Configuring and Securing Citrix Shadowing

Shadowing is a valuable tool released with Citrix Presentation Server; however, taking time to implement and delegate this ability to support personnel often falls to the bottom of the priority list. Enabling your first responders with the shadowing ability, and a basic understanding of Citrix, will help them identify the source of a problem and thus decrease the number of escalated calls. This article will go over the different methods of configuring shadowing (including order of precedence), shadowing utilities, shadow logging, and to conclude, a summary of best practices.

Terminology

Before we discuss the different methods of configuring shadowing, it’s worthwhile to note the different terminology Citrix and Windows use to describe the same functionality. Citrix refers to shadowing as . The functionality, however, is limited simply to the three options above.

We will now take a look at the different locations where shadowing can be configured.

Presentation Server Installation

During the Presentation Server installation you are presented with a screen to configure shadowing.
By default shadowing is enabled. If you choose to prohibit shadowing at this point, you will not be able to enable it later by any method other than reinstalling Presentation Server. Further, at the installation point you have the option to force a shadow notification, as well as to allow or disallow input into the shadowed session. If you enforce these restrictions at the installation point, you will not be able to re-enable the feature by any means other than reinstalling Presentation Server.

In some countries it’s illegal to shadow a user without notification; therefore, it makes sense to prohibit shadowing without notification at the installation point. In every other configuration method described below you can restrict shadowing options that have been enabled at the installation point; therefore, if you’re not bound by any legal requirements, it makes sense to allow shadowing without notification at the installation point, knowing you have the option to apply restrictions later. Also, if you want to enable logging for shadowing, you must do this at the installation point as well.

Windows User Account Properties

In the Active Directory (AD) user account properties, Remote Control tab, you have the ability to .

Windows Group Policy

Consistent with AD practice, if something can be configured at the user account level, it can likely be accomplished through Group Policy. This holds true for Terminal Services remote control options.

Windows Terminal Services Configuration Tool (tscc. Citrix Connection Configuration (CCC)

The Terminal Services Configuration tool (tscc. TSCC)) and the Citrix Connection Configuration (CCC) tool are two other places where shadowing (or remote control) settings can be configured. Within these tools you can configure both ICA and RDP connections.
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\Shadow
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\Shadow

If you make a change in the TSCC to the RDP connection, Remote Control tab, the exact same change will be immediately reflected in the RDP connection properties of the CCC. The actual registry keys that each tool edits are the same. Since these tools edit the registry of a server, settings configured in the TSCC and the CCC are configured on a per-server basis.

Manually Editing the Windows Registry

Since Group Policy is actually a GUI for editing the registry, it is possible to manually edit the Windows registry to configure shadowing. When you configure, .

Citrix Policy

Another option to configure shadowing is to use Citrix Policies. To configure shadowing, create a new Citrix policy or edit an existing one. The Permissions rule allows you to specify to whom you wish to grant shadowing abilities—the . Active session will not get the change until a new session is established.

Order of Precedence

What happens if more than one method of configuring shadowing is in place with conflicting settings? As we discussed in the Citrix Policy section, Citrix Policy is controlled by the IMA service and stored in the datastore. Therefore, if a situation exists where settings conflict, determining which setting will take precedence depends on whether one setting can . Assume a Citrix Policy is applied to a Presentation Server with .

Order of precedence can be confusing. If it’s ever in question which settings will take precedence, simply set up a test scenario or two, play around with different configurations, and the precedence will be made clear to you.

Which Shadowing Configuration Method is best?

Determining which method is best for you is dependent on your environment, any security requirements you may have, and whether or not you have administrative rights to AD.
In my opinion, any centralized administration option will always be more efficient than manually configuring individual servers. Best practices will be discussed in more detail later.

Three Utilities to Shadow Citrix Sessions: The Shadow Taskbar, The Citrix Management Console (CMC) or Presentation Server Console, The Access Suite Console

Now that we’ve looked at the various ways you can configure shadowing, let’s look at the tools that your helpdesk, other administrators, and even users can use to actually perform shadowing duties. There are three . If you launch a shadow session using any of the utilities mentioned and launch Windows Task Manager, you’ll see cshadow.

You can only shadow an ICA session from an ICA session. If the utility you are using to shadow detects that an ICA session does not exist (for example, you are trying to shadow from a server console session), it will launch an ICA session for you and ask for your credentials. To avoid having to re-enter your credentials for the shadower's ICA session, launch the shadow session from an already established ICA session. This rule applies to RDP as well. With this knowledge, let’s look at the shadow utilities.

Shadow Taskbar

The Shadow Taskbar is a simple tool that installs with Presentation Server and provides the ability to shadow active ICA sessions. In addition Citrix Policy provides additional security.) The Shadow Taskbar allows you to have multiple shadow sessions launched at once, and it also allows many users to shadow a single session at one time. In terms of logging, if logging is not installed with Presentation Server, you do have the option of using a less robust method of logging within the taskbar that is not available within the CMC. You are not able to view disconnected sessions or perform any session maintenance (such as logging off sessions, sending messages, etc.) within this tool. On occasion, I’ve experienced problems with the taskbar not enumerating clients list.
The Shadow Taskbar is an older tool that hasn’t really been updated since MetaFrame XP.

The Presentation Server Console (PSC) or Citrix Management Console (CMC)

The Presentation Server Console (PSC) or Citrix Management Console (CMC) is another method of shadowing. You can only shadow one session at a time if the shadow session is initiated from a published version of the PSC. Let’s consider some advantages and disadvantages of using the PSC to shadow.

Advantages

When the PSC is used for shadowing, all session types are visible to the shadower, including active, disconnected, and RDP session information. If you would like your shadower to have the ability to view farm-level information in addition to session information, you are able to provide this with the PSC. Multiple users can shadow one session. As with the Shadow Taskbar, this may be useful in training circumstances.

Disadvantages

If you do not allow logging at the Presentation Server install, no logging options are made available through the PSC.

The Access Suite Console

Citrix’s new MMC-based management snap-in, the Access Suite Console (ASC), is another tool available to shadow users. However, there are a few additional advantages and disadvantages listed below. You can only shadow one session at a time if the shadow session is initiated from a published version of the ASC.

Advantages (in addition to the PSC)

From the Access Suite Console you can shadow both ICA and RDP sessions! You can also download the code to Quick Shadow and create your own shadow utility.

Terminal Services Manager

Windows Terminal Services Manager (TSM) is another utility used to shadow sessions, or . This tool will allow you to remote control RDP sessions; however, you can still view ICA session information within this tool. Remote controlling an RDP session from a Terminal Services console session will not work; you must launch the TSM within an RDP session that is not a console session for it to work.
Moving on from the various shadowing utilities, let’s look at what Citrix has to offer in terms of shadow logging.

Shadow Logging

When installing PS4 you have the option to select . The events appear in the Application log as MetaFrame Event, in the category of . Examples of the information logged include who requested a shadow session and when, and when a shadowing session was terminated. Some specific examples of shadowing events captured in Event Viewer are as follows:

Event ID: 1001 User: helpdesk. PS4 Servername> :session 2) has stopped shadowing user: user. PS4 Servername> :Session 1). The session ended successfully.
Event ID: 1002 User: helpdesk. PS4 Servername> :session 2) has failed to shadow user: user. PS4 Servername> :Session 3). The session ended unsuccessfully.
Event ID: 1003 Error 5: Access is denied.
Event ID: 1006 The requested session is not configured to allow remote control.(7.

The problem with this logging is that these event log entries will be scattered throughout your Citrix environment.
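One way to deal with shadow events being scattered across servers is to merge per-server exports into a single timeline and look for accounts with repeated unsuccessful attempts. This is an added example, not part of the original article: the CSV layout (time, event_id, user), the server names and the sample rows are constructed assumptions, and only the event IDs and meanings quoted above are used.

```python
import csv
import io
from collections import defaultdict

# Event IDs and meanings as quoted in the article's Event Viewer examples.
SHADOW_EVENTS = {
    1001: "stopped shadowing (ended successfully)",
    1002: "failed to shadow",
    1003: "access denied",
    1006: "session not configured for remote control",
}
FAILURE_IDS = {1002, 1003, 1006}
# Constructed sample: one CSV export per server (hypothetical names and layout).
EXPORTS = {
    "PS4-A": "time,event_id,user\n"
             "2017-08-01T09:00:05,1001,helpdesk1\n"
             "2017-08-01T09:14:40,1003,contractor7\n"
             "2017-08-01T09:20:00,9999,svc_backup\n",
    "PS4-B": "time,event_id,user\n"
             "2017-08-01T09:15:02,1003,contractor7\n"
             "2017-08-01T09:15:30,1006,contractor7\n"
             "2017-08-01T10:02:11,1002,helpdesk1\n",
}


def merge_shadow_events(exports):
    """Return shadow events from every server as one time-ordered list."""
    merged = []
    for server, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            event_id = int(row["event_id"])
            if event_id in SHADOW_EVENTS:  # skip unrelated Application events
                merged.append((row["time"], server, event_id, row["user"]))
    return sorted(merged)  # ISO timestamps (same time zone) sort as text


def repeated_failures(timeline, threshold=2):
    """Return {user: servers} for users with at least `threshold` failures."""
    servers = defaultdict(list)
    for _time, server, event_id, user in timeline:
        if event_id in FAILURE_IDS:
            servers[user].append(server)
    return {u: sorted(set(s)) for u, s in servers.items() if len(s) >= threshold}


if __name__ == "__main__":
    timeline = merge_shadow_events(EXPORTS)
    print(*timeline, sep="\n")
    print("repeated failures:", repeated_failures(timeline))
```

An account that collects access-denied or not-configured results on several servers in a short window only becomes visible once the per-server logs are viewed together.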
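Because the TSCC and CCC settings live in each server's registry, the per-connection Shadow values listed earlier can be audited across a farm for connections that permit shadowing without notification. This is an added example, not code from the original article: it parses text collected with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" /s /v Shadow`, the server names and sample output are constructed, and the value meanings are the standard Terminal Services ones, which the article does not list.

```python
import re

# Standard Terminal Services meanings of the Shadow DWORD (not given in the article).
MODES = {
    0: "remote control disabled",
    1: "full control, user notified",
    2: "full control, no notification",
    3: "view only, user notified",
    4: "view only, no notification",
}
SILENT = {2, 4}  # shadowing permitted without the user being asked
VALUE_RE = re.compile(r"^\s+Shadow\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")
ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\"

# Constructed sample output, keyed by hypothetical server name.
SAMPLE = {
    "PS4-A": ROOT + "ICA-tcp\n    Shadow    REG_DWORD    0x1\n\n"
             + ROOT + "RDP-Tcp\n    Shadow    REG_DWORD    0x2\n",
    "PS4-B": ROOT + "ICA-tcp\n    Shadow    REG_DWORD    0x4\n\n"
             + ROOT + "RDP-Tcp\n    Shadow    REG_DWORD    0x0\n",
}


def parse_reg_query(text):
    """Return {connection name: Shadow value} parsed from reg query output."""
    values, connection = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_LOCAL_MACHINE\\"):
            connection = line.strip().rsplit("\\", 1)[-1]
        else:
            match = VALUE_RE.match(line)
            if match and connection:
                values[connection] = int(match.group(1), 16)
    return values


def silent_shadow_findings(outputs):
    """List (server, connection, value, meaning) where no notification is required."""
    findings = []
    for server in sorted(outputs):
        for connection, value in sorted(parse_reg_query(outputs[server]).items()):
            if value in SILENT or value not in MODES:
                findings.append((server, connection, value, MODES.get(value, "unknown")))
    return findings


if __name__ == "__main__":
    for finding in silent_shadow_findings(SAMPLE):
        print(finding)
```

This covers only the per-server connection setting; user account properties, Group Policy and Citrix Policy are configured separately and still need to be checked under the order of precedence discussed above.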