitor or multiple video boards compatible with the Receiver on theappropriate platform.
● The user device operating system must be able to detect each of the monitors. OnWindows platforms, to verify that this detection occurs, on the user device, view theSettings tab in the Display Settings dialog box and confirm that each monitor appearsseparately.
● After your monitors are detected:
● XenDesktop: Configure the graphics memory limit using the Citrix Machine Policysetting Display memory limit.
● XenApp: Depending on the version of the XenApp server you have installed:
● Configure the graphics memory limit using the Citrix Computer Policy settingDisplay memory limit.
● From the Citrix management console for the XenApp server, select the farm andin the task pane, select Modify Server Properties > Modify all properties >Server Default > HDX Broadcast > Display (or Modify Server Properties >Modify all properties > Server Default > ICA > Display) and set the Maximummemory to use for each session’s graphics.
Ensure the setting is large enough (in kilobytes) to provide sufficient graphic memory. Ifthis setting is not high enough, the published resource is restricted to the subset of themonitors that fits within the size specified.
For information about calculating the session's graphic memory requirements for XenAppand XenDesktop, see ctx115637.
Configuring HDX Plug-n-Play Multi-monitor Support
396
397
Printing Performance
Printing performance can play a vital role in your users’ experiences. The printingconfiguration you create affects these aspects of the user’s experience:
● User ease and comfort level
● Logon times
● Ability to print to a nearby printer when traveling or when moving between clientdevices in a building
You configure printer policy settings on the server.
User Ease and Comfort LevelIn environments with novice users, consider changing the following potentially confusingdefault printing behaviors:
● Printer names change at the start of each session. When, by default, client printersare auto-created, the printer name is appended with the name of the user device andsession. For example, auto-created client printers appear in the Print dialog box with aname like HP LaserJet 1018 (from clientname) in session 35.
To resolve this problem, you can either reduce the number of printers auto-created orprovision printers using another method. To control printer auto-creation, configure theCitrix policy setting Auto-create client printers and select one of the followingoptions:
● Do not auto-create client printers. Client printers are not auto-created.
● Auto-create the client’s default printer only. Only the client’s default printerattached to or mapped from the client preconfigured in the Control Panel isauto-created in the session.
● Auto-create local (non-network) client printers only. Any non-network printersattached to the client device preconfigured in the Control Panel are auto-createdin the session.
● Auto-create all client printers. All network printers and any printers attached to ormapped from the user device preconfigured in the Control Panel are auto-createdin the session.
● If many printers are installed by default on user devices, your users might be confusedby the large number of available printers. You can limit the printers that appear tothem in sessions.
● HDX Plug-n-Play Universal Printer uses a nonstandard printing dialog box. If your users have trouble learning new features on their own, you might not want to use the
the Universal Printer as the default printer in a session. The user interface for thisprinter is slightly different from the standard Windows print dialog box.
Logon TimesThe printing configuration you select can impact how long it takes users to start a session.When Receiver is configured to provision printers by creating them automatically at thebeginning of each session, it increases the amount of time to build the session environment.In this case, Receiver has to rebuild every printer found on the user device. You candecrease logon time by specifying any of the following on the XenApp server:
● Auto-create only the the Universal Printer. This is done automatically when youconfigure the the Universal Printer.
● Auto-create only the default printer for the client device by using the Auto-createclient printers policy setting.
● Do not auto-create any client printers through the Auto-create client printers policysetting and route print jobs to network printers by configuring the Session printerspolicy setting
Configuring Printers for Mobile WorkersIf you have users who move among workstations in the same building (for example, in ahospital setting) or move among different offices, you might want to configure ProximityPrinting. The Proximity Printing solution ensures that the closest printer is presented to theusers in their sessions, even when they change user devices during a session.
Printing Performance
398
399
To override the printer settings configuredon the server
To improve printing performance, you can configure various printing policy settings on theserver:
● Universal printing optimization defaults
● Universal printing EMF processing mode
● Universal printing image compression limit
● Universal printing print quality limit
● Printer driver mapping and compatibility
● Session printers
If you enabled Allow non-admins to modify these settings in the Universal printingoptional defaults policy setting on the server, users on their user devices can override theImage Compression and Image and Font Caching options specified in that policy setting.
To override the printer settings on the user device
1. From the Print menu available from an application on the user device, chooseProperties.
2. On the Client Settings tab, click Advanced Optimizations and make changes to theImage Compression and Image and Font Caching options.
400
To set keyboard shortcuts
You can configure combinations of keys that Receiver interprets as having specialfunctionality. When the keyboard shortcuts policy is enabled, you can specify Citrix Hotkeymappings, behavior of Windows hotkeys, and keyboard layout for sessions.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > User Experience > Keyboard shortcuts. InWindows 7 and Windows Server 2008, expand Administrative Templates and navigatethrough Classic Administrative Templates (ADM) > Citrix Components to the desiredconfiguration option.
7. From the Action menu, choose Properties, select Enabled, and choose the desiredoptions.
401
Keyboard Input in XenDesktop Sessions
Note the following about how keyboard combinations are processed in XenDesktop sessions:
● Windows logo key+L is directed to the local computer.
● CTRL+ALT+DELETE is directed to the local computer except in some cases if you use theCitrix Desktop Lock.
● Key presses that activate StickyKeys, FilterKeys, and ToggleKeys (Microsoft accessibilityfeatures) are normally directed to the local computer.
● As an accessibility feature of the Desktop Viewer, pressing CTRL+ALT+BREAK displaysthe Desktop Viewer toolbar buttons in a pop-up window.
● Windows key combinations (for example, CTRL+ESC and ALT+TAB) are directedaccording to the settings that your helpdesk has selected. For more information, seethe table below.
Note: By default, if the Desktop Viewer is maximized, ALT+TAB switches focusbetween windows inside the session. If the Desktop Viewer is displayed in a window,ALT+TAB switches focus between windows outside the session.
Hotkey sequences are key combinations designed by Citrix. For example, the CTRL+F1sequence reproduces CTRL+ALT+DELETE, and SHIFT+F2 switches applications betweenfull-screen and windowed mode. You cannot use hotkey sequences with virtual desktopsdisplayed in the Desktop Viewer (that is, with XenDesktop sessions), but you can use themwith published applications (that is, with XenApp sessions).
The table shows the remoting behavior of other Windows key combinations. The behaviordepends on whether a Desktop Viewer or a Desktop Lock session is used, and is controlledby the Local resources setting, avaliable from the Session Options task on the XenDesktopsite. XenApp settings are also shown for reference. For more information on configuring thissetting, see the Web Interface documentation.
With Localresources set to
Desktop Viewersessions have thisbehavior
Desktop Locksessions have thisbehavior
XenApp (or disabledDesktop Viewer)sessions have thisbehavior
Full screen desktopsonly
Key combinationsare sent to theremote, virtualdesktop only if theDesktop Viewerwindow has focusand is maximized(full-screen).
Key combinationsare always sent tothe remote, virtualdesktop.
Key combinationsare sent to theremote XenAppserver if the sessionis maximized(full-screen).
Remote desktop Key combinationsare sent to theremote, virtualdesktop only if theDesktop Viewerwindow has focus.
Key combinationsare always sent tothe remote, virtualdesktop.
Key combinationsare sent to theremote XenAppserver if the sessionor application hasfocus.
Local desktop Key combinationsare always kept onthe local userdevice.
Key combinationsare always kept onthe local userdevice.
Citrix does notrecommend settingLocal resources toLocal desktop if theDesktop Lock isused.
Key combinationsare always kept onthe local userdevice.
Keyboard Input in XenDesktop Sessions
402
403
Receiver Support for 32-Bit Color Icons
Receiver supports high color icons (32x32 bit) and automatically selects the color depth forapplications visible in the Citrix Connection Center dialog box, the Start menu, and task barto provide for seamless applications.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
To set a preferred depth, you can add a string registry key named TWIDesiredIconColor toHKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Preferences and set it to the desired value. The possible color depthsfor icons are 4, 8, 16, 24, and 32 bits-per-pixel. The user can select a lower color depth foricons if the network connection is slow.
404
Connecting to Virtual Desktops
From within a desktop session, users cannot connect to the same virtual desktop.Attempting to do so will disconnect the existing desktop session. Therefore, Citrixrecommends:
● Administrators should not configure the clients on a desktop to point to a site thatpublishes the same desktop
● Users should not browse to a site that hosts the same desktop if the site is configured toautomatically reconnect users to existing sessions
● Users should not browse to a site that hosts the same desktop and try to launch it
Be aware that a user who logs on locally to a computer that is acting as a virtual desktopblocks connections to that desktop.
If your users connect to virtual applications (published with XenApp) from within a virtualdesktop and your organization has a separate XenApp administrator, Citrix recommendsworking with them to define device mapping such that desktop devices are mappedconsistently within desktop and application sessions. Because local drives are displayed asnetwork drives in desktop sessions, the XenApp administrator needs to change the drivemapping policy to include network drives.
405
Securing Your Connections
To maximize the security of your environment, the connections between Receiver and theresources you publish must be secured. You can configure various types of authenticationfor your Receiver software, including enabling certificate revocation list checking, enablingsmart card support, and using Security Support Provider Interface/Kerberos Pass-ThroughAuthentication.
Windows NT Challenge/Response (NTLM) Support forImproved Security
Windows NT Challenge/Response (NTLM) authentication is supported by default oncomputers running Windows NT, Windows 2000, Windows XP, Windows 7, Windows Vista,Windows Server 2003, and Windows Server 2008.
406
To enable certificate revocation listchecking for improved security withReceiver (CitrixReceiver.exe)
When certificate revocation list (CRL) checking is enabled, Receiver checks whether or notthe server’s certificate is revoked. By forcing Receiver to check this, you can improve thecryptographic authentication of the server and the overall security of the SSL/TLSconnections between a user device and a server.
You can enable several levels of CRL checking. For example, you can configure Receiver tocheck only its local certificate list or to check the local and network certificate lists. Inaddition, you can configure certificate checking to allow users to log on only if all CRLs areverified.
Important: This option is available only with the standard Receiver (CitrixReceiver.exe)and not Receiver (Enterprise).
If you are making this change on a local computer, exit Receiver if it is running. Make sureall Receiver components, including the Connection Center, are closed.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for the Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties and select Enabled.
8. From the CRL verification drop-down menu, select one of the options.
● Disabled. No certificate revocation list checking is performed.
● Only check locally stored CRLs. CRLs that were installed or downloaded previouslyare used in certificate validation. Connection fails if the certificate is revoked.
● Require CRLs for connection. CRLs locally and from relevant certificate issuers onthe network are checked. Connection fails if the certificate is revoked or not found.
● Retrieve CRLs from network. CRLs from the relevant certificate issuers arechecked. Connection fails if the certificate is revoked.
If you do not set CRL verification, it defaults to Only check locally stored CRLs.
To enable certificate revocation list checking for improved security with Receiver (CitrixReceiver.exe)
407
408
Smart Card Support for Improved Security
Receiver smart card support is based on Microsoft Personal Computer/Smart Card (PC/SC)standard specifications. Receiver supports only smart cards and smart card devices thatare, themselves, supported by the underlying Windows operating system. A discussion ofsecurity issues related to PC/SC standards compliance is beyond the scope of thisdocument.
Enabling smart card support for Receiver is done through the Web Interface. For moreinformation, see the Web Interface Administrator’s documentation.
Note: Microsoft strongly recommends that only smart card readers tested and approvedby the Microsoft Windows Hardware Quality Lab (WHQL) be used on computers runningqualifying Windows operating systems. See http://www.microsoft.com for additionalinformation about hardware PC/SC compliance.
Receiver does not control smart card PIN management. PIN management is controlled bythe cryptographic service provider for your cards.
409
To enable pass-through authenticationwhen sites are not in Trusted Sites orIntranet zones
Your users might require pass-through authentication to the server using their user logoncredentials but cannot add sites to the Trusted Sites or Intranet zones. Enable this settingto allow pass-through authentication on all but Restricted sites.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Configuration folder for Receiver (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > User authentication > Local user name andpassword. In Windows 7 and Windows Server 2008, expand Administrative Templatesand navigate through Classic Administrative Templates (ADM) > Citrix Components tothe desired configuration option.
7. From the Local user name and password Properties menu, select Enabled, and thenselect the Enable pass-through authentication and Allow pass-through authenticationfor all ICA connections check boxes.
410
Using Security Support ProviderInterface/Kerberos Pass-ThroughAuthentication for Improved Security
This topic does not apply to XenDesktop connections.
Rather than sending user passwords over the network, Kerberos pass-through authenticationleverages Kerberos authentication in combination with Security Support Provider Interface(SSPI) security exchange mechanisms. Kerberos is an industry-standard networkauthentication protocol built into Microsoft Windows operating systems.
Kerberos logon offers security-minded users or administrators the convenience ofpass-through authentication combined with secret-key cryptography and data integrityprovided by industry-standard network security solutions. With Kerberos logon, the Receiverdoes not need to handle the password and thus prevents Trojan horse-style attacks on theuser device to gain access to users’ passwords.
Users can log on to the user device with any authentication method; for example, abiometric authenticator such as a fingerprint reader, and still access published resourceswithout further authentication.
System requirements. Kerberos logon requires Citrix Presentation Server 3.0, 4.0, or 4.5,Citrix XenApp 5.0, 6.x and Citrix Presentation Server Clients for Windows 8.x, 9.x, 10.x,XenApp Hosted Plug-in 11.x, online plug-in 12.0, 12.1, or Receiver 3.0. Kerberos works onlybetween Client/plug-ins/Receiver and servers that belong to the same or to trustedWindows 2000, Windows Server 2003, or Windows Server 2008 domains. Servers must alsobe trusted for delegation, an option you configure through the Active Directory Users andComputers management tool.
Kerberos logon is not available in the following circumstances:
● Connections configured with any of the following options in Remote Desktop Services(formerly known as Terminal Services) Configuration:
● On the General tab, the Use standard Windows authentication option
● On the Logon Settings tab, the Always use the following logon information optionor the Always prompt for password option
● Connections you route through the Secure Gateway
● If the server requires smart card logon
● If the authenticated user account requires a smart card for interactive logon
Important: SSPI requires XML Service DNS address resolution to be enabled for the serverfarm, or reverse DNS resolution to be enabled for the Active Directory domain. For moreinformation, see the Citrix XenApp administrator documentation.
Configuring Kerberos AuthenticationReceiver, by default, is not configured to use Kerberos authentication when logging on tothe server. You can set the Receiver configuration to use Kerberos with pass-throughauthentication or Kerberos with smart card pass-through authentication.
To use Kerberos authentication for your connections, you can either specify Kerberos usinga command line installation or configure Receiver using the Group Policy Editor. See theMicrosoft Group Policy documentation for more information about editing .adm files
Using Security Support Provider Interface/Kerberos Pass-Through Authentication for Improved Security
411
412
To configure Kerberos with pass-throughauthentication
This topic does not apply to XenDesktop connections.
Use Kerberos with pass-through authentication if you want to use Kerberos with Receiver.
When Receiver configurations are set to use Kerberos with pass-through authentication,Receiver uses Kerberos authentication first and uses pass-through authentication if Kerberosfails.
The user cannot disable this Receiver configuration from the user interface.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates, navigate throughCitrix Components > Citrix Receiver > User authentication, double click Kerberosauthentication and select Enabled. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > User authentication > Local user name andpassword. In Windows 7 and Windows Server 2008, expand Administrative Templatesand navigate through Classic Administrative Templates (ADM) > Citrix Components tothe desired configuration option.
8. From the Action menu, choose Properties and select Enabled > Enable pass-throughauthentication.
To apply the setting, close and restart Receiver on the user device.
413
Securing Citrix Receiver Communication
To secure the communication between your server farm and Receiver, you can integrateyour Receiver connections to the server farm with a range of security technologies,including:
● A SOCKS proxy server or secure proxy server (also known as security proxy server,HTTPS proxy server, or SSL tunneling proxy server). You can use proxy servers to limitaccess to and from your network and to handle connections between Receiver andservers. Receiver supports SOCKS and secure proxy protocols.
● Secure Gateway for Citrix XenApp or SSL Relay solutions with Secure Sockets Layer (SSL)and Transport Layer Security (TLS) protocols.
● A firewall. Network firewalls can allow or block packets based on the destinationaddress and port. If you are using Receiver through a network firewall that maps theserver's internal network IP address to an external Internet address (that is, networkaddress translation, or NAT), configure the external address.
● Trusted server configuration.
Note: For information about increasing security in application streaming for desktops, seethe Citrix Knowledge Base article Enhancing Security in Application Streaming forDesktops.
Receiver is compatible with and functions in environments where the Microsoft SpecializedSecurity - Limited Functionality (SSLF) desktop security templates are used. Thesetemplates are supported on the Microsoft Windows XP, Windows Vista, and Windows 7platforms. Refer to the Windows XP, Windows Vista, and Windows 7 security guidesavailable at http://technet.microsoft.com for more information about the templates andrelated settings.
414
Support for Microsoft Security Templates
Receiver is compatible with and functions in environments where the Microsoft SpecializedSecurity - Limited Functionality (SSLF) desktop security templates are used. Thesetemplates are supported on the Microsoft Windows XP, Windows Vista, and Windows 7platforms. Refer to the Windows XP, Windows Vista, and Windows 7 security guidesavailable at http://technet.microsoft.com for more information about the templates andrelated settings.
415
Connecting the Citrix Receiver through aProxy Server
Proxy servers are used to limit access to and from your network, and to handle connectionsbetween Receivers and servers. Receiver supports SOCKS and secure proxy protocols.
When communicating with the server farm, Receiver uses proxy server settings that areconfigured remotely on the server running the Web Interface. See the topics for WebInterface for information about configuring proxy server settings.
In communicating with the Web server, Receiver uses the proxy server settings that areconfigured through the Internet settings of the default Web browser on the user device.You must configure the Internet settings of the default Web browser on the user deviceaccordingly.
416
Connecting with the Secure Gateway orCitrix Secure Sockets Layer Relay
You can integrate Receiver with the Secure Gateway or Secure Sockets Layer (SSL) Relayservice. Receiver supports both SSL and TLS protocols.
● SSL provides strong encryption to increase the privacy of your ICA connections andcertificate-based server authentication to ensure the server you are connecting to is agenuine server.
● TLS (Transport Layer Security) is the latest, standardized version of the SSL protocol.The Internet Engineering Taskforce (IETF) renamed it TLS when it took overresponsibility for the development of SSL as an open standard. TLS secures datacommunications by providing server authentication, encryption of the data stream, andmessage integrity checks. Because there are only minor technical differences betweenSSL Version 3.0 and TLS Version 1.0, the certificates you use for SSL in your softwareinstallation will also work with TLS. Some organizations, including U.S. governmentorganizations, require the use of TLS to secure data communications. Theseorganizations may also require the use of validated cryptography, such as FIPS 140(Federal Information Processing Standard). FIPS 140 is a standard for cryptography.
417
Connecting with the Secure Gateway
You can use the Secure Gateway in either Normal mode or Relay mode to provide a securechannel for communication between Receiver and the server. No Receiver configuration isrequired if you are using the Secure Gateway in Normal mode and users are connectingthrough the Web Interface.
Receiver uses settings that are configured remotely on the server running the Web Interfaceto connect to servers running the Secure Gateway. See the topics for the Web Interface forinformation about configuring proxy server settings for Receiver.
If the Secure Gateway Proxy is installed on a server in the secure network, you can use theSecure Gateway Proxy in Relay mode. See the topics for the Secure Gateway for moreinformation about Relay mode.
If you are using Relay mode, the Secure Gateway server functions as a proxy and you mustconfigure Receiver to use:
● The fully qualified domain name (FQDN) of the Secure Gateway server.
● The port number of the Secure Gateway server. Note that Relay mode is not supportedby Secure Gateway Version 2.0.
The FQDN must list, in sequence, the following three components:
● Host name
● Intermediate domain
● Top-level domain
For example: my_computer.my_company.com is an FQDN, because it lists, in sequence, ahost name (my_computer), an intermediate domain (my_company), and a top-level domain(com). The combination of intermediate and top-level domain (my_company.com) isgenerally referred to as the domain name.
418
Connecting with Citrix SSL Relay
By default, Citrix SSL Relay uses TCP port 443 on the XenApp server for SSL/TLS-securedcommunication. When the SSL Relay receives an SSL/TLS connection, it decrypts the databefore redirecting it to the server, or, if the user selects SSL/TLS+HTTPS browsing, to theCitrix XML Service.
If you configure SSL Relay to listen on a port other than 443, you must specify thenonstandard listening port number to the plug-in.
You can use Citrix SSL Relay to secure communications:
● Between an SSL/TLS-enabled client and a server. Connections using SSL/TLS encryptionare marked with a padlock icon in the Citrix Connection Center.
● With a server running the Web Interface, between the XenApp server and the Webserver.
For information about configuring and using SSL Relay to secure your installation, see theCitrix XenApp administrator’s documentation. For information about configuring the serverrunning the Web Interface to use SSL/TLS encryption, see the Web Interface administrator’sdocumentation.
419
User Device Requirements
In addition to the requirements contained in the System Requirements and Compatibility forCitrix Receiver for Windows 3.0, you also must ensure that:
● The user device supports 128-bit encryption
● The user device has a root certificate installed that can verify the signature of theCertificate Authority on the server certificate
● Receiver is aware of the TCP listening port number used by the SSL Relay service in theserver farm
● Any service packs or upgrades that Microsoft recommends are applied
If you are using Internet Explorer and you are not certain about the encryption level of yoursystem, visit the Microsoft Web site at http://www.microsoft.com to install a service packthat provides 128-bit encryption.
Important: Receiver supports certificate key lengths of up to 4096 bits. Ensure that thebit lengths of your Certificate Authority root and intermediate certificates, and those ofyour server certificates, do not exceed the bit length your Receiver supports orconnection might fail.
420
To apply a different listening port numberfor all connections
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the plug-in Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties, select Enabled, and type a new portnumber in the Allowed SSL servers text box in the following format: server:SSL relayport number where SSL relay port number is the number of the listening port. You canuse a wildcard to specify multiple servers. For example, *.Test.com:SSL relay portnumber matches all connections to Test.com through the specified port.
421
To apply a different listening port numberto particular connections only
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already added the icaclient template to the Group Policy Editor, you canomit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification. In Windows 7 and Windows Server 2008, expandAdministrative Templates and navigate through Classic Administrative Templates(ADM) > Citrix Components to the desired configuration option.
7. From the Action menu, choose Properties, select Enabled, and type acomma-separated list of trusted servers and the new port number in the Allowed SSLservers text box in the following format: servername:SSL relay portnumber,servername:SSL relay port number where SSL relay port number is the numberof the listening port. You can specify a comma-separated list of specific trusted SSLservers similar to this example:
csghq.Test.com:443,fred.Test.com:443,csghq.Test.com:444
which translates into the following in an example appsrv.ini file: [Word]SSLProxyHost=csghq.Test.com:443
[Excel]
SSLProxyHost=csghq.Test.com:444
[Notepad]
SSLProxyHost=fred.Test.com:443
422
Configuring and Enabling Receivers forSSL and TLS
SSL and TLS are configured in the same way, use the same certificates, and are enabledsimultaneously.
When SSL and TLS are enabled, each time you initiate a connection, Receiver tries to useTLS first and then tries SSL. If it cannot connect with SSL, the connection fails and an errormessage appears.
To force Receiver to connect with TLS, you must specify TLS on the Secure Gateway serveror SSL Relay service. See the topics for the Secure Gateway or your SSL Relay servicedocumentation for more information.
In addition, make sure the user device meets all system requirements.
To use SSL/TLS encryption for all Receiver communications, configure the user device,Receiver, and the server running the Web Interface.
423
Installing Root Certificates on the UserDevices
To use SSL/TLS to secure communications between a SSL/TLS-enabled Receiver and theserver farm, you need a root certificate on the user device that can verify the signature ofthe Certificate Authority on the server certificate.
Receiver supports the Certificate Authorities that are supported by the Windows operatingsystem. The root certificates for these Certificate Authorities are installed with Windowsand managed using Windows utilities. They are the same root certificates that are used byMicrosoft Internet Explorer.
If you use your own Certificate Authority, you must obtain a root certificate from thatCertificate Authority and install it on each user device. This root certificate is then usedand trusted by both Microsoft Internet Explorer and Receiver.
You might be able to install the root certificate using other administration or deploymentmethods, such as:
● Using the Microsoft Internet Explorer Administration Kit (IEAK) Configuration Wizard andProfile Manager
● Using third-party deployment tools
Make sure that the certificates installed by your Windows operating system meet thesecurity requirements for your organization or use the certificates issued by yourorganization’s Certificate Authority.
424
To configure Citrix Receiver to useSSL/TLS
1. To use SSL/TLS to encrypt application enumeration and launch data passed betweenReceiver and the server running the Web Interface, configure the appropriate settingsusing the Web Interface. You must include the computer name of the XenApp serverthat is hosting the SSL certificate.
2. To use secure HTTP (HTTPS) to encrypt the configuration information passed betweenReceiver and the server running the Web Interface, enter the server URL in the formathttps://servername. In the Windows notification area, right-click the Receiver icon andchoose Preferences.
3. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.
425
To configure TLS support
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by running gpedit.msc locally fromthe Start menu when applying this to a single computer or by using the Group PolicyManagement Console when using Active Directory.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification.
7. From the Action menu, choose Properties, select Enabled, and from the drop-downmenus, select the TLS settings.
● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected,Receiver connects using TLS encryption. If a connection using TLS fails, Receiverconnects using SSL.
● Set SSL ciphersuite to Detect version to have Receiver negotiate a suitableciphersuite from the Government and Commercial ciphersuits. You can restrict theciphersuites to either Government or Commercial.
● Set CRL verification to Require CRLs for connection requiring Receiver to try toretrieve Certificate Revocation Lists (CRLs) from the relevant certificate issuers.
426
To use the Group Policy template to meetFIPS 140 security requirements
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
To meet FIPS 140 security requirements, use the Group Policy template to configure theparameters or include the parameters in the Default.ica file on the server running the WebInterface. See the information about Web Interface for additional information about theDefault.ica file.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 3 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification.
7. From the Action menu, choose Properties, select Enabled, and from the drop-downmenus, select the correct settings.
● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected,Receiver tries to connect using TLS encryption. If a connection using TLS fails,Receiver tries to connect using SSL.
● Set SSL ciphersuite to Government.● Set CRL verification to Require CRLs for connection.
427
To configure the Web Interface to useSSL/TLS when communicating with CitrixReceiver
When using the Web Interface, specify the computer name of the server hosting the SSLcertificate. See the information about Web Interface for more details about using SSL/TLSto secure communications between Receiver and the Web server.
1. From the Configuration settings menu, select Server Settings.
2. Select Use SSL/TLS for communications between clients and the Web server.
3. Save your changes.
Selecting SSL/TLS changes all URLs to use HTTPS protocol.
428
To configure Citrix XenApp to useSSL/TLS when communicating with CitrixReceiver
You can configure the XenApp server to use SSL/TLS to secure the communications betweenReceiver and the server.
1. From the Citrix management console for the XenApp server, open the Properties dialogbox for the application you want to secure.
2. Select Advanced > Client options and ensure that you select Enable SSL and TLSprotocols.
3. Repeat these steps for each application you want to secure.
When using the Web Interface, specify the computer name of the server hosting the SSLcertificate. See the information about Web Interface for more details about using SSL/TLSto secure communications between Receiver and the Web server.
429
To configure Citrix Receiver to useSSL/TLS when communicating with theserver running the Web Interface
You can configure Receiver to use SSL/TLS to secure the communications between Receiverand the server running the Web Interface.
Ensure that a valid root certificate is installed on the user device. For more information,see Installing Root Certificates on the User Devices.
1. In the Windows notification area, right-click the Receiver icon and choosePreferences.
2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.
3. The Change Server screen displays the currently configured URL. Enter the server URLin the text box in the format https://servername to encrypt the configuration datausing SSL/TLS.
4. Click Update to apply the change.
5. Enable SSL/TLS in the client device browser. For more information about enablingSSL/TLS in the browser, see the online Help for the browser.
430
ICA File Signing - Protection AgainstApplication or Desktop Launches FromUntrusted Servers
The ICA File Signing feature helps protect users from unauthorized application or desktoplaunches.Citrix Receiver verifies that a trusted source generated the application or desktoplaunch based on administrative policy and protects against launches from untrusted servers.You can configure this Receiver security policy for application or desktop launch signatureverification using Group Policy Objects or Citrix Merchandising Server. ICA file signing is notenabled by default and is not supported with Dazzle 1.1 or earlier.
The Web Interface enables and configures application or desktop launches to include asignature during the launch process using the Citrix ICA File Signing Service. The service cansign ICA files using a certificate from the computer's personal certificate store.
The Citrix Merchandising Server with Receiver enables and configures launch signatureverification using the Citrix Merchandising Server Adminstrator Console > Deliverieswizard to add trusted certificate thumbprints.
To use Group Policy Objects to enable and configure application or desktop launchsignature verification, follow this procedure:
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the ica-file-signing.adm template into the Group PolicyEditor, you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select ica-file-signing.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Enable ICA File Signing. In Windows 7 and Windows Server 2008,expand Administrative Templates and navigate through Classic AdministrativeTemplates (ADM) > Citrix Components to the desired configuration option.
7. If you choose Enabled, you can add signing certificate thumbprints to the white list of trusted certificate thumbprints or remove signing certificate thumbprints from the white list by clicking Show and using the Show Contents screen. You can copy and paste the signing certificate thumbprints from the signing certificate properties. Use
the Policy drop-down menu to select Only allow signed launches (more secure) orPrompt user on unsigned launches (less secure).
Option Description
Only allow signed launches (moresecure)
Allows only properly signed applicationor desktop launches from a trustedserver. The user sees a Security Warningmessage in Receiver if an application ordesktop launch has an invalid signature.The user cannot continue and theunauthorized launch is blocked.
Prompt user on unsigned launches (lesssecure)
Prompts the user every time an unsignedor invalidly signed application or desktopattempts to launch. The user can eithercontinue the application launch or abortthe launch (default).
ICA File Signing - Protection Against Application or Desktop Launches From Untrusted Servers
431
432
Selecting and Distributing a DigitalSignature Certificate
When selecting a digital signature certificate, Citrix recommends you choose from thisprioritized list:
1. Buy a code-signing certificate or SSL signing certificate from a public CertificateAuthority (CA).
2. If your enterprise has a private CA, create a code-signing certificate or SSL signingcertificate using the private CA.
3. Use an existing SSL certificate, such as the Web Interface or Self-service Plug-in servercertificate.
4. Create a new root CA certificate and distribute it to user devices using GPO or manualinstallation.
433
Configuring a Web Browser and ICA Fileto Enable Single Sign-on and ManageSecure Connections to Trusted Servers
To use Single sign-on (SSO) and to manage secure connections to trusted servers, add theCitrix server's site address to the Local intranet or Trusted sites zones in Internet Explorerunder Tools > Internet Options > Security on the user device. The address can include thewildcard (*) formats supported by the Internet Security Manager (ISM) or be as specific asprotocoll://URL[:port].
The same format must be used in both the ICA file and the sites entries. For example, if youuse a fully qualified domain name (FQDN) in the ICA file, you must use an FQDN in the siteszone entry. XenDesktop connections use only a desktop group name format.
Supported Formats (Including Wildcards)http[s]://10.2.3.4
http[s]://10.2.3.*
http[s]://hostname
http[s]://fqdn.example.com
http[s]://*.example.com
http[s]://cname.*.example.com
http[s]://*.example.co.uk
desktop://group-20name
ica[s]://xaserver1
ica[s]://xaserver1.example.com
Launching SSO or Using Secure Connections withWeb Interface
Add the exact address of the Web Interface site in the sites zone.
Example Web Interface Site Addresses
https://my.company.com
http://10.20.30.40
http://server-hostname:8080
https://SSL-relay:444
XenDesktop Connections with Desktop ViewerAdd the address in the form desktop://Desktop Group Name. If the desktop group namecontains spaces, replace each space with -20.
Custom ICA Entry FormatsUse one of the following formats in the ICA file for the Citrix server site address. Use thesame format to add it to the Local intranet or Trusted sites zones in Internet Explorerunder Tools > Internet Options > Security on the user device:
Example of ICA File HttpBrowserAddress Entry
HttpBrowserAddress=XMLBroker.XenappServer.example.com:8080
Examples of ICA File XenApp Server Address Entry
If the ICA file contains only the XenApp server Address field, use one of the following entryformats:
icas://10.20.30.40:1494
icas://my.xenapp-server.company.com
ica://10.20.30.40
Configuring a Web Browser and ICA File to Enable Single Sign-on and Manage Secure Connections to Trusted Servers
434
435
To set client resource permissions
You can set client resource permissions using trusted and restricted site regions by:
● Adding the Web Interface site to the Trusted Site list
● Making changes to new registry settings
Note: Due to enhancements to Receiver, the .ini procedure available in earlier versionsof the plug-in/Receiver is replaced with these procedures.
Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.
To add the Web Interface site to the trusted site list1. From the Internet Explorer Tools menu, choose Internet Options > Security.
2. Select the Trusted sites icon and click the Sites button.
3. In the Add this website to the zone text field, type the URL to your Web Interface siteand click Add.
4. Download the registry settings from http://support.citrix.com/article/CTX124871.htmland make any registry changes. Use SsonRegUpx86.reg for Win32 user devices andSsonRegUpx64.reg for Win64 user devices.
5. Log off and then log on to the user device.
To change client resource permissions in the registry1. Download the registry settings from http://support.citrix.com/article/CTX124871.html
and import the settings on each user device. Use SsonRegUpx86.reg for Win32 userdevices and SsonRegUpx64.reg for Win64 user devices.
2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Client Selective Trust and in the appropriate regions, change the default value tothe required access values for any of the following resources:
Resource key Resource description
FileSecurityPermission Client drives
MicrophoneAndWebcamSecurityPermission Microphones and webcams
PdaSecurityPermission PDA devices
ScannerAndDigitalCameraSecurityPermission USB and other devices
Value Description
0 No Access
1 Read-only access
2 Full access
3 Prompt user for access
To set client resource permissions
436
437
Enabling Smart Card Logon
Enabling smart card logon allows users to use smart cards instead of passwords toauthenticate to XenApp servers. You can use smart card logon either with or withoutpass-through authentication.
You must enable smart card support on the server and set up and configure the user deviceproperly with third-party smart card hardware and software. Refer to the documentationthat came with your smart card equipment for instructions about deploying smart cardswithin your network.
The smart card removal policy set on XenApp determines what happens if you remove thesmart card from the reader during an ICA session. The smart card removal policy isconfigured through and handled by the Windows operating system.
● Kerberos pass-through authentication requires a smart card inserted in the smart cardreader at logon time only. With this logon mode selected, the plug-in prompts the userfor a smart card PIN (Personal Identification Number) when it starts up. Kerberospass-through authentication then caches the PIN and passes it to the server every timethe user requests a published resource. The user does not have to subsequently reentera PIN to access published resources or have the smart card continuously inserted. Ifauthentication based on the cached PIN fails or if a published resource itself requiresuser authentication, the user continues to be prompted for a PIN.
● Disabling pass-through authentication requires a smart card to be present in the smartcard reader whenever the user accesses a server. With pass-through disabled, theplug-in prompts the user for a smart card PIN when it starts up and every time the userrequests a published resource.
438
Enforcing Trust Relations
Trusted server configuration is designed to identify and enforce trust relations involved inReceiver connections. This trust relationship increases the confidence of Receiveradministrators and users in the integrity of data on user devices and prevents the malicioususe of Receiver connections.
When this feature is enabled, Receivers can specify the requirements for trust anddetermine whether or not they trust a connection to the server. For example, a Receiverconnecting to a certain address (such as https://*.citrix.com) with a specific connectiontype (such as SSL) is directed to a trusted zone on the server.
When trusted server configuration is enabled, XenApp servers or the Access Gateway mustreside in a Windows Trusted Sites zone. (For step-by-step instructions about adding serversto the Windows Trusted Sites zone, see the Internet Explorer online help.)
If you connect using SSL, add the server name in the format https://CN, where CN is theCommon Name shown on the SSL certificate. Otherwise, use the format that Receiver usesto connect; for example if Receiver connects using an IP address, add the server’s IPaddress.
To enable trusted server configuration
If you are changing this on a local computer, close all Receiver components, including theConnection Center.
1. As an administrator, open the Group Policy Editor by either running gpedit.msc locallyfrom the Start menu when applying policies to a single computer or by using the GroupPolicy Management Console when applying domain policies.
Note: If you already imported the icaclient template into the Group Policy Editor,you can omit Steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Choose Add and browse to the Receiver Configuration folder (usually C:\ProgramFiles\Citrix\ICA Client\Configuration) and select icaclient.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
6. Expand the Administrative Templates folder under the User Configuration node.
7. From the Group Policy Editor, expand Administrative Templates and navigate throughCitrix Components > Citrix Receiver > Network Routing > Configure trusted serverconfiguration. In Windows 7 and Windows Server 2008, expand AdministrativeTemplates and navigate through Classic Administrative Templates (ADM) > CitrixComponents to the desired configuration option.
8. From the Action menu, choose Properties and select Enabled.
439
Elevation Level and wfcrun32.exe
When User Access Control (UAC) is enabled on devices running Windows Vista or later, onlyprocesses at the same elevation/integrity level as wfcrun32.exe can launch publishedapplications.
Example 1:
When wfcrun32.exe is running as a normal user (un-elevated), other processes such asReceiver must be running as a normal user to launch applications through wfcrun32.
Example 2:
When wfcrun32.exe is running in elevated mode, other processes such as ConnectionCenter, Receiver, and third party applications using the ICA Client Object that are runningin non-elevated mode cannot communicate with wfcrun32.exe.
440
ICA Settings Reference
ChannelNameChannelName
ClientAudioAudioDevice(2) AudioHWSection AudioInWakeOnInput AudioOutWakeOnOutput
CommandAckThresh ControlPollTime ConverterSection DataAckThresh
MaxDataBufferSize MaxMicBufferSize NumCommandBuffers NumDataBuffers
PlaybackDelayThresh VariantName
ClientCommCOMAllowed(2) CommPollSize CommPollWaitInc CommPollWaitIncTime
CommPollWaitMax CommPollWaitMin CommWakeOnInput MaxPort, WindowSize
ClientDriveCDMReadOnly DisableDrives EnableAsyncWrites EnableReadAhead
MaxOpenContext MaxWindowSize NativeDriveMapping SFRAllowed
ClientPrinterPortPrinterThreadPriority PrintMaxRetry WindowSize WindowsPrinter
ClientPrinterQueuePrinterResetTime UnicodeEnabled VSLAllowed(2) WindowSize
WindowsPrinter WindowSize2
CompressDriverNameWin32(12)
DefaultSerialConnectionDTR
DelegationLockdownProfiles, RegionIdentification
DynamicAcceptURLType Address(2) BUCC(2) Command
DesiredColor(5) DriverNameAlt DriverNameAltWin32 DriverNameWin32(12)
InitialProgram(2) LongCommandLine(2) Path ProxyHost(3)
RECD(2) RejectURLType REWD(2) RtpAudioLowestPort
SessionSharingLaunchOnly SSOnCredentialType(3) startIFDCD(3) startSCD(2)
UseAlternateAddress(3) Username(3)
EncodingInputEncoding
EncRC-5-0, EncRC-5-40, EncRC-5-56, andEncRC-5-128
DriverNameWin32(12)
ICA 3.0BufferLength BufferLength2 DriverNameWin32(12) VirtualDriver
VirtualDriverEx
LoggingLogConfigurationAccess, LogEvidence, LogFile
PingPingCount
ICA Settings Reference
441
PrelaunchApplicationState Schedule UserOverride
qwertyLicenseType, startIFDCD(3)
ICA Settings Reference
442
ServerAddress(2) InitialProgram(2) ScalingWidth
AECD IOBase Schedule
AltProxyAutoConfigURL(2) KeyboardTimer(2) ScreenPercent
AltProxyBypassList(2) Launcher SecureChannelProtocol(2)
AltProxyHost(2) LaunchReference SecurityTicket
AltProxyPassword(2) LocHttpBrowserAddress SessionSharingKey
AltProxyType(2) LogFlush SessionSharingName
AudioBandwidthLimit LogonTicket SmartcardRequired(2)
AudioDuringDetach LogonTicketType SpeedScreenMMA
AUTHPassword LongCommandLine(2) SpeedScreenMMAAudioEnabled
AUTHUserName LPWD SpeedScreenMMAMaxBufferThreshold
AutoLogonAllowed LVBMode(2) SpeedScreenMMAMaximumBufferSize
BrowserProtocol MouseTimer SpeedScreenMMAMinBufferThreshold
BUCC(2) MSIEnabled SpeedScreenMMASecondsToBuffer
CFDCD NDS SpeedScreenMMAVideoEnabled
ClearPassword NRUserName SSLCACert
ClientAudio NRWD SSLCertificateRevocationCheckPolicy(2)
Password SSLCommonName
COCD PersistentCacheEnabled SSLEnable
ConnectionFriendlyName pnStartSCD SSLNoCACerts(2)
DataBits ProxyAuthenticationBasic(2) SSLProxyHost(2)
DesiredColor(5) ProxyAuthenticationNTLM(2) SSOnCredentialType(3)
DeviceName ProxyAuthenticationPrompt(2) SSOnDetected
DisableCtrlAltDel ProxyAutoConfigURL(2) startIFDCD(3)
DisableMMMaximizeSupport ProxyBypassList startSCD(2)
Domain ProxyFallback(2) TRWD
DoNotUseDefaultCSL ProxyFavorIEConnectionSetting(2) TWIEmulateSystray
EnableAudioInput ProxyHost(3) TWIMode
EnableClientSelectiveTrust ProxyPassword(2) TWISuppressZZEcho
EnableOSS ProxyTimeout TWITaskbarGroupingMode
EnableRtpAudio ProxyUseDefault UseAlternateAddress(3)
EnableSessionSharing ProxyUseFQDN(2) UseDefaultEncryption
EnableSessionSharingClient ProxyUsername UseLocalUserAndPassword(2)
EnableSessionSharingHost(2) RECD(2) UseMRUBrowserPrefs
EncryptionLevelSession REWD(2) Username(3)
ICA Settings Reference
443
endIFDCD RtpAudioHighestPort VirtualChannels
FONTSMOOTHINGTYPE WorkDirectory
FriendlyName ScalingHeight ZLAutoHiLimit
ICASOCKSProtocolVersion(2) ScalingHeight ZLAutoLowLimit
ICASOCKSProxyHost(2) ScalingMode ZLKeyboardMode
ICASOCKSProxyPortNumber(2) ScalingPercent ZLMouseMode
InitialProgram
SmartcardBypassSmartcardDomain BypassSmartcardPassword BypassSmartcardUsername PCSCCodePage
PCSCLibraryName SmartcardRequired(2) Username(3)
TCP/IPDefaultHttpBrowserAddress, DriverNameWin32(12), ICAPortNumber
Thinwire 3.0DesiredColor(5) InstallColormap PersistentCacheMinBitmap(2) PersistentCacheSize(2)
Tw2CachePower TW2StopwatchMinimum TW2StopwatchScale TWIFullScreenMode
WindowManagerMoveIgnored WindowManagerMoveTimeout WindowsCache
TransportBrowserRetry(2) BrowserTimeout(2) HttpBrowserAddress OutBufCountClient
OutBufCountClient2 OutBufCountHost OutBufCountHost2 OutBufLength
ICA Settings Reference
444
WFClientAllowAudioInput Hotkey1Shift PNPDeviceAllowed
AllowVirtualDriverEx Hotkey2Char Port1
AllowVirtualDriverExLegacy Hotkey2Shift Port2
AltProxyAutoConfigURL(2) Hotkey3Char POSDeviceAllowed
AltProxyBypassList(2) Hotkey3Shift PrinterFlowControl
AltProxyHost(2) Hotkey4Char ProxyAuthenticationBasic(2)
AltProxyPassword(2) Hotkey4Shift ProxyAuthenticationKerberos
AltProxyType(2) Hotkey5Char ProxyAuthenticationNTLM(2)
AlwaysSendPrintScreen Hotkey5Shift ProxyAuthenticationPrompt(2)
AppendUsername Hotkey6Char ProxyAutoConfigURL(2)
BrowserRetry(2) Hotkey6Shift ProxyBypassList
BrowserTimeout(2) Hotkey7Char ProxyFallback(2)
CbChainInterval Hotkey7Shift ProxyFavorIEConnectionSetting(2)
CDMAllowed Hotkey8Char ProxyHost(3)
CGPAddress Hotkey8Shift ProxyPassword(2)
ClientName Hotkey9Char ProxyPort
ClipboardAllowed Hotkey9Shift ProxyType
ColorMismatchPrompt_Have16_Want256 HotkeyJPN%dChar ProxyUseFQDN(2)
ColorMismatchPrompt_Have16M_Want256 HowManySkipRedrawPerPaletteChange ReadersStatusPollPeriod
ColorMismatchPrompt_Have64K_Want256 ICAHttpBrowserAddress RemoveICAFile
COMAllowed(2) ICAKeepAliveEnabled ResMngrRunningPollPeriod
ContentRedirectionScheme ICAKeepAliveInterval SecureChannelProtocol(2)
CPMAllowed ICAPrntScrnKey SessionReliabilityTTL
CRBrowserAcceptURLtype ICASOCKSProtocolVersion(2) SkipRedrawPerPaletteChange
CRBrowserCommand ICASOCKSProxyHost(2) SmartCardAllowed
CRBrowserPath ICASOCKSProxyPortNumber(2) SSLCertificateRevocationCheckPolicy(2)
CRBrowserPercentS KeyboardLayout SSLCiphers
CRBrowserRejectURLtype KeyboardSendLocale SSLNoCACerts(2)
CREnabled KeyboardType SSLProxyHost(2)
CRPlayerAcceptURLtype KeyboardTimer(2) SSOnCredentialType(3)
CRPlayerCommand LocalIME SSOnUserSetting
CRPlayerPath LogAppend SSPIEnabled
CRPlayerPercentS LogConnect SucConnTimeout
CRPlayerRejectURLtype LogErrors SwapButtons
CustomConnectionsIconOff LogFileGlobalPath TransparentKeyPassthrough
ICA Settings Reference
445
DeferredUpdateMode LogFileWin32 TransportReconnectDelay
DesiredColor(5) Lpt1 TransportReconnectEnabled
DisableSound Lpt2 TransportReconnectRetries
DisableUPDOptimizationFlag Lpt3 TransportSilentDisconnect
DynamicCDM LVBMode(2) TwainAllowed
EmulateMiddleMouseButton MinimizeOwnedWindows TWIIgnoreWorkArea
EmulateMiddleMouseButtonDelay MissedKeepaliveWarningMsg TWISeamlessFlag
EnableInputLanguageToggle MissedKeepaliveWarningTime TWIShrinkWorkArea
EnableSessionSharingHost(2) MouseWheelMapping UseAlternateAddress(3)
EnableSSOnThruICAFile PassThroughLogoff UsersShareIniFiles
FastIdlePollDelay PercentS VirtualCOMPortEmulation
ForceLVBMode PersistentCacheGlobalPath VSLAllowed(2)
FullScreenBehindLocalTaskbar PersistentCacheMinBitmap(2) Win32FavorRetainedPrinterSettings
FullScreenOnly PersistentCachePath WpadHost
Hotkey10Char PersistentCachePercent XmlAddressResolutionType
Hotkey10Shift PersistentCacheSize(2) ZLDiskCacheSize
Hotkey1Char PersistentCacheUsrRelPath ZLFntMemCacheSize
ICA Settings Reference
446
447
ICA Settings Reference
ChannelNameChannelName
ClientAudioAudioDevice(2) AudioHWSection AudioInWakeOnInput AudioOutWakeOnOutput
CommandAckThresh ControlPollTime ConverterSection DataAckThresh
MaxDataBufferSize MaxMicBufferSize NumCommandBuffers NumDataBuffers
PlaybackDelayThresh VariantName
ClientCommCOMAllowed(2) CommPollSize CommPollWaitInc CommPollWaitIncTime
CommPollWaitMax CommPollWaitMin CommWakeOnInput MaxPort, WindowSize
ClientDriveCDMReadOnly DisableDrives EnableAsyncWrites EnableReadAhead
MaxOpenContext MaxWindowSize NativeDriveMapping SFRAllowed
ClientPrinterPortPrinterThreadPriority PrintMaxRetry WindowSize WindowsPrinter
ClientPrinterQueuePrinterResetTime UnicodeEnabled VSLAllowed(2) WindowSize
WindowsPrinter WindowSize2
CompressDriverNameWin32(12)
DefaultSerialConnectionDTR
DelegationLockdownProfiles, RegionIdentification
DynamicAcceptURLType Address(2) BUCC(2) Command
DesiredColor(5) DriverNameAlt DriverNameAltWin32 DriverNameWin32(12)
InitialProgram(2) LongCommandLine(2) Path ProxyHost(3)
RECD(2) RejectURLType REWD(2) RtpAudioLowestPort
SessionSharingLaunchOnly SSOnCredentialType(3) startIFDCD(3) startSCD(2)
UseAlternateAddress(3) Username(3)
EncodingInputEncoding
EncRC-5-0, EncRC-5-40, EncRC-5-56, andEncRC-5-128
DriverNameWin32(12)
ICA 3.0BufferLength BufferLength2 DriverNameWin32(12) VirtualDriver
VirtualDriverEx
LoggingLogConfigurationAccess, LogEvidence, LogFile
PingPingCount
ICA Settings Reference
448
PrelaunchApplicationState Schedule UserOverride
qwertyLicenseType, startIFDCD(3)
ICA Settings Reference
449
ServerAddress(2) InitialProgram(2) ScalingWidth
AECD IOBase Schedule
AltProxyAutoConfigURL(2) KeyboardTimer(2) ScreenPercent
AltProxyBypassList(2) Launcher SecureChannelProtocol(2)
AltProxyHost(2) LaunchReference SecurityTicket
AltProxyPassword(2) LocHttpBrowserAddress SessionSharingKey
AltProxyType(2) LogFlush SessionSharingName
AudioBandwidthLimit LogonTicket SmartcardRequired(2)
AudioDuringDetach LogonTicketType SpeedScreenMMA
AUTHPassword LongCommandLine(2) SpeedScreenMMAAudioEnabled
AUTHUserName LPWD SpeedScreenMMAMaxBufferThreshold
AutoLogonAllowed LVBMode(2) SpeedScreenMMAMaximumBufferSize
BrowserProtocol MouseTimer SpeedScreenMMAMinBufferThreshold
BUCC(2) MSIEnabled SpeedScreenMMASecondsToBuffer
CFDCD NDS SpeedScreenMMAVideoEnabled
ClearPassword NRUserName SSLCACert
ClientAudio NRWD SSLCertificateRevocationCheckPolicy(2)
Password SSLCommonName
COCD PersistentCacheEnabled SSLEnable
ConnectionFriendlyName pnStartSCD SSLNoCACerts(2)
DataBits ProxyAuthenticationBasic(2) SSLProxyHost(2)
DesiredColor(5) ProxyAuthenticationNTLM(2) SSOnCredentialType(3)
DeviceName ProxyAuthenticationPrompt(2) SSOnDetected
DisableCtrlAltDel ProxyAutoConfigURL(2) startIFDCD(3)
DisableMMMaximizeSupport ProxyBypassList startSCD(2)
Domain ProxyFallback(2) TRWD
DoNotUseDefaultCSL ProxyFavorIEConnectionSetting(2) TWIEmulateSystray
EnableAudioInput ProxyHost(3) TWIMode
EnableClientSelectiveTrust ProxyPassword(2) TWISuppressZZEcho
EnableOSS ProxyTimeout TWITaskbarGroupingMode
EnableRtpAudio ProxyUseDefault UseAlternateAddress(3)
EnableSessionSharing ProxyUseFQDN(2) UseDefaultEncryption
EnableSessionSharingClient ProxyUsername UseLocalUserAndPassword(2)
EnableSessionSharingHost(2) RECD(2) UseMRUBrowserPrefs
EncryptionLevelSession REWD(2) Username(3)
ICA Settings Reference
450
endIFDCD RtpAudioHighestPort VirtualChannels
FONTSMOOTHINGTYPE WorkDirectory
FriendlyName ScalingHeight ZLAutoHiLimit
ICASOCKSProtocolVersion(2) ScalingHeight ZLAutoLowLimit
ICASOCKSProxyHost(2) ScalingMode ZLKeyboardMode
ICASOCKSProxyPortNumber(2) ScalingPercent ZLMouseMode
InitialProgram
SmartcardBypassSmartcardDomain BypassSmartcardPassword BypassSmartcardUsername PCSCCodePage
PCSCLibraryName SmartcardRequired(2) Username(3)
TCP/IPDefaultHttpBrowserAddress, DriverNameWin32(12), ICAPortNumber
Thinwire 3.0DesiredColor(5) InstallColormap PersistentCacheMinBitmap(2) PersistentCacheSize(2)
Tw2CachePower TW2StopwatchMinimum TW2StopwatchScale TWIFullScreenMode
WindowManagerMoveIgnored WindowManagerMoveTimeout WindowsCache
TransportBrowserRetry(2) BrowserTimeout(2) HttpBrowserAddress OutBufCountClient
OutBufCountClient2 OutBufCountHost OutBufCountHost2 OutBufLength
ICA Settings Reference
451
WFClientAllowAudioInput Hotkey1Shift PNPDeviceAllowed
AllowVirtualDriverEx Hotkey2Char Port1
AllowVirtualDriverExLegacy Hotkey2Shift Port2
AltProxyAutoConfigURL(2) Hotkey3Char POSDeviceAllowed
AltProxyBypassList(2) Hotkey3Shift PrinterFlowControl
AltProxyHost(2) Hotkey4Char ProxyAuthenticationBasic(2)
AltProxyPassword(2) Hotkey4Shift ProxyAuthenticationKerberos
AltProxyType(2) Hotkey5Char ProxyAuthenticationNTLM(2)
AlwaysSendPrintScreen Hotkey5Shift ProxyAuthenticationPrompt(2)
AppendUsername Hotkey6Char ProxyAutoConfigURL(2)
BrowserRetry(2) Hotkey6Shift ProxyBypassList
BrowserTimeout(2) Hotkey7Char ProxyFallback(2)
CbChainInterval Hotkey7Shift ProxyFavorIEConnectionSetting(2)
CDMAllowed Hotkey8Char ProxyHost(3)
CGPAddress Hotkey8Shift ProxyPassword(2)
ClientName Hotkey9Char ProxyPort
ClipboardAllowed Hotkey9Shift ProxyType
ColorMismatchPrompt_Have16_Want256 HotkeyJPN%dChar ProxyUseFQDN(2)
ColorMismatchPrompt_Have16M_Want256 HowManySkipRedrawPerPaletteChange ReadersStatusPollPeriod
ColorMismatchPrompt_Have64K_Want256 ICAHttpBrowserAddress RemoveICAFile
COMAllowed(2) ICAKeepAliveEnabled ResMngrRunningPollPeriod
ContentRedirectionScheme ICAKeepAliveInterval SecureChannelProtocol(2)
CPMAllowed ICAPrntScrnKey SessionReliabilityTTL
CRBrowserAcceptURLtype ICASOCKSProtocolVersion(2) SkipRedrawPerPaletteChange
CRBrowserCommand ICASOCKSProxyHost(2) SmartCardAllowed
CRBrowserPath ICASOCKSProxyPortNumber(2) SSLCertificateRevocationCheckPolicy(2)
CRBrowserPercentS KeyboardLayout SSLCiphers
CRBrowserRejectURLtype KeyboardSendLocale SSLNoCACerts(2)
CREnabled KeyboardType SSLProxyHost(2)
CRPlayerAcceptURLtype KeyboardTimer(2) SSOnCredentialType(3)
CRPlayerCommand LocalIME SSOnUserSetting
CRPlayerPath LogAppend SSPIEnabled
CRPlayerPercentS LogConnect SucConnTimeout
CRPlayerRejectURLtype LogErrors SwapButtons
CustomConnectionsIconOff LogFileGlobalPath TransparentKeyPassthrough
ICA Settings Reference
452
DeferredUpdateMode LogFileWin32 TransportReconnectDelay
DesiredColor(5) Lpt1 TransportReconnectEnabled
DisableSound Lpt2 TransportReconnectRetries
DisableUPDOptimizationFlag Lpt3 TransportSilentDisconnect
DynamicCDM LVBMode(2) TwainAllowed
EmulateMiddleMouseButton MinimizeOwnedWindows TWIIgnoreWorkArea
EmulateMiddleMouseButtonDelay MissedKeepaliveWarningMsg TWISeamlessFlag
EnableInputLanguageToggle MissedKeepaliveWarningTime TWIShrinkWorkArea
EnableSessionSharingHost(2) MouseWheelMapping UseAlternateAddress(3)
EnableSSOnThruICAFile PassThroughLogoff UsersShareIniFiles
FastIdlePollDelay PercentS VirtualCOMPortEmulation
ForceLVBMode PersistentCacheGlobalPath VSLAllowed(2)
FullScreenBehindLocalTaskbar PersistentCacheMinBitmap(2) Win32FavorRetainedPrinterSettings
FullScreenOnly PersistentCachePath WpadHost
Hotkey10Char PersistentCachePercent XmlAddressResolutionType
Hotkey10Shift PersistentCacheSize(2) ZLDiskCacheSize
Hotkey1Char PersistentCacheUsrRelPath ZLFntMemCacheSize
ICA Settings Reference
453
454
AcceptURLType
Specifies the acceptable URL types for the Content Redirection scheme.
Section Dynamic
Feature ContentRedirection
Attribute Name INI_CR_ACCEPT_URL_TYPE
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
"" None rejected - Default
http
https
INI LocationN/A
Registry LocationN/A
455
Address(2)
Address of the target server.
Gives application server host name. It is also used to check whether it is a dialup or lanconnection. For TCP/IP connections, this can be the DNS name of a XenApp server, the IPaddress of a XenApp server, or the name of a published application.
Section Server,dynamic
Feature Misc
Attribute Name INI_ADDRESS
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
"" DNS name or IP Address of a Citrix server - Default
INI LocationINI File Section Value
Module.ini TCP/IP
Module.ini TCP/IP - FTP
Module.ini TCP/IP - Novell Lan WorkPlace
Module.ini TCP/IP - Microsoft
Module.ini TCP/IP - VSL
All_Regions.ini Network\Protocols
canonicalization.ini TCP/IP Address
Registry LocationThis key must be specified for .ica files.
Registry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\TCP/IP
Address
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - FTP
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - Novell LanWorkPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - VSL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Protocols
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Protocols
Address(2)
456
457
AECD
End User Experience Monitoring APPLICATION_ENUM_CLIENT (AECD).
End User Experience Monitoring (EUEM) startup data. The time it takes to get the list ofapplications.
Section Server
Feature EUEM
Attribute Name INI_EUEM_AECD
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
-1 Initial reset value - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\End User Experience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
458
AllowAudioInput
Allows the audio input for client audio.
Gives a boolean value specifying whether audio input is allowed or not.
Note: UNIX specific implemenation.
Section WFClient
Feature Audio
Attribute Name INI_ALLOWAUDIOINPUT
Data Type Boolean
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
False Client audio input is not allowed - Default
True Client audio input is allowed
INI LocationN/A
Registry LocationN/A
459
AllowVirtualDriverEx
Allows third party virtual Driver Extention.
Used to check whether virtual driver extension is allowed and if yes, appends third partyvirtual channels.
To append a third-party virtual channel list to current virtual drivers, setAllowVirtualDriverEx to TRUE.
Section WFClient
Feature Core
Attribute Name INI_ALLOW_VIRTUALDRIVER_THIRDPARTY
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
TRUE Allows third-party virtual Driver Extention - Default
FALSE Does not allow third-party virtual driver extention
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Third Party *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Third Party
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Third Party
*
460
AllowVirtualDriverExLegacy
Allows legacy third-party virtual drivers.
Specifies whether (TRUE) or not (FALSE) to load legacy third-party virtual driver.
If this is set, the client parses the INI_ICA30 section for value INI_VIRTUALDRIVER, which is alist of Virtual Drivers separated by commas; ICA client attempts to load each Virtual Driverin this list. In order to successfully load, the .ini file must contain a section name thatmatches the Virtual Driver, and has correct Virtual Driver entries in the section.
Section WFClient
Feature Core
Attribute Name INI_ALLOW_VIRTUALDRIVER_THIRDPARTY_LEGACY
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
TRUE Allow third-party legacy virtual drivers - Default
FALSE Do not allow third-party legacy virtual drivers
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Third Party *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Third Party
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Third Party
*
461
AltProxyAutoConfigURL(2)
URLs for proxy auto detection script. Gives the URL (location) of proxy auto detection(.pac)script. Automatic Proxy Configuration is a proxy mode where the proxy configuration isdescribed in a file, called a PAC (.pac) file.
It must be set if the value of "AltProxyType" is Script; otherwise, it is ignored.
ADM UI Element : Citrix Components > Citrix Receiver > Network routing > Proxy > Configureclient failover proxy settings > Proxy script URLs
Section WFClient,Server
Feature Proxy
Attribute Name INI_ALTPROXYAUTOCONFIGURL
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" URL for proxy auto detection script - Default
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
3
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
462
AltProxyBypassList(2)
List of servers that do not traverse the failover proxy.
Specifies a list of hosts for which to bypass proxy connections. For any proxy type, you canprovide a list of servers that do not traverse the proxy. These should be placed in the"Bypass server list."
An asterisk (*) included in a host name acts as a wildcard (for example, *.widgets.com).Multiple hosts must be separated by a semicolon (;) or comma (,).
The bypass list can be up to 4096 characters. This parameter is ignored if the value ofProxyType is None or Auto.
ADM UI Element : Citrix Components > Citrix Receiver > Network routing > Proxy > Configureclient failover proxy settings > Bypass server list.
Section WFClient, Server
Feature Proxy
Attribute Name INI_ALTPROXYBYPASSLIST
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" List of hosts, seperated by semi-colon (;) or comma (,) - Default
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
AltProxyBypassList(2)
463
464
AltProxyHost(2)
Address of alternate (failover) proxy server.
Specifies the address of the proxy server. It is required if the value of ProxyType is any ofthe following: Socks, SocksV4, SocksV5, Tunnel(Secure); otherwise, ProxyHost is ignored.
To indicate a port number other than 1080 (default for SOCKS) or 8080 (default for Secure),append the appropriate port number to the value after a colon (:).
ADM UI Element : Citrix Components > Citrix Receiver > Network routing > Proxy > Configureclient failover proxy settings > Proxy host names
Section WFClient,Server
Feature Proxy
Attribute Name INI_ALTPROXYHOST
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" Proxy Server Address - Default
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
465
AltProxyPassword(2)
Failover proxy server password for user. Holds the clear text password to be used toautomatically authenticate the client to the failover proxy.
Section WFClient,Server
Feature Proxy
Attribute Name INI_ALTPROXYPASSWORD
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Prompt the user for the proxy password - Default
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
466
AltProxyType(2)
Failover proxy type requested for connection.
Specifies what type of failover proxy server a host session uses. When AltProxyType ="Secure", the client contacts the proxy identified by the "AltProxyHost" and "AltProxyPort"settings. The negotiation protocol uses an "HTTP CONNECT" header request specifying thedesired destination.
ADM UI Element : Citrix Components > Citrix Receiver > Network routing > Proxy > Configureclient failover proxy settings > Proxy types
Section Server, WFClient
Feature Proxy
Attribute Name INI_ALTPROXYTYPE
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
None Use Direct Connection - Default
Auto Auto Detect from Web browser
Tunnel(Secure)
Wpad
Socks
Socks v4
Socks v5
Script Interpret proxy auto-configuration script
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Trusted_Region.ini Network\Proxy Auto
Untrusted_Region.ini Network\Proxy Auto
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\Trusted Region\Lockdown\Network\Proxy
Auto
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\Untrusted Region\Lockdown\Network\Proxy
Auto
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
AltProxyType(2)
467
468
AlwaysSendPrintScreen
Turns on or off the " AlwaysSendPrintScreen" attrtibute in seamless application. By enablingthe key, user can use the " Print Screen" key on the keyboard while an ICA session is runningwith seamless application.
Section WFClient
Feature Seamless
Attribute Name INI_ALWAYSSENDPRNTSCRN
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Off Print Screen key cannot be used - Default
On Print Screen key can be used
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Keyboard
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\
469
AppendUsername
Specifies whether or not user can append user name to the window title bar. If theattribute is non zero, user can concatenate the user name with the regular text for thewindow title bar (very long window titles will be truncated).
Section WFClient
Feature CoreUI
Attribute Name INI_APPEND_USERNAME
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Do not append the username - Default
1 Add the username to the window title
INI LocationINI File Section Value
All_Regions.ini Client Engine\GUI
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\GUI
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\GUI
470
AudioBandwidthLimit
Specifies the audio bandwidth limit and, by extension, the audio quality for the connection.Higher audio quality requires more bandwidth. The bandwidth requirements for high qualityaudio might make this setting unsuitable for many deployments.
Corresponding UI Element:
For applicationsetname: SETTINGS dialog box > DEFALUT OPTION tab > SOUND QUALITYmenu
For applicationservername: PROPERTIES dialog box > OPTIONS tab > SOUND QUALITY menu
ADM UI Element: Citrix Components > Citrix Receiver > User experience > Client audiosettings.
Section Server
Feature Audio
Attribute Name INI_AUDIOBANDWIDTHLIMIT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
1 Medium: 64 kilobits per second (network Connection) - Default
2 Low: 4 Kbps (serial Connection)
0 High : 1.4 megabits per second (Mbps)
INI LocationINI File Section Value
All_Regions.ini Virtual Channels
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio
*
AudioBandwidthLimit
471
472
AudioDevice(2)
Specifies the output device when there is more than one audio device available. It shoulddefault to the name that is standard for each UNIX variant.
Section ClientAudio
Feature Audio
Attribute Name INI_AUDIODEVICE
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
/dev/dsp For Linux, LinuxArm, or UCLinux - Default
/dev/audio For Solaris, SolarisX86, or netbsd - Default
<none> For any other platform - Default
INI LocationN/A
Registry LocationN/A
473
AudioDuringDetach
Specifies audio behavior when the ICO is detached from the page. Controls the audiobehavior when a user navigates to a page with an ICA session, starts playing a wave file,and then navigates away.
If AudioDuringDetach is false and the ICO is detached from the page, the audio stops. If it istrue, the audio continues even after the detach.
Section Server
Feature Audio
Attribute Name INI_AUDIODURINGDETACH
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False The audio will stop when ICO is detached - Default
True Audio will continue even after ICO is detached
INI LocationN/A
Registry LocationN/A
474
AudioHWSection
Used to locate the driver module in the [AudioConverter] section.
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_AUDHW_SECTIONNAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
AudioConverterDefault
INI LocationINI File Section Value
Module.ini AudioConverter AudioHardware
Module.ini ClientAudio AudioConverter
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\AudioConverter
AudioHardware
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientAudio
AudioConverter
475
AudioInWakeOnInput
Enable/Disable audio input. Audio is on when audio is detected on input channel.
Linux only platform.
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_AUDIOIN_WAKE_ON_INPUT
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
1 Enable audio input - Default
0 Disable audio input
INI LocationN/A
Registry LocationN/A
476
AudioOutWakeOnOutput
Enable/Disable audio output. Audio is enabled when audio is detected on output channel.
Linux only platform.
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_AUDIOOUT_WAKE_ON_OUTPUT
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1 Enable audio input - Default
0 Disable audio input
INI LocationN/A
Registry LocationN/A
477
AUTHPassword
Specifies SSL authorization password.
Section Server
Feature SSL
Attribute Name INI_AUTHPASSWORD
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" If present, any valid string representing password for authentication -Default
INI LocationN/A
Registry LocationN/A
478
AUTHUserName
Specifies the SSL authorization username.
Section Server
Feature SSL
Attribute Name INI_AUTHUSERNAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" If present, the valid string representing username for authentication -Default
INI LocationN/A
Registry LocationN/A
479
AutoLogonAllowed
Specifies whether or not autologon is allowed for Secure ICA client; specifies whether (Off)or not (On) to require users to enter their user name, domain name, and password whenconnecting using encryption levels greater than Basic. By default, users are required toenter this information, even if it is present in appsrv.ini.
Section Server
Feature SSL
Attribute Name AUTOLOGON
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Does not allow autologon for secure ICA client - Default
TRUE Allows autologon for secure ICA client
INI LocationINI File Section Value
All_Regions.ini Login *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\Logon
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon
*
480
BrowserProtocol
Specifies the network protocol used for ICA browsing.
Value contains the borwser-s protocol to use of either HTTP on TCP or UDP.
Note: IPX, SPX, and NetBIOS are no longer supported.
Section Server
Feature EnumRes
Attribute Name INI_BROWSEPROTOCOL
Data Type String
Access Type Read/Write
UNIX Specific No
Present in ADM No
ValuesValue Description
UDP Default
HTTPonTCP
INI LocationINI File Section Value
All_Regions.ini Application Browsing
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing
481
BrowserRetry(2)
Specifies the number of times the ICA Client device will resubmit an ICA Master Browserrequest that has timed out.
Section Transport,WFClient
Feature EnumRes
Attribute Name INI_BROWSERRETRY
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
3 Default
INI LocationINI File Section Value
Module.ini TCP/IP 3
All_Regions.ini Application Browsing *
appsrv.ini WFClient 3
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
3
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing
*
482
BrowserTimeout(2)
Specifies the number of milliseconds the ICA Client will wait for a response after making arequest to the ICA Master Browser.
Section Transport,WFClient
Feature EnumRes
Attribute Name INI_BROWSERTIMEOUT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1000 Timeout (ms) - Default
INI LocationINI File Section Value
Module.ini TCP/IP 1000
All_Regions.ini Application Browsing *
appsrv.ini WFClient 1000
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
1000
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing
*
483
BUCC(2)
The number of backup URL retries before success. This is one of the Session Client startupdata while End User Experience Monitoring (EUEM) metrics are stored.
Note: This is the only start-up metric that is a count of attempts, rather than a duration.
Section Server, Dynamic
Feature EUEM
Attribute Name INI_EUEM_BUCC
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Number of backup URL retries before success - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\End User Experience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
484
BufferLength
Specifies the input buffer length in bytes for connections to MetaFrame XP, Feature Release1 or earlier servers.
Section ICA 3.0
Feature Core
Attribute Name INI_BUFFERLENGTH
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
2048 Buffer Length (Bytes) - Default
INI LocationINI File Section Value
Module.ini ICA 3.0 2048
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ICA 3.0
2048
485
BufferLength2
Specifies the input buffer length in bytes for connections to MetaFrame XP, Feature Release2 or later servers.
Section ICA 3.0
Feature Core
Attribute Name INI_BUFFERLENGTH2
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
5000 Buffer Length (Bytes) - Default
INI LocationINI File Section Value
Module.ini ICA 3.0 5000
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ICA 3.0
5000
486
BypassSmartcardDomain
Enable/Disable bypass switch for domain name. Specifies whether (FALSE) or not (TRUE) touse smartcard to get the domain name or get it from appsrv.ini file.
Section Smartcard
Feature Smartcard
Attribute Name INI_DOMAINBYPASS
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False Does not bypass smartcard to get domain information - Default
True Bypass smartcard for domain information
INI LocationN/A
Registry LocationN/A
487
BypassSmartcardPassword
Specifies whether (FALSE) or not (TRUE) to get password from smartcard.
Section Smartcard
Feature Smartcard
Attribute Name INI_DOMAINBYPASS
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False Does not bypass smartcard to get user information - Default
True Bypass smartcard for user information
INI LocationN/A
Registry LocationN/A
488
BypassSmartcardUsername
Specifies whether (FALSE) or not (TRUE) to use smartcard to get username or get it fromappsrv.ini file.
Section Server
Feature Smartcard
Attribute Name INI_USERNAMEBYPASS
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False Does not bypass smartcard to get user information - Default
True Bypass smartcard for user information
INI LocationN/A
Registry LocationN/A
489
CbChainInterval
Specifies the number of milliseconds before testing if clipboard viewer chain is broken. Setto a positive number or to 0 to disable testing.
Copying content from the user device and pasting it in a published application failed. Thisissue was caused by a third party application that prevented the client from receivingnotification when new content was copied to the local clipboard. This attribute introducessupport for a mechanism to check at periodic intervals the client`s ability to receiveclipboard change notifications. If the mechanism finds the client cannot receive thenotifications, the client attempts to register itself to receive future notifications. To enablethis functionality, add in appsrv.ini files as follows:
[WFClient]
CbChainInterval=<value>, where value is the interval, in milliseconds, at which checks areto be performed.
Section WFClient
Feature Clipboard
Attribute Name INI_VCLIPBOARD_VIEWER_CHAIN_TEST_INTERVAL
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Disable testing - Default
2000 Minimum (ms)
INI LocationN/A
Registry LocationN/A
490
CDMAllowed
Specifies whether Client Drive Mapping is allowed or not.
ADM UI Element : Citrix Components > Citrix Receiver > Remoting client devices > Clientdrive mapping > Enable client drive mapping
Section WFClient
Feature CDM
Attribute Name INI_CDMALLOWED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
True Allow Client Drive Mapping - Default
False Do not allow Client Drive Mapping
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Drives *
appsrv.ini WFClient On
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Drives
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Drives
*
491
CDMReadOnly
Specifies that the CDM virtual channel permits read-only access to client drives.
ADM UI Element : Citrix Components > Citrix Receiver > Remoting client devices > Clientdrive mapping > Read-only client drives
Section ClientDrive
Feature CDM
Attribute Name INI_CDMREADONLY
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
False CDM is not read-only - Default
True CDM is read-only
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Drives *
Module.ini ClientDrive False
canonicalization.ini ClientDrive CDMReadOnly
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\ClientDrive
CDMReadOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientDrive
False
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Drives
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Drives
*
CDMReadOnly
492
493
CFDCD
Configuration File Download Client Duration (CFDCD) is the time it takes to get theconfiguration file from the XML server.
This is one of the Session Client startup data while End User Experience Monitoring (EUEM)metrics are stored.
Section Server
Feature EUEM
Attribute Name INI_EUEM_CFDCD
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
-1 Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\End User Experience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
494
CGPAddress
Specifies the CGP address. It is in "hostname:port" form. Rather than specifying thehostname, you can type an asterisk (*) to use the Address parameter value as the host(session reliability server).
The port value is optional. If you do not specify a port value, the default 2598 is used. If aconnection on port 2598 fails, the client tries to establish a standard (non-sessionreliability) connection on port 1494.
Section WFClient
Feature CGP
Attribute Name INI_CGPADDRESS
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
"" If present, some valid CGP address - Default
0.0.0.0 Bad CGP Address, use it as a marker for testing
INI LocationN/A
Registry LocationN/A
495
ChannelName
Specifies a name for the static virtual channel to use for a specific DVC plug-in. By defaultthe static channel name is automatically generated using the module file name of the DVCplug-in. To ensure that a unique name is generated, upon collision one or two digits can beused at the end of the name to make it unique while keeping the name length at amaximum of seven characters.
Section ChannelName
Feature DVC
Attribute Name INI_DVC_PLUGIN_<DVC plugin name>
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Static virtual channel name
INI LocationINI File Section Value
Module.ini [DVC_Plugin_<DVC plugin name> ]
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\DVC_Plugin_<DVC pluginname>
*
496
ClearPassword
Specifies the clear password to automatically authenticate the client. It is a plain textpassword. It overrides the Password parameter, but it only overrides the Passwordparameter if the EncryptionLevel of Password is basic or the AutoLogonAllowed = On in theINI file.
Legacy Web Interface ticketing was implemented by passing a single-use authenticationcookie to the server in the Clear Text password field.
ADM UI Element : Citirix Components > Citrix Receiver > User authentication > WebInterface authentication ticket > Legacy ticket handling
Section Server
Feature Core
Attribute Name INI_CLEAR_PASSWORD
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" Clear Password - Default
INI LocationINI File Section Value
All_Regions.ini Logon\Saved Credentials
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Saved Credentials
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Saved Credentials
497
ClientAudio
Specifies whether (On) or not (Off) to enable client audio mapping.
Use this policy to control how sound effects and music produced by remote applications ordesktops are directed to the client computer. When this policy is enabled, the "Enableaudio" check box can be used to completely disable client audio mapping. This does notaffect the client to server audio data, which is controlled through the "Remoting clientdevices" policy. It is also possible to control the audio quality.
Three quality levels are supported: low, medium, and high. This setting affects both serverto client and client to server audio quality. Note that the bandwidth requirements for highquality audio could make this setting unsuitable for many deployments.
ADM UI Element : Citrix Components > Citrix Receiver > User experience > Client audiosettings > Enable audio
Section Server
Feature Audio
Attribute Name INI_CAM
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
Off Disables client audio mapping - Default
On Enables client audio mapping
INI LocationINI File Section Value
Module.ini VirtualDriver
All_Regions.ini Virtual Channels\Audio *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\VirtualDriver
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio
*
ClientAudio
498
499
ClientName
Specifies the client name used to get serial number.
Clients prior to Version 6.30 store the client name in the [WFClient] section of wfcname.ini.As of Version 6.30, clients retrieve the client name from the system registry. As of Version6.03 or later, any ClientName setting in wfcname.ini is used only for migrating the clientname to the registry during client install; for example, when upgrading from orauto-updating a pre-Version 6.30 client.
The ClientName setting in the .ica file overrides the default way of retrieving the clientname as described in Default Value.
Section WFClient
Feature Core
Attribute Name INI_CLIENTNAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Client name - Default
INI LocationINI File Section Value
All_Regions.ini Client Engine
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine
500
ClipboardAllowed
Enable or disable access to the client clipboard. Use this policy to enable and restrict theremote application or desktop`s access to the client clipboard contents.
ADM UI Element: Citrix Components > Citrix Receiver > Remoting client devices > Clipboard> Enable/Disable
Section WFClient
Feature Clipboard
Attribute Name INI_CLIPBOARDALLOWED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
True Enable access to clipboard - default
False Disable access to clipboard
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Clipboard *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Clipboard
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Clipboard
*
501
COCD
End User Experience Monitoring (EUEM) COCD - CREDENTIALS_OBTENTION_CLIENT
The time it takes to get the user credentials. COCD is measured only when credentials areentered manually by the user.
Section Server
Feature EUEM
Attribute Name INI_EUEM_COCD
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
-1 Initial reset value - default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\End User Experience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
502
ColorMismatchPrompt_Have16M_Want256
Specifies whether or not to display a warning if the client device’s color depth is high color(16-bit) and the connection configuration is for 256 colors.
Section WFClient
Feature Core
Attribute Name INI_HAVE16M_WANT256
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
On Enable device color depth warning display - default
Off Disable device color depth warning display
INI LocationINI File Section Value
appsrv.ini WFClient On
Registry LocationN/A
503
ColorMismatchPrompt_Have16_Want256
Specifies whether or not to display a warning if the client device’s color depth is 16 colorsand the connection configuration is for 256 colors.
Not implemented in Program Neighborhood Client.
Section WFClient
Feature Core
Attribute Name INI_HAVE16_WANT256
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
On Displays a warning message in case of color depth error - default
Off Does not display a warning message in case of color depth error
INI LocationINI File Section Value
appsrv.ini WFClient On
Registry LocationN/A
504
ColorMismatchPrompt_Have64k_Want256
Specifies whether or not to display a warning if the client device’s color depth is true color(32-bit) and the connection configuration is for 256 colors.
Not implemented in Program Neighborhood Client.
Section WFClient
Feature Core
Attribute Name INI_HAVE64K_WANT256
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
On Displays a warning message in case of low color depth error - default
Off Does not display a warning message in case of color depth error
INI LocationINI File Section Value
appsrv.ini WFClient On
Registry LocationN/A
505
COMAllowed(2)
Specifies whether or not COM port mapping is permitted.
Use this policy to enable and restrict the remote application or desktop`s access to theclient’s serial ports. This allows the server to use locally attached hardware.
Troubleshooting: Remote PDA synchronization uses "virtual COM ports." These are serialport connections that are routed through USB connections. For this reason, it is necessaryto enable serial port access to use PDA synchronization.
ADM UI Element: Citrix Components > Citrix Receiver > Remoting client devices > ClientHardware Access > Map Serial Ports
Section WFClient,ClientComm
Feature COMPortMapping
Attribute Name INI_COMALLOWED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
On COM Port mapping is permitted - default
Off COM Port mapping is disabled
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Serial Port *
appsrv.ini WFClient On
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Serial Port
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Serial Port
*
COMAllowed(2)
506
507
Command
Specify the command for Content Redirection.
This is the command that runs the executable used for server to client redirection. There isno default value for this attribute.
Section dynamic
Feature ContentRedirection
Attribute Name INI_CR_CMD
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
"" Content Redirection Command - default
INI LocationN/A
Registry LocationN/A
508
CommandAckThresh
Command ACKs sent - threshold; the number of outstanding ACKs queued before aCommand ACK is sent.
ACKs are sent in the following situations:
● The time since the last ACK was sent is at or above the delay threshold (time inmilliseconds), OR
● The number of outstanding ACKs to be sent is at or above the threshold (Number ofCommand ACKs).
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_CMDACK_THRESH
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1 Number of command ACKs sent threshold - default
INI LocationINI File Section Value
Module.ini ClientAudio 1
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientAudio
1
509
CommPollSize
Turns On or Off COM (communication) port polling for CCM (Citrix Client port Mapping).
Section ClientComm
Feature COMPortmapping
Attribute Name INI_CCMCOMMPOLLSIZE
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
On Enable Com port polling (for wince) - default
Off Disable com port polling (for any other
INI LocationINI File Section Value
Module.ini ClientComm On
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientComm
On
510
CommPollWaitInc
Amount of time to slow down rate of COM polling. This setting is used to slow down the ratefor polling of the COM port by the specified number of milliseconds.
Section ClientComm
Feature COMPortmapping
Attribute Name INI_CCMCOMMPOLLWAITINC
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1 default
INI LocationINI File Section Value
Module.ini ClientComm 1
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientComm
1
511
CommPollWaitIncTime
Specifies the number of times to poll the COM port at the current poll rate before slowingthe poll rate by "CommPollWaitInc" milliseconds.
Section ClientComm
Feature COMPortmapping
Attribute Name INI_CCMCOMMPOLLWAITINCTIME
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
20 default
INI LocationINI File Section Value
Module.ini ClientComm 20
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientComm
20
512
CommPollWaitMax
Specifies the maximum wait time (in milliseconds) for COM polling.
Section ClientComm
Feature COMPortmapping
Attribute Name INI_CCMCOMMPOLLWAITMAX
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
500 default
INI LocationINI File Section Value
Module.ini ClientComm 500
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientComm
500
513
CommPollWaitMin
Specifies the minimum wait time (in milliseconds) for COM polling.
Section ClientComm
Feature COMPortmapping
Attribute Name INI_CCMCOMMPOLLWAITMIN
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1 1 millisecond timeout
0 No delay - default
INI LocationINI File Section Value
Module.ini ClientComm
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientComm
514
CommWakeOnInput
This setting is used to wake the client upon COM port activity. Only used if pooling isallowed. These settings configure the client to be a bit more responsive to incoming serialport data and information.
Setting this parameter causes the Unix clients (Linux and Solaris) to wake-up immediatelywhen the system receives a byte on a serial port.
Section ClientComm
Feature COMPortmapping
Attribute Name INI_CCM_WAKE_ON_INPUT
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
TRUE Allows wake on input from a serial line - default
FALSE Does not allow wake on input form a serial line
INI LocationN/A
Registry LocationN/A
515
ConnectionFriendlyName
Specifies the connection friendly name string for the server. This is the user-defined servername.
Section Server
Feature Core
Attribute Name INI_CONNECTIONFRIENDLYNAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" Friendly name string for the server - default
INI LocationINI File Section Value
All_Regions.ini Client Engine\GUI
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\GUI
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\GUI
516
ContentRedirectionScheme
Specifies the list of new schemes. Each scheme is added as new scheme.
This is done as a part of setting up Content Redirection for a Unix client.
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_SCHEME
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
"" default
INI LocationN/A
Registry LocationN/A
517
ControlPollTime
This setting is used as a timer, in milliseconds, to poll client audio control values. If anycontrol value changes, the new value is sent to the server.
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_CONTROLPOLLTIME
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1000 1 sec (1000 msec) - default
INI LocationN/A
Registry LocationN/A
518
ConverterSection
Audio converter list. Used to get the [AudioConverterList] section
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_AUDCVT_LIST_SECTIONNAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
AudioConverterList default
INI LocationINI File Section Value
Module.ini AudioConverter AudioConverterList
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\AudioConverter
AudioConverterList
519
CPMAllowed
Specifies whether (On) or not (Off) parallel port mapping is allowed. Enable and restrict theremote application or desktop`s access to the client’s parallel ports. This allows the serverto use locally attached hardware.
ADM UI Element: Citrix Component > Citrix Receiver > Remoting client devices > Clienthardware access > Map parallel ports
Section WFClient
Feature ParallelPortMapping
Attribute Name INI_CPMALLOWED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
true Enable parallel port mapping - default
false Disable parallel port mapping
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Printing *
appsrv.ini WFClient On
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Printing
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Printing
*
520
CRBrowserAcceptURLtype
Specify the acceptable browser URL types. Provides acceptable browser URL types forspecific content redirection scheme.
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_BROWSER_ACCEPT_URL
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
http,https
default
Browser
INI LocationN/A
Registry LocationN/A
521
CRBrowserCommand
Name of the browser executable used to handle redirected browser URLs and it is appendedwith %s (for example, netscape %s).
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_BROWSER_CMD
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
$ICAROOT/util/nslaunch %s ${BROWSER:=netscape}%s mozilla %s default
INI LocationN/A
Registry LocationN/A
522
CRBrowserPath
Server to client content redirection browser path, that is, the directory where the browserexecutable is located.
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_BROWSER_PATH
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
"" Browser path - default
INI LocationN/A
Registry LocationN/A
523
CRBrowserPercentS
The number of occurrences of %s in the CRBrowserCommand setting
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_N_BROWSER_PERCENT_S
Data Type Integer
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
3 default
INI LocationN/A
Registry LocationN/A
524
CRBrowserRejectURLtype
Specifies the browser URL types that should be rejected for the specific content redirectionscheme.
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_BROWSER_REJECT_URL
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
"" Browser URL to reject - default
INI LocationN/A
Registry LocationN/A
525
CREnabled
Specifies whether server to client content redirection is enabled.
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_ENABLED
Data Type Boolean
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
TRUE Enable Content redirection - default
FALSE Disable content redirection
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Control *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Control
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Control
*
526
CRPlayerAcceptURLtype
Specifies which types of strings are acceptable for RealPlayer Schemes for contentredirection setting of the Unix client.
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_PLAYER_ACCEPT_URL
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
"rtsp,rtspu,pnm" default
INI LocationN/A
Registry LocationN/A
527
CRPlayerCommand
Specifies the name of the executable used to handle the redirected multimedia URLs,appended with %s during RealPlayer content redirection for the Unix client.
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_PLAYER_CMD
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
realplay %s default
INI LocationN/A
Registry LocationN/A
528
CRPlayerPath
Specifies the directory where the RealPlayer executable is located during contentredirection for the Unix client.
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_PLAYER_PATH
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
""
INI LocationN/A
Registry LocationN/A
529
CRPlayerPercentS
The number of occurrences of %s in the CRPlayerCommand setting
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_N_PLAYER_PERCENT_S
Data Type Integer
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
1 default
INI LocationN/A
Registry LocationN/A
530
CRPlayerRejectURLtype
Specifies which type of strings will be rejected for RealPlayer Schemes for contentredirection setting of the UNIX client.
The reason there is both an accept and reject is that the code that tests them matches justto the length of the definition. So if you accept HTTP, it also means that HTTPS will beaccepted. In case you wanted only HTTP, there is the option to explicitly reject HTTPS.
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_PLAYER_REJECT_URL
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
* The type of string to reject for content redirection - No default value.
INI LocationN/A
Registry LocationN/A
531
DataAckThresh
Data acknowledgment threshold value, which represents the maximum number of commandacknowledgments that can accumulate before sending an acknowledgment (purging thequeue).
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_DATAACK_THRESH
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1 Do not send any other command until you get the ack - default
INI LocationINI File Section Value
Module.ini ClientAudio 1
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientAudio
1
532
DataBits
Specifies the number of data bits used for serial connections.
Section Server
Feature SerialPort
Attribute Name INI_DATA
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
8 Number of data bits for serial connection - default
INI LocationN/A
Registry LocationN/A
533
DefaultHttpBrowserAddress
Default HTTP browser address for TCP.
Section TCP/IP
Feature EnumRes
Attribute Name INI_DEFHTTPBROWSERADDRESS
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Default HTTP browser address - default
INI LocationINI File Section Value
Module.ini TCP/IP
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
534
DeferredUpdateMode
Enables or disables deferred screen update mode.
Add this value and the ForceLVBMode value to the [WFClient] section of the Appsrv.ini filelocated in the user’s profile directory on the computer running Citrix XenApp to addressrepaint issues due to a poor refresh rate. This may occur with some applications whenrunning the application in seamless mode while utilizing the pass-through client on theserver.
Section WFClient
Feature Graphics
Attribute Name INI_DEFERRED_UPDATE_MODE
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False Disable deferred screen updates - default
True Enable deferred screen updates
INI LocationN/A
Registry LocationN/A
535
DesiredColor(5)
Specifies the preferred color depth for a session. In general, low color depths give betterperformance over low bandwidth; however some of the compression technologies availablecan only be used with full color, so the effective performance depends on the individualapplication and usage pattern. The server may choose not to honor the color depth settingchosen because higher color depths result in heavy memory usage on the servers.
256 or greater colors are supported only for Windows clients.
The value of 8 is treated as "true color" which is 32-bit, unless the administrator explicitlyprohibits a server from supporting a 32-bit session. In that case, the session is downgradedto 24-bit.
ADM UI Element: Citrix Components > Citrix Receiver > User experience > Client graphicssettings > Color depth
Interface Element:
● For applicationsetname: Settings dialog box > Default Options tab > Window Properties> Window Colors menu
● For applicationservername: Properties dialog box > Options tab > Window Properties >Window Colors menu
Section dynamic,WFClient,Thinwire3.0,Thinwire3.0,Server
Feature Graphics
Attribute Name INI_DESIREDCOLOR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
1 16 colors - default
2 256 colors
4 high color
8 true color
INI LocationINI File Section Value
Module.ini Thinwire3.0 8
All_Regions.ini Virtual Channels\Thinwire Graphics *
canonicalization.ini Thinwire3.0 DesiredColor
wfclient.ini Thinwire3.0 0x0002
appsrv.ini WFClient 2
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\Thinwire3.0
DesiredColor
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Thinwire3.0
8
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
DesiredColor(5)
536
537
DeviceName
Specifies the device name for serial connections (COM1, COM2, etc). If this value is notNULL, it is assumed that a serial port connection is being used. If this value is NULL (emptystring), the network transport driver is used.
Section Server
Feature SerialPort
Attribute Name INI_DEVICE
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
COM1 Name of COM port
INI LocationN/A
Registry LocationN/A
538
DisableCtrlAltDel
Enables (Off) or disables (On) the Ctrl+Alt+Del key combination within the ICA session toprevent users from shutting down the Citrix server.
ADM UI element: Citrix Components -> Presentation Server Client -> User Authentication ->Smartcard Authentication-> Passthrough Authentication for PIN
Section Server
Feature Keyboard
Attribute Name INI_CTRLALTDEL
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM Yes
ValuesValue Description
On Disables the Ctrl+Alt+Del key combination - default
Off Enables the Ctrl+Alt+Del key combination
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Smartcard *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Smartcard
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Smartcard
*
539
DisableDrives
Gives the list of the client drives that should not be mapped to the server.
Access to Windows drives can be disabled by entering the relevant drive letter in the "Donot map drives" box. This is a concatenation of all drives that should not be mapped whenconnecting to a published application or desktop, for example "ABFK" disables the drives A,B, F and K. (DisableDrives = "A,B,F,K")
ADM UI Element : Citrix Components > Citrix Receiver > Remoting client devices > Clientdrive mapping > Do not map drives
Section ClientDrive
Feature CDM
Attribute Name INI_DISABLEDRIVES
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" Client drives to map - default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Drives
Module.ini ClientDrive
canonicalization.ini ClientDrive DisableDrives
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\ClientDrive
DisableDrives
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientDrive
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\VirtualChannels\Drives
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\VirtualChannels\Drives
DisableDrives
540
541
DisableMMMaximizeSupport
Enable/disable desktop maximize capability. This setting is used by monitor layout todisable maximize capability. MonitorLayout is the data that is sent to the server to describethe layout of the client`s desktop in a multi-monitor environment.
Section Server
Feature MultiMonitor
Attribute Name INI_DISABLE_MAXIMIZE
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False Enables maximize capability - default
True Disables maximize capability
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\SeamlessWindows
*
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Seamless Windows
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Seamless Windows
*
542
DisableSound
Disables Windows alert sounds (the Windows "Asterisk" event). If client audio mapping isdisabled with the ClientAudio parameter, this setting has no effect.
Section WFClient
Feature Audio
Attribute Name INI_SOUND
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Off Enable windows alert sounds - default
On Disable windows alert sounds
INI LocationINI File Section Value
appsrv.ini WFClient Off
Registry LocationN/A
543
DisableUPDOptimizationFlag
Disables the universal printer driver (UPD) bitmap compression (only) or both thecompression and optimization.
When printing to certain printers using the UPD, letters might be printed faded and barelylegible. The issue occurs because certain print drivers do not work well with XenApp UPDoptimization, which compresses the bitmap to use fewer bits whenever possible.
To disable this optimization, modify the user’s appsrv.ini file using a text editor and insertthis parameter in the [WFClient] section.
Section WFClient
Feature Printing
Attribute Name INI_UPD_OPTIMIZATION_DISABLE_FLAG
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Do not disable UPD compression and optimization - default
1 Disables bitmap compression, which attempts to use fewer bits to encodethe bitmap
2 Disables optimization that skips spaces; it also disables bitmap compression
INI LocationN/A
Registry LocationN/A
544
Domain
XenApp domain name.
This is the domain name that appears in the Domain text box if the user selects theuser-specified credentials option for the associated custom ICA connection.
"Domain" can be used to restrict or override which users can be automatically authenticatedto servers. These can be specified as comma-separated lists.
Corresponding UI Element Properties dialog box > Logon Information tab > Userspecifiedcredentials option > Domain text box
ADM UI Element: Citrix Components > Citrix Receiver > User Authentication > Locally StoredCredentials > Domain
Section Server
Feature Core
Attribute Name INI_DOMAIN
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" Domain name - default
INI LocationINI File Section Value
All_Regions.ini Logon\Saved Credentials
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Saved Credentials
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Saved Credentials
Domain
545
546
DriverNameAlt
Specifies the name of the Unix/Mac alternate virtual driver.
Section dynamic
Feature Core
Attribute Name INI_DRIVERNAMEALT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
DriverName default
INI LocationN/A
Registry LocationN/A
547
DriverNameAltWin32
Specifies the name of the Win32 alternate virtual driver.
Section dynamic
Feature Core
Attribute Name INI_DRIVERNAMEALT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
DriverNameWin32 default
INI LocationN/A
Registry LocationN/A
548
DriverNameWin32(12)
Specifies the name of the Win32 driver file to load for the specified driver. The driver couldbe one of the following. depending on the section name from where this attribute is beingread.
● ClientAudio HW driver
● Transport driver
● TCP/IP transport driver
● ICA 3.0 Winstation driver
● ClientAudio driver
● Compress driver
● EncRC5-0 driver
● EncRC5-128 driver
● EncRC5-40 driver
● EncRC5-56 driver
● EncryptionLevelSession driver
Section Compress,dynamic,EncRC5-56,EncRC5-40,EncRC5-128,EncRC5-0,dynamic,ICA3.0,TCP/IP,dynamic,dynamic,dynamic
Feature Core
Attribute Name INI_DRIVERNAMEWIN32
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
"" For ClientAudio HW, Transport, TCP/IP, ICA 3.0, ClientAudio,EncryptionLevelSession drivers - default
pdcompn.dll For Compress driver - default
pdc0n.dll For EncRC5-0 driver - default
pdc128n.dll For EncRC5-128 driver - default
pdc40n.dll For EncRC5-40 driver - default
pdc56n.dll For EncRC5-56 driver - default
INI LocationINI File Section Value
Module.ini TCP/IP TDWSTCPN.DLL
Module.ini ICA 3.0 WDICA30N.DLL
Module.ini RFrame PDRFRAMN.DLL
Module.ini Frame PDFRAMEN.DLL
Module.ini Reliable PDRELIN.DLL
Module.ini EncRC5-0 PDC0N.DLL
Module.ini Encrypt PDCRYPTN.DLL
Module.ini EncRC5-40 PDC40N.DLL
Module.ini EncRC5-56 PDC56N.DLL
Module.ini EncRC5-128 PDC128N.DLL
Module.ini Thinwire3.0 VDTW30N.DLL
Module.ini ClientDrive VDCDM30N.DLL
Module.ini ClientPrinterQueue VDSPL30N.DLL
Module.ini ClientPrinterPort VDCPM30N.DLL
Module.ini ClientComm VDCOM30N.DLL
Module.ini Clipboard VDCLIPN.DLL
Module.ini TWI VDTWIN.DLL
Module.ini ZL_FONT VDFON30N.DLL
Module.ini ZLC VDZLCN.DLL
Module.ini ICACTL VDCTLN.DLL
Module.ini LicenseHandler VDLICN.DLL
Module.ini ClientAudio VDCAMN.DLL
Module.ini AudioConverter AUDCVTN.DLL
DriverNameWin32(12)
549
Module.ini AudioHardware AUDHALN.DLL
Module.ini ConverterADPCM ADPCM.DLL
Module.ini SmartCard VDSCARDN.DLL
Module.ini Multimedia VDMMN.DLL
Module.ini SpeechMike VDSPMIKE.DLL
Module.ini TwainRdr VDTWN.DLL
Module.ini SSPI VDSSPIN.DLL
Module.ini UserExperience VDEUEMN.DLL
Module.ini Compress PDCOMPN.DLL
DriverNameWin32(12)
550
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\AudioConverter
AUDCVTN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\AudioHardware
AUDHALN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientAudio
VDCAMN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientComm
VDCOM30N.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientDrive
VDCDM30N.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterPort
VDCPM30N.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterQueue
VDSPL30N.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Clipboard
VDCLIPN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Compress
PDCOMPN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ConverterADPCM
ADPCM.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\EncRC5-0
PDC0N.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\EncRC5-128
PDC128N.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\EncRC5-40
PDC40N.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\EncRC5-56
PDC56N.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Encrypt
PDCRYPTN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Frame
PDFRAMEN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ICA 3.0
WDICA30N.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ICACTL
VDCTLN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\LicenseHandler
VDLICN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Multimedia
VDMMN.DLL
DriverNameWin32(12)
551
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Reliable
PDRELIN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\RFrame
PDRFRAMN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\SmartCard
VDSCARDN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\SpeechMike
VDSPMIKE.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\SSPI
VDSSPIN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
TDWSTCPN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Thinwire3.0
VDTW30N.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TwainRdr
VDTWN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TWI
VDTWIN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\UserExperience
VDEUEMN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ZLC
VDZLCN.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ZL_FONT
VDFON30N.DLL
DriverNameWin32(12)
552
553
DTR
Set the Default state of the COM port DTR.
Section Default Serial Connection
Feature COMPortMapping
Attribute Name INI_DTR
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
On Set DTR ON by default - default
Off Set DTR OFF by default
INI LocationINI File Section Value
Module.ini Hardware Receive Flow Control
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Hardware Receive FlowControl
554
DynamicCDM
Specifies whether Dynamic Client Drive Mapping is allowed or not. This setting enables ordisables PnP support for USB thumb drives.
Section WFClient
Feature USB Thumb Drive Support
Attribute Name INI_DYNAMIC_CDM
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
true Dynamic Client Drive Mapping is allowed - default
false Dynamic Client Drive Mapping is not allowed
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Drives *
Appsrv.ini WFClient On
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Drives
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Drives
*
555
EmulateMiddleMouseButton
Emulate middle mouse button on a system with a two-button mouse. This setting is usedwith EmulateMiddleMouseButtonDelay.
Section WFClient
Feature Mouse
Attribute Name INI_EMULATE_MIDDLE_MOUSE_BUTTON
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
TRUE Emulate middle mouse button - default
FALSE Do not emulate middle mouse button (default for Win16)
INI LocationN/A
Registry LocationN/A
556
EmulateMiddleMouseButtonDelay
Specifies timer used in middle mouse button emulation. When middle-mouse buttonemulation is enabled (EmulateMiddleMouseButton set to True), holding left and right mousebuttons down together for the specified timeout emulates the pressing of the middlebutton.
Section WFClient
Feature Mouse
Attribute Name INI_EMULATE_MIDDLE_MOUSE_BUTTON_DELAY
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
100 Time in milliseconds.
INI LocationINI File Section Value
n/a
Registry LocationRegistry Key Value
n/a
557
EnableAsyncWrites
Section ClientDrive
Feature CDM
Attribute Name INI_ENABLE_ASYNCWRITES
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
On Enable async disk write.
Off Disable disk write.
INI LocationINI File Section Value
n/a
Registry LocationRegistry Key Value
n/a
558
EnableAudioInput
Enable access to audio capture devices. Use this policy to enable and restrict the remoteapplication or desktop access to local audio capture devices (microphones).
ADM Interface Element: Remoting Client Devices->Client Microphone->Enable ClientMicrophone
Section Server
Feature Audio
Attribute Name INI_AUDIOINPUTENABLE
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
True Allow use of audio capture devices (microphone).
False Disallow use of audio capture devices (microphone).
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Audio *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio
*
559
EnableClientSelectiveTrust
Enables Trusted Server Configuration.
Use this policy to control how the client identifies the published application or desktop towhich it is connecting. The client determines a trust level, known as a trust region with aconnection. The trust region then determines how the client is configured for theconnection.
When this policy is enabled, the client can perform region identification by using theEnforce trusted server configuration option.
By default, region identification is based on the address of the server the client isconnecting to. To be a member of the trusted region, the server must be a member of theWindows Trusted Sites zone. You can configure this using the Windows Internet Explorer >Internet Options > Trusted sites setting.
Alternatively, for compatibility with non-Windows clients, the server address can bespecifically trusted using the Address setting. This is a comma-separated list of servers,which also supports the use of wildcards; for example, cps*.citrix.com.
ADM UI Element : Citrix Components > Citrix Receiver > Network Routing > ConfigureTrusted Server Configuration > Enforce Trusted Server Configuration
Section Server
Feature CST
Attribute Name INI_CLIENTSELECTIVETRUST_ENABLED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
0 Default
1
INI LocationINI File Section Value
All_Regions.ini Network\ClientSelectiveTrust *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\ClientSelective
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\ClientSelectiveTrust
*
TroubleshootingIn the default configuration, when trusted server configuration prevents the client fromconnecting, the following error message is displayed:
<Server> ERROR: Cannot connect to the Citrix XenApp Server. Theserver (xxx) is not trusted for ICA connections. Connections to the(Untrusted Region) Region are not allowed by lockdown settings.Please contact your administrator.
The server identified in the "xxx" must be added to the Windows Trusted Sites zone (aseither http:// or https:// for SSL connections) for the connection to succeed.
For the SSL connections, add the certificate common name to the Windows Trusted Siteszone. For non-SSL connections, all servers that are contacted must be individually trusted.When using application browsing, include both the XML Service and the server it redirectsto in the Windows Trusted Sites zone.
EnableClientSelectiveTrust
560
561
EnableInputLanguageToggle
Allows users to define and use hotkeys, such as the grave accent or the Ctrl + Shift keycombination to switch between allowed input languages.
For Win32 only.
Section WFClient
Feature Keyboard
Attribute Name INI_INPUTLANGUAGETOGGLE
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Disabled - Default
TRUE Enabled
INI LocationN/A
Registry LocationN/A
562
EnableOSS
Specifies whether or not to enable Off Screen Surface (OSS). Enables the server tocommand the creation and use of X pixmaps for off-screen drawing.
Reduces bandwidth in 15 and 24-bit color at the expense of X server memory and processortime.
Section Server
Feature Graphics
Attribute Name INI_ENABLE_OSS
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
TRUE Enable OSS - Default
FALSE Disable OSS
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Thinwire Graphics *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
563
EnableReadAhead
Enables read-ahead for processing the request.
Memory-constrained clients may allocate less memory for this purpose. This attributesindicates that whether drive mapping acceleration is supported or not.
Section ClientDrive
Feature CDM
Attribute Name INI_ENABLE_READAHEAD
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
TRUE Enable read-ahead - Default
FALSE Disable read-ahead
INI LocationN/A
Registry LocationN/A
564
EnableRtpAudio
Enables or disables the real-time transport of audio over UDP.
ADM UI Element: Citrix Components > Citrix Receiver > User experience > Client audiosettings
Section Server
Feature Audio
Attribute Name INI_RTPAUDIOENABLE
Definition Location inc\icaini.h
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
TRUE Enables Rtp Audio Default
FALSE Disables Rtp Audio
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Audio *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio
*
HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio
*
565
EnableSessionSharing
Use this policy to configure the client handling of remote applications. When enabled, thispolicy uses the list in the "Application" box to determine which published applications canbe directly launched by the client.
You can request that remote applications share sessions (run in a single ICA connection).This provides a better user experience, but is sometimes not desirable. The session sharingfeature can be disabled by clearing the "Session sharing" check box.
ADM UI Element : Citrix Components > Citrix Receiver > User experience > Remoteapplications
Section Server
Feature SessionSharing
Attribute Name INI_ENABLE_SESSIONSHARING
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
On Enable session sharing - Default
Off Disable session sharing
INI LocationINI File Section Value
All_Regions.ini Client Engine\Session Sharing *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
*
TroubleshootingPublished applications are denoted by a # in front of the application name. Omitting the #symbol attempts to launch a particular program or desktop. A computer running XenAppwill not allow this by default, and rejects the connection, displaying: "You do not haveaccess to this session."
Session sharing is controlled by the SessionSharingKey that prevents applications launchedfrom different Web Interface servers from sharing sessions. In addition, applications withdifferent graphics or security settings are prevented from sharing sessions.
EnableSessionSharing
566
567
EnableSessionSharingClient
Enables or disables seamless applications to operate using the same session on the sameterminal server.
Section Server
Feature SessionSharing
Attribute Name INI_SESSION_SHARING_CLIENT
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Disable session sharing - Default
TRUE Enable session sharing
INI LocationINI File Section Value
All_Regions.ini Client Engine\Session Sharing *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
*
568
EnableSessionSharingHost(2)
Specifies whether or not to accept the session sharing requests from other ICA sessions onthe same X display.
Section WFClient, Server
Feature SessionSharing
Attribute Name INI_SESSION_SHARING_HOST
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Does not accept session sharing requests from other ICA session - Default
TRUE Accepts session sharing requests from other ICA session
INI LocationINI File Section Value
All_Regions.ini Client Engine\Session Sharing
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
569
EnableSSOThruICAFile
Specifies whether or not to use the same user name and password the user used to log on tothe client device for authentication through .ica files. For security reasons, users cannot beauthenticated to the server unless this parameter is present and its value set to On, even ifUseLocalUserAndPassword and SSOnUserSetting are specified in the .ica file.
The EnableSSOnThruICAFile entry should be present in the APPSRV.INI file to respect theother SSON entries in the ICA File.
Used in three User Authentication policies in ADM file.
Smart card authentication: Use this policy to control how the client uses smart cardsattached to the client device.
When enabled, this policy allows the remote server to access smart cards attached to theclient device for authentication and other purposes. When disabled, the server cannotaccess smart cards attached to the client device.
ADM UI Element : Citrix Components > Citrix Receiver > User authentication > Smart cardauthentication > Use pass-through authentication for PIN
Kerberos authentication: Use this policy to control how the client uses Kerberos toauthenticate the user to the remote application or desktop. When enabled, this policyallows the client to authenticate the user using the Kerberos protocol. Kerberos is a DomainController authorised authentication transaction that avoids the need to transmit the realuser credential data to the server. When disabled, the client will not attempt Kerberosauthentication.
ADM UI Element : Citrix Components > Citrix Receiver > User authentication > Kerberosauthentication
Local user name and password: Use this policy to instruct the client to use the same logoncredentials (pass-through authentication) for the XenApp server as the client machine.When this policy is enabled, the client can be prevented from using the current user's logoncredentials to authenticate to the remote server by clearing the "Enable pass-throughauthentication" check box.
ADM UI Element : Citrix Components > Citrix Receiver > User authentication > Local username and password
Section WFClient
Feature SSON
Attribute Name INI_ENABLE_SSON_THRU_ICA_FILE
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
FALSE Do not use same user name and password - Default
TRUE Use same user name and password
Off Do not use same user name and password
On Use same user name and password
0 Do not use same user name and password
1 Use same user name and password
no Do not use same user name and password
yes Use same user name and password
INI LocationINI File Section Value
All_Regions.ini Logon\Local Credentials *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Local Credentials
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Local Credentials
*
EnableSSOThruICAFile
570
571
EncryptionLevelSession
Specifies the encryption level of the ICA connection.
Section Server
Feature SecureICA
Attribute Name INI_ENCRYPTIONLEVELSESSION
Data Type String
Access Type Read and write
UNIX Specific No
Present in ADM No
ValuesValue Description
Basic Encryption level - Default
RC5 (128 bit -Logon Only)
Encryption level
RC5 (40-bit) Encryption level
RC5 (56-bit) Encryption level
RC5 (128 bit) Encryption level
INI LocationINI File Section Value
All_Regions.ini Network\Encryption
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Encryption
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Encryption
572
endIFDCD
End User Experience Monitoring EUEM ENDIFDCD ICA File download.
ENDIFDCD the time at which the ICA file download was finished.
Section Server
Feature EUEM
Attribute Name INI_EUEM_ENDIFDCD
Data Type Integer
Access Type Read and write
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Initial time value - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\End User Experience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
573
FONTSMOOTHINGTYPE
Specifies the font smoothing type for the session. The value is only set at connection timewhether it's a new connection or for a reconnect.
The Web plug-in and Receiver only set the value to client default or none.
Section Server
Feature FontSmoothing
Attribute Name INI_FONTSMOOTHINGTYPE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Client default uses the user profile setting for font smoothing - Default
1 None
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Thinwire Graphics *
appsvr.ini application/server value
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
574
ForceLVBMode
Address repaint issues due to a poor refresh rate.
Add this value and the DeferredUpdateMode value to the [WFClient] section of theAppsrv.ini file located in the user’s profile directory on the computer running XenApp toaddress repaint issues due to a poor refresh rate. This may happen with some applicationswhen running an application in seamless mode while utilizing the pass-through client on theserver.
Section WFClient
Feature Graphics
Attribute Name INI_FORCELVB_MODE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Do not force LVBMode - Default
1 Force LVBMode
INI LocationN/A
Registry LocationN/A
575
FriendlyName
Specifies user native language type (friendly name) for communication.
Section Server
Feature Core
Attribute Name INI_FRIENDLYNAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" User's language setting - Default
INI LocationN/A
Registry LocationN/A
576
FullScreenBehindLocalTaskbar
Allows you to enable true full screen mode for a WBT session. Used on WINCE platform.
Section WFClient
Feature Core
Attribute Name INI_FULL_SCREEN_BEHIND_LOCAL_TASKBAR
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE ICA session is sized according to the size of the local taskbar - Default
TRUE Full screen mode is enabled and the ICA session is behind the local taskbar
INI LocationN/A
Registry LocationN/A
577
FullScreenOnly
Specifies the default value for TransparentKeyPassthrough attribute.
When no TransparentKeyPassthrough setting in the ICA file is passed to the ICA Engine, thekeyboard transparent feature behaves as if FullScreenOnly is set.
Section WFClient
Feature Keyboard
Attribute Name INI_TPKEYPASSTHRU_FULLSCRNONLY
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
3 Full Screen (default). Key combinations apply to non-seamless ICA sessionsin full-screen mode.
2 Remote. Key combinations apply to seamless and non-seamless ICA sessionswhen their windows have the keyboard focus.
1 Local. Key combinations apply to the local desktop.
INI LocationINI File Section Value
Module.ini TransparentKeyPassthrough 3
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TransparentKeyPassthrough
3
578
HotKey10Char
Specifies the keys to use for mapping hotkey sequence.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey10 - Toggle Latency Reduction.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY10_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
F10 Mac and UNIX platforms default
F5 Win32 platform default
1 WinCE platform default
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient F5
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
579
HotKey10Shift
Specifies the keys to use for mapping hotkey sequence.
Along with Hotkey10Char, specifies the key combinations to use for the various hotkeysequences.
Hotkey10 is used for Toggle Latency Reduction action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY10_SHIFT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Alt+Ctrl Mac and UNIX platforms default
Ctrl Win32 platform default
Alt WinCE platform default
Shift
none
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient Ctrl
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey10Shift
580
581
HotKey1Char
Specifies the keys to use for mapping hotkey sequence.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey1 is used for "Task List" action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY1_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
F1 Mac, UNIX, and Win32 platforms default
6 WinCE platform default
(none)
F2
F3
F4
F5
F6
F7
F8
F9
F10
F11
F12
ESC
minus
plus
star
tab
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient F1
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey1Char
582
583
HotKey1Shift
Specifies the keys to use for mapping hotkey sequence.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey1 is used for "Task List" action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY1_SHIFT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Alt+Ctrl Mac and UNIX platforms default
Shift Win32 platform default
Ctrl WinCE platform default
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient Shift
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
584
HotKey2Char
Specifies the keys to use for mapping hotkey sequence.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey2 is used for Close Remote Application action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY2_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
F2 Mac and UNIX platforms default
F3 Win32 platform default
2 WinCE platform default
(none)
F1
F4
F5
F6
F7
F8
F9
F10
F11
F12
ESC
minus
plus
star
tab
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient F3
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey2Char
585
586
HotKey2Shift
Along with Hotkey2Char, specifies the key combinations to use for the various hotkeysequences.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey2 is "Close Remote Application" action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY2_SHIFT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Alt+Ctrl Mac and UNIX platforms default
Shift Win32 platform default
Ctrl WinCE platform default
(none)
Alt
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient Shift
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey2Shift
587
588
HotKey3Char
Specifies the keys to use for mapping hotkey sequence.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey10 - Toggle Title Bar.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY3_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
F3 Mac and UNIX platforms default
F2 Win32 platform default
3 WinCE platform default
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient F2
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
589
HotKey3Shift
Along with Hotkey3Char, specifies the key combinations to use for the various hotkeysequences.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey3 is "Toggle Title Bar" action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY3_SHIFT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Alt+Ctrl Mac and UNIX platforms default
Shift Win32 platform default
Ctrl WinCE platform default
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient Shift
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
590
HotKey4Char
Specifies the keys to use for mapping hotkey sequence.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey4 is "CTRL-ALT-DEL" action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY4_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
F4 Mac and UNIX platforms default
F1 Win32 platform default
4 WinCE platform default
(none)
F2
F3
F5
F6
F7
F8
F9
F10
F11
F12
ESC
minus
plus
star
tab
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient F1
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey4Char
591
592
HotKey4Shift
Along with Hotkey4Char, specifies the key combinations to use for the various hotkeysequences.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey4 is used for "CTRL-ALT-DEL" action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY4_SHIFT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Alt+Ctrl Mac and UNIX platforms default
Ctrl Win32 and WinCE platforms default
Shift
(none)
Alt
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient Ctrl
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey4Shift
593
594
HotKey5Char
Specifies the keys to use for mapping hotkey sequence.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey5 - CTRL-ESC.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY5_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
F5 Mac and UNIX platforms default
F2 Win32 platform default
5 WinCE platform default
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient F2
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
595
HotKey5Shift
Along with Hotkey5Char, specifies the key combinations to use for the various hotkeysequences.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey5 is used for "CTRL-ESC" action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY5_SHIFT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Alt+Ctrl Mac and UNIX platforms default
Ctrl Win32 and WinCE platforms default
Shift
(none)
Alt
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient Ctrl
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey5Shift
596
597
HotKey6Char
Specifies the keys to use for mapping hotkey sequence.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey6 is used for "ALT-ESC" action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY6_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
F6 Mac and UNIX platforms default
F2 Win32 platform default
7 WinCE platform default
(none)
F1
F3
F4
F5
F7
F8
F9
F10
F11
F12
ESC
minus
plus
star
tab
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient F2
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey6Char
598
599
HotKey6Shift
Along with Hotkey6Char, specifies the key combinations to use for the various hotkeysequences.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey6 - ALT-ESC
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY6_SHIFT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Alt+Ctrl Mac and UNIX platforms default
Alt Win32 platform default
Ctrl WinCE platform default
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient Alt
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
600
HotKey7Char
Specifies the keys to use for mapping hotkey sequence.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey7 is used for "ALT-TAB" action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY7_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
F7 Mac and UNIX platforms default
plus Win32 platform default
8 WinCE platform default
(none)
F1
F2
F3
F4
F5
F6
F8
F9
F10
F11
F12
ESC
minus
star
tab
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient plus
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey7Char
601
602
HotKey7Shift
Along with Hotkey7Char, specifies the key combinations to use for the various hotkeysequences.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey7 is used for "ALT-TAB" action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY7_SHIFT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Alt+Ctrl Mac and UNIX platforms default
Alt Win32 platform default
Ctrl WinCE platform default
(none)
Shift
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient Alt
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey7Shift
603
604
HotKey8Char
Specifies the keys to use for mapping hotkey sequence.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey8 is used for ALT-BACKTAB action.
Corresponding UI element ICA Settings dialog box > Hotkeys tab > right menu column
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY8_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
F8 Mac and UNIX platforms default
minus Win32 platform default
9 WinCE platform default
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient minus
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey8Char
605
606
HotKey8Shift
Along with Hotkey8Char, specifies the key combinations to use for the various hotkeysequences.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey8 is used for ALT-BACKTAB action.
Corresponding UI element ICA Settings dialog box > Hotkeys tab > right menu column
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY8_SHIFT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Alt+Ctrl Mac and UNIX platforms default
Alt Win32 platform default
Ctrl WinCE platform default
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient Alt
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey8Shift
607
608
HotKey9Char
Specifies the keys to use for mapping hotkey sequence.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey9 is used for CTRL-SHIFT-ESC action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY9_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
F9 Mac and UNIX platforms default
F3 Win32 platform default
1 WinCE platform default
(none)
F1
F2
F4
F5
F6
F7
F8
F10
F11
F12
ESC
minus
plus
star
tab
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient F3
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey9Char
609
610
HotKey9Shift
Along with Hotkey9Char, specifies the key combinations to use for the various hotkeysequences.
Each action is defined by a combination of a character and a shift state. To disable aparticular hotkey, set both its character and shift state parameters to (none).
Hotkey9 is used for CTRL-SHIFT-ESC action.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEY9_SHIFT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Alt+Ctrl Mac and UNIX platforms default
Ctrl Win32 and WinCE platforms default
(none)
Shift
Alt
INI LocationINI File Section Value
All_Regions.ini Client Engine\Hot Keys
appsrv.ini WFClient Ctrl
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Hot Keys
HotKey9Shift
611
612
HotKeyJPN%dChar
Specifies the hotkeyJPN I key.
Used to form a strings like HotkeyJPN1Char, HotkeyJPN2Char, HotkeyJPN3Char.
Section WFClient
Feature Keyboard
Attribute Name INI_HOTKEYJPN_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesN/A
INI LocationN/A
Registry LocationN/A
613
HowManySkipRedrawPerPaletteChange
Specifies the number of consecutive redraw requests to skip before redrawing the screen.See SkipRedrawPerPaletteChange for more information.
Section WFClient
Feature Graphics
Attribute Name INI_NUMSKIPREDRAWPERPALETTECHANGE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
9 Number of times to skip redraw request - Default
INI LocationN/A
Registry LocationN/A
614
HttpBrowserAddress
Specifies the location of the browser used in conjunction with the particular networkprotocol specified for browsing in BrowserProtocol. If BrowserProtocol value is HTTPonTCP,then parameter used to locate the browser is HttpBrowserAddress orLocHttpBrowserAddress
Whether [Protocol]BrowserAddress or Loc[Protocol]BrowserAddress is used depends on thevalue of DoNotUseDefaultCSL.
● If DoNotUseDefaultCSL value is FALSE (default) then parameter used to locate thebrowser is [Protocol]BrowserAddress.
● If DoNotUseDefaultCSL value is TRUE then parameter used to locate the browser isLoc[Protocol]BrowserAddress (overriding any existing [Protocol]BrowserAddresssettings).
Section : All [Protocol]BrowserAddress settings:
WFClient for all custom ICA connections unless otherwise overridden
Section : applicationsetname for each applicable published applicationset
Corresponding UI Element For applicationsetname:
Settings dialog box > Connection tab > Server Location >Network Protocol
Published application sets do not use Loc[Protocol]BrowserAddress
Section : All Loc[Protocol]BrowserAddress settings:
applicationservername for each custom ICA connection
Corresponding UI Element For applicationservername:
Properties dialog box > Connection tab > Server Location >Network Protocol
Section Transport
Feature EnumRes
Attribute Name INI_HTTPBROWSERADDRESS
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Any valid server name or address - Default
INI LocationINI File Section Value
Module.ini TCP/IP
All_Regions.ini Application Browsing\HTTP Addresses
canonicalization.ini TCP/IP HttpBrowserAddress
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\TCP/IP
HttpBrowserAddress
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing\HTTP Addresses
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing\HTTP Addresses
HttpBrowserAddress
615
616
ICAHttpBrowserAddress
Specifies the browser address. Used for HTTP or HTTPS browsing(BrowserProtocol=HTTPonTCP) if the browser address is not set through theHttpBrowserAddress or the Loc[Protocol]BrowserAddress parameters.
Section Transport
Feature EnumRes
Attribute Name INI_ICADOMAINNAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
ica Any valid server name or address - Default
INI LocationINI File Section Value
All_Regions.ini Application Browsing
appsrv.ini WFClient ica
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing
617
ICAKeepAliveEnabled
Use this parameter to notify users when inactive seamless applications are disconnectedfrom the server under the following scenarios:
● Users are using a published application that displays dynamic information
● The client auto-reconnect feature is disabled
● Applications for users of multi-monitors are out of focus
If ICAKeepAliveEnabled is set to On, it enables a timer in the ICA Client Engine. This timerchecks every N milliseconds (where N is set by ICAKeepAliveInterval) to determine if anydata was sent by the server. If no data was sent, the timer pings the server, to which itexpects a response after N milliseconds. If the server responds, the connection is stillpresent. If there is no response or the ping request fails, the client displays an errormessage and the connection is terminated.
To enable this enhancement, add the following two values to the [WFClient] section of theAppsrv.ini file:
● ICAKeepAliveEnabled=On
● ICAKeepAliveInterval =<time in milliseconds for an ICA ping>
If the connection to the server goes down and these values were added to the Appsrv.inifile, the user receives an error message and the session terminates. The user mustreconnect manually to the session.
Section WFClient
Feature Core
Attribute Name INI_PING_ENABLED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Off Disable ICA Keep Alive - Default
On Enable ICA Keep Alive
INI LocationN/A
Registry LocationN/A
ICAKeepAliveEnabled
618
619
ICAKeepAliveInterval
Specifies the interval that is used for the ICAKeepAliveEnabled setting.
Section WFClient
Feature Core
Attribute Name INI_PING_RETRY_INTERVAL
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
180000 milliseconds - Default
10000 milliseconds - UNIX platform default
INI LocationN/A
Registry LocationN/A
620
ICAPortNumber
Specifies the TCP port used for the ICA protocol. Change the port on all Citrix servers in thefarm using the ICAPORT command-line utility before you change this parameter on clients.
Section TCP/IP
Feature Core
Attribute Name INI_ICAPORTNUMBER
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1494 TCP network port number - Default
INI LocationINI File Section Value
Module.ini TCP/IP - FTP
Module.ini TCP/IP - Novell Lan WorkPlace
Module.ini TCP/IP - Microsoft
Module.ini TCP/IP - VSL
All_Regions.ini Network\Protocols
Module.ini TCP/IP 1494
canonicalization.ini TCP/IP ICAPortNumber
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\TCP/IP
ICAPortNumber
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
1494
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - FTP
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - Novell LanWorkPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - VSL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Protocols
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Protocols
ICAPortNumber
621
622
ICAPrntScrnKey
Key mapping for the hotkey for PrntScrn.
Section WFClient
Feature Keyboard
Attribute Name INI_VK_PRNTSCRN_CHAR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Default
INI LocationN/A
Registry LocationN/A
623
ICASOCKSProtocolVersion(2)
Specifies which version of the SOCKS protocol to use for the connection.
If ICASOCKSProtocolVersion is set, the following parameters are used to specify SOCKS proxysettings:
● ICASOCKSProxyHost
● ICASOCKSPortNumber
● ICASOCKSrfc1929Password
● ICASOCKSrfc1929UserName
● ICASOCKSTimeout
Used only if ProxyType = ProxySocks.
Configure SOCKS proxy settings: Use to configure the use of additional SOCKS proxiesrequired for some advanced network topologies.
When enabled, the client examines the "SOCKS protocol version" setting. If connection viaSOCKS is not disabled, the client connects using the SOCKS proxy specified by the "Proxyhost names" and "Proxy ports" settings.
The client supports connections using either SOCKS v4 or SOCKS v5 proxy servers.Alternatively, it can automatically detect the version being used by the proxy server.
ADM UI Element : Citrix Components > Citrix Receiver > Network routing > Proxy > ConfigureSOCKS proxy settings > SOCKS protocol version
Section Server, WFClient
Feature Proxy
Attribute Name INI_SOCKSPROTOCOLVERSION
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
5 Use SOCKS version 5
5 Use SOCKS version 5
5 Use SOCKS version 5
5 Use SOCKS version 5
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
appsrv.ini WFClient -1
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
TroubleshootingThe SOCKS proxy settings are designed for traversing a proxy in addition to the primary oralternative proxy server. When traversing only a single proxy, these SOCKS proxy settingsshould be disabled.
ICASOCKSProtocolVersion(2)
624
625
ICASOCKSProxyHost(2)
Specifies the DNS name or IP address of the SOCKS proxy to use.
Configure SOCKS proxy settings : Use this policy to configure the use of additional SOCKSproxies required for some advanced network topologies.
When enabled, the client examines the "SOCKS protocol version" setting. If connection viaSOCKS is not disabled, the client connects using the SOCKS proxy specified by the "Proxyhost names" and "Proxy ports" settings.
The client supports connections using either SOCKS v4 or SOCKS v5 proxy servers.Alternatively, it can automatically detect the version being used by the proxy server.
ADM UI Element : Citrix Components > Citrix Receiver > Network routing > Proxy > ConfigureSOCKS proxy settings > Proxy host names
Section Server, WFClient
Feature Proxy
Attribute Name INI_SOCKSPROXYHOST
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" DNS name or IP address of proxy host
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
appsrv.ini WFClient
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
TroubleshootingThe SOCKS proxy settings are designed for traversing a proxy in addition to the primary oralternative proxy server. When traversing only a single proxy, these SOCKS proxy settingsshould be disabled.
ICASOCKSProxyHost(2)
626
627
ICASOCKSProxyPortNumber(2)
Specifies the port number of the SOCKS proxy server.
This parameter is deprecated by ProxyType, but maintained to ensure backwardcompatibility with older .ini/.ica files that do not contain ProxyType.
Use this policy to configure the use of additional SOCKS proxies that are required for someadvanced network topologies.
When enabled, the client will examine the "SOCKS protocol version" setting. If connectionvia SOCKS is not disabled, the client will attempt to connect using the SOCKS proxyspecified by the "Proxy host names" and "Proxy ports" settings.
The client supports connections using either SOCKS v4 or SOCKS v5 proxy servers.Alternatively, it can attempt to automatically detect the version being used by the proxyserver.
ADM UI Element : Citrix Components > Citrix Receiver > Network routing > Proxy
Section Server, WFClient
Feature Proxy
Attribute Name INI_SOCKSPROXYPORTNUMBER
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
1080 Port number - Default
INI LocationINI File Section Value
All_Regions.ini Network\Proxy *
appsrv.ini WFClient 1080
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
TroubleshootingThe SOCKS proxy settings are designed for traversing a proxy in addition to the primary oralternative proxy server. When traversing only a single proxy, these SOCKS proxy settingsshould be disabled.
ICASOCKSProxyPortNumber(2)
628
629
InitialProgram
Specifies the initial program to start after establishing the associated custom ICAconnection. For server connections, this is the full path and file name. For publishedapplications, this is the name of the published application preceded by the pound (#)symbol. Omitting the # symbol attempts to launch a particular program or desktop. Acomputer running Citrix XenApp will not allow this by default, and rejects the connection,displaying: "You do not have access to this session."
This key must be specified for .ica files. InitialProgram takes initial app and also someparameters up to the length of a single INI line length.
Syntax: InitialProgram=#<AppName> <parameters> For example: InitialProgram=#Notepad“\\Client\V:\folder\file.txt”
If longer parameters have to be passed, then the following should be used:
● LongCommandLine=”…first part..” LongCommandLine000=”continuation”
In this case anything passed after InitialProgram is ignored.
Related Parameters: LongCommandLine
Corresponding UI Element: Properties dialog box > Application tab > Application text box
ADM UI Element: Citrix Receiver > User Experience > Remote Applications > Application
Section Server
Feature Core
Attribute Name INI_INITIALPROGRAM
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" Initial Program - Default
INI LocationINI File Section Value
All_Regions.iniClient Engine\Application Launching
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Application Launching
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Application Launching
InitialProgram
630
631
InitialProgram(2)
Specifies the initial program to start after establishing the associated custom ICAconnection. For server connections, this is the full path and file name. For publishedapplications, this is the name of the published application preceded by the pound (#)symbol. Omitting the # symbol attempts to launch a particular program or desktop. Acomputer running Citrix XenApp will not allow this by default, and rejects the connection,displaying: "You do not have access to this session."
This key must be specified for .ica files.
Related Parameters: LongCommandLine
Corresponding UI Element: Properties dialog box > Application tab > Application text box
ADM UI Element: Citrix Receiver > User Experience > Remote Applications > Application
Section dynamic,Server
Feature Core
Attribute Name INI_INITIALPROGRAM
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM Yes
ValuesValue Description
Default Initial program
INI LocationINI File Section Value
All_regions.ini Client Engine\Application Launching Notapplicable
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Application Launching
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Application Launching
InitialProgram(2)
632
633
InputEncoding
Describes the character encoding type of the .ica file. This information is used by the clientto convert and understand the .ica file if the Web server that created it used an encodingtype that is different from that of the the client.
Section Encoding
Feature Core
Attribute Name INI_INPUT_ENCODING
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
ISO8859_1 Default
SJIS
EUC-JP
UTF8
INI LocationNot applicable.
Registry LocationNot applicable.
634
InstallColormap
Force colormap installation on UNIX or AIX operating systems if the window has theoverride_redirect attribute. On UNIX or AIX operating systems, window managers installcolormaps rather than having the client device do it. This does not occur if the window hasthe override_redirect attribute set. In this case installation of the colormap is explicitlyforced.
Section Thinwire3.0
Feature Core
Attribute Name INI_INSTALL_COLORMAP
Data Type Boolean
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
TRUE Default - Window colormap is forced
FALSE Window colormap is not forced
INI LocationNot applicable.
Registry LocationNot applicable.
635
IOBase
Specifies the standard COM port I/O base address.
Section Server
Feature COMPortMapping
Attribute Name INI_IOADDR
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Default Default
INI LocationNot applicable.
Registry LocationNot applicable.
636
KeyboardLayout
Specifies the keyboard layout of the client device. The Citrix XenApp server uses thekeyboard layout information to configure the ICA session for the client’s keyboard layout.The default value causes the keyboard layout specified in the user profile to be used.
Section WFClient
Feature Keyboard
Attribute Name INI_KEYBOARDLAYOUT
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Default is user profile
INI LocationINI File Section Value
All_regions.ini Virtual Channels\Keyboard
wfclient.ini WFClient (UserProfile)
appsrv.ini WFClient (UserProfile)
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
637
KeyboardSendLocale
Send keyboard locale setting. Specifies whether to make the default input locale in an ICAsession the same as the default input locale on the client operating system (Control Panel >Keyboard > Input Locales).
Section WFClient
Feature Keyboard
Attribute Name INI_KEYBOARDSENDLOCALE
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Off Default - Disable using the client operating system locale
On Use the client operating system locale
INI LocationINI File Section Value
All_regions.ini Virtual Channels\Keyboard
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
638
KeyboardTimer(2)
Specifies the amount of time, in milliseconds, the client queues keystrokes before passingthem to the server. Use keystroke queueing if bandwidth limitations require a reduction ofnetwork traffic. Queuing reduces the number of network packets sent from the client to theserver, but also reduces keyboard responsiveness during the session. Higher values improveperformance when connecting over a RAS connection.
Section Server, WFClient
Feature Keyboard
Attribute Name INI_KEYBOARDTIMER
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default - no delay
50 50 milliseconds (default for WinCE)
INI LocationINI File Section Value
All_regions.ini Virtual Channels\Keyboard
appsrv.ini WFClient
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
639
KeyboardType
Specifies the keyboard type of the client device. The Citrix XenApp server uses thisinformation to configure the ICA session for the client’s keyboard type. Use the defaultvalue for most English and European keyboards. When using a Japanese keyboard,specifying the default auto-detects the correct keyboard type.
Section Server, WFClient
Feature Keyboard
Attribute Name INI_KEYBRDTYPESECTION
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
" " Default - Auto-detect
IBM PC/XTorcompatiblekeyboard
101Keyboard(Japanese)
106Keyboard(Japanese)
NECPC-9800onPC98-NX(Japanese)
NECPC-9800onPC98-NX 2(Japanese)
NECPC-9800Windows95 and 98(Japanese)
NECPC-9800WindowsNT(Japanese)
JapaneseKeyboardfor 106n(Japanese)
DECLK411-JJKeyboard(Japanese)
DECLK411-AJKeyboard(Japanese)
KeyboardType
640
INI LocationINI File Section Value
All_regions.ini Virtual Channels\Keyboard
wfclient.ini WFClient (Default)
appsrv.ini WFClient (Default)
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
KeyboardType
641
642
Launcher
Specifies the name of launch mechanism (that is, the client launcher name). Thisparameter is used to launch multiple ICA windows from the startup folder at logon time.
Section Server
Feature Core
Attribute Name INI_LAUNCHER
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
ICA Client Default - launch by using the ICA client
WI Launch through the Web Interface
PN Launch through Program Neighborhood client
PNAgent Launch through Program Neighborhood agent
MSAM Launch through the Metaframe Secure Access Manager
Custom Launch through a custom client
INI LocationINI File Section Value
All_regions.ini Client Engine\ICA File
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\ICA File
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\ICA File
643
LaunchReference
Reference token for a specific session on a Citrix XenApp server.
Section Server
Feature Core
Attribute Name INI_LAUNCHREFERENCE
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
" " Default - Session Launch Token
INI LocationINI File Section Value
All_regions.ini Client Engine\Application Launching
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Application Launching
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Application Launching
644
LicenseType
Specifies the license type. If the user is an offline plug-in user but the requestedapplication is an online application, then add "LicenseType=offline" to the file so that theCitrix XenApp server will request an offline license.
Section qwerty
Feature Core
Attribute Name <LicenseType>
Data Type String
Access Type Write
UNIX Specific No
Present in ADM No
ValuesValue Description
offline Default - an offline application license is requested
online an online application license is requested
INI LocationNot applicable.
Registry LocationNot applicable.
645
LocalIME
Specifies if Local IME (Input Method Editor) is enabled. When local IME is enabled,keyevents that were processed by IME should be ignored.
Section WFClient
Feature Keyboard
Attribute Name INI_USE_LOCAL_IME
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default - disable local IME
1 Enable local IME
INI LocationINI File Section Value
All_regions.ini Virtual Channels\Keyboard
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
646
LocHttpBrowserAddress
Specify the location of the browser used in conjunction with the HTTP specified forbrowsing in BrowserProtocol. If the value of DoNotUseDefaultCSL is = False (default) thenthe parameter used to locate the browser is HttpBrowserAddress. If DoNotUseDefaultCSL is= true then the parameter used to locate the browser is LocHttpBrowserAddress (overridingany existing HttpBrowserAddress settings).
For applicationsetname: Settings dialog box > Connection tab > Server Location > NetworkProtocol
For applicationservername: Properties dialog box > Connection tab > Server Location >Network Protocol
Section Server
Feature EnumRes
Attribute Name INI_LOCHTTPBROWSERADDRESS
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
" " Default - Location of HTTP Browser
INI LocationINI File Section Value
All_regions.ini Application Browsing\HTTP Addresses
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing\HTTP Addresses
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing\HTTP Addresses
LocHttpBrowserAddress
647
648
LockdownProfiles
Specifies whether lockdown profiles should be read from the administrator location or userlocation. This is ignored if there is no administrator configuration. By default lockdownprofiles are read from both locations, administrator and user.
Section Delegation
Feature ClientLockdown
Attribute Name INI_DELEGATION_LOCKDOWNPROFILES
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
administrator Read lockdown profiles from the administrator location
user Read lockdown profiles from the user location
grouppolicy_machine
grouppolicy_user
INI LocationINI File Section Value
Module.ini Delegation administrator, user, grouppolicy_machine,grouppolicy_user
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Delegation
administrator,user,grouppolicy_machine,grouppolicy_user
649
LogAppend
Specifies file open mode for logs. Switches between appending new log file entries to theend of the existing log file (On) and creating a new file (Off). For 16-bit DOS client theexisting log file is the value of "LogFile" attribute and for Win32 the existing log file is thevalue of "LogFileWin32" attribute. Applies only at start of session.
Section WFClient
Feature Core
Attribute Name INI_LOGAPPEND
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Default - Creates a new log file and writes new log entries to it
TRUE Append new log file entries to the end of the existing log file
INI LocationINI File Section Value
appsrv.ini WFClient Off
Registry LocationNot applicable.
650
LogConfigurationAccess
Enable or disable logging of configuration access.
Section Logging
Feature ConfigMgr
Attribute Name INI_LOG_CONFIGURATION_ACCESS
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Default
TRUE
INI LocationINI File Section Value
Module.ini Logging False
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Logging
false
651
LogConnect
Enables or disables the logging of Citrix XenApp server connection status changes(connection and disconnection).
Section WFClient
Feature Core
Attribute Name INI_LOGCONNECT
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
TRUE Default - Logs connections to and disconnections from Citrix servers
FALSE Does not log connections to and disconnections from Citrix servers
INI LocationINI File Section Value
appsrv.ini WFClient On
Registry LocationNot applicable.
652
LogErrors
Enables (On) or disables (Off) the logging of Citrix XenApp server connection errors.
Section WFClient
Feature Core
Attribute Name INI_LOGERRORS
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
On Default - Enables Citrix XenApp server connection error log
Off Disables Citrix XenApp server connection error log
INI LocationINI File Section Value
appsrv.ini WFClient On
Registry LocationNot applicable.
653
LogEvidence
Specifies whether to return a location suitable for writing log entries. This is a log type, notan attribute for itself.
Section Logging
Feature Core
Attribute Name INI_LOG_EVIDENCE
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Default - No file to write log information.
TRUE File location found to write log information
INI LocationINI File Section Value
Module.ini Logging False
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Logging
false
654
LogFile
Specifies the name of the Citrix XenApp plug-in log file. The log file is generated by theplug-in at run-time and is saved in the ICA Client directory. The types of details loggeddepends on the values of the LogConnect, LogErrors, LogReceive, and LogTransmitparameters.
Section Logging
Feature Core
Attribute Name INI_LOG_File
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
" " Default - If present, then any valid file name.
INI LocationINI File Section Value
Module.ini Logging
appsrv.ini WFClient C:\Program Files\Citrix\ICAClient\wfclient.log
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Logging
655
LogFileGlobalPath
Specifies how log files are created. If On, a single log file is used for all users of a givenclient device. LogFileWin32 must specify the entire directory path to the log file, includingthe file name. If Off, a separate log file is created for each user and stored in the user’sprofile directory. In this case, LogFileWin32 specifies the file name only.
Section WFClient
Feature Core
Attribute Name INI_LOGFILEGLOBALPATH
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
off Default - LogWinFile32 specifies the log file name only
on LogFileWin32 specifies the entire directory path to the log file
INI LocationNot applicable.
Registry LocationNot applicable.
656
LogFileWin32
Specifiy the name of the log file. The types of details logged depends on the values of theLogConnect, LogErrors, LogReceive, and LogTransmit parameters. Log data can alternatelybe sent to standard out or standard error by specifying stdout or stderr instead of a filename.
If LogFileGlobalPath=On, a single log file is used for all users of a given client device.LogFileWin32 must specify the entire directory path to the log file, including the file name.If LogFileGlobalPath=Off, a separate log file is created for each user and stored in theuser’s profile directory. In this case, LogFileWin32 specifies the file name only.
Section WFClient
Feature Core
Attribute Name INI_LOGFILE32
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
" " Log file name.
INI LocationINI File Section Value
appsrv.ini WFClient
Registry LocationN/A
657
LogFlush
Specifies whether to flush out log results for each write. All the log data is written out asquickly as possible instead of being cached in memory. This ensures that the log file iscompletely up to date at any given moment.
When set to True, the system writes each log record as it is generated. When set to False,the system buffers log records and writes them periodically for optimal performance.
The log file location is specified in the registry atHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\AppData.
Section Server
Feature Core
Attribute Name INI_LOGFLUSH
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False Default - Does not flush the log result
True Flush out the log result
INI LocationNot applicable.
Registry LocationNot applicable.
658
LogonTicket
Specifies client authentication token for web interface. The client handles anauthentication token in the form of an opaque LogonTicket with an associatedinterpretation defined by the LogonTicketType. This functionality can be disabled byclearing the Web Interface 4.5 and above check box.
ADM UI Element: Citrix Receiver > User Authentication > Web Interface Authenticationticket > Web interface 4.5 and above
Section Server
Feature Core
Attribute Name INI_LOGONTICKET
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
" " Default.
INI LocationINI File Section Value
All_regions.ini Logon\Ticket
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\AllRegions\Lockdown\Logon\Ticket
HKEY_CURRENT_USER\Software\Citrix\ICAClient\Engine\Lockdown Profiles\AllRegions\Lockdown\Logon\Ticket
659
LogonTicketType
Specifies the logon ticket type for "Web interface authentication ticket". Use this policy tocontrol the ticketing infrastructure used when authenticating through the Web Interface.The client handles an authentication token in the form of an opaque LogonTicket with anassociated interpretation defined by the LogonTicketType.
Section Server
Feature Core
Attribute Name INI_LOGONTICKETTYPE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default - no ticket
1 For Secure Ticketing Authority (STA) version 1 ticket
2 For STA version 4 ticket
INI LocationINI File Section Value
All_regions.ini Logon\Ticket
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\AllRegions\Lockdown\Logon\Ticket
HKEY_CURRENT_USER\Software\Citrix\ICAClient\Engine\Lockdown Profiles\AllRegions\Lockdown\Logon\Ticket
660
LongCommandLine
Allows passing of a very long string of parameters to the program specified inInitialProgram. The value of LongCommandLine replaces any command-line parametersspecified at the end of InitialProgram.
To provide LongCommandLine support without breaking compatibility with older XenAppplug-ins, all lines in the .ica/.ini file must be limited to 255 characters. To support longercommand lines, use a series of LongCommandLine parameters as follows:
LongCommandLine="The beginning of my long command line"
LongCommandLine000="continuation of my long command line"
LongCommandLine001="the rest of my long command line"
Each value must be in quotation marks ("") and must not exceed 224 characters. The ICAClient engine concatenates the values to create a single long command line parameter. Youcan include as many LongCommandLine parameters as necessary.
Section dynamic, Server
Feature Core
Attribute Name INI_LONGPARAMETERS
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
" " Default
INI LocationINI File Section Value
All_regions.ini Client Engine\ApplicationLaunching
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\ClientEngine\Application Launching
HKEY_CURRENT_USER\Software\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\ClientEngine\Application Launching
LongCommandLine
661
662
Lpt1
Specifies the mappping information between host lpt and client port. Both Lpt1 and Port1together specify the mapping information between host lpt and client port. Connect this(1=lpt1...8=lpt8) host lpt to the client port specified by Port1. For example, Lpt1=4 meansconnect host lpt4 to client port specified by Port1. Lpt1=0 means no mapping information isspecified by this attribute but some other attributes like Lpt2-Port2, Lpt3-Port3 may havethis information.
Section WFClient
Feature ParallelportMapping
Attribute Name INI_LPT1
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default - No mapping is specified by this attribute.
1 through8
Connect this host lpt to the client device port specified by Port11 entry
INI LocationNot applicable.
Registry LocationNot applicable.
663
Lpt2
Specifies the mappping information between host lpt and client port. Both Lpt2 and Port2together specify the mapping information between host lpt and client port. Connect this(1=lpt1...8=lpt8) host lpt to the client port specified by Port2. For example, Lpt2=4 meansconnect host lpt4 to client port specified by Port2. Lpt2=0 means no mapping information isspecified by this attribute but some other attributes like Lpt1-Port1, Lpt3-Port3 may havethis information.
Section WFClient
Feature ParallelportMapping
Attribute Name INI_LPT2
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default - No mapping is specified by this attribute.
1 through8
Connect this host lpt to the client device port specified by Port2 entry
INI LocationNot applicable.
Registry LocationNot applicable.
664
Lpt3
Specifies the mappping information between host lpt and client port. Both Lpt3 and Port3together specify the mapping information between host lpt and client port. Connect this(1=lpt1...8=lpt8) host lpt to the client port specified by Port3. For example, Lpt3=4 meansconnect host lpt4 to client port specified by Port3. Lpt3=0 means no mapping information isspecified by this attribute but some other attributes like Lpt1-Port1, Lpt2-Port2 may havethis information.
Section WFClient
Feature ParallelportMapping
Attribute Name INI_LPT3
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default - No mapping is specified by this attribute.
1 through8
Connect this host lpt to the client device port specified by Port3 entry
INI LocationNot applicable.
Registry LocationNot applicable.
665
LPWD
End User Experience Monitoring EUEM LPWD - LAUNCH_PAGE_WEB_SERVER. The time ittakes to process the launch page (launch.aspx) on the Web Interface server.
Section Server
Feature EUEM
Attribute Name INI_EUEM_LPWD
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
-1 Initial reset value
INI LocationINI File Section Value
All_regions.ini Virtual Channels\End UserExperience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\End User Experience
666
LvbMode2
Enables or disables local video buffer (LVB) mode. For WINCE, the attribute is read fromServer section.
Section Server, WFClient
Feature Graphics
Attribute Name INI_LVB_MODE
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False Default - Turns LVB mode off
True Turns LVB mode on
INI LocationNot applicable.
Registry LocationNot applicable.
667
MaxDataBufferSize
Set the maximum client audio data buffer size (that is, the size of the maximum clientaudio data packet the client can accept and/or send).
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_MAXDATABUFFERSIZE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
2048 Default - value for maximum data buffer size for initial
INI LocationINI File Section Value
Module.ini ClientAudio 2048
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientAudio
668
MaxMicBufferSize
Set the maximum data buffer size for audio input (that is, the size of the maximum clientaudio input packet the client can accept and/or send).
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_MAXMICBUFFERSIZE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
256 Default - value for maximum input buffer size
128-256 Value for maximum input buffer size
INI LocationINI File Section Value
Module.ini ClientAudio 256
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientAudio
669
MaxOpenContext
Specifies the number of files that can be opened on a client-mapped drive. "Out of filehandles" message might be encountered when an application running on the server openstoo many files on a client mapped drive and causes the ICA session to run out of filehandles. The operating system does not provide the ICA Client engine sufficient file handleson request. This can be solved by increasing the number of initial file handles available tothe Client by adding the MaxOpenContext parameter to the [ClientDrive] section in theMODULE.INI file . If the user needs to open a large number of files, increase the number ofinitial file handles to 50 or greater. The default value for MaxOpenContext is 20.
Section ClientDrive
Feature CDM
Attribute Name INI_MAXOPENCONTEXT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
20 Default - Number of initial file handles available to the client
INI LocationNot applicable.
Registry LocationNot applicable.
670
MaxPort
Specify the maximum number of COM ports supported by the client platform.
Section ClientComm
Feature COMPortMapping
Attribute Name INI_CCMMAXPORT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
5 Default
INI LocationNot applicable.
Registry LocationNot applicable.
671
MaxWindowSize
Set the maximum write window size (in bytes) for flow management (that is, the maximumnumber of bytes writeable for the ClientDrive section).
Section ClientDrive
Feature CDM
Attribute Name INI_MAXWINDOWSIZE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
6276 Default - value for maximum write window size
INI LocationINI File Section Value
Module.ini ClientDrive 8650
Module.ini ClientPrinterPort 2048
Module.ini ClientPrinterQueue 8650
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientDrive
8650
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterPort
2048
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterQueue
8650
672
MinimizeOwnedWindows
Specify whether all child windows are minimized when the parent window is minimized.
Section WFClient
Feature Core
Attribute Name INI_MINIMIZE_OWNED_WINDOWS
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default - disable minimize
1 Enable minimize
INI LocationNot applicable.
Registry LocationNot applicable.
673
MissedKeepaliveWarningMsg
Specify the message displayed when the keep-alive time has expired. It will displayaccording to the amount of time in seconds defined in MissedKeepaliveWarningTime.
Section WFClient
Feature CGP
Attribute Name INI_CGP_WARNMESSAGE
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
" " Default - Keep Alive Expiration Message
INI LocationINI File Section Value
All_regions.ini Network\CGP
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\AllRegions\Lockdown\Network\CGP
HKEY_CURRENT_USER\Software\Citrix\ICAClient\Engine\Lockdown Profiles\AllRegions\Lockdown\Network\CGP
674
MissedKeepaliveWarningTime
Specify the number of seconds to display the message defined inMissedKeepaliveWarningMsg after the keep-alive time has expired.
Section WFClient
Feature CGP
Attribute Name INI_CGP_WARNTIME
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default - off.
1 through 60 Amount of time in seconds to display the message. Maximum value is60.
INI LocationINI File Section Value
All_regions.ini Network\CGP
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\AllRegions\Lockdown\Network\CGP
HKEY_CURRENT_USER\Software\Citrix\ICAClient\Engine\Lockdown Profiles\AllRegions\Lockdown\Network\CGP
675
MouseTimer
Specifies the amount of time, in milliseconds, the client queues mouse events beforepassing them to the server. Use mouse event queueing if bandwidth limitations require areduction of network traffic. Queuing reduces the number of network packets sent from theclient to the server, but also reduces responsiveness to mouse movements during thesession. Higher values improve performance when connecting over a RAS connection.
It is also read from the following sections:
● Thinwire 3.0 (if the operating environment is WinCE). In WinCE, the setting for queuingthe mouse events is not in the UI, so it mustbe set in module.ini. As an internet client,it does not have access to the WFClient section of the module.ini file and is loaded itfrom the Thinwire section.
● WFClient (if the operating environment is other than WinCE)
Section Server
Feature Mouse
Attribute Name INI_MOUSETIMER
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default - off.
1 through 900 Amount of time in milliseconds to queue mouse events. Maximumvalue is 900.
INI LocationINI File Section Value
All_regions.ini Virtual Channels\Mouse
appsrv.ini WFClient
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\Mouse
HKEY_CURRENT_USER\Software\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\Mouse
MouseTimer
676
677
MouseWheelMapping
Specifies the mouse buttons whose down events are processed as mouse wheel motion. Thisattribute is considered as specific for MacIntosh/UNIX.
Section WFClient
Feature Mouse
Attribute Name INI_MOUSEWHEELMAPPING
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
4,5 Default. mousewheelupmapping is assigned to button 4,mousewheeldownmapping is assigned to button 5.
INI LocationINI File Section Value
All_regions.ini Virtual Channels\Mouse
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\Mouse
HKEY_CURRENT_USER\Software\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\Mouse
678
MSIEnabled
Allows Multi-Stream ICA connections. Use this setting to enable or disable the Multi-StreamICA feature on the client.
Section WFClient
Feature Multi-Stream ICA
Attribute Name INI_MSIENABLED
Definition Location Client_Ini.h
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
TRUE Allows Multi-Stream ICAconnections.
Default
FALSE Does not allow Multi-Stream ICAconnections.
INI LocationINI File Section Value
All_Regions.ini NetWork\Multi-Stream *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Lockdown Profiles\AllRegions\Lockdown\Network\Multi-Stream
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\Lockdown Profiles\AllRegions\Lockdown\Network\Multi-Stream
*
679
NativeDriveMapping
Specify the pass-through support for the network drive. Local or network drives configuredon the server running Citrix XenApp can now be mapped by the pass-through client in apass-through session by adding the following line to the [ClientDrive] section of theModule.ini file: NativeDriveMapping=TRUE.
When TRUE, the client drives on the client device are not mapped and are not available.The drives configured on the server are mapped and are available to the pass-throughclient.
Section ClientDrive
Feature CDM
Attribute Name INI_CDMINCLUDENETWORKDRIVEINPASSTHRU
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Default. Native drive mapping is disabled.
TRUE Native drive mapping is enabled.
INI LocationINI File Section Value
All_regions.ini Virtual Channels\Drives *
Module.ini ClientDrive True
canonicalization.iniClientDrive NativeDriveMapping
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\ClientDrive
NativeDriveMapping
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientDrive
TRUE
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\Drives
*
HKEY_CURRENT_USER\Software\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\Drives
*
NativeDriveMapping
680
681
NDS
Specifies a string representing the single sign-on credential type of NDS (for NovellDirectory Service). Other credential types are NT and Any.
Section Server
Feature SSON
Attribute Name INI_SSON_CREDENTIAL_NDS
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
NDS Default
INI LocationNot applicable.
Registry LocationNot applicable.
682
NRUserName
Indicates a string representing the user name for a XenApp farm connection. If Username orINI_USERNAME for custom connections is not found, NRUserName is retrieved.
Section Server
Feature Core
Attribute Name INI_NR_USERNAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
" " Default
INI LocationNot applicable.
Registry LocationNot applicable.
683
NRWD
Name Resolution Web server Duration (NRWD) is the time it takes the XML Service toresolve the name of a published application to an IP address. This metric is only collectedfor new sessions, and only if the ICA file does not specify a connection to a Citrix XenAppserver with the IP address already provided. This is one of the Session Client startup datawhile End User Experience Monitoring (EUEM) metrics are stored.
Section Server
Feature EUEM
Attribute Name INI_EUEM_NWRD
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
-1 Default.
INI LocationINI File Section Value
All_regions.ini Virtual Channels\End UserExperience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\End User Experience
*
HKEY_CURRENT_USER\Software\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\End User Experience
*
684
NumCommandBuffers
Set the maximum number of client audio command buffers.
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_NUMCOMMANDBUFFERS
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
64 Default. Number of command buffers.
INI LocationINI File Section Value
Module.ini ClientAudio 64
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientAudio
64
685
NumDataBuffers
Set the maximum number of client audio data buffers created.
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_NUMDATABUFFERS
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
32 Default. Number of data buffers.
INI LocationINI File Section Value
Module.ini ClientAudio 32
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientAudio
32
686
OutBufCountClient
Number of outbuffers allocated on client.
Section Transport
Feature Core
Attribute Name INI_OUTBUFCOUNTCLIENT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
6 Default
INI LocationINI File Section Value
Module.ini TCP/IP 6
Module.ini TCP/IP – FTP 6
Module.ini TCP/IP – Novell Lan WorkPlace 6
Module.ini TCP/IP – Microsoft 6
Module.ini TCP/IP – VSL 6
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
6
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – FTP
6
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – Microsoft
6
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – Novell LanWorkPlace
6
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – VSL
6
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – FTP
6
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – FTP
6
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – FTP
6
OutBufCountClient
687
688
OutBufCountClient2
Number of outbuffers on client for high throughput.
Used only when PD drivers (Protocol Drivers) supports any high-throughput in the server.
If high throughput is supported then certain drivers should switch to large sizing. For that,OutBufCountClient2 is used.
Section Transport
Feature Core
Attribute Name INI_OUTBUFCOUNTCLIENT2
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
42 Default
INI LocationINI File Section Value
Module.ini TCP/IP 44
Module.ini TCP/IP – FTP 44
Module.ini TCP/IP – Novell Lan WorkPlace 44
Module.ini TCP/IP – Microsoft 44
Module.ini TCP/IP – VSL 44
Registry Location
Registry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
44
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – FTP
44
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – Microsoft
44
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – Novell LanWorkPlace
44
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – VSL
44
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – FTP
44
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – FTP
44
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – FTP
44
OutBufCountClient2
689
690
OutBufCountHost
Specifies the number of server output buffers to allocate.
Section Transport
Feature Core
Attribute Name INI_OUTBUFCOUNTHOST
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
6 Default
12
INI LocationINI File Section Value
Module.ini TCP/IP 6
Module.ini TCP/IP – FTP 6
Module.ini TCP/IP – Novell Lan WorkPlace 6
Module.ini TCP/IP – Microsoft 6
Module.ini TCP/IP – VSL 6
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
6
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – FTP
6
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – Microsoft
6
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – Novell LanWorkPlace
6
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – VSL
6
OutBufCountHost
691
692
OutBufCountHost2
Specifies high performance server buffer count.
Used only when PD drivers (Protocol Drivers) supports any high-throughput in the server. Ifhigh throughput is supported then certain drivers should switch to large sizings. For that,OutBufCountHost2 is used.
Section Transport
Feature Core
Attribute Name INI_OUTBUFCOUNTHOST2
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
42 Default
INI LocationINI File Section Value
Module.ini TCP/IP 44
Module.ini TCP/IP – FTP 44
Module.ini TCP/IP – Novell Lan WorkPlace 44
Module.ini TCP/IP – Microsoft 44
Module.ini TCP/IP – VSL 44
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
44
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – FTP
44
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – Microsoft
44
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – Novell LanWorkPlace
44
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – VSL
44
OutBufCountHost2
693
694
OutBufLength
Specifies the size (in bytes) of the output buffer for transport driver.
Section Transport
Feature Core
Attribute Name INI_OUTBUFLENGTH
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1460 Default for WinCE
530 Default for Wany other platform
INI LocationINI File Section Value
Module.ini TCP/IP 1460
Module.ini TCP/IP – FTP 1460
Module.ini TCP/IP – Novell Lan WorkPlace 1460
Module.ini TCP/IP – Microsoft 1460
Module.ini TCP/IP – VSL 1460
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
1460
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – FTP
1460
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – Microsoft
1460
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – Novell LanWorkPlace
1460
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP – VSL
1460
OutBufLength
695
696
PassThroughLogoff
Enables and disables the posting of a logoff message.
Section WFClient
Feature Core
Attribute Name INI_PASSTHROUGHLOGOFF
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesN/A
INI LocationINI File Section Value
All_Regions.ini
Registry LocationN/A
697
Password
Specifies the encrypted password that appears in the Password text box if the user selectsthe User- specified credentials option for the associated custom ICA connection. Use"Locally stored credentials" policy to control how user credential data stored on usermachines or placed in ICA files is used to authenticate the user to the remote publishedapplication or desktop. When this policy is enabled, you can prevent locally storedpasswords from being automatically sent to remote servers by clearing the Allowauthentication using locally stored credentials check box. This causes any password fieldsto be replaced with dummy data.
ADM UI Element: Citrix Components > Citrix Receiver > User authentication > Locally storedcredentials > Allow authentication using locally stored credentials
Section Server
Feature Core
Attribute Name INI_PASSWORD
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM Yes
ValuesValue Description
" " Default - Any string representing a password
INI LocationINI File Section Value
All_Regions.ini Logon\Saved Credentials
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Saved Credentials
KEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\Lockdown Profiles\AllRegions\Lockdown\Logon\Saved Credentials
Password
698
699
Path
Specify the content redirection path for the executable used for server to clientredirection.
Section dynamic
Feature FeatureRedirection
Attribute Name INI_CR_PATH
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
" " Content Redirection Path (no default path for this attribute)
INI LocationN/A
Registry LocationN/A
700
PCSCCodePage
Specifies smart card code-page identifier for an ANSI-based String encoding system.
Section SmartCard
Feature SmartCard
Attribute Name INI_PCSC_CODEPAGE
Data Type Integer
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
0 Default. Code-page identifier value
INI LocationN/A
Registry LocationN/A
701
PCSCLibraryName
Specifies name of smart card`s dynamic link library name.
Section SmartCard
Feature SmartCard
Attribute Name INI_PCSC_LIBRARY_NAME
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
libpcsclite.soDefault. Dynamic link library name.
INI LocationN/A
Registry LocationN/A
702
PercentS
Number of occurrences of % (percent signs) in the UNIX command settings used to handleredirected browser URLs.
Section WFClient
Feature ContentRedirection
Attribute Name INI_CR_PERCENT_S
Data Type Integer
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
0 Default number of percent signs.
INI LocationN/A
Registry LocationN/A
703
PersistentCacheEnabled
Enables (On) or disables (Off) the persistent disk cache. The persistent disk cache storescommonly used graphical objects such as bitmaps on the hard disk of the client device.Using persistent disk cache increases performance across low-bandwidth connections butreduces the amount of available client disk space. For clients on high-speed LANs, usingpersistent disk cache is, therefore, not warranted. Disk caching is enabled by default fordial-in connections.
ADM UI Element : Citrix Components > Citrix Receiver > User experience > Client graphicssettings > Disk-based caching
Interface Element
For published application sets: Settings dialog box > Default Options tab > Use disk cachefor bitmaps option
For custom ICA connections: Properties dialog box > Options tab > Use disk cache forbitmaps option
For client devices with limited RAM, better compression rates can be achieved by savingtemporary graphics objects to the disk cache.
Section Server
Feature Graphics
Attribute Name INI_DIMCACHEENABLED
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM Yes
ValuesValue Description
0 or OFF Default. Does not use persistent disk cache
1 or ON Uses the persistent disk cache
INI LocationINI File Section Value
Module.ini Thinwire3.0 OFF
All_Regions.ini Virtual Channels\Thinwire Graphics *
appsrv.ini WFClient OFF
canonicalization.ini Thinwire3.0 PersistentCacheEnabled
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Thinwire3.0
OFF
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\Thinwire3.0
PersistentCacheEnabled
PersistentCacheEnabled
704
705
PersistentCacheGlobalPath
Specify the type of cache directory to use.
If On, a single cache directory is used for all users of a given client device.PersistentCachePath must specify the entire directory path to the cache directory,including the cache directory name.
If Off, a separate cache directory is created for each user and stored in the user`s profiledirectory. In this case, PersistentCachePath specifies the cache directory name only.
Note: This is a case sensitive string. Only the On string is verified; if thePersistentCacheEnabled value is "on" or "ON" then the "Off" value is the assumed default.
Section WFClient
Feature Graphics
Attribute Name INI_DIMCACHEPATHGLOBAL
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Off Default. Disable single cache directory.
On Enable single cache directory.
INI LocationN/A
Registry LocationN/A
706
PersistentCacheMinBitmap(2)
Sets the minimum size, in bytes, of a bitmap that is added to the persistent disk cache.Bitmaps that are too small will not be cached.
The persistent disk cache stores commonly used graphical objects such as bitmaps on thehard disk of the client device. Using persistent disk cache increases performance across lowbandwidth connections but reduces the amount of available client disk space.
Section WFClient,Thinwire3.0
Feature Graphics
Attribute Name INI_DIMMINBITMAP
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Size in bytes - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Thinwire Graphics *
Module.ini Thinwire3.0
canonicalization.ini Thinwire3.0 PersistentCacheMinBitmap
appsrv.ini WFClient 8192
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\Thinwire3.0
PersistentCacheMinBitmap
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Thinwire3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
PersistentCacheMinBitmap(2)
707
708
PersistentCachePath
Specifies the location of the local directory containing the cached image data.
The PersistentCachePath entry specifies where the Cache folder will be created. Create theCache folder under the user's profile under the hidden folder \Application Data\ICAClient\.
Section WFClient
Feature Graphics
Attribute Name INI_DIMCACHEPATH
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Location of Persistent Disk Cache - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Thinwire Graphics
Module.ini Thinwire3.0
canonicalization.ini Thinwire3.0 PersistentCachePath
appsrv.ini WFClient C:\DocumentsandSettings\userprofilename\ApplicationData\ICAClient\Cache
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\Thinwire3.0
PersistentCachePath
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Thinwire3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
PersistentCachePath
709
710
PersistentCachePercent
Determines what percentage of disk drive to use for persistent cache.
Functionality is obsolete.
Section WFClient
Feature Graphics
Attribute Name INI_DIMCACHEPERCENT_UI
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
3 Percentage to use. (3%) - Default
INI LocationINI File Section Value
appsrv.ini WFClient
Registry LocationRegistry information not found.
711
PersistentCacheSize(2)
Specifies the size of the persistent disk cache in bytes.
Section WFClient,Thinwire3.0
Feature Graphics
Attribute Name INI_DIMCACHESIZE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Disk cache size in bytes. - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Thinwire Graphics *
Module.ini Thinwire3.0
canonicalization.ini Thinwire3.0 PersistentCacheSize
appsrv.ini WFClient 30000000
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\Thinwire3.0
PersistentCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Thinwire3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
PersistentCacheSize(2)
712
713
PersistentCacheUsrRelPath
Specifies the location of the persistent disk cache.
Used only if PersistentCacheGlobalPath = Off, a separate cache directory is created foreach user and stored in the user’s profile directory, and PersistentCachePath (location ofthe persistent disk cache) specifies the cache directory name only.
Section WFClient
Feature Graphics
Attribute Name INI_DIMCACHEUSRPATH
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Cache Location - Default
INI LocationINI information not found.
Registry LocationRegistry information not found.
714
PingCount
Specifies the number of times to ping. It is a tunable parameter used by the Ping virtualchannel.
CTXPING sends PingCount separate pings. Each ping consists of a BEGIN packet and an ENDpacket.
Section Ping
Feature Ping
Attribute Name INI_PING_PINGCOUNT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
3 Pings - Default
INI LocationINI information not found.
Registry LocationRegistry information not found.
715
PlaybackDelayThresh
Delay, in milliseconds, between being asked to open audio device and actually opening it inorder to build up a backlog of sound.
Section ClientAudio
Feature Audio
Attribute Name INI_CAM_PLAYDELAY_THRESH
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
250 Milliseconds - Default
0 Disable audio input
INI LocationINI File Section Value
Module.ini ClientAudio 250
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientAudio
250
716
PNPDeviceAllowed
Use this policy to enable and restrict the remote application or desktop's access to theclient USB PNP devices.
ADM UI Element: Citrix Components > Citrix Receiver > Remoting client devices > USB PNPDevices
Section WFClient
Feature PlugNPlaySupport
Attribute Name INI_DVC_PNPDEVICE
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
True Allows USB PnP device redirection - Default
False Does not allow USB PnP device redirection
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\PNPDeviceAllowed *
Registry LocationRegistry Key Value
HKLM\Software\Citrix\ICA Client\Engine\Lockdown Profiles\AllRegions\Lockdown\Virtual Channels\DVC_PlugAndPlay\PNPDeviceAllowed
*
717
pnStartSCD
New session creation time, from the moment wfica32.exe is launched to when theconnection is established.
This is one of the Session Client startup data while End User Experience Monitoring (EUEM)metrics are captured.
Section Server
Feature EUEM
Attribute Name INI_EUEM_PNSTARTSCD
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\End User Experience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
718
Port1
Specifies the mappping information between the host LPT and client port.
Both Port1 and Lpt1 together specify the mapping information between the host LPT andclient port. Connect the host LPT specified by Lpt1 to this (1=lpt1,...,8=com4) client port.For example, if Port1=2, this means the host LPT specified by Lpt1 is connected to clientport Lpt2. If Port1=0, this means no mapping information is specified by this attribute butsome other attributes like Lpt2-Port2, Lpt3-Port3 may have this information.
Section WFClient
Feature ParallelPortMapping
Attribute Name INI_PORT1
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 No mapping information specified by this attribute - Default
1-8 Connect the host lpt specified by Lpt1 to this client port
INI LocationINI information not found.
Registry LocationRegistry information not found.
719
Port2
Specifies the mapping information between the host LPT and client port.
Both Port2 and Lpt2 together specify the mapping information between the host LPT andclient port. Connect the host LPT specified by Lpt2 to this (1=lpt1,...,8=com4) client port.For example, if Port2=1, this means the host LPT specified by Lpt2 is connected to clientport Lpt1. If Port2=0, this means no mapping information is specified by this attribute butsome other attributes like Lpt1-Port1, Lpt3-Port3 may have this information.
Section WFClient
Feature ParallelPortMapping
Attribute Name INI_PORT2
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 No mapping information specified by this attribute - Default
1-8 Connect the host LPT specified by Lpt2 to this client port
INI LocationINI information not found.
Registry LocationRegistry information not found.
720
POSDeviceAllowed
Use this policy to enable and restrict the remote application or desktop's access to theclient USB POS devices. For this setting to work PNPDeviceAllowed should be set to allowed.
If PNPDeviceAllowed is set to disallowed, POS devices won’t be available in the session,regardless of the POSDeviceAllowed value.
ADM UI Element : Citrix Components > Citrix Receiver > Remoting client devices > POS USBDevices
Section WFClient
Feature PlugNPlaySupport
Attribute Name INI_DVC_POSDEVICE
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
True Allows USB POS device redirection - Default
False Does not allow USB POS device redirection
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\POSDeviceAllowed *
Registry LocationRegistry Key Value
HKLM\Software\Citrix\ICA Client\Engine\Lockdown Profiles\AllRegions\Lockdown\Virtual Channels\DVC_PlugAndPlay\POSDeviceAllowed
*
POSDeviceAllowed
721
722
PrinterFlowControl
Specifies whether flow control on a printer virtual channel is allowed.
Section WFClient
Feature Printing
Attribute Name INI_CPM_FLOW_CONTROL
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False Disables flow control - Default
True Enable flow control
INI LocationINI information not found.
Registry LocationRegistry information not found.
723
PrinterResetTime
Gives the amount of time (in milliseconds) that the client will wait for a printer to reset.
Section ClientPrinterQueue
Feature Printing
Attribute Name INI_VSLPRINTERRESETTIME
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1100 Wait time (ms) - Default
INI LocationINI File Section Value
Module.ini ClientPrinterPort 1100
Module.ini ClientPrinterQueue 1100
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterPort
1100
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterQueue
1100
724
PrinterThreadPriority
Specify the printer thread priority for CPM. Can be adjusted for performance.
Section ClientPrinterPort
Feature Printing
Attribute Name INI_CPMPRINTERTHREADPRIORITY
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Normal - Default
1 Above Normal
2 Highest
3 Time-critical
INI LocationINI information not found.
Registry LocationRegistry information not found.
725
PrintMaxRetry
Specify the maximum number of times to retry printing.
The number of times to retry sending data to the printer when writing data to the printerfails and elicits an ambigous LastError. Attempts that result in specific errors, such as "Outof Paper," will not be retried.
Section ClientPrinterPort
Feature Printing
Attribute Name INI_CPMPRINTMAXRETRY
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default
1000 PrintMaxRetry variable
INI LocationINI information not found.
Registry LocationRegistry information not found.
726
ProxyAuthenticationBasic(2)
Specifies whether or not the Basic authentication mechanism is allowed.
Configure proxy authentication: Use this policy to control the authentication mechanismsthat the client uses when connecting to a proxy server. Authenticating proxy servers can beused to monitor data traffic in large network deployments.
In general, authentication is handled by the operating system but in some scenarios, theuser may be provided with a specific user name and password. To prevent the user frombeing specifically prompted for these credentials, clear the Prompt user for credentialscheck box. This will force the client to attempt an anonymous connection. Alternatively,you can configure the client to connect using credentials passed to it by the Web Interfaceserver, or these can be explicitly specified via Group Policy using the Explicit user nameand Explicit password options.
Section WFClient,Server
Feature Proxy
Attribute Name INI_PROXYAUTHBASIC
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
True Basic authentication mechanism is allowed - Default
False Basic authentication mechanism is not enabled
INI LocationINI File Section Value
All_Regions.ini Network\Proxy *
Registry Location
Registry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
TroubleshootingIn general, NTLM proxy authentication will be performed under the control of the domaincontroller and cannot be controlled by the client. Both client and proxy will need to beconfigured with the appropriate domain level trust relations.
Proxy authentication cannot be linked to the pass-through authentication feature of theclient. In general, the proxy password will be unrelated to users' passwords.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Proxy > Configureproxy authentication
ProxyAuthenticationBasic(2)
727
728
ProxyAuthenticationKerberos
Specifies whether or not Kerberos authentication is allowed.
This is one of the authentication mechanisms that the client uses when connecting to aproxy server. Authenticating proxy servers can be used to monitor data traffic in largenetwork deployments.
Kerberos is a domain controller authorized authentication transaction that avoids the needto transmit the real user credential data to the server.
Section WFClient
Feature Proxy
Attribute Name INI_PROXYAUTHKERBEROS
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False Does not allow Kerberos authentication - Default
True Allows Kerberos authentication
INI LocationINI information not found.
Registry LocationRegistry information not found.
729
ProxyAuthenticationNTLM(2)
NT Lan Manager (NTLM) proxy authentication option.
NTLM proxy authentication will be performed under the control of the domain controllerand cannot be controlled by the client. Both client and proxy will need to be configuredwith the appropriate domain level trust relations.
ADM UI Element: Citrix Components > Citrix Receiver > Network Routing > Proxy > Configureproxy authentication
Section WFClient,Server
Feature Proxy
Attribute Name INI_PROXYAUTHNTLM
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
True NTLM proxy authentication option is enabled - Default
False NTLM proxy authentication option is not enabled
INI LocationINI File Section Value
All_Regions.ini Network\Proxy *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
ProxyAuthenticationNTLM(2)
730
731
ProxyAuthenticationPrompt(2)
Specifies whether or not the Prompt proxy authentication mechanism is used.
Configure proxy authentication: Use this policy to control the authentication mechanismsthat the client uses when connecting to a proxy server. Authenticating proxy servers can beused to monitor data traffic in large network deployments.
In general, authentication is handled by the operating system but in some scenarios, theuser may be provided with a specific user name and password. To prevent the user frombeing specifically prompted for these credentials, clear the Prompt user for credentialscheck box. This will force the client to attempt an anonymous connection. Alternatively,you can configure the client to connect using credentials passed to it by the Web Interfaceserver, or these can be explicitly specified via Group Policy using the Explicit user nameand Explicit password options.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Proxy > Configureproxy authentication > Prompt user for credentials
Section WFClient,Server
Feature Proxy
Attribute Name INI_PROXYAUTHPROMPT
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
True Prompt proxy authentication mechanism is used - Default
False Prompt proxy authentication mechanism is not used
INI LocationINI File Section Value
All_Regions.ini Network\Proxy *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
ProxyAuthenticationPrompt(2)
732
733
ProxyAutoConfigURL(2)
Specifies the location of a proxy auto-detection (.pac) script. It must be set if the value ofProxyType is Script. Otherwise, it is ignored.
When ProxyType=Script is selected, the client will retrieve a JavaScript based .pac filefrom the URL specified in the Proxy script URLs policy option. The .pac file is executed toidentify which proxy server should be used for the connection.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Proxy > Configureclient proxy settings > Proxy script URLs
Section WFClient,Server
Feature Proxy
Attribute Name INI_PROXYAUTOCONFIGURL
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" If present then any string giving location of a .pac script - Default
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
ProxyAutoConfigURL(2)
734
735
ProxyBypassList
Specifies a list of hosts for which to bypass proxy connections. An asterisk (*) included in ahost name acts as a wildcard (for example, *.widgets.com). Multiple hosts must beseparated by a semicolon (;) or comma (,). This parameter is ignored if the value ofProxyType is None or Auto.
Configure client proxy settings: Use this policy to configure the primary network proxiesthat the client can use when connecting to a remote application or desktop.
When this policy is not configured, the client will use its own settings to decide whether toconnect through a proxy server. When this policy is enabled, the client will use the proxyconfigured based on the proxy type selected. For any proxy type, you can provide a list ofservers that do not traverse the proxy. These should be placed in the Bypass server list.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Proxy > Configureclient proxy settings > Bypass server list
Section Server
Feature Proxy
Attribute Name INI_PROXYBYPASSLIST
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" Lists of hosts, separated by ";" or ","
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Registry Location
Registry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
ProxyBypassList
736
737
ProxyFallback(2)
Allows clients to bypass the proxy to connect to servers.
If a Proxy Auto Configuration (PAC) file is used and the client is unable to download the PACfile, for example, due to the client’s location, the client cannot connect to servers. Supportfor a proxy fallback has been added that allows clients to bypass the proxy to connect toservers.
To enable the fallback:
1. Open the Appsrv.ini file in a text editor.
2. Locate the DoNotUseDefaultCSL entry.
3. Perform one of the following actions:
● If set to True, add the following parameter to the [applicationservername] and, ifapplicable, the [applicationsetname] sections:
ProxyFallback=yes
● If set to False, add the following parameter to the [WFClient] section:
ProxyFallback=yes4. Save your changes and close the file.
If both the primary and alternative proxy fail to service the connection, selecting theFailover to direct check box instructs the client to attempt a final direct connection withno proxies.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Proxy > Configureclient failover proxy settings > Failover to direct
Section WFClient,Server
Feature Proxy
Attribute Name INI_PROXYFALLBACK
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
Values
Value Description
0 Not set - Default
INI LocationINI File Section Value
All_Regions.ini Network\Proxy *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
ProxyFallback(2)
738
739
ProxyFavorIEConnectionSetting(2)
Specifies from where the client checks the proxy settings.
Use this setting when the client is used to connect to the Internet and has a proxy serversetting set up for a LAN connection.
By default, the client checks the proxy settings for LAN connections. Setting this value toOn causes the client to check the Internet Explorer connection settings for the proxy serverinformation.
For the Windows CE platform, it will not be read from ini file and its value will be set toTrue. Otherwise, it will be read form the WFClient section. It is used when ProxyType isset to Auto.
Section Server,WFClient
Feature Proxy
Attribute Name INI_PROXYFAVORIECONNECTIONSETTING
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False Client checks the Internet Explorer connection settings for the proxy serverinformation - Default
True Causes the client to check the Internet Explorer connection settings for
INI LocationINI File Section Value
All_Regions.ini Network\Proxy *
Registry Location
Registry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
ProxyFavorIEConnectionSetting(2)
740
741
ProxyHost(3)
Specifies the address of the proxy server. It is required if ProxyType contains any of thefollowing values:
● SOCKS
● SOCKS V4
● SOCKS V5
● Secure
ProxyHost is otherwise ignored.
To indicate a port number other than 1080 (default for SOCKS) or 8080 (default for Secure),append the appropriate port number to the value after a colon (:).
ADM UI Element: Citrix XenApp > Network Routing > Proxy > Configure client proxy settings
Section WFClient,dynamic,Server
Feature Proxy
Attribute Name INI_PROXYHOST
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" Proxy Server Address - Default
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
ProxyHost(3)
742
743
ProxyPassword(2)
Holds the clear text password to be used to automatically authenticate the client to theproxy.
Use this policy to control the authentication mechanisms that the client uses whenconnecting to a proxy server. Authenticating proxy servers can be used to monitor datatraffic in large network deployments.
In general, authentication is handled by the operating system but in some scenarios, theuser may be provided with a specific user name and password. To prevent the user frombeing specifically prompted for these credentials, clear the Prompt user for credentialscheck box. This will force the client to attempt an anonymous connection. Alternatively,you can configure the client to connect using credentials passed to it by the Web Interfaceserver, or these can be explicitly specified via Group Policy using the Explicit user nameand Explicit password options.
Section WFClient,Server
Feature Proxy
Attribute Name INI_PROXYPASSWORD
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" Password - Default
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Registry Location
Registry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
TroubleshootingIn general NTLM proxy authentication will be performed under the control of the domaincontroller and cannot be controlled by the client. Both client and proxy will need to beconfigured with the appropriate domain level trust relations.
Proxy authentication cannot be linked to the pass-through authentication feature of theclient. In general, the proxy password will be unrelated to users' passwords.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Proxy > Configureproxy authentication > Explicit password
ProxyPassword(2)
744
745
ProxyPort
Identifies the port number for proxy support. The proxy port number must be a positiveinteger less than 65536. The port number depends on the proxy type.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Proxy > Configureclient proxy settings > Proxy ports
Section WFClient
Feature Proxy
Attribute Name INI_PROXYPORTNUMBER
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
0 Default
65536 Maximum Port Value
INI LocationINI File Section Value
All_Regions.ini Network\Proxy *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
746
ProxyTimeout
Specifies the time, in milliseconds (ms), to wait for browsing requests through a proxyserver to be satisfied.
Uses the value of BrowserTimeout, if specified. Otherwise, it uses the Web browser defaulttimeout (2,000 ms).
Note: This value is ignored if it is less than the Web browser default timeout.
Section Server
Feature Proxy
Attribute Name INI_PROXYTIMEOUT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
3000 Proxy timeout (ms) - Default
INI LocationINI File Section Value
All_Regions.ini Network\Proxy *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
747
ProxyType
Identifies the proxy type requested for the connection.
When AltProxyType = Secure, the client will contact the proxy identified by theAltProxyHost and AltProxyPort settings. The negotiation protocol will use a HTTPCONNECT header request specifying the desired destination.
Proxy type: None
When None is selected, the client will attempt to connect to the server directly withouttraversing a proxy server.
Proxy type: Auto
When Auto is selected, the client will use the local machine settings to determine whichproxy server to use for a connection. This is usually the settings used by the Web browserinstalled on the machine.
Proxy type: Script
When Script is selected, the client will retrieve a JavaScript based .pac file from the URLspecified in the Proxy script URLs policy option. The .pac file is executed to identifywhich proxy server should be used for the connection.
Proxy type: Secure
When Secure is selected, the client will contact the proxy identified by the Proxy hostnames and Proxy ports settings. The negotiation protocol will use a HTTP CONNECTheader request specifying the desired destination address. This proxy protocol iscommonly used for HTTP based traffic, and supports GSSAPI proxy authentication.
Proxy Type: SOCKS/SOCKS V4/SOCKS V5
When a SOCKS proxy is selected, the client will perform a SOCKS V4 or SOCKS V5handshake to the proxy identified by the Proxy hostnames and Proxy ports settings. TheSOCKS option will detect and use the correct version of SOCKS.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Proxy > Configureclient proxy settings > Proxy types
Section WFClient
Feature Proxy
Attribute Name INI_PROXYTYPE
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM Yes
ValuesValue Description
None Use Direct connection - Default
Tunnel(Secure)
Use secure (HTTPS) proxy
Wpad
Auto Auto detect from Web browser
SOCKS
SOCKS V4
SOCKS V5
Script Interpret proxy auto-configuration script
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Trusted_Region.ini Network\Proxy Auto
Untrusted_Region.ini Network\Proxy Auto
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\Trusted Region\Lockdown\Network\Proxy
Auto
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\Untrusted Region\Lockdown\Network\Proxy
Auto
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
ProxyType
748
749
ProxyUseDefault
For UNIX and Macintosh, this parameter determines from which section the default proxy ischosen.
If set to True, the section is [WFClient]; otherwise, [serversection].
Section Server
Feature Proxy
Attribute Name INI_PROXYUSEDEFAULT
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
True Default proxy is chosen from WFClient - Default
False Default proxy is chosen from serversection
INI LocationINI File Section Value
All_Regions.ini Network\Proxy *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
750
ProxyUseFQDN(2)
This setting is used in an environment that is set up to connect to applications through aproxy and Secure Gateway. If the proxy is configured to allow only FQDNs, when the clienttries to connect to the applications, the proxy may reject the request.
This happens because the client resolves the Secure Gateway server name to the IP addressbefore trying to connect to the server.
Setting this value to On ensures that the client does not try to resolve the Secure Gatewayserver name to an address but will instead send the name to the proxy. The client should beable to resolve the address and then connect to the Secure Gateway server through theproxy.
Section Server,WFClient
Feature Proxy
Attribute Name INI_PROXYUSEFQDN
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
False Client resolves the Secure Gateway server name to an address - Default
True Client send the servername to the proxy which resove the address
INI LocationINI File Section Value
All_Regions.ini Network\Proxy *
Registry Location
Registry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
*
ProxyUseFQDN(2)
751
752
ProxyUsername
Holds the user name to be used to automatically authenticate the client to the proxy.
Use this policy to control the authentication mechanisms that the client uses whenconnecting to a proxy server. Authenticating proxy servers can be used to monitor datatraffic in large network deployments.
In general, authentication is handled by the operating system but in some scenarios, theuser may be provided with a specific user name and password. To prevent the user frombeing specifically prompted for these credentials, clear the Prompt user for credentialscheck box. This will force the client to attempt an anonymous connection. Alternatively,you can configure the client to connect using credentials passed to it by the Web Interfaceserver, or these can be explicitly specified via Group Policy using the Explicit user nameand Explicit password options.
Proxy authentication cannot be linked to the pass-through authentication feature of theclient. In general, the proxy password will be unrelated to users' passwords.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Proxy > Configureproxy authentication >Explicit user name
Section Server
Feature Proxy
Attribute Name INI_PROXYUSERNAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" User Name (prompt given) - Default
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
ProxyUsername
753
754
ReadersStatusPollPeriod
Specifies the delay, in milliseconds, for reading information from a smart card after thecard is inserted or removed, or a reader is disconnected, etc.
When inserting a smart card into the reader there is a two- to five-second delay before theinformation from the card is read. This delay occurs by design, but it is configurable. Theclient polls the card for events and the default value for this is five seconds.
Section WFClient
Feature SmartCard
Attribute Name INI_READERS_STATUS_POLL_PERIOD
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
500 For WinCE only - Default
5000 For any other platforms
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Smartcard
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Smartcard
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Smartcard
ReadersStatusPollPeriod
755
756
RECD(2)
Reconnection Enumeration Client Duration (RECD) is the time it takes a client to get a listof reconnections.
This is one of the Session Client startup data while End User Experience Monitoring (EUEM)metrics are stored.
Section Server,dynamic
Feature EUEM
Attribute Name INI_EUEM_RECD
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
-1 Initial reset value - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\End User Experience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
757
RegionIdentification
Specifies whether regions.ini should be read from the administrator location or userlocation. This is ignored if there is no administrator configuration. Regions.ini is used toperform region identification of client connections to servers.
Section Delegation
Feature ClientLockdown
Attribute Name INI_DELEGATION_REGIONIDENTIFICATION
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
administratorDefault
user
INI LocationINI File Section Value
All_Regions.ini Delegation administrator
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Delegation
administrator
TroubleshootingNot applicable.
RegionIdentification
758
759
RejectURLType
Specifies URLs that are explicitly rejected for content redirection.
The reason there is both an accepturltype and a rejecturltype setting is that the code thattests them matches just to the length of the definition. So if you accept HTTP, it alsomeans that HTTPS will also be accepted. In case you wanted only HTTP, there is the optionto explicitly reject HTTPS.
Section dynamic
Feature ContentRedirection
Attribute Name INI_CR_REJECT_URL_TYPE
Data Type String
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
"" Reject URL
INI LocationINI information not found.
Registry LocationRegistry information not found.
760
RemoveICAFile
Specifies whether or not the ICA file should be deleted after the session is finished.
Section WFClient
Feature Core
Attribute Name INI_REMOVEICAFILE
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
Off Does not remove ICA file - Default
On Removes ICA file
True Removes ICA file
False Does not remove ICA file
yes Removes ICA file
no Does not remove ICA file
1 Removes ICA file
0 Does not remove ICA file
INI LocationINI File Section Value
All_Regions.ini Client Engine\ICA File *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\ICA File
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\ICA File
*
RemoveICAFile
761
762
ResMngrRunningPollPeriod
Specifies the time, in milliseconds, of polling for a restart of the Smart Card ResourceManager. Used only when there is an outstanding query for that Smart Card ResourceManager availability.
Used to create a timer for polling for a restart of the Smart Card Resource Manager.
Section WFClient
Feature SmartCard
Attribute Name INI_RES_MNGR_RUNNING_POLL_PERIOD
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
10000 Time in milliseconds - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Smartcard
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Smartcard
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Smartcard
763
REWD(2)
Specifies the time it takes Web Interface to get the list of reconnections from the XMLService. REWD stands for Reconnection Enumeration Web server Duration.
Section dynamic,Server
Feature EUEM
Attribute Name INI_EUEM_REWD
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
-1 Initial reset value
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\End User Experience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
764
RtpAudioHighestPort
Specifies the highest UDP port that the client can attempt to use for transmission ofReal-time Transport Protocol (RTP) audio.
ADM UI Element: Citrix Components > Citrix Receiver > User experience > Client audiosettings
Section Server
Feature Audio
Attribute Name INI_RTPAUDIOHIGHESTPORT
Definition Location inc\icaini.h
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
16509 Default Value
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Audio *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\Software\Policies\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\Audio
RtpAudioHighestPort
HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio
RtpAudioHighestPort
765
RtpAudioLowestPort
Specifies the lowest UDP port that the client can attempt to use for transmission ofReal-time Transport Protocol (RTP) audio.
ADM UI Element: Citrix Components > Citrix Receiver > User experience > Client audiosettings
Section Dynamic, Server
Feature Audio
Attribute Name INI_RTPAUDIOLOWESTPORT
Definition Location inc\icaini.h
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
16500 Default Value
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Audio *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\Software\Policies\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\VirtualChannels\Audio
RtpAudioLowestPort
HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio
RtpAudioLowestPort
766
ScalingHeight
Specifies the height of scaled window. This is one of the scaling properties (ScalingMode,ScalingPercent, ScalingHeight, and ScalingWidth) which is used to determine the initial"scaled"state of the session.
Only used when ScalingMode=2. ScalingMode=2 setting instructs ICO (ICA Client Object) touse the ScalingHeight and ScalingWidth properties. It ignores the ScalingPercent property.The width and height of the scaling area are checked against the size of the controlwindow. The size cannot be bigger than the control window area. If the width and height isnot less than the session size it means that scaling should not be enabled.
This property is the initial settings. Changes made to property during a connected sessionwill not have any effect. When the session is established, use scaling methods to change thescaling attributes of the session.
Section Server
Feature Core
Attribute Name INI_SCALING_HEIGHT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 No scaling - Default
INI LocationN/A
Registry LocationN/A
767
ScalingMode
Specifies the scaling mode that will be used for the initial connection. ScalingMode can beset to one of four possible initial states.
● 0 (Disabled): This is the default setting and means that scaling is not enabled atinitialization.
● 1 (Percent): This setting instructs ICO to use the ScalingPercent property to determinethe size of the scaling area. It ignores ScalingWidth and ScalingHeight. One hundredpercent means that the area of the scaling is the same as the area of the controlwindow. Fifty percent means that the scaling area is fifty percent of the controlwindow.
● 2 (Size): This setting instructs ICO to use the ScalingHeight and ScalingWidth properties.It ignores the ScalingPercent property. The width and height of the scaling area arechecked against the size of the control window. The size cannot be bigger than thecontrol window area.
● 3 (To fit Window): This setting instructs ICO to fit the session into the existing controlwindow. This is the easiest to do for a script because it forces the session to show itscomplete yet scaled area inside the control window.
This mode ignores the three other properties ScalingPercent, ScalingWidth, andScalingHeight.
This property is the initial settings. Changes made to property during a connected sessionwill not have any effect. When the session is established, use scaling methods to change thescaling attributes of the session.
Section Server
Feature Core
Attribute Name INI_SCALING_MODE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Disabled - Default
1 Percent
2 Size
3 To fit window (autosize)
INI LocationN/A
Registry LocationN/A
ScalingMode
768
769
ScalingPercent
Specifies scaling percentage to calculate the width and height of the ICA client`s window.
This setting instructs ICO to use the ScalingPercent property to determine the size of thescaling area. It ignores ScalingWidth and ScalingHeight. One hundred percent means thatthe area of the scaling is the same as the area of the control window. Fifty percent meansthat the scaling area is fifty percent of the control window.
This percentage should be between the minimum scaling percentage (10) and maximumscaling percentage (100).
Section Server
Feature Core
Attribute Name INI_SCALING_PERCENT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
100 Maximum scaling (percent) - Default
10-99 Scaling (percent)
INI LocationN/A
Registry LocationN/A
770
ScalingWidth
Specifies the scaling factor to adjust Client window width. The purpose is to adjust thedimensions to fit the client LVB model. This is used only when ScalingMode=2.
It ignores the ScalingPercent property. The width and height of the scaling area arechecked against the size of the control window. The size cannot be bigger than the controlwindow area. So if the width and height is not less than the session size, scaling should notbe enabled.
Section Server
Feature Core
Attribute Name INI_SCALING_WIDTH
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
) No scaling is done - Default
>= 0 Disable audio input
INI LocationN/A
Registry LocationN/A
771
Schedule
If the value for the application pre-launch setting State is 2 (pre-launch scheduled), use thissetting to schedule the application session to prelaunch on specific days and times.
Section PrelaunchApplication
Feature Pre-Launch
Attribute Name PRELAUNCH_TIME
Definition Location prelaunch.h
Data Type String
Access Type Read/Write
UNIX Specific No
Present in ADM No
ValuesThe value specifies the time (in 24-hour format) and the days of the week for theapplication session to prelaunch.
HH:MM|M:T:W:Th:F:S:Su HH:MM - Hours and Minutes in 24 hour format M:T:W:Th:F:S:Su - Days of the week. A value of 1 to enable and 0 to disable. Example: 08:30|1:1:1:1:0:0:0 - Enables Pre-Launch Monday through Thursday at 8:30 AM
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\Software\Citrix\ICAClient\Prelaunch
HKEY_CURRENT_USER\Software\Citrix\ICAClient\Prelaunch
772
ScreenPercent
Specifies the size of the ICA session as a percentage of total screen size.
If DesiredWinType is set to 5, this parameter is used to specify the size of the ICA session asa percentage of total screen size.
Client Display Setting: Use this policy to control how the client presents remoteapplications and desktops to the end user. Remote applications can be seamlesslyintegrated with local applications, or the entire local environment can be replaced with aremote desktop.
Window Percent can be used as an alternative to manually choosing the width and height. Itselects a window size as a fixed percentage of the entire screen. The server may choose toignore this value. This setting is ignored when seamless windows is in use.
ADM UI Element: Citrix Components > Citrix Receiver > User experience > Client displaysettings > Window percent
Section Server
Feature Core
Attribute Name INI_SCREENPERCENT
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM Yes
ValuesValue Description
75 Default screen size when the setting is enabled.
0 Disables the setting.
1-100
INI LocationINI File Section Value
Module.ini Thinwire3.0
All_Regions.ini Virtual Channels\Thinwire Graphics *
canonicalization.ini Thinwire3.0 ScreenPercent
appsrv.ini WFClient
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\Thinwire3.0
ScreenPercent
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Thinwire3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
ScreenPercent
773
774
SecureChannelProtocol(2)
Specifies which secure channel protocol to use.
Use this policy to configure the TLS/SSL options that help to ensure that the client connectsto genuine remote applications and desktops. TLS and SSL encrypt the transferred data toprevent third-parties viewing or modifying the data traffic. Citrix recommends that anyconnections over untrusted networks use TLS/SSL or another encryption solution with atleast the same level of protection.
When this policy is enabled, the client will apply these settings to all TLS/SSL connectionsperformed by the client. The Require SSL for all connections check box can be used toforce the client to use the TLS or SSL protocol for all connections that it performs.
TLS and SSL identify remote servers by the common name on the security certificate sentby the server during connection negotiation. Usually the common name is the DNS name ofthe server, for example www.citrix.com. It is possible to restrict the common names towhich the client will connect by specifying a comma-separated list in the "Allowed SSLservers" setting. Note that a wildcard address, for example *.citrix.com:443 will match allcommon names that end with .citrix.com. The information contained in a certificate isguaranteed to be correct by the certificate`s issuer.
Some security policies have requirements related to the exact choice of cryptography usedfor a connection. By default the client will automatically select either TLS v1.0 or SSL v3.0(with preference for TLS v1.0) depending on what the server supports. This can berestricted to only TLS v1.0 or SSL v3.0 using the "SSL/TLS version" setting.
Similarly, certain security policies have requirements relating to the cryptographicciphersuites used for a connection. By default the client will automatically negotiate asuitable ciphersuite from the five listed below. If necessary, it is possible to restrict to justthe ciphersuites in one of the two lists.
● Government Ciphersuites:
● TLS_RSA_WITH_AES_256_CBC_SHA
● TLS_RSA_WITH_3DES_EDE_CBC_SHA● Commercial Ciphersuites:
● TLS_RSA_WITH_AES_128_CBC_SHA
● TLS_RSA_WITH_RC4_128_SHA
● TLS_RSA_WITH_RC4_128_MD5Certificate Revocation List (CRL) checking is an advanced feature supported by somecertificate issuers. It allows security certificates to be revoked (invalidated before theirexpiry date) in the case of cryptographic compromise of the certificate private key, orsimply an unexpected change in DNS name.
Valid CRLs must be downloaded periodically from the certificate issuer and stored locally.This can be controlled through the selection made in "CRL verification."
● Disabled: When selected, no CRL checking will be performed.
● Only check locally stored CRLs: When selected, any CRLs that have been previouslyinstalled or downloaded will be used in certificate validation. If a certificate is found tobe revoked, the connection will fail.
● Retrieve CRLs from network: When selected, the client will attempt to retrieve CRLsfrom the relevant certificate issuers. If a certificate is found to be revoked, theconnection will fail.
● Require CRLs for connection: When selected, the client will attempt to retrieve CRLsfrom the relevant certificate issuers. If a certificate is found to be revoked, theconnection will fail. If the client is unable to retrieve a valid CRL, the connection willfail.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing
Section WFClient,Server
Feature SSL
Attribute Name INI_SSLPROTOCOLS
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
Detect Protocol value - Default
TLS Protocol value
SSL Protocol value
INI LocationINI File Section Value
All_Regions.ini Network\SSL
SecureChannelProtocol(2)
775
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
TroubleshootingError Message: "SSL Error 61: You have not chosen to trust "<xxx>" the issuer of the server`ssecurity certificate". The common name and other information on a security certificate isguaranteed to be accurate by the certificate`s issuer. For a connection to be successful,the client must trust the certificate`s issuer to make that guarantee.
Error Message: "SSL Error 59: The server sent a security certificate identifying `xxx`. TheSSL connection was to `yyy`". The common name did not match the server the client wasexpecting to connect to.
SecureChannelProtocol(2)
776
777
SecurityTicket
Specifies whether (On) or not (Off) CGP security ticket is turned on. WhenCGPSecurityTicket is turned on, use CGP through SG.
Section Server
Feature CPG
Attribute Name INI_CGPSECURITYTICKET
Data Type inc\cgpini.h
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Off CGP security ticket is turned off - Default
On CGP security ticket is on
INI LocationINI File Section Value
All_Regions.ini Network\CGP *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\AllRegions\Lockdown\Network\CGPHKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\Network\CGP
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\CGP
*
778
SessionReliabilityTTL
Specifies the session reliability timeout in number of seconds. This attribute allows you toconfigure Session Reliability Time To Live (TTL).
Section WFClient
Feature SessionReliability
Attribute Name INI_SESSIONRELIABILITY_TTL
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
180 Seconds - Default
INI LocationINI File Section Value
All_Regions.ini Network\CGP *
Module.ini WFClient
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
3
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\CGP
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\CGP
*
779
SessionSharingKey
Specifies the session sharing key.
Session sharing key takes priority over all other checks. If it matches you share, if it doesnot you do not. It is up to the server to set the session sharing key correctly. Session sharingkey is created from (Neighborhood Name, Color Depth, Username/Domain, EncryptionLevel, Audio BandWidth). If the key is not present, go through the old checks.
Section Server
Feature SessionSharing
Attribute Name INI_SESSIONKEY_NAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
oLdWaY Default
Off Launch failed because session key is set to Off
INI LocationINI File Section Value
All_Regions.ini Client Engine\Session Sharing
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
780
SessionSharingLaunchOnly
Specifies the name of the session to be shared.
Section Server
Feature SessionSharing
Attribute Name INI_SESSION_SHARING_NAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" If present then any string representing the name of the session
INI LocationINI File Section Value
All_Regions.ini Client Engine\Session Sharing
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
781
SFRAllowed
Specifies whether Special folder direction is allowed or not. If it is enabled, client sends theDesktop and Documents folder paths to the server side SFR as part of CDM VC data. SFRredirects the logged on user’s document and desktop folders to client’s document anddesktop folders respectively.
Section ClientDrive
Feature SFR
Attribute Name INI_SFRALLOWED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
Off Disables SFR - Default
On Enables SFR
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\ Drives *
Canonicalization.ini ClientDrive SFRAllowed
Module.ini ClientDrive FALSE
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientDrive
FALSE
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Drives
*
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\ClientDrive
SFRALLOWED
782
SkipRedrawPerPaletteChange
Specifies whether (On) or not (Off) to skip redrawing the screen after a palette change. Ifthis parameter is enabled, HowManySkipRedrawPerPaletteChange specifies how manypalette changes are skipped before each redraw. Use this only as directed by CitrixTechnical Support.
Section WFClient
Feature Graphics
Attribute Name INI_SKIPREDRAWPERPALETTECHANGE
Data Type Boolean
Access Type Reed
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Does not skip redrawing the screen after a palette change - Default
1 Skips redrawing the screen after a palette change
INI LocationN/A
Registry LocationN/A
783
SmartCardAllowed
Specifies whether or not Smartcard virtual channel has been enabled.
When enabled, this policy allows the remote server to access smart cards attached to theclient device for authentication and other purposes.
When disabled, the server cannot access smart cards attached to the client device.
ADM UI Element: Citrix Components > Citrix Receiver > User authentication > Smart cardauthentication > Allow smart card authentication
Section Smartcard,Server
Feature SmartCard
Attribute Name INI_SMARTCARDSWITCH
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Disable the requirement for a smart card. - Default
NO Enable the requirement for a smart card.
INI LocationN/A
Registry LocationN/A
784
SpeedScreenMMA
Specifies whether(On) or not(Off) to enable the HDX MediaStream Multimedia Acceleration.
It is used to decide the default value of Tw2CachePower. If SpeedScreenMMA = On thenTw2CachePower = 19 else Tw2CachePower = 22.
Remote Video: The remote video option allows the server to directly stream certain videodata to the client. This provides better performance than decompressing and recompressingvideo data on the computer running Citrix XenApp.
ADM UI Element : Citrix Components > Citrix Receiver > User experience > Client graphicssettings
Section Server
Feature RAVE
Attribute Name INI_MM
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
oLdWaY Default
Off Launch failed because session key is set to Off
INI LocationINI File Section Value
All_Regions.ini Client Engine\Session Sharing
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Session Sharing
SpeedScreenMMA
785
786
SpeedScreenMMAAudioEnabled
Specifies whether (True) or not (False) audio playback will occur through HDX MediaStreamMultimedia Acceleration.
Section Server
Feature RAVE
Attribute Name INI_MM_AUDIO_ENABLED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
TRUE Audio playback will occur through HDX MediaStream MultimediaAcceleration - Default
FALSE Audio playback will not occur through HDX MediaStream MultimediaAcceleration
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Multimedia *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
787
SpeedScreenMMAMaxBufferThreshold
Specifies (as a percentage) the amount of data in the media queue before the clientrequests that the server stops sending data until the data in the queue levels off.
Section Server
Feature RAVE
Attribute Name INI_MM_MAX_THRESHOLD
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
90 Percent - Default
85-90 Percent
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Multimedia *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
788
SpeedScreenMMAMaximumBufferSize
Specifies the maximum size in kilobytes of the media queue that the client can create. Thisis per stream, so the client could create a 30240KB queue for audio and a 30240 queue forvideo.
Section Server
Feature RAVE
Attribute Name INI_MM_MAX_BUFFER_SIZE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
30240 Size in KB - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Multimedia *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
789
SpeedScreenMMAMinBufferThreshold
Specifies what percent value the data in the media queue will be when the client requestsa burst from the server to replenish its media queue.
Section Server
Feature RAVE
Attribute Name INI_MM_MIN_THRESHOLD
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
10 Default
5-15
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Multimedia *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
790
SpeedScreenMMASecondsToBuffer
Specifies the number of seconds of MMA data to buffer. The value is set on both the serverand client and the connection is set up with the smaller of these values.
Section Server
Feature RAVE
Attribute Name INI_MM_SECONDS_TO_BUFFER
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1 Default
10 (wince default)
1-10
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Multimedia *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
791
SpeedScreenMMAVideoEnabled
Specifies whether (True) or not (False) video playback will occur through HDX MediaStreamMultimedia Acceleration.
Section Server
Feature RAVE
Attribute Name INI_MM_VIDEO_ENABLED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
TRUE Video playback will occur through HDX MediaStream MultimediaAcceleration - Default
FALSE Video playback will not occur through HDX MediaStream MultimediaAcceleration
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Multimedia *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Multimedia
*
792
SSLCACert
Specifies a Certificate Authority Certificates count and a string.
The attribute CACerts (Certificate Authority Certificates) is stored and read with thecurrent CACerts count and string containing the certificate name. Specific to SSL (SecureSockets Layer).
Only present if there are any Certificate Authority Certificates to store.
Section Server
Feature SSL
Attribute Name INI_SSLCACERT
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM No
INI LocationINI information not found.
Registry LocationRegistry information not found.
793
SSLCertificateRevocationCheckPolicy(2)
Governs how a given trusted root certificate authority is treated during an attempt to opena remote session through SSL when using the client for 32-bit Windows.
When certificate revocation list checking is enabled, the client checks whether or not theserver’s certificate is revoked. This feature improves the cryptographic authentication ofthe Citrix server and improves the overall security of the SSL/TLS connections between aclient and a server. There are several levels of certificate revocation list checking. Forexample, the client can be configured to check only its local certificate list, or to check thelocal and network certificate lists. In addition, certificate checking can be configured toallow users to log on only if all Certificate Revocation lists are verified.
The client checks SSL certificate revocation only when the underlying operating system isWindows 2000 or later. When this setting is not configured in the Appsrv.ini and .ica files,NoCheck is used as the default value for Windows NT4/9x and CheckWithNoNetworkAccessis used as the default value for Windows 2000/XP. When theCertificateRevocationCheckPolicy setting is configured in the Appsrv.ini file of a user’sprofile and the .ica file, the value in the Appsrv.ini file takes precedence when attemptingto launch a remote session using the .ica file.
This behavior is the reverse of that displayed with most other parameters shared betweenthe two file types.
Possible values for the parameter SSLCertificateRevocationCheckPolicy in theAppsrv.ini/.ica file are as follows:
● NoCheck. No Certificate Revocation List check is performed.
● CheckWithNoNetworkAccess. Certificate revocation list check is performed. Only localcertificate revocation list stores are used. All distribution points are ignored. Finding aCertificate Revocation List is not critical for verification of the server certificatepresented by the target SSL Relay/Secure Gateway server.
● FullAccessCheck. Certificate Revocation List check is performed. Local CertificateRevocation List stores and all distribution points are used. Finding a CertificateRevocation List is not critical for verification of the server certificate presented by thetarget SSL Relay/Secure Gateway server.
● FullAccessCheckAndCRLRequired. Certificate Revocation List check is performed. LocalCertificate Revocation List stores and all distribution points are used. Finding allrequired Certificate Revocation Lists is critical for verification.
Certificate Revocation List (CRL) checking is an advanced feature supported by somecertificate issuers. It allows security certificates to be revoked (invalidated before theirexpiry date) in the case of cryptographic compromise of the certificate private key, orsimply an unexpected change in DNS name.
Valid CRLs must be downloaded periodically from the certificate issuer and stored locally.This can be controlled through the selection made in "CRL verification":
● Disabled: When selected, no CRL checking will be performed.
● Only check locally stored CRLs: When selected, any CRLs that have been previouslyinstalled or downloaded will be used in certificate validation. If a certificate is found tobe revoked, the connection will fail.
● Retrieve CRLs from network: When selected, the client will attempt to retrieve CRLsfrom the relevant certificate issuers. If a certificate is found to be revoked, theconnection will fail.
● Require CRLs for connection: When selected, the client will attempt to retrieve CRLsfrom the relevant certificate issuers. If a certificate is found to be revoked, theconnection will fail. If the client is unable to retrieve a valid CRL, the connection willfail.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing
Section WFClient,Server
Feature SSL
Attribute Name INI_SSLCERTREVCHECKPOLICY
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" Policy value - Default
NoCheck No Certificate Revocation List check is performed
CheckWithNoNetworkAccessOnly local certificate revocation list stores are used. All distribution pointsare ignored
FullAccessCheckLocal Certificate Revocation List stores and all distribution points are used
FullAccessCheckAndCRLRequiredLocal Certificate Revocation List stores and all distribution points are used
INI LocationINI File Section Value
All_Regions.ini Network\SSL
SSLCertificateRevocationCheckPolicy(2)
794
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
TroubleshootingError Message: "SSL Error 61: You have not chosen to trust "<xxx>" the issuer of the server`ssecurity certificate". The common name and other information on a security certificate isguaranteed to be accurate by the certificate`s issuer. For a connection to be successful,the client must trust the certificate`s issuer to make that guarantee.
Error Message: "SSL Error 59: The server sent a security certificate identifying `xxx`. TheSSL connection was to `yyy`". The common name did not match the server the client wasexpecting to connect to.
SSLCertificateRevocationCheckPolicy(2)
795
796
SSLCiphers
On platforms that support multiple SSL cipher suites (currently 32-bit editions of Windowsonly), this parameter determines which cipher suite(s) the client is permitted to use toestablish an SSL connection. Non-32-bit Windows platforms are locked (hard-coded) to COM.
ADM UI: Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryptionand server identification > SSL ciphersuite
Section WFClient
Feature SSL
Attribute Name INI_SSLCIPHERS
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
ALL Either - Default
RC4 COM
GOV 3DES
INI LocationINI File Section Value
All_Regions.ini Network\SSL
appsrv.ini WFClient ALL
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
SSLCiphers
797
798
SSLCommonName
Specifies the server name as it appears on the SSL certificate.
If the value of SSLProxyHost is not identical to that of the server name as it appears on theSSL certificate, this parameter is required, and its value must specify the server name as itappears on the SSL certificate.
Section name would be WFClient for all custom ICA connections unless otherwiseoverridden.
Section name would be applicationservername for each custom ICA connection whereDoNotUseDefaultCSL=On.
Section Server
Feature SSL
Attribute Name INI_SSLCOMMONNAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Server name - Default
INI LocationINI File Section Value
All_Regions.ini Network\SSL
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
SSLCommonName
799
800
SSLEnable
Specifies whether or not SSL is enabled.
The value of this parameter must be On to enable SSL. This setting is ignored by networkprotocols other than TCP/IP.
Use this policy to configure the TLS/SSL options that help to ensure that the client connectsto genuine remote applications and desktops. TLS and SSL encrypt the transferred data toprevent third-parties viewing or modifying the data traffic. Citrix recommends that anyconnections over untrusted networks use TLS/SSL or another encryption solution with atleast the same level of protection.
When this policy is enabled, the client will apply these settings to all TLS/SSL connectionsperformed by the client. The Require SSL for all connections check box can be used toforce the client to use the TLS or SSL protocol for all connections that it performs.
TLS and SSL identify remote servers by the common name on the security certificate sentby the server during connection negotiation. Usually the common name is the DNS name ofthe server, for example www.citrix.com. It is possible to restrict the common names towhich the client will connect by specifying a comma-separated list in the "Allowed SSLservers" setting. Note that a wildcard address, for example, *.citrix.com:443, will match allcommon names that end with .citrix.com. The information contained in a certificate isguaranteed to be correct by the certificate`s issuer.
Some security policies have requirements related to the exact choice of cryptography usedfor a connection. By default the client will automatically select either TLS v1.0 or SSL v3.0(with preference for TLS v1.0) depending on what the server supports. This can berestricted to only TLS v1.0 or SSL v3.0 using the "SSL/TLS version" setting.
Similarly, certain security policies have requirements relating to the cryptographicciphersuites used for a connection. By default the client will automatically negotiate asuitable ciphersuite from the five listed below. If necessary, it is possible to restrict to justthe ciphersuites in one of the two lists.
● Government Ciphersuites:
● TLS_RSA_WITH_AES_256_CBC_SHA
● TLS_RSA_WITH_3DES_EDE_CBC_SHA● Commercial Ciphersuites:
● TLS_RSA_WITH_AES_128_CBC_SHA
● TLS_RSA_WITH_RC4_128_SHA
● TLS_RSA_WITH_RC4_128_MD5Certificate Revocation List (CRL) checking is an advanced feature supported by somecertificate issuers. It allows security certificates to be revoked (invalidated before theirexpiry date) in the case of cryptographic compromise of the certificate private key, orsimply an unexpected change in DNS name.
Valid CRLs must be downloaded periodically from the certificate issuer and stored locally.This can be controlled through the selection made in "CRL verification."
● Disabled: When selected, no CRL checking will be performed.
● Only check locally stored CRLs: When selected, any CRLs that have been previouslyinstalled or downloaded will be used in certificate validation. If a certificate is found tobe revoked, the connection will fail.
● Retrieve CRLs from network: When selected, the client will attempt to retrieve CRLsfrom the relevant certificate issuers. If a certificate is found to be revoked, theconnection will fail.
● Require CRLs for connection: When selected, the client will attempt to retrieve CRLsfrom the relevant certificate issuers. If a certificate is found to be revoked, theconnection will fail. If the client is unable to retrieve a valid CRL, the connection willfail.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing
Section Server,WFClient
Feature SSL
Attribute Name INI_SSLNOCACERTS
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Number of CACerts. (Certificate Authority Certificates) - Default
INI LocationINI File Section Value
All_Regions.ini Network\SSL *
appsrv.ini WFClient
SSLEnable
801
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
*
TroubleshootingError Message: "SSL Error 61: You have not chosen to trust "<xxx>" the issuer of the server`ssecurity certificate". The common name and other information on a security certificate isguaranteed to be accurate by the certificate`s issuer. For a connection to be successful,the client must trust the certificate`s issuer to make that guarantee.
Error Message: "SSL Error 59: The server sent a security certificate identifying `xxx`. TheSSL connection was to `yyy`". The common name did not match the server the client wasexpecting to connect to.
SSLEnable
802
803
SSLProxyHost(2)
Specifies the server name value.
By default, this parameter is not present, or, if present, the value is set to *:443.
Assuming that every Citrix server in a server farm has its own SSL relay, the asterisk meansthat the address of the SSL relay is the same as that of the Citrix server.
If not every Citrix server in a given server farm has its own relay, the value can specify anexplicit server name in place of the asterisk. If the value is an explicit server name, SSLtraffic enters the server farm through the server whose name is specified by the value. Theserver name value must match the server name in the server’s SSL certificate; otherwise,SSL communications fail. For listening port numbers other than 443, the port number isappended to the server name following a colon (:):SSLProxyHost=*:SSL relay port number,where SSL relay port number is the number of the listening port. Related parameter:SSLCommonName.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing
Section Server,WFClient
Feature SSL
Attribute Name INI_SSLPROXYHOST
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM Yes
ValuesValue Description
*.443 SSL Proxy host string - Default
INI LocationINI File Section Value
All_Regions.ini Network\SSL
appsrv.ini WFClient *:443
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\SSL
SSLProxyHost(2)
804
805
SSOnCredentialType(3)
Specifies the credential type to used with pass-through authentication.
Allows particular credentials (Windows, NetWare, either) to be used with pass-throughauthentication on client devices that have the Novell Client installed.
Local user name and password: Use this policy to instruct the client to use the same logoncredentials (pass-through authentication) for Citrix XenApp as the client machine.
When this policy is enabled, the client can be prevented from using the current user`slogon credentials to authenticate to the remote server by clearing the Enable pass-throughauthentication check box.
When run in a Novell Directory Server environment, selecting the Use Novell DirectoryServer credentials check box requests that the client uses the user’s NDS credentials.
ADM UI Element: Citrix Components > Citrix Receiver > User authentication > Local username and password -> Use Novell Directory Server credentials
Section WFClient,dynamic,Server
Feature SSON
Attribute Name INI_SSON_CREDENTIAL_TYPE
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
Any Windows, NetWare, either - Default
NT
NDS
INI LocationINI File Section Value
All_Regions.ini Logon\Local Credentials
appsrv.ini WFClient Any
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Local Credentials
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Local Credentials
SSOnCredentialType(3)
806
807
SSOnDetected
A boolean setting enabled when (Single Sign-On) is being used.
(Single Sign-On) setting handles authentication to servers.
SSOnDetected Citrix pass-through authentication (Single Sign-On) is being used.
Section Server
Feature SSON
Attribute Name INI_SSON_DETECTED
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Disable single sign-on detected - Default
TRUE Enable single sign-on detected
INI LocationINI File Section Value
All_Regions.ini Logon *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon
*
808
SSOnUserSetting
Selects (On) or clears (Off) the Use local credentials to log on option. Choose usepass-through authentication when installing the ICA Client for this parameter to have aneffect.
This attribute is used for 3 types of User authentications in ADM file: "Smart CardAuthentication", "Kerberos authentication" and "Local user name and password".
● "Smart Card Authentication": Use Smart Card Authentication to control how the clientuses smart cards attached to the client device. When enabled, this policy allows theremote server to access smart cards attached to the client device for authenticationand other purposes. When disabled, the server cannot access smart cards attached tothe client device.
ADM UI Element: Citrix Components > Citrix Receiver > User authentication > Smartcard authentication > Use pass-through authentication for PIN
● "Kerberos authentication": Use this policy to control how the client uses Kerberos toauthenticate the user to the remote application or desktop. When enabled, this policyallows the client to authenticate the user using the Kerberos protocol. Kerberos is aDomain Controller authorised authentication transaction that avoids the need totransmit the real user credential data to the server. When disabled, the client will notattempt Kerberos authentication.
ADM UI Element: Citrix Components > Citrix Receiver > User authentication > Kerberosauthentication
● "Local user name and password": Use this policy to instruct the client to use the samelogon credentials (pass-through authentication) for Citrix XenApp as the client machine.When this policy is enabled, the client can be prevented from using the current user`slogon credentials to authenticate to the remote server by clearing the Enablepass-through authentication check box.
ADM UI Element: Citrix Components > Citrix Receiver > User authentication > Local username and password
Section WFClient
Feature SSON
Attribute Name INI_USER_SETTING_SINGLE_SIGN_ON
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM Yes
ValuesValue Description
Off Clear the user local credentials to log on option - Default
On Selects the use local credentials to log on option
INI LocationINI File Section Value
All_Regions.ini Logon\Local Credentials *
appsrv.ini WFClient On
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Local Credentials
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Local Credentials
*
SSOnUserSetting
809
810
SSPIEnabled
Enables and disables Kerberos authentication protocol.
Use this policy to control how the client uses Kerberos to authenticate the user to theremote application or desktop.
When enabled, this policy allows the client to authenticate the user using the Kerberosprotocol. Kerberos is a Domain Controller authorised authentication transaction that avoidsthe need to transmit the real user credential data to the server.
When disabled, the client will not attempt Kerberos authentication.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Userauthentication
Section WFClient
Feature SSPI
Attribute Name INI_SSPI_ENABLED
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM Yes
ValuesValue Description
On Enable Kerberos authentication protocol- Default
Off Disable Kerberos authentication protocol
INI LocationINI File Section Value
All_Regions.ini Logon\Kerberos *
wfclient.ini WFClient On
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Kerberos
*
0x1 HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Kerberos
*
TroubleshootingThe machine running the client and the server running the remote application must be indomains that have a trust relationship. The Domain Controller must be aware that CitrixXenApp will be performing a full user logon (interactive logon) using Kerberos. This isconfigured using the "Trust for Delegated Authentication" settings on the Domain Controller.
When connecting using Web Interface, Web Interface server must be aware that the clientwill connect using Kerberos authentication. This is necessary because by default WebInterface server will use an IP address for the destination server whereas Kerberosauthentication requires a Fully Qualified Domain Name.
Both client and server machines must have correctly registered DNS entries. This isnecessary because endpoints will authenticate each other during connection.
SSPIEnabled
811
812
startIFDCD(3)
This is an End User Experience Monitoring (EUEM) metric. This metric tracks the time ittakes the client to download the ICA file from the Web server for Program NeighborhoodAgent or Web Interface.
Section qwerty,dynamic,Server
Feature EUEM
Attribute Name INI_EUEM_STARTIFDCD
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
-1 Initial reset value - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\End User Experience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
813
startSCD(2)
New session creation time (SCD), from the moment wfica32.exe is launched to when theconnection is established
An ICA session may be started by different launchers, all of the launchers use the sameengine wfica32.exe. This is specific to the ICA launcher when it is not ProgramNeighborhood Classic.
Section dynamic,Server
Feature EUEM
Attribute Name INI_EUEM_STARTSCD
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Session Creation Time (ms) - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\End User Experience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
814
State
Specifies whether or not to launch a pre-launched application session at user logon. Whenset to 1 (default setting), the session is enabled at user logon. When set to 2, thepre-launched application session is launched at the
When set to 2, the pre-launched application session launches at the specified Schedule; ifthe schedule is not set, the session is disabled.
To enable users to override this administrator's configuration, enable the UserOverridesetting.
Section PrelaunchApplication
Feature Pre-Launch
Attribute Name PRELAUNCH_STATE
Definition Location prelaunch.h
Data Type string
Access Type Read/Write
UNIX Specific No
Present in ADM No
ValuesValue Description
1 Pre-Launch enabled default
0 Pre-Launch disabled
2 Pre-Launch scheduled
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\Software\Citrix\ICAClient\PreLaunch
HKEY_CURRENT_USER\Software\Citrix\ICAClient\PreLaunch
815
SucConnTimeout
Specifies the number of seconds to wait for a recently started session to become availablefor session sharing.
Multiple sessions can be opened if multiple configured seamless Window applications arestarted in rapid succession and the server has custom logon scripts that take longer than 20seconds to complete. To extend this time-out value, enter this setting in the Appsrv.ini fileunder the [WFClient] section.
Section WFClient
Feature SessionSharing
Attribute Name INI_SUCCONNTIMEOUT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
20 Wait for Session Sharing (seconds) - Default
INI LocationN/A
Registry LocationN/A
816
SwapButtons
Specifies whether (On) or not (Off) to swap the function of the client device’s mousebuttons within the ICA session.
Section WFClient
Feature Mouse
Attribute Name INI_SWAPBUTTONS
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Off Disable swap function - Default
On Enable the swap function
INI LocationN/A
Registry LocationN/A
817
TransparentKeyPassthrough
Determines how the mapping of certain Windows key combinations are used whenconnecting to ICA sessions.
This setting appears in the Citrix Receiver user interface under Session Options page and inthe Web Interface for Citrix XenApp Settings page.
● When Local is set, the key combinations apply to the local desktop.
● When Remote is set, the key combinations apply to seamless and non-seamless ICAsessions when their windows have the keyboard focus.
● When FullScreenOnly is set, the key combinations apply to the non-seamless ICA sessionin full screen mode.
The default value is FullScreenOnly. When no TransparentKeyPassthrough setting in the ICAfile is passed to the ICA Engine, the keyboard transparent feature behave’s as ifFullScreenOnly is set.
Section WFClient
Feature Keyboard
Attribute Name INI_TPKEYPASSTHRU
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FullScreenOnlyDefault
Local
Remote
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Keyboard
wfclient.ini WFClient FullScreenOnly
appsrv.ini WFClient FullScreenOnly
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard
TransparentKeyPassthrough
818
819
TransportReconnectDelay
Specifies the number of seconds to wait before attempting to reconnect to thedisconnected session.
When a network error occurs, the auto client reconnect feature normally displays a dialogbox asking whether or not to try to reconnect. The TransportReconnectDelay=delay settingreplaces this display with a delay (in seconds) followed by an automatic reconnectionattempt.
Specifies the number of retries the client will attempt to reconnect to the disconnectedsession. If the TransportReconnectEnabled value is set to On or is not present in the .inifile, the number that is specified for this value is used.
Use "Session reliability and automatic reconnection" policy to control how the clientbehaves when a network failure causes the connection to be dropped.
When this policy is enabled, the client will attempt to reconnect to a server only if "Enablereconnection" is selected. By default three reconnection attempts are made, but this canbe altered using the "Number of retries" setting. Similarly the delay between retries can bealtered from the default of 30 seconds using the "Retry delay" setting.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Session reliabilityand automatic reconnection > Retry delay (seconds)
Section WFClient
Feature ACR
Attribute Name INI_TRANSPORT_RECONNECT_DELAY
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
30 Seconds - Default
INI LocationINI File Section Value
All_Regions.ini Network\Reconnection *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Reconnection
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Reconnection
*
TroubleshootingSome proxy servers will automatically disconnect connections that are idle for a certainlength of time. This can cause client sessions to be disconnected when not in use. Aserver-side option "ICA Keep-Alive" is available to send extra data packets during periods ofinactivity that can be used prevent proxies from closing connections.
TransportReconnectDelay
820
821
TransportReconnectEnabled
Specifies whether (On) or not (Off) the Auto Client Reconnect is enabled. By default if theclient connects to a server that is enabled for AutoClientReconnect and a disconnectionoccurs, the client tries indefinitely to reconnect to the disconnected session until the userclicks the Cancel button in the AutoClientReconnect dialog box.
Session reliability and automatic reconnection: Use this policy to control how the clientbehaves when a network failure causes the connection to be dropped.
When this policy is enabled, the client will attempt to reconnect to a server only if "Enablereconnection" is selected. By default three reconnection attempts are made, but this canbe altered using the "Number of retries" setting. Similarly the delay between retries can bealtered from the default of 30 seconds using the "Retry delay" setting.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Session reliabilityand automatic reconnection > Enable reconnection
Section WFClient
Feature ACR
Attribute Name INI_TRANSPORT_RECONNECT_ENABLED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
1 Enables Auto Client Reconnect - Default
0 Disables Auto Client Reconnect
On Enables Auto Client Reconnect
Off Disables Auto Client Reconnect
true Enables Auto Client Reconnect
false Disables Auto Client Reconnect
yes Enables Auto Client Reconnect
no Disables Auto Client Reconnect
INI LocationINI File Section Value
All_Regions.ini Network\Reconnection *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Reconnection
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Reconnection
*
TransportReconnectEnabled
822
823
TransportReconnectRetries
Specifies the number of times the client will attempt to reconnect to the disconnectedsession. If the TransportReconnectEnabled value is set to On or is not present in the .inifile, the number that is specified for this value is used.
Use the Session reliability and automatic reconnection policy settings to control how theclient behaves when a network failure causes the connection to be dropped.
When these policy settings are enabled, the client will attempt to reconnect to a serveronly if Enable Reconnection is selected in the Citrix User policy setting for Auto ClientReconnect. By default three reconnection attempts are made, but this can be altered usingthe Number of retries setting. Similarly the delay between retries can be altered from thedefault of 30 seconds using the Retry delay setting. Retry delay is supported only on WinCE.
ADM UI Element: Citrix Components > Citrix Receiver > Network routing > Session reliabilityand automatic reconnection > Number of retries
Section WFClient
Feature ACR
Attribute Name INI_TRANSPORT_RECONNECT_RETRIES
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
0xFFFFFFFF For Win32 (infinite) - Default
3 (default for non-windows)
1 -0xFFFFFFFF
1 or higher
INI LocationINI File Section Value
All_Regions.ini Network\Reconnection *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Reconnection
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Reconnection
*
TroubleshootingSome proxy servers will automatically disconnect connections that are idle for a certainlength of time. This can cause client sessions to be disconnected when not in use. Theserver-side policy setting for ICA Keep Alives is available to send extra data packets duringperiods of inactivity that can be used to prevent proxies from closing connections.
TransportReconnectRetries
824
825
TransportSilentDisconnect
Specifies whether or not silent disconnect is enabled.
This setting hides the network error message that appears when the client is disconnected.Instead of showing the error message, the client just exits silently.
Section WFClient
Feature ACR
Attribute Name INI_TRANSPORT_SILENT_DISCONNECT
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Disable silent disconnect - Default
TRUE Enable silent disconnect
INI LocationN/A
Registry LocationN/A
826
TRWD
EUEM: End User Experience Monitoring .
TRWD: TICKET_RESPONSE_WEB_SERVER
The time it takes to get a ticket (if required) from the STA server or XML Service. Thismetric is collected when the application is launched via the Citrix Receiver or WebInterface.
Section Server
Feature EUEM
Attribute Name INI_EUEM_TRWD
Data Type Integer
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
-1 Initial reset value - Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\End User Experience
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience
827
Tw2CachePower
Specifies, in powers of 2 bytes, the size of the ThinWire cache. For example, aTW2CachePower value of 23 creates an 8MB (2^23 bytes) ThinWire cache. Set it in therange of 19 to 25. Any value less than 19 is reset to 19; any value greater than 25 is reset to25. If you do not specify a value, the ThinWire driver automatically computes the initialsize based on connection resolution and color depth, applying a value in the range of 22 to25. If the required memory space cannot be allocated, the value is gradually lowered untilit matches the actual amount of available memory space. If memory space equivalent to avalue of 19 (512KB) cannot be allocated, the connection is dropped.
Section Thinwire3.0
Feature Graphics
Attribute Name INI_TW2_CACHE_POWER
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
19 Default
19-25
INI LocationN/A
Registry LocationN/A
828
TW2StopwatchMinimum
Sets a minimum return value for TW2 stopwatch timers.
TW2`s stopwatch timers can return meaningless results when the underlying graphicssystem is not synchronous, for example X11 on Unix. This option allows an implementationto set a minimum value that will be returned for a stopwatch timer period. The minimumvalue used is taken from the configuration files and scaled by the size of the last imagecopy.
Section Thinwire3.0
Feature Graphics
Attribute Name INI_TW2_STOPWATCH_MINIMUM
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Thinwire Graphics *
canonicalization.ini Thinwire3.0 TW2StopwatchMinimum
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\Thinwire3.0
TW2StopwatchMinimum
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
829
TW2StopwatchScale
Sets a scale factor to be applied to TW2 stopwatch timers.
TW2`s stopwatch timers can return over-optimistic results when there is a large disparitybetween the speed of different graphics operations; for example, some WinCE terminalscan scroll quickly but draw relatively slowly. This option allows a scale factor to be appliedto values returned by the stopwatch timers in an attempt to correct this.
Section Thinwire3.0
Feature Graphics
Attribute Name INI_TW2_STOPWATCH_SCALE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1 Scale Factor - Default
INI LocationN/A
Registry LocationN/A
830
TwainAllowed
Specifies whether (TRUE) or not (FALSE) Image capture is enabled.
Image Capture: Use this policy to enable and restrict the remote application or desktop`saccess to scanners, webcams, and other imaging devices on the client device (TWAIN).
ADM UI Element: Citrix Components > Citrix Receiver > Remoting client devices > Imagecapture
Section WFClient
Feature Twain
Attribute Name INI_TWAINALLOWED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
TRUE Enables Image capture (TWAIN) - Default
FALSE Disables Image capture (TWAIN)
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Image Capture *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Image Capture
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Image Capture
*
831
TWIEmulateSystray
Specifies whether (TRUE) or not (FALSE) to do system tray emulation on non-windowsclients.
Controls the creation of a system emulation window to display notification area icons whenusing seamless mode.
Section Server
Feature Seamless
Attribute Name INI_TWI_SYSTRAY_EMULATION
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
TRUE Do system tray emulation on non-Windows clients - Default
FALSE Does not do system tray emulation on non-Windows clients
INI LocationN/A
Registry LocationN/A
832
TWIFullScreenMode
This setting switches the client to full screen mode.
The server display will completely cover the client display.
ADM UI Element: Citrix Components > Citrix Receiver > User experience > Client displaysettings
Section Thinwire3.0
Feature Keyboard
Attribute Name INI_FULLSCREENMODE
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
0 Disable client full screen mode - Default
1 Enable client full screen mode
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Thinwire Graphics *
Module.ini Thinwire3.0
canonicalization.ini Thinwire3.0 TWIFullScreenMode
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\Thinwire3.0
TWIFullScreenMode
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Thinwire3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Thinwire Graphics
*
TWIFullScreenMode
833
834
TWIIgnoreWorkArea
Enable/Disable sending only desktop work area.
Specifies whether (True) or not (False) the entire desktop area will be sent to the server.By default when the client connects to the server it sends the entire desktop area(including the taskbar) of the client display to the server. Setting this value to True sendsonly the desktop work area (area where shortcuts are placed, for example).
Section WFClient
Feature Seamless
Attribute Name INI_OVERRIDE_WORKAREA_SETTING
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Disable sending only desktop work area.
1 Enable sending only desktop work area.
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Seamless Windows *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Seamless Windows
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Seamless Windows
*
TWIIgnoreWorkArea
835
836
TWIMode
Specifies whether (On) or not (Off) to use seamless mode for all connections in theassociated application set or for the associated custom ICA connection. Set the parametersDesiredVRES, DesiredHRES, and DesiredWinType accordingly.
Client display settings: Use this policy to control how the client presents remoteapplications and desktops to the end user. Remote applications can be seamlesslyintegrated with local applications, or the entire local environment can be replaced with aremote desktop.
Seamless windows: When set to False this setting allows the client to disable the use ofseamless windows, instead displaying a fixed size window. When set to True it forces theclient to request seamless windows, although the server may choose to reject this request.
ADM UI Element: Citrix Components > Citrix Receiver > User experience > Client displaysettings > Seamless windows
Section Server
Feature Seamless
Attribute Name INI_TWI_MODE
Data Type Boolean
Access Type Read & Write
UNIX Specific No
Present in ADM Yes
ValuesValue Description
FALSE Disables the seamless mode for all connections - default
TRUE Enables the seamless mode for all connections
Off Disables seamless mode for all connections
On Enables seamless mode for all connections
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Seamless Windows *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Seamless Windows
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Seamless Windows
*
TWIMode
837
838
TWISeamlessFlag
Enable/Disable seamless applications launch.
Starting with Version 9.x of the Citrix Receiver for Windows, when an application launchesseamlessly, if focus is shifted away from the Logon Status dialog boxes before theapplication is displayed, the application launches behind whichever window has focus.
By setting this value to 1, seamless applications launch in the foreground and have focus,even if the focus shifted away from the Logon Status dialog boxes.
Section WFClient
Feature Seamless
Attribute Name INI_SEAMLESS_FLAG
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Disable seamless application launch - default
1 Enable seamless application launch.
INI LocationINI information not found.
Registry LocationRegistry information not found.
839
TWIShrinkWorkArea
Specifies the value that the work area will be minimized. By specifying this users can makework area for seamless windows smaller.
Seamless applications cover the local taskbar on Windows 2000, 2003, and XP workstationcomputers when Auto hide is selected in the taskbar and Start Menu Properties dialog box.If the user selects to auto hide the local taskbar and a seamless ICA session is run, the localtaskbar may not be accessible. If the seamless application is minimized, the local taskbarcan be accessed. To avoid this problem, set the setting to a value of 3 or more.
Section WFClient
Feature Seamless
Attribute Name INI_WORKAREA_TOSHRINK
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Default
greaterthan 0
INI LocationINI information not found.
Registry LocationRegistry information not found.
840
TWISuppressZZEcho
Suppress post-move jiggle of seamless window.
By setting this property to True, any attempt by the server to move a seamless window tothe top left corner of the screen is ignored after the window is moved locally. This affectsWindows servers only.
Section Server
Feature Seamless
Attribute Name INI_TWI_SUPPRESS_ZZ_ECHO
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Does not suppress post-move jiggle - default
TRUE Suppress post move jiggle
INI LocationINI information not found.
Registry LocationRegistry information not found.
841
TWITaskbarGroupingMode
Mode used for Seamless Taskbar Grouping of hosted, published applications.
Set this parameter to the desired value for Seamless Taskbar Grouping support. If GroupAllis specified, hosted, published app instances are grouped together on the Windows Taskbarby app. Likewise, these app instances are grouped together with corresponding local appinstances. If GroupNone is specified, the Seamless Taskbar Grouping feature is disabled. Asa result, all instances of all hosted apps are grouped together in the Windows Taskbar inthe same group, and not with local apps.
Section Server
Feature Seamless
Attribute Name INI_TWI_TASKBAR_GRP_MODE
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
GroupAll Specifies that published app instances should be grouped withcorresponding local app instances on the Windows Taskbar - default
GroupNone Disables taskbar button grouping support
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Seamless Windows *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Seamless Windows
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Seamless Windows
*
TroubleshootingNot applicable.
TWITaskbarGroupingMode
842
843
UnicodeEnabled
Enable UNICODE printer names.
Section ClientPrinterQueue
Feature Printing
Attribute Name INI_CPMUNICODEENABLED
Data Type Integer
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
TRUE Default
FALSE
INI LocationINI information not found.
Registry LocationRegistry information not found.
844
UseAlternateAddress(3)
Selects (1) or clears (0) the Use alternate address for firewall connection option.
Selects (1) or clears (0) the Use alternate address for firewall connection option. Used toperform Network Address Translation (NAT).
Firewalls use IP address translation to convert public (Internet) IP addresses into private(intranet) IP addresses. Public IP addresses are called external addresses because they areexternal to the firewall, while private IP addresses are called internal addresses. In thiscontext, alternate means external.
A client configured to use the TCP/IP server location network protocol sends a directed UDPdatagram to the server IP address, using TCP/IP port 1604. Any intervening firewall must beconfigured to allow UDP packets to pass port 1604 or client-server communication fails.
If a fixed server location address is specified, the client contacts that server to determinethe address of the ICA master browser. When the client connects by server or publishedapplication name, the ICA master browser returns the address of the requested server orpublished application.
You can use UseAlternateAddress for TCP/IP connections only. To specify the server’s IPaddress, you must include the following statement in the [WFClient] section of the ICA file:
TcpBrowserAddress=ipaddress, where ipaddress is the IP address of the Citrix server.
You must also use the ALTADDR command on the Citrix server with the IP address that isaccessed by the ICA file (specified byipaddress). See the XenApp Administration guide formore information about the ALTADDR command.
Note: WFClient is used as section for all custom ICA connections unless otherwiseoverridden.
Corresponding UI Element:
● For applicationsetname: Settings dialog box > Connection tab > Firewalls > Usealternate address for firewall connection option
● For applicationservername: Properties dialog box > Connection tab > Firewalls >Usealternate address for firewall connection option
Section WFClient,dynamic,Server
Feature NATSupport
Attribute Name INI_USEALTERNATEADDRESS
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Do not use the alternate address for firewall connection option - default
1 Use alternate address for firewall connection option.
INI LocationINI File Section Value
Module.ini TCP/IP
Module.ini TCP/IP - FTP
Module.ini TCP/IP - Novell Lan WorkPlace
Module.ini TCP/IP - Microsoft
Module.ini TCP/IP - VSL
All_Regions.ini Network\Protocols *
Module.ini WFClient
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - FTP
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - Novell LanWorkPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - VSL
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\WFClient
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Protocols
*
UseAlternateAddress(3)
845
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Protocols
*
UseAlternateAddress(3)
846
847
UseDefaultEncryption
Specifies from where to use the default encryption setting.
In applicationsetname: Specifies whether to use the server-side default encryption setting(On) or the setting specified in applicationsetname (Off). EncryptionLevel must be specifiedin applicationsetname if the value of UseDefaultEncryption in applicationsetname is Off.
In applicationservername: Specifies whether to use the custom default encryption setting inWFClient (On) or the setting specified in applicationservername (Off). EncryptionLevel mustbe specified in applicationservername if the value of UseDefaultEncryption inapplicationservername is Off.
Interface Element:
● For applicationsetname: Settings dialog box > Default Options tab > Encryption Level >Use Server Default option
● For applicationservername: Properties dialog box > Options tab > Encryption Level > UseCustom Default option
Section Server
Feature Misc
Attribute Name INI_USEDEFENCRYPT
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Use the default encrypting setting from applicationsetname /applicationservername - default
TRUE Use default encryption setting from server side or from WFClient
INI LocationINI information not found.
Registry LocationRegistry information not found.
UseDefaultEncryption
848
849
UseLocalUserAndPassword(2)
Specifies whether (On) or not (Off) to use the same user name and password the user usedto log on to the client computer for authentication to the Citrix server.
SSOnUserSetting must be set to On.
Use the Local username and password policy to instruct the client to use the same logoncredentials (pass-through authentication) for the XenApp server as the client machine.When this policy is enabled, the client can be prevented from using the current user`slogon credentials to authenticate to the remote server by clearing the Enable pass-throughauthentication check box.
ADM UI Element : Citrix Components > Citrix Receiver > User authentication > Local username and password > Enable pass-through authentication
Section Server,Server
Feature SSON
Attribute Name INI_USE_LOCAL_USER_AND_PASSWORD
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
On Use pass-through authentication
Off Does not use pass-through authentication
INI LocationINI File Section Value
All_Regions.ini Logon\Local Credentials *
Registry Location
Registry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Local Credentials
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Local Credentials
*
UseLocalUserAndPassword(2)
850
851
UseMRUBrowserPrefs
Specifies how it will be determined which browser's preferences will be used for the proxysettings.
It is used when the client finds more than one browser preferences file when processing theProxyType=Auto setting to find network proxy settings. If this is set, it uses the one thatchanged most recently.
If the parameter is False the client uses its old method: it looks first for Firefox browsersettings, then Mozilla, then Netscape, and uses the first one found.
Section Server
Feature Proxy
Attribute Name INI_USEMRUBROWSERPREFS
Data Type Boolean
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
True Proxy setting is the one changed most recently - default
False Uses old method: look first for Firefox browser settings, then Mozilla, theNetscape, and use the first one found
INI LocationINI information not found.
Registry LocationRegistry information not found.
852
Username(3)
Specifies the user name that appears in the User name text box if the user selects theUser-specified credentials option for the associated custom ICA connection.
Use this policy to control how user credentials data stored on users’ machines or placed inICA files is used to authenticate the user to the remote published application or desktop.When this policy is enabled, you can prevent locally stored passwords being automaticallysent to remote servers by clearing the Allow authentication using locally storedcredentials check box. This causes any password fields to be replaced with dummy data. Inaddition, the User name and Domain options can be used to restrict or override whichusers can be automatically authenticate to servers. These can be specified ascomma-separated lists.
Properties dialog box > Logon Information tab > User-specified credentials option > Username text box
ADM UI Element : Citrix Component > Citrix Receiver > User Authentication > Locally storedcredential > User name
Section Smartcard,dynamic,Server
Feature Core
Attribute Name INI_USERNAME
Data Type String
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
"" User name - Default
INI LocationINI File Section Value
All_Regions.ini Logon\Saved Credentials
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Saved Credentials
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Saved Credentials
Username(3)
853
854
UserOverride
Specifies whether the users can override the Pre-Launch configuration set by theadministrator (see settings State and Schedule). If enabled, but the user configurationsetting is not present on the client, the Pre-Launch configuration specified by theadministrator is enabled.
Section PrelaunchApplication
Feature Pre-Launch
Attribute Name PRELAUNCH_USER_OVERRIDE
Definition Location prelaunch.h
Data Type string
Access Type Read/Write
UNIX Specific No
Present in ADM No
ValuesValue Description
0 Disable users override default
1 Enable users override
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\Software\Citrix\ICAClient\PreLaunch
855
UsersShareIniFiles
Specifies whether (On) or not (Off) users shares .ini files or they have their own .ini files.
Section WFClient
Feature Core
Attribute Name INI_USERS_SHAREINIFILES
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Off Users have their own ini files - default
On Users shares ini file
INI LocationINI information not found.
Registry LocationRegistry information not found.
TroubleshootingNot applicable.
856
UseSSPIOnly
Specifies whether to use only Kerberos authentication or to get credentials from the Singlesign-on service. Authentication will fail if Kerberos authentication fails. This preventsfallback to using passthrough.
If set to True, only Kerberos authentication is used and credentials are not retrieved fromthe Single sign-on service.
Section WFClient
Feature SSPI
Attribute Name INI_SSPI_ONLY
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
FALSE Use Kerberos authentication or get credentials from Single sign-on service -Default
TRUE Use only Kerberos authentication
INI LocationINI File Section Value
All_Regions.ini Logon\Kerberos *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Kerberos
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon\Kerberos
*
UseSSPIOnly
857
858
VariantName
Identify that the client is a variant of the regular client.
If Module.ini or Appsrv.ini contain a line named "VariantName=[ ]" it designates the client isnot a regular Win32 client (OEMs).
Section ClientAudio
Feature Core
Attribute Name INI_CM_VARIANTNAME
Data Type String
Access Type Write
UNIX Specific No
Present in ADM No
ValuesValue Description
Base Default
INI LocationINI information not found.
Registry LocationRegistry information not found.
859
VirtualChannels
List of virtual channel names to create.
Specifies the virtual channels to be opened on connection. You can specify multiple channelnames as a comma separated list. Names must be restricted to seven characters or less.
Section Server
Feature Core
Attribute Name INI_VIRTUALCHANNELS
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" If present then any possible virtual channel list
INI LocationINI information not found.
Registry LocationRegistry information not found.
860
VirtualCOMPortEmulation
Specifies whether virtual COM ports are enabled or not.
Remote PDA synchronization uses virtual COM ports. These are serial port connections thatare routed through USB connections. It is necessary to enable serial port access to use PDAsynchronization for this reason.
ADM UI: Citrix Receiver > Remote Client Devices > Client hardware Access > Allow PDASynchronizaton.
Section WFClient
Feature PDASync
Attribute Name INI_VCOM_EMULATION
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
On Virtual COM ports are enabled - Default
Off Virtual COM ports are not enabled
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Serial Port *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Serial Port
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Serial Port
*
VirtualCOMPortEmulation
861
862
VirtualDriver
Specifies a list of virtual drivers to load, in sequence. The listed items correspond tosection names containing parameters for each specific virtual driver. Individual features canbe disabled by removing their drivers from this list (for example, remove ClientDrive todisable client drive mapping).
Section ICA 3.0
Feature Core
Attribute Name INI_VIRTUALDRIVER
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
Thinwire3.0, ClientDrive,ClientPrinterQueue,ClientPrinterPort, Clipboard,ClientComm, ClientAudio,LicenseHandler,ProgramNeighborhood,TWI,ZL_FONT,ZLC,SmartCard,Multimedia,ICACTL,SpeechMike,SSPI,TwainRdr,UserExperience
Default
INI LocationINI File Section Value
Module.ini ICA 3.0 Thinwire3.0, ClientDrive,ClientPrinterQueue,ClientPrinterPort, Clipboard,ClientComm, ClientAudio,LicenseHandler,ProgramNeighborhood,TWI,ZL_FONT,ZLC,SmartCard,Multimedia,ICACTL,SpeechMike,SSPI,TwainRdr,UserExperience
Registry Location
Registry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ICA3.0
Thinwire3.0, ClientDrive,ClientPrinterQueue,ClientPrinterPort, Clipboard,ClientComm, ClientAudio,LicenseHandler,ProgramNeighborhood,TWI,ZL_FONT,ZLC,SmartCard,Multimedia,ICACTL,SpeechMike,SSPI,TwainRdr,UserExperience
VirtualDriver
863
864
VirtualDriverEx
Specifies the list of third party virtual channels.
Set AllowVirtualDriverEx to True to append the third party virtual channel list to thecurrent virtual drivers.
Section ICA 3.0
Feature Core
Attribute Name INI_VIRTUALDRIVER_THIRDPARTY
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" If present then any possible virtual channels
INI LocationINI File Section Value
Module.ini ICA 3.0
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ICA 3.0
865
VSLAllowed(2)
Specifies whether or not client printer queue mapping has been enabled.
Enables (On) or disables (Off) client printer spooling by controlling whether (On) or not(Off) the client printer mapping virtual driver in ClientPrinterQueue is loaded.
Use this policy to enable and restrict the remote application or desktop`s access to clientprinters.
When this policy is disabled, the client prevents the server from accessing or printing toprinters available to the client device.
ADM UI Element : Citrix Components > Citrix Receiver > Remoting client devices > Clientprinters
Section WFClient,ClientPrinterQueue
Feature Printing
Attribute Name INI_VSLALLOWED
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
TRUE Enables client printer queue mapping - Default
FALSE Disable client printer queue mapping
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Printing *
appsrv.ini WFClient On
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Printing
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Printing
*
VSLAllowed(2)
866
867
Win32FavorRetainedPrinterSettings
Specifies whether (False) or not (True) to prevent the system from retaining any changes tothe properties store.
The Win32FavorRetainedPrinterSettings=Off setting in the client’s appsrv.ini file (under the[WFClient] section) prevents the system from retaining any changes to the properties store.
For certain printer drivers, changes made to printer properties or advanced printer settingswithin a session do not persist between sessions. This is the server-side component of anenhancement that allows to modify the client-side appsrv.ini file to set the client to alwaysuse the printer settings from the actual printer rather than the retained settings in theproperties store. This setting also forces the client to attempt to write settings modifiedwithin a client session to the client printer if the drivers are determined to be equivalent.
Win32FavorRetainedPrinterSettings = TRUE implies that the client shall service propertiesrequests from the client's private printer properties store in the client-side user profile atHKCU\Software\Citrix\PrinterProperties. If there are no retained properties for the printerin question, real properties should be returned from the real Windows printer objectinstead. FALSE implies client shall service properties enumerations and saves to/from thereal printer first. When client and server drivers are equivalent, all properties would beread from (written to) the real printer. When server and client driver are not equivalent,device dependent properties will still be serviced from retained settings since the devicespecific settings of the real printer are not useable.
Section WFClient
Feature Printing
Attribute Name INI_VSLPROPSFROMPROFILE
Data Type Boolean
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
TRUE Client shall service properties requests from the clients private printerproperties store - Default
FALSE Prevents the system from retaining any changes to the properties store
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Printing *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Printing
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Printing
*
Win32FavorRetainedPrinterSettings
868
869
WindowManagerMoveIgnored
Flag to indicate that the Window Manager's initial move should be ignored for the UNIXclient.
If this flag is set to True, dubious window configuration messages from WM at start-up areacknowledged and Window Manager's initial move should be ignored.
Section Thinwire3.0
Feature Graphics
Attribute Name INI_WINDOW_MANAGER_MOVE_IGNORED
Data Type Boolean
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
False Window Manager's initial move should be not be ignored - Default
True Window Manager's initial move should be ignored.
INI LocationINI information not found.
Registry LocationRegistry information not found.
870
WindowManagerMoveTimeout
Time period in milliseconds for WindowManagerMoveIgnored, which ignores local changes inwindow size and position for a short period after creation of a seamless window.
Section Thinwire3.0
Feature Graphics
Attribute Name INI_WINDOW_MANAGER_MOVE_TIMEOUT
Data Type Integer
Access Type Read
UNIX Specific Yes
Present in ADM No
ValuesValue Description
500 Window Manager Timeout (ms) - Default
INI LocationINI information not found.
Registry LocationRegistry information not found.
871
WindowsCache
Specifies the size of the Receiver's Thinwire memory (in 1KB chunks). The maximum size ofthe Thinwire cache is 8192KB.
Section Thinwire3.0
Feature Graphics
Attribute Name INI_LARGECACHE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
3072 KB - Default
8192 Maximum cache size (KB)
INI LocationINI File Section Value
Module.ini Thinwire3.0 3072
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\Thinwire3.0
3072
872
WindowSize
Gives the write window size, in bytes, for flow management for ClientComm section.
Section ClientComm
Feature Printing
Attribute Name INI_CCMWINDOWSIZE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
1024 Write window size in bytes - Default
512 Write window size in bytes
INI LocationINI File Section Value
Module.ini ClientPrinterQueue 1440
Module.ini ClientPrinterPort 1024
Module.ini ClientComm 1024
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientComm
1024
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterPort
1024
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterQueue
1440
WindowSize
873
874
WindowSize
Gives the maximum write window size (in bytes) for flow management; i.e., the maximumnumber bytes that can be written for the ClientPrinterQueue section.
Section ClientPrinterPort
Feature Printing
Attribute Name INI_CPMWINDOWSIZE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
512 Default
1024
INI LocationINI File Section Value
Module.ini ClientPrinterQueue 1440
Module.ini ClientComm 1024
Module.ini ClientPrinterPort 1024
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientComm
1024
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterPort
1024
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterQueue
1440
WindowSize
875
876
WindowSize
Specifies the write window size (in bytes) for flow management for the ClientPrinterQueuedriver.
Section ClientPrinterQueue
Feature Graphics
Attribute Name INI_VSLWINDOWSIZE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
512 Window Size (Bytes) - Default
1024 Window Size (Bytes)
INI LocationINI File Section Value
Module.ini ClientPrinterPort 1024
Module.ini ClientComm 1024
Module.ini ClientPrinterQueue 1440
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientComm
1024
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterPort
1024
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterQueue
1440
WindowSize
877
878
WindowSize2
Specifies the larger window size for flow management for ClientPrinterQueue driver.
This virtual driver is responsible for providing client printer queue access to supplement theICA 3.0 driver.
If this window size is not suitable, then smaller size (WindowSize) is used.
Section ClientPrinterQueue
Feature Printing
Attribute Name INI_VSLWINDOWSIZE2
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
4102 Window Size (Bytes) - Default
INI LocationINI File Section Value
Module.ini ClientPrinterQueue 4102
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterQueue
4102
879
WindowsPrinter
Specifies the queue name displayed for the available printer.
Section ClientPrinterPort
Feature Printing
Attribute Name INI_CPMQUEUE
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Default Windows Printer Name - Default
INI LocationINI File Section Value
Module.ini ClientPrinterPort
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterPort
880
WindowsPrinter
Specifies a queue name to print to.
Section ClientPrinterQueue
Feature Printing
Attribute Name INI_VSLQUEUE
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Queue name - Default
INI LocationINI File Section Value
Module.ini ClientPrinterPort
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientPrinterPort
881
WorkDirectory
Specifies the working directory after logon.
Section Server
Feature Core
Attribute Name INI_WORKDIRECTORY
Data Type String
Access Type Read & Write
UNIX Specific No
Present in ADM No
ValuesValue Description
"" Directory location of working directory
INI LocationINI File Section Value
All_Regions.ini Client Engine\Application Launching
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Application Launching
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\Application Launching
882
WpadHost
Specifies the URL to query for the automatic proxy detection configuration file todetermine proxy settings.
Section WFClient
Feature Proxy
Attribute Name INI_WPADHOST
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
http://wpad/wpad.datDefault
INI LocationINI File Section Value
All_Regions.ini Network\Proxy
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
883
XmlAddressResolutionType
Specifies the address resolution method used for XML requests. Address resolution is theprocess of resolving server and published application names to network addresses that thenetwork driver can understand and use.
Section WFClient
Feature EnumRes
Attribute Name INI_XMLADDRESSRESTYPE
Data Type String
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
DNS-Port Address name - Default
IPv4-Port Address name
INI LocationINI File Section Value
appsrv.ini WFClient DNS-Port
Registry LocationRegistry information not found.
884
ZLAutoHiLimit
Zero-Latency Mouse Threshold Upper Limit.
The Mouse Threshold Upper Limit is compared with the average response time of ICA todetermine if the mouse zero latency feature playback is turned on.
The zero latency feature monitors the response time of keyboard and mouse inputs on theReceiver and enables playback features to make ICA seem more responsive to the userwhen necessary. This is determined by keeping track of ICA’s average response time andcomparing the average response time to the IZLAutoLowLimit and the ZLAutoHiLimit.
If the average response time is greater than or equal to ZLAutoHiLimit, then ICA isresponding at an unacceptable speed and the zero latency feature turns on the mouse zerolatency playback and the keyboard zero latency playback features.
Section Server
Feature ZLC
Attribute Name INI_AUTO_ZLHILIMIT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
250 Mouse zero latency playback turns on if average response time is greaterthan this limit - Default
INI LocationINI information not found.
Registry LocationRegistry information not found.
885
ZLAutoLowLimit
Zero-latency Mouse Threshold Lower Limit.
Mouse Threshold Lower Limit that is compared with average response time of ICA todetermine if the mouse zero latency playback feature is turned off.
The zero latency feature monitors the response time of keyboard and mouse inputs on theReceiver, and enables playback features to make ICA seem more responsive to the userwhen necessary. This is determined by keeping track of ICA’s average response time andcomparing the average response time to the IZLAutoLowLimit and the ZLAutoHiLimit.
If the average response time is less than ZLAutoLowLimit, then ICA is responding at anacceptable speed and the zero latency feature turns off the mouse zero latency playbackfeature and continues to monitor the average response time.
Section Server
Feature ZLC
Attribute Name INI_AUTO_ZLLOWLIMIT
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
150 Lower limit threshold - Default
INI LocationINI information not found.
Registry LocationRegistry information not found.
886
ZLDiskCacheSize
Specifies the cache size, in bytes, on disk for latency reduction.
Section WFClient
Feature ZLC
Attribute Name INI_ZLDISK_CACHE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
-1 Disk free space will be used - Default
INI LocationINI information not found.
Registry LocationRegistry information not found.
887
ZLFntMemCacheSize
Specifies a memory size value to create a cache directory.
This attribute is for Zero Latency Window - Virtual Font driver interface.
Section WFClient
Feature ZLC
Attribute Name INI_ZLMEM_CACHE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM No
ValuesValue Description
512000 Cache Directory Size (Bytes) - Default
0 Disable audio input
INI LocationINI information not found.
Registry LocationRegistry information not found.
888
ZLKeyboardMode
Specifies whether or not to use local text echo.
For 2 (Auto), local text echo is used if the connection latency exceeds the high latencythreshold set using the SpeedScreen Latency Reduction Manager. The Citrix server mustsupport SpeedScreen Latency Reduction for this setting to take effect.
Corresponding UI Element:
● For applicationsetname: Settings dialog box > Default Options tab > SpeedScreenLatency Reduction menu; Local text echo option
● For applicationservername: Properties dialog box > Options tab > SpeedScreen LatencyReduction menu; Local Text Echo option
ADM UI Element: XenApp server > User Experience > Client graphic settings > Speed ScreenLatency Reduction - keyboard Local echo
Section Server
Feature ZLC
Attribute Name INI_ZLC_MODE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
0 Always off - Default
1 Always on
2 Auto
INI LocationINI File Section Value
All_Regions.ini Virtual Channels\Zero Latency *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Zero Latency
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Zero Latency
*
ZLKeyboardMode
889
890
ZLMouseMode
Specifies whether or not to use mouse click feedback.
Set a value for mouse zero latency (mouse pointer prediction), 2, 1 or 0.
For ZLMouseMode=2 (Auto), mouse click feedback is used if the connection latency exceedsthe high latency threshold set using the SpeedScreen Latency Reduction Manager. The Citrixserver must support SpeedScreen Latency Reduction for this setting to take effect.
Interface Element:
● For applicationsetname: Settings dialog box > Default Options tab > SpeedScreenLatency Reduction menu; Mouse Click Feedback option
Enabling SpeedScreen Latency Reduction settings allows the client to predict how mousemovement and text entry will appear on the server. This results in the user gettingimmediate feedback when typing or moving the mouse pointer.
ADM UI Element: Citrix Components > Citrix Receiver > User experience > Client graphicssettings > SpeedScreen Latency Reduction - mouse pointer prediction
Section Server
Feature ZLC
Attribute Name INI_MOUSEZLMODE
Data Type Integer
Access Type Read
UNIX Specific No
Present in ADM Yes
ValuesValue Description
2 Auto - Default
0 Always Off
1 Always On
INI Location
INI File Section Value
All_Regions.ini Virtual Channels\Zero Latency *
Registry LocationRegistry Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Zero Latency
*
HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Zero Latency
*
ZLMouseMode
891