Administrator’s Guide

Citrix MetaFrame for UNIX® Operating Systems
Feature Release 1 for Version 1.1,
Solaris Intel / Solaris SPARC®, HP-UX® and AIX®
Citrix Systems, Inc.
Information in this document is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission of
Citrix Systems, Inc.

© 1999-2001 Citrix Systems, Inc. All rights reserved.


Citrix, Independent Computing Architecture (ICA), SecureICA, Program Neighborhood, SpeedScreen, NFuse,
MetaFrame and WinFrame are registered trademarks or trademarks of Citrix Systems, Inc. in the U.S.A. and
other countries.

UNIX is a registered trademark of The Open Group in the U.S.A. and other countries.
Solaris is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries.
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC
International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon
an architecture developed by Sun Microsystems, Inc.

HP-UX is a registered trademark of Hewlett-Packard Company.

AIX is a registered trademark of International Business Machines Corporation.

ctwm source. Copyright 1988 by Evans & Sutherland Computer Corporation, Salt Lake City, Utah
Portions Copyright 1989 by the Massachusetts Institute of Technology, Cambridge, Massachusetts
All Rights Reserved Permission to use, copy, modify, and distribute this software and its documentation for any
purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in supporting documentation, and that the names of
Evans & Sutherland and M.I.T. not be used in advertising in publicity pertaining to distribution of the software
without specific, written prior permission.
EVANS & SUTHERLAND AND M.I.T. DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN
NO EVENT SHALL EVANS & SUTHERLAND OR M.I.T. BE LIABLE FOR ANY SPECIAL, INDIRECT
OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
THIS SOFTWARE.

ctwm source. Copyright 1992 Claude Lecommandeur. Permission to use, copy, modify and distribute this
software [ctwm] and its documentation for any purpose is hereby granted without fee, provided that the above
copyright notice appear in all copies and that both that copyright notice and this permission notice appear in
supporting documentation, and that the name of Claude Lecommandeur not be used in advertising or publicity
pertaining to distribution of the software without specific, written prior permission. Claude Lecommandeur make
no representations about the suitability of this software for any purpose. It is provided "as is" without express or
implied warranty.
Claude Lecommandeur DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT
SHALL Claude Lecommandeur BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
X Server source code. Copyright 1996 X Consortium Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation files (the “Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute,
sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE X
CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

xload. Copyright (c) 1989 X Consortium. Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to
the following conditions:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE X
CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of the X Consortium shall not be used in advertising or otherwise to
promote the sale, use or other dealings in this Software without prior written authorization from the X
Consortium.
X Window System is a trademark of X Consortium, Inc.

XFree86. Copyright 1990,91 by Thomas Roell, Dinkelscherben, Germany. Permission to use, copy, modify,
distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided
that the above copyright notice appear in all copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of Thomas Roell not be used in advertising or publicity
pertaining to distribution of the software without specific, written prior permission. Thomas Roell makes no
representations about the suitability of this software for any purpose. It is provided "as is" without express or
implied warranty.
THOMAS ROELL DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
THOMAS ROELL BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

FreeType Engine. The software is based in part of the work of the FreeType Team. The FreeType project is
copyright (C) 1996-1998 by David Turner, Robert Wilhelm, and Werner Lemberg.

XPM Library (C) 1989-95 GROUPE BULL

xv. Copyright 1994 by John Bradley. All rights reserved.

All other Trade Names referred to are the Servicemark, Trademark, or Registered Trademark of the respective
manufacturers.
Contents
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
UNIX Command-line Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Getting More Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Finding Resources on the Citrix Web Site . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Providing Feedback About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 1 Welcome to Citrix MetaFrame for UNIX Operating Systems . . . . . . . . 21
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
What’s New in Feature Release 1? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
New Features That Do Not Require a Feature Release 1 License . . . . . . 24
Fixes Included in Feature Release 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
PCL and Postscript Printing Problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Introduction to MetaFrame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
MetaFrame Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Integrating With Other Citrix Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Getting Started Quickly… . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
What To Do Next . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Chapter 2 Deploying MetaFrame Version 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Before You Begin Installing Version 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Minimum Machine Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
On the Solaris Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
On the HP-UX Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
On the AIX Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
UNIX Operating System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Operating System Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
On the Solaris Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
On the HP-UX Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
On the AIX Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Euro Currency Symbol Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Installing MetaFrame Version 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Installation Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Creating the Citrix Server Administrator User and Group . . . . . . . . . . . . . . 44
Installing MetaFrame on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Installing MetaFrame for the First Time . . . . . . . . . . . . . . . . . . . . . . . . . 45
Upgrading to Version 1.1 from a Previous Release of MetaFrame . . . . . 46
Performing an Unattended Install on Solaris . . . . . . . . . . . . . . . . . . . . . . 48
Installing MetaFrame on HP-UX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Performing an Unattended Install on HP-UX . . . . . . . . . . . . . . . . . . . . . 50
Installing MetaFrame on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Performing an Unattended Install on AIX . . . . . . . . . . . . . . . . . . . . . . . . 52
Setting the Paths to MetaFrame Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Configuring User Access to Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Configuring ctxsrvr Access to Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Setting the Path to the man pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Starting and Stopping MetaFrame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Starting MetaFrame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Stopping MetaFrame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
About ICA Client Keyboard Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuring Non-English Keyboard Support . . . . . . . . . . . . . . . . . . . . . . . . 57
Troubleshooting Non-English Keyboard Support . . . . . . . . . . . . . . . . . . 58
Configuring MetaFrame Event Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Removing MetaFrame Version 1.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Reinstalling MetaFrame Version 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
What To Do Next . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Chapter 3 Upgrading to Feature Release 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
About Feature Release 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Getting Feature Release 1 Up and Running Quickly. . . . . . . . . . . . . . . . . . . 64
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
MetaFrame Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Citrix SSL Relay Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Citrix XML Service Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Requirements for All Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Additional Requirements for the Solaris Operating Environment . . . . . . 67
Additional Requirements for the HP-UX Operating System . . . . . . . . . . 67
Additional Requirements for the AIX Operating System . . . . . . . . . . . . 67
Creating the ctxnfuse and ctxssl User Accounts. . . . . . . . . . . . . . . . . . . . . . . . . 67
Installing Feature Release 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Downloading Feature Release 1 Files From the Citrix Web Site . . . . . . . . . 69
Installing Feature Release 1 on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Performing an Unattended Install on Solaris . . . . . . . . . . . . . . . . . . . . . . 72
Installing Feature Release 1 on HP-UX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Performing an Unattended Install on HP-UX . . . . . . . . . . . . . . . . . . . . . 75
Installing Feature Release 1 on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Performing an Unattended Install on AIX . . . . . . . . . . . . . . . . . . . . . . . . 78
What To Do After Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
What Configuration is Required for Feature Release 1? . . . . . . . . . . . . . . . . . . 79
Configuration Required for New Features . . . . . . . . . . . . . . . . . . . . . . . . . . 79
SSL-Secure Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Greater ICA Session Size and Color Depth . . . . . . . . . . . . . . . . . . . . . . . 80
Multi-Monitor Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
HTTP Browsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Load Balancing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Application Caching and Filtering on NFuse . . . . . . . . . . . . . . . . . . . . . . 81
NIS+ Support on NFuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Configuring User Authentication in NFuse . . . . . . . . . . . . . . . . . . . . . . . 82
Configuration Required for Fixes to Take Effect . . . . . . . . . . . . . . . . . . . . . 82
Fixing the Disappearing Text Cursor Problem. . . . . . . . . . . . . . . . . . . . . 82
Enabling the Left-hand Keypad of SPARC Keyboards . . . . . . . . . . . . . . 83
Fixing the Disappearing X Cursor Problem . . . . . . . . . . . . . . . . . . . . . . . 83
Fixing Screen Refresh Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Color Depth Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Applications Requiring Writable Palettes . . . . . . . . . . . . . . . . . . . . . . . . 85
Applications Requiring 16-bit High Color . . . . . . . . . . . . . . . . . . . . . . . . 85
Multi-Monitor Display Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Limitations Using Seamless Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Limitations Using Remote Desktop Windows . . . . . . . . . . . . . . . . . . . . . 86
Removing Feature Release 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Reinstalling Feature Release 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Chapter 4 Citrix Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
What Is Citrix Licensing? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
License Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
The Grace Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
About User Counts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Pooling User Counts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Client Device Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Activating a License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Step 1—Adding the License Serial Number . . . . . . . . . . . . . . . . . . . . . . . . . 94
Step 2—Getting an Activation Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Step 3—Activating the License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Installing an Upgrade License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Displaying Information About Licenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Adjusting the Pooled User Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Removing a License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Removing an Upgrade License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Chapter 5 Publishing Applications and Desktops . . . . . . . . . . . . . . . . . . . . . . . . 101
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
About Published Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Why Publish Applications? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Administrative Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Efficient Use of Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Publishing Applications for Explicit or Anonymous Use . . . . . . . . . . . . . . 103
Publishing Applications for Explicit Use . . . . . . . . . . . . . . . . . . . . . . . . 103
Publishing Applications for Anonymous Use . . . . . . . . . . . . . . . . . . . . 103
Configuring Published Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Publishing an Application, Shell Script, or Desktop . . . . . . . . . . . . . . . . . . 105
Publishing an Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Publishing a Shell Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Publishing a Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Publishing a Java Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Publishing a UNIX Command-Line Application . . . . . . . . . . . . . . . . . . 107
Publishing an Application on a UNIX Server of Different Architecture 107
Specifying a Working Directory for Published Applications. . . . . . . . . 110
Publishing an Application to Accept Parameters From the Client. . . . . 110
Displaying Details About Published Applications . . . . . . . . . . . . . . . . . . . 112
Changing the Settings of a Published Application . . . . . . . . . . . . . . . . . . . 113
Enabling and Disabling Published Applications . . . . . . . . . . . . . . . . . . . . . 114
Creating a New Published Application from Existing Details . . . . . . . . . . 114
Renaming a Published Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Publishing an Application on More than One Server . . . . . . . . . . . . . . . . . 116
Restricting Connections to Published Applications Only . . . . . . . . . . . . . . 117
Deleting a Published Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring an Initial Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Deploying Applications that Require a 3-Button Mouse . . . . . . . . . . . . . . . . . 119
Publishing an Application With Mouse Mappings . . . . . . . . . . . . . . . . . . . 119
Step 1—Identify the Mouse Buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Step 2—Decide How to Emulate the Missing Mouse Button . . . . . . . . 120
Step 3—Publish the Application With Mouse Mappings . . . . . . . . . . . 120
Publishing Pre-Configured Applications for Anonymous Use. . . . . . . . . . . . . 121
Chapter 6 Managing Servers, Users, and Sessions . . . . . . . . . . . . . . . . . . . . . . . 123
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Displaying Information About Users and Sessions . . . . . . . . . . . . . . . . . . . . . 124
About the Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Displaying Information About Servers on the Network . . . . . . . . . . . . . . . . . . 126
About the Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Ending a Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Logging Off a Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Disconnecting a Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Connecting to a Disconnected Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Resetting a Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Reconnecting to Load Balanced Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Shadowing a User’s Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Ending Shadowing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Configuring a Different Hotkey to End Shadowing. . . . . . . . . . . . . . . . 132
Sending Messages to Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Displaying Client Printers or Printer Ports . . . . . . . . . . . . . . . . . . . . . . . . . 134
Printing From the Command Line. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Printing From Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Troubleshooting Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Connecting to a Remote Server from an ICA Session . . . . . . . . . . . . . . . . . . . 137
Chapter 7 Configuring a MetaFrame Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Configuring the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Controlling Logon Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Setting the Number of Permitted ICA Connections . . . . . . . . . . . . . . . . . . 142
Controlling Behavior for Disconnected or Broken Connections. . . . . . . . . 143
Enabling or Disabling Printing for Users . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Enabling or Disabling Clipboard Mapping . . . . . . . . . . . . . . . . . . . . . . . . . 144
Providing Additional Graphics Clipboard Support . . . . . . . . . . . . . . . . . . . 145
Providing Users with ctxcapture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Enabling or Disabling Shadowing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Controlling Timeout Behavior. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Allowing Users to Log On Without a Home Directory. . . . . . . . . . . . . . . . 150
Configuring Mouse-Click Feedback for High Latency Connections . . . . . 151
About the Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Generating and Using Server Configuration Details . . . . . . . . . . . . . . . . . . 153
Displaying a List of the Current Configuration . . . . . . . . . . . . . . . . . . . 153
Creating a Shell Script of the Current Configuration . . . . . . . . . . . . . . . 153
Propagating Server Configuration to Multiple Servers . . . . . . . . . . . . . 154
Screensaver Setting Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Customizing the Appearance of MetaFrame . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Customizing the Login Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Changing the Window Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Changing the Window Manager for Every User . . . . . . . . . . . . . . . . . . 157
Changing the Window Manager for a Particular User . . . . . . . . . . . . . . 158
Changing the Font Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
About Font Servers and Font Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Removing the Font Server From the Font Path . . . . . . . . . . . . . . . . . . . 159
Configuring Backing Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
When Should Backing Store be Switched On? . . . . . . . . . . . . . . . . . . . 160
Switching Backing Store On and Off. . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Chapter 8 Advanced Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Configuring Anonymous Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Displaying Anonymous User Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Configuring Anonymous User Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Changing the Number of Anonymous Users . . . . . . . . . . . . . . . . . . . . . 163
Changing the Naming of Anonymous User Accounts . . . . . . . . . . . . . . 164
Setting an Idle Timeout Period. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Specifying a Particular Shell for Anonymous Users . . . . . . . . . . . . . . . 165
Specifying User-Ids for Anonymous Users . . . . . . . . . . . . . . . . . . . . . . 165
Troubleshooting Anonymous User Accounts . . . . . . . . . . . . . . . . . . . . . . . 166
Anonymous User Accounts and NIS Domains . . . . . . . . . . . . . . . . . . . 166
Configuring MetaFrame Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Why Use MetaFrame Security?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Which Users Are Affected by Security? . . . . . . . . . . . . . . . . . . . . . . . . 167
Which Functions Can ctxsecurity Control? . . . . . . . . . . . . . . . . . . . . . . 168
Controlling Security at Different Levels . . . . . . . . . . . . . . . . . . . . . . . . 169
The Security Checking Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Default Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Displaying Security Settings for a Function . . . . . . . . . . . . . . . . . . . . . . . . 172
Configuring Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Changing the Global Security Settings. . . . . . . . . . . . . . . . . . . . . . . . . . 172
Configuring Security for a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Configuring Security for Groups of Users . . . . . . . . . . . . . . . . . . . . . . . 173
Using Inherit to Remove Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
MetaFrame for UNIX and the ICA Browser Service . . . . . . . . . . . . . . . . . . . . 176
Controlling the Master Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Locating the Current Master ICA Browser . . . . . . . . . . . . . . . . . . . . . . 177
Manipulating Master Browser Elections . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Introducing a New Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Biasing the Results of Elections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Configuring the ICA Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Starting and Stopping the ICA Browser. . . . . . . . . . . . . . . . . . . . . . . . . 181
If a MetaFrame Server Uses Multiple NICs. . . . . . . . . . . . . . . . . . . . . . 181
Load Balancing Published Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Load Balancing a Group of Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Tuning Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Tuning Load Balancing in Version 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . 184
Tuning Load Balancing in Feature Release 1. . . . . . . . . . . . . . . . . . . . . 184
Displaying the Load Factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Displaying the Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Troubleshooting Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Configuring ICA Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Using ICA With Network Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
ICA Browsing With Network Address Translation . . . . . . . . . . . . . . . . . . . . . 189
Returning External Addresses to ICA Clients . . . . . . . . . . . . . . . . . . . . . . . 189
Configuring the TCP/IP Port Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Configuring the Operating System for a Large Number of Connections . . . . . 191
Configuring a Solaris System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Changing the Number of Pseudo-Terminals . . . . . . . . . . . . . . . . . . . . . 191
Increasing File Limits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Increasing the Number of Concurrent CDE Sessions . . . . . . . . . . . . . . 192
If the Database Gets Corrupted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Configuring an HP-UX System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Configuring an AIX System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Changing the Number of Pseudo-terminals . . . . . . . . . . . . . . . . . . . . . . 195
Increasing the Number of Processes Per User . . . . . . . . . . . . . . . . . . . . 195
Chapter 9 Using the Citrix XML Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
New in Version 1.6 of the XML Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Introducing NFuse and the Citrix XML Service . . . . . . . . . . . . . . . . . . . . . . . 200
An Overview of the XML Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Comparing the UNIX and NT Versions of the Citrix XML Service . . . 201
Constraints on MetaFrame Server Farms . . . . . . . . . . . . . . . . . . . . . . . . 201
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Setting the Path to the XML Service Commands . . . . . . . . . . . . . . . . . . . . . . . 204
Disabling the Guest Login Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Configuring the Server Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Starting the Citrix XML Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
About Application Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Stopping the Citrix XML Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Guidelines for Creating Web Pages for Use with NFuse for UNIX. . . . . . . . . 207
Using the Web Site Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Using the Example Web Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Configuring Application Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Overview of Configuring Application Settings . . . . . . . . . . . . . . . . . . . 208
Configuring How An Application is Displayed . . . . . . . . . . . . . . . . . . . . . 209
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Resetting an Application to Use Default Display Settings. . . . . . . . . . . 210
Changing the Default Display Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Resetting the Default Display Settings. . . . . . . . . . . . . . . . . . . . . . . . . . 211
Configuring the Visibility of Applications to Users . . . . . . . . . . . . . . . . . . 212
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Troubleshooting Application Visibility . . . . . . . . . . . . . . . . . . . . . . . . . 213
Enabling and Disabling Application Filtering . . . . . . . . . . . . . . . . . . . . . . . 213
Displaying Application Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Enabling and Disabling Publishing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Configuring User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Displaying the Current Authentication Setting . . . . . . . . . . . . . . . . . . . 218
Configuring the XML Service For Use With SSL Relay . . . . . . . . . . . . . . . . . 219
Displaying SSL Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Troubleshooting SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Configuring DNS Address Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Displaying the Current Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Managing Backup Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Appendix A Command Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
MetaFrame Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
ctx3bmouse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
ctxalt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
ctxanoncfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
ctxappcfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
ctxbrcfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
ctxcapture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
ctxcfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
ctxconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
ctxdisconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
ctxgrab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
ctxlicense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
ctxlogoff. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
ctxlpr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
ctxmaster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
ctxmsg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
ctxprinters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
ctxqserver. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
ctxqsession. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
ctxquser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
ctxreset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
ctxsecurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
ctxshadow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
ctxshutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
ctxsrv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
XML Service Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
ctxnfuseauth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
ctxnfusecfg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
ctxnfusefilter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
ctxnfuserefresh. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
ctxnfusesrv. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Appendix B Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Appendix C Operating System Patch Information . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Patches Required for Version 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Patches Required for Feature Release 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Patches Required for Citrix SSL Relay for UNIX. . . . . . . . . . . . . . . . . . . . 281
Patches Required for the Citrix XML Service for UNIX . . . . . . . . . . . . . . 281
Patches for Euro Currency Symbol Support. . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Patches that are Incompatible with MetaFrame for UNIX . . . . . . . . . . . . . . . . 283
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

Before You Begin

About This Guide


This guide is for system administrators responsible for installing, configuring,
and maintaining MetaFrame for UNIX Operating Systems and the Citrix XML
Service for UNIX Operating Systems.
The first few chapters of this guide introduce MetaFrame for UNIX Operating
Systems and explain how to install and license MetaFrame, and deploy
applications.
Subsequent chapters describe how to configure your MetaFrame system and the
XML Service for MetaFrame for UNIX Operating Systems.

Documentation Conventions
The following conventional terms, text formats, and symbols are used throughout
the documentation:

Convention: Meaning

Bold: Where appropriate, this indicates boxes and buttons, column headings, command-line commands and options, icons, dialog box titles, lists, menu names, tabs, menu commands and user input.

Italic: Indicates a placeholder for information or parameters that you must provide. For example, if the procedure asks you to type filename, you must type the actual name of a file. Italic also indicates new terms and the titles of other books.

ALL UPPERCASE: Represents keyboard keys (for example, CTRL, ENTER, F2).

Monospace: Represents text displayed at the command prompt and text file contents.

Ø: Indicates a procedure with sequential steps.

§: Indicates a list of related information, not procedural steps.

{braces}: Encloses required items in syntax statements. For example, { yes | no } indicates that you must specify yes or no when using the command. Type only the information within the braces, not the braces themselves.

[brackets]: Encloses optional items in syntax statements. For example, [password] indicates that you can choose to type a password with the command. Type only the information within the brackets, not the brackets themselves.

| (vertical bar): Stands for “or” and separates items within braces or brackets. For example, { /hold | /release | /delete } indicates that you must type /hold or /release or /delete.

… (ellipsis): Indicates that you can repeat the previous item(s) in syntax statements. For example, /route:devicename[,…] indicates that you can specify more than one device, putting commas between the device names.

Information that is specific to a particular UNIX platform is identified using the
following symbols:

Symbol Identifies instructions specific to the


IBM AIX Operating System

Hewlett-Packard HP-UX Operating System

Sun Solaris Operating Environment

A symbol with a line through it indicates information that does not apply to a
particular platform. For example, the following symbol is used to indicate
information that does not apply to the HP-UX platform:

Note The examples and screens shown throughout the documentation are for the
Solaris Operating Environment, unless indicated otherwise.

UNIX Command-line Conventions


MetaFrame for UNIX has a command line interface, so you type the commands
to control the server at the command prompt.
If you are not familiar with UNIX command lines, note that:
§ All UNIX commands are case sensitive.
§ The spacing on the command line is important, and must be followed exactly
as described in the instructions.
Note Only one instance of some MetaFrame commands should be run at any one
time—these are the commands that cause configuration changes (rather than
commands that just query and display information). If more than one instance
runs simultaneously, you may get unpredictable results.

Getting More Information


Your MetaFrame software includes the following online documentation:
§ The online version of the MetaFrame Administrator’s Guide.
§ Man pages, which can be displayed online, for each MetaFrame command line
tool. These provide an overview of the command, warnings and important
notes, and pointers to related commands.
§ The Citrix ICA Client Administrator’s Guides, which tell administrators how
to install, configure, and deploy the various ICA Clients to end-users.
§ The Citrix SSL Relay for UNIX Administrator’s Guide, which explains how to
configure and use Citrix SSL Relay in your MetaFrame for UNIX
deployment.
The documentation for MetaFrame is also available in Adobe PDF format in the
documentation directory of the MetaFrame for UNIX and the ICA Client
CD-ROM (on the HP-UX platform, the documentation for MetaFrame is
available as an installable package). Using the Adobe Acrobat Reader, you can
view and search the documentation electronically or print it for easy reference. To
download the Adobe Acrobat Reader for free, please go to Adobe’s Web site at:
http://www.adobe.com/.

Important Please consult the readme file in the root directory of your CD-ROM
for any last-minute updates, installation instructions, and corrections to the
documentation. On HP-UX, the readme file is available from the swinstall tool.

Finding Resources on the Citrix Web Site


Citrix offers online Technical Support Services at http://www.citrix.com/ that
include the following:
§ Downloadable Citrix ICA Clients, available at http://download.citrix.com/
§ A Frequently Asked Questions page with answers to the most common
technical issues
§ An FTP server containing the latest service packs and hotfixes for download
§ An Online Knowledge Base containing an extensive collection of technical
articles, troubleshooting tips, and white papers
§ Interactive online support forums
§ A product documentation library, available at:
http://www.citrix.com/services/productdocs.asp

Providing Feedback About this Guide


We strive to provide you with accurate, clear, complete, and usable
documentation for Citrix products. If you have any comments, corrections, or
suggestions for improving our documentation, we would be happy to hear from
you. You can email the authors at:
documentation@citrix.com
Please include the name and version number of the product and the title of the
document in your email.

CHAPTER 1

Welcome to Citrix MetaFrame for UNIX Operating Systems

Overview
Welcome to Citrix MetaFrame for UNIX Operating Systems.
This chapter will help you to get started using MetaFrame. It includes:
§ What’s new in Feature Release 1 for MetaFrame for UNIX Operating Systems
version 1.1
§ An introduction to MetaFrame and an overview of server-based computing
§ Descriptions of some of the key MetaFrame features that you may want to use
in your deployment
§ A quick guide to installing MetaFrame, with cross-references to help you get
the most from this manual and other Citrix documentation

What’s New in Feature Release 1?


Feature Release 1 is an upgrade for version 1.1 of MetaFrame for UNIX
Operating Systems. You can also upgrade to Feature Release 1 from the Early
Access Version of Feature Release 1.
Feature Release 1 provides a number of new features, together with fixes for
known problems in version 1.1 of MetaFrame for UNIX. Feature Release 1 is
available on CD-ROM or from the Citrix Web site.
When you install Feature Release 1, the fixes and some new features are included
automatically. However, to enable some new features, you must install and
activate the Feature Release 1 license. For further information about installing
and configuring Feature Release 1, see “Upgrading to Feature Release 1” on
page 63.

New Features
The following new features are available when you install Feature Release 1 and
add and activate the Feature Release 1 license:
§ SSL-secure communications—Feature Release 1 includes support for Citrix
SSL Relay. Citrix SSL Relay provides the ability to secure data
communications using version 3.0 of the Secure Sockets Layer (SSL)
protocol. SSL provides server authentication, encryption of the data stream,
and message integrity checks. You can use Citrix SSL Relay to secure
communications:
§ Between an SSL-enabled ICA Client and a MetaFrame server.
§ In an NFuse deployment, between the Web server and MetaFrame server.
For information about configuring and using SSL Relay to secure your
MetaFrame installation, see the Citrix SSL Relay for UNIX Administrator’s
Guide.
§ Greater ICA session color depth—Feature Release 1 supports High Color
(15-bit) and True Color (24-bit) connections, provided your users are running
Version 6.0 ICA Clients. This means that you can use MetaFrame for UNIX to
deploy applications that require high graphics performance. For information
on color depth limitations, see “Color Depth Limitations” on page 85.
§ Greater ICA session size—Feature Release 1 supports greater ICA session
size, provided your users are running Version 6.0 ICA Clients. Screen size is
limited only by server memory, the type of ICA Client and the properties of
the underlying X11 window system. For example, in the Win32 ICA Client,
the session size can be as great as 32767 by 32767 pixels.
§ Greater bandwidth efficiency—Feature Release 1 is designed for more
efficient use of bandwidth. This means that the data between the client device
and the server is sent more efficiently, so users benefit from improved
application performance.
§ Multi-monitor display—Feature Release 1 supports multi-monitor display.
Provided your users are running Version 6.0 ICA Clients and their
hardware and operating system support it, users can take advantage of this
feature. Multi-monitor display is also available to users who connect to
applications via NFuse. With multi-monitor display, users can:
§ Display several applications on multiple monitors. For example, a user can
display three different views of a CAD application on three monitors (one
view on each monitor) from just the one client device. The application
views are displayed simultaneously so there is no need to constantly
minimize and maximize windows to display them.
§ Display one application on several monitors. For example, a user has a
large project plan that spans many months and normally, to see all the
details, the user has to scroll through the plan. However, with multi-
monitor display, the entire plan can be displayed over two monitors, from
just the one client device.
For information on multi-monitor limitations, see “Multi-Monitor Display
Limitations” on page 86.
§ Ticketing—in NFuse, ticketing provides enhanced authentication security by
eliminating user credentials from the ICA files sent from the Web server to
client devices. By default, previous versions of NFuse placed user credential
information in the ICA files sent to client devices for ICA session
initialization. An attacker able to intercept the file or retrieve the file from disk
could repeatedly use the file to access a Citrix server. The use of NFuse’s
ticketing feature eliminates these dangers. For more information about
ticketing, see the NFuse Administrator’s Guide.
§ Client Drive Mapping (CDM)—Client drive mapping is not available
immediately, but will be available from the Citrix Web site at a later date for
customers with a Feature Release 1 license (including Subscription Advantage
customers). Check the Citrix Web site for updates. Client drive mapping
enables users to access their local drives from within a MetaFrame for UNIX
session. When a user connects to the MetaFrame server, their client drives
(such as floppy disk drives, network drives, CD-ROM drives and hard disk
drives) are automatically mounted.

New Features That Do Not Require a Feature Release 1 License
The following new features are available immediately when you install Feature
Release 1. These features do not require you to add and activate the Feature
Release 1 license:
§ Load balancing enhancements—Feature Release 1 provides you with the
ability to tune the distribution of connections among a group of load balanced
servers. This means that you can load balance a group of servers to take into
account a particular server’s speed and power, relative to the other servers in
the group. For example, if you have a server that is 50% more powerful than
other servers in the group, you can tune load balancing so that this server
receives 50% more load.
§ HTTP browsing—with Feature Release 1 you can provide your users with
HTTP (HyperText Transport Protocol) browsing. The ICA Client uses HTTP
to communicate with the Citrix XML Service to fulfill browser requests.
HTTP browsing uses the standard HTTP port on the firewall—port 80—to
allow users to browse applications and servers that exist on the other side of a
firewall. This means that, provided port 80 is not being used by a Web server
running on the MetaFrame for UNIX server, there is no need to open an
additional port on the firewall for browser requests. Note that HTTP browsing
is sometimes called “TCP Browsing” in some Citrix products.
§ Ability to publish an application to accept parameters from the client—
you can configure the MetaFrame server to accept published application
parameters passed by the ICA Client. This allows users to connect to a
published application and automatically launch a particular file. Or, it can be
used to pass other parameters, such as a user name or reference number.
Similarly, you can also change the directory in which an application runs by
specifying a working directory on the client.
§ Allowing users to log on without a home directory—by default, users
whose home directories are unavailable are unable to log on to the MetaFrame
server. However, with Feature Release 1, you can configure the MetaFrame
server to allow users whose home directories are unavailable to log on. Note
that anonymous users are never allowed to log on without a home directory.
§ X font server automatically included in the font path—in Feature Release
1, the font path contains the X font server by default. However, you can
remove the X font server from the font path by editing the ctxsession.sh
script. For more information, see “Changing the Font Path” on page 159.
§ Mouse-click feedback—with Feature Release 1, mouse-click feedback is
enabled by default. With mouse-click feedback, when a user clicks the mouse,
the ICA Client software changes the mouse pointer to an hourglass to show
that the user’s input is being processed. You can configure the thresholds in
which mouse-click feedback operates, or you can disable mouse-click
feedback.
§ Ability to bind to a specific NIC—if a MetaFrame server has more than one
network interface card (NIC) and is connected on more than one subnet, you
can configure the server so that the ICA Browser communicates only with
other ICA Browsers on a particular subnet. This prevents the server from
attempting to become master browser on more than one subnet.
§ Backing store enhancements—Feature Release 1 allows you to switch on the
backing store feature in the X server. Backing store solves performance
problems in some applications that require this feature. By default, backing
store is off, but you can switch it on by editing the ctxXtw.sh file. For more
information, see “Configuring Backing Store” on page 160.
§ NIS+ support on NFuse—Feature Release 1 extends PAM support to NFuse.
PAM (Pluggable Authentication Modules) provides user name and password
validation, and supports the NIS+ Naming Service for the centralized
administration of user accounts. Therefore, users can log onto NFuse with user
names and passwords stored using NIS, NIS+ and many other types of user
directories.
§ Group and folder-based application caching and filtering—in NFuse,
application caching and filtering is user-based, by default. This means that the
application set displayed to a user is filtered to include only the applications
the user needs to see. Typically, user-based caching and filtering is adequate
for normal use, and you do not need to change this. However, Feature Release
1 also supports application caching and filtering based upon groups and
folders. For more information, see “Enabling and Disabling Application
Filtering” on page 213.
§ NFuse administration improvements—in NFuse, you can configure the ease
by which the Web server retrieves and presents the applications available to
MetaFrame for UNIX users. With the new ctxnfuseauth command in the
XML Service, you can control whether a user’s password is authenticated
when he or she logs on to NFuse. By default, password authentication is on,
but you can switch it off to improve response time. The new ctxnfuserefresh
-apps command lets you refresh application settings from the master browser
immediately. This means that after configuring application settings, you can
apply your changes with immediate effect. For more information, see “Using
the Citrix XML Service” on page 197.
§ Screensavers are off by default—ICA connections running graphical
screensavers can consume server resources, so screensavers are turned off by
default in Feature Release 1. If you want to turn screensavers on, see
“Screensaver Setting Recommendations” on page 155 for details.
§ 256 X applications per session—users can now run up to 256 X applications
concurrently in one ICA session. Previously, only 128 X applications
could be run per ICA session.
§ Users’ login shells are no longer verified—the users of non-standard shells
are no longer prevented from logging on. Previously, in Version 1.1 of
MetaFrame for UNIX Operating Systems, on the Solaris platform, the users of
shells other than C, Bourne and Korn could only log on if an /etc/shells file
had been created to give these users access—this is no longer the case in
Feature Release 1.

Fixes Included in Feature Release 1


Feature Release 1 provides fixes for known problems in version 1.1 of
MetaFrame for UNIX Operating Systems.

Hotfixes
The following hotfixes are automatically included when you install Feature
Release 1:

Hotfix ME110Sx002
ME110SS002 (SPARC) and ME110SI002 (Intel). This hotfix addresses the
following issues:
§ Removes the need to restart the MetaFrame server for configuration changes
made using the ctxcfg tool to take effect. In other words, you no longer need
to stop and restart the MetaFrame server for configuration settings to be
applied. The only exception is if you change the port number using ctxcfg -P
which does require a server restart.
§ Fixes the problem where there is an occasional failure when trying to
reconnect to an application that is running within a seamless window.
§ Fixes the problem where fatal exception errors occur on Win32 ICA Clients in
applications running within seamless windows. This problem can occur when
a user opens a menu and then a submenu. This has only been reported on
Version 6.00.910 Win32 ICA Clients.
§ Fixes a problem that caused incorrect graphics to be displayed. This problem
was first noticed in Adobe FrameMaker, but it can occur in any application.

Hotfix ME110Sx003
ME110SS003 (SPARC) and ME110SI003 (Intel). This hotfix addresses the
following issues:
§ Fixes the problem where the text cursor disappears during a session. After you
install Feature Release 1, edit the /opt/CTXSmf/slib/ctxXtw.sh file if there are
problems with the cursor. See “Configuration Required for Fixes to Take
Effect” on page 82 for details.
§ Fixes the excessive screen refresh problem. This problem affects the
performance of some applications as the screen is constantly redrawn. The
problem is more likely to occur on Win32 ICA Client connections. The
problem was first noticed in the Cadence application Virtuoso Layout Editor
4.3.3, but it can occur in any application. After you install Feature Release 1,
edit the /opt/CTXSmf/slib/ctxXtw.sh file if there are problems with screen
refreshing. See “Configuration Required for Fixes to Take Effect” on page 82
for details.
§ Fixes the problems experienced by some AFS (Andrew File System) users
when writing to their home directories and running applications. This hotfix
extends PAM (Pluggable Authentication Modules) support to AFS users.

Hotfix ME110Sx004
ME110SS004 (SPARC) and ME110SI004 (Intel). This hotfix addresses the
problem where the Undo, Copy, Paste, Cut and Find keys on the left-hand keypad
of a SPARC keyboard fail to work during a session.
For this fix to take effect, you must ensure that your users are running Version 6
ICA Clients. If your window manager is CDE, after you install Feature Release 1,
you need to include the Citrix bindings file and edit the xmbind.alias file. See
“Configuration Required for Fixes to Take Effect” on page 82 for more
information. If your window manager is Openwindows, no further configuration
is required.

Hotfix ME111Sx001
ME111SS001 (SPARC) and ME111SI001 (Intel). This hotfix:
§ Includes an enhancement that implements warp pointer functionality for X
windows. Warp pointer functionality allows application controlled relocation
of the mouse pointer.
§ Fixes the problem in the OpenLook window manager, where applications
running in seamless windows incorrectly display pop-up dialog boxes.

Hotfix ME111Sx002
ME111SS001 (SPARC) and ME111SI001 (Intel). This hotfix:
§ Fixes a problem in application publishing, where the server displays the error
“internal error: no such file or directory” when the total number of characters
in all of the published applications exceeds 500.
§ Fixes a problem that prevents the server from being restarted for 12 minutes
after the failure of MetaFrame for UNIX.
§ Includes an enhancement that stops an application from causing an X cursor to
disappear. This enhancement improves the usability of applications such as
Sunguard Forex. Such applications hide the X cursor and use their own bitmap
cursor, which may cause problems over high-latency connections. After you
install Feature Release 1, edit the /opt/CTXSmf/slib/ctxXtw.sh file if there are
problems with the X cursor. See “Configuration Required for Fixes to Take
Effect” on page 82 for details.
PCL and Postscript Printing Problem
Included in Feature Release 1 is a fix for the printing problem that caused print
jobs containing null characters to fail. The problem only affects binary files, such
as Postscript and PCL print jobs. The problem is fixed automatically when you
install Feature Release 1.

Introduction to MetaFrame
MetaFrame is a server-based software product that you can use to provide the
users of your network with access to UNIX and Java applications.
You install MetaFrame on a UNIX machine that will be used as a server.
MetaFrame allows multiple users to log on and run applications in separate,
protected sessions on the same server. The applications you deploy must also be
available on the server. For example, you may want to install word processors,
Web browsers, Java applications, a particular window manager or custom
applications.
You install the ICA (Independent Computing Architecture) Client software on the
client devices, so users can connect to the MetaFrame server from a client device,
such as a Windows PC. The ICA Client software is provided free, and is available
for a range of different devices. This allows users to connect to the MetaFrame
server from various platforms.
MetaFrame uses the ICA protocol to send information between the client device
and the server. The ICA protocol sends keystrokes, mouse clicks and screen
updates between the server and the client. The application processing remains on
the server, which means that processing on the client is kept to a minimum. To the
user of the client device, it appears as if the software is running locally on the
client.
Because applications run on the server and not on the client computer, users can
connect from any client device. A Macintosh, a Windows PC, or another UNIX
machine can be used—the application looks and feels the same on each client
device.

The following diagram shows a MetaFrame server with ICA connections:

[Diagram: a MetaFrame for UNIX Server provides application processing in
protected sessions (Session 1: Published Application; Session 2: Connection to
Desktop). A Macintosh Client connecting from a remote site via WAN and a
Windows PC Client connecting via LAN each send mouse clicks and key presses to
the server and receive screen updates. Session 1 is a published application
session: the application appears in a window on the Macintosh. Session 2 is a
desktop session: the UNIX desktop appears in a window on the PC.]

MetaFrame Features
Connection from a client device
Typically, users connect to an application or desktop by clicking on an icon or
application name from the client software on the client device. You can create
connections to MetaFrame for UNIX and MetaFrame for Windows NT
Application Servers.

Connection to published applications
You can publish specific applications. A published application is a predefined
application or shell script and its associated environment. Publishing
applications is an efficient way to provide access to specific applications. Users
connect to an application and the session closes when they exit the application.

Connection to UNIX desktops from client devices
You can provide users with full access to the UNIX server desktop. Users can
run any application available on the desktop, in any order, or simultaneously.
The server desktop appears in a window on the client device.

One MetaFrame license consumed per client device
When a user first connects to a server, one MetaFrame license is consumed.
If the user of that client device connects to other servers or published
applications during the session, additional licenses are not consumed. This
means that a user can connect to a number of published applications using just
the one license. See “Citrix Licensing” on page 91 for further information.

Integration with UNIX security and accounts
MetaFrame uses the security set up on the UNIX server. Therefore, you do not
need to set up new user accounts for MetaFrame—the user at the client device
can log on using their existing UNIX user account and password. Solaris and
HP-UX use Pluggable Authentication Modules (PAM) for user name and
password validation; AIX uses its own authentication mechanism.
Note that MetaFrame supplies the user name and password for authentication—
if additional information is required for the authentication process, this is not
supported. For more information about configuring PAM on Solaris and HP-UX
machines, see the man page for “PAM”; for AIX, see the man page for
“authenticate”.

Special group and account for Citrix server administrators
MetaFrame requires you to create a special user group with the authority to run
MetaFrame administration commands and start and stop the server. This is the
Citrix server administrator group, which is called ctxadm. The user ctxsrvr
must be created and added to this group. If you install the Citrix XML Service or
Citrix SSL Relay, you must also create the ctxnfuse and ctxssl user accounts.

Configurable permissions for access to MetaFrame features
You can control which users or groups of users can use particular MetaFrame
features, such as logging on, disconnecting and sending messages to other
sessions, using the MetaFrame security feature. See “Configuring MetaFrame
Security” on page 167 for further information.

Guest user access
MetaFrame includes special anonymous user accounts with limited permissions.
You can use these accounts to provide users with guest access to published
applications and a temporary working directory for use during the session.

Shadowing user sessions
You can display and interact (using your keyboard and mouse) with another
user’s session from your own session. This feature is called shadowing. You can
use shadowing to help remote users with training or technical support issues.
The following diagram shows the shadowing of one session from another:

[Diagram: a MetaFrame for UNIX Server provides application processing in
protected sessions. Session 1: a user running an application published on the
UNIX server; the UNIX application is displayed on a PC. Session 2: an
administrator running a UNIX desktop, who starts shadowing session 1 from this
session. The user allows shadowing, and can see the mouse moving on screen as
the administrator controls the session. The administrator can see the same
screen display that the user of session 1 can see, and can now use mouse and
keyboard to control the session.]

Copying text and graphics between applications
Users can copy text and graphics between server-based applications and
applications running locally on the client device. The clipboard behaves as if all
applications are running on the client device itself.

Load balancing between servers
If you install Citrix Load Balancing Services, you can publish the same
application on a number of servers. Users connect to the published application
and MetaFrame ensures that the connections are distributed among servers so
that one particular server does not become overloaded. Feature Release 1 for
MetaFrame for UNIX also provides the ability to tune the distribution of
connections among a group of load balanced servers.

SSL security
Feature Release 1 for MetaFrame for UNIX includes support for SSL Relay,
which allows you to secure communications using version 3.0 of the Secure
Sockets Layer (SSL) protocol. SSL provides server authentication, encryption of
the data stream, and message integrity checks. You can use Citrix SSL Relay to
secure communications between an SSL-enabled ICA Client and a MetaFrame
server, or in an NFuse deployment, between the Web server and MetaFrame
server.

XML Service and NFuse deployment
Feature Release 1 for MetaFrame for UNIX includes support for Version 1.6 of
the Citrix XML Service. The Citrix XML Service communicates information
about the UNIX applications published in a server farm to the Web server
component of the NFuse deployment. The Citrix XML Service also provides
users with HTTP (Hypertext Transfer Protocol) browsing.

Integrating With Other Citrix Servers


§ MetaFrame for UNIX Operating Systems will co-exist with other Citrix
servers (for example, MetaFrame XP) on a network by sharing master browser
information. However, although MetaFrame for UNIX and MetaFrame XP
servers will co-exist, license pooling only works if the XP servers are in mixed
mode for interoperability—see the MetaFrame XP Administrator’s Guide for
more information.
§ Although you cannot add MetaFrame for UNIX Operating Systems servers to
Citrix server farms, you can use a pass-through ICA Client to access
applications on MetaFrame for UNIX using Program Neighborhood. ICA
PassThrough technology allows non-Win32 ICA Clients to take advantage of
the Citrix Program Neighborhood features. This is done by publishing the pre-
installed ICA Client on a MetaFrame for Windows server and having clients
“pass through” the server’s Citrix Program Neighborhood client to access a
server farm.
§ You can use the Citrix XML Service with NFuse to provide users with access
to Windows and UNIX applications from one location. Citrix NFuse is an
application portal technology that lets you integrate and publish applications
into a Web browser from any standard Web server. The Citrix XML Service
for MetaFrame for UNIX is available on the Feature Release 1 CD-ROM, or
as a separate download package from the Citrix Web site.
Note Cross-server administration between Windows and UNIX versions of
MetaFrame is not possible.

Getting Started Quickly…


This section provides an overview of the minimum steps required to install and
set up a MetaFrame server. For full details of how to install MetaFrame for
UNIX, including step-by-step installation and configuration instructions, see
“Deploying MetaFrame Version 1.1” on page 39. We recommend that you read
this chapter before installing MetaFrame for UNIX Operating Systems for the
first time.
Ø To install and get a MetaFrame server up and running, you need to
1. Set up the accounts for the Citrix server administrator. Use the standard UNIX
system tools to do this. At minimum, you need to log on as root and create a
group called ctxadm, and a user called ctxsrvr (with ctxadm as the primary
group).
2. Install the MetaFrame for UNIX server software on your UNIX server using
the appropriate installer, and then start MetaFrame on the server using the
command ctxsrv start.
3. Install the client software on each client device you plan to use from the ICA
Client CD-ROM included in your MetaFrame for UNIX package, or from the
Citrix Web site.
4. After installing the client software, create ICA connections to your
MetaFrame server and test that you can connect from each type of ICA Client.
When you can connect to your MetaFrame server from an ICA Client, your
MetaFrame server is operational.

To find out how to                         Read
Install the MetaFrame server software      “Installing MetaFrame Version 1.1” on page 44
Install the client software on a           The installation section in the Client
particular client device                   Administrator’s Guide for the client you plan
                                           to deploy.
Create a connection from a client device   The Client Administrator’s Guide for the
to a server                                appropriate client.

Note There is a Client Administrator’s Guide for each client in the
documentation directory on the ICA Client CD-ROM in your MetaFrame for
UNIX server package. The filename for the PDF refers to the client, for
example ICAUNIX.PDF is the filename for the Client Administrator’s Guide
for the UNIX Client.

What To Do Next
If you:
§ Do not have version 1.1 of MetaFrame for UNIX Operating Systems on your
system yet:
1. Install version 1.1 of MetaFrame for UNIX Operating Systems. For
information, see “Installing MetaFrame Version 1.1” on page 44.
2. Add and activate the version 1.1 base license. See “Citrix Licensing” on
page 91 for more information.
3. Install the Feature Release 1 upgrade—see “Upgrading to Feature Release
1” on page 63.
4. Configure the server for some of the new features and fixes to take effect—
see “What Configuration is Required for Feature Release 1?” on page 79.
5. Add and activate the Feature Release 1 license to enable the new features
that require the license.
§ Already have version 1.1 of MetaFrame for UNIX Operating Systems, or the
Early Access Version of Feature Release 1, on your system:
1. Install the Feature Release 1 upgrade—see “Upgrading to Feature Release
1” on page 63.
2. Configure the server for some of the new features and fixes to take effect—
see “What Configuration is Required for Feature Release 1?” on page 79.
3. Add and activate the Feature Release 1 license to enable the new features
that require the license. See “Citrix Licensing” on page 91 for more
information.

Note Many new features and fixes are available without the Feature Release 1
license—for a list of these, see “New Features That Do Not Require a Feature
Release 1 License” on page 24 and “Fixes Included in Feature Release 1” on
page 26.
CHAPTER 2

Deploying MetaFrame Version 1.1

Overview
This chapter describes how to install, deploy, and remove MetaFrame version 1.1.

Important To upgrade to Feature Release 1 for MetaFrame for UNIX Operating
Systems, version 1.1 of MetaFrame for UNIX (or the Early Access Version of
Feature Release 1) must be installed on the server first. For more information
about upgrading to Feature Release 1, see “Upgrading to Feature Release 1” on
page 63.

Topics covered in this chapter include:


§ System requirements
§ Setting up the Citrix server administrator user and group
§ Installing MetaFrame version 1.1
§ Setting up the paths to MetaFrame commands and man pages
§ Starting and stopping MetaFrame
§ Configuring non-English keyboard support
§ Configuring MetaFrame event logging
§ Reinstalling MetaFrame
§ Removing MetaFrame

Before You Begin Installing Version 1.1


Please make sure that you read the following information before installing
MetaFrame:
§ “UNIX Operating System Requirements” on page 42—the UNIX Operating
System must be installed before you install MetaFrame. You must also ensure
that your operating system is configured to run MetaFrame, and that you
install the required updates, as listed in this section.
§ “Creating the Citrix Server Administrator User and Group” on page 44—you
must set up ctxadm and ctxsrvr before installing MetaFrame.
Note Make sure that all users who connect to the server have a home directory
path that is valid on the server, and that can be written to by the user. If a user has
no home directory and tries to connect, the logon fails. However, if you upgrade
to Feature Release 1, you can configure the MetaFrame server to allow users
whose home directories are unavailable to log on.

System Requirements
This section lists the minimum machine specifications and operating system
requirements for MetaFrame for UNIX Operating Systems.

Minimum Machine Specifications


The minimum machine specification depends upon how many connections are to
be supported. As a general rule, we recommend that each server has between 16
and 24 MB of RAM per ICA connection. However, you may need to increase this
amount of RAM depending upon the type of applications your users are running,
and the session properties, such as color depth and size.
The following specifications are guidelines only.

On the Solaris Platform


1 to 3 connections:
Solaris SPARC            Solaris Intel
Sparcstation 20          P133
128MB RAM                128MB RAM

More than 3 connections:
Solaris SPARC            Solaris Intel
'Ultra-30'               PII 300
UltraSPARC-II 248MHz     256MB RAM
256MB RAM

On the HP-UX Platform


1 to 3 connections:
C110 120MHz PA-RISC
128MB RAM
More than 3 connections:
A400 440MHz PA-RISC
256MB RAM.

On the AIX Platform


1 to 3 connections:
43P Model 150
128MB RAM
More than 3 connections:
44P Model 270
256MB RAM

UNIX Operating System Requirements


This section provides information about the operating system requirements for
MetaFrame for UNIX Operating Systems on each of the platforms.

Operating System Patches


For information about the operating system patches that are required, see
“Operating System Patch Information” on page 279. This information is also in
document CTX222222 in the Solution Knowledge Base on the Citrix Web site at
http://knowledgebase.citrix.com/
The information in the Solution Knowledge Base is updated regularly and may be
more up to date than the information provided in this guide.

On the Solaris Platform


The Solaris edition of MetaFrame for UNIX Operating Systems requires:
§ Solaris 2.6 (also known as SunOS 5.6), SPARC version
-Or-
§ Solaris 7 (also known as Solaris 2.7 and SunOS 5.7), SPARC version
-Or-
§ Solaris 8, SPARC or Intel versions
The server machine must have an X Window system installed with the
appropriate window manager for the platform, for example, CDE.
The following operating system packages are required:
§ SUNWxwoft X Window System optional fonts
§ SUNWuiu8 Iconv modules for UTF-8 Locale
Check if these packages are installed using the pkginfo command.

Note On Solaris 7 and 8 these two packages are installed when you do an end-
user install. On Solaris 2.6 the packages are not installed in an end-user install.

The Iconv libraries must be installed; they are necessary for MetaFrame to run.
Check that the following files exist in the /usr/lib/iconv folder:
UCS-2*.so
UTF-8*.so
8859-1*.so

On the HP-UX Platform


The HP-UX edition of MetaFrame for UNIX Operating Systems requires:
§ HP-UX version 11.x
The server machine must have an X Window system installed with the
appropriate window manager for the platform, for example, CDE.

On the AIX Platform


The AIX edition of MetaFrame for UNIX Operating Systems requires:
§ AIX version 4.3.3
The server machine must have an X Window system installed with the
appropriate window manager for the platform; for example, CDE.

Euro Currency Symbol Support


MetaFrame for UNIX supports the ISO 8859-15 Euro-currency symbol, if the
underlying UNIX operating system supports it. To ensure this support, you may
need to install patches recommended by your operating system and hardware
vendor. See the Web site for your operating system manufacturer or contact your
hardware vendor for details of the appropriate patches and for instructions for
ensuring Euro symbol support.

Installing MetaFrame Version 1.1


This section explains how to:
§ Create the Citrix server administrator user and group
§ Install MetaFrame for UNIX Operating Systems for the first time
§ Upgrade to version 1.1 from a previous release of MetaFrame
§ Perform an unattended install that allows you to install MetaFrame without
intervention

Installation Overview
You need to perform the following steps to install MetaFrame:
1. If you are installing MetaFrame for the first time, you need to create the Citrix
server administrator user and group accounts.
2. Install MetaFrame from the CD-ROM.
3. If you are installing MetaFrame for the first time, you need to add the
MetaFrame path(s) to your path, so that you can run the MetaFrame
commands.
4. Start the MetaFrame processes on the server.
The following describes the installation process in more detail.

Important You must set up the Citrix server administrator group and user account
before you install MetaFrame. The installation will fail if the ctxadm group and
ctxsrvr user have not been created.

Creating the Citrix Server Administrator User and Group


If you are installing MetaFrame for the first time, you need to create the Citrix
server administrator group account, and a user in this group, before you install
MetaFrame. This account is required by some MetaFrame commands that
demand special administration rights for MetaFrame, but do not require root
access to the UNIX system.
§ Create the Citrix server administrator’s group using the group name ctxadm.
§ Create a Citrix server administrator using the user name ctxsrvr. Make sure
that you add the ctxsrvr user to the ctxadm group, and that the ctxadm group is
its primary group.

Important Do not use the Citrix server administrator user or group for any
purposes other than MetaFrame system administration.
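
A pre-install check for the account requirement above (also step 1 of the quick-start procedure), added here as an example and not taken from the Citrix guide: it confirms that ctxadm exists, that ctxsrvr exists with ctxadm as its primary group, and lists every account that holds ctxadm so the membership can be reviewed. It assumes a POSIX shell and local accounts in /etc/passwd and /etc/group; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-install check for the Citrix server administrator accounts.
# Assumption: accounts are local, so the passwd and group files are
# authoritative (with NIS or LDAP accounts, query the name service instead).
# Usage (as root, before running the installer): check_ctx_accounts

# Print the GID of group $1 from group file $2 (prints nothing if absent).
group_gid() {
    while IFS=: read -r g_name _pw g_gid _members; do
        if [ "$g_name" = "$1" ]; then
            printf '%s\n' "$g_gid"
            break
        fi
    done < "$2"
    return 0
}

# Print the primary GID of user $1 from passwd file $2 (nothing if absent).
user_primary_gid() {
    while IFS=: read -r u_name _pw _uid u_gid _rest; do
        if [ "$u_name" = "$1" ]; then
            printf '%s\n' "$u_gid"
            break
        fi
    done < "$2"
    return 0
}

# check_ctx_accounts [passwd_file] [group_file]
# Returns 0 when the accounts are set up as the guide requires,
# 1 = ctxadm missing, 2 = ctxsrvr missing, 3 = ctxadm is not the primary group.
check_ctx_accounts() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}

    adm_gid=$(group_gid ctxadm "$group_file")
    if [ -z "$adm_gid" ]; then
        echo "FAIL: group ctxadm does not exist" >&2
        return 1
    fi
    srv_gid=$(user_primary_gid ctxsrvr "$passwd_file")
    if [ -z "$srv_gid" ]; then
        echo "FAIL: user ctxsrvr does not exist" >&2
        return 2
    fi
    if [ "$srv_gid" != "$adm_gid" ]; then
        echo "FAIL: ctxsrvr primary GID is $srv_gid, ctxadm is $adm_gid" >&2
        return 3
    fi
    echo "OK: ctxsrvr exists with ctxadm (GID $adm_gid) as its primary group"
    return 0
}

# ctxadm_members [passwd_file] [group_file]
# Print, one per line, every account that holds the ctxadm group: the
# supplementary members in the group file plus users whose primary GID is
# ctxadm's. Review this list: the group grants MetaFrame administration rights.
ctxadm_members() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    want_gid=$(group_gid ctxadm "$group_file")
    if [ -z "$want_gid" ]; then
        return 1
    fi
    {
        while IFS=: read -r g_name _pw _gid members; do
            if [ "$g_name" = ctxadm ]; then
                printf '%s\n' "$members" | tr ',' '\n'
            fi
        done < "$group_file"
        while IFS=: read -r u_name _pw _uid u_gid _rest; do
            if [ "$u_gid" = "$want_gid" ]; then
                printf '%s\n' "$u_name"
            fi
        done < "$passwd_file"
    } | sed '/^$/d' | sort -u
}
```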

Installing MetaFrame on Solaris


Installing MetaFrame for the First Time
This section describes how to install MetaFrame version 1.1 for the first time.
Before you begin, ensure you have created the Citrix server administrator group
account ctxadm and the user ctxsrvr.
With this method you are prompted for information—if you want to perform an
installation that uses a response file, see “Performing an Unattended Install on
Solaris” on page 48.
Ø To install MetaFrame
1. Log on as root at the server on which you want to install MetaFrame.
2. Mount the MetaFrame CD-ROM.
3. Change to the directory for the version of MetaFrame you want to install. For
example, type:
cd /cdrom/mfunix/solaris_version
where solaris_version is the name of the directory on the CD-ROM for the
platform architecture (SPARC or Intel) of Solaris you are using. The path is
usually /cdrom/mfunix/... but it may change depending on how your system
mounts the CD.
4. To add the MetaFrame package, type:
pkgadd -d CTXSmf
This starts the package installation script.
5. At the prompt for the startup/shutdown script installation, type y if you want
to start MetaFrame when the machine is booted and stop it when the machine
is shut down. If you answer yes, the script “S99ctxsrv” is installed in the
/etc/rc2.d directory.
6. At the prompt for the man page installation, type y to install the MetaFrame
man pages.
7. At the prompt for anonymous users, type y to create 15 anonymous user
accounts if you want to enable guest access.
8. At the prompt about security settings for setuid/setgid, type y to set the correct
file permissions for the MetaFrame files and processes.
Important Do not type n, or MetaFrame will not operate correctly.

9. At the next prompt, type y to continue installing MetaFrame. When complete,
a message tells you that the installation was successful and the command
prompt is displayed.

Note Do not attempt to share or copy the MetaFrame for UNIX installation files
between servers. The configuration database cannot be duplicated, and you will
experience problems if you attempt to do this.

Upgrading to Version 1.1 from a Previous Release of MetaFrame
This section explains how to upgrade to version 1.1 of MetaFrame for UNIX
Operating Systems. When you upgrade, your existing configuration settings, such
as licensing and published application information, are preserved.

Note For information about upgrading to Feature Release 1 for MetaFrame for
UNIX Operating Systems, see “Upgrading to Feature Release 1” on page 63.

During the installation of the upgrade you are prompted for information, such as
whether you want to install anonymous users. The installation also takes into
account some of the settings you had in your previous release, such as whether
the start-up script and man pages were installed, and it re-applies these settings.
With this method you are prompted for information; if you want to perform an
installation that uses a response file, see “Performing an Unattended Install on
Solaris” on page 48.

Note During the upgrade installation, script files are overwritten with new
versions that contain a checksum. If you have changed a script file since
MetaFrame was last installed, the installation process detects this and the existing
files are backed up before being replaced. The backed-up files have .bak and a
version number, such as v1.0, appended to them. You will need to copy your
changes into the new script files when the upgrade installation is finished.

Ø To upgrade to version 1.1


1. Ensure that there are no active sessions, and stop MetaFrame, using the
ctxshutdown command—see “Stopping MetaFrame” on page 55 for more
information.
2. Log on as root at the server on which you want to upgrade MetaFrame.
3. Mount the MetaFrame CD-ROM.
4. Change to the directory for the version of MetaFrame you want to install. For
example, type:
cd /cdrom/mfunix/solaris_version
where solaris_version is the name of the directory on the CD-ROM for the
platform architecture (SPARC or Intel) of Solaris you are using.
The path is usually /cdrom/mfunix/... but it may change depending on how
your system mounts the CD.
5. To install the upgrade, type:
pkgadd -d CTXSmf -a /cdrom/mfunix/default CTXSmf
where /cdrom/mfunix/default is the sample administration defaults file used
by the -a option of the pkgadd command. This is included on the MetaFrame
CD-ROM for your convenience—if you want to use different default settings,
copy and change this, as appropriate.
Note Ensure you specify the -a option or you will get the error message:
“Current administration requires that a unique instance of the <CTXSmf>
package be created. However, the maximum number of instances of the
package which may be supported at one time on the same system has already
been met. No changes were made to the system”.

6. At the prompt, type y to confirm you want to upgrade. This starts the package
installation script.
7. At the prompt for anonymous users, type y to create 15 anonymous user
accounts if you want to enable guest access.
8. At the prompt about security settings for setuid/setgid, type y to set the correct
file permissions for the MetaFrame files and processes.

Important Do not type n, or MetaFrame will not operate correctly.

9. At the next prompt, type y to continue installing MetaFrame. When complete,
a message tells you that the installation was successful and the command
prompt is displayed.
10. Reapply any changes you made to the script files by copying your changes
from the backed-up files to the new script files.

Performing an Unattended Install on Solaris


This section explains how to set up a script and a response file so that you are not
prompted for information during installation. Using this method, you can install
MetaFrame quickly and easily on multiple servers. You can use this procedure to
install MetaFrame for the first time or to upgrade to version 1.1 from a previous
release.
Ø To perform an unattended install
1. Log on as root at the server on which you want to install MetaFrame.
2. Create a response file that will be used by the -r option of the pkgadd
command—for example: /tmp/CTXSmf11. In this file include the following:
CLASSES=none app sts man
ANONYORN=y
The CLASSES variable specifies what to install:
§ none and app are mandatory.
§ If sts is specified, the startup script is installed.
§ If man is specified, the man pages are installed.
The ANONYORN variable specifies whether anonymous users are added
(y=yes; n=no).
3. Create a script file to perform the unattended install, for example:
#!/bin/sh
# change permissions for root to execute this file - chmod 744
pkgadd -r /tmp/CTXSmf11 -a /cdrom/mfunix/default -d /cdrom/mfunix/solaris_version/CTXSmf CTXSmf
where solaris_version is the name of the directory on the CD-ROM for the
platform architecture (SPARC or Intel) of Solaris you are using, and
/cdrom/mfunix/default is the sample administration defaults file used by the
-a option of the pkgadd command. This is included on the MetaFrame CD-
ROM for your convenience—if you want to use different default settings,
copy and change this, as appropriate. The path is usually /cdrom/mfunix/...
but it may change depending on how your system mounts the CD.
4. Run the script file to start the unattended install.
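
A lint for the response file from step 2, added here as an example and not part of the Citrix guide: it enforces the rules stated above (none and app are mandatory, ANONYORN is y or n) and reports what the unattended install will add, including the guest accounts. Treating an unlisted class or a missing ANONYORN as an error is an assumption of this example, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a pkgadd response file for the CTXSmf package before an
# unattended install. Variable names and values are the ones the guide lists;
# the file is assumed to use plain NAME=value lines as shown in step 2.
# Usage: validate_response_file /tmp/CTXSmf11 && ./install-script

# Print the value of variable $1 from response file $2 (last assignment wins).
resp_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# validate_response_file FILE
# Returns 0 if the file is usable, 1 otherwise; findings are written to stdout.
validate_response_file() {
    file=$1
    status=0
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read $file"
        return 1
    fi

    classes=$(resp_value CLASSES "$file")
    anon=$(resp_value ANONYORN "$file")

    # The guide states that none and app are mandatory.
    for required in none app; do
        case " $classes " in
            *" $required "*) ;;
            *) echo "ERROR: CLASSES must include '$required'"; status=1 ;;
        esac
    done

    # Report the optional classes. Rejecting a class the guide does not list
    # is an assumption of this example.
    for class in $classes; do
        case $class in
            none|app) ;;
            sts) echo "INFO: startup/shutdown script will be installed" ;;
            man) echo "INFO: man pages will be installed" ;;
            *) echo "ERROR: unknown class '$class'"; status=1 ;;
        esac
    done

    # ANONYORN decides whether the anonymous (guest) accounts are created, so
    # make the choice visible instead of letting it pass silently.
    case $anon in
        y) echo "WARN: ANONYORN=y creates the anonymous (guest) user accounts" ;;
        n) echo "INFO: no anonymous user accounts will be created" ;;
        *) echo "ERROR: ANONYORN must be y or n (found '$anon')"; status=1 ;;
    esac
    return $status
}
```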

Installing MetaFrame on HP-UX


This section describes how to install MetaFrame on an HP-UX platform. Before
you begin, ensure you have created the Citrix server administrator group account
ctxadm and the user ctxsrvr.
With this method you are prompted for information—if you want to perform an
installation that does not prompt you, see “Performing an Unattended Install on
HP-UX” on page 50.
Ø To install MetaFrame on HP-UX
1. Log on as root at the server on which you want to install MetaFrame.
2. Insert the MetaFrame CD-ROM into the CD-ROM drive.
3. At the command prompt, type swinstall. The SD Install program begins and
the Specify Source dialog is displayed.
4. In Source Depot Type, specify Local CD-ROM. The system auto-detects the
CD-ROM and displays a path. Choose OK.
5. In the SD Install dialog, select MetaFrame.
6. To install the entire MetaFrame package (including man pages, 15 anonymous
user accounts and the startup script) choose Mark for Install from the
Actions menu.
Alternatively, to install particular components, expand MetaFrame to display
the following filesets, then mark the filesets you want to install:

Fileset   Description
Anon      Choose to create 15 anonymous user accounts. You cannot install
          this fileset on its own—the Runtime fileset must also be installed.
Man       Choose to install the MetaFrame manual pages. You cannot install
          this fileset on its own—the Runtime fileset must also be installed.
Runtime   Choose to install the MetaFrame runtime environment (the
          programs and the configuration database).
Startup   Choose if you want to start MetaFrame when the machine is booted
          and stop it when the machine is shut down.
          If you choose this fileset, the script ctxsrv is installed in the
          /sbin/init.d directory, and two symbolic links are added:
          - the startup link S999ctxsrv is installed in /sbin/rc3.d
          - the shutdown link K001ctxsrv is installed in /sbin/rc2.d
          You cannot install this fileset on its own—the Runtime fileset must
          also be installed.

7. From the Actions menu, choose Install (analysis) to display analysis
information prior to the installation. If warnings are generated, display the
Logfile for further details.
8. Choose OK.
9. At the confirmation prompt, choose Yes to complete the installation.

Note Do not attempt to share or copy the MetaFrame for UNIX installation files
between servers. The configuration database cannot be duplicated, and you will
experience problems if you attempt to do this.

Performing an Unattended Install on HP-UX


This section explains how to perform an unattended install of MetaFrame on an
HP-UX platform. With an unattended install, you are not prompted for
information during the installation, so you can install MetaFrame quickly and
easily on multiple servers.
➢ To perform an unattended install of MetaFrame
1. Log on as root at the server on which you want to install MetaFrame.
2. Insert the MetaFrame CD-ROM into the CD-ROM drive and mount it as a
read-only filesystem. For example, at the command prompt type:
mount -r /dev/dsk/c0t0d0 /mnt/cdrom
where /dev/dsk/c0t0d0 is the file that identifies the CD-ROM drive and
/mnt/cdrom is the mount point of the CD-ROM.
3. To install the entire MetaFrame package (including man pages, 15 anonymous
user accounts and the startup script), at the command prompt, type:
swinstall -s /mnt/cdrom MetaFrame
Alternatively, list the particular filesets you want to install. For example, to
install MetaFrame and the man pages, at the command prompt, type:
swinstall -s /mnt/cdrom MetaFrame.Runtime MetaFrame.Man

Installing MetaFrame on AIX


This section describes how to install MetaFrame on an AIX platform using SMIT.
Before you begin, ensure you have created the Citrix server administrator group
account ctxadm and the user ctxsrvr.
With this method you are prompted for information. To perform an installation
that does not prompt you, see “Performing an Unattended Install on AIX” on
page 52.
➢ To install MetaFrame on AIX
1. Log on as root at the server on which you want to install MetaFrame.
2. Insert the MetaFrame CD-ROM into the CD-ROM drive.
3. Type smit. The System Management Interface Tool dialog is displayed.
4. Choose Software Installation and Maintenance.
5. Choose Install and Update Software.
6. Choose Install and Update Software by Package Name (includes devices
and printers). A dialog is displayed.
7. Choose List. The Single Select List dialog is displayed.
8. Select the CD-ROM drive.
9. Choose OK. The Multi-select List dialog is displayed.
10. Select Citrix and choose OK.
11. To install the entire MetaFrame package (including man pages, 15 anonymous
user accounts and the startup script) select Citrix.MetaFrame.
Alternatively, to install particular components, select the filesets you want to
install:
Citrix.MetaFrame...   Fileset description
.boot      Choose if you want to start MetaFrame when the machine is booted
           and stop it when the machine is shut down.
           If you choose this fileset, the daemon ctxmfd is installed in
           /usr/lpp/CTXSmf/sbin, and starts up automatically.
           During the installation of the .boot fileset, an entry is made in the
           /etc/inittab file that starts up ctxmfd and the MetaFrame server
           when booting up.
           You cannot install this fileset on its own—the
           Citrix.MetaFrame.rte fileset must also be installed.
.anon      Choose to create 15 anonymous user accounts. You cannot install
           this fileset on its own—the Citrix.MetaFrame.rte fileset must also
           be installed.
.rte       Choose to install the MetaFrame runtime environment (the
           programs and the configuration database).
.man       Choose to install the MetaFrame manual pages.

12. Choose OK. The Install and Update Software by Package Name (includes
devices and printers) dialog is displayed.
13. Choose OK to begin the installation.
14. At the prompt, choose OK to continue installing MetaFrame. When complete,
check the Installation Summary to make sure that the installation was
successful.
15. To exit from smit, select Exit SMIT from the Exit menu.

Note Do not attempt to share or copy the MetaFrame for UNIX installation files
between servers. The configuration database cannot be duplicated, and you will
experience problems if you attempt to do this.

Performing an Unattended Install on AIX


This section explains how to perform an unattended install of MetaFrame on an
AIX platform. With an unattended install, you are not prompted for information
during the installation, so you can install MetaFrame quickly and easily on
multiple servers.
➢ To perform an unattended install of MetaFrame
1. Log on as root at the server on which you want to install MetaFrame.
2. Insert the MetaFrame CD-ROM into the CD-ROM drive.
3. To install the entire MetaFrame package (including man pages, 15 anonymous
user accounts and the startup script), at the command prompt, type:
installp -X -d/dev/cd0 Citrix.MetaFrame
where -d/dev/cd0 is the CD-ROM device, and -X ensures that there is
sufficient disk space to install the package.
Alternatively, list the particular filesets you want to install. For example, to
install MetaFrame man pages, at the command prompt, type:
installp -X -d/dev/cd0 Citrix.MetaFrame.man

Setting the Paths to MetaFrame Commands


There are two types of MetaFrame commands:

User commands
    Any user can run these commands. They include the MetaFrame commands for
    logging off and disconnecting from a server.
    User commands are installed in:
    /opt/CTXSmf/bin
    /usr/lpp/CTXSmf/bin

System administration commands
    Only the ctxsrvr user (or members of the ctxadm group) can run these
    commands. They include server, published application, and ICA Browser
    configuration tools.
    Administration commands are installed in:
    /opt/CTXSmf/sbin
    /usr/lpp/CTXSmf/sbin

Configuring User Access to Commands


Generally, you do not have to do anything to allow users to run user commands
from their sessions. The path to these commands is added to each user’s path
upon connection to the server, so any user can access MetaFrame user commands
from an ICA session.
However, you may have to configure access to MetaFrame commands if the
user’s shell script startup file (for example, .profile or .login) overrides the path.
For example, on HP-UX, the default system profile (/etc/profile) sets the PATH
environment variable explicitly.
➢ To configure user access to MetaFrame commands
• If you are using a C shell, use a .login file for the user, and add the path to the
  user commands. For example:
    setenv PATH ${PATH}:/opt/CTXSmf/bin
    setenv PATH ${PATH}:/usr/lpp/CTXSmf/bin
• If you are using a Bourne or similar shell, use a .profile file for the user, and
  add the path to the user commands. For example:
    PATH=${PATH}:/opt/CTXSmf/bin
    export PATH
    PATH=${PATH}:/usr/lpp/CTXSmf/bin
    export PATH

Configuring ctxsrvr Access to Commands


A Citrix server administrator needs to be able to run both user and system
administration commands. If you are installing MetaFrame for the first time, you
need to configure your system so that the ctxsrvr user can run all the commands
from the MetaFrame server console, and also from an ICA session.
➢ To configure ctxsrvr access to MetaFrame commands
• If you are using a C shell, use a .login file for the ctxsrvr user, and add the path
  to the user and administrator commands. For example:
    setenv PATH ${PATH}:/opt/CTXSmf/sbin:/opt/CTXSmf/bin
    setenv PATH ${PATH}:/usr/lpp/CTXSmf/sbin:/usr/lpp/CTXSmf/bin
• If you are using a Bourne or similar shell, use a .profile file for the ctxsrvr
  user, and add the path to the user and administrator commands. For example:
    PATH=${PATH}:/opt/CTXSmf/sbin:/opt/CTXSmf/bin
    export PATH
    PATH=${PATH}:/usr/lpp/CTXSmf/sbin:/usr/lpp/CTXSmf/bin
    export PATH

Setting the Path to the man pages


Generally, you do not have to do anything to allow users to display man pages for
MetaFrame commands from a session. The path to these files is added to every
user’s MANPATH environment variable upon connection to the server.
However, you may have to configure access to the MetaFrame man pages if the
user’s shell script startup file (for example, .profile or .login) overrides the path.
For example, on HP-UX, the default system profile (/etc/profile) sets the
MANPATH environment variable explicitly.
To display the MetaFrame man pages from the server console when you log on as
ctxsrvr, you must set up your MANPATH environment variable to point to the
location of the installed man pages. You need to do this only if you are installing
MetaFrame for the first time.
➢ To set the MANPATH environment variable
• If you are using a C shell:
    setenv MANPATH ${MANPATH}:/opt/CTXSmf/man
    setenv MANPATH ${MANPATH}:/usr/lpp/CTXSmf/man
• If you are using a Bourne shell:
    MANPATH=${MANPATH}:/opt/CTXSmf/man
    export MANPATH
    MANPATH=${MANPATH}:/usr/lpp/CTXSmf/man
    export MANPATH

Starting and Stopping MetaFrame


Starting MetaFrame
When installation is complete, start the MetaFrame process on each server using
the ctxsrv command.
➢ To start MetaFrame
1. Log on at the MetaFrame server as a Citrix server administrator (for example,
the default user ctxsrvr).
2. At the command prompt, type:
ctxsrv start

Note If, during installation, you chose to add the startup/shutdown script,
MetaFrame will automatically start when the machine is booted.

Stopping MetaFrame
To stop the MetaFrame process on a server, use the ctxshutdown command. With
ctxshutdown you can specify when the shut down process will begin, and notify
users that the server is about to shut down. This allows users to save their work
and log off gracefully.
When the shut down process begins, applications will terminate, except for those
that have registered window hints. These applications will attempt to interactively
log users off by displaying a series of prompts.
With ctxshutdown, you can specify the maximum duration that users have to
respond to these prompts. Any sessions that are still active when this period
expires are terminated and the users are automatically logged off.
The server prevents users from logging on during the shut down process.

➢ To stop MetaFrame
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:

To: Shut down the server using the defaults. By default, the server shutdown
process begins after 60 seconds; the message “Server shutting down. Auto
logoff in 60 seconds” is sent to all users logged on to the server.
Applications that have registered window hints (the WM_DELETE_WINDOW
attribute) have a further 30 seconds to interactively log users off before
terminating.
Use the command: ctxshutdown

To: Operate in quiet mode. This reduces the amount of information displayed
to the administrator by the ctxshutdown command.
Use the command: ctxshutdown -q

To: Specify when the shut down process will begin, and how long the message
will be displayed, in seconds. The default is 60 seconds. When this period
expires and the shut down process begins, applications that have registered
window hints (the WM_DELETE_WINDOW attribute) will attempt to interactively
log the user off. Applications that have not registered window hints will
terminate immediately.
Use the command: ctxshutdown -m seconds

To: Specify how long applications that have registered window hints (the
WM_DELETE_WINDOW attribute) have to interactively log users off. The default
is 30 seconds. When this period expires, any remaining sessions are
automatically terminated, users are automatically logged off, and the
MetaFrame process stops.
Use the command: ctxshutdown -l seconds

To: Specify the message displayed to all users logged on to the server. If
you do not specify a message, the default message “Server shutting down.
Auto logoff in x seconds” is displayed, where x = the number of seconds
specified in the -m option (or the default of 60 seconds if this is not
specified).
Use the command: ctxshutdown message

Example
The following example shows how to display a message and begin the shut down
process after two minutes. Applications that have registered window hints are
given a further three minutes to attempt to interactively log users off.
ctxshutdown -m 120 -l 180 "Please log off now"

About ICA Client Keyboard Support


This section describes how to use ICA Client devices with non-English
keyboards with your MetaFrame for UNIX server.
MetaFrame for UNIX supports ICA Client devices that use the following
keyboards:

Language Locale ID
US English 409
UK English 809
French 40c
German 407
Swedish 41d
Spanish 40a
Italian 410

Configuring Non-English Keyboard Support


Your users can make connections to the MetaFrame server with ICA Client
devices that use non-English keyboards. The keyboards that MetaFrame supports
are shown in the table above.
➢ To configure non-English keyboard support
1. Ensure you start the server in the country locale of the ICA Client keyboard
that your users are using. For example, if your users have German keyboards,
start the server in a German locale. This ensures that the session runs in an
appropriate locale where fonts containing the required keyboard symbols are
in the font path and keyboard symbols appear correctly on the screen.
2. Make sure your users select the appropriate keyboard in the Settings dialog on
the client device. For further information about selecting keyboards, refer to
the Client Administrator’s Guides for the clients you are deploying.
Tip You can alter the locale for an individual user by setting environment
variables in their start-up files—see “Customizing the Appearance of
MetaFrame” on page 156 for further information.

Troubleshooting Non-English Keyboard Support


If users experience problems obtaining accent symbols, such as the circumflex
accent (^), it may be that the application they are using does not support dead
keys. A dead key is a key that does not produce a character when pressed—
instead, it modifies the character produced by the next key press. For example, on
a generic French PC keyboard the “^” (circumflex) key is a dead key. When this
key is pressed, and then the “a” key is pressed, “â” is generated.

Configuring MetaFrame Event Logging


When you first install MetaFrame on a UNIX system, events are not configured
to be sent to the system log (syslog).
MetaFrame uses the following event log levels:
• user.notice
• user.info
• user.warning
• user.err
• user.debug
To record MetaFrame events, you can add a line to the /etc/syslog.conf file and
specify the event log levels that you want to record. You must be root to edit
syslog.conf.

Note The event log level names that MetaFrame uses may also be used by other
programs. You may see messages from other software in the event log.

For example, adding the following line to the end of syslog.conf (separated with a
tab, not a space) causes all event log messages from MetaFrame for UNIX
Operating Systems to be put in the file /var/adm/messages:
user.notice;user.info	/var/adm/messages
user.notice;user.info	/var/adm/syslog/syslog.log

Note The file that you use (e.g. /var/adm/messages) must exist. If it does not, then
create it.

You may also want to send certain types of MetaFrame event details to the
console. For example, to ensure that all MetaFrame error messages appear on the
console, add this line to the file /etc/syslog.conf:
user.err	/dev/console
For more details about configuring system event logging, see the syslog.conf man
page.
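The two conditions stated above, a tab between the selector and the file and a log file that already exists, can be checked before syslogd rereads its configuration. The following is an added example, not part of the Citrix guide; the function names, the ROOT_PREFIX argument and the /var/adm/ctx.log path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint the user.* entries of a syslog.conf-style file.
# check_syslog_conf is a hypothetical helper, not a MetaFrame command.
# Usage: check_syslog_conf CONF_FILE [ROOT_PREFIX]
# ROOT_PREFIX is prepended to each log path so the check can be tried on a
# staged copy of the files; leave it empty on a live server.
check_syslog_conf() {
    conf=$1
    root=${2:-}
    status=0
    tab=$(printf '\t')

    while IFS= read -r line; do
        # Skip blank lines and comments.
        case $line in
            ''|'#'*) continue ;;
        esac
        # Only entries that select a user.* level are of interest here.
        case $line in
            user.*|*';user.'*) ;;
            *) continue ;;
        esac
        # Selector and action must be separated by a tab, not a space.
        case $line in
            *"$tab"*) ;;
            *) echo "NO-TAB: $line"; status=1; continue ;;
        esac
        action=${line##*"$tab"}
        # An action starting with "/" is a file or device that must exist.
        case $action in
            /*)
                if [ ! -e "$root$action" ]; then
                    echo "MISSING-FILE: $action"
                    status=1
                fi
                ;;
        esac
    done < "$conf"
    return $status
}

# Constructed sample: one correct entry, one entry separated by a space,
# and one entry whose log file has not been created.
sample_run() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/adm"
    : > "$tmp/var/adm/messages"
    {
        printf 'user.notice;user.info\t/var/adm/messages\n'
        printf 'user.err /dev/console\n'
        printf 'user.warning\t/var/adm/ctx.log\n'
    } > "$tmp/syslog.conf"
    rc=0
    check_syslog_conf "$tmp/syslog.conf" "$tmp" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a live server, run it as `check_syslog_conf /etc/syslog.conf` and create any file it reports as missing before restarting syslogd.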

Removing MetaFrame Version 1.1


The following describes how to remove version 1.1 of MetaFrame.
➢ To remove MetaFrame on Solaris
1. Log on as a Citrix server administrator at the MetaFrame server.
2. Ensure that there are no active sessions and stop MetaFrame, using the
ctxshutdown command. See “Stopping MetaFrame” on page 55 for more
information.
3. Log on as root.
4. To remove MetaFrame, type:
pkgrm CTXSmf
➢ To remove MetaFrame on HP-UX
1. Log on as a Citrix server administrator at the MetaFrame server.
2. Ensure that there are no active sessions and stop MetaFrame, using the
ctxshutdown command. See “Stopping MetaFrame” on page 55 for more
information.
3. Log on as root.
4. To remove MetaFrame, type:
swremove
5. The SD Remove dialog is displayed. Choose MetaFrame.
6. From the Actions menu, choose Mark for Remove.
7. From the Actions menu, choose Remove (analysis) to display analysis
information prior to the removal. If any warnings are generated, display the
Logfile for further details.
8. Choose OK to remove MetaFrame.

Tip To quickly remove the entire MetaFrame package, at the command
prompt, type: swremove MetaFrame

➢ To remove MetaFrame on AIX
1. Log on as a Citrix server administrator at the MetaFrame server.
2. Ensure that there are no active sessions and stop MetaFrame, using the
ctxshutdown command. See “Stopping MetaFrame” on page 55 in this
chapter for more information.
3. Log on as root.
4. Type smit. The System Management Interface Tool dialog is displayed.
5. Choose Software Installation and Maintenance.

6. Choose Software Maintenance and Utilities.
7. Choose Remove Installed Software. The Remove Installed Software dialog
is displayed.
8. In SOFTWARE name, type Citrix.MetaFrame
Or, to remove a particular fileset, type in its name—for example
Citrix.MetaFrame.man.
Note If you want to remove the Citrix.MetaFrame.rte fileset, you must also
remove the Citrix.MetaFrame.boot and Citrix.MetaFrame.anon filesets. If
you do not, a ‘Dependency Failure’ occurs.

9. Set PREVIEW only? to no.
10. Choose OK.
11. At the prompt, choose OK to confirm you want to remove the software. When
complete, check the Installation Summary to make sure that the removal was
successful.

Note If the removal of MetaFrame fails it may be because you did not stop the
server—see Step 2.

12. To exit from smit, select Exit SMIT from the Exit menu.
Tip To quickly remove the entire MetaFrame package, at the command
prompt, type: installp -u Citrix.MetaFrame.

Reinstalling MetaFrame Version 1.1


You may need to reinstall MetaFrame if:
• You (or another user) have accidentally deleted MetaFrame files, such as
binary files. If this happens, you need to reinstall MetaFrame but preserve
your configuration so that information such as licensing and published
application data is retained. To do this, simply follow the instructions for
“Installing MetaFrame”.
• The configuration database is corrupted. For example, you may experience
problems displaying or modifying settings such as Citrix licensing, or you
may see “Internal Error” messages. If you are in doubt about whether you
have a corrupt configuration database, contact Citrix support. You may need to
reinstall MetaFrame and overwrite your configuration files. To do this,
remove MetaFrame (see “Removing MetaFrame Version 1.1” on page 59 for
information) and then reinstall MetaFrame by following the instructions in
“Installing MetaFrame Version 1.1” on page 44. You will need to reactivate
your Citrix licenses.
Note When you reinstall MetaFrame on the AIX platform, ensure you set the
OVERWRITE same or newer versions box in the Install and Update
Software by Package Name (includes devices and printers) dialog to yes,
or MetaFrame will not reinstall.
When you reinstall MetaFrame on the HP-UX platform, ensure you select the
Reinstall filesets even if same revision exists option in the Options dialog
(available from the Options/Change Options menu in swinstall) or
MetaFrame will not reinstall.

What To Do Next
To complete the installation, you need to activate your Citrix licenses to permit
ICA connections to the server and enable the software. For information, see
“Citrix Licensing” on page 91.
For information about upgrading to Feature Release 1 for MetaFrame for UNIX
Operating Systems, see “Upgrading to Feature Release 1” on page 63.
CHAPTER 3

Upgrading to Feature Release 1

Overview
This chapter is for users who are upgrading to Feature Release 1 for MetaFrame
for UNIX Operating Systems. It describes the steps you need to perform to install
Feature Release 1, and configure and use the new features. Topics in this chapter
include:
• Introduction to Feature Release 1
• An overview of how to get Feature Release 1 up and running quickly
• System Requirements
• Creating the ctxnfuse and ctxssl user accounts
• Installing Feature Release 1
• Configuring the MetaFrame server for the new features and fixes to take effect
• Removing Feature Release 1
• Reinstalling Feature Release 1

About Feature Release 1


Feature Release 1 is an upgrade for version 1.1 of MetaFrame for UNIX
Operating Systems. You can also upgrade to Feature Release 1 from the Early
Access Version of Feature Release 1.
Feature Release 1 provides a number of new features, and fixes for known
problems in version 1.1 of MetaFrame for UNIX. For a list of the new features
and fixes included in Feature Release 1, see “What’s New in Feature Release 1?”
on page 22.
After you install Feature Release 1 on your MetaFrame server, most fixes for
known problems in version 1.1 of MetaFrame for UNIX Operating Systems
automatically take effect. However, for some fixes to take effect, additional
MetaFrame server configuration is required.
To enable some of the new features, you must add and activate the Feature
Release 1 license. For some new features to take effect, additional MetaFrame
server configuration is also required.

Getting Feature Release 1 Up and Running Quickly


The following section provides an overview of the steps required to install
Feature Release 1, and get it up and running quickly on your MetaFrame server.
➢ To upgrade to Feature Release 1
1. Install Feature Release 1 on the MetaFrame server. The server must have
Version 1.1 of MetaFrame for UNIX Operating Systems, or the Early Access
Version of Feature Release 1 already installed.
Important If you want to include the Citrix XML Service or SSL Relay for
UNIX in the installation, create the ctxnfuse user and the ctxssl user (with the
primary group set to ctxadm) before you begin the installation process.

2. Add and activate the Feature Release 1 license to enable some of the new
features—for information on installing and activating Citrix licenses, see
“Citrix Licensing” on page 91. For information about which features require
the Feature Release 1 license to be activated, see “New Features” on
page 22.
3. Configure the server for some of the new features and fixes to take effect—for
information on what configuration is required, see “What Configuration is
Required for Feature Release 1?” on page 79.
The following section explains in more detail how to install Feature Release 1,
and how to configure the MetaFrame server for the new features and fixes to take
effect.

System Requirements
This section lists the system requirements for Feature Release 1, for MetaFrame
for UNIX, the Citrix XML Service for UNIX, and Citrix SSL Relay for UNIX.

Note For information about the operating system patches that are required, see
“Operating System Patch Information” on page 279. This information is also in
document CTX222222 in the Solution Knowledge Base on the Citrix Web site at
http://knowledgebase.citrix.com/
The information in the Solution Knowledge Base is updated regularly and may be
more up to date than the information provided in this guide.

MetaFrame Requirements
Feature Release 1 is an upgrade to Version 1.1 of MetaFrame for UNIX Operating
Systems, or the Early Access Version of Feature Release 1. Therefore, to install
and run Feature Release 1, Version 1.1 of MetaFrame for UNIX or the Early
Access Version of Feature Release 1 must be installed. For information about
installing version 1.1 of MetaFrame for UNIX, see “Deploying MetaFrame
Version 1.1” on page 39.
The appropriate Citrix Licenses for version 1.1 of MetaFrame must also be
installed. For more information, see “Citrix Licensing” on page 91.

Citrix SSL Relay Requirements


During the installation of Feature Release 1, you can choose whether to include
Version 1.0 of Citrix SSL Relay for UNIX.
SSL Relay provides server authentication, encryption of the data stream, and
message integrity checks. The system requirements for SSL Relay are the same as
for MetaFrame for UNIX.

Citrix XML Service Requirements


During the installation of Feature Release 1, you can choose whether to include
Version 1.6 of the Citrix XML Service for UNIX. The XML Service is required
for NFuse deployment, and for TCP/IP + HTTP browsing for clients.

Requirements for All Platforms


For NFuse deployment, NFuse Web Extensions version 1.5 or later must be
installed on your Web server. However, to ensure that you can take advantage of
all the new features available in Feature Release 1—such as SSL support—you
must install NFuse Web Extensions version 1.6 or later. If you are using NFuse
1.0, you must upgrade to NFuse Web Extensions version 1.5 or later or this
service will not operate. See the NFuse Administrator’s Guide for more
information.
If the server is part of a MetaFrame server farm, we recommend that all other
MetaFrame for UNIX servers in the farm are version 1.1 or later. However, to
ensure that you can take advantage of all the new features available in Feature
Release 1—such as ticketing—all MetaFrame for UNIX servers in the farm must
be running Feature Release 1 and Version 1.6 of the Citrix XML Service for
UNIX. The Feature Release 1 license must also be installed and activated for
ticketing to work.
If you configure the template ICA files in NFuse to enable the use of alternate
addresses, all MetaFrame for UNIX servers in the farm must be running Feature
Release 1 and Version 1.6 of the Citrix XML Service for UNIX—see the NFuse
Administrator’s Guide for more information about alternate addressing.
Version 1.0 servers can be included in a UNIX-only farm, provided the master
browser is Feature Release 1; however, applications on version 1.0 servers will
not be visible through NFuse.
All UNIX servers in the farm must participate in the same authentication domain,
and we recommend that this is done through NIS. You can use a mixed farm of
MetaFrame for UNIX and MetaFrame for NT servers if you set up your servers
so that:
• The MetaFrame for UNIX servers are all version 1.1 or above, and
• The MetaFrame for NT servers are all version 1.8 or above.
In addition, each user requires a Web browser and ICA Client, as required by the
NFuse Web Extensions.

Additional Requirements for the Solaris Operating Environment

On the Solaris 2.6 platform, ensure that the Java runtime environment (JRE)
installed on your system is version 1.1.8 or higher. JRE versions are available at:
http://www.sun.com/software/solaris/jre/download.html

Additional Requirements for the HP-UX Operating System


The Citrix XML Service for UNIX requires an HP-UX workstation running
HP-UX version 11.x or later. Ensure that the Java runtime environment (JRE)
installed on your system is version 1.1.8 or higher. JRE versions are available
from the HP Web site: http://www.hp.com/

Additional Requirements for the AIX Operating System


The Citrix XML Service for UNIX requires an AIX server running AIX version
4.3.3 or later, with the Java 1.1.8 runtime environment installed.

Creating the ctxnfuse and ctxssl User Accounts


If you are installing the Citrix XML Service for the first time, you need to create
the Citrix NFuse administrator user account, before installing the XML Service.
Similarly, if you are installing Citrix SSL Relay for the first time, you need to
create the Citrix SSL Relay administrator user account, before installing the SSL
Relay. If you do not do this, the installation will fail. These accounts are required
by some commands that demand special administration rights, but do not require
root access to the UNIX system.
• Create a Citrix NFuse administrator using the user name ctxnfuse. Make sure
  that you add the ctxnfuse user to the ctxadm group, and that the ctxadm group
  is its primary group.
• Create a Citrix SSL Relay administrator using the user name ctxssl. Make sure
  that you add the ctxssl user to the ctxadm group, and that the ctxadm group is
  its primary group.

Important Do not use the Citrix NFuse administrator user for any purposes other
than XML and NFuse system administration, and do not use the Citrix SSL Relay
administrator user for any purposes other than SSL Relay system administration.
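Because the installation fails when these accounts are missing, the account and primary-group requirements above can be checked beforehand. The following is an added example, not a MetaFrame tool; the helper names and the sample UIDs and GIDs are constructed, and it reads local passwd and group files only, so accounts served by NIS have to be dumped to files first.

```shell
#!/bin/sh
# Added example: pre-install check for the ctxnfuse and ctxssl accounts.
# check_ctx_account and precheck_fr1 are hypothetical helper names.
# Usage: check_ctx_account USER [PASSWD_FILE] [GROUP_FILE]
check_ctx_account() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    group_file=${3:-/etc/group}

    # GID of the ctxadm group (third field of the group file).
    adm_gid=$(awk -F: '$1 == "ctxadm" { print $3; exit }' "$group_file")
    if [ -z "$adm_gid" ]; then
        echo "ctxadm: group missing"
        return 2
    fi
    # Primary GID of the user (fourth field of the passwd file).
    user_gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
    if [ -z "$user_gid" ]; then
        echo "$user: account missing"
        return 1
    fi
    # Membership alone is not enough: ctxadm must be the primary group.
    if [ "$user_gid" != "$adm_gid" ]; then
        echo "$user: primary group is GID $user_gid, expected ctxadm ($adm_gid)"
        return 1
    fi
    echo "$user: ok"
    return 0
}

# Check both accounts; the return value is the number of failed checks.
# Usage: precheck_fr1 [PASSWD_FILE] [GROUP_FILE]
precheck_fr1() {
    failures=0
    for u in ctxnfuse ctxssl; do
        check_ctx_account "$u" "$@" || failures=$((failures + 1))
    done
    return $failures
}

# Constructed sample: ctxnfuse is set up correctly, while ctxssl has only
# been left with a different primary group (GID 10) instead of ctxadm.
sample_precheck() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'root::0:' \
        'staff::10:ctxssl' \
        'ctxadm::201:ctxsrvr' > "$tmp/group"
    printf '%s\n' \
        'ctxsrvr:x:2001:201:Citrix admin:/home/ctxsrvr:/bin/sh' \
        'ctxnfuse:x:2002:201:NFuse admin:/home/ctxnfuse:/bin/sh' \
        'ctxssl:x:2003:10:SSL Relay admin:/home/ctxssl:/bin/sh' > "$tmp/passwd"
    rc=0
    precheck_fr1 "$tmp/passwd" "$tmp/group" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```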

Installing Feature Release 1


During the installation of Feature Release 1:
• Your existing configuration settings, such as licensing and published
  application information, are preserved. Your existing configuration is backed
  up as two files in: /var/CTXSmf/backup1.1.0.0 (if you are upgrading from
  version 1.1) or /var/CTXSmf/backup1.1.1.0 (if you are upgrading from the
  Early Access Version). For example, if you are upgrading from version 1.1,
  the back-up files are:
    - YYYYMMDDhhmmss-ctxconfdb.HKLM.1.1.0.0.dir
    - YYYYMMDDhhmmss-ctxconfdb.HKLM.1.1.0.0.pag
  where YYYYMMDDhhmmss is the date (in year, month and day format) and
  time (in hours, minutes and seconds format) that the backup was taken.
• Any hotfixes that are currently installed are superseded and replaced by
  Feature Release 1.
• Script files are overwritten with new versions. If you have changed a script
  file since MetaFrame was last installed, the installation process detects this
  and the existing files are backed up before being replaced. The name and
  location of the backed up files depends upon the UNIX platform:
    - On Solaris, .BAKvME111Sx000 or .BAKvME110Sx000 is appended to
      the backups (depending upon whether you are upgrading from version 1.1
      or the Early Access Version), where x is S for SPARC or I for Intel.
    - On AIX, version.save.index is appended to the backups, where version is
      the version number of the upgrade (1.1.2), and index is a number (starting
      at zero) that is incremented on each save.
    - On HP-UX, scripts are backed up in the following directory:
      /var/CTXSmf/backupversion where version is the version number of the
      previously installed product (1.1 or 1.1.1). The name of the script file is not
      changed.
  You will need to copy your changes into the new script files when the upgrade
  installation is finished.
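After an upgrade it is worth confirming that the configuration backup described above is complete, that is, that both the .dir and .pag files exist for the same timestamp. The following is an added example, not part of the Citrix guide; the function names and sample timestamps are constructed, and the version string is passed as an argument because the guide only shows the file names for an upgrade from version 1.1.

```shell
#!/bin/sh
# Added example: find the newest complete configuration backup.
# latest_ctx_backup is a hypothetical helper, not a MetaFrame command.
# Usage: latest_ctx_backup BACKUP_DIR VERSION
#   e.g. latest_ctx_backup /var/CTXSmf/backup1.1.0.0 1.1.0.0
# Prints the YYYYMMDDhhmmss stamp of the newest backup that has both files;
# returns 1 if no complete pair is found.
latest_ctx_backup() {
    bdir=$1
    ver=$2
    best=
    # Glob results are sorted, and fixed-width numeric stamps sort
    # chronologically, so the last complete pair seen is the newest.
    for f in "$bdir"/*-ctxconfdb.HKLM."$ver".dir; do
        [ -f "$f" ] || continue
        name=${f##*/}
        stamp=${name%%-*}
        # Accept only a 14-digit YYYYMMDDhhmmss prefix.
        case $stamp in
            ''|*[!0-9]*) continue ;;
        esac
        [ "${#stamp}" -eq 14 ] || continue
        pag="$bdir/$stamp-ctxconfdb.HKLM.$ver.pag"
        if [ ! -f "$pag" ]; then
            echo "INCOMPLETE: $name has no matching .pag file" >&2
            continue
        fi
        best=$stamp
    done
    [ -n "$best" ] || return 1
    echo "$best"
}

# Constructed sample: one complete backup and a later one whose .pag file
# is missing, so the earlier stamp is the one that can be relied on.
sample_backup_check() {
    tmp=$(mktemp -d)
    : > "$tmp/20010312101500-ctxconfdb.HKLM.1.1.0.0.dir"
    : > "$tmp/20010312101500-ctxconfdb.HKLM.1.1.0.0.pag"
    : > "$tmp/20010405093000-ctxconfdb.HKLM.1.1.0.0.dir"
    rc=0
    latest_ctx_backup "$tmp" 1.1.0.0 || rc=$?
    rm -rf "$tmp"
    return $rc
}
```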
The following describes the steps required to install and start Feature Release 1.

Downloading Feature Release 1 Files From the Citrix Web Site


Feature Release 1 is available on CD-ROM or from the Citrix Web site. The
following section describes the steps required to download the Feature Release 1
files from the Web site, and untar and uncompress them prior to installation.

Note Although you can download Feature Release 1 from the Citrix Web site,
you will require a license serial number to activate many of the new features.
License serial numbers are distributed on the Feature Release 1 CD-ROM, or via
a Web site if you have been given a URL through an electronic licensing
program. However, many new features and fixes are available without the Feature
Release 1 license—for a list of these, see “New Features That Do Not Require a
Feature Release 1 License” on page 24 and “Fixes Included in Feature Release 1”
on page 26. To obtain the Feature Release 1 CD-ROM, contact Citrix or your
usual Citrix supplier.

➢ To download Feature Release 1 from the Citrix Web site


1. Log on to the MetaFrame server as a Citrix server administrator.
2. Download the Feature Release 1 files from the Citrix Web site (the files are
available at: http://www.citrix.com/download) to a suitable directory on the
server on which you want to install Feature Release 1. Ensure there is at
least 40Mb free in this directory.
3. The Feature Release 1 files are archived and compressed. To untar and
uncompress the files, type:
zcat ME112xx000.tar.Z | tar xvf -
where ME112xx000 is:
• ME112SS000 for the Solaris SPARC version
• ME112SI000 for the Solaris Intel version
• ME112HP000 for the HP-UX version
• ME112SI000 for the IBM AIX version

Installing Feature Release 1 on Solaris


This section describes how to install Feature Release 1 on a Solaris platform
using pkgadd.
With this method you are prompted for information. To perform an installation
that does not prompt you, see “Performing an Unattended Install on Solaris” on
page 72.
➢ To install Feature Release 1 on Solaris
1. Ensure that there are no active sessions and stop MetaFrame using the
ctxshutdown command—for information about ctxshutdown, see “Stopping
MetaFrame” on page 55.
2. Log on as root at the server on which you want to install Feature Release 1.
3. Insert the Feature Release 1 CD-ROM into the CD-ROM drive and change to
the directory for the version of MetaFrame you want to install. For example,
type:
cd /cdrom/mfu1.1fr1/solaris_version
where solaris_version is the name of the directory on the CD-ROM for the
platform architecture (solaris_sparc or solaris_intel) you are using.
Alternatively, change to the directory where you downloaded the Feature
Release 1 files from the Citrix Web site.
The following packages are available:
CTXSmf—Feature Release 1 for MetaFrame. Choose this package to install
the new features and fixes available in Feature Release 1.
CTXSssl—Citrix SSL Relay for UNIX version 1.0. Choose this package to
provide SSL-secure communications.
CTXSxml—Citrix XML Service version 1.6. Choose this package for NFuse
deployment, and for TCP/IP + HTTP browsing for clients.

Important If you want to install Citrix SSL Relay or the XML Service, make
sure you create the ctxnfuse and ctxssl users before you proceed, or the
installation will fail—for information, see “Creating the ctxnfuse and ctxssl
User Accounts” on page 67. If you want to install only Citrix SSL Relay or the
XML Service, MetaFrame Feature Release 1 (CTXSmf) must be installed
already.
4. You can install all three packages, or an individual package.


• To install all three packages, type:
pkgadd -d /cdrom/mfu1.1fr1/solaris_version CTXSmf CTXSxml CTXSssl
where solaris_version is the name of the directory for the platform
architecture (solaris_sparc or solaris_intel) you are using.
• To install an individual package (for example, MetaFrame Feature Release
1) type:
pkgadd -d /cdrom/mfu1.1fr1/solaris_version CTXSmf
5. Installation begins and the system displays a series of prompts. At the prompt
about security settings for setuid/setgid, type y to set the correct file
permissions for the MetaFrame files and processes, and also for the XML
Service or SSL Relay files and processes, if you have chosen to include these.
Important Do not type n at the setuid/setgid prompt, or MetaFrame will not
operate correctly.

When installation is complete, a message tells you that the installation was
successful and the command prompt is displayed.

Note Do not attempt to share or copy the Feature Release 1 for UNIX installation
files between servers. The configuration database cannot be duplicated or shared,
and you will experience problems if you attempt to do this.

Performing an Unattended Install on Solaris


This section explains how to set up a script and a response file so that you are not
prompted for information during installation. Using this method, you can install
Feature Release 1 quickly and easily on multiple servers.
► To perform an unattended install
1. Log on as root at the server on which you want to install Feature Release 1.
2. Create a response file that will be used by the -r option of the pkgadd
command—for example: /tmp/CTXSmf112. The lines required in the
response file are:
CLASSES="none app man sts sslrelay script"
ANONYORN=y
INSTALLTYPE=upgrade
FROMVERSION=1.1.0.0
SAVETREE=1
BASEDIR=/opt
CONFIGBASEDIR=/var
JREBASEDIR=/usr/java1.2/jre
MAKEBASEDIR=0
MAKECONFIGBASEDIR=0

Note Set FROMVERSION=1.1.0.0 if you are upgrading from Version 1.1, or
set it to 1.1.1.0 if you are upgrading from the Early Access Version.
JREBASEDIR specifies the location of the Java Runtime Environment
(JRE)—ensure the JRE you specify is version 1.1.8 or higher.

3. Create a script file to perform the unattended install, for example:


#!/bin/sh
# change permissions for root to execute this file - chmod 744
# (the trailing backslash continues the pkgadd command onto the next line)
pkgadd -r /tmp/CTXSmf112 -a /cdrom/mfu1.1fr1/default \
    -d /cdrom/mfu1.1fr1/solaris_version CTXSmf CTXSssl CTXSxml
where solaris_version is the name of the directory on the CD-ROM for the
platform architecture (SPARC or Intel) of Solaris you are using, and
/cdrom/mfu1.1fr1/default is the sample administration defaults file used by
the -a option of the pkgadd command. This is included on the MetaFrame
CD-ROM for your convenience—if you want to use different default settings,
copy and change this, as appropriate. The path is usually /cdrom/mfu1.1fr1/...
but it may change depending on how your system mounts the CD.
4. Run the script file to start the unattended install.
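
One way to generate the response file from step 2 and assemble the command from step 3, as an added example that is not part of the Citrix guide. It accepts only the two FROMVERSION values the note names, and creates the file with noclobber and a restrictive umask so that root never overwrites an existing file at the chosen path. The function names write_response_file and pkgadd_command and their argument order are assumptions.

```shell
#!/bin/sh
# Added example (not from the Citrix guide): prepare an unattended
# Feature Release 1 upgrade on Solaris.
# write_response_file and pkgadd_command are hypothetical helper names.

# usage: write_response_file OUTFILE FROMVERSION [JREBASEDIR]
write_response_file() {
    out=$1
    from=$2
    jre=${3:-/usr/java1.2/jre}

    # The guide names exactly two valid upgrade origins:
    # 1.1.0.0 (Version 1.1) and 1.1.1.0 (Early Access Version).
    case $from in
        1.1.0.0|1.1.1.0) ;;
        *) echo "FROMVERSION must be 1.1.0.0 or 1.1.1.0, got: $from" >&2
           return 2 ;;
    esac

    # The subshell keeps umask and noclobber from leaking into the caller.
    (
        umask 077   # response file readable by the installing user only
        set -C      # noclobber: fail instead of overwriting an existing file
        cat > "$out" <<EOF
CLASSES="none app man sts sslrelay script"
ANONYORN=y
INSTALLTYPE=upgrade
FROMVERSION=$from
SAVETREE=1
BASEDIR=/opt
CONFIGBASEDIR=/var
JREBASEDIR=$jre
MAKEBASEDIR=0
MAKECONFIGBASEDIR=0
EOF
    ) || { echo "could not create $out (does it already exist?)" >&2; return 1; }
}

# usage: pkgadd_command RESPFILE ARCHDIR [CDROOT]
# Prints (does not run) the unattended pkgadd command for review.
pkgadd_command() {
    resp=$1
    arch=$2
    cdroot=${3:-/cdrom/mfu1.1fr1}

    # Only the two CD-ROM directory names given in the guide are accepted.
    case $arch in
        solaris_sparc|solaris_intel) ;;
        *) echo "ARCHDIR must be solaris_sparc or solaris_intel" >&2
           return 2 ;;
    esac

    echo "pkgadd -r $resp -a $cdroot/default -d $cdroot/$arch CTXSmf CTXSssl CTXSxml"
}
```

Pass a third argument to pkgadd_command if your system mounts the CD somewhere other than /cdrom/mfu1.1fr1.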

Installing Feature Release 1 on HP-UX


This section describes how to install Feature Release 1 on an HP-UX platform.
With this method you are prompted for information—if you want to perform an
installation that does not prompt you, see “Performing an Unattended Install on
HP-UX” on page 75.
► To install MetaFrame on HP-UX
1. Ensure that there are no active sessions and stop MetaFrame using the
ctxshutdown command—for information about ctxshutdown, see “Stopping
MetaFrame” on page 55.
2. Log on as root at the server on which you want to install Feature Release 1.
3. The next step depends upon whether you are installing from CD-ROM or from
the Citrix Web site:
Installing from CD-ROM
• Insert the Feature Release 1 CD-ROM into the CD-ROM drive.
• At the command prompt, type swinstall. The SD Install program begins
and the Specify Source dialog is displayed.
• In Source Depot Type specify Local CD-ROM. The system auto-detects
the CD-ROM and displays a path. Choose OK.
Installing from the Web site
• At the command prompt, type:
swinstall -s /path MetaFrame.depot
where /path is the directory to which you downloaded the files from the Web site.
4. The SD Install dialog displays the packages you can choose from:
CTXSdocs—MetaFrame documentation. Choose this package to install the
MetaFrame for UNIX Administrator’s Guide and the Citrix SSL Relay for
UNIX Administrator’s Guide, in pdf format.
CTXSssl—Citrix SSL Relay for UNIX version 1.0. Choose this package to
provide SSL-secure communications.
CTXSxml—Citrix XML Service version 1.6. Choose this package for NFuse
deployment, and for TCP/IP + HTTP browsing for clients.
ME112HP000—Feature Release 1 for MetaFrame. Choose this package to
install the new features and fixes available in Feature Release 1.

Important If you want to install Citrix SSL Relay or the XML Service, make
sure you create the ctxnfuse and ctxssl users before you proceed, or the
installation will fail—for information, see “Creating the ctxnfuse and ctxssl
User Accounts” on page 67. If you want to install only Citrix SSL Relay or the
XML Service, MetaFrame Feature Release 1 must be installed already.

5. To select a package, choose Mark for Install from the Actions menu.
Alternatively, to install particular components of a package, expand the
package to display the filesets, then mark the filesets you want to install. For
example, ME112HP000 has the following filesets:

Fileset    Description
Anon       Choose to create 15 anonymous user accounts. You cannot install this
           fileset on its own—the Runtime fileset must also be installed.
Man        Choose to install the MetaFrame manual pages. You cannot install this
           fileset on its own—the Runtime fileset must also be installed.
Runtime    Choose to install the MetaFrame runtime environment (the programs
           and the configuration database).
Startup    Choose if you want to start MetaFrame when the machine is booted and
           stop it when the machine is shut down.
           If you choose this fileset, the script ctxsrv is installed in the
           /sbin/init.d directory, and two symbolic links are added:
           - the startup link S999ctxsrv is installed in /sbin/rc3.d
           - the shutdown link K001ctxsrv is installed in /sbin/rc2.d
           You cannot install this fileset on its own—the Runtime fileset must
           also be installed.

6. From the Actions menu, choose Install (analysis) to display analysis
information prior to the installation. If warnings are generated, display the
Logfile for further details.
7. Choose OK.
8. At the confirmation prompt, choose Yes to complete the installation.
Note Do not attempt to share or copy the Feature Release 1 for UNIX installation
files between servers. The configuration database cannot be duplicated or shared,
and you will experience problems if you attempt to do this.

Performing an Unattended Install on HP-UX


This section explains how to perform an unattended install of Feature Release 1
on an HP-UX platform. With an unattended install, you are not prompted for
information during the installation, so you can install Feature Release 1 quickly
and easily on multiple servers.
► To perform an unattended install of Feature Release 1
1. Log on as root at the server on which you want to install Feature Release 1.
2. If you are installing from CD-ROM, insert the Feature Release 1 CD-ROM
into the CD-ROM drive and mount it as a read-only file system. For example,
at the command prompt type:
mount -r /dev/dsk/c0t0d0 /mnt/cdrom
where /dev/dsk/c0t0d0 is the file that identifies the CD-ROM drive and
/mnt/cdrom is the mount point of the CD-ROM.
3. To install Feature Release 1, at the command prompt, type:
swinstall -s /mnt/cdrom ME112HP000 CTXSxml CTXSssl CTXSdocs

Installing Feature Release 1 on AIX


This section describes how to install Feature Release 1 on an AIX platform using
SMIT.
With this method you are prompted for information—if you want to perform an
installation that does not prompt you, see “Performing an Unattended Install on
AIX” on page 78.
► To install Feature Release 1 on AIX
1. Ensure that there are no active sessions and stop MetaFrame using the
ctxshutdown command—for information about ctxshutdown, see “Stopping
MetaFrame” on page 55.
2. Log on as root at the server on which you want to install Feature Release 1.
3. Insert the Feature Release 1 CD-ROM into the CD-ROM drive, or change to
the directory where you downloaded the Feature Release 1 files from the
Citrix Web site.
4. Type smit. The System Management Interface Tool dialog is displayed.
5. Choose Software Installation and Maintenance.
6. Choose Install and Update Software.
7. Choose Install and Update Software by Package Name (includes devices
and printers). A dialog is displayed.
8. Choose List. The Single Select List dialog is displayed.
9. Select the CD-ROM drive, or the directory containing the Feature Release 1
files.
10. Choose OK. The Multi-select List dialog is displayed.
11. Select Citrix and choose OK. You can choose from the following packages:
Citrix.MetaFrame—Feature Release 1 for MetaFrame. Choose this package
to install the new features and fixes available in Feature Release 1.
Citrix.ssl—SSL Relay for UNIX version 1.0. Choose this package to provide
SSL-secure communications.
Citrix.xmld—XML Service version 1.6. Choose this package for NFuse
deployment, and for TCP/IP + HTTP browsing for clients.

Important If you want to install Citrix SSL Relay or the XML Service, make
sure you create the ctxnfuse and ctxssl users before you proceed, or the
installation will fail—for information, see “Creating the ctxnfuse and ctxssl
User Accounts” on page 67. If you want to install only Citrix SSL Relay or the
XML Service, MetaFrame Feature Release 1 must be installed already.
12. To install a package, select it.
Alternatively, to install particular components, select the filesets you want to
install. For example, MetaFrame has the following filesets:

Citrix.MetaFrame...   Fileset description
.boot                 Choose if you want to start MetaFrame when the machine is
                      booted and stop it when the machine is shut down.
                      If you choose this fileset, the daemon ctxmfd is installed
                      in /usr/lpp/CTXSmf/sbin, and starts up automatically.
                      During the installation of the .boot fileset, an entry is
                      made in the /etc/inittab file that starts up ctxmfd and
                      the MetaFrame server, when booting up.
                      You cannot install this fileset on its own—the
                      Citrix.MetaFrame.rte fileset must also be installed.
.anon                 Choose to create 15 anonymous user accounts. You cannot
                      install this fileset on its own—the Citrix.MetaFrame.rte
                      fileset must also be installed.
.rte                  Choose to install the MetaFrame runtime environment (the
                      programs and the configuration database).
.man                  Choose to install the MetaFrame manual pages.

Important On the AIX platform, you can install software in the applied state (the
new software is applied, but the previous version is backed-up) or you can
commit the changes (the new software is applied, and the previous version is
removed). Therefore, if you want to remove Feature Release 1 easily in future, set
COMMIT software updates? to no.

13. Choose OK. The Install and Update Software by Package Name (includes
devices and printers) dialog is displayed.
14. Choose OK to begin the installation.
15. At the prompt, choose OK to continue installing Feature Release 1. When
complete, check the Installation Summary to make sure that the installation
was successful.
16. To exit from smit, select Exit SMIT from the Exit menu.
Note Do not attempt to share or copy the Feature Release 1 for UNIX installation
files between servers. The configuration database cannot be duplicated or shared,
and you will experience problems if you attempt to do this.

Performing an Unattended Install on AIX


This section explains how to perform an unattended install of Feature Release 1
on an AIX platform. With an unattended install, you are not prompted for
information during the installation, so you can install Feature Release 1 quickly
and easily on multiple servers.
► To perform an unattended install of Feature Release 1
1. Log on as root at the server on which you want to install Feature Release 1.
2. Insert the Feature Release 1 CD-ROM into the CD-ROM drive, or change to
the directory where you downloaded the Feature Release 1 files from the
Citrix Web site.
3. To install the Feature Release 1 packages, at the command prompt, type:
installp -X -d/dev/cd0 Citrix.MetaFrame Citrix.xmld Citrix.ssl
where -d/dev/cd0 is the CD-ROM device, and -X ensures that there is
sufficient disk space to install the package.
Alternatively, list the particular filesets you want to install. For example, to
install MetaFrame man pages, at the command prompt, type:
installp -X -d/dev/cd0 Citrix.MetaFrame.man

What To Do After Installation


After you have installed Feature Release 1, you must add and activate the Feature
Release 1 license to enable some of the new features. Also, for some features to
take effect, MetaFrame server configuration is required.
Most fixes for known problems in version 1.1 of MetaFrame for UNIX Operating
Systems automatically take effect when you install Feature Release 1. However,
for some fixes to take effect, additional MetaFrame server configuration is
required.
For information about configuring the MetaFrame server for Feature Release 1,
see the following section.

What Configuration is Required for Feature Release 1?


This section describes how to configure your MetaFrame server to take advantage
of the new features and fixes in the Feature Release 1 upgrade. Topics include:
• Configuration required for the new features
• Configuration required for fixes to take effect
• Limitations on using greater color depth
• Multi-monitor display limitations

Configuration Required for New Features


Generally, after you install Feature Release 1 and activate the Feature Release 1
license, you must:
• Ensure that your ICA Client users are running Version 6.0, or later, ICA
  Clients. Without Version 6.0 ICA Clients, users will be unable to take
  advantage of some of the new features, including:
    - Greater ICA session size and color depth
    - Multi-monitor display
    - Greater bandwidth efficiency
    - HTTP browsing
    - SSL security
  The latest ICA Clients are available for download at:
  http://www.citrix.com/download/
• Ensure that Version 1.6 of the Citrix XML Service, or later, is installed on
  your MetaFrame for UNIX servers. Version 1.6 of the Citrix XML Service is
  available as an optional package that you can choose during the installation of
  Feature Release 1. If you do not use the latest version of the XML Service, the
  new features will not be available to users who connect to applications via
  NFuse.
  Note If you are installing the XML Service on a machine for the first time (in
  other words, the XML Service is not installed on the machine already),
  publishing is disabled by default. Therefore, before the XML Service will
  respond to NFuse or client HTTP browsing requests, you must enable
  publishing. For more information about enabling publishing, see “Enabling
  and Disabling Publishing” on page 216.

The following section describes in more detail what you and your users must do
for particular new features to work.

SSL-Secure Communication
For information about configuring and using SSL Relay to secure your
MetaFrame installation, see the Citrix SSL Relay for UNIX Administrator’s
Guide.

Greater ICA Session Size and Color Depth


For users to take advantage of greater ICA session size and color depth, users
must:
• Run Version 6.0 ICA Clients.
• Configure their ICA connection window properties to use greater session size
and color depth. If a user does not configure the window properties, default
properties are used instead—for information on the defaults, see the
appropriate Citrix ICA Client Administrator’s Guide.
For users that connect to applications via NFuse to take advantage of greater ICA
session color depth and session size, you must:
• Install Version 1.6 of the Citrix XML Service, or later, on your MetaFrame for
UNIX servers.
• Use the ctxnfusecfg tool to configure published applications that are accessed
via NFuse for greater session size and color depth.
• Ensure that your users run Version 6.0 ICA Clients. To do this, install Version
6.0 Clients on the Web server and instruct your users to click the Install
Client button on the NFuse Web page to automatically upgrade to Version 6.0
of the ICA Client.
Note If you have set up your NFuse Web page to use the Java Client, which is
downloaded in real-time (in other words, the client is not installed locally), users
do not need to upgrade the ICA Client.

For more information about installing and configuring the Citrix XML Service,
see “Using the Citrix XML Service” on page 197.

Note Increasing ICA session size and color depth increases demand upon
memory. For example, an ICA connection configured to run at a color depth of
256 colors and session size of 4096 x 4096 uses approximately 16Mb of memory
just for the ICA session (additional memory is required for the applications). An
ICA connection configured to run at the same session size but at a color depth of
24-bit True Color uses approximately 64Mb of memory. Consequently, as
memory consumption increases, it may not be possible to run as many concurrent
sessions without increasing memory. Note that disconnected sessions also
consume memory.

Multi-Monitor Display
For users to take advantage of multi-monitor display:
• Users must be running Version 6.0 ICA Clients.
• The user’s hardware and operating system must support multi-monitor
display.
For information on multi-monitor display limitations, see “Multi-Monitor
Display Limitations” on page 86.

HTTP Browsing
For users to take advantage of HTTP browsing:
• You must install Version 1.6 of the Citrix XML Service, or later, on your
MetaFrame for UNIX servers.
• Users must be running Version 6.0 ICA Clients.
• Users select TCP/IP + HTTP from the Network Protocol drop-down menu in
the ICA Connection properties box.
Load Balancing
If you have a Citrix Load Balancing Services license, you can tune the
distribution of connections among a group of load balanced servers. For
information, see “Load Balancing Published Applications” on page 183.

Application Caching and Filtering on NFuse


In NFuse, application caching and filtering is user-based, by default. In the
unlikely event that you need to change this, Feature Release 1 also supports
application caching and filtering based upon groups and folders.
To take advantage of group or folder-based application caching and filtering, you
must:
• Install Version 1.6 of the Citrix XML Service, or later, on your MetaFrame for
UNIX servers.
• Publish applications on your MetaFrame servers for groups of users or within
folders. For more information about publishing applications by group or by
folder, see the NFuse Administrator’s Guide.
• Configure the XML Service to enable application filtering for user or
group-based filtering—see “Enabling and Disabling Application Filtering” on
page 213.

NIS+ Support on NFuse


For users that connect to applications via NFuse to take advantage of NIS+
support, you must:
• Install Version 1.6 of the Citrix XML Service, or later, on your MetaFrame for
UNIX servers.
• Configure each UNIX server that is to share common user account
information in your network to use NIS+.
Configuring User Authentication in NFuse
Before you can configure user authentication in NFuse, so that users benefit from
improved response time, you must:
• Install Version 1.6 of the Citrix XML Service, or later, on your MetaFrame for
UNIX servers.
• Use the ctxnfuseauth tool to control whether a user’s password is
authenticated when he or she logs on to NFuse.

Configuration Required for Fixes to Take Effect


After you install Feature Release 1, you may need to configure the MetaFrame
server for particular fixes to take effect. The following section explains how to:
• Configure your server to enable the left-hand keypad of SPARC keyboards.
Only do this if you are using the CDE window manager.
• Update the /opt/CTXSmf/slib/ctxXtw.sh file for the disappearing text cursor,
X cursor and screen refresh fixes to take effect. ctxXtw.sh is a script file that
runs when the X server starts; ctxXtw.sh includes X server configuration
settings.
If you do not require these fixes, you can disregard this section.

Fixing the Disappearing Text Cursor Problem


To fix the disappearing text cursor problem, include the -notransfills switch in
ctxXtw.sh. This switch turns off the transparent fills optimization setting that can
cause this problem with some clients and 256-color sessions.
• In ctxXtw.sh, find the line that begins with XTW_OPTS and add -notransfills.
For example:
XTW_OPTS="-session $CITRIX_SESSION_ID -terminate -notransfills -bs"

Enabling the Left-hand Keypad of SPARC Keyboards


If you are using the CDE window manager, you need to configure your
MetaFrame for UNIX server to enable the left-hand keypad of SPARC keyboards.
To do this, you include the Citrix bindings file, edit the xmbind.alias file, and edit
users’ login scripts, as follows:
► To enable the left-hand keypad of SPARC keyboards
1. Copy the Citrix bindings file, included on the Feature Release 1 CD-ROM or
in the download, to the /usr/dt/lib/bindings directory. The Citrix bindings file
contains keyboard mapping information.
2. Edit the /usr/dt/lib/bindings/xmbind.alias file. This file contains server and
bindings file mapping information. Include the following line in the list of
mappings:
"Citrix Systems Inc" citrix
3. To activate the Find key on the SPARC keypad, you must edit your users’
login scripts, as follows:
If you are using a C shell, add the command:
xmodmap -e "keysym F19 = SunFind" >& /dev/null
If you are using a Bourne shell, add the command:
xmodmap -e "keysym F19 = SunFind" 1>/dev/null 2>&1
Note For this fix to take effect, you must also ensure that your users are running
Version 6 (or later) ICA Clients.

Fixing the Disappearing X Cursor Problem


In applications, such as Sunguard Forex, that hide the X cursor and use their own
bitmap cursor, problems with the X cursor can occur over high-latency
connections. To fix the disappearing X cursor problem, include the
-notranscursor switch in ctxXtw.sh. This switch stops the application from
causing the X cursor to disappear.
• In ctxXtw.sh, find the line that begins with XTW_OPTS and add
-notranscursor. For example:
XTW_OPTS="-session $CITRIX_SESSION_ID -terminate -notranscursor -bs"

Fixing Screen Refresh Problems


If an application has a complex graphical interface, and you encounter screen
refresh problems, include the -frameexpose switch in ctxXtw.sh. This switch
forces the server to redraw the application from the server’s frame buffer. With
complex screen displays, this method is faster than allowing the application to
redraw itself.
• In ctxXtw.sh, find the line that begins with XTW_OPTS and add
-frameexpose. For example:
XTW_OPTS="-session $CITRIX_SESSION_ID -terminate -frameexpose -bs"
Cadence Applications
For Cadence applications, you must also include the -palette and
-noredrawpalette switches. This is because Cadence uses palette animation that
sends one palette change per second. Use the -palette switch to filter out these
unnecessary palette changes. Other palette changes will be sent to the client, but
only after a delay of 1500 milliseconds (1.5 seconds). The -noredrawpalette
switch reduces the communication between the server and the client, if the
application changes colors that are not currently visible in the session.
XTW_OPTS="-session $CITRIX_SESSION_ID -terminate -frameexpose -palette 1500 -noredrawpalette -bs"
If this setting does not improve performance sufficiently, use -palette 3500
instead:
XTW_OPTS="-session $CITRIX_SESSION_ID -terminate -frameexpose -palette 3500 -noredrawpalette -bs"

Note A possible side-effect of including the -palette switch is that the sending of
palette changes from server to client is delayed. This means that it can take longer
for objects to be displayed properly and, at first, objects may appear in unexpected
colors until the new palette is sent. For example, you may see this effect when a
splash screen is first displayed or when CDE first appears. This is normal.
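
The three fixes above (disappearing text cursor, disappearing X cursor, screen refresh) and the Cadence settings all edit the same XTW_OPTS line in ctxXtw.sh. The following added example, which is not part of the Citrix guide, makes that edit repeatable: it accepts only the switches this chapter documents, inserts each one once before -bs as in the guide's examples, replaces an existing -palette delay, and keeps a copy of the original file. The helper name add_xtw_switch and the .orig backup suffix are assumptions.

```shell
#!/bin/sh
# Added example (not from the Citrix guide): add an X server switch to the
# XTW_OPTS line of ctxXtw.sh exactly once, keeping a copy of the original.
# add_xtw_switch is a hypothetical helper name.

# usage: add_xtw_switch FILE SWITCH [VALUE]
#   add_xtw_switch /opt/CTXSmf/slib/ctxXtw.sh -frameexpose
#   add_xtw_switch /opt/CTXSmf/slib/ctxXtw.sh -palette 1500
add_xtw_switch() {
    file=$1
    sw=$2
    val=${3:-}

    # Accept only the switches this chapter documents.
    case $sw in
        -notransfills|-notranscursor|-frameexpose|-noredrawpalette)
            [ -z "$val" ] || { echo "$sw takes no value" >&2; return 2; }
            tok=$sw ;;
        -palette)
            case $val in
                ''|*[!0-9]*) echo "-palette needs a delay in milliseconds" >&2
                             return 2 ;;
            esac
            tok="$sw $val" ;;
        *) echo "unsupported switch: $sw" >&2; return 2 ;;
    esac

    # Exactly one XTW_OPTS="..." assignment is expected in the file.
    [ "$(grep -c '^XTW_OPTS="' "$file")" = 1 ] || {
        echo "expected exactly one XTW_OPTS line in $file" >&2; return 1; }
    line=$(grep '^XTW_OPTS="' "$file")

    if printf '%s\n' "$line" | grep -q -e "[ \"]$sw[ \"]"; then
        # Switch already present: only -palette may need its value replaced.
        [ "$sw" = -palette ] || return 0
        edit="s/ -palette [0-9][0-9]*/ -palette $val/"
    else
        case $line in
            # The guide's examples place new switches just before -bs.
            *' -bs"'*) edit="s/ -bs\"/ $tok -bs\"/" ;;
            # No -bs on the line: append before the closing quote.
            *)         edit="s/\"[[:space:]]*\$/ $tok\"/" ;;
        esac
    fi

    # Keep the first pristine copy, then rewrite the file's contents in place
    # so that the script's owner and mode stay as installed.
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    tmp=$file.tmp.$$
    sed "/^XTW_OPTS=\"/$edit" "$file" > "$tmp" &&
        cat "$tmp" > "$file" &&
        rm -f "$tmp"
}
```

Compare the edited file with its .orig copy before restarting sessions, so that the XTW_OPTS line is the only change.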

Color Depth Limitations


Applications Requiring Writable Palettes
Some X applications require writable palettes, known as PseudoColor visuals, for
color or image manipulation. However, Feature Release 1 only supports writable
palettes in ICA sessions using a color depth of 256 colors. Therefore, applications
requiring PseudoColor visuals will not work in ICA sessions using High Color
and True Color color depths. This is because High Color and True Color sessions
use TrueColor visuals, in which colors are predefined and cannot be changed.
If users connect to applications that require PseudoColor visuals, ensure that the
ICA connection uses a color depth of 256 colors. If a connection is made at a
higher color depth the application may display an error message. To check if an
application requires PseudoColor visuals, refer to the application’s
documentation, or test the application on the server console or in a published
desktop to ensure that it works.
In NFuse, to configure an application to use a color depth of 256 colors, use the
ctxnfusecfg tool with the -c 256 option—see “Configuring How An Application
is Displayed” on page 209 for more information.

Applications Requiring 16-bit High Color


Feature Release 1 supports 15-bit High Color connections, although some ICA
Clients refer to High Color as 16-bit in the Window Color property settings.
Some applications, such as WordPerfect, explicitly require a 16-bit display and
will therefore not run in a 15-bit High Color connection. Other applications that
require a 16-bit display may attempt to run in a 15-bit connection and fail,
causing screen corruption. If you require a high color resolution to run these
applications, use a True Color (24-bit) connection instead.

Multi-Monitor Display Limitations


The limitations of multi-monitor display depend upon whether users connect to
applications running in multi-monitor mode using seamless or remote desktop
windows.

Limitations Using Seamless Windows


If you use a seamless window, the primary monitor must be the left-most and top-
most monitor. If you attempt to use a seamless window in multi-monitor mode
with another configuration, the ICA session reverts to running a full-screen
window that spans the virtual desktop.
The color depth of an ICA session is limited by the lowest color depth in the
display. For example, on a dual-monitor system, if one graphics card is
configured to display 256 colors and the other graphics card is configured to
display 24-bit color, the ICA session color depth is limited to 256 colors,
regardless of which monitor the session is displayed on.
If you are using graphics card drivers that create a virtual desktop, ICA sessions
are maximized to fill the virtual desktop.
Pop-up message boxes, dialog boxes, and windows displayed by applications
running in a seamless window may appear centered relative to the center of the
entire desktop. When using graphics card drivers that create a virtual desktop,
these elements are centered relative to the center of the virtual desktop.

Limitations Using Remote Desktop Windows


If you use a remote desktop window, pop-up message boxes, dialog boxes, and
windows appear centered in the session window, regardless of how the ICA
session window is displayed across multiple monitors.

Removing Feature Release 1


The following describes the steps you need to perform if you want to remove
Feature Release 1 for MetaFrame.
On the AIX and HP-UX platforms, when you remove Feature Release 1, the
system automatically restores your previous MetaFrame installation. Note that on
the AIX platform, if the software is in the applied state, you can restore the
previous version. However, if you chose to commit the changes, you cannot
restore the previous version.
On the Solaris platform, during the installation of Feature Release 1, the system
asks “Do you want to save your current installation before you upgrade?”. If you
answered yes, your previous MetaFrame installation is backed-up. Therefore,
when you remove Feature Release 1, the system automatically restores the
previous installation from the back-up. However, if you answered no, and you
remove Feature Release 1, your previous installation is not restored, and you will
need to reinstall it.
► To remove Feature Release 1 on Solaris
1. Log on as a Citrix server administrator at the MetaFrame server.
2. Ensure that there are no active sessions and stop MetaFrame, using the
ctxshutdown command. See “Stopping MetaFrame” on page 55 for more
information.
3. Log on as root.
4. To remove all three packages, type:
pkgrm CTXSssl CTXSxml CTXSmf
Note Make sure you remove MetaFrame last, as the XML Service and SSL
Relay depend upon MetaFrame.

5. If during the installation of Feature Release 1 you chose to back up your
previous MetaFrame version, you are prompted to run the postremove script.
This script restores your previous MetaFrame installation. To run the
postremove script, type:
/tmp/CTXSmf.postremove
The postremove script may take a few minutes to complete.

► To remove Feature Release 1 on HP-UX


1. Log on as a Citrix server administrator at the MetaFrame server.
2. Ensure that there are no active sessions and stop MetaFrame, using the
ctxshutdown command. See “Stopping MetaFrame” on page 55 for more
information.
3. Log on as root.
4. At the command prompt, type:
swremove
5. The SD Remove dialog is displayed. Choose the packages you want to
remove—for example: ME112HP000, CTXSxml, CTXSssl and CTXSdocs.
6. From the Actions menu, choose Mark for Remove.
7. From the Actions menu, choose Remove (analysis) to display analysis
information prior to the installation. If any warnings are generated, display the
Logfile for further details.
8. Choose OK to remove Feature Release 1.

Tip To quickly remove the entire MetaFrame package, at the command
prompt, type: swremove ME112HP000 CTXSxml CTXSssl CTXSdocs

➢ To remove Feature Release 1 on AIX
1. Log on as a Citrix server administrator at the MetaFrame server.
2. Ensure that there are no active sessions and stop MetaFrame, using the
ctxshutdown command. See “Stopping MetaFrame” on page 55 for more
information.
3. Log on as root.
4. Type smit. The System Management Interface Tool dialog is displayed.
5. Choose Software Installation and Maintenance.
6. Choose Software Maintenance and Utilities.
7. Choose Remove Installed Software. The Remove Installed Software dialog
is displayed.
8. In SOFTWARE name, type Citrix.MetaFrame Citrix.xmld Citrix.ssl
Or, to remove a particular fileset, type in its name—for example
Citrix.MetaFrame.man.

Note If you want to remove the Citrix.MetaFrame.rte fileset, you must also
remove the Citrix.MetaFrame.boot and Citrix.MetaFrame.anon filesets
(assuming these filesets were added during installation of Feature Release 1).
If you do not, a ‘Dependency Failure’ occurs.

9. Set PREVIEW only? to no.


10. Choose OK.
11. At the prompt, choose OK to confirm you want to remove the software. When
complete, check the Installation Summary to make sure that the removal was
successful.

Note If the removal of Feature Release 1 fails it may be because you did not
stop the server—see Step 2.

12. To exit from smit, select Exit SMIT from the Exit menu.
Tip To quickly remove the Feature Release 1 packages, at the command
prompt, type: installp -u Citrix.MetaFrame Citrix.xmld Citrix.ssl

Reinstalling Feature Release 1


You may need to reinstall Feature Release 1 if:
• You (or another user) have accidentally deleted MetaFrame files, such as
binary files. If this happens, you need to reinstall Feature Release 1 but
preserve your configuration so that information such as licensing and
published application data is retained. To do this, simply follow the
instructions for installing Feature Release 1.
• The configuration database is corrupted. For example, you may experience
problems displaying or modifying settings such as Citrix licensing, or you
may see “Internal Error” messages. If you are in doubt about whether you
have a corrupt configuration database, contact Citrix support. You may need to
reinstall MetaFrame and overwrite your configuration files. To do this,
remove MetaFrame and then reinstall MetaFrame by following the
instructions in installing MetaFrame. You will need to reactivate your Citrix
licenses.
Note When you reinstall Feature Release 1 on the AIX platform, ensure you
set the OVERWRITE same or newer versions box in the Install and
Update Software by Package Name (includes devices and printers) dialog
to yes, or Feature Release 1 will not reinstall.
When you reinstall Feature Release 1 on the HP-UX platform, ensure you
select the Reinstall filesets even if same revision exists option in the Options
dialog (available from the Options/Change Options menu in swinstall) or
Feature Release 1 will not reinstall.
CHAPTER 4

Citrix Licensing

Overview
This chapter explains Citrix Licensing. Topics in this chapter include:
• An introduction to Citrix Licensing and why you need to activate licenses
• How to activate a Citrix License
• Installing an upgrade license
• Displaying information about licenses
• Adjusting the pooling of license user counts across servers
• Removing a Citrix License

What Is Citrix Licensing?


Citrix Licensing controls the number of ICA connections permitted on your
MetaFrame server and the features available on the server. To complete the
installation of MetaFrame, you need to activate your Citrix licenses to permit ICA
connections to the server and enable the software.
To further increase the user count or enable additional features on the server, you
can purchase and activate additional licenses.

License Types
There are two types of Citrix license:

Base licenses
    Every Citrix server comes with a base license. The base license enables
    the multiuser features of your Citrix server and can include a user count.
    If the base license is not present, ICA connections are not supported and
    server extension licenses cannot be added.

Server extension licenses
    Server extension licenses increase the user count (and are sometimes
    called “user licenses”) or enable additional functionality, such as load
    balancing. Upgrade licenses are a type of server extension license.

The Grace Period


Some licenses have a 35-day grace period after installation. During this period,
your MetaFrame software is fully functional and connections to the server work
normally. However, periodic reminder messages are generated to remind you to
activate the license within x number of days.
If the license is not activated by the end of the grace period, the MetaFrame
software is automatically reduced to single user mode, and only one ctxsrvr user
can log on to the server at a time.

About User Counts


Base licenses and user licenses have a user count. A server’s user count is the
number of ICA Client users who can have a session on that server simultaneously.

Pooling User Counts


Citrix user counts can be shared (pooled) by all servers on the same network
subnet. Each server contributes its installed user count to the master ICA
Browser.
For example, if Server A’s user count is 15 and Server B’s user count is 15, a total
of 30 is available for use by either server, so Server A can support up
to 20 users as long as Server B serves no more than 10. You can adjust how
licenses are pooled on a given server—see “Adjusting the Pooled User Count” on
page 98. MetaFrame servers that pool licenses must be on the same subnet.
By default, all user counts are pooled.

Note User counts are not pooled across ICA Gateways.

Client Device Licensing


Client device licensing allows users to start multiple sessions on the same server
or on different servers, while using only a single Citrix user count. All
connections must be from the same client device.
When a user starts a second session on the same Citrix server as the first session,
the new session does not consume a second user count.
When a user starts a second session on a different Citrix server, the new session
does not consume a second user count if all the following conditions are true:
• The first session consumed a pooled user count
• The user makes all connections from the same client device
• All servers are on the same subnet (using the same master ICA Browser)

Important Citrix servers exhaust all local (unpooled) user counts before
consuming pooled user counts. Therefore, a user assigned a local user count uses
a second user count when starting a second session on a different Citrix server.

Activating a License
There are three steps to activating a Citrix license:
1. Add the supplied serial number using ctxlicense. The serial number is the
25-character number that you will find:
• on the sticker on the back of the CD booklet, in version 1.1
• on the sealed inside flap of the CD pack, in Feature Release 1
• on a Web site, if you have been given a URL through an electronic
licensing program
When you add a serial number, MetaFrame generates a unique 35-character
license number, based on the serial number.
2. Get an activation code from Citrix for the license. This step uses the license
number generated in Step 1.
3. Activate the Citrix license using ctxlicense. You must provide the license
number and activation code from previous steps.
The following section describes these steps in detail.

Step 1—Adding the License Serial Number


To add a license, you need to supply the serial number from the packaging, or
from a Web site if you have been given a URL through an electronic licensing
program.
➢ To add a license serial number
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxlicense -add serial-number
Type the serial number exactly as it appears (it is case sensitive). A message
tells you that your Citrix license has been successfully added. MetaFrame
generates and displays a unique 35-character license number, based on the
serial number you entered.
3. Copy the license number to the clipboard, or make a note of it, because you
will need it later.
Note If you install a base license for an older version of MetaFrame, you will be
prompted for an upgrade license at this point.

Step 2—Getting an Activation Code


When you have added the license, you need to contact Citrix to get an activation
code. The activation code is a number that validates and enables the Citrix
license. The activation code is based on the license number generated when you
added the license (see Step 1).
➢ To get an activation code from the Citrix Web site
Go to the Citrix product activation Web site: http://www.citrix.com/activate/ and
follow the instructions on screen. You will need to supply the 35-character license
number generated in Step 1.

Step 3—Activating the License


When you have added the license and obtained an activation code from Citrix,
you are ready to activate the license. You need to supply both the license number
and activation code in this step.
➢ To activate a license
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxlicense -activate license-number activation-code
Paste in the license number from the clipboard, or type it in, and type in the
activation code supplied by Citrix. A message telling you that your Citrix license
has been successfully activated appears. The software is now ready for use.

Installing an Upgrade License


If you are upgrading your MetaFrame installation, you need to add and activate
the upgrade license after you install the upgrade software. For example, after
installing Feature Release 1, to enable some of the new features you must add and
activate the Feature Release 1 license.
Only when you have installed the base license of the previous version and
installed and activated the upgrade license is your MetaFrame server properly
licensed.
➢ To install and activate an upgrade license
1. Ensure your previous base license is installed—see “Displaying Information
About Licenses” on page 97 for details about how to check this. If the
previous base license is not installed, add it now. See “Step 1—Adding the
License Serial Number” on page 94 for information.
2. Install and activate the upgrade license—follow the three steps described in
“Activating a License” on page 94. When you activate the upgrade license, the
base license is automatically activated.
If you add a base license for an older version of MetaFrame, or you add an
upgrade license on its own (without a previous base license), MetaFrame displays
a warning message to prompt you for the missing license. However, you can
suppress these warning messages and add the licenses individually, using the
-noprompt option.
➢ To install licenses individually and activate an upgrade license
1. Log on to the MetaFrame server as a Citrix server administrator.
2. Add the base and upgrade licenses in any order using the -noprompt option.
At the command prompt, type:
ctxlicense -add -noprompt serial-number
3. Activate the upgrade license. See “Step 3—Activating the License” on
page 95 for further information.

Displaying Information About Licenses


You can use ctxlicense to display information about all the licenses present on the
Citrix server. A description of each license, the license number, user count and
pooled user count, and an indication of whether it is activated or not, is provided.
➢ To display license information
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxlicense -list

Note You can also display information about licenses on Citrix servers on the
network using the ctxqserver command—see the “Command Reference” on
page 223 for further information.

Adjusting the Pooled User Count


By default, all user licenses are pooled across Citrix servers. You can reserve
licenses for use only on a local Citrix server by lowering the number of pooled
licenses. Un-pooled local licenses are not available to other Citrix servers and
cannot be used for client device licensing.
To change the pooled user count you need to supply the 35-character license
number. See “Displaying Information About Licenses” on page 97 for details
about how to display license numbers.
➢ To change the pooled user count across Citrix servers
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxlicense -pool license-number pooled-count
The pooled count must be between zero and the total number of user counts
installed with this license number. Any remaining user counts become local to
this server only.

Note In a mixed server farm containing MetaFrame for UNIX Operating Systems
servers and MetaFrame XP servers, license pooling only works if the XP servers
are in mixed mode for interoperability—see the MetaFrame XP Administrator’s
Guide for more information.

Removing a License
You can use ctxlicense to remove a license from a Citrix server. You may want to
do this so that you can use the license on a different server.
To remove a license you need to supply the 35-character license number—see
“Displaying Information About Licenses” on page 97 for details about how to
display license numbers.
➢ To remove a Citrix license
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxlicense -remove license-number
3. Type yes to confirm the removal of the license.

Note If you remove a license and then use it on a different server, you need to get
a new activation code from Citrix—the old activation code will not work.

Removing an Upgrade License


You must remove an upgrade license first, before removing the base license. If
you remove an upgrade license, the server will no longer be properly licensed,
even if the base license is present.
CHAPTER 5

Publishing Applications and Desktops

Overview
This chapter describes how to provide access to applications for ICA Client users.
Topics in this chapter include:
• An introduction to application publishing
• Publishing applications, desktops, shell scripts, and UNIX command lines
• Publishing applications on UNIX servers of different architecture
• Publishing an application to accept parameters from the client
• Displaying the applications published on a server
• Maintaining published applications
• Configuring an initial program
• Deploying applications that require a 3-button mouse

About Published Applications


To an ICA Client user, a published application is an application that appears
similar to an application running locally on the client device.
Published applications:
• Give ICA Client users easy access to applications running on Citrix servers
• Increase your control over application deployment
• Shield users from the complexities of the UNIX environment hosting the ICA
session
The ctxappcfg command is the main tool for publishing applications. You can
publish any application that can run on the UNIX workstation or server on which
MetaFrame is installed.

Why Publish Applications?


The main reasons for publishing applications are the ease of user access, the
degree of administrative control, and the efficient use of resources.

Administrative Control
When you publish applications, you get greater administrative control over
application deployment.
• Enabling and Disabling Applications. You can disable published
applications without having to delete their configuration. This allows you to
temporarily stop users from connecting to published applications. A disabled
application can be quickly enabled at a later stage.
• Load Balancing. Application publishing, when used in conjunction with
Citrix Load Balancing Services, lets you direct ICA Client connection
requests to the least busy server in a group of servers configured to run an
application.
User Access
When you publish applications, user access to those applications is greatly
simplified in the following areas:
• Addressing. Instead of connecting to a Citrix server by its IP address or server
name, ICA Client users can connect to a specific application or desktop by
whatever name you give it. Connecting to applications by name eliminates the
need for users to remember which servers contain which applications. This
also allows administrators to change the server(s) on which applications are
deployed, without reconfiguring clients, and without users being aware of the
change.
• Navigation of the server desktop. Instead of requiring ICA Client users to
have knowledge of the UNIX desktop to find and start applications after
connecting to Citrix servers, published applications present the user with only
the desired application in an ICA session.
Efficient Use of Resources
ICA connections to server desktops can consume considerable resources because,
by default, CDE is loaded for each connection. For more efficient use of server
resources, use published applications rather than server desktops.

Publishing Applications for Explicit or Anonymous Use


When you publish an application, you have to tell MetaFrame if the application is
for anonymous or explicit use.

Publishing Applications for Explicit Use


An explicit user is a person who has his or her own user account.
If you publish an application for use by explicit users, when the users log on, they
supply their username and password. Explicit users have a “permanent”
existence—their desktop and security settings are retained between sessions and
their files persist from one session to another.

Publishing Applications for Anonymous Use


Publishing applications for anonymous use allows you to provide “guest” user
access to an application.
When a user starts an application published for anonymous use, no login box is
displayed and the user does not have to supply a username or password. Instead,
the server selects an available account from a pool of anonymous user accounts
and assigns this to the user.
A temporary home directory is also assigned to the user for use during the
session. Users do not have a persistent identity, and no information in the home
directory is retained when they log off. Any desktop settings, user-specific files,
or other resources created or configured by the user are discarded at the end of the
ICA session.
If the session is idle (in other words, if there is no user activity for a specified time
period), the session is terminated. Users are logged off after a broken connection
or timeout.
For information about how to change or maintain anonymous user accounts, see
“Configuring Anonymous Users” on page 162.

For information about setting up configuration files for applications published for
anonymous use, see “Publishing Pre-Configured Applications for Anonymous
Use” on page 121.

Note The total number of users, whether anonymous or explicit, who can be
logged on to the MetaFrame server at the same time depends upon your licensed
user count. See “Citrix Licensing” on page 91 for details.

Security Considerations
Take care when choosing applications to publish anonymously, as no username or
password is required to access these applications and therefore little meaningful
audit data can be obtained. We recommend that you do not publish applications
that will provide the user with a command shell, as the user may be able to access
and affect the system in the same way as an explicit user.
For example, on HP-UX, a user can change their shell or information from a login
shell. Such changes will persist even after the session is terminated—in other
words, if a change is made to an anonymous user account, the next user of this
account will pick up these changes. To prevent a user from changing their shell,
restrict /etc/shells so that it contains only the desired system shell.
If you need to publish applications for explicit use and applications for
anonymous use that may present the user with a command shell, you can partition
the applications onto separate MetaFrame servers and tune the server security so
that the server with anonymous applications is more tightly controlled than the
server with explicit applications. You may also need to change the permissions on
some command line tools (for example, passwd and chsh) so that members of the
ctxanon group cannot execute these tools.
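
The two hardening steps above can be checked with a script. This added example (not from the Citrix guide) lists entries in a shells file other than the one desired shell and flags tools that members of a group can still execute. The function names, the sample inputs and /bin/sh as the desired shell are assumptions; ctxanon, passwd and chsh come from the text.

```shell
#!/bin/sh
# Added example: audit a host that serves anonymous published applications.
# Function names and sample inputs are assumptions made for this example.

# Print every shell listed in a shells file ($1) other than the desired one ($2).
# Comments and blank lines are ignored.
extra_shells() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
        grep -Fvx -- "$2" || true
}

# Decide from an "ls -l" mode string ($1) and the file's group ($2) whether a
# member of group $3 can execute the file. Simplification: the member is not
# the file owner, and supplementary groups and ACLs are not considered.
group_can_exec() {
    if [ "$2" = "$3" ]; then
        bit=$(printf '%s' "$1" | cut -c7)    # group execute position
    else
        bit=$(printf '%s' "$1" | cut -c10)   # other execute position
    fi
    case $bit in
        x|s|t) return 0 ;;   # execute bit set (s/t: set-id or sticky plus execute)
        *)     return 1 ;;
    esac
}

# Report findings for shells file $1, desired shell $2, group $3 and the
# tool paths that follow. Returns 1 if anything was reported.
audit_anon_host() {
    shells_file=$1 desired=$2 group=$3
    shift 3
    rc=0
    for s in $(extra_shells "$shells_file" "$desired"); do
        echo "SHELLS $s is listed in $shells_file"
        rc=1
    done
    for tool in "$@"; do
        [ -e "$tool" ] || continue
        listing=$(ls -ld "$tool")
        mode=$(printf '%s\n' "$listing" | awk '{print $1}')
        fgroup=$(printf '%s\n' "$listing" | awk '{print $4}')
        if group_can_exec "$mode" "$fgroup" "$group"; then
            echo "EXEC $tool ($mode, group $fgroup) can be run by members of $group"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a shells file with two entries too many, and two
# constructed "ls -l" mode strings for a passwd-like tool.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' /bin/sh /bin/csh /usr/bin/ksh > "$tmp/shells"
    extra_shells "$tmp/shells" /bin/sh
    group_can_exec '-r-sr-xr-x' root ctxanon && echo "default mode: ctxanon can run it"
    group_can_exec '-r-sr--r-x' ctxanon ctxanon || echo "group ctxanon, g-x: blocked"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a MetaFrame server, call `audit_anon_host /etc/shells` with the desired shell, `ctxanon`, and the paths of passwd and chsh on that platform. The second constructed mode string shows one way to block the group: give the tool to group ctxanon and clear its group execute bit, so members fall into the group class and are refused.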

Configuring Published Applications


This section explains how to:
• Publish an application, shell script, desktop, or UNIX command line
• Publish an application on a UNIX server of different architecture
• Specify a working directory for published applications
• Publish an application to accept parameters from the client
• Display details about the applications published on a server
• Change the settings of a published application
• Enable and disable published applications
• Create a new published application from existing details
• Publish applications on multiple servers
• Restrict connections to published applications only
• Delete published applications

Publishing an Application, Shell Script, or Desktop


Publishing an Application
Use the ctxappcfg command to publish an application. The command prompts
you for the information required to publish the application.
Application installation is not part of the application publishing process. Before
an application can be published, both MetaFrame and the application must be
installed. The order in which you install the application and MetaFrame does not
matter. Once an application is installed, it can be published at any time.
➢ To publish an application
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxappcfg
You will see the following prompt:
App Config>
3. At the App Config prompt, type add. When you add a new application, the
program requests each item of information you need to supply:

At each prompt, type the following:

Name:
    The name you want to use for the published application. The user selects
    this name when setting up an ICA connection to this published
    application. The name does not need to be the same as the name of the
    executable file for a particular program.

Command line:
    The command line required to run the application or script file, for
    example: /usr/bin/diary.bin.

Working directory:
    The default working directory. This directory must exist. Leave blank to
    specify the user’s home directory. Note that ~/sub-dir is supported;
    ~otheruser is not.

Anonymous [yes|no]
    y if the application is for anonymous use only, or n if it is for use by
    users with explicit accounts only.

4. At the App Config prompt, type exit.


The published application is automatically enabled. You can now connect to the
server from an ICA Client and set up a connection to this published application.
You can change the configuration of a published application at any time—see
“Changing the Settings of a Published Application” on page 113 for more details.

Tip To publish an application for both explicit and anonymous use, publish it
under different names—once for explicit use, and once for anonymous use.

Publishing a Shell Script


You can also publish an application by writing a script file that sets up the
application environment and then executes the application. You then publish the
shell script file as a published application, using the ctxappcfg command. To
publish a script file, enter the name of the script file at the command line prompt.
Publish a shell script if you want to publish an application that requires a
particularly complex environment—for example, if you need to set particular
environment variables.

Publishing a Desktop
You publish a server desktop in the same way as you publish an application, using
the ctxappcfg command. However, to indicate you are publishing a desktop, you
leave the command line blank.

Note ICA connections to server desktops consume considerable server resources
because, by default, CDE is loaded for each connection. For more efficient use of
server resources, use published applications rather than server desktops.

Publishing a Java Application


You can publish Java applications on your MetaFrame server by writing a script
file that you publish using the ctxappcfg command. In the script file include any
environment variables required to set up the application environment, and the
commands to launch the Java application.

Publishing a UNIX Command-Line Application


You can publish applications that only require use of the command line. For
example, you may have a legacy application that you want to publish. You do this
using the ctxappcfg command. At the command prompt, type:
xterm -e "commands"
where commands is the set of commands required to launch the application.
Enclose the commands within double quotes. If the set of commands is complex,
include this in a script file and run the script file:
xterm -e script_file

Publishing an Application on a UNIX Server of Different Architecture
You can publish applications on UNIX servers that are of a different architecture
to your MetaFrame for UNIX server. For example, you can publish an application
on your MetaFrame for UNIX server, although the application exists and runs on
a Linux server.
To do this, you create a script file to run the application on the remote UNIX
server. Then you create a script file on the MetaFrame server to set up the
application environment and launch the application on the remote server. This
script uses the remote shell command to run the script on the remote server. The
script also uses the DISPLAY environment variable, which you set to
CITRIX_REMOTE_DISPLAY, to display back onto the MetaFrame server.
Finally, you publish the script on the MetaFrame server using the ctxappcfg
command.

Example
The following example shows how to publish an application on a MetaFrame for
UNIX server that runs on a Linux server. In this example, the MetaFrame server
is called ‘Buffy’, the Linux server is called ‘Mandix’ and the application is called
‘Diary’.

[Figure: The client makes an ICA connection to Diary on Buffy, the MetaFrame
for UNIX server, where ctxappcfg was used to publish a script that launches
Diary. Buffy launches Diary on Mandix, the Linux server that hosts Diary.
Result: the client runs Diary.]

➢ Step 1—Create a script file on Mandix
1. Install Diary on Mandix.
2. Create a script file on Mandix that will run Diary on Mandix. For example,
create a script file /usr/local/bin/rundiary.sh containing:
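#!/bin/sh
# First argument: the X display to draw on (passed in by the MetaFrame server)
DISPLAY=$1
shift
export DISPLAY
cd /export/home/apps/diary || exit 1
# Pass the remaining arguments on to Diary unchanged
/export/home/apps/diary/diary "$@"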
3. Make sure that the script file works, by testing locally on Mandix.

➢ Step 2—Create a script file on Buffy
1. Create a script file on Buffy that will set up the application environment and
launch rundiary.sh on Mandix. For example, create a script file
/export/home/apps/diary.sh containing:
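#!/bin/sh
DISPLAY=$CITRIX_REMOTE_DISPLAY
export DISPLAY
# allow everyone to access this display: "xhost +" turns off X access
# control for all hosts; "xhost +Mandix" would admit only that host
xhost +
# launch app on the machine "Mandix"
rsh Mandix "/usr/local/bin/rundiary.sh $DISPLAY ~/group.cal"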
Note On HP-UX, the remote shell command is remsh.

2. Make sure that the script file works on Buffy, by testing that it correctly
launches the application on Mandix, using a display on Buffy. ~/group.cal is
the parameter passed to the diary application on Mandix.
➢ Step 3—Publish the application on Buffy
1. Create a script file on Buffy that uses the ctxappcfg command to publish
diary.sh. For example:
ctxappcfg <<EOF
add
MY_DIARY
/export/home/apps/diary.sh
~/data
n
exit
EOF
2. Test that the script file works by making an ICA connection to MY_DIARY.

Specifying a Working Directory for Published Applications


By default, when a user connects to a published application, the application starts
in the user’s home directory on the MetaFrame server. However, you can change
the directory in which the application runs by specifying a working directory on
the client.
To do this, you publish the application on the MetaFrame server in the usual way,
and configure the ICA Client to pass a working directory parameter to the server.

Example
The following example shows how to configure the published application
“Editor” to run in the working directory: /home/docs.
➢ Step 1—Publish Editor on the MetaFrame server
1. Install Editor on the MetaFrame server.
2. Publish Editor in the normal way using the ctxappcfg command—for more
information, see “Publishing an Application, Shell Script, or Desktop” on
page 105.
➢ Step 2—Configure the ICA Client
1. Create an ICA connection to the Editor application in Citrix Program
Neighborhood—for example, create an ICA connection and name it
“MyEditor”.
2. Locate the APPSRV.ini file and open it in an editor (such as Notepad).
3. In the APPSRV.ini file, find the name of the published application—this is the
name you gave the application in Citrix Program Neighborhood, contained
within square brackets. For example, find: [MyEditor].
4. In the lines relating to the published application, add a line for the working
directory (if such a line does not exist already). For example, for the Editor
application, add the line:
WorkDirectory=/home/docs

Publishing an Application to Accept Parameters From the Client
You can configure the MetaFrame server to accept published application
parameters passed by the ICA Client. This allows users to connect to a published
application and automatically launch a particular file. For example, if a user
regularly updates a particular document, you can publish the application that they
use to automatically open the document specified by the client machine.

To do this, you configure the ICA Client to pass parameters to the MetaFrame
server, and configure the MetaFrame server to accept and use the parameters
passed by the client.

Example
A user wants to regularly update their resume, which is stored in:
/home/docs/MyCV.doc, using the published application “Word”. The following shows how to
configure the published application to automatically open this file when the user
connects.
➢ Step 1—Publish Word on the MetaFrame server
1. Install Word on the MetaFrame server.
2. Publish Word using the ctxappcfg command. At the Command line prompt,
include “%*” where the parameters from the client are to be included. For
example:
/usr/bin/word.bin %*
➢ Step 2—Configure the ICA Client
1. Create an ICA connection to the Word application in Citrix Program
Neighborhood—for example, create an ICA connection and name it “MyCV”.
2. Locate the APPSRV.ini file and open it in an editor (such as Notepad).
3. In the APPSRV.ini file, find the name of the published application—this is the
name you gave the application in Citrix Program Neighborhood, contained
within square brackets. For example, find: [MyCV].
4. In the lines relating to the published application, find the line for the initial
program. For example:
InitialProgram=#"METAFRAMESERVER1"
5. Edit this line with the file name to be opened. For example:
InitialProgram=#”METAFRAMESERVER1” /home/docs/MyCV.doc
Notes
• If there is no “%*” in the command line on the server, parameters from the
client are ignored. If no parameters are passed by the client, or the syntax is
incorrect (for example, the quotes are missing), the server ignores the
parameters and “%*” has no effect.
• Because client parameters are interpreted by the shell, you can use wildcards,
environment variables, and so on.
• If you specify client parameters, seamless session sharing is switched off.
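
The audit below is an added example, not part of the Citrix guide: because the server hands client parameters to the shell wherever “%*” appears, it lists the published applications that accept them. It assumes you have saved the details that the ctxappcfg select command displays for each application to a text file; the function names and the sample records (Word and Diary use values from this guide, Viewer is constructed) are illustrative.

```shell
#!/bin/sh
# Added example: list published applications whose command line contains %*,
# that is, applications that pass ICA Client parameters to the shell.
# Input: records in the layout shown by ctxappcfg's "select" command, read
# from standard input (assumed to have been saved by the administrator), e.g.
#   audit_client_params < saved-details.txt
# Output: name, account type, state and command line, separated by tabs.

audit_client_params() {
    awk '
        # Print the finished record if its command line accepts %*.
        function flush_record() {
            if (name != "" && index(cmd, "%*") > 0) {
                who = (anon == "yes") ? "anonymous" : "explicit"
                # Applications are enabled unless the record says otherwise.
                state = (enabled == "no") ? "disabled" : "enabled"
                printf "%s\t%s\t%s\t%s\n", name, who, state, cmd
            }
            name = ""; cmd = ""; anon = ""; enabled = ""
        }
        { sub(/[ \t\r]+$/, "") }    # trim trailing blanks and carriage returns
        /^Name:/         { flush_record(); sub(/^Name:[ \t]*/, ""); name = $0; next }
        /^Command line:/ { sub(/^Command line:[ \t]*/, ""); cmd = $0; next }
        /^Anonymous/     { anon = $NF; next }
        /^Enabled/       { enabled = $NF; next }
        END              { flush_record() }
    '
}

# Constructed sample input: Word and Diary use values from this guide,
# Viewer is made up for the demonstration.
sample_records() {
    cat <<'EOF'
Name: Word
Command line: /usr/bin/word.bin %*
Working directory: /home/docs
Anonymous [yes|no]: no
Enabled [yes|no]: yes
Name: Diary
Command line: /usr/bin/diary.bin
Working directory: ~/tmp
Anonymous [yes|no]: yes
Enabled [yes|no]: yes
Name: Viewer
Command line: /usr/local/bin/viewer.sh %*
Working directory: ~/tmp
Anonymous [yes|no]: yes
Enabled [yes|no]: no
EOF
}

sample_records | audit_client_params
```

Applications reported as anonymous deserve the closest review, because no explicit account is needed to reach their command line.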

Displaying Details About Published Applications


To display details about the applications published on a server
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type ctxappcfg. This starts the program and displays
the following prompt:
App Config>
3. At the command prompt, type list. This displays the names of the applications
published on the server:
App Config> list
Name: Accounts
Name: Orders
Name: Diary
Applications that have been disabled have (disabled) displayed next to them.
4. To find out more details about a particular published application, use the select
command with the name, for example:
App Config> select Diary
This displays the details for the published application, for example:
Name: Diary
Command line: /usr/bin/diary.bin
Working directory: ~/tmp
Anonymous [yes|no]: yes
Enabled [yes|no]: yes
5. If you want to list information for a different application, type drop to
de-select the current application. You can then use the select command again
with the appropriate application name.
6. To exit from ctxappcfg, type exit.
Note You can also display information about published applications on the
network using the ctxqserver command—see the “Command Reference” on
page 223 for more information.

Changing the Settings of a Published Application


After you publish an application, you can change the configuration settings by
running the ctxappcfg utility again.
To change the details for a published application
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type ctxappcfg. This starts the program and displays
the following prompt:
App Config>
3. At the command prompt, type list to check the names of the applications
published on the server.
4. Select the published application you want to change, for example:
App Config> select Diary
5. This displays the details for the published application, for example:
Name: Diary
Command line: /usr/bin/diary.bin
Working directory: ~/tmp
Anonymous [yes|no]: yes
Enabled [yes|no]: yes
6. To change the configuration, use the set command with the following syntax:
set [cmd=[cmd_line], dir=[dir_name], anonymous=[yes|no], enabled=[yes|no]]

Option      Description
cmd         The command line required to run the application or script file, for
            example: /usr/bin/diary.bin.
dir         The default working directory. This directory must exist. Leave blank to
            specify the user’s home directory. Note that ~/sub-dir is supported;
            ~otheruser is not.
anonymous   Type y if the application is for anonymous use only, or n if it is for use
            by users with explicit accounts only.
enabled     Type n to disable an application—this stops users from connecting to
            the application without deleting its configuration. Type y to enable a
            previously disabled application.

7. When you are finished configuring the published application, type save to
save the changes.
8. To exit from ctxappcfg, type exit.

Enabling and Disabling Published Applications


You can disable a published application without having to delete its
configuration. This is useful when you want to temporarily stop users from
connecting to a published application—for example, to upgrade the application to
a newer version, or to apply patches. A disabled application can be quickly
enabled at a later stage.
When you disable a published application, the master browser is updated and
users are no longer able to see or connect to the disabled application.

Note When you publish an application, it is automatically enabled.

To enable or disable a published application
1. Use the ctxappcfg utility with the set command, as described previously
in “Changing the Settings of a Published Application” on page 113.
2. Set the enabled option to n to disable an application, or set it to y to enable a
previously disabled application.

Creating a New Published Application from Existing Details


After you publish an application, you can re-use the settings by copying the
details to a new name.
To copy details to create a new published application
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type ctxappcfg. This starts the program and displays
the following prompt:
App Config>
3. At the command prompt, type list to check the names of the applications
published on the server.
4. Select the published application that has the details you want to copy, for
example:
App Config> select Diary
5. This displays the details for the published application, for example:
Name: Diary
Command line: /usr/bin/diary.bin
Working directory: ~/tmp
Anonymous [yes|no]: yes
Enabled [yes|no]: yes
6. Type copy and the new name for the published application at the prompt. Type
drop.
7. Change the details for the new published application using the set command.

8. When you are finished configuring the published application, type save to
save the changes.
9. To exit from ctxappcfg, type exit.

Renaming a Published Application


After you publish an application, you can change the name by copying the
settings to a new name, then deleting the original.
To rename a published application
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type ctxappcfg. This starts the program and displays
the following prompt:
App Config>
3. At the command prompt, type list to check the names of the applications
published on the server.
4. Select the published application you want to rename, for example:
App Config> select Diary
5. This displays the details of the published application, for example:
Name: Diary
Command line: /usr/bin/diary.bin
Working directory: ~/tmp
Anonymous [yes|no]: yes
Enabled [yes|no]: yes
6. Type copy and the new name for the published application at the prompt. Type
drop.
7. To delete the original published application settings, select the original
application and use the delete command. See “Deleting a Published
Application” on page 117 for more details.

Publishing an Application on More than One Server


You may want to publish the same UNIX application or shell script on more than
one MetaFrame server. For example, you might publish an application on a
number of servers, and then use load balancing to balance the load among the
servers.
When you publish the same application on other servers, the location and
working directory do not have to be the same—the application can be run in
different locations, from different install directories. However, if the location and
working directory are kept the same, you can use a script file to publish the
application on other servers. You still need to install the application on each
server before running the script file.

Note If you are going to use Citrix Load Balancing Services to balance the user
load among servers, the name of the published application must be identical on
each server.

To publish an application on multiple servers


1. Install and publish the application on the first server.
2. Run ctxappcfg and type list to display the names of the applications published
on the server. Select the name of the application you want to publish and make
a note of the settings that ctxappcfg displays.
3. Create a script file using the ctxappcfg settings from the previous step. For
example, type:
#!/bin/sh
/opt/CTXSmf/sbin/ctxappcfg <<EOF
add
Diary
/usr/bin/diary.bin
/work/diary
n
exit
EOF
Note On the AIX platform, substitute /opt/CTXSmf/sbin/ctxappcfg with
/usr/lpp/CTXSmf/sbin/ctxappcfg.

4. Make sure that the script file is executable.


5. Install the application you want to publish on the other servers. Make sure that
you install it in the same location as on the first server.
6. Run the script file on each server.

Restricting Connections to Published Applications Only


You can restrict users so that they can connect only to published applications on a
MetaFrame server. Doing so prevents users from connecting to the server by
name, or to the server desktop.
To restrict connections to published applications only
1. Log on to the MetaFrame server as a Citrix server administrator.
2. Use the ctxcfg command to allow users to run only published applications:
ctxcfg -i PUBONLY

Note To restrict access on several servers, you must run ctxcfg -i PUBONLY at
each server.

Deleting a Published Application


Deleting a published application removes all published application configuration
information from the server. When you delete a published application, that
application is no longer available to ICA Client users under the published
application name (although it may be available as another published application
or from a Citrix server desktop session).

Tip To temporarily stop users from connecting to a published application, disable
the published application. Disabling a published application does not delete its
configuration, and it can be quickly enabled at a later stage. See “Enabling and
Disabling Published Applications” on page 114 for further information.

If you want to make the application available again, republish it under its old
name or with a new name.
To delete a published application
1. Run ctxappcfg. At the prompt, type list to display the names of the
applications published on the server.
2. Select the published application you want to delete, for example:
App Config> select Diary
3. Type delete.
4. Confirm the deletion by typing y.
5. Type exit.
Note If you have published an application on more than one server, to delete it
entirely from the server farm, you must delete its published application
configuration from each server.

Configuring an Initial Program


An initial program is an application that MetaFrame starts automatically when a
user logs on. Closing the initial program does not terminate the ICA session.
Initial programs:
• Can be set on the MetaFrame server by a Citrix server administrator.
• Can be set from an ICA Client device as part of the properties for a specific
ICA Client connection. If an initial program is configured on the server and
client, the initial program configured on the server is started when a user logs
on.
To configure an Initial Program on the MetaFrame server
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:
To                                                  Use the command
Configure the server so that if an initial          ctxcfg -i INHERIT
program is set on the client, it is used.
Configure the server to start the initial           ctxcfg -i prog=progname,wd=dir
program progname whenever a user connects.
List the current initial program details.           ctxcfg -i list

Deploying Applications that Require a 3-Button Mouse


You may need to use MetaFrame to deploy UNIX applications that are designed
for use with a 3-button mouse. However, many ICA Clients run on devices that
have only a 2-button mouse, 1-button mouse, or pointing device available.
To do this, you publish another version of the application for use by these ICA
Clients. This version of the application is published using a script file that
includes ctx3bmouse settings. The ctx3bmouse command lets users represent a
missing mouse button by combining an existing mouse button with a modifier
key. For example, a missing button might be simulated by clicking the left mouse
button and pressing the SHIFT key.
By running a script file that includes ctx3bmouse settings, you ensure the
application is run in a session with the appropriate mouse mappings.

Note Middle mouse button emulation is included in version 6.20, or later, of the
Win32 ICA Client. If users are connecting to the MetaFrame for UNIX server
using this client, disable any ctx3bmouse settings configured on the server.
Where you have a mixture of clients deployed, you may need to publish two
versions of the application, with and without ctx3bmouse.

The following explains how to publish applications with mouse mappings.

Publishing an Application With Mouse Mappings


There are three steps to publishing an application with mouse mappings:
1. Identify which mouse buttons are available and which are missing.
2. Decide which mouse button and modifier key will represent the missing
mouse button.
3. Publish the application using a script file that sets up the mouse mappings and
then executes the application.
Step 1—Identify the Mouse Buttons
To identify the mouse buttons on the different types of mouse:
• On a 3-button mouse there are left, middle, and right buttons
• On a 2-button mouse there are left and right buttons
• On a 1-button mouse there is a left button only
The left and right buttons on a 3-button mouse are mapped automatically to the
left and right buttons on a 2-button mouse. The left button on a 2-button or
3-button mouse is mapped automatically to the left button on a 1-button mouse.

For devices that have only a 1-button mouse (such as a Macintosh mouse) or a
pointing device, please refer to the appropriate client documentation for
information about emulating mouse buttons.

Step 2—Decide How to Emulate the Missing Mouse Button


You can emulate the right, middle, or left mouse buttons on a 3-button mouse,
using the ctx3bmouse command.
To emulate a missing mouse button
Decide which mouse button and modifier key combination will represent the
missing mouse button. To identify the number of the modifier key to use, run the
xmodmap command to display a list of modifier keys for the system. xmodmap
is located in:
/usr/openwin/bin/xmodmap
/usr/bin/X11/xmodmap
In the following example, the first modifier key is SHIFT, the second is CAPS
LOCK, and so on.

Step 3—Publish the Application With Mouse Mappings


When you have identified how to represent the missing mouse button, you
publish the application using a script file that sets up the mouse mappings and
then executes the application.
To publish an application that includes mouse mappings
1. Create a script file that maps the missing mouse button using ctx3bmouse and
then executes the application. Use the ctx3bmouse command with the
following syntax:
ctx3bmouse missing-button=mouse-button,number-of-modifier-key

For example, to execute an application with mouse mappings that emulate the
missing middle button of a 2-button mouse, using the SHIFT key and the left
mouse button:
#!/bin/sh
ctx3bmouse middle=left,1
/usr/bin/2bmouse_diary.bin
2. Save the script file, for example as:
/usr/bin/2bmouse_diary.sh
3. Publish the script file:
Name: 2bmouse_Diary
Command line: /usr/bin/2bmouse_diary.sh
Working directory: ~/tmp
Anonymous [yes|no]: yes
For further information about publishing applications and script files, see
“Publishing an Application, Shell Script, or Desktop” on page 105.

Important You need to tell your users the mouse mappings set in the script file.

Publishing Pre-Configured Applications for Anonymous Use
When a user logs on to use an application that you have published for anonymous
use, MetaFrame assigns the user an empty home directory. MetaFrame deletes
any files that the user creates in this directory when the user logs off.
Some applications use configuration files that initialize settings when the
application starts. For example, an application such as a Web browser may use
proxy settings, file paths, and font and display settings. In normal use, a user
configures these settings once. If the configuration files are not available, the
application starts in its default configuration.
You can set up configuration files for applications that you publish for
anonymous use. You create these in a special template directory called
/usr/anon/anontmpl. MetaFrame copies all files in the template directory to the
assigned home directory when a user logs on.
To create configuration files for an application
1. Create a user (for example, called “anontmpl”) with home directory set to
/usr/anon/anontmpl. Use this user account only to pre-configure applications
for anonymous use.
2. Log on to the server as this user and run the application you want to configure.

3. Configure the application so that it mirrors the settings you want to provide
when an anonymous user logs on. For example, for a Web browser application
such as Netscape, you may want to set proxy server settings or clear the cache.
4. Exit the application.
5. Start the application again and make sure that the application works as
required. If not, adjust the process and repeat until you are sure that the correct
configuration is in use when the application starts.
6. Using grep or a text editor, search for occurrences of the user name or folder
name (in this example, “anontmpl”) in each of the files in /usr/anon/anontmpl.
7. Make the template directory readable by everyone using:
chmod -R a+rX /usr/anon/anontmpl
8. Log on as a Citrix server administrator.
9. Edit the script file ctxanoninit.sh. This file is installed in the following
directory:
/opt/CTXSmf/lib
/usr/lpp/CTXSmf/lib
10. For each file containing occurrences of “anontmpl” in the files in
/usr/anon/anontmpl, add lines to the end of ctxanoninit.sh that use the sed
command to substitute the user name and home directory.
For example, a Netscape preferences file contains references to the home
directory, so add the following lines to the end of ctxanoninit.sh:
sed -e "s,anontmpl,$USER,g" "$ANON_TMPL_DIR/.netscape/preferences.js" > newprefs.js
rm .netscape/preferences.js
mv newprefs.js .netscape/preferences.js
# add commands here to set the correct file permissions.

Note Use the environment variable $USER, which is set automatically by
/bin/sh, to determine the name to substitute.

11. Publish the application for anonymous use. Make sure that the application
works by launching a session from an ICA Client, repeating the above steps as
necessary.
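
Steps 6 and 10 above, combined into one helper, as an added example that is not part of the Citrix guide or of ctxanoninit.sh as shipped: it rewrites every template file that mentions the template user name and refuses user names that would break the sed expression. The function name, the owner-only file permission, and calling it from the end of ctxanoninit.sh with the home directory as the current directory are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with MetaFrame): apply the
# guide's sed substitution to every template file that mentions the template
# user, instead of adding one sed stanza per file to ctxanoninit.sh.
#
# personalize_anon_home TEMPLATE_DIR HOME_DIR USER [TEMPLATE_NAME]
# Prints the relative path of each file it rewrote.
personalize_anon_home() {
    tmpl_dir=${1%/}
    home_dir=${2%/}
    user=$3
    tmpl_name=${4:-anontmpl}

    # $user is spliced into a sed expression: allow only characters that
    # cannot act as the "," delimiter or as sed replacement metacharacters.
    case $user in
        ''|*[!A-Za-z0-9_.-]*)
            echo "personalize_anon_home: unsafe user name" >&2
            return 1 ;;
    esac
    if [ ! -d "$tmpl_dir" ] || [ ! -d "$home_dir" ]; then
        echo "personalize_anon_home: missing directory" >&2
        return 1
    fi

    # grep -l lists the template files that contain the name (step 6); each
    # one is rewritten into the same relative place under HOME_DIR (step 10).
    find "$tmpl_dir" -type f -exec grep -l -e "$tmpl_name" {} + |
    while IFS= read -r src; do
        rel=${src#"$tmpl_dir"/}
        dst=$home_dir/$rel
        tmp=$dst.new.$$
        mkdir -p "$(dirname "$dst")" || exit 1
        if sed -e "s,$tmpl_name,$user,g" "$src" > "$tmp"; then
            chmod 600 "$tmp"    # assumption: owner-only access is wanted
            mv -f "$tmp" "$dst"
            printf '%s\n' "$rel"
        else
            rm -f "$tmp"
            exit 1
        fi
    done
}

# The guide's own lines in ctxanoninit.sh use $ANON_TMPL_DIR, $USER and paths
# relative to the current directory, so there the call would be as follows.
# Outside that script ANON_TMPL_DIR is unset and nothing happens.
if [ -n "${ANON_TMPL_DIR:-}" ]; then
    personalize_anon_home "$ANON_TMPL_DIR" . "$USER"
fi
```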

CHAPTER 6

Managing Servers, Users, and Sessions

Overview
This chapter describes how to manage the users, sessions, and processes on a
MetaFrame server. It includes how to:
• Display information about sessions and users
• Display information about the MetaFrame servers on the network
• Log off, disconnect, and reconnect sessions
• Reset sessions in case of error
• Shadow ICA sessions
• Send messages to users on your server
• Display available client printers and print files from the command line or from
applications
• Connect to a remote server from within an ICA session

Displaying Information About Users and Sessions


You can display information about ICA connections to the Citrix server, such as
user name, session name, session id, and state.
To display session details
Run the ctxqsession command:
ctxqsession

If you want information, by username, for all the current sessions, use the
ctxquser command.
To display session details, by username
Run the ctxquser command:
ctxquser

About the Display


The ctxqsession and ctxquser commands display:

Display      Description
SESSION      The session name.
USERNAME     The user name.
ID           The session id.
STATE        listen—indicates the session that is listening for new incoming
             connections.
             active—indicates an established, active connection.
             connq—indicates a brief session initialization phase that occurs
             before the login prompt appears, and during reconnect.
             init—a brief session initialization phase.
             conn—indicates a session that is being connected.
             disc—indicates a disconnected session.
             down—indicates a broken session.
             shadow—indicates that the user of this session is shadowing another.
             reset—indicates a session currently being reset.
TYPE         wdica—indicates that the ICA protocol is being used.
DEVICE       The name of the ICA Client device.
IDLE TIME    The length of time since there was user activity on this session.
LOGON TIME   The time the user logged onto the system.

Displaying Information About Servers on the Network


Use the ctxqserver (query server) command to display information about Citrix
servers on the subnet. You can display information such as server name and
network address, transport protocol, and the number of connections available.
To display information about all Citrix servers on the subnet
At the command prompt, type:
ctxqserver
To display information about a specific Citrix server
At the command prompt, type ctxqserver and specify the server name:
ctxqserver server-name

About the Display


The ctxqserver command displays:

Display           Description
Server            The server name.
Transport         The transport protocol; i.e. TCP/IP.
Conns             The current number of ICA connections on the server.
Free              The remaining number of connections the server is capable of
                  receiving.
Total             The current number of ICA connections plus the number of free
                  connections.
Network Address   The IP address of the server. An M next to the IP address indicates
                  that the server is the master browser.

Notes
• You can use ctxqserver to display information specific to Citrix servers (such
as ICA gateways and Citrix Licensing), or about published applications and
ICA Client sessions on the subnet. You can also use ctxqserver to send
requests to servers. For information about the other options available with
ctxqserver, see the “Command Reference” on page 223.
• If the MetaFrame server has more than one network interface card (NIC) and
you have configured it so that the ICA Browser listens on only one subnet,
ctxqserver only displays information about this one subnet. For more
information, see “If a MetaFrame Server Uses Multiple NICs” on page 181.

Ending a Session
To end a session, you can use commands that either log off or disconnect the
session.
• Disconnecting a session terminates the connection between the server and
client. However, the user is not logged off and all running programs remain
active, and the user can later reconnect to the disconnected session.
• Logging off a session terminates the connection and all running programs, and
the user cannot reconnect to the session.

Logging Off a Session


Use the ctxlogoff command to log off a session.
To log off from your own session
Type ctxlogoff.
To log off another user’s session
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type ctxqsession to display the current sessions at
this server.
3. From the results of ctxqsession, identify the session id or session name of the
connection session you want to forcibly log off.
4. At the command prompt:

To                                                  Use the command
Log off a session by specifying the session id      ctxlogoff id
Log off a session by specifying the session name    ctxlogoff name

Disconnecting a Session
Use the ctxdisconnect command to disconnect a session.
To disconnect your own session
Close the client or type ctxdisconnect at the command prompt.
To disconnect another user’s session
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type ctxqsession to display the current sessions at
this server.
3. From the results of ctxqsession, identify the session id or session name of the
session you want to disconnect.
4. At the command prompt:

To                                                      Use the command
Disconnect a session by specifying the session id       ctxdisconnect id
Disconnect a session by specifying the session name     ctxdisconnect name

If a user logs on to the server and there is a disconnected session on the server
belonging to him or her, the user is given a choice of whether to connect to the
disconnected session or start a new session.

Note You cannot disconnect an anonymous user session. This is because it is not
possible to reconnect to the session as the identity of the user is not known. If an
anonymous session is disconnected, MetaFrame logs off the session.

Connecting to a Disconnected Session


Use the ctxconnect command, from within an ICA session, to reconnect to a
disconnected session.
A user can connect to a previously disconnected session by logging on again with
the same username. Once logged on, if there are disconnected sessions on the
server, the user can reconnect to the disconnected session or start a new session.
A Citrix server administrator can connect to any user’s session. Other users can
connect only to their own sessions.

To connect to a disconnected session


1. At the command prompt, type ctxqsession. This displays the current sessions
at this server. A disconnected session shows disc in the State field.
2. From the results of the ctxqsession command, identify the session id
associated with the session to which you want to connect.
3. At the command prompt, from within an ICA session, type:
ctxconnect id
where id is the session id of the session to which you want to connect.
The server disconnects your current session and connects you to the selected
session.

Note Your connected session must be capable of supporting the video resolution
used by the disconnected session. If the session does not support the required
video resolution, the operation fails.

Resetting a Session
You can reset a session in the event of an error. However, the system will attempt
to terminate all processes running within that session. Resetting a session may
cause applications to close without saving data.
Use the ctxreset command to reset a session.
To reset a session
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type ctxqsession. This command displays the
current sessions at this server.
3. From the results of the ctxqsession command, identify the session name or
session id you want to reset.
4. At the command prompt:

To                                                  Use the command
Reset a session by specifying the session id        ctxreset id
Reset a session by specifying the session name      ctxreset name

Reconnecting to Load Balanced Sessions


Published applications allow users to run applications or access a desktop session
without knowing the name or address of a particular server. If the published
application is located on a single server, users can disconnect and reconnect to the
same session.
If the published application is configured to run on multiple servers, users must
be reconnected to the same server to reconnect to their session. The ICA Browser
can reconnect users to their previous session on the same server under certain
conditions.
For a user to reconnect to disconnected load balanced sessions:
• The user must disconnect gracefully from the server, for example, by using
ctxdisconnect.
• The user must reconnect from the same Citrix ICA Client device (using the
same client name).
Use ctxqsession to view a list that displays disconnected sessions—see
“Displaying Information About Users and Sessions” on page 124.

Note If users frequently disconnect and reconnect their sessions rather than
logging off, the number of sessions on a server farm may not be evenly
distributed because users are reconnected to their previous sessions on the same
servers.

Shadowing a User’s Session


You can monitor the actions of users, and interact with their sessions, using the
keyboard and mouse. This is called shadowing. The person who issues the
ctxshadow command is called the shadower, and the session being shadowed is
called the shadowed session.
Use the ctxshadow command to shadow another user’s session:
ctxshadow {id|name} [-v] [-h[[a][c][s]+]x]

Important Only ICA sessions can be shadowed or used to shadow ICA sessions.
The MetaFrame server console cannot be shadowed or used to shadow ICA
sessions.

The ctxshadow command is a user command, rather than a system administration
command. Therefore, any user can shadow any other session, provided the
shadowed user approves the shadowing, and MetaFrame security permits the user
to shadow. Disabling shadowing notification means that a user may be unaware
that shadowing is occurring. See “Enabling or Disabling Shadowing” on
page 146 for more information.

Note The following procedure assumes that you will use the CTRL key and *
(asterisk) key combination to end shadowing. If you cannot use this hotkey
combination, or you want to use an alternative combination to end shadowing,
see “Ending Shadowing” on page 132.

To start shadowing a session


1. Log on to an ICA session.
2. At the command prompt, type ctxqsession. This command displays the
current sessions at this server.
3. From the results of the ctxqsession command, identify the session name or
session id of the user’s session that you want to shadow.
4. At the command prompt, type ctxshadow. You must specify either a session id
or session name. Use the -v (verbose) argument to display more information
during the shadow session initiation, for example:
ctxshadow tcp#5 -v
The user is notified of the pending shadowing, and is given the opportunity to
allow or deny the shadowing (unless notification has been disabled for shadowing
using ctxcfg—see “Enabling or Disabling Shadowing” on page 146 for details).
If the user does not respond to the notification message, the shadow request times
out and is terminated.

About Shadowing and the Clipboard


The user of the shadowed session can use the clipboard to copy and paste
between the client session and applications running locally. As shadower, you
cannot access the contents of the shadowed session’s clipboard—information in
the clipboard belongs to the shadowed session. However, if you copy information
to the clipboard while shadowing, this information is available to the shadowed
session for pasting.

Ending Shadowing
By default, you can end shadowing using the CTRL and * (asterisk) hotkey
combination.
To end the shadowing session
Press the CTRL key and the * (asterisk) key of your keyboard’s numeric keypad.

Configuring a Different Hotkey to End Shadowing


If you cannot use the default hotkey combination from the ICA Client device you
are using, or you prefer to use an alternative, you can configure your own
combination. You do this using the ctxshadow command.
The hotkey you configure applies only to the current shadowed session and
therefore needs to be set up each time you shadow a session.
To configure a different hotkey to end shadowing
1. Log on to an ICA session.
2. At the command prompt, type ctxqsession. This command displays the
current sessions at this server.
3. From the results of the ctxqsession command, identify the session name or
session id of the user’s session that you want to shadow.
4. At the command prompt, type:
ctxshadow {id|name} [-h [[a][c][s]+]x]
where [a][c][s] and x is the hotkey combination you want to use to end
shadowing—choose this combination from:

[a][c][s]   a = ALT; c = CTRL; s = SHIFT
            (Note: you can use any combination of a, c and s, including all or none.)
x           Choose from the alphanumeric characters: a to z (or A to Z) and 0 to 9.

Example
To begin shadowing, and to specify a hotkey combination of ALT and q to stop
shadowing the session, type:
ctxshadow tcp#5 -h a+q

Note The hotkey combination is not case sensitive. In the above example,
you could therefore choose ALT + Q or ALT + q to stop shadowing.

Sending Messages to Users


You can send a message to users using the ctxmsg command. A message can be
sent to a particular session, or to all sessions.
To send a message to a particular session
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type ctxquser. This command displays the current
sessions at this server.
3. From the results of ctxquser, note the session name or session id of the
user and session you want to send a message to.
4. At the command prompt:

To: Send a message by specifying a session id.
Use the command: ctxmsg id message

To: Send a message by specifying the session name.
Use the command: ctxmsg name message

To: Send a message that includes a timeout period, in seconds. The message is displayed on the user’s screen until it times out or the user dismisses it.
Use the command: ctxmsg {id|name} message timeout

To: Send a message that will suspend your terminal window, until the message times out or is dismissed by the user. In other words, you get your command prompt back only when the user responds or the message times out.
Use the command: ctxmsg -w {id|name} message timeout

To send a message to all sessions


1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxmsg -a message

Note If a message includes spaces or any other characters that have a special
meaning in your UNIX shell, enclose all the text in double quotes.

Examples
ctxmsg tcp#5 "Contact System Admin"
ctxmsg 11 Hello
ctxmsg 5 "Fancy lunch?" 30
ctxmsg -a "Get out, the building is on fire"
Tip To inform users that the server is about to shut down, use the message option
with the ctxshutdown command. See “Stopping MetaFrame” on page 55.

Printing
This section describes the information your ICA Clients need to know when they
want to print. It explains how users can list available client printers and print files
from the command line or from applications.
In the UNIX environment, the application performs the print rendering. The print
driver is specified inside the application or, in the case of a desktop utility, raw,
unformatted text is generated.

Displaying Client Printers or Printer Ports


When an ICA Client connects to a MetaFrame server, client printers are mapped
and are available from the desktop command line and from applications running
in the session.
From an ICA Client session, users can list the mapped client printers, or available
printer ports, using the ctxprinters command.
To display mapped client printers
At the command prompt, type:
ctxprinters
A list of printers configured on the client and mapped for use from the ICA
session is displayed.

(default) is displayed after the printer that is the default. The following
information is shown for each printer:
• Printer name or printer port (for example, lpt1). This can be used in the ctxlpr
  -P command to specify a printer other than the default.
• Printer driver name. This is for information only.
• Printer connection description. This is for information only.

Printing From the Command Line


Within an ICA session, users can print a file from the command line by using
ctxlpr, instead of lpr or lp. If no files are specified, the ctxlpr command takes its
input from standard input (stdin).
To print a file from an ICA Client session
1. At the command prompt, type ctxprinters.
2. From the results of ctxprinters, identify the printer or printer port that you
want to use. To print to a printer other than the default, note the printer
name; the printer name is the first item in the ctxprinters listing.
3. At the command prompt:

To: Print the file named filename to the default printer.
Use the command: ctxlpr filename

To: Print a series of files to the default printer. Each file is treated as a separate print job.
Use the command: ctxlpr filename filename

To: Print a file to a printer (or printer port) other than the default. This is the printer name or printer port shown in the first column of the output from ctxprinters.
Use the command: ctxlpr -P [Printername | Printerport] filename

To: Print a file in the background.
Use the command: ctxlpr -b filename

To: Print a file only if the printer is not in use. Use this option to stop an application waiting while other printer jobs are handled. If the printer is in use, an error message is displayed.
Use the command: ctxlpr -n filename

Examples
To send the file mydoc.ps to the printer \\PRINTSRVR\Sales_HP4000, use the
following command:
ctxlpr -P '\\PRINTSRVR\Sales_HP4000' mydoc.ps

Note In some UNIX shells, ‘\’ has a special meaning so you may need to
substitute ‘\\’ for ‘\’. For example:
ctxlpr -P "\\\\PRINTSRVR\\Sales_HP4000" mydoc.ps

If you are using a client that uses direct printer port mapping:
ctxlpr -P lpt2 mydoc.ps

Printing From Applications


The exact configuration of how to set up printing from applications depends on
the behavior and user interface of the UNIX application.
If the user interface for an application allows you to specify the actual printer
command to use when printing, you can configure client printing by replacing the
lpr or lp command with the ctxlpr command.
When a user connects to the server and prints from the application in a session,
the server redirects the output to the mapped client printer.
Often, in this type of application, you can also specify the command line
modifiers on a different line. You can use the same switches for ctxlpr as when
printing from the command line. For example, -P with a printer name (or printer
port) to print to a printer other than the default; -b for background printing, and so
on.

Tip If the user interface of an application does not allow you to specify the actual
printer command to use when printing, find out whether the application (or
window manager) uses a configuration file where you can replace the lpr
command functionality with ctxlpr.

Troubleshooting Printing
Because UNIX applications generally produce only UNIX ASCII text or
PostScript output, PCL (Printer Control Language) printers are not suitable.
Therefore, ensure your client printers support PostScript. If you do not have a
PostScript printer, install a utility such as Ghostscript to convert PostScript files
to a different output format, such as PCL.
If text does not print out correctly, this may be due to carriage return / line feed
differences between UNIX and DOS text files. To print a UNIX text file to a
Windows printer, use a utility such as unix2dos. For example, to print out a
UNIX text file called “printfile” type:
unix2dos printfile | ctxlpr
ux2dos printfile | ctxlpr
Alternatively, use Perl instead. For example, type:
perl -pe 's/\n$/\r\n/' printfile | ctxlpr
Or, create a script file called “unix2dos” that includes the following:
#!/bin/sh
perl -pe 's/\n$/\r\n/' "$@"
Make the script file executable using chmod a+rx unix2dos. You can now use
the script file just like the unix2dos utility.

Connecting to a Remote Server from an ICA Session


This section explains how to establish a connection to a remote server from
within an ICA session.
When you establish a remote session, you must set the $DISPLAY environment
variable in the remote session to ensure that graphics, keystrokes and mouse
clicks are sent back to your ICA session. To simplify the setting of $DISPLAY,
use the $CITRIX_REMOTE_DISPLAY environment variable.

Example
The following example shows how to establish a connection to the remote server
“Emily” from within an ICA connection to the MetaFrame for UNIX server
“Bagpuss”, and how to correctly set the value of the $DISPLAY variable using
$CITRIX_REMOTE_DISPLAY.

To connect to the remote server Emily from an ICA session


1. Establish an ICA connection to Bagpuss.
2. Open a terminal window and display the value of the
$CITRIX_REMOTE_DISPLAY environment variable. At the command
prompt, type:
setenv | grep CITRIX_REMOTE
The system displays a value; for example: bagpuss:10.0
3. Make a note of the value of $CITRIX_REMOTE_DISPLAY.
4. Establish a remote login session to “Emily” using the rlogin command:
rlogin emily
5. Enter your login password.
6. Open a terminal window and set the value of the $DISPLAY environment
variable to the value of $CITRIX_REMOTE_DISPLAY. For example, if you
are using a C shell, type:
setenv DISPLAY bagpuss:10.0

CHAPTER 7

Configuring a MetaFrame Server

Overview
This chapter describes how to configure the MetaFrame server to provide the
required resource access and session behavior for the ICA Client users of your
network. Topics in this chapter include:
• Configuring the server
• Screensaver recommendations
• Customizing the appearance of MetaFrame

Configuring the Server


You can configure your server in different ways to control access to services for
users connecting to the server. The combination of settings you use depends on
how you intend to use your Citrix servers. From the server, you can configure
settings that include:
• The number of ICA sessions you want to allow at this server.
• What happens to a session if the connection is broken or times out.
• Whether to allow local printer mapping. If you enable printer mapping from
  the server, ICA Client users can configure and use their local printer to print
  from applications that are actually running on the server.
• Whether to allow local clipboard mapping. If you enable clipboard mapping
  from the server, ICA Client users can copy and paste text between applications
  running on the client device and the remote applications running on the server.
• Whether to allow shadowing.
• The maximum permitted session duration, and how long to leave idle or
  disconnected sessions before timing out.
• Whether to allow users to log on without a home directory.
• Mouse-click feedback.

Note User access to MetaFrame commands and sessions is controlled by the
MetaFrame ctxsecurity function. See “Configuring MetaFrame Security” on
page 167 for information.

Controlling Logon Settings


When ICA Client users connect to a MetaFrame server, the users need to supply a
username and password (unless they are accessing an application published for
anonymous use). Users can either type this information into the dialog box that
appears when they connect to the server or published application, or configure the
client so that their username and password are saved as part of the properties for a
particular connection.
You can also use the ctxcfg tool on the server to configure settings that give you
and ICA Client users flexibility and security when logging on.
To display the current logon settings
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -a list

This displays the current logon settings.

Note The list argument never displays passwords.

To change the logon settings

1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:

To: Configure the server so that if logon details are set on the client, they are used.
Use the command: ctxcfg -a INHERIT

To: Configure the server so that a user logging on is always prompted for a password, regardless of any password set in the server or the client.
Use the command: ctxcfg -a prompt=TRUE

To: Configure the server so that a user logging on is not prompted for a password.
Use the command: ctxcfg -a prompt=FALSE

To: Set a default user name for all users who log on to the server. For example, you can use this to set up a guest user account.
Use the command: ctxcfg -a user=name

To: Set a password for all users who log on to the server. Type pass as a keyword; ctxcfg then displays a prompt where you can type in the password. Note that if you have not set up a user name, this setting is ignored.
Use the command: ctxcfg -a pass

To: Erase any user name and password details that have been set (using the user and pass options) and configure the server to use logon details set on the client.
Use the command: ctxcfg -a ERASE

Setting the Number of Permitted ICA Connections


You can specify a maximum number of concurrent ICA connections that a
particular server will support.
To check the current number of permitted connections
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -l list
This command displays the number of logons permitted, or displays
UNLIMITED if no limit is set.
To change the number of permitted connections
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:

To set: A maximum, where n is the number of concurrent connections you want to allow
Use the command: ctxcfg -l max=n

To set: No limit to the number of concurrent sessions you want to allow
Use the command: ctxcfg -l max=UNLIMITED

Note The number of ICA connections that a server can support is also affected by
Citrix Licensing—see “Citrix Licensing” on page 91 for more information.

Controlling Behavior for Disconnected or Broken Connections


A broken connection occurs when the communication link between the ICA
Client and the MetaFrame server is interrupted—for example, as the result of a
network failure.
Use the ctxcfg tool with the -c option to control the behavior for broken or
timed-out connections, and to specify reconnection options.
To display the current configuration for broken and timed-out connections
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -c list

To configure the settings for disconnected and broken connections

1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:

To configure the server so that: Broken connections are immediately reset
Use the command: ctxcfg -c broken=reset

To configure the server so that: Broken connections are disconnected
Use the command: ctxcfg -c broken=disconnect

To configure the server so that: A user can connect to a disconnected session from any client device
Use the command: ctxcfg -c reconnect=any

To configure the server so that: A user can only connect to a disconnected session from the original terminal
Use the command: ctxcfg -c reconnect=original

You can configure the system so that disconnected sessions are reset
automatically after a timeout interval or continue until a user (or a Citrix server
administrator) resets the session. See “Controlling Timeout Behavior” on
page 148 for details of how to set a timeout interval for disconnected sessions.

Enabling or Disabling Printing for Users


Client printer mapping allows ICA Client users to use printers that are available
on the client device from applications running on a MetaFrame server.
Use the ctxcfg tool with the -p switch to enable or disable client printer mapping.
To check if client printing is currently enabled or disabled
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -p list
To enable or disable client printing
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:

To: Enable client printing
Use the command: ctxcfg -p enable

To: Disable client printing
Use the command: ctxcfg -p disable

Enabling or Disabling Clipboard Mapping


Users can copy text and graphics between server-based applications and
applications running locally on the client device. Even if an application is running
on the server, the clipboard behaves as if it is on the client device.
Use the ctxcfg tool with the -C switch to enable or disable client clipboard
mapping.
To check if the client clipboard is currently enabled or disabled
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -C list

To enable or disable the client clipboard

1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:

To: Enable client clipboard mapping
Use the command: ctxcfg -C enable

To: Disable client clipboard mapping
Use the command: ctxcfg -C disable

Providing Additional Graphics Clipboard Support


MetaFrame provides users with the ctxgrab tool that lets them grab windows or
screen areas and copy them from an application in an ICA Client window to an
application running on the local client device.
By default, ctxgrab is available to users connecting to published applications
through the ctxwm window manager as follows:
• In a seamless window, right click the button in the top, left hand corner of
  the screen to display a menu and choose the Screen Grab option.
• In a “full screen” window, right click to display the ctxwm menu and choose
  the Screen Grab option.
Users connecting to a server desktop can run the tool by typing ctxgrab at the
command prompt.
If you have users who require more extensive graphics clipboard support, you can
deploy the ctxcapture tool. With ctxcapture users can:
• Grab dialogs or screen areas and copy them between an application in an ICA
  Client window and an application running on the local client device, including
  non-ICCCM-compliant applications.
• Copy graphics between the ICA Client and the X graphics manipulation utility
  xv. xv is a Shareware utility that is available for download from the Internet.

Providing Users with ctxcapture
You do not have to do anything to make ctxcapture available to users connecting
to a server desktop—it is available from the command prompt by typing
ctxcapture.
To make ctxcapture available to users who are connecting to published
applications, you make it available from the ctxwm window manager. To do this,
you edit the ctxwmgrab.sh script to make ctxcapture, rather than ctxgrab,
available.

To make ctxcapture available to users of published applications


1. Log on to the MetaFrame server as a Citrix server administrator.
2. Open the ctxwmgrab.sh script. This is located in the:
/opt/CTXSmf/lib directory
/usr/lpp/CTXSmf/lib directory
3. Find the following line:
exec /opt/CTXSmf/bin/ctxgrab
exec /usr/lpp/CTXSmf/bin/ctxgrab
4. Substitute ctxgrab with ctxcapture.

Enabling or Disabling Shadowing


Session shadowing allows you to monitor the display of another active session.
Shadowing allows you to see what users are doing and interact with their
sessions, using the keyboard and mouse. You can shadow active sessions on the
same server.
Use the ctxcfg tool with the -s switch to configure shadowing.

Note By default, any user can shadow any other session. To change this, use
MetaFrame security—see “Configuring MetaFrame Security” on page 167 for
further information.

To display the current shadowing settings for the server


1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -s list
The shadowing configuration for the current server is displayed, for example:

To change the shadowing settings for the server

1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:

To enable shadowing

So that sessions on the server can be shadowed. By default, input is set to on and notify to on.
Use the command: ctxcfg -s enable

To change the input and notify options

So that the shadower can input keyboard and mouse actions to the shadowed session.
Use the command: ctxcfg -s input=on

So that the shadower cannot input keyboard and mouse actions to the shadowed session.
Use the command: ctxcfg -s input=off

So that the shadowed user gets a notification message requesting confirmation that the shadowing can occur.
Use the command: ctxcfg -s notify=on

So that the shadowed user does not get a notification message.
Use the command: ctxcfg -s notify=off

To disable shadowing

So that sessions on the server cannot be shadowed.
Use the command: ctxcfg -s disable

Important Disabling shadowing notification means that users might be shadowed
by another user, but be unaware that they are being shadowed. Some countries
require by law that users be notified before shadowing occurs.

Example
You may want to set up shadowing to help you solve technical support issues. The
system administrator can show the user how to complete a task by shadowing the
user’s session. To allow shadowing with notification and to allow the shadower to
control the mouse and keyboard, use the command:
ctxcfg -s enable,input=on,notify=on
See “Shadowing a User’s Session” on page 130 for information about shadowing
sessions.

Controlling Timeout Behavior


You can use the ctxcfg tool with the -t switch to specify timeout intervals for
connected, disconnected, and idle ICA sessions.
These settings specify timeout intervals in minutes. The timeouts are:

Connection: The maximum connection duration. If a connection duration
is specified, the session is disconnected or terminated when
the specified duration elapses. If NONE is specified, the
connection timer is disabled.

Disconnection: The maximum duration that a disconnected session is
retained. If a disconnection duration is specified, sessions in
the disconnected state are terminated when the specified
duration elapses. If NONE is specified, the disconnection
timer is disabled.

Idle: The maximum idle time (time without user activity) allowed
before the session is disconnected or reset. If an idle duration
is specified, the session is disconnected or reset when the
specified interval elapses without any activity on the
connection. If NONE is specified, the idle timer is disabled.
To specify whether sessions are disconnected or reset, see
“Controlling Behavior for Disconnected or Broken
Connections” on page 143. To specify an idle timeout period
for anonymous users, see “Configuring Anonymous Users”
on page 162.

To display the current timeout intervals


1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -t list
The current timeout value for each setting is displayed. If a timeout interval is
configured, the value is shown in minutes. If no timeout interval is configured,
the keyword NONE shows that sessions will not be timed out.

To change the timeout intervals

1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:

To set: A connection timeout (in minutes). All connections are terminated after this period.
Use the command: ctxcfg -t connect=num

To set: No connection timeout. All sessions continue until the user disconnects or logs off.
Use the command: ctxcfg -t connect=NONE

To set: A disconnection timeout (in minutes). Disconnected sessions are reset after this period.
Use the command: ctxcfg -t disconnect=num

To set: No disconnection timeout. Disconnected sessions remain until reset by a user or a Citrix server administrator.
Use the command: ctxcfg -t disconnect=NONE

To set: An idle timeout (in minutes). If no user activity is detected during this time, the connection is terminated.
Use the command: ctxcfg -t idle=num

To set: No idle timeout. All sessions continue until the user disconnects or logs off.
Use the command: ctxcfg -t idle=NONE

Notes Only new sessions are affected by changes to the timeout intervals.
ctxcfg -t has no effect on anonymous users—to specify an idle timeout period for
anonymous users, see “Configuring Anonymous Users” on page 162.

Example
If you expect users to dial into the server, you may want to set the disconnect
timeout to a suitable setting in case of a broken connection. Users can reconnect
to their sessions during the timeout interval. To set the disconnection timeout to
15 minutes, type:
ctxcfg -t disconnect=15

Allowing Users to Log On Without a Home Directory


By default, users whose home directories are unavailable cannot log on to the
MetaFrame server. However, with Feature Release 1, you can configure the
MetaFrame server to allow users whose home directories are unavailable to log
on. For example, you might do this if your users’ home directories are mounted
on a network that is occasionally unreliable.
If you allow users whose home directories are unavailable to log on, all explicit
users (in other words, users who have their own user accounts) can log on,
regardless of whether their home directories are available or not. Anonymous
user accounts are not affected by these changes, as anonymous users are never
allowed to log on without a home directory.
A temporary home directory is allocated to users in: /tmp/CTXSmf_uid where
uid is a decimal number—for example: /tmp/CTXSmf_12345.
If a user logs on and his or her home directory is unavailable, the following
message is displayed: “Your home directory is unavailable. Logging you in with
temporary home directory: /tmp/CTXSmf_uid”.

Important You must make your ICA users aware that /tmp/CTXSmf_uid is
temporary and may be deleted at a later stage, and that any changes and additions
that users make in this directory must be applied to their normal home directory
when this becomes available.

In the unlikely event that there is a problem with the /tmp/CTXSmf_uid
directory, the temporary home directory defaults to: / (the root directory). Note
that some applications may not operate correctly when the home directory is /
because users do not have write permissions.
To allow users whose home directories are unavailable to log on
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -k lognohome=1
To prevent users from logging on without a home directory
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -k lognohome=0

Configuring Mouse-Click Feedback for High Latency Connections


With Feature Release 1, mouse-click feedback is enabled by default. With mouse-
click feedback, when a user clicks the mouse, the ICA Client software changes
the mouse pointer to an hourglass to show that the user’s input is being processed.
Typically, you do not need to configure mouse-click feedback—however, for high
latency connections you may want to adjust this to improve your users’
interaction with the system.
You can configure the thresholds in which mouse-click feedback operates, or you
can disable mouse-click feedback. To do this, you use the ctxcfg command with
the -m option:
ctxcfg -m [enable|disable] [lowerthreshold=num] [upperthreshold=num] [list]

About the Thresholds


Mouse-click feedback is controlled by upper and lower threshold values, which
are like switches that determine when mouse-click feedback is on or off. The
thresholds are the network delay between client and server (in other words, the
latency) that triggers the display of the hourglass symbol.
• Upper threshold: if the latency exceeds the upper threshold, the hourglass
  symbol is displayed.
• Lower threshold: if the latency falls below the lower threshold, the
  hourglass symbol is not displayed.
• Between the two thresholds: what happens between the upper and lower
  thresholds depends upon whether the latency is increasing or decreasing. If the
  latency was previously in the upper threshold but falls to between the two
  thresholds, the hourglass symbol is displayed until the latency drops below the
  lower threshold. If the latency was previously in the lower threshold but
  increases to between the two thresholds, the hourglass symbol is not displayed
  until the latency increases above the lower threshold. This controls the
  sensitivity of mouse-click feedback, and prevents the hourglass from
  flickering on and off as the latency fluctuates.
By default, the upper threshold is 500 milliseconds, and the lower threshold is
150 milliseconds. The following diagram illustrates what happens between the
default threshold values.
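
The threshold rule traced over sample latencies, as an added example that is not part of the original guide and is not Citrix code. The function name hourglass_trace, the assumed starting state (no hourglass) and the latency samples are constructed for illustration; the script models the rule only and does not call ctxcfg.

```shell
#!/bin/sh
# hourglass_trace LOWER UPPER LATENCY...
# Prints the hourglass state (on/off) after each latency sample (milliseconds).
# Rule modelled: above UPPER turns the hourglass on, below LOWER turns it off,
# and anything in between keeps the previous state.
hourglass_trace() {
    lower=$1
    upper=$2
    shift 2
    state=off                 # assumption: no hourglass before the first sample
    trace=
    for latency in "$@"; do
        if [ "$latency" -gt "$upper" ]; then
            state=on
        elif [ "$latency" -lt "$lower" ]; then
            state=off
        fi                    # between the thresholds: state is unchanged
        trace="$trace${trace:+ }$state"
    done
    echo "$trace"
}

# Constructed samples around the default thresholds (150 ms and 500 ms).
hourglass_trace 150 500 100 300 520 400 200 140 300
# prints: off off on on on off off

# Latency hovering around 300 ms. With a single switch point (lower = upper)
# the hourglass flickers; with the default pair it stays off.
hourglass_trace 300 300 280 320 290 310
# prints: off on off on
hourglass_trace 150 500 280 320 290 310
# prints: off off off off
```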

To change the mouse-click feedback thresholds


1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -m lowerthreshold=num,upperthreshold=num
where num is the threshold value in milliseconds.
To disable mouse-click feedback
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -m disable
To display current mouse-click feedback settings
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -m list
Information similar to the following is displayed:
Mouse click feedback: enabled
Lower threshold for mouse click feedback: 150
Upper threshold for mouse click feedback: 500

Generating and Using Server Configuration Details


You can generate a list of the current ctxcfg settings for a particular server. If you
send the output to a file, you can use the file in a shell script to replicate identical
configuration settings on other servers. You can also use a file as a temporary
backup of the current configuration, allowing you to experiment with other
settings, but easily restore your original settings, if desired.

Displaying a List of the Current Configuration


To display a list of the current ctxcfg settings
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxcfg -g
This generates a list of the current settings.

Creating a Shell Script of the Current Configuration


When you use the -g option with the ctxcfg command, the generated list contains
the commands and settings for the current configuration using the ctxcfg
command line syntax. You can redirect the output of this command to a file and
use the file as a shell script to restore (or set) this configuration.

Propagating Server Configuration to Multiple Servers


You can use the output from ctxcfg -g if you want to configure a number of
servers in the same way.
To propagate the same configuration from one server to another
1. Complete the configuration of the first server. Generate a list of the server
configuration using the ctxcfg command and the -g option, piping the output
of the command to a file. Note that ctxcfg -g does not generate the password,
so you need to enter this manually.
2. Log on to the next server as a Citrix server administrator and run the file as a
shell script.
Tip You can use the rsh (remote shell) command to propagate the shell script on a
remote server. On HP-UX, the remote shell command is remsh.
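
A saved configuration carries every setting to each server it is run on, so it is worth checking the file for session-weakening settings before replaying it. The script below is an added example, not part of the original guide or of MetaFrame: it assumes each line of ctxcfg -g output is a ctxcfg command in the syntax documented in this chapter, and the names audit_ctxcfg and sample_dump, the sample lines and the choice of which settings to flag are constructed for illustration.

```shell
#!/bin/sh
# Audit a saved `ctxcfg -g` dump before running it as a script on other servers.
# ASSUMPTION: every line of the dump is a ctxcfg command in the syntax this
# guide documents, for example "ctxcfg -s enable,input=on,notify=on".

# Constructed sample dump (written for this example, not captured from a server).
sample_dump() {
    cat <<'EOF'
ctxcfg -a prompt=FALSE
ctxcfg -l max=UNLIMITED
ctxcfg -p enable
ctxcfg -C enable
ctxcfg -s enable,input=on,notify=off
ctxcfg -t connect=NONE
ctxcfg -t disconnect=15
ctxcfg -t idle=NONE
ctxcfg -k lognohome=0
EOF
}

# audit_ctxcfg FILE
# Prints one finding per line. Later lines in the dump override earlier ones,
# as they would when the dump is run as a script. The body runs in a subshell
# (parentheses) so the IFS and globbing changes do not leak to the caller.
audit_ctxcfg() (
    prompt='' shadow='' notify=on idle='' disconnect=''
    set -f          # no filename expansion while splitting the settings
    IFS=,           # settings are comma-separated: enable,input=on,notify=on
    while IFS=' ' read -r cmd switch settings rest; do
        [ "$cmd" = "ctxcfg" ] || continue
        for s in $settings; do
            case "$switch:$s" in
                -a:prompt=*)     prompt=${s#prompt=} ;;
                -s:enable)       shadow=enable ;;
                -s:disable)      shadow=disable ;;
                -s:notify=*)     notify=${s#notify=} ;;
                -t:idle=*)       idle=${s#idle=} ;;
                -t:disconnect=*) disconnect=${s#disconnect=} ;;
            esac
        done
    done < "$1"

    case "$prompt" in
        FALSE|false)
            echo "LOGON: prompt=FALSE, users are not prompted for a password" ;;
    esac
    if [ "$shadow" = enable ] && [ "$notify" = off ]; then
        echo "SHADOW: notify=off, users are shadowed without a confirmation request"
    fi
    if [ "$idle" = NONE ]; then
        echo "TIMEOUT: idle=NONE, idle sessions are never disconnected or reset"
    fi
    if [ "$disconnect" = NONE ]; then
        echo "TIMEOUT: disconnect=NONE, disconnected sessions remain until reset by hand"
    fi
)

# Demonstration on the constructed sample. On a server you would instead run:
#   ctxcfg -g > saved.cfg
#   audit_ctxcfg saved.cfg
dump=$(mktemp)
sample_dump > "$dump"
audit_ctxcfg "$dump"
rm -f "$dump"
```

Review the findings against your own policy before running the saved file on another server; a setting flagged here may be intended on a particular server.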

Screensaver Setting Recommendations


ICA connections running graphical screensavers can consume considerable
server resources. Therefore, we recommend that screensavers are switched off.
In version 1.1 of MetaFrame for UNIX Operating Systems, screensavers are
switched on by default. However, if you upgrade to Feature Release 1,
screensavers are switched off by default.
To switch screensavers off
Run the xset command with the s option and off parameter:
xset s off
To ensure published applications are run in sessions with the appropriate
screensaver settings, we recommend you publish a script file that runs the
xset s off command, and then the application.

Note Although you can switch screensavers off by default, CDE may override
this setting. To switch the screensaver off in CDE, choose the Screen option in
the Style Manager and set Screen Blanker to off.

To switch screensavers on
Although it is best to switch screensavers off, if you prefer not to (for example,
for security reasons) you can use the X server “prefer blanking” screensaver
option. This causes the screen to go blank, rather than display a pattern, when the
screensaver is activated.
To switch screensavers on, run the xset command with the s option and blank
parameter:
xset s blank
For example, to make the screen go blank after 1 minute, use the commands:
xset s 60
xset s blank
To display the current screensaver setting
To display the current settings, run the xset command with the q option.
xset q

Customizing the Appearance of MetaFrame


This section explains how to change the appearance of the MetaFrame Login
screen and the window manager. Also explained is how to remove the X font
server from the font path, and how to switch on the backing store feature in the X
server.
Your MetaFrame installation includes script files that you can customize. These
scripts are in one of the following directories:
/opt/CTXSmf/lib
/usr/lpp/CTXSmf/lib
The script ctxXtw.sh runs when the X server starts, and includes X server
configuration settings such as the font path and the X security policy. By default,
the MetaFrame X server does not use a security policy (for the X security
extension). It is disabled by the option -sp /dev/null in ctxXtw.sh. If you want to
use a security policy, write the security policy (see the Xserver man page for
details about how to do this) and then change this option in ctxXtw.sh to point to
the policy file.
The script ctxsession.sh runs after a user logs on. You can use this script file to
customize the local environment for user sessions, such as defining the default
window manager, configuring scripts, or setting environment variables for users.

Customizing the Login Screen


You can change the appearance of the MetaFrame Login screen by substituting
the Citrix logo frame for a graphic of your choice. The graphic you choose must
be in .xpm (X pixmap) format.

The graphic used in the MetaFrame Login screen is located in:


/opt/CTXSmf/data/C/logo.xpm
/usr/lpp/CTXSmf/data/C/logo.xpm
The image that is displayed is limited to 120 x 200 pixels and 256 colors. If you
use a larger graphic, only the 120 x 200 pixels in the center of the graphic are
displayed. If you use a smaller graphic, the image displayed is centered in the
frame.
To display a different logo in the Login screen
1. Log on to the MetaFrame server as a Citrix server administrator.
2. Rename the current Citrix logo.xpm file—for example: old_logo.xpm
3. Rename your new graphic to logo.xpm and move this to the appropriate
.../CTXSmf/data/C/ directory (see previous).
The new graphic is displayed in the MetaFrame Login screen.

Changing the Window Manager


Using ctxsession.sh you can configure the system to load a window manager,
other than CDE. You can do this for every user who logs on to the MetaFrame
server, or for a particular user.
You can change the window manager that MetaFrame loads for connections to
server desktops, and published applications running in “full screen” windows. By
default, MetaFrame loads the ctxwm window manager for all connections to
published applications.

Changing the Window Manager for Every User


Use the following procedure to load a new window manager for every user who
logs on to the MetaFrame server.

Note: The window manager is not loaded for any initial programs that a user has
set on the client. To do this, use the procedure described in “Changing the
Window Manager for a Particular User” on page 158.

To use a different window manager for every user


1. Log on to the MetaFrame server as a Citrix server administrator.
2. Install the new window manager.
3. Open the ctxsession.sh script and locate the following line:
: ${CDE_WM:="/usr/dt/bin/dtsession"}

4. Change this line to:


: ${CDE_WM="/path/window_manager"}
where path is the location of the new window manager and window_manager
is the name of the new window manager.
Changing the Window Manager for a Particular User
Use the following procedure to load a new window manager for a particular user
each time the user logs on. The new window manager is also loaded for any initial
programs that the user has set on the client.
To use a different window manager for a particular user
1. Log on to the MetaFrame server as a Citrix server administrator.
2. Install the new window manager.
3. Open the ctxsession.sh script and locate the following lines:
#if [ -f $HOME/.ctx.session.sh ] ; then
# . $HOME/.ctx.session.sh
#fi
4. Remove the # character from the start of each line, so that these lines are no
longer commented out.
5. In the user’s home directory, create a file called .ctx.session.sh
6. In the .ctx.session.sh file, add the new window manager’s bin directory to the
path:
PATH=${PATH}:/path
where path is the location of the new window manager’s bin directory.
7. Add lines to load the new window manager and suppress the message that tells
the user that the window manager is being loaded:
DESKTOP_WM="/path"
DESKTOP_MESSAGE=""
where path is the location of the new window manager’s start file.
8. Add lines to load the new window manager when an initial program is
launched, and suppress the message that tells the user that the window
manager is being loaded:
INITIAL_APPS_WM="/path"
INITIAL_APPS_MESSAGE=""
where path is the location of the new window manager’s start file.
Example
The following example shows the lines required in the user’s .ctx.session.sh file
to start the kde window manager:
PATH=${PATH}:/usr/local/kde/bin
DESKTOP_WM="/usr/local/kde/bin/startkde"
DESKTOP_MESSAGE=""
INITIAL_APPS_WM="/usr/local/kde/bin/startkde"
INITIAL_APPS_MESSAGE=""

The result is that every time a user logs on, the system checks for the
.ctx.session.sh file in the user’s home directory. If it finds this file, the system
runs it and the new window manager is loaded. If the file is not found, or the user
connects to a published application, CDE is loaded.

Changing the Font Path


In Feature Release 1, by default, the font path contains the X font server.
However, you can remove the X font server from the font path by editing the
ctxsession.sh script.
For information about the X font server, and how to set it up, refer to the
documentation provided with the X font server.

About Font Servers and Font Paths


An X Windows session can obtain the fonts that it requires locally or from a font
server. A font server provides sessions with fonts and performs font conversion.
Typically, a font server is used to deploy a set of fonts across a network; it is also
useful for catering for applications that have particular font requirements, such as
TrueType fonts.
The path that a session takes to search for fonts is determined by the font path.
The ctxXtw.sh script on the MetaFrame server, which runs when the X server
starts, sets the default font path. The ctxsession.sh script, which runs after a user
logs on, checks whether the font path contains the X font server. If the font path
does not contain the X font server, ctxsession.sh adds it (provided the X font
server is running).

Important: MetaFrame does not start the font server. Therefore, Citrix recommend
that you enable the font server to start automatically. Use the fsadmin font server
administration utility to enable the X font server—for more information, see the
fsadmin man page.

Removing the Font Server From the Font Path


You can remove the font server from the font path by editing the ctxsession.sh
script.
For example, you may want to remove the font server from the font path if the
font server causes performance problems on the MetaFrame server. Note,
however, that performance problems are unlikely to occur unless many short-term
applications run on the MetaFrame server and make demands on the font server.

To remove the font server from the font path


1. Log on to the MetaFrame server as a Citrix server administrator.
2. Open the ctxsession.sh script and locate the following line:
USE_FONT_SERVER=1
3. Set the USE_FONT_SERVER flag to zero:
USE_FONT_SERVER=0

Configuring Backing Store


With Feature Release 1, you can switch on the backing store feature in the X
server, for applications that rely on this functionality. Backing store caches the
contents of the window displayed by an application and, where necessary,
automatically repaints the window from the cache.
By default, backing store is switched off.

When Should Backing Store be Switched On?


Only some applications require backing store to be switched on. An application
may require backing store if the application appears to be running very slowly, or
users experience screen corruption problems.
Because the use of backing store can increase the bandwidth between the server
and the client, Citrix recommend that backing store is not switched on, unless you
are deploying applications that require it.

Switching Backing Store On and Off


To switch backing store on
1. Log on to the MetaFrame server as a Citrix server administrator.
2. Open the ctxXtw.sh script and locate the following line:
XTW_OPTS="-session $CITRIX_SESSION_ID -terminate -bs"
3. Delete the -bs parameter from this line to turn backing store on.
To switch backing store off
To switch backing store off, reinstate the -bs parameter in the ctxXtw.sh script.
CHAPTER 8

Advanced Topics

Overview
This chapter discusses advanced MetaFrame system administration topics. Topics
discussed include:
• Configuring anonymous user settings
• Configuring MetaFrame security
• Understanding and configuring the ICA Browser Service
• Load balancing published applications
• Configuring ICA Gateways
• Using ICA with network firewalls
• Configuring the TCP/IP port number
• Configuring the operating system for a large number of connections

Configuring Anonymous Users


During MetaFrame installation, you can create a special user group called
ctxanon on the Citrix server, together with 15 local anonymous user accounts.
These accounts allow 15 users guest access to applications that you publish for
anonymous use.
Anonymous user accounts do not usually require further maintenance; however
their properties can be displayed and modified using the ctxanoncfg command.

Note: You must be root to display and update anonymous user settings.

Displaying Anonymous User Settings


Use ctxanoncfg to display the current number of anonymous user accounts, the
naming of the accounts, the anonymous user group name, and the idle timeout
period.
To display anonymous user settings
1. Log on to the MetaFrame server as the root user.
2. At the command prompt, run ctxanoncfg with the -l option to display
anonymous user settings:
ctxanoncfg -l

Configuring Anonymous User Settings


You can use ctxanoncfg to change the number of anonymous user accounts, the
names of the anonymous user accounts, and the idle timeout period for
anonymous user sessions. You can also use ctxanoncfg to specify a particular
shell, or assign user-ids, to anonymous user accounts.

Tip: The ctxanoncfg command displays what it is doing at each stage, together
with any errors that may occur. To suppress the display of this information, use
the -q (quiet) option with the ctxanoncfg command. For example, type:
ctxanoncfg -n 20 -q

Changing the Number of Anonymous Users


Use ctxanoncfg with the -n option to change the number of anonymous user
accounts. You can create any number of anonymous user accounts, but the
number you can use simultaneously is limited by your licensed user count.
Further options are available that allow you to change the naming of anonymous
user accounts and the idle timeout period.

Important: MetaFrame must be stopped on the server before you create
anonymous users. If MetaFrame is running, use the ctxshutdown command to
stop it—see “Stopping MetaFrame” on page 55 for further information.

To create anonymous users


1. Ensure MetaFrame is not running on the server and log on as root.
2. At the command prompt, use ctxanoncfg with the -n option to specify the new
number of anonymous user accounts you require:
ctxanoncfg -n number
where number is the new number of anonymous user accounts.
3. Start the MetaFrame process on the server—see “Starting and Stopping
MetaFrame” on page 55 for instructions.
Examples
To specify 20 anonymous user accounts, type:
ctxanoncfg -n 20
To delete all anonymous user accounts, type:
ctxanoncfg -n 0

Changing the Naming of Anonymous User Accounts


Use ctxanoncfg with the -b option to change how anonymous user accounts are
named. By default, the ctxanon group contains 15 user accounts with names in
the format anonx, where x is a number from 1 to 15. User account names can
have a maximum of 8 characters.

Note: You can only use the -b option when creating new anonymous user
accounts; -b cannot be used to change existing anonymous user accounts.

To change how anonymous user accounts are named


1. After stopping the MetaFrame process on the server, log on as root.
2. At the command prompt, type:
ctxanoncfg -n number -b name
where number is the new number of anonymous user accounts, and name is
the new name of the accounts.
Example
To create 25 anonymous user accounts called “guest1”, “guest2” ... up to
“guest25”, type:
ctxanoncfg -n 25 -b guest

Setting an Idle Timeout Period


Use ctxanoncfg with the -t option to specify the idle timeout period, in minutes,
for anonymous user sessions.
If there is no user activity within this time, a warning message informs the user
that they will be logged off after 5 minutes, unless they resume use of the session.
The default idle timeout period is 10 minutes.
To specify an idle timeout period
1. After stopping the MetaFrame process on the server, log on as root.
2. At the command prompt, type:
ctxanoncfg -n number -t minutes
where number is the new number of anonymous user accounts, and minutes is
the idle timeout period.
Examples
To create 25 anonymous user accounts with a timeout period of 30 minutes, type:
ctxanoncfg -n 25 -t 30
To alter only the timeout period to 20 minutes, type:
ctxanoncfg -t 20

Specifying a Particular Shell for Anonymous Users


When anonymous user accounts are created, the default system shell is assigned
to these accounts—for example: /bin/sh. However, you can specify a particular
shell to use for anonymous user accounts, using ctxanoncfg with the -s option.
To specify a particular shell
1. After stopping the MetaFrame process on the server, log on as root.
2. At the command prompt, type:
ctxanoncfg -n number -s shell
where number is the new number of anonymous user accounts, and shell is the
shell you want to assign to these accounts.
Example
To create 25 anonymous user accounts that use the C shell, type:
ctxanoncfg -n 25 -s /bin/csh

Specifying User-Ids for Anonymous Users


When anonymous user accounts are created, MetaFrame automatically assigns
available user-ids to these accounts. However, you can assign specific user-ids to
anonymous user accounts. To do this, you use ctxanoncfg with the -u option, and
specify the first user-id in the range.
To assign specific user-ids
1. After stopping the MetaFrame process on the server, log on as root.
2. At the command prompt, type:
ctxanoncfg -n number -u uid-number
where number is the new number of anonymous user accounts, and
uid-number is the first user-id you want to generate from.
Example
To create 10 anonymous user accounts with user-ids 10,027 to 10,036, type:
ctxanoncfg -n 10 -u 10027

Troubleshooting Anonymous User Accounts


If you experience problems with anonymous user accounts, delete the current
anonymous user configuration, using ctxanoncfg with the -clear option, and then
create new anonymous user accounts. The -clear option removes all internal
anonymous user account configuration, such as the home directories and entries
in the password file.
To delete all anonymous user account configuration
1. After stopping the MetaFrame process on the server, log on as root.
2. At the command prompt, type:
ctxanoncfg -clear
For information about creating new anonymous user accounts, see “Changing the
Number of Anonymous Users” on page 163.

Anonymous User Accounts and NIS Domains


All anonymous user accounts are created as local (non-NIS) accounts, with home
directories in /usr/anon. We recommend that you do not attempt to reconfigure
these accounts to be NIS accounts, or move the home directories for these users
onto non-local (for example, NFS) file systems.
To create user home directories on another file system, create a symbolic link
from /usr/anon to the desired file system.
When creating NIS accounts, ensure that these accounts do not re-use user-ids
which have been assigned to anonymous users.
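
One way to check for re-used user-ids before adding NIS accounts is sketched below. This is an added example, not a MetaFrame tool: the function name and the sample passwd entries are constructed for illustration, and anonymous accounts are recognized only by their home directory under /usr/anon.

```shell
#!/bin/sh
# Added example (not part of MetaFrame): report NIS accounts that re-use a
# user-id already held by a local anonymous account.

# anon_uid_collisions LOCAL_PASSWD NIS_PASSWD
#   Both arguments are passwd-format text: name:pw:uid:gid:gecos:home:shell
#   A local account counts as anonymous when its home directory is under
#   /usr/anon, where the guide says anonymous home directories are created.
# Prints "uid anon-account nis-account" per collision; returns 1 if any exist.
anon_uid_collisions() {
    {
        printf '%s\n' "$1" | sed 's/^/L:/'   # tag local entries
        printf '%s\n' "$2" | sed 's/^/N:/'   # tag NIS entries
    } | awk -F: '
        # After tagging: $1 tag, $2 name, $4 uid, $7 home directory
        $1 == "L" && $7 ~ /^\/usr\/anon(\/|$)/ { anon[$4] = $2 }
        $1 == "N" && ($4 in anon)              { print $4, anon[$4], $2; hit = 1 }
        END { exit (hit ? 1 : 0) }'
}

# Constructed sample data (not taken from a real system)
SAMPLE_LOCAL='root:x:0:0:Super-User:/:/sbin/sh
anon1:x:10027:300::/usr/anon/anon1:/bin/sh
anon2:x:10028:300::/usr/anon/anon2:/bin/sh'
SAMPLE_NIS='jsmith:x:10028:100:J Smith:/home/jsmith:/bin/ksh
mlee:x:20001:100:M Lee:/home/mlee:/bin/ksh'

anon_uid_collisions "$SAMPLE_LOCAL" "$SAMPLE_NIS" ||
    echo "NIS map re-uses an anonymous user-id"
```

On a live server the two arguments would come from /etc/passwd and from the output of ypcat passwd.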

Configuring MetaFrame Security


This section describes the MetaFrame security function that controls user access
to MetaFrame commands and sessions. It provides an overview of MetaFrame
security, and it tells you how to display and configure security settings.
When you install MetaFrame, default security settings automatically control user
access to various MetaFrame commands. By default, users can log on, send
messages, and shadow other sessions, but they are denied access to all other
MetaFrame commands. See “Default Security Settings” on page 171 for
information about which functions are allowed or denied.

Why Use MetaFrame Security?


MetaFrame security lets you tighten or relax user access to MetaFrame
commands and sessions. With MetaFrame security you can:
• Change the default security settings. For example, by default, all users can
shadow other users’ sessions, but you may want to prevent this.
• Provide groups of users with access to MetaFrame commands and sessions.
For example, you may want to give the “helpdesk” user group the rights to
connect, disconnect, and reset other users’ sessions.
• Deal with exceptions on an individual user basis. For example, you may want
to prevent a particular user from being able to send messages to other users’
sessions.

Security Overview
This overview explains which users are affected by security, which functions are
secured, how security can be controlled at different levels, and how the security
checking process works.

Which Users Are Affected by Security?


MetaFrame security controls user access to specific MetaFrame commands and
sessions.
However, MetaFrame security does not control Citrix server administrator access
to commands and sessions. In other words, the ctxadm group (for example,
ctxsrvr) is unaffected by MetaFrame security. MetaFrame security controls the
access rights of the root user and ordinary users (explicit and anonymous users).

Who Can Do What in MetaFrame


The following table provides a brief summary of which users can do what in
MetaFrame. Only the functions indicated by “ctxsecurity” are controlled using
MetaFrame security.

MetaFrame functions/commands                root user     ctxadm   other users

Install and remove MetaFrame                Yes           No       No
Activate Citrix Licensing                   No            Yes      No
Start and stop server processes             Yes           Yes      No
Configure the MetaFrame server              No            Yes      No
Log on to the server                        ctxsecurity   Yes      ctxsecurity
Query who is on the server                  Yes           Yes      Yes
Perform actions on others’ sessions, such   ctxsecurity   Yes      ctxsecurity
  as shadowing or resetting sessions
Perform actions on their own sessions       Yes           Yes      Yes
Send messages                               ctxsecurity   Yes      ctxsecurity

Note: If root is unable to log on at the server, this may be due to the CONSOLE
setting in the /etc/default/login file (the /etc/security/user file on AIX), which
can be used to prevent root logging on at a terminal other than the one specified.
The ctxsecurity command cannot be used to override the CONSOLE setting.

Which Functions Can ctxsecurity Control?


MetaFrame security controls access to specific MetaFrame functions called
secured functions. The secured functions are shown in the following table:

Secured function   MetaFrame security determines...

login              Which users can log onto the MetaFrame server.
sendmsg            Which users can use ctxmsg to send messages to other users’
                   sessions.
connect            Which users can use ctxconnect to connect to other users’ sessions.
disconnect         Which users can use ctxdisconnect to disconnect other users’
                   sessions.
logoff             Which users can use ctxlogoff to log off other users’ sessions.
reset              Which users can use ctxreset to reset other users’ sessions.
shadow             Which users can use ctxshadow to shadow other users’ sessions.

Controlling Security at Different Levels


Security can be controlled at the:
• User level—i.e. UNIX user level
• Group level—i.e. UNIX group level
• Global level—i.e. UNIX global level
A global security setting exists for every secured function. When you install
MetaFrame, security is automatically controlled at the global level for each
secured function. For example, by default, all users can send messages to other
sessions.
However, you can also configure security for individual users, or for groups of
users. For example:
• If you want to prevent the user “fred” from sending messages to other
sessions, you can set up user-level security to deny fred access to ctxmsg.
• You can set up group-level security for the “Support” group to allow members
of this group to reset other users’ sessions using ctxreset.
If no user or group-level security exists, the global security level determines user
access rights.

The Security Checking Process


To configure MetaFrame security or troubleshoot security, you need to
understand how the MetaFrame security checking process works.
When a user attempts to run a secured function, MetaFrame checks whether the
user has the rights to do so. MetaFrame first checks the user security level, then,
depending on the result, the group security level. If neither user nor group-level
security exists, a final check is made at global security level.

The following diagram shows each step in the security checking process, using
the example of a user attempting to run the ctxshadow command:

Default Security Settings


A global security setting always exists for each secured function. The global
setting acts as the default, when neither user-level nor group-level security exists.
Because the primary function of security is to deny access to unauthorized users,
the global security setting can be thought of as the last line of defense.
After installation, the default settings are:

Secured function             Default global setting

Login                        Allow
Sendmsg (ctxmsg)             Allow
                             Deny for anonymous users
Connect (ctxconnect)         Deny
Disconnect (ctxdisconnect)   Deny
Logoff (ctxlogoff)           Deny
Reset (ctxreset)             Deny
Shadow (ctxshadow)           Allow
                             Deny for anonymous users

Note: By default, root cannot log on to the server from an ICA Client. However, if
your super user has a different account name to “root” or multiple account names,
he or she can log on from an ICA Client.

To change the default settings, see “Changing the Global Security Settings” on
page 172.

Displaying Security Settings for a Function


Use the -l (list) option with the ctxsecurity command to display security settings
for a particular function. You must specify the secured function for which you
want to display settings. All levels of security (user, group, and global) are
displayed for the function.
To display security settings for a function
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxsecurity secured-function -l
where secured-function is one of: login, sendmsg, connect, disconnect,
logoff, reset or shadow.
Example
To display security settings for the ctxshadow function, type:
ctxsecurity shadow -l
Security settings such as the following are displayed:
global allow
group users deny
Tip: Use grep to filter and identify specific information—for example, to display
security settings for a particular user or group.

Configuring Security Settings


You can use the ctxsecurity command to change the global security settings or to
configure user and group-level security.

Changing the Global Security Settings


You can use the ctxsecurity command with the -a (all) option to change the
global security setting for a secured function.
To change a global security setting
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxsecurity secured-function -a allow|deny
where secured-function is one of: login, sendmsg, connect, disconnect,
logoff, reset or shadow.
Example
To change the global security setting for the ctxshadow tool to deny, type:
ctxsecurity shadow -a deny

Configuring Security for a User


You can use the ctxsecurity command with the -u (user) option to configure
security at the user level. For example, you might want to allow a particular user
access to a MetaFrame function that is denied at the global level.
To configure security for a user
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxsecurity secured-function -u user-name allow|deny
where secured-function is one of: login, sendmsg, connect, disconnect,
logoff, reset or shadow.
Example
To allow the user “fred” to use the ctxreset command to reset other users’
sessions, type:
ctxsecurity reset -u fred allow

Configuring Security for Groups of Users


You can use the ctxsecurity command with the -g (group) option to configure
security at the group level. For example, you might want to allow a group of users
access to a MetaFrame function that is denied at the global level.
To configure security for a group of users
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxsecurity secured-function -g group-name allow|deny
where secured-function is one of: login, sendmsg, connect, disconnect,
logoff, reset or shadow.
Example
To allow the group “support” to use the ctxreset command to reset other users’
sessions, type:
ctxsecurity reset -g support allow

Using Inherit to Remove Settings


You can use the inherit option with the ctxsecurity command to remove
previously set security settings. This option is useful when you want to remove
settings that are exceptional cases.
For example, the “management” group is allowed to shadow other sessions, but
the user “fred”, a member of this group, is an exception and has been denied
access to shadowing. When it is later decided to allow “fred” to shadow, the
Citrix server administrator can use inherit to reinstate the group’s security
setting. In effect, inherit removes fred’s user-level security setting, and picks up
the security setting from group level.
Users can inherit settings from the group or global level, while a group can inherit
settings from the global level. Global security settings cannot inherit values.
To inherit a security setting
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxsecurity secured-function {-u user-name|-g group-name} inherit
where secured-function is one of: login, sendmsg, connect, disconnect,
logoff, reset or shadow.
Example
To remove fred’s user-level security setting for the ctxshadow command and
reinstate the group’s security setting, type:
ctxsecurity shadow -u fred inherit
The result is that the user “fred” inherits a security setting. MetaFrame checks
which groups fred belongs to, and whether any of these groups have a group-level
security setting. If at least one group-level setting exists that allows shadowing,
fred inherits the right to shadow. Otherwise, if at least one group-level setting
exists that denies shadowing, fred is not permitted to shadow. If no group-level
setting exists, fred inherits rights from the global level.
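
The check order from “The Security Checking Process” and the inherit rules above can be modelled over a saved listing, which helps when reviewing who can actually shadow or reset sessions. The following shell function is an added illustration, not part of MetaFrame; the “user name setting” line format and the sample listing are assumptions constructed for the example (the guide shows only the global and group line formats).

```shell
#!/bin/sh
# Added example (not part of MetaFrame): resolve the effective right for one
# account from the text of a "ctxsecurity <function> -l" listing.
# Assumed line formats: "global <setting>", "group <name> <setting>" (both as
# shown in the guide) and "user <name> <setting>" (an assumption).

# effective_right LISTING USER GROUP_LIST
#   LISTING:    listing text, one setting per line
#   USER:       account name to evaluate
#   GROUP_LIST: space-separated UNIX groups the account belongs to
# Prints "<allow|deny> <level>" where level is user, group or global.
effective_right() {
    printf '%s\n' "$1" | awk -v user="$2" -v groups="$3" '
        BEGIN {
            n = split(groups, g, " ")
            for (i = 1; i <= n; i++) member[g[i]] = 1
        }
        # 1. A user-level setting, if present, decides the outcome.
        $1 == "user" && $2 == user { user_set = $3 }
        # 2. Otherwise group settings apply: any allow wins over any deny.
        $1 == "group" && ($2 in member) {
            if ($3 == "allow") g_allow = 1
            if ($3 == "deny")  g_deny = 1
        }
        # 3. The global setting is the fallback.
        $1 == "global" { global_set = $2 }
        END {
            if (user_set != "")        print user_set, "user"
            else if (g_allow)          print "allow", "group"
            else if (g_deny)           print "deny", "group"
            else if (global_set != "") print global_set, "global"
            else { print "unknown none"; exit 1 }
        }'
}

# Constructed listing for the shadow function (not real command output)
SAMPLE_LISTING='global deny
group management allow
group contractors deny
user fred deny'

# fred is denied at user level even though management is allowed
effective_right "$SAMPLE_LISTING" fred "management"

# After "ctxsecurity shadow -u fred inherit" the user line is gone,
# so fred picks up the allow from the management group
AFTER_INHERIT=$(printf '%s\n' "$SAMPLE_LISTING" | grep -v '^user fred ')
effective_right "$AFTER_INHERIT" fred "management"
```

Because an allow on any one group outweighs a deny on another, a group-level deny does not restrict a user who also belongs to an allowed group; only a user-level deny does.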

Examples
In the following examples, MetaFrame security is used to tighten security, and
then to provide a group of users with access to a particular MetaFrame function.

Example 1: Locking Down Security


After installation, the default MetaFrame security settings allow users to shadow
other users’ sessions. However, the Citrix server administrator decides to tighten
security to prevent this.
The administrator does this by changing the global security setting for the
shadowing function:
ctxsecurity shadow -a deny
Example 2: Giving Rights to a Group of Users
MetaFrame security is configured so that users are prevented from shadowing
other users’ sessions. However, the “helpdesk” group needs to be able to shadow
so they can help users with problems.
The administrator uses MetaFrame security to provide the “helpdesk” user group
with access to the shadowing function:
ctxsecurity shadow -g helpdesk allow

MetaFrame for UNIX and the ICA Browser Service


The ICA Browser maintains data on Citrix servers and published applications.
The ICA Browser consists of a master browser, member browsers, and client
systems. The ICA Browser uses directed packets to communicate with other ICA
Browser services running on Citrix servers.
Citrix ICA Clients query the ICA Browser service to obtain a list of Citrix servers
and published applications. The Citrix ICA Client queries the ICA Browser
service for the network address of servers and published applications when a
session is launched. Citrix servers use the ICA Browser service to pool licenses
and share administrative and performance information.

Controlling the Master Browser


Every Citrix server runs the ICA Browser service. One Citrix server is elected the
master browser; all other Citrix servers on the network are member browsers. The
master browser is an ICA Browser acting as a central information store. The
master browser keeps track of the following information:
• The available Citrix servers
• The available published applications
• Pooled licenses (user counts)
• Performance and load information for Citrix servers
The master browser for each network is chosen by a master browser election. If
the current master browser on a network is not responding, a new master browser
election is held automatically. This provides high reliability for the ICA Browser
service.

Note: MetaFrame for UNIX servers do not support the backup ICA Browser
feature. The backup ICA Browser stores information about pooled licenses, in the
event that the master browser server fails. However, this feature is available in a
mixed farm containing MetaFrame for NT servers.

In general use, the ICA Browser service is invisible to you and does not affect the
continued operation of MetaFrame for UNIX Operating Systems. However, you
may want to manipulate the possibility of a particular machine becoming the
master browser, because:

• Servers running different versions of MetaFrame provide different versions of
the ICA Browser service when they are master browser. This can affect the
features available to users. In particular, if you have MetaFrame XP servers in
your network, you may want to ensure that a MetaFrame for UNIX server in
the network does not become the master browser.
• The master browser service consumes more resources, and may respond
slowly if it is running on a heavily loaded machine. Therefore, you may want
to make sure that machines that receive many connections are less likely to
become the master browser. If necessary, you can configure the settings of one
or more dedicated machines in the network so that one of these machines is
more likely to become the master browser.
Locating the Current Master ICA Browser
You can use the ctxqserver command with the -master option to locate the Citrix
server acting as the master browser.
To locate the master browser
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxqserver -master
The address of the master ICA Browser on the local subnet is displayed. If no
master browser is running, for example during a browser election, the error
message “Error obtaining requested information” is displayed.

Manipulating Master Browser Elections


The ICA Browsers on a network subnet elect a master browser under any of the
following conditions:
§ The current master browser does not respond to another ICA Browser
§ The current master browser does not respond to an ICA Client
§ A Citrix server is started
§ Two master browsers are detected on the same network subnet
A combination of factors affects the outcome of the election. The two main factors
are:
§ The version of the Citrix server—for example, MetaFrame XP in mixed mode,
MetaFrame for UNIX 1.1, WINFRAME 1.7 (note that MetaFrame for UNIX
Release 1.0 and Release 1.1 are treated the same)
§ The master browser preference setting for each server
You set this preference using the ctxbrcfg tool for MetaFrame for UNIX
Operating Systems servers or, for other Citrix servers, Citrix Server
Administration. Citrix servers can be set to:

neutral   The default value of “no preference” behavior in elections.
always    Always attempt to become master browser.
never     Never attempt to become master browser.

Other factors, such as the length of time a server has been running and whether
the Citrix server is also a Windows NT domain controller (not applicable to
MetaFrame for UNIX Operating Systems), can also affect an election result.

Tip You can force a master browser election using the ctxqserver -election
command. For more information, see “ctxqserver” on page 245.

Introducing a New Server


Introducing any type of Citrix server into your network forces an election.
§ The default master browser preference setting for a MetaFrame for UNIX
Operating Systems server is neutral; i.e. unbiased. If you add a server with
this default setting to a network that includes MetaFrame XP in mixed mode
servers that are also configured as unbiased in elections, the MetaFrame for
UNIX server will not become the master browser. Under these circumstances,
a MetaFrame XP in mixed mode server automatically has preference to
become the master browser.
§ If you add a MetaFrame for UNIX server to a network that only includes other
MetaFrame for UNIX servers, it may become master browser if all the other
servers are set to neutral.
Important It is the combination of settings for all servers on the network that
decides the results of an election. A MetaFrame for UNIX server could still win a
master browser election with a MetaFrame for NT server, if the master browser
preference on the MetaFrame for NT server is set to never.

Biasing the Results of Elections


Ø If you do not mind which server becomes master browser
Leave the master browser preference setting on each server at the default setting
of neutral or no preference, as appropriate for the type of server.
Ø If you want a particular server to be the master browser
1. Configure the master browser preference on the server you want to become
master browser to be always. Use the ctxbrcfg command for MetaFrame for
UNIX. See “Configuring the ICA Browser” on page 180 in this section for
more detailed instructions. For other Windows-based Citrix servers, use Citrix
Server Administration.
2. Leave the master browser preference on the other servers to be neutral or no
preference, as appropriate for the type of server. Do not set the other servers
to be never—reserve this setting for a particular server that should never
become master browser.
3. The changes you make using ctxbrcfg will cause a master browser election to
occur. Wait a few moments for the election to take place and then check the
master browser status using the ctxmaster command.
Ø If you want to stop a particular server from becoming the master browser
1. Configure the master browser preference on the server that you do not want as
the master browser to be never, using the ctxbrcfg command.

Important Do not set the master browser preference on all servers in a network
to be never because unpredictable election results will occur.

2. Leave the master browser preference on the other servers that can become the
master browser to be neutral or no preference as appropriate for the type of
server. Any changes you make using the ctxbrcfg command will cause a
master browser election to occur.
Note If the MetaFrame for UNIX server has more than one network interface
card and is connected on more than one subnet, restrict the server to one subnet—
for details, see “If a MetaFrame Server Uses Multiple NICs” on page 181.

Configuring the ICA Browser


The ICA Browser maintains data about Citrix servers and published applications.
You can display and change the ICA Browser settings on a server using the
ctxbrcfg tool. Any changes you make using ctxbrcfg will cause a master browser
election to take place.
Ø To control how the ICA Browser behaves during browser elections
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:

To                                                     Use the command

Configure the server so that it always attempts to     ctxbrcfg -m always
become the master browser in an election, subject to
the presence and actions of other browsers.

Configure the server so that it refrains from          ctxbrcfg -m never
participating in an election. Note that the server can
still become the master browser under some
circumstances.

Configure the default behavior of “no preference”.     ctxbrcfg -m neutral

The refresh period controls how often the ICA Browser on this server updates the
master ICA Browser. The ICA Browser updates the master ICA Browser after the
specified amount of time elapses. A short refresh period makes the master ICA
Browser data more accurate, but increases CPU and network load.
Ø To view or change the refresh interval for the ICA Browser service
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:

To                                                  Use the command

Display the current refresh interval.               ctxbrcfg -r list

Set a period (in minutes) at which the local ICA    ctxbrcfg -r set=num
Browser service will update the master browser.

Note The default settings work for most installations. Change them only when
you understand the implication of each setting.

Starting and Stopping the ICA Browser


You can start and stop the ICA Browser process on a server, without having to
stop and start all the MetaFrame processes, using the ctxsrv tool.
If you stop the ICA Browser on a server, users will be unable to connect to
published applications on this server, although they will still be able to connect to
the server desktop. If you stop the ICA Browser process on the master browser, a
master browser election will occur among the other Citrix servers on the network.
Ø To start or stop the ICA Browser using ctxsrv
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxsrv {start|stop} browser

If a MetaFrame Server Uses Multiple NICs


If a MetaFrame server has more than one network interface card (NIC) and is
connected on more than one subnet, problems may occur if this server attempts to
become master browser on a subnet. If the server becomes master browser on one
subnet, it may assume it is also master browser on another subnet that already has
a master browser.
To prevent this from occurring, you must configure the server so that the ICA
Browser communicates only with other ICA Browsers on a particular subnet or
NIC. In other words, you must bind the server to a particular subnet or NIC.
To do this in Feature Release 1, you use the ctxbrcfg command with the -b
option.
Ø To restrict the ICA Browser to a particular subnet or NIC
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxbrcfg -b set=address
where address is the IP address or subnet address you want to restrict the ICA
Browser to, in aaa.bbb.ccc.ddd format—for example, 10.20.123.123.
3. Restart the ICA Browser by typing:
ctxsrv start browser

Ø To remove a restriction on an ICA Browser


1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxbrcfg -b unset
3. Restart the ICA Browser by typing:
ctxsrv start browser
Ø To display current restrictions on an ICA Browser
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxbrcfg -b list
If there are no restrictions, “No address specified, binding to all available
adapters” is displayed.
If there are restrictions, “Browser bound to adapter address aaa.bbb.ccc.ddd”
is displayed (where aaa.bbb.ccc.ddd is the IP address or subnet address the
ICA Browser is restricted to).
Troubleshooting Multiple NICs
If you bind the server to a subnet, make sure that there is only one NIC on this
subnet, or the ICA Browser will not start and an error will be written to the
system log. Instead, bind to a specific NIC rather than the network.
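
The check described above can be run before typing ctxbrcfg -b set=address. The following script is an added example, not part of the Citrix guide or tools: it assumes ifconfig -a output in the Solaris layout (hex netmasks), and the function names and sample interfaces are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check before "ctxbrcfg -b set=address" on a multi-homed server.
# Input on stdin: "ifconfig -a" text in the Solaris layout (hex netmask).

# Constructed sample: hme0 and hme1 share one subnet, qfe0 is alone on another.
sample_ifconfig() {
    cat <<'EOF'
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.20.123.123 netmask ffffff00 broadcast 10.20.123.255
hme1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.20.123.124 netmask ffffff00 broadcast 10.20.123.255
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 192.168.12.3 netmask ffffff00 broadcast 192.168.12.255
EOF
}

# Dotted quad -> integer, so addresses can be masked and compared.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
}

# check_browser_bind ADDRESS   (ifconfig text on stdin)
#   0  ADDRESS is one NIC's own address, or a subnet with exactly one NIC
#   1  more than one NIC sits on that subnet (the browser would not start)
#   2  no local interface matches ADDRESS
check_browser_bind() {
    addr=$1
    want=$(ip_to_int "$addr")
    nic=""; on_net=""; count=0
    # Reduce the ifconfig text to "name ip hexmask" triples.
    ifaces=$(awk '
        $1 ~ /:$/ && $2 ~ /^flags=/ { name = $1; sub(/:$/, "", name) }
        $1 == "inet" && $3 == "netmask" { print name, $2, $4 }')
    while read -r name ip mask; do
        [ -n "$mask" ] || continue
        ipn=$(ip_to_int "$ip")
        if [ "$ipn" -eq "$want" ]; then
            nic=$name                                  # exact NIC address
        elif [ $(( ipn & 0x$mask )) -eq "$want" ]; then
            on_net="$on_net $name"; count=$((count + 1))   # NIC on that subnet
        fi
    done <<EOF
$ifaces
EOF
    if [ -n "$nic" ]; then
        echo "ok: $addr is the address of NIC $nic"; return 0
    elif [ "$count" -eq 1 ]; then
        echo "ok: one NIC on subnet $addr:$on_net"; return 0
    elif [ "$count" -gt 1 ]; then
        echo "conflict: $count NICs on subnet $addr:$on_net"; return 1
    fi
    echo "unknown: no local interface matches $addr"; return 2
}

# Demonstration on the constructed sample.
for a in 10.20.123.0 10.20.123.123 192.168.12.0; do
    sample_ifconfig | check_browser_bind "$a" || true
done
```

On a live server, pipe the real interface listing into the function instead of the sample, for example: ifconfig -a | check_browser_bind 10.20.123.0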

Load Balancing Published Applications


This section introduces load balancing and explains how to activate and tune load
balancing in your MetaFrame installation.
Load balancing determines which servers are least busy and can best run an
application. The master browser keeps track of the load levels and the number of
users connected on each MetaFrame server. When a published application or
desktop is launched from an ICA Client, the master browser selects which server
will run the application or desktop session, based on server load. For more
information about the master browser, see “MetaFrame for UNIX and the ICA
Browser Service” on page 176.
Load balancing also offers increased availability. By configuring a pool of servers
capable of running your users’ applications, you can easily bring servers off-line
for maintenance or add more servers for increased performance without affecting
application availability.
If you are deploying applications using Citrix NFuse, load balancing works in the
normal way. In other words, NFuse contacts the XML Service, which in turn
contacts the master browser. The master browser then distributes connections
among the servers, taking into account load factors.
To use load balancing, you need to purchase and install Citrix Load Balancing
Services—see “Upgrading to Feature Release 1” on page 63 for more
information.

Load Balancing a Group of Servers


When you activate load balancing, by default, MetaFrame automatically monitors
the number of users connected to each server and sends new connections to the
server that is least busy.
However, if a user already has a disconnected session on a server, the
disconnected session is reconnected, regardless of how busy the server is.
Ø To load balance a group of servers
1. Install a Citrix Load Balancing Services license on each server.
2. Publish the application on each server. You can publish the application on one
server and then create and run a script file to publish the same information on
the other servers—see “Publishing an Application on More than One Server”
on page 116 for more information.
3. Allow users to connect to the published application. Connections are
distributed among all the servers on which the application is published.

Note Load balancing works by identifying the names of published
applications. Therefore, make sure that the application you want to load
balance over a group of servers is given the same name in ctxappcfg on each
server.

Tuning Load Balancing


Different types of servers—for example, with different processor speeds or
available memory—can accept a different number of connections before
becoming busy. If you find that some servers become busier than others with
evenly distributed connections, you can tune load balancing so that this is taken
into account.
How you tune load balancing depends upon whether the server is running Version
1.1 or Feature Release 1 of MetaFrame for UNIX Operating Systems.

Tuning Load Balancing in Version 1.1


In Version 1.1 of MetaFrame for UNIX (without the Feature Release 1 upgrade)
you can tune the load using ctxcfg with the -l option to control the number of
connections permitted on each server.
Ø To tune the number of connections on each server
1. When a user experiences problems running a session, use the ctxqsession
command to identify the server to which the user is connected.
2. Count the active number of sessions on the server that is causing the problem,
and then limit the maximum number of users who can log on to the server,
using ctxcfg and the -l option.
3. Limit the maximum number of users who can log on, on the other servers, in a
similar way. For best results, set a value on each server.

Tuning Load Balancing in Feature Release 1


If Feature Release 1 is installed on the MetaFrame for UNIX server, you can bias
the distribution of connections to take into account the relative speed and power
of a server. To do this you use ctxcfg with the -k loadfactor option to adjust the
load factor.
By default, each server has a load factor of 100. However, if you have a server
that is more powerful relative to the other servers in the group, you can increase
the load factor to ensure that this server receives more connections. Likewise, if
you have a server that is less powerful, you can decrease the load factor to ensure
that it receives fewer connections. The load factor can be any number between 1
and 10000.

Alternatively, you can use ctxcfg with the -l option to control the number of
connections permitted on each server—see “Tuning Load Balancing in Version
1.1” on page 184 for more information.
Ø To tune the load on each server
1. Stop the ICA Browser by typing:
ctxsrv stop browser
2. At the command prompt, type:
ctxcfg -k loadfactor=num
where num is a load factor value between 1 and 10000.
3. Start the ICA Browser by typing:
ctxsrv start browser

Note If you have a combination of MetaFrame for UNIX Version 1.1 and Feature
Release 1 servers in your network, Citrix recommends that you either remove the
restrictions on the number of connections permitted on the Version 1.1 servers, or
upgrade all of the servers to Feature Release 1. Otherwise, when MetaFrame
attempts to load balance, the restrictions on the number of connections on the
Version 1.1 servers may cause overloading of the Feature Release 1 servers.

Example 1
There are 10 MetaFrame for UNIX servers in a server farm, each running Feature
Release 1. One server has a more powerful processor than the others, and
you estimate that it can handle 50% more load than the other servers.
§ On the more powerful server, allow 50% more load than on the other servers
in the group. At the command prompt type:
ctxsrv stop browser
ctxcfg -k loadfactor=150
ctxsrv start browser
Example 2
There are five MetaFrame for UNIX servers in a server farm, each running
Feature Release 1. One server has a less powerful processor than average, and you
estimate that it can handle 25% less load than the others.
§ On the less powerful server, allow 25% less load than on the other servers in
the group. At the command prompt type:
ctxsrv stop browser
ctxcfg -k loadfactor=75
ctxsrv start browser

Example 3
A word-processing application is published on a number of servers. Occasionally,
a server becomes overloaded. This is due to a high number of users concurrently
using the application (rather than the fact that the application places a high
demand on server resources, such as in the case of a CAD application). Therefore,
you decide to limit the number of connections permitted on each server to 200.
§ On each server on which the word-processor is published, restrict the number
of connections to a maximum of 200. At the command prompt, type:
ctxcfg -l max=200

Displaying the Load Factor


If you have tuned the load using ctxcfg -k loadfactor, you can display the current
load factor setting for an application using the ctxcfg -g command.
Ø To display the load factor
At the command prompt, type:
ctxcfg -g | grep loadfactor

Displaying the Load


You can display the load for a particular server or application using the
ctxqserver -app command.
Ø To display the load
At the command prompt, type:
ctxqserver -app [application-name | server-name ]
where application-name is the name of a published application, and server-name
is the name of the MetaFrame server that you want to display the load for.

Troubleshooting Load Balancing


If users frequently disconnect and reconnect to sessions on load balanced Citrix
servers, rather than logging off, the load may not be distributed evenly among the
servers.
Also, if users are using clients that support session sharing and they start multiple
applications, the clients will attempt to start subsequent applications within the
existing session, rather than create a new session. This may lead to uneven
application load distribution among the servers.

Configuring ICA Gateways


For Citrix servers or ICA Clients to contact Citrix servers on a different network,
an ICA Gateway must be configured.
The master ICA Browser maintains the browse list and periodically receives
updates from other browsers (the Citrix servers) on the same network. The
exchange of information between the master ICA Browser and the other browsers
takes place over the local subnet. To communicate and exchange information
with other networks, you must establish an ICA Gateway on the participating
networks.
If you have more than one network subnet—for example, if you use a router or a
WAN to connect two networks—you need to set up an ICA Gateway to allow the
master browsers on each network to share information about available Citrix
servers and published applications.
An ICA Gateway consists of at least two Citrix servers. The local server is
responsible for contacting the other network and setting up a link between the
master browsers on each network. The remote server is a Citrix server on the
other network that communicates with the local server to establish the ICA
Gateway.
Ø To display the ICA Gateways configured on a server
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxbrcfg -g list
Ø To add or remove an ICA Gateway
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt:

To                                             Use the command

Add a gateway host name or IP address to the   ctxbrcfg -g add=gateway
list.

Remove a gateway host name or IP address       ctxbrcfg -g remove=gateway
from the list.

Note You can also use the ctxqserver -gateway command to display information
about the ICA Gateways known to each server on the network—see the
“Command Reference” on page 223 for details.

Using ICA With Network Firewalls


Network firewalls can allow or block packets based on the destination address
and port. If you are using ICA through a network firewall, use the information
provided in this section to configure the firewall.

ICA TCP/IP Connection Sequence


1. The Citrix ICA Client sends a packet to port 1494 on the Citrix server
requesting a response to a randomly selected port above 1023.
2. The Citrix server responds by sending packets to the Citrix ICA Client with
the destination port set to the port requested in Step 1.
If you have a firewall or other TCP/IP network security, configure it to allow
TCP/IP packets on port 1494 to pass to Citrix servers on your network.
Configure the firewall to allow TCP/IP packets on ports above 1023 to pass to
Citrix ICA Clients.
If the firewall is not configured to pass ICA packets, users may receive the error,
“There is no route to the specified address.”

Note You can configure the Citrix server to use a different port number than
1494. See “Configuring the TCP/IP Port Number” on page 190 for details. Citrix
ICA Clients must be configured to use the different port—see the Citrix ICA
Client Administrator’s Guides for the clients you plan to deploy.

The ICA Browser


The ICA Browser service uses UDP port 1604. ICA Browser responses are sent
to a high port number above 1023.
The firewall must be configured to allow inbound UDP port 1604 packets to
Citrix servers for load balancing, server farms, and ICA server browsing to
function correctly. Note that with the Citrix XML Service you can avoid passing
UDP through the firewall—for more information see “Using the Citrix XML
Service” on page 197.

Warning Allowing untrusted access to the ICA Browser service entails some
security risk. Configure the firewall to pass ICA Browser data only if load
balancing and server browsing across the firewall are essential.

ICA Browsing With Network Address Translation


Some firewalls use IP address translation to convert private (Intranet) IP
addresses into public (Internet) IP addresses. Public IP addresses are called
“external” addresses because they are external to the firewall, whereas private IP
addresses are said to be “internal” addresses.
Hosts on the internal network have one set of addresses that is translated to
another set when passing through the firewall.
For example, an internal host has a private address 192.168.12.3. The firewall
translates this into a different public address such as 206.103.132.20.
To browse Citrix servers and published applications, the Citrix ICA Client
contacts a Citrix server and requests the address of the master ICA Browser. If the
ICA Client is external to the firewall, it must be configured to use the public
address of a Citrix server. The server returns the IP address of the current master
ICA Browser to the ICA Client. By default, the IP address returned to the ICA
Client is the internal address.
If the ICA Client is outside the firewall and the firewall is configured for address
translation, the IP address returned to the client for the master browser will be
incorrect.

Returning External Addresses to ICA Clients


Use the ctxalt command to configure the ICA Browser to return the external IP
address to Citrix ICA Clients. You must configure every server that can be elected
as the master ICA Browser.
The ctxalt command sets an alternate address for the ICA Browser on that
machine. The external address for the server is specified as the alternate address.
The Citrix ICA Client requests the alternate address when contacting servers
inside the firewall. The alternate address must be specified for each server.
Ø To set an alternate address for a Citrix server
1. Determine the correct external IP address.
2. At the command prompt, type ctxalt -a browser-address alternate-address
See Appendix A for more information about the ctxalt command.
3. Repeat on each server.
In addition to specifying the alternate address on the Citrix server, the ICA Client
must be configured to request the alternate address when contacting the master
ICA Browser. For information about configuring ICA Clients to request the
alternate address, see the Citrix ICA Client Administrator’s Guides for the clients
you plan to deploy.

Configuring the TCP/IP Port Number


By default, the TCP/IP port number used by the ICA protocol is 1494. You can
change the port number using the ctxcfg command with the -P option.
The port number should be in the range 1024–65535 and must not conflict with
other port numbers being used. Whenever the port number is changed, the server
must be restarted for the new value to take effect.

Important If you change the port number on the MetaFrame server, you must also
change it on every Citrix ICA Client that will connect to that server. For
instructions about changing the port number on Citrix ICA Clients, see the Citrix
ICA Client Administrator’s Guides for the ICA Clients that you plan to deploy.

Ø To display the current TCP/IP port number


1. Log in as a Citrix server administrator at the MetaFrame server.
2. At the command prompt, type:
ctxcfg -P list

Ø To change the TCP/IP port number


1. Log in as a Citrix server administrator at the MetaFrame server.
2. At the command prompt:

To set                                      Use the command

The port number to the value num            ctxcfg -P set=num
The port number back to the default, 1494   ctxcfg -P reset

Examples
To set the TCP/IP port number to 5000:
ctxcfg -P set=5000

To reset the port number to 1494:


ctxcfg -P reset
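
The port rules in this section and the firewall guidance in “Using ICA With Network Firewalls” can be checked and turned into filter rules together. The following script is an added example, not part of the Citrix guide or tools: it assumes an IP Filter (ipf) style stateful packet filter with a default-deny policy in front of the servers, and the function names, the services excerpt and the server address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Validate an ICA port choice, then emit IP Filter (ipf) rules for it.
# The output is a fragment to merge into an existing default-deny rule set.

BROWSER_PORT=1604   # ICA Browser service, UDP (value from the guide)

# Constructed excerpt in /etc/services format, used for the conflict check.
sample_services() {
    cat <<'EOF'
# constructed sample, /etc/services format
ftp             21/tcp
telnet          23/tcp
x11             6000/tcp
fontserver      7100/tcp        xfs
EOF
}

# ica_port_check PORT   (services-format text on stdin)
#   0  usable
#   1  not a number in the range 1024-65535
#   2  already assigned to another TCP service
ica_port_check() {
    port=$1
    case $port in
        ''|*[!0-9]*|??????*) return 1 ;;     # empty, non-digit, or too long
    esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    if awk -v p="$port/tcp" '$1 !~ /^#/ && $2 == p { hit = 1 } END { exit !hit }'; then
        return 2
    fi
    return 0
}

# ica_fw_rules SERVER_IP ICA_PORT BROWSE
#   BROWSE=yes only when load balancing or server browsing across the
#   firewall is essential; any other value keeps UDP 1604 closed.
ica_fw_rules() {
    server=$1; ica_port=$2; browse=$3
    ica_port_check "$ica_port" </dev/null || return 1
    echo "# ICA sessions: clients to TCP $ica_port on the Citrix server."
    echo "# Replies to the client port above 1023 are matched by the state entry."
    echo "pass in quick proto tcp from any to $server/32 port = $ica_port flags S keep state"
    if [ "$browse" = yes ]; then
        echo "# ICA Browser exposed: browsing across the firewall declared essential."
        echo "pass in quick proto udp from any to $server/32 port = $BROWSER_PORT keep state"
    else
        echo "# ICA Browser not exposed to untrusted networks."
        echo "block in quick proto udp from any to $server/32 port = $BROWSER_PORT"
    fi
}

# Demonstration: port 5000 as in the example above, browsing kept closed.
sample_services | ica_port_check 5000 && ica_fw_rules 192.0.2.10 5000 no
```

On a server, feed the real file to the check (ica_port_check 5000 < /etc/services) before running ctxcfg -P set=5000, and generate one rule fragment per Citrix server address.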

Configuring the Operating System for a Large Number of Connections
This section tells you how to configure your system for a large number of
connections. A large number of connections consumes resources, so it is
important that you choose the optimum values for your environment.
This section also explains where to get more information on this topic.

Configuring a Solaris System


This section provides guidelines for configuring your Solaris system for more
than 30 connections. You may need to configure the total number of pseudo-
terminals, or increase the limits on the number of files. Also, with the default
configuration of Solaris, there is a limit to the number of concurrent CDE
sessions that can be run, and you may need to increase this number.
For further information about how best to configure your system, see the Solaris
System Administrator Collection.

Warning Be careful when using the set command in /etc/system—it causes
unchecked, arbitrary, and automatic changes to variables in the kernel. If the
server will not boot and you suspect a problem with /etc/system, use the
boot -a command. See the boot man page for more information.

Changing the Number of Pseudo-Terminals


With a large number of MetaFrame connections, the number of ptys (pseudo-terminals)
can easily surpass the default value (usually a MetaFrame session has
at least one pty).
Ø To change the number of pseudo-terminals
1. Add the following lines to the /etc/system file:
# set limit on pseudo-terminals
set pt_cnt = 500
Note Do not set pt_cnt above 3000.

2. Shut down the server—for example, type:
init 0
3. Reboot the server:
boot -r

Increasing File Limits


There is a limit to the number of files a process can have open; the default value is
64. To increase the file limits for an individual process, use the ulimit command
in a script before launching the process, as in the following example.
Ø To change the file descriptor limits for all processes
1. Add the following lines to the /etc/system file:
# set hard limit on file descriptors
set rlim_fd_max = 4096
# set soft limit on file descriptors
set rlim_fd_cur = 256
2. Reboot the server:
boot -r
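
Because set lines in /etc/system are applied unchecked at boot, it is worth linting them before the reboot. The following script is an added example, not part of the Citrix guide or of Solaris: it checks the pt_cnt ceiling of 3000 given above and the general rule that a soft descriptor limit cannot exceed the hard limit; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Lint /etc/system "set" lines for the tunables this section changes,
# before the reboot that makes them take effect.

# Constructed sample: the values used in this guide.
good_system() {
    cat <<'EOF'
* comment in the asterisk style
# set limit on pseudo-terminals
set pt_cnt = 500
# set hard limit on file descriptors
set rlim_fd_max = 4096
# set soft limit on file descriptors
set rlim_fd_cur = 256
EOF
}

# Constructed sample with three mistakes.
bad_system() {
    cat <<'EOF'
set pt_cnt = 5000
set rlim_fd_max = 4096
set rlim_fd_cur=8192
set maxusers = lots
EOF
}

# lint_etc_system   (file text on stdin)
#   Prints one line per problem; returns 0 if clean, 1 otherwise.
lint_etc_system() {
    awk '
        $1 ~ /^[*#]/ || NF == 0 { next }        # comment or blank line
        $1 != "set" { next }                     # other directives: out of scope
        {
            s = ""
            for (i = 2; i <= NF; i++) s = s $i   # "pt_cnt = 500" -> "pt_cnt=500"
            if (split(s, kv, "=") != 2 || kv[2] !~ /^[0-9]+$/) {
                printf "line %d: value is not a plain decimal, check by hand: %s\n", NR, $0
                bad++
                next
            }
            val[kv[1]] = kv[2] + 0
            where[kv[1]] = NR
        }
        END {
            if (("pt_cnt" in val) && val["pt_cnt"] > 3000) {
                printf "line %d: pt_cnt = %d is above the 3000 ceiling\n", where["pt_cnt"], val["pt_cnt"]
                bad++
            }
            if (("rlim_fd_cur" in val) && ("rlim_fd_max" in val) && val["rlim_fd_cur"] > val["rlim_fd_max"]) {
                printf "line %d: rlim_fd_cur = %d exceeds rlim_fd_max = %d\n", where["rlim_fd_cur"], val["rlim_fd_cur"], val["rlim_fd_max"]
                bad++
            }
            exit (bad > 0)
        }'
}

# Demonstration on the constructed samples.
good_system | lint_etc_system && echo "good sample: clean"
bad_system | lint_etc_system || echo "bad sample: fix before rebooting"
```

On a server, run lint_etc_system < /etc/system after editing the file and before boot -r.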

Increasing the Number of Concurrent CDE Sessions


With the default configuration of Solaris, there is a limit to the number of
concurrent CDE sessions that can be run (approximately 60, depending upon
session configuration). This is due to the tooltalk database reaching a limit of
available file descriptors. However, you can increase the number of possible
concurrent CDE sessions.
Ø To increase the limit on concurrent CDE sessions
Check to see if the file /usr/dt/bin/rpc.ttdbserverd is a link to:
/usr/openwin/bin/rpc.ttdbserverd.
If the file is a link, do the following (if it is not a link, see later):
1. Remove the file /usr/dt/bin/rpc.ttdbserverd:
rm /usr/dt/bin/rpc.ttdbserverd
2. Replace the link with the following script file. In this example, ulimit is used
to increase the limit to 1024:
#!/bin/sh
ulimit -n 1024
exec /usr/openwin/bin/rpc.ttdbserverd
3. Make the file executable:
/bin/chmod a+x /usr/dt/bin/rpc.ttdbserverd
4. Kill the currently running rpc.ttdbserverd process.
5. Restart rpc.ttdbserverd to ensure the new limit is applied.

Ø If the file is not a link, do the following:


1. Edit the file /usr/dt/bin/rpc.ttdbserverd and change the limit.
2. Kill the currently running rpc.ttdbserverd process.
3. Restart rpc.ttdbserverd to ensure the new limit is applied.
If the Database Gets Corrupted
Files in /TT_DB occasionally get corrupted, and messages such as the following
may appear in your /var/adm/messages file:
/usr/dt/bin/ttsession[11627]: Error: rpc.ttdbserverd on 127.0.0.1 is not running
/usr/dt/bin/ttsession[11627]: _Tt_db_client::connectToDb(): fcntl(F_SETFD): Bad file number
/usr/dt/bin/ttsession[11627]: _Tt_db_file::_Tt_db_file(): _file_cache->insert(<your hostname>:/etc/tt/types.xdr), dbStatus 16
If you suspect that the database is corrupted, remove all the files in the /TT_DB
directory and repeat Steps 4 and 5 (see previous). Restarting the server
automatically creates new database files.

Configuring an HP-UX System


This section provides guidelines for configuring your HP-UX system for more
than 10 connections.
For further information about how best to configure your system, see the relevant
white papers on Hewlett-Packard’s Web site at:
http://docs.hp.com/hpux/.
Ø To configure your HP-UX system for more than 10 connections
1. Choose System_Admin from the Application Manager.
2. Choose Sam.
3. Enter the root password at the prompt. The System Administration Manager
dialog is displayed.
4. Choose Kernel Configuration.
5. Choose Configurable Parameters. The Kernel Configuration dialog is
displayed.
6. Update your system with the following settings. This tunes your system to run
multiple processes (each of which may have many threads and open files) and
increases the number of users that can log on concurrently.

Note Change the value of maxusers first—this allows you to update the other
settings.

Parameter         Setting                 Description

maxusers          1000 (or as required)   Allocates system resources for macros on
                                          expected maximum users
dbc_max_pct       20                      Maximum dynamic buffer cache
max_thread_proc   2048                    Maximum threads per process
maxfiles          2048                    Soft limit of files per process
maxfiles_lim      2048                    Hard limit of files per process
maxssiz           401604608               Maximum process storage segment size
maxssiz_64bit     1073741824              Maximum process storage segment size—64bit
maxswapchunks     4096                    Maximum swap space configurable on the
                                          system
nflocks           3461                    Maximum number of file locks on the system
npty              2000                    Maximum number of ptys (pseudo-terminals) on
                                          the system

Configuring an AIX System


This section provides guidelines for configuring your AIX system for more than
30 connections.
For further information about how best to configure your system, see the relevant
white papers on IBM’s Web site at: http://www.ibm.com/.

Changing the Number of Pseudo-terminals


With a large number of MetaFrame connections, the number of ptys (pseudo-terminals)
can easily surpass the default value (usually a MetaFrame session has
at least one pty).
Ø To change the number of pseudo-terminals
1. Log on as root at the server that you want to configure.
2. Type smit. The System Management Interface Tool dialog is displayed.
3. Choose Devices.
4. Choose PTY.
5. Choose Change/Show Characteristics of the PTY.
6. Change the number of Pseudo-Terminals.
7. Select OK. pty0 changed is displayed.
Increasing the Number of Processes Per User
On AIX, by default, there is a limit to the number of processes a user can have
running simultaneously. The default is 128 processes per user.
If a user runs out of processes he or she will be unable to run any commands or
log off from the session until more processes are made available. For example,
this situation may occur in a training scenario where several users are logged on
to the MetaFrame server using only the one training user id.
You can increase the number of processes a user can run simultaneously using
SMIT.
Ø To increase the number of processes per user
1. Log on as root at the MetaFrame server.
2. Type smit. The System Management Interface Tool dialog is displayed.
3. Choose System Environments.
4. Choose Change/Show Characteristics of Operating System.
5. Increase the value of Maximum number of PROCESSES allowed per user
(Num).

CHAPTER 9

Using the Citrix XML Service

Overview
This chapter introduces the Citrix XML Service for MetaFrame for UNIX
Operating Systems. It explains how to plan your deployment, and how to
configure and use the XML Service. Topics include:
• What’s new in this release
• An overview of NFuse and the XML Service
• Getting started
• Setting the path to the XML Service commands
• Configuring the server port
• Configuring how applications are displayed
• Configuring the visibility of applications to users
• Enabling and disabling publishing
• Controlling the authentication of a user’s credentials
• Configuring the XML Service for use with SSL
• Configuring DNS Address Resolution
• Managing backup servers

New in Version 1.6 of the XML Service


You can choose whether to install Version 1.6 of the Citrix XML Service during
the installation of Feature Release 1 for MetaFrame for UNIX Operating
Systems.
Version 1.6 of the XML Service includes the following new features:
• SSL Relay support—Citrix SSL Relay provides the ability to secure data
communications using version 3.0 of the Secure Sockets Layer (SSL)
protocol. SSL provides server authentication, encryption of the data stream,
and message integrity checks. You can use Citrix SSL Relay to secure
communications in an NFuse deployment, between the Web server and
MetaFrame server. For more information about configuring and using SSL
Relay, see the Citrix SSL Relay for UNIX Administrator’s Guide.
• Ticketing—Ticketing provides enhanced authentication security by
eliminating user credentials from the ICA files sent from the Web server to
client devices. By default, previous versions of NFuse placed user credential
information in the ICA files sent to client devices for ICA session
initialization. An attacker able to intercept the file or retrieve the file from disk
could repeatedly use the file to access a Citrix server. The use of NFuse’s
ticketing feature eliminates these dangers. For more information about how to
use ticketing in your NFuse deployment, see the NFuse Administrator’s
Guide.
• NIS+ support on NFuse—You can extend PAM support to users that connect
to applications via NFuse. PAM (Pluggable Authentication Modules) provides
user name and password validation, and supports the NIS+ Naming Service
for the centralized administration of user accounts. Therefore, users can log
onto NFuse using user names and passwords stored using NIS, NIS+ and
many other types of user directories. Note that you must configure each UNIX
server that is to share common user account information in your network to
use NIS+.
• Greater ICA session color depth—High Color (15-bit) and True Color
(24-bit) connections are supported. For users that connect to applications via
NFuse to take advantage of this feature, use the ctxnfusecfg tool to configure
published applications running in NFuse for greater color depth.
• Greater ICA session size—Greater ICA session size is supported. Session
size is limited only by server memory, the type of ICA Client and the
properties of the underlying X11 window system. For users that connect to
applications via NFuse to take advantage of this feature, use the ctxnfusecfg
tool to configure published applications running in NFuse for greater session
size.
• HTTP browsing—You can provide your users with HTTP (Hypertext
Transfer Protocol) browsing. The ICA Client uses HTTP to communicate
with the Citrix XML Service to fulfill browser requests. HTTP browsing uses
the standard HTTP port on the firewall—port 80—to allow users to browse
applications and servers that exist on the other side of a firewall. This means
that, provided port 80 is not being used by a Web server running on the
MetaFrame for UNIX server, there is no need to open an additional port on the
firewall for browser requests.
• Group and folder-based application caching and filtering—Application
caching and filtering based upon groups and folders is supported. Application
caching and filtering is user-based, by default. User-based application caching
and filtering is adequate for normal use and it is unlikely that you will need to
change this.
• Ability to configure user authentication—The ctxnfuseauth command lets
you control whether a user’s password is authenticated when he or she logs
onto NFuse. By default, password authentication is on, but you can switch this
off to improve response time.
• Application information refresh on demand—The ctxnfuserefresh -apps
command lets you refresh application settings from the master browser
immediately. This means that after configuring application settings, you can
apply your changes with immediate effect—you no longer have to wait for up
to 10 minutes for updates to take effect.

Introducing NFuse and the Citrix XML Service


Citrix NFuse is an application portal technology for deploying applications on
MetaFrame servers using the Web.
NFuse uses Java object technology executed in a Citrix Web Server Extension to
dynamically create an HTML-based presentation of the Citrix server farm for
each of your users. Included in each user’s presentation are all of the applications
published in the Citrix server farm for that user.
An NFuse deployment consists of three interacting network components:
• A Citrix MetaFrame server farm.
• A Web server running the Citrix Web Server Extension.
• ICA Client devices.
For more information about NFuse, see the NFuse Administrator’s Guide.

An Overview of the XML Service


The Citrix XML Service communicates information about the UNIX applications
published in a server farm to the Web server component of the NFuse
deployment. Using appropriately configured Web pages on the Web server, you
can make these applications available to users, via a standard Web browser.
The Citrix XML Service allows you to:
• Make all published applications visible to all users. This is the default
when the service is first installed.
• Specify the name and icon used to display the link to each application
in the Web page, and the default window settings for the application when run.
• Filter applications, by specifying to which users or groups each
application is visible.
The Citrix XML Service also provides users with HTTP (Hypertext Transfer
Protocol) browsing. The ICA Client uses HTTP to communicate with the XML
Service to fulfill browser requests. HTTP browsing uses the standard HTTP port
on the firewall—port 80—to allow users to browse applications and servers that
exist on the other side of a firewall. This means that there is no need to open an
additional port on the firewall for browser requests.
The XML Service for UNIX runs as a daemon on one or more MetaFrame for
UNIX servers in a server farm.

Comparing the UNIX and NT Versions of the Citrix XML Service

There are several important differences between the UNIX and NT versions of
the Citrix XML Service. These differences are summarized in the following table:

Feature | MetaFrame for NT | MetaFrame for UNIX
Information about visibility of applications to users and how applications are displayed. | Stored in Windows NT Program Neighborhood. | Stored in local configuration file.
Implementation of the Citrix XML Service. | Windows NT system service. | UNIX daemon.
Error reporting. | Windows NT error log. | Syslog.
Support for authentication domains. | Supports multiple domains. | Supports authentication in a single NIS domain. This is the domain containing the MetaFrame for UNIX server running the Citrix XML Service.

Constraints on MetaFrame Server Farms


A MetaFrame server farm allows published applications to be distributed
between a set of multiple UNIX or NT MetaFrame servers. For UNIX
MetaFrame servers to be included in a farm they need to be on the same subnet,
or connected by Citrix gateways.
NFuse allows you to publish UNIX and NT applications to the Web from a mixed
server farm, provided the NT MetaFrame servers are version 1.8 or above.

Getting Started
The following section helps you to get the XML Service up and running quickly
in your MetaFrame for UNIX installation. It guides you through planning an
XML Service deployment, and explains the steps required to install, license and
configure the XML Service ready for use.

Step 1—Plan your XML Service Deployment


First, you must determine which server(s) in your MetaFrame for UNIX farm will
run the XML Service. You may want to run the XML Service on more than one
server in your server farm, so that you have a backup server. A backup server
allows applications to be published via the Web, even if the main server is
unavailable.
If you decide to run the XML Service on more than one server, you must
determine which server will act as the primary XML server. The primary server is
the contact point for NFuse, and for ICA Clients performing HTTP browsing.
The primary server also communicates with other servers in the farm—for
example, to obtain a logon ticket, or to query the alternate address of a
MetaFrame for UNIX server. The benefit of appointing a primary server is that
you only need to configure NFuse application settings on this one server, rather
than on every server running the XML Service.
If NFuse is configured to use ticketing (which is the default in NFuse Version 1.6)
the XML Service must be installed on all MetaFrame for UNIX servers in the
farm and the Feature Release 1 license activated, otherwise no applications can be
launched through NFuse. Also, if you configure the template ICA files in NFuse
to enable the use of alternate addresses, all MetaFrame for UNIX servers in the
farm must run Feature Release 1 with Version 1.6 of the Citrix XML Service for
UNIX. See the NFuse Administrator’s Guide for more information about alternate
addressing.

Step 2—Install and License the XML Service


Version 1.6 of the Citrix XML Service is available when you install Feature
Release 1 for MetaFrame for UNIX Operating Systems and include the XML
Service in the installation process. For more information, see “Installing Feature
Release 1” on page 68.
To enable the new ticketing feature, activate the Feature Release 1 license. The
other XML Service features will work without activation of the Feature Release 1
license.
If the XML Service is installed on a machine for the first time, you need to set the
paths to the XML Service commands. You do not need to do this if you are
upgrading the XML Service. See “Setting the Path to the XML Service
Commands” on page 204 for more information.

Step 3—Configure the Primary Server


If the server farm is composed of MetaFrame for UNIX machines only (in other
words, there are no MetaFrame for Windows servers in the farm), configure the
primary XML server to become the master browser, using ctxbrcfg -m always.
Configure any backup XML servers to only participate in browser elections if the
primary server fails. Configure other MetaFrame for UNIX servers so that they
never become master browser. For more information, see “Manipulating Master
Browser Elections” on page 177.
By default, the NFuse Web Server Extension communicates with the XML
Service using port 80. If port 80 is already in use on the server running the XML
Service, assign the XML Service to an unused port. The XML Service port
number you choose must be the same for all servers in the farm. See “Configuring
the Server Port” on page 205 for more information.
Enable publishing on the primary server (if it is not already enabled) so that the
XML Service can respond to NFuse or client HTTP browsing requests, and any
application configuration changes you make are visible to your users. See
“Enabling and Disabling Publishing” on page 216 for more information.
Publishing may also be required by other Citrix Web products—for details, check
their documentation.
Once publishing is enabled on the primary server, you can configure your
applications for use with NFuse. Following installation of the XML Service, all
published applications have default settings; however, you can override these
settings using the XML Service commands. You only need to change the settings
on the primary server—see “Configuring Application Settings” on page 208.
You must disable the guest login feature for MetaFrame for UNIX farms. In
NFuse, the guest login feature allows users to connect to and run applications
configured for anonymous use. Currently, this feature does not work with
MetaFrame for UNIX, and must be disabled—see “Disabling the Guest Login
Feature” on page 205 for information.
To enable your users to make SSL-secure connections to applications via NFuse,
you must configure the XML Service for use with SSL Relay. For information
about how to do this, see “Configuring the XML Service For Use With SSL
Relay” on page 219.
You can also create customized Web pages for use with the Citrix Web Server
Extension. For examples of how to do this using Microsoft’s Active Server Pages,
Sun Microsystems’ Java Server Pages, and sites based on Citrix’s own extensions
to HTML, see the sample Web pages supplied with the Citrix Web Server
Extension and the NFuse Administrator’s Guide.

Note The sample pages are designed for use with the Citrix XML Service for NT.
These need to be modified for use with the Citrix XML Service for UNIX—see
“Guidelines for Creating Web Pages for Use with NFuse for UNIX” on page 207
for more information.

Step 4—Configure the Backup XML Server(s)


Configure any backup XML servers to only participate in browser elections if the
primary server fails. You must also enable publishing on backup servers (if
publishing is not already enabled).
Ensure all servers hosting the XML Service use the same port number as the
primary XML server. The primary server may forward requests to XML servers
in the farm—for example to obtain a logon ticket, or to query the alternate
address of a MetaFrame for UNIX server—however, for this to work, all servers
hosting the XML Service must be configured to use the same port number.
For information about automatically replicating configuration changes to the
backup XML hosts, see “Managing Backup Servers” on page 222.

Setting the Path to the XML Service Commands


If you are installing the Citrix XML Service on a machine for the first time, you
need to configure your system so that the ctxnfuse user can run the NFuse
commands.
➤ To configure ctxnfuse user access to Citrix XML Service commands
1. Log on to the MetaFrame server as a Citrix NFuse administrator.
2. Add the path to the NFuse commands. For example:
If you are using a C shell, type:
setenv PATH ${PATH}:/opt/CTXSmf/sbin:/opt/CTXSmf/bin:/opt/CTXSxml/sbin
setenv PATH ${PATH}:/usr/lpp/CTXSmf/sbin:/usr/lpp/CTXSmf/bin:/usr/lpp/CTXSxml/sbin
Or, if you are using a Bourne, or similar, shell:
PATH=${PATH}:/opt/CTXSmf/sbin:/opt/CTXSmf/bin:/opt/CTXSxml/sbin
export PATH
PATH=${PATH}:/usr/lpp/CTXSmf/sbin:/usr/lpp/CTXSmf/bin:/usr/lpp/CTXSxml/sbin
export PATH

Disabling the Guest Login Feature


Guest login is a new feature in NFuse 1.6 that allows users to connect to and run
applications configured for anonymous use. In other words, with guest login,
users do not need to supply login credentials to run applications configured for
anonymous use.
However, the guest login feature currently does not work with MetaFrame for
UNIX, and must be disabled for MetaFrame for UNIX farms.
If the server is part of a mixed server farm, there is no need to disable guest
login—however, only Windows applications published for anonymous use will
be visible using guest login.
➤ To disable the guest login feature
Edit the NFuse.conf file, which is installed as part of the NFuse 1.6 Web
extensions, and change the setting of AllowGuestLogin to off.

Configuring the Server Port


By default, the NFuse Citrix Web Server Extension communicates with the Citrix
XML Service using port 80. If port 80 is already in use on the server running the
Citrix XML Service, assign the Citrix XML Service to an unused port. The XML
Service port number you choose must be the same for all servers in the farm.

Note The Citrix XML Service port number must be unique. If the port is already
in use by another process, results may be unpredictable. You must configure the
NFuse Citrix Web Server Extension to use the same port number as you have
specified for the Citrix XML Service—see the NFuse Administrator’s Guide for
information on how to do this.

➤ To configure the Citrix XML Service port
1. Log on to the MetaFrame server as a Citrix NFuse administrator.
2. At the command prompt, type:
ctxnfusesrv -port portnumber
where portnumber is an unused port; for example, 8080.
Note You must restart the Citrix XML Service for the new port to be used.

➤ To display the current port number
At the command prompt, use ctxnfusesrv with the -l (‘l’ as in ‘list’) option:
ctxnfusesrv -l

Starting the Citrix XML Service


When you start and stop MetaFrame, the Citrix XML Service automatically starts
and stops. However, using the ctxsrv command, you can start and stop the Citrix
XML Service on each server.
➤ To start the Citrix XML Service
1. Log on to the MetaFrame server as a Citrix server administrator (for example,
the default user ctxsrvr).
2. At the command prompt, type:
ctxsrv start nfuse
Starting a MetaFrame server causes an election, and the master browser may
change. The master browser takes some time to acquire information about
applications available on the farm. If the Citrix XML Service is started at the
same time as a MetaFrame server, it can take up to 10 minutes before these
applications are visible through NFuse.

About Application Filtering


When you start the Citrix XML Service for the first time, application filtering is
disabled, so all applications published on the MetaFrame for UNIX server are
visible to all users.
This initial configuration is useful for setting up and testing Web pages on the
NFuse Citrix Web Server Extension. However, once you have configured the
Web pages you want to use, you may want to enable application filtering, and
then define the visibility of each application independently. For more information
see “Configuring Application Settings” on page 208.

Stopping the Citrix XML Service


1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxsrv stop nfuse

Guidelines for Creating Web Pages for Use with NFuse for UNIX

To publish applications to the Web from a MetaFrame for UNIX server, you
create customized Web pages to suit your requirements.
NFuse includes a Web Site Wizard, and several sample Web pages, that are
suitable for immediate use with the NT version of the Citrix XML Service.
However, you must adapt these Web pages for use with the UNIX version of the
Citrix XML Service. This section provides some guidelines for doing this.
If accessing a MetaFrame for UNIX only farm, use either the Windows wizard to
generate pages, or the example Web pages as a starting point. If you are accessing
a UNIX/NT mixed farm, use the multi-farm example Web pages as a starting
point.

Using the Web Site Wizard


If using the Web Site Wizard, note the following:
• If allowing explicit logins, select ‘Force domain’ and enter some text in the
domain field. You can specify any text—for example, ‘unix’.

Using the Example Web Pages

If using the example Web pages as a starting point, note the following:
• Customize the login page to handle login without a domain prompt—for
example, by replacing:
<tr>
<td ALIGN=RIGHT VALIGN=CENTER>Domain:</td>
<td><input NAME="nfuse_Domain"></td>
</tr>
with:
<INPUT TYPE="hidden" NAME="nfuse_Domain" VALUE="unix">

Configuring Application Settings


When you first install the Citrix XML Service on a MetaFrame server, all
published applications have the following default settings:
• Applications have no description, an empty folder name, the ICA icon, and an
800 x 600 256-color window.
• Filtering is disabled, so all published applications are visible to all users.
• SSL is disabled, as it is not required to run applications.
You can override these settings using the Citrix XML Service command-line
utilities. For each published application, you can specify:
• How it is displayed.
• To which users or groups it is visible.
You can also change the settings that applications have by default.

Overview of Configuring Application Settings


To configure application settings you:
• Execute a configuration command to specify the appearance and access
settings for each application.
• Execute a refresh command to prompt the service to refresh its configuration
from the configuration file.
Alternatively, submit the configuration commands using a shell script and include
the refresh command as the last command in the script.
These procedures are described in detail in the following sections.
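
One way to script the batch approach described above, as an added example rather than code from this guide or from Citrix: the function turns a small table into ctxnfusecfg lines and ends with a single ctxnfuserefresh -cfg. The table layout, the function names and the sample rows are assumptions made for this example; only options documented in this chapter are emitted, and the output is text for an administrator to review before running it.

```shell
#!/bin/sh
# Added example, not part of the guide: build a batch of ctxnfusecfg
# commands that ends with exactly one refresh. Output is text only.

# Constructed sample table, one application per line:
#   name|colors|folder|group|user   (group and user may be empty)
SAMPLE_APPS='xcad|24bit|Engineering|engineering|jones
word|256|Office|publishing|smith'

# Accept only the -c values listed for ctxnfusecfg in this chapter.
valid_colors() {
    case "$1" in
        16|256|4bit|8bit|16bit|24bit) return 0 ;;
        *) return 1 ;;
    esac
}

# The generated lines are meant to be run by an administrator, so every
# field is restricted to a narrow character set (an assumption of this
# example) and may not start with '-', which would read as an option.
safe_token() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_batch TABLE
# Prints the batch on stdout. If any row fails validation it prints nothing
# on stdout and returns 1, so a partly valid table is never half applied.
build_batch() {
    out=''
    while IFS='|' read -r name colors folder group user; do
        [ -n "$name" ] || continue
        if ! safe_token "$name" || ! valid_colors "$colors" ||
           ! safe_token "$folder"; then
            printf 'rejected row for application: %s\n' "$name" >&2
            return 1
        fi
        out="${out}ctxnfusecfg -name $name -c $colors -f $folder
"
        vis=''
        if [ -n "$group" ]; then
            safe_token "$group" || { printf 'rejected group for: %s\n' "$name" >&2; return 1; }
            vis="$vis -gadd $group"
        fi
        if [ -n "$user" ]; then
            safe_token "$user" || { printf 'rejected user for: %s\n' "$name" >&2; return 1; }
            vis="$vis -uadd $user"
        fi
        if [ -n "$vis" ]; then
            out="${out}ctxnfusecfg -name $name$vis
"
        fi
    done <<EOF
$1
EOF
    # The refresh goes last so the service rereads the configuration file
    # once, after every change has been written.
    printf '%sctxnfuserefresh -cfg\n' "$out"
}

# Run with --demo to print the batch for the constructed sample table.
if [ "${1:-}" = "--demo" ]; then
    build_batch "$SAMPLE_APPS"
fi
```
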

Configuring How An Application is Displayed


The following table summarizes the application appearance settings you can
configure using the Citrix XML Service ctxnfusecfg command:

Parameter | Description | Default
-c | Number of colors used to display the application. | 256
-description | An optional description that can be displayed on the user’s Web page. If the description includes spaces, enclose it within quotes. | blank
-i | Specifies an icon file. | ICA icon
-f | Specifies a folder for the program. | blank
-w | Specifies the window size and type. | 800 x 600 pixels

➤ To configure the appearance of an application
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxnfusecfg -name applicationname -i iconfile -f foldername
-description description -w window -c {16|256|4bit|8bit|16bit|24bit}
where:
applicationname is the name of the MetaFrame application that you want to
configure.
iconfile is a graphic in .xpm (X pixmap) format. Icons used with the XML
Service must be 32 x 32 pixels. If your icon is larger than this, use an image
editor to resize it to the correct size.
foldername is the name of a folder. You can configure the Citrix Web Server
Extension to organize applications into folders. The folder acts as a logical
location for the application.
window is the size of the window (width, height or percentage of desktop) and
type of window (desktop or seamless).
3. To refresh the XML Service settings from the configuration file, at the
command prompt, type:
ctxnfuserefresh -cfg

Examples
• To configure the ‘xcad’ application to use High Color (24-bit) color depth, at
the command prompt, type:
ctxnfusecfg -name xcad -c 24bit
ctxnfuserefresh -cfg
• To configure the published application ‘Diary’ so that the window size is
32767 by 32767 pixels, type:
ctxnfusecfg -name DIARY -w 32767 32767
ctxnfuserefresh -cfg

Notes
• By default, the Citrix Web Server Extension launches applications in a
seamless window. Therefore, the -w option only affects applications if
seamless is not available. You can configure the Citrix Web Server Extension
so that the -w option is always used—see the NFuse Administrator’s Guide for
more information.
• Version 1.6 of the Citrix XML Service supports 15-bit High Color
connections, although the ctxnfusecfg command and some ICA Clients refer
to High Color as 16-bit. Some applications, such as WordPerfect, explicitly
require a 16-bit display and will not run in a 15-bit High Color connection.
Other applications that require a 16-bit display may attempt to run in a 15-bit
connection and fail, causing screen corruption. If you require a high color
resolution to run these applications, use a True Color (24-bit) connection
instead.

Resetting an Application to Use Default Display Settings


You can reset an application’s display settings to the default settings using the
ctxnfusecfg -reset command.
➤ To reset an application to use default settings
1. At the command prompt, type:
ctxnfusecfg -name applicationname -reset
where applicationname is the name of the MetaFrame application that you
want to configure.
2. To refresh the XML Service settings from the configuration file, type:
ctxnfuserefresh -cfg

Changing the Default Display Settings


When you first install the Citrix XML Service, all published applications have
default display settings. The default display settings are shown in the table on
page 209.
You can change the default settings using the ctxnfusecfg command.
➤ To reset default appearance settings
1. At the command prompt, type:
ctxnfusecfg -default -i iconfile -f foldername
-description description -w window -c {16|256|4bit|8bit|16bit|24bit}
where:
iconfile is a graphic in .xpm (X pixmap) format.
foldername is the name of a folder.
window is the size of the window (width, height or percentage of desktop) and
type of window (desktop or seamless).
2. To refresh the XML Service settings from the configuration file, type:
ctxnfuserefresh -cfg
➤ To display the current default settings
At the command prompt, type:
ctxnfusecfg -default -la

Example
To configure applications to use High Color (24-bit) color depth by default, type:
ctxnfusecfg -default -c 24bit
ctxnfuserefresh -cfg

Resetting the Default Display Settings


You can reset the default display settings to their original values using the
ctxnfusecfg -default -reset command.
➤ To reset the default display settings
At the command prompt, type:
ctxnfusecfg -default -reset

Configuring the Visibility of Applications to Users


For each application, the Citrix XML Service stores a list of groups and users for
whom the application is visible. The Citrix XML Service for UNIX uses the same
users and groups as MetaFrame for UNIX and the underlying UNIX operating
system.
You can add groups or users to this list using the -gadd and -uadd commands.
The -gadd -all command adds all the groups that exist when the command is
executed. The -grm and -urm commands allow you to remove groups or users
that have already been added.
➤ To add or remove users or groups
At the command prompt, type:
ctxnfusecfg -name applicationname -uadd users -urm {-all | users}
-gadd {-all | groups} -grm {-all | groups}
➤ To refresh the Citrix XML Service configuration from the configuration file
At the command prompt, type:
ctxnfuserefresh -cfg
➤ To refresh the expansion of groups into users
The set of users belonging to each group is read when the Citrix XML Service is
first run. If you have changed the membership of one or more groups, use this
command to update the visibility of applications to reflect the changes. At the
command prompt, type:
ctxnfuserefresh -users
Tip If you are making frequent changes to the definitions of the groups on your
system and you want the Citrix XML Service to reflect these changes, include the
refresh command in a cron style job set to run on a regular basis, such as every 30
minutes.

Examples
➤ To make an application visible to groups and users
The following command makes the application ‘Word’ visible to all users in the
group ‘publishing’, and also to the user ‘smith’:
ctxnfusecfg -name word -gadd publishing -uadd smith
➤ To deny a user access
The following command denies user ‘smith’ access to the application ‘Word’,
(assuming the user was previously given access with -uadd smith—this does not
work if ‘smith’ is a member of a group added using -gadd):
ctxnfusecfg -name word -urm smith
➤ To exclude visibility to a particular group
The following example makes the application ‘xcad’ available to all groups,
excluding the group ‘sales’, but including user ‘jones’:
ctxnfusecfg -name xcad -gadd -all -grm sales -uadd jones
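
The list behaviour behind these examples, as an added model that is not Citrix code: visibility is assumed to mean "the user is listed, or belongs to a listed group", which is how the -urm caveat above behaves. The group data, the users other than smith and jones, and all function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the guide: a model of the per-application
# visibility list, built only from the behaviour this section describes.

# Constructed group membership, "group:members" (stands in for the OS data).
GROUP_DB='publishing:smith lee
sales:jones patel
engineering:patel kim'

FILTER=on      # models ctxnfusefilter -on; off shows everything to everyone
APP_USERS=''   # users added with -uadd
APP_GROUPS=''  # groups added with -gadd

has()  { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }
drop() { r=''; for x in $1; do [ "$x" = "$2" ] || r="$r $x"; done; echo "$r"; }

uadd() { has "$APP_USERS" "$1" || APP_USERS="$APP_USERS $1"; }
urm()  { APP_USERS=$(drop "$APP_USERS" "$1"); }
gadd() { has "$APP_GROUPS" "$1" || APP_GROUPS="$APP_GROUPS $1"; }
grm()  { APP_GROUPS=$(drop "$APP_GROUPS" "$1"); }

# -gadd -all: a snapshot of the groups that exist at the time of the call.
gadd_all() {
    for g in $(printf '%s\n' "$GROUP_DB" | cut -d: -f1); do gadd "$g"; done
}

groups_of() {  # prints the groups that list USER as a member
    printf '%s\n' "$GROUP_DB" | while IFS=: read -r g members; do
        if has "$members" "$1"; then printf '%s ' "$g"; fi
    done
}

visible() {    # returns 0 when the application is shown to USER
    [ "$FILTER" = on ] || return 0
    if has "$APP_USERS" "$1"; then return 0; fi
    for g in $(groups_of "$1"); do
        if has "$APP_GROUPS" "$g"; then return 0; fi
    done
    return 1
}

# Scenario 1: -gadd publishing -uadd smith, then -urm smith.
# smith stays visible because the 'publishing' entry still covers him.
scenario_word() {
    APP_USERS=''; APP_GROUPS=''
    gadd publishing; uadd smith; urm smith
    visible smith
}

# Scenario 2: -gadd -all -grm sales -uadd jones.
# jones (sales only) is covered by the user entry; patel (sales and
# engineering) is still covered through 'engineering' in this model.
scenario_xcad() {
    APP_USERS=''; APP_GROUPS=''
    gadd_all; grm sales; uadd jones
    visible jones && visible patel && ! visible nobody
}

# Scenario 3: a group created after -gadd -all is not in the snapshot.
# Returns 0 when its member is NOT visible.
scenario_new_group() {
    APP_USERS=''; APP_GROUPS=''; saved=$GROUP_DB
    gadd_all
    GROUP_DB="$GROUP_DB
contractors:ng"
    if visible ng; then rc=1; else rc=0; fi
    GROUP_DB=$saved
    return $rc
}

# Run with --demo to print the outcome of each scenario.
if [ "${1:-}" = "--demo" ]; then
    for s in scenario_word scenario_xcad scenario_new_group; do
        if $s; then echo "$s: holds"; else echo "$s: does not hold"; fi
    done
fi
```

To take access away from one member of a listed group under this model, the group entry itself has to go (-grm) and the remaining members be added individually.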

Troubleshooting Application Visibility


If applications do not become visible, check for problems with the master
browser. You can verify which applications have been published with the
MetaFrame command:
ctxqserver -app

Enabling and Disabling Application Filtering


When the Citrix XML Service is first installed, application filtering is disabled.
Therefore, all published applications are visible to all users, irrespective of the
effect of ctxnfusecfg commands. However, you can enable application filtering
using the ctxnfusefilter command.

User-based Caching and Filtering


In the default NFuse configuration, when a user logs onto NFuse, the Web server
communicates with the Citrix XML Service to determine the user’s application
set. If application filtering is enabled, the XML Service sends the Web server only
the applications accessible by the user. If application filtering is disabled, the
XML Service sends the Web server all applications.

Tip With user-based filtering, you can improve response time by switching
password authentication off using ctxnfuseauth—see “Configuring User
Authentication” on page 218 for more information.

Group-based Caching and Filtering


If NFuse is configured to use group-based application caching and filtering, and
application filtering is enabled, the XML Service sends the Web server only the
applications accessible by the groups to which the user belongs. For example, a
user in the Accounts department only sees the applications available to the
Accounts group.
The disadvantage of using group-based filtering is that the group membership
information is duplicated in the groups.txt file on the Web server, and this file
must be created and updated manually. By comparison, with user-based caching
and filtering, the XML Service accesses the group membership information
directly from the operating system account database, which can be refreshed
automatically.

Folder-based Caching and Filtering


If NFuse is configured to use folder-based application caching and filtering, it
does not matter whether application filtering is enabled in the XML Service.
NFuse filters the list of published applications and displays only the applications
in the user’s folder. For example, a user in the Accounts department sees only the
applications published in the Accounts folder.
The disadvantage of using folder-based filtering is that the folder membership
information is duplicated in the folders.txt file on the Web server, and this file
must be created and updated manually.
➤ To enable application filtering
At the command prompt, type:
ctxnfusefilter -on
➤ To list the current status of application filtering
At the command prompt, type:
ctxnfusefilter -l
For more information about publishing applications by group or by folder, see the
NFuse Administrator’s Guide.

Displaying Application Settings


Use the ctxnfusecfg command to display an application’s appearance and access
settings.
➤ To list application appearance and access settings
At the command prompt, type:
ctxnfusecfg {-name applicationname | -default} -lacfgiuw
The following table explains the effect of each of the settings:
Parameter | Description
-l | Lists the name and description of the configured application.
-la | Lists all configuration data.
-lc | Lists the application name and color setting.
-lf | Lists the application name and folder.
-lg | Lists the application name and its groups.
-li | Outputs the application icon to a file ‘applicationname.xpm’. This file is saved to the current working directory.
-lu | Lists the application name and its users.
-lw | Lists the application window settings.
-ls | Lists the SSL setting for an application. For more information, see “Displaying SSL Settings” on page 220.

Example
Ø To list an application’s description, folders and groups
Type the following command to list the description, folders and groups associated
with the ‘Word’ application:
ctxnfusecfg -name WORD -lfg

Enabling and Disabling Publishing


If you are installing the XML Service for the first time, you must enable
publishing on the primary server—in other words, the server that acts as the
contact point for NFuse and clients performing HTTP browsing. You must also
enable publishing on any backup servers running the XML Service. If the XML
Service was installed previously, and you are upgrading to Version 1.6,
publishing is automatically enabled.
You enable publishing on the server so that:
§ The XML Service responds to NFuse or client HTTP browsing requests
§ Any application configuration changes you make are visible to your users
Designating a particular server to act as the contact point means you only
need to configure application settings on that one server.
If you install Version 1.6 of the XML Service on a server for the first time,
publishing is set to disable by default. If an earlier version of the XML Service
was previously installed, by default, publishing is set to enable full.
When publishing is disabled, the XML Service will not respond to NFuse or
client HTTP browsing requests, and any application configuration changes you
make will not be visible to your users. Ticketing is still available, however, if the
Feature Release 1 license is activated. Therefore, if you have a number of
MetaFrame for UNIX servers in a server farm, these servers will issue and accept
tickets, regardless of whether publishing is enabled or not.

Note If NFuse is configured to use ticketing (this is the default in NFuse Version
1.6) the XML Service must be installed on all MetaFrame for UNIX servers in the
farm, and the Feature Release 1 license activated, otherwise no applications can
be launched through NFuse.

Publishing is enabled using the ctxnfusesrv command.


Ø To enable publishing
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxnfusesrv -publish enable [ basic | full ]

The following table explains the parameters:


Parameter Description
enable basic Choose enable basic to enable publishing if you are using the XML
Service to publish data to NFuse.
enable full Choose enable full if you are using the XML Service to publish data
to other Citrix Web products, in addition to NFuse. When publishing
is set to enable full, the XML Service provides these products with
additional information about users and groups. For more information
about which Citrix Web products require this additional publishing
information, check the documentation provided with these products.

3. Use ctxnfuserefresh to apply the new setting:
ctxnfuserefresh -cfg
Ø To disable publishing
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxnfusesrv -publish disable
3. Use ctxnfuserefresh to apply the new setting:
ctxnfuserefresh -cfg

Configuring User Authentication


You can use the ctxnfuseauth tool to control whether a user’s password is
authenticated when he or she logs on to NFuse. By default, password
authentication is on but, to improve response time, you can switch it off.
When password authentication is on and a user logs on to NFuse, the Web server
forwards the user’s credentials to the Citrix XML Service for authentication. The
XML Service verifies that the user-id exists and that the password is valid. If both
the password and user-id are valid, XML determines the user’s application set and
forwards this information to the Web server, and the application set is displayed
to the user.
If you turn password authentication off, when a user logs on to NFuse, the Web
server forwards the user’s credentials to the Citrix XML Service for
authentication, as before. However, the XML Service only verifies that the
user-id exists—it does not check that the user’s password is valid. Provided the
user-id is valid, the user’s application set is displayed.

Note If you turn password authentication off, and a user supplies an incorrect
user-id, a blank application set is displayed. If a user supplies an incorrect
password, the user’s application set is displayed; it is only when the user launches
an application that the incorrect login is detected.

Ø To turn password authentication off


1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxnfuseauth -off
3. Use ctxnfuserefresh to apply the new setting:
ctxnfuserefresh -cfg

Displaying the Current Authentication Setting


You can display whether the password authentication process is on or off using
ctxnfuseauth and the -l (‘l’ as in ‘list’) option.
Ø To display the current authentication setting
At the command prompt, type:
ctxnfuseauth -l

Configuring the XML Service For Use With SSL Relay


To allow users who connect to the MetaFrame server via NFuse to make SSL-
secure connections to applications, you must configure the XML Service for use
with SSL Relay. To do this you use the:
§ ctxnfusecfg command to specify whether SSL is used to secure connections
on all published applications, or on a particular application only.
§ ctxnfusesrv command to specify the port number that SSL Relay listens for
connections on. You only need to run this command if you are not using TCP
port 443, which is the standard port for SSL-secured communications. The
SSL Relay port number you specify must be the same on every MetaFrame for
UNIX server in the server farm.
For information about installing Citrix SSL Relay for UNIX, see “Installing
Feature Release 1” on page 68. For more information about configuring SSL
Relay, see the Citrix SSL Relay for UNIX Administrator’s Guide.
Ø To configure the XML Service for use with SSL Relay
1. Log on to the MetaFrame server as a Citrix server administrator.
2. Specify whether SSL secures connections for a particular application only or
for all published applications. If SSL is used for a particular application only,
at the command prompt, type:
ctxnfusecfg -name application-name -ssl on
where application-name is the name of the published application secured by
SSL.
If SSL is used for all applications by default, at the command prompt, type:
ctxnfusecfg -default -ssl on
3. If SSL Relay listens for connections on a port other than 443, specify this port
number. At the command prompt, type:
ctxnfusesrv -ssl-port port-number
where port-number is the port number that SSL Relay listens for connections
on. For example, if SSL Relay listens on port 444, type:
ctxnfusesrv -ssl-port 444

Note If you make changes using ctxnfusesrv -ssl-port, run
ctxnfuserefresh -cfg to apply the changes.

Example
You publish an accounting application called “imbalance” on a MetaFrame for
UNIX server. Citrix SSL Relay is installed on the server, and is configured to
listen for connections on TCP port 443. To allow users who connect via NFuse to
make SSL-secure connections to this application, you configure the XML Service
for use with SSL Relay. To do this you use the command:
ctxnfusecfg -name imbalance -ssl on

Displaying SSL Settings


You can display the current SSL setting for an application using ctxnfusecfg and
the -ls option.
Ø To display the SSL setting
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxnfusecfg -name application-name -ls
Alternatively, use the -la option to display the SSL setting for each application.

Troubleshooting SSL
If you have configured your MetaFrame server to use NIS for name resolution,
the server will be unable to support SSL-enabled ICA connections. This is
because NIS does not supply the fully qualified domain name (FQDN). The
FQDN is required by the XML Service to direct requests from NFuse and ICA
Clients.
To solve this problem, configure the MetaFrame server to use DNS, in preference
to NIS, for name resolution, since DNS supplies the FQDN.
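A pre-flight check for the name-service order described above, as an added example that is not part of the Citrix guide. It assumes a server that takes its lookup order from the hosts: line of /etc/nsswitch.conf (Solaris and HP-UX; AIX uses /etc/netsvc.conf, which this example does not parse); the function names and the --check argument are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that DNS is consulted before NIS for host lookups,
# so that the XML Service can obtain the server's FQDN.
# Assumption: the lookup order comes from the "hosts:" line of nsswitch.conf.

NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}

# hosts_sources FILE
# Prints the sources on the first "hosts:" line, one per line, with comments
# and [STATUS=action] criteria removed.
hosts_sources() {
    awk '
        { sub(/#.*/, "") }
        /^[ \t]*hosts:/ {
            sub(/^[ \t]*hosts:/, "")
            gsub(/\[[^]]*\]/, " ")
            for (i = 1; i <= NF; i++) print $i
            exit
        }' "$1"
}

# check_hosts_order FILE
# Returns 0 if dns is listed and comes before nis (or nis is absent),
#         1 if nis comes first or dns is not listed at all,
#         2 if FILE is unreadable or lists no hosts sources.
check_hosts_order() {
    [ -r "$1" ] || return 2
    n=0 dns_pos=0 nis_pos=0
    for src in `hosts_sources "$1"`; do
        n=$((n + 1))
        case $src in
            dns) if [ "$dns_pos" -eq 0 ]; then dns_pos=$n; fi ;;
            nis) if [ "$nis_pos" -eq 0 ]; then nis_pos=$n; fi ;;
        esac
    done
    if [ "$n" -eq 0 ]; then return 2; fi
    if [ "$dns_pos" -eq 0 ]; then return 1; fi
    if [ "$nis_pos" -ne 0 ] && [ "$nis_pos" -lt "$dns_pos" ]; then return 1; fi
    return 0
}

# report_hosts_order FILE
# Prints a one-line verdict and returns the check_hosts_order status.
report_hosts_order() {
    rc=0
    check_hosts_order "$1" || rc=$?
    case $rc in
        0) echo "OK: dns precedes nis for host lookups in $1" ;;
        1) echo "WARN: $1 does not consult dns before nis; SSL-enabled ICA connections need the FQDN" ;;
        *) echo "ERROR: no usable hosts: line in $1" ;;
    esac
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    report_hosts_order "$NSSWITCH"
fi
```

Run it with --check before enabling SSL for published applications; a non-zero exit status means the lookup order still needs changing.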

Configuring DNS Address Resolution


By default, MetaFrame for UNIX servers reply to ICA Client browsing requests
with an IP address. However, Feature Release 1 allows a MetaFrame for UNIX
server to respond with the fully qualified domain name (FQDN). This feature,
called Domain Name System (DNS) address resolution, is available to clients
using the XML service. In most situations, the use of IP addresses works well and
with less overhead.
You can enable DNS address resolution using the ctxnfusesrv -dns command.
Ø To enable DNS address resolution
1. Log on to the MetaFrame server as a Citrix server administrator.
2. At the command prompt, type:
ctxnfusesrv -dns enable
3. Use ctxnfuserefresh -cfg to apply the new setting:
ctxnfuserefresh -cfg

Note If DNS addressing is enabled, clients can only connect reliably to
MetaFrame for UNIX servers if they can resolve the fully qualified domain name.
If the client is not configured correctly, it will be unable to connect. Ping a server
with its DNS host name to verify this.

Displaying the Current Setting


You can display the current DNS address resolution setting using ctxnfusesrv
and the -l (‘l’ as in ‘list’) option.
Ø To display the current DNS address resolution setting
At the command prompt, type:
ctxnfusesrv -l

Managing Backup Servers


If you have a server farm of UNIX MetaFrame servers, you may want to run the
Citrix XML Service on two or more servers to act as backups. This allows
applications to be published via the Web, even if the primary server is
unavailable.

Note The back-up servers must use the same port setting as the primary server.

The configuration file has the name ctxxmld.cfg and is installed in the
/var/CTXSxml directory, by default. The configuration file must reside on a local
disk on the primary XML server. Only make configuration changes on this server.
The back-up server can either copy the master configuration file, or access it via NFS.
The back-up servers should run a cron style job to periodically refresh the local
configuration.
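A cron-style refresh job for a back-up server, as an added example (not part of the Citrix guide or Citrix's own tooling). It assumes the primary's /var/CTXSxml directory is NFS-mounted at the hypothetical path /net/xmlprimary/CTXSxml, that ctxnfuserefresh is on the PATH, and that the script is installed under a hypothetical name and started from cron with --run.

```shell
#!/bin/sh
# Added example: keep a back-up XML server's local ctxxmld.cfg in step with
# the master copy on the primary. Paths other than /var/CTXSxml/ctxxmld.cfg
# are assumptions; adjust them to your site.
#
# Hypothetical crontab entry (every 15 minutes):
#   0,15,30,45 * * * * /usr/local/sbin/ctxxml-sync.sh --run

MASTER_CFG=${MASTER_CFG:-/net/xmlprimary/CTXSxml/ctxxmld.cfg}  # assumed NFS mount
LOCAL_CFG=${LOCAL_CFG:-/var/CTXSxml/ctxxmld.cfg}               # default from the guide
REFRESH_CMD=${REFRESH_CMD:-"ctxnfuserefresh -cfg"}

# sync_cfg MASTER LOCAL
# Returns 0 if LOCAL was replaced, 1 if it was already current,
# 2 if the master copy is unusable or the copy failed (LOCAL is left untouched).
sync_cfg() {
    master=$1
    target=$2

    # A missing, unreadable or empty master usually means the NFS mount is
    # down. Keeping the last good local copy is safer than publishing nothing.
    if [ ! -f "$master" ] || [ ! -r "$master" ] || [ ! -s "$master" ]; then
        return 2
    fi

    if [ -f "$target" ] && cmp -s "$master" "$target"; then
        return 1
    fi

    # Stage in the same directory so the final mv is an atomic rename and the
    # XML Service never reads a half-written file.
    tmp="$target.new.$$"
    if [ -f "$target" ]; then
        # Start from the live file so the new copy keeps its owner and mode.
        cp -p "$target" "$tmp" || { rm -f "$tmp"; return 2; }
    fi
    if ! cat "$master" > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    # Re-compare to catch a short read from the network file system.
    if ! cmp -s "$master" "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    if ! mv -f "$tmp" "$target"; then
        rm -f "$tmp"
        return 2
    fi
    return 0
}

# refresh_backup: sync, then apply the configuration only when it changed.
refresh_backup() {
    rc=0
    sync_cfg "$MASTER_CFG" "$LOCAL_CFG" || rc=$?
    case $rc in
        0) $REFRESH_CMD ;;
        1) return 0 ;;
        *) echo "ctxxml-sync: master configuration unavailable, keeping local copy" >&2
           return 1 ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    refresh_backup
fi
```

Because the job only ever reads from the master path, the mount can be exported read-only, which keeps the guide's rule that configuration changes are made on the primary alone.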

APPENDIX A

Command Reference

Overview
This appendix describes the MetaFrame and XML Service command line
utilities.

MetaFrame commands
The MetaFrame commands listed in this appendix are:
ctx3bmouse configure 3-button mouse emulation
ctxalt alternate address configuration for ICA browsers
ctxanoncfg configure anonymous users
ctxappcfg configure published applications
ctxbrcfg configure ICA browser settings
ctxcapture graphics cut and paste (between ICA and local applications)
ctxcfg configure Citrix server settings
ctxconnect connect to a session
ctxdisconnect disconnect from a session
ctxgrab graphics cut and paste (from ICA to local applications)
ctxlicense configure Citrix licensing
ctxlogoff log off from a Citrix server
ctxlpr print to a client printer
ctxmaster show master ICA browser
ctxmsg send a message
ctxprinters list printers installed on the client
ctxqserver display information about Citrix servers
ctxqsession display session details
ctxquser display session user details
ctxreset reset a session
ctxsecurity configure MetaFrame security

ctxshadow start a shadowing session


ctxshutdown shut down the Citrix server processes
ctxsrv start up or stop the Citrix server processes

XML Service commands


The XML Service commands listed in this appendix are:
ctxnfuseauth control the authentication of user passwords in NFuse.
ctxnfusecfg configure or display NFuse application appearance and
access settings.
ctxnfusefilter enable or disable application filtering in NFuse.
ctxnfuserefresh refresh the Citrix XML Service configuration.
ctxnfusesrv configure the Citrix XML Service http port, enable
publishing mode, DNS address resolution, and specify the
SSL Relay port.

MetaFrame Commands
ctx3bmouse
Description
ctx3bmouse configures 3-button mouse emulation.
You may need to use MetaFrame to deploy UNIX applications that are designed
for use with a 3-button mouse. However, many ICA Clients run on devices that
have only a 2-button mouse, 1-button mouse, or pointing device available.
To support these clients, publish another version of the application for use by
these ICA Clients. This version of the application is published using a script file that
includes ctx3bmouse settings. The ctx3bmouse command lets users represent a
missing mouse button by combining an existing mouse button with a modifier
key. For example, a missing button might be simulated by clicking the left mouse
button and pressing the SHIFT key.
By running a script file that includes ctx3bmouse settings, you ensure the
application is run in a session with the appropriate mouse mappings.

Syntax
ctx3bmouse missing_button=mouse_button,number_of_modifier_key
ctx3bmouse -r
ctx3bmouse -c

Options
-r Display mouse mappings for the current session.
-c Clear all mouse mappings for the current session.

Parameters
missing_button The missing button which is to be emulated:
left | middle | right
mouse_button The existing mouse button which, when pressed with the
modifier key, simulates the missing mouse button.
number_of_modifier_key Number of modifier to use. Use the xmodmap command to
show which keys correspond to which modifiers.

Remarks
With xmodmap it is possible to remap almost any aspect of the keyboard and
mouse. Take care when using xmodmap with ctx3bmouse because the
combination may be confusing.
Middle mouse button emulation is included in version 6.20, or later, of the Win32
ICA Client. If users are connecting to the MetaFrame for UNIX server using this
client, disable any ctx3bmouse settings configured on the server.

ctxalt
Description
ctxalt specifies alternate address configuration for ICA Browsers.

Syntax
ctxalt -l
ctxalt -d alt_addr
ctxalt -a browser_addr alt_addr
ctxalt -r addr

Options
-l List current alternate address configuration.
-d Set the default alternate address.
-a Set an alternate address.
-r Remove an alternate address.

Parameters
alt_addr Specifies the alternate address.
With the exception of the -r option, all addresses must be
supplied in standard IP address format. The -r option also
accepts the (case insensitive) keyword DefaultAddress to erase
the default address setting.
browser_addr Specifies the default alternate address.

Remarks
You must be a Citrix server administrator to run this command.

ctxanoncfg
Description
ctxanoncfg configures anonymous users.

Syntax
ctxanoncfg -l [-q]
ctxanoncfg -n number [-b anonymous_user_name]
[-t minutes] [-s shell] [-u user-id] [-q]
ctxanoncfg -t minutes [-q]
ctxanoncfg -clear
ctxanoncfg -h

Options
-l List current anonymous user settings.
-q Quiet mode. Use with the other options to suppress the
display of error messages and what the command is
doing at each stage.
-n Specify the number of anonymous user accounts.
-b Change how anonymous user accounts are named.
Only use this option when creating new anonymous
user accounts—do not use it to change existing
accounts.
-t Specify the idle timeout period, in minutes, for
anonymous user sessions. If there is no activity within
this time the user receives a warning message stating
that they will be logged off if the session remains
inactive for a further 5 minutes.
-s Specify a particular shell for anonymous user
accounts.
-u Assign specific user-ids to anonymous user accounts,
where user-id is the first id in the range.
-clear Remove all anonymous user configuration.
-h Display help message.

Parameters
number New number of anonymous user accounts.
anonymous_user_name New name of anonymous user accounts. By default,
account names are in the format anonx, where x is a
number (1, 2, and so on).
minutes Idle timeout period, in minutes.
shell Shell you want to assign to anonymous user
accounts—for example: /bin/csh
user-id First user-id you want to start generating anonymous
user accounts from.

Remarks
You must be root to run this command.
You must stop the MetaFrame process on the server before you configure
anonymous users.
See also
ctxshutdown—to stop the MetaFrame process.

ctxappcfg
Description
ctxappcfg is an interactive command that allows you to publish and configure
applications.

Syntax
ctxappcfg

Usage
When you run ctxappcfg, the App Config> command prompt is displayed and the
following commands can be entered:

list Displays a list of published application names.


add Allows you to publish an application. You are prompted for the
following details:
Name - the name used to refer to the published application.
Command Line - the command line used to launch the application.
To publish the desktop, press ENTER without specifying a
command line.
Working Directory - the working directory used by the application.
To specify the user’s home directory, leave this blank.
Anonymous - whether the application is for use by anonymous or
explicit users. Enter y if the application is for use by anonymous
users only, or n if it’s for explicit users only.

select [name] Allows you to configure a published application. If you do not
specify the name of the application you want to configure, you are
prompted for it. Note that the application name is case-sensitive.
When you have selected an application, the prompt changes to the
name of the application and you can enter the following commands:
list - lists the configuration details of the selected application.
set - allows you to change the configuration. The full syntax is:
set [cmd=cmd_line,] [dir=dir_name,] [anonymous=yes|no] [enabled=yes|no]
where the parameters are as follows:
cmd - the command line required for the program to run.
dir - the initial working directory.
anonymous - indicates if the application is for use by anonymous or
explicit users.
enabled - indicates if the application is enabled or disabled.
copy - creates a new published application by copying the
configuration of the current application. You are prompted to enter a
name for the new application. The new configuration is saved and
automatically selected.
save - saves the changes you make.
delete - deletes the currently selected application and returns you to
the App Config> prompt.
drop - de-selects the currently selected application and returns you to the
App Config> prompt.
help / ? - displays a brief usage message.
exit - exits the command.
help / ? Displays a brief usage message.
exit Exits the program.

Remarks
You must be a Citrix server administrator to run this command.

See also
ctxqserver—to list all published applications on the network.

ctxbrcfg
Description
ctxbrcfg configures ICA browser settings.

Syntax
ctxbrcfg -g [add=gateway,] [remove=gateway,] [list]
ctxbrcfg -m [always | never | neutral,] [list]
ctxbrcfg -r [set=num,] [list]
ctxbrcfg -b [set=address | unset | list]

Options
-g Gateways. Allows you to add or remove gateways.
-m Master election. Allows you to influence the criteria used for the
master election. always makes the local browser try to become the
master. never instructs the browser to refrain from standing in an
election. neutral reinstates the default behavior of “no preference”.
-r Refresh period. Allows you to specify the interval (in minutes) at
which the local browser will update the master browser.
-b Restrict the ICA Browser to one subnet. If a MetaFrame server has
more than one network interface card (NIC) and is connected on
more than one subnet, configure the server so that the ICA Browser
listens on only one subnet and ignores broadcasts on the others. Use
set to restrict the ICA Browser to a subnet. Use unset to remove a
restriction. Use list to display current restrictions.

Parameters
num Specifies the interval (in minutes) at which the local browser will
update the master browser.
gateway Specifies the gateway host name or IP address.
address The IP address or subnet address you want to restrict the ICA
Browser to, in aaa.bbb.ccc.ddd format—e.g., 10.20.123.123.

Remarks
You must be a Citrix server administrator to run this command.
If you bind the server to a subnet, make sure that there is only one NIC on this
subnet.

See also
ctxqserver—to display information about gateways and the master browser.

ctxcapture
Description
ctxcapture lets you:
§ Grab windows or screen areas and copy them between an application in an
ICA Client window and an application running on the local client device,
including non-ICCCM-compliant applications.
§ Copy graphics between the ICA Client and the X graphics manipulation utility
xv. xv is a Shareware utility that is available for download from the Internet.
ctxcapture is available from the command prompt; it is also available when you
connect to published applications through the ctxwm window manager, if your
Citrix server administrator has made it available, as follows:
§ In a seamless window, right click the button in the top, left hand corner of
the screen to display a menu and choose the Screen Grab option.
§ In a “full screen” window, right click to display the ctxwm menu and choose
the Screen Grab option.
When ctxcapture is started a dialog box is displayed.

Syntax
ctxcapture

See also
ctxgrab—a simple tool to cut and paste graphics from ICA applications to
applications running locally on the client device.

ctxcfg
Description
ctxcfg configures Citrix server settings.

Syntax
ctxcfg -a [ERASE | [[prompt={TRUE | FALSE},] [INHERIT |
[user=name,] [pass]] [list]
ctxcfg -l [max={UNLIMITED | num }] [list]
ctxcfg -t [connect={NONE | minutes },] [disconnect={NONE |
minutes },idle={NONE | minutes}] [list]
ctxcfg -c [broken={DISCONNECT | RESET},] [reconnect={ORIGINAL |
ANY},] [list]
ctxcfg -p [enable | disable] [list]
ctxcfg -C [enable | disable] [list]
ctxcfg -P [set=num | reset] [list]
ctxcfg -g
ctxcfg -e [require={none | basic}] [list]
ctxcfg -i [ INHERIT | PUBONLY | ([prog=name,][wd=dir])] [list]
ctxcfg -s enable [,input={on|off}] [,notify={on|off}]
-s disable
-s list
ctxcfg -k [loadfactor=num] | [lognohome= {0|1}]
ctxcfg -m [enable | disable] [lowerthreshold=num]
[upperthreshold=num] [list]

Options
-a Allows you to set automatic logon details. Use INHERIT to make the
server use logon details specified on the client, rather than setting a
user name and password for the server using user and pass.
Alternatively you can specify a username and/or password for all
users who log on to the server. Set prompt to TRUE to prompt users for
a password, regardless of whether one is specified on the server or the
client. Use the pass option to prompt users for a logon password. Note
that using -g with the list option will not display the password.
ERASE erases any user name and password details that have been set
using the user and pass options and makes the server use logon
details specified on the client.
-l Logons. Allows you to limit the number of users that can be
concurrently logged on to the server. Specify an unsigned number or
the keyword UNLIMITED to allow an unlimited number of users to log
on.
-t Timers. Allows you to specify timeout intervals (in minutes) for
connected, disconnected, and idle sessions. Only new sessions are
affected by changes to the timeout intervals. For example, to specify a
timeout interval of 10 minutes for disconnected sessions, use -t
disconnect=10. Use the keyword NONE to disable all timeout settings.
-c Connections. Allows you to define how the server handles timed out
or broken sessions.
Set broken to DISCONNECT to disconnect sessions that are broken; set
to RESET to terminate broken sessions. Set reconnect to ORIGINAL to
allow reconnection only to a broken or timed out session from the
original terminal; set to ANY to allow reconnection to the session from
any terminal.
-p Client printing. Use to enable or disable client printing.
-C Client clipboard. Use to enable or disable the client clipboard.
-P Port number. Use to specify a TCP/IP port number for the ICA server
to listen for connections on. Use set to use a specific number, or
reset to use the default number. You must restart the server for the
new value to take effect.
-g Generate. This generates a list of commands that, if executed, restores
all settings to their current values (except the password). You can
redirect these commands to a file that you can later execute as a shell
script. -g cannot be used with any other argument.
-e Encryption. Use to force clients to use encryption and prevent clients
who do not use encryption from connecting.

-i Initial program. Use to specify a program, and path if necessary, to run
when the client initially connects. INHERIT uses the program and path
specified on the client. PUBONLY restricts users so that they can connect
only to published applications, and prevents users from connecting to
the server by name, or to the server desktop.
-s Shadowing. Use to enable or disable shadowing. Set input to on to
allow the shadower to interact with the shadowed session using the
keyboard and mouse. Set notify to on to give users the option to
approve or deny the shadowing of their session.
Note that when enabling shadowing, the default for input is on and
the default for notify is on.
-k Switch that allows you to turn features on and off (for example, the
ability to log on without a home directory) and set numeric factors
(such as the load factor).
To tune the load factor on a server, use ctxcfg -k loadfactor=num
where num is a load factor value between 1 and 10000. By default,
each server has a load factor of 100.
To allow users whose home directories are unavailable to log on, set
lognohome=1. To prevent users from logging on without a home
directory, set lognohome=0
-m Mouse-click feedback. Use this option to enable and disable mouse-
click feedback. With Feature Release 1, mouse-click feedback is
enabled by default.
You can also configure the thresholds in which mouse-click feedback
operates by setting upper and lower threshold values, in milliseconds.
The thresholds are like switches that determine when mouse-click
feedback is on or off. By default, the upper threshold is 500
milliseconds, and the lower threshold is 150 milliseconds.
To display the current settings, use the list option.

Remarks
You must be a Citrix server administrator to run this command.
ctxcfg -t has no effect on anonymous users.
See also
ctxanoncfg—to specify an idle timeout period for anonymous users.

ctxconnect
Description
ctxconnect lets you connect to a session.

Syntax
ctxconnect id

Parameters
id Specifies the session id to connect to.

Remarks
By default, Citrix server administrators can connect to any session; other users
can connect only to their own sessions.

See also
ctxsecurity—to control which users can connect to other users’ sessions.

ctxdisconnect
Description
ctxdisconnect lets you disconnect a session.

Syntax
ctxdisconnect [ id | name]

Parameters
id Specifies the session id to disconnect.
name Specifies the session name to disconnect.

Remarks
If you do not specify a session id or session name, your own session is
disconnected. By default, Citrix server administrators can disconnect any session;
other users can disconnect only their own sessions.
See also
ctxsecurity—to control which users can disconnect other users’ sessions.

ctxgrab
Description
ctxgrab lets you:
§ Grab dialogs or screen areas and copy them from an application in an ICA
Client window to an application running on the local client device.
ctxgrab is available from the command prompt or, if you are using a published
application, from the ctxwm window manager, as follows:
§ In a seamless window, right click the button in the top, left hand corner of
the screen to display a menu and choose the Screen Grab option.
§ In a “full screen” window, right click to display the ctxwm menu and choose
the Screen Grab option.
When ctxgrab is started a dialog box is displayed.

Syntax
ctxgrab

See also
ctxcapture—a more extensive tool that lets you cut and paste graphics between
ICA applications and applications running on the client device.

ctxlicense
Description
ctxlicense manages Citrix licensing.
Citrix licensing controls the number of ICA connections permitted on your Citrix
server, and the features available on the server.

Syntax
ctxlicense -add [-noprompt] serial_number
ctxlicense -activate license_number activation_code
ctxlicense -list
ctxlicense -pool license_number pooled_count
ctxlicense -remove license_number

Options
-add Add a Citrix license to the server. If you are installing an
upgrade license, use the -noprompt option to add and activate
the base and upgrade licenses in any order.
-activate Activate a Citrix license using the generated license number
and supplied activation code.
-list Display information about all licenses present on the Citrix
server.
-pool Change the pooled user count.
-remove Remove a license from a Citrix server. If you are removing
an upgrade license, you must remove the upgrade license
before removing the base license.

Parameters
serial_number The 25 character number on the sticker on the back of the CD
booklet.
license_number The 35 character number generated by MetaFrame when you
add a license. The license number is based on the serial
number.
activation_code The code supplied by Citrix that validates and enables the
license.
pooled_count The user count shared (pooled) by all Citrix servers on the
same network subnet.

See also
ctxqserver—to display information about licenses on Citrix servers on the network.

ctxlogoff
Description
ctxlogoff logs off a user from the MetaFrame server.

Syntax
ctxlogoff [ id | name]

Parameters
id Specifies the session id to log off.
name Specifies the session name to log off.

Remarks
If a user is not specified, you are logged off.
By default, Citrix server administrators can log off any user; other users can log
only themselves off.

See also
ctxsecurity—to control which users can log off other users’ sessions.

ctxlpr
Description
ctxlpr prints to a client printer.

Syntax
ctxlpr [-P printerName] [-b] [-n] [file1, ...file10]

Options
-P Print a file to a printer (or printer port) other than the default. This is
the printer name or printer port shown in the first column of the
output from ctxprinters.
-b Print the job in the background.
-n Only one print job can be handled at a time in any one session. If a
call is made to ctxlpr while a previous job is still printing, the
default behavior is for the second command to wait for the first
job to end before continuing.
Use the -n option to cause a second print job to fail rather than
wait. Use this to stop applications waiting while other printer jobs
are handled.

Parameters
file Specifies the name of a file to print. Up to ten files can be
specified; each file is treated as a separate print job. If no files are
specified, ctxlpr takes its input from standard input (stdin).
printerName Name of the printer (or printer port) other than the default.

See also
ctxprinters—to list printers installed on the client.

ctxmaster
Description
ctxmaster shows the master ICA Browser address.

Syntax
ctxmaster

Remarks
We recommend you use the ctxqserver -master command instead to display the
Citrix server acting as the master browser.
See also
ctxqserver—to display the master browser address.

ctxmsg
Description
ctxmsg sends a message to a particular session or to all sessions.

Syntax
ctxmsg -w {id | name} message [timeout]
ctxmsg -a message

Options
-w Suspends the ctxmsg program until the message either times out or
the user dismisses it. In other words, you get your command prompt
back only when the user responds or the message times out.
-a Send a message to all users.

Parameters
id Session id of the user to whom you want to send the message.
name Session name of the user to whom you want to send the message.
message The text you want to send. To send a message that contains spaces,
enclose it within double quotes.
timeout Specify a timeout (in seconds) for the message. If no timeout is
specified, the message dialog is displayed until dismissed by the
user.

See also
ctxquser or ctxqsession—to display users’ session names and IDs.
ctxsecurity—to control which users can send messages to other users’ sessions.
ctxshutdown—to inform users that the server is about to shut down.

ctxprinters
Description
ctxprinters lists printers installed on the client and indicates which is the default.
For each printer, the list displays:
- The printer name or printer port (for example, lpt1). You can use this in the
ctxlpr -P command to specify a printer other than the default.
- The name of the device driver.
- The name of the port to which the printer is attached.

Syntax
ctxprinters

See also
ctxlpr—to print to a client printer.

ctxqserver
Description
ctxqserver displays information about Citrix servers on the network.

Syntax
ctxqserver [server_name]
ctxqserver -addr server_name
ctxqserver -app [application_name | server_name]
ctxqserver -disc [application_name | client_name]
ctxqserver -election
ctxqserver -gateway [server_name]
ctxqserver -gatewaylicense:IP_address
ctxqserver -license [server_name]
ctxqserver -load server_name
ctxqserver -master
ctxqserver -netlicense
ctxqserver -ping [-count:value] [-size:value] server_name
ctxqserver -reset server_name
ctxqserver -serial [server_name]
ctxqserver -stats server_name
ctxqserver -update server_name

Options
-addr Display the network address of a specific Citrix server.
-app List all published applications and the server load. Specify
the name of an application or server to narrow the list.
-disc List all disconnected sessions. Specify the name of an
application or client to narrow the list.
-election Force a master browser election. You must be a Citrix
server administrator to run this command.
-gateway List the ICA gateways known to each server. Specify a
server name to narrow the list.
-gatewaylicense Display the number of remote licenses available from a
gateway. Specify the IP address of the gateway; e.g.,
ctxqserver -gatewaylicense:12.12.123.12
-license List the licenses on each server. Mach displays the number
of licenses kept local to the machine; Pool displays the
number of pooled licenses; Total shows the sum of the
local and pooled licenses.
Specify a server name to narrow the list.
-load Display the loading for a particular server.
-master Display the IP address of the master browser.
-netlicense Display information about the number of licenses installed
and in use on the local network. The number of licenses
kept local to the machine and the number pooled is also
shown.
-ping Ping the named server.
-reset Reset statistics about the activities of the browser (e.g.,
elections sent/received, packets sent/received) for the
named server.
-serial Display the licenses on each server. Specify a server name
to narrow the list.
-stats Display statistics about the activities of the browser for a
particular server.
-update Request the named server to update the master browser
with its data.

Parameters
server_name Name of a specific Citrix server.
application_name Name of a published application.
-count:value Use with the ping option to specify the number of packets
to send. The default is five packets.
-size:value Use with the ping option to specify the packet size. The
default is 256 bytes.
IP_address TCP/IP address of a server.

ctxqsession
Description
ctxqsession displays session details.
ctxqsession displays information about ICA connections to the Citrix server. The
information includes, where appropriate, user name, session name, session ID,
state, type, and device.

Syntax
ctxqsession

See also
ctxquser—to display session user details.

ctxquser
Description
ctxquser displays session user details.
ctxquser displays information about users logged on to the Citrix server. The
information displayed includes the user name, the session name, the session ID,
the state, the time the user has been idle, and the total time the user has been
logged on.

Syntax
ctxquser [user usr_name]

See also
ctxqsession—to display session details.

ctxreset
Description
ctxreset resets a session.
ctxreset resets an ICA connection to a Citrix server. You can specify the session to
be reset using its session id or name.

Syntax
ctxreset {id | name}

Remarks
By default, Citrix server administrators can reset any session; other users can
reset only their own sessions.

See also
ctxqsession—to display the current sessions.
ctxquser—to display session user details.
ctxsecurity—to control which users can use ctxreset to reset other users’ sessions.

ctxsecurity
Description
ctxsecurity configures MetaFrame security.
MetaFrame security controls a user’s access to MetaFrame commands and
sessions. When you install MetaFrame, default security settings are applied that
automatically control access at a global level to MetaFrame-secured functions.
Security can also be controlled at user and group level.

Syntax
ctxsecurity secured_function -l
ctxsecurity secured_function -a {allow | deny}
ctxsecurity secured_function -u {user_name} {allow | deny}
ctxsecurity secured_function -g {group_name} {allow | deny}
ctxsecurity secured_function {-u user_name | -g group_name} inherit

Options
-l Display security settings for a particular secured function.
-a Change the global security setting for a secured function.
-u Change security at user level for a secured function.
-g Change security at group level for a secured function.

Parameters
secured_function A particular MetaFrame tool; e.g., shadow. The secured
functions are shown in the following table.
allow Permit access to the secured function.
deny Prevent access to the secured function.
user_name User account name.
group_name Group name to which the user belongs.
inherit Remove previous user or group security settings and inherit
settings from the level above.

Secured Functions
The following table lists the secured functions together with their default settings
after installation.

Secured function (command) | MetaFrame security determines | Default global setting
login | Which users can log onto the MetaFrame server. | Allow
sendmsg (ctxmsg) | Which users can use ctxmsg to send messages to other users’ sessions. | Allow; Deny for anonymous users
connect (ctxconnect) | Which users can use ctxconnect to connect to other users’ sessions. | Deny
disconnect (ctxdisconnect) | Which users can use ctxdisconnect to disconnect other users’ sessions. | Deny
logoff (ctxlogoff) | Which users can use ctxlogoff to log off other users’ sessions. | Deny
reset (ctxreset) | Which users can use ctxreset to reset other users’ sessions. | Deny
shadow (ctxshadow) | Which users can use ctxshadow to shadow other users’ sessions. | Allow; Deny for anonymous users

Remarks
You must be a Citrix server administrator to run this command.

See also
ctxcfg—to enable and disable shadowing.
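
A least-privilege baseline built from the ctxsecurity syntax and the default settings listed above, as an added example that is not part of the Citrix guide. The group name helpdesk and the policy format are assumptions, as is the reading that a group-level allow takes precedence over a global deny, which the description of inherit implies.

```sh
#!/bin/sh
# Added example (not Citrix code): least-privilege baseline for the
# MetaFrame secured functions. Prints the ctxsecurity commands by default;
# set APPLY=1 and run as a Citrix server administrator to execute them.

# The seven secured functions from the Secured Functions table.
SECURED_FUNCTIONS="login sendmsg connect disconnect logoff reset shadow"

# Constructed baseline, one entry per line: function:global_setting:group
# "helpdesk" is a hypothetical group name; "-" means no group exception.
# shadow and sendmsg default to Allow, so they are the entries that tighten.
BASELINE="shadow:deny:helpdesk
sendmsg:deny:helpdesk
connect:deny:-
disconnect:deny:-
logoff:deny:-
reset:deny:-"

is_secured_function() {
    for known in $SECURED_FUNCTIONS; do
        if [ "$known" = "$1" ]; then return 0; fi
    done
    return 1
}

# Print one command, or execute it when APPLY=1.
# stdin is redirected so the command cannot consume the policy lines.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@" </dev/null; else echo "$*"; fi
}

# Reject the whole policy if any entry is malformed, so that a typo
# never leaves the server with a half-applied baseline.
validate_baseline() {
    echo "$1" | (
        while IFS=: read -r func global group; do
            if ! is_secured_function "$func"; then
                echo "unknown secured function: $func" >&2; exit 2
            fi
            case "$global" in
                allow|deny) ;;
                *) echo "bad global setting for $func: $global" >&2; exit 2 ;;
            esac
            if [ -z "$group" ]; then
                echo "missing group field for $func (use - for none)" >&2; exit 2
            fi
        done
    )
}

# For each entry: set the global level, add the group exception if any,
# then list the resulting settings with -l for the change record.
apply_baseline() {
    validate_baseline "$1" || return 2
    echo "$1" | (
        while IFS=: read -r func global group; do
            run ctxsecurity "$func" -a "$global"
            if [ "$group" != "-" ]; then
                run ctxsecurity "$func" -g "$group" allow
            fi
            run ctxsecurity "$func" -l
        done
    )
}

apply_baseline "$BASELINE"
```

Review the printed commands first, then run the script again with APPLY=1 to apply them.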

ctxshadow
Description
ctxshadow starts a shadowing session. Shadowing lets you monitor and interact
with another active session.
The session that issues the ctxshadow command is referred to as the shadower,
and the session being shadowed is called the shadowed session.

Syntax
ctxshadow {id | name} [-v] [-h[[a][c][s]+]x]

Options
-v Verbose output. Displays additional information.
-h Configure a hotkey combination to end shadowing.

Parameters
id Specify the session to be shadowed using its session ID.
name Specify the session to be shadowed using its session name.
{a|c|s}+x Specify the hotkey combination you want to use to end shadowing.
Choose this combination from:
a|c|s where a = ALT; c = CTRL; s = SHIFT
x where x is an alphanumeric character (a to z and 0 to 9).
(Note: you can use any combination of a, c and s, including all or none.)
For example, to begin shadowing and to specify a hotkey combination
of ALT and q to stop shadowing, type:
ctxshadow {id | name} -h a+q

To End a Shadowing Session


By default, you can end shadowing by holding down the CTRL key and pressing
the * (asterisk) key on your keyboard’s numeric keypad. However, if you cannot
use this hotkey combination, or you prefer to use an alternative, you can
configure a different combination using the -h option.

Remarks
Note that virtual channel data (instructions to the server that affect only the
shadowed session) is not shadowed. For example, if you print a file while
shadowing a session, the file is queued at the shadowed session’s printer.
You may also get some unexpected results using the clipboard channel. The user
of the shadowed session can use the clipboard to copy and paste between the
client session and applications running locally. As shadower, you cannot access
the contents of the shadowed session’s clipboard—information in the clipboard
belongs to the shadowed session. However, if you copy information to the
clipboard while shadowing, this information is available to the shadowed session
for pasting.

See also
ctxcfg—for shadowing configuration at the server.
ctxquser or ctxqsession—to display session name and ID.
ctxsecurity—to control which users can shadow other users’ sessions.

ctxshutdown
Description
ctxshutdown stops the Citrix server processes.

Syntax
ctxshutdown [-q] [-m seconds] [-l seconds] [message]

Options
-q Quiet mode. Use to reduce the amount of information displayed
to the administrator by the ctxshutdown command.
-m Specify when the shut down process will begin, and how long
the message will be displayed, in seconds. The default is 60
seconds. When this period expires and the shut down process
begins, applications that have registered “window hints” (the
WM_DELETE_WINDOW attribute) will attempt to interactively
log the user off. Applications that have not registered “window
hints” will terminate immediately.
-l Specify how long applications that have registered “window
hints” have to interactively log users off. The default is 30
seconds. When this period expires, any remaining sessions are
automatically terminated, users are automatically logged off,
and the MetaFrame process stops.

Parameters
message Specify the message displayed to all users logged on to the
server. If you do not specify a message, the default message
“Server shutting down. Auto logoff in x seconds” is displayed,
where x = the number of seconds specified in the
-m option (or the default of 60 seconds if this is not specified).

Remarks
You must be a Citrix server administrator to run this command.

See also
ctxsrv—to stop the MetaFrame processes on a server.

ctxsrv
Description
ctxsrv starts up or stops the server processes.
You can use ctxsrv to start up and stop all the processes on the server, or to start
up and stop an individual process, such as the ICA Browser or Citrix SSL Relay.

Syntax
ctxsrv start [browser | sslrelay | nfuse | all]
ctxsrv stop {browser | sslrelay | nfuse | all}

Options
browser The Citrix ICA Browser service.
sslrelay Citrix SSL Relay.
nfuse Citrix XML Service.
all All server processes.

Remarks
We recommend you use the ctxshutdown command to stop the MetaFrame
processes on a server. If you use ctxsrv to stop MetaFrame, and sessions are still
active when the server is stopped, the sessions are terminated and unsaved
applications or user data can be lost.
You must be root or a Citrix server administrator to run this command.

See also
ctxshutdown—to shut down the MetaFrame processes on a server.

XML Service Commands


ctxnfuseauth
Description
ctxnfuseauth controls whether the authentication of a user’s password occurs or
not, when a user logs on to NFuse. By default, password authentication is on.

Syntax
ctxnfuseauth {-on | -off | -l}

Options
-off Sets password authentication off.
-on Sets password authentication on.
-l Lists the current password authentication setting.

Remarks
You must be a Citrix server administrator to run this command.
If password authentication is off, and a user supplies an incorrect password, the
user’s application set is still displayed. It is only when the user launches an
application that the incorrect login is detected.
Run ctxnfuserefresh for the changes to take effect.

ctxnfusecfg
Description
ctxnfusecfg configures the appearance and access settings for an application, sets
the default appearance settings for all applications, or lists the current
configuration.

Configuring an application
Syntax
ctxnfusecfg -name applicationname
[ -i icon file ]
[ -f folder name ]
[ -description description ]
[ -w width height ]
[ -w percentage percent ]
[ -w fullscreen ]
[ -w seamless ]
[ -c 16 ]
[ -c 256 ]
[ -c 4bit ]
[ -c 8bit ]
[ -c 16bit ]
[ -c 24bit ]
[ -uadd user ... ]
[ -urm user ... ]
[ -urm -all ]
[ -gadd group ... ]
[ -gadd -all ]
[ -grm group ... ]
[ -grm -all ]
[ -ssl {on | off} ]

Resetting the configuration


Syntax
ctxnfusecfg -name applicationname -reset

Resetting the configuration of an application restores the default settings and
prevents it from being displayed if application filtering is enabled.

Listing the configuration


Syntax
ctxnfusecfg -name applicationname -lacfgiuws

Setting the default configuration


Syntax
ctxnfusecfg -default
[ -i iconfile ]
[ -f foldername ]
[ -description description ]
[ -w width height]
[ -w percentage percent]
[ -w fullscreen ]
[ -w seamless ]
[ -c 16 ]
[ -c 256 ]
[ -c 4bit ]
[ -c 8bit ]
[ -c 16bit ]
[ -c 24bit ]
[ -reset ]
[ -lacifguw ]
[ -ssl on | off ]

Resetting the default configuration


Syntax
ctxnfusecfg -default -reset

Listing the default configuration


Syntax
ctxnfusecfg -default -lacfiws

Options
-i iconfile Sets the application’s icon. The icon is read from the supplied
XPM file. Icons used with the XML Service must be 32 x 32
pixels. If your icon is larger than this, use an image editor to resize
it to the correct size.
-f foldername Specifies a folder for the application.
-description description Sets the application description. The description must be in
"quotes" if it consists of more than one word.
-w width height Sets the application window width and height. The maximum
window size you can set is 32767 by 32767 pixels.
-w percentage percent Sets the application window size to be a percentage of the desktop
size.
-w fullscreen Sets the application to run in a fullscreen window.
-w seamless Sets the application to a seamless window.
-c { 16 | 256 | 4bit | 8bit | 16bit | 24bit} Configures the application to use 16 (4-bit), 256 (8-bit), 16-bit or
24-bit colors.
-uadd user … Adds the specified user(s) to the list of users who can see this
application.
-urm user ... Removes the specified user(s) from the list of users who can
see this application.
-urm -all Removes all users from the list of the users who can see this
application.
-gadd group ... Adds the specified group(s) to the list of groups whose
members can see this application.
-gadd -all Adds all the groups currently defined in the NIS
domain to the list of groups whose members can see this application.
-grm group ... Removes the specified group(s) from the list of groups whose
members can see this application.
-grm -all Removes all the groups currently defined in the NIS
domain from the list of groups whose members can see this
application.
-reset Resets the application to its default settings.
-lacifguws Displays application settings, where:
l = Name
a = All
c = Colors
i = Icon (the icon is saved to a file)
f = Folder
g = Groups
u = Users
w = Window settings
s = SSL settings
-ssl {on | off} Specify whether connections to applications are SSL-secured.
By default, SSL is not enabled.

Remarks
The ctxnfusecfg -l command lists details of all the applications currently
configured.
You must run ctxnfuserefresh -cfg after the ctxnfusecfg commands, for the
ctxnfusecfg commands to take effect.
You must be a Citrix server administrator to run this command.

See also
ctxnfuserefresh—to refresh the settings.
ctxnfusesrv—if you are configuring the XML Service to allow SSL-secure
connections.

ctxnfusefilter
Description
ctxnfusefilter lists or configures whether application filtering is to be done.

Syntax
ctxnfusefilter {-on | -off | -l}

Options
-off Specifies all applications are visible by all users.
-on Specifies applications are to be filtered by user.
-l Lists the appropriate data setting.

Remarks
You must be a Citrix server administrator to run this command.

ctxnfuserefresh
Description
ctxnfuserefresh refreshes:
- The Citrix XML Service settings from the configuration file, or:
- The Citrix XML Service application information from the master browser, or:
- The Citrix XML Service’s knowledge of users and groups from the NIS
database.

Syntax
ctxnfuserefresh {-users | -cfg | -apps}

Options
-users Prompts the service to refresh the user and group account data.
-cfg Prompts the service to refresh configuration from the file.
-apps Prompts the service to refresh application settings from the
master browser.

Remarks
You must be a Citrix server administrator to run this command.

ctxnfusesrv
Description
ctxnfusesrv configures the server listening port, or lists the current listening port.
You can also use ctxnfusesrv to enable and disable publishing. Publishing must be
enabled on the server that you want to act as the contact point for NFuse and
clients performing HTTP browsing.
ctxnfusesrv can also be used to enable users to make secure connections using
SSL, and to enable and disable DNS address resolution.

Syntax
ctxnfusesrv {-l | -port portnumber}
ctxnfusesrv -publish [ enable {basic|full} | disable ]
ctxnfusesrv -ssl-port portnumber
ctxnfusesrv -dns [ enable | disable ]

Options
-port Configures the HTTP server listening port. The default port
number is 80.
-l Lists the current HTTP server listening port, the publishing
mode, the SSL port number, and the DNS address resolution
setting.
-publish Configures publishing mode. Enable publishing so that the XML
Service responds to NFuse or client HTTP browsing requests,
and any application configuration changes you make are visible
to your users.
When publishing is disabled, ticketing is still available (if the
Feature Release 1 license is activated) but the XML Service does
not respond to NFuse or client HTTP browsing requests, and any
application configuration changes you make will not be visible to
your users.
-ssl-port Specifies the port number that SSL Relay listens for connections
on (this is the SSL port you configured using the Citrix SSL
Relay configuration tools). You only need to run this command if
you are not using TCP port 443, which is the standard port for
SSL-secured communications.
-dns Enables and disables Domain Name System (DNS) address
resolution. By default, DNS is disabled and MetaFrame for
UNIX servers reply to ICA Client browsing requests with an IP
address.

Parameters
portnumber TCP port number.
enable Enables DNS address resolution or publishing mode. Choose
“enable basic” to enable publishing if you are using the XML
Service to publish data to NFuse. Choose “enable full” if you are
using the XML Service to publish data to other Citrix Web
products, in addition to NFuse. When publishing is set to “enable
full”, the XML Service provides these products with additional
information about users and groups. If you upgrade to Version
1.6 of the XML Service, publishing is set to “enable full”, by
default.
disable Disables DNS address resolution or publishing mode.

Remarks
You must be a Citrix server administrator to run this command.
If you make changes using ctxnfusesrv -port, you must stop and restart the XML
Service using ctxsrv {start | stop} nfuse for the changes to take effect.
If you make changes using ctxnfusesrv -publish, -dns or -ssl-port, you must use
ctxnfuserefresh -cfg for the changes to take effect.

See also
ctxsrv—to start and stop the XML Service.
ctxnfusecfg—if you are configuring the XML Service to allow SSL-secure
connections.

APPENDIX B

Glossary

Overview
This appendix provides a glossary of terms and acronyms used throughout the
MetaFrame documentation.

activation code The code you use to activate your Citrix software
licenses. To get an activation code from Citrix, you
contact the Citrix Activation System (CAS) and enter
the license number.
ALE See Application Launching and Embedding.
alternate address The external address of a Citrix server. An external
address is a public (Internet) IP address.
anonymous application An application published exclusively for use by
anonymous users.
anonymous session The session of an anonymous user.
anonymous user A guest user granted restricted access to a published
application on a Citrix server.
anonymous user account A user account defined on a Citrix server for
accessing applications published for anonymous use.
Application Launching and Embedding (ALE) A feature of MetaFrame and Citrix ICA Clients that
enables full-function applications to be launched
from or embedded into HTML pages without
rewriting any application code.

base license A type of Citrix license that enables the multiuser
features of your Citrix server. If a base license is not
present, ICA connections are not supported.
Bourne shell A type of UNIX shell. In Solaris, Bourne is the
default shell.
broken session A broken session occurs when the communication
link between an ICA Client and the MetaFrame
server is interrupted, for example, as the result of a
client device failure.
browser election See master browser election.

C shell A type of UNIX shell, based on the C programming
language.
CDE See Common Desktop Environment.
Citrix NFuse NFuse is an application portal technology that
provides organizations with the ability to integrate
and publish interactive applications into any standard
Web browser. NFuse is a three-tier solution that
includes a Citrix server, a Web server, and a client
device with a web browser.
Citrix Connection Configuration The Citrix utility you use to configure ICA and other
connections to your MetaFrame servers.
Citrix Licensing The utility you use to add, activate, configure and
remove licenses and user counts.
Citrix server Any MetaFrame, WINFRAME or VideoFrame server
on which you publish applications or videos.
Citrix server administrator A member of the user group ctxadm, who has special
permissions regarding the administration of
MetaFrame for UNIX Operating Systems.
Citrix SSL Relay A Citrix product that provides the ability to secure
data communications using the SSL protocol. SSL
provides server authentication, encryption of the data
stream, and message integrity checks.
Citrix XML Service A daemon that runs on the MetaFrame for UNIX
server, that communicates information about UNIX
applications published in a server farm to the NFuse
Web server. The XML Service also provides an
HTTP interface to the ICA Browser, allowing
connections across most firewalls.
client device Any device capable of running one of the Citrix ICA
Clients.
client device licensing A feature of Citrix licensing that allows users to start
multiple sessions on the same server, or on different
servers, while using only a single user count. All
connections must be from the same client device.
client printer mapping See client device mapping.

Common Desktop Environment (CDE) A standard desktop for UNIX that uses windows,
icons, and menus to provide services to end-users,
systems administrators, and application developers
across platforms.
connection See ICA connection.
csh See C shell.
ctx3bmouse Command line tool for configuring 3-button mouse
emulation.
ctxadm The Citrix server administrator group name. See
Citrix server administrator.
ctxalt Command line tool for alternate address
configuration.
ctxanoncfg Command line tool for configuring anonymous
users.
ctxappcfg Command line tool for controlling published
applications.
ctxbrcfg Command line tool for configuring ICA Browser
settings.
ctxcapture Command line tool for graphics cut and paste
(between ICA and local applications).
ctxcfg Command line tool for configuring MetaFrame
servers.
ctxconnect Command line tool for connecting to a session.
ctxdisconnect Command line tool for disconnecting a session.
ctxgrab Command line tool for graphics cut and paste (from
ICA to local applications).
ctxlicense Command line tool for licensing your MetaFrame
software.
ctxlogoff Command line tool for logging off the MetaFrame
server.
ctxlpr Command line tool for printing to a client printer.
ctxmaster Command line tool for showing the master ICA
browser address and alternate address.
ctxmsg Command line tool for sending messages to sessions.

ctxnfuse User account required for Citrix NFuse
administration. The ctxnfuse user is a member of the
ctxadm group.
ctxnfuseauth Command line tool for controlling the authentication
of user passwords in NFuse.
ctxnfusecfg Command line tool for configuring and listing NFuse
application appearance and access settings.
ctxnfusefilter Command line tool for enabling or disabling
application filtering in NFuse.
ctxnfuserefresh Command line tool for refreshing the Citrix XML
Service configuration.
ctxnfusesrv Command line tool for configuring the Citrix XML
Service http port.
ctxprinters Command line tool for listing the printers installed
on the client.
ctxqserver Command line tool for displaying information about
Citrix servers on the subnet.
ctxqsession Command line tool for displaying session details.
ctxquser Command line tool for displaying session user
details.
ctxreset Command line tool for resetting a session.
ctxsecurity Command line tool for displaying and configuring
user access to MetaFrame commands and sessions.
ctxshadow Command line tool for shadowing a user’s session.
ctxshutdown Command line tool for stopping the MetaFrame
process on a server.
ctxsrv Command line tool for starting up or stopping the
server processes on a Citrix server.
ctxsrvr Default member of the Citrix server administrator
group.
ctxssl User account required for Citrix SSL Relay
administration. The ctxssl user is a member of the
ctxadm group.

DNS Domain Name System.


disconnected session An ICA session in which the ICA Client is no longer
connected to the Citrix server. However, the user is
not logged off, their applications are still running,
and the user can reconnect to the disconnected
session.
dtterm The standard terminal emulator used by CDE.

explicit user A user who has an account name and password.
Explicit users log on using user accounts created and
maintained by system administrators, and when they
log on they supply a username and password.
external address The public (Internet) IP address of a Citrix server.

firewall A network node that provides security by controlling
traffic between network segments.
FQDN Fully Qualified Domain Name.

grace period A 35 day period which some Citrix licenses have,
after they are added. During this period, the
MetaFrame software is fully functional and
connections to the server work normally. However, if
the license is not activated by the end of the grace
period, the MetaFrame software is reduced to single
user mode, and only one ctxsrvr user will be able to
log on to the server at a time.

HTTP browsing HyperText Transport Protocol browsing. A feature
available in Version 6.0 or later ICA Clients that
allows users to browse applications and servers that
exist on the other side of a firewall. The ICA Client
communicates with the Citrix XML Service to fulfill
the browser requests.

ICA See Independent Computing Architecture.


ICA Browser The background process on a Citrix server that
maintains information about other servers and
published applications.
ICA Client The software installed on a client device that enables
end users to connect to Citrix servers.
ICA connection The logical “port” used by an ICA Client to connect
to, and start a session on, a Citrix server. An ICA
connection is associated with a network connection
or a serial connection (modems or direct cables).
ICA Gateway A gateway between two network subnets that enables
the Citrix servers on those subnets to exchange
information.
ICA PassThrough Allows non-Win32 ICA Clients to take advantage of
the Citrix Program Neighborhood features. This is
done by publishing the pre-installed ICA Client on
the server and having clients “pass through” the
server’s Citrix Program Neighborhood client while
trying to access a server farm.
ICA protocol The protocol used by ICA Clients and Citrix servers
to exchange information.
ICA session A lasting connection between an ICA Client and a
Citrix server, identified by a specific user ID and ICA
connection. It consists of the status of the connection,
the server resources allocated to the user for the
duration of the session, and any applications
executing during the session.

Independent Computing Architecture (ICA) The architecture that Citrix uses to separate an
application’s logic from its user interface. With ICA,
only the keystrokes, mouse clicks, and screen
updates pass between the client and server on the
network, while the application's logic executes on the
server.
ICCCM Inter-Client Communication Conventions Manual.
ICCCM is a proposed X Consortium standard for
inter-client communications.
initial program An application that starts automatically when a
session begins.
internal address The private IP address of a Citrix server.

ksh See Korn shell.


Korn shell A superset of the Bourne shell. It has many of the
Bourne shell features, plus additional ones such as
aliasing and history.

license A software license installed on your Citrix server that
does one of the following:
- enables the base server software
- enables additional server functionality
- increases the user count (number of ICA
connections) supported by the server.
license number A number you use to activate your Citrix software
licenses. The license number is unique to the
individual server where you are activating the
software. To get the license number, you enter the
serial number (that appears on the serial number
sticker on the back of the CD booklet) into the Citrix
Licensing utility.

license pooling A feature that enables you to combine the connection
licenses of all the Citrix servers on the same network
subnet into a common pool of licenses, which users
consume as they connect to any server. All licenses
are pooled by default. Assigning a license to a server
removes it from the pool.
load balancing An optional feature for adjusting the load on Citrix
servers. When a user launches a published
application that is configured for load balancing, that
user’s ICA session is established on the most lightly
loaded server, based on criteria you can configure.

man page A man page (literally a “manual page”) exists for each
UNIX command. Each man page includes a
description of the command, the syntax, warnings and
important notes, and related commands.
master ICA Browser or master browser The ICA Browser on one Citrix server in a
network that gathers information about licenses, published applications,
performance, and server load from the other member browsers within the
network, and maintains that information.
master browser election The process ICA Browsers go through to choose (elect)
a master browser from among the Citrix servers on a given network. Browser
elections occur when a new Citrix server is started, when the current master
browser does not respond, or when two master browsers are detected by another
server or an ICA Client.
MetaFrame security The feature that controls user access to MetaFrame
commands and sessions. Default security settings are
applied at installation—these defaults can be changed
using the ctxsecurity command.
mouse-click feedback A feature that enables visual feedback for mouse
clicks. When a user clicks the mouse, the ICA Client
software immediately changes the mouse pointer to an
hourglass to show that the user’s input is being
processed.

NFuse See Citrix NFuse.


NIC Network Interface Card.
NIS+ Network Information Service. A network naming
service that allows resources to be centrally
administered. NIS+ provides automatic information
updating and adds security features such as
authorization and authentication. Formerly called
“Yellow Pages”. NIS+ is available on the Solaris,
HP-UX and AIX platforms.

PAM Pluggable Authentication Modules. PAM allows you
to select the authentication service you want to use,
and to plug in and make available new authentication
service modules without having to modify your
applications.
PassThrough client See ICA PassThrough.
permissions In UNIX Operating Systems, permissions determine
which users have read, write, and execute access to
files and directories. Permissions are associated with
each file and directory.
pkgadd A tool on the Solaris platform for installing software.
published application An application installed on a Citrix server that is
configured for multiuser access by ICA Clients. To an
ICA Client user, the published application appears
similar to an application running locally on the client
device. With Load Balancing Services, you can load
balance a published application among several servers.

root The name given to the UNIX administration account
that has special permissions. Also known as the super
user.

script See Shell script.


seamless window One of the settings ICA Client users can specify for a
published application. If a published application runs
in a seamless window, the user can take advantage of
all the client platform’s window management
features, such as resizing, minimizing, dragging and
dropping between remote and local applications, and
so forth.
secured function A MetaFrame function to which the MetaFrame
security tool “ctxsecurity” controls user access.
security See MetaFrame security.
serial number The first number you use to activate your Citrix
software licenses. The serial number appears on the
serial number sticker on the back of the CD booklet.
Enter the serial number in the Citrix Licensing tool to
get a license number that is unique to the server
where you are activating the software.
server-based computing A model in which applications are deployed,
managed, supported, and executed on a server.
server extension license A type of Citrix license that increases the user count,
or enables additional features such as load balancing.
session See ICA session.
session ID A unique identifier for the session on a specific
server.
sh See Bourne shell.
shadowing A feature of Citrix servers that enables authorized
users to remotely join or take control of another
user’s session for diagnosis, training, or technical
support.
shell The interface between the user and the kernel. The
shell acts as a command processor that accepts,
interprets and executes commands.
shell script An executable file that contains a set of UNIX shell
commands.
smit The System Management Interface Tool on the AIX
platform.
SSL Secure Sockets Layer. A security protocol that
provides server authentication, encryption of the data
stream, and message integrity checks.
subnet A subset of a network.
super user See root.
swinstall A tool on the HP-UX platform for installing and
configuring software.

TCP/IP Transmission Control Protocol/Internet Protocol. A
suite of communication protocols that enables
resources to be shared among PCs, hosts, and
workstations.
Terminal Server Microsoft Windows NT 4.0, Terminal Server
Edition.
ticketing A feature in NFuse that provides enhanced
authentication security. Ticketing eliminates user
credentials from the ICA files sent from the Web
server to client devices.

UDP User Datagram Protocol. A transport protocol in the
Internet suite of protocols. UDP, like TCP, uses IP for
delivery; however, unlike TCP, UDP provides for
exchange of datagrams without acknowledgments or
guaranteed delivery.
user count Some Citrix licenses come with a user count. This is
the number of ICA Clients who can have a session
running on the server simultaneously. User counts
can be shared (pooled) by all servers on the same
subnet.

window manager A program that handles general window-management
jobs, such as creating borders around an
application’s main windows and controlling how you
move and resize windows.
workstation A computer designed for running UNIX Operating
Systems.

X See X Window system.


XML Service See Citrix XML Service.
xterm A terminal emulator for the X Window system.
xv A UNIX graphics application that allows users to
select and cut and paste areas of a screen and save
graphics in different formats.
X Window system The X Window system is a UNIX GUI (graphical
user interface). Note that X runs on various
platforms, not just UNIX.
APPENDIX C

Operating System Patch Information

Overview
This appendix provides information about the operating system patches that are
required for MetaFrame for UNIX Operating Systems, version 1.1 and Feature
Release 1.

Note More information about operating system patches for MetaFrame for UNIX
Operating Systems can be found in document CTX222222 in the Solution
Knowledge Base on the Citrix Web site at: http://knowledgebase.citrix.com/
The information in the Solution Knowledge Base is updated regularly and may be
more up to date than the information provided in this appendix.

Patches Required for Version 1.1


Solaris 2.6 (SPARC)
Patch Description
105633-10 OpenWindows 3.6: Xsun patch
105802-12 OpenWindows 3.6: ToolTalk patch

Solaris 7 (SPARC)
Patch Description
107893-05 OpenWindows 3.6.1: ToolTalk patch

AIX 4.3.3
Patch Description
APAR: IY12309 NIS+: Memory Leak Fixes/Performance Enhancements
(this patch is included in ML5 APAR:IY12051)

HP-UX 11.0
Patch Description
PHSS_20298 Xserver cumulative patch
PHSS_21493 X11 cumulative patch
PHCO_24148 libc cumulative patch

Patches Required for Feature Release 1


Solaris 2.6 (SPARC)
Patch Description
108618-01 Patch for UTF-8/Unicode iconv code conversions

Patches Required for Citrix SSL Relay for UNIX


Use the following patches for Citrix SSL Relay, version 1.0, for MetaFrame for
UNIX Operating Systems.

Solaris 2.6 (SPARC)


You may require the following patches if you experience problems with SSL
Relay:

Patch Description
105568 SunOS 5.6: /usr/lib/libthread.so.1 patch
105210 SunOS 5.6: libaio, libc & watchmalloc patch
105181 SunOS 5.6: Kernel update patch
106429 SunOS 5.6: /kernel/drv/mm patch

Patches Required for the Citrix XML Service for UNIX


Use the following patches (or later) for the Citrix XML Service, version 1.6, for
MetaFrame for UNIX Operating Systems.

Solaris 7 (SPARC)
Patch Description
106980-15 libthread patch
106327-08 Shared library patch for C++
106300-09 Shared library patch for C++

Solaris 2.6 (SPARC)


Patch Description
106125-10 Patch for patchadd and patchrm
105568-22 Threads bug fix Infrequent problem
105591-09 Shared library patch for C++
107733-09 Linker patch
108091-03 Update for XI18N_OBJS

Patches for Euro Currency Symbol Support


MetaFrame for UNIX supports the ISO 8859-15 Euro-currency symbol, if the
underlying UNIX operating system supports it. To ensure this support, you may
need to install patches recommended by your operating system and hardware
vendor. See the Web site for your operating system manufacturer or contact your
hardware vendor for details of the appropriate patches and for instructions for
ensuring Euro symbol support.

Patches that are Incompatible with MetaFrame for UNIX


This section lists patches that are incompatible with MetaFrame for UNIX
Operating Systems, version 1.1.
The following patches cause an error in which “No String” is displayed in the
MetaFrame for UNIX login box, instead of the title and the user and password
prompts. These patches do not cause this error in Feature Release 1 for
MetaFrame for UNIX.

Solaris 2.6 (SPARC)


Patch Description
105210-37 libaio, libc & watchmalloc patch

Solaris 7 (SPARC)
Patch Description
106541-15 Kernel update patch

Solaris 8 (SPARC)
Patch Description
108991-10 libc and watchmalloc patch