Virtual Delivery Agent (VDA) 7. Carl Stalhood.
Hardware.

If vSphere 6, don’t use hardware version 1. NVIDIA GRID. VMware 2. Video playback performance issue with hardware version 1. VMs in 2. D mode. For virtual desktops, give the virtual machine: 2+ vCPU and 2+ GB of RAM. For Windows 2. R2 RDSH, give the virtual machine 4 vCPU and 1. 2- 2. 4 GB of RAM. For Windows 2. R2 RDSH, give the virtual machine 8 vCPU, and 2. 4- 4. GB of RAM. Remove the floppy drive. Remove any serial or LPT ports. If vSphere. To reduce disk space, reserve memory. Memory reservations reduce or eliminate the virtual machine .

The NIC should be VMXNET3. If this VDA will boot from Provisioning Services. Give the VDA extra RAM for caching. Do not enable Memory Hot Plug. For vSphere, the NIC must be VMXNET3. For vSphere, configure the CD-ROM to boot from IDE instead of SATA. SATA comes with VM hardware version 1. SATA won’t work with PvS. Install the latest version of drivers (e.g. VMware Tools). If Windows 7 on vSphere, don’t install the VMware SVGA driver. For more details, see CTX2. Intermittent Connection Failures/Black Screen Issues When Connecting from Multi-Monitor Client Machines to Windows 7 VDA with VDA 7. Sphere/ESXi.

If vSphere, disable NIC Hotplug. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad. To disable this functionality, power off the virtual machine. Once powered off, right-click the virtual machine and click Edit Settings. On the VM Options tab, expand Advanced and then click Edit Configuration. Click Add Row. On the left, enter devices. On the right, enter false. Then click OK a couple times to close the windows. The VM can then be powered on.

Windows Preparation.

If RDSH, disable IE Enhanced Security Config. Optionally, go to Action Center (Windows 8. R2) or Security and Maintenance (Windows 1. User Account Control and enable SmartScreen . Run Windows Update. If Windows Firewall is enabled. Enable File Sharing so you can access the VDA remotely using SMB. Enable COM+ Network Access and the three Remote Event Log rules so you can remotely manage the VDA. Add your Citrix Administrators group to the local Administrators group on the VDA.
The Remote Desktop Services “Prompt for Password” policy prevents Single Sign-on to the Virtual Delivery Agent. Check registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. If fPromptForPassword = 1 then you need to fix group policy. The following GPO setting will prevent Single Sign-on from working. Computer Configuration \ Policies \ Administrative templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection. Or install VDA hotfix 4 and set the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PorticaAutoLogon (DWORD) = 0x.

For Windows 7 VDAs that will use Personal vDisk, install Microsoft hotfix 2. A computer stops responding because of a deadlock situation in the Mountmgr. This hotfix solved a Personal vDisk Image update issue detailed at Citrix Discussions. If this VDA is Windows Server 2. R2, request and install the Windows hotfixes recommended by Citrix CTX1. Scroll down to see the list of recommended Microsoft hotfixes for Windows Server 2. R2. Ignore the XenApp 6.x portions of the article. Also see http: //www. To remove the built-in apps in Windows 1. Robin Hobo How to remove built-in apps in Windows 1. Enterprise.

For Remote Assistance in Citrix Director, configure the GPO setting Computer Configuration\Policies\Administrative Templates\System\Remote Assistance\Offer Remote Assistance. See Jason Samuel – How to setup Citrix Director Shadowing with Remote Assistance using Group Policy for more details.

Install Virtual Delivery Agent 7.
VDA 7. 6. 3. 00 is newer than what’s on the base XenApp/XenDesktop 7. ISO. If you install 7. For virtual desktops, make sure you are logged into the console. The VDA won’t install if you are connected using RDP. For Windows 10, you’ll need Citrix Profile Management 5. Make sure 8.3 file name generation is not disabled. If so, see CTX1. 31. User Cannot Launch Application in Seamless Mode to fix the AppInit_DLLs registry keys. Make sure .NET Framework 4.

Go to the downloaded Virtual Delivery Agent 7. XenDesktop Platinum, XenDesktop Enterprise, XenApp Platinum, or XenApp Enterprise) and run VDAServerSetup_7. 6. 3. 00. VDAWorkstationSetup_7. VDA you are building. If UAC is enabled then you must right-click the installer and click Run as administrator.
In the Environment page, select Create a Master Image and click Next.
For virtual desktops, in the HDX 3D Pro page, click Next.
In the Core Components page, if you don’t need Citrix Receiver installed on your VDA then uncheck the box. Click Next.
In the Delivery Controller page, select Do it manually. Enter the FQDN of each Controller. Click Test connection. And then make sure you click Add. Click Next when done.
In the Features page, click Next. If this is a virtual desktop, you can leave Personal vDisk unchecked now and enable it later.
In the Firewall page, click Next.
In the Summary page, click Install.
For RDSH, click Close when you are prompted to restart. After the machine reboots twice, login and installation will continue.
After installation, click Finish to restart the machine again.
If 8.3 file name generation is disabled, see CTX1. User Cannot Launch Application in Seamless Mode to fix the AppInit_DLLs registry keys.

Virtual Delivery Agent 7. Hotfixes.

Download Virtual Delivery Agent 7. There are DesktopVDACore hotfixes and ServerVDACore hotfixes, depending on which type of VDA you are building. Install each hotfix by double-clicking the . In the Welcome to the Citrix HDX TS/WS Setup Wizard page, click Next. In the Ready to update page, click Update. In the Completed the Citrix HDX TS/WS Setup Wizard page, click Finish. When prompted to restart, if you have multiple hotfixes to install, click Cancel. Continue installing hotfixes. Restart when done.

Broker Agent 7. 6. Hotfix 1.

Go to the downloaded Broker Agent 7. Hotfix 1 and run BrokerAgentWX64_7_6_3. Install the hotfix.
Reboot when prompted. The file C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe is updated to version 7.

Controller Registration Port.

Some environments will not accept the default port 8. Virtual Delivery Agent registration. To change the port, do the following on the Virtual Delivery Agent:
Open Programs and Features. Find Citrix Virtual Delivery Agent and click Change.
Click Customize Virtual Delivery Agent Settings.
Edit the Delivery Controllers and click Next.
On the Configure Delivery Controller page, change the port number and click Next.
In the Summary page, click Reconfigure.
In the Finish Reconfiguration page, click Finish. The machine automatically restarts.
You must also change the VDA registration port on the Controllers by running BrokerService.exe /VDAPort.

Controller Registration – Verify.

If you restart the Virtual Delivery Agent machine or restart the Citrix Desktop Service… In Windows Logs \ Application, you should see an event 1. Citrix Desktop Service saying that it successfully registered with a controller. If you don’t see this then you’ll need to fix the ListOfDDCs registry key. You can also run Citrix’s Health Assistant on the VDA. If you are installing VDA 7. Citrix Profile Management 5.

Virtual Delivery Agent Hotfixes.

These hotfixes are already included in VDA 7. Only install these on a base VDA 7. Citrix CTX1. 42. 35. Recommended Hotfixes for XenApp 7.x. For RDSH, download Virtual Delivery Agent hotfixes for Server OS. These hotfixes will have the letters TS in the name. For virtual desktops, download Virtual Delivery Agent hotfixes for Desktop OS. These hotfixes will have the letters WS in the name. Install each hotfix by double-clicking the . At a minimum, install VDA 7. Hotfix 3. 2 for TS, or 2. WS x86, or 2. 6 for WS x. This is required for Framehawk and the Receiver for HTML5 File Transfer functionality. In the Welcome to the Citrix HDX TS/WS Setup Wizard page, click Next. In the Ready to update page, click Update. In the Completed the Citrix HDX TS/WS Setup Wizard page, click Finish. When prompted to restart, if you have multiple hotfixes to install, click Cancel. Continue installing hotfixes. Restart when done.

Framehawk.

VDA 7. Only install these on a base VDA 7. Download Framehawk Components from XenApp Platinum, XenApp Enterprise, XenDesktop Platinum, or Xen.
Locking Down Windows Server 2. Terminal Services.

Introduction.

Some of the greatest enhancements to Terminal Services in its Windows Server 2. Being one of the most prolifically used forms of remote server access by both administrators and users alike, this is not too much of a surprise and is greatly welcomed. In this article we will go through several things you can do to make your Terminal Server environment more secure.

Using Two-Factor Authentication.

Do you remember watching the Little Rascals when you were growing up? If so, then you remember that every time someone wanted to walk into a He-Man Woman Hater’s club meeting, they first had to give a special knock on the door, followed by presenting the super secret official club handshake. Even a group of rambunctious seven year olds knew the importance of having two forms of authentication, so it makes that much more sense that we would want to do the same when thinking about network security. There are several different forms of two-factor authentication available, but the most common that is supported by Terminal Services is the use of Smart Cards. In using a smart card, a user not only has to provide valid logon credentials, but they must also be able to physically connect the smart card to the device they are using as a remote terminal.

In order to require smart card authentication, you must create a Group Policy Object that can be applied to your Terminal Server. In the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and enable the Interactive Logon: Require Smart Card setting. Also, you will need to enable Smart Cards to be redirected to the Terminal Server by placing a check in the Smart Cards checkbox on the Local Resources tab of the Remote Desktop Connection client on user workstations.

Figure 1.

Enforce Network Level Authentication for All Clients.

In previous implementations of Terminal Services, authentication to the server was achieved by connecting to a session on the server and entering login credentials into the Windows Server logon screen. This may seem fairly trivial, but from a security perspective being able to reach a session logon screen can disclose information about our network (domain name, computer name) or leave our server vulnerable to a denial of service attack from anybody who happens to have that server’s public IP address.

Network Level Authentication (NLA) is a feature introduced in version 6. Remote Desktop Connection Client which allows a user to enter their logon credentials prior to being displayed a Windows Server logon screen. Windows Server 2. Figure 2. In order to use NLA, you must be using a Windows 2. Server, and your connecting clients must support CredSSP (Windows XP SP3, Windows Vista, Windows 7) as well as be running Remote Desktop Connection 6.
You can configure your Terminal Server to require its clients to use NLA in a few different locations:

During the initial Terminal Services role installation process, when you are presented with the Specify Authentication Method for Terminal Server screen, select the Allow connections only from computers running Remote Desktop with Network Level Authentication option.

Access the Terminal Services Configuration MMC Snap-In, right-click the terminal server connection being used by your clients and select properties, and select the Allow connections only from computers running Remote Desktop with Network Level Authentication option.

Create a Group Policy Object, browse to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security, enable the Require user authentication for remote connections by using Network Level Authentication setting, and apply it to an OU containing the terminal server.
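
To confirm that the smart card and NLA settings described above actually took effect on a server, the following PowerShell check reads the registry values behind them. It is an added example, not part of the original article; the value names UserAuthentication and scforceoption do not appear in the article and are the registry values in which Windows stores these two settings, and the function names are illustrative.

```powershell
# Added example (not from the original article): report smart-card and NLA
# enforcement on a Terminal Server by reading the values behind the settings.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$stationsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$systemKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-NlaReport {
    # A GPO-delivered value lands under the Policies key and overrides whatever
    # was chosen at role installation or in the configuration snap-in.
    $policyNla = Get-RegValue $policyKey 'UserAuthentication'
    $listeners = Get-ChildItem -Path $stationsKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ne 'Console' }   # Console is not a network listener
    foreach ($listener in $listeners) {
        $local     = Get-RegValue $listener.PSPath 'UserAuthentication'
        $effective = if ($null -ne $policyNla) { $policyNla } else { $local }
        [pscustomobject]@{
            Listener    = $listener.PSChildName
            LocalValue  = $local
            PolicyValue = $policyNla
            Source      = if ($null -ne $policyNla) { 'Group Policy' } else { 'Listener' }
            NlaRequired = ($effective -eq 1)
        }
    }
}

# "Interactive logon: Require smart card" is stored as scforceoption = 1.
$smartCardRequired = (Get-RegValue $systemKey 'scforceoption') -eq 1
"Interactive logon requires smart card: $smartCardRequired"

$report = @(Get-NlaReport)
$report | Format-Table -AutoSize

# Flag any listener that still accepts connections without NLA.
$failed = @($report | Where-Object { -not $_.NlaRequired })
if ($failed.Count -gt 0) {
    Write-Warning ("NLA not enforced on: " + ($failed.Listener -join ', '))
}
```

A listener whose Source column reads Listener is relying on a local setting only; applying the Group Policy Object described above makes the requirement survive local reconfiguration.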
Change the Default RDP Port.

By default, a Terminal Server uses port 3. RDP traffic. By default, every single competent hacker in the world knows that a Terminal Server uses port 3. RDP traffic. That being the case, one of the quickest changes you can make to your terminal server environment to deter potential intruders is to change this default port assignment.

In order to change the default RDP port for a Terminal Server, open regedit and browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Locate the PortNumber value and replace the hex value 0. D3. D (which is equivalent to 3. Alternatively, you can change the port number used by your Terminal Server on a per connection basis. While still using regedit, browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\connection name. Again, locate the PortNumber value and replace the hex value in place with the value you wish to use.

Keep in mind that when changing this setting on your server, all connecting clients will need to be sure they are connecting to the Terminal Server with the new port extension tagged on to the server’s IP address. For example, connecting to a Terminal Server with an internal IP address of 1. Remote Desktop Connection client.

Figure 3.

Use Easy Print and Limiting Redirected Printers.
Printing from devices locally attached to client workstations has always been a downfall of Terminal Services prior to Windows Server 2. In order to do this, you had to ensure the exact same version of the printer’s driver was installed on both the client and server, and even then this didn’t always work. From a security standpoint, we never want to install any more drivers to our system than we absolutely have to. Each driver installed to the server has the potential to broaden its attack surface. Windows Server 2. Easy Print which radically changes the way locally-attached printers are handled.

In essence, TS Easy Print is a driver that serves as a proxy that all print data is redirected through. When a client prints to a device using the Easy Print driver, the data and print settings are converted to a universal format that is sent to the Terminal Server for processing. In doing this, after clicking print the print dialog box is launched from the client and not in the terminal session. This means that no drivers have to be installed to the Terminal Server in order to process print jobs from locally-attached print devices.

In order to configure Easy Print you will need to ensure that all locally-attached print devices have logical printers configured on the client workstations that are set to use the Easy Print driver. The Easy Print feature is supported by all Windows XP SP3, Windows Vista, and Windows 7 clients running Remote Desktop Connection 6. NET Framework 3 SP1.

Figure 4.

Once you have configured the locally-attached devices at the workstation level, it is a good idea to ensure that the only printer being redirected to the Terminal Server is the printer using TS Easy Print, which should be set as the default printer. You can do this by creating a Group Policy Object and browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection, and enabling the Redirect only the default client printer option.
Limit User Accounts.

If you hire someone to plow your fields then typically all you need to do is give that person the keys to the tractor… not the keys to the combine, the barn, and the four-wheel drive. That is not just because they don’t need a combine to do the task at hand, but because you don’t really want to see your brand new John Deere turn up missing or find it in a ditch.

Using that same train of thought, we have to keep in mind that when a user is connecting to and working directly from a server they may inherently have access to several things they don’t need, and in order to create a more secure environment we need to limit this. This not only protects against a user’s credentials being compromised, but also protects against a legitimate user with illegitimate intentions. A couple of things we can do include:

Use Specific Accounts for Terminal Users.

It is not uncommon for a user to work locally with certain applications and then access a Terminal Server for access to other applications. Using the same user account for both local and terminal access is easier from a management standpoint, but it also makes things easier from the viewpoint of an attacker who simply has to compromise one set of credentials to access a multitude of applications.