Tag: Citrix/Terminal Services

Today I ran into a curious problem. I had installed Flash 9 on three Citrix servers and on the last one it only worked for admins.

I googled for a while and ran into this solution:

1. Make sure you have ADMIN privileges to the machine
2. Search your machine for the file “flash.ocx”
3. copy or write down the full path to this file. It -should- be
C:/Windows/System32/Macromed/Flash/Flash.ocx
If the file is NOT in that folder, copy it into that folder. Make sure there are NO other .ocx files in that folder. If there is an ‘swflash.ocx’ delete it.
4. Choose Start> Run
5. In the run dialog, type or paste exactly this line. :
RegSvr32 C:/Windows/System32/Macromed/Flash/Flash.ocx

 

And it worked!!!

Links:

http://www.brianmadden.com/forums/t/21123.aspx

The other day I ran into a problem with an old Windows 2000 Citrix Server which suddenly stopped accepting some connections. The problem turned out to be that they recently updated the server with Rollup Fix 1 (from 2005). It seems that there is a problem with RO1 together with Citrix. The fix needs to be manually downloaded from MS.

Links

http://support.microsoft.com/default.aspx?scid=kb;en-us;891861
http://support.microsoft.com/kb/904711
http://support.citrix.com/article/CTX107051

I have collected a couple of programs for remote control:

mRemote
Vision App Remote Desktop (requires registration)
Terminals

Note: This is a work in progress

[Computer ConfigurationAdmin TemplatesSystemGroup Policy]

Enable the following setting:
User Group Policy loopback processing mode

[Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options]

Enable the following settings:
Do not display last user name in logon screen
Restrict CD-ROM access to locally logged-on user only
Restrict floppy access to locally logged-on user only

[Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Installer]

Enable the following setting, and set it to Always:
Disable Windows Installer

Note The default setting for Disable Windows Installer prevents any non-managed applications from being installed by a non-administrator. Setting Disable Windows Installer to Always may prevent some of the newer updates from Windows Update from being applied. Therefore, we recommend that you only set Disable Windows Installer to Always if there is a specific need or an identified threat that you must address. 

[User ConfigurationWindows SettingsFolder Redirection]

Enable the following settings:
Application Data
Desktop
My Documents
Start Menu

[User ConfigurationAdministrative TemplatesWindows ComponentsWindows Explorer]

Enable the following settings:
Remove Map Network Drive and Disconnect Network Drive
Remove Search button from Windows Explorer
Disable Windows Explorer’s default context menu
Hides the Manage item on the Windows Explorer context menu
Hide these specified drives in My Computer (Enable this setting for A through D.)
Prevent access to drives from My Computer (Enable this setting for A through D.)
Hide Hardware Tab

[User ConfigurationAdministrative TemplatesWindows ComponentsTask Scheduler]

Enable the following settings:
Prevent Task Run or End
Disable New Task Creation

[User ConfigurationAdministrative TemplatesStart Menu & Taskbar]

Enable the following settings:
Disable and remove links to Windows Update
Remove common program groups from Start Menu
Disable programs on Settings Menu
Remove Network & Dial-up Connections from Start Menu
Remove Search menu from Start Menu
Remove Help menu from Start Menu
Remove Run menu from Start Menu
Add Logoff to Start Menu
Disable and remove the Shut Down command
Disable changes to Taskbar and Start Menu Settings

[User ConfigurationAdministrative TemplatesDesktop]

Enable the following settings:
Hide My Network Places icon on desktop
Prohibit user from changing My Documents path

[User ConfigurationAdministrative TemplatesControl Panel]

Enable the following setting:
Disable Control Panel
Important When you enable this setting, you prevent administrators from installing any MSI package on to the Terminal Server, even if the explicit Deny is set for the Administrator account. 

[User ConfigurationAdministrative TemplatesSystem]

Enable the following settings:
Disable the command prompt (Set Disable scripts to No)
Disable registry editing tools

[User ConfigurationAdministrative TemplatesSystemLogon/Logoff]

Enable the following settings:
Disable Task Manager
Disable Lock Computer

[Computer ConfigurationAdministrative TemplatesSystemUser Profiles]

Enable the following settings:

Delete Cached Copies of Roaming Profiles

[User ConfigurationAdministrative TemplatesInternet ExplorerInternet Control PanelAdvanced Page]

Enable the following settings:

Empty Temporary Internet Files Folder when browser is closed

Turn off Internet Explorer enhanced Security for regualar users

Links:

http://www.msterminalservices.org/articles/Locking-Down-Windows-Terminal-Services.html
http://support.microsoft.com/?kbid=278295
http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=37&threadid=45686&enterthread=y
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html

Here is a link on how to package a Citrix Client for deployment using AD and GPO

Source

http://www.appdeploy.com/packages/detail.asp?id=539

Q: I get the following error om my terminal servers:

Event Type: Error
Event Source: .NET Runtime
Event Category: None
Event ID: 0
Date:  2007-06-19
Time:  07:08:58
User:  N/A
Computer: COMPUTER
Description:
The description for Event ID ( 0 ) in Source ( .NET Runtime ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Unable to open shim database version registry key – v2.0.50727.00000.

A: There is a hotfix for this but I am not sure how public it is. I got it from connect.microsoft.com (direct link below)

KB Link

Download Link

Source

From Windows Server 2003 SP1 it is possible to protect the RDP connection using SSL/TLS. This will give you a HUGE boost in security. Here is a simple way to set it up using a self signed certificate.

1. Create a self signed certificate using SelfSSL from the IIS 6.0 Resource Kit

   selfssl.exe /N:CN=LABDC01 /K:1024 /V:7 /S:1 /P:443

Note: If you already have IIS installed this will add the cert to the default website and if you are not going to use it you can disable SSL on that site. If you already have a SSL site on the computer you will need to back up the cert because this will be broken so you will need to recreate it. If you do not have IIS installed you will recieve an error message because the cert can’t be added to the default website but it will still be addad to the computer cert store.

2. Start Terminal Services Configuration and open properties of RDP. Click the edit button and select the correct certificate.

3. Select Security Layer SSL

Apparently there is a change in the hotkey setup in Citrix Client v10 which sets Shift-F12 to mean Full Screen. Unfortunatley this conflicts with the AS/400 setup at one of my customers where Shift-F12 means F24… 

I am looking into this problem and I will write more in this article if I find a solution 

I had some problems with a customers brand new Citrix Server. I can use it locally but I run into problems over VPN.

After some searching the net I found this article on Citrix Knowledgebase. It gave a hint on somethin called Session Reliability whish I hadn’t heard of before. I said that I migth get it to work if I turned session reliability of. And what do you know… they where right 🙂

You can find the setting under Citrix Farm Properties.

Links:

Troubleshooting the Citrix XTE Service and Errors