How can I prevent users from getting the full desktop?
Open the Citrix Connection Configuration:
Start | Run | mfcfg.exe | tcp-ica | Advanced | enable "Only launch Published Applications"
Then publish the desktop as an application for administrators. Set tcp-rdp to admins only, so you can still connect to the desktop with the TS Client.
- Terminal Server Desktop, Explorer.exe, Launches from a Published Application
How to use a MS ISA server to publish a Citrix server?
First of all, when you want to have access to your MetaFrame server from the Internet, I advise you to use the FREE Citrix Secure Gateway (CSG). With CSG you need only one external IP and you only have to open port 443.
Next you should consider using the CSG 1.1/3.0 in "relay mode" or the Citrix SSL relay.
With NAT you need one external IP for every Citrix server, and you have to run "altaddr" on every Citrix server.
- Secure Gateway for MetaFrame Administrator's Guide
- Using the Citrix SSL Relay
- How to Publish a Citrix Server Behind an ISA Server
- IMA and ICA Browsing With Firewall Address Translation (NAT)
- Configuring NFuse/Web Interface for Use with Network Address Translation (NAT)
- Using One Public IP Address for Multiple MetaFrame Servers with NFuse / Web Interface
- Configuring Microsoft ISA Server to Allow Outbound ICA Connections
- How to Publish a Citrix Server Behind ISA Server
- How to publish a Citrix MetaFrame version 1.8 server by using Internet Security and Acceleration Server 2004
CSG / Web Interface security advice!
If you don't want your login site to show up in a public search engine, do the following:
- In the Web root place a file named robots.txt with the following content:
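This file tells every search engine robot/spider not to crawl the site. Compliance is voluntary on the crawler's side, so it keeps the page out of search results but is not an access control.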
- Rename the Administrator account and use "good" passwords.
- Disable access to the WIAdmin page from the Internet and allow only the localhost. If you still want access from outside, rename or move the WIAdmin site.
- If your site is listed in a search engine and you don't want that, remove the site from the engine. Visit the search site to find out how to remove sites.
- At least rename the default login title.
How can I hide the Terminal Server local Drives?
To hide server drives, a Group Policy Object (GPO) has to be set for Active Directory, or a system policy for a Windows NT domain. It's also possible to prevent access to local server drives.
- HideCalc - A tool for hiding drives that creates ADM, KIX and registry files.
- Using GPO to Hide Specified Drives in My Computer for Windows 2000
- How to: Use System Policies to Hide Specific Drives
- How to Create a New System Policy
- How to apply System Policy settings to Terminal Server
- Writing Custom ADM Files for System Policy Editor
- Administer GPO Properties in Windows 2000
- Policies and Profiles Standards
- How do I prevent users from using My Computer to access the content of selected drives (JSI Tip 3636)
- How to Lock Down a Windows 2000 Terminal Server Session
- Locking Down Windows Server 2003 Terminal Server Sessions
- All in One Package for NT Domains, ADM Files and Utilities.
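The hide and prevent-access policies mentioned above are stored as two per-user registry values, NoDrives and NoViewOnDrive, each a 26-bit mask with drive A as bit 0. The Python below is an added example, not part of the original FAQ or of HideCalc. It builds the mask, decodes an existing value for auditing, and writes the matching .reg text. The function names and the C:/D: scenario are assumptions.

```python
import string

# Per-user Explorer policy key that holds both values (standard Windows location).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ALL_DRIVES = (1 << 26) - 1  # 0x03FFFFFF: every letter A..Z


def drive_mask(letters):
    """Return the bitmask for the given drive letters (A = bit 0 ... Z = bit 25)."""
    mask = 0
    for letter in letters:
        letter = letter.strip().rstrip(":").upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def decode_mask(mask):
    """Audit helper: list the drive letters an existing policy value covers."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError(f"mask outside the 26-bit range: {mask:#x}")
    return [c for i, c in enumerate(string.ascii_uppercase) if mask & (1 << i)]


def reg_file(hide, deny_access=()):
    """Build .reg text: NoDrives hides the letters, NoViewOnDrive blocks opening them."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{POLICY_KEY}]",
             f'"NoDrives"=dword:{drive_mask(hide):08x}']
    if deny_access:
        lines.append(f'"NoViewOnDrive"=dword:{drive_mask(deny_access):08x}')
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed scenario: server system drive C: and data drive D:.
    server_drives = ["C", "D:"]
    print(reg_file(hide=server_drives, deny_access=server_drives))
    print("NoDrives=0x0c covers:", decode_mask(0x0C))
```

Both values are shell policies, so NTFS permissions remain the actual access control on the server drives.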
How can I lock down Program Neighborhood?
Restrict PN by using APPSRV.INI
Change this setting to On to remove the Application Set Manager icon from the client.
Change this setting to On to remove the Custom ICA Connections icon from the client.
Change this setting to On to remove the Find New Application Set icon from the client.
Change this setting to On to remove the Add ICA Connection icon from the client.
- Appsrv.ini Parameters Deciphered
- How to Create a Preconfigured Program Neighborhood Client
- Use Resource Hacker to lock down PN in a hard-coded way, but at your own risk.