
Citrix Receiver for Windows

Date post: 24-Oct-2014
Upload: kersic1
Receiver for Windows © 2011 Citrix Systems, Inc. All rights reserved. Terms of Use | Trademarks | Privacy Statement


Contents

Receiver for Windows

Receiver for Windows 3.2

Receiver for Windows 3.2

About Receiver for Windows 3.2

System Requirements

Get Started

Citrix Connection Center Overview

Providing Virtual Desktops to Receiver Users

Install and Uninstall

Installing and Uninstalling Receiver for Windows Manually

Upgrading the Desktop Viewer and Desktop Appliance Lock

To install the Citrix Desktop Lock

User Accounts Used to Install the Citrix Desktop Lock

To remove the Citrix Desktop Lock

To configure and install the Citrix Receiver for Windows using command-line parameters

Delivering Receiver Using Active Directory and Sample Startup Scripts

Using the Per-User Sample Startup Scripts

Deploying CitrixReceiver.exe from Receiver for Web

Deploying the CitrixReceiver.exe from a Web Interface Logon Screen

Configure

Using the Group Policy Object Template to Customize Receiver

Configuring Access to Accounts Manually

To customize user preferences for the Receiver (Enterprise)

Configuring USB Support for XenDesktop Connections

How USB Support Works

Mass Storage Devices

USB Device Classes Allowed by Default

USB Device Classes Denied by Default

Updating the List of USB Devices Available for Remoting

Configuring Bloomberg Keyboards

Configuring User-Driven Desktop Restart

To prevent the Desktop Viewer window from dimming

To configure the Citrix Desktop Lock

To configure settings for multiple users and devices

Canadian Keyboard Layouts and Updating from Presentation Server Clients Version 10.200

Auto-Repair

Optimize

Improving Receiver Performance

Reducing Application Launch Time

Reconnecting Users Automatically

Providing HDX Broadcast Session Reliability

Improving Performance over Low-Bandwidth Connections

Connecting User Devices and Published Resources

Configuring Workspace Control Settings to Provide Continuity for Roaming Users

Making Scanning Transparent for Users

Mapping User Devices

Mapping Client Drives to XenApp Server Drive Letters

HDX Plug-n-Play for USB Storage Devices

HDX Plug-n-Play USB Device Redirection for XenApp Connections

Mapping Client Printers for More Efficiency

To map a client COM port to a server COM port

Mapping Client Audio to Play Sound on the User Device

Associating User Device File Types with Published Applications

Using the Window Manager when Connecting to Citrix XenApp for UNIX

Terminating and Disconnecting Sessions

Using ctxgrab and ctxcapture to Cut and Paste Graphics When Connected to XenApp for UNIX

Using the ctxgrab Utility to Cut and Paste Graphics

Using the ctxcapture Utility to Cut and Paste Graphics

Matching Client Names and Computer Names

DNS Name Resolution

Using Proxy Servers with XenDesktop Connections

User Experience

ClearType Font Smoothing in Sessions

Client-Side Microphone Input

Configuring HDX Plug-n-Play Multi-monitor Support

Printing Performance

To override the printer settings configured on the server

To set keyboard shortcuts

Keyboard Input in XenDesktop Sessions

Receiver Support for 32-Bit Color Icons

Connecting to Virtual Desktops

Secure Connections

To enable certificate revocation list checking for improved security with Receiver (CitrixReceiver.exe)

Smart Card Support for Improved Security

To enable pass-through authentication when sites are not in Trusted Sites or Intranet zones

Using Security Support Provider Interface/Kerberos Pass-Through Authentication for Improved Security

To configure Kerberos with pass-through authentication

Secure Communications

Support for Microsoft Security Templates

Connecting with Access Gateway Enterprise Edition

Connecting with Access Gateway 5.0

Connecting with Secure Gateway

Connecting the Citrix Receiver through a Proxy Server

Connecting with Secure Sockets Layer Relay

Connecting with Citrix SSL Relay

User Device Requirements

To apply a different listening port number for all connections

To apply a different listening port number to particular connections only

Configuring and Enabling Receivers for SSL and TLS

Installing Root Certificates on the User Devices

To configure Web Interface to use SSL/TLS for Receiver

To configure TLS support

To use the Group Policy template on Web Interface to meet FIPS 140 security requirements

To configure the Web Interface to use SSL/TLS when communicating with Citrix Receiver

To configure Citrix XenApp to use SSL/TLS when communicating with Citrix Receiver

To configure Citrix Receiver to use SSL/TLS when communicating with the server running the Web Interface

ICA File Signing - Protection Against Application or Desktop Launches From Untrusted Servers

Selecting and Distributing a Digital Signature Certificate

Configuring a Web Browser and ICA File to Enable Single Sign-on and Manage Secure Connections to Trusted Servers

To set client resource permissions

Enabling Smart Card Logon

Enforcing Trust Relations

Elevation Level and wfcrun32.exe

Receiver for Windows 3.1

Receiver for Windows 3.1

About Citrix Receiver for Windows 3.1

System Requirements

Get Started

Citrix Connection Center Overview

Providing Virtual Desktops to Receiver Users

Install and Uninstall

Installing and Uninstalling Receiver for Windows Manually

Upgrading the Desktop Viewer and Desktop Appliance Lock

To install the Citrix Desktop Lock

User Accounts Used to Install the Citrix Desktop Lock

To remove the Citrix Desktop Lock

To configure and install the Citrix Receiver for Windows using command-line parameters

Delivering Receiver Using Active Directory and Sample Startup Scripts

Using the Per-User Sample Startup Scripts

Deploying CitrixReceiver.exe from Receiver for Web

Deploying the CitrixReceiver.exe from a Web Interface Logon Screen

Configure

Using the Group Policy Object Template to Customize the Receiver

Configuring Access to Accounts Manually

To customize user preferences for the Receiver (Enterprise)

Configuring USB Support for XenDesktop Connections

How USB Support Works

Mass Storage Devices

USB Device Classes Allowed by Default

USB Device Classes Denied by Default

Updating the List of USB Devices Available for Remoting

Configuring Bloomberg Keyboards

Configuring User-Driven Desktop Restart

To prevent the Desktop Viewer window from dimming

To configure the Citrix Desktop Lock

To configure settings for multiple users and devices

Canadian Keyboard Layouts and Updating from Presentation Server Clients Version 10.200

Auto-Repair

Optimize

Improving Receiver Performance

Reducing Application Launch Time

Reconnecting Users Automatically

Providing HDX Broadcast Session Reliability

Improving Performance over Low-Bandwidth Connections

Connecting User Devices and Published Resources

Configuring Workspace Control Settings to Provide Continuity for Roaming Users

Making Scanning Transparent for Users

Mapping User Devices

Mapping Client Drives to XenApp Server Drive Letters

HDX Plug-n-Play for USB Storage Devices

HDX Plug-n-Play USB Device Redirection for XenApp Connections

Mapping Client Printers for More Efficiency

To map a client COM port to a server COM port

Mapping Client Audio to Play Sound on the User Device

Associating User Device File Types with Published Applications

Using the Window Manager when Connecting to Citrix XenApp for UNIX

Terminating and Disconnecting Sessions

Using ctxgrab and ctxcapture to Cut and Paste Graphics When Connected to XenApp for UNIX

Using the ctxgrab Utility to Cut and Paste Graphics

Using the ctxcapture Utility to Cut and Paste Graphics

Matching Client Names and Computer Names

DNS Name Resolution

Using Proxy Servers with XenDesktop Connections

User Experience

ClearType Font Smoothing in Sessions

Client-Side Microphone Input

Configuring HDX Plug-n-Play Multi-monitor Support

Printing Performance

To override the printer settings configured on the server

To set keyboard shortcuts

Keyboard Input in XenDesktop Sessions

Receiver Support for 32-Bit Color Icons

Connecting to Virtual Desktops

Secure Connections

To enable certificate revocation list checking for improved security with Receiver (CitrixReceiver.exe)

Smart Card Support for Improved Security

To enable pass-through authentication when sites are not in Trusted Sites or Intranet zones

Using Security Support Provider Interface/Kerberos Pass-Through Authentication for Improved Security

To configure Kerberos with pass-through authentication

Secure Communications

Support for Microsoft Security Templates

Connecting with Access Gateway Enterprise Edition

Connecting with Access Gateway 5.0

Connecting with Secure Gateway

Connecting the Citrix Receiver through a Proxy Server

Connecting with Secure Sockets Layer Relay

Connecting with Citrix SSL Relay

User Device Requirements

To apply a different listening port number for all connections

To apply a different listening port number to particular connections only

Configuring and Enabling Receivers for SSL and TLS

Installing Root Certificates on the User Devices

To configure Web Interface to use SSL/TLS for Receiver

To configure TLS support

To use the Group Policy template on Web Interface to meet FIPS 140 security requirements

To configure the Web Interface to use SSL/TLS when communicating with Citrix Receiver

To configure Citrix XenApp to use SSL/TLS when communicating with Citrix Receiver

To configure Citrix Receiver to use SSL/TLS when communicating with the server running the Web Interface

ICA File Signing - Protection Against Application or Desktop Launches From Untrusted Servers

Selecting and Distributing a Digital Signature Certificate

Configuring a Web Browser and ICA File to Enable Single Sign-on and Manage Secure Connections to Trusted Servers

To set client resource permissions

Enabling Smart Card Logon

Enforcing Trust Relations

Elevation Level and wfcrun32.exe

Receiver for Windows 3.0

Citrix Receiver for Windows 3.0

About Receiver for Windows 3.0

System Requirements

Get Started

Citrix Receiver for Windows Overview

Citrix Connection Center Overview

Providing Virtual Desktops to Receiver Users

Install and Uninstall

Installing and Uninstalling Receiver for Windows Manually

Upgrading the Desktop Viewer and Desktop Appliance Lock

To install the Citrix Desktop Lock

User Accounts Used to Install the Citrix Desktop Lock

To remove the Citrix Desktop Lock

To configure and install the Citrix Receiver for Windows using command-line parameters

To extract, install, and remove the individual Receiver (Enterprise) .msi files

Delivering Receiver Using Active Directory and Sample Startup Scripts

Using the Per-User Sample Startup Scripts

Deploying the CitrixReceiver.exe from a Web Interface Logon Screen

Configure

Using the Group Policy Object Template to Customize the Receiver

To customize user preferences for the Receiver (Enterprise)

Configuring USB Support for XenDesktop Connections

How USB Support Works

Mass Storage Devices

USB Device Classes Allowed by Default

USB Device Classes Denied by Default

Updating the List of USB Devices Available for Remoting

Configuring Bloomberg Keyboards

Configuring User-Driven Desktop Restart

To prevent the Desktop Viewer window from dimming

To configure the Citrix Desktop Lock

To configure settings for multiple users and devices

Canadian Keyboard Layouts and Updating from Presentation Server Clients Version 10.200

Auto-Repair

Optimize

Improving Receiver Performance

Reducing Application Launch Time

Reconnecting Users Automatically

Providing HDX Broadcast Session Reliability

Improving Performance over Low-Bandwidth Connections

Connecting User Devices and Published Resources

To enable pass-through authentication when sites are not in Trusted Sites or Intranet zones

Configuring Workspace Control Settings to Provide Continuity for Roaming Users

Making Scanning Transparent for Users

Mapping User Devices

Mapping Client Drives to XenApp Server Drive Letters

HDX Plug-n-Play for USB Storage Devices

HDX Plug-n-Play USB Device Redirection for XenApp Connections

Mapping Client Printers for More Efficiency

To map a client COM port to a server COM port

Mapping Client Audio to Play Sound on the User Device

Associating User Device File Types with Published Applications

Using the Window Manager when Connecting to Citrix XenApp for UNIX

Terminating and Disconnecting Sessions

Using ctxgrab and ctxcapture to Cut and Paste Graphics When Connected to XenApp for UNIX

Using the ctxgrab Utility to Cut and Paste Graphics

Using the ctxcapture Utility to Cut and Paste Graphics

Matching Client Names and Computer Names

Providing Support for NDS Users

Specifying Windows Credentials with the Novell Client and Pass-Through Authentication

DNS Name Resolution

Using Proxy Servers with XenDesktop Connections

User Experience

ClearType Font Smoothing in Sessions

Client-Side Microphone Input

Configuring HDX Plug-n-Play Multi-monitor Support

Printing Performance

To override the printer settings configured on the server

To set keyboard shortcuts

Keyboard Input in XenDesktop Sessions

Receiver Support for 32-Bit Color Icons

Connecting to Virtual Desktops

Secure Connections

To enable certificate revocation list checking for improved security with Receiver (CitrixReceiver.exe)

Smart Card Support for Improved Security

To enable pass-through authentication when sites are not in Trusted Sites or Intranet zones

Using Security Support Provider Interface/Kerberos Pass-Through Authentication for Improved Security

To configure Kerberos with pass-through authentication

Secure Communications

Support for Microsoft Security Templates

Connecting the Citrix Receiver through a Proxy Server

Connecting with the Secure Gateway or Citrix Secure Sockets Layer Relay

Connecting with the Secure Gateway

Connecting with Citrix SSL Relay

User Device Requirements

To apply a different listening port number for all connections

To apply a different listening port number to particular connections only

Configuring and Enabling Receivers for SSL and TLS

Installing Root Certificates on the User Devices

To configure Citrix Receiver to use SSL/TLS

To configure TLS support

To use the Group Policy template to meet FIPS 140 security requirements

To configure the Web Interface to use SSL/TLS when communicating with Citrix Receiver

To configure Citrix XenApp to use SSL/TLS when communicating with Citrix Receiver

To configure Citrix Receiver to use SSL/TLS when communicating with the server running the Web Interface

ICA File Signing - Protection Against Application or Desktop Launches From Untrusted Servers

Selecting and Distributing a Digital Signature Certificate

Configuring a Web Browser and ICA File to Enable Single Sign-on and Manage Secure Connections to Trusted Servers

To set client resource permissions

Enabling Smart Card Logon

Enforcing Trust Relations

Elevation Level and wfcrun32.exe

ICA Settings Reference

ICA Settings Reference

AcceptURLType

Address(2)

AECD

AllowAudioInput

AllowVirtualDriverEx

AllowVirtualDriverExLegacy

AltProxyAutoConfigURL(2)

AltProxyBypassList(2)

AltProxyHost(2)

AltProxyPassword(2)

AltProxyType(2)

AlwaysSendPrintScreen

AppendUsername

AudioBandwidthLimit

AudioDevice(2)

AudioDuringDetach

AudioHWSection

AudioInWakeOnInput

AudioOutWakeOnOutput

AUTHPassword

AUTHUserName

AutoLogonAllowed

BrowserProtocol

BrowserRetry(2)

BrowserTimeout(2)

BUCC(2)

BufferLength

BufferLength2

BypassSmartcardDomain

BypassSmartcardPassword

BypassSmartcardUsername

CbChainInterval

CDMAllowed

CDMReadOnly

CFDCD

CGPAddress

ChannelName

ClearPassword

ClientAudio

ClientName

ClipboardAllowed

COCD

ColorMismatchPrompt_Have16M_Want256

ColorMismatchPrompt_Have16_Want256

ColorMismatchPrompt_Have64k_Want256

COMAllowed(2)

Command

CommandAckThresh

CommPollSize

CommPollWaitInc

CommPollWaitIncTime

CommPollWaitMax

CommPollWaitMin

CommWakeOnInput

ConnectionFriendlyName

ContentRedirectionScheme

ControlPollTime

ConverterSection

CPMAllowed

CRBrowserAcceptURLtype

CRBrowserCommand

CRBrowserPath

CRBrowserPercentS

CRBrowserRejectURLtype

CREnabled

CRPlayerAcceptURLtype

CRPlayerCommand

CRPlayerPath

CRPlayerPercentS

CRPlayerRejectURLtype

DataAckThresh

DataBits

DefaultHttpBrowserAddress

DeferredUpdateMode

DesiredColor(5)

DeviceName

DisableCtrlAltDel

DisableDrives

DisableMMMaximizeSupport

DisableSound

DisableUPDOptimizationFlag

Domain

DriverNameAlt

DriverNameAltWin32

DriverNameWin32(12)

DTR

DynamicCDM

EmulateMiddleMouseButton

EmulateMiddleMouseButtonDelay

EnableAsyncWrites

EnableAudioInput

EnableClientSelectiveTrust

EnableInputLanguageToggle

EnableOSS

EnableReadAhead

EnableRtpAudio

EnableSessionSharing

EnableSessionSharingClient

EnableSessionSharingHost(2)

EnableSSOThruICAFile

EncryptionLevelSession

endIFDCD

FONTSMOOTHINGTYPE

ForceLVBMode

FriendlyName

FullScreenBehindLocalTaskbar

FullScreenOnly

HotKey10Char

HotKey10Shift

HotKey1Char

HotKey1Shift

HotKey2Char

HotKey2Shift

HotKey3Char

HotKey3Shift

HotKey4Char

HotKey4Shift

HotKey5Char

HotKey5Shift

HotKey6Char

HotKey6Shift

HotKey7Char

HotKey7Shift

HotKey8Char

HotKey8Shift

HotKey9Char

HotKey9Shift

HotKeyJPN%dChar

HowManySkipRedrawPerPaletteChange

HttpBrowserAddress

ICAHttpBrowserAddress

ICAKeepAliveEnabled

ICAKeepAliveInterval

ICAPortNumber

ICAPrntScrnKey

ICASOCKSProtocolVersion(2)

ICASOCKSProxyHost(2)

ICASOCKSProxyPortNumber(2)

InitialProgram

InitialProgram(2)

InputEncoding

InstallColormap

IOBase

KeyboardLayout

KeyboardSendLocale

KeyboardTimer(2)

KeyboardType

Launcher

LaunchReference

LicenseType

LocalIME

LocHttpBrowserAddress

LockdownProfiles

LogAppend

LogConfigurationAccess

LogConnect

LogErrors

LogEvidence

LogFile

LogFileGlobalPath

LogFileWin32

LogFlush

LogonTicket

LogonTicketType

LongCommandLine

Lpt1

Lpt2

Lpt3

LPWD

LvbMode2

MaxDataBufferSize

MaxMicBufferSize

MaxOpenContext

MaxPort

MaxWindowSize

MinimizeOwnedWindows

MissedKeepaliveWarningMsg

MissedKeepaliveWarningTime

MouseTimer

MouseWheelMapping

MSIEnabled

NativeDriveMapping

NDS

NRUserName

NRWD

NumCommandBuffers

NumDataBuffers

OutBufCountClient

OutBufCountClient2

OutBufCountHost

OutBufCountHost2

OutBufLength

PassThroughLogoff

Password

Path

PCSCCodePage

PCSCLibraryName

PercentS

PersistentCacheEnabled

PersistentCacheGlobalPath

PersistentCacheMinBitmap(2)

PersistentCachePath

PersistentCachePercent

PersistentCacheSize(2)

PersistentCacheUsrRelPath

PingCount

PlaybackDelayThresh

PNPDeviceAllowed

pnStartSCD

Port1

Port2

POSDeviceAllowed

PrinterFlowControl

PrinterResetTime

PrinterThreadPriority

PrintMaxRetry

ProxyAuthenticationBasic(2)

ProxyAuthenticationKerberos

ProxyAuthenticationNTLM(2)

ProxyAuthenticationPrompt(2)

ProxyAutoConfigURL(2)

ProxyBypassList

ProxyFallback(2)

ProxyFavorIEConnectionSetting(2)

ProxyHost(3)

ProxyPassword(2)

ProxyPort

ProxyTimeout

ProxyType

ProxyUseDefault

ProxyUseFQDN(2)

ProxyUsername

ReadersStatusPollPeriod

RECD(2)

RegionIdentification

RejectURLType

RemoveICAFile

ResMngrRunningPollPeriod

REWD(2)

RtpAudioHighestPort

RtpAudioLowestPort

ScalingHeight

ScalingMode

ScalingPercent

ScalingWidth

Schedule

ScreenPercent

SecureChannelProtocol(2)

SecurityTicket

SessionReliabilityTTL

SessionSharingKey

SessionSharingLaunchOnly

SFRAllowed

SkipRedrawPerPaletteChange

SmartCardAllowed

SpeedScreenMMA

SpeedScreenMMAAudioEnabled

SpeedScreenMMAMaxBufferThreshold

SpeedScreenMMAMaximumBufferSize

SpeedScreenMMAMinBufferThreshold

SpeedScreenMMASecondsToBuffer

SpeedScreenMMAVideoEnabled

SSLCACert

SSLCertificateRevocationCheckPolicy(2)

SSLCiphers

SSLCommonName

SSLEnable

SSLProxyHost(2)

SSOnCredentialType(3)

SSOnDetected

SSOnUserSetting

SSPIEnabled

startIFDCD(3)

startSCD(2)

State

SucConnTimeout

SwapButtons

TransparentKeyPassthrough

TransportReconnectDelay

TransportReconnectEnabled

TransportReconnectRetries

TransportSilentDisconnect

TRWD

Tw2CachePower

TW2StopwatchMinimum

TW2StopwatchScale

TwainAllowed

TWIEmulateSystray

TWIFullScreenMode

TWIIgnoreWorkArea

TWIMode

TWISeamlessFlag

TWIShrinkWorkArea

TWISuppressZZEcho

TWITaskbarGroupingMode

UnicodeEnabled

UseAlternateAddress(3)

UseDefaultEncryption

UseLocalUserAndPassword(2)

UseMRUBrowserPrefs

Username(3)

UserOverride

UsersShareIniFiles

UseSSPIOnly

VariantName

VirtualChannels

VirtualCOMPortEmulation

VirtualDriver

VirtualDriverEx

VSLAllowed(2)

Win32FavorRetainedPrinterSettings

WindowManagerMoveIgnored

WindowManagerMoveTimeout

WindowsCache

WindowSize

WindowSize

WindowSize

WindowSize2

WindowsPrinter

WindowsPrinter

WorkDirectory

WpadHost

XmlAddressResolutionType

ZLAutoHiLimit

ZLAutoLowLimit

ZLDiskCacheSize

ZLFntMemCacheSize

ZLKeyboardMode

ZLMouseMode

Receiver for Windows

Citrix Receiver for Windows delivers a common user interface whether using only Receiver or with any other Citrix Plug-ins and provides secure, simple, high-performance, on-demand access to virtual desktops, enterprise applications, and IT services by enabling:

● Delivery of business applications to any user on any device

● Secure access and complete IT control and visibility

Quick Links

● Receiver for Windows 3.2

● About Receiver for Windows 3.2

● System Requirements and Compatibility for Receiver for Windows 3.2

● Receiver for Windows Overview


Receiver for Windows 3.2

Quick Links

● About this Release

● Issues Fixed in Receiver for Windows 3.2

● System Requirements and Compatibility

● Licensing Your Product

● Overview of Citrix Receiver for Windows Installation Packages

● To configure and install the Citrix Receiver for Windows using command-line parameters

● Using the Receiver with XenDesktop Connections

● Optimizing the Receiver Environment

● Improving the Receiver User Experience

● Securing Your Connections

● Securing Citrix Receiver Communication


About Receiver for Windows 3.2

What's New in this Release

When used with Citrix Storefront 1.1, this release of Receiver for Windows (standard, CitrixReceiver.exe) supports single authentication to Receiver and the browser for Web and SaaS apps published through AppController 1.1. Receiver users will now authenticate with those apps as they have for published Windows apps. No Receiver-specific administration is needed to use the additional single authentication support.

The Receiver Enterprise package did not change for this release. It is required only to support applications that use Smart Card authentication.

Known Issues

This section contains:

● General issues

● Known issues - Desktop connections

● Third-party issues

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

General Issues

● When configured with multiple stores, Receiver might confuse the gateways required to connect to a store, causing incorrect apps to be available to users. Workaround: Configure only one store. [#263165]

● When Receiver Storefront is configured with multiple external beacon points, Receiver for Windows does not enumerate applications if all of the beacons respond with the same URL. Workaround: Retain the configuration for only one external beacon. Alternatively, keep all beacons and add a beacon that points to a non-existing URL. [#299560]

● If you use the Receiver with XenApp 5.0 Feature Pack 2 for Windows Server 2003 (32- or 64-bit editions), the Receiver plays audio even when you configure the Turn off speakers policy setting to disable the audio. [#242703]

● You might receive an error message when trying to launch an application with Web Interface after installing a previous version of the Receiver (Online plug-in) while logged in as one user, upgrading with CitrixReceiver.exe as another user, logging off the Receiver, and logging back on with the previous user name. The error message is: Citrix online plug-in Configuration Manager: No value could be found for (ClientHostedApps) that satisfies all lock down requirements. The lockdown requirements in force may be conflicting. [#261877]

As a workaround, set the following registry key:

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Control

Name: ClientHostedApps

Value: FALSE (or set to * / TRUE if you have overridden the defaults in HKEY_LOCAL_MACHINE)

● If you use Web Interface with Internet Explorer 8 and Windows 7 to upgrade to this version of Citrix Receiver, the upgrade finishes, but the Upgrade in Progress message remains on the screen and the log on screen does not appear. Workaround: Restart the browser. [#247858]

● When you launch applications using the Web Interface, Connection Center does not enumerate the sessions. [#261177]

● After you launch a published application that is filtered by XenApp for Access Gateway, other published applications do not launch. [#263003]

● In some environments, content redirection may not work until the published application is launched for the first time. [#252515]

● Before installing Receiver for Windows on a Windows XP Embedded thin client device, increase the RAM disk limit of the device to 100 MB. [#266384]

● When versions of Receiver are localized in Traditional Chinese, Korean, or Russian and integrated with Access Gateway Standard Edition, the Receiver log on screen displays in English because of an Access Gateway Standard Edition language limitation. [#263442]

● After a silent installation of Receiver, the Receiver Preferences > Plug-in status page might not list the plug-ins. [#302588]

● When the offline plug-in is not installed and a streamed application is configured to fall back to ICA and the XenApp server is down, an incorrect error message appears informing you that the correct plug-in is not installed. [#273813]

● If Certificate Revocation List (CRL) checking is disabled in Internet Options on the user device, this overrides the CertificateRevocationCheck registry setting for Receiver for Windows. This means users may be able to access Web sites that do not have valid certificates. As a workaround, ensure that the Check server revocation option located at Settings > Control Panel > Internet Options > Advanced is enabled. [#32682]

● Receiver does not support the VPN keyword in Access Gateway ClientChoices mode. [#274828]

● If the VPN keyword is removed from an application after a user subscribes to it, Receiver continues to attempt an Access Gateway connection for the application. Workaround: Unsubscribe and then re-subscribe to the application to synchronize the VPN keyword removal on Receiver. [#298387]

Desktop Connections

● Loss of video is experienced if files are being played with a published version of Windows Media Player through a virtual desktop session, and the Desktop Viewer window is changed from full-screen to window mode. As a workaround, minimize and restore the Media Player window, and then pause and resume the application (or stop and restart it). [#246230]

● You cannot log off normally from Windows XP 32-bit virtual desktops if you start (but do not log on to) the Receiver in the desktop session. If the Receiver logon dialog box is not completed, you cannot log off from the desktop. To work around the issue, complete the logon dialog box or close it. This issue is not observed on other virtual desktop operating systems. [#246516]

● If virtual desktops are installed with the Virtual Desktop Agent supplied with XenDesktop 5.0, Receiver for Windows 3.0 displays an error if the user starts a published application from the desktop. The workaround is to use the Virtual Desktop Agent supplied with XenDesktop 5.5. [#263079]

● The Citrix Desktop Lock does not redirect Adobe Flash content to domain-joined user devices. The content can be viewed but is rendered on the server, not locally. As a workaround, Adobe Flash redirection can be configured for server-side content fetching to pass the content from the server to the user device. This issue does not occur on non-domain-joined devices or when the content is viewed with the Desktop Viewer. [#263092]

● The Desktop Viewer Devices menu may not close when the user clicks the Devices icon. It also may remain open after its corresponding dialog box closes. If this occurs, click the Devices icon again. [#262202]

● Windows Media Player, when displayed in the non-primary monitor of a two-monitor Windows user device, may not work as expected. Due to an issue with the DirectX video mixing renderer filter VMR-9, the screen is black and there is no sound, although the player's progress bar advances. To correct this issue, edit the registry on the user device from which the XenDesktop connection is launched. In the HKEY_CURRENT_USER\Software\Citrix subkey, create the HdxMediaStream key. Name the key DisableVMRSupport. Set the type as REG_DWORD. Give the key the value 3. [#262852]

Third-Party Issues

● When using Internet Explorer to open a Microsoft Office document in Edit mode fromSharePoint, Microsoft Office might display the message, “Access denied.” Workaround:Go to the SharePoint site and check out the document, edit it, and check the file backin to SharePoint. [#258725]

System Requirements and Compatibility for Receiver for Windows

● Supported Windows Operating Systems:

● Windows 7, 32-bit and 64-bit editions (including Embedded Edition)

● Windows XP Professional, 32-bit and 64-bit editions

● Windows XP Embedded

● Windows Vista, 32-bit and 64-bit editions

● Windows Thin PC

● Windows Server 2008 R1, 32-bit and 64-bit editions (not supported by XenDesktop connections)

● Windows Server 2008 R2, 64-bit edition (not supported by XenDesktop connections)

● Windows Server 2003, 32-bit and 64-bit editions (not supported by XenDesktop connections)

Important: For XenDesktop connections, be aware that the Citrix Desktop Lock is only supported on Windows XP Professional, Windows XP Embedded, Windows 7, and Windows Embedded Standard 7. If your deployment includes smart cards, and Windows 7 or Windows Embedded Standard 7, see the additional requirements in this topic.

● Server support:

● XenApp (any of the following products):

● Citrix XenApp 6.5 for Windows Server 2008 R2

● Citrix XenApp 6 for Windows Server 2008 R2

● Citrix XenApp 5 for Windows Server 2008

● Citrix XenApp 5 for Windows Server 2003

● XenDesktop (any of the following products):

● XenDesktop 5.5

● XenDesktop 5

● XenDesktop 4

● To manage connections to apps and desktops, Citrix Receiver supports CloudGateway or Web Interface:

● CloudGateway Express, with Receiver Storefront 1.1 or 1.0 and, for optional access to resources from a web page, Receiver for Web

● CloudGateway Enterprise 1.0, with Receiver Storefront 1.1 or 1.0, for apps hosted on a network, on an Infrastructure as a Service (IaaS) platform, or configured as Software as a Service (SaaS)

● Web Interface 5.x for Windows with a XenApp Services and XenDesktop Web site

● Merchandising Server 2.x

● Connectivity

Citrix Receiver supports HTTPS and ICA-over-SSL connections through any one of the following configurations.

● For LAN connections:

● Receiver Storefront 1.1 or 1.0, using Storefront services or Receiver for Web sites

Single sign on to Web and SaaS apps published through AppController requires Receiver Storefront 1.1.

● Web Interface 5.x for Windows, using XenApp Services and XenDesktop Web sites (Program Neighborhood Agent sites are also supported for legacy installations)

● For secure remote or local connections:

● Citrix Access Gateway VPX

● Citrix Access Gateway 5.0

● Citrix Access Gateway Enterprise Edition 9.x

● Citrix Secure Gateway 3.x

You can use Access Gateway with Receiver Storefront or Web Interface. You can use Secure Gateway only with Web Interface.

● Authentication

Receiver for Windows 3.2, when used with Receiver Storefront 1.1 or 1.0, supports the following authentication methods:

● Domain

● Domain pass-through

Receiver for Web sites do not support domain pass-through authentication.

● Security token

● Two-factor (domain plus security token)*

● Client certificate (requires Access Gateway Enterprise Edition; can be used alone or with other authentication methods)

Receiver for Windows 3.2, when used with Web Interface 5.X, supports the following authentication methods:

● Domain

● Security token

● Two-factor (domain plus security token)*

● SMS*

● Smart card (with or without Access Gateway)

Requires Receiver (Enterprise)

● Client certificate (requires Access Gateway Enterprise Edition; can be used alone or with other authentication methods)

* Available only in deployments that include Access Gateway.

For more information about authentication, refer to the Access Gateway documentation and the "Manage" topics in the Receiver Storefront documentation in eDocs. For information about other authentication methods supported by Web Interface, refer to "Configuring Authentication for the Web Interface" in the Web Interface documentation in eDocs.

● Certificates

For information about security certificates, refer to topics under Secure Connections and Secure Communications.

● Upgrades. Upgrades are supported only for Citrix XenApp Plugin for Hosted Apps 11.0, Desktop Receiver 11.1, and Citrix online plug-in 11.1, 11.2, 12.0, and 12.1, and Receiver for Windows 3.0 releases.

● Availability of the Receiver for Windows 3.2 features. Some of the features and functionality of Receiver are available only when connecting to newer XenApp and XenDesktop versions and might require the latest hotfixes for XenApp, XenDesktop, and Secure Gateway.

● Previous versions of the Presentation Server Client/Online Plug-in and the current icaclient.adm file. Previous versions of the Presentation Server Client and Online Plug-in are not compatible with the Receiver for Windows 3.2 icaclient.adm file.

● Supported Browsers:

● Internet Explorer Version 6.0 through 9.0

● Mozilla Firefox Version 1.x through 5.x

● Google Chrome Version 10.0 and later

● .NET Framework Requirements

● The Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package is required to ensure that the Receiver icon displays correctly. The package is included with .NET 2.0 Service Pack 1, .NET 3.5, and .NET 3.5 Service Pack 1; it is also available separately.

● For XenDesktop connections: To use the Desktop Viewer, .NET 2.0 Service Pack 1 or later is required. This version is required because, if Internet access is not available, certificate revocation checks slow down connection startup times. The checks can be turned off and startup times improved with this version of the Framework but not with .NET 2.0. Use of the Citrix Desktop Lock does not require the .NET Framework to be installed.

● Hardware Requirements:

● VGA or SVGA video adapter with color monitor

● Windows-compatible sound card for sound support (optional)

● For network connections to the server farm, a network interface card (NIC) and the appropriate network transport software

● Supported Connection Methods and Network Transports:

● TCP/IP+HTTP

● SSL/TLS+HTTPS

● HDX MediaStream Multimedia Acceleration

Applications and media formats supported by HDX MediaStream Multimedia Acceleration are:

● Applications based on Microsoft’s DirectShow, DirectX Media Objects (DMO), and Media Foundation filter technologies such as Windows Media Player and RealPlayer.

● Applications like Internet Explorer and Microsoft Encarta are also supported, as they leverage Windows Media Player.

● Both file-based and streaming (URL-based) media formats: WAV, all variations of MPEG, unprotected Windows Media Video (WMV), and Windows Media Audio (WMA).

Note: HDX MediaStream Multimedia Acceleration does not support media files protected with Digital Rights Management (DRM).

Smart Cards and the Citrix Desktop Lock

The Citrix Desktop Lock can be used with smart cards connected to domain-joined user devices running Windows XP or Windows XPe but not Windows 7 or Windows Embedded Standard 7. This limitation does not apply to non-domain-joined user devices.

Citrix Receiver for Windows Overview

Citrix Receiver for Windows (Citrix Receiver) delivers apps, desktops, and IT services to Windows PCs. Citrix Receiver supports Citrix CloudGateway:

● CloudGateway Express enables XenApp and XenDesktop customers to deliver Windows apps and desktops by using a unified Storefront with self-service.

● CloudGateway Enterprise enables enterprises to aggregate, control, and deliver all of their Windows, web and SaaS apps.

Receiver also supports Citrix Web Interface for legacy deployments.

Receiver handles the following functions:

● User authentication. Receiver provides user credentials to CloudGateway or Web Interface when users try to connect and every time they launch published resources.

● Application and content enumeration. Receiver presents users with their individual set of published resources.

● Application launching. Receiver is the local engine used to launch published applications.

● Desktop integration. Receiver integrates a user’s set of published resources (including virtual desktops) with the user’s physical desktop.

● User preferences. Receiver validates and implements local user preferences.

Two Citrix Receiver packages are available.

● Citrix Receiver (standard, CitrixReceiver.exe) supports Citrix CloudGateway and, for legacy deployments, Web Interface. Standard Receiver features include:

● Receiver Experience, enabling users to seamlessly transition between devices and connection types

● Web plug-in

● Authentication Manager

● Single sign-on/pass-through authentication

● Self-service

● Generic USB (XenDesktop)

● Desktop Viewer (XenDesktop)

● HDX Media Stream for Flash

● Aero desktop experience (for operating systems that support it)

● Citrix Receiver (enterprise, CitrixReceiverEnterprise.exe) is required only for applications that use Smart Card authentication. It supports Web Interface only and includes the same features as the standard package except for Authentication Manager and self-service.

Using the Citrix CloudGateway

CitrixReceiver.exe enables access to Storefront published resources and virtual desktops from anywhere. Configure a provisioning file to provide native self-service access or configure a Receiver for Web site to provide web browser access to Storefront-published resources and virtual desktops.

Using with XenApp

Both Receiver packages support the XenApp feature set. Centrally administer and configure the Receiver in the Receiver Storefront management console (or, if using Web Interface, in the Web Interface Management Console using a Receiver site created in association with a site for the server running the Web Interface).

You can use both Receiver packages with the Citrix offline plug-in to provide application streaming to the user desktop. For more information about the streamed application feature, see the Application Streaming documentation in eDocs.

The Desktop Viewer is not supported with XenApp connections.

Using with XenDesktop

Receiver includes the Desktop Viewer, the client-side software that supports XenDesktop. Users running the Desktop Viewer on their devices access virtual desktops created with XenDesktop in addition to their local desktop. Users running the Citrix Desktop Lock (which you install in addition to the Desktop Viewer) interact only with the virtual desktop, not the local desktop.

Citrix Connection Center Overview

The Citrix Connection Center displays all connections established from the Receiver.

The ICA Connections window displays a list of active sessions. Each server entry in the list represents a session. For each seamless session, below each server entry, a list of the published resources you are running on that server appears.

After you launch a published resource, you can access the Connection Center by right-clicking the Receiver icon in your Windows notification area and choosing Online Sessions > Connection Center. You can also access the Connection Center from the Preferences > Plug-in Status screen.

The Connection Center offers various options to view statistics and control sessions and applications:

● Disconnect a session from a server but leave the session running on it

● End a server session

● Switch from seamless mode to full screen mode

● Seamless mode. Published applications and desktops are not contained within a session window. Each published application and desktop appears in its own resizable window, as if it is physically installed on your user device. You can switch between published applications and the local desktop.

● Full screen mode. Published applications are placed in a full screen-sized desktop.

● Show connection status details like frames sent and received

● Terminate an individual published application

● Set access permissions

Providing Virtual Desktops to Receiver Users

This topic applies to XenDesktop deployments only.

Different enterprises have different corporate needs, and your requirements for the way users access virtual desktops may vary from user to user, and as your corporate needs evolve. The user experience of connecting to virtual desktops and the extent of user involvement in configuring the connections depend on how you set up the Citrix Receiver for Windows. You have two options for providing users with access to virtual desktops: using the Desktop Viewer or the Citrix Desktop Lock.

Important: Do not attempt to use the Desktop Viewer or the Desktop Lock to connect to desktops published with XenApp.

Desktop Viewer

Use the Desktop Viewer when users need to interact with their local desktop as well as the virtual one. In this access scenario, the Desktop Viewer toolbar functionality allows the user to open a virtual desktop in a window and pan and scale that desktop inside their local desktop. Users can set preferences and work with more than one desktop using multiple XenDesktop connections on the same user device.

Citrix Desktop Lock

Use the Desktop Lock when users do not need to interact with the local desktop. In this access scenario, the Desktop Viewer is not available and the virtual desktop effectively replaces the local one, allowing the user to interact with the virtual desktop as if it is local. This provides the best user experience in a XenDesktop environment.

To decide which option best suits your deployment, consider how you want users to access and interact with virtual desktops.

To understand the user experience of connecting to desktops created with XenDesktop, consult the planning topics in the XenDesktop documentation.

Overview of Citrix Receiver for Windows Installation Packages

This release contains two installation packages and offers several options for installing the Citrix Receiver for Windows. You can install the two Receiver installer packages with almost no user interaction.

● CitrixReceiver.exe - This Receiver (standard) does not require administrator rights to install unless it will use pass-through authentication. It can be installed:

● Automatically from Receiver for Web or from Web Interface

● By the user

● Using an Electronic Software Distribution (ESD) tool

● CitrixReceiverEnterprise.exe - This Receiver (Enterprise) requires administrator rights to install. Although the user can install Receiver (Enterprise), it is usually installed with an ESD tool. Uninstall other Receiver versions before installing Receiver (Enterprise).

Important: Upgrades are supported only from Citrix online plug-in 11.2 and 12.x. Remove any earlier versions before installing this version.

Considerations When Upgrading

Because there are two Citrix Receiver installation packages and there were two online plug-in packages (web and full) in previous releases, each having different options, you have to consider the previously installed package when planning your upgrade. Use this table to determine how to proceed with your upgrade.

| Currently installed | Upgrade Package | Result |
| --- | --- | --- |
| No Online plug-in installed | CitrixReceiverEnterprise.exe | Citrix Receiver (Enterprise) - web access - but manually configurable for PNA |
| No Online plug-in installed | CitrixReceiver.exe | Citrix Receiver (standard) - web access |
| Online plug-in full configured for PNA or SSO | CitrixReceiverEnterprise.exe | Citrix Receiver (Enterprise) configured for PNA or SSO |
| Online plug-in web | CitrixReceiver.exe | Citrix Receiver (standard) - web access |
| Online plug-in web | CitrixReceiverEnterprise.exe | Citrix Receiver (Enterprise) - web access - but manually configurable for PNA |

The CitrixReceiver.exe upgrade package cannot be used to upgrade the online plug-in full configured for PNA or Citrix Receiver (Enterprise). In both cases, the installer displays an error message and does not alter the previously installed client.

How Installation Outcomes Differ Based on the Operating System, User Type, and Installation Package

The outcome of CitrixReceiver.exe or CitrixReceiverEnterprise.exe package installations differs based on the combination of the operating system on the user device, user type, whether User Account Control (UAC) is enabled or disabled on Windows Vista, Windows 7, and Windows 2008 computers, and which installation package is used.

| Operating system and user type | CitrixReceiver.exe | CitrixReceiverEnterprise.exe |
| --- | --- | --- |
| OS: Windows XP, and Windows Server 2003. User: Administrator | Installation type: per-computer | Installation type: per-computer |
| OS: Windows XP, and Windows Server 2003. User: Standard user | Installation type: per-user | Not supported |
| OS: Windows Vista, Windows 7, and Windows Server 2008. User: Administrator with or without UAC disabled | Installation type: per-computer | Installation type: per-computer |
| OS: Windows Vista, Windows 7, and Windows Server 2008. User: Standard user | Installation type: per-user | Not supported |

Installing and Uninstalling Receiver for Windows Manually

Users can install the Receiver from Receiver for Web, the Web Interface, the installation media, a network share, Windows Explorer, or a command line by running the CitrixReceiverEnterprise.exe or CitrixReceiver.exe installer package. Because the installer packages are self-extracting installations that extract to the user's temp directory before launching the setup program, ensure that there is enough free space available in the %temp% directory.

When the user runs one of the Receiver installation .exe files, a message box immediately appears displaying the progress of the installation.

When you cancel the installation before completion, some components might be installed. In that case, remove the Receiver with the Add/Remove Programs utility from the Control Panel on Windows XP or Windows Server 2003 (Programs and Features utility from the Control Panel on Windows Vista, Windows 7, and Windows Server 2008).

Upgrades are supported only from the Citrix XenApp Plugin for Hosted Apps 11.0, Desktop Receiver 11.1, and Citrix online plug-in 11.1, 11.2, and 12.x. Remove any earlier versions before installing this current version.

For command line installation parameters, see To configure and install the Citrix Receiver for Windows using command-line parameters.

If company policies prohibit you from using an .exe file, refer to How to Manually Extract, Install, and Remove Individual .msi Files from ReceiverEnterprise.exe.

Removing the Receiver

You can also use the Citrix Receiver Updater to install and uninstall Receiver. If Citrix Receiver Updater was not used to install the Receiver, you can uninstall Receiver by running the Add/Remove Programs utility from the Control Panel on Windows XP or Windows Server 2003 (Programs and Features utility from the Control Panel on Windows Vista, Windows 7, and Windows Server 2008).

If you delete Receiver related files or registry entries just before uninstalling Receiver with Add/Remove Programs or Programs and Features, uninstall might fail. The Microsoft Windows Installer (MSI) is trying to repair and uninstall at the same time. If this occurs, use the Receiver to start an auto-repair. After the auto-repair completes, you can cleanly uninstall Receiver from Add/Remove Programs or Programs and Features.

Auto-repair occurs if there is a problem with Receiver; however, there is no Add/Remove Programs or Programs and Features Repair option.

To remove Receiver using the command line

You can also uninstall Receiver from a command line by typing the appropriate command.

CitrixReceiverEnterprise.exe /uninstall

or

CitrixReceiver.exe /uninstall

Caution: Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.

After uninstalling the Receiver software from a user device, the custom Receiver-setting registry keys created by icaclient.adm remain in the Software\Policies\Citrix\ICA Client directory under HKEY_LOCAL_MACHINE and HKEY_LOCAL_USER. If you reinstall Receiver, these policies might be enforced, possibly causing unexpected behavior. If you want to remove these customizations, delete them manually.

Upgrading the Desktop Viewer and Desktop Appliance Lock

You can upgrade the Desktop Viewer component contained in Citrix online plug-in 12.1 by installing this version of the Citrix Receiver for Windows.

To upgrade the Desktop Appliance Lock, remove Citrix online plug-in 12.1 and the Desktop Appliance Lock, and then install this version of the Receiver and the Citrix Desktop Lock.

To install the Citrix Desktop Lock

Important: Log on using a local administrator account to carry out this installation procedure. In addition, consult About Citrix Receiver for Windows 3.1 for workarounds to any known issues with the Desktop Lock.

This procedure installs the plug-in so that virtual desktops are displayed using the Citrix Desktop Lock. Do not use this procedure if you want the Desktop Viewer to be available to users.

1. On the installation media, navigate to the folder called Citrix Receiver and Plug-ins\Windows\Receiver, and run CitrixReceiverEnterprise.exe from the command line using the following syntax:

CitrixReceiverEnterprise.exe ADDLOCAL="ICA_Client,SSON,USB,DesktopViewer,Flash,PN_Agent,Vd3d" SERVER_LOCATION="my.server" ENABLE_SSON="Yes"

For information about the properties used in this command, see To configure and install the Citrix Receiver for Windows using command-line parameters.

2. Enter the URL of the XenDesktop Services site where your virtual desktops are located. The URL must be in the format http://servername or https://servername. If you are using hardware or software for load balancing or failover, you can enter a load-balanced address.

Important: Check that the URL you enter is correct. If the URL is incorrectly typed, or you leave the field empty and the user does not enter a valid URL when prompted after installation, no virtual desktop or local desktop will be available.

3. On the XenDesktop installation media, navigate to the Citrix Receiver and Plug-ins\Windows\Receiver folder and double-click CitrixDesktopLock.msi. The Citrix Desktop Lock wizard appears.

4. On the License Agreement page, read and accept the Citrix license agreement and click Install. The Installation Progress page appears.

5. In the Installation Completed dialog box, click Close.

6. When prompted, restart the user device. If you have been granted access to a desktop and you log on as a domain user, the restarted device is displayed using the Desktop Lock.

User Accounts Used to Install the Citrix Desktop Lock

When you install the Citrix Desktop Lock, a replacement shell is used. To allow administration of the user device after you complete the installation, the account used to install CitrixDesktopLock.msi is excluded from the shell replacement. If the account used to install CitrixDesktopLock.msi is later deleted, you will not be able to log on and administer the device.

Note that because a replacement shell is used, Citrix does not recommend the use of custom shells with desktops accessed through the Desktop Lock.

To remove the Citrix Desktop Lock

If you installed the Citrix Desktop Lock, two separate items are displayed in Add/Remove Programs. You must remove both to complete the removal process.

1. Log on with the same local administrator credentials that were used to install the Desktop Lock.

2. Run the Add/Remove programs utility from the Control Panel.

3. Remove Citrix Desktop Lock.

4. Remove Citrix Receiver or Citrix Receiver (Enterprise).

To configure and install the Citrix Receiver for Windows using command-line parameters

You or your users can customize the Receiver installer by specifying command line options. Because the installer packages are self-extracting installations that extract to the user's temp directory before launching the setup program, ensure that there is enough free space available in the %temp% directory.

Space Requirements

Receiver (standard) - 78.8 Mbytes

Receiver (Enterprise) - 93.6 Mbytes

This includes program files, user data, and temp directories after launching several applications.

1. On the computer where you want to install the Receiver for Windows package, type the following at a command prompt:

CitrixReceiver.exe [Options]

or

CitrixReceiverEnterprise.exe [Options]

2. Set your options as needed.

● /? or /help displays usage information.

● /noreboot suppresses reboot during UI installations. This option is not necessary during silent installs.

● /silent disables the error and progress dialogs to execute a completely silent installation.

● /includeSSON enables single sign on for Receiver (standard, CitrixReceiver.exe). This option is not supported for Receiver (enterprise, CitrixReceiverEnterprise.exe), which installs single sign on by default. If you are using ADDLOCAL= to specify features and you want to install single sign on, you must also specify the SSON value. Requires administrator rights.

● PROPERTY=Value

Where PROPERTY is one of the following all-uppercase variables (keys) and Value is the value the user should specify.

● INSTALLDIR=Installation directory, where Installation directory is the location where the Receiver software is installed. The default value is C:\Program Files\Citrix\ICA Client. If you use this option and specify an Installation directory, you must install the RIInstaller.msi in the Installation directory\Receiver directory and the other .msi files in the Installation directory.

● CLIENT_NAME=ClientName, where ClientName is the name used to identify the user device to the server farm. The default value is %COMPUTERNAME%.

● ENABLE_DYNAMIC_CLIENT_NAME={Yes | No} The dynamic client name feature allows the client name to be the same as the computer name. When users change their computer name, the client name changes to match. To enable dynamic client name support during silent installation, the value of the property ENABLE_DYNAMIC_CLIENT_NAME in your installation file must be Yes. To disable dynamic client name support, set this property to No.

● ADDLOCAL=feature[,...] Install one or more of the specified components. When specifying multiple parameters, separate each parameter with a comma and without spaces. The names are case sensitive. If you do not specify this parameter, all components included in the CitrixReceiverEnterprise.exe or CitrixReceiver.exe are installed by default.

Note: ReceiverInside and ICA_Client are prerequisites for all other components and must be installed.

ReceiverInside – Installs the Receiver experience. (Required)

ICA_Client – Installs the standard Receiver. (Required)

SSON – Installs single sign on. Requires administrator rights.

AM – Installs the Authentication Manager. This value is supported only with CitrixReceiver.exe.

SELFSERVICE – Installs the Self-Service Plug-in. This value is supported only with CitrixReceiver.exe. The AM value must be specified on the command line and .NET 3.5 Service Pack 1 must be installed.

USB – Installs USB.

DesktopViewer – Installs the Desktop Viewer.

Flash – Installs HDX media stream for flash.

PN_Agent – Installs Receiver (Enterprise). This value is supported only with CitrixReceiverEnterprise.exe.

Vd3d – Enables the Windows Aero experience (for operating systems that support it)

● ALLOWADDSTORE={N | S | A} – The default depends on the following situations:

N if Merchandising Server is used or stores are specified on the installation command line.

S if Receiver is installed per machine.

A if Receiver is installed per user.

Specifies whether or not users can add and remove stores not configured through Merchandising Server deliveries. (Users can enable or disable stores configured through Merchandising Server deliveries, but they cannot remove these stores or change the names or the URLs.) This option is supported only with CitrixReceiver.exe.

● ALLOWSAVEPWD={N | S | A} – The default is the value specified from the PNAgent server at run time. Specifies whether or not users can save credentials for stores locally on their computers and applies only to stores using the PNAgent protocol. Setting this argument to N prevents users from saving their credentials. If the argument is set to S, users can only save credentials for stores accessed through HTTPS connections. Using the value A allows users to save credentials for all their stores. This option is supported only with CitrixReceiver.exe.

● ENABLE_SSON={Yes | No} – The default value is Yes. Note that users must log off and log back onto their devices after an installation with pass-through authentication enabled. Requires administrator rights.

Important: If you disable single sign on pass-through authentication, users must reinstall Receiver if you decide to use pass-through authentication at a later time.

● ENABLE_KERBEROS={Yes | No} – The default value is No. Specifies that Kerberos should be used; applies only when pass-through authentication (SSON) is enabled.

● DEFAULT_NDSCONTEXT=Context1 [,…] – Include this parameter to set a default context for Novell Directory Services (NDS). To include more than one context, place the entire value in quotation marks and separate the contexts by a comma. This option is supported only with CitrixReceiverEnterprise.exe. Examples of correct parameters:

DEFAULT_NDSCONTEXT="Context1"

DEFAULT_NDSCONTEXT="Context1,Context2"

● LEGACYFTAICONS={False | True} – The default value is False. Specifieswhether or not application icons are displayed for documents that have filetype associations with subscribed applications. When the argument is set tofalse, Windows generates icons for documents that do not have a specific iconassigned to them. The icons generated by Windows consist of a genericdocument icon overlaid with a smaller version of the application icon. Citrixrecommends enabling this option if you plan on delivering Microsoft Officeapplications to users running Windows 7. This option is supported only withCitrixReceiver.exe.

● SERVER_LOCATION=Server_URL – The default value is blank. Provide the URL of the server running the Web Interface. The URL must be in the format http://servername or https://servername.

The Receiver appends the default path and file name of the configuration file to the server URL. If you change the default location of the configuration file, enter the entire new path in the SERVER_LOCATION key. This option is supported only with CitrixReceiverEnterprise.exe.

● STARTMENUDIR=Text string – The default is to put applications under Start > All Programs. Specifies the name of the default folder added to users' Start menus to hold the shortcuts to their subscribed applications. Users can change the folder name and/or move the folder at any time. This option is supported only with CitrixReceiver.exe.

● STOREx="storename;http[s]://servername.domain/IISLocation/resources/v1;[On | Off];[storedescription]" [STOREy="..."] – Specifies up to 10 stores to use with Receiver. Values:

● x and y – Integers 0 through 9.

● storename – Defaults to store. This must match the name configured on the Storefront server.

● servername.domain – The fully qualified domain name of the server hosting the store.

● IISLocation – The path to the store within IIS. The store URL must match the URL in Storefront provisioning files. The store URLs are of the form "/Citrix/MyStore/resources/v1" (for Storefront 1.0). To obtain the URL, export a provisioning file from Storefront, open it in Notepad and copy the URL from the <Address> element.

● On | Off – The optional Off configuration setting enables you to deliver disabled stores, giving users the choice of whether or not they access them. When the store status is not specified, the default setting is On.

● storedescription – An optional description of the store, such as Apps on XenApp.

If there is a problem with the installation, search in the user's %TEMP% directory for the logs with the prefix CtxInstall- or TrollyExpress-. For example:

CtxInstall-ICAWebWrapper.log

TrollyExpress-20090807-123456.log

Examples of a Command-Line Installation

CitrixReceiver.exe /includeSSON STORE0="AppStore;https://testserver.net/Citrix/MyStore/resources/v1;on;Apps on XenApp" STORE1="BackUpAppStore;https://testserver.net/Citrix/MyBackupStore/resources/v1;on;BackupStore Apps on XenApp"

This example:

● Installs Receiver (standard).


● Installs single sign on.

● Specifies two application stores.

CitrixReceiverEnterprise.exe /silent ADDLOCAL="ReceiverInside,ICA_Client,PN_Agent" ENABLE_SSON=no INSTALLDIR="c:\test" ENABLE_DYNAMIC_CLIENT_NAME=Yes DEFAULT_NDSCONTEXT="Context1,Context2" SERVER_LOCATION="http://testserver.net" CLIENT_NAME="Modified"

This example:

● Installs Receiver (Enterprise) without visible progress dialog boxes.

● Installs only Receiver Inside, the standard Receiver (ICA_Client), and enterprise Receiver (PN_Agent).

● Disables pass-through authentication.

● Specifies the location where the software is installed.

● Enables dynamic client naming.

● Specifies the default context for NDS.

● Specifies the URL (http://testserver.net) of the server running the Web Interface, which Receiver will reference.

● Specifies the name used to identify the user device to the server farm.
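Added example (not Citrix code): a Python check that parses an installer command line in the syntax documented above and reports settings that weaken transport or credential protection, or that the named installer does not support. The function names and the third command line are assumptions constructed for this example; the first two command lines are the page's own examples.

```python
import re
from urllib.parse import urlsplit

# Parameters the page documents as supported by only one installer.
ONLY_WITH = {
    "ALLOWSAVEPWD": "CitrixReceiver.exe",
    "LEGACYFTAICONS": "CitrixReceiver.exe",
    "STARTMENUDIR": "CitrixReceiver.exe",
    "DEFAULT_NDSCONTEXT": "CitrixReceiverEnterprise.exe",
    "SERVER_LOCATION": "CitrixReceiverEnterprise.exe",
}

# A token is /switch or KEY=value, where value is "quoted" or a bare word.
TOKEN = re.compile(r'(?P<switch>/\w+)|(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

# The page's two example command lines, then one constructed for this example.
PAGE_EXAMPLE_1 = (
    'CitrixReceiver.exe /includeSSON '
    'STORE0="AppStore;https://testserver.net/Citrix/MyStore/resources/v1;on;Apps on XenApp" '
    'STORE1="BackUpAppStore;https://testserver.net/Citrix/MyBackupStore/resources/v1;on;'
    'BackupStore Apps on XenApp"'
)
PAGE_EXAMPLE_2 = (
    r'CitrixReceiverEnterprise.exe /silent ADDLOCAL="ReceiverInside,ICA_Client,PN_Agent" '
    r'ENABLE_SSON=no INSTALLDIR="c:\test" ENABLE_DYNAMIC_CLIENT_NAME=Yes '
    r'DEFAULT_NDSCONTEXT="Context1,Context2" SERVER_LOCATION="http://testserver.net" '
    r'CLIENT_NAME="Modified"'
)
CONSTRUCTED = (
    'CitrixReceiver.exe ALLOWSAVEPWD=A SERVER_LOCATION="https://testserver.net" '
    'STORE0="AppStore;http://testserver.net/Citrix/MyStore/resources/v1;Off"'
)


def parse_install_command(cmdline):
    """Split an installer command line into (exe, switches, params)."""
    exe, _, rest = cmdline.strip().partition(" ")
    switches, params = [], {}
    for m in TOKEN.finditer(rest):
        if m.group("switch"):
            switches.append(m.group("switch").lower())
        else:
            quoted = m.group("quoted")
            params[m.group("key").upper()] = m.group("bare") if quoted is None else quoted
    return exe, switches, params


def parse_store(value):
    """Parse 'storename;url;[On|Off];[storedescription]' into a dict."""
    name, url, status, description = (value.split(";", 3) + [""] * 3)[:4]
    return {
        "name": name.strip() or "store",  # the page gives "store" as the default
        "url": url.strip(),
        "enabled": status.strip().lower() != "off",  # omitted status means On
        "description": description.strip(),
    }


def audit(cmdline):
    """Return (parameter, finding) pairs for one installer command line."""
    exe, _switches, params = parse_install_command(cmdline)
    exe_name = exe.replace("\\", "/").rsplit("/", 1)[-1].lower()
    findings = []
    for key, value in params.items():
        required = ONLY_WITH.get(key)
        if required and exe_name != required.lower():
            findings.append((key, f"supported only with {required}"))
        store = re.fullmatch(r"STORE(\d+)", key)
        if store:
            if len(store.group(1)) != 1:  # x must be a single digit, 0 through 9
                findings.append((key, "store index must be 0 through 9"))
            url = urlsplit(parse_store(value)["url"])
            if url.scheme.lower() != "https":
                findings.append((key, "store URL does not use HTTPS"))
            # Form given on the page for Storefront 1.0 store URLs.
            if not url.path.endswith("/resources/v1"):
                findings.append((key, "store URL path does not end in /resources/v1"))
    location = params.get("SERVER_LOCATION")
    if location is not None and urlsplit(location).scheme.lower() != "https":
        findings.append(("SERVER_LOCATION", "configuration data is not encrypted with SSL"))
    save = params.get("ALLOWSAVEPWD")
    if save is not None and save.upper() not in ("N", "S", "A"):
        findings.append(("ALLOWSAVEPWD", "value must be N, S or A"))
    elif save is not None and save.upper() == "A":
        findings.append(("ALLOWSAVEPWD", "credentials may be saved for non-HTTPS stores"))
    kerberos = params.get("ENABLE_KERBEROS", "").lower() == "yes"
    if kerberos and params.get("ENABLE_SSON", "").lower() == "no":
        findings.append(("ENABLE_KERBEROS", "applies only when SSON is enabled"))
    return findings


if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE_1, PAGE_EXAMPLE_2, CONSTRUCTED):
        print(sample.split(" ", 1)[0], audit(sample))
```

Run against the page's second example, the check reports the http:// value of SERVER_LOCATION, which the page elsewhere contrasts with https:// for encrypting the configuration data using SSL.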


Delivering Receiver Using Active Directory and Sample Startup Scripts

You can use Active Directory Group Policy scripts to pre-deploy Receiver on systems based on your Active Directory organizational structure. Citrix recommends using the scripts rather than extracting the .msi files because the scripts allow for a single point for installation, upgrade, and uninstall, they consolidate the Citrix entries in Programs and Features, and make it easier to detect the version of Receiver that is deployed. Use the Scripts setting in the Group Policy Management Console (GPMC) under Computer Configuration or User Configuration. Microsoft documents the advantages and disadvantages of using scripts at Microsoft Technet - Use Group Policy to assign computer startup scripts.

Citrix includes sample per-computer startup scripts to install and uninstall CitrixReceiver.exe and CitrixReceiverEnterprise.exe. The scripts are located on the XenApp media in the Citrix Receiver and Plug-ins\Windows\Receiver\Startup_Logon_Scripts folder.

● CheckAndDeployReceiverEnterpriseStartupScript.bat

● CheckAndDeployReceiverPerMachineStartupScript.bat

● CheckAndRemoveReceiverEnterpriseStartupScript.bat

● CheckAndRemoveReceiverPerMachineStartupScript.bat

When the scripts are executed during Startup or Shutdown of an Active Directory Group Policy, custom configuration files might be created in the Default User profile of a system. If not removed, these configuration files can prevent some users from accessing the Receiver logs directory. The Citrix sample scripts include functionality to properly remove these configuration files.

To use the startup scripts to deploy Receiver with Active Directory

1. Create the Organizational Unit (OU) for each script.

2. Create a Group Policy Object (GPO) for the newly created OU.

To modify the sample scripts

Modify the scripts by editing these parameters in the header section of each file:

● Current Version of package. The specified version number is validated and if it is not present, the deployment proceeds. For example, set DesiredVersion=3.0.0.XXXX to exactly match the version specified. If you specify a partial version, for example 3.0.0, it matches any version with that prefix (3.0.0.1111, 3.0.0.7777, and so forth).

● Package Location/Deployment directory. This specifies the network share containing the packages and is not authenticated by the script. The shared folder must have Read permission for EVERYONE.

● Script Logging Directory. This specifies the network share where the install logs are copied and is not authenticated by the script. The shared folder must have Read and Write permissions for EVERYONE.

● Package Installer Command Line Options. These command line options are passed to the installer. For the command line syntax, see To configure and install the Citrix Receiver for Windows using command-line parameters.

To add the per-computer startup scripts

1. Open the Group Policy Management Console.

2. Select Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).

3. In the right-hand pane of the Group Policy Management Console, select Startup.

4. In the Properties menu, click Show Files, copy the appropriate script to the folder displayed, and then close the window.

5. In the Properties menu, click Add and use Browse to find and add the newly created script.

To deploy Receiver per-computer

1. Move the user devices designated to receive this deployment to the OU you created.

2. Reboot the user device and log on as any user.

3. Verify that Programs and Features (Add or Remove Programs in previous OS versions) contains the newly installed package.

To remove Receiver per-computer

1. Move the user devices designated for the removal to the OU you created.

2. Reboot the user device and log on as any user.

3. Verify that Programs and Features (Add or Remove Programs in previous OS versions) removed the previously installed package.


Using the Per-User Sample Startup Scripts

Citrix recommends using per-computer startup scripts but does include two Citrix Receiver per-user scripts on the XenApp media in the Citrix Receiver and Plug-ins\Windows\Receiver\Startup_Logon_Scripts folder for situations where you require Receiver (standard) per-user deployments.

● CheckAndDeployReceiverPerUserLogonScript.bat

● CheckAndRemoveReceiverPerUserLogonScript.bat

To set up the per-user startup scripts

1. Open the Group Policy Management Console.

2. Select User Configuration > Policies > Windows Settings > Scripts.

3. In the right-hand pane of the Group Policy Management Console, select Logon.

4. In the Logon Properties menu, click Show Files, copy the appropriate script to the folder displayed, and then close the window.

5. In the Logon Properties menu, click Add and use Browse to find and add the newly created script.

To deploy Receiver per-user

1. Move the users designated to receive this deployment to the OU you created.

2. Reboot the user device and log on as the specified user.

3. Verify that Programs and Features (Add or Remove Programs in previous OS versions) contains the newly installed package.

To remove Receiver per-user

1. Move the users designated for the removal to the OU you created.

2. Reboot the user device and log on as the specified user.

3. Verify that Programs and Features (Add or Remove Programs in previous OS versions) removed the previously installed package.


Deploying CitrixReceiver.exe from Receiver for Web

You can deploy CitrixReceiver.exe from Receiver for Web to ensure that users have the Receiver installed before they try to connect to an application from a browser. For details, refer to the Receiver Storefront documentation on Citrix eDocs.


Deploying the CitrixReceiver.exe from a Web Interface Logon Screen

You can deploy the CitrixReceiver.exe from a Web page to ensure that users have the Receiver installed before they try to use the Web Interface. Create a home page and run an Internet Explorer script to download the CitrixReceiver.exe package automatically from the Web server and install it for the user.

To install the Receiver software using CitrixReceiver.exe, the Windows Installer Service must be installed on the user device. This service is present by default on systems running Windows XP, Windows Vista, Windows 7, Windows Server 2003, or Windows Server 2008.

Add the sites from which the CitrixReceiver.exe file is downloaded to the Trusted Sites zone.

In the webinterface.conf file for your XenApp websites, edit the ClientIcaWin32= line to specify the CitrixReceiver.exe installation file and remove the comment character (#).

For more information, see the Web Interface documentation.


Configuring Citrix Receiver for Windows

You can configure Citrix Receiver operations for deployments that use Receiver Storefront or a legacy PNA Services site. For information about configuring deployments using Receiver Storefront, refer to the Storefront documentation on Citrix eDocs.

From the Citrix management console for the XenApp server, configure the options and settings for Receiver using the associated Receiver site. Each time users log on to the Receiver, they see the most recent configuration. Changes made while users are connected take effect when the Receiver configuration is refreshed manually or automatically after a designated interval.


Using the Group Policy Object Template to Customize Receiver

Citrix recommends using the Group Policy Object icaclient.adm template file to configure rules for securing Receiver connections. The rules include network routing, proxy servers, trusted server configuration, user routing, remote client devices, and the user experience.

You can use the icaclient.adm template file with domain policies and local computer policies. For domain policies, import the template file using the Group Policy Management Console. This is especially useful for applying Receiver settings to a number of different user devices throughout the enterprise. To affect a single user device, import the template file using the local Group Policy Editor on the device.

For details about Group Policy management, see the Microsoft Group Policy documentation.

To import the icaclient template using the Group Policy Management Console

To affect domain-based group policies, import the icaclient.adm file with the Group Policy Management Console.

1. As an administrator, open the Group Policy Management Console.

2. In the left pane, select a group policy and from the Action menu, choose Edit.

3. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

4. From the Action menu, choose Add/Remove Templates.

5. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

6. Select Open to add the template and then Close to return to the Group Policy Editor.

To import the icaclient template using the local Group Policy Editor

To affect the policies on a local computer, import the icaclient.adm file with the local Group Policy Editor.

1. As an administrator, open the Group Policy Editor by running gpedit.msc from the Start menu.

2. In the left pane, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.


Configuring Access to Accounts Manually

When users launch Receiver for the first time, they have the option to set up a new account, unless Receiver was distributed using Merchandising Server, a Receiver for Web configuration file, or a GPO or similar method. To set up a new account, a user enters information about the XenApp farm or XenDesktop site hosting the resources.

When a user enters the details for a new account, Receiver attempts to verify the connection. If successful, Receiver prompts the user to log on to the account.

To add a new account

1. Click the gear icon in the Receiver window and choose Edit Accounts.

2. Click Add.

3. Enter the information provided by your organization and click OK.

To remove an account

1. Click the gear icon in the Receiver window and choose Edit Accounts.

2. Select the account from the list and click Remove and Yes.

To edit the details of an account

1. Click the gear icon in the Receiver window and choose Edit Accounts.

2. Select the account that you want to edit from the list and double-click.

3. Edit the details in Name, the Description, and/or the URL fields, as required.

4. Click OK.


To customize user preferences for the Receiver (Enterprise)

Users can customize their preferences. For example, they can define window sizes for published applications, choose when to refresh the list of available published resources, and specify where the available published resources appear.

1. In the Windows notification area, right-click the Receiver icon and choose Preferences.

2. Right-click the Online Plug-in entry in the Plug-in Status and choose Options, select a property, and make the desired configuration changes.

If you configure seamless windows and set the task bar to Auto-hide, you cannot access the taskbar when you maximize published applications. To access the taskbar, resize the published application.

For more detailed information, see the online help for Receiver.

To change the server URL in the Receiver (Enterprise)

Receiver requires that you specify the location of a configuration file (Config.xml is the default configuration file) on the server running the Web Interface. You can ask your users to change the server URL as you create new configuration files or delete old ones.

Note: To prevent users from accidentally changing their server URL, disable the option.

1. In the Windows notification area, right-click the Receiver icon and choose Preferences.

2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.

3. Type or select the server URL in the format http://servername or, to encrypt the configuration data using SSL, https://servername.


Configuring USB Support for XenDesktop Connections

USB support enables users to interact with a wide range of USB devices when connected to a virtual desktop. Users can plug USB devices into their computers and the devices are remoted to their virtual desktop. USB devices available for remoting include flash drives, smartphones, PDAs, printers, scanners, MP3 players, security devices, and tablets. Desktop Viewer users can control whether USB devices are available on the virtual desktop using a preference in the toolbar.

Isochronous features in USB devices such as webcams, microphones, speakers, and headsets are supported in typical low latency/high speed LAN environments. This allows these devices to interact with packages such as Microsoft Office Communicator and Skype.

The following types of device are supported directly in a XenDesktop session, and so do not use USB support:

● Keyboards

● Mice

● Smart cards

Note: Specialist USB devices (for example, Bloomberg keyboards and 3D mice) can be configured to use USB support. For information on configuring Bloomberg keyboards, see Configuring Bloomberg Keyboards. For information on configuring policy rules for other specialist USB devices, see CTX 119722.

By default, certain types of USB devices are not supported for remoting through XenDesktop. For example, a user may have a network interface card attached to the system board by internal USB. Remoting this would not be appropriate. The following types of USB device are not supported by default for use in a XenDesktop session:

● Bluetooth dongles

● Integrated network interface cards

● USB hubs

● USB graphics adaptors

USB devices connected to a hub can be remoted, but the hub itself cannot be remoted.

For instructions on modifying the range of USB devices that are available to users, see Updating the List of USB Devices Available for Remoting.

For instructions on automatically redirecting specific USB devices, see CTX123015.


How USB Support Works

When a user plugs in a USB device, it is checked against the USB policy, and, if allowed, remoted to the virtual desktop. If the device is denied by the default policy, it is available only to the local desktop.

The user experience depends upon the type of desktop to which users are connecting.

For desktops accessed through the Citrix Desktop Lock, when a user plugs in a USB device, that device is automatically remoted to the virtual desktop. No user interaction is required. The virtual desktop is responsible for controlling the USB device and displaying it in the user interface.

For desktops accessed through the Desktop Viewer, when a user plugs in a USB device, a dialog box appears asking the user if they want that device remoted to the virtual desktop. The user can decide which USB devices are remoted to the virtual desktop by selecting devices from the list each time they connect. Alternatively, the user can configure USB support so that all USB devices plugged in both before and/or during a session are automatically remoted to the virtual desktop that is in focus.


Mass Storage Devices

For mass storage devices only, in addition to USB support, remote access is available through client drive mapping, which you configure through the Citrix Mappings rule. When this rule is applied, the drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders with mapped drive letters. The Citrix Mappings rule is in the Drives subfolder of the Client Devices Resources folder in the Presentation Server Console.

The main differences between the two types of remoting policy are:

| Feature | Client Drive Mapping | USB Rule |
|---|---|---|
| Enabled by default | Yes | No |
| Read-only access configurable | Yes | No |
| Safe to remove device during a session | No | Yes, if the user clicks Safely Remove Hardware in the notification area |

If both USB support and the Citrix Mappings rule are enabled and a mass storage device is inserted before a session starts, it will be redirected using client drive mapping first, before being considered for redirection through USB support. If it is inserted after a session has started, it will be considered for redirection using USB support before client drive mapping.


USB Device Classes Allowed by Default

Different classes of USB device are allowed by the default USB policy rules.

Although they are on this list, some classes are only available for remoting in XenDesktop sessions after additional configuration. These are noted below.

● Audio (Class 01). Includes audio input devices (microphones), audio output devices, and MIDI controllers. Modern audio devices generally use isochronous transfers, which is supported by XenDesktop 4 or later.

Note: Some specialty devices (for example, VOIP phones) require additional configuration. For instructions on this, see CTX123015.

● Physical Interface Devices (Class 05). These devices are similar to Human Interface Devices (HIDs), but generally provide "real-time" input or feedback and include force feedback joysticks, motion platforms, and force feedback exoskeletons.

● Still Imaging (Class 06). Includes digital cameras and scanners. Digital cameras often support the still imaging class which uses the Picture Transfer Protocol (PTP) or Media Transfer Protocol (MTP) to transfer images to a computer or other peripheral. Cameras may also appear as mass storage devices and it may be possible to configure a camera to use either class, through setup menus provided by the camera itself.

Note that if a camera appears as a mass storage device, client drive mapping is used and USB support is not required.

● Printers (Class 07). In general most printers are included in this class, although some use vendor-specific protocols (class ff). Multi-function printers may have an internal hub or be composite devices. In both cases the printing element generally uses the Printers class and the scanning or fax element uses another class; for example, Still Imaging.

Printers normally work appropriately without USB support.

Note: This class of device (in particular printers with scanning functions) requires additional configuration. For instructions on this, see CTX123015.

● Mass Storage (Class 08). The most common mass storage devices are USB flash drives; others include USB-attached hard drives, CD/DVD drives, and SD/MMC card readers. There are a wide variety of devices with internal storage that also present a mass storage interface; these include media players, digital cameras, and mobile phones. Known subclasses include:

● 01 Limited flash devices

● 02 Typically CD/DVD devices (ATAPI/MMC-2)

● 03 Typically tape devices (QIC-157)

● 04 Typically floppy disk drives (UFI)


● 05 Typically floppy disk drives (SFF-8070i)

● 06 Most mass storage devices use this variant of SCSI

Mass storage devices can often be accessed through client drive mapping, and so USB support is not required.

Important: Some viruses are known to propagate actively using all types of mass storage. Carefully consider whether or not there is a business need to permit the use of mass storage devices, either through client drive mapping or USB support.

● Content Security (Class 0d). Content security devices enforce content protection, typically for licensing or digital rights management. This class includes dongles.

● Video (Class 0e). The video class covers devices that are used to manipulate video or video-related material, such as webcams, digital camcorders, analog video converters, some television tuners, and some digital cameras that support video streaming.

Note: Most video streaming devices use isochronous transfers, which is supported by XenDesktop 4 or later. Some video devices (for example webcams with motion detection) require additional configuration. For instructions on this, see CTX123015.

● Personal Healthcare (Class 0f). These devices include personal healthcare devices such as blood pressure sensors, heart rate monitors, pedometers, pill monitors, and spirometers.

● Application and Vendor Specific (Classes fe and ff). Many devices use vendor specific protocols or protocols not standardized by the USB consortium, and these usually appear as vendor-specific (class ff).


USB Device Classes Denied by Default

Different classes of USB device are denied by the default USB policy rules.

● Communications and CDC Control (Classes 02 and 0a). The default USB policy does not allow these devices, because one of them may be providing the connection to the virtual desktop itself.

● Human Interface Devices (Class 03). Includes a wide variety of both input and output devices. Typical Human Interface Devices (HIDs) are keyboards, mice, pointing devices, graphic tablets, sensors, game controllers, buttons, and control functions.

Subclass 01 is known as the "boot interface" class and is used for keyboards and mice.

The default USB policy does not allow USB keyboards (class 03, subclass 01, protocol 1), or USB mice (class 03, subclass 01, protocol 2). This is because most keyboards and mice are handled appropriately without USB support and it is normally necessary to use these devices locally as well as remotely when connecting to a virtual desktop.

● USB Hubs (Class 09). USB hubs allow extra devices to be connected to the local computer. It is not necessary to access these devices remotely.

● Smart Card (Class 0b). Smart card readers include contactless and contact smart card readers, and also USB tokens with an embedded smart card-equivalent chip.

Smart card readers are accessed using smart card remoting and do not require USB support.

● Wireless Controller (Class e0). Some of these devices may be providing critical network access, or connecting critical peripherals such as Bluetooth keyboards or mice.

The default USB policy does not allow these devices. However, there may be particular devices it is appropriate to provide access to using USB support.


Updating the List of USB Devices Available for Remoting

You can update the range of USB devices available for remoting to desktops by editing the file icaclient_usb.adm. This allows you to make changes to the Receiver using Group Policy. The file is located in the following installed folder:

<root drive>:\Program Files\Citrix\ICA Client\Configuration\en

Alternatively, you can edit the registry on each user device, adding the following registry key:

HKLM\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB Type=String Name="DeviceRules" Value=

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

The product default rules are stored in:

HKLM\SOFTWARE\Citrix\ICA Client\GenericUSB Type=MultiSz Name="DeviceRules" Value=

Do not edit the product default rules.

For details of the rules and their syntax, see http://support.citrix.com/article/ctx119722/.


Configuring Bloomberg Keyboards

Bloomberg keyboards are supported by XenDesktop sessions (but not other USB keyboards). The required components are installed automatically when the plug-in is installed, but you must enable this feature either during the installation or later by changing a registry key.

On any one user device, multiple sessions to Bloomberg keyboards are not recommended. The keyboard only operates correctly in single-session environments.

To turn Bloomberg keyboard support on or off

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

1. Locate the following key in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB

2. Do one of the following:

● To turn on this feature, for the entry with Type DWORD and Name EnableBloombergHID, set Value to 1.

● To turn off this feature, set the Value to 0.


Configuring User-Driven Desktop Restart

You can allow users to restart their desktops themselves. They may need to do this if a desktop fails to connect or becomes unresponsive.

This feature is disabled by default. You enable user-driven desktop restart for a desktop group in Desktop Studio. For information on this, see the XenDesktop documentation.

The procedures for restarting desktops differ depending on whether users are connecting to desktops through the Desktop Viewer or the Citrix Desktop Lock.


To prevent the Desktop Viewer window from dimming

If users have multiple Desktop Viewer windows, by default the desktops that are not active are dimmed. If users need to view multiple desktops simultaneously, this can make the information on them unreadable. You can disable the default behavior and prevent the Desktop Viewer window from dimming by editing the Registry.

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

1. On the user device, create a REG_DWORD entry called DisableDimming in one of the following keys, depending on whether you want to prevent dimming for the current user of the device or the device itself. An entry already exists if the Desktop Viewer has been used on the device:

● HKCU\Software\Citrix\XenDesktop\DesktopViewer

● HKLM\Software\Citrix\XenDesktop\DesktopViewer

Optionally, instead of controlling dimming with the above user or device settings, you can define a local policy by creating the same REG_DWORD entry in one of the following keys:

● HKCU\Software\Policies\Citrix\XenDesktop\DesktopViewer

● HKLM\Software\Policies\Citrix\XenDesktop\DesktopViewer

The use of these keys is optional because XenDesktop administrators, rather than plug-in administrators or users, typically control policy settings using Group Policy. So, before using these keys, check whether your XenDesktop administrator has set a policy for this feature.

2. Set the entry to any non-zero value such as 1 or true.

If no entries are specified or the entry is set to 0, the Desktop Viewer window is dimmed. If multiple entries are specified, the following precedence is used. The first entry that is located in this list, and its value, determine whether the window is dimmed:

1. HKCU\Software\Policies\Citrix\...

2. HKLM\Software\Policies\Citrix\...

3. HKCU\Software\Citrix\...

4. HKLM\Software\Citrix\...


To configure the Citrix Desktop Lock

This topic contains instructions for configuring USB preferences, drive mappings, and microphones for a virtual desktop accessed through the Citrix Desktop Lock. In addition, some general advice on configuring the Desktop Lock is also provided.

Typically, this is used in non-domain-joined environments such as on a thin client or desktop appliance. In this access scenario, the Desktop Viewer is unavailable, so only administrators (not users) can perform the configuration.

Two .adm files are provided that allow you to perform this task using policies:

● icaclient.adm. For information on obtaining this file, see To configure settings for multiple users and devices.

● icaclient_usb.adm. The file is located in the following installed folder: <root drive>:\Program Files\Citrix\ICA Client\Configuration\en.

This topic assumes you have loaded both files into Group Policy, where the policies appear in Computer Configuration or User Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components.

To configure USB preferences

As a prerequisite, you must turn on USB support in XenDesktop deployments by enabling the USB policy rule. For information on this, see the XenDesktop documentation.

In Citrix Receiver > Remoting client devices > Generic USB Remoting, enable and configure as desired the Existing USB Devices, New USB Devices, and USB Devices List In Desktop Viewer policies. You can use the Show All Devices policy to display all connected USB devices, including those using the Generic USB virtual channel (for example, webcams and memory sticks).

To configure drive mapping

In Citrix Receiver > Remoting client devices, enable and configure as desired the Client drive mapping policy.

To configure a microphone

In Citrix Receiver > Remoting client devices, enable and configure as desired the Client microphone policy.

General Advice On Configuring the Desktop Lock

Grant access to only one virtual desktop running the Desktop Lock per user.

Do not allow users to hibernate virtual desktops. Use Active Directory policies appropriately to prevent this.

To configure settings for multiple users and devices

In addition to the configuration options offered by the Receiver user interface, you can use the Group Policy Editor and the icaclient.adm template file to configure settings. Using the Group Policy Editor, you can:

● Extend the icaclient template to cover any Receiver setting by editing the icaclient.adm file. See the Microsoft Group Policy documentation for more information about editing .adm files and about applying settings to a particular computer.

● Make changes that apply only to either specific users or all users of a client device.

● Configure settings for multiple user devices

Citrix recommends using Group Policy to configure user devices remotely; however you can use any method, including the Registry Editor, which updates the relevant registry entries.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. Under the User Configuration node or the Computer Configuration node, edit the relevant settings as required.

Canadian Keyboard Layouts and Updating from Presentation Server Clients Version 10.200

The Canadian keyboard layouts are aligned with those supported by Microsoft. If users install Receivers without uninstalling the Presentation Server Clients Version 10.200 first, they must manually edit the module.ini file (usually in C:\Program Files\Citrix\ICA Client) to upgrade the keyboard layout settings:

Replace:

Canadian English (Multilingual)=0x00001009

Canadian French=0x00000C0C

Canadian French (Multilingual)=0x00010C0C

With:

Canadian French=0x00001009

Canadian French (Legacy)=0x00000C0C

Canadian Multilingual Standard=0x00011009

Auto-Repair File Locations

Auto-repair occurs if there is a problem with Receiver; however, there is no Add/Remove Programs or Programs and Features Repair option. If the Receiver repair option prompts for the location of the .msi file, browse to one of these locations to find the file:

● For CitrixReceiverEnterprise.exe

● Operating system: Windows XP and Windows 2003

C:\Documents and Settings\All Users\application data\Citrix\Citrix Receiver (Enterprise)\

● Operating system: Windows Vista and Windows 7

C:\ProgramData\Citrix\Citrix Receiver (Enterprise)\

● For CitrixReceiver.exe installed per computer

● Operating system: Windows XP and Windows 2003

C:\Documents and Settings\All Users\Application Data\Citrix\Citrix Receiver\

● Operating system: Windows Vista and Windows 7

C:\ProgramData\Citrix\Citrix Receiver\

● For CitrixReceiver.exe installed per user

● Operating system: Windows XP and Windows 2003

%USERPROFILE%\Local Settings\Application Data\Citrix\Citrix Receiver\

● Operating system: Windows Vista and Windows 7

%USERPROFILE%\Appdata\local\Citrix\Citrix Receiver\

Optimizing the Receiver Environment

The ways you can optimize the environment in which your Receiver operates for your users include:

● Improving performance

● Improving performance over low bandwidth

● Facilitating the connection of numerous types of client devices to published resources

● Providing support for NDS users

● Using connections to Citrix XenApp for UNIX

● Supporting naming conventions

● Supporting DNS naming resolution

Improving Receiver Performance

You can improve the performance of your Receiver software by:

● Reducing Application Launch Time

● Reconnecting Users Automatically

● Providing session reliability

● Improving Performance over Low-Bandwidth Connections

Reducing Application Launch Time

Use the session pre-launch feature to reduce application launch time during normal or high-traffic periods, giving the user a better experience. The pre-launch feature allows a pre-launch session to be created when a user logs on to Receiver, or at a scheduled time if the user is already logged on. This pre-launch session reduces the launch time of the first application. The default application ctxprelaunch.exe is running in the session, but it is not visible to the user.

There are two types of pre-launch:

● Just-in-time pre-launch. Pre-Launch starts immediately after the user's credentials are authenticated whether or not it is a high-traffic period.

● Scheduled pre-launch. Pre-launch starts at a scheduled time. Scheduled pre-launch starts only when the user device is already running and authenticated. If those two conditions are not met when the scheduled pre-launch time arrives, a session does not launch. To spread network and server load, the session launches within a window of when it is scheduled. For example, if the scheduled pre-launch is scheduled for 1:45 p.m., the session actually launches between 1:15 p.m. and 1:45 p.m.

Typically, you can use just-in-time pre-launch for normal traffic periods and scheduled pre-launch for known high-traffic periods.

An example of a high-traffic period: if your environment includes a large number of users who launch applications during peak periods, such as when users start work or return from lunch, the rapid succession of logon requests might overwhelm servers and slow down application launch for all users.

Configuring pre-launch on the XenApp server consists of creating, modifying, or deleting pre-launch applications, as well as updating user policy settings that control the pre-launch application. See To pre-launch applications to user devices for information about configuring session pre-launch on the XenApp server.

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Customizing the pre-launch feature using the icaclient.adm file is not supported. However, you can change the pre-launch configuration by modifying registry values during or after Receiver installation.

Registry value for Windows 7, 64-bit

The value for Windows 7, 64-bit, is: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch - Enables different users on the same user device to have different settings. It also allows a user to change the configuration without administrative permission. You can provide your users with scripts to accomplish this.

Name: State

Values:

0 - Disable pre-launch.

1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials are authenticated.)

2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)

Name: Schedule

Value:

The time (24 hour format) and days of week for scheduled pre-launch entered in the following format:

HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU are the days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday, and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0. The session actually launches between 1:15 p.m. and 1:45 p.m.

Registry values for other Windows systems

The values for all other supported Windows operating systems are: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch and HKEY_CURRENT_USER\Software\Citrix\ICA Client\Prelaunch.

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch - Written at installation, with default values.

Name: UserOverride

Values:

0 - Use the HKEY_LOCAL_MACHINE values even if HKEY_CURRENT_USER values are also present.

1 - Use HKEY_CURRENT_USER values if they exist; otherwise, use the HKEY_LOCAL_MACHINE values.

Name: State

Values:

0 - Disable pre-launch.

1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials are authenticated.)

2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)

Name: Schedule

Value:

The time (24 hour format) and days of week for scheduled pre-launch entered in the following format:

HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU are the days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday, and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0. The session actually launches between 1:15 p.m. and 1:45 p.m.

HKEY_CURRENT_USER\SOFTWARE\Citrix\ICA Client\Prelaunch - Enables different users on the same user device to have different settings. It also allows a user to change the configuration without administrative permission. You can provide your users with scripts to accomplish this.

Name: State

Values:

0 - Disable pre-launch.

1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials are authenticated.)

2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)

Name: Schedule

Value:

The time (24 hour format) and days of week for scheduled pre-launch entered in the following format:

HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU are the days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday, and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0. The session actually launches between 1:15 p.m. and 1:45 p.m.
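The resolution rules above (UserOverride in HKLM, then State and Schedule) as an added PowerShell example, not Citrix code: it parses a Schedule value and reports which hive each effective value came from, so an administrator can see when a user-writable HKCU value is in effect. The function names are hypothetical, and treating a missing UserOverride as 0 and applying "if they exist" per value are assumptions.

```powershell
# Added example (not Citrix code). Function names are hypothetical; registry
# paths, value names and the Schedule format are the ones given on this page.

function ConvertFrom-PrelaunchSchedule {
    # Parses 'HH:MM|M:T:W:TH:F:S:SU', for example '13:45|1:0:1:0:1:0:0'.
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Schedule)

    $pattern = '^([01]\d|2[0-3]):([0-5]\d)\|([01](?::[01]){6})$'
    $m = [regex]::Match($Schedule.Trim(), $pattern)
    if (-not $m.Success) { throw "Malformed Schedule value: '$Schedule'" }

    $names = 'Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Sunday'
    $flags = $m.Groups[3].Value -split ':'
    $days  = @(for ($i = 0; $i -lt 7; $i++) { if ($flags[$i] -eq '1') { $names[$i] } })

    [pscustomobject]@{
        Time = '{0}:{1}' -f $m.Groups[1].Value, $m.Groups[2].Value
        Days = $days
    }
}

function Get-PrelaunchValues {
    # Reads the documented values from one Prelaunch key. A missing key or
    # value is simply left out of the returned hashtable.
    param([Parameter(Mandatory = $true)][string]$Path)

    $values = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in 'UserOverride','State','Schedule') {
            if ($null -ne $item.$name) { $values[$name] = $item.$name }
        }
    }
    return $values
}

function Resolve-PrelaunchConfig {
    param([hashtable]$Machine = @{}, [hashtable]$User = @{})

    # UserOverride is read from HKLM only. Assumptions: a missing UserOverride
    # counts as 0, and "if they exist" is applied to each value separately.
    $override = $Machine.ContainsKey('UserOverride') -and ([int]$Machine['UserOverride'] -eq 1)

    $effective = @{}; $source = @{}
    foreach ($name in 'State','Schedule') {
        if ($override -and $User.ContainsKey($name)) {
            $effective[$name] = $User[$name];    $source[$name] = 'HKCU'
        } elseif ($Machine.ContainsKey($name)) {
            $effective[$name] = $Machine[$name]; $source[$name] = 'HKLM'
        }
    }

    $modes = @{ 0 = 'Disabled'; 1 = 'Just-in-time'; 2 = 'Scheduled' }
    $state = $null
    if ($effective.ContainsKey('State')) { $state = [int]$effective['State'] }
    $mode = 'Not set or unknown'
    if ($null -ne $state -and $modes.ContainsKey($state)) { $mode = $modes[$state] }

    # Schedule only matters for State 2; a missing or malformed value is
    # reported instead of stopping the audit.
    $schedule = $null; $problem = $null
    if ($state -eq 2) {
        try   { $schedule = ConvertFrom-PrelaunchSchedule -Schedule ([string]$effective['Schedule']) }
        catch { $problem = $_.Exception.Message }
    }

    [pscustomobject]@{
        Mode           = $mode
        StateSource    = $source['State']
        Time           = if ($schedule) { $schedule.Time } else { $null }
        Days           = if ($schedule) { $schedule.Days -join ',' } else { $null }
        ScheduleSource = $source['Schedule']
        Problem        = $problem
        # True when an effective value came from HKCU, which the page notes a
        # user can change without administrative permission.
        UserControlled = (@($source.Values) -contains 'HKCU')
    }
}

# Constructed sample values (not read from a real device): HKLM permits
# user override and the user key switches pre-launch to a schedule.
$machine = @{ UserOverride = 1; State = 1 }
$user    = @{ State = 2; Schedule = '13:45|1:0:1:0:1:0:0' }
Resolve-PrelaunchConfig -Machine $machine -User $user

# On a device, read the keys named on this page instead (use the
# Wow6432Node path for HKLM on Windows 7, 64-bit):
# Resolve-PrelaunchConfig `
#   -Machine (Get-PrelaunchValues 'HKLM:\SOFTWARE\Citrix\ICA Client\Prelaunch') `
#   -User    (Get-PrelaunchValues 'HKCU:\Software\Citrix\ICA Client\Prelaunch')
```

Setting UserOverride to 0 in the HKLM key makes the machine values authoritative, so the UserControlled column should then read False.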

Reconnecting Users Automatically

Users can be disconnected from their sessions because of unreliable networks, highly variable network latency, or range limitations of wireless devices. With the HDX Broadcast auto-client reconnection feature, Receiver can detect unintended disconnections of ICA sessions and reconnect users to the affected sessions automatically.

When this feature is enabled on the server, users do not have to reconnect manually to continue working. The Receiver attempts to reconnect to the session until there is a successful reconnection or the user cancels the reconnection attempts. If user authentication is required, a dialog box requesting credentials appears to a user during automatic reconnection. Automatic reconnection does not occur if users exit applications without logging off. Users can reconnect only to disconnected sessions.

To disable HDX Broadcast auto-client reconnect for a particular user

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network Routing > Session reliability and automatic reconnection. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties and select Disabled.

Providing HDX Broadcast Session Reliability

With the HDX Broadcast Session Reliability feature, users continue to see a published application’s window if the connection to the application experiences an interruption. For example, wireless users entering a tunnel may lose their connection when they enter the tunnel and regain it when they emerge on the other side. During such interruptions, the session reliability feature enables the session window to remain displayed while the connection is being restored.

You can configure your system to display a warning dialog box to users when the connection is unavailable.

You set HDX Broadcast Session Reliability with policy settings on the server. Receiver users cannot override the server settings for HDX Broadcast Session Reliability.

Important: If HDX Broadcast Session Reliability is enabled, the default port used for session communication switches from 1494 to 2598.

Improving Performance over Low-Bandwidth Connections

Citrix recommends that you use the latest version of XenApp or XenDesktop on the server. Citrix continually enhances and improves performance with each release. Many performance features require the latest Receiver and server software to function.

If you are using a low-bandwidth connection, you can make a number of changes to your Receiver configuration and the way you use the Receiver to improve performance.

Changing Your Receiver Configuration

On devices with limited processing power or in circumstances where only limited bandwidth is available, there is a trade-off between performance and functionality. Receiver provides both user and administrator with the ability to choose an acceptable mixture of rich functionality and interactive performance. Making one or more of these changes on the server or user device can reduce the bandwidth your connection requires and improve performance:

● Enable SpeedScreen Latency Reduction. SpeedScreen Latency Reduction improves performance over high latency connections by providing instant feedback to the user in response to typed data or mouse clicks.

User's side: icaclient.adm file.

Server side: SpeedScreen Latency Reduction Manager.

● Reduce the window size. Change the window size to the minimum size you can comfortably use.

User side: icaclient.adm file or use the Receiver icon in the notification area and choose Preferences and right-click the Online Plug-in entry in the Plug-in Status and choose Options > Session Options.

Server side: XenApp services site > Session Options.

● Reduce the number of colors. Reduce the number of colors to 256.

User side: icaclient.adm file or use the Receiver icon in the notification area and choose Preferences and right-click the Online Plug-in entry in the Plug-in Status and choose Options > Session Options.

Server side: XenApp services site > Session Options.

● Reduce sound quality. If Receiver audio mapping is enabled, reduce the sound quality to the minimum setting.

User's side: icaclient.adm file.

Server side: Citrix Audio quality policy setting.

Changing Receiver Use

ICA technology is highly optimized and typically does not have high CPU and bandwidth requirements. However, if you are using a very low-bandwidth connection, the following tasks can impact performance:

● Accessing large files using client drive mapping. When you access a large file with client drive mapping, the file is transferred over the ICA connection. On slow connections, this may take a long time.

● Playing multimedia content. Playing multimedia content uses a lot of bandwidth and can cause reduced performance.

Connecting User Devices and Published Resources

You can facilitate sessions and optimize the connection of your user devices to resources published in the server farm by:

● Configuring workspace control settings to provide continuity for roaming users

● Making scanning transparent for users

● Mapping client devices

● Associating user device file types with published applications

Configuring Workspace Control Settings to Provide Continuity for Roaming Users

The workspace control feature provides users with the ability to disconnect quickly from all running applications, reconnect to applications, or log off from all running applications. You can move among user devices and gain access to all of your applications when you log on. For example, health care workers in a hospital can move quickly among workstations and access the same set of applications each time they log on to XenApp. These users can disconnect from multiple applications at one user device and open all the same applications when they reconnect at a different user device.

Workspace control is available only to users connecting to published resources with Citrix XenApp or through Storefront, Receiver for Web, or the Web Interface.

Policies and client drive mappings change appropriately when you move to a new user device. Policies and mappings are applied according to the user device where you are currently logged on to the session. For example, if a health care worker logs off from a user device in the emergency room of a hospital and then logs on to a workstation in the hospital’s X-ray laboratory, the policies, printer mappings, and client drive mappings appropriate for the session in the X-ray laboratory go into effect for the session as soon as the user logs on to the user device in the X-ray laboratory.

Important: Workspace control is not available for Online Plug-in versions earlier than 11.x; it works only with sessions connected to computers running Citrix Presentation Server Version 3.0, 4.0, or 4.5 or Citrix XenApp 5.0, 6.0, or 6.5.

If workspace control configuration settings allow users to override the server settings, users can configure workspace control on the Receiver Reconnect Options page:

● Enable automatic reconnection at logon allows users to reconnect to only disconnected applications or to both disconnected and active applications

● Enable reconnection from the menu allows users to reconnect to only disconnected applications or to both disconnected and active sessions

To configure workspace control settings through Storefront or Receiver for Web

For information about configuring Receiver Storefront and Receiver for Web for workspace control and user roaming, refer to the "Manage" topics in the Receiver Storefront documentation in Citrix eDocs.

To configure workspace control settings through Web Interface

For users launching applications through the Web Interface, these options are in Settings:

● Enable automatic reconnection at logon allows users to reconnect to only disconnected applications or both disconnected and active applications

● Enable automatic reconnection from Reconnect menu allows users to reconnect to only disconnected applications or both disconnected and active sessions

● Customize Log Off button allows users to configure whether or not the log off command will include logging them off from applications that are running in the session

If users log on with smart cards or smart cards with pass-through authentication, set up a trust relationship between the server running the Web Interface and any other server in the farm that the Web Interface accesses for published applications. For more information about workspace control requirements, see the Citrix XenApp and Web Interface Administrator documentation.

Making Scanning Transparent for Users

If you enable HDX Plug-n-Play TWAIN image scanning device support, users can control client-attached TWAIN imaging devices transparently with applications that reside on the server farm. To use this feature, a TWAIN device must be attached to the user device and the associated 32-bit TWAIN driver must also be installed on the user device.

To enable or disable this feature, configure the Citrix policy Client TWAIN device redirection setting.

The following policy settings allow you to specify the maximum amount of bandwidth (in kilobits per second or as a percentage) and the compression level of images from client to server used for TWAIN redirection:

● TWAIN device redirection bandwidth limit

● TWAIN device redirection bandwidth limit percent

● TWAIN compression level

Mapping User Devices

The Receiver supports mapping devices on user devices so they are available from within a session. Users can:

● Transparently access local drives, printers, and COM ports

● Cut and paste between the session and the local Windows clipboard

● Hear audio (system sounds and .wav files) played from the session

During logon, Receiver informs the XenApp server of the available client drives, COM ports, and LPT ports. By default, client drives are mapped to server drive letters and server print queues are created for client printers so they appear to be directly connected to the XenApp server. These mappings are available only for the current user during the current session. They are deleted when the user logs off and recreated the next time the user logs on.

You can use the Citrix policy redirection settings on the XenApp server to map user devices not automatically mapped at logon. For more information, see the XenApp administration documentation.

Turning off User Device Mappings

You can configure user device mapping including options for drives, printers, and ports, using the Windows Server Manager tool. For more information about the available options, see your Remote Desktop Services documentation.

Mapping Client Drives to XenApp Server Drive Letters

Client drive mapping allows drive letters on the XenApp server to be redirected to drives that exist on the client device. For example, drive H in a Citrix user session can be mapped to drive C of the local device running the plug-in.

Client drive mapping is built into the standard Citrix device redirection facilities transparently. To File Manager, Windows Explorer, and your applications, these mappings appear like any other network mappings.

Note that Client drive mapping is not supported when connecting to MetaFrame Server 1.0 for UNIX operating systems.

The XenApp server can be configured during installation to map client drives automatically to a given set of drive letters. The default installation mapping maps drive letters assigned to client drives starting with V and works backward, assigning a drive letter to each fixed drive and CD-ROM drive. (Floppy drives are assigned their existing drive letters.) This method yields the following drive mappings in a session:

Client drive letter    Is accessed by the XenApp server as:
A                      A
B                      B
C                      V
D                      U

The XenApp server can be configured so that the server drive letters do not conflict with the client drive letters; in this case the server drive letters are changed to higher drive letters. For example, changing server drives C to M and D to N allows client devices to access their C and D drives directly. This method yields the following drive mappings in a session:

Client drive letter    Is accessed by the XenApp server as:
A                      A
B                      B
C                      C
D                      D

The drive letter used to replace the server drive C is defined during Setup. All other fixed drive and CD-ROM drive letters are replaced with sequential drive letters (for example, C > M, D > N, E > O). These drive letters must not conflict with any existing network drive mappings. If a network drive is mapped to the same drive letter as a server drive letter, the network drive mapping is not valid.

When a client device connects to a XenApp server, client mappings are reestablished unless automatic client device mapping is disabled. You can use the Terminal Services Configuration tool to configure automatic client device mapping for ICA connections and users. You can also use policies to give you more control over how client device mapping is applied. For more information about policies, see the Citrix XenApp Administrator's documentation at Citrix eDocs.

HDX Plug-n-Play for USB Storage Devices

HDX Plug-n-Play for USB storage devices enables users to interact with USB mass storage devices connected to their user devices when connected to XenApp sessions. When HDX Plug-n-Play for USB storage devices is enabled, users can connect or disconnect a USB device from a session at any time, regardless of whether the session was started before or after the drive connection.

HDX Plug-n-Play for USB storage devices is enabled by default and can be disabled or enabled by editing the ICA\File Redirection - Client removable drives policy setting. For more information, see the XenApp documentation.

Supported Mass Storage Devices with XenApp

Mass storage devices, including USB thumbdrives, USB-attached hard drives, CD-DVD drives, and SD card readers are supported.

Not supported:

● U3 smart drives and devices with similar autorun behavior

● Explorer.exe published as a seamless application

Mass storage devices can often be accessed through client drive mapping, and so USB support is not required.

Important: Some viruses are known to propagate actively using all types of mass storage. Carefully consider whether or not there is a business need to permit the use of mass storage devices, either through client drive mapping or USB support.

HDX Plug-n-Play USB Device Redirection for XenApp Connections

HDX Plug-n-Play USB Device Redirection on computers running Vista and Windows 7 enables dynamic redirection of media devices, including cameras, scanners, media players, and point of sale (POS) devices to the server. You or the user can restrict redirection of all or some of the devices. Edit policies on the server or apply group policies on the user device to configure the redirection settings. Three methods can enforce HDX Plug-n-Play USB device redirection policies:

● Server side. The administrator can enable or disable all device redirections for a specific user or user group using the Active Directory policies available in XenApp. The policy controls redirection of all devices and is not specific to a device. For more information, see the XenApp administration documentation.

● Plug-in side. The administrator can enable or disable all device redirection for a specific user or computer by using the group policy editor. There are two policy settings - the USB Plug-n-Play Devices policy setting controls redirection of all devices and the USB Point of Sale Devices policy setting controls POS devices only. If USB Plug-n-Play Devices allows devices to be redirected, you can use the USB Point of Sale Devices, which is a subset of USB Plug-n-Play Devices, to control only POS devices.

● Plug-in side. The user can allow or reject device redirection. When a device is going to be redirected, the permission set by the user in the Connection Center is applied (the setting applies to the current session). If the permission is set to Full Access, devices are always redirected. If the permission is set to No Access, devices are not redirected. If the permission is set to Ask Permission, a dialog box appears before redirection occurs requiring the user to make a selection. Depending on the answer, the device is redirected or not. If the user is prompted with any of the device security dialog boxes (for example, file security or audio security) and instructs the system to remember the decision, applications launched in subsequent ICA sessions load and use these settings.

This setting affects only devices plugged in after the user changes the setting. Devices that are already plugged in when the user changes the setting are unaffected by the new setting.

Important: If you prohibit Plug-n-Play USB device redirection in a server policy, the user cannot override that policy setting with the plug-in side policy.

Plug-in Group Policies

Access the plug-in policies using the Group Policy Editor available through gpedit.msc from the Start menu's Run dialog box. You can apply the policies to both users and computers. Two policies are available:

● USB Plug-n-Play Devices is the main policy that turns HDX Plug-n-Play USB device redirection on or off. Enabling redirection allows any Media Transfer Protocol (MTP), Picture Transfer Protocol (PTP), and Point of Sale (POS) device connected to the user device to be redirected in the session. The policy has three values: Not Configured, Enabled, and Disabled. The default is Not Configured, which allows redirection.

● USB Point of Sale Devices controls the redirection of POS devices and USB Plug-n-Play Devices must be Enabled to enable this policy. The policy can have three values: Not Configured, Enabled, and Disabled. The default is Not Configured, which allows redirection of POS devices.

Mapping Client Printers for More Efficiency

The Receiver supports printing to network printers and printers that are attached locally to user devices. By default, unless you create policies to change this, XenApp lets users:

● Print to all printing devices accessible from the user device

● Add printers (but it does not retain settings configured for these printers or save them for the next session)

However, these settings might not be the optimum in all environments. For example, the default setting that allows users to print to all printers accessible from the user device is the easiest to administer initially, but might create slower logon times in some environments.

Likewise, your organization’s security policies might require that you prevent users from mapping local printing ports. To do so, configure the Citrix policy Auto connect client COM ports setting to Disabled.

To change default printing settings, configure policy settings on the server. For more information, see the XenApp administration topics.

To view mapped client printers

While connected to the XenApp server, from the Start menu, choose Printers in the Control Panel.

The Printers window displays the local printers mapped to the session. When connecting to servers running Citrix Presentation Server 4.0 or 4.5 or Citrix XenApp, by default the name of the printer takes the form:

printername (from clientname) in session x

where:

● printername is the name of the printer on the user device.

● clientname is the unique name given to the user device or the Web Interface.

● x is the SessionID of the user’s session on the server.

For example, printer01 (from computer01) in session 7

When connecting to servers running Presentation Server 3.0 or earlier, or when the Legacy printer name option from the Citrix policy Client printer names setting is enabled on the server, a different naming convention is used. The name of the printer takes the form:

Client/clientname#/printername

where:

● clientname is the unique name given to the user device during client setup.

● printername is the Windows printer name. Because the Windows printer name is used and not the port name, multiple printers can share a printer port without conflict.

For more information about printing, and about managing printing using policies, see the Citrix XenApp Administrator's documentation.
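The two naming conventions described above can be parsed to recover which user device and session a mapped client printer belongs to, for example when reviewing the printer list on a server. The following is an added example, not Citrix code; the function names and the sample printer names are constructed for illustration.

```python
"""Parse XenApp session printer names to recover the client device and session."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Default form: printername (from clientname) in session x
# The printer group is greedy, so a printer name that itself contains
# parentheses, e.g. "Plotter (Copy 1)", still splits at the final "(from ...)".
DEFAULT_RE = re.compile(
    r"^(?P<printer>.+) \(from (?P<client>[^()]+)\) in session (?P<session>\d+)$"
)
# Legacy form: Client/clientname#/printername
LEGACY_RE = re.compile(r"^Client/(?P<client>[^#/]+)#/(?P<printer>.+)$")


@dataclass(frozen=True)
class ClientPrinter:
    printer: str            # name of the printer on the user device
    client: str             # client name of the user device
    session: Optional[int]  # SessionID; the legacy form does not carry one
    legacy: bool            # True when the legacy naming convention matched


def parse_session_printer(name: str) -> Optional[ClientPrinter]:
    """Return the parsed fields, or None if the name is not a mapped client printer."""
    name = name.strip()
    m = DEFAULT_RE.match(name)
    if m:
        return ClientPrinter(m["printer"], m["client"], int(m["session"]), False)
    m = LEGACY_RE.match(name)
    if m:
        return ClientPrinter(m["printer"], m["client"], None, True)
    return None


def printers_by_client(names):
    """Group mapped client printers by client name; other printers are skipped."""
    grouped = defaultdict(list)
    for name in names:
        parsed = parse_session_printer(name)
        if parsed is not None:
            grouped[parsed.client].append(parsed)
    return dict(grouped)


# Constructed sample: printer names as they might be listed on a XenApp server.
SAMPLE_NAMES = [
    "printer01 (from computer01) in session 7",
    "HP LaserJet 1018 (from computer01) in session 35",
    "Plotter (Copy 1) (from kiosk-04) in session 12",
    "Client/computer02#/Label Printer",
    "\\\\printsrv\\Floor2-Color",      # network printer, not client-mapped
    "Microsoft XPS Document Writer",  # server-local printer
]

if __name__ == "__main__":
    for client, printers in sorted(printers_by_client(SAMPLE_NAMES).items()):
        for p in printers:
            where = "legacy name" if p.legacy else f"session {p.session}"
            print(f"{client}: {p.printer} ({where})")
```

Names that match neither convention, such as network or server-local printers, return None and are left out of the grouping.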


To map a client COM port to a server COM port

Client COM port mapping allows devices attached to the COM ports of the user device to be used during sessions on a XenApp server. These mappings can be used like any other network mappings.

Important: Client COM port mapping is not supported when connecting to MetaFrame Server 1.0 and 1.1 for UNIX Operating Systems.

You can map client COM ports at the command prompt. You can also control client COM port mapping from the Terminal Services Configuration tool or using policies. See the Citrix XenApp Administrator’s documentation for more information about policies.

1. Start Receiver and log on to the XenApp server.

2. At a command prompt, type: net use comx: \\client\comz: where x is the number of the COM port on the server (ports 1 through 9 are available for mapping) and z is the number of the client COM port you want to map.

3. To confirm the operation, type: net use at a command prompt. The list that appears contains mapped drives, LPT ports, and mapped COM ports. To use this COM port in a session on a XenApp server, install your device to the mapped name. For example, if you map COM1 on the client to COM5 on the server, install your COM port device on COM5 during the session on the server. Use this mapped COM port as you would a COM port on the user device.

Important: COM port mapping is not TAPI-compatible. TAPI devices cannot be mapped to client COM ports.


Mapping Client Audio to Play Sound on the User Device

Client audio mapping enables applications executing on the XenApp server to play sounds through Windows-compatible sound devices installed on the user device. You can set audio quality on a per-connection basis on the XenApp server and users can set it on their device. If the user device and server audio quality settings are different, the lower setting is used.

Client audio mapping can cause excessive load on servers and the network. The higher the audio quality, the more bandwidth is required to transfer the audio data. Higher quality audio also uses more server CPU to process.

Important: Client sound support mapping is not supported when connecting to Citrix XenApp for UNIX.


Associating User Device File Types with Published Applications

Receiver supports HDX Plug-n-Play content redirection. Functionally equivalent to extended parameter passing, content redirection allows you to enforce all underlying file type associations from the server, eliminating the need to configure extended parameter passing on individual user devices.

To associate file types on the user device with applications published on the server, configure Plug-n-Play content redirection on the server. For more information, see the XenApp administration topics.


Using the Window Manager when Connecting to Citrix XenApp for UNIX

This topic does not apply to XenDesktop connections.

You can use the window manager to change the session display when connecting to published resources on XenApp servers for UNIX. With the window manager, users can minimize, resize, position, and close windows, as well as access full screen mode.

About Seamless Windows

In seamless window mode, published applications and desktops are not contained within a session window. Each published application and desktop appears in its own resizable window, as if it is physically installed on the user device. Users can switch between published applications and the local desktop.

You can also display seamless windows in “full screen” mode, which places the published application in a full screen-sized desktop. This mode lets you access the ctxwm menu system.

To switch between seamless and full screen modes

Press SHIFT+F2 to switch between seamless and full screen modes.

Minimizing, Resizing, Positioning, and Closing Windows

When users connect to published resources, window manager provides buttons to minimize, resize, position, and close windows. Windows are minimized as buttons on the taskbar.

When the user closes the last application in a session, the session is logged off automatically after twenty seconds.


Terminating and Disconnecting Sessions

This topic does not apply to XenDesktop connections.

In remote desktop and seamless full screen windows, you can use the ctxwm menu system to log off, disconnect, and exit from published applications and connection sessions.

To access the ctxwm menu system

1. On a blank area of the remote desktop window, click and hold down the left mouse button. The ctxwm menu appears.

2. Drag the mouse pointer over Shutdown to display the shutdown options.

To choose an option from the ctxwm menu

Drag the pointer over the required option to select it. Release the mouse button to select the option.

| To | Choose |
| --- | --- |
| Terminate the connection and all running applications | Logoff |
| Disconnect the session but leave the application running | Disconnect |
| Disconnect the session and terminate the application | Exit |

Note: The server can be configured to terminate any applications that are running if a session is disconnected.


Using ctxgrab and ctxcapture to Cut and Paste Graphics When Connected to XenApp for UNIX

If you are connected to an application published on a XenApp server for UNIX, use ctxgrab or ctxcapture to cut and paste graphics between the session and the local desktop. These utilities are configured and deployed from the server.

Important: You might need to deploy UNIX applications that are designed for use with a 3-button mouse. Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouse emulation. For more information, see the XenApp for UNIX administration documentation.

● ctxgrab

● ctxcapture


Using the ctxgrab Utility to Cut and Paste Graphics

This topic does not apply to XenDesktop connections.

The ctxgrab utility is a simple tool you use to cut and paste graphics from published applications to applications running on the local user device. This utility is available from a command prompt or, if you are using a published application, from the ctxwm window manager.

Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouse emulation. For more information, see the XenApp for UNIX administration documentation.

To access the ctxgrab utility from the window manager

● In seamless mode, right-click the ctxgrab button in the top, left-hand corner of the screen to display a menu and choose the grab option

● In full screen mode, left-click to display the ctxwm menu and choose the grab option

To copy from an application in a plug-in window to a local application

1. From the ctxgrab dialog box, click From screen.

2. To select a window, move the cursor over the window you want to copy and click the middle mouse button. To select a region, hold down the left mouse button and drag the cursor to select the area you want to copy. To cancel the selection, click the right mouse button. While dragging, click the right mouse button before releasing the left button.

3. Use the appropriate command in the local application to paste the object.


Using the ctxcapture Utility to Cut and Paste Graphics

This topic does not apply to XenDesktop connections.

The ctxcapture utility is a more fully-featured utility for cutting and pasting graphics between published applications and applications running on the local user device.

With ctxcapture you can:

● Grab dialog boxes or screen areas and copy them between an application in a Receiver window and an application running on the local user device, including non-ICCCM-compliant applications

● Copy graphics between the Receiver and the X graphics manipulation utility xv

If you are connected to a published desktop, ctxcapture is available from a command prompt. If you are connected to a published application and the administrator makes it available, you can access ctxcapture through the ctxwm window manager.

Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouse emulation. For more information, see the XenApp for UNIX administration documentation.

To access the ctxcapture utility from the window manager

Left-click to display the ctxwm menu and choose the screengrab option.


To copy from a local application to an application in a Receiver window

1. From the ctxcapture dialog box, click From screen.

2. To select a window, move the cursor over the window you want to copy and click the middle mouse button. To select a region, hold down the left mouse button and drag the cursor to select the area you want to copy. To cancel the selection, click the right mouse button. While dragging, click the right mouse button before releasing the left button.

3. From the ctxcapture dialog box, click To ICA. The xcapture button changes color to indicate that it is processing the information.

4. When the transfer is complete, use the appropriate command in the published application window to paste the information.

To copy from an application in a Receiver window to a local application

1. From the application in the Receiver window, copy the graphic.

2. From the ctxcapture dialog box, click From ICA.

3. When the transfer is complete, use the appropriate command in the local application to paste the information.

To copy from xv to an application in a Receiver window or local application

1. From xv, copy the graphic.

2. From the ctxcapture dialog box, click From xv and To ICA.

3. When the transfer is complete, use the appropriate command in the Receiver window to paste the information.

To copy from an application in a Receiver window to xv

1. From the application in the Receiver window, copy the graphic.

2. From the ctxcapture dialog box, click From ICA and To xv.

3. When the transfer is complete, use the paste command in xv.


Matching Client Names and Computer Names

The dynamic client name feature allows the client name to be the same as the computer name. When users change their computer name, the client name changes to match. This allows you to name computers to suit your naming scheme and find connections more easily when managing your server farm.

If the client name is not set to match the computer name during installation, the client name does not change when the computer name is changed.

Users enable dynamic client name support by selecting Enable Dynamic Client Name during Receiver installation.

To enable dynamic client name support during silent command line installation, the value of the property ENABLE_DYNAMIC_CLIENT_NAME must be Yes. Set the property to No to disable dynamic client name support.


DNS Name Resolution

You can configure Receivers that use the Citrix XML Service to request a Domain Name Service (DNS) name for a server instead of an IP address.

Important: Unless your DNS environment is configured specifically to use this feature, Citrix recommends that you do not enable DNS name resolution in the server farm.

Receivers connecting to published applications through the Web Interface also use the Citrix XML Service. For Receivers connecting through the Web Interface, the Web server resolves the DNS name on behalf of the Receiver.

DNS name resolution is disabled by default in the server farm and enabled by default on the Receiver. When DNS name resolution is disabled in the farm, any Receiver request for a DNS name returns an IP address. There is no need to disable DNS name resolution on Receiver.

To disable DNS name resolution for specific client devices

If you are using DNS name resolution in the server farm and are having problems with specific user devices, you can disable DNS name resolution for those devices.

Caution: Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.

1. Add a string registry key xmlAddressResolutionType to HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Application Browsing.

2. Set the value to IPv4-Port.

3. Repeat for each user of the user devices.


Using Proxy Servers with XenDesktop Connections

If you do not use proxy servers in your environment, correct the Internet Explorer proxy settings on any user devices running Internet Explorer 7.0 on Windows XP. By default, this configuration automatically detects proxy settings. If proxy servers are not used, users will experience unnecessary delays during the detection process. For instructions on changing the proxy settings, consult your Internet Explorer documentation. Alternatively, you can change proxy settings using the Web Interface. For more information, consult the Web Interface documentation.


Improving the Receiver User Experience

You can improve your users’ experiences with the following supported features:

● ClearType font smoothing

● Client-side microphone input for digital dictation

● Multiple monitor support

● Printing performance enhancements

● To set keyboard shortcuts

● 32-bit color icons

Topics that support users with the Desktop Viewer and the Desktop Lock are available at http://support.citrix.com/help/receiver/en/receiverHelpWin.htm.


ClearType Font Smoothing in Sessions

This topic does not apply to XenDesktop connections.

XenApp server supports ClearType font smoothing with Receiver for users on computers running Windows XP, Windows 7, and Windows Vista. ClearType font smoothing is set by default in Windows 7 and Windows Vista, but Standard font smoothing is set by default in Windows XP.

If you enable ClearType font smoothing on Receiver, you are not forcing the user devices to use ClearType font smoothing. You are enabling the server to support ClearType font smoothing on user devices that have it set and are using Receiver. By disabling it for sessions, you are specifying that sessions launched from that Receiver do not remote the font smoothing setting.

Receiver automatically detects the user device’s font smoothing setting and sends it to the server. The session connects using this setting. When the session is disconnected or terminated, the user's profile setting on the server is set to the original setting unless the user specifically changed it in the control panel in the session; then the server uses the new setting.

Older Receivers (plug-ins) connect using the font smoothing setting configured in that user’s profile on the server.

When ClearType font smoothing is enabled, three times more data is sent across the virtual channel, which might cause a decrease in performance.

Font smoothing must be enabled on users’ operating systems, the Receiver, the Web Interface site, and the server farm.

To enable or disable ClearType font smoothing for sessions

In Web Interface environments, use the Session Preferences task in the Citrix Web Interface Management console to enable or disable font smoothing for XenApp Web sites and the Session Options task for XenApp Services sites.


Client-Side Microphone Input

Receiver supports multiple client-side microphone input. Locally installed microphones can be used for:

● Real-time activities, such as softphone calls and Web conferences.

● Hosted recording applications, such as dictation programs.

● Video and audio recordings.

Digital dictation support is available with Receiver. For information about configuring this feature, see the administrator's documentation for Citrix XenApp or Citrix XenDesktop.

Receiver (Enterprise) users can disable their microphones by selecting No Access in the Microphones/Webcams menu choice available from the Citrix Connection Center, or from the Receiver’s system menu (for non-seamless connections). Receiver (standard) users are presented with the same dialog box automatically at the beginning of their sessions. XenDesktop users can also use the XenDesktop Viewer Preferences to disable their microphones.

Note: Selecting No Access also disables any attached Webcams.

On the user device, users control audio input and output in a single step—by selecting an audio quality level from the Options dialog box.


Configuring HDX Plug-n-Play Multi-monitor Support

Multiple monitors are fully supported by Receiver. As many as eight monitors are supported.

Each monitor in a multiple monitor configuration has its own resolution designed by its manufacturer. Monitors can have different resolutions and orientations during sessions.

Sessions can span multiple monitors in two ways:

● Full screen mode, with multiple monitors shown inside the session; applications snap to monitors as they would locally.

XenDesktop: If users access a desktop through the Citrix Desktop Lock, the desktop is displayed across all monitors. The primary monitor on the device becomes the primary monitor in the XenDesktop session. You can display the Desktop Viewer toolbar across any rectangular subset of monitors by resizing the window across any part of those monitors and pressing the Maximize button.

● Windowed mode, with one single monitor image for the session; applications do not snap to individual monitors.

XenDesktop: When any desktop in the same assignment (formerly "desktop group") is launched subsequently, the window setting is preserved and the toolbar is displayed across the same monitors. Multiple virtual desktops can be displayed on one device provided the monitor arrangement is rectangular. If the primary monitor on the device is used by the XenDesktop session, it becomes the primary monitor in the session. Otherwise, the numerically lowest monitor in the session becomes the primary monitor.

To enable multi-monitor support, ensure the following:

● The user device must have a single video board that can support connections to more than one monitor or multiple video boards compatible with the Receiver on the appropriate platform.

● The user device operating system must be able to detect each of the monitors. On Windows platforms, to verify that this detection occurs, on the user device, view the Settings tab in the Display Settings dialog box and confirm that each monitor appears separately.

● After your monitors are detected:

● XenDesktop: Configure the graphics memory limit using the Citrix Machine Policy setting Display memory limit.

● XenApp: Depending on the version of the XenApp server you have installed:

● Configure the graphics memory limit using the Citrix Computer Policy setting Display memory limit.

● From the Citrix management console for the XenApp server, select the farm and in the task pane, select Modify Server Properties > Modify all properties > Server Default > HDX Broadcast > Display (or Modify Server Properties > Modify all properties > Server Default > ICA > Display) and set the Maximum memory to use for each session’s graphics.

Ensure the setting is large enough (in kilobytes) to provide sufficient graphic memory. If this setting is not high enough, the published resource is restricted to the subset of the monitors that fits within the size specified.

For information about calculating the session's graphic memory requirements for XenApp and XenDesktop, see ctx115637.


Printing Performance

Printing performance can play a vital role in your users’ experiences. The printing configuration you create affects these aspects of the user’s experience:

● User ease and comfort level

● Logon times

● Ability to print to a nearby printer when traveling or when moving between client devices in a building

You configure printer policy settings on the server.

User Ease and Comfort Level

In environments with novice users, consider changing the following potentially confusing default printing behaviors:

● Printer names change at the start of each session. When, by default, client printers are auto-created, the printer name is appended with the name of the user device and session. For example, auto-created client printers appear in the Print dialog box with a name like HP LaserJet 1018 (from clientname) in session 35.

To resolve this problem, you can either reduce the number of printers auto-created or provision printers using another method. To control printer auto-creation, configure the Citrix policy setting Auto-create client printers and select one of the following options:

● Do not auto-create client printers. Client printers are not auto-created.

● Auto-create the client’s default printer only. Only the client’s default printer attached to or mapped from the client preconfigured in the Control Panel is auto-created in the session.

● Auto-create local (non-network) client printers only. Any non-network printers attached to the client device preconfigured in the Control Panel are auto-created in the session.

● Auto-create all client printers. All network printers and any printers attached to or mapped from the user device preconfigured in the Control Panel are auto-created in the session.

● If many printers are installed by default on user devices, your users might be confused by the large number of available printers. You can limit the printers that appear to them in sessions.

● HDX Plug-n-Play Universal Printer uses a nonstandard printing dialog box. If your users have trouble learning new features on their own, you might not want to use the Universal Printer as the default printer in a session. The user interface for this printer is slightly different from the standard Windows print dialog box.

Logon Times

The printing configuration you select can impact how long it takes users to start a session. When Receiver is configured to provision printers by creating them automatically at the beginning of each session, it increases the amount of time to build the session environment. In this case, Receiver has to rebuild every printer found on the user device. You can decrease logon time by specifying any of the following on the XenApp server:

● Auto-create only the Universal Printer. This is done automatically when you configure the Universal Printer.

● Auto-create only the default printer for the client device by using the Auto-create client printers policy setting.

● Do not auto-create any client printers through the Auto-create client printers policy setting and route print jobs to network printers by configuring the Session printers policy setting.

Configuring Printers for Mobile Workers

If you have users who move among workstations in the same building (for example, in a hospital setting) or move among different offices, you might want to configure Proximity Printing. The Proximity Printing solution ensures that the closest printer is presented to the users in their sessions, even when they change user devices during a session.


To override the printer settings configured on the server

To improve printing performance, you can configure various printing policy settings on the server:

● Universal printing optimization defaults

● Universal printing EMF processing mode

● Universal printing image compression limit

● Universal printing print quality limit

● Printer driver mapping and compatibility

● Session printers

If you enabled Allow non-admins to modify these settings in the Universal printing optional defaults policy setting on the server, users on their user devices can override the Image Compression and Image and Font Caching options specified in that policy setting.

To override the printer settings on the user device

1. From the Print menu available from an application on the user device, choose Properties.

2. On the Client Settings tab, click Advanced Optimizations and make changes to the Image Compression and Image and Font Caching options.


To set keyboard shortcuts

You can configure combinations of keys that Receiver interprets as having special functionality. When the keyboard shortcuts policy is enabled, you can specify Citrix Hotkey mappings, behavior of Windows hotkeys, and keyboard layout for sessions.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > User Experience > Keyboard shortcuts. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties, select Enabled, and choose the desired options.


Keyboard Input in XenDesktop Sessions

Note the following about how keyboard combinations are processed in XenDesktop sessions:

● Windows logo key+L is directed to the local computer.

● CTRL+ALT+DELETE is directed to the local computer except in some cases if you use the Citrix Desktop Lock.

● Key presses that activate StickyKeys, FilterKeys, and ToggleKeys (Microsoft accessibility features) are normally directed to the local computer.

● As an accessibility feature of the Desktop Viewer, pressing CTRL+ALT+BREAK displays the Desktop Viewer toolbar buttons in a pop-up window.

● Windows key combinations (for example, CTRL+ESC and ALT+TAB) are directed according to the settings that your helpdesk has selected. For more information, see the table below.

Note: By default, if the Desktop Viewer is maximized, ALT+TAB switches focus between windows inside the session. If the Desktop Viewer is displayed in a window, ALT+TAB switches focus between windows outside the session.

Hotkey sequences are key combinations designed by Citrix. For example, the CTRL+F1 sequence reproduces CTRL+ALT+DELETE, and SHIFT+F2 switches applications between full-screen and windowed mode. You cannot use hotkey sequences with virtual desktops displayed in the Desktop Viewer (that is, with XenDesktop sessions), but you can use them with published applications (that is, with XenApp sessions).

The table shows the remoting behavior of other Windows key combinations. The behavior depends on whether a Desktop Viewer or a Desktop Lock session is used, and is controlled by the Local resources setting, available from the Session Options task on the XenDesktop site. XenApp settings are also shown for reference. For more information on configuring this setting, see the Web Interface documentation.

| With Local resources set to | Desktop Viewer sessions have this behavior | Desktop Lock sessions have this behavior | XenApp (or disabled Desktop Viewer) sessions have this behavior |
| --- | --- | --- | --- |
| Full screen desktops only | Key combinations are sent to the remote, virtual desktop only if the Desktop Viewer window has focus and is maximized (full-screen). | Key combinations are always sent to the remote, virtual desktop. | Key combinations are sent to the remote XenApp server if the session is maximized (full-screen). |
| Remote desktop | Key combinations are sent to the remote, virtual desktop only if the Desktop Viewer window has focus. | Key combinations are always sent to the remote, virtual desktop. | Key combinations are sent to the remote XenApp server if the session or application has focus. |
| Local desktop | Key combinations are always kept on the local user device. | Key combinations are always kept on the local user device. Citrix does not recommend setting Local resources to Local desktop if the Desktop Lock is used. | Key combinations are always kept on the local user device. |


Receiver Support for 32-Bit Color Icons

Receiver supports high color icons (32x32 bit) and automatically selects the color depth for applications visible in the Citrix Connection Center dialog box, the Start menu, and task bar to provide for seamless applications.

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

To set a preferred depth, you can add a string registry key named TWIDesiredIconColor to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Preferences and set it to the desired value. The possible color depths for icons are 4, 8, 16, 24, and 32 bits-per-pixel. The user can select a lower color depth for icons if the network connection is slow.


Connecting to Virtual Desktops

From within a desktop session, users cannot connect to the same virtual desktop. Attempting to do so will disconnect the existing desktop session. Therefore, Citrix recommends:

● Administrators should not configure the clients on a desktop to point to a site that publishes the same desktop

● Users should not browse to a site that hosts the same desktop if the site is configured to automatically reconnect users to existing sessions

● Users should not browse to a site that hosts the same desktop and try to launch it

Be aware that a user who logs on locally to a computer that is acting as a virtual desktop blocks connections to that desktop.

If your users connect to virtual applications (published with XenApp) from within a virtual desktop and your organization has a separate XenApp administrator, Citrix recommends working with them to define device mapping such that desktop devices are mapped consistently within desktop and application sessions. Because local drives are displayed as network drives in desktop sessions, the XenApp administrator needs to change the drive mapping policy to include network drives.


Securing Your Connections

To maximize the security of your environment, the connections between Receiver and the resources you publish must be secured. You can configure various types of authentication for your Receiver software, including enabling certificate revocation list checking, enabling smart card support, and using Security Support Provider Interface/Kerberos Pass-Through Authentication.

Windows NT Challenge/Response (NTLM) Support for Improved Security

Windows NT Challenge/Response (NTLM) authentication is supported by default on computers running Windows NT, Windows 2000, Windows XP, Windows 7, Windows Vista, Windows Server 2003, and Windows Server 2008.


To enable certificate revocation list checking for improved security with Receiver (CitrixReceiver.exe)

When certificate revocation list (CRL) checking is enabled, Receiver checks whether or not the server’s certificate is revoked. By forcing Receiver to check this, you can improve the cryptographic authentication of the server and the overall security of the SSL/TLS connections between a user device and a server.

You can enable several levels of CRL checking. For example, you can configure Receiver to check only its local certificate list or to check the local and network certificate lists. In addition, you can configure certificate checking to allow users to log on only if all CRLs are verified.

Important: This option is available only with the standard Receiver (CitrixReceiver.exe) and not Receiver (Enterprise).

If you are making this change on a local computer, exit Receiver if it is running. Make sure all Receiver components, including the Connection Center, are closed.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for the Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties and select Enabled.

8. From the CRL verification drop-down menu, select one of the options.

● Disabled. No certificate revocation list checking is performed.


● Only check locally stored CRLs. CRLs that were installed or downloaded previously are used in certificate validation. Connection fails if the certificate is revoked.

● Require CRLs for connection. CRLs locally and from relevant certificate issuers on the network are checked. Connection fails if the certificate is revoked or not found.

● Retrieve CRLs from network. CRLs from the relevant certificate issuers are checked. Connection fails if the certificate is revoked.

If you do not set CRL verification, it defaults to Only check locally stored CRLs.
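To compare the four options when a CRL is missing or the issuer cannot be reached, the following added example models the option descriptions above in Python. It is not Citrix code: the certificate names, serial numbers, and the treatment of an unobtainable CRL as "no information" in every mode except Require CRLs for connection are assumptions drawn from the wording of the list.

```python
"""Added example: a model of the four CRL verification levels listed above.

This is not Receiver code. It follows the wording of the option list and
treats a CRL that cannot be obtained as "no information" in every mode
except "Require CRLs for connection" (an assumption drawn from that wording).
"""
from dataclasses import dataclass
from enum import Enum


class CrlMode(Enum):
    DISABLED = "Disabled"
    LOCAL_ONLY = "Only check locally stored CRLs"   # the default when unset
    NETWORK = "Retrieve CRLs from network"
    REQUIRE = "Require CRLs for connection"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


def check_chain(mode, chain, local_crls, network_crls, network_up=True):
    """Return (allowed, reason) for a server certificate chain.

    local_crls and network_crls map an issuer name to the set of serial
    numbers that issuer has revoked. A missing key means no CRL from that
    source; network_up=False means no issuer can be reached at all.
    """
    if mode is CrlMode.DISABLED:
        return True, "revocation not checked"
    for cert in chain:
        found = []
        # The list above mentions local CRLs for LOCAL_ONLY and REQUIRE only.
        if mode in (CrlMode.LOCAL_ONLY, CrlMode.REQUIRE):
            if cert.issuer in local_crls:
                found.append(local_crls[cert.issuer])
        # Issuer CRLs from the network are mentioned for NETWORK and REQUIRE.
        if mode in (CrlMode.NETWORK, CrlMode.REQUIRE) and network_up:
            if cert.issuer in network_crls:
                found.append(network_crls[cert.issuer])
        if any(cert.serial in revoked for revoked in found):
            return False, f"{cert.subject}: revoked"
        if mode is CrlMode.REQUIRE and not found:
            return False, f"{cert.subject}: no CRL found"
    return True, "no revocation found"


# Constructed sample: the leaf certificate was revoked by its issuer, but the
# user device has never downloaded that issuer's CRL.
CHAIN = [
    Cert("relay.test.example", "Example Issuing CA", 0x1001),
    Cert("Example Issuing CA", "Example Root CA", 0x20),
]
LOCAL_CRLS = {"Example Root CA": set()}
NETWORK_CRLS = {"Example Issuing CA": {0x1001}, "Example Root CA": set()}


def outcome_matrix():
    """Map (mode name, network state) to the (allowed, reason) decision."""
    results = {}
    for mode in CrlMode:
        for net_state, up in (("online", True), ("offline", False)):
            results[(mode.name, net_state)] = check_chain(
                mode, CHAIN, LOCAL_CRLS, NETWORK_CRLS, up
            )
    return results


if __name__ == "__main__":
    for (mode, net), (allowed, reason) in outcome_matrix().items():
        verdict = "CONNECT" if allowed else "FAIL"
        print(f"{mode:<10} {net:<8} {verdict:<8} {reason}")
```

In this model only Require CRLs for connection refuses the connection when no CRL can be obtained. The default setting accepts the revoked certificate because the device holds no cached CRL from its issuer.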


Smart Card Support for Improved Security

You must use Receiver (Enterprise) for Smart Card support.

Receiver smart card support is based on Microsoft Personal Computer/Smart Card (PC/SC) standard specifications. Receiver supports only smart cards and smart card devices that are, themselves, supported by the underlying Windows operating system. A discussion of security issues related to PC/SC standards compliance is beyond the scope of this document.

Enabling smart card support for Receiver is done through the Web Interface. For more information, see the Web Interface documentation.

Note: Microsoft strongly recommends that only smart card readers tested and approved by the Microsoft Windows Hardware Quality Lab (WHQL) be used on computers running qualifying Windows operating systems. See http://www.microsoft.com for additional information about hardware PC/SC compliance.

Receiver does not control smart card PIN management. PIN management is controlled by the cryptographic service provider for your cards.


To enable pass-through authentication when sites are not in Trusted Sites or Intranet zones

Your users might require pass-through authentication to the server using their user logon credentials but cannot add sites to the Trusted Sites or Intranet zones. Enable this setting to allow pass-through authentication on all but Restricted sites.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > User authentication > Local user name and password. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Local user name and password Properties menu, select Enabled, and then select the Enable pass-through authentication and Allow pass-through authentication for all ICA connections check boxes.


Using Security Support Provider Interface/Kerberos Pass-Through Authentication for Improved Security

This topic does not apply to XenDesktop connections.

Rather than sending user passwords over the network, Kerberos pass-through authentication leverages Kerberos authentication in combination with Security Support Provider Interface (SSPI) security exchange mechanisms. Kerberos is an industry-standard network authentication protocol built into Microsoft Windows operating systems.

Kerberos logon offers security-minded users or administrators the convenience of pass-through authentication combined with secret-key cryptography and data integrity provided by industry-standard network security solutions. With Kerberos logon, the Receiver does not need to handle the password and thus prevents Trojan horse-style attacks on the user device to gain access to users’ passwords.

Users can log on to the user device with any authentication method; for example, a biometric authenticator such as a fingerprint reader, and still access published resources without further authentication.

System requirements. Kerberos logon requires Citrix Presentation Server 3.0, 4.0, or 4.5, Citrix XenApp 5.0, 6.x and Citrix Presentation Server Clients for Windows 8.x, 9.x, 10.x, XenApp Hosted Plug-in 11.x, online plug-in 12.0, 12.1, or Receiver 3.x. Kerberos works only between Client/plug-ins/Receiver and servers that belong to the same or to trusted Windows 2000, Windows Server 2003, or Windows Server 2008 domains. Servers must also be trusted for delegation, an option you configure through the Active Directory Users and Computers management tool.

Kerberos logon is not available in the following circumstances:

● Connections configured with any of the following options in Remote Desktop Services (formerly known as Terminal Services) Configuration:

● On the General tab, the Use standard Windows authentication option

● On the Logon Settings tab, the Always use the following logon information option or the Always prompt for password option

● Connections you route through the Secure Gateway

● If the server requires smart card logon

● If the authenticated user account requires a smart card for interactive logon

Important: SSPI requires XML Service DNS address resolution to be enabled for the server farm, or reverse DNS resolution to be enabled for the Active Directory domain. For more information, see the Citrix XenApp administrator documentation.


Configuring Kerberos Authentication

Receiver, by default, is not configured to use Kerberos authentication when logging on to the server. You can set the Receiver configuration to use Kerberos with pass-through authentication or Kerberos with smart card pass-through authentication.

To use Kerberos authentication for your connections, you can either specify Kerberos using a command line installation or configure Receiver using the Group Policy Editor. See the Microsoft Group Policy documentation for more information about editing .adm files.


To configure Kerberos with pass-through authentication

This topic does not apply to XenDesktop connections.

Use Kerberos with pass-through authentication if you want to use Kerberos with Receiver.

When Receiver configurations are set to use Kerberos with pass-through authentication, Receiver uses Kerberos authentication first and uses pass-through authentication if Kerberos fails.

The user cannot disable this Receiver configuration from the user interface.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates, navigate through Citrix Components > Citrix Receiver > User authentication, double click Kerberos authentication and select Enabled. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > User authentication > Local user name and password. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

8. From the Action menu, choose Properties and select Enabled > Enable pass-through authentication.

To apply the setting, close and restart Receiver on the user device.


Securing Citrix Receiver Communication

To secure the communication between your server farm and Receiver, you can integrate your Receiver connections to the server farm with a range of security technologies, including:

● Citrix Access Gateway. For information about configuring Access Gateway with Receiver Storefront, refer to the "Manage" topics in the Receiver Storefront documentation in eDocs. For information about configuring Access Gateway or Secure Gateway with Web Interface, refer to topics in this section.

● A SOCKS proxy server or secure proxy server (also known as security proxy server, HTTPS proxy server, or SSL tunneling proxy server). You can use proxy servers to limit access to and from your network and to handle connections between Receiver and servers. Receiver supports SOCKS and secure proxy protocols.

● SSL Relay solutions with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

● A firewall. Network firewalls can allow or block packets based on the destination address and port. If you are using Receiver through a network firewall that maps the server's internal network IP address to an external Internet address (that is, network address translation, or NAT), configure the external address.

● Trusted server configuration.

Note: For information about increasing security in application streaming for desktops, see the Citrix Knowledge Base article Enhancing Security in Application Streaming for Desktops.


Support for Microsoft Security Templates

Receiver is compatible with and functions in environments where the Microsoft Specialized Security - Limited Functionality (SSLF) desktop security templates are used. These templates are supported on the Microsoft Windows XP, Windows Vista, and Windows 7 platforms. Refer to the Windows XP, Windows Vista, and Windows 7 security guides available at http://technet.microsoft.com for more information about the templates and related settings.


Connecting with Access Gateway Enterprise Edition

This topic applies only to deployments using the Web Interface.

Configure the XenApp Services site for the Receiver to support connections from an Access Gateway connection.

1. In the XenApp Services site, select Manage secure client access > Edit secure client access settings.

2. Change the Access Method to Gateway Direct.

3. Enter the FQDN of the Access Gateway appliance.

4. Enter the Secure Ticket Authority (STA) information.


To configure the Access Gateway appliance

1. Configure authentication policies to authenticate users connecting to the Access Gateway by using the Access Gateway Plug-in. Bind each authentication policy to a virtual server.

● If double-source authentication is required (such as RSA SecurID and Active Directory), RSA SecurID authentication must be the primary authentication type. Active Directory authentication must be the secondary authentication type.

● RSA SecurID uses a RADIUS server to enable token authentication.

● Active Directory authentication can use either LDAP or RADIUS.

Test a connection from a user device to verify that the Access Gateway is configured correctly in terms of networking and certificate allocation.

2. Create a session policy on the Access Gateway to allow incoming XenApp connections from the Receiver, and specify the location of your newly created XenApp Services site.

● Create a new session policy to identify that the connection is from the Receiver. As you create the session policy, configure the following expression and select Match All Expressions as the operator for the expression:

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver


● In the associated profile configuration for the session policy, on the Security tab, set Default Authorization to Allow.

On the Published Applications tab, if this is not a global setting (you selected the Override Global check box), ensure the ICA Proxy field is set to ON.

In the Web Interface Address field, enter the URL including the config.xml for the XenApp Services site that the device users use, such as http://XenAppServerName/Citrix/PNAgent/config.xml or http://XenAppServerName/CustomPath/config.xml.

● Bind the session policy to a virtual server.

● Create authentication policies for RADIUS and Active Directory.

● Bind the authentication policies to the virtual server.

Important: If the server certificate used on the Access Gateway is part of a certificate chain (with an intermediate certificate), make sure that the intermediate certificates are also installed correctly on the Access Gateway. For information about installing certificates, see the Access Gateway documentation.


Connecting with Access Gateway 5.0

This topic applies only to deployments using the Web Interface.

Access Gateway setup requires that you configure a basic or a SmartAccess logon point on Access Gateway and use the Web address for the XenApp Services site.

Before you configure a logon point, install the Web Interface and verify that it is communicating with the network. When you configure a logon point, you must also configure at least one Secure Ticket Authority (STA) server and ICA Access Control in Access Gateway. For more information, expand Access Gateway 5.0 in eDocs, and locate the topic To configure Access Gateway to use the Secure Ticket Authority.


To configure the Access Gateway 5.0 appliance

1. Configure Authentication profiles to authenticate users connecting to the Access Gateway using the Receiver.

● If double source authentication is required (such as Active Directory and RSA SecurID), Active Directory authentication must be the primary authentication type. RSA SecurID authentication must be the secondary authentication type.

● RSA SecurID can use either RADIUS or an sdconf.rec file to enable token authentication.

● You can configure Active Directory authentication on Access Controller. You can use Active Directory on the Access Gateway appliance by using either an LDAP or RADIUS authentication profile.

Test a connection from a user device to verify that the Access Gateway is configured correctly in terms of networking and certificate allocation.

2. To establish communication with XenApp servers and the Web Interface, configure the Access Gateway with STA servers and the ICA Access Control list on Access Gateway. For more information, see the Access Gateway section of eDocs.

3. Configure logon points on the Access Gateway. Configure the Access Gateway to allow incoming XenApp connections from the Receiver, and specify the location of your Web Interface site.

a. In the Access Gateway Management Console, click Management.

b. Under Access Control, click Logon Points > New.

c. In the Logon Points Properties dialog box, in Name, type a unique name for the logon point.

d. Select the Type:

● For a Basic logon point, in the Web Interface field, type the fully qualified domain name (FQDN) of the Web Interface, such as http://xenapp.domain.com/citrix/apps. You cannot configure a SmartGroup with a basic logon point. Select the authentication type, or click Authenticate with the Web Interface.

If you select Authenticate with the Web Interface, when users type the URL to Access Gateway and enter credentials, the credentials are passed to the Web Interface for authentication.

● For a SmartGroup to use the settings in a SmartAccess logon point, you must select the logon point within the SmartGroup. Select the authentication profiles. If you configure a SmartAccess logon point, Access Gateway authenticates users. You cannot configure authentication by using the Web Interface.

If you select Single Sign-on to Web Interface, users do not have to log on to the Web Interface after logging on to the Access Gateway. If not selected, users must log on to both the Access Gateway and Web Interface.


e. Under Applications and Desktops, click Secure Ticket Authority and add the STA details. Make sure the STA information is the same as the Web Interface site.

f. Finally, under Applications and Desktops, click XenApp or XenDesktop to add the ICA control list (required for Access Gateway 5.0). For more information, expand Access Gateway 5.0 in eDocs, and locate To configure ICA Access Control.

Important: If the server certificate used on the Access Gateway is part of a certificate chain (with an intermediate certificate), make sure that the intermediate certificates are also installed correctly on the Access Gateway. For information about installing certificates, see the Access Gateway section on Configuring Intermediate Certificates.


To configure Access Controller

1. Configure Authentication profiles to authenticate users connecting to the Access Gateway using the Receiver.

● If double source authentication is required (such as Active Directory and RSA SecurID), Active Directory authentication must be the primary authentication type. RSA SecurID authentication must be the secondary authentication type.

● RSA SecurID can use either RADIUS or an sdconf.rec file to enable token authentication.

● You can configure Active Directory authentication on Access Controller. You can use Active Directory on the Access Gateway appliance by using either an LDAP or RADIUS authentication profile.

Test a connection from a user device to verify that the Access Gateway is configured correctly in terms of networking and certificate allocation.

2. To establish communication with XenApp servers and the Web Interface, configure Access Controller to recognize the servers. Configure Access Controller to allow incoming XenApp connections from the Receiver and specify the location of your Web Interface site.

a. In the Deliver Services Console, expand Citrix Resources > Access Gateway, and then click the Access Controller on which you want to create the Web resource.

b. Expand Resources, click Web Resources, and then under Common tasks, click Create Web resource. In the wizard, enter a unique name. On the New Web Address page, enter the Web address URL of the XenApp Web site.

c. In Application type, select Citrix Web Interface and click the Enable Single Sign-on check box.

d. After you click OK, click Publish for users in their list of resources, and then in Home page, enter the URL of the XenApp Web Site, such as http://xenapp.domain.com/citrix/apps, and finish the wizard.

e. In the navigation pane, click Logon Points, click Create logon point, and in the wizard, enter a unique name, and select the type:

● For a Basic logon point, in the Web Interface field, type the fully qualified domain name (FQDN) of the Web Interface, such as http://xenapp.domain.com/citrix/apps. Select the Home page, and then select the authentication profile. Leave the remaining options as default values, and click Enable this logon point check box at the end of the wizard.

● For a SmartAccess logon point, on Select Home Page, select the Display the Web resource with the highest priority. Click Set Display Order, and move the Web Interface Web resource to the top.

Select the Authentication Profiles for both authentication and group extraction. Leave the remaining options as default values, and click Enable this logon point check box at the end of the wizard.

f. In the navigation pane, under Policies > Access Policies, select Create access policy and on the Select Resources page, expand Web Resources to select the Web Interface web resource.

g. In Configure Policy Settings, select the settings, click Enable this policy to control this setting, and select Extended access, unless denied by another policy. Add the users allowed to access this resource and finish the wizard.

h. In the navigation pane, under Access Gateway appliances, select Edit Access Gateway appliance properties, click Secure Ticket Authority and add the STA details. Make sure the STA information is the same as the Web Interface site.

i. Finally, click ICA Access Control to add the ICA control list (required for Access Gateway 5.0). For more information, expand Access Gateway 5.0 in eDocs, and locate To configure ICA Access Control in the Access Controller documentation.

Important: If the server certificate used on the Access Gateway is part of a certificate chain (with an intermediate certificate), make sure that the intermediate certificates are also installed correctly on the Access Gateway. For information about installing certificates, see the Access Gateway section on Configuring Intermediate Certificates.


Connecting with Secure Gateway

This topic applies only to deployments using the Web Interface.

You can use the Secure Gateway in either Normal mode or Relay mode to provide a secure channel for communication between Receiver and the server. No Receiver configuration is required if you are using the Secure Gateway in Normal mode and users are connecting through the Web Interface.

Receiver uses settings that are configured remotely on the server running the Web Interface to connect to servers running the Secure Gateway. See the topics for the Web Interface for information about configuring proxy server settings for Receiver.

If the Secure Gateway Proxy is installed on a server in the secure network, you can use the Secure Gateway Proxy in Relay mode. See the topics for the Secure Gateway for more information about Relay mode.

If you are using Relay mode, the Secure Gateway server functions as a proxy and you must configure Receiver to use:

● The fully qualified domain name (FQDN) of the Secure Gateway server.

● The port number of the Secure Gateway server. Note that Relay mode is not supported by Secure Gateway Version 2.0.

The FQDN must list, in sequence, the following three components:

● Host name

● Intermediate domain

● Top-level domain

For example: my_computer.my_company.com is an FQDN, because it lists, in sequence, a host name (my_computer), an intermediate domain (my_company), and a top-level domain (com). The combination of intermediate and top-level domain (my_company.com) is generally referred to as the domain name.


Connecting the Citrix Receiver through a Proxy Server

Proxy servers are used to limit access to and from your network, and to handle connections between Receivers and servers. Receiver supports SOCKS and secure proxy protocols.

When communicating with the server farm, Receiver uses proxy server settings that are configured remotely on the server running Receiver for Web or the Web Interface. For information about proxy server configuration, refer to Receiver Storefront or Web Interface documentation.

In communicating with the Web server, Receiver uses the proxy server settings that are configured through the Internet settings of the default Web browser on the user device. You must configure the Internet settings of the default Web browser on the user device accordingly.


Connecting with Secure Sockets Layer Relay

You can integrate Receiver with the Secure Sockets Layer (SSL) Relay service. Receiver supports both SSL and TLS protocols.

● SSL provides strong encryption to increase the privacy of your ICA connections and certificate-based server authentication to ensure the server you are connecting to is a genuine server.

● TLS (Transport Layer Security) is the latest, standardized version of the SSL protocol. The Internet Engineering Taskforce (IETF) renamed it TLS when it took over responsibility for the development of SSL as an open standard. TLS secures data communications by providing server authentication, encryption of the data stream, and message integrity checks. Because there are only minor technical differences between SSL Version 3.0 and TLS Version 1.0, the certificates you use for SSL in your software installation will also work with TLS. Some organizations, including U.S. government organizations, require the use of TLS to secure data communications. These organizations may also require the use of validated cryptography, such as FIPS 140 (Federal Information Processing Standard). FIPS 140 is a standard for cryptography.


Connecting with Citrix SSL Relay

By default, Citrix SSL Relay uses TCP port 443 on the XenApp server for SSL/TLS-secured communication. When the SSL Relay receives an SSL/TLS connection, it decrypts the data before redirecting it to the server, or, if the user selects SSL/TLS+HTTPS browsing, to the Citrix XML Service.

If you configure SSL Relay to listen on a port other than 443, you must specify the nonstandard listening port number to the plug-in.

You can use Citrix SSL Relay to secure communications:

● Between an SSL/TLS-enabled client and a server. Connections using SSL/TLS encryption are marked with a padlock icon in the Citrix Connection Center.

● With a server running the Web Interface, between the XenApp server and the Web server.

For information about configuring and using SSL Relay to secure your installation, see the Citrix XenApp administrator’s documentation. For information about configuring the server running the Web Interface to use SSL/TLS encryption, see the Web Interface administrator’s documentation.


User Device Requirements

In addition to the System Requirements, you also must ensure that:

● The user device supports 128-bit encryption

● The user device has a root certificate installed that can verify the signature of the Certificate Authority on the server certificate

● Receiver is aware of the TCP listening port number used by the SSL Relay service in the server farm

● Any service packs or upgrades that Microsoft recommends are applied

If you are using Internet Explorer and you are not certain about the encryption level of your system, visit the Microsoft Web site at http://www.microsoft.com to install a service pack that provides 128-bit encryption.

Important: Receiver supports certificate key lengths of up to 4096 bits. Ensure that the bit lengths of your Certificate Authority root and intermediate certificates, and those of your server certificates, do not exceed the bit length your Receiver supports or connection might fail.


To apply a different listening port number for all connections

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the plug-in Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties, select Enabled, and type a new port number in the Allowed SSL servers text box in the following format: server:SSL relay port number where SSL relay port number is the number of the listening port. You can use a wildcard to specify multiple servers. For example, *.Test.com:SSL relay port number matches all connections to Test.com through the specified port.


To apply a different listening port number to particular connections only

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already added the icaclient template to the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties, select Enabled, and type a comma-separated list of trusted servers and the new port number in the Allowed SSL servers text box in the following format: servername:SSL relay port number,servername:SSL relay port number where SSL relay port number is the number of the listening port. You can specify a comma-separated list of specific trusted SSL servers similar to this example:

csghq.Test.com:443,fred.Test.com:443,csghq.Test.com:444

which translates into the following in an example appsrv.ini file:

[Word]
SSLProxyHost=csghq.Test.com:443

[Excel]
SSLProxyHost=csghq.Test.com:444

[Notepad]
SSLProxyHost=fred.Test.com:443
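The relationship between the Allowed SSL servers value and the per-application SSLProxyHost entries can be checked mechanically. The following Python script is an added example, not Citrix code: it parses the policy value shown above and reports which SSLProxyHost entries in an appsrv.ini file fall outside it. The case-insensitive, fnmatch-style wildcard matching, the treatment of a missing port as 443, and the [Legacy] section in the sample are assumptions made for illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Policy value taken from the example on this page.
ALLOWED_SSL_SERVERS = "csghq.Test.com:443,fred.Test.com:443,csghq.Test.com:444"

# Constructed appsrv.ini content: the three sections from this page plus a
# hypothetical [Legacy] section that points at a relay not on the list.
APPSRV_INI = """\
[Word]
SSLProxyHost=csghq.Test.com:443

[Excel]
SSLProxyHost=csghq.Test.com:444

[Notepad]
SSLProxyHost=fred.Test.com:443

[Legacy]
SSLProxyHost=relay.Other.com:443
"""

DEFAULT_RELAY_PORT = 443  # SSL Relay default port; assumed when none is given


def split_host_port(value):
    """Split 'server:port' into (lower-cased host, int port)."""
    value = value.strip()
    if not value:
        raise ValueError("empty server:port value")
    host, sep, port = value.rpartition(":")
    if not sep:
        return value.lower(), DEFAULT_RELAY_PORT
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed server:port value: {value!r}")
    return host.lower(), int(port)


def parse_allowed(policy_value):
    """Turn the comma-separated policy value into (host_pattern, port) pairs."""
    return [split_host_port(item) for item in policy_value.split(",") if item.strip()]


def is_allowed(target, allowed):
    """True when target matches an allowed host pattern on the same port."""
    host, port = split_host_port(target)
    # Assumption: '*' behaves like a shell wildcard and matching ignores case.
    return any(port == p and fnmatchcase(host, pattern) for pattern, p in allowed)


def audit_appsrv(ini_text, policy_value):
    """Map each section that sets SSLProxyHost to (value, allowed?)."""
    allowed = parse_allowed(policy_value)
    cfg = configparser.ConfigParser(
        interpolation=None,    # values may contain '%'
        strict=False,          # tolerate duplicate sections and keys
        allow_no_value=True,   # tolerate keys without '='
    )
    cfg.read_string(ini_text)
    results = {}
    for section in cfg.sections():
        target = cfg.get(section, "SSLProxyHost", fallback=None)
        if target:
            results[section] = (target, is_allowed(target, allowed))
    return results


if __name__ == "__main__":
    for section, (target, ok) in audit_appsrv(APPSRV_INI, ALLOWED_SSL_SERVERS).items():
        print(f"[{section}] {target}: {'allowed' if ok else 'NOT on Allowed SSL servers list'}")
```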


Configuring and Enabling Receivers for SSL and TLS

SSL and TLS are configured in the same way, use the same certificates, and are enabled simultaneously.

When SSL and TLS are enabled, each time you initiate a connection, Receiver tries to use TLS first and then tries SSL. If it cannot connect with SSL, the connection fails and an error message appears.

To force Receiver to connect with TLS, you must specify TLS on the Secure Gateway server or SSL Relay service. See the topics for the Secure Gateway or your SSL Relay service documentation for more information.

In addition, make sure the user device meets all system requirements.

To use SSL/TLS encryption for all Receiver communications, configure the user device, Receiver, and, if using Web Interface, the server running the Web Interface. For information about securing Receiver Storefront communications, refer to topics under "Secure" in the Receiver Storefront documentation in eDocs.


Installing Root Certificates on the User Devices

To use SSL/TLS to secure communications between an SSL/TLS-enabled Receiver and the server farm, you need a root certificate on the user device that can verify the signature of the Certificate Authority on the server certificate.

Receiver supports the Certificate Authorities that are supported by the Windows operating system. The root certificates for these Certificate Authorities are installed with Windows and managed using Windows utilities. They are the same root certificates that are used by Microsoft Internet Explorer.

If you use your own Certificate Authority, you must obtain a root certificate from that Certificate Authority and install it on each user device. This root certificate is then used and trusted by both Microsoft Internet Explorer and Receiver.

You might be able to install the root certificate using other administration or deployment methods, such as:

● Using the Microsoft Internet Explorer Administration Kit (IEAK) Configuration Wizard and Profile Manager

● Using third-party deployment tools

Make sure that the certificates installed by your Windows operating system meet the security requirements for your organization or use the certificates issued by your organization’s Certificate Authority.


To configure Web Interface to use SSL/TLS for Receiver

1. To use SSL/TLS to encrypt application enumeration and launch data passed between Receiver and the server running the Web Interface, configure the appropriate settings using the Web Interface. You must include the computer name of the XenApp server that is hosting the SSL certificate.

2. To use secure HTTP (HTTPS) to encrypt the configuration information passed between Receiver and the server running the Web Interface, enter the server URL in the format https://servername. In the Windows notification area, right-click the Receiver icon and choose Preferences.

3. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.


To configure TLS support

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by running gpedit.msc locally from the Start menu when applying this to a single computer or by using the Group Policy Management Console when using Active Directory.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification.

7. From the Action menu, choose Properties, select Enabled, and from the drop-down menus, select the TLS settings.

● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected, Receiver connects using TLS encryption. If a connection using TLS fails, Receiver connects using SSL.

● Set SSL ciphersuite to Detect version to have Receiver negotiate a suitable ciphersuite from the Government and Commercial ciphersuites. You can restrict the ciphersuites to either Government or Commercial.

● Set CRL verification to Require CRLs for connection, which requires Receiver to try to retrieve Certificate Revocation Lists (CRLs) from the relevant certificate issuers.


To use the Group Policy template on Web Interface to meet FIPS 140 security requirements

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

To meet FIPS 140 security requirements, use the Group Policy template to configure the parameters or include the parameters in the Default.ica file on the server running the Web Interface. See the information about Web Interface for additional information about the Default.ica file.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 3 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification.

7. From the Action menu, choose Properties, select Enabled, and from the drop-down menus, select the correct settings.

● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected, Receiver tries to connect using TLS encryption. If a connection using TLS fails, Receiver tries to connect using SSL.

● Set SSL ciphersuite to Government.

● Set CRL verification to Require CRLs for connection.


To configure the Web Interface to use SSL/TLS when communicating with Citrix Receiver

When using the Web Interface, specify the computer name of the server hosting the SSL certificate. See the information about Web Interface for more details about using SSL/TLS to secure communications between Receiver and the Web server.

1. From the Configuration settings menu, select Server Settings.

2. Select Use SSL/TLS for communications between clients and the Web server.

3. Save your changes.

Selecting SSL/TLS changes all URLs to use HTTPS protocol.


To configure Citrix XenApp to use SSL/TLS when communicating with Citrix Receiver

You can configure the XenApp server to use SSL/TLS to secure the communications between Receiver and the server.

1. From the Citrix management console for the XenApp server, open the Properties dialog box for the application you want to secure.

2. Select Advanced > Client options and ensure that you select Enable SSL and TLS protocols.

3. Repeat these steps for each application you want to secure.

When using the Web Interface, specify the computer name of the server hosting the SSL certificate. See the information about Web Interface for more details about using SSL/TLS to secure communications between Receiver and the Web server.


To configure Citrix Receiver to use SSL/TLS when communicating with the server running the Web Interface

You can configure Receiver to use SSL/TLS to secure the communications between Receiver and the server running the Web Interface.

Ensure that a valid root certificate is installed on the user device. For more information, see Installing Root Certificates on the User Devices.

1. In the Windows notification area, right-click the Receiver icon and choose Preferences.

2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.

3. The Change Server screen displays the currently configured URL. Enter the server URL in the text box in the format https://servername to encrypt the configuration data using SSL/TLS.

4. Click Update to apply the change.

5. Enable SSL/TLS in the client device browser. For more information about enabling SSL/TLS in the browser, see the online Help for the browser.


ICA File Signing - Protection Against Application or Desktop Launches From Untrusted Servers

The ICA File Signing feature helps protect users from unauthorized application or desktop launches. Citrix Receiver verifies that a trusted source generated the application or desktop launch based on administrative policy and protects against launches from untrusted servers. You can configure this Receiver security policy for application or desktop launch signature verification using Group Policy Objects, Receiver Storefront, or Citrix Merchandising Server. ICA file signing is not enabled by default. For information about enabling ICA file signing for Receiver Storefront, refer to the Receiver Storefront documentation.

For Web Interface deployments, the Web Interface enables and configures application or desktop launches to include a signature during the launch process using the Citrix ICA File Signing Service. The service can sign ICA files using a certificate from the computer's personal certificate store.

The Citrix Merchandising Server with Receiver enables and configures launch signature verification using the Citrix Merchandising Server Administrator Console > Deliveries wizard to add trusted certificate thumbprints.

To use Group Policy Objects to enable and configure application or desktop launch signature verification, follow this procedure:

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the ica-file-signing.adm template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select ica-file-signing.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Enable ICA File Signing. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. If you choose Enabled, you can add signing certificate thumbprints to the white list of trusted certificate thumbprints or remove signing certificate thumbprints from the white list by clicking Show and using the Show Contents screen. You can copy and paste the signing certificate thumbprints from the signing certificate properties. Use the Policy drop-down menu to select Only allow signed launches (more secure) or Prompt user on unsigned launches (less secure).

Option: Description

Only allow signed launches (more secure): Allows only properly signed application or desktop launches from a trusted server. The user sees a Security Warning message in Receiver if an application or desktop launch has an invalid signature. The user cannot continue and the unauthorized launch is blocked.

Prompt user on unsigned launches (less secure): Prompts the user every time an unsigned or invalidly signed application or desktop attempts to launch. The user can either continue the application launch or abort the launch (default).


Selecting and Distributing a Digital Signature Certificate

When selecting a digital signature certificate, Citrix recommends you choose from this prioritized list:

1. Buy a code-signing certificate or SSL signing certificate from a public Certificate Authority (CA).

2. If your enterprise has a private CA, create a code-signing certificate or SSL signing certificate using the private CA.

3. Use an existing SSL certificate, such as the Web Interface or Self-service Plug-in server certificate.

4. Create a new root CA certificate and distribute it to user devices using GPO or manual installation.


Configuring a Web Browser and ICA File to Enable Single Sign-on and Manage Secure Connections to Trusted Servers

To use Single sign-on (SSO) and to manage secure connections to trusted servers, add the Citrix server's site address to the Local intranet or Trusted sites zones in Internet Explorer under Tools > Internet Options > Security on the user device. The address can include the wildcard (*) formats supported by the Internet Security Manager (ISM) or be as specific as protocol://URL[:port].

The same format must be used in both the ICA file and the sites entries. For example, if you use a fully qualified domain name (FQDN) in the ICA file, you must use an FQDN in the sites zone entry. XenDesktop connections use only a desktop group name format.

Supported Formats (Including Wildcards)

http[s]://10.2.3.4

http[s]://10.2.3.*

http[s]://hostname

http[s]://fqdn.example.com

http[s]://*.example.com

http[s]://cname.*.example.com

http[s]://*.example.co.uk

desktop://group-20name

ica[s]://xaserver1

ica[s]://xaserver1.example.com

Launching SSO or Using Secure Connections with a web site

Add the exact address of the Receiver for Web or the Web Interface site in the sites zone.

Example Web Site Addresses

https://my.company.com


http://10.20.30.40

http://server-hostname:8080

https://SSL-relay:444

XenDesktop Connections with Desktop Viewer

Add the address in the form desktop://Desktop Group Name. If the desktop group name contains spaces, replace each space with -20.

Custom ICA Entry Formats

Use one of the following formats in the ICA file for the Citrix server site address. Use the same format to add it to the Local intranet or Trusted sites zones in Internet Explorer under Tools > Internet Options > Security on the user device:

Example of ICA File HttpBrowserAddress Entry

HttpBrowserAddress=XMLBroker.XenappServer.example.com:8080

Examples of ICA File XenApp Server Address Entry

If the ICA file contains only the XenApp server Address field, use one of the following entry formats:

icas://10.20.30.40:1494

icas://my.xenapp-server.company.com

ica://10.20.30.40
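Because the ICA file and the sites zone must use the same address format, a mismatch is worth catching before deployment. The following Python script is an added example, not Citrix or Microsoft code: it builds the desktop:// entry for a desktop group name and checks whether an ICA file address is covered by a list of zone entries, reporting a format or port mismatch when it is not. The matching rules (same scheme, shell-style wildcard on the host, a zone entry without a port matching any port) and the sample entries are assumptions for illustration.

```python
import re
from fnmatch import fnmatchcase

_ADDR = re.compile(r"^(?P<scheme>[A-Za-z]+)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?/?$")
_IPV4 = re.compile(r"^(?:\d{1,3}|\*)(?:\.(?:\d{1,3}|\*)){3}$")


def desktop_group_entry(group_name):
    """Zone entry for a XenDesktop group: each space becomes -20."""
    return "desktop://" + group_name.replace(" ", "-20")


def split_address(address):
    """Return (scheme, host, port-or-None), lower-casing scheme and host."""
    m = _ADDR.match(address.strip())
    if not m:
        raise ValueError(f"not in scheme://host[:port] form: {address!r}")
    return m.group("scheme").lower(), m.group("host").lower(), m.group("port")


def host_form(host):
    """Classify the host part as 'ip', 'fqdn' or 'hostname'."""
    if _IPV4.match(host):
        return "ip"
    return "fqdn" if "." in host else "hostname"


def check_address(ica_address, zone_entries):
    """Return (status, detail) for one ICA file address.

    status is 'covered', 'port-mismatch', 'format-mismatch' or 'not-listed'.
    """
    scheme, host, port = split_address(ica_address)
    port_clash, other_forms = None, set()
    for entry in zone_entries:
        e_scheme, e_host, e_port = split_address(entry)
        if e_scheme != scheme:
            continue
        if fnmatchcase(host, e_host):
            # Assumption: an entry without a port covers every port.
            if e_port is None or e_port == port:
                return ("covered", entry)
            port_clash = entry
        elif host_form(e_host) != host_form(host):
            # Same scheme is listed, but as an IP where the ICA file uses a
            # name (or the reverse): the formats do not line up.
            other_forms.add(host_form(e_host))
    if port_clash:
        return ("port-mismatch", port_clash)
    if other_forms:
        return ("format-mismatch", ", ".join(sorted(other_forms)))
    return ("not-listed", None)


# Constructed zone entries, written in the formats listed on this page.
ZONE_ENTRIES = [
    "https://*.example.com",
    "icas://10.20.30.*",
    "https://SSL-relay:444",
    desktop_group_entry("Sales Desktops"),
]

if __name__ == "__main__":
    for addr in ("https://fqdn.example.com", "icas://10.20.30.40:1494",
                 "icas://my.xenapp-server.company.com", "https://SSL-relay:443",
                 "desktop://Sales-20Desktops", "ica://10.20.30.40"):
        print(addr, "->", check_address(addr, ZONE_ENTRIES))
```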


To set client resource permissions

You can set client resource permissions using trusted and restricted site regions by:

● Adding the Receiver for Web or the Web Interface site to the Trusted Site list

● Making changes to new registry settings

Note: Due to enhancements to Receiver, the .ini procedure available in earlier versions of the plug-in/Receiver is replaced with these procedures.

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

To add the web site to the trusted site list

1. From the Internet Explorer Tools menu, choose Internet Options > Security.

2. Select the Trusted sites icon and click the Sites button.

3. In the Add this website to the zone text field, type the URL to your Receiver for Web or Web Interface site and click Add.

4. Download the registry settings from http://support.citrix.com/article/CTX124871.html and make any registry changes. Use SsonRegUpx86.reg for Win32 user devices and SsonRegUpx64.reg for Win64 user devices.

5. Log off and then log on to the user device.


To change client resource permissions in the registry

1. Download the registry settings from http://support.citrix.com/article/CTX124871.html and import the settings on each user device. Use SsonRegUpx86.reg for Win32 user devices and SsonRegUpx64.reg for Win64 user devices.

2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust and in the appropriate regions, change the default value to the required access values for any of the following resources:

Resource key Resource description

FileSecurityPermission Client drives

MicrophoneAndWebcamSecurityPermission Microphones and webcams

PdaSecurityPermission PDA devices

ScannerAndDigitalCameraSecurityPermission USB and other devices

Value Description

0 No Access

1 Read-only access

2 Full access

3 Prompt user for access
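To review what a user device actually grants, the resource keys and access values above can be read back from a registry export. The following Python script is an added example, not Citrix code: it scans exported .reg text for the four resource keys under Client Selective Trust, decodes each default value, and lists entries that grant Full access or hold a value outside 0 to 3. The region key names ExampleRegionA and ExampleRegionB and all sample values are constructed placeholders, and the default value is assumed to be stored either as a string or as a DWORD.

```python
import re

BASE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust"

# Resource keys and access values as listed on this page.
RESOURCES = {
    "FileSecurityPermission": "Client drives",
    "MicrophoneAndWebcamSecurityPermission": "Microphones and webcams",
    "PdaSecurityPermission": "PDA devices",
    "ScannerAndDigitalCameraSecurityPermission": "USB and other devices",
}
ACCESS = {0: "No Access", 1: "Read-only access", 2: "Full access",
          3: "Prompt user for access"}

# Constructed export. Region names are placeholders, not real Citrix key names.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust\ExampleRegionA\FileSecurityPermission]
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust\ExampleRegionA\MicrophoneAndWebcamSecurityPermission]
@="3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust\ExampleRegionB\FileSecurityPermission]
@=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust\ExampleRegionB\PdaSecurityPermission]
@="7"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine]
@="2"
"""

_DEFAULT = re.compile(r'^@=(?:"(?P<s>[^"]*)"|dword:(?P<d>[0-9a-fA-F]{8}))$')


def parse_default(line):
    """Decode a default-value line (@="2" or @=dword:00000002)."""
    m = _DEFAULT.match(line.strip())
    if not m:
        return None
    if m.group("d") is not None:
        return int(m.group("d"), 16)
    text = m.group("s").strip()
    return int(text) if text.isdigit() else text


def read_permissions(reg_text):
    """Return one dict per resource key found under Client Selective Trust."""
    rows, key = [], None
    prefix = (BASE_KEY + "\\").lower()
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not line.startswith("@="):
            continue
        if not key.lower().startswith(prefix):
            continue  # default value of an unrelated key
        region, _, resource = key[len(prefix):].rpartition("\\")
        if resource not in RESOURCES:
            continue
        value = parse_default(line)
        rows.append({
            "region": region or "(no region)",
            "resource": resource,
            "device": RESOURCES[resource],
            "value": value,
            "meaning": ACCESS.get(value, "unrecognised value"),
        })
    return rows


def needs_review(rows):
    """Entries that grant Full access without a prompt, or are not 0-3."""
    return [r for r in rows if r["value"] == 2 or r["value"] not in ACCESS]


if __name__ == "__main__":
    for row in needs_review(read_permissions(SAMPLE_REG)):
        print(f'{row["region"]}: {row["device"]} = {row["value"]} ({row["meaning"]})')
```

Files exported by Registry Editor in the Version 5.00 format are UTF-16 encoded, so open them with encoding="utf-16" before passing the text to read_permissions.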


Enabling Smart Card Logon

You must use Receiver (Enterprise) for smart card support.

Enabling smart card logon allows users to use smart cards instead of passwords to authenticate to XenApp servers. You can use smart card logon either with or without pass-through authentication.

You must enable smart card support on the server and set up and configure the user device properly with third-party smart card hardware and software. Refer to the documentation that came with your smart card equipment for instructions about deploying smart cards within your network.

The smart card removal policy set on XenApp determines what happens if you remove the smart card from the reader during an ICA session. The smart card removal policy is configured through and handled by the Windows operating system.

● Kerberos pass-through authentication requires a smart card inserted in the smart card reader at logon time only. With this logon mode selected, the plug-in prompts the user for a smart card PIN (Personal Identification Number) when it starts up. Kerberos pass-through authentication then caches the PIN and passes it to the server every time the user requests a published resource. The user does not have to subsequently reenter a PIN to access published resources or have the smart card continuously inserted. If authentication based on the cached PIN fails or if a published resource itself requires user authentication, the user continues to be prompted for a PIN.

● Disabling pass-through authentication requires a smart card to be present in the smart card reader whenever the user accesses a server. With pass-through disabled, the plug-in prompts the user for a smart card PIN when it starts up and every time the user requests a published resource.


Enforcing Trust Relations

Trusted server configuration is designed to identify and enforce trust relations involved in Receiver connections. This trust relationship increases the confidence of Receiver administrators and users in the integrity of data on user devices and prevents the malicious use of Receiver connections.

When this feature is enabled, Receivers can specify the requirements for trust and determine whether or not they trust a connection to the server. For example, a Receiver connecting to a certain address (such as https://*.citrix.com) with a specific connection type (such as SSL) is directed to a trusted zone on the server.

When trusted server configuration is enabled, XenApp servers or the Access Gateway must reside in a Windows Trusted Sites zone. (For step-by-step instructions about adding servers to the Windows Trusted Sites zone, see the Internet Explorer online help.)

If you connect using SSL, add the server name in the format https://CN, where CN is the Common Name shown on the SSL certificate. Otherwise, use the format that Receiver uses to connect; for example if Receiver connects using an IP address, add the server’s IP address.

To enable trusted server configuration

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. Expand the Administrative Templates folder under the User Configuration node.

7. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network Routing > Configure trusted server configuration. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

8. From the Action menu, choose Properties and select Enabled.


Elevation Level and wfcrun32.exe

When User Access Control (UAC) is enabled on devices running Windows Vista or Windows 7, only processes at the same elevation/integrity level as wfcrun32.exe can launch published applications.

Example 1:

When wfcrun32.exe is running as a normal user (un-elevated), other processes such as Receiver must be running as a normal user to launch applications through wfcrun32.

Example 2:

When wfcrun32.exe is running in elevated mode, other processes such as Connection Center, Receiver, and third party applications using the ICA Client Object that are running in non-elevated mode cannot communicate with wfcrun32.exe.


Receiver for Windows 3.1

Quick Links

● About this Release

● Using the Receiver with XenDesktop Connections

● System Requirements and Compatibility for Receiver for Windows 3.1

● Optimizing the Receiver Environment

● Licensing Your Product

● Improving the Receiver User Experience

● Overview of Citrix Receiver for Windows Installation Packages

● Securing Your Connections

● To configure and install the Citrix Receiver for Windows using command-line parameters

● Securing Citrix Receiver Communication


About Citrix Receiver for Windows 3.1

What's New in the Citrix Receiver Standard Package

Citrix Receiver (CitrixReceiver.exe) has been enhanced for on-demand access to Windows, Web, and Software as a Service (SaaS) applications. You can now configure it for use with Citrix CloudGateway.

● CloudGateway Express Interoperability - Enables existing XenApp and XenDesktop customers to deliver all their Windows apps and desktops to any device using a unified StoreFront with self-service.

● CloudGateway Enterprise Interoperability - Enables enterprises to aggregate, control, and deliver all of their Windows, web and SaaS apps to any user on any device.

● Flexible installation methods - You can install CitrixReceiver.exe from Receiver for Web and Web Interface with or without administrator rights or you can use electronic software distribution (ESD) tools like Active Directory Group Policy Objects (GPO) or SCCM. Administrator rights are required to install CitrixReceiver.exe if it will use pass-through authentication. (Receiver for Web sites do not support domain pass-through authentication.)

● Self-service - Citrix Receiver displays all the resources that you make available to users. Users can browse the list or search for the resources they require and subscribe with a single click. Enabled using one-click configuration and CloudGateway.

● One-click configuration - Opening a configuration file after installing Citrix Receiver activates self-service access to CloudGateway-published resources. You can publish the configuration file on a web site or email it to multiple users.

● Secure, remote access through Access Gateway - Integration with Access Gateway provides users with secure access to all enterprise applications, virtual desktops, and data.

● Domain pass-through authentication - Users already logged on to their domain account do not need to authenticate to access applications.

Enable this functionality using a command line switch.

● Auto-provisioned applications - Receiver automatically adds administrator-designated applications when users first authenticate. Requires CloudGateway StoreFront.

● CloudGateway internal URL redirection - When a URL is redirected, Receiver checks a keyword to determine if the URL requires an Access Gateway VPN connection for access. If the VPN client is installed, it starts the VPN client and opens the page.

● Receiver for all devices - User experience is consistent across Receiver platforms and devices.

● Follow-me subscriptions - Users' selected applications follow them across devices. Requires CloudGateway StoreFront.


● Work space control improvements - Active sessions follow users as they roam from one device to another. Previously, the Self-Service Plug-in disabled workspace control.

● Multiple account support - Users can access applications and desktops from multiple data centers using different security provisions.

● Expanded browser support - Chrome versions 10.0 and later are supported. Pre-installation of Firefox is no longer required.

Citrix Receiver supports Web Interface for legacy deployments.

What's New in the Citrix Receiver Enterprise Package

The Citrix Receiver Enterprise package does not contain any new features. With the upgrade in features in the standard Receiver, the Receiver Enterprise package is required only to support applications that use Smart Card authentication.

Known Issues

This section contains:

● General issues

● Known issues - Desktop connections

● Third-party issues

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

General Issues

● When configured with multiple stores, Receiver might confuse the gateways required to connect to a store causing incorrect apps being available to users. Work around: Configure only one store. [#0263165]

● If you use the Receiver with XenApp 5.0 Feature Pack 2 for Windows Server 2003 (32- or 64-bit editions), the Receiver plays audio even when you configure the Turn off speakers policy setting to disable the audio. [#242703]

● You might receive an error message when trying to launch an application with Web Interface after installing a previous version of the Receiver (Online plug-in) while logged in as one user, upgrading with CitrixReceiver.exe as another user, logging off the Receiver, and logging back on with the previous user name. The error message is: Citrix online plug-in Configuration Manager: No value could be found for (ClientHostedApps) that satisfies all lock down requirements. The lockdown requirements in force may be conflicting. [#261877]

As a workaround, set the following registry key:

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Control

Name: ClientHostedApps

Value: FALSE (or set to * / TRUE if you have overridden the defaults in HKEY_LOCAL_MACHINE)

● If you use Web Interface with Internet Explorer 8 and Windows 7 to upgrade to this version of Citrix Receiver, the upgrade finishes, but the Upgrade in Progress message remains on the screen and the log on screen does not appear. Workaround: Restart the browser. [#247858]

● When you launch applications using the Web Interface, Connection Center does not enumerate the sessions. [#261177]

● After you launch a published application that is filtered by XenApp for Access Gateway, other published applications do not launch. [#263003]

● In some environments, content redirection may not work until the published application is launched for the first time. [#0252515]

● When versions of Receiver are localized in Traditional Chinese, Korean, or Russian and integrated with Access Gateway Standard Edition, the Receiver log on screen displays in English because of an Access Gateway Standard Edition language limitation. [#0263442]

● When the offline plug-in is not installed and a streamed application is configured to fallback to ICA and the XenApp server is down, an incorrect error message appears informing you that the correct plug-in is not installed. [#0273813]

● If Certificate Revocation List (CRL) checking is disabled in Internet Options on the user device, this overrides the CertificateRevocationCheck registry setting for Receiver for Windows. This means users may be able to access Web sites that do not have valid certificates. As a workaround, ensure that the Check server revocation option located at Settings > Control Panel > Internet Options > Advanced is enabled. [#0032682]

● Receiver does not support the VPN keyword in Access Gateway ClientChoices mode. [#0274828]
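The revocation-checking issue above [#0032682] depends on a per-user Internet Options setting, so it can be audited on each user device. The following PowerShell function is an added example, not part of the Citrix documentation; the function name is made up here, and it assumes the check box is stored as the CertificateRevocation DWORD value under each user's Internet Settings key (1 = checked).

```powershell
# Added example (not Citrix code): report, for every user profile currently
# loaded on this device, whether the Internet Options revocation check box
# is enabled.
# Assumption: the check box is stored as the DWORD value CertificateRevocation
# under ...\CurrentVersion\Internet Settings (1 = enabled, 0 = disabled).
function Get-RevocationCheckState {
    [CmdletBinding()]
    param()

    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Loaded profiles appear under HKEY_USERS as S-1-5-21-...; the anchored
    # pattern skips the matching *_Classes hives and the built-in service SIDs.
    # Run elevated to see profiles other than your own.
    $sids = @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object { $_.PSChildName })

    foreach ($sid in $sids) {
        # Resolve the SID to DOMAIN\user; fall back to the SID if that fails.
        try {
            $sidObject = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        $path  = "Registry::HKEY_USERS\$sid\$subKey"
        $props = Get-ItemProperty -Path $path -Name 'CertificateRevocation' -ErrorAction SilentlyContinue

        if ($null -eq $props) {
            $state = 'NotSet'        # value absent: the browser default applies
            $value = $null
        } else {
            $value = $props.CertificateRevocation
            if ($value -eq 1) { $state = 'Enabled' } else { $state = 'Disabled' }
        }

        [pscustomobject]@{
            Account = $account
            Sid     = $sid
            State   = $state
            Value   = $value
        }
    }
}

# Show only the profiles that need attention.
Get-RevocationCheckState | Where-Object { $_.State -ne 'Enabled' } | Format-Table -AutoSize
```

Only profiles whose registry hive is loaded (users who are logged on) are visible to this check.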

Desktop Connections

● Loss of video is experienced if files are being played with a published version of Windows Media Player through a virtual desktop session, and the Desktop Viewer window is changed from full-screen to window mode. As a workaround, minimize and restore the Media Player window, and then pause and resume the application (or stop and restart it). [#246230]

● You cannot log off gracefully from Windows XP 32-bit virtual desktops if you start (but do not log on to) the Receiver in the desktop session. If the Receiver logon dialog box is not completed, you cannot log off from the desktop. To work around the issue, complete the logon dialog box or close it. This issue is not observed on other virtual desktop operating systems. [#246516]

● If virtual desktops are installed with the Virtual Desktop Agent supplied with XenDesktop 5.0, Receiver for Windows 3.0 displays an error if the user starts a published application from the desktop. The workaround is to use the Virtual Desktop Agent supplied with XenDesktop 5.5. [#263079]

● The Citrix Desktop Lock does not redirect Adobe Flash content to domain-joined user devices. The content can be viewed but is rendered on the server, not locally. As a workaround, Adobe Flash redirection can be configured for server-side content fetching to pass the content from the server to the user device. This issue does not occur on non-domain-joined devices or when the content is viewed with the Desktop Viewer. [#263092]

● The Desktop Viewer Devices menu may not close when the user clicks the Devices icon. It also may remain open after its corresponding dialog box closes. If this occurs, click the Devices icon again. [#262202]

● Windows Media Player, when displayed in the non-primary monitor of a two-monitor Windows user device, may not work as expected. Due to an issue with the DirectX video mixing renderer filter VMR-9, the screen is black and there is no sound, although the player's progress bar advances. To correct this issue, edit the registry on the user device from which the XenDesktop connection is launched. In the HKEY_CURRENT_USER\Software\Citrix subkey, create the HdxMediaStream key. Name the key DisableVMRSupport. Set the type as REG_DWORD. Give the key the value 3. [#262852]

Third-Party Issues

When using Internet Explorer to open a Microsoft Office document in Edit mode from SharePoint, Microsoft Office might display the message, “Access denied.” Workaround: Go to the SharePoint site and check out the document, edit it, and check the file back in to SharePoint. [#258725]

System Requirements and Compatibility for the Citrix Receiver for Windows

● Supported Windows Operating Systems:

● Windows 7, 32-bit and 64-bit editions (including Embedded Edition)

● Windows XP Professional, 32-bit and 64-bit editions

● Windows XP Embedded

● Windows Vista, 32-bit and 64-bit editions

● Windows Thin PC

● Windows Server 2008 R1, 32-bit and 64-bit editions (not supported by XenDesktop connections)

● Windows Server 2008 R2, 64-bit edition (not supported by XenDesktop connections)

● Windows Server 2003, 32-bit and 64-bit editions (not supported by XenDesktop connections)

Important: For XenDesktop connections, be aware that the Citrix Desktop Lock is only supported on Windows XP Professional, Windows XP Embedded, Windows 7, and Windows Embedded Standard 7. If your deployment includes smart cards, and Windows 7 or Windows Embedded Standard 7, see the additional requirements in this topic.

● Server support:

● XenApp (any of the following products):

● Citrix XenApp 6.5 for Windows Server 2008 R2

● Citrix XenApp 6 for Windows Server 2008 R2

● Citrix XenApp 5 for Windows Server 2008

● Citrix XenApp 5 for Windows Server 2003

● XenDesktop (any of the following products):

● XenDesktop 5.5

● XenDesktop 5

● XenDesktop 4

● To manage connections to apps and desktops, Citrix Receiver supports CloudGateway or Web Interface:

● CloudGateway Express, with Receiver StoreFront 1.0 and, for optional access to resources from a web page, Receiver for Web 1.0

● CloudGateway Enterprise 1.0, for apps hosted on a network, on an Infrastructure as a Service (IaaS) platform, or configured as Software as a Service (SaaS)

● Web Interface 5.x for Windows with a XenApp Services and XenDesktop Web site

● Merchandising Server 2.x

● Connectivity

Citrix Receiver supports HTTPS and ICA-over-SSL connections through any one of the following configurations.

● For LAN connections:

● Receiver StoreFront 1.0, using StoreFront services or Receiver for Web sites

● Web Interface 5.x for Windows, using XenApp Services and XenDesktop Web sites (Program Neighborhood Agent sites are also supported for legacy installations)

● For secure remote or local connections:

● Citrix Access Gateway VPX

● Citrix Access Gateway 5.0

● Citrix Access Gateway Enterprise Edition 9.x

● Citrix Secure Gateway 3.x

You can use Access Gateway with Receiver StoreFront or Web Interface. You can use Secure Gateway only with Web Interface.

● Authentication

Receiver for Windows 3.1, when used with Receiver StoreFront 1.0, supports the following authentication methods:

● Domain

● Domain pass-through**

● Security token

● Two-factor (domain plus security token)*

Receiver for Windows 3.1, when used with Web Interface 5.X, supports the following authentication methods:

● Domain

● Security token

● Two-factor (domain plus security token)*

● SMS*

● Smart card (with or without Access Gateway)

* These authentication methods are available only in deployments that include Access Gateway.

** Receiver for Web sites do not support domain pass-through authentication.

For more information about authentication, including certificate requirements, refer to the "Manage" topics in the Receiver StoreFront documentation.

If your site requires Smart Card authentication for connections to applications, use Receiver (Enterprise) with Web Interface. For information about other authentication methods supported by Web Interface, refer to "Configuring Authentication for the Web Interface" in the Web Interface documentation.

● Certificates

For information about security certificates, refer to topics under Secure Connections and Secure Communications.

● Upgrades. Upgrades are supported only for Citrix XenApp Plugin for Hosted Apps 11.0, Desktop Receiver 11.1, and Citrix online plug-in 11.1, 11.2, 12.0, and 12.1, and Receiver for Windows 3.0 releases.

● Availability of the Receiver for Windows 3.1 features. Some of the features and functionality of Receiver are available only when connecting to newer XenApp and XenDesktop versions and might require the latest hotfixes for XenApp, XenDesktop, and Secure Gateway.

● Previous versions of the Presentation Server Client/Online Plug-in and the current icaclient.adm file. Previous versions of the Presentation Server Client and Online Plug-in are not compatible with the Receiver for Windows 3.1 icaclient.adm file.

● Supported Browsers:

● Internet Explorer Version 6.0 through 9.0

● Mozilla Firefox Version 1.x through 5.x

● Google Chrome Version 10.0 and later

● .NET Framework Requirements (XenDesktop Connections Only)

To use the Desktop Viewer, .NET 2.0 Service Pack 1 or later is required. This version is required because, if Internet access is not available, certificate revocation checks slow down connection startup times. The checks can be turned off and startup times improved with this version of the Framework but not with .NET 2.0. Use of the Citrix Desktop Lock does not require the .NET Framework to be installed.

● Hardware Requirements:

● VGA or SVGA video adapter with color monitor

● Windows-compatible sound card for sound support (optional)

● For network connections to the server farm, a network interface card (NIC) and the appropriate network transport software

● Supported Connection Methods and Network Transports:

● TCP/IP+HTTP

● SSL/TLS+HTTPS

● HDX MediaStream Multimedia Acceleration

Applications and media formats supported by HDX MediaStream Multimedia Acceleration are:

● Applications based on Microsoft’s DirectShow, DirectX Media Objects (DMO), and Media Foundation filter technologies such as Windows Media Player and RealPlayer.

● Applications like Internet Explorer and Microsoft Encarta are also supported, as they leverage Windows Media Player.

● Both file-based and streaming (URL-based) media formats: WAV, all variations of MPEG, unprotected Windows Media Video (WMV), and Windows Media Audio (WMA).

Note: HDX MediaStream Multimedia Acceleration does not support media files protected with Digital Rights Management (DRM).

● Smart Cards and the Citrix Desktop Lock

The Citrix Desktop Lock can be used with smart cards connected to domain-joined user devices running Windows XP or Windows XPe but not Windows 7 or Windows Embedded Standard 7. This limitation does not apply to non-domain-joined user devices.

Citrix Receiver for Windows Overview

Citrix Receiver for Windows (Citrix Receiver) delivers apps, desktops, and IT services to Windows PCs. Citrix Receiver supports Citrix CloudGateway:

● CloudGateway Express enables XenApp and XenDesktop customers to deliver Windows apps and desktops by using a unified StoreFront with self-service.

● CloudGateway Enterprise enables enterprises to aggregate, control, and deliver all of their Windows, web and SaaS apps.

Receiver also supports Citrix Web Interface for legacy deployments.

Receiver handles the following functions:

● User authentication. Receiver provides user credentials to CloudGateway or Web Interface when users try to connect and every time they launch published resources.

● Application and content enumeration. Receiver presents users with their individual set of published resources.

● Application launching. Receiver is the local engine used to launch published applications.

● Desktop integration. Receiver integrates a user’s set of published resources (including virtual desktops) with the user’s physical desktop.

● User preferences. Receiver validates and implements local user preferences.

Two Citrix Receiver packages are available.

● Citrix Receiver (standard, CitrixReceiver.exe) supports Citrix CloudGateway and, for legacy deployments, Web Interface. Standard Receiver features include:

● Receiver Experience, enabling users to seamlessly transition between devices and connection types

● Web plug-in

● Authentication Manager

● Single sign-on/pass-through authentication

● Self-service

● Generic USB (XenDesktop)

● Desktop Viewer (XenDesktop)

● HDX Media Stream for Flash

● Aero desktop experience (for operating systems that support it)

● Citrix Receiver (enterprise, CitrixReceiverEnterprise.exe) is required only for applications that use Smart Card authentication. It supports Web Interface only and includes the same features as the standard package except for Authentication Manager and self-service.

Using the Citrix CloudGateway

CitrixReceiver.exe enables access to StoreFront published resources and virtual desktops from anywhere. Configure a provisioning file to provide native self-service access or configure a Receiver for Web site to provide web browser access to StoreFront-published resources and virtual desktops.

Using with XenApp

Both Receiver packages support the XenApp feature set. Centrally administer and configure the Receiver in the Receiver StoreFront management console (or, if using Web Interface, in the Web Interface Management Console using a Receiver site created in association with a site for the server running the Web Interface).

You can use both Receiver packages with the Citrix offline plug-in to provide application streaming to the user desktop. For more information about the streamed application feature, see the Application Streaming documentation in eDocs.

The Desktop Viewer is not supported with XenApp connections.

Using with XenDesktop

Receiver includes the Desktop Viewer, the client-side software that supports XenDesktop. Users running the Desktop Viewer on their devices access virtual desktops created with XenDesktop in addition to their local desktop. Users running the Citrix Desktop Lock (which you install in addition to the Desktop Viewer) interact only with the virtual desktop, not the local desktop.

Citrix Connection Center Overview

The Citrix Connection Center displays all connections established from the Receiver.

The ICA Connections window displays a list of active sessions. Each server entry in the list represents a session. For each seamless session, below each server entry, a list of the published resources you are running on that server appears.

After you launch a published resource, you can access the Connection Center by right-clicking the Receiver icon in your Windows notification area and choosing Online Sessions > Connection Center. You can also access the Connection Center from the Preferences > Plug-in Status screen.

The Connection Center offers various options to view statistics and control sessions and applications:

● Disconnect a session from a server but leave the session running on it

● End a server session

● Switch from seamless mode to full screen mode

● Seamless mode. Published applications and desktops are not contained within a session window. Each published application and desktop appears in its own resizable window, as if it is physically installed on your user device. You can switch between published applications and the local desktop.

● Full screen mode. Published applications are placed in a full screen-sized desktop.

● Show connection status details like frames sent and received

● Terminate an individual published application

● Set access permissions

Providing Virtual Desktops to Receiver Users

This topic applies to XenDesktop deployments only.

Different enterprises have different corporate needs, and your requirements for the way users access virtual desktops may vary from user to user, and as your corporate needs evolve. The user experience of connecting to virtual desktops and the extent of user involvement in configuring the connections depend on how you set up the Citrix Receiver for Windows. You have two options for providing users with access to virtual desktops: using the Desktop Viewer or the Citrix Desktop Lock.

Important: Do not attempt to use the Desktop Viewer or the Desktop Lock to connect to desktops published with XenApp.

Desktop Viewer

Use the Desktop Viewer when users need to interact with their local desktop as well as the virtual one. In this access scenario, the Desktop Viewer toolbar functionality allows the user to open a virtual desktop in a window and pan and scale that desktop inside their local desktop. Users can set preferences and work with more than one desktop using multiple XenDesktop connections on the same user device.

Citrix Desktop Lock

Use the Desktop Lock when users do not need to interact with the local desktop. In this access scenario, the Desktop Viewer is not available and the virtual desktop effectively replaces the local one, allowing the user to interact with the virtual desktop as if it is local. This provides the best user experience in a XenDesktop environment.

To decide which option best suits your deployment, consider how you want users to access and interact with virtual desktops.

To understand the user experience of connecting to desktops created with XenDesktop, consult the planning topics in the XenDesktop documentation.

Overview of Citrix Receiver for Windows Installation Packages

This release contains two installation packages and offers several options for installing the Citrix Receiver for Windows. You can install the two Receiver installer packages with almost no user interaction.

● CitrixReceiver.exe - This Receiver (standard) does not require administrator rights to install unless it will use pass-through authentication. It can be installed:

● Automatically from Receiver for Web or from Web Interface

● By the user

● Using an Electronic Software Distribution (ESD) tool

● CitrixReceiverEnterprise.exe - This Receiver (Enterprise) requires administrator rights to install. Although the user can install Receiver (Enterprise), it is usually installed with an ESD tool. Uninstall other Receiver versions before installing Receiver (Enterprise).

Important: Upgrades are supported only from Citrix online plug-in 11.2 and 12.x. Remove any earlier versions before installing this version.

Considerations When Upgrading

Because there are two Citrix Receiver installation packages and there were two online plug-in packages (web and full) in previous releases, each having different options, you have to consider the previously installed package when planning your upgrade. Use this table to determine how to proceed with your upgrade.

| Currently installed | Upgrade Package | Result |
|---|---|---|
| No Online plug-in installed | CitrixReceiverEnterprise.exe | Citrix Receiver (Enterprise) - web access - but manually configurable for PNA |
| No Online plug-in installed | CitrixReceiver.exe | Citrix Receiver (standard) - web access |
| Online plug-in full configured for PNA or SSO | CitrixReceiverEnterprise.exe | Citrix Receiver (Enterprise) configured for PNA or SSO |
| Online plug-in web | CitrixReceiver.exe | Citrix Receiver (standard) - web access |
| Online plug-in web | CitrixReceiverEnterprise.exe | Citrix Receiver (Enterprise) - web access - but manually configurable for PNA |

The CitrixReceiver.exe upgrade package cannot be used to upgrade the online plug-in full configured for PNA or Citrix Receiver (Enterprise). In both cases, the installer displays an error message and does not alter the previously installed client.

How Installation Outcomes Differ Based on the Operating System, User Type, and Installation Package

The outcome of CitrixReceiver.exe or CitrixReceiverEnterprise.exe package installations differs based on the combination of the operating system on the user device, user type, whether User Account Control (UAC) is enabled or disabled on Windows Vista, Windows 7, and Windows 2008 computers, and which installation package is used.

| Operating system and user type | CitrixReceiver.exe | CitrixReceiverEnterprise.exe |
|---|---|---|
| OS: Windows XP, and Windows Server 2003. User: Administrator | Installation type: per-computer | Installation type: per-computer |
| OS: Windows XP, and Windows Server 2003. User: Standard user | Installation type: per-user | Not supported |
| OS: Windows Vista, Windows 7, and Windows Server 2008. User: Administrator with or without UAC disabled | Installation type: per-computer | Installation type: per-computer |
| OS: Windows Vista, Windows 7, and Windows Server 2008. User: Standard user | Installation type: per-user | Not supported |

Installing and Uninstalling Receiver for Windows Manually

Users can install the Receiver from Receiver for Web, the Web Interface, the installation media, a network share, Windows Explorer, or a command line by running the CitrixReceiverEnterprise.exe or CitrixReceiver.exe installer package. Because the installer packages are self-extracting installations that extract to the user's temp directory before launching the setup program, ensure that there is enough free space available in the %temp% directory.

When the user runs one of the Receiver installation .exe files, a message box immediately appears displaying the progress of the installation.

When you cancel the installation before completion, some components might be installed. In that case, remove the Receiver with the Add/Remove Programs utility from the Control Panel on Windows XP or Windows Server 2003 (Programs and Features utility from the Control Panel on Windows Vista, Windows 7, and Windows Server 2008).

Upgrades are supported only from the Citrix XenApp Plugin for Hosted Apps 11.0, Desktop Receiver 11.1, and Citrix online plug-in 11.1, 11.2, and 12.x. Remove any earlier versions before installing this current version.

For command line installation parameters, see To configure and install the Citrix Receiver for Windows using command-line parameters.

If company policies prohibit you from using an .exe file, refer to How to Manually Extract, Install, and Remove Individual .msi Files from ReceiverEnterprise.exe.

Removing the Receiver

You can also use the Citrix Receiver Updater to install and uninstall Receiver. If Citrix Receiver Updater was not used to install the Receiver, you can uninstall Receiver by running the Add/Remove Programs utility from the Control Panel on Windows XP or Windows Server 2003 (Programs and Features utility from the Control Panel on Windows Vista, Windows 7, and Windows Server 2008).

If you delete Receiver-related files or registry entries just before uninstalling Receiver with Add/Remove Programs or Programs and Features, uninstall might fail. The Microsoft Windows Installer (MSI) is trying to repair and uninstall at the same time. If this occurs, use the Receiver to start an auto-repair. After the auto-repair completes, you can cleanly uninstall Receiver from Add/Remove Programs or Programs and Features.

Auto-repair occurs if there is a problem with Receiver; however, there is no Add/Remove Programs or Programs and Features Repair option.

To remove Receiver using the command line

You can also uninstall Receiver from a command line by typing the appropriate command.

CitrixReceiverEnterprise.exe /uninstall

or

CitrixReceiver.exe /uninstall

Caution: Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.

After uninstalling the Receiver software from a user device, the custom Receiver-setting registry keys created by icaclient.adm remain in the Software\Policies\Citrix\ICA Client directory under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. If you reinstall Receiver, these policies might be enforced, possibly causing unexpected behavior. If you want to remove these customizations, delete them manually.
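Because leftover policy values are enforced again when Receiver is reinstalled, it helps to list them before deciding what to delete. The following PowerShell is an added example, not Citrix code; the function names are made up here, and it reads the Software\Policies\Citrix\ICA Client path named above in the machine hive and in the current user's hive (HKEY_CURRENT_USER).

```powershell
# Added example (not Citrix code): find Receiver policy values left behind
# by an uninstall, and remove them only after exporting a backup.

function Get-ReceiverPolicyResidue {
    [CmdletBinding()]
    param(
        # Policy path from the text above, relative to the hive root.
        [string]$SubKey = 'Software\Policies\Citrix\ICA Client'
    )
    foreach ($hive in 'HKLM', 'HKCU') {
        $root = "${hive}:\$SubKey"
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # The policy key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Name  = if ($name) { $name } else { '(Default)' }
                    Type  = $key.GetValueKind($name)
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

function Remove-ReceiverPolicyResidue {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$BackupDirectory,
        [string]$SubKey = 'Software\Policies\Citrix\ICA Client'
    )
    foreach ($hive in 'HKLM', 'HKCU') {
        $psPath = "${hive}:\$SubKey"
        if (-not (Test-Path -LiteralPath $psPath)) { continue }

        if ($PSCmdlet.ShouldProcess("$hive\$SubKey", 'Back up and delete')) {
            # Back up first, as the caution above advises; stop if the export fails.
            $backup = Join-Path $BackupDirectory "ReceiverPolicy-$hive.reg"
            & reg.exe export "$hive\$SubKey" $backup /y | Out-Null
            if ($LASTEXITCODE -ne 0) {
                throw "Backup of $hive\$SubKey failed; nothing was deleted."
            }
            # Deleting under HKLM requires an elevated session.
            Remove-Item -LiteralPath $psPath -Recurse -Force
        }
    }
}

# Review what is left before a reinstall.
Get-ReceiverPolicyResidue | Format-Table -AutoSize -Wrap
```

Run `Remove-ReceiverPolicyResidue -BackupDirectory <folder> -WhatIf` first to see which keys would be deleted; HKCU covers only the user running the script.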

Upgrading the Desktop Viewer and Desktop Appliance Lock

You can upgrade the Desktop Viewer component contained in Citrix online plug-in 12.1 by installing this version of the Citrix Receiver for Windows.

To upgrade the Desktop Appliance Lock, remove Citrix online plug-in 12.1 and the Desktop Appliance Lock, and then install this version of the Receiver and the Citrix Desktop Lock.

To install the Citrix Desktop Lock

Important: Log on using a local administrator account to carry out this installation procedure. In addition, consult About Citrix Receiver for Windows 3.1 for workarounds to any known issues with the Desktop Lock.

This procedure installs the plug-in so that virtual desktops are displayed using the Citrix Desktop Lock. Do not use this procedure if you want the Desktop Viewer to be available to users.

1. On the installation media, navigate to the folder called Citrix Receiver and Plug-ins\Windows\Receiver, and run CitrixReceiverEnterprise.exe from the command line using the following syntax:

CitrixReceiverEnterprise.exe ADDLOCAL="ICA_Client,SSON,USB,DesktopViewer,Flash,PN_Agent,Vd3d" SERVER_LOCATION="my.server" ENABLE_SSON="Yes"

For information about the properties used in this command, see To configure and install the Citrix Receiver for Windows using command-line parameters.

2. Enter the URL of the XenDesktop Services site where your virtual desktops are located. The URL must be in the format http://servername or https://servername. If you are using hardware or software for load balancing or failover, you can enter a load-balanced address.

Important: Check that the URL you enter is correct. If the URL is incorrectly typed, or you leave the field empty and the user does not enter a valid URL when prompted after installation, no virtual desktop or local desktop will be available.

3. On the XenDesktop installation media, navigate to the Citrix Receiver and Plug-ins\Windows\Receiver folder and double-click CitrixDesktopLock.msi. The Citrix Desktop Lock wizard appears.

4. On the License Agreement page, read and accept the Citrix license agreement and click Install. The Installation Progress page appears.

5. In the Installation Completed dialog box, click Close.

6. When prompted, restart the user device. If you have been granted access to a desktop and you log on as a domain user, the restarted device is displayed using the Desktop Lock.
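A command line like the one in step 1 can be checked before deployment against the package restrictions and credential options that the command-line parameters topic documents. The following PowerShell is an added example, not Citrix code; the function names and the sample command line are made up here, and it checks only package restrictions and credential-related options, not component prerequisites.

```powershell
# Added example (not Citrix code): lint a Receiver installer command line.
function New-Finding([string]$Severity, [string]$Message) {
    [pscustomobject]@{ Severity = $Severity; Message = $Message }
}

function Test-ReceiverInstallCommand {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    # Component names as documented for ADDLOCAL (case sensitive).
    $known = 'ReceiverInside', 'ICA_Client', 'SSON', 'AM', 'SELFSERVICE', 'USB',
             'DesktopViewer', 'Flash', 'PN_Agent', 'Vd3d'

    # Split on whitespace but keep quoted values such as ADDLOCAL="a,b" whole.
    $tokens = @([regex]::Matches($CommandLine, '(?:[^\s"]+|"[^"]*")+') |
        ForEach-Object { $_.Value })
    if ($tokens.Count -eq 0) { New-Finding 'Error' 'Empty command line.'; return }

    $exe = [System.IO.Path]::GetFileName($tokens[0].Trim('"'))
    $isEnterprise = $exe -ieq 'CitrixReceiverEnterprise.exe'
    if (-not $isEnterprise -and $exe -ine 'CitrixReceiver.exe') {
        New-Finding 'Error' "Unknown installer '$exe'."; return
    }

    $switches = @(); $props = @{}
    foreach ($t in ($tokens | Select-Object -Skip 1)) {
        if ($t.StartsWith('/')) { $switches += $t }
        elseif ($t -match '^([^=]+)=(.*)$') { $props[$Matches[1]] = $Matches[2].Trim('"') }
        else { New-Finding 'Error' "Unrecognised token '$t'." }
    }
    $wantsSson = $switches -contains '/includeSSON'

    $components = @()
    if ($props.ContainsKey('ADDLOCAL')) {
        if ($props['ADDLOCAL'] -match '\s') {
            New-Finding 'Error' 'ADDLOCAL: separate components with commas and without spaces.'
        }
        $components = @($props['ADDLOCAL'] -split ',' | ForEach-Object { $_.Trim() } |
            Where-Object { $_ })
        foreach ($c in $components) {
            if ($known -ccontains $c) { continue }
            $proper = $known | Where-Object { $_ -ieq $c }
            if ($proper) { New-Finding 'Error' "ADDLOCAL: write '$c' as '$proper' (names are case sensitive)." }
            else { New-Finding 'Error' "ADDLOCAL: unknown component '$c'." }
        }
        if ($isEnterprise) {
            foreach ($c in 'AM', 'SELFSERVICE') {
                if ($components -ccontains $c) { New-Finding 'Error' "$c is supported only with CitrixReceiver.exe." }
            }
        } elseif ($components -ccontains 'PN_Agent') {
            New-Finding 'Error' 'PN_Agent is supported only with CitrixReceiverEnterprise.exe.'
        }
        if (($components -ccontains 'SELFSERVICE') -and -not ($components -ccontains 'AM')) {
            New-Finding 'Error' 'SELFSERVICE requires AM on the command line (and .NET 3.5 Service Pack 1).'
        }
        if ($wantsSson -and -not ($components -ccontains 'SSON')) {
            New-Finding 'Error' '/includeSSON with ADDLOCAL also needs the SSON value.'
        }
    }

    if ($isEnterprise -and $wantsSson) {
        New-Finding 'Error' '/includeSSON is not supported for CitrixReceiverEnterprise.exe.'
    }
    foreach ($p in 'ALLOWADDSTORE', 'ALLOWSAVEPWD') {
        if (-not $props.ContainsKey($p)) { continue }
        if ($isEnterprise) { New-Finding 'Error' "$p is supported only with CitrixReceiver.exe." }
        if (@('N', 'S', 'A') -notcontains $props[$p]) { New-Finding 'Error' "$p must be N, S or A." }
    }
    if ($props['ALLOWSAVEPWD'] -eq 'A') {
        New-Finding 'Warning' 'ALLOWSAVEPWD=A lets users save credentials for all stores; S limits saving to stores reached over HTTPS and N prevents it.'
    }
    if ($props.ContainsKey('DEFAULT_NDSCONTEXT') -and -not $isEnterprise) {
        New-Finding 'Error' 'DEFAULT_NDSCONTEXT is supported only with CitrixReceiverEnterprise.exe.'
    }
    if (($props['ENABLE_KERBEROS'] -eq 'Yes') -and ($props['ENABLE_SSON'] -eq 'No')) {
        New-Finding 'Warning' 'ENABLE_KERBEROS applies only when pass-through authentication (SSON) is enabled.'
    }
    if ($wantsSson -or ($components -ccontains 'SSON') -or ($props['ENABLE_SSON'] -eq 'Yes')) {
        New-Finding 'Info' 'Single sign on is requested: run the installer with administrator rights.'
    }
}

# Constructed command line for illustration.
Test-ReceiverInstallCommand 'CitrixReceiverEnterprise.exe /silent ADDLOCAL="ICA_Client,sson,AM" ALLOWSAVEPWD=A' |
    Format-Table -AutoSize -Wrap
```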

User Accounts Used to Install the Citrix Desktop Lock

When you install the Citrix Desktop Lock, a replacement shell is used. To allow administration of the user device after you complete the installation, the account used to install CitrixDesktopLock.msi is excluded from the shell replacement. If the account used to install CitrixDesktopLock.msi is later deleted, you will not be able to log on and administer the device.

Note that because a replacement shell is used, Citrix does not recommend the use of custom shells with desktops accessed through the Desktop Lock.

To remove the Citrix Desktop Lock

If you installed the Citrix Desktop Lock, two separate items are displayed in Add/Remove Programs. You must remove both to complete the removal process.

1. Log on with the same local administrator credentials that were used to install the Desktop Lock.

2. Run the Add/Remove Programs utility from the Control Panel.

3. Remove Citrix Desktop Lock.

4. Remove Citrix Receiver or Citrix Receiver (Enterprise).

To configure and install the Citrix Receiver for Windows using command-line parameters

You or your users can customize the Receiver installer by specifying command line options. Because the installer packages are self-extracting installations that extract to the user's temp directory before launching the setup program, ensure that there is enough free space available in the %temp% directory.

Space Requirements

Receiver (standard) - 78.8 Mbytes

Receiver (Enterprise) - 93.6 Mbytes

This includes program files, user data, and temp directories after launching several applications.

1. On the computer where you want to install the Receiver for Windows package, type the following at a command prompt:

CitrixReceiver.exe [Options]

or

CitrixReceiverEnterprise.exe [Options]

2. Set your options as needed.

● /? or /help displays usage information.

● /noreboot suppresses reboot during UI installations. This option is not necessary during silent installs.

● /silent disables the error and progress dialogs to execute a completely silent installation.

● /includeSSON enables single sign on for Receiver (standard, CitrixReceiver.exe). This option is not supported for Receiver (enterprise, CitrixReceiverEnterprise.exe), which installs single sign on by default. If you are using ADDLOCAL= to specify features and you want to install single sign on, you must also specify the SSON value. Requires administrator rights.

● PROPERTY=Value

Where PROPERTY is one of the following all-uppercase variables (keys) and Value is the value the user should specify.

● INSTALLDIR=Installation directory, where Installation directory is the location where the Receiver software is installed. The default value is C:\Program Files\Citrix\ICA Client. If you use this option and specify an Installation directory, you must install the RIInstaller.msi in the Installation directory\Receiver directory and the other .msi files in the Installation directory.

● CLIENT_NAME=ClientName, where ClientName is the name used to identify the user device to the server farm. The default value is %COMPUTERNAME%.

● ENABLE_DYNAMIC_CLIENT_NAME={Yes | No} The dynamic client name feature allows the client name to be the same as the computer name. When users change their computer name, the client name changes to match. To enable dynamic client name support during silent installation, the value of the property ENABLE_DYNAMIC_CLIENT_NAME in your installation file must be Yes. To disable dynamic client name support, set this property to No.

● ADDLOCAL=feature[,...] Install one or more of the specified components. When specifying multiple parameters, separate each parameter with a comma and without spaces. The names are case sensitive. If you do not specify this parameter, all components included in the CitrixReceiverEnterprise.exe or CitrixReceiver.exe are installed by default.

Note: ReceiverInside and ICA_Client are prerequisites for all other components and must be installed.

ReceiverInside – Installs the Receiver experience. (Required)

ICA_Client – Installs the standard Receiver. (Required)

SSON – Installs single sign on. Requires administrator rights.

AM – Installs the Authentication Manager. This value is supported only with CitrixReceiver.exe.

SELFSERVICE – Installs the Self-Service Plug-in. This value is supported only with CitrixReceiver.exe. The AM value must be specified on the command line and .NET 3.5 Service Pack 1 must be installed.

USB – Installs USB.

DesktopViewer – Installs the Desktop Viewer.

Flash – Installs HDX media stream for flash.

PN_Agent – Installs Receiver (Enterprise). This value is supported only with CitrixReceiverEnterprise.exe.

Vd3d – Enables the Windows Aero experience (for operating systems that support it).

● ALLOWADDSTORE={N | S | A} – The default depends on the following situations:

N if Merchandising Server is used or stores are specified on the installation command line.

S if Receiver is installed per machine.

A if Receiver is installed per user.

Specifies whether or not users can add and remove stores not configured through Merchandising Server deliveries. (Users can enable or disable stores configured through Merchandising Server deliveries, but they cannot remove these stores or change the names or the URLs.) This option is supported only with CitrixReceiver.exe.

● ALLOWSAVEPWD={N | S | A} – The default is the value specified from the PNAgent server at run time. Specifies whether or not users can save credentials for stores locally on their computers and applies only to stores using the PNAgent protocol. Setting this argument to N prevents users from saving their credentials. If the argument is set to S, users can only save credentials for stores accessed through HTTPS connections. Using the value A allows users to save credentials for all their stores. This option is supported only with CitrixReceiver.exe.

● ENABLE_SSON={Yes | No} – The default value is Yes. Note that users must log off and log back onto their devices after an installation with pass-through authentication enabled. Requires administrator rights.

Important: If you disable single sign on pass-through authentication, users must reinstall Receiver if you decide to use pass-through authentication at a later time.

● ENABLE_KERBEROS={Yes | No} – The default value is No. Specifies that Kerberos should be used; applies only when pass-through authentication (SSON) is enabled.

● DEFAULT_NDSCONTEXT=Context1 [,…] – Include this parameter to set a default context for Novell Directory Services (NDS). To include more than one context, place the entire value in quotation marks and separate the contexts by a comma. This option is supported only with CitrixReceiverEnterprise.exe. Examples of correct parameters:

DEFAULT_NDSCONTEXT="Context1"

DEFAULT_NDSCONTEXT="Context1,Context2"

● LEGACYFTAICONS={False | True} – The default value is False. Specifies whether or not application icons are displayed for documents that have file type associations with subscribed applications. When the argument is set to false, Windows generates icons for documents that do not have a specific icon assigned to them. The icons generated by Windows consist of a generic document icon overlaid with a smaller version of the application icon. Citrix recommends enabling this option if you plan on delivering Microsoft Office applications to users running Windows 7. This option is supported only with CitrixReceiver.exe.

● SERVER_LOCATION=Server_URL – The default value is blank. Provide the URL of the server running the Web Interface. The URL must be in the format http://servername or https://servername.

The Receiver appends the default path and file name of the configuration file to the server URL. If you change the default location of the configuration file, enter the entire new path in the SERVER_LOCATION key. This option is supported only with CitrixReceiverEnterprise.exe.

● STARTMENUDIR=Text string – The default is to put applications under Start > All Programs. Specifies the name of the default folder added to users' Start menus to hold the shortcuts to their subscribed applications. Users can change the folder name and/or move the folder at any time. This option is supported only with CitrixReceiver.exe.

● STOREx="storename;http[s]://servername.domain/IISLocation/resources/v1;[On | Off];[storedescription]"[ STOREy="..."] – Specifies up to 10 stores to use with Receiver. Values:

● x and y – Integers 0 through 9.

● storename – Defaults to store. This must match the name configured on the StoreFront server.

● servername.domain – The fully qualified domain name of the server hosting the store.

● IISLocation – the path to the store within IIS. The store URL must match the URL in StoreFront provisioning files. The store URLs are of the form "/Citrix/MyStore/resources/v1" (for StoreFront 1.0). To obtain the URL, export a provisioning file from StoreFront, open it in notepad and copy the URL from the <Address> element.

● On | Off – The optional Off configuration setting enables you to deliver disabled stores, giving users the choice of whether or not they access them. When the store status is not specified, the default setting is On.

● storedescription – An optional description of the store, such as Apps on XenApp.

If there is a problem with the installation, search in the user's %TEMP% directory for the logs with the prefix CtxInstall- or TrollyExpress- . For example:

CtxInstall-ICAWebWrapper.log

TrollyExpress-20090807-123456.log

Examples of a Command-Line Installation

CitrixReceiver.exe /includeSSON STORE0="AppStore;https://testserver.net/Citrix/MyStore/resources/v1;on;Apps on XenApp" STORE1="BackUpAppStore;https://testserver.net/Citrix/MyBackupStore/resources/v1;on;BackupStore Apps on XenApp"

This example:

● Installs Receiver (standard).

● Installs single sign on.

● Specifies two application stores.

CitrixReceiverEnterprise.exe /silent ADDLOCAL="ReceiverInside,ICA_Client,PN_Agent" ENABLE_SSON=no INSTALLDIR="c:\test" ENABLE_DYNAMIC_CLIENT_NAME=Yes DEFAULT_NDSCONTEXT="Context1,Context2" SERVER_LOCATION="http://testserver.net" CLIENT_NAME="Modified"

This example:

● Installs Receiver (Enterprise) without visible progress dialog boxes.

● Installs only Receiver Inside, the standard Receiver (ICA_Client), and enterprise Receiver (PN_Agent).

● Disables pass-through authentication.

● Specifies the location where the software is installed.

● Enables dynamic client naming.

● Specifies the default context for NDS.

● Specifies the URL (http://testserver.net) of the server running the Web Interface, which Receiver will reference.

● Specifies the name used to identify the user device to the server farm.
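
The option rules above can be checked before a command line goes into a deployment script. The following PowerShell is an added example, not part of the Citrix documentation or scripts; the function name and finding texts are hypothetical, and the third sample line is constructed.

```powershell
# Added example, not Citrix code. Function name and finding texts are hypothetical;
# every rule checked here is one stated in the option list above.
function Test-ReceiverInstallArgs {
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $installer = ($CommandLine.Trim() -split '\s+', 2)[0]
    $isEnterprise = $installer -ieq 'CitrixReceiverEnterprise.exe'

    # Collect NAME=value and NAME="quoted value" pairs; quoted values may contain spaces.
    $props = @{}
    foreach ($m in [regex]::Matches($CommandLine, '(\w+)=(?:"([^"]*)"|(\S*))')) {
        $value = if ($m.Groups[2].Success) { $m.Groups[2].Value } else { $m.Groups[3].Value }
        $props[$m.Groups[1].Value] = $value
    }

    # Options documented as supported by only one of the two installers.
    $standardOnly   = 'ALLOWADDSTORE', 'ALLOWSAVEPWD', 'LEGACYFTAICONS', 'STARTMENUDIR'
    $enterpriseOnly = 'DEFAULT_NDSCONTEXT', 'SERVER_LOCATION'
    $unsupported = if ($isEnterprise) { $standardOnly } else { $enterpriseOnly }
    foreach ($name in $unsupported) {
        if ($props.ContainsKey($name)) { $findings.Add("$name is not supported with $installer.") }
    }

    if ($props.ContainsKey('ADDLOCAL')) {
        $raw = $props['ADDLOCAL']
        if ($raw -match '\s') { $findings.Add('ADDLOCAL: separate components with commas and no spaces.') }
        $features = @($raw -split ',' | ForEach-Object { $_.Trim() })
        foreach ($required in 'ReceiverInside', 'ICA_Client') {
            # Component names are case sensitive, so compare with the case-sensitive operators.
            if ($features -cnotcontains $required) {
                $findings.Add("ADDLOCAL: required component $required is missing.")
            }
        }
        if (($features -ccontains 'SELFSERVICE') -and ($features -cnotcontains 'AM')) {
            $findings.Add('ADDLOCAL: SELFSERVICE requires the AM component.')
        }
        $wrongFeatures = if ($isEnterprise) { 'AM', 'SELFSERVICE' } else { @('PN_Agent') }
        foreach ($f in $wrongFeatures) {
            if ($features -ccontains $f) { $findings.Add("ADDLOCAL: $f is not supported with $installer.") }
        }
    }

    if ($props['ALLOWSAVEPWD'] -eq 'A') {
        $findings.Add('ALLOWSAVEPWD=A: credentials can be saved for all stores; S limits saving to HTTPS stores, N prevents it.')
    }
    if ($props['SERVER_LOCATION'] -like 'http://*') {
        $findings.Add('SERVER_LOCATION uses http://; https:// encrypts the configuration data using SSL.')
    }

    foreach ($name in @($props.Keys)) {
        $m = [regex]::Match($name, '^STORE(\d+)$')
        if (-not $m.Success) { continue }
        if ([int]$m.Groups[1].Value -gt 9) { $findings.Add("${name}: store index must be 0 through 9.") }
        $parts = @($props[$name] -split ';')
        $url = if ($parts.Count -ge 2) { $parts[1] } else { '' }
        if ($url -notmatch '^https?://[^/]+/.+/resources/v1$') {
            $findings.Add("${name}: URL '$url' does not match http[s]://servername.domain/IISLocation/resources/v1.")
        }
        elseif ($url -like 'http://*') { $findings.Add("${name}: store URL uses http:// rather than https://.") }
        if ($parts.Count -ge 3 -and $parts[2] -and $parts[2] -notmatch '^(On|Off)$') {
            $findings.Add("${name}: status must be On or Off.")
        }
    }
    return $findings.ToArray()
}

# The two command lines from the examples above, plus one constructed line with several problems.
$samples = @(
    'CitrixReceiver.exe /includeSSON STORE0="AppStore;https://testserver.net/Citrix/MyStore/resources/v1;on;Apps on XenApp" STORE1="BackUpAppStore;https://testserver.net/Citrix/MyBackupStore/resources/v1;on;BackupStore Apps on XenApp"',
    'CitrixReceiverEnterprise.exe /silent ADDLOCAL="ReceiverInside,ICA_Client,PN_Agent" ENABLE_SSON=no INSTALLDIR="c:\test" ENABLE_DYNAMIC_CLIENT_NAME=Yes DEFAULT_NDSCONTEXT="Context1,Context2" SERVER_LOCATION="http://testserver.net" CLIENT_NAME="Modified"',
    'CitrixReceiver.exe /silent ADDLOCAL="ICA_Client,SELFSERVICE" ALLOWSAVEPWD=A STORE12="store;http://testserver.net/Citrix/MyStore/resources/v1;on"'
)
foreach ($line in $samples) {
    $result = @(Test-ReceiverInstallArgs -CommandLine $line)
    if ($result.Count -eq 0) { "OK    $line" } else { $result | ForEach-Object { "CHECK $_" } }
}
```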

Delivering Receiver Using Active Directory and Sample Startup Scripts

You can use Active Directory Group Policy scripts to pre-deploy Receiver on systems based on your Active Directory organizational structure. Citrix recommends using the scripts rather than extracting the .msi files because the scripts allow for a single point for installation, upgrade, and uninstall, they consolidate the Citrix entries in Programs and Features, and make it easier to detect the version of Receiver that is deployed. Use the Scripts setting in the Group Policy Management Console (GPMC) under Computer Configuration or User Configuration. Microsoft documents the advantages and disadvantages of using scripts at Microsoft Technet - Use Group Policy to assign computer startup scripts.

Citrix includes sample per-computer startup scripts to install and uninstall CitrixReceiver.exe and CitrixReceiverEnterprise.exe. The scripts are located on the XenApp media in the Citrix Receiver and Plug-ins\Windows\Receiver\Startup_Logon_Scripts folder.

● CheckAndDeployReceiverEnterpriseStartupScript.bat

● CheckAndDeployReceiverPerMachineStartupScript.bat

● CheckAndRemoveReceiverEnterpriseStartupScript.bat

● CheckAndRemoveReceiverPerMachineStartupScript.bat

When the scripts are executed during Startup or Shutdown of an Active Directory Group Policy, custom configuration files might be created in the Default User profile of a system. If not removed, these configuration files can prevent some users from accessing the Receiver logs directory. The Citrix sample scripts include functionality to properly remove these configuration files.

To use the startup scripts to deploy Receiver with Active Directory

1. Create the Organizational Unit (OU) for each script.

2. Create a Group Policy Object (GPO) for the newly created OU.

To modify the sample scripts

Modify the scripts by editing these parameters in the header section of each file:

● Current Version of package. The specified version number is validated and if it is not present, the deployment proceeds. For example, set DesiredVersion=3.0.0.XXXX to exactly match the version specified. If you specify a partial version, for example 3.0.0, it matches any version with that prefix (3.0.0.1111, 3.0.0.7777, and so forth).

● Package Location/Deployment directory. This specifies the network share containing the packages and is not authenticated by the script. The shared folder must have Read permission for EVERYONE.

● Script Logging Directory. This specifies the network share where the install logs are copied and is not authenticated by the script. The shared folder must have Read and Write permissions for EVERYONE.

● Package Installer Command Line Options. These command line options are passed to the installer. For the command line syntax, see To configure and install the Citrix Receiver for Windows using command-line parameters.

To add the per-computer startup scripts

1. Open the Group Policy Management Console.

2. Select Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).

3. In the right-hand pane of the Group Policy Management Console, select Startup.

4. In the Properties menu, click Show Files, copy the appropriate script to the folder displayed, and then close the window.

5. In the Properties menu, click Add and use Browse to find and add the newly created script.

To deploy Receiver per-computer

1. Move the user devices designated to receive this deployment to the OU you created.

2. Reboot the user device and log on as any user.

3. Verify that Program and Features (Add or Remove Programs in previous OS versions) contains the newly installed package.

To remove Receiver per-computer

1. Move the user devices designated for the removal to the OU you created.

2. Reboot the user device and log on as any user.

3. Verify that Program and Features (Add or Remove Programs in previous OS versions) removed the previously installed package.

Using the Per-User Sample Startup Scripts

Citrix recommends using per-computer startup scripts but does include two Citrix Receiver per-user scripts on the XenApp media in the Citrix Receiver and Plug-ins\Windows\Receiver\Startup_Logon_Scripts folder for situations where you require Receiver (standard) per-user deployments.

● CheckAndDeployReceiverPerUserLogonScript.bat

● CheckAndRemoveReceiverPerUserLogonScript.bat

To set up the per-user startup scripts

1. Open the Group Policy Management Console.

2. Select User Configuration > Policies > Windows Settings > Scripts.

3. In the right-hand pane of the Group Policy Management Console, select Logon.

4. In the Logon Properties menu, click Show Files, copy the appropriate script to the folder displayed, and then close the window.

5. In the Logon Properties menu, click Add and use Browse to find and add the newly created script.

To deploy Receiver per-user

1. Move the users designated to receive this deployment to the OU you created.

2. Reboot the user device and log on as the specified user.

3. Verify that Program and Features (Add or Remove Programs in previous OS versions) contains the newly installed package.

To remove Receiver per-user

1. Move the users designated for the removal to the OU you created.

2. Reboot the user device and log on as the specified user.

3. Verify that Program and Features (Add or Remove Programs in previous OS versions) removed the previously installed package.

Deploying CitrixReceiver.exe from Receiver for Web

You can deploy CitrixReceiver.exe from Receiver for Web to ensure that users have the Receiver installed before they try to connect to an application from a browser. For details, refer to the Receiver StoreFront documentation on Citrix eDocs.

Deploying the CitrixReceiver.exe from a Web Interface Logon Screen

You can deploy the CitrixReceiver.exe from a Web page to ensure that users have the Receiver installed before they try to use the Web Interface. Create a home page and run an Internet Explorer script to download the CitrixReceiver.exe package automatically from the Web server and install it for the user.

To install the Receiver software using CitrixReceiver.exe, the Windows Installer Service must be installed on the user device. This service is present by default on systems running Windows XP, Windows Vista, Windows 7, Windows Server 2003, or Windows Server 2008.

Add the sites from which the CitrixReceiver.exe file is downloaded to the Trusted Sites zone.

In the webinterface.conf file for your XenApp websites, edit the ClientIcaWin32= line to specify the CitrixReceiver.exe installation file and remove the comment character (#).

For more information, see the Web Interface documentation.

Configuring Citrix Receiver for Windows

You can configure Citrix Receiver operations for deployments that use Receiver StoreFront or a legacy PNA Services site.

From the Citrix management console for the XenApp server, configure the options and settings for Receiver using the associated Receiver site. Each time users log on to the Receiver, they see the most recent configuration. Changes made while users are connected take effect when the Receiver configuration is refreshed manually or automatically after a designated interval.

Using the Group Policy Object Template to Customize the Receiver

Citrix recommends using the Group Policy Object icaclient.adm template file to configure the Receiver options and settings.

You can use the icaclient.adm template file with domain policies and local computer policies. For domain policies, import the template file using the Group Policy Management Console. This is especially useful for applying Receiver settings to a number of different user devices throughout the enterprise. To affect a single user device, import the template file using the local Group Policy Editor on the device.

For details about Group Policy management, see the Microsoft Group Policy documentation.

To import the icaclient template using the Group Policy Management Console

To affect domain-based group policies, import the icaclient.adm file with the Group Policy Management Console.

1. As an administrator, open the Group Policy Management Console.

2. In the left pane, select a group policy and from the Action menu, choose Edit.

3. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

4. From the Action menu, choose Add/Remove Templates.

5. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

6. Select Open to add the template and then Close to return to the Group Policy Editor.

To import the icaclient template using the local Group Policy Editor

To affect the policies on a local computer, import the icaclient.adm file with the local Group Policy Editor.

1. As an administrator, open the Group Policy Editor by running gpedit.msc from the Start menu.

2. In the left pane, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

Configuring Access to Accounts Manually

When users launch Receiver for the first time, they have the option to set up a new account. To do this, they must enter information about the XenApp farm or XenDesktop site hosting the resources they want to access.

When a user enters the details for a new account, Receiver attempts to verify the connection. If successful, Receiver prompts the user to log on to the account.

To add a new account

1. Click the gear icon in the Receiver window and choose Edit Accounts.

2. Click Add.

3. Enter the information provided by your organization and click OK.

To remove an account

1. Click the gear icon in the Receiver window and choose Edit Accounts.

2. Select the account from the list and click Remove and Yes.

To edit the details of an account

1. Click the gear icon in the Receiver window and choose Edit Accounts.

2. Select the account that you want to edit from the list and double-click.

3. Edit the details in Name, the Description, and/or the URL fields, as required.

4. Click OK.

To customize user preferences for the Receiver (Enterprise)

Users can customize their preferences. For example, they can define window sizes for published applications, choose when to refresh the list of available published resources, and specify where the available published resources appear.

1. In the Windows notification area, right-click the Receiver icon and choose Preferences.

2. Right-click the Online Plug-in entry in the Plug-in Status and choose Options, select a property, and make the desired configuration changes.

If you configure seamless windows and set the task bar to Auto-hide, you cannot access the taskbar when you maximize published applications. To access the taskbar, resize the published application.

For more detailed information, see the online help for Receiver.

To change the server URL in the Receiver (Enterprise)

Receiver requires that you specify the location of a configuration file (Config.xml is the default configuration file) on the server running the Web Interface. You can ask your users to change the server URL as you create new configuration files or delete old ones.

Note: To prevent users from accidentally changing their server URL, disable the option.

1. In the Windows notification area, right-click the Receiver icon and choose Preferences.

2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.

3. Type or select the server URL in the format http://servername or, to encrypt the configuration data using SSL, https://servername.

Configuring USB Support for XenDesktop Connections

USB support enables users to interact with a wide range of USB devices when connected to a virtual desktop. Users can plug USB devices into their computers and the devices are remoted to their virtual desktop. USB devices available for remoting include flash drives, smartphones, PDAs, printers, scanners, MP3 players, security devices, and tablets. Desktop Viewer users can control whether USB devices are available on the virtual desktop using a preference in the toolbar.

Isochronous features in USB devices such as webcams, microphones, speakers, and headsets are supported in typical low latency/high speed LAN environments. This allows these devices to interact with packages such as Microsoft Office Communicator and Skype.

The following types of device are supported directly in a XenDesktop session, and so do not use USB support:

● Keyboards

● Mice

● Smart cards

Note: Specialist USB devices (for example, Bloomberg keyboards and 3D mice) can be configured to use USB support. For information on configuring Bloomberg keyboards, see Configuring Bloomberg Keyboards. For information on configuring policy rules for other specialist USB devices, see CTX119722.

By default, certain types of USB devices are not supported for remoting through XenDesktop. For example, a user may have a network interface card attached to the system board by internal USB. Remoting this would not be appropriate. The following types of USB device are not supported by default for use in a XenDesktop session:

● Bluetooth dongles

● Integrated network interface cards

● USB hubs

● USB graphics adaptors

USB devices connected to a hub can be remoted, but the hub itself cannot be remoted.

For instructions on modifying the range of USB devices that are available to users, see Updating the List of USB Devices Available for Remoting.

For instructions on automatically redirecting specific USB devices, see CTX123015.

How USB Support Works

When a user plugs in a USB device, it is checked against the USB policy, and, if allowed, remoted to the virtual desktop. If the device is denied by the default policy, it is available only to the local desktop.

The user experience depends upon the type of desktop to which users are connecting.

For desktops accessed through the Citrix Desktop Lock, when a user plugs in a USB device, that device is automatically remoted to the virtual desktop. No user interaction is required. The virtual desktop is responsible for controlling the USB device and displaying it in the user interface.

For desktops accessed through the Desktop Viewer, when a user plugs in a USB device, a dialog box appears asking the user if they want that device remoted to the virtual desktop. The user can decide which USB devices are remoted to the virtual desktop by selecting devices from the list each time they connect. Alternatively, the user can configure USB support so that all USB devices plugged in both before and/or during a session are automatically remoted to the virtual desktop that is in focus.

Mass Storage Devices

For mass storage devices only, in addition to USB support, remote access is available through client drive mapping, which you configure through the Citrix Mappings rule. When this rule is applied, the drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders with mapped drive letters. The Citrix Mappings rule is in the Drives subfolder of the Client Devices Resources folder in the Presentation Server Console.

The main differences between the two types of remoting policy are:

| Feature | Client Drive Mapping | USB Rule |
|---|---|---|
| Enabled by default | Yes | No |
| Read-only access configurable | Yes | No |
| Safe to remove device during a session | No | Yes, if the user clicks Safely Remove Hardware in the notification area |

If both USB support and the Citrix Mappings rule are enabled and a mass storage device is inserted before a session starts, it will be redirected using client drive mapping first, before being considered for redirection through USB support. If it is inserted after a session has started, it will be considered for redirection using USB support before client drive mapping.

USB Device Classes Allowed by Default

Different classes of USB device are allowed by the default USB policy rules.

Although they are on this list, some classes are only available for remoting in XenDesktop sessions after additional configuration. These are noted below.

● Audio (Class 01). Includes audio input devices (microphones), audio output devices, and MIDI controllers. Modern audio devices generally use isochronous transfers, which is supported by XenDesktop 4 or later.

Note: Some specialty devices (for example, VOIP phones) require additional configuration. For instructions on this, see CTX123015.

● Physical Interface Devices (Class 05). These devices are similar to Human Interface Devices (HIDs), but generally provide "real-time" input or feedback and include force feedback joysticks, motion platforms, and force feedback exoskeletons.

● Still Imaging (Class 06). Includes digital cameras and scanners. Digital cameras often support the still imaging class which uses the Picture Transfer Protocol (PTP) or Media Transfer Protocol (MTP) to transfer images to a computer or other peripheral. Cameras may also appear as mass storage devices and it may be possible to configure a camera to use either class, through setup menus provided by the camera itself.

Note that if a camera appears as a mass storage device, client drive mapping is used and USB support is not required.

● Printers (Class 07). In general most printers are included in this class, although some use vendor-specific protocols (class ff). Multi-function printers may have an internal hub or be composite devices. In both cases the printing element generally uses the Printers class and the scanning or fax element uses another class; for example, Still Imaging.

Printers normally work appropriately without USB support.

Note: This class of device (in particular printers with scanning functions) requires additional configuration. For instructions on this, see CTX123015.

● Mass Storage (Class 08). The most common mass storage devices are USB flash drives; others include USB-attached hard drives, CD/DVD drives, and SD/MMC card readers. There are a wide variety of devices with internal storage that also present a mass storage interface; these include media players, digital cameras, and mobile phones. Known subclasses include:

● 01 Limited flash devices

● 02 Typically CD/DVD devices (ATAPI/MMC-2)

● 03 Typically tape devices (QIC-157)

● 04 Typically floppy disk drives (UFI)

● 05 Typically floppy disk drives (SFF-8070i)

● 06 Most mass storage devices use this variant of SCSI

Mass storage devices can often be accessed through client drive mapping, and so USB support is not required.

Important: Some viruses are known to propagate actively using all types of mass storage. Carefully consider whether or not there is a business need to permit the use of mass storage devices, either through client drive mapping or USB support.

● Content Security (Class 0d). Content security devices enforce content protection, typically for licensing or digital rights management. This class includes dongles.

● Video (Class 0e). The video class covers devices that are used to manipulate video or video-related material, such as webcams, digital camcorders, analog video converters, some television tuners, and some digital cameras that support video streaming.

Note: Most video streaming devices use isochronous transfers, which is supported by XenDesktop 4 or later. Some video devices (for example webcams with motion detection) require additional configuration. For instructions on this, see CTX123015.

● Personal Healthcare (Class 0f). These devices include personal healthcare devices such as blood pressure sensors, heart rate monitors, pedometers, pill monitors, and spirometers.

● Application and Vendor Specific (Classes fe and ff). Many devices use vendor specific protocols or protocols not standardized by the USB consortium, and these usually appear as vendor-specific (class ff).

USB Device Classes Denied by Default

Different classes of USB device are denied by the default USB policy rules.

● Communications and CDC Control (Classes 02 and 0a). The default USB policy does not allow these devices, because one of them may be providing the connection to the virtual desktop itself.

● Human Interface Devices (Class 03). Includes a wide variety of both input and output devices. Typical Human Interface Devices (HIDs) are keyboards, mice, pointing devices, graphic tablets, sensors, game controllers, buttons, and control functions.

Subclass 01 is known as the "boot interface" class and is used for keyboards and mice.

The default USB policy does not allow USB keyboards (class 03, subclass 01, protocol 1), or USB mice (class 03, subclass 01, protocol 2). This is because most keyboards and mice are handled appropriately without USB support and it is normally necessary to use these devices locally as well as remotely when connecting to a virtual desktop.

● USB Hubs (Class 09). USB hubs allow extra devices to be connected to the local computer. It is not necessary to access these devices remotely.

● Smart Card (Class 0b). Smart card readers include contactless and contact smart card readers, and also USB tokens with an embedded smart card-equivalent chip.

Smart card readers are accessed using smart card remoting and do not require USB support.

● Wireless Controller (Class e0). Some of these devices may be providing critical network access, or connecting critical peripherals such as Bluetooth keyboards or mice.

The default USB policy does not allow these devices. However, there may be particular devices it is appropriate to provide access to using USB support.
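
To see which default applies to a given device, its USB class code can be matched against the two lists above. The following PowerShell is an added example, not Citrix code: the function name and sample IDs are constructed, it assumes PowerShell 3.0 or later and the Windows compatible ID form USB\Class_cc&SubClass_ss&Prot_pp, and it reflects only the defaults described on this page, not the DeviceRules value actually in effect on a device.

```powershell
# Added example, not Citrix code. Defaults are transcribed from the "allowed by default"
# and "denied by default" lists on this page; names below are hypothetical.
$UsbClassDefaults = @{}
@(
    '01|Allowed|Audio|Some specialty devices (for example, VOIP phones) require additional configuration.',
    '05|Allowed|Physical Interface Devices|',
    '06|Allowed|Still Imaging|If the camera appears as mass storage, client drive mapping is used.',
    '07|Allowed|Printers|Printers normally work without USB support.',
    '08|Allowed|Mass Storage|Often reachable through client drive mapping; confirm the business need.',
    '0d|Allowed|Content Security|',
    '0e|Allowed|Video|',
    '0f|Allowed|Personal Healthcare|',
    'fe,ff|Allowed|Application and Vendor Specific|',
    '02,0a|Denied|Communications and CDC Control|May provide the connection to the virtual desktop itself.',
    '03|Denied|Human Interface Devices|',
    '09|Denied|USB Hubs|Devices connected to a hub can still be remoted.',
    '0b|Denied|Smart Card|Accessed using smart card remoting.',
    'e0|Denied|Wireless Controller|May provide critical network access or peripherals.'
) | ForEach-Object {
    $codes, $disposition, $className, $note = $_ -split '\|'
    foreach ($code in ($codes -split ',')) {
        $UsbClassDefaults[$code] = [pscustomobject]@{ Default = $disposition; Name = $className; Note = $note }
    }
}

function Get-UsbDefaultDisposition {
    param([Parameter(Mandatory = $true)][string[]]$CompatibleId)

    $pattern = '^USB\\Class_([0-9a-f]{2})(?:&SubClass_([0-9a-f]{2}))?(?:&Prot_([0-9a-f]{2}))?$'
    foreach ($id in $CompatibleId) {
        $m = [regex]::Match($id, $pattern, 'IgnoreCase')
        if (-not $m.Success) {
            # For example USB\COMPOSITE: composite devices expose a class per interface.
            [pscustomobject]@{ Id = $id; Default = 'Unknown'; Name = 'Unparsed'
                               Note = 'Not a USB\Class_cc ID; classify each interface separately.' }
            continue
        }
        $class = $m.Groups[1].Value.ToLowerInvariant()
        $entry = $UsbClassDefaults[$class]
        if ($null -eq $entry) {
            [pscustomobject]@{ Id = $id; Default = 'Unknown'; Name = "Class $class"
                               Note = 'Class is not in either default list on this page.' }
            continue
        }
        $note = $entry.Note
        # Boot-interface keyboards and mice are the HID cases the page names explicitly.
        if ($class -eq '03' -and $m.Groups[2].Value -eq '01') {
            if ($m.Groups[3].Value -eq '01') { $note = 'USB keyboard; handled without USB support.' }
            elseif ($m.Groups[3].Value -eq '02') { $note = 'USB mouse; handled without USB support.' }
        }
        [pscustomobject]@{ Id = $id; Default = $entry.Default; Name = $entry.Name; Note = $note }
    }
}

# Constructed sample IDs in the form Windows uses for USB compatible IDs.
$sample = 'USB\Class_08&SubClass_06&Prot_50', 'USB\Class_03&SubClass_01&Prot_01',
          'USB\Class_0e', 'USB\Class_e0&SubClass_01&Prot_01', 'USB\COMPOSITE'
Get-UsbDefaultDisposition -CompatibleId $sample | Format-Table Id, Default, Name, Note -AutoSize
```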

Updating the List of USB Devices Available for Remoting

You can update the range of USB devices available for remoting to desktops by editing the file icaclient_usb.adm. This allows you to make changes to the Receiver using Group Policy. The file is located in the following installed folder:

<root drive>:\Program Files\Citrix\ICA Client\Configuration\en

Alternatively, you can edit the registry on each user device, adding the following registry key:

HKLM\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB Type=String Name="DeviceRules" Value=

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

The product default rules are stored in:

HKLM\SOFTWARE\Citrix\ICA Client\GenericUSB Type=MultiSz Name="DeviceRules" Value=

Do not edit the product default rules.

For details of the rules and their syntax, see http://support.citrix.com/article/ctx119722/.

Configuring Bloomberg Keyboards

Bloomberg keyboards are supported by XenDesktop sessions (but not other USB keyboards). The required components are installed automatically when the plug-in is installed, but you must enable this feature either during the installation or later by changing a registry key.

On any one user device, multiple sessions to Bloomberg keyboards are not recommended. The keyboard only operates correctly in single-session environments.

To turn Bloomberg keyboard support on or off

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

1. Locate the following key in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB

2. Do one of the following:

● To turn on this feature, for the entry with Type DWORD and Name EnableBloombergHID, set Value to 1.

● To turn off this feature, set the Value to 0.

Configuring User-Driven Desktop Restart

You can allow users to restart their desktops themselves. They may need to do this if a desktop fails to connect or becomes unresponsive.

This feature is disabled by default. You enable user-driven desktop restart for a desktop group in Desktop Studio. For information on this, see the XenDesktop documentation.

The procedures for restarting desktops differ depending on whether users are connecting to desktops through the Desktop Viewer or the Citrix Desktop Lock.

To prevent the Desktop Viewer window from dimming

If users have multiple Desktop Viewer windows, by default the desktops that are not active are dimmed. If users need to view multiple desktops simultaneously, this can make the information on them unreadable. You can disable the default behavior and prevent the Desktop Viewer window from dimming by editing the Registry.

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

1. On the user device, create a REG_DWORD entry called DisableDimming in one of the following keys, depending on whether you want to prevent dimming for the current user of the device or the device itself. An entry already exists if the Desktop Viewer has been used on the device:

● HKCU\Software\Citrix\XenDesktop\DesktopViewer

● HKLM\Software\Citrix\XenDesktop\DesktopViewer

Optionally, instead of controlling dimming with the above user or device settings, you can define a local policy by creating the same REG_DWORD entry in one of the following keys:

● HKCU\Software\Policies\Citrix\XenDesktop\DesktopViewer

● HKLM\Software\Policies\Citrix\XenDesktop\DesktopViewer

The use of these keys is optional because XenDesktop administrators, rather than plug-in administrators or users, typically control policy settings using Group Policy. So, before using these keys, check whether your XenDesktop administrator has set a policy for this feature.

2. Set the entry to any non-zero value such as 1 or true.

If no entries are specified or the entry is set to 0, the Desktop Viewer window is dimmed. If multiple entries are specified, the following precedence is used. The first entry that is located in this list, and its value, determine whether the window is dimmed:

1. HKCU\Software\Policies\Citrix\...

2. HKLM\Software\Policies\Citrix\...

3. HKCU\Software\Citrix\...

4. HKLM\Software\Citrix\...

To configure the Citrix Desktop Lock

This topic contains instructions for configuring USB preferences, drive mappings, and microphones for a virtual desktop accessed through the Citrix Desktop Lock. In addition, some general advice on configuring the Desktop Lock is also provided.

Typically, this is used in non-domain-joined environments such as on a thin client or desktop appliance. In this access scenario, the Desktop Viewer is unavailable, so only administrators (not users) can perform the configuration.

Two .adm files are provided that allow you to perform this task using policies:

● icaclient.adm. For information on obtaining this file, see To configure settings for multiple users and devices.

● icaclient_usb.adm. The file is located in the following installed folder: <rootdrive>:\Program Files\Citrix\ICA Client\Configuration\en.

This topic assumes you have loaded both files into Group Policy, where the policies appear in Computer Configuration or User Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components.

To configure USB preferences

As a prerequisite, you must turn on USB support in XenDesktop deployments by enabling the USB policy rule. For information on this, see the XenDesktop documentation.

In Citrix Receiver > Remoting client devices > Generic USB Remoting, enable and configure as desired the Existing USB Devices, New USB Devices, and USB Devices List In Desktop Viewer policies. You can use the Show All Devices policy to display all connected USB devices, including those using the Generic USB virtual channel (for example, webcams and memory sticks).

To configure drive mapping

In Citrix Receiver > Remoting client devices, enable and configure as desired the Client drive mapping policy.

To configure a microphone

In Citrix Receiver > Remoting client devices, enable and configure as desired the Client microphone policy.

General Advice On Configuring the Desktop Lock

Grant access to only one virtual desktop running the Desktop Lock per user.

Do not allow users to hibernate virtual desktops. Use Active Directory policies appropriately to prevent this.

To configure settings for multiple users and devices

In addition to the configuration options offered by the Receiver user interface, you can use the Group Policy Editor and the icaclient.adm template file to configure settings. Using the Group Policy Editor, you can:

● Extend the icaclient template to cover any Receiver setting by editing the icaclient.adm file. See the Microsoft Group Policy documentation for more information about editing .adm files and about applying settings to a particular computer.

● Make changes that apply only to either specific users or all users of a client device.

● Configure settings for multiple user devices

Citrix recommends using Group Policy to configure user devices remotely; however, you can use any method, including the Registry Editor, which updates the relevant registry entries.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. Under the User Configuration node or the Computer Configuration node, edit the relevant settings as required.

Canadian Keyboard Layouts and Updating from Presentation Server Clients Version 10.200

The Canadian keyboard layouts are aligned with those supported by Microsoft. If users install Receivers without uninstalling the Presentation Server Clients Version 10.200 first, they must manually edit the module.ini file (usually in C:\Program Files\Citrix\ICA Client) to upgrade the keyboard layout settings:

Replace:

Canadian English (Multilingual)=0x00001009

Canadian French=0x00000C0C

Canadian French (Multilingual)=0x00010C0C

With:

Canadian French=0x00001009

Canadian French (Legacy)=0x00000C0C

Canadian Multilingual Standard=0x00011009

Auto-Repair File Locations

Auto-repair occurs if there is a problem with Receiver; however, there is no Add/Remove Programs or Programs and Features Repair option. If the Receiver repair option prompts for the location of the .msi file, browse to one of these locations to find the file:

● For CitrixReceiverEnterprise.exe

  ● Operating system: Windows XP and Windows 2003

    C:\Documents and Settings\All Users\application data\Citrix\Citrix Receiver (Enterprise)\

  ● Operating system: Windows Vista and Windows 7

    C:\ProgramData\Citrix\Citrix Receiver (Enterprise)\

● For CitrixReceiver.exe installed per computer

  ● Operating system: Windows XP and Windows 2003

    C:\Documents and Settings\All Users\Application Data\Citrix\Citrix Receiver\

  ● Operating system: Windows Vista and Windows 7

    C:\ProgramData\Citrix\Citrix Receiver\

● For CitrixReceiver.exe installed per user

  ● Operating system: Windows XP and Windows 2003

    %USERPROFILE%\Local Settings\Application Data\Citrix\Citrix Receiver\

  ● Operating system: Windows Vista and Windows 7

    %USERPROFILE%\Appdata\local\Citrix\Citrix Receiver\

Optimizing the Receiver Environment

The ways you can optimize the environment in which your Receiver operates for your users include:

● Improving performance

● Improving performance over low bandwidth

● Facilitating the connection of numerous types of client devices to published resources

● Providing support for NDS users

● Using connections to Citrix XenApp for UNIX

● Supporting naming conventions

● Supporting DNS naming resolution

Improving Receiver Performance

You can improve the performance of your Receiver software by:

● Reducing Application Launch Time

● Reconnecting Users Automatically

● Providing session reliability

● Improving Performance over Low-Bandwidth Connections

Reducing Application Launch Time

Use the session pre-launch feature to reduce application launch time during normal or high-traffic periods, giving the user a better experience. The pre-launch feature allows a pre-launch session to be created when a user logs on to Receiver, or at a scheduled time if the user is already logged on. This pre-launch session reduces the launch time of the first application. The default application ctxprelaunch.exe is running in the session, but it is not visible to the user.

There are two types of pre-launch:

● Just-in-time pre-launch. Pre-launch starts immediately after the user's credentials are authenticated, whether or not it is a high-traffic period.

● Scheduled pre-launch. Pre-launch starts at a scheduled time. Scheduled pre-launch starts only when the user device is already running and authenticated. If those two conditions are not met when the scheduled pre-launch time arrives, a session does not launch. To spread network and server load, the session launches within a window of when it is scheduled. For example, if the scheduled pre-launch is scheduled for 1:45 p.m., the session actually launches between 1:15 p.m. and 1:45 p.m.

Typically, you can use just-in-time pre-launch for normal traffic periods and scheduled pre-launch for known high-traffic periods.

An example of a high-traffic period: if your environment includes a large number of users who launch applications during peak periods, such as when users start work or return from lunch, the rapid succession of logon requests might overwhelm servers and slow down application launch for all users.

Configuring pre-launch on the XenApp server consists of creating, modifying, or deleting pre-launch applications, as well as updating user policy settings that control the pre-launch application. See To pre-launch applications to user devices for information about configuring session pre-launch on the XenApp server.

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Customizing the pre-launch feature using the icaclient.adm file is not supported. However, you can change the pre-launch configuration by modifying registry values during or after Receiver installation.

Registry value for Windows 7, 64-bit

The value for Windows 7, 64-bit, is: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch - Enables different users on the same user device to have different settings. It also allows a user to change the configuration without administrative permission. You can provide your users with scripts to accomplish this.

Name: State

Values:

0 - Disable pre-launch.

1 - Enable just-in-time pre-launch. (Pre-launch starts after the user's credentials are authenticated.)

2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)

Name: Schedule

Value:

The time (24 hour format) and days of week for scheduled pre-launch entered in the following format:

HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU are the days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday, and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0. The session actually launches between 1:15 p.m. and 1:45 p.m.

Registry values for other Windows systems

The values for all other supported Windows operating systems are: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch and HKEY_CURRENT_USER\Software\Citrix\ICA Client\Prelaunch.

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch - Written at installation, with default values.

Name: UserOverride

Values:

0 - Use the HKEY_LOCAL_MACHINE values even if HKEY_CURRENT_USER values are also present.

1 - Use HKEY_CURRENT_USER values if they exist; otherwise, use the HKEY_LOCAL_MACHINE values.

Name: State

Values:

0 - Disable pre-launch.

1 - Enable just-in-time pre-launch. (Pre-launch starts after the user's credentials are authenticated.)

2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)

Name: Schedule

Value:

The time (24 hour format) and days of week for scheduled pre-launch entered in the following format:

HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU are the days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday, and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0. The session actually launches between 1:15 p.m. and 1:45 p.m.

HKEY_CURRENT_USER\SOFTWARE\Citrix\ICA Client\Prelaunch - Enables different users on the same user device to have different settings. It also allows a user to change the configuration without administrative permission. You can provide your users with scripts to accomplish this.

Name: State

Values:

0 - Disable pre-launch.

1 - Enable just-in-time pre-launch. (Pre-launch starts after the user's credentials are authenticated.)

2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)

Name: Schedule

Value:

The time (24 hour format) and days of week for scheduled pre-launch entered in the following format:

HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU are the days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday, and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0. The session actually launches between 1:15 p.m. and 1:45 p.m.
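The following Python sketch is an added example, not Citrix code: it takes constructed exports of the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER Prelaunch values, applies the UserOverride rule, validates Schedule, and reports when a user-writable value is the one in effect. It assumes that a missing UserOverride or State counts as 0, that the override is applied per value, and that the launch window is always the 30 minutes shown in the 1:45 p.m. example.

```python
"""Added example: resolve the effective Receiver pre-launch settings.

Works on constructed exports of the Prelaunch values, not on a live registry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

DAY_NAMES = ("M", "T", "W", "TH", "F", "S", "SU")  # order used by the Schedule value
STATE_NAMES = {0: "disabled", 1: "just-in-time", 2: "scheduled"}
# Assumption: 30 minutes, taken from the page's 13:45 -> 13:15..13:45 example.
LAUNCH_WINDOW = timedelta(minutes=30)
SCHEDULE_RE = re.compile(r"^(\d{2}):(\d{2})\|([01](?::[01]){6})$")


@dataclass(frozen=True)
class Schedule:
    hour: int
    minute: int
    days: tuple  # names of the enabled days, in DAY_NAMES order

    def window(self):
        """Return (earliest, latest) launch time as HH:MM strings."""
        latest = datetime(2000, 1, 1, self.hour, self.minute)
        earliest = latest - LAUNCH_WINDOW
        return earliest.strftime("%H:%M"), latest.strftime("%H:%M")


def parse_schedule(text):
    """Parse 'HH:MM|M:T:W:TH:F:S:SU', for example '13:45|1:0:1:0:1:0:0'."""
    match = SCHEDULE_RE.match(text.strip())
    if not match:
        raise ValueError(f"malformed Schedule value: {text!r}")
    hour, minute = int(match.group(1)), int(match.group(2))
    if hour > 23 or minute > 59:
        raise ValueError(f"time out of range in Schedule value: {text!r}")
    flags = match.group(3).split(":")
    days = tuple(name for name, flag in zip(DAY_NAMES, flags) if flag == "1")
    return Schedule(hour, minute, days)


def effective_prelaunch(hklm, hkcu):
    """Apply the UserOverride rule to exported HKLM and HKCU Prelaunch values."""
    findings = []
    override = int(hklm.get("UserOverride", 0))  # assumption: missing means 0
    chosen = {}
    for name in ("State", "Schedule"):
        # Assumption: the override is applied per value, not per key.
        if override == 1 and name in hkcu:
            chosen[name] = (hkcu[name], "HKCU")
        elif name in hklm:
            chosen[name] = (hklm[name], "HKLM")
    state_value, state_source = chosen.get("State", (0, "default"))
    state = int(state_value)
    report = {"state": STATE_NAMES.get(state, "unknown"),
              "state_source": state_source,
              "schedule": None, "schedule_source": None, "findings": findings}
    if state not in STATE_NAMES:
        findings.append(f"State={state} is not one of 0, 1, 2")
    if state == 2:  # Schedule only matters for scheduled pre-launch
        raw, source = chosen.get("Schedule", (None, None))
        report["schedule_source"] = source
        if raw is None:
            findings.append("State=2 but no Schedule value is present")
        else:
            try:
                report["schedule"] = parse_schedule(raw)
            except ValueError as error:
                findings.append(str(error))
    if "HKCU" in (report["state_source"], report["schedule_source"]):
        findings.append("HKCU value in effect: the user can change it "
                        "without administrative permission")
    return report


# Constructed sample exports (not taken from a real device).
SAMPLE_HKLM = {"UserOverride": 1, "State": 1, "Schedule": "13:45|1:0:1:0:1:0:0"}
SAMPLE_HKCU = {"State": 2}

if __name__ == "__main__":
    result = effective_prelaunch(SAMPLE_HKLM, SAMPLE_HKCU)
    print(result["state"], "from", result["state_source"])
    print(result["schedule"].days, result["schedule"].window())
    for finding in result["findings"]:
        print("finding:", finding)
```

With UserOverride set to 0 in the same sample, the HKEY_CURRENT_USER State is ignored and the result falls back to just-in-time pre-launch from HKEY_LOCAL_MACHINE.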

Reconnecting Users Automatically

Users can be disconnected from their sessions because of unreliable networks, highly variable network latency, or range limitations of wireless devices. With the HDX Broadcast auto-client reconnection feature, Receiver can detect unintended disconnections of ICA sessions and reconnect users to the affected sessions automatically.

When this feature is enabled on the server, users do not have to reconnect manually to continue working. The Receiver attempts to reconnect to the session until there is a successful reconnection or the user cancels the reconnection attempts. If user authentication is required, a dialog box requesting credentials appears to a user during automatic reconnection. Automatic reconnection does not occur if users exit applications without logging off. Users can reconnect only to disconnected sessions.

To disable HDX Broadcast auto-client reconnect for a particular user

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network Routing > Session reliability and automatic reconnection. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties and select Disabled.

Providing HDX Broadcast Session Reliability

With the HDX Broadcast Session Reliability feature, users continue to see a published application’s window if the connection to the application experiences an interruption. For example, wireless users entering a tunnel may lose their connection when they enter the tunnel and regain it when they emerge on the other side. During such interruptions, the session reliability feature enables the session window to remain displayed while the connection is being restored.

You can configure your system to display a warning dialog box to users when the connection is unavailable.

You set HDX Broadcast Session Reliability with policy settings on the server. Receiver users cannot override the server settings for HDX Broadcast Session Reliability.

Important: If HDX Broadcast Session Reliability is enabled, the default port used for session communication switches from 1494 to 2598.

Improving Performance over Low-Bandwidth Connections

Citrix recommends that you use the latest version of XenApp or XenDesktop on the server. Citrix continually enhances and improves performance with each release. Many performance features require the latest Receiver and server software to function.

If you are using a low-bandwidth connection, you can make a number of changes to your Receiver configuration and the way you use the Receiver to improve performance.

Changing Your Receiver Configuration

On devices with limited processing power or in circumstances where only limited bandwidth is available, there is a trade-off between performance and functionality. Receiver provides both user and administrator with the ability to choose an acceptable mixture of rich functionality and interactive performance. Making one or more of these changes on the server or user device can reduce the bandwidth your connection requires and improve performance:

● Enable SpeedScreen Latency Reduction. SpeedScreen Latency Reduction improves performance over high latency connections by providing instant feedback to the user in response to typed data or mouse clicks.

User's side: icaclient.adm file.

Server side: SpeedScreen Latency Reduction Manager.

● Reduce the window size. Change the window size to the minimum size you can comfortably use.

User side: icaclient.adm file or use the Receiver icon in the notification area and choose Preferences and right-click the Online Plug-in entry in the Plug-in Status and choose Options > Session Options.

Server side: XenApp services site > Session Options.

● Reduce the number of colors. Reduce the number of colors to 256.

User side: icaclient.adm file or use the Receiver icon in the notification area and choose Preferences and right-click the Online Plug-in entry in the Plug-in Status and choose Options > Session Options.

Server side: XenApp services site > Session Options.

● Reduce sound quality. If Receiver audio mapping is enabled, reduce the sound quality to the minimum setting.

User's side: icaclient.adm file.

Server side: Citrix Audio quality policy setting.

Changing Receiver Use

ICA technology is highly optimized and typically does not have high CPU and bandwidth requirements. However, if you are using a very low-bandwidth connection, the following tasks can impact performance:

● Accessing large files using client drive mapping. When you access a large file with client drive mapping, the file is transferred over the ICA connection. On slow connections, this may take a long time.

● Playing multimedia content. Playing multimedia content uses a lot of bandwidth and can cause reduced performance.

Connecting User Devices and Published Resources

You can facilitate sessions and optimize the connection of your user devices to resources published in the server farm by:

● Configuring workspace control settings to provide continuity for roaming users

● Making scanning transparent for users

● Mapping client devices

● Associating user device file types with published applications

Configuring Workspace Control Settings to Provide Continuity for Roaming Users

The workspace control feature provides users with the ability to disconnect quickly from all running applications, reconnect to applications, or log off from all running applications. You can move among user devices and gain access to all of your applications when you log on. For example, health care workers in a hospital can move quickly among workstations and access the same set of applications each time they log on to XenApp. These users can disconnect from multiple applications at one user device and open all the same applications when they reconnect at a different user device.

Workspace control is available only to users connecting to published resources with Citrix XenApp or through StoreFront, Receiver for Web, or the Web Interface.

Policies and client drive mappings change appropriately when you move to a new user device. Policies and mappings are applied according to the user device where you are currently logged on to the session. For example, if a health care worker logs off from a user device in the emergency room of a hospital and then logs on to a workstation in the hospital’s X-ray laboratory, the policies, printer mappings, and client drive mappings appropriate for the session in the X-ray laboratory go into effect for the session as soon as the user logs on to the user device in the X-ray laboratory.

Important: Workspace control can be used only with Version 11.x and later of the client/plug-in/Receiver, and works only with sessions connected to computers running Citrix Presentation Server Version 3.0, 4.0, or 4.5 or Citrix XenApp 5.0, 6.0, or 6.5.

If workspace control configuration settings allow users to override the server settings, users can configure workspace control on the Receiver Reconnect Options page:

● Enable automatic reconnection at logon allows users to reconnect to only disconnected applications or to both disconnected and active applications

● Enable reconnection from the menu allows users to reconnect to only disconnected applications or to both disconnected and active sessions

To configure workspace control settings through StoreFront or Receiver for Web

For information about configuring Receiver StoreFront and Receiver for Web for workspace control and user roaming, refer to the "Manage" topics in the Receiver StoreFront documentation in Citrix eDocs.

To configure workspace control settings through Web Interface

For users launching applications through the Web Interface, these options are in Settings:

● Enable automatic reconnection at logon allows users to reconnect to only disconnected applications or both disconnected and active applications

● Enable automatic reconnection from Reconnect menu allows users to reconnect to only disconnected applications or both disconnected and active sessions

● Customize Log Off button allows users to configure whether or not the log off command will include logging them off from applications that are running in the session

If users log on with smart cards or smart cards with pass-through authentication, set up a trust relationship between the server running the Web Interface and any other server in the farm that the Web Interface accesses for published applications. For more information about workspace control requirements, see the Citrix XenApp and Web Interface Administrator documentation.

Making Scanning Transparent for Users

If you enable HDX Plug-n-Play TWAIN image scanning device support, users can control client-attached TWAIN imaging devices transparently with applications that reside on the server farm. To use this feature, a TWAIN device must be attached to the user device and the associated 32-bit TWAIN driver must also be installed on the user device.

To enable or disable this feature, configure the Citrix policy Client TWAIN device redirection setting.

The following policy settings allow you to specify the maximum amount of bandwidth (in kilobits per second or as a percentage) and the compression level of images from client to server used for TWAIN redirection:

● TWAIN device redirection bandwidth limit

● TWAIN device redirection bandwidth limit percent

● TWAIN compression level

Mapping User Devices

The Receiver supports mapping devices on user devices so they are available from within a session. Users can:

● Transparently access local drives, printers, and COM ports

● Cut and paste between the session and the local Windows clipboard

● Hear audio (system sounds and .wav files) played from the session

During logon, Receiver informs the XenApp server of the available client drives, COM ports, and LPT ports. By default, client drives are mapped to server drive letters and server print queues are created for client printers so they appear to be directly connected to the XenApp server. These mappings are available only for the current user during the current session. They are deleted when the user logs off and recreated the next time the user logs on.

You can use the Citrix policy redirection settings on the XenApp server to map user devices not automatically mapped at logon. For more information, see the XenApp administration documentation.

Turning off User Device Mappings

You can configure user device mapping, including options for drives, printers, and ports, using the Windows Server Manager tool. For more information about the available options, see your Remote Desktop Services documentation.

Mapping Client Drives to XenApp Server Drive Letters

Client drive mapping allows drive letters on the XenApp server to be redirected to drives that exist on the client device. For example, drive H in a Citrix user session can be mapped to drive C of the local device running the plug-in.

Client drive mapping is built into the standard Citrix device redirection facilities transparently. To File Manager, Windows Explorer, and your applications, these mappings appear like any other network mappings.

Note that Client drive mapping is not supported when connecting to MetaFrame Server 1.0 for UNIX operating systems.

The XenApp server can be configured during installation to map client drives automatically to a given set of drive letters. The default installation mapping maps drive letters assigned to client drives starting with V and works backward, assigning a drive letter to each fixed drive and CD-ROM drive. (Floppy drives are assigned their existing drive letters.) This method yields the following drive mappings in a session:

Client drive letter    Is accessed by the XenApp server as:
A                      A
B                      B
C                      V
D                      U

The XenApp server can be configured so that the server drive letters do not conflict with the client drive letters; in this case the server drive letters are changed to higher drive letters. For example, changing server drives C to M and D to N allows client devices to access their C and D drives directly. This method yields the following drive mappings in a session:

Client drive letter    Is accessed by the XenApp server as:
A                      A
B                      B
C                      C
D                      D

The drive letter used to replace the server drive C is defined during Setup. All other fixed drive and CD-ROM drive letters are replaced with sequential drive letters (for example: C > M, D > N, E > O). These drive letters must not conflict with any existing network drive mappings. If a network drive is mapped to the same drive letter as a server drive letter, the network drive mapping is not valid.

When a client device connects to a XenApp server, client mappings are reestablished unless automatic client device mapping is disabled. You can use the Terminal Services Configuration tool to configure automatic client device mapping for ICA connections and users. You can also use policies to give you more control over how client device mapping is applied. For more information about policies, see the Citrix XenApp Administrator's documentation at Citrix eDocs.

HDX Plug-n-Play for USB Storage Devices

HDX Plug-n-Play for USB storage devices enables users to interact with USB mass storage devices connected to their user devices when connected to XenApp sessions. When HDX Plug-n-Play for USB storage devices is enabled, users can connect or disconnect a USB device from a session at any time, regardless of whether the session was started before or after the drive connection.

HDX Plug-n-Play for USB storage devices is enabled by default and can be disabled or enabled by editing the ICA\File Redirection - Client removable drives policy setting. For more information, see the XenApp documentation.

Supported Mass Storage Devices with XenApp

Mass storage devices, including USB thumbdrives, USB-attached hard drives, CD-DVD drives, and SD card readers are supported.

Not supported:

● U3 smart drives and devices with similar autorun behavior

● Explorer.exe published as a seamless application

Mass storage devices can often be accessed through client drive mapping, and so USB support is not required.

Important: Some viruses are known to propagate actively using all types of mass storage. Carefully consider whether or not there is a business need to permit the use of mass storage devices, either through client drive mapping or USB support.

HDX Plug-n-Play USB Device Redirection for XenApp Connections

HDX Plug-n-Play USB Device Redirection on computers running Vista and Windows 7 enables dynamic redirection of media devices, including cameras, scanners, media players, and point of sale (POS) devices to the server. You or the user can restrict redirection of all or some of the devices. Edit policies on the server or apply group policies on the user device to configure the redirection settings. Three methods can enforce HDX Plug-n-Play USB device redirection policies:

● Server side. The administrator can enable or disable all device redirections for a specific user or user group using the Active Directory policies available in XenApp. The policy controls redirection of all devices and is not specific to a device. For more information, see the XenApp administration documentation.

● Plug-in side. The administrator can enable or disable all device redirection for a specific user or computer by using the group policy editor. There are two policy settings: the USB Plug-n-Play Devices policy setting controls redirection of all devices and the USB Point of Sale Devices policy setting controls POS devices only. If USB Plug-n-Play Devices allows devices to be redirected, you can use the USB Point of Sale Devices, which is a subset of USB Plug-n-Play Devices, to control only POS devices.

● Plug-in side. The user can allow or reject device redirection. When a device is going to be redirected, the permission set by the user in the Connection Center is applied (the setting applies to the current session). If the permission is set to Full Access, devices are always redirected. If the permission is set to No Access, devices are not redirected. If the permission is set to Ask Permission, a dialog box appears before redirection occurs requiring the user to make a selection. Depending on the answer, the device is redirected or not. If the user is prompted with any of the device security dialog boxes (for example, file security or audio security) and instructs the system to remember the decision, applications launched in subsequent ICA sessions load and use these settings.

This setting affects only devices plugged in after the user changes the setting. Devices that are already plugged in when the user changes the setting are unaffected by the new setting.

Important: If you prohibit Plug-n-Play USB device redirection in a server policy, the user cannot override that policy setting with the plug-in side policy.

Plug-in Group Policies

Access the plug-in policies using the Group Policy Editor available through gpedit.msc from the Start menu's Run dialog box. You can apply the policies to both users and computers. Two policies are available:

● USB Plug-n-Play Devices is the main policy that turns HDX Plug-n-Play USB device redirection on or off. Enabling redirection allows any Media Transfer Protocol (MTP), Picture Transfer Protocol (PTP), and Point of Sale (POS) device connected to the user device to be redirected in the session. The policy has three values: Not Configured, Enabled, and Disabled. The default is Not Configured, which allows redirection.

● USB Point of Sale Devices controls the redirection of POS devices and USB Plug-n-Play Devices must be Enabled to enable this policy. The policy can have three values: Not Configured, Enabled, and Disabled. The default is Not Configured, which allows redirection of POS devices.
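The order in which the three enforcement methods apply (server policy, then the two plug-in policies, then the user's Connection Center permission) can be modelled as a small decision function. This is an added example, not Citrix code: the function, parameter and device-kind names are assumptions, and it reads the USB Point of Sale Devices policy as taking effect only when USB Plug-n-Play Devices is explicitly Enabled, as the text above words it.

```powershell
# Added example: a model of the redirection decision described in this topic.
# Function, parameter and device-kind names are hypothetical, not Citrix identifiers.
function Get-UsbRedirectionDecision {
    [CmdletBinding()]
    param(
        # $true when a XenApp server policy prohibits Plug-n-Play USB redirection.
        [Parameter(Mandatory)] [bool] $ServerProhibits,

        # Plug-in side policy "USB Plug-n-Play Devices".
        [Parameter(Mandatory)]
        [ValidateSet('NotConfigured', 'Enabled', 'Disabled')]
        [string] $PlugNPlayPolicy,

        # Plug-in side policy "USB Point of Sale Devices".
        [Parameter(Mandatory)]
        [ValidateSet('NotConfigured', 'Enabled', 'Disabled')]
        [string] $PosPolicy,

        # Permission the user chose in the Connection Center.
        [Parameter(Mandatory)]
        [ValidateSet('FullAccess', 'NoAccess', 'AskPermission')]
        [string] $UserPermission,

        [Parameter(Mandatory)]
        [ValidateSet('POS', 'Media')]
        [string] $DeviceKind
    )

    $result = [ordered]@{ DeviceKind = $DeviceKind; Decision = $null; DecidedBy = $null }

    if ($ServerProhibits) {
        # A server-side prohibition cannot be overridden on the plug-in side.
        $result.Decision  = 'Blocked'
        $result.DecidedBy = 'Server policy'
    }
    elseif ($PlugNPlayPolicy -eq 'Disabled') {
        # The main plug-in policy turns redirection off for every device.
        $result.Decision  = 'Blocked'
        $result.DecidedBy = 'USB Plug-n-Play Devices'
    }
    elseif ($DeviceKind -eq 'POS' -and
            $PlugNPlayPolicy -eq 'Enabled' -and
            $PosPolicy -eq 'Disabled') {
        # The POS policy is honoured only when the parent policy is Enabled.
        $result.Decision  = 'Blocked'
        $result.DecidedBy = 'USB Point of Sale Devices'
    }
    else {
        # Nothing set by the administrator blocks the device: the user's choice applies.
        $result.DecidedBy = 'User permission'
        $result.Decision  = switch ($UserPermission) {
            'FullAccess'    { 'Redirected' }
            'NoAccess'      { 'Blocked' }
            'AskPermission' { 'Prompt user' }
        }
    }

    New-Object psobject -Property $result
}

# Constructed cases. The third one shows the gap an administrator can miss:
# POS set to Disabled while the parent policy is left at Not Configured.
$cases = @(
    @{ ServerProhibits = $true;  PlugNPlayPolicy = 'Enabled';       PosPolicy = 'Enabled';
       UserPermission = 'FullAccess';    DeviceKind = 'Media' },
    @{ ServerProhibits = $false; PlugNPlayPolicy = 'Enabled';       PosPolicy = 'Disabled';
       UserPermission = 'FullAccess';    DeviceKind = 'POS' },
    @{ ServerProhibits = $false; PlugNPlayPolicy = 'NotConfigured'; PosPolicy = 'Disabled';
       UserPermission = 'FullAccess';    DeviceKind = 'POS' },
    @{ ServerProhibits = $false; PlugNPlayPolicy = 'NotConfigured'; PosPolicy = 'NotConfigured';
       UserPermission = 'AskPermission'; DeviceKind = 'Media' }
)

$results = foreach ($case in $cases) { Get-UsbRedirectionDecision @case }
$results | Format-Table -AutoSize
```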

Mapping Client Printers for More Efficiency

Receiver supports printing to network printers and printers that are attached locally to user devices. By default, unless you create policies to change this, XenApp lets users:

● Print to all printing devices accessible from the user device

● Add printers (but it does not retain settings configured for these printers or save them for the next session)

However, these settings might not be the optimum in all environments. For example, the default setting that allows users to print to all printers accessible from the user device is the easiest to administer initially, but might create slower logon times in some environments.

Likewise, your organization’s security policies might require that you prevent users from mapping local printing ports. To do so, configure the Citrix policy Auto connect client COM ports setting to Disabled.

To change default printing settings, configure policy settings on the server. For more information, see the XenApp administration topics.

To view mapped client printers

While connected to the XenApp server, from the Start menu, choose Printers in the Control Panel.

The Printers window displays the local printers mapped to the session. When connecting to servers running Citrix Presentation Server 4.0 or 4.5 or Citrix XenApp, by default the name of the printer takes the form:

printername (from clientname) in session x

where:

● printername is the name of the printer on the user device.

● clientname is the unique name given to the user device or the Web Interface.

● x is the SessionID of the user’s session on the server.

For example, printer01 (from computer01) in session 7

When connecting to servers running Presentation Server 3.0 or earlier, or when the Legacy printer name option from the Citrix policy Client printer names setting is enabled on the server, a different naming convention is used. The name of the printer takes the form:

Client/clientname#/printername

where:

● clientname is the unique name given to the user device during client setup.

● printername is the Windows printer name. Because the Windows printer name is used and not the port name, multiple printers can share a printer port without conflict.

For more information about printing, and about managing printing using policies, see the Citrix XenApp Administrator's documentation.
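Both naming conventions carry the name of the user device, so a list of session printer names can be broken down to show which client each mapped printer comes from. The parser below is an added example, not Citrix code; the function name and the property names on its output are assumptions, and the sample names are the ones used in this document plus constructed ones.

```powershell
# Added example: split session printer names into printer, client and session.
# ConvertFrom-SessionPrinterName and its output properties are hypothetical names.
function ConvertFrom-SessionPrinterName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $Name
    )
    process {
        $info = [ordered]@{
            Name       = $Name
            Convention = 'NotClientPrinter'
            Printer    = $null
            Client     = $null
            SessionId  = $null
        }

        # Default form: printername (from clientname) in session x
        # The printer part is matched greedily so that a printer name which itself
        # contains parentheses still leaves the last "(from ...)" as the client.
        if ($Name -match '^(?<printer>.+) \(from (?<client>.+)\) in session (?<session>\d+)$') {
            $info.Convention = 'Default'
            $info.Printer    = $Matches['printer']
            $info.Client     = $Matches['client']
            $info.SessionId  = [int]$Matches['session']
        }
        # Legacy form: Client/clientname#/printername (no session number in the name)
        elseif ($Name -match '^Client/(?<client>[^#]+)#/(?<printer>.+)$') {
            $info.Convention = 'Legacy'
            $info.Printer    = $Matches['printer']
            $info.Client     = $Matches['client']
        }

        New-Object psobject -Property $info
    }
}

# Sample names: the first two appear in this document, the rest are constructed.
$names = @(
    'printer01 (from computer01) in session 7',
    'HP LaserJet 1018 (from clientname) in session 35',
    'Client/computer01#/printer01',
    'Label Printer (rear) (from computer02) in session 12',
    'Microsoft XPS Document Writer'
)

$parsed = $names | ConvertFrom-SessionPrinterName
$parsed | Format-Table Convention, Printer, Client, SessionId -AutoSize

# Printers per user device, for example to review which clients map printers into sessions.
$parsed | Where-Object { $_.Client } | Group-Object Client |
    Select-Object Name, Count | Format-Table -AutoSize
```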

To map a client COM port to a server COM port

Client COM port mapping allows devices attached to the COM ports of the user device to be used during sessions on a XenApp server. These mappings can be used like any other network mappings.

Important: Client COM port mapping is not supported when connecting to MetaFrame Server 1.0 and 1.1 for UNIX Operating Systems.

You can map client COM ports at the command prompt. You can also control client COM port mapping from the Terminal Services Configuration tool or using policies. See the Citrix XenApp Administrator’s documentation for more information about policies.

1. Start Receiver and log on to the XenApp server.

2. At a command prompt, type: net use comx: \\client\comz: where x is the number of the COM port on the server (ports 1 through 9 are available for mapping) and z is the number of the client COM port you want to map.

3. To confirm the operation, type: net use at a command prompt. The list that appears contains mapped drives, LPT ports, and mapped COM ports. To use this COM port in a session on a XenApp server, install your device to the mapped name. For example, if you map COM1 on the client to COM5 on the server, install your COM port device on COM5 during the session on the server. Use this mapped COM port as you would a COM port on the user device.

Important: COM port mapping is not TAPI-compatible. TAPI devices cannot be mapped to client COM ports.
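Steps 2 and 3 can be scripted so that the server port number is checked against the 1 through 9 range before the command is built, and so that the net use listing is reduced to the client port mappings present in the session. This is an added example, not Citrix code; the function names are assumptions and the sample listing is constructed, so the column text in a real session may differ.

```powershell
# Added example. Function names are hypothetical; the net use syntax is the one
# given in step 2 of this procedure.
function Get-ClientComMapCommand {
    param(
        # COM port number on the server: ports 1 through 9 are available for mapping.
        [Parameter(Mandatory)] [ValidateRange(1, 9)] [int] $ServerPort,

        # COM port number on the user device.
        [Parameter(Mandatory)] [ValidateScript({ $_ -ge 1 })] [int] $ClientPort
    )
    'net use com{0}: \\client\com{1}:' -f $ServerPort, $ClientPort
}

function Get-ClientPortMapping {
    param(
        # Lines of "net use" output. When omitted, net use is run in the current session.
        [string[]] $NetUseOutput = (net use)
    )
    foreach ($line in $NetUseOutput) {
        # Keep only COM and LPT entries whose remote name is a \\client\ port.
        if ($line -match '(?<local>\b(?:COM|LPT)\d+):?\s+(?<remote>\\\\client\\\S+)') {
            New-Object psobject -Property ([ordered]@{
                ServerPort = $Matches['local'].ToUpper()
                ClientPort = $Matches['remote']
            })
        }
    }
}

# The example from step 3: COM1 on the client mapped to COM5 on the server.
Get-ClientComMapCommand -ServerPort 5 -ClientPort 1

# Constructed sample of a net use listing, so the parser can be tried outside a session.
$sample = @(
    'Status       Local     Remote                    Network',
    '-------------------------------------------------------------------------------',
    'OK           H:        \\fileserver\home         Microsoft Windows Network',
    '             COM5:     \\client\com1:            Citrix Client Network',
    '             LPT2:     \\client\lpt1:            Citrix Client Network'
)

Get-ClientPortMapping -NetUseOutput $sample | Format-Table -AutoSize
```

An empty result from Get-ClientPortMapping in a live session is what you would expect to see where policy disables client port mapping.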

Mapping Client Audio to Play Sound on the User Device

Client audio mapping enables applications executing on the XenApp server to play sounds through Windows-compatible sound devices installed on the user device. You can set audio quality on a per-connection basis on the XenApp server and users can set it on their device. If the user device and server audio quality settings are different, the lower setting is used.

Client audio mapping can cause excessive load on servers and the network. The higher the audio quality, the more bandwidth is required to transfer the audio data. Higher quality audio also uses more server CPU to process.

Important: Client sound support mapping is not supported when connecting to Citrix XenApp for UNIX.

Associating User Device File Types with Published Applications

Receiver supports HDX Plug-n-Play content redirection. Functionally equivalent to extended parameter passing, content redirection allows you to enforce all underlying file type associations from the server, eliminating the need to configure extended parameter passing on individual user devices.

To associate file types on the user device with applications published on the server, configure Plug-n-Play content redirection on the server. For more information, see the XenApp administration topics.

Using the Window Manager when Connecting to Citrix XenApp for UNIX

This topic does not apply to XenDesktop connections.

You can use the window manager to change the session display when connecting to published resources on XenApp servers for UNIX. With the window manager, users can minimize, resize, position, and close windows, as well as access full screen mode.

About Seamless Windows

In seamless window mode, published applications and desktops are not contained within a session window. Each published application and desktop appears in its own resizable window, as if it is physically installed on the user device. Users can switch between published applications and the local desktop.

You can also display seamless windows in “full screen” mode, which places the published application in a full screen-sized desktop. This mode lets you access the ctxwm menu system.

To switch between seamless and full screen modes

Press SHIFT+F2 to switch between seamless and full screen modes.

Minimizing, Resizing, Positioning, and Closing Windows

When users connect to published resources, window manager provides buttons to minimize, resize, position, and close windows. Windows are minimized as buttons on the taskbar.

When the user closes the last application in a session, the session is logged off automatically after twenty seconds.

Terminating and Disconnecting Sessions

This topic does not apply to XenDesktop connections.

In remote desktop and seamless full screen windows, you can use the ctxwm menu system to log off, disconnect, and exit from published applications and connection sessions.

To access the ctxwm menu system

1. On a blank area of the remote desktop window, click and hold down the left mouse button. The ctxwm menu appears.

2. Drag the mouse pointer over Shutdown to display the shutdown options.

To choose an option from the ctxwm menu

Drag the pointer over the required option to select it. Release the mouse button to select the option.

To | Choose
Terminate the connection and all running applications | Logoff
Disconnect the session but leave the application running | Disconnect
Disconnect the session and terminate the application | Exit

Note: The server can be configured to terminate any applications that are running if a session is disconnected.

Using ctxgrab and ctxcapture to Cut and Paste Graphics When Connected to XenApp for UNIX

If you are connected to an application published on a XenApp server for UNIX, use ctxgrab or ctxcapture to cut and paste graphics between the session and the local desktop. These utilities are configured and deployed from the server.

Important: You might need to deploy UNIX applications that are designed for use with a 3-button mouse. Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouse emulation. For more information, see the XenApp for UNIX administration documentation.

● ctxgrab

● ctxcapture

Using the ctxgrab Utility to Cut and Paste Graphics

This topic does not apply to XenDesktop connections.

The ctxgrab utility is a simple tool you use to cut and paste graphics from published applications to applications running on the local user device. This utility is available from a command prompt or, if you are using a published application, from the ctxwm window manager.

Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouse emulation. For more information, see the XenApp for UNIX administration documentation.

To access the ctxgrab utility from the window manager

● In seamless mode, right-click the ctxgrab button in the top, left-hand corner of the screen to display a menu and choose the grab option

● In full screen mode, left-click to display the ctxwm menu and choose the grab option

To copy from an application in a plug-in window to a local application

1. From the ctxgrab dialog box, click From screen.

2. To select a window, move the cursor over the window you want to copy and click the middle mouse button. To select a region, hold down the left mouse button and drag the cursor to select the area you want to copy. To cancel the selection, click the right mouse button. While dragging, click the right mouse button before releasing the left button.

3. Use the appropriate command in the local application to paste the object.

Using the ctxcapture Utility to Cut and Paste Graphics

This topic does not apply to XenDesktop connections.

The ctxcapture utility is a more fully-featured utility for cutting and pasting graphics between published applications and applications running on the local user device.

With ctxcapture you can:

● Grab dialog boxes or screen areas and copy them between an application in a Receiver window and an application running on the local user device, including non-ICCCM-compliant applications

● Copy graphics between the Receiver and the X graphics manipulation utility xvf

If you are connected to a published desktop, ctxcapture is available from a command prompt. If you are connected to a published application and the administrator makes it available, you can access ctxcapture through the ctxwm window manager.

Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouse emulation. For more information, see the XenApp for UNIX administration documentation.

To access the ctxcapture utility from the window manager

Left-click to display the ctxwm menu and choose the screengrab option.

To copy from a local application to an application in a Receiver window

1. From the ctxcapture dialog box, click From screen.

2. To select a window, move the cursor over the window you want to copy and click the middle mouse button. To select a region, hold down the left mouse button and drag the cursor to select the area you want to copy. To cancel the selection: click the right mouse button. While dragging, click the right mouse button before releasing the left button.

3. From the ctxcapture dialog box, click To ICA. The xcapture button changes color to indicate that it is processing the information.

4. When the transfer is complete, use the appropriate command in the published application window to paste the information.

To copy from an application in a Receiver window to a local application

1. From the application in the Receiver window, copy the graphic.

2. From the ctxcapture dialog box, click From ICA.

3. When the transfer is complete, use the appropriate command in the local application to paste the information.

To copy from xv to an application in a Receiver window or local application

1. From xv, copy the graphic.

2. From the ctxcapture dialog box, click From xv and To ICA.

3. When the transfer is complete, use the appropriate command in the Receiver window to paste the information.

To copy from an application in a Receiver window to xv

1. From the application in the Receiver window, copy the graphic.

2. From the ctxcapture dialog box, click From ICA and To xv.

3. When the transfer is complete, use the paste command in xv.

Matching Client Names and Computer Names

The dynamic client name feature allows the client name to be the same as the computer name. When users change their computer name, the client name changes to match. This allows you to name computers to suit your naming scheme and find connections more easily when managing your server farm.

If the client name is not set to match the computer name during installation, the client name does not change when the computer name is changed.

Users enable dynamic client name support by selecting Enable Dynamic Client Name during Receiver installation.

To enable dynamic client name support during silent command line installation, the value of the property ENABLE_DYNAMIC_CLIENT_NAME must be Yes. Set the property to No to disable dynamic client name support.

DNS Name Resolution

You can configure Receivers that use the Citrix XML Service to request a Domain Name Service (DNS) name for a server instead of an IP address.

Important: Unless your DNS environment is configured specifically to use this feature, Citrix recommends that you do not enable DNS name resolution in the server farm.

Receivers connecting to published applications through the Web Interface also use the Citrix XML Service. For Receivers connecting through the Web Interface, the Web server resolves the DNS name on behalf of the Receiver.

DNS name resolution is disabled by default in the server farm and enabled by default on the Receiver. When DNS name resolution is disabled in the farm, any Receiver request for a DNS name returns an IP address. There is no need to disable DNS name resolution on Receiver.

To disable DNS name resolution for specific client devices

If you are using DNS name resolution in the server farm and are having problems with specific user devices, you can disable DNS name resolution for those devices.

Caution: Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.

1. Add a string registry key xmlAddressResolutionType to HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Application Browsing.

2. Set the value to IPv4-Port.

3. Repeat for each user of the user devices.

Using Proxy Servers with XenDesktop Connections

If you do not use proxy servers in your environment, correct the Internet Explorer proxy settings on any user devices running Internet Explorer 7.0 on Windows XP. By default, this configuration automatically detects proxy settings. If proxy servers are not used, users will experience unnecessary delays during the detection process. For instructions on changing the proxy settings, consult your Internet Explorer documentation. Alternatively, you can change proxy settings using the Web Interface. For more information, consult the Web Interface documentation.

Improving the Receiver User Experience

You can improve your users’ experiences with the following supported features:

● ClearType font smoothing

● Client-side microphone input for digital dictation

● Multiple monitor support

● Printing performance enhancements

● To set keyboard shortcuts

● 32-bit color icons

Topics that support users with the Desktop Viewer and the Desktop Lock are available at http://support.citrix.com/help/receiver/en/receiverHelpWin.htm.

ClearType Font Smoothing in Sessions

This topic does not apply to XenDesktop connections.

XenApp server supports ClearType font smoothing with Receiver for users on computers running Windows XP, Windows 7, and Windows Vista. ClearType font smoothing is set by default in Windows 7 and Windows Vista, but Standard font smoothing is set by default in Windows XP.

If you enable ClearType font smoothing on Receiver, you are not forcing the user devices to use ClearType font smoothing. You are enabling the server to support ClearType font smoothing on user devices that have it set and are using Receiver. By disabling it for sessions, you are specifying that sessions launched from that Receiver do not remote the font smoothing setting.

Receiver automatically detects the user device’s font smoothing setting and sends it to the server. The session connects using this setting. When the session is disconnected or terminated, the user's profile setting on the server is set to the original setting unless the user specifically changed it in the control panel in the session; then the server uses the new setting.

Older Receivers (plug-ins) connect using the font smoothing setting configured in that user’s profile on the server.

When ClearType font smoothing is enabled, three times more data is sent across the virtual channel, which might cause a decrease in performance.

Font smoothing must be enabled on users’ operating systems, the Receiver, the Web Interface site, and the server farm.

To enable or disable ClearType font smoothing for sessions

In Web Interface environments, use the Session Preferences task in the Citrix Web Interface Management console to enable or disable font smoothing for XenApp Web sites and the Session Options task for XenApp Services sites.

Client-Side Microphone Input

Receiver supports multiple client-side microphone input. Locally installed microphones can be used for:

● Real-time activities, such as softphone calls and Web conferences.

● Hosted recording applications, such as dictation programs.

● Video and audio recordings.

Digital dictation support is available with Receiver. For information about configuring this feature, see the administrator's documentation for Citrix XenApp or Citrix XenDesktop.

Receiver (Enterprise) users can disable their microphones by selecting No Access in the Microphones/Webcams menu choice available from the Citrix Connection Center, or from the Receiver’s system menu (for non-seamless connections). Receiver (standard) users are presented with the same dialog box automatically at the beginning of their sessions. XenDesktop users can also use the XenDesktop Viewer Preferences to disable their microphones.

Note: Selecting No Access also disables any attached Webcams.

On the user device, users control audio input and output in a single step—by selecting an audio quality level from the Options dialog box.

Configuring HDX Plug-n-Play Multi-monitor Support

Multiple monitors are fully supported by Receiver. As many as eight monitors are supported.

Each monitor in a multiple monitor configuration has its own resolution designed by its manufacturer. Monitors can have different resolutions and orientations during sessions.

Sessions can span multiple monitors in two ways:

● Full screen mode, with multiple monitors shown inside the session; applications snap to monitors as they would locally.

XenDesktop: If users access a desktop through the Citrix Desktop Lock, the desktop is displayed across all monitors. The primary monitor on the device becomes the primary monitor in the XenDesktop session. You can display the Desktop Viewer toolbar across any rectangular subset of monitors by resizing the window across any part of those monitors and pressing the Maximize button.

● Windowed mode, with one single monitor image for the session; applications do not snap to individual monitors.

XenDesktop: When any desktop in the same assignment (formerly "desktop group") is launched subsequently, the window setting is preserved and the toolbar is displayed across the same monitors. Multiple virtual desktops can be displayed on one device provided the monitor arrangement is rectangular. If the primary monitor on the device is used by the XenDesktop session, it becomes the primary monitor in the session. Otherwise, the numerically lowest monitor in the session becomes the primary monitor.

To enable multi-monitor support, ensure the following:

● The user device must have a single video board that can support connections to more than one monitor or multiple video boards compatible with the Receiver on the appropriate platform.

● The user device operating system must be able to detect each of the monitors. On Windows platforms, to verify that this detection occurs, on the user device, view the Settings tab in the Display Settings dialog box and confirm that each monitor appears separately.

● After your monitors are detected:

    ● XenDesktop: Configure the graphics memory limit using the Citrix Machine Policy setting Display memory limit.

    ● XenApp: Depending on the version of the XenApp server you have installed:

        ● Configure the graphics memory limit using the Citrix Computer Policy setting Display memory limit.

        ● From the Citrix management console for the XenApp server, select the farm and in the task pane, select Modify Server Properties > Modify all properties > Server Default > HDX Broadcast > Display (or Modify Server Properties > Modify all properties > Server Default > ICA > Display) and set the Maximum memory to use for each session’s graphics.

Ensure the setting is large enough (in kilobytes) to provide sufficient graphic memory. If this setting is not high enough, the published resource is restricted to the subset of the monitors that fits within the size specified.

For information about calculating the session's graphic memory requirements for XenApp and XenDesktop, see ctx115637.

Printing Performance

Printing performance can play a vital role in your users’ experiences. The printing configuration you create affects these aspects of the user’s experience:

● User ease and comfort level

● Logon times

● Ability to print to a nearby printer when traveling or when moving between client devices in a building

You configure printer policy settings on the server.

User Ease and Comfort Level

In environments with novice users, consider changing the following potentially confusing default printing behaviors:

● Printer names change at the start of each session. When, by default, client printers are auto-created, the printer name is appended with the name of the user device and session. For example, auto-created client printers appear in the Print dialog box with a name like HP LaserJet 1018 (from clientname) in session 35.

To resolve this problem, you can either reduce the number of printers auto-created or provision printers using another method. To control printer auto-creation, configure the Citrix policy setting Auto-create client printers and select one of the following options:

    ● Do not auto-create client printers. Client printers are not auto-created.

    ● Auto-create the client’s default printer only. Only the client’s default printer attached to or mapped from the client preconfigured in the Control Panel is auto-created in the session.

    ● Auto-create local (non-network) client printers only. Any non-network printers attached to the client device preconfigured in the Control Panel are auto-created in the session.

    ● Auto-create all client printers. All network printers and any printers attached to or mapped from the user device preconfigured in the Control Panel are auto-created in the session.

● If many printers are installed by default on user devices, your users might be confused by the large number of available printers. You can limit the printers that appear to them in sessions.

● HDX Plug-n-Play Universal Printer uses a nonstandard printing dialog box. If your users have trouble learning new features on their own, you might not want to use the Universal Printer as the default printer in a session. The user interface for this printer is slightly different from the standard Windows print dialog box.

Logon Times

The printing configuration you select can impact how long it takes users to start a session. When Receiver is configured to provision printers by creating them automatically at the beginning of each session, it increases the amount of time to build the session environment. In this case, Receiver has to rebuild every printer found on the user device. You can decrease logon time by specifying any of the following on the XenApp server:

● Auto-create only the Universal Printer. This is done automatically when you configure the Universal Printer.

● Auto-create only the default printer for the client device by using the Auto-create client printers policy setting.

● Do not auto-create any client printers through the Auto-create client printers policy setting and route print jobs to network printers by configuring the Session printers policy setting.

Configuring Printers for Mobile Workers

If you have users who move among workstations in the same building (for example, in a hospital setting) or move among different offices, you might want to configure Proximity Printing. The Proximity Printing solution ensures that the closest printer is presented to the users in their sessions, even when they change user devices during a session.

To override the printer settings configured on the server

To improve printing performance, you can configure various printing policy settings on the server:

● Universal printing optimization defaults

● Universal printing EMF processing mode

● Universal printing image compression limit

● Universal printing print quality limit

● Printer driver mapping and compatibility

● Session printers

If you enabled Allow non-admins to modify these settings in the Universal printing optional defaults policy setting on the server, users on their user devices can override the Image Compression and Image and Font Caching options specified in that policy setting.

To override the printer settings on the user device

1. From the Print menu available from an application on the user device, choose Properties.

2. On the Client Settings tab, click Advanced Optimizations and make changes to the Image Compression and Image and Font Caching options.

To set keyboard shortcuts

You can configure combinations of keys that Receiver interprets as having special functionality. When the keyboard shortcuts policy is enabled, you can specify Citrix Hotkey mappings, behavior of Windows hotkeys, and keyboard layout for sessions.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > User Experience > Keyboard shortcuts. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties, select Enabled, and choose the desired options.

Keyboard Input in XenDesktop Sessions

Note the following about how keyboard combinations are processed in XenDesktop sessions:

● Windows logo key+L is directed to the local computer.

● CTRL+ALT+DELETE is directed to the local computer except in some cases if you use the Citrix Desktop Lock.

● Key presses that activate StickyKeys, FilterKeys, and ToggleKeys (Microsoft accessibility features) are normally directed to the local computer.

● As an accessibility feature of the Desktop Viewer, pressing CTRL+ALT+BREAK displays the Desktop Viewer toolbar buttons in a pop-up window.

● Windows key combinations (for example, CTRL+ESC and ALT+TAB) are directed according to the settings that your helpdesk has selected. For more information, see the table below.

Note: By default, if the Desktop Viewer is maximized, ALT+TAB switches focus between windows inside the session. If the Desktop Viewer is displayed in a window, ALT+TAB switches focus between windows outside the session.

Hotkey sequences are key combinations designed by Citrix. For example, the CTRL+F1 sequence reproduces CTRL+ALT+DELETE, and SHIFT+F2 switches applications between full-screen and windowed mode. You cannot use hotkey sequences with virtual desktops displayed in the Desktop Viewer (that is, with XenDesktop sessions), but you can use them with published applications (that is, with XenApp sessions).

The table shows the remoting behavior of other Windows key combinations. The behavior depends on whether a Desktop Viewer or a Desktop Lock session is used, and is controlled by the Local resources setting, available from the Session Options task on the XenDesktop site. XenApp settings are also shown for reference. For more information on configuring this setting, see the Web Interface documentation.

With Local resources set to | Desktop Viewer sessions have this behavior | Desktop Lock sessions have this behavior | XenApp (or disabled Desktop Viewer) sessions have this behavior
Full screen desktops only | Key combinations are sent to the remote, virtual desktop only if the Desktop Viewer window has focus and is maximized (full-screen). | Key combinations are always sent to the remote, virtual desktop. | Key combinations are sent to the remote XenApp server if the session is maximized (full-screen).
Remote desktop | Key combinations are sent to the remote, virtual desktop only if the Desktop Viewer window has focus. | Key combinations are always sent to the remote, virtual desktop. | Key combinations are sent to the remote XenApp server if the session or application has focus.
Local desktop | Key combinations are always kept on the local user device. | Key combinations are always kept on the local user device. Citrix does not recommend setting Local resources to Local desktop if the Desktop Lock is used. | Key combinations are always kept on the local user device.

Receiver Support for 32-Bit Color Icons

Receiver supports high color icons (32x32 bit) and automatically selects the color depth for applications visible in the Citrix Connection Center dialog box, the Start menu, and task bar to provide for seamless applications.

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

To set a preferred depth, you can add a string registry key named TWIDesiredIconColor to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Preferences and set it to the desired value. The possible color depths for icons are 4, 8, 16, 24, and 32 bits-per-pixel. The user can select a lower color depth for icons if the network connection is slow.

Connecting to Virtual Desktops

From within a desktop session, users cannot connect to the same virtual desktop. Attempting to do so will disconnect the existing desktop session. Therefore, Citrix recommends:

● Administrators should not configure the clients on a desktop to point to a site that publishes the same desktop

● Users should not browse to a site that hosts the same desktop if the site is configured to automatically reconnect users to existing sessions

● Users should not browse to a site that hosts the same desktop and try to launch it

Be aware that a user who logs on locally to a computer that is acting as a virtual desktop blocks connections to that desktop.

If your users connect to virtual applications (published with XenApp) from within a virtual desktop and your organization has a separate XenApp administrator, Citrix recommends working with them to define device mapping such that desktop devices are mapped consistently within desktop and application sessions. Because local drives are displayed as network drives in desktop sessions, the XenApp administrator needs to change the drive mapping policy to include network drives.

Securing Your Connections

To maximize the security of your environment, the connections between Receiver and the resources you publish must be secured. You can configure various types of authentication for your Receiver software, including enabling certificate revocation list checking, enabling smart card support, and using Security Support Provider Interface/Kerberos Pass-Through Authentication.

Windows NT Challenge/Response (NTLM) Support for Improved Security

Windows NT Challenge/Response (NTLM) authentication is supported by default on computers running Windows NT, Windows 2000, Windows XP, Windows 7, Windows Vista, Windows Server 2003, and Windows Server 2008.

To enable certificate revocation list checking for improved security with Receiver (CitrixReceiver.exe)

When certificate revocation list (CRL) checking is enabled, Receiver checks whether or not the server’s certificate is revoked. By forcing Receiver to check this, you can improve the cryptographic authentication of the server and the overall security of the SSL/TLS connections between a user device and a server.

You can enable several levels of CRL checking. For example, you can configure Receiver to check only its local certificate list or to check the local and network certificate lists. In addition, you can configure certificate checking to allow users to log on only if all CRLs are verified.

Important: This option is available only with the standard Receiver (CitrixReceiver.exe) and not Receiver (Enterprise).

If you are making this change on a local computer, exit Receiver if it is running. Make sure all Receiver components, including the Connection Center, are closed.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for the Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties and select Enabled.

8. From the CRL verification drop-down menu, select one of the options.

● Disabled. No certificate revocation list checking is performed.

● Only check locally stored CRLs. CRLs that were installed or downloaded previously are used in certificate validation. Connection fails if the certificate is revoked.

● Require CRLs for connection. CRLs locally and from relevant certificate issuers on the network are checked. Connection fails if the certificate is revoked or not found.

● Retrieve CRLs from network. CRLs from the relevant certificate issuers are checked. Connection fails if the certificate is revoked.

If you do not set CRL verification, it defaults to Only check locally stored CRLs.

Smart Card Support for Improved Security

You must use Receiver (Enterprise) for Smart Card support.

Receiver smart card support is based on Microsoft Personal Computer/Smart Card (PC/SC) standard specifications. Receiver supports only smart cards and smart card devices that are, themselves, supported by the underlying Windows operating system. A discussion of security issues related to PC/SC standards compliance is beyond the scope of this document.

Enabling smart card support for Receiver is done through the Web Interface. For more information, see the Web Interface documentation.

Note: Microsoft strongly recommends that only smart card readers tested and approved by the Microsoft Windows Hardware Quality Lab (WHQL) be used on computers running qualifying Windows operating systems. See http://www.microsoft.com for additional information about hardware PC/SC compliance.

Receiver does not control smart card PIN management. PIN management is controlled by the cryptographic service provider for your cards.

To enable pass-through authentication when sites are not in Trusted Sites or Intranet zones

Your users might require pass-through authentication to the server using their user logon credentials but cannot add sites to the Trusted Sites or Intranet zones. Enable this setting to allow pass-through authentication on all but Restricted sites.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > User authentication > Local user name and password. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Local user name and password Properties menu, select Enabled, and then select the Enable pass-through authentication and Allow pass-through authentication for all ICA connections check boxes.

Using Security Support Provider Interface/Kerberos Pass-Through Authentication for Improved Security

This topic does not apply to XenDesktop connections.

Rather than sending user passwords over the network, Kerberos pass-through authentication leverages Kerberos authentication in combination with Security Support Provider Interface (SSPI) security exchange mechanisms. Kerberos is an industry-standard network authentication protocol built into Microsoft Windows operating systems.

Kerberos logon offers security-minded users or administrators the convenience of pass-through authentication combined with secret-key cryptography and data integrity provided by industry-standard network security solutions. With Kerberos logon, the Receiver does not need to handle the password and thus prevents Trojan horse-style attacks on the user device to gain access to users’ passwords.

Users can log on to the user device with any authentication method; for example, a biometric authenticator such as a fingerprint reader, and still access published resources without further authentication.

System requirements. Kerberos logon requires Citrix Presentation Server 3.0, 4.0, or 4.5, Citrix XenApp 5.0, 6.x and Citrix Presentation Server Clients for Windows 8.x, 9.x, 10.x, XenApp Hosted Plug-in 11.x, online plug-in 12.0, 12.1, or Receiver 3.x. Kerberos works only between Client/plug-ins/Receiver and servers that belong to the same or to trusted Windows 2000, Windows Server 2003, or Windows Server 2008 domains. Servers must also be trusted for delegation, an option you configure through the Active Directory Users and Computers management tool.

Kerberos logon is not available in the following circumstances:

● Connections configured with any of the following options in Remote Desktop Services (formerly known as Terminal Services) Configuration:

● On the General tab, the Use standard Windows authentication option

● On the Logon Settings tab, the Always use the following logon information option or the Always prompt for password option

● Connections you route through the Secure Gateway

● If the server requires smart card logon

● If the authenticated user account requires a smart card for interactive logon

Important: SSPI requires XML Service DNS address resolution to be enabled for the server farm, or reverse DNS resolution to be enabled for the Active Directory domain. For more information, see the Citrix XenApp administrator documentation.

Configuring Kerberos Authentication

Receiver, by default, is not configured to use Kerberos authentication when logging on to the server. You can set the Receiver configuration to use Kerberos with pass-through authentication or Kerberos with smart card pass-through authentication.

To use Kerberos authentication for your connections, you can either specify Kerberos using a command line installation or configure Receiver using the Group Policy Editor. See the Microsoft Group Policy documentation for more information about editing .adm files.

To configure Kerberos with pass-through authentication

This topic does not apply to XenDesktop connections.

Use Kerberos with pass-through authentication if you want to use Kerberos with Receiver.

When Receiver configurations are set to use Kerberos with pass-through authentication, Receiver uses Kerberos authentication first and uses pass-through authentication if Kerberos fails.

The user cannot disable this Receiver configuration from the user interface.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates, navigate through Citrix Components > Citrix Receiver > User authentication, double-click Kerberos authentication and select Enabled. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > User authentication > Local user name and password. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

8. From the Action menu, choose Properties and select Enabled > Enable pass-through authentication.

To apply the setting, close and restart Receiver on the user device.

Securing Citrix Receiver Communication

To secure the communication between your server farm and Receiver, you can integrate your Receiver connections to the server farm with a range of security technologies, including:

● Citrix Access Gateway. For information about configuring Access Gateway with Receiver StoreFront, refer to the "Manage" topics in the Receiver StoreFront documentation in eDocs. For information about configuring Access Gateway or Secure Gateway with Web Interface, refer to topics in this section.

● A SOCKS proxy server or secure proxy server (also known as security proxy server, HTTPS proxy server, or SSL tunneling proxy server). You can use proxy servers to limit access to and from your network and to handle connections between Receiver and servers. Receiver supports SOCKS and secure proxy protocols.

● SSL Relay solutions with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

● A firewall. Network firewalls can allow or block packets based on the destination address and port. If you are using Receiver through a network firewall that maps the server's internal network IP address to an external Internet address (that is, network address translation, or NAT), configure the external address.

● Trusted server configuration.

Note: For information about increasing security in application streaming for desktops, see the Citrix Knowledge Base article Enhancing Security in Application Streaming for Desktops.

Receiver is compatible with and functions in environments where the Microsoft Specialized Security - Limited Functionality (SSLF) desktop security templates are used. These templates are supported on the Microsoft Windows XP, Windows Vista, and Windows 7 platforms. Refer to the Windows XP, Windows Vista, and Windows 7 security guides available at http://technet.microsoft.com for more information about the templates and related settings.

Support for Microsoft Security Templates

Receiver is compatible with and functions in environments where the Microsoft Specialized Security - Limited Functionality (SSLF) desktop security templates are used. These templates are supported on the Microsoft Windows XP, Windows Vista, and Windows 7 platforms. Refer to the Windows XP, Windows Vista, and Windows 7 security guides available at http://technet.microsoft.com for more information about the templates and related settings.

Connecting with Access Gateway Enterprise Edition

This topic applies only to deployments using the Web Interface.

Configure the XenApp Services site for the Receiver to support connections from an Access Gateway connection.

1. In the XenApp Services site, select Manage secure client access > Edit secure client access settings.

2. Change the Access Method to Gateway Direct.

3. Enter the FQDN of the Access Gateway appliance.

4. Enter the Secure Ticket Authority (STA) information.

To configure the Access Gateway appliance

1. Configure authentication policies to authenticate users connecting to the Access Gateway by using the Access Gateway Plug-in. Bind each authentication policy to a virtual server.

● If double-source authentication is required (such as RSA SecurID and Active Directory), RSA SecurID authentication must be the primary authentication type. Active Directory authentication must be the secondary authentication type.

● RSA SecurID uses a RADIUS server to enable token authentication.

● Active Directory authentication can use either LDAP or RADIUS.

Test a connection from a user device to verify that the Access Gateway is configured correctly in terms of networking and certificate allocation.

2. Create a session policy on the Access Gateway to allow incoming XenApp connections from the Receiver, and specify the location of your newly created XenApp Services site.

● Create a new session policy to identify that the connection is from the Receiver. As you create the session policy, configure the following expression and select Match All Expressions as the operator for the expression:

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

● In the associated profile configuration for the session policy, on the Security tab, set Default Authorization to Allow.

On the Published Applications tab, if this is not a global setting (you selected the Override Global check box), ensure the ICA Proxy field is set to ON.

In the Web Interface Address field, enter the URL including the config.xml for the XenApp Services site that the device users use, such as http://XenAppServerName/Citrix/PNAgent/config.xml or http://XenAppServerName/CustomPath/config.xml.

● Bind the session policy to a virtual server.

● Create authentication policies for RADIUS and Active Directory.

● Bind the authentication policies to the virtual server.

Important: If the server certificate used on the Access Gateway is part of a certificate chain (with an intermediate certificate), make sure that the intermediate certificates are also installed correctly on the Access Gateway. For information about installing certificates, see the Access Gateway documentation.

Connecting with Access Gateway 5.0

This topic applies only to deployments using the Web Interface.

Access Gateway setup requires that you configure a basic or a SmartAccess logon point on Access Gateway and use the Web address for the XenApp Services site.

Before you configure a logon point, install the Web Interface and verify that it is communicating with the network. When you configure a logon point, you must also configure at least one Secure Ticket Authority (STA) server and ICA Access Control in Access Gateway. For more information, expand Access Gateway 5.0 in eDocs, and locate the topic To configure Access Gateway to use the Secure Ticket Authority.

To configure the Access Gateway 5.0 appliance

1. Configure Authentication profiles to authenticate users connecting to the Access Gateway using the Receiver.

● If double source authentication is required (such as Active Directory and RSA SecurID), Active Directory authentication must be the primary authentication type. RSA SecurID authentication must be the secondary authentication type.

● RSA SecurID can use either RADIUS or an sdconf.rec file to enable token authentication.

● You can configure Active Directory authentication on Access Controller. You can use Active Directory on the Access Gateway appliance by using either an LDAP or RADIUS authentication profile.

Test a connection from a user device to verify that the Access Gateway is configured correctly in terms of networking and certificate allocation.

2. To establish communication with XenApp servers and the Web Interface, configure the Access Gateway with STA servers and the ICA Access Control list on Access Gateway. For more information, see the Access Gateway section of eDocs.

3. Configure logon points on the Access Gateway. Configure the Access Gateway to allow incoming XenApp connections from the Receiver, and specify the location of your Web Interface site.

a. In the Access Gateway Management Console, click Management.

b. Under Access Control, click Logon Points > New.

c. In the Logon Points Properties dialog box, in Name, type a unique name for the logon point.

d. Select the Type:

● For a Basic logon point, in the Web Interface field, type the fully qualified domain name (FQDN) of the Web Interface, such as http://xenapp.domain.com/citrix/apps. You cannot configure a SmartGroup with a basic logon point. Select the authentication type, or click Authenticate with the Web Interface.

If you select Authenticate with the Web Interface, when users type the URL to Access Gateway and enter credentials, the credentials are passed to the Web Interface for authentication.

● For a SmartGroup to use the settings in a SmartAccess logon point, you must select the logon point within the SmartGroup. Select the authentication profiles. If you configure a SmartAccess logon point, Access Gateway authenticates users. You cannot configure authentication by using the Web Interface.

If you select Single Sign-on to Web Interface, users do not have to log on to the Web Interface after logging on to the Access Gateway. If not selected, users must log on to both the Access Gateway and Web Interface.

e. Under Applications and Desktops, click Secure Ticket Authority and add the STA details. Make sure the STA information is the same as the Web Interface site.

f. Finally, under Applications and Desktops, click XenApp or XenDesktop to add the ICA control list (required for Access Gateway 5.0). For more information, expand Access Gateway 5.0 in eDocs, and locate To configure ICA Access Control.

Important: If the server certificate used on the Access Gateway is part of a certificate chain (with an intermediate certificate), make sure that the intermediate certificates are also installed correctly on the Access Gateway. For information about installing certificates, see the Access Gateway section on Configuring Intermediate Certificates.

To configure Access Controller

1. Configure Authentication profiles to authenticate users connecting to the Access Gateway using the Receiver.

● If double source authentication is required (such as Active Directory and RSA SecurID), Active Directory authentication must be the primary authentication type. RSA SecurID authentication must be the secondary authentication type.

● RSA SecurID can use either RADIUS or an sdconf.rec file to enable token authentication.

● You can configure Active Directory authentication on Access Controller. You can use Active Directory on the Access Gateway appliance by using either an LDAP or RADIUS authentication profile.

Test a connection from a user device to verify that the Access Gateway is configured correctly in terms of networking and certificate allocation.

2. To establish communication with XenApp servers and the Web Interface, configure Access Controller to recognize the servers. Configure Access Controller to allow incoming XenApp connections from the Receiver and specify the location of your Web Interface site.

a. In the Deliver Services Console, expand Citrix Resources > Access Gateway, and then click the Access Controller on which you want to create the Web resource.

b. Expand Resources, click Web Resources, and then under Common tasks, click Create Web resource. In the wizard, enter a unique name. On the New Web Address page, enter the Web address URL of the XenApp Web site.

c. In Application type, select Citrix Web Interface and click the Enable Single Sign-on check box.

d. After you click OK, click Publish for users in their list of resources, and then in Home page, enter the URL of the XenApp Web Site, such as http://xenapp.domain.com/citrix/apps, and finish the wizard.

e. In the navigation pane, click Logon Points, click Create logon point, and in the wizard, enter a unique name, and select the type:

● For a Basic logon point, in the Web Interface field, type the fully qualified domain name (FQDN) of the Web Interface, such as http://xenapp.domain.com/citrix/apps. Select the Home page, and then select the authentication profile. Leave the remaining options as default values, and click Enable this logon point check box at the end of the wizard.

● For a SmartAccess logon point, on Select Home Page, select the Display the Web resource with the highest priority. Click Set Display Order, and move the Web Interface Web resource to the top.

Select the Authentication Profiles for both authentication and group extraction. Leave the remaining options as default values, and click Enable this logon point check box at the end of the wizard.

f. In the navigation pane, under Policies > Access Policies, select Create access policy and on the Select Resources page, expand Web Resources to select the Web Interface web resource.

g. In Configure Policy Settings, select the settings, click Enable this policy to control this setting, and select Extended access, unless denied by another policy. Add the users allowed to access this resource and finish the wizard.

h. In the navigation pane, under Access Gateway appliances, select Edit Access Gateway appliance properties, click Secure Ticket Authority and add the STA details. Make sure the STA information is the same as the Web Interface site.

i. Finally, click ICA Access Control to add the ICA control list (required for Access Gateway 5.0). For more information, expand Access Gateway 5.0 in eDocs, and locate To configure ICA Access Control in the Access Controller documentation.

Important: If the server certificate used on the Access Gateway is part of a certificate chain (with an intermediate certificate), make sure that the intermediate certificates are also installed correctly on the Access Gateway. For information about installing certificates, see the Access Gateway section on Configuring Intermediate Certificates.

Connecting with Secure Gateway

This topic applies only to deployments using the Web Interface.

You can use the Secure Gateway in either Normal mode or Relay mode to provide a secure channel for communication between Receiver and the server. No Receiver configuration is required if you are using the Secure Gateway in Normal mode and users are connecting through the Web Interface.

Receiver uses settings that are configured remotely on the server running the Web Interface to connect to servers running the Secure Gateway. See the topics for the Web Interface for information about configuring proxy server settings for Receiver.

If the Secure Gateway Proxy is installed on a server in the secure network, you can use the Secure Gateway Proxy in Relay mode. See the topics for the Secure Gateway for more information about Relay mode.

If you are using Relay mode, the Secure Gateway server functions as a proxy and you must configure Receiver to use:

● The fully qualified domain name (FQDN) of the Secure Gateway server.

● The port number of the Secure Gateway server. Note that Relay mode is not supported by Secure Gateway Version 2.0.

The FQDN must list, in sequence, the following three components:

● Host name

● Intermediate domain

● Top-level domain

For example: my_computer.my_company.com is an FQDN, because it lists, in sequence, a host name (my_computer), an intermediate domain (my_company), and a top-level domain (com). The combination of intermediate and top-level domain (my_company.com) is generally referred to as the domain name.

Connecting the Citrix Receiver through a Proxy Server

Proxy servers are used to limit access to and from your network, and to handle connections between Receivers and servers. Receiver supports SOCKS and secure proxy protocols.

When communicating with the server farm, Receiver uses proxy server settings that are configured remotely on the server running Receiver for Web or the Web Interface. For information about proxy server configuration, refer to Receiver StoreFront or Web Interface documentation.

In communicating with the Web server, Receiver uses the proxy server settings that are configured through the Internet settings of the default Web browser on the user device. You must configure the Internet settings of the default Web browser on the user device accordingly.

Connecting with Secure Sockets Layer Relay

You can integrate Receiver with the Secure Sockets Layer (SSL) Relay service. Receiver supports both SSL and TLS protocols.

● SSL provides strong encryption to increase the privacy of your ICA connections and certificate-based server authentication to ensure the server you are connecting to is a genuine server.

● TLS (Transport Layer Security) is the latest, standardized version of the SSL protocol. The Internet Engineering Taskforce (IETF) renamed it TLS when it took over responsibility for the development of SSL as an open standard. TLS secures data communications by providing server authentication, encryption of the data stream, and message integrity checks. Because there are only minor technical differences between SSL Version 3.0 and TLS Version 1.0, the certificates you use for SSL in your software installation will also work with TLS. Some organizations, including U.S. government organizations, require the use of TLS to secure data communications. These organizations may also require the use of validated cryptography, such as FIPS 140 (Federal Information Processing Standard). FIPS 140 is a standard for cryptography.

Connecting with Citrix SSL Relay

By default, Citrix SSL Relay uses TCP port 443 on the XenApp server for SSL/TLS-secured communication. When the SSL Relay receives an SSL/TLS connection, it decrypts the data before redirecting it to the server, or, if the user selects SSL/TLS+HTTPS browsing, to the Citrix XML Service.

If you configure SSL Relay to listen on a port other than 443, you must specify the nonstandard listening port number to the plug-in.

You can use Citrix SSL Relay to secure communications:

● Between an SSL/TLS-enabled client and a server. Connections using SSL/TLS encryption are marked with a padlock icon in the Citrix Connection Center.

● With a server running the Web Interface, between the XenApp server and the Web server.

For information about configuring and using SSL Relay to secure your installation, see the Citrix XenApp administrator’s documentation. For information about configuring the server running the Web Interface to use SSL/TLS encryption, see the Web Interface administrator’s documentation.


User Device Requirements

In addition to the System Requirements, you also must ensure that:

● The user device supports 128-bit encryption

● The user device has a root certificate installed that can verify the signature of the Certificate Authority on the server certificate

● Receiver is aware of the TCP listening port number used by the SSL Relay service in the server farm

● Any service packs or upgrades that Microsoft recommends are applied

If you are using Internet Explorer and you are not certain about the encryption level of your system, visit the Microsoft Web site at http://www.microsoft.com to install a service pack that provides 128-bit encryption.

Important: Receiver supports certificate key lengths of up to 4096 bits. Ensure that the bit lengths of your Certificate Authority root and intermediate certificates, and those of your server certificates, do not exceed the bit length your Receiver supports, or the connection might fail.


To apply a different listening port number for all connections

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the plug-in Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties, select Enabled, and type a new port number in the Allowed SSL servers text box in the following format: server:SSL relay port number where SSL relay port number is the number of the listening port. You can use a wildcard to specify multiple servers. For example, *.Test.com:SSL relay port number matches all connections to Test.com through the specified port.


To apply a different listening port number to particular connections only

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already added the icaclient template to the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties, select Enabled, and type a comma-separated list of trusted servers and the new port number in the Allowed SSL servers text box in the following format: servername:SSL relay port number,servername:SSL relay port number where SSL relay port number is the number of the listening port. You can specify a comma-separated list of specific trusted SSL servers similar to this example:

csghq.Test.com:443,fred.Test.com:443,csghq.Test.com:444

which translates into the following in an example appsrv.ini file:

[Word]
SSLProxyHost=csghq.Test.com:443

[Excel]
SSLProxyHost=csghq.Test.com:444

[Notepad]
SSLProxyHost=fred.Test.com:443
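The check below is an added example, not part of the Citrix documentation: it parses an Allowed SSL servers value in the server:port format described above and reports which SSLProxyHost entries in an appsrv.ini file fall outside it. The wildcard semantics (`*` matching any run of characters, case-insensitive host comparison) and the [Payroll] and [Legacy] sections are assumptions made for illustration, not Receiver's documented matching rules.

```python
import configparser
import re

# Policy value taken from the page's example for the "Allowed SSL servers" box.
ALLOWED_SSL_SERVERS = "csghq.Test.com:443,fred.Test.com:443,csghq.Test.com:444"

# appsrv.ini sample: [Word], [Excel] and [Notepad] are the page's example;
# [Payroll] and [Legacy] are constructed here to show entries that fail the check.
SAMPLE_APPSRV_INI = """\
[Word]
SSLProxyHost=csghq.Test.com:443

[Excel]
SSLProxyHost=csghq.Test.com:444

[Notepad]
SSLProxyHost=fred.Test.com:443

[Payroll]
SSLProxyHost=relay.Other.example:443

[Legacy]
SSLProxyHost=fred.Test.com:8443
"""


def split_host_port(entry):
    """Split 'server:port' on the last colon; raise ValueError if malformed."""
    host, sep, port = entry.strip().rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        raise ValueError(f"expected server:port, got {entry!r}")
    number = int(port)
    if not 1 <= number <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return host.lower(), number


def parse_allowed(value):
    """Turn the comma-separated policy string into (host_pattern, port) pairs."""
    return [split_host_port(item) for item in value.split(",") if item.strip()]


def host_matches(host, pattern):
    """Assumed wildcard model: '*' matches any run of characters, dots included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, host) is not None


def is_allowed(target, allowed):
    """True if 'host:port' matches an allowed entry on both host and port."""
    try:
        host, port = split_host_port(target)
    except ValueError:
        return False  # a malformed target can never match the policy
    return any(port == p and host_matches(host, pat) for pat, p in allowed)


def audit_appsrv(ini_text, allowed_value):
    """Map each section that sets SSLProxyHost to whether the policy permits it."""
    allowed = parse_allowed(allowed_value)
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.read_string(ini_text)
    results = {}
    for section in parser.sections():
        target = parser.get(section, "SSLProxyHost", fallback=None)
        if target is not None:
            results[section] = is_allowed(target, allowed)
    return results


if __name__ == "__main__":
    for app, ok in audit_appsrv(SAMPLE_APPSRV_INI, ALLOWED_SSL_SERVERS).items():
        print(f"{app:10} {'allowed' if ok else 'NOT in Allowed SSL servers'}")
```

A relay listening on a nonstandard port must appear in the policy with that exact port: an entry for fred.Test.com:443 does not cover fred.Test.com:8443.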


Configuring and Enabling Receivers for SSL and TLS

SSL and TLS are configured in the same way, use the same certificates, and are enabled simultaneously.

When SSL and TLS are enabled, each time you initiate a connection, Receiver tries to use TLS first and then tries SSL. If it cannot connect with SSL, the connection fails and an error message appears.

To force Receiver to connect with TLS, you must specify TLS on the Secure Gateway server or SSL Relay service. See the topics for the Secure Gateway or your SSL Relay service documentation for more information.

In addition, make sure the user device meets all system requirements.

To use SSL/TLS encryption for all Receiver communications, configure the user device, Receiver, and, if using Web Interface, the server running the Web Interface. For information about securing Receiver StoreFront communications, refer to topics under "Secure" in the Receiver StoreFront documentation in eDocs.


Installing Root Certificates on the User Devices

To use SSL/TLS to secure communications between an SSL/TLS-enabled Receiver and the server farm, you need a root certificate on the user device that can verify the signature of the Certificate Authority on the server certificate.

Receiver supports the Certificate Authorities that are supported by the Windows operating system. The root certificates for these Certificate Authorities are installed with Windows and managed using Windows utilities. They are the same root certificates that are used by Microsoft Internet Explorer.

If you use your own Certificate Authority, you must obtain a root certificate from that Certificate Authority and install it on each user device. This root certificate is then used and trusted by both Microsoft Internet Explorer and Receiver.

You might be able to install the root certificate using other administration or deployment methods, such as:

● Using the Microsoft Internet Explorer Administration Kit (IEAK) Configuration Wizard and Profile Manager

● Using third-party deployment tools

Make sure that the certificates installed by your Windows operating system meet the security requirements for your organization or use the certificates issued by your organization’s Certificate Authority.


To configure Web Interface to use SSL/TLS for Receiver

1. To use SSL/TLS to encrypt application enumeration and launch data passed between Receiver and the server running the Web Interface, configure the appropriate settings using the Web Interface. You must include the computer name of the XenApp server that is hosting the SSL certificate.

2. To use secure HTTP (HTTPS) to encrypt the configuration information passed between Receiver and the server running the Web Interface, enter the server URL in the format https://servername. In the Windows notification area, right-click the Receiver icon and choose Preferences.

3. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.


To configure TLS support

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by running gpedit.msc locally from the Start menu when applying this to a single computer or by using the Group Policy Management Console when using Active Directory.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification.

7. From the Action menu, choose Properties, select Enabled, and from the drop-down menus, select the TLS settings.

● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected, Receiver connects using TLS encryption. If a connection using TLS fails, Receiver connects using SSL.

● Set SSL ciphersuite to Detect version to have Receiver negotiate a suitable ciphersuite from the Government and Commercial ciphersuites. You can restrict the ciphersuites to either Government or Commercial.

● Set CRL verification to Require CRLs for connection, requiring Receiver to try to retrieve Certificate Revocation Lists (CRLs) from the relevant certificate issuers.


To use the Group Policy template on Web Interface to meet FIPS 140 security requirements

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

To meet FIPS 140 security requirements, use the Group Policy template to configure the parameters or include the parameters in the Default.ica file on the server running the Web Interface. See the information about Web Interface for additional information about the Default.ica file.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 3 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification.

7. From the Action menu, choose Properties, select Enabled, and from the drop-down menus, select the correct settings.

● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected, Receiver tries to connect using TLS encryption. If a connection using TLS fails, Receiver tries to connect using SSL.

● Set SSL ciphersuite to Government.

● Set CRL verification to Require CRLs for connection.


To configure the Web Interface to use SSL/TLS when communicating with Citrix Receiver

When using the Web Interface, specify the computer name of the server hosting the SSL certificate. See the information about Web Interface for more details about using SSL/TLS to secure communications between Receiver and the Web server.

1. From the Configuration settings menu, select Server Settings.

2. Select Use SSL/TLS for communications between clients and the Web server.

3. Save your changes.

Selecting SSL/TLS changes all URLs to use HTTPS protocol.


To configure Citrix XenApp to use SSL/TLS when communicating with Citrix Receiver

You can configure the XenApp server to use SSL/TLS to secure the communications between Receiver and the server.

1. From the Citrix management console for the XenApp server, open the Properties dialog box for the application you want to secure.

2. Select Advanced > Client options and ensure that you select Enable SSL and TLS protocols.

3. Repeat these steps for each application you want to secure.

When using the Web Interface, specify the computer name of the server hosting the SSL certificate. See the information about Web Interface for more details about using SSL/TLS to secure communications between Receiver and the Web server.


To configure Citrix Receiver to use SSL/TLS when communicating with the server running the Web Interface

You can configure Receiver to use SSL/TLS to secure the communications between Receiver and the server running the Web Interface.

Ensure that a valid root certificate is installed on the user device. For more information, see Installing Root Certificates on the User Devices.

1. In the Windows notification area, right-click the Receiver icon and choose Preferences.

2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.

3. The Change Server screen displays the currently configured URL. Enter the server URL in the text box in the format https://servername to encrypt the configuration data using SSL/TLS.

4. Click Update to apply the change.

5. Enable SSL/TLS in the client device browser. For more information about enabling SSL/TLS in the browser, see the online Help for the browser.


ICA File Signing - Protection Against Application or Desktop Launches From Untrusted Servers

The ICA File Signing feature helps protect users from unauthorized application or desktop launches. Citrix Receiver verifies that a trusted source generated the application or desktop launch based on administrative policy and protects against launches from untrusted servers. You can configure this Receiver security policy for application or desktop launch signature verification using Group Policy Objects, Receiver StoreFront, or Citrix Merchandising Server. ICA file signing is not enabled by default. For information about enabling ICA file signing for Receiver StoreFront, refer to the Receiver StoreFront documentation.

For Web Interface deployments, the Web Interface enables and configures application or desktop launches to include a signature during the launch process using the Citrix ICA File Signing Service. The service can sign ICA files using a certificate from the computer's personal certificate store.

The Citrix Merchandising Server with Receiver enables and configures launch signature verification using the Citrix Merchandising Server Administrator Console > Deliveries wizard to add trusted certificate thumbprints.

To use Group Policy Objects to enable and configure application or desktop launch signature verification, follow this procedure:

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the ica-file-signing.adm template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select ica-file-signing.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Enable ICA File Signing. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. If you choose Enabled, you can add signing certificate thumbprints to the white list of trusted certificate thumbprints or remove signing certificate thumbprints from the white list by clicking Show and using the Show Contents screen. You can copy and paste the signing certificate thumbprints from the signing certificate properties. Use the Policy drop-down menu to select Only allow signed launches (more secure) or Prompt user on unsigned launches (less secure).

| Option | Description |
| --- | --- |
| Only allow signed launches (more secure) | Allows only properly signed application or desktop launches from a trusted server. The user sees a Security Warning message in Receiver if an application or desktop launch has an invalid signature. The user cannot continue and the unauthorized launch is blocked. |
| Prompt user on unsigned launches (less secure) | Prompts the user every time an unsigned or invalidly signed application or desktop attempts to launch. The user can either continue the application launch or abort the launch (default). |


Selecting and Distributing a Digital Signature Certificate

When selecting a digital signature certificate, Citrix recommends you choose from this prioritized list:

1. Buy a code-signing certificate or SSL signing certificate from a public Certificate Authority (CA).

2. If your enterprise has a private CA, create a code-signing certificate or SSL signing certificate using the private CA.

3. Use an existing SSL certificate, such as the Web Interface or Self-service Plug-in server certificate.

4. Create a new root CA certificate and distribute it to user devices using GPO or manual installation.


Configuring a Web Browser and ICA File to Enable Single Sign-on and Manage Secure Connections to Trusted Servers

To use Single sign-on (SSO) and to manage secure connections to trusted servers, add the Citrix server's site address to the Local intranet or Trusted sites zones in Internet Explorer under Tools > Internet Options > Security on the user device. The address can include the wildcard (*) formats supported by the Internet Security Manager (ISM) or be as specific as protocol://URL[:port].

The same format must be used in both the ICA file and the sites entries. For example, if you use a fully qualified domain name (FQDN) in the ICA file, you must use an FQDN in the sites zone entry. XenDesktop connections use only a desktop group name format.

Supported Formats (Including Wildcards)

http[s]://10.2.3.4

http[s]://10.2.3.*

http[s]://hostname

http[s]://fqdn.example.com

http[s]://*.example.com

http[s]://cname.*.example.com

http[s]://*.example.co.uk

desktop://group-20name

ica[s]://xaserver1

ica[s]://xaserver1.example.com

Launching SSO or Using Secure Connections with a web site

Add the exact address of the Receiver for Web or the Web Interface site in the sites zone.

Example Web Site Addresses

https://my.company.com


http://10.20.30.40

http://server-hostname:8080

https://SSL-relay:444

XenDesktop Connections with Desktop Viewer

Add the address in the form desktop://Desktop Group Name. If the desktop group name contains spaces, replace each space with -20.

Custom ICA Entry Formats

Use one of the following formats in the ICA file for the Citrix server site address. Use the same format to add it to the Local intranet or Trusted sites zones in Internet Explorer under Tools > Internet Options > Security on the user device:

Example of ICA File HttpBrowserAddress Entry

HttpBrowserAddress=XMLBroker.XenappServer.example.com:8080

Examples of ICA File XenApp Server Address Entry

If the ICA file contains only the XenApp server Address field, use one of the following entry formats:

icas://10.20.30.40:1494

icas://my.xenapp-server.company.com

ica://10.20.30.40


To set client resource permissions

You can set client resource permissions using trusted and restricted site regions by:

● Adding the Receiver for Web or the Web Interface site to the Trusted Site list

● Making changes to new registry settings

Note: Due to enhancements to Receiver, the .ini procedure available in earlier versions of the plug-in/Receiver is replaced with these procedures.

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

To add the web site to the trusted site list

1. From the Internet Explorer Tools menu, choose Internet Options > Security.

2. Select the Trusted sites icon and click the Sites button.

3. In the Add this website to the zone text field, type the URL to your Receiver for Web or Web Interface site and click Add.

4. Download the registry settings from http://support.citrix.com/article/CTX124871.html and make any registry changes. Use SsonRegUpx86.reg for Win32 user devices and SsonRegUpx64.reg for Win64 user devices.

5. Log off and then log on to the user device.


To change client resource permissions in the registry

1. Download the registry settings from http://support.citrix.com/article/CTX124871.html and import the settings on each user device. Use SsonRegUpx86.reg for Win32 user devices and SsonRegUpx64.reg for Win64 user devices.

2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust and in the appropriate regions, change the default value to the required access values for any of the following resources:

| Resource key | Resource description |
| --- | --- |
| FileSecurityPermission | Client drives |
| MicrophoneAndWebcamSecurityPermission | Microphones and webcams |
| PdaSecurityPermission | PDA devices |
| ScannerAndDigitalCameraSecurityPermission | USB and other devices |

| Value | Description |
| --- | --- |
| 0 | No Access |
| 1 | Read-only access |
| 2 | Full access |
| 3 | Prompt user for access |


Enabling Smart Card Logon

You must use Receiver (Enterprise) for smart card support.

Enabling smart card logon allows users to use smart cards instead of passwords to authenticate to XenApp servers. You can use smart card logon either with or without pass-through authentication.

You must enable smart card support on the server and set up and configure the user device properly with third-party smart card hardware and software. Refer to the documentation that came with your smart card equipment for instructions about deploying smart cards within your network.

The smart card removal policy set on XenApp determines what happens if you remove the smart card from the reader during an ICA session. The smart card removal policy is configured through and handled by the Windows operating system.

● Kerberos pass-through authentication requires a smart card inserted in the smart card reader at logon time only. With this logon mode selected, the plug-in prompts the user for a smart card PIN (Personal Identification Number) when it starts up. Kerberos pass-through authentication then caches the PIN and passes it to the server every time the user requests a published resource. The user does not have to subsequently reenter a PIN to access published resources or have the smart card continuously inserted. If authentication based on the cached PIN fails or if a published resource itself requires user authentication, the user continues to be prompted for a PIN.

● Disabling pass-through authentication requires a smart card to be present in the smart card reader whenever the user accesses a server. With pass-through disabled, the plug-in prompts the user for a smart card PIN when it starts up and every time the user requests a published resource.


Enforcing Trust Relations

Trusted server configuration is designed to identify and enforce trust relations involved in Receiver connections. This trust relationship increases the confidence of Receiver administrators and users in the integrity of data on user devices and prevents the malicious use of Receiver connections.

When this feature is enabled, Receivers can specify the requirements for trust and determine whether or not they trust a connection to the server. For example, a Receiver connecting to a certain address (such as https://*.citrix.com) with a specific connection type (such as SSL) is directed to a trusted zone on the server.

When trusted server configuration is enabled, XenApp servers or the Access Gateway must reside in a Windows Trusted Sites zone. (For step-by-step instructions about adding servers to the Windows Trusted Sites zone, see the Internet Explorer online help.)

If you connect using SSL, add the server name in the format https://CN, where CN is the Common Name shown on the SSL certificate. Otherwise, use the format that Receiver uses to connect; for example, if Receiver connects using an IP address, add the server’s IP address.

To enable trusted server configuration

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. Expand the Administrative Templates folder under the User Configuration node.

7. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network Routing > Configure trusted server configuration. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

8. From the Action menu, choose Properties and select Enabled.


Elevation Level and wfcrun32.exe

When User Account Control (UAC) is enabled on devices running Windows Vista or later, only processes at the same elevation/integrity level as wfcrun32.exe can launch published applications.

Example 1:

When wfcrun32.exe is running as a normal user (un-elevated), other processes such as Receiver must be running as a normal user to launch applications through wfcrun32.

Example 2:

When wfcrun32.exe is running in elevated mode, other processes such as Connection Center, Receiver, and third party applications using the ICA Client Object that are running in non-elevated mode cannot communicate with wfcrun32.exe.


Citrix Receiver for Windows 3.0

● About this Release

● Issues fixed in Receiver for Windows 3.0

● System Requirements and Compatibility for Receiver for Windows 3.0

● Licensing Your Product

● Deciding Which Receiver to Use

● Overview of Receiver Installation Packages

● To configure and install Receiver using command-line parameters

● Using the Receiver with XenDesktop Connections

● Optimizing the Receiver Environment

● Improving the Receiver User Experience

● Securing Your Connections

● Securing Receiver Communication


About the Citrix Receiver for Windows 3.0

Version 1.0

Notes:

For Issues Fixed in Citrix Receiver for Windows 3.0, go to: http://support.citrix.com/article/CTX124164


What's New

● Citrix Receiver for Windows. The Citrix Receiver replaces the Citrix Online Plug-in for Windows. The Online Plug-in 13.0 is embedded in Receiver.

● Unified user experience. Gives end users a common user interface whether using onlyCitrix Receiver or with any other Citrix Plug-ins.

● Improved user experience. Improved application launching and reconnection.

● Internet Explorer 9 support.

● Simplified listing of devices in the Desktop Viewer. To simplify the display of USB devices, by default any that use the Generic USB virtual channel (for example, webcams and memory sticks) are not displayed on the Devices tab of the Desktop Viewer Preferences dialog box. Users can view the complete list of devices using a checkbox on the tab.

● Enhanced Desktop Viewer user interface. The Preferences dialog box in the Desktop Viewer has been redesigned, and the USB button on the toolbar is now called Devices.

● Windows 7 support. The Citrix Desktop Lock (formerly called the Desktop Appliance Lock) now supports Windows 7.

● RemoteFX support. As an alternative to the Desktop Viewer UI, you can form connections to XenDesktop VDAs using Microsoft RemoteFX. For instructions on this, see CTX129509.

● Session pre-launch. Reduced application launch time at high-traffic periods. Configure this feature on the server and client sides.

● Multi-stream ICA. Improved QoS support by allowing Branch Repeater and third party routers to apply QoS policies across multiple ICA connections.

● Multiple audio device redirection. Enables remoting of multiple audio devices present on the user device.

● New Single Sign-On Plug-in. Simplified password management.

● Seamless Taskbar Grouping. Taskbar icons associated with applications published with XenApp 6 or later are grouped by application similar to how local application icons are grouped.

● Aero support. Receiver now supports the display of Windows Aero theme on virtual desktops. A new .msi file is included that works with the Virtual Desktop Agent (part of XenDesktop) to provide the support.

● User documentation. Topics that describe how users interact with their virtual desktops and control the Desktop Viewer have been moved from eDocs to the Receiver for Windows online help, which also includes the Connection Center help. This is available at http://support.citrix.com/help/receiver/en/receiverHelpWin.htm.


Known Issues

This section contains:

● General issues

● Known issues - Desktop connections

● Third-party issues

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

General Issues

● If you use the Receiver with XenApp 5.0 Feature Pack 2 for Windows Server 2003 (32- or 64-bit editions), the Receiver plays audio even when you configure the Turn off speakers policy setting to disable the audio. [#242703]

● You might receive an error message when trying to launch an application with Web Interface after installing a previous version of the Receiver (Online plug-in) while logged in as one user, upgrading with CitrixReceiver.exe as another user, logging off the Receiver, and logging back on with the previous user name. The error message is: Citrix online plug-in Configuration Manager: No value could be found for (ClientHostedApps) that satisfies all lock down requirements. The lockdown requirements in force may be conflicting. [#261877]

As a workaround, set the following registry key:

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Control

Name: ClientHostedApps

Value: FALSE (or set to * / TRUE if you have overridden the defaults in HKEY_LOCAL_MACHINE)

● If you use Web Interface with Internet Explorer 8 and Windows 7 to upgrade to this version of Citrix Receiver, the upgrade finishes, but the Upgrade in Progress message remains on the screen and the log on screen does not appear. Workaround: Restart the browser. [#247858]

● When you launch applications using the Web Interface, Connection Center does not enumerate the sessions. [#261177]

● After you launch a published application that is filtered by XenApp for Access Gateway, other published applications do not launch. [#263003]


Desktop Connections

● Loss of video is experienced if files are being played with a published version of Windows Media Player through a virtual desktop session, and the Desktop Viewer window is changed from full-screen to window mode. As a workaround, minimize and restore the Media Player window, and then pause and resume the application (or stop and restart it). [#246230]

● You cannot log off gracefully from Windows XP 32-bit virtual desktops if you start (but do not log on to) the Receiver in the desktop session. If the Receiver logon dialog box is not completed, you cannot log off from the desktop. To work around the issue, complete the logon dialog box or close it. This issue is not observed on other virtual desktop operating systems. [#246516]

● When using Receiver for Windows 3.0 with a Windows XP virtual desktop created with XenDesktop 5, an error occurs if the user starts a published application from the desktop. This issue does not occur on desktops created with XenDesktop 5.5 or on other desktop operating systems created with XenDesktop 5. The workaround is to use Receiver for Windows 3.0 with XenDesktop 5.5. [#263079]

● The Citrix Desktop Lock (formerly the Citrix Desktop Appliance Lock), which is installed using DesktopApplianceLock.msi, does not redirect Adobe Flash content to domain-joined user devices. The content can be viewed but is rendered on the server, not locally. As a workaround, Adobe Flash redirection can be configured for server-side content fetching to pass the content from the server to the user device. This issue does not occur on non-domain-joined devices or when the content is viewed with the Desktop Viewer. [#263092]

● The Desktop Viewer Devices menu may not close when the user clicks the Devices icon. It also may remain open after its corresponding dialog box closes. If this occurs, click the Devices icon again. [#262202]

● Windows Media Player, when displayed in the non-primary monitor of a two-monitor Windows user device, may not work as expected. Due to an issue with the DirectX video mixing renderer filter VMR-9, the screen is black and there is no sound, although the player's progress bar advances. To correct this issue, edit the registry on the user device from which the XenDesktop connection is launched. In the HKEY_CURRENT_USER\Software\Citrix subkey, create the HdxMediaStream key. Name the key DisableVMRSupport. Set the type as REG_DWORD. Give the key the value 3. [#262852]

Third-Party Issues

● When using Internet Explorer to open a Microsoft Office document in Edit mode from SharePoint, Microsoft Office might display the message, “Access denied.” Workaround: Go to the SharePoint site and check out the document, edit it, and check the file back in to SharePoint. [#258725]


System Requirements and Compatibility for the Citrix Receiver for Windows

● Supported Windows Operating Systems:

● Windows 7, 32-bit and 64-bit editions (including Embedded Edition)

● Windows XP Professional, 32-bit and 64-bit editions

● Windows XP Embedded

● Windows Vista, 32-bit and 64-bit editions

● Windows Thin PC

● Windows Server 2008 R1, 32-bit and 64-bit editions (not supported by XenDesktop connections)

● Windows Server 2008 R2, 64-bit edition (not supported by XenDesktop connections)

● Windows Server 2003, 32-bit and 64-bit editions (not supported by XenDesktop connections)

Important: For XenDesktop connections, be aware that the Citrix Desktop Lock is only supported on Windows XP Professional, Windows XP Embedded, Windows 7, and Windows Embedded Standard 7. If your deployment includes smart cards, and Windows 7 or Windows Embedded Standard 7, see the additional requirements in this topic.

● Server support:

● Web Interface 5.x for Windows with a XenApp Services or XenDesktop Web site

● XenApp (any of the following products):

● Citrix XenApp 6.5 for Windows Server 2008 R2

● Citrix XenApp 6 for Windows Server 2008 R2

● Citrix XenApp 5 for Windows Server 2008

● Citrix XenApp 5 for Windows Server 2003

● XenDesktop (any of the following products):

● XenDesktop 5.5

● XenDesktop 5

● XenDesktop 4

● Delivery Services 1.0


● Merchandising Server 2.x

● Dazzle and ICA File Signing Support. ICA File Signing is not supported with Dazzle 1.1.

● Upgrades. Upgrades are supported only for Citrix XenApp Plugin for Hosted Apps 11.0, Desktop Receiver 11.1, and Citrix online plug-in 11.1, 11.2, 12.0, and 12.1 releases.

● Availability of the Receiver for Windows 3.0 features. Some of the features and functionality of Receiver are available only when connecting to newer XenApp and XenDesktop versions and might require the latest hotfixes for XenApp, XenDesktop, and Secure Gateway.

● Previous versions of the Presentation Server Client/Online Plug-in and the current icaclient.adm file. Previous versions of the Presentation Server Client and Online Plug-in are not compatible with the Receiver for Windows 3.0 icaclient.adm file.

● Supported Browsers:

● Internet Explorer Version 6.0 through 9.0

● Mozilla Firefox Version 1.x through 5.x

● .NET Framework Requirements (XenDesktop Connections Only)

To use the Desktop Viewer, .NET 2.0 Service Pack 1 or later is required. This version is required because, if Internet access is not available, certificate revocation checks slow down connection startup times. The checks can be turned off and startup times improved with this version of the Framework but not with .NET 2.0. Use of the Citrix Desktop Lock does not require the .NET Framework to be installed.

● Hardware Requirements:

● VGA or SVGA video adapter with color monitor

● Windows-compatible sound card for sound support (optional)

● For network connections to the server farm, a network interface card (NIC) and the appropriate network transport software

● Supported Connection Methods and Network Transports:

| Protocol | Citrix Receiver |
| --- | --- |
| TCP/IP+HTTP | X |
| SSL/TLS+HTTPS | X |

● HDX MediaStream Multimedia Acceleration

Applications and media formats supported by HDX MediaStream Multimedia Acceleration are:

● Applications based on Microsoft’s DirectShow, DirectX Media Objects (DMO), and Media Foundation filter technologies such as Windows Media Player and RealPlayer.

● Applications like Internet Explorer and Microsoft Encarta are also supported, as they leverage Windows Media Player.


● Both file-based and streaming (URL-based) media formats: WAV, all variations of MPEG, unprotected Windows Media Video (WMV), and Windows Media Audio (WMA).

Note: HDX MediaStream Multimedia Acceleration does not support media files protected with Digital Rights Management (DRM).

● Smart Cards and the Citrix Desktop Lock

The Citrix Desktop Lock can be used with smart cards connected to domain-joined user devices running Windows XP or Windows XPe but not Windows 7 or Windows Embedded Standard 7. This limitation does not apply to non-domain-joined user devices.


Deciding Which Receiver to Use

Different enterprises have different corporate needs, and your expectations and requirements for the way users access your published resources and virtual desktops can shift as your corporate needs evolve and grow.

The Receivers and their internal features are:

● Citrix Receiver (CitrixReceiver.exe) - Smaller package that you can deploy from a Web page.

● Receiver Experience

● Web plug-in

● Generic USB (XenDesktop)

● Desktop Viewer (XenDesktop)

● HDX Media Stream for Flash

● Aero desktop experience (for operating systems that support it)

Important: To use single sign-on, you must install CitrixReceiverEnterprise.exe.

● Citrix Receiver (Enterprise) (CitrixReceiverEnterprise.exe)

● Receiver Experience

● Web plug-in

● PNA plug-in

● Single sign-on/pass-through authentication

● Generic USB (XenDesktop)

● Desktop Viewer (XenDesktop)

● HDX Media Stream for Flash

● Aero desktop experience (for operating systems that support it)

See the specific product documentation for information about Receivers for other user devices and operating systems.

The Receivers differ in terms of:

● Access method by which published resources and virtual desktops are delivered to users. Resources and desktops can be delivered to users on the desktop or through a Web browser.


● Installation packages. For more information about the installation packages, see Overview of Receiver Installation Packages.

To decide which Receiver best fits your needs, consider the way you want users to access your published resources and virtual desktops, the way you want to manage this access, and the feature set that your users will need.

| Receiver | Access method | User involvement | Receiver features |
| --- | --- | --- | --- |
| Citrix Receiver | Web browser-based access to published resources and virtual desktops. | ● Minimal user interaction during installation ● Central administration of user settings ● Does not require administrator privileges to install | ● Hosted applications and desktops ● Desktop Viewer USB ● HDX Media Stream for Flash ● Integration with other Plug-ins |
| Citrix Receiver (Enterprise) | Transparent integration of published resources and virtual desktops into user’s desktop. | ● Minimal user interaction during installation ● Central administration of user settings ● Requires administrator privileges to install | ● Hosted applications and desktops ● Desktop Viewer USB ● HDX Media Stream for Flash ● Applications in the Start menu ● PNAgent support ● Pass-through authentication integration with other Plug-ins |


Citrix Receiver for Windows Overview

Citrix Receiver supports XenApp and XenDesktop connections.

XenApp Connections

Citrix Receiver for Windows supports the XenApp feature set. Centrally administer and configure the Receiver in the Delivery Services Console or the Web Interface Management Console using a Receiver site created in association with a site for the server running the Web Interface.

Citrix Receiver (standard) is a smaller package that is installed with the CitrixReceiver.exe installer file. Administrative rights are not required to install this package, enabling installation by standard users.

Citrix Receiver (Enterprise) operates with the Citrix offline plug-in, to provide application streaming to the user desktop. Install the Receiver (Enterprise) on user devices running the offline plug-in to take advantage of the full set of application streaming features of the plug-in and Citrix XenApp. For more information about the streamed application feature, see the Application Streaming documentation.

The Desktop Viewer is not supported with XenApp connections.

Important: The Receiver requires the Citrix Web Interface.

XenDesktop Connections

Citrix Receiver includes the Desktop Viewer, the client-side software that supports XenDesktop. Users running the Desktop Viewer on their devices access virtual desktops created with XenDesktop in addition to their local desktop. Users running the Citrix Desktop Lock (which you install in addition to the Desktop Viewer) interact only with the virtual desktop not the local desktop.

How Published Resources are Accessed with Receiver (standard)

If you want users to access published resources and virtual desktops from within a familiar browser environment, use this Receiver. Users access published resources and desktops by clicking links on a Web page you publish on your corporate intranet or the Internet. The published resource or desktop launches either in the same window or in a new, separate browser window. This version of Receiver does not require user configuration and does not have a user interface.


How Published Resources are Accessed with Receiver (Enterprise)

The Receiver (Enterprise) allows your XenApp users to access all of their published resources from a familiar Windows desktop environment. Users work with published resources the same way they work with local applications and files. Published resources are represented throughout the user desktop, including the Start menu and by icons that behave just like local icons. Users can double-click, move, and copy icons, and create shortcuts in their locations of choice. The Receiver (Enterprise) works in the background. Except for a menu available from the notification area and the Start menu, Receiver (Enterprise) does not have a user interface.

Receiver (standard) Management and Administration

You can use this Receiver to access resources and desktops available from the Web Interface and for access to resources published with traditional Application Launching and Embedding (ALE). Publish links to your resources with the Web Interface or by using an HTML wizard.

In the webinterface.conf file for your XenApp websites, edit the ClientIcaWin32= line to specify the CitrixReceiver.exe installation file and remove the comment character (#).

This Receiver requires the presence on user devices of any of these browsers: Microsoft Internet Explorer 6.0 through 9.0; or Mozilla Firefox 1.0 through 3.x.

Receiver (Enterprise) Management and Administration

You configure the Receiver (Enterprise) at a site created in the consoles and associated with the site for the server running the Web Interface. By using the consoles in this way, you can manage and control your Receiver (Enterprise) population dynamically throughout your network from a single location and in real time.


Citrix Connection Center Overview

The Citrix Connection Center displays all connections established from the Receiver.

The ICA Connections window displays a list of active sessions. Each server entry in the list represents a session. For each seamless session, below each server entry, a list of the published resources you are running on that server appears.

After you launch a published resource, you can access the Connection Center by right-clicking the Receiver icon in your Windows notification area and choosing Online Sessions > Connection Center. You can also access the Connection Center from the Preferences > Plug-in Status screen.

The Connection Center offers various options to view statistics and control sessions and applications:

● Disconnect a session from a server but leave the session running on it

● End a server session

● Switch from seamless mode to full screen mode

● Seamless mode. Published applications and desktops are not contained within a session window. Each published application and desktop appears in its own resizable window, as if it is physically installed on your user device. You can switch between published applications and the local desktop.

● Full screen mode. Published applications are placed in a full screen-sized desktop.

● Show connection status details like frames sent and received

● Terminate an individual published application

● Set access permissions


Providing Virtual Desktops to Receiver Users

This topic applies to XenDesktop deployments only.

Different enterprises have different corporate needs, and your requirements for the way users access virtual desktops may vary from user to user, and as your corporate needs evolve. The user experience of connecting to virtual desktops and the extent of user involvement in configuring the connections depend on how you set up the Citrix Receiver for Windows. You have two options for providing users with access to virtual desktops: using the Desktop Viewer or the Citrix Desktop Lock.

Important: Do not attempt to use the Desktop Viewer or the Desktop Lock to connect to desktops published with XenApp.

Desktop Viewer

Use the Desktop Viewer when users need to interact with their local desktop as well as the virtual one. In this access scenario, the Desktop Viewer toolbar functionality allows the user to open a virtual desktop in a window and pan and scale that desktop inside their local desktop. Users can set preferences and work with more than one desktop using multiple XenDesktop connections on the same user device.

Citrix Desktop Lock

Use the Desktop Lock when users do not need to interact with the local desktop. In this access scenario, the Desktop Viewer is not available and the virtual desktop effectively replaces the local one, allowing the user to interact with the virtual desktop as if it is local. This provides the best user experience in a XenDesktop environment.

To decide which option best suits your deployment, consider how you want users to access and interact with virtual desktops.

To understand the user experience of connecting to desktops created with XenDesktop, consult the planning topics in the XenDesktop documentation.


Overview of Citrix Receiver for Windows Installation Packages

This release contains two installation packages and offers several options for installing the Citrix Receiver for Windows. You can install the two Receiver installer packages with almost no user interaction.

● CitrixReceiver.exe - General purpose package that enables web access to hosted applications and desktops. This Receiver (standard) does not require administrator rights to install and can be installed:

● Automatically from Web Interface

● By the user

● Using an Electronic Software Distribution (ESD) tool

● CitrixReceiverEnterprise.exe - Specific purpose package that enables native Windows access to hosted applications and pass-through authentication. Requires administrator rights to install and though the user can install it, Receiver (Enterprise) is usually installed with an ESD tool.

Important: Upgrades are supported only from the Citrix XenApp Plugin for Hosted Apps 11.0, Desktop Receiver 11.1, and Citrix online plug-in 11.1, 11.2, and 12.x. Remove any earlier versions before installing this version.

Considerations When Upgrading

Because there are two Citrix Receiver installation packages and there were two online plug-in packages (web and full) in previous releases, each having different options, you have to consider the previously installed package when planning your upgrade. Use this table to determine how to proceed with your upgrade.

| Currently installed | Upgrade Package | Result |
| --- | --- | --- |
| No Online plug-in installed | CitrixReceiverEnterprise.exe | Citrix Receiver (Enterprise) - web access - but manually configurable for PNA |
| No Online plug-in installed | CitrixReceiver.exe | Citrix Receiver (standard) - web access |
| Online plug-in full configured for PNA or SSO | CitrixReceiverEnterprise.exe | Citrix Receiver (Enterprise) configured for PNA or SSO |
| Online plug-in web | CitrixReceiver.exe | Citrix Receiver (standard) - web access |
| Online plug-in web | CitrixReceiverEnterprise.exe | Citrix Receiver (Enterprise) - web access - but manually configurable for PNA |

The following upgrade scenarios are not supported:

| Currently installed | Upgrade Package | Result |
| --- | --- | --- |
| Online plug-in full configured for PNA or SSO | CitrixReceiver.exe | Installer displays an error message and does not alter the previously installed client. |
| Citrix Receiver (Enterprise) | CitrixReceiver.exe | Installer displays an error message and does not alter the previously installed client. |

How Installation Outcomes Differ Based on the Operating System, User Type, and Installation Package

The outcome of CitrixReceiver.exe or CitrixReceiverEnterprise.exe package installations differs based on the combination of the operating system on the user device, user type, whether User Account Control (UAC) is enabled or disabled on Windows Vista, Windows 7, and Windows 2008 computers, and which installation package is used.

| Operating system and user type | CitrixReceiver.exe | CitrixReceiverEnterprise.exe |
| --- | --- | --- |
| OS: Windows XP, and Windows Server 2003. User: Administrator | Installation type: per-computer | Installation type: per-computer |
| OS: Windows XP, and Windows Server 2003. User: Standard user | Installation type: per-user | Not supported |
| OS: Windows Vista, Windows 7, and Windows Server 2008. User: Administrator with or without UAC disabled | Installation type: per-computer | Installation type: per-computer |
| OS: Windows Vista, Windows 7, and Windows Server 2008. User: Standard user | Installation type: per-user | Not supported |


Installing and Uninstalling Receiver for Windows Manually

Users can install the Receiver from the Web Interface, the installation media, a network share, Windows Explorer, or a command line by running the CitrixReceiverEnterprise.exe or CitrixReceiver.exe installer package. Because the installer packages are self-extracting installations that extract to the user's temp directory before launching the setup program, ensure that there is enough free space available in the %temp% directory.

When the user runs one of the Receiver installation .exe files, a message box immediately appears displaying the progress of the installation.

When you cancel the installation before completion, some components might be installed. In that case, remove the Receiver with the Add/Remove Programs utility from the Control Panel on Windows XP or Windows Server 2003 (Programs and Features utility from the Control Panel on Windows Vista, Windows 7, and Windows Server 2008).

Upgrades are supported only from the Citrix XenApp Plugin for Hosted Apps 11.0, Desktop Receiver 11.1, and Citrix online plug-in 11.1, 11.2, and 12.x. Remove any earlier versions before installing this current version.

For command line installation parameters, see To configure and install the Citrix Receiver for Windows using command-line parameters.

Important: For Firefox to work correctly with Receiver for Windows, ensure that you or the user install Firefox before installing Receiver. If Receiver is already installed, uninstall it, install Firefox, and reinstall Receiver. Also ensure that the whitelists of trusted and untrusted servers contain the XenApp and Web Interface server names.

Removing the Receiver

You can also use the Citrix Receiver Updater to install and uninstall Receiver. If Citrix Receiver Updater was not used to install the Receiver, you can uninstall Receiver by running the Add/Remove Programs utility from the Control Panel on Windows XP or Windows Server 2003 (Programs and Features utility from the Control Panel on Windows Vista, Windows 7, and Windows Server 2008).

If you delete Receiver related files or registry entries just before uninstalling Receiver with Add/Remove Programs or Programs and Features, uninstall might fail. The Microsoft Windows Installer (MSI) is trying to repair and uninstall at the same time. If this occurs, use the Receiver to start an auto-repair. After the auto-repair completes, you can cleanly uninstall Receiver from Add/Remove Programs or Programs and Features.

Auto-repair occurs if there is a problem with Receiver; however, there is no Add/Remove Programs or Programs and Features Repair option.

To remove Receiver using the command line


You can also uninstall Receiver from a command line by typing the appropriate command.

CitrixReceiverEnterprise.exe /uninstall

or

CitrixReceiver.exe /uninstall

Caution: Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.

After uninstalling the Receiver software from a user device, the custom Receiver-setting registry keys created by icaclient.adm remain in the Software\Policies\Citrix\ICA Client directory under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. If you reinstall Receiver, these policies might be enforced, possibly causing unexpected behavior. If you want to remove these customizations, delete them manually.
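One way to review and back up these leftover policy keys before deleting them manually, as an added example that is not Citrix code. It reads the Software\Policies\Citrix\ICA Client location under HKEY_LOCAL_MACHINE and under the current user's hive; the function names and the backup folder are assumptions.

```powershell
# Added example, not Citrix code. Lists Receiver policy values that survive an
# uninstall and exports them to .reg files so they can be reviewed and restored.
# Function names and the default backup folder are hypothetical.

$PolicyRoots = 'HKLM:\Software\Policies\Citrix\ICA Client',
               'HKCU:\Software\Policies\Citrix\ICA Client'

function Get-LeftoverReceiverPolicy {
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # nothing left in this hive

        # The root key itself plus every subkey below it.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key  = $key.Name
                    Name = $valueName
                    Type = $key.GetValueKind($valueName)
                    Data = $key.GetValue($valueName)
                }
            }
        }
    }
}

function Backup-LeftoverReceiverPolicy {
    param([string]$Folder = (Join-Path $env:TEMP 'ReceiverPolicyBackup'))

    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        $hive    = $root.Substring(0, 4)                      # HKLM or HKCU
        $regPath = $root -replace '^(HKLM|HKCU):', '$1'       # form expected by reg.exe
        $file    = Join-Path $Folder "$hive-ICAClient-policies.reg"

        & reg.exe export $regPath $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed for $regPath" }
        $file                                                 # emit the backup path
    }
}

# Review what would be enforced on reinstall, then take the backup.
Get-LeftoverReceiverPolicy | Format-Table -AutoSize
Backup-LeftoverReceiverPolicy
```

The script only reads and exports; deleting the keys remains a manual step, as the text above describes.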


Upgrading the Desktop Viewer and Desktop Appliance Lock

You can upgrade the Desktop Viewer component contained in Citrix online plug-in 12.1 by installing this version of the Citrix Receiver for Windows.

To upgrade the Desktop Appliance Lock, remove Citrix online plug-in 12.1 and the Desktop Appliance Lock, and then install this version of the Receiver and the Citrix Desktop Lock.


To install the Citrix Desktop Lock

Important: Log on using a local administrator account to carry out this installation procedure. In addition, consult About the Citrix Receiver for Windows 3.0 for workarounds to any known issues with the Desktop Lock.

This procedure installs the plug-in so that virtual desktops are displayed using the Citrix Desktop Lock. Do not use this procedure if you want the Desktop Viewer to be available to users.

1. On the installation media, navigate to the folder called Citrix Receiver and Plug-ins\Windows\Receiver, and run CitrixReceiverEnterprise.exe from the command line using the following syntax:

CitrixReceiverEnterprise.exe ADDLOCAL="ICA_Client,SSON,USB,DesktopViewer,Flash,PN_Agent,Vd3d" SERVER_LOCATION="my.server" ENABLE_SSON="Yes"

For information about the properties used in this command, see To configure and install the Citrix Receiver for Windows using command-line parameters.

2. Enter the URL of the XenDesktop Services site where your virtual desktops are located. The URL must be in the format http://servername or https://servername. If you are using hardware or software for load balancing or failover, you can enter a load-balanced address.

Important: Check that the URL you enter is correct. If the URL is incorrectly typed, or you leave the field empty and the user does not enter a valid URL when prompted after installation, no virtual desktop or local desktop will be available.

3. On the XenDesktop installation media, navigate to the Citrix Receiver and Plug-ins\Windows\Receiver folder and double-click CitrixDesktopLock.msi. The Citrix Desktop Lock wizard appears.

4. On the License Agreement page, read and accept the Citrix license agreement and click Install. The Installation Progress page appears.

5. In the Installation Completed dialog box, click Close.

6. When prompted, restart the user device. If you have been granted access to a desktop and you log on as a domain user, the restarted device is displayed using the Desktop Lock.
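A pre-flight check for the installer properties passed in step 1 and the URL entered in step 2, as an added example that is not Citrix code. It goes beyond this procedure by applying the ADDLOCAL, ENABLE_SSON, ENABLE_KERBEROS and SERVER_LOCATION rules this document states in its command-line parameters topic to either installer. The function name, the -RequireHttps switch (a local policy choice, not a Citrix rule) and the sample values are assumptions.

```powershell
# Added example, not Citrix code. Checks installer properties against the rules
# this document states. Test-ReceiverInstallProperties is a hypothetical name.

$KnownFeatures    = 'ReceiverInside','ICA_Client','SSON','USB','DesktopViewer','Flash','PN_Agent','Vd3d'
$RequiredFeatures = 'ReceiverInside','ICA_Client'   # prerequisites for all other components
$EnterpriseOnly   = 'SSON','PN_Agent'               # supported only with CitrixReceiverEnterprise.exe

function Test-ReceiverInstallProperties {
    param(
        [Parameter(Mandatory = $true)][string]$Installer,
        [Parameter(Mandatory = $true)][hashtable]$Properties,
        [switch]$RequireHttps    # assumption: local policy; the document accepts http:// too
    )
    $findings   = @()
    $enterprise = ($Installer -ieq 'CitrixReceiverEnterprise.exe')

    # PROPERTY names are all-uppercase keys.
    foreach ($name in $Properties.Keys) {
        if ($name -cnotmatch '^[A-Z_]+$') { $findings += "Property '$name' is not all-uppercase." }
    }

    if ($Properties.ContainsKey('ADDLOCAL')) {
        $raw = [string]$Properties['ADDLOCAL']
        if ($raw -match '\s') { $findings += 'ADDLOCAL: separate features with commas and no spaces.' }

        $features = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        foreach ($f in $features) {
            if ($KnownFeatures -cnotcontains $f) {
                $findings += "ADDLOCAL: '$f' is not a listed feature (names are case sensitive)."
            } elseif ((-not $enterprise) -and ($EnterpriseOnly -ccontains $f)) {
                $findings += "ADDLOCAL: '$f' is supported only with CitrixReceiverEnterprise.exe."
            }
        }
        foreach ($r in $RequiredFeatures) {
            if ($features -cnotcontains $r) { $findings += "ADDLOCAL: required feature '$r' is missing." }
        }
    }

    # Properties documented as {Yes | No}.
    foreach ($flag in 'ENABLE_SSON','ENABLE_KERBEROS','ENABLE_DYNAMIC_CLIENT_NAME') {
        if ($Properties.ContainsKey($flag) -and ($Properties[$flag] -notmatch '^(Yes|No)$')) {
            $findings += "$flag must be Yes or No."
        }
    }

    # ENABLE_SSON defaults to Yes; ENABLE_KERBEROS applies only when SSON is enabled.
    $sson = if ($Properties.ContainsKey('ENABLE_SSON')) { $Properties['ENABLE_SSON'] } else { 'Yes' }
    if (($Properties['ENABLE_KERBEROS'] -ieq 'Yes') -and ($sson -ine 'Yes')) {
        $findings += 'ENABLE_KERBEROS applies only when pass-through authentication is enabled, but ENABLE_SSON is not Yes.'
    }

    # A mistyped URL leaves a Desktop Lock device with no virtual or local desktop.
    if ($Properties.ContainsKey('SERVER_LOCATION')) {
        $url = [string]$Properties['SERVER_LOCATION']
        if ($url -notmatch '^https?://[^/\s]+') {
            $findings += 'SERVER_LOCATION must be in the format http://servername or https://servername.'
        } elseif ($RequireHttps -and ($url -notmatch '^https://')) {
            $findings += 'SERVER_LOCATION uses http://; local policy here requires https://.'
        }
    }

    $findings
}

# Constructed sample input: standard installer, a lowercase feature name, an
# Enterprise-only feature, Kerberos without SSON, and a server address with no scheme.
$sample = @{
    ADDLOCAL        = 'ReceiverInside,ICA_Client,usb,SSON'
    ENABLE_SSON     = 'No'
    ENABLE_KERBEROS = 'Yes'
    SERVER_LOCATION = 'wi.example.com'
}
Test-ReceiverInstallProperties -Installer 'CitrixReceiver.exe' -Properties $sample -RequireHttps
```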


User Accounts Used to Install the Citrix Desktop Lock

When you install the Citrix Desktop Lock, a replacement shell is used. To allow administration of the user device after you complete the installation, the account used to install CitrixDesktopLock.msi is excluded from the shell replacement. If the account used to install CitrixDesktopLock.msi is later deleted, you will not be able to log on and administer the device.

Note that because a replacement shell is used, Citrix does not recommend the use of custom shells with desktops accessed through the Desktop Lock.


To remove the Citrix Desktop Lock

If you installed the Citrix Desktop Lock, two separate items are displayed in Add/Remove Programs. You must remove both to complete the removal process.

1. Log on with the same local administrator credentials that were used to install the Desktop Lock.

2. Run the Add/Remove programs utility from the Control Panel.

3. Remove Citrix Desktop Lock.

4. Remove Citrix Receiver or Citrix Receiver (Enterprise).


To configure and install the Citrix Receiver for Windows using command-line parameters

You or your users can customize the Receiver installer by specifying command line options. Because the installer packages are self-extracting installations that extract to the user's temp directory before launching the setup program, ensure that there is enough free space available in the %temp% directory.

Important: For Firefox to work correctly with Receiver for Windows, ensure that you or the user install Firefox before installing Receiver. If Receiver is already installed, uninstall it, install Firefox, and reinstall Receiver. Also ensure that the whitelists of trusted and untrusted servers contain the XenApp and Web Interface server names.

Space Requirements

Receiver (standard) - 78.8 Mbytes

Receiver (Enterprise) - 93.6 Mbytes

This includes program files, user data, and temp directories after launching several applications.

1. On the computer where you want to install the Receiver for Windows package, type the following at a command prompt:

CitrixReceiverEnterprise.exe [Options]

or

CitrixReceiver.exe [Options]

2. Set your options as needed.

● /? or /help displays usage information.

● /noreboot suppresses reboot during UI installations. This option is not necessary during silent installs.

● /silent disables the error and progress dialogs to execute a completely silent installation.

● PROPERTY=Value

Where PROPERTY is one of the following all-uppercase variables (keys) and Value is the value the user should specify.


● INSTALLDIR=Installation directory, where Installation directory is the location where the Receiver software is installed. The default value is C:\Program Files\Citrix\ICA Client. If you use this option and specify an Installation directory, you must install the RIInstaller.msi in the Installation directory\Receiver directory and the other .msi files in the Installation directory.

● CLIENT_NAME=ClientName, where ClientName is the name used to identify the user device to the server farm. The default value is %COMPUTERNAME%.

● ENABLE_DYNAMIC_CLIENT_NAME={Yes | No} The dynamic client name feature allows the client name to be the same as the computer name. When users change their computer name, the client name changes to match. To enable dynamic client name support during silent installation, the value of the property ENABLE_DYNAMIC_CLIENT_NAME in your installation file must be Yes. To disable dynamic client name support, set this property to No.

● ADDLOCAL=feature[,...]. Install one or more of the specified components. When specifying multiple parameters, separate each parameter with a comma and without spaces. The names are case sensitive. If you do not specify this parameter, all components included in the CitrixReceiverEnterprise.exe or CitrixReceiver.exe are installed by default.

Note: ReceiverInside and ICA_Client are prerequisites for all other components and must be installed.

ReceiverInside. Installs the Receiver experience. (Required)

ICA_Client. Installs the standard Receiver. (Required)

SSON. Installs single sign on. This value is supported only with CitrixReceiverEnterprise.exe. For more information, see http://support.citrix.com/article/CTX122676.

USB. Installs USB.

DesktopViewer. Installs the Desktop Viewer.

Flash. Installs HDX media stream for flash.

PN_Agent. Installs Receiver (Enterprise). This value is supported only with CitrixReceiverEnterprise.exe.

Vd3d. Enables the Windows Aero experience (for operating systems that support it).

● ENABLE_SSON={Yes | No}. The default value is Yes. Note that users must log off and log back on to their devices after an installation with pass-through authentication enabled.

Important: If you disable single sign on pass-through authentication, users must reinstall Receiver if you decide to use pass-through authentication at a later time.

● ENABLE_KERBEROS={Yes | No}. The default value is No. Specifies that Kerberos should be used; applies only when pass-through authentication (SSON) is enabled.

● DEFAULT_NDSCONTEXT=Context1 [,…]. Include this parameter to set a default context for Novell Directory Services (NDS). To include more than one context, place the entire value in quotation marks and separate the contexts by a comma. Examples of correct parameters:

DEFAULT_NDSCONTEXT="Context1"

DEFAULT_NDSCONTEXT="Context1,Context2"

● SERVER_LOCATION=Server_URL. The default value is blank. Provide the URL of the server running the Web Interface. The URL must be in the format http://servername or https://servername.

The Receiver appends the default path and file name of the configuration file to the server URL. If you change the default location of the configuration file, enter the entire new path in the SERVER_LOCATION key.

If there is a problem with the installation, search in the user's %TEMP% directory for the logs with the prefix CtxInstall- or TrollyExpress-. For example:

CtxInstall-ICAWebWrapper.log

TrollyExpress-20090807-123456.log

Example of a Command-Line Installation

CitrixReceiverEnterprise.exe /silent ADDLOCAL="ReceiverInside,ICA_Client,PN_Agent" ENABLE_SSON=no INSTALLDIR="c:\test" ENABLE_DYNAMIC_CLIENT_NAME=Yes DEFAULT_NDSCONTEXT="Context1,Context2" SERVER_LOCATION="http://testserver.net" CLIENT_NAME="Modified"

This example:

● Installs Receiver (Enterprise) without visible progress dialog boxes

● Installs only Receiver Inside, the standard Receiver (ICA_Client), and enterprise Receiver (PN_Agent)

● Disables pass-through authentication

● Specifies the location where the software is installed

● Enables dynamic client naming

● Specifies the default context for NDS

● Specifies the URL (http://testserver.net) of the server running the Web Interface, which Receiver will reference

● Specifies the name used to identify the user device to the server farm
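
As an added example (not part of the original Citrix documentation and not Citrix code), the following Python script reviews an installer command line against the option rules listed above before it goes into a deployment script: known switches and all-uppercase keys, Yes/No values, the case-sensitive ADDLOCAL names with their required and Enterprise-only components, and the SERVER_LOCATION format. The function names, the severity labels and the CONSTRUCTED sample are assumptions made for this example.

```python
import re

# Option facts below come from the option list on this page.
SWITCHES = {"/?", "/help", "/noreboot", "/silent"}
YES_NO_KEYS = ("ENABLE_DYNAMIC_CLIENT_NAME", "ENABLE_KERBEROS", "ENABLE_SSON")
KNOWN_KEYS = set(YES_NO_KEYS) | {"INSTALLDIR", "CLIENT_NAME", "ADDLOCAL",
                                 "DEFAULT_NDSCONTEXT", "SERVER_LOCATION"}
COMPONENTS = {"ReceiverInside", "ICA_Client", "SSON", "USB",
              "DesktopViewer", "Flash", "PN_Agent", "Vd3d"}
REQUIRED = ("ReceiverInside", "ICA_Client")
ENTERPRISE_ONLY = ("SSON", "PN_Agent")
INSTALLERS = ("citrixreceiver.exe", "citrixreceiverenterprise.exe")

# The page's example command line, then one constructed for this example.
PAGE_EXAMPLE = (r'CitrixReceiverEnterprise.exe /silent '
                r'ADDLOCAL="ReceiverInside,ICA_Client,PN_Agent" ENABLE_SSON=no '
                r'INSTALLDIR="c:\test" ENABLE_DYNAMIC_CLIENT_NAME=Yes '
                r'DEFAULT_NDSCONTEXT="Context1,Context2" '
                r'SERVER_LOCATION="http://testserver.net" CLIENT_NAME="Modified"')
CONSTRUCTED = ('CitrixReceiver.exe /silent /noreboot ADDLOCAL="ICA_Client,SSON,usb" '
               'ENABLE_SSON=No ENABLE_KERBEROS=Yes SERVER_LOCATION=testserver')


def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted runs (which may hold spaces) intact."""
    return re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)


def review(cmdline):
    """Return a list of (severity, message) findings for one installer command line."""
    tokens = tokenize(cmdline)
    if not tokens:
        return [("error", "empty command line")]
    findings = []
    installer = re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower()
    if installer not in INSTALLERS:
        findings.append(("error", "unexpected installer name: " + tokens[0]))
    enterprise = installer == "citrixreceiverenterprise.exe"

    switches, props = set(), {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if tok.startswith("/"):
            if tok.lower() in SWITCHES:
                switches.add(tok.lower())
            else:
                findings.append(("error", "unknown switch: " + tok))
        elif sep and key in KNOWN_KEYS:  # keys are all-uppercase, so match exactly
            props[key] = value.strip('"')
        else:
            findings.append(("error", "unknown property or stray token: " + tok))

    if {"/silent", "/noreboot"} <= switches:
        findings.append(("info", "/noreboot is not necessary with /silent"))
    for key in YES_NO_KEYS:
        if key in props and props[key].lower() not in ("yes", "no"):
            findings.append(("error", key + " must be Yes or No"))

    selected = None  # None: ADDLOCAL absent, so every component is installed
    if "ADDLOCAL" in props:
        selected = props["ADDLOCAL"].split(",")
        for name in selected:
            if name not in COMPONENTS:
                findings.append(("error", "ADDLOCAL: unknown component %r "
                                 "(names are case sensitive, no spaces)" % name))
        for name in REQUIRED:
            if name not in selected:
                findings.append(("error", "ADDLOCAL: required component missing: " + name))
        for name in ENTERPRISE_ONLY:
            if name in selected and not enterprise:
                findings.append(("error", name + " is supported only with "
                                 "CitrixReceiverEnterprise.exe"))

    sson_on = props.get("ENABLE_SSON", "Yes").lower() == "yes"
    if enterprise and "ENABLE_SSON" not in props and (selected is None or "SSON" in selected):
        findings.append(("info", "ENABLE_SSON defaults to Yes: pass-through "
                         "authentication will be enabled"))
    if props.get("ENABLE_KERBEROS", "No").lower() == "yes" and not sson_on:
        findings.append(("warning", "ENABLE_KERBEROS applies only when ENABLE_SSON is Yes"))

    url = props.get("SERVER_LOCATION", "")
    if url and not re.match(r"(?i)https?://[^\s/]+", url):
        findings.append(("error", "SERVER_LOCATION must be http://servername "
                         "or https://servername"))
    elif url.lower().startswith("http://"):
        findings.append(("warning", "SERVER_LOCATION uses http://; use https:// "
                         "to encrypt the configuration data using SSL"))
    return findings


if __name__ == "__main__":
    for line in (PAGE_EXAMPLE, CONSTRUCTED):
        print(line)
        for severity, message in review(line):
            print("  [%s] %s" % (severity, message))
```

Run against the page's example command line, the only finding is the warning about the http:// SERVER_LOCATION.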

To extract, install, and remove the individual Receiver (Enterprise) .msi files

Citrix does not recommend extracting the .msi files in place of running the installer packages. However, there might be times when you have to extract the Receiver (Enterprise) .msi files from CitrixReceiverEnterprise.exe manually, rather than running the installer package (for example, company policy prohibits using the .exe file). If you use the extracted .msi files for your installation, using the .exe installer package to upgrade or uninstall and reinstall might not work properly.

For Citrix-recommended Receiver (Enterprise) installation information, see To configure and install Receiver for Windows using the command-line parameters and Delivering Receiver Using Active Directory and Sample Startup Scripts.

1. To extract the .msi files, type the following at a command prompt:

CitrixReceiverEnterprise.exe /extract [Destination_name]

where Destination_name is a complete pathname to the directory into which the .msi files are extracted. The directory must exist already and /extract adds a subfolder called extract to that directory. For example, you create a C:\test directory and when you run /extract, the extracted .msi files are put in C:\test\extract.

2. To install the .msi files, double click each file.

Note: If User Account Control (UAC) is enabled, Citrix advises that you install the .msi files in elevated mode. The .msi files are supported per-machine and require administrator privileges to deploy them.

When installing the Receiver (Enterprise) components, run the .msi files in this order:

a. RIInstaller.msi

b. ICAWebWrapper.msi

c. SSONWrapper.msi

d. GenericUSB.msi

e. DesktopViewer.msi

f. CitrixHDXMediaStreamForFlash-ClientInstall.msi

g. PNAWrapper.msi

h. Vd3d.msi

To remove the components

When removing the components, remove them in this order:

1. Vd3d.msi

2. PNAWrapper.msi

3. CitrixHDXMediaStreamForFlash-ClientInstall.msi

4. DesktopViewer.msi

5. GenericUSB.msi

6. SSONWrapper.msi

7. ICAWebWrapper.msi

8. RIInstaller.msi

Each .msi file has an Add/Remove (Control Panel on Windows XP or Windows Server 2003) or Programs and Features (Control Panel on Windows Vista, Windows 7, and Windows Server 2008) entry in the following format:

Name of package | Name displayed in Add/Remove or Programs and Features
--- | ---
RIInstaller.msi | Citrix Receiver Inside
ICAWebWrapper.msi | Online Plug-in
PNAWrapper.msi | Citrix Receiver (PNA)
SSONWrapper.msi | Citrix Receiver (SSON)
CitrixHDXMediaStreamForFlash-ClientInstall.msi | Citrix Receiver (HDX Flash Redirection)
DesktopViewer.msi | Citrix Receiver (DV)
GenericUSB.msi | Citrix Receiver (USB)
Vd3d.msi | Citrix Receiver (Aero)

Delivering Receiver Using Active Directory and Sample Startup Scripts

You can use Active Directory Group Policy scripts to pre-deploy Receiver on systems based on your Active Directory organizational structure. Citrix recommends using the scripts rather than extracting the .msi files because the scripts allow for a single point for installation, upgrade, and uninstall, they consolidate the Citrix entries in Programs and Features, and make it easier to detect the version of Receiver that is deployed. Use the Scripts setting in the Group Policy Management Console (GPMC) under Computer Configuration or User Configuration. Microsoft documents the advantages and disadvantages of using scripts at Microsoft Technet - Use Group Policy to assign computer startup scripts.

Citrix includes sample per-computer startup scripts to install and uninstall CitrixReceiver.exe and CitrixReceiverEnterprise.exe. The scripts are located on the XenApp media in the Citrix Receiver and Plug-ins\Windows\Receiver\Startup_Logon_Scripts folder.

● CheckAndDeployReceiverEnterpriseStartupScript.bat

● CheckAndDeployReceiverPerMachineStartupScript.bat

● CheckAndRemoveReceiverEnterpriseStartupScript.bat

● CheckAndRemoveReceiverPerMachineStartupScript.bat

When the scripts are executed during Startup or Shutdown of an Active Directory Group Policy, custom configuration files might be created in the Default User profile of a system. If not removed, these configuration files can prevent some users from accessing the Receiver logs directory. The Citrix sample scripts include functionality to properly remove these configuration files.

To use the startup scripts to deploy Receiver with Active Directory

1. Create the Organizational Unit (OU) for each script.

2. Create a Group Policy Object (GPO) for the newly created OU.

To modify the sample scripts

Modify the scripts by editing these parameters in the header section of each file:

● Current Version of package. The specified version number is validated and if it is not present, the deployment proceeds. For example, set DesiredVersion=3.0.0.XXXX to exactly match the version specified. If you specify a partial version, for example 3.0.0, it matches any version with that prefix (3.0.0.1111, 3.0.0.7777, and so forth).

● Package Location/Deployment directory. This specifies the network share containing the packages and is not authenticated by the script. The shared folder must have Read permission for EVERYONE.

● Script Logging Directory. This specifies the network share where the install logs are copied and is not authenticated by the script. The shared folder must have Read and Write permissions for EVERYONE.

● Package Installer Command Line Options. These command line options are passed to the installer. For the command line syntax, see To configure and install the Citrix Receiver for Windows using command-line parameters.

To add the per-computer startup scripts

1. Open the Group Policy Management Console.

2. Select Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).

3. In the right-hand pane of the Group Policy Management Console, select Startup.

4. In the Properties menu, click Show Files, copy the appropriate script to the folder displayed, and then close the window.

5. In the Properties menu, click Add and use Browse to find and add the newly created script.

To deploy Receiver per-computer

1. Move the user devices designated to receive this deployment to the OU you created.

2. Reboot the user device and log on as any user.

3. Verify that Program and Features (Add or Remove Programs in previous OS versions) contains the newly installed package.

To remove Receiver per-computer

1. Move the user devices designated for the removal to the OU you created.

2. Reboot the user device and log on as any user.

3. Verify that Program and Features (Add or Remove Programs in previous OS versions) removed the previously installed package.

Using the Per-User Sample Startup Scripts

Citrix recommends using per-computer startup scripts but does include two Citrix Receiver per-user scripts on the XenApp media in the Citrix Receiver and Plug-ins\Windows\Receiver\Startup_Logon_Scripts folder for situations where you require Receiver (standard) per-user deployments.

● CheckAndDeployReceiverPerUserLogonScript.bat

● CheckAndRemoveReceiverPerUserLogonScript.bat

To set up the per-user startup scripts

1. Open the Group Policy Management Console.

2. Select User Configuration > Policies > Windows Settings > Scripts.

3. In the right-hand pane of the Group Policy Management Console, select Logon.

4. In the Logon Properties menu, click Show Files, copy the appropriate script to the folder displayed, and then close the window.

5. In the Logon Properties menu, click Add and use Browse to find and add the newly created script.

To deploy Receiver per-user

1. Move the users designated to receive this deployment to the OU you created.

2. Reboot the user device and log on as the specified user.

3. Verify that Program and Features (Add or Remove Programs in previous OS versions) contains the newly installed package.

To remove Receiver per-user

1. Move the users designated for the removal to the OU you created.

2. Reboot the user device and log on as the specified user.

3. Verify that Program and Features (Add or Remove Programs in previous OS versions) removed the previously installed package.

Deploying the CitrixReceiver.exe from a Web Interface Logon Screen

You can deploy the CitrixReceiver.exe from a Web page to ensure that users have the Receiver installed before they try to use the Web Interface. Create a home page and run an Internet Explorer script to download the CitrixReceiver.exe package automatically from the Web server and install it for the user.

To install the Receiver software using CitrixReceiver.exe, the Windows Installer Service must be installed on the user device. This service is present by default on systems running Windows XP, Windows Vista, Windows 7, Windows Server 2003, or Windows Server 2008.

Add the sites from which the CitrixReceiver.exe file is downloaded to the Trusted Sites zone.

In the webinterface.conf file for your XenApp websites, edit the ClientIcaWin32= line to specify the CitrixReceiver.exe installation file and remove the comment character (#).

For more information, see the Web Interface documentation.

Configuring the Citrix Receiver for Windows

After the Receiver software is deployed to your users and they install it, there are configuration steps that can be performed for the Receiver. The Receiver (standard, CitrixReceiver.exe) does not require configuration.

From the Citrix management console for the XenApp server, configure the options and settings for Receiver using the associated Receiver site. Each time users log on to the Receiver, they see the most recent configuration. Changes made while users are connected take effect when the Receiver configuration is refreshed manually or automatically after a designated interval.

Important: Receiver requires the Citrix Web Interface.

Receiver handles the following functions:

● User authentication. Receiver provides user credentials to the Web Interface whenusers try to connect and every time they launch published resources.

● Application and content enumeration. Receiver presents users with their individual set of published resources.

● Application launching. Receiver is the local engine used to launch published applications.

● Desktop integration. Receiver integrates a user’s set of published resources (including virtual desktops) with the user’s physical desktop.

● User preferences. Receiver validates and implements local user preferences.

Using the Group Policy Object Template to Customize the Receiver

Citrix recommends using the Group Policy Object icaclient.adm template file to configure the Receiver options and settings.

You can use the icaclient.adm template file with domain policies and local computer policies. For domain policies, import the template file using the Group Policy Management Console. This is especially useful for applying Receiver settings to a number of different user devices throughout the enterprise. To affect a single user device, import the template file using the local Group Policy Editor on the device.

For details about Group Policy management, see the Microsoft Group Policy documentation.

To import the icaclient template using the Group Policy Management Console

To affect domain-based group policies, import the icaclient.adm file with the Group Policy Management Console.

1. As an administrator, open the Group Policy Management Console.

2. In the left pane, select a group policy and from the Action menu, choose Edit.

3. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

4. From the Action menu, choose Add/Remove Templates.

5. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

6. Select Open to add the template and then Close to return to the Group Policy Editor.

To import the icaclient template using the local Group Policy Editor

To affect the policies on a local computer, import the icaclient.adm file with the local Group Policy Editor.

1. As an administrator, open the Group Policy Editor by running gpedit.msc from the Start menu.

2. In the left pane, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

To customize user preferences for the Receiver (Enterprise)

Users can customize their preferences. For example, they can define window sizes for published applications, choose when to refresh the list of available published resources, and specify where the available published resources appear.

1. In the Windows notification area, right-click the Receiver icon and choose Preferences.

2. Right-click the Online Plug-in entry in the Plug-in Status and choose Options, select a property, and make the desired configuration changes.

If you configure seamless windows and set the task bar to Auto-hide, you cannot access the taskbar when you maximize published applications. To access the taskbar, resize the published application.

For more detailed information, see the online help for Receiver.

To change the server URL in the Receiver (Enterprise)

Receiver requires that you specify the location of a configuration file (Config.xml is the default configuration file) on the server running the Web Interface. You can ask your users to change the server URL as you create new configuration files or delete old ones.

Note: To prevent users from accidentally changing their server URL, disable the option.

1. In the Windows notification area, right-click the Receiver icon and choose Preferences.

2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.

3. Type or select the server URL in the format http://servername or, to encrypt the configuration data using SSL, https://servername.

Configuring USB Support for XenDesktop Connections

USB support enables users to interact with a wide range of USB devices when connected to a virtual desktop. Users can plug USB devices into their computers and the devices are remoted to their virtual desktop. USB devices available for remoting include flash drives, smartphones, PDAs, printers, scanners, MP3 players, security devices, and tablets. Desktop Viewer users can control whether USB devices are available on the virtual desktop using a preference in the toolbar.

Isochronous features in USB devices such as webcams, microphones, speakers, and headsets are supported in typical low latency/high speed LAN environments. This allows these devices to interact with packages such as Microsoft Office Communicator and Skype.

The following types of device are supported directly in a XenDesktop session, and so do not use USB support:

● Keyboards

● Mice

● Smart cards

Note: Specialist USB devices (for example, Bloomberg keyboards and 3D mice) can be configured to use USB support. For information on configuring Bloomberg keyboards, see Configuring Bloomberg Keyboards. For information on configuring policy rules for other specialist USB devices, see CTX119722.

By default, certain types of USB devices are not supported for remoting through XenDesktop. For example, a user may have a network interface card attached to the system board by internal USB. Remoting this would not be appropriate. The following types of USB device are not supported by default for use in a XenDesktop session:

● Bluetooth dongles

● Integrated network interface cards

● USB hubs

● USB graphics adaptors

USB devices connected to a hub can be remoted, but the hub itself cannot be remoted.

For instructions on modifying the range of USB devices that are available to users, see Updating the List of USB Devices Available for Remoting.

For instructions on automatically redirecting specific USB devices, see CTX123015.

How USB Support Works

When a user plugs in a USB device, it is checked against the USB policy, and, if allowed, remoted to the virtual desktop. If the device is denied by the default policy, it is available only to the local desktop.

The user experience depends upon the type of desktop to which users are connecting.

For desktops accessed through the Citrix Desktop Lock, when a user plugs in a USB device, that device is automatically remoted to the virtual desktop. No user interaction is required. The virtual desktop is responsible for controlling the USB device and displaying it in the user interface.

For desktops accessed through the Desktop Viewer, when a user plugs in a USB device, a dialog box appears asking the user if they want that device remoted to the virtual desktop. The user can decide which USB devices are remoted to the virtual desktop by selecting devices from the list each time they connect. Alternatively, the user can configure USB support so that all USB devices plugged in both before and/or during a session are automatically remoted to the virtual desktop that is in focus.

Mass Storage Devices

For mass storage devices only, in addition to USB support, remote access is available through client drive mapping, which you configure through the Citrix Mappings rule. When this rule is applied, the drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders with mapped drive letters. The Citrix Mappings rule is in the Drives subfolder of the Client Devices Resources folder in the Presentation Server Console.

The main differences between the two types of remoting policy are:

Feature | Client Drive Mapping | USB Rule
--- | --- | ---
Enabled by default | Yes | No
Read-only access configurable | Yes | No
Safe to remove device during a session | No | Yes, if the user clicks Safely Remove Hardware in the notification area

If both USB support and the Citrix Mappings rule are enabled and a mass storage device is inserted before a session starts, it will be redirected using client drive mapping first, before being considered for redirection through USB support. If it is inserted after a session has started, it will be considered for redirection using USB support before client drive mapping.

USB Device Classes Allowed by Default

Different classes of USB device are allowed by the default USB policy rules.

Although they are on this list, some classes are only available for remoting in XenDesktop sessions after additional configuration. These are noted below.

● Audio (Class 01). Includes audio input devices (microphones), audio output devices, and MIDI controllers. Modern audio devices generally use isochronous transfers, which are supported by XenDesktop 4 or later.

Note: Some specialty devices (for example, VOIP phones) require additional configuration. For instructions on this, see CTX123015.

● Physical Interface Devices (Class 05). These devices are similar to Human Interface Devices (HIDs), but generally provide "real-time" input or feedback and include force feedback joysticks, motion platforms, and force feedback exoskeletons.

● Still Imaging (Class 06). Includes digital cameras and scanners. Digital cameras often support the still imaging class which uses the Picture Transfer Protocol (PTP) or Media Transfer Protocol (MTP) to transfer images to a computer or other peripheral. Cameras may also appear as mass storage devices and it may be possible to configure a camera to use either class, through setup menus provided by the camera itself.

Note that if a camera appears as a mass storage device, client drive mapping is used and USB support is not required.

● Printers (Class 07). In general most printers are included in this class, although some use vendor-specific protocols (class ff). Multi-function printers may have an internal hub or be composite devices. In both cases the printing element generally uses the Printers class and the scanning or fax element uses another class; for example, Still Imaging.

Printers normally work appropriately without USB support.

Note: This class of device (in particular printers with scanning functions) requires additional configuration. For instructions on this, see CTX123015.

● Mass Storage (Class 08). The most common mass storage devices are USB flash drives; others include USB-attached hard drives, CD/DVD drives, and SD/MMC card readers. There are a wide variety of devices with internal storage that also present a mass storage interface; these include media players, digital cameras, and mobile phones. Known subclasses include:

● 01 Limited flash devices

● 02 Typically CD/DVD devices (ATAPI/MMC-2)

● 03 Typically tape devices (QIC-157)

● 04 Typically floppy disk drives (UFI)

● 05 Typically floppy disk drives (SFF-8070i)

● 06 Most mass storage devices use this variant of SCSI

Mass storage devices can often be accessed through client drive mapping, and so USB support is not required.

Important: Some viruses are known to propagate actively using all types of mass storage. Carefully consider whether or not there is a business need to permit the use of mass storage devices, either through client drive mapping or USB support.

● Content Security (Class 0d). Content security devices enforce content protection, typically for licensing or digital rights management. This class includes dongles.

● Video (Class 0e). The video class covers devices that are used to manipulate video or video-related material, such as webcams, digital camcorders, analog video converters, some television tuners, and some digital cameras that support video streaming.

Note: Most video streaming devices use isochronous transfers, which are supported by XenDesktop 4 or later. Some video devices (for example webcams with motion detection) require additional configuration. For instructions on this, see CTX123015.

● Personal Healthcare (Class 0f). These devices include personal healthcare devices such as blood pressure sensors, heart rate monitors, pedometers, pill monitors, and spirometers.

● Application and Vendor Specific (Classes fe and ff). Many devices use vendor specific protocols or protocols not standardized by the USB consortium, and these usually appear as vendor-specific (class ff).

USB Device Classes Denied by Default

Different classes of USB device are denied by the default USB policy rules.

● Communications and CDC Control (Classes 02 and 0a). The default USB policy does not allow these devices, because one of them may be providing the connection to the virtual desktop itself.

● Human Interface Devices (Class 03). Includes a wide variety of both input and output devices. Typical Human Interface Devices (HIDs) are keyboards, mice, pointing devices, graphic tablets, sensors, game controllers, buttons, and control functions.

Subclass 01 is known as the "boot interface" class and is used for keyboards and mice.

The default USB policy does not allow USB keyboards (class 03, subclass 01, protocol 1), or USB mice (class 03, subclass 01, protocol 2). This is because most keyboards and mice are handled appropriately without USB support and it is normally necessary to use these devices locally as well as remotely when connecting to a virtual desktop.

● USB Hubs (Class 09). USB hubs allow extra devices to be connected to the local computer. It is not necessary to access these devices remotely.

● Smart Card (Class 0b). Smart card readers include contactless and contact smart card readers, and also USB tokens with an embedded smart card-equivalent chip.

Smart card readers are accessed using smart card remoting and do not require USB support.

● Wireless Controller (Class e0). Some of these devices may be providing critical network access, or connecting critical peripherals such as Bluetooth keyboards or mice.

The default USB policy does not allow these devices. However, there may be particular devices it is appropriate to provide access to using USB support.

Updating the List of USB Devices Available for Remoting

You can update the range of USB devices available for remoting to desktops by editing the file icaclient_usb.adm. This allows you to make changes to the Receiver using Group Policy. The file is located in the following installed folder:

<root drive>:\Program Files\Citrix\ICA Client\Configuration\en

Alternatively, you can edit the registry on each user device, adding the following registry key:

HKLM\SOFTWARE\Policies\Citrix\ICA Client\GenericUSB Type=String Name="DeviceRules" Value=

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

The product default rules are stored in:

HKLM\SOFTWARE\Citrix\ICA Client\GenericUSB Type=MultiSz Name="DeviceRules" Value=

Do not edit the product default rules.

For details of the rules and their syntax, see http://support.citrix.com/article/ctx119722/.

Configuring Bloomberg Keyboards

Bloomberg keyboards are supported by XenDesktop sessions (but not other USB keyboards). The required components are installed automatically when the plug-in is installed, but you must enable this feature either during the installation or later by changing a registry key.

On any one user device, multiple sessions to Bloomberg keyboards are not recommended. The keyboard only operates correctly in single-session environments.

To turn Bloomberg keyboard support on or off

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

1. Locate the following key in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\GenericUSB

2. Do one of the following:

● To turn on this feature, for the entry with Type DWORD and Name EnableBloombergHID, set Value to 1.

● To turn off this feature, set the Value to 0.

Configuring User-Driven Desktop Restart

You can allow users to restart their desktops themselves. They may need to do this if a desktop fails to connect or becomes unresponsive.

This feature is disabled by default. You enable user-driven desktop restart for a desktop group in Desktop Studio. For information on this, see the XenDesktop documentation.

The procedures for restarting desktops differ depending on whether users are connecting to desktops through the Desktop Viewer or the Citrix Desktop Lock.

To prevent the Desktop Viewer windowfrom dimming

If users have multiple Desktop Viewer windows, by default the desktops that are not activeare dimmed. If users need to view multiple desktops simultaneously, this can make theinformation on them unreadable. You can disable the default behavior and prevent theDesktop Viewer window from dimming by editing the Registry.

Caution: Editing the Registry incorrectly can cause serious problems that may require youto reinstall your operating system. Citrix cannot guarantee that problems resulting fromthe incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.Be sure to back up the registry before you edit it.

1. On the user device, create a REG_DWORD entry called DisableDimming in one of thefollowing keys, depending on whether you want to prevent dimming for the current userof the device or the device itself. An entry already exists if the Desktop Viewer hasbeen used on the device:

● HKCU\Software\Citrix\XenDesktop\DesktopViewer

● HKLM\Software\Citrix\XenDesktop\DesktopViewer

Optionally, instead of controlling dimming with the above user or device settings, you can define a local policy by creating the same REG_DWORD entry in one of the following keys:

● HKCU\Software\Policies\Citrix\XenDesktop\DesktopViewer

● HKLM\Software\Policies\Citrix\XenDesktop\DesktopViewer

The use of these keys is optional because XenDesktop administrators, rather than plug-in administrators or users, typically control policy settings using Group Policy. So, before using these keys, check whether your XenDesktop administrator has set a policy for this feature.

2. Set the entry to any non-zero value such as 1 or true.

If no entries are specified or the entry is set to 0, the Desktop Viewer window is dimmed. If multiple entries are specified, the following precedence is used. The first entry that is located in this list, and its value, determine whether the window is dimmed:

1. HKCU\Software\Policies\Citrix\...

2. HKLM\Software\Policies\Citrix\...

3. HKCU\Software\Citrix\...

4. HKLM\Software\Citrix\...
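
The precedence rule above can be checked against a snapshot of the four keys, which also explains why a user or device setting sometimes appears to have no effect. The following Python is an added example, not Citrix code; the snapshot is constructed, and treating the string "false" as zero is an assumption.

```python
# Keys in the order the page gives for DisableDimming (highest precedence first).
PRECEDENCE = (
    r"HKCU\Software\Policies\Citrix\XenDesktop\DesktopViewer",
    r"HKLM\Software\Policies\Citrix\XenDesktop\DesktopViewer",
    r"HKCU\Software\Citrix\XenDesktop\DesktopViewer",
    r"HKLM\Software\Citrix\XenDesktop\DesktopViewer",
)


def is_nonzero(data):
    """True when the data counts as 'any non-zero value such as 1 or true'."""
    if isinstance(data, str):
        text = data.strip().lower()
        if text == "false":          # assumption: the page only names "true"
            return False
        try:
            return int(text) != 0
        except ValueError:
            return True              # non-numeric text such as "true"
    return int(data) != 0


def dimming_decision(snapshot):
    """Decide dimming from {key path: DisableDimming data}.

    Only keys where the entry exists appear in the snapshot. Registry key
    names are case-insensitive, so paths are compared in lower case.
    """
    present = {path.lower(): data for path, data in snapshot.items()}
    found = [key for key in PRECEDENCE if key.lower() in present]
    if not found:
        # No entry anywhere: the default behaviour (dimming) applies.
        return {"dimmed": True, "decided_by": None, "ignored": []}
    winner = found[0]
    disabled = is_nonzero(present[winner.lower()])
    # Lower-precedence entries that ask for the opposite result are never
    # consulted, because the first entry found decides on its own.
    ignored = [key for key in found[1:]
               if is_nonzero(present[key.lower()]) != disabled]
    return {"dimmed": not disabled, "decided_by": winner, "ignored": ignored}


if __name__ == "__main__":
    # Constructed snapshot: a machine policy of 0 and a per-user setting of 1.
    sample = {
        r"HKLM\Software\Policies\Citrix\XenDesktop\DesktopViewer": 0,
        r"HKCU\Software\Citrix\XenDesktop\DesktopViewer": 1,
    }
    print(dimming_decision(sample))
```

With the constructed snapshot, the machine policy entry set to 0 decides the outcome, so the window stays dimmed even though the per-user entry is 1.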


To configure the Citrix Desktop Lock

This topic contains instructions for configuring USB preferences, drive mappings, and microphones for a virtual desktop accessed through the Citrix Desktop Lock. In addition, some general advice on configuring the Desktop Lock is also provided.

Typically, this is used in non-domain-joined environments such as on a thin client or desktop appliance. In this access scenario, the Desktop Viewer is unavailable, so only administrators (not users) can perform the configuration.

Two .adm files are provided that allow you to perform this task using policies:

● icaclient.adm. For information on obtaining this file, see To configure settings for multiple users and devices.

● icaclient_usb.adm. The file is located in the following installed folder: <rootdrive>:\Program Files\Citrix\ICA Client\Configuration\en.

This topic assumes you have loaded both files into Group Policy, where the policies appear in Computer Configuration or User Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components.

To configure USB preferences

As a prerequisite, you must turn on USB support in XenDesktop deployments by enabling the USB policy rule. For information on this, see the XenDesktop documentation.

In Citrix Receiver > Remoting client devices > Generic USB Remoting, enable and configure as desired the Existing USB Devices, New USB Devices, and USB Devices List In Desktop Viewer policies. You can use the Show All Devices policy to display all connected USB devices, including those using the Generic USB virtual channel (for example, webcams and memory sticks).

To configure drive mapping

In Citrix Receiver > Remoting client devices, enable and configure as desired the Client drive mapping policy.

To configure a microphone

In Citrix Receiver > Remoting client devices, enable and configure as desired the Client microphone policy.


General Advice On Configuring the Desktop Lock

Grant access to only one virtual desktop running the Desktop Lock per user.

Do not allow users to hibernate virtual desktops. Use Active Directory policies appropriately to prevent this.


To configure settings for multiple users and devices

In addition to the configuration options offered by the Receiver user interface, you can use the Group Policy Editor and the icaclient.adm template file to configure settings. Using the Group Policy Editor, you can:

● Extend the icaclient template to cover any Receiver setting by editing the icaclient.adm file. See the Microsoft Group Policy documentation for more information about editing .adm files and about applying settings to a particular computer.

● Make changes that apply only to either specific users or all users of a client device.

● Configure settings for multiple user devices.

Citrix recommends using Group Policy to configure user devices remotely; however, you can use any method, including the Registry Editor, which updates the relevant registry entries.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. Under the User Configuration node or the Computer Configuration node, edit the relevant settings as required.


Canadian Keyboard Layouts and Updating from Presentation Server Clients Version 10.200

The Canadian keyboard layouts are aligned with those supported by Microsoft. If users install Receivers without uninstalling the Presentation Server Clients Version 10.200 first, they must manually edit the module.ini file (usually in C:\Program Files\Citrix\ICA Client) to upgrade the keyboard layout settings:

Replace:

Canadian English (Multilingual)=0x00001009

Canadian French=0x00000C0C

Canadian French (Multilingual)=0x00010C0C

With:

Canadian French=0x00001009

Canadian French (Legacy)=0x00000C0C

Canadian Multilingual Standard=0x00011009


Auto-Repair File Locations

Auto-repair occurs if there is a problem with Receiver; however, there is no Add/Remove Programs or Programs and Features Repair option. If the Receiver repair option prompts for the location of the .msi file, browse to one of these locations to find the file:

● For CitrixReceiverEnterprise.exe

    ● Operating system: Windows XP and Windows 2003

      C:\Documents and Settings\All Users\application data\Citrix\Citrix Receiver (Enterprise)\

    ● Operating system: Windows Vista and Windows 7

      C:\ProgramData\Citrix\Citrix Receiver (Enterprise)\

● For CitrixReceiver.exe installed per computer

    ● Operating system: Windows XP and Windows 2003

      C:\Documents and Settings\All Users\Application Data\Citrix\Citrix Receiver\

    ● Operating system: Windows Vista and Windows 7

      C:\ProgramData\Citrix\Citrix Receiver\

● For CitrixReceiver.exe installed per user

    ● Operating system: Windows XP and Windows 2003

      %USERPROFILE%\Local Settings\Application Data\Citrix\Citrix Receiver\

    ● Operating system: Windows Vista and Windows 7

      %USERPROFILE%\Appdata\local\Citrix\Citrix Receiver\


Optimizing the Receiver Environment

The ways you can optimize the environment in which your Receiver operates for your users include:

● Improving performance

● Improving performance over low bandwidth

● Facilitating the connection of numerous types of client devices to published resources

● Providing support for NDS users

● Using connections to Citrix XenApp for UNIX

● Supporting naming conventions

● Supporting DNS naming resolution


Improving Receiver Performance

You can improve the performance of your Receiver software by:

● Reducing Application Launch Time

● Reconnecting Users Automatically

● Providing session reliability

● Improving Performance over Low-Bandwidth Connections


Reducing Application Launch Time

Use the session pre-launch feature to reduce application launch time during normal or high traffic periods; thus, giving the user a better experience. The pre-launch feature allows a pre-launch session to be created when a user logs on to Receiver, or at a scheduled time if the user is already logged on. This pre-launch session reduces the launch time of the first application. The default application ctxprelaunch.exe is running in the session, but it is not visible to the user.

There are two types of pre-launch:

● Just-in-time pre-launch. Pre-Launch starts immediately after the user's credentials are authenticated whether or not it is a high-traffic period.

● Scheduled pre-launch. Pre-launch starts at a scheduled time. Scheduled pre-launch starts only when the user device is already running and authenticated. If those two conditions are not met when the scheduled pre-launch time arrives, a session does not launch. To spread network and server load, the session launches within a window of when it is scheduled. For example, if the scheduled pre-launch is scheduled for 1:45 p.m., the session actually launches between 1:15 p.m. and 1:45 p.m.

Typically, you can use just-in-time pre-launch for normal traffic periods and scheduled pre-launch for known high-traffic periods.

As an example of a high-traffic period: if your environment includes a large number of users who launch applications during peak periods, such as when users start work or return from lunch, the rapid succession of logon requests might overwhelm servers and slow down application launch for all users.

Configuring pre-launch on the XenApp server consists of creating, modifying, or deleting pre-launch applications, as well as updating user policy settings that control the pre-launch application. See To pre-launch applications to user devices for information about configuring session pre-launch on the XenApp server.

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Customizing the pre-launch feature using the icaclient.adm file is not supported. However, you can change the pre-launch configuration by modifying registry values during or after Receiver installation.

Registry value for Windows 7, 64-bit

The value for Windows 7, 64-bit, is: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch - Enables different users on the same user device to have different settings. It also allows a user to change the configuration without administrative permission. You can provide your users with scripts to accomplish this.


Name: State

Values:

0 - Disable pre-launch.

1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials are authenticated.)

2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)

Name: Schedule

Value:

The time (24 hour format) and days of week for scheduled pre-launch entered in the following format:

HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU are the days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday, and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0. The session actually launches between 1:15 p.m. and 1:45 p.m.

Registry values for other Windows systems

The values for all other supported Windows operating systems are: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch and HKEY_CURRENT_USER\Software\Citrix\ICA Client\Prelaunch.

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Prelaunch - Written at installation, with default values.

Name: UserOverride

Values:

0 - Use the HKEY_LOCAL_MACHINE values even if HKEY_CURRENT_USER values are also present.

1 - Use HKEY_CURRENT_USER values if they exist; otherwise, use the HKEY_LOCAL_MACHINE values.

Name: State

Values:

0 - Disable pre-launch.

1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials are authenticated.)

2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)

Name: Schedule

Value:


The time (24 hour format) and days of week for scheduled pre-launch entered in the following format:

HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU are the days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday, and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0. The session actually launches between 1:15 p.m. and 1:45 p.m.

HKEY_CURRENT_USER\SOFTWARE\Citrix\ICA Client\Prelaunch - Enables different users on the same user device to have different settings. It also allows a user to change the configuration without administrative permission. You can provide your users with scripts to accomplish this.

Name: State

Values:

0 - Disable pre-launch.

1 - Enable just-in-time pre-launch. (Pre-Launch starts after the user's credentials are authenticated.)

2 - Enable scheduled pre-launch. (Pre-launch starts at the time scheduled in Schedule.)

Name: Schedule

Value:

The time (24 hour format) and days of week for scheduled pre-launch entered in the following format:

HH:MM|M:T:W:TH:F:S:SU where HH and MM are hours and minutes. M:T:W:TH:F:S:SU are the days of the week. For example, to enable scheduled pre-launch on Monday, Wednesday, and Friday at 1:45 p.m., set Schedule as Schedule=13:45|1:0:1:0:1:0:0. The session actually launches between 1:15 p.m. and 1:45 p.m.
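
The State, Schedule and UserOverride values described above can be audited offline once they are exported from the two Prelaunch keys, which shows whether a user-writable HKCU value is the one in effect. The Python below is an added example, not Citrix code: the sample dictionaries are constructed, and it assumes a 30-minute launch window (inferred from the 13:45 example), that a missing UserOverride behaves like 0, and that the override applies per value.

```python
import re
from datetime import datetime, timedelta

DAYS = ("M", "T", "W", "TH", "F", "S", "SU")   # field order in the Schedule value
SCHEDULE_RE = re.compile(r"^(\d{2}):(\d{2})\|([01](?::[01]){6})$")
STATES = {0: "disabled", 1: "just-in-time", 2: "scheduled"}
# Assumption: 30-minute window, inferred from the page's example
# (scheduled for 13:45, launches between 13:15 and 13:45).
WINDOW = timedelta(minutes=30)


def parse_schedule(value):
    """Split 'HH:MM|M:T:W:TH:F:S:SU' into (hour, minute, enabled day names)."""
    match = SCHEDULE_RE.match(value.strip())
    if not match:
        raise ValueError(f"malformed Schedule value: {value!r}")
    hour, minute = int(match.group(1)), int(match.group(2))
    if hour > 23 or minute > 59:
        raise ValueError(f"time out of range in Schedule value: {value!r}")
    flags = match.group(3).split(":")
    return hour, minute, [day for day, flag in zip(DAYS, flags) if flag == "1"]


def launch_window(hour, minute):
    """Return (earliest, scheduled) as 'HH:MM'; the start may fall before midnight."""
    scheduled = datetime(2000, 1, 1, hour, minute)
    return (scheduled - WINDOW).strftime("%H:%M"), scheduled.strftime("%H:%M")


def effective_prelaunch(hklm, hkcu):
    """Resolve State and Schedule from the two Prelaunch keys.

    hklm and hkcu are dicts of value name -> data exported from each key.
    Assumptions: a missing UserOverride behaves like 0, and the override is
    applied to each value separately rather than to the key as a whole.
    """
    override = int(hklm.get("UserOverride", 0)) == 1
    resolved = {}
    for name in ("State", "Schedule"):
        if override and name in hkcu:
            resolved[name] = (hkcu[name], "HKCU")
        elif name in hklm:
            resolved[name] = (hklm[name], "HKLM")
    return resolved


def audit_prelaunch(hklm, hkcu):
    """Return findings that describe the configuration actually in effect."""
    findings = []
    resolved = effective_prelaunch(hklm, hkcu)
    if int(hklm.get("UserOverride", 0)) == 1:
        findings.append("UserOverride=1: HKCU values win and can be changed "
                        "without administrative permission")
    elif hkcu:
        findings.append("UserOverride=0: HKCU values are present but not used")
    if "State" not in resolved:
        findings.append("State is not set in the keys that apply")
        return findings
    state, source = int(resolved["State"][0]), resolved["State"][1]
    findings.append(f"State={state} ({STATES.get(state, 'unknown value')}) from {source}")
    if state != 2:
        return findings
    if "Schedule" not in resolved:
        findings.append("State=2 but no Schedule value applies")
        return findings
    raw, source = resolved["Schedule"]
    try:
        hour, minute, days = parse_schedule(raw)
    except ValueError as err:
        findings.append(f"{err} (from {source})")
        return findings
    if not days:
        findings.append(f"Schedule from {source} enables no day of the week")
    else:
        start, end = launch_window(hour, minute)
        findings.append(f"launch window {start}-{end} on {', '.join(days)} (from {source})")
    return findings


if __name__ == "__main__":
    # Constructed sample data, shaped like an export of the two keys.
    machine = {"UserOverride": 1, "State": 1}
    user = {"State": 2, "Schedule": "13:45|1:0:1:0:1:0:0"}
    for line in audit_prelaunch(machine, user):
        print(line)
```

Setting UserOverride to 0 in the machine key makes the same audit report that the per-user values are present but not used.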


Reconnecting Users Automatically

Users can be disconnected from their sessions because of unreliable networks, highly variable network latency, or range limitations of wireless devices. With the HDX Broadcast auto-client reconnection feature, Receiver can detect unintended disconnections of ICA sessions and reconnect users to the affected sessions automatically.

When this feature is enabled on the server, users do not have to reconnect manually to continue working. The Receiver attempts to reconnect to the session until there is a successful reconnection or the user cancels the reconnection attempts. If user authentication is required, a dialog box requesting credentials appears to a user during automatic reconnection. Automatic reconnection does not occur if users exit applications without logging off. Users can reconnect only to disconnected sessions.

To disable HDX Broadcast auto-client reconnect for a particular user

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network Routing > Session reliability and automatic reconnection. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties and select Disabled.


Providing HDX Broadcast Session Reliability

With the HDX Broadcast Session Reliability feature, users continue to see a published application’s window if the connection to the application experiences an interruption. For example, wireless users entering a tunnel may lose their connection when they enter the tunnel and regain it when they emerge on the other side. During such interruptions, the session reliability feature enables the session window to remain displayed while the connection is being restored.

You can configure your system to display a warning dialog box to users when the connection is unavailable.

You set HDX Broadcast Session Reliability with policy settings on the server. Receiver users cannot override the server settings for HDX Broadcast Session Reliability.

Important: If HDX Broadcast Session Reliability is enabled, the default port used for session communication switches from 1494 to 2598.


Improving Performance over Low-Bandwidth Connections

Citrix recommends that you use the latest version of XenApp or XenDesktop on the server. Citrix continually enhances and improves performance with each release. Many performance features require the latest Receiver and server software to function.

If you are using a low-bandwidth connection, you can make a number of changes to your Receiver configuration and the way you use the Receiver to improve performance.

Changing Your Receiver Configuration

On devices with limited processing power or in circumstances where only limited bandwidth is available, there is a trade-off between performance and functionality. Receiver provides both user and administrator with the ability to choose an acceptable mixture of rich functionality and interactive performance. Making one or more of these changes on the server or user device can reduce the bandwidth your connection requires and improve performance:

● Enable SpeedScreen Latency Reduction. SpeedScreen Latency Reduction improves performance over high latency connections by providing instant feedback to the user in response to typed data or mouse clicks.

User's side: icaclient.adm file.

Server side: SpeedScreen Latency Reduction Manager.

● Reduce the window size. Change the window size to the minimum size you can comfortably use.

User side: icaclient.adm file or use the Receiver icon in the notification area and choose Preferences and right-click the Online Plug-in entry in the Plug-in Status and choose Options > Session Options.

Server side: XenApp services site > Session Options.

● Reduce the number of colors. Reduce the number of colors to 256.

User side: icaclient.adm file or use the Receiver icon in the notification area and choose Preferences and right-click the Online Plug-in entry in the Plug-in Status and choose Options > Session Options.

Server side: XenApp services site > Session Options.

● Reduce sound quality. If Receiver audio mapping is enabled, reduce the sound quality to the minimum setting.


User's side: icaclient.adm file.

Server side: Citrix Audio quality policy setting.

Changing Receiver Use

ICA technology is highly optimized and typically does not have high CPU and bandwidth requirements. However, if you are using a very low-bandwidth connection, the following tasks can impact performance:

● Accessing large files using client drive mapping. When you access a large file with client drive mapping, the file is transferred over the ICA connection. On slow connections, this may take a long time.

● Playing multimedia content. Playing multimedia content uses a lot of bandwidth and can cause reduced performance.


Connecting User Devices and Published Resources

You can facilitate sessions and optimize the connection of your user devices to resources published in the server farm by:

● Configuring workspace control settings to provide continuity for roaming users

● Making scanning transparent for users

● Mapping client devices

● Associating user device file types with published applications


To enable pass-through authentication when sites are not in Trusted Sites or Intranet zones

Your users might require pass-through authentication to the server using their user logon credentials but cannot add sites to the Trusted Sites or Intranet zones. Enable this setting to allow pass-through authentication on all but Restricted sites.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > User authentication > Local user name and password. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Local user name and password Properties menu, select Enabled, and then select the Enable pass-through authentication and Allow pass-through authentication for all ICA connections check boxes.


Configuring Workspace Control Settings to Provide Continuity for Roaming Users

The workspace control feature provides users with the ability to disconnect quickly from all running applications, reconnect to applications, or log off from all running applications. You can move among user devices and gain access to all of your applications when you log on. For example, health care workers in a hospital can move quickly among workstations and access the same set of applications each time they log on to XenApp. These users can disconnect from multiple applications at one user device and open all the same applications when they reconnect at a different user device.

Workspace control is available only to users connecting to published resources with Citrix XenApp or through the Web Interface.

Policies and client drive mappings change appropriately when you move to a new user device. Policies and mappings are applied according to the user device where you are currently logged on to the session. For example, if a health care worker logs off from a user device in the emergency room of a hospital and then logs on to a workstation in the hospital’s X-ray laboratory, the policies, printer mappings, and client drive mappings appropriate for the session in the X-ray laboratory go into effect for the session as soon as the user logs on to the user device in the X-ray laboratory.

Important: Workspace control can be used only with Version 11.x and later of the client/plug-in/Receiver, and works only with sessions connected to computers running Citrix Presentation Server Version 3.0, 4.0, or 4.5 or Citrix XenApp 5.0, 6.0, or 6.5.

If the workspace control configuration settings of the Web Interface are configured to allow users to override the server settings, users can configure workspace control in the Account Settings options of the Web Interface Preference menu or the Reconnect Options page of the Receiver Options. The following options are available in the Receiver Options on the Reconnect Options page:

● Enable automatic reconnection at logon allows users to reconnect to only disconnected applications or both disconnected and active applications

● Enable reconnection from the menu allows users to reconnect to only disconnected applications or both disconnected and active sessions

To configure workspace control settings

For users launching applications through the Web Interface, similar options are available from the Settings page:

● Enable automatic reconnection at logon allows users to reconnect to only disconnected applications or both disconnected and active applications


● Enable automatic reconnection from Reconnect menu allows users to reconnect to only disconnected applications or both disconnected and active sessions

● Customize Log Off button allows users to configure whether or not the log off command will include logging them off from applications that are running in the session

If users log on with smart cards or smart cards with pass-through authentication, set up a trust relationship between the server running the Web Interface and any other server in the farm that the Web Interface accesses for published applications. For more information about workspace control requirements, see the Citrix XenApp and Web Interface Administrator documentation.


Making Scanning Transparent for Users

If you enable HDX Plug-n-Play TWAIN image scanning device support, users can control client-attached TWAIN imaging devices transparently with applications that reside on the server farm. To use this feature, a TWAIN device must be attached to the user device and the associated 32-bit TWAIN driver must also be installed on the user device.

To enable or disable this feature, configure the Citrix policy Client TWAIN device redirection setting.

The following policy settings allow you to specify the maximum amount of bandwidth (in kilobits per second or as a percentage) and the compression level of images from client to server used for TWAIN redirection:

● TWAIN device redirection bandwidth limit

● TWAIN device redirection bandwidth limit percent

● TWAIN compression level


Mapping User Devices

The Receiver supports mapping devices on user devices so they are available from within a session. Users can:

● Transparently access local drives, printers, and COM ports

● Cut and paste between the session and the local Windows clipboard

● Hear audio (system sounds and .wav files) played from the session

During logon, Receiver informs the XenApp server of the available client drives, COM ports, and LPT ports. By default, client drives are mapped to server drive letters and server print queues are created for client printers so they appear to be directly connected to the XenApp server. These mappings are available only for the current user during the current session. They are deleted when the user logs off and recreated the next time the user logs on.

You can use the Citrix policy redirection settings on the XenApp server to map user devices not automatically mapped at logon. For more information, see the XenApp administration documentation.

Turning off User Device Mappings

You can configure user device mapping, including options for drives, printers, and ports, using the Windows Server Manager tool. For more information about the available options, see your Remote Desktop Services documentation.


Mapping Client Drives to XenApp Server Drive Letters

Client drive mapping allows drive letters on the XenApp server to be redirected to drives that exist on the client device. For example, drive H in a Citrix user session can be mapped to drive C of the local device running the plug-in.

Client drive mapping is built into the standard Citrix device redirection facilities transparently. To File Manager, Windows Explorer, and your applications, these mappings appear like any other network mappings.

Note that Client drive mapping is not supported when connecting to MetaFrame Server 1.0 for UNIX operating systems.

The XenApp server can be configured during installation to map client drives automatically to a given set of drive letters. The default installation mapping maps drive letters assigned to client drives starting with V and works backward, assigning a drive letter to each fixed drive and CD-ROM drive. (Floppy drives are assigned their existing drive letters.) This method yields the following drive mappings in a session:

Client drive letter    Is accessed by the XenApp server as:
A                      A
B                      B
C                      V
D                      U

The XenApp server can be configured so that the server drive letters do not conflict with the client drive letters; in this case the server drive letters are changed to higher drive letters. For example, changing server drives C to M and D to N allows client devices to access their C and D drives directly. This method yields the following drive mappings in a session:

Client drive letter    Is accessed by the XenApp server as:
A                      A
B                      B
C                      C
D                      D

The drive letter used to replace the server drive C is defined during Setup. All other fixed drive and CD-ROM drive letters are replaced with sequential drive letters (for example, C > M, D > N, E > O). These drive letters must not conflict with any existing network drive mappings. If a network drive is mapped to the same drive letter as a server drive letter, the network drive mapping is not valid.


When a client device connects to a XenApp server, client mappings are reestablished unless automatic client device mapping is disabled. You can use the Terminal Services Configuration tool to configure automatic client device mapping for ICA connections and users. You can also use policies to give you more control over how client device mapping is applied. For more information about policies, see the Citrix XenApp Administrator's documentation at Citrix eDocs.


HDX Plug-n-Play for USB Storage Devices

HDX Plug-n-Play for USB storage devices enables users to interact with USB mass storage devices connected to their user devices when connected to XenApp sessions. When HDX Plug-n-Play for USB storage devices is enabled, users can connect or disconnect a USB device from a session at any time, regardless of whether the session was started before or after the drive connection.

HDX Plug-n-Play for USB storage devices is enabled by default and can be disabled or enabled by editing the ICA\File Redirection - Client removable drives policy setting. For more information, see the XenApp documentation.

Supported Mass Storage Devices with XenApp

Mass storage devices, including USB thumbdrives, USB-attached hard drives, CD-DVD drives, and SD card readers are supported.

Not supported:

● U3 smart drives and devices with similar autorun behavior

● Explorer.exe published as a seamless application

Mass storage devices can often be accessed through client drive mapping, and so USB support is not required.

Important: Some viruses are known to propagate actively using all types of mass storage. Carefully consider whether or not there is a business need to permit the use of mass storage devices, either through client drive mapping or USB support.


HDX Plug-n-Play USB Device Redirection for XenApp Connections

HDX Plug-n-Play USB Device Redirection on computers running Vista and Windows 7 enables dynamic redirection of media devices, including cameras, scanners, media players, and point of sale (POS) devices to the server. You or the user can restrict redirection of all or some of the devices. Edit policies on the server or apply group policies on the user device to configure the redirection settings. Three methods can enforce HDX Plug-n-Play USB device redirection policies:

● Server side. The administrator can enable or disable all device redirections for a specific user or user group using the Active Directory policies available in XenApp. The policy controls redirection of all devices and is not specific to a device. For more information, see the XenApp administration documentation.

● Plug-in side. The administrator can enable or disable all device redirection for a specific user or computer by using the group policy editor. There are two policy settings: the USB Plug-n-Play Devices policy setting controls redirection of all devices and the USB Point of Sale Devices policy setting controls POS devices only. If USB Plug-n-Play Devices allows devices to be redirected, you can use the USB Point of Sale Devices, which is a subset of USB Plug-n-Play Devices, to control only POS devices.

● Plug-in side. The user can allow or reject device redirection. When a device is going to be redirected, the permission set by the user in the Connection Center is applied (the setting applies to the current session). If the permission is set to Full Access, devices are always redirected. If the permission is set to No Access, devices are not redirected. If the permission is set to Ask Permission, a dialog box appears before redirection occurs requiring the user to make a selection. Depending on the answer, the device is redirected or not. If the user is prompted with any of the device security dialog boxes (for example, file security or audio security) and instructs the system to remember the decision, applications launched in subsequent ICA sessions load and use these settings.

This setting affects only devices plugged in after the user changes the setting. Devices that are already plugged in when the user changes the setting are unaffected by the new setting.

Important: If you prohibit Plug-n-Play USB device redirection in a server policy, the user cannot override that policy setting with the plug-in side policy.

Plug-in Group Policies

Access the plug-in policies using the Group Policy Editor available through gpedit.msc from the Start menu's Run dialog box. You can apply the policies to both users and computers. Two policies are available:

● USB Plug-n-Play Devices is the main policy that turns HDX Plug-n-Play USB device redirection on or off. Enabling redirection allows any Media Transfer Protocol (MTP), Picture Transfer Protocol (PTP), and Point of Sale (POS) device connected to the user device to be redirected in the session. The policy has three values: Not Configured, Enabled, and Disabled. The default is Not Configured, which allows redirection.

● USB Point of Sale Devices controls the redirection of POS devices. USB Plug-n-Play Devices must be Enabled to enable this policy. The policy can have three values: Not Configured, Enabled, and Disabled. The default is Not Configured, which allows redirection of POS devices.
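The three enforcement layers described above can be modeled to audit which user devices redirect a newly plugged device without showing a dialog. This is an added example, not Citrix code: the `Endpoint` record, its field names and the sample inventory are hypothetical, and it assumes that a Disabled plug-in policy, like the server policy, takes precedence over the user's Connection Center permission.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    NOT_CONFIGURED = "Not Configured"
    ENABLED = "Enabled"
    DISABLED = "Disabled"


class Permission(Enum):
    FULL_ACCESS = "Full Access"
    NO_ACCESS = "No Access"
    ASK_PERMISSION = "Ask Permission"


def permits(policy):
    """Not Configured allows redirection, so only Disabled blocks it."""
    return policy is not Policy.DISABLED


@dataclass
class Endpoint:
    """Hypothetical record of one user device's redirection settings."""
    name: str
    server_allows: bool = True                           # server-side policy
    usb_pnp: Policy = Policy.NOT_CONFIGURED              # USB Plug-n-Play Devices
    usb_pos: Policy = Policy.NOT_CONFIGURED              # USB Point of Sale Devices
    permission: Permission = Permission.ASK_PERMISSION   # Connection Center
    decisions: dict = field(default_factory=dict)        # device -> decision

    def decide(self, is_pos=False):
        """Return (outcome, deciding layer) for a device plugged in now."""
        if not self.server_allows:
            return ("block", "server policy")
        if not permits(self.usb_pnp):
            return ("block", "USB Plug-n-Play Devices")
        if is_pos and not permits(self.usb_pos):
            return ("block", "USB Point of Sale Devices")
        if self.permission is Permission.FULL_ACCESS:
            return ("redirect", "user permission")
        if self.permission is Permission.NO_ACCESS:
            return ("block", "user permission")
        return ("prompt", "user permission")

    def plug_in(self, device, is_pos=False):
        """Record the decision at plug-in time; later permission changes
        do not alter devices that are already plugged in."""
        self.decisions[device] = self.decide(is_pos)
        return self.decisions[device]


def unprompted_redirection(endpoints):
    """Names of endpoints where a non-POS device is redirected with no dialog."""
    return [e.name for e in endpoints if e.decide()[0] == "redirect"]


# Constructed sample inventory (not real hosts).
SAMPLE = [
    Endpoint("kiosk-01", usb_pnp=Policy.DISABLED, permission=Permission.FULL_ACCESS),
    Endpoint("till-02", usb_pos=Policy.DISABLED, permission=Permission.FULL_ACCESS),
    Endpoint("desk-03"),
    Endpoint("lab-04", server_allows=False, permission=Permission.FULL_ACCESS),
]

if __name__ == "__main__":
    for ep in SAMPLE:
        print(ep.name, ep.decide(), ep.decide(is_pos=True))
    print("redirect without prompt:", unprompted_redirection(SAMPLE))
```

Because Not Configured allows redirection, an endpoint with no explicit policy relies entirely on the user's Connection Center choice.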

Mapping Client Printers for More Efficiency

The Receiver supports printing to network printers and printers that are attached locally to user devices. By default, unless you create policies to change this, XenApp lets users:

● Print to all printing devices accessible from the user device

● Add printers (but it does not retain settings configured for these printers or save them for the next session)

However, these settings might not be the optimum in all environments. For example, the default setting that allows users to print to all printers accessible from the user device is the easiest to administer initially, but might create slower logon times in some environments.

Likewise, your organization’s security policies might require that you prevent users from mapping local printing ports. To do so, configure the Citrix policy Auto connect client COM ports setting to Disabled.

To change default printing settings, configure policy settings on the server. For more information, see the XenApp administration topics.

To view mapped client printers

While connected to the XenApp server, from the Start menu, choose Printers in the Control Panel.

The Printers window displays the local printers mapped to the session. When connecting to servers running Citrix Presentation Server 4.0 or 4.5 or Citrix XenApp, by default the name of the printer takes the form:

printername (from clientname) in session x

where:

● printername is the name of the printer on the user device.

● clientname is the unique name given to the user device or the Web Interface.

● x is the SessionID of the user’s session on the server.

For example, printer01 (from computer01) in session 7

When connecting to servers running Presentation Server 3.0 or earlier, or when the Legacy printer name option from the Citrix policy Client printer names setting is enabled on the server, a different naming convention is used. The name of the printer takes the form:

Client/clientname#/printername

where:

● clientname is the unique name given to the user device during client setup.

● printername is the Windows printer name. Because the Windows printer name is used and not the port name, multiple printers can share a printer port without conflict.

For more information about printing, and about managing printing using policies, see the Citrix XenApp Administrator's documentation.
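Both naming conventions above identify the user device behind a session printer, which helps when reviewing which client devices have printers mapped into sessions. The parser below is an added example, not part of the Citrix documentation; the function names are hypothetical, the sample names are constructed, and it assumes client names contain no parentheses, `/` or `#`.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional


class ClientPrinter(NamedTuple):
    printer: str
    client: str
    session_id: Optional[int]   # None for the legacy form, which has no SessionID
    legacy: bool


# Default form: printername (from clientname) in session x
# The greedy printer group keeps parentheses that belong to the printer name
# and lets the final "(from ...) in session N" suffix decide the split.
_CURRENT = re.compile(
    r"^(?P<printer>.+) \(from (?P<client>[^()]+)\) in session (?P<sid>\d+)$"
)

# Legacy form: Client/clientname#/printername
_LEGACY = re.compile(r"^Client/(?P<client>[^/#]+)#/(?P<printer>.+)$")


def parse_printer_name(name: str) -> Optional[ClientPrinter]:
    """Parse a session printer name; return None if it is not a client printer."""
    name = name.strip()
    m = _CURRENT.match(name)
    if m:
        return ClientPrinter(m["printer"], m["client"], int(m["sid"]), False)
    m = _LEGACY.match(name)
    if m:
        return ClientPrinter(m["printer"], m["client"], None, True)
    return None


def printers_by_client(names):
    """Group parsed client printers by the user device they come from."""
    grouped = defaultdict(list)
    for name in names:
        parsed = parse_printer_name(name)
        if parsed is not None:
            grouped[parsed.client].append(parsed)
    return dict(grouped)


# Constructed sample of names as they might appear in the Printers window.
SAMPLE_NAMES = [
    "printer01 (from computer01) in session 7",
    "HP LaserJet 1018 (from clientname) in session 35",
    "Label (Copy 1) (from computer01) in session 7",
    "Client/computer02#/printer01",
    "Microsoft XPS Document Writer",   # server-side printer, not client-mapped
]

if __name__ == "__main__":
    for client, printers in printers_by_client(SAMPLE_NAMES).items():
        for p in printers:
            print(client, "|", p.printer, "|", p.session_id, "| legacy:", p.legacy)
```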

To map a client COM port to a server COM port

Client COM port mapping allows devices attached to the COM ports of the user device to be used during sessions on a XenApp server. These mappings can be used like any other network mappings.

Important: Client COM port mapping is not supported when connecting to MetaFrame Server 1.0 and 1.1 for UNIX Operating Systems.

You can map client COM ports at the command prompt. You can also control client COM port mapping from the Terminal Services Configuration tool or using policies. See the Citrix XenApp Administrator’s documentation for more information about policies.

1. Start Receiver and log on to the XenApp server.

2. At a command prompt, type: net use comx: \\client\comz: where x is the number of the COM port on the server (ports 1 through 9 are available for mapping) and z is the number of the client COM port you want to map.

3. To confirm the operation, type: net use at a command prompt. The list that appears contains mapped drives, LPT ports, and mapped COM ports. To use this COM port in a session on a XenApp server, install your device to the mapped name. For example, if you map COM1 on the client to COM5 on the server, install your COM port device on COM5 during the session on the server. Use this mapped COM port as you would a COM port on the user device.

Important: COM port mapping is not TAPI-compatible. TAPI devices cannot be mapped to client COM ports.

Mapping Client Audio to Play Sound on the User Device

Client audio mapping enables applications executing on the XenApp server to play sounds through Windows-compatible sound devices installed on the user device. You can set audio quality on a per-connection basis on the XenApp server and users can set it on their device. If the user device and server audio quality settings are different, the lower setting is used.

Client audio mapping can cause excessive load on servers and the network. The higher the audio quality, the more bandwidth is required to transfer the audio data. Higher quality audio also uses more server CPU to process.

Important: Client sound support mapping is not supported when connecting to Citrix XenApp for UNIX.

Associating User Device File Types with Published Applications

Receiver supports HDX Plug-n-Play content redirection. Functionally equivalent to extended parameter passing, content redirection allows you to enforce all underlying file type associations from the server, eliminating the need to configure extended parameter passing on individual user devices.

To associate file types on the user device with applications published on the server, configure Plug-n-Play content redirection on the server. For more information, see the XenApp administration topics.

Using the Window Manager when Connecting to Citrix XenApp for UNIX

This topic does not apply to XenDesktop connections.

You can use the window manager to change the session display when connecting to published resources on XenApp servers for UNIX. With the window manager, users can minimize, resize, position, and close windows, as well as access full screen mode.

About Seamless Windows

In seamless window mode, published applications and desktops are not contained within a session window. Each published application and desktop appears in its own resizable window, as if it is physically installed on the user device. Users can switch between published applications and the local desktop.

You can also display seamless windows in “full screen” mode, which places the published application in a full screen-sized desktop. This mode lets you access the ctxwm menu system.

To switch between seamless and full screen modes

Press SHIFT+F2 to switch between seamless and full screen modes.

Minimizing, Resizing, Positioning, and Closing Windows

When users connect to published resources, window manager provides buttons to minimize, resize, position, and close windows. Windows are minimized as buttons on the taskbar.

When the user closes the last application in a session, the session is logged off automatically after twenty seconds.

Terminating and Disconnecting Sessions

This topic does not apply to XenDesktop connections.

In remote desktop and seamless full screen windows, you can use the ctxwm menu system to log off, disconnect, and exit from published applications and connection sessions.

To access the ctxwm menu system

1. On a blank area of the remote desktop window, click and hold down the left mouse button. The ctxwm menu appears.

2. Drag the mouse pointer over Shutdown to display the shutdown options.

To choose an option from the ctxwm menu

Drag the pointer over the required option to select it. Release the mouse button to select the option.

● To terminate the connection and all running applications, choose Logoff.

● To disconnect the session but leave the application running, choose Disconnect.

● To disconnect the session and terminate the application, choose Exit.

Note: The server can be configured to terminate any applications that are running if a session is disconnected.

Using ctxgrab and ctxcapture to Cut and Paste Graphics When Connected to XenApp for UNIX

If you are connected to an application published on a XenApp server for UNIX, use ctxgrab or ctxcapture to cut and paste graphics between the session and the local desktop. These utilities are configured and deployed from the server.

Important: You might need to deploy UNIX applications that are designed for use with a 3‑button mouse. Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouse emulation. For more information, see the XenApp for UNIX administration documentation.

● ctxgrab

● ctxcapture

Using the ctxgrab Utility to Cut and Paste Graphics

This topic does not apply to XenDesktop connections.

The ctxgrab utility is a simple tool you use to cut and paste graphics from published applications to applications running on the local user device. This utility is available from a command prompt or, if you are using a published application, from the ctxwm window manager.

Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouse emulation. For more information, see the XenApp for UNIX administration documentation.

To access the ctxgrab utility from the window manager

● In seamless mode, right-click the ctxgrab button in the top, left-hand corner of the screen to display a menu and choose the grab option

● In full screen mode, left-click to display the ctxwm menu and choose the grab option

To copy from an application in a plug-in window to a local application

1. From the ctxgrab dialog box, click From screen.

2. To select a window, move the cursor over the window you want to copy and click the middle mouse button. To select a region, hold down the left mouse button and drag the cursor to select the area you want to copy. To cancel the selection, click the right mouse button. While dragging, click the right mouse button before releasing the left button.

3. Use the appropriate command in the local application to paste the object.

Using the ctxcapture Utility to Cut and Paste Graphics

This topic does not apply to XenDesktop connections.

The ctxcapture utility is a more fully-featured utility for cutting and pasting graphics between published applications and applications running on the local user device.

With ctxcapture you can:

● Grab dialog boxes or screen areas and copy them between an application in a Receiver window and an application running on the local user device, including non-ICCCM-compliant applications

● Copy graphics between the Receiver and the X graphics manipulation utility xvf

If you are connected to a published desktop, ctxcapture is available from a command prompt. If you are connected to a published application and the administrator makes it available, you can access ctxcapture through the ctxwm window manager.

Important: Use ctx3bmouse on the XenApp for UNIX server to configure 3-button mouse emulation. For more information, see the XenApp for UNIX administration documentation.

To access the ctxcapture utility from the window manager

Left-click to display the ctxwm menu and choose the screengrab option.

To copy from a local application to an application in a Receiver window

1. From the ctxcapture dialog box, click From screen.

2. To select a window, move the cursor over the window you want to copy and click the middle mouse button. To select a region, hold down the left mouse button and drag the cursor to select the area you want to copy. To cancel the selection, click the right mouse button. While dragging, click the right mouse button before releasing the left button.

3. From the ctxcapture dialog box, click To ICA. The xcapture button changes color to indicate that it is processing the information.

4. When the transfer is complete, use the appropriate command in the published application window to paste the information.

To copy from an application in a Receiver window to a local application

1. From the application in the Receiver window, copy the graphic.

2. From the ctxcapture dialog box, click From ICA.

3. When the transfer is complete, use the appropriate command in the local application to paste the information.

To copy from xv to an application in a Receiver window or local application

1. From xv, copy the graphic.

2. From the ctxcapture dialog box, click From xv and To ICA.

3. When the transfer is complete, use the appropriate command in the Receiver window to paste the information.

To copy from an application in a Receiver window to xv

1. From the application in the Receiver window, copy the graphic.

2. From the ctxcapture dialog box, click From ICA and To xv.

3. When the transfer is complete, use the paste command in xv.

Matching Client Names and Computer Names

The dynamic client name feature allows the client name to be the same as the computer name. When users change their computer name, the client name changes to match. This allows you to name computers to suit your naming scheme and find connections more easily when managing your server farm.

If the client name is not set to match the computer name during installation, the client name does not change when the computer name is changed.

Users enable dynamic client name support by selecting Enable Dynamic Client Name during Receiver installation.

To enable dynamic client name support during silent command line installation, the value of the property ENABLE_DYNAMIC_CLIENT_NAME must be Yes. Set the property to No to disable dynamic client name support.

Providing Support for NDS Users

This topic does not apply to XenDesktop connections.

When launching Receiver software, users can log on and be authenticated using their Novell Directory Services (NDS) credentials. Supported NDS credentials are user name (or distinguished name), password, directory tree, and context.

NDS support is integrated into the following:

● Citrix Receiver. If NDS is enabled in the server farm, NDS users enter their credentials on an NDS tab on the Receiver logon screen. If users have the Novell Client (Version 4.8) installed, they can browse the NDS tree to choose their context.

● Pass-Through Authentication. If users have the Novell Client (Version 4.8) installed, you can pass their credentials to the XenApp server, eliminating the need for multiple system and application authentications.

To enable pass-through authentication, configure the following policy options in the User Package in ZENworks for Desktops:

● Enable the Dynamic Local User policy option

● Set the Use NetWare Credentials value to On

● The Citrix Web Interface. NDS users enter their credentials on an NDS logon screen provided by the Web Interface. See the Web Interface Administrator’s documentation for information about configuring your server for NDS.

Note: To use NDS logon information with earlier versions of the clients, enter the NDS tree name in the Domain field and a distinguished name in the User field on the client logon screen.

Setting a Default Context for NDS

You can set a default context for NDS for Receiver. To set a default context for NDS, you must configure the particular installer file you are using to deploy Receiver.

Specifying Windows Credentials with the Novell Client and Pass-Through Authentication

This topic does not apply to XenDesktop connections.

If the Novell client is installed and you want the Receiver to use the user’s Windows credentials with pass-through authentication rather than the Novell Directory Server (NDS) credentials, use the Group Policy Editor to enable pass-through authentication without NDS credentials.

To configure Receiver after installation

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates, navigate through Citrix Components > Citrix Receiver > User authentication, double click Local user name and password and select Enabled > Enable pass-through authentication. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

Do not select Use Novell Directory Server credentials.

DNS Name Resolution

You can configure Receivers that use the Citrix XML Service to request a Domain Name Service (DNS) name for a server instead of an IP address.

Important: Unless your DNS environment is configured specifically to use this feature, Citrix recommends that you do not enable DNS name resolution in the server farm.

Receivers connecting to published applications through the Web Interface also use the Citrix XML Service. For Receivers connecting through the Web Interface, the Web server resolves the DNS name on behalf of the Receiver.

DNS name resolution is disabled by default in the server farm and enabled by default on the Receiver. When DNS name resolution is disabled in the farm, any Receiver request for a DNS name returns an IP address. There is no need to disable DNS name resolution on Receiver.

To disable DNS name resolution for specific client devices

If you are using DNS name resolution in the server farm and are having problems with specific user devices, you can disable DNS name resolution for those devices.

Caution: Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.

1. Add a string registry key xmlAddressResolutionType to HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Application Browsing.

2. Set the value to IPv4-Port.

3. Repeat for each user of the user devices.

Using Proxy Servers with XenDesktop Connections

If you do not use proxy servers in your environment, correct the Internet Explorer proxy settings on any user devices running Internet Explorer 7.0 on Windows XP. By default, this configuration automatically detects proxy settings. If proxy servers are not used, users will experience unnecessary delays during the detection process. For instructions on changing the proxy settings, consult your Internet Explorer documentation. Alternatively, you can change proxy settings using the Web Interface. For more information, consult the Web Interface documentation.

Improving the Receiver User Experience

You can improve your users’ experiences with the following supported features:

● ClearType font smoothing

● Client-side microphone input for digital dictation

● Multiple monitor support

● Printing performance enhancements

● To set keyboard shortcuts

● 32-bit color icons

Topics that support users with the Desktop Viewer and the Desktop Lock are available at http://support.citrix.com/help/receiver/en/receiverHelpWin.htm.

ClearType Font Smoothing in Sessions

This topic does not apply to XenDesktop connections.

XenApp server supports ClearType font smoothing with Receiver for users on computers running Windows XP, Windows 7, and Windows Vista. ClearType font smoothing is set by default in Windows 7 and Windows Vista, but Standard font smoothing is set by default in Windows XP.

If you enable ClearType font smoothing on Receiver, you are not forcing the user devices to use ClearType font smoothing. You are enabling the server to support ClearType font smoothing on user devices that have it set and are using Receiver. By disabling it for sessions, you are specifying that sessions launched from that Receiver do not remote the font smoothing setting.

Receiver automatically detects the user device’s font smoothing setting and sends it to the server. The session connects using this setting. When the session is disconnected or terminated, the user's profile setting on the server is set to the original setting unless the user specifically changed it in the control panel in the session; then the server uses the new setting.

An older Receiver (plug-in) connects using the font smoothing setting configured in that user’s profile on the server.

When ClearType font smoothing is enabled, three times more data is sent across the virtual channel, which might cause a decrease in performance.

Font smoothing must be enabled on users’ operating systems, the Receiver, the Web Interface site, and the server farm.

To enable or disable ClearType font smoothing for sessions

Use the Session Preferences task in the Citrix Web Interface Management console to enable or disable font smoothing for XenApp Web sites and the Session Options task for XenApp Services sites.

Client-Side Microphone Input

Receiver supports multiple client-side microphone input. Locally installed microphones can be used for:

● Real-time activities, such as softphone calls and Web conferences.

● Hosted recording applications, such as dictation programs.

● Video and audio recordings.

Digital dictation support is available with Receiver. For information about configuring this feature, see the administrator's documentation for Citrix XenApp or Citrix XenDesktop.

Receiver (Enterprise) users can disable their microphones by selecting No Access in the Microphones/Webcams menu choice available from the Citrix Connection Center, or from the Receiver’s system menu (for non-seamless connections). Receiver (standard) users are presented with the same dialog box automatically at the beginning of their sessions. XenDesktop users can also use the XenDesktop Viewer Preferences to disable their microphones.

Note: Selecting No Access also disables any attached Webcams.

On the user device, users control audio input and output in a single step by selecting an audio quality level from the Options dialog box.

Configuring HDX Plug-n-Play Multi-monitor Support

Multiple monitors are fully supported by Receiver. As many as eight monitors are supported.

Each monitor in a multiple monitor configuration has its own resolution designed by its manufacturer. Monitors can have different resolutions and orientations during sessions.

Sessions can span multiple monitors in two ways:

● Full screen mode, with multiple monitors shown inside the session; applications snap to monitors as they would locally.

XenDesktop: If users access a desktop through the Citrix Desktop Lock, the desktop is displayed across all monitors. The primary monitor on the device becomes the primary monitor in the XenDesktop session. You can display the Desktop Viewer toolbar across any rectangular subset of monitors by resizing the window across any part of those monitors and pressing the Maximize button.

● Windowed mode, with one single monitor image for the session; applications do not snap to individual monitors.

XenDesktop: When any desktop in the same assignment (formerly "desktop group") is launched subsequently, the window setting is preserved and the toolbar is displayed across the same monitors. Multiple virtual desktops can be displayed on one device provided the monitor arrangement is rectangular. If the primary monitor on the device is used by the XenDesktop session, it becomes the primary monitor in the session. Otherwise, the numerically lowest monitor in the session becomes the primary monitor.

To enable multi-monitor support, ensure the following:

● The user device must have a single video board that can support connections to more than one monitor or multiple video boards compatible with the Receiver on the appropriate platform.

● The user device operating system must be able to detect each of the monitors. On Windows platforms, to verify that this detection occurs, on the user device, view the Settings tab in the Display Settings dialog box and confirm that each monitor appears separately.

● After your monitors are detected:

● XenDesktop: Configure the graphics memory limit using the Citrix Machine Policy setting Display memory limit.

● XenApp: Depending on the version of the XenApp server you have installed:

● Configure the graphics memory limit using the Citrix Computer Policy setting Display memory limit.

● From the Citrix management console for the XenApp server, select the farm and in the task pane, select Modify Server Properties > Modify all properties > Server Default > HDX Broadcast > Display (or Modify Server Properties > Modify all properties > Server Default > ICA > Display) and set the Maximum memory to use for each session’s graphics.

Ensure the setting is large enough (in kilobytes) to provide sufficient graphic memory. If this setting is not high enough, the published resource is restricted to the subset of the monitors that fits within the size specified.

For information about calculating the session's graphic memory requirements for XenApp and XenDesktop, see ctx115637.

Printing Performance

Printing performance can play a vital role in your users’ experiences. The printing configuration you create affects these aspects of the user’s experience:

● User ease and comfort level

● Logon times

● Ability to print to a nearby printer when traveling or when moving between client devices in a building

You configure printer policy settings on the server.

User Ease and Comfort Level

In environments with novice users, consider changing the following potentially confusing default printing behaviors:

● Printer names change at the start of each session. When, by default, client printers are auto-created, the printer name is appended with the name of the user device and session. For example, auto-created client printers appear in the Print dialog box with a name like HP LaserJet 1018 (from clientname) in session 35.

To resolve this problem, you can either reduce the number of printers auto-created or provision printers using another method. To control printer auto-creation, configure the Citrix policy setting Auto-create client printers and select one of the following options:

● Do not auto-create client printers. Client printers are not auto-created.

● Auto-create the client’s default printer only. Only the client’s default printer attached to or mapped from the client preconfigured in the Control Panel is auto-created in the session.

● Auto-create local (non-network) client printers only. Any non-network printers attached to the client device preconfigured in the Control Panel are auto-created in the session.

● Auto-create all client printers. All network printers and any printers attached to or mapped from the user device preconfigured in the Control Panel are auto-created in the session.

● If many printers are installed by default on user devices, your users might be confused by the large number of available printers. You can limit the printers that appear to them in sessions.

● HDX Plug-n-Play Universal Printer uses a nonstandard printing dialog box. If your users have trouble learning new features on their own, you might not want to use the Universal Printer as the default printer in a session. The user interface for this printer is slightly different from the standard Windows print dialog box.

Logon Times

The printing configuration you select can impact how long it takes users to start a session. When Receiver is configured to provision printers by creating them automatically at the beginning of each session, it increases the amount of time to build the session environment. In this case, Receiver has to rebuild every printer found on the user device. You can decrease logon time by specifying any of the following on the XenApp server:

● Auto-create only the Universal Printer. This is done automatically when you configure the Universal Printer.

● Auto-create only the default printer for the client device by using the Auto-create client printers policy setting.

● Do not auto-create any client printers through the Auto-create client printers policy setting and route print jobs to network printers by configuring the Session printers policy setting.

Configuring Printers for Mobile Workers

If you have users who move among workstations in the same building (for example, in a hospital setting) or move among different offices, you might want to configure Proximity Printing. The Proximity Printing solution ensures that the closest printer is presented to the users in their sessions, even when they change user devices during a session.

To override the printer settings configured on the server

To improve printing performance, you can configure various printing policy settings on the server:

● Universal printing optimization defaults

● Universal printing EMF processing mode

● Universal printing image compression limit

● Universal printing print quality limit

● Printer driver mapping and compatibility

● Session printers

If you enabled Allow non-admins to modify these settings in the Universal printing optional defaults policy setting on the server, users on their user devices can override the Image Compression and Image and Font Caching options specified in that policy setting.

To override the printer settings on the user device

1. From the Print menu available from an application on the user device, choose Properties.

2. On the Client Settings tab, click Advanced Optimizations and make changes to the Image Compression and Image and Font Caching options.

To set keyboard shortcuts

You can configure combinations of keys that Receiver interprets as having special functionality. When the keyboard shortcuts policy is enabled, you can specify Citrix Hotkey mappings, behavior of Windows hotkeys, and keyboard layout for sessions.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > User Experience > Keyboard shortcuts. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties, select Enabled, and choose the desired options.

Keyboard Input in XenDesktop Sessions

Note the following about how keyboard combinations are processed in XenDesktop sessions:

● Windows logo key+L is directed to the local computer.

● CTRL+ALT+DELETE is directed to the local computer except in some cases if you use the Citrix Desktop Lock.

● Key presses that activate StickyKeys, FilterKeys, and ToggleKeys (Microsoft accessibility features) are normally directed to the local computer.

● As an accessibility feature of the Desktop Viewer, pressing CTRL+ALT+BREAK displays the Desktop Viewer toolbar buttons in a pop-up window.

● Windows key combinations (for example, CTRL+ESC and ALT+TAB) are directed according to the settings that your helpdesk has selected. For more information, see the table below.

Note: By default, if the Desktop Viewer is maximized, ALT+TAB switches focus between windows inside the session. If the Desktop Viewer is displayed in a window, ALT+TAB switches focus between windows outside the session.

Hotkey sequences are key combinations designed by Citrix. For example, the CTRL+F1 sequence reproduces CTRL+ALT+DELETE, and SHIFT+F2 switches applications between full-screen and windowed mode. You cannot use hotkey sequences with virtual desktops displayed in the Desktop Viewer (that is, with XenDesktop sessions), but you can use them with published applications (that is, with XenApp sessions).

The table shows the remoting behavior of other Windows key combinations. The behavior depends on whether a Desktop Viewer or a Desktop Lock session is used, and is controlled by the Local resources setting, available from the Session Options task on the XenDesktop site. XenApp settings are also shown for reference. For more information on configuring this setting, see the Web Interface documentation.

| With Local resources set to | Desktop Viewer sessions have this behavior | Desktop Lock sessions have this behavior | XenApp (or disabled Desktop Viewer) sessions have this behavior |
| --- | --- | --- | --- |
| Full screen desktops only | Key combinations are sent to the remote, virtual desktop only if the Desktop Viewer window has focus and is maximized (full-screen). | Key combinations are always sent to the remote, virtual desktop. | Key combinations are sent to the remote XenApp server if the session is maximized (full-screen). |
| Remote desktop | Key combinations are sent to the remote, virtual desktop only if the Desktop Viewer window has focus. | Key combinations are always sent to the remote, virtual desktop. | Key combinations are sent to the remote XenApp server if the session or application has focus. |
| Local desktop | Key combinations are always kept on the local user device. | Key combinations are always kept on the local user device. Citrix does not recommend setting Local resources to Local desktop if the Desktop Lock is used. | Key combinations are always kept on the local user device. |

Receiver Support for 32-Bit Color Icons

Receiver supports high color icons (32x32 bit) and automatically selects the color depth for applications visible in the Citrix Connection Center dialog box, the Start menu, and task bar to provide for seamless applications.

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

To set a preferred depth, you can add a string registry key named TWIDesiredIconColor to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Preferences and set it to the desired value. The possible color depths for icons are 4, 8, 16, 24, and 32 bits-per-pixel. The user can select a lower color depth for icons if the network connection is slow.

Connecting to Virtual Desktops

From within a desktop session, users cannot connect to the same virtual desktop. Attempting to do so will disconnect the existing desktop session. Therefore, Citrix recommends:

● Administrators should not configure the clients on a desktop to point to a site that publishes the same desktop

● Users should not browse to a site that hosts the same desktop if the site is configured to automatically reconnect users to existing sessions

● Users should not browse to a site that hosts the same desktop and try to launch it

Be aware that a user who logs on locally to a computer that is acting as a virtual desktop blocks connections to that desktop.

If your users connect to virtual applications (published with XenApp) from within a virtual desktop and your organization has a separate XenApp administrator, Citrix recommends working with them to define device mapping such that desktop devices are mapped consistently within desktop and application sessions. Because local drives are displayed as network drives in desktop sessions, the XenApp administrator needs to change the drive mapping policy to include network drives.

Securing Your Connections

To maximize the security of your environment, the connections between Receiver and the resources you publish must be secured. You can configure various types of authentication for your Receiver software, including enabling certificate revocation list checking, enabling smart card support, and using Security Support Provider Interface/Kerberos Pass-Through Authentication.

Windows NT Challenge/Response (NTLM) Support for Improved Security

Windows NT Challenge/Response (NTLM) authentication is supported by default on computers running Windows NT, Windows 2000, Windows XP, Windows 7, Windows Vista, Windows Server 2003, and Windows Server 2008.

To enable certificate revocation list checking for improved security with Receiver (CitrixReceiver.exe)

When certificate revocation list (CRL) checking is enabled, Receiver checks whether or not the server’s certificate is revoked. By forcing Receiver to check this, you can improve the cryptographic authentication of the server and the overall security of the SSL/TLS connections between a user device and a server.

You can enable several levels of CRL checking. For example, you can configure Receiver to check only its local certificate list or to check the local and network certificate lists. In addition, you can configure certificate checking to allow users to log on only if all CRLs are verified.

Important: This option is available only with the standard Receiver (CitrixReceiver.exe) and not Receiver (Enterprise).

If you are making this change on a local computer, exit Receiver if it is running. Make sure all Receiver components, including the Connection Center, are closed.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for the Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties and select Enabled.

8. From the CRL verification drop-down menu, select one of the options.

● Disabled. No certificate revocation list checking is performed.

● Only check locally stored CRLs. CRLs that were installed or downloaded previously are used in certificate validation. Connection fails if the certificate is revoked.

● Require CRLs for connection. CRLs locally and from relevant certificate issuers on the network are checked. Connection fails if the certificate is revoked or not found.

● Retrieve CRLs from network. CRLs from the relevant certificate issuers are checked. Connection fails if the certificate is revoked.

If you do not set CRL verification, it defaults to Only check locally stored CRLs.

Smart Card Support for Improved Security

Receiver smart card support is based on Microsoft Personal Computer/Smart Card (PC/SC) standard specifications. Receiver supports only smart cards and smart card devices that are, themselves, supported by the underlying Windows operating system. A discussion of security issues related to PC/SC standards compliance is beyond the scope of this document.

Enabling smart card support for Receiver is done through the Web Interface. For more information, see the Web Interface Administrator’s documentation.

Note: Microsoft strongly recommends that only smart card readers tested and approved by the Microsoft Windows Hardware Quality Lab (WHQL) be used on computers running qualifying Windows operating systems. See http://www.microsoft.com for additional information about hardware PC/SC compliance.

Receiver does not control smart card PIN management. PIN management is controlled by the cryptographic service provider for your cards.

To enable pass-through authentication when sites are not in Trusted Sites or Intranet zones

Your users might require pass-through authentication to the server using their user logon credentials but cannot add sites to the Trusted Sites or Intranet zones. Enable this setting to allow pass-through authentication on all but Restricted sites.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Configuration folder for Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > User authentication > Local user name and password. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Local user name and password Properties menu, select Enabled, and then select the Enable pass-through authentication and Allow pass-through authentication for all ICA connections check boxes.

Using Security Support Provider Interface/Kerberos Pass-Through Authentication for Improved Security

This topic does not apply to XenDesktop connections.

Rather than sending user passwords over the network, Kerberos pass-through authentication leverages Kerberos authentication in combination with Security Support Provider Interface (SSPI) security exchange mechanisms. Kerberos is an industry-standard network authentication protocol built into Microsoft Windows operating systems.

Kerberos logon offers security-minded users or administrators the convenience of pass-through authentication combined with secret-key cryptography and data integrity provided by industry-standard network security solutions. With Kerberos logon, the Receiver does not need to handle the password and thus prevents Trojan horse-style attacks on the user device to gain access to users’ passwords.

Users can log on to the user device with any authentication method; for example, a biometric authenticator such as a fingerprint reader, and still access published resources without further authentication.

System requirements. Kerberos logon requires Citrix Presentation Server 3.0, 4.0, or 4.5, Citrix XenApp 5.0, 6.x and Citrix Presentation Server Clients for Windows 8.x, 9.x, 10.x, XenApp Hosted Plug-in 11.x, online plug-in 12.0, 12.1, or Receiver 3.0. Kerberos works only between Client/plug-ins/Receiver and servers that belong to the same or to trusted Windows 2000, Windows Server 2003, or Windows Server 2008 domains. Servers must also be trusted for delegation, an option you configure through the Active Directory Users and Computers management tool.

Kerberos logon is not available in the following circumstances:

● Connections configured with any of the following options in Remote Desktop Services (formerly known as Terminal Services) Configuration:

  ● On the General tab, the Use standard Windows authentication option

  ● On the Logon Settings tab, the Always use the following logon information option or the Always prompt for password option

● Connections you route through the Secure Gateway

● If the server requires smart card logon

● If the authenticated user account requires a smart card for interactive logon

Important: SSPI requires XML Service DNS address resolution to be enabled for the server farm, or reverse DNS resolution to be enabled for the Active Directory domain. For more information, see the Citrix XenApp administrator documentation.

Configuring Kerberos Authentication

Receiver, by default, is not configured to use Kerberos authentication when logging on to the server. You can set the Receiver configuration to use Kerberos with pass-through authentication or Kerberos with smart card pass-through authentication.

To use Kerberos authentication for your connections, you can either specify Kerberos using a command line installation or configure Receiver using the Group Policy Editor. See the Microsoft Group Policy documentation for more information about editing .adm files.

To configure Kerberos with pass-through authentication

This topic does not apply to XenDesktop connections.

Use Kerberos with pass-through authentication if you want to use Kerberos with Receiver.

When Receiver configurations are set to use Kerberos with pass-through authentication, Receiver uses Kerberos authentication first and uses pass-through authentication if Kerberos fails.

The user cannot disable this Receiver configuration from the user interface.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates, navigate through Citrix Components > Citrix Receiver > User authentication, double-click Kerberos authentication and select Enabled. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > User authentication > Local user name and password. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

8. From the Action menu, choose Properties and select Enabled > Enable pass-through authentication.

To apply the setting, close and restart Receiver on the user device.

Securing Citrix Receiver Communication

To secure the communication between your server farm and Receiver, you can integrate your Receiver connections to the server farm with a range of security technologies, including:

● A SOCKS proxy server or secure proxy server (also known as security proxy server, HTTPS proxy server, or SSL tunneling proxy server). You can use proxy servers to limit access to and from your network and to handle connections between Receiver and servers. Receiver supports SOCKS and secure proxy protocols.

● Secure Gateway for Citrix XenApp or SSL Relay solutions with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

● A firewall. Network firewalls can allow or block packets based on the destination address and port. If you are using Receiver through a network firewall that maps the server's internal network IP address to an external Internet address (that is, network address translation, or NAT), configure the external address.

● Trusted server configuration.

Note: For information about increasing security in application streaming for desktops, see the Citrix Knowledge Base article Enhancing Security in Application Streaming for Desktops.

Support for Microsoft Security Templates

Receiver is compatible with and functions in environments where the Microsoft Specialized Security - Limited Functionality (SSLF) desktop security templates are used. These templates are supported on the Microsoft Windows XP, Windows Vista, and Windows 7 platforms. Refer to the Windows XP, Windows Vista, and Windows 7 security guides available at http://technet.microsoft.com for more information about the templates and related settings.

Connecting the Citrix Receiver through a Proxy Server

Proxy servers are used to limit access to and from your network, and to handle connections between Receivers and servers. Receiver supports SOCKS and secure proxy protocols.

When communicating with the server farm, Receiver uses proxy server settings that are configured remotely on the server running the Web Interface. See the topics for Web Interface for information about configuring proxy server settings.

In communicating with the Web server, Receiver uses the proxy server settings that are configured through the Internet settings of the default Web browser on the user device. You must configure the Internet settings of the default Web browser on the user device accordingly.

Connecting with the Secure Gateway or Citrix Secure Sockets Layer Relay

You can integrate Receiver with the Secure Gateway or Secure Sockets Layer (SSL) Relay service. Receiver supports both SSL and TLS protocols.

● SSL provides strong encryption to increase the privacy of your ICA connections and certificate-based server authentication to ensure the server you are connecting to is a genuine server.

● TLS (Transport Layer Security) is the latest, standardized version of the SSL protocol. The Internet Engineering Taskforce (IETF) renamed it TLS when it took over responsibility for the development of SSL as an open standard. TLS secures data communications by providing server authentication, encryption of the data stream, and message integrity checks. Because there are only minor technical differences between SSL Version 3.0 and TLS Version 1.0, the certificates you use for SSL in your software installation will also work with TLS. Some organizations, including U.S. government organizations, require the use of TLS to secure data communications. These organizations may also require the use of validated cryptography, such as FIPS 140 (Federal Information Processing Standard). FIPS 140 is a standard for cryptography.

Connecting with the Secure Gateway

You can use the Secure Gateway in either Normal mode or Relay mode to provide a secure channel for communication between Receiver and the server. No Receiver configuration is required if you are using the Secure Gateway in Normal mode and users are connecting through the Web Interface.

Receiver uses settings that are configured remotely on the server running the Web Interface to connect to servers running the Secure Gateway. See the topics for the Web Interface for information about configuring proxy server settings for Receiver.

If the Secure Gateway Proxy is installed on a server in the secure network, you can use the Secure Gateway Proxy in Relay mode. See the topics for the Secure Gateway for more information about Relay mode.

If you are using Relay mode, the Secure Gateway server functions as a proxy and you must configure Receiver to use:

● The fully qualified domain name (FQDN) of the Secure Gateway server.

● The port number of the Secure Gateway server. Note that Relay mode is not supported by Secure Gateway Version 2.0.

The FQDN must list, in sequence, the following three components:

● Host name

● Intermediate domain

● Top-level domain

For example: my_computer.my_company.com is an FQDN, because it lists, in sequence, a host name (my_computer), an intermediate domain (my_company), and a top-level domain (com). The combination of intermediate and top-level domain (my_company.com) is generally referred to as the domain name.

Connecting with Citrix SSL Relay

By default, Citrix SSL Relay uses TCP port 443 on the XenApp server for SSL/TLS-secured communication. When the SSL Relay receives an SSL/TLS connection, it decrypts the data before redirecting it to the server, or, if the user selects SSL/TLS+HTTPS browsing, to the Citrix XML Service.

If you configure SSL Relay to listen on a port other than 443, you must specify the nonstandard listening port number to the plug-in.

You can use Citrix SSL Relay to secure communications:

● Between an SSL/TLS-enabled client and a server. Connections using SSL/TLS encryption are marked with a padlock icon in the Citrix Connection Center.

● With a server running the Web Interface, between the XenApp server and the Web server.

For information about configuring and using SSL Relay to secure your installation, see the Citrix XenApp administrator’s documentation. For information about configuring the server running the Web Interface to use SSL/TLS encryption, see the Web Interface administrator’s documentation.

User Device Requirements

In addition to the requirements contained in the System Requirements and Compatibility for Citrix Receiver for Windows 3.0, you also must ensure that:

● The user device supports 128-bit encryption

● The user device has a root certificate installed that can verify the signature of the Certificate Authority on the server certificate

● Receiver is aware of the TCP listening port number used by the SSL Relay service in the server farm

● Any service packs or upgrades that Microsoft recommends are applied

If you are using Internet Explorer and you are not certain about the encryption level of your system, visit the Microsoft Web site at http://www.microsoft.com to install a service pack that provides 128-bit encryption.

Important: Receiver supports certificate key lengths of up to 4096 bits. Ensure that the bit lengths of your Certificate Authority root and intermediate certificates, and those of your server certificates, do not exceed the bit length your Receiver supports or connection might fail.

To apply a different listening port number for all connections

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the plug-in Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties, select Enabled, and type a new port number in the Allowed SSL servers text box in the following format: server:SSL relay port number where SSL relay port number is the number of the listening port. You can use a wildcard to specify multiple servers. For example, *.Test.com:SSL relay port number matches all connections to Test.com through the specified port.

To apply a different listening port number to particular connections only

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already added the icaclient template to the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. From the Action menu, choose Properties, select Enabled, and type a comma-separated list of trusted servers and the new port number in the Allowed SSL servers text box in the following format: servername:SSL relay port number,servername:SSL relay port number where SSL relay port number is the number of the listening port. You can specify a comma-separated list of specific trusted SSL servers similar to this example:

csghq.Test.com:443,fred.Test.com:443,csghq.Test.com:444

which translates into the following in an example appsrv.ini file:

[Word]
SSLProxyHost=csghq.Test.com:443

[Excel]
SSLProxyHost=csghq.Test.com:444

[Notepad]
SSLProxyHost=fred.Test.com:443
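An added example, not part of the Citrix documentation and not Receiver's own code: a Python audit that parses an Allowed SSL servers value in the server:port format described in the two procedures above, including the wildcard form, and reports which SSLProxyHost entries in an appsrv.ini file fall outside it. The matching rules (case-insensitive names, * matching any run of characters), the function names, and the [Calc] section are assumptions made for the illustration.

```python
"""Audit appsrv.ini SSLProxyHost entries against an Allowed SSL servers value.

Added example. Parsing and wildcard rules are assumptions drawn from the
format described in the text, not Receiver's implementation.
"""
import configparser
import fnmatch
import re

# Characters accepted in a server name or wildcard pattern (assumption).
HOST_RE = re.compile(r"^[A-Za-z0-9*._-]+$")

# Policy value quoted in the documentation.
PAGE_POLICY = "csghq.Test.com:443,fred.Test.com:443,csghq.Test.com:444"

# The documentation's appsrv.ini example plus one constructed section ([Calc]).
SAMPLE_INI = """\
[Word]
SSLProxyHost=csghq.Test.com:443

[Excel]
SSLProxyHost=csghq.Test.com:444

[Notepad]
SSLProxyHost=fred.Test.com:443

[Calc]
SSLProxyHost=relay.example.net:443
"""


def split_host_port(item):
    """Split 'server:port' and validate both halves; raise ValueError if malformed."""
    host, sep, port = item.strip().rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        raise ValueError(f"expected server:port, got {item!r}")
    if not HOST_RE.match(host):
        raise ValueError(f"unexpected characters in server name: {host!r}")
    port_no = int(port)
    if not 1 <= port_no <= 65535:
        raise ValueError(f"port out of range in {item!r}")
    return host.lower(), port_no


def parse_allowed_ssl_servers(value):
    """Turn 'server:port,server:port' into a list of (pattern, port) tuples."""
    entries = [split_host_port(part) for part in value.split(",") if part.strip()]
    if not entries:
        raise ValueError("policy value lists no servers")
    return entries


def is_allowed(host_port, allowed):
    """True if a concrete 'host:port' matches any policy entry on name and port."""
    try:
        host, port = split_host_port(host_port)
    except ValueError:
        return False  # malformed targets are treated as not allowed
    if "*" in host:
        return False  # a connection target is a name, never a pattern
    return any(port == p and fnmatch.fnmatchcase(host, pat) for pat, p in allowed)


def audit_appsrv(ini_text, policy_value):
    """Map each section that sets SSLProxyHost to True (allowed) or False."""
    allowed = parse_allowed_ssl_servers(policy_value)
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    results = {}
    for section in parser.sections():
        target = parser.get(section, "SSLProxyHost", fallback=None)
        if target is not None:
            results[section] = is_allowed(target, allowed)
    return results


if __name__ == "__main__":
    for name, ok in audit_appsrv(SAMPLE_INI, PAGE_POLICY).items():
        print(f"[{name}] {'allowed' if ok else 'NOT in Allowed SSL servers'}")
```

A section reported as not allowed points at a relay that the policy does not list, either on the wrong port or under an unlisted name.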

Configuring and Enabling Receivers for SSL and TLS

SSL and TLS are configured in the same way, use the same certificates, and are enabled simultaneously.

When SSL and TLS are enabled, each time you initiate a connection, Receiver tries to use TLS first and then tries SSL. If it cannot connect with SSL, the connection fails and an error message appears.

To force Receiver to connect with TLS, you must specify TLS on the Secure Gateway server or SSL Relay service. See the topics for the Secure Gateway or your SSL Relay service documentation for more information.

In addition, make sure the user device meets all system requirements.

To use SSL/TLS encryption for all Receiver communications, configure the user device, Receiver, and the server running the Web Interface.

Installing Root Certificates on the User Devices

To use SSL/TLS to secure communications between an SSL/TLS-enabled Receiver and the server farm, you need a root certificate on the user device that can verify the signature of the Certificate Authority on the server certificate.

Receiver supports the Certificate Authorities that are supported by the Windows operating system. The root certificates for these Certificate Authorities are installed with Windows and managed using Windows utilities. They are the same root certificates that are used by Microsoft Internet Explorer.

If you use your own Certificate Authority, you must obtain a root certificate from that Certificate Authority and install it on each user device. This root certificate is then used and trusted by both Microsoft Internet Explorer and Receiver.

You might be able to install the root certificate using other administration or deployment methods, such as:

● Using the Microsoft Internet Explorer Administration Kit (IEAK) Configuration Wizard and Profile Manager

● Using third-party deployment tools

Make sure that the certificates installed by your Windows operating system meet the security requirements for your organization or use the certificates issued by your organization’s Certificate Authority.


To configure Citrix Receiver to use SSL/TLS

1. To use SSL/TLS to encrypt application enumeration and launch data passed between Receiver and the server running the Web Interface, configure the appropriate settings using the Web Interface. You must include the computer name of the XenApp server that is hosting the SSL certificate.

2. To use secure HTTP (HTTPS) to encrypt the configuration information passed between Receiver and the server running the Web Interface, enter the server URL in the format https://servername. In the Windows notification area, right-click the Receiver icon and choose Preferences.

3. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.


To configure TLS support

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by running gpedit.msc locally from the Start menu when applying this to a single computer or by using the Group Policy Management Console when using Active Directory.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification.

7. From the Action menu, choose Properties, select Enabled, and from the drop-down menus, select the TLS settings.

● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected, Receiver connects using TLS encryption. If a connection using TLS fails, Receiver connects using SSL.

● Set SSL ciphersuite to Detect version to have Receiver negotiate a suitable ciphersuite from the Government and Commercial ciphersuites. You can restrict the ciphersuites to either Government or Commercial.

● Set CRL verification to Require CRLs for connection requiring Receiver to try to retrieve Certificate Revocation Lists (CRLs) from the relevant certificate issuers.


To use the Group Policy template to meet FIPS 140 security requirements

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

To meet FIPS 140 security requirements, use the Group Policy template to configure the parameters or include the parameters in the Default.ica file on the server running the Web Interface. See the information about Web Interface for additional information about the Default.ica file.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 3 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification.

7. From the Action menu, choose Properties, select Enabled, and from the drop-down menus, select the correct settings.

● Set SSL/TLS Version to TLS or Detect all to enable TLS. If Detect all is selected, Receiver tries to connect using TLS encryption. If a connection using TLS fails, Receiver tries to connect using SSL.

● Set SSL ciphersuite to Government.

● Set CRL verification to Require CRLs for connection.


To configure the Web Interface to use SSL/TLS when communicating with Citrix Receiver

When using the Web Interface, specify the computer name of the server hosting the SSL certificate. See the information about Web Interface for more details about using SSL/TLS to secure communications between Receiver and the Web server.

1. From the Configuration settings menu, select Server Settings.

2. Select Use SSL/TLS for communications between clients and the Web server.

3. Save your changes.

Selecting SSL/TLS changes all URLs to use HTTPS protocol.


To configure Citrix XenApp to use SSL/TLS when communicating with Citrix Receiver

You can configure the XenApp server to use SSL/TLS to secure the communications between Receiver and the server.

1. From the Citrix management console for the XenApp server, open the Properties dialog box for the application you want to secure.

2. Select Advanced > Client options and ensure that you select Enable SSL and TLS protocols.

3. Repeat these steps for each application you want to secure.

When using the Web Interface, specify the computer name of the server hosting the SSL certificate. See the information about Web Interface for more details about using SSL/TLS to secure communications between Receiver and the Web server.


To configure Citrix Receiver to use SSL/TLS when communicating with the server running the Web Interface

You can configure Receiver to use SSL/TLS to secure the communications between Receiver and the server running the Web Interface.

Ensure that a valid root certificate is installed on the user device. For more information, see Installing Root Certificates on the User Devices.

1. In the Windows notification area, right-click the Receiver icon and choose Preferences.

2. Right-click the Online Plug-in entry in the Plug-in Status and choose Change Server.

3. The Change Server screen displays the currently configured URL. Enter the server URL in the text box in the format https://servername to encrypt the configuration data using SSL/TLS.

4. Click Update to apply the change.

5. Enable SSL/TLS in the client device browser. For more information about enabling SSL/TLS in the browser, see the online Help for the browser.


ICA File Signing - Protection Against Application or Desktop Launches From Untrusted Servers

The ICA File Signing feature helps protect users from unauthorized application or desktop launches. Citrix Receiver verifies that a trusted source generated the application or desktop launch based on administrative policy and protects against launches from untrusted servers. You can configure this Receiver security policy for application or desktop launch signature verification using Group Policy Objects or Citrix Merchandising Server. ICA file signing is not enabled by default and is not supported with Dazzle 1.1 or earlier.

The Web Interface enables and configures application or desktop launches to include a signature during the launch process using the Citrix ICA File Signing Service. The service can sign ICA files using a certificate from the computer's personal certificate store.

The Citrix Merchandising Server with Receiver enables and configures launch signature verification using the Citrix Merchandising Server Administrator Console > Deliveries wizard to add trusted certificate thumbprints.

To use Group Policy Objects to enable and configure application or desktop launch signature verification, follow this procedure:

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the ica-file-signing.adm template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select ica-file-signing.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Enable ICA File Signing. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

7. If you choose Enabled, you can add signing certificate thumbprints to the white list of trusted certificate thumbprints or remove signing certificate thumbprints from the white list by clicking Show and using the Show Contents screen. You can copy and paste the signing certificate thumbprints from the signing certificate properties. Use the Policy drop-down menu to select Only allow signed launches (more secure) or Prompt user on unsigned launches (less secure).

Option: Only allow signed launches (more secure)
Description: Allows only properly signed application or desktop launches from a trusted server. The user sees a Security Warning message in Receiver if an application or desktop launch has an invalid signature. The user cannot continue and the unauthorized launch is blocked.

Option: Prompt user on unsigned launches (less secure)
Description: Prompts the user every time an unsigned or invalidly signed application or desktop attempts to launch. The user can either continue the application launch or abort the launch (default).


Selecting and Distributing a Digital Signature Certificate

When selecting a digital signature certificate, Citrix recommends you choose from this prioritized list:

1. Buy a code-signing certificate or SSL signing certificate from a public Certificate Authority (CA).

2. If your enterprise has a private CA, create a code-signing certificate or SSL signing certificate using the private CA.

3. Use an existing SSL certificate, such as the Web Interface or Self-service Plug-in server certificate.

4. Create a new root CA certificate and distribute it to user devices using GPO or manual installation.


Configuring a Web Browser and ICA File to Enable Single Sign-on and Manage Secure Connections to Trusted Servers

To use Single sign-on (SSO) and to manage secure connections to trusted servers, add the Citrix server's site address to the Local intranet or Trusted sites zones in Internet Explorer under Tools > Internet Options > Security on the user device. The address can include the wildcard (*) formats supported by the Internet Security Manager (ISM) or be as specific as protocol://URL[:port].

The same format must be used in both the ICA file and the sites entries. For example, if you use a fully qualified domain name (FQDN) in the ICA file, you must use an FQDN in the sites zone entry. XenDesktop connections use only a desktop group name format.

Supported Formats (Including Wildcards)

http[s]://10.2.3.4

http[s]://10.2.3.*

http[s]://hostname

http[s]://fqdn.example.com

http[s]://*.example.com

http[s]://cname.*.example.com

http[s]://*.example.co.uk

desktop://group-20name

ica[s]://xaserver1

ica[s]://xaserver1.example.com

Launching SSO or Using Secure Connections with Web Interface

Add the exact address of the Web Interface site in the sites zone.

Example Web Interface Site Addresses

https://my.company.com


http://10.20.30.40

http://server-hostname:8080

https://SSL-relay:444

XenDesktop Connections with Desktop Viewer

Add the address in the form desktop://Desktop Group Name. If the desktop group name contains spaces, replace each space with -20.

Custom ICA Entry Formats

Use one of the following formats in the ICA file for the Citrix server site address. Use the same format to add it to the Local intranet or Trusted sites zones in Internet Explorer under Tools > Internet Options > Security on the user device:

Example of ICA File HttpBrowserAddress Entry

HttpBrowserAddress=XMLBroker.XenappServer.example.com:8080

Examples of ICA File XenApp Server Address Entry

If the ICA file contains only the XenApp server Address field, use one of the following entry formats:

icas://10.20.30.40:1494

icas://my.xenapp-server.company.com

ica://10.20.30.40


To set client resource permissions

You can set client resource permissions using trusted and restricted site regions by:

● Adding the Web Interface site to the Trusted Site list

● Making changes to new registry settings

Note: Due to enhancements to Receiver, the .ini procedure available in earlier versions of the plug-in/Receiver is replaced with these procedures.

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

To add the Web Interface site to the trusted site list

1. From the Internet Explorer Tools menu, choose Internet Options > Security.

2. Select the Trusted sites icon and click the Sites button.

3. In the Add this website to the zone text field, type the URL to your Web Interface site and click Add.

4. Download the registry settings from http://support.citrix.com/article/CTX124871.html and make any registry changes. Use SsonRegUpx86.reg for Win32 user devices and SsonRegUpx64.reg for Win64 user devices.

5. Log off and then log on to the user device.


To change client resource permissions in the registry

1. Download the registry settings from http://support.citrix.com/article/CTX124871.html and import the settings on each user device. Use SsonRegUpx86.reg for Win32 user devices and SsonRegUpx64.reg for Win64 user devices.

2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust and in the appropriate regions, change the default value to the required access values for any of the following resources:

Resource key                                 Resource description
FileSecurityPermission                       Client drives
MicrophoneAndWebcamSecurityPermission        Microphones and webcams
PdaSecurityPermission                        PDA devices
ScannerAndDigitalCameraSecurityPermission    USB and other devices

Value    Description
0        No Access
1        Read-only access
2        Full access
3        Prompt user for access
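To review what these settings grant on a user device, the following added example (not Citrix code) reads the text of a registry export of the Client Selective Trust key and maps each resource key's default value to the access levels in the table above. It treats the subkeys between the base key and the resource key as an opaque region path and assumes the default value is stored as a string or a DWORD; the region names in the sample are constructed placeholders.

```python
import re

BASE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust"

# Resource keys and access values exactly as listed in the tables on this page.
RESOURCES = {
    "FileSecurityPermission": "Client drives",
    "MicrophoneAndWebcamSecurityPermission": "Microphones and webcams",
    "PdaSecurityPermission": "PDA devices",
    "ScannerAndDigitalCameraSecurityPermission": "USB and other devices",
}
ACCESS = {0: "No Access", 1: "Read-only access", 2: "Full access", 3: "Prompt user for access"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Default value line in a .reg export: @="2" (string) or @=dword:00000002
DEFAULT_RE = re.compile(r'^@=(?:"(?P<text>[^"]*)"|dword:(?P<dword>[0-9a-fA-F]{8}))$')

# Constructed sample export; EXAMPLE-REGION-A/B are placeholders, not real key names.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust\EXAMPLE-REGION-A\FileSecurityPermission]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust\EXAMPLE-REGION-A\MicrophoneAndWebcamSecurityPermission]
@="3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust\EXAMPLE-REGION-B\FileSecurityPermission]
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust\EXAMPLE-REGION-B\ScannerAndDigitalCameraSecurityPermission]
@=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust\EXAMPLE-REGION-B\PdaSecurityPermission]
@="7"
"""


def audit_selective_trust(reg_text):
    """Return (region, resource key, value, meaning) for each resource key with a default value."""
    rows = []
    current = None  # (region path, resource key) of the key block being read
    prefix = BASE_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = None
            key = key_match.group("key")
            if key.lower().startswith(prefix):
                parts = key[len(prefix):].split("\\")
                if parts[-1] in RESOURCES:
                    current = ("\\".join(parts[:-1]), parts[-1])
            continue
        value_match = DEFAULT_RE.match(line)
        if value_match and current:
            if value_match.group("dword") is not None:
                value = int(value_match.group("dword"), 16)
            else:
                text = value_match.group("text")
                value = int(text) if text.isdigit() else None
            rows.append((current[0], current[1], value, ACCESS.get(value, "unrecognized value")))
            current = None
    return rows


def needs_review(rows):
    """Rows that grant Full access (2) or hold a value outside the documented 0-3 range."""
    return [row for row in rows if row[2] == 2 or row[2] not in ACCESS]


if __name__ == "__main__":
    for region, resource, value, meaning in audit_selective_trust(SAMPLE_REG_EXPORT):
        print(f"{region}: {RESOURCES[resource]} = {value} ({meaning})")
```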


Enabling Smart Card Logon

Enabling smart card logon allows users to use smart cards instead of passwords to authenticate to XenApp servers. You can use smart card logon either with or without pass-through authentication.

You must enable smart card support on the server and set up and configure the user device properly with third-party smart card hardware and software. Refer to the documentation that came with your smart card equipment for instructions about deploying smart cards within your network.

The smart card removal policy set on XenApp determines what happens if you remove the smart card from the reader during an ICA session. The smart card removal policy is configured through and handled by the Windows operating system.

● Kerberos pass-through authentication requires a smart card inserted in the smart card reader at logon time only. With this logon mode selected, the plug-in prompts the user for a smart card PIN (Personal Identification Number) when it starts up. Kerberos pass-through authentication then caches the PIN and passes it to the server every time the user requests a published resource. The user does not have to subsequently reenter a PIN to access published resources or have the smart card continuously inserted. If authentication based on the cached PIN fails or if a published resource itself requires user authentication, the user continues to be prompted for a PIN.

● Disabling pass-through authentication requires a smart card to be present in the smart card reader whenever the user accesses a server. With pass-through disabled, the plug-in prompts the user for a smart card PIN when it starts up and every time the user requests a published resource.


Enforcing Trust Relations

Trusted server configuration is designed to identify and enforce trust relations involved in Receiver connections. This trust relationship increases the confidence of Receiver administrators and users in the integrity of data on user devices and prevents the malicious use of Receiver connections.

When this feature is enabled, Receivers can specify the requirements for trust and determine whether or not they trust a connection to the server. For example, a Receiver connecting to a certain address (such as https://*.citrix.com) with a specific connection type (such as SSL) is directed to a trusted zone on the server.

When trusted server configuration is enabled, XenApp servers or the Access Gateway must reside in a Windows Trusted Sites zone. (For step-by-step instructions about adding servers to the Windows Trusted Sites zone, see the Internet Explorer online help.)

If you connect using SSL, add the server name in the format https://CN, where CN is the Common Name shown on the SSL certificate. Otherwise, use the format that Receiver uses to connect; for example, if Receiver connects using an IP address, add the server’s IP address.

To enable trusted server configuration

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.

Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.

2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.

3. From the Action menu, choose Add/Remove Templates.

4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.

5. Select Open to add the template and then Close to return to the Group Policy Editor.

6. Expand the Administrative Templates folder under the User Configuration node.

7. From the Group Policy Editor, expand Administrative Templates and navigate through Citrix Components > Citrix Receiver > Network Routing > Configure trusted server configuration. In Windows 7 and Windows Server 2008, expand Administrative Templates and navigate through Classic Administrative Templates (ADM) > Citrix Components to the desired configuration option.

8. From the Action menu, choose Properties and select Enabled.


Elevation Level and wfcrun32.exe

When User Access Control (UAC) is enabled on devices running Windows Vista or later, only processes at the same elevation/integrity level as wfcrun32.exe can launch published applications.

Example 1:

When wfcrun32.exe is running as a normal user (un-elevated), other processes such as Receiver must be running as a normal user to launch applications through wfcrun32.

Example 2:

When wfcrun32.exe is running in elevated mode, other processes such as Connection Center, Receiver, and third party applications using the ICA Client Object that are running in non-elevated mode cannot communicate with wfcrun32.exe.


ICA Settings Reference

ChannelNameChannelName

ClientAudioAudioDevice(2) AudioHWSection AudioInWakeOnInput AudioOutWakeOnOutput

CommandAckThresh ControlPollTime ConverterSection DataAckThresh

MaxDataBufferSize MaxMicBufferSize NumCommandBuffers NumDataBuffers

PlaybackDelayThresh VariantName

ClientCommCOMAllowed(2) CommPollSize CommPollWaitInc CommPollWaitIncTime

CommPollWaitMax CommPollWaitMin CommWakeOnInput MaxPort, WindowSize

ClientDriveCDMReadOnly DisableDrives EnableAsyncWrites EnableReadAhead

MaxOpenContext MaxWindowSize NativeDriveMapping SFRAllowed

ClientPrinterPortPrinterThreadPriority PrintMaxRetry WindowSize WindowsPrinter

ClientPrinterQueuePrinterResetTime UnicodeEnabled VSLAllowed(2) WindowSize

WindowsPrinter WindowSize2

CompressDriverNameWin32(12)


DefaultSerialConnectionDTR

DelegationLockdownProfiles, RegionIdentification

DynamicAcceptURLType Address(2) BUCC(2) Command

DesiredColor(5) DriverNameAlt DriverNameAltWin32 DriverNameWin32(12)

InitialProgram(2) LongCommandLine(2) Path ProxyHost(3)

RECD(2) RejectURLType REWD(2) RtpAudioLowestPort

SessionSharingLaunchOnly SSOnCredentialType(3) startIFDCD(3) startSCD(2)

UseAlternateAddress(3) Username(3)    

EncodingInputEncoding

EncRC-5-0, EncRC-5-40, EncRC-5-56, and EncRC-5-128

DriverNameWin32(12)

ICA 3.0BufferLength BufferLength2 DriverNameWin32(12) VirtualDriver

VirtualDriverEx

LoggingLogConfigurationAccess, LogEvidence, LogFile

PingPingCount


PrelaunchApplicationState Schedule UserOverride

qwertyLicenseType, startIFDCD(3)


ServerAddress(2) InitialProgram(2) ScalingWidth

AECD IOBase Schedule

AltProxyAutoConfigURL(2) KeyboardTimer(2) ScreenPercent

AltProxyBypassList(2) Launcher SecureChannelProtocol(2)

AltProxyHost(2) LaunchReference SecurityTicket

AltProxyPassword(2) LocHttpBrowserAddress SessionSharingKey

AltProxyType(2) LogFlush SessionSharingName

AudioBandwidthLimit LogonTicket SmartcardRequired(2)

AudioDuringDetach LogonTicketType SpeedScreenMMA

AUTHPassword LongCommandLine(2) SpeedScreenMMAAudioEnabled

AUTHUserName LPWD SpeedScreenMMAMaxBufferThreshold

AutoLogonAllowed LVBMode(2) SpeedScreenMMAMaximumBufferSize

BrowserProtocol MouseTimer SpeedScreenMMAMinBufferThreshold

BUCC(2) MSIEnabled SpeedScreenMMASecondsToBuffer

CFDCD NDS SpeedScreenMMAVideoEnabled

ClearPassword NRUserName SSLCACert

ClientAudio NRWD SSLCertificateRevocationCheckPolicy(2)

  Password SSLCommonName

COCD PersistentCacheEnabled SSLEnable

ConnectionFriendlyName pnStartSCD SSLNoCACerts(2)

DataBits ProxyAuthenticationBasic(2) SSLProxyHost(2)

DesiredColor(5) ProxyAuthenticationNTLM(2) SSOnCredentialType(3)

DeviceName ProxyAuthenticationPrompt(2) SSOnDetected

DisableCtrlAltDel ProxyAutoConfigURL(2) startIFDCD(3)

DisableMMMaximizeSupport ProxyBypassList startSCD(2)

Domain ProxyFallback(2) TRWD

DoNotUseDefaultCSL ProxyFavorIEConnectionSetting(2) TWIEmulateSystray

EnableAudioInput ProxyHost(3) TWIMode

EnableClientSelectiveTrust ProxyPassword(2) TWISuppressZZEcho

EnableOSS ProxyTimeout TWITaskbarGroupingMode

EnableRtpAudio ProxyUseDefault UseAlternateAddress(3)

EnableSessionSharing ProxyUseFQDN(2) UseDefaultEncryption

EnableSessionSharingClient ProxyUsername UseLocalUserAndPassword(2)

EnableSessionSharingHost(2) RECD(2) UseMRUBrowserPrefs

EncryptionLevelSession REWD(2) Username(3)


endIFDCD RtpAudioHighestPort VirtualChannels

FONTSMOOTHINGTYPE   WorkDirectory

FriendlyName ScalingHeight ZLAutoHiLimit

ICASOCKSProtocolVersion(2) ScalingHeight ZLAutoLowLimit

ICASOCKSProxyHost(2) ScalingMode ZLKeyboardMode

ICASOCKSProxyPortNumber(2) ScalingPercent ZLMouseMode

InitialProgram  

SmartcardBypassSmartcardDomain BypassSmartcardPassword BypassSmartcardUsername PCSCCodePage

PCSCLibraryName SmartcardRequired(2) Username(3)

TCP/IPDefaultHttpBrowserAddress, DriverNameWin32(12), ICAPortNumber

Thinwire 3.0DesiredColor(5) InstallColormap PersistentCacheMinBitmap(2) PersistentCacheSize(2)

Tw2CachePower TW2StopwatchMinimum TW2StopwatchScale TWIFullScreenMode

WindowManagerMoveIgnored WindowManagerMoveTimeout WindowsCache

TransportBrowserRetry(2) BrowserTimeout(2) HttpBrowserAddress OutBufCountClient

OutBufCountClient2 OutBufCountHost OutBufCountHost2 OutBufLength


WFClientAllowAudioInput Hotkey1Shift PNPDeviceAllowed

AllowVirtualDriverEx Hotkey2Char Port1

AllowVirtualDriverExLegacy Hotkey2Shift Port2

AltProxyAutoConfigURL(2) Hotkey3Char POSDeviceAllowed

AltProxyBypassList(2) Hotkey3Shift PrinterFlowControl

AltProxyHost(2) Hotkey4Char ProxyAuthenticationBasic(2)

AltProxyPassword(2) Hotkey4Shift ProxyAuthenticationKerberos

AltProxyType(2) Hotkey5Char ProxyAuthenticationNTLM(2)

AlwaysSendPrintScreen Hotkey5Shift ProxyAuthenticationPrompt(2)

AppendUsername Hotkey6Char ProxyAutoConfigURL(2)

BrowserRetry(2) Hotkey6Shift ProxyBypassList

BrowserTimeout(2) Hotkey7Char ProxyFallback(2)

CbChainInterval Hotkey7Shift ProxyFavorIEConnectionSetting(2)

CDMAllowed Hotkey8Char ProxyHost(3)

CGPAddress Hotkey8Shift ProxyPassword(2)

ClientName Hotkey9Char ProxyPort

ClipboardAllowed Hotkey9Shift ProxyType

ColorMismatchPrompt_Have16_Want256 HotkeyJPN%dChar ProxyUseFQDN(2)

ColorMismatchPrompt_Have16M_Want256 HowManySkipRedrawPerPaletteChange ReadersStatusPollPeriod

ColorMismatchPrompt_Have64K_Want256 ICAHttpBrowserAddress RemoveICAFile

COMAllowed(2) ICAKeepAliveEnabled ResMngrRunningPollPeriod

ContentRedirectionScheme ICAKeepAliveInterval SecureChannelProtocol(2)

CPMAllowed ICAPrntScrnKey SessionReliabilityTTL

CRBrowserAcceptURLtype ICASOCKSProtocolVersion(2) SkipRedrawPerPaletteChange

CRBrowserCommand ICASOCKSProxyHost(2) SmartCardAllowed

CRBrowserPath ICASOCKSProxyPortNumber(2) SSLCertificateRevocationCheckPolicy(2)

CRBrowserPercentS KeyboardLayout SSLCiphers

CRBrowserRejectURLtype KeyboardSendLocale SSLNoCACerts(2)

CREnabled KeyboardType SSLProxyHost(2)

CRPlayerAcceptURLtype KeyboardTimer(2) SSOnCredentialType(3)

CRPlayerCommand LocalIME SSOnUserSetting

CRPlayerPath LogAppend SSPIEnabled

CRPlayerPercentS LogConnect SucConnTimeout

CRPlayerRejectURLtype LogErrors SwapButtons

CustomConnectionsIconOff LogFileGlobalPath TransparentKeyPassthrough


DeferredUpdateMode LogFileWin32 TransportReconnectDelay

DesiredColor(5) Lpt1 TransportReconnectEnabled

DisableSound Lpt2 TransportReconnectRetries

DisableUPDOptimizationFlag Lpt3 TransportSilentDisconnect

DynamicCDM LVBMode(2) TwainAllowed

EmulateMiddleMouseButton MinimizeOwnedWindows TWIIgnoreWorkArea

EmulateMiddleMouseButtonDelay MissedKeepaliveWarningMsg TWISeamlessFlag

EnableInputLanguageToggle MissedKeepaliveWarningTime TWIShrinkWorkArea

EnableSessionSharingHost(2) MouseWheelMapping UseAlternateAddress(3)

EnableSSOnThruICAFile PassThroughLogoff UsersShareIniFiles

FastIdlePollDelay PercentS VirtualCOMPortEmulation

ForceLVBMode PersistentCacheGlobalPath VSLAllowed(2)

FullScreenBehindLocalTaskbar PersistentCacheMinBitmap(2) Win32FavorRetainedPrinterSettings

FullScreenOnly PersistentCachePath WpadHost

Hotkey10Char PersistentCachePercent XmlAddressResolutionType

Hotkey10Shift PersistentCacheSize(2) ZLDiskCacheSize

Hotkey1Char PersistentCacheUsrRelPath ZLFntMemCacheSize


ICA Settings Reference

ChannelNameChannelName

ClientAudioAudioDevice(2) AudioHWSection AudioInWakeOnInput AudioOutWakeOnOutput

CommandAckThresh ControlPollTime ConverterSection DataAckThresh

MaxDataBufferSize MaxMicBufferSize NumCommandBuffers NumDataBuffers

PlaybackDelayThresh VariantName

ClientCommCOMAllowed(2) CommPollSize CommPollWaitInc CommPollWaitIncTime

CommPollWaitMax CommPollWaitMin CommWakeOnInput MaxPort, WindowSize

ClientDriveCDMReadOnly DisableDrives EnableAsyncWrites EnableReadAhead

MaxOpenContext MaxWindowSize NativeDriveMapping SFRAllowed

ClientPrinterPortPrinterThreadPriority PrintMaxRetry WindowSize WindowsPrinter

ClientPrinterQueuePrinterResetTime UnicodeEnabled VSLAllowed(2) WindowSize

WindowsPrinter WindowSize2

CompressDriverNameWin32(12)


DefaultSerialConnectionDTR

DelegationLockdownProfiles, RegionIdentification

DynamicAcceptURLType Address(2) BUCC(2) Command

DesiredColor(5) DriverNameAlt DriverNameAltWin32 DriverNameWin32(12)

InitialProgram(2) LongCommandLine(2) Path ProxyHost(3)

RECD(2) RejectURLType REWD(2) RtpAudioLowestPort

SessionSharingLaunchOnly SSOnCredentialType(3) startIFDCD(3) startSCD(2)

UseAlternateAddress(3) Username(3)    

EncodingInputEncoding

EncRC-5-0, EncRC-5-40, EncRC-5-56, and EncRC-5-128

DriverNameWin32(12)

ICA 3.0BufferLength BufferLength2 DriverNameWin32(12) VirtualDriver

VirtualDriverEx

LoggingLogConfigurationAccess, LogEvidence, LogFile

PingPingCount


PrelaunchApplicationState Schedule UserOverride

qwertyLicenseType, startIFDCD(3)


ServerAddress(2) InitialProgram(2) ScalingWidth

AECD IOBase Schedule

AltProxyAutoConfigURL(2) KeyboardTimer(2) ScreenPercent

AltProxyBypassList(2) Launcher SecureChannelProtocol(2)

AltProxyHost(2) LaunchReference SecurityTicket

AltProxyPassword(2) LocHttpBrowserAddress SessionSharingKey

AltProxyType(2) LogFlush SessionSharingName

AudioBandwidthLimit LogonTicket SmartcardRequired(2)

AudioDuringDetach LogonTicketType SpeedScreenMMA

AUTHPassword LongCommandLine(2) SpeedScreenMMAAudioEnabled

AUTHUserName LPWD SpeedScreenMMAMaxBufferThreshold

AutoLogonAllowed LVBMode(2) SpeedScreenMMAMaximumBufferSize

BrowserProtocol MouseTimer SpeedScreenMMAMinBufferThreshold

BUCC(2) MSIEnabled SpeedScreenMMASecondsToBuffer

CFDCD NDS SpeedScreenMMAVideoEnabled

ClearPassword NRUserName SSLCACert

ClientAudio NRWD SSLCertificateRevocationCheckPolicy(2)

  Password SSLCommonName

COCD PersistentCacheEnabled SSLEnable

ConnectionFriendlyName pnStartSCD SSLNoCACerts(2)

DataBits ProxyAuthenticationBasic(2) SSLProxyHost(2)

DesiredColor(5) ProxyAuthenticationNTLM(2) SSOnCredentialType(3)

DeviceName ProxyAuthenticationPrompt(2) SSOnDetected

DisableCtrlAltDel ProxyAutoConfigURL(2) startIFDCD(3)

DisableMMMaximizeSupport ProxyBypassList startSCD(2)

Domain ProxyFallback(2) TRWD

DoNotUseDefaultCSL ProxyFavorIEConnectionSetting(2) TWIEmulateSystray

EnableAudioInput ProxyHost(3) TWIMode

EnableClientSelectiveTrust ProxyPassword(2) TWISuppressZZEcho

EnableOSS ProxyTimeout TWITaskbarGroupingMode

EnableRtpAudio ProxyUseDefault UseAlternateAddress(3)

EnableSessionSharing ProxyUseFQDN(2) UseDefaultEncryption

EnableSessionSharingClient ProxyUsername UseLocalUserAndPassword(2)

EnableSessionSharingHost(2) RECD(2) UseMRUBrowserPrefs

EncryptionLevelSession REWD(2) Username(3)


endIFDCD RtpAudioHighestPort VirtualChannels

FONTSMOOTHINGTYPE   WorkDirectory

FriendlyName ScalingHeight ZLAutoHiLimit

ICASOCKSProtocolVersion(2) ScalingHeight ZLAutoLowLimit

ICASOCKSProxyHost(2) ScalingMode ZLKeyboardMode

ICASOCKSProxyPortNumber(2) ScalingPercent ZLMouseMode

InitialProgram  

Smartcard

BypassSmartcardDomain BypassSmartcardPassword BypassSmartcardUsername PCSCCodePage

PCSCLibraryName SmartcardRequired(2) Username(3)

TCP/IP

DefaultHttpBrowserAddress, DriverNameWin32(12), ICAPortNumber

Thinwire 3.0

DesiredColor(5) InstallColormap PersistentCacheMinBitmap(2) PersistentCacheSize(2)

Tw2CachePower TW2StopwatchMinimum TW2StopwatchScale TWIFullScreenMode

WindowManagerMoveIgnored WindowManagerMoveTimeout WindowsCache

Transport

BrowserRetry(2) BrowserTimeout(2) HttpBrowserAddress OutBufCountClient

OutBufCountClient2 OutBufCountHost OutBufCountHost2 OutBufLength


WFClient

AllowAudioInput Hotkey1Shift PNPDeviceAllowed

AllowVirtualDriverEx Hotkey2Char Port1

AllowVirtualDriverExLegacy Hotkey2Shift Port2

AltProxyAutoConfigURL(2) Hotkey3Char POSDeviceAllowed

AltProxyBypassList(2) Hotkey3Shift PrinterFlowControl

AltProxyHost(2) Hotkey4Char ProxyAuthenticationBasic(2)

AltProxyPassword(2) Hotkey4Shift ProxyAuthenticationKerberos

AltProxyType(2) Hotkey5Char ProxyAuthenticationNTLM(2)

AlwaysSendPrintScreen Hotkey5Shift ProxyAuthenticationPrompt(2)

AppendUsername Hotkey6Char ProxyAutoConfigURL(2)

BrowserRetry(2) Hotkey6Shift ProxyBypassList

BrowserTimeout(2) Hotkey7Char ProxyFallback(2)

CbChainInterval Hotkey7Shift ProxyFavorIEConnectionSetting(2)

CDMAllowed Hotkey8Char ProxyHost(3)

CGPAddress Hotkey8Shift ProxyPassword(2)

ClientName Hotkey9Char ProxyPort

ClipboardAllowed Hotkey9Shift ProxyType

ColorMismatchPrompt_Have16_Want256 HotkeyJPN%dChar ProxyUseFQDN(2)

ColorMismatchPrompt_Have16M_Want256 HowManySkipRedrawPerPaletteChange ReadersStatusPollPeriod

ColorMismatchPrompt_Have64K_Want256 ICAHttpBrowserAddress RemoveICAFile

COMAllowed(2) ICAKeepAliveEnabled ResMngrRunningPollPeriod

ContentRedirectionScheme ICAKeepAliveInterval SecureChannelProtocol(2)

CPMAllowed ICAPrntScrnKey SessionReliabilityTTL

CRBrowserAcceptURLtype ICASOCKSProtocolVersion(2) SkipRedrawPerPaletteChange

CRBrowserCommand ICASOCKSProxyHost(2) SmartCardAllowed

CRBrowserPath ICASOCKSProxyPortNumber(2) SSLCertificateRevocationCheckPolicy(2)

CRBrowserPercentS KeyboardLayout SSLCiphers

CRBrowserRejectURLtype KeyboardSendLocale SSLNoCACerts(2)

CREnabled KeyboardType SSLProxyHost(2)

CRPlayerAcceptURLtype KeyboardTimer(2) SSOnCredentialType(3)

CRPlayerCommand LocalIME SSOnUserSetting

CRPlayerPath LogAppend SSPIEnabled

CRPlayerPercentS LogConnect SucConnTimeout

CRPlayerRejectURLtype LogErrors SwapButtons

CustomConnectionsIconOff LogFileGlobalPath TransparentKeyPassthrough


DeferredUpdateMode LogFileWin32 TransportReconnectDelay

DesiredColor(5) Lpt1 TransportReconnectEnabled

DisableSound Lpt2 TransportReconnectRetries

DisableUPDOptimizationFlag Lpt3 TransportSilentDisconnect

DynamicCDM LVBMode(2) TwainAllowed

EmulateMiddleMouseButton MinimizeOwnedWindows TWIIgnoreWorkArea

EmulateMiddleMouseButtonDelay MissedKeepaliveWarningMsg TWISeamlessFlag

EnableInputLanguageToggle MissedKeepaliveWarningTime TWIShrinkWorkArea

EnableSessionSharingHost(2) MouseWheelMapping UseAlternateAddress(3)

EnableSSOnThruICAFile PassThroughLogoff UsersShareIniFiles

FastIdlePollDelay PercentS VirtualCOMPortEmulation

ForceLVBMode PersistentCacheGlobalPath VSLAllowed(2)

FullScreenBehindLocalTaskbar PersistentCacheMinBitmap(2) Win32FavorRetainedPrinterSettings

FullScreenOnly PersistentCachePath WpadHost

Hotkey10Char PersistentCachePercent XmlAddressResolutionType

Hotkey10Shift PersistentCacheSize(2) ZLDiskCacheSize

Hotkey1Char PersistentCacheUsrRelPath ZLFntMemCacheSize


AcceptURLType

Specifies the acceptable URL types for the Content Redirection scheme.

Section Dynamic

Feature ContentRedirection

Attribute Name INI_CR_ACCEPT_URL_TYPE

Data Type String

Access Type Read

UNIX Specific Yes

Present in ADM No

Values

Value Description

"" None rejected - Default

http

https

INI Location N/A

Registry Location N/A


Address(2)

Address of the target server.

Gives the application server host name. It is also used to check whether the connection is a dial-up or LAN connection. For TCP/IP connections, this can be the DNS name of a XenApp server, the IP address of a XenApp server, or the name of a published application.

Section Server,dynamic

Feature Misc

Attribute Name INI_ADDRESS

Data Type String

Access Type Read & Write

UNIX Specific No

Present in ADM No

Values

Value Description

"" DNS name or IP Address of a Citrix server - Default

INI Location

INI File Section Value

Module.ini TCP/IP  

Module.ini TCP/IP - FTP  

Module.ini TCP/IP - Novell Lan WorkPlace  

Module.ini TCP/IP - Microsoft  

Module.ini TCP/IP - VSL  

All_Regions.ini Network\Protocols  

canonicalization.ini TCP/IP Address

Registry Location

This key must be specified for .ica files.

Registry Key Value


HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Canonicalization\TCP/IP

Address

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP

 

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - FTP

 

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - Microsoft

 

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - Novell LanWorkPlace

 

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP - VSL

 

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Protocols

 

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Protocols

 


AECD

End User Experience Monitoring APPLICATION_ENUM_CLIENT (AECD).

End User Experience Monitoring (EUEM) startup data. The time it takes to get the list of applications.

Section Server

Feature EUEM

Attribute Name INI_EUEM_AECD

Data Type Integer

Access Type Read & Write

UNIX Specific No

Present in ADM No

Values

Value Description

-1 Initial reset value - Default

INI Location

INI File Section Value

All_Regions.ini Virtual Channels\End User Experience

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience

 

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience

 


AllowAudioInput

Allows the audio input for client audio.

Gives a boolean value specifying whether audio input is allowed or not.

Note: UNIX specific implementation.

Section WFClient

Feature Audio

Attribute Name INI_ALLOWAUDIOINPUT

Data Type Boolean

Access Type Read

UNIX Specific Yes

Present in ADM No

Values

Value Description

False Client audio input is not allowed - Default

True Client audio input is allowed

INI Location N/A

Registry Location N/A


AllowVirtualDriverEx

Allows third-party virtual driver extension.

Used to check whether virtual driver extension is allowed and, if so, appends third-party virtual channels.

To append a third-party virtual channel list to current virtual drivers, set AllowVirtualDriverEx to TRUE.

Section WFClient

Feature Core

Attribute Name INI_ALLOW_VIRTUALDRIVER_THIRDPARTY

Data Type Boolean

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

TRUE Allows third-party virtual driver extension - Default

FALSE Does not allow third-party virtual driver extension

INI Location

INI File Section Value

All_Regions.ini Virtual Channels\Third Party *

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Third Party

*

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Third Party

*


AllowVirtualDriverExLegacy

Allows legacy third-party virtual drivers.

Specifies whether (TRUE) or not (FALSE) to load legacy third-party virtual driver.

If this is set, the client parses the INI_ICA30 section for the value INI_VIRTUALDRIVER, which is a list of Virtual Drivers separated by commas; the ICA client attempts to load each Virtual Driver in this list. To load successfully, the .ini file must contain a section whose name matches the Virtual Driver and that has correct Virtual Driver entries.

Section WFClient

Feature Core

Attribute Name INI_ALLOW_VIRTUALDRIVER_THIRDPARTY_LEGACY

Data Type Boolean

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

TRUE Allow third-party legacy virtual drivers - Default

FALSE Do not allow third-party legacy virtual drivers

INI Location

INI File Section Value

All_Regions.ini Virtual Channels\Third Party *

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Third Party

*

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Third Party

*


AltProxyAutoConfigURL(2)

URLs for the proxy auto detection script. Gives the URL (location) of the proxy auto detection (.pac) script. Automatic Proxy Configuration is a proxy mode where the proxy configuration is described in a file, called a PAC (.pac) file.

It must be set if the value of "AltProxyType" is Script; otherwise, it is ignored.

ADM UI Element : Citrix Components > Citrix Receiver > Network routing > Proxy > Configure client failover proxy settings > Proxy script URLs

Section WFClient,Server

Feature Proxy

Attribute Name INI_ALTPROXYAUTOCONFIGURL

Data Type String

Access Type Read

UNIX Specific No

Present in ADM Yes

Values

Value Description

"" URL for proxy auto detection script - Default

INI Location

INI File Section Value

All_Regions.ini Network\Proxy

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy

3

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy

 


AltProxyBypassList(2)

List of servers that do not traverse the failover proxy.

Specifies a list of hosts for which to bypass proxy connections. For any proxy type, you can provide a list of servers that do not traverse the proxy. These should be placed in the "Bypass server list."

An asterisk (*) included in a host name acts as a wildcard (for example, *.widgets.com). Multiple hosts must be separated by a semicolon (;) or comma (,).

The bypass list can be up to 4096 characters. This parameter is ignored if the value of ProxyType is None or Auto.

ADM UI Element : Citrix Components > Citrix Receiver > Network routing > Proxy > Configure client failover proxy settings > Bypass server list.

Section WFClient, Server

Feature Proxy

Attribute Name INI_ALTPROXYBYPASSLIST

Data Type String

Access Type Read

UNIX Specific No

Present in ADM Yes

Values

Value Description

"" List of hosts, separated by semicolon (;) or comma (,) - Default

INI Location

INI File Section Value

All_Regions.ini Network\Proxy  


Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy

 

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy

 


AltProxyHost(2)

Address of alternate (failover) proxy server.

Specifies the address of the proxy server. It is required if the value of ProxyType is any of the following: Socks, SocksV4, SocksV5, Tunnel(Secure); otherwise, ProxyHost is ignored.

To indicate a port number other than 1080 (default for SOCKS) or 8080 (default for Secure), append the appropriate port number to the value after a colon (:).

ADM UI Element : Citrix Components > Citrix Receiver > Network routing > Proxy > Configure client failover proxy settings > Proxy host names

Section WFClient,Server

Feature Proxy

Attribute Name INI_ALTPROXYHOST

Data Type String

Access Type Read

UNIX Specific No

Present in ADM Yes

Values

Value Description

"" Proxy Server Address - Default

INI Location

INI File Section Value

All_Regions.ini Network\Proxy

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy

 

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy
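The bypass-list and proxy-host rules described under AltProxyBypassList and AltProxyHost, worked through as an added Python example (not code from Citrix or from this reference). The function names, the host names, and the choice of case-insensitive whole-name matching with * as the only wildcard are assumptions; IPv6 literals are not handled.

```python
import re

MAX_BYPASS_LEN = 4096                            # documented length limit
DEFAULT_PORT = {"socks": 1080, "secure": 8080}   # documented default ports


def parse_bypass_list(value):
    """Split a bypass list on ';' or ',' and normalise each host pattern."""
    if len(value) > MAX_BYPASS_LEN:
        raise ValueError("bypass list exceeds 4096 characters")
    return [p.strip().lower() for p in re.split(r"[;,]", value) if p.strip()]


def host_matches(host, pattern):
    """True if host matches pattern; '*' is the only wildcard (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, host.lower()) is not None


def proxy_family(proxy_type):
    """Map the spellings used in this reference to 'socks' or 'secure'."""
    kind = proxy_type.replace(" ", "").lower()
    if kind in ("socks", "socksv4", "socksv5"):
        return "socks"
    if kind in ("secure", "tunnel(secure)"):
        return "secure"
    return kind  # 'none', 'auto', 'wpad', 'script', ...


def parse_proxy_host(value, family):
    """Return (host, port); the family default applies when no ':port' is given."""
    value = value.strip()
    if not value:
        raise ValueError("a proxy host is required for this proxy type")
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        if not 1 <= int(port) <= 65535:
            raise ValueError("port out of range")
        return host, int(port)
    return value, DEFAULT_PORT[family]


def route(dest_host, proxy_type, proxy_host="", bypass_list=""):
    """Decide how a connection to dest_host is routed.

    Returns ("direct", None), ("auto", None), ("bypass", None)
    or ("proxy", (host, port)).
    """
    family = proxy_family(proxy_type)
    if family == "none":
        return ("direct", None)
    if family == "auto":
        return ("auto", None)   # bypass list is ignored for None and Auto
    if family not in DEFAULT_PORT:
        raise ValueError(f"proxy type {proxy_type!r} is not modelled here")
    proxy = parse_proxy_host(proxy_host, family)
    if any(host_matches(dest_host, p) for p in parse_bypass_list(bypass_list)):
        return ("bypass", None)
    return ("proxy", proxy)
```

A pattern written as *widgets.com instead of *.widgets.com also matches unrelated names that merely end in "widgets.com", so every bypass entry is worth reviewing for the leading dot.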

 


AltProxyPassword(2)

Failover proxy server password for user. Holds the clear text password to be used to automatically authenticate the client to the failover proxy.

Section WFClient,Server

Feature Proxy

Attribute Name INI_ALTPROXYPASSWORD

Data Type String

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

"" Prompt the user for the proxy password - Default

INI Location

INI File Section Value

All_Regions.ini Network\Proxy

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy

 

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy

 


AltProxyType(2)

Failover proxy type requested for connection.

Specifies what type of failover proxy server a host session uses. When AltProxyType = "Secure", the client contacts the proxy identified by the "AltProxyHost" and "AltProxyPort" settings. The negotiation protocol uses an "HTTP CONNECT" header request specifying the desired destination.

ADM UI Element : Citrix Components > Citrix Receiver > Network routing > Proxy > Configure client failover proxy settings > Proxy types

Section Server, WFClient

Feature Proxy

Attribute Name INI_ALTPROXYTYPE

Data Type String

Access Type Read

UNIX Specific No

Present in ADM Yes

Values

Value Description

None Use Direct Connection - Default

Auto Auto Detect from Web browser

Tunnel(Secure)

 

Wpad  

Socks  

Socks v4  

Socks v5  

Script Interpret proxy auto-configuration script


INI Location

INI File Section Value

All_Regions.ini Network\Proxy  

Trusted_Region.ini Network\Proxy Auto

Untrusted_Region.ini Network\Proxy Auto

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy

 

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\Trusted Region\Lockdown\Network\Proxy

Auto

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\Untrusted Region\Lockdown\Network\Proxy

Auto

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Network\Proxy

 


AlwaysSendPrintScreen

Turns the "AlwaysSendPrintScreen" attribute on or off in a seamless application. When the key is enabled, the user can use the "Print Screen" key on the keyboard while an ICA session is running with a seamless application.

Section WFClient

Feature Seamless

Attribute Name INI_ALWAYSSENDPRNTSCRN

Data Type Boolean

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

Off Print Screen key cannot be used - Default

On Print Screen key can be used

INI Location

INI File Section Value

All_Regions.ini Virtual Channels\Keyboard

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Keyboard

 

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\

 


AppendUsername

Specifies whether or not the user can append the user name to the window title bar. If the attribute is non-zero, the user can concatenate the user name with the regular text for the window title bar (very long window titles will be truncated).

Section WFClient

Feature CoreUI

Attribute Name INI_APPEND_USERNAME

Data Type Integer

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

0 Do not append the username - Default

1 Add the username to the window title

INI Location

INI File Section Value

All_Regions.ini Client Engine\GUI

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\GUI

 

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Client Engine\GUI

 


AudioBandwidthLimit

Specifies the audio bandwidth limit and, by extension, the audio quality for the connection. Higher audio quality requires more bandwidth. The bandwidth requirements for high quality audio might make this setting unsuitable for many deployments.

Corresponding UI Element:

For applicationsetname: SETTINGS dialog box > DEFAULT OPTION tab > SOUND QUALITY menu

For applicationservername: PROPERTIES dialog box > OPTIONS tab > SOUND QUALITY menu

ADM UI Element: Citrix Components > Citrix Receiver > User experience > Client audio settings.

Section Server

Feature Audio

Attribute Name INI_AUDIOBANDWIDTHLIMIT

Data Type Integer

Access Type Read

UNIX Specific No

Present in ADM Yes

Values

Value Description

1 Medium: 64 kilobits per second (network Connection) - Default

2 Low: 4 Kbps (serial Connection)

0 High: 1.4 megabits per second (Mbps)

INI Location

INI File Section Value

All_Regions.ini Virtual Channels  


Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio

*

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\Audio

*


AudioDevice(2)

Specifies the output device when there is more than one audio device available. It should default to the name that is standard for each UNIX variant.

Section ClientAudio

Feature Audio

Attribute Name INI_AUDIODEVICE

Data Type String

Access Type Read

UNIX Specific Yes

Present in ADM No

Values

Value Description

/dev/dsp For Linux, LinuxArm, or UCLinux - Default

/dev/audio For Solaris, SolarisX86, or netbsd - Default

<none> For any other platform - Default

INI Location N/A

Registry Location N/A


AudioDuringDetach

Specifies audio behavior when the ICO is detached from the page. Controls the audio behavior when a user navigates to a page with an ICA session, starts playing a wave file, and then navigates away.

If AudioDuringDetach is false and the ICO is detached from the page, the audio stops. If it is true, the audio continues even after the detach.

Section Server

Feature Audio

Attribute Name INI_AUDIODURINGDETACH

Data Type Boolean

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

False The audio will stop when ICO is detached - Default

True Audio will continue even after ICO is detached

INI Location N/A

Registry Location N/A


AudioHWSection

Used to locate the driver module in the [AudioConverter] section.

Section ClientAudio

Feature Audio

Attribute Name INI_CAM_AUDHW_SECTIONNAME

Data Type String

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

AudioConverter Default

INI Location

INI File Section Value

Module.ini AudioConverter AudioHardware

Module.ini ClientAudio AudioConverter

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\AudioConverter

AudioHardware

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\ClientAudio

AudioConverter


AudioInWakeOnInput

Enable/Disable audio input. Audio is on when audio is detected on input channel.

Linux only platform.

Section ClientAudio

Feature Audio

Attribute Name INI_CAM_AUDIOIN_WAKE_ON_INPUT

Data Type Boolean

Access Type Read & Write

UNIX Specific No

Present in ADM No

Values

Value Description

1 Enable audio input - Default

0 Disable audio input

INI Location N/A

Registry Location N/A


AudioOutWakeOnOutput

Enable/Disable audio output. Audio is enabled when audio is detected on output channel.

Linux only platform.

Section ClientAudio

Feature Audio

Attribute Name INI_CAM_AUDIOOUT_WAKE_ON_OUTPUT

Data Type Boolean

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

1 Enable audio input - Default

0 Disable audio input

INI Location N/A

Registry Location N/A


AUTHPassword

Specifies SSL authorization password.

Section Server

Feature SSL

Attribute Name INI_AUTHPASSWORD

Data Type String

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

"" If present, any valid string representing password for authentication - Default

INI Location N/A

Registry Location N/A


AUTHUserName

Specifies the SSL authorization username.

Section Server

Feature SSL

Attribute Name INI_AUTHUSERNAME

Data Type String

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

"" If present, the valid string representing username for authentication - Default

INI Location N/A

Registry Location N/A


AutoLogonAllowed

Specifies whether or not autologon is allowed for the Secure ICA client; specifies whether (Off) or not (On) to require users to enter their user name, domain name, and password when connecting using encryption levels greater than Basic. By default, users are required to enter this information, even if it is present in appsrv.ini.

Section Server

Feature SSL

Attribute Name AUTOLOGON

Data Type Boolean

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

FALSE Does not allow autologon for secure ICA client - Default

TRUE Allows autologon for secure ICA client

INI Location

INI File Section Value

All_Regions.ini Login *

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Lockdown Profiles\All Regions\Lockdown\Logon

*

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Logon

*
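An added Python example, not part of the original reference, that audits an INI-style client configuration for settings documented above: stored passwords (AltProxyPassword, AUTHPassword), AutoLogonAllowed, and the two third-party virtual driver switches whose documented default is TRUE. The sample file, its section names, the accepted boolean spellings and the finding texts are constructed assumptions.

```python
import configparser

# Constructed sample in appsrv.ini/.ica layout (all values are made up).
SAMPLE_INI = """\
[WFClient]
AltProxyType=Secure
AltProxyHost=proxy2.example.test:8443
AltProxyPassword=Winter2011!
AllowVirtualDriverExLegacy=FALSE

[Finance Desktop]
AUTHUserName=svc_ica
AUTHPassword=changeme
AutoLogonAllowed=TRUE
"""

# Settings this reference describes as holding a password.
PASSWORD_KEYS = ("altproxypassword", "authpassword")

# Documented defaults, applied when a key is absent or empty.
DEFAULTS = {
    "allowvirtualdriverex": True,
    "allowvirtualdriverexlegacy": True,
    "autologonallowed": False,
}

TRUTHY = {"true", "on", "1", "yes"}  # assumed spellings of an enabled boolean


def load(text):
    """Parse INI text; keys are lower-cased by configparser."""
    parser = configparser.ConfigParser(
        interpolation=None,    # '%' in values is literal
        strict=False,          # tolerate repeated sections or keys
        allow_no_value=True,   # tolerate bare keys
        delimiters=("=",),     # ':' appears inside host:port values
    )
    parser.read_string(text)
    return parser


def effective_bool(section, key):
    """Value of a boolean setting after applying its documented default."""
    raw = section.get(key)
    if raw is None or not raw.strip():
        return DEFAULTS[key]
    return raw.strip().lower() in TRUTHY


def audit(text):
    """Return sorted (section, setting, reason) findings; never the secret itself."""
    cfg = load(text)
    findings = []
    for name in cfg.sections():
        sec = cfg[name]
        for key in PASSWORD_KEYS:
            if (sec.get(key) or "").strip():
                findings.append((name, key, "password stored in file"))
        if effective_bool(sec, "autologonallowed"):
            findings.append((name, "autologonallowed", "autologon enabled"))
    # The virtual driver switches live in WFClient; absence means TRUE.
    wfclient = cfg["WFClient"] if cfg.has_section("WFClient") else {}
    for key in ("allowvirtualdriverex", "allowvirtualdriverexlegacy"):
        if effective_bool(wfclient, key):
            findings.append(("WFClient", key, "third-party virtual drivers allowed"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(*finding, sep=" | ")
```

Because the default is TRUE, a file that never mentions AllowVirtualDriverEx is reported the same way as one that sets it to TRUE.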


BrowserProtocol

Specifies the network protocol used for ICA browsing.

The value contains the browser's protocol to use: either HTTP on TCP or UDP.

Note: IPX, SPX, and NetBIOS are no longer supported.

Section Server

Feature EnumRes

Attribute Name INI_BROWSEPROTOCOL

Data Type String

Access Type Read/Write

UNIX Specific No

Present in ADM No

Values

Value Description

UDP Default

HTTPonTCP

INI Location

INI File Section Value

All_Regions.ini Application Browsing

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing

 

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing

 


BrowserRetry(2)

Specifies the number of times the ICA Client device will resubmit an ICA Master Browser request that has timed out.

Section Transport,WFClient

Feature EnumRes

Attribute Name INI_BROWSERRETRY

Data Type Integer

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

3 Default

INI Location

INI File Section Value

Module.ini TCP/IP 3

All_Regions.ini Application Browsing *

appsrv.ini WFClient 3

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP

3

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing

*

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing

*


BrowserTimeout(2)

Specifies the number of milliseconds the ICA Client will wait for a response after making a request to the ICA Master Browser.

Section Transport,WFClient

Feature EnumRes

Attribute Name INI_BROWSERTIMEOUT

Data Type Integer

Access Type Read

UNIX Specific No

Present in ADM No

Values

Value Description

1000 Timeout (ms) - Default

INI Location

INI File Section Value

Module.ini TCP/IP 1000

All_Regions.ini Application Browsing *

appsrv.ini WFClient 1000

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICAClient\Engine\Configuration\Advanced\Modules\TCP/IP

1000

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing

*

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Application Browsing

*


BUCC(2)

The number of backup URL retries before success. This is one of the Session Client startup data values stored with the End User Experience Monitoring (EUEM) metrics.

Note: This is the only start-up metric that is a count of attempts, rather than a duration.

Section Server, Dynamic

Feature EUEM

Attribute Name INI_EUEM_BUCC

Data Type Integer

Access Type Read & Write

UNIX Specific No

Present in ADM No

Values

Value Description

0 Number of backup URL retries before success - Default

INI Location

INI File Section Value

All_Regions.ini Virtual Channels\End User Experience

Registry Location

Registry Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience

 

HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\LockdownProfiles\All Regions\Lockdown\Virtual Channels\End User Experience