
Logon process

Application Certification.
Authentication issue (if the Web Interface is down).
What are the consoles available to manage a Citrix server?

Resource Manager
Resource Manager collects, displays and stores data about system performance and about
application or process use.
Is this not exactly the same thing that Performance Monitor (standard in Windows) does?
Citrix RM definitely overlaps with Performance Monitor, but adds some extra functionality
to it. These additional functions are the benefits of Resource Manager:
Real Time Watcher: on the monitored counters (called Metrics within Resource Manager)
you can assign two thresholds (warning and error). If a threshold is exceeded, Resource
Manager can alert you by several methods such as SMS, e-mail or SNMP traps.
Resource Manager can store the collected data for a longer time, which makes it possible
to generate reports based on current and past activity.
Resource Manager has an option to create billing reports based on self-defined costs.
Resource Manager collects, besides the system counters, Citrix-specific data such as
application usage, user activity and farm information.
Database name of Resource Manager: the RM summary database.
Network Manager
Load Manager: Load Manager ensures that each user connects to the server that is most
capable of handling that connection. Load Manager applies load evaluators, which consist of
rules that govern how Load Manager determines the resource load of a server.
Installation Manager: Installation Manager gives an administrator the ability to package
and deploy applications to servers running Presentation Server. An administrator can use
Installation Manager to install hotfixes, service packs, application upgrades and new
applications on all servers in the farm that have the Installation Manager component installed.
Web Interface: The Web Interface gives users access to published applications through a web
browser. It allows multi-farm administration from a single Access Suite Console. Users log in
to the front-end interface with a web browser from a variety of workstations and operating
systems. The administrator can enforce additional authentication checks by configuring the
Web Interface to use RSA SecurID or Secure Computing SafeWord for MetaFrame.
Secure Gateway: The Secure Gateway provides secure access to published applications and
resources on servers running Presentation Server through SSL/TLS-encrypted sessions.
Presentation Server uses the Secure Gateway in combination with the Web Interface, which
authenticates the user, and the Secure Ticket Authority, which issues the per-connection
ticket the gateway checks (see the STA questions at the end of this document).
What is the content of an ICA file?
An Independent Computing Architecture (ICA) file is used by Citrix ICA clients to connect to
Citrix application servers. It is a plain-text, INI-style file that contains the configuration
information for the connection (server or gateway address, published application to start,
encryption and display settings and, for Secure Gateway connections, the STA ticket) and can
be edited with an ICA client editor or a basic text editor. Because it is plain text, treat a
generated ICA file as sensitive while its ticket is valid, and never leave credentials in it.
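The following is an added example, not from the original page and not Citrix code, of parsing an ICA file and checking it for the two things a reviewer looks for: embedded cleartext credentials and a gateway setting without SSL. The sample file is constructed; the `;40;<STA id>;<ticket>` form of the Address field is the Secure Gateway convention as I understand it and should be taken as an assumption, as should the `audit_ica` checks and the function names.

```python
import configparser
import io

# Constructed sample ICA file (not from the original page). The sections and
# keys follow the INI layout an ICA client reads; the Address form with the
# ";40;" STA marker is an assumption about Secure Gateway ICA files.
SAMPLE_ICA = """\
[WFClient]
Version=2
ClientName=WI-sample

[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA01;0123456789ABCDEF0123456789ABCDEF
InitialProgram=#Notepad
SSLEnable=On
SSLProxyHost=gateway.example.com:443
Username=jsmith
Domain=CORP
ClearPassword=hunter2
"""


def parse_ica(text):
    """Parse ICA text into {app_name: {key: value}} for every entry listed
    under [ApplicationServers]. Key case is preserved (ICA keys are mixed case)
    and '=' is the only delimiter, so values containing ':' survive intact."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    apps = {}
    for app in cp["ApplicationServers"]:
        apps[app] = dict(cp[app]) if cp.has_section(app) else {}
    return apps


def sta_ticket(address):
    """Split a Secure Gateway style Address value ';40;<STA id>;<ticket>' into
    (sta_id, ticket); returns None for a plain server address."""
    parts = address.split(";")
    if len(parts) == 4 and parts[0] == "" and parts[1] == "40":
        return parts[2], parts[3]
    return None


def audit_ica(text):
    """Return a list of (app, finding) pairs a reviewer would care about."""
    findings = []
    for app, cfg in parse_ica(text).items():
        if cfg.get("ClearPassword"):
            findings.append((app, "cleartext password embedded in ICA file"))
        if cfg.get("SSLProxyHost") and cfg.get("SSLEnable", "Off").lower() != "on":
            findings.append((app, "SSLProxyHost set but SSLEnable is not On"))
        if cfg.get("SSLProxyHost") and sta_ticket(cfg.get("Address", "")) is None:
            findings.append((app, "gateway configured but Address carries no STA ticket"))
    return findings


if __name__ == "__main__":
    for app, finding in audit_ica(SAMPLE_ICA):
        print(f"{app}: {finding}")
```

Run against the sample it reports only the embedded ClearPassword; drop that line and the file is clean, which is the state a Web Interface generated file should be in.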
What is the ICA protocol and what are the advantages of ICA?


ICA is a general-purpose presentation services protocol for Microsoft Windows, which allows
an application's user interface to execute with minimal resource consumption on a client
device, while the application logic executes on ICA-based servers, such as the Citrix
WinFrame family of multi-user application servers. (A presentation services protocol provides
graphical interface screen updates to a client station from an application executing on a
multi-user computer system; ICA, used by WinFrame, and T.share, used by Windows-based
Terminal Server, are examples.)
Features:
SpeedScreen multimedia acceleration (now called HDX MediaStream)
Smart card virtual channels
PDA sync and TWAIN (both covered by the newer, broad support for USB devices called HDX
Plug-n-Play, which supports more device types than XenApp did)
ICA Perfmon counters (SMC) and end-user experience metrics. Any software running on the
Virtual Desktop Agent can consume the Perfmon counters.
What is Independent Management Architecture?
Independent Management Architecture (IMA) is the management framework of MetaFrame XP and
Presentation Server: the IMA service on every farm server talks to the farm data store, to
the zone data collector and to the other servers (TCP 2512 by default; the management
console uses TCP 2513), and keeps the Local Host Cache in sync with the data store. As one
example of what it manages: when Virtual IP is enabled, the IMA service allocates and assigns
each session a unique IP address at session start-up and stores the virtual IP configuration
in the data store database and the local host cache.
Why do we need zones? What is the purpose of data collectors in zones?
1) Zones are primarily used for dividing the Citrix servers in a farm, usually based on
geographic location.
2) The zone data collector keeps track of the load of each Citrix server in the zone. This
information is used to place new ICA connections to the zone.
What is the XML Broker?
When a user logs on to the Web Interface, the Web Interface retrieves the list of
applications the authenticated user is authorized for from the IMA data store, via the XML
Broker (the server whose Citrix XML Service the Web Interface is configured to contact).
I have attached the Default load evaluator to a server and it reports full load. How many
users does this indicate are logged in?
100 user sessions: the Default load evaluator contains only the Server User Load rule, which
reports full load at 100 sessions.
What is the command for a forced full removal of Citrix after uninstalling from Add/Remove
Programs?
CTX_MF_FORCE_SUBSYSTEM_UNINSTALL. It is a Windows Installer property passed to msiexec on
the uninstall command line as CTX_MF_FORCE_SUBSYSTEM_UNINSTALL=Yes (msiexec /x <path to
the Presentation Server .msi> CTX_MF_FORCE_SUBSYSTEM_UNINSTALL=Yes).
What is the Data Store?
A collection of static data that does not change very often:
1. Published application information and configuration
2. Farm configuration
3. Printer drivers and mappings
4. Presentation Server administrator accounts
What is the Zone Data Collector?
It holds the dynamic information about the farm that changes very often:
Server loads
Active sessions
Disconnected sessions
Users
What is application isolation and how do you install an application in an isolated environment?
If WinZip 9 is already on a server and we also want to install WinZip 10, this feature lets
both versions run on the same server in isolation environments without interfering with each
other (each sees its own view of the files, e.g. the .exe, and of the registry).


Go to CMC
Isolation Environments
New isolation environment (provide a name, e.g. SILO2)
At a command prompt run: aiesetup SILO2 C:\WINZIP.EXE (path of the setup file)
This installs the application into the isolation environment on the Citrix server; you can
check this under Isolation Environment > Properties > Applications.
Publish the application using the isolation environment.
Define the functions of the Local Host Cache
Each XenApp server stores a subset of the data store in the Local Host Cache (LHC). The LHC
performs two primary functions:
Permits a server to function in the absence of a connection to the data store.
Improves performance by caching information used by ICA clients for enumeration and
application resolution.
The LHC is an Access database, Imalhc.mdb, stored by default in the
<ProgramFiles>\Citrix\Independent Management Architecture folder.
The following information is contained in the local host cache:
All servers in the farm, and their basic information.
All applications published within the farm and their properties.
All Windows network domain trust relationships within the farm.
All information specific to itself. (product code, SNMP settings, licensing information)
On the first startup of the member server, the LHC is populated with a subset of information from
the data store. From then on, the IMA service is responsible for keeping the LHC synchronized
with the data store. The IMA service performs this task through change notifications and periodic
polling of the data store.
If the data store is unreachable, the LHC contains enough information about the farm to allow
normal operations for an indefinite period of time, if necessary. However, no new static
information can be published, or added to the farm, until the farm data store is reachable and
operational again.
How to recreate the Local Host Cache
Recreate the LHC in these situations:
If the IMA service does not start, the cause may be a corrupt LHC.
If you have made extensive changes to the farm data store, such as publishing various
applications, adding or removing servers from the farm, or creating new policies.
If you have to clean the farm data store using the DSCHECK utility, rebuild the LHC on each
of the servers in your farm once the data store has been cleaned.
Steps to recreate the Local Host Cache
IMPORTANT: The data store server must be available for dsmaint recreatelhc to work. If the
data store is not available, the IMA service cannot start.
1. Stop the IMA service on the XenApp server, if it is started. This can be done with the
command net stop imaservice, or from Services.
2. Run dsmaint recreatelhc, which renames the existing LHC database, creates a new database,
and sets the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\PSRequired to 1.
Setting PSRequired to 1 forces the server to establish communication with the data store in
order to populate the Local Host Cache database. When the IMA service is restarted, the LHC
is recreated with the current data from the data store.
3. Restart the IMA service. This can be done from the command line with net start imaservice,
or from Services.
The data store of my Citrix farm is down. Assuming I am using MetaFrame XP(e), what are the
side effects, from the perspective of users connecting to applications and from the
perspective of a Citrix admin?
1. Users will be able to connect to applications and work without any hassle for 30 days;
after that they will not be able to connect. (This grace period is version-specific: for
later releases the Local Host Cache section above states that normal operation continues
indefinitely, so check the documentation for your release.)
2. Citrix admins will not even be able to log in to the CMC.


3. No activity can be performed on farm like publish application.


You have a Citrix farm running on an Access data store. The farm has only one Citrix server,
and this server has to be replaced for some reason. You have the new hardware that is to be
used in place of the existing server. What steps would you take?
1. Install the required OS.
2. Install Citrix.
3. On the old server run dsmaint backup <backup path> (dsmaint uses subcommands, not /backup
or /restore switches).
4. Copy the backed-up .mdb file from the old server to the new server.
5. On the new server point the IMA service at the copied database with dsmaint config
/dsn:<path to the .dsn file for the copied .mdb> (the File DSN and dsmaint config steps are
described under "How to move or recover the data store" below), then restart the IMA service.
I have configured a critical application on a server and I wish to allow only certain IP
address ranges and only a certain number of users access to that application. How can I
achieve this?
Create a custom load evaluator with the Application User Load rule (limits the number of
concurrent users of the published application on that server) and the IP Range rule (allows
or denies connections from the given client IP ranges), and attach it to the published
application. Note that the IP Range rule only sees the address the ICA connection arrives
from; sessions relayed through Secure Gateway arrive from the gateway's address, so treat
this as load control, not as a substitute for network access control.
How to move or recover the data store
Restore MF20.mdb from backup to the new server at C:\Program Files\Citrix\Independent
Management Architecture\.
Create a File DSN that points at the database: Administrative Tools > ODBC > File DSN > Add
> choose the database driver (Microsoft Access) > choose the location of the MF20.mdb file >
choose the file name MF20.dsn > Next > Finish.
Then click Select > choose the database file (MF20.mdb) > OK.
Go to a command prompt (quote the DSN path, since it contains spaces):
DSMAINT CONFIG /USER:ADMINISTRATOR /PWD:PASSWORD /DSN:"C:\PROGRAM FILES\CITRIX\INDEPENDENT
MANAGEMENT ARCHITECTURE\MF20.DSN"
Restart the IMA service.
This server now hosts the data store, but the change must be pushed to every other server in
the Citrix farm. Log in to each other Citrix server and at a command prompt run:
DSMAINT FAILOVER NEW_DATA_STORE_SERVERNAME
then restart the IMA service.
What is a session printer and how do you create one?
You can create a session printing policy and apply it to specific client IP address ranges,
ensuring that a user is always attached to a nearby network printer.
How to set up session printing
In Management Console > Policies create a policy called "North Printer". Then go to the
properties of that policy > Printing > Session Printers and add a printer. Then go to "Apply
policy to" and add users and/or groups, and that printer will show up in their Citrix sessions.
Assuming this is correct, removing that user or group should then remove that printer from the
next session opened. Well, in my case it does not. When I add a group to a policy the printers
show up at the next login. The printer does not go away, though, when I remove that group from
the policy and log in again.
What are the different ports used in Citrix?
ICA (default): TCP 1494
RDP: TCP 3389
IMA (server to server, data collector): TCP 2512
CMC (console to server): TCP 2513
SSL/TLS: TCP 443
STA (hosted in IIS): TCP 80
ICA browsing (legacy ICA browser): UDP 1604
XML Service (default): TCP 80
Citrix License Management Console: TCP 8082
Presentation Server licensing: TCP 27000
ICA session with Session Reliability enabled (CGP): TCP 2598
Access Gateway Standard and Advanced Editions: TCP 9001, 9002, 9005
Manager service daemon: TCP 2897
Network Manager SNMP: UDP 161, 162
Note that the XML Service and the STA both share IIS's port 80 by default; because the Web
Interface sends user credentials to the XML Service, that path should run over HTTPS (see the
Citrix XML Service section below) or stay on a trusted network.
What is a mixed mode farm, and how does it work?

Setting a MetaFrame XP server farm to mixed mode enables the XP servers to communicate and
integrate with MetaFrame 1.8 servers; you can then publish and load-balance applications
across both platforms. Users see one unified server farm consisting of MetaFrame 1.8 and XP
servers.
For a mixed mode farm we look at the following technical component:
IMA service: MetaFrame XP uses the IMA service, but MetaFrame 1.8 uses the Program
Neighborhood service and the ICA Browser service. MetaFrame 1.8 does not understand IMA, so
the MetaFrame XP servers must run the legacy ICA Browser and Program Neighborhood services
(UDP 1604 in the port list above) in addition to the IMA service and all of its components.
Server Farm Design:
What is the difference between the Citrix Standard, Advanced and Enterprise editions?
Presentation Server, Enterprise Edition includes:
Resource Manager
Network Manager
Load Manager
Installation Manager
Web Interface
Secure Gateway
Document Center
Advanced Edition includes:
Load Manager
Web Interface
Secure Gateway
Document Center
Standard Edition includes:
Web Interface
Secure Gateway
Document Center
What are the prerequisites for Citrix Presentation Server?
Windows 2000 Server, Windows 2000 Advanced Server or Windows 2000 Datacenter Server
Windows Server 2003, Standard, Enterprise or Datacenter Edition
Terminal Services running in application mode
Java Runtime Environment version 1.4.2_06
.NET Framework version 1.1 with Service Pack 1
Microsoft Windows Installer (MSI) 3.0
What is the difference between 2k & 2k3 terminal server licensing?
What is Client Lock Down?

Page 6 of 20

How to implement a policy in Citrix

Policy properties:
Bandwidth: visual effects, SpeedScreen and session limits can be configured here
Client devices: resources (microphone, sound quality, turn off speakers), drives, ports, PDA
devices, other
Printing
User workspace
Security
Policy filters are based on the following:
Access control (based on how the session was accessed, e.g. through Secure Gateway)
Client IP address
Client name
Servers
Users
What is the Citrix Secure Gateway / Access Gateway and how does it work?
Which file do you need to edit to specify the configuration of the Secure Gateway server?
How does licensing work in Citrix, and what are the differences between Citrix licensing versions?
Application Streaming
Application streaming is an alternative to installing applications locally on individual PCs.
Instead of completely installing a Windows program on a PC, it is streamed from a central
server, where only the parts of the application required by the user are delivered for
immediate use. As additional functionality is required by the user it is streamed on demand.
When the user has finished with the application and chooses to do so, all components are
completely removed, as if the application had never been there.
Application streaming is a form of on-demand software distribution.
The basic concept of application streaming has its foundation in the way modern programming
languages and operating systems produce and run application code. Only specific parts of a
program need to be available at any instant for the end user to perform a particular
function. This means that a program need not be fully installed on a client computer; parts
of it can be delivered over a low-bandwidth network as and when they are required.
Application streaming is usually combined with application virtualization, so that
applications are not installed in the traditional sense.
Stream server
An application is Packaged and stored on a streaming server.[1] Packaging or sequencing
produces an image of the application in a way that either orders delivery and/or predictively
optimizes delivery to the client.[1]
Launch & Streaming of Application
The initial launch of an application would be important for the end user and the Packaging
process might be optimized to achieve this. Once launched, common functions would be
followed. As these functions are requested by the end user, these may be Streamed in a similar
manner. In this case the client is pulling the application from the stream server. Otherwise, the full
application might be delivered from the server to the client in background. In this case, the server
pushes the application to the client.


Advantages
Given the complexity of modern applications, many functions are never or seldom used, and
pulling the application on demand is more efficient in terms of server, client and network usage.
Simplified operating system migrations.
Accelerated application deployment.
Centralized application management, with local execution.
Ability to continue to use applications when offline (in contrast to pure web applications).
Delivers fully featured desktop applications (in contrast to browser-driven web applications).
Software license optimization by controlling simultaneous users of software.

What is a load evaluator, and how many kinds of load evaluator are there?

Load Manager balances server load across the server farm by using load evaluator rules to
calculate server load, identifying which server is least busy, and directing the client to
connect to the least busy server.
There are three kinds: the built-in Default and Advanced load evaluators, and custom load
evaluators.

Default Load Evaluator: The Default Load Evaluator uses the user session count for its criteria.
The Default load evaluator is based on the Server User Load rule only. This rule reports a
full load when the number of user sessions on the server exceeds 100. After 100 sessions,
additional user sessions are not allowed on the server because it has reached its
maximum load limit. The Default load evaluator functions best when the server hardware
can adequately support up to 100 users without fully consuming server resources. If the
server is not able to support at least 100 users, either because of resource-intensive
applications or hardware limitations, Citrix recommends that either the Advanced load
evaluator or a custom load evaluator be considered for that environment.
Note!
Load Manager applies the Default load evaluator if the administrator publishes an
application to multiple servers and does not specify a load evaluator. An administrator
cannot modify the Default and
Advanced load evaluators; however, an administrator can create custom load evaluators
based on the same rules or on different rules entirely.

Advanced :Load Evaluator Use the Advanced Load Evaluator to limit memory usage, CPU
utilization, and page swaps on a server for load management.

The Advanced load evaluator is based on the following rules:


CPU Utilization, which reports a full load when processor utilization is greater than 90%
and no load when the processor utilization is less than 10%
Memory Usage, which reports a full load when memory usage is greater than 90% and
no load when memory usage is less than 10%
Page Swaps, which reports a full load when the number of page swaps per second is
greater than 100 and no load when the number of page swaps per second is equal to 0
Citrix recommends using the Advanced load evaluator in environments where server
resources become overutilized before the maximum number of users connect. The
Advanced load evaluator is also ideal when publishing applications that are CPU or
memory intensive.
Note!
Load evaluators that include more than one rule, such as the Advanced load evaluator,
calculate their load values by first determining the individual load for each rule within the
evaluator. Load Manager then uses a complex algorithm to determine the true load value
of the server or application. This algorithm includes all applicable load values and gives
the most weight to the load rule with the highest load value.
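Added example, not from the original page and not Citrix code: a small model of how the rule thresholds above turn raw counters into load values and how a least-busy server is chosen. Load Manager reports loads on a 0 to 10000 scale with 10000 meaning full load; the linear scaling between a rule's no-load and full-load thresholds, and taking the maximum rule value as the combined load, are my assumptions, since Citrix documents only that the rule with the highest value gets the most weight. The three servers are constructed samples; `rule_load`, `evaluator_load` and `least_busy` are names of my own.

```python
FULL_LOAD = 10000  # Load Manager's load scale: 0 = no load, 10000 = full load

# Rule thresholds taken from the page: (no-load value, full-load value).
ADVANCED_RULES = {
    "cpu_pct":        (10, 90),    # CPU Utilization rule
    "memory_pct":     (10, 90),    # Memory Usage rule
    "page_swaps_sec": (0, 100),    # Page Swaps rule
}
DEFAULT_RULES = {"sessions": (0, 100)}  # Server User Load: full at 100 sessions


def rule_load(value, no_load, full_load):
    """Map one counter to 0..FULL_LOAD. Linear between the thresholds,
    clamped outside them (the linear shape is an assumption)."""
    if value >= full_load:
        return FULL_LOAD
    if value <= no_load:
        return 0
    return round(FULL_LOAD * (value - no_load) / (full_load - no_load))


def evaluator_load(rules, sample):
    """Combined load of one server under one evaluator. Citrix only says the
    rule with the highest value gets the most weight; using the maximum is
    the simplest combination consistent with that (assumption).
    Returns (combined_load, {rule: load})."""
    per_rule = {name: rule_load(sample[name], lo, hi)
                for name, (lo, hi) in rules.items()}
    return max(per_rule.values()), per_rule


def least_busy(rules, servers):
    """Pick the server a new connection should go to: lowest combined load
    among servers that are not at full load. Returns (name, load), or None
    when every server is full (the connection would be refused)."""
    candidates = [(evaluator_load(rules, sample)[0], name)
                  for name, sample in servers.items()]
    candidates = [c for c in candidates if c[0] < FULL_LOAD]
    if not candidates:
        return None
    load, name = min(candidates)
    return name, load


# Constructed samples: MF-02 has few sessions but a saturated CPU.
SERVERS = {
    "MF-01": {"cpu_pct": 50, "memory_pct": 30, "page_swaps_sec": 5,  "sessions": 40},
    "MF-02": {"cpu_pct": 95, "memory_pct": 20, "page_swaps_sec": 0,  "sessions": 10},
    "MF-03": {"cpu_pct": 20, "memory_pct": 60, "page_swaps_sec": 50, "sessions": 101},
}

if __name__ == "__main__":
    for name, rules in (("Default", DEFAULT_RULES), ("Advanced", ADVANCED_RULES)):
        print(name, "evaluator chooses", least_busy(rules, SERVERS))
```

With the Default rules MF-02 (10 sessions, 95% CPU) is chosen; with the Advanced rules it is excluded as full and MF-01 is chosen instead, which is exactly the situation the page says the Advanced evaluator exists for.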
Custom load evaluator
Load evaluators are based on system resources and system resource consumption. An
administrator can create a custom load evaluator if the Default or Advanced load
evaluators are not adequate based on the hardware or application configuration of the
servers. To create a custom load evaluator an administrator can either create a new load
evaluator or copy an existing load evaluator and modify it.
A custom load evaluator is any load evaluator with the exception of the Default or
Advanced load evaluators and contains one or more rules.
Creating load evaluators based on simple rules can provide more accurate results than
creating complex load evaluators with multiple rules.
Warning!
Consider the effect of building custom load evaluators and selecting certain rules. Be sure
that all load evaluator configurations are fully tested prior to implementing the rules in a
production environment. For example, CPU utilization can spike for brief moments; therefore,
that rule by itself may not provide the best method for load balancing and may not give a
true reflection of CPU usage.


What is the difference between TS Licensing in Windows 2000 and Windows 2003?
Difference between RDP and ICA
Difference between Program Neighborhood Agent (PNA) and Program Neighborhood (PN)
Services on Citrix
Citrix Print Manager
The Citrix Print Manager Service (cpsvc.exe) controls the creation, deletion and management
of all client printers.
Citrix XML Service
MetaFrame XP uses the Citrix XML Service to supply servers running the Web Interface for
MetaFrame XP, and ICA clients, with the names of applications published on MetaFrame XP
servers. By default, MetaFrame XP Setup configures the Citrix XML Service to share the
default TCP port (port 80) with Microsoft Internet Information Services. If you intend to
send data to the Web Interface for MetaFrame XP over a secure HTTP connection using SSL, be
sure that the Citrix XML Service is set to share its port with IIS and that IIS is configured
to support HTTPS. This matters because the Web Interface forwards the user's credentials to
the XML Service during logon, so XML traffic over plain port 80 exposes them to anyone on
the path.
Client device users use a web browser to view the logon page and enter their credentials.
The web server reads the user's information and uses the Web Interface's classes to forward
it to the Citrix XML Service on servers in the server farms. The designated server acts as a
broker between the web server and the farm servers.
The Citrix XML Service on the designated server then retrieves the list of applications that
the user can access. These applications comprise the user's application set. The Citrix XML
Service retrieves the application set from the Independent Management Architecture (IMA)
system (MetaFrame XP) or from the Program Neighborhood Service (MetaFrame 1.8), respectively.
In a MetaFrame Presentation Server for UNIX farm, the Citrix XML Service on the designated
server uses information gathered from



the ICA browser and the local Web Interface configuration file to determine which
applications the user can access. The Citrix XML Service then returns the user's application
set information to the Web Interface's classes running on the server.
The user initiates the next step by clicking one of the hyperlinks in the HTML page.
The Citrix XML Service is contacted to locate the server in the farm that is least busy. The
XML Service requests a ticket from the least busy server corresponding to the user's credentials.
The XML Service returns the least busy server's address and the ticket to the Web Interface.
The classes finish parsing the template file and send a customized ICA file to the web browser.
The web browser receives the file and passes it to the ICA client.
The client receives the file and initiates a session with the server according to the file's
connection information.
Citrix XTE service
Session reliability is provided by the Citrix XTE service through the Common Gateway Protocol
(CGP). By default, CGP uses TCP port 2598. Session reliability enables sessions to remain open
and on screen when network connectivity is interrupted. Client users can continue to view the
application while the network connection is restored. This feature is useful for mobile users with
wireless connections.
A user has one printer in his Citrix session. However, when he prints to that printer,
features like duplex, staple etc. do not take effect in the print jobs. When he prints to the
same printer outside Citrix, these features are available. What could be the issue?
The printer in the Citrix session is using the Citrix Universal Print Driver (UPD), which does
not expose all features of the printer, because the native driver for the user's printer is
not installed on the Citrix server.
You have a Citrix server with around 200 print drivers installed. All these drivers have to
be made available on another server, which is going to be load-balanced with this one. What
are the different ways of accomplishing this task?
1. Print driver replication through the CMC
2. PrintMig (Microsoft Print Migrator)
Citrix IMA Service is failing. What will be the troubleshooting steps to resolve this issue?
1. Check connectivity to data store.
2. Try recreating lhc using the command dsmaint recreatelhc.
3. Check for the .dll which is failing to load. (This can be found in
HKLM\Software\Citrix\IMA\Runtime\CurrentlyLoadingPlugIn)
The Independent Management Architecture (IMA) service fails to start.
Cause
There can be a number of reasons why the IMA Service appears not to have started, including
the following:
IMA Service load time
IMA Service subsystem
Missing Temp directory
Print spooler service
ODBC configuration
Roaming Profile
Another server with an identical NetBIOS name on the same network
IMA Service Load Time
If the Service Control Manager reports that the IMA Service could not be started, but the service
eventually starts, ignore the error message.
The Service Control Manager has a timeout of 6 minutes. The IMA Service can take longer than 6
minutes to start if the load on the database exceeds the capabilities of the database hardware or
if the network has high-latency.



IMA Service Subsystem


Examine the following Windows Registry setting:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\CurrentlyLoadingPlugin
If there is no value specified in the CurrentlyLoadingPlugin portion of the above Windows Registry
entry, then either the IMA Service could not connect to the data store or the local host cache is
missing or corrupt.
If a CurrentlyLoadingPlugin value is specified, the IMA Service made a connection to the data
store and the value displayed is the name of the IMA Service subsystem that failed to load.
Missing Temp Directory
If administrators see an IMA Service Failed error message with an error code of 2147483649
(0x80000001) when starting the MetaFrame XP Presentation Server, the local system account may
be missing a Temp directory, which is required for the IMA Service to run.
To gain further insight into the situation, change the IMA Service startup account to the local
administrator and restart the server. If the IMA Service is successful in starting under the local
administrators account, then the odds are greater that a missing Temp directory for the local
system account is causing the situation.
If the Temp directory is not present, then manually create one as %systemroot%\Temp. For
example:
C:\Winnt\Temp
Also, verify that the TMP and TEMP system environment variables point to the temporary
directory. Restart the server to restart the IMA Service.
Print Spooler Service
When the MetaFrame XP Presentation Server attempts to start the IMA Service, the Setup Could
Not Start The IMA Service error message is displayed. This error shows that the IMA Service is
not starting, possibly due to the print spooler service not running or being configured incorrectly.
In addition, the following error messages appear in the Event Viewer:
Failed to load plugin MfPrintSs.dll with error 80000001h
Failed to load initial plugins with error 80000001h
The Independent Management Architecture service terminated with service-specific error
The error occurs because the print spooler service:
Has stopped
Is disabled
Is not configured to run under the Local System Account
To correct this error, verify that the print spooler service was started in the context of system
rather than in the context of a user. A print spooler service that is not running or has been
configured incorrectly may cause the printing subsystem to fail to load.
To resolve the situation, stop and start the print spooler service, making sure that it is configured
to run under the Local System Account. Then once again try to start the IMA Service.
ODBC Configuration
1. Verify that the Microsoft SQL Server or Oracle server is online.
2. Verify the name of the DSN file that the IMA Service is using by looking at the following key in
the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DataSourceName.
3. Attempt to connect to the database using the DSN file with an ODBC test utility such as Oracle
ODBC Test or SQL Server ODBC Test.
4. Verify that the correct user name and password are being used for database connectivity.
5. Change the user name and password using the DSMAINT CONFIG command, if needed.
6. Enable ODBC Tracing for further troubleshooting.
Roaming Profile
When the MetaFrame XP Presentation Server attempts to start the IMA Service, the Setup Could
Not Start The IMA Service error message is displayed. In the event viewer you might see the
following error: IMA_RESULT_INVALID_MESSAGE or other events related to the IMA Service
not being able to start.
Verify the size of the roaming profile especially if it is crossing a WAN. Also watch for error
messages related to not being able to load the profile. Test with a local user profile or one that is
smaller in size.



Another server with an identical NetBIOS name on the same network


Verify that there is not another server on the network with the same NetBIOS name on the
network. If the CurrentlyLoadingPlugin has the ImaLicSs.dll listed this might be an indication of
this condition. Another symptom of ImaLicSs.dll is from the MetaFrame XP SP4 Readme:
106. The IMA Service failed to start because of license group corruption in the data store.
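Added example, not from the page and not Citrix code: the decision tree in the troubleshooting text above expressed as a triage function over a snapshot of the facts an admin collects (the CurrentlyLoadingPlugin registry value, event-log lines, spooler state, Temp directory, whether the service eventually came up). The snapshots are constructed, the finding codes and function names are my own, and the "LocalSystem" account string is an assumption about how the caller records the spooler's service account.

```python
# Constructed snapshots of what an admin collects from a failing server;
# the keys are my own names, not Citrix ones.
SNAPSHOTS = {
    "spooler_wrong_account": {
        "currently_loading_plugin": "MfPrintSs.dll",
        "events": ["Failed to load plugin MfPrintSs.dll with error 80000001h",
                   "Failed to load initial plugins with error 80000001h"],
        "spooler_running": True,
        "spooler_account": r"CORP\svc_print",   # should be LocalSystem
        "temp_dir_exists": True,
    },
    "no_data_store": {
        "currently_loading_plugin": "",          # IMA never got past the data store
        "events": [],
        "spooler_running": True,
        "spooler_account": "LocalSystem",
        "temp_dir_exists": True,
    },
}

# Remedies, one per finding code, taken from the troubleshooting text.
ADVICE = {
    "SCM_TIMEOUT_ONLY": "service started after the 6-minute SCM timeout; ignore the error",
    "MISSING_TEMP_DIR": "create %systemroot%\\Temp for Local System, check TMP/TEMP, restart",
    "DATASTORE_OR_LHC": "no plugin recorded: check the ODBC DSN named in "
                        "HKLM\\SOFTWARE\\Citrix\\IMA\\DataSourceName, then dsmaint recreatelhc",
    "PRINT_SPOOLER": "run the Print Spooler as Local System, restart it, then restart IMA",
    "DUPLICATE_NETBIOS_OR_LICENSE_GROUP": "ImaLicSs.dll failed: look for another host with "
                        "the same NetBIOS name, or license group corruption in the data store",
    "ROAMING_PROFILE": "IMA_RESULT_INVALID_MESSAGE: test with a small local profile",
}


def triage_ima(snapshot):
    """Order findings for an IMA start failure, cheapest checks first.
    Returns finding codes; PLUGIN_FAILED carries the subsystem name."""
    if snapshot.get("service_running_now"):
        return ["SCM_TIMEOUT_ONLY"]
    findings = []
    if snapshot.get("error_code") == 0x80000001 or not snapshot.get("temp_dir_exists", True):
        findings.append("MISSING_TEMP_DIR")
    plugin = snapshot.get("currently_loading_plugin", "")
    events = snapshot.get("events", [])
    if not plugin:
        findings.append("DATASTORE_OR_LHC")
    else:
        findings.append("PLUGIN_FAILED:" + plugin)
        if plugin.lower() == "mfprintss.dll":
            spooler_ok = (snapshot.get("spooler_running", False)
                          and snapshot.get("spooler_account") == "LocalSystem")
            if not spooler_ok:
                findings.append("PRINT_SPOOLER")
        elif plugin.lower() == "imalicss.dll":
            findings.append("DUPLICATE_NETBIOS_OR_LICENSE_GROUP")
    if any("IMA_RESULT_INVALID_MESSAGE" in e for e in events):
        findings.append("ROAMING_PROFILE")
    return findings


def explain(snapshot):
    """Human-readable version of triage_ima for a runbook."""
    return [f"{code}: {ADVICE.get(code.split(':')[0], 'see the troubleshooting steps')}"
            for code in triage_ima(snapshot)]


if __name__ == "__main__":
    for name, snap in SNAPSHOTS.items():
        print(name, "->", explain(snap))
```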
You have one TS License Server in your Windows 2003 domain. You need to point all your
Citrix servers at this server for TS licenses. How would you accomplish this?
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers
create a subkey whose name is the name of your TS license server (one subkey per license
server).
When I open the CMC, some of the nodes like Printer Management, Licensing etc. are not
visible, although I have logged on to the CMC as a Citrix administrator. What command needs
to be issued to resolve this?
The command dscheck /update will resolve the inconsistencies in the data store, which
resolves this issue.
What Citrix Products Interact with the STA?
Web Interface, NFuse Classic, NFuse Elite, MetaFrame Secure Access Manager, and Citrix Secure
Gateway all share use of the STA. Throughout this document, the following types of servers are
grouped into a single category called application enumeration servers:
Web Interface 2.0 or later
Secure Access Manager 2.0 or later
NFuse Classic 1.7 and earlier
Project Columbia 6.01.034 or later
NFuse Elite 1.0
Application enumeration servers are responsible for authenticating users, enumerating published
application icons, and producing an ICA file for a client that allows them to connect to a published
application through a secure gateway server.
Why Is the STA Necessary?
In Citrix Secure Gateway deployments, the gateway server does not perform authentication of
incoming requests. Instead, the gateway server defers authentication to an application enumeration
server and uses the STA to guarantee that each user is authenticated. Application enumeration
servers request tickets only for users who are already authenticated to the Web server. If users
have valid STA tickets, the gateway assumes that they passed the authentication checks at the
Web server and should be permitted access.
This design allows the Citrix Secure Gateway server to inherit whatever authentication methods are in place
on your Web server. For example, if your Web Interface server is protected with RSA SecurID, by design
only SecurID-authenticated users can traverse the secure gateway server.
How Is the STA Service Implemented?
The STA is written as an ISAPI extension for Microsoft Internet Information Services (IIS). The
extension is called CtxSta.dll and is hosted in the /Scripts folder by default. Other components
communicate with the STA using XML over HTTP.

Application enumeration servers request tickets at application launch time by sending data to the
STA as part of a ticket request. The data sent to the STA includes the address of the MetaFrame
Presentation Server to which the user will connect and, in the case of Web Interface 2.0 and
Secure Access Manager 2.0, extended information about the name of the current user and the
published application the user wants to run. The STA responds by generating a ticket and sending
it back to the application enumeration server. This ticket and its corresponding data remain in
memory at the STA for a configurable number of seconds (100 by default).
The application enumeration server constructs an ICA file for the user and inserts the STA ticket in the
Address field of the ICA file. When the client connects to the secure gateway, the ticket is presented and the
gateway must validate the ticket before establishing a secure session for the client. The gateway performs a
data request by sending the ticket back to the STA and asking for its corresponding data in return. If
successfully validated, the STA forwards the original data to the gateway and the gateway establishes a
relay between the end user and the MetaFrame Presentation Server.
Both ticket requests and data requests are carried out as XML request/response documents. The procedure
is discussed in greater detail in the Secure Gateway for MetaFrame Administrators Guide.
Is there a Version of the STA that does not Require IIS?
No, at this time IIS is required to host the STA. Bear in mind that the STA does not have to be
exposed to an untrusted network like the Internet; the STA resides on your trusted network and is
accessed by the gateway and application enumeration servers only.
Where does the STA Server Reside?
The STA server can be placed anywhere as long as the secure gateway and application
enumeration servers can reach it. Citrix recommends placing the STA on the trusted network or on
a separate leg of your internal firewall, but there are no requirements for the STA server other than
IIS. The STA need not belong to any domain, MetaFrame Presentation Server farm, Secure Access
Manager farm, or other internal Web server, but sharing the STA with another function is common
practice. An STA is included automatically as part of the Secure Access Manager 2.0 setup; many
administrators find it convenient to locate the STA on a MetaFrame server.
Security Questions
How Is the STA Ticket Generated?
The ISAPI extension CtxSta.dll uses pseudo-random number generation to produce a 16-byte
value, rendered as a hexadecimal string. For security reasons, Citrix does not disclose the exact steps
used to produce this random sequence of characters.
Is the Ticket Validated against the Workstation?
No, there is nothing that ties a ticket to a particular workstation. It is theoretically possible for a
ticket to be requested from Workstation A and then used from Workstation B. To mitigate this risk:
Always use HTTPS between the client and the application enumeration server to prevent an
attacker from intercepting the ticket as it travels from server to client
Reduce the ticket time-to-live as much as possible to reduce the amount of time an attacker
would have to transfer the ticket from Machine A to Machine B
Bear in mind that a ticket issued by the STA can be used only once, so if the intended user on
Machine A connects successfully, the ticket is invalid for all future connection attempts from
Machine A or Machine B.
Is the Ticket Deleted after Use?
Yes, tickets are purged immediately after a successful data request so they can be used only once.
They are also deleted after a configurable time-out (default 100 seconds) if not used.
Must the STA always be Addressed using a Fully-Qualified Domain Name?
If you intend to secure traffic to the STA using SSL, any component that accesses the STA,
including your gateway server and application enumeration server, must address the STA using the
fully-qualified domain name (FQDN) that matches the subject of the server certificate used by IIS
on the STA. For example, in Web Interface 2.0, the STA address would be entered as:
https://sta-server.company.com/Scripts/CtxSta.dll
If you choose not to secure traffic to the STA, you can address the STA using an IP address, host
name, or FQDN.
How do I Change the STA Port from 80 to Something Else?
Because the STA is served by IIS, you change the STA port when you change the IIS port. Here's
an example of how to change the IIS port from 80 to 81.
1. Open Internet Services Manager.
2. Right-click Default Web Site and view its Properties.
3. On the Web Site tab, change the TCP port number from 80 to 81.
4. Click OK.
The above change also affects any other resources published from the STA Web server. If you want to
alter the STA communication port without affecting other Web pages hosted by the same Web server, you
can create a new Web site in IIS for the sole purpose of hosting the STA. The following is an example of how
you would create a new Web site on port 81 for the STA:
1. Create a new physical folder such as C:\MYSTA on your Web server's hard drive to serve as the
document root for the STA site.
2. Create a subdirectory beneath MYSTA called Scripts. Move the following files from your existing
STA into the new Scripts folder:
CtxSta.dll
CtxSta.config
ctxxmlss.txt
3. Open Internet Services Manager.
4. Right-click the server name and select New > Web site.
5. Create a new Web site called My STA site, with C:\MYSTA as the document root directory.
6. View the properties of your new Web site and change the TCP port to 81.
7. Beneath My STA site in Internet Services Manager, right-click the Scripts folder and view its
properties. In the Application Settings section, change the Execute permissions to Scripts and
Executables.
Note: You can choose a folder name other than Scripts, but be aware that Secure Gateway and all
application enumeration servers such as NFuse Classic and Web Interface assume that the STA is
published as /Scripts/CtxSta.dll, so you will also need to update the STA URL in the settings on
those servers.
What other Information Is Required to Log on other than a Valid STA Ticket?
Users also need domain credentials or a MetaFrame Presentation Server ticket that is requested
by the application enumeration server. (A MetaFrame Presentation Server ticket is not the same as
an STA ticket.) Satisfying the STA opens a path only to the trusted network for a particular server.
Once there, the user must still authenticate with valid domain credentials.
How many STAs do I Need?
Because the STA is accessed only when a user launches an application, the answer to this
question varies from one deployment to the next. Do users log on through the gateway in the
morning and run a single published application all day, or do they launch several applications
throughout the day?
The duties performed by the STA are not expensive in CPU terms; it is a light XML service limited only by
the performance of IIS. In one test, a low-range server with a 1GHz processor and 256MB of RAM
supported over 250 ticket requests per second while CPU utilization stayed below 60%.
How can I Ensure STA Fault Tolerance?
The following application enumeration servers all allow you to enter multiple STA URLs when
configuring the parameters for Secure Gateway:
Web Interface 2.0
Secure Access Manager 2.0
NFuse Classic 1.7
NFuse Classic 1.61
Project Columbia 6.01.034 and higher
In all cases, if an STA fails to respond, the application enumeration server tries another STA on the
list. Each gateway server in turn must be configured with the STA URL and unique STA ID for each
ticket authority.
How do I Load Balance Multiple STAs?
Special care needs to be taken when load balancing Secure Ticket Authorities. A variety of methods
can be used to load-balance the connection between an application enumeration server and the
STAs, but a Secure Gateway server must always contact each STA individually based on its STA
ID. When configuring the address of each STA in the gateway service configuration tool, each STA
address must be the true address of the STA server; do not enter the address of any hardware
load balancer, cluster name, or round-robin DNS name here.
NFuse Classic 1.7, Web Interface 2.0, and Secure Access Manager 2.0 all support round-robin
load balancing of the STAs when multiple STAs are listed. When this option is enabled, no
additional load balancing software or hardware are required.
Application enumeration servers can use any form of load balancing for issuing a ticket request because
each ticket received contains a field indicating the unique ID of the STA that generated it. As long as each
STA ID is unique and all gateway servers can resolve the STA ID to a particular (not load balanced) server
address, the operation succeeds and STA traffic is load balanced.
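The ticket life cycle described under "How Is the STA Service Implemented?" and "Is the Ticket Deleted after Use?", together with the STA-ID rule from the load-balancing answer above, modelled in Python. This is an added example and not Citrix code: the real components exchange XML over HTTP with CtxSta.dll, whereas here the enumeration server, the STAs and the gateway are plain Python objects; the "STAID;ticket" layout of the Address= value is an assumption, the user names and server addresses are constructed, and the clock is faked so that the 100-second time-out can be exercised without waiting.

```python
"""Model of the STA ticket exchange: issue, single use, time-out, STA IDs, and why
the gateway-to-STA leg must not be load balanced.  Added example, not Citrix code.
The "STAID;ticket" layout of the Address= value is an assumption."""
import secrets
import time
from itertools import cycle


class SecureTicketAuthority:
    """In-memory STA: tickets are unpredictable, single use and time limited."""
    def __init__(self, sta_id, ttl_seconds=100, clock=time.monotonic):
        self.sta_id = sta_id        # must be unique across all STAs
        self.ttl = ttl_seconds      # FAQ default: 100 seconds
        self.clock = clock
        self._tickets = {}          # ticket -> (data, expiry)

    def request_ticket(self, data):
        """Ticket request: remember data, return 16 random bytes as a hex string."""
        self._purge_expired()
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (data, self.clock() + self.ttl)
        return ticket

    def request_data(self, ticket):
        """Data request: return the stored data once; unknown, used or expired -> None."""
        self._purge_expired()
        entry = self._tickets.pop(ticket, None)     # pop: a ticket is purged on use
        return None if entry is None else entry[0]

    def _purge_expired(self):
        now = self.clock()
        for t in [t for t, (_, exp) in self._tickets.items() if exp <= now]:
            del self._tickets[t]


class EnumerationServer:
    """Web Interface / NFuse stand-in: round-robins ticket requests over its STA list."""
    def __init__(self, stas):
        self._rotation = cycle(stas)

    def ica_address(self, user, app, server_address):
        """Value for the ICA file's Address= line: STA ID and ticket, never the server."""
        sta = next(self._rotation)
        ticket = sta.request_ticket({"user": user, "app": app, "server": server_address})
        return f"{sta.sta_id};{ticket}"


class SecureGateway:
    """Correct gateway: resolves the issuing STA by its ID, then redeems the ticket."""
    def __init__(self, stas):
        self._by_id = {s.sta_id: s for s in stas}

    def connect(self, ica_address):
        sta_id, _, ticket = ica_address.partition(";")
        sta = self._by_id.get(sta_id)
        return None if sta is None else sta.request_data(ticket)    # None -> deny


class LoadBalancedGateway(SecureGateway):
    """Misconfigured gateway: its STA address is a balancer, so the STA ID is ignored."""
    def __init__(self, stas, balancer_order):
        super().__init__(stas)
        self._balancer = cycle(balancer_order)   # balancer's own, unsynchronised rotation

    def connect(self, ica_address):
        _, _, ticket = ica_address.partition(";")
        return next(self._balancer).request_data(ticket)


def run_scenarios():
    """Exercise the behaviours the FAQ describes (all names and addresses are constructed)."""
    now = [0.0]                                   # fake clock, advanced by assignment
    sta_a = SecureTicketAuthority("STA_A", clock=lambda: now[0])
    sta_b = SecureTicketAuthority("STA_B", clock=lambda: now[0])
    enum_srv = EnumerationServer([sta_a, sta_b])
    gateway = SecureGateway([sta_a, sta_b])
    out = {}
    # 1. Normal launch: first data request succeeds, replaying the same ticket is denied.
    addr = enum_srv.ica_address("alice", "Notepad", "10.0.0.5:1494")
    out["first_use"] = gateway.connect(addr)
    out["replay"] = gateway.connect(addr)
    # 2. A ticket that is never used disappears after the time-out.
    addr = enum_srv.ica_address("bob", "Word", "10.0.0.6:1494")
    now[0] = 101                                  # past the 100 s time-out
    out["expired"] = gateway.connect(addr)
    # 3. Balancer between gateway and STAs: denied whenever it picks a non-issuing STA.
    bad_gateway = LoadBalancedGateway([sta_a, sta_b], balancer_order=[sta_b, sta_a, sta_a])
    addrs = [enum_srv.ica_address(f"user{i}", "Excel", "10.0.0.7:1494") for i in range(4)]
    out["nlb_outcomes"] = [bad_gateway.connect(a) is not None for a in addrs]
    # A wrongly routed ticket was never consumed, so the correct gateway still redeems it.
    out["recovered"] = gateway.connect(addrs[0])
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Running the module prints the scenario results: the first data request returns the stored server data, the replay and the expired ticket are both denied, and the balancer-fronted gateway is denied exactly when the balancer hands the ticket to an STA other than the issuer, which is the intermittent failure the NLB answer warns about. In this model a ticket sent to the wrong STA is not consumed, which is why the correctly configured gateway can still redeem it afterwards.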
Can I use Several STAs with Microsoft Network Load Balancing?
Network load balancing cannot be used between the Secure Gateway server and multiple STAs. If
configured this way, users receive intermittent denials because, during the ticket validation process,
the gateway might be load balanced to an authority that did not originally generate the user's ticket.
Can I Share a Single STA with Multiple Farms, Gateways, and Enumeration Servers?
Yes, a single STA can be shared among any number of Secure Gateway servers and application
enumeration servers. The STA is not restricted to any particular domain, farm, or application
enumeration server. It is an anonymous XML service.
Troubleshooting Questions
How should IIS be Configured to Host the STA?
The STA URL /Scripts/CtxSta.dll must be served with Anonymous access enabled. If you point
any Web browser to the STA URL you will not be prompted for a password.
You must grant the resource Scripts and Executables permission in the IIS metabase. This
permission is not needed for the entire /Scripts folder but can be set for the CtxSta.dll file
individually.
For Secure Gateway Version 1.1 and earlier, do not enable the Require SSL and Require 128-bit
SSL options.
By default, the following account permissions are needed:
On Windows 2000 servers
o The IUSR_MachineName account needs Read access to CtxSta.dll
o The IWAM_MachineName account needs Modify access to the log file directory, which
is \Inetpub\Scripts by default
On Windows 2003 servers
o The IUSR_MachineName account needs Read access to CtxSta.dll
o The built-in Network Service account needs Modify access to the log file directory, which
is \Inetpub\Scripts by default
How do I Enable Logging at the STA?
Using Notepad, edit the file \Inetpub\Scripts\CtxSta.config on the STA server and locate the line
that says LogLevel=0. For maximum logging, change this to LogLevel=3. You must restart the
World Wide Web Publishing Service for changes to take effect.
Note: After you enable logging, the user account under whose authority the STA executes
(IUSR_MachineName on Windows 2000 or Network Service on Windows 2003 by default) must have Write
access to the log file directory, which is \Inetpub\Scripts by default. You can also change the log file directory
when you edit CtxSta.config.
Why does the Microsoft IISLockDown Tool Break the STA?
If you accept all the default settings for the IISLockDown tool, the /Scripts folder is disabled. The
STA is implemented as an ISAPI extension published as /Scripts/CtxSta.dll; by disabling the /Scripts
directory, you deny access to the STA. Re-enable the /Scripts folder and allow Scripts and Executables
access for the STA to function.
How can I Test the STA to be Sure it is Working Properly?
If you point a Web browser to the STA URL, you will see either a blank white page or the message
405 Resource Not Allowed. Either of these results indicates a functioning STA. You can contact
the STA in this manner from the console of your Secure Gateway server and also from any
application enumeration server configured to use the gateway. If you receive an authentication
dialog box prompting you for a password, the STA is not published anonymously and authentication
requirements need to be removed.
To verify that the application enumeration server is successfully requesting STA tickets, look at the ICA files
it generates. For example, from Web Interface 2.0, you can right-click a published application icon and save
the result as launch.ica. Open launch.ica in Notepad and view the Address= line. For normal Secure
Gateway operation, the Address parameter will contain a ticket instead of an actual MetaFrame server
address.
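The same launch.ica check done programmatically, as an added example that is not Citrix tooling: the saved ICA file is INI-formatted, so it can be parsed and each application's Address= value classified as a ticket or as a real server address leaked to the client. The sample ICA text is constructed, and the "STAID;<32 hex digits>" ticket layout is an assumption; the FAQ says only that a ticket is 16 random bytes expressed in hexadecimal.

```python
"""Classify the Address= value of each application in a launch.ica file.
Added example, not Citrix code; sample ICA content is constructed and the
ticket layout (optional STA ID, then 32 hex digits) is an assumption."""
import configparser
import re

# Assumed ticket layout: optional "STAID;" prefix, then a 16-byte ticket as 32 hex digits.
TICKET_RE = re.compile(r"^(?:[A-Za-z0-9_-]+;)?[0-9A-Fa-f]{32}$")
# IPv4 literal or DNS name, optionally with :port -- a real MetaFrame address.
SERVER_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z][A-Za-z0-9-]*(?:\.[A-Za-z0-9-]+)*)(?::\d{1,5})?$"
)


def check_ica(ica_text):
    """Return {app: (address, ticketed)}; ticketed is True, False, or None if unrecognised."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ica_text)
    report = {}
    for section in cp.sections():
        if section in ("WFClient", "ApplicationServers") or not cp.has_option(section, "Address"):
            continue
        address = cp.get(section, "Address").strip()
        if TICKET_RE.match(address):
            ticketed = True          # normal Secure Gateway operation
        elif SERVER_RE.match(address):
            ticketed = False         # server address exposed: gateway not in the path
        else:
            ticketed = None          # inspect by hand
        report[section] = (address, ticketed)
    return report


# Constructed sample of a ticketed launch.ica (field names follow the usual ICA file layout).
TICKETED_ICA = """\
[WFClient]
Version=2
[ApplicationServers]
Notepad=
[Notepad]
Address=STA01;0123456789abcdef0123456789abcdef
SSLEnable=On
SSLProxyHost=gateway.company.com:443
"""

# Same file with the ticket replaced by a real server address, i.e. the misconfigured case.
LEAKED_ICA = TICKETED_ICA.replace("STA01;0123456789abcdef0123456789abcdef", "10.0.0.5:1494")

if __name__ == "__main__":
    for name, text in (("ticketed", TICKETED_ICA), ("leaked", LEAKED_ICA)):
        print(name, check_ica(text))
```

A False result means the enumeration server is handing the client the MetaFrame server's own address, so the Secure Gateway configuration on that server should be checked before anything else.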

What do you mean by Global Catalog, and what are the roles of a Global Catalog server?
The global catalog is a database holding a full replica of the domain controller's own domain and a
partial replica of every other domain in the forest. It is used for forest-wide searches and, during logon,
to resolve universal group membership and UPN logons, so in a multi-domain forest a global catalog
server must be reachable for logons to succeed.
What are the steps to find out which DC is the schema master for your existing
domain?
Install the Administration Tools Pack (adminpak.msi), register the schema snap-in with
regsvr32 schmmgmt.dll, add the Active Directory Schema snap-in to an MMC console, and open
Operations Master from the snap-in's context menu; the dialog names the current schema master.
What do you mean by Universal Group, and how is it used in a live
environment?
Universal groups are available forest-wide, so they can be used for permissions anywhere in the forest.
Universal group membership caching for branch-office sites is one of the most important uses of
universal groups.
What is the function of KCC?
Knowledge Consistency Checker (KCC) automatically manages replication within a site. The
KCC uses a bidirectional ring topology that uses remote procedure call (RPC) over TCP/IP
without compression. Domain controllers (DCs) within a site are typically on
What is the name of the Active Directory database and where is it located?
NTDS.DIT, in %SystemRoot%\NTDS by default.
What is an SOA record and why is it important for AD?
The SOA (start of authority) record is the first record in every properly configured zone, and only one
SOA record is allowed per zone. Its fields name the zone's primary server and responsible mailbox and
carry the serial number and the refresh, retry, expire and minimum TTL timers. The SOA record is what
marks the server as authoritative for the zone; Active Directory relies on DNS for domain controller
location, so each AD zone must have a correct SOA record.
What are the contents of SYSVOL?
SYSVOL is a shared directory that stores the server copy of the domain's public files, which are
replicated among all domain controllers in the domain. SYSVOL contains the data in a GPO:
the GPT, which includes Administrative Template-based Group Policy
Give your inputs on SYSVOL vs. NETLOGON.
Logon scripts are found under the domain controller's NETLOGON admin share on Windows NT,
whereas they are found under the SYSVOL share on Windows 2000. This can cause some
confusion for Windows NT admins not familiar with the name change. On Windows NT
What are security principals, and how are they related to SIDs?
Security principals:
1) Any entity that can be authenticated by the system, such as a user account, a computer
account, or a thread or process that runs in the security context of a user or computer account.
2) Security groups of these accounts.
Each security principal is assigned a security identifier (SID) when it is created; ACLs and access
tokens reference the SID rather than the name, so renaming a principal does not change its access.
What is the meaning of universal group caching? In which kind of live environment is it useful?
Universal group caching is a way to have information about users and their group membership without
a local Global Catalog.
It is used in multi-site environments where the link speed of one or more sites is extremely slow (say
33.6 Kbps or a bit higher). In this case we nee
How do you back up the quorum drive?
1. Open Cluster Administrator.
2. If you are not already connected to a cluster, connect to one. In the console tree, click the cluster
node.
3. On the File menu, click Properties and verify that the Cluster service is running on the node on
which you are performing the backup.
4. Open Backup.
5. Click Advanced Mode in the Backup or Restore Wizard.
6. Click the Backup tab; then, under "Click to select the check box for any drive, folder, or file that you
want to back up", select the check box next to System State.
The FSMO Roles
The five FSMO roles are as follows:
Schema master. This role is held by only one domain controller per forest. This role
coordinates all changes to the Active Directory schema, and is required in order to
process any schema updates. Only the schema master is permitted to replicate schema
changes to other domain controllers in a forest.
Domain naming master. This role is held by only one domain controller per forest. This role
handles all changes to the forest-wide domain namespace, and is the only role that can process
the addition or removal of a domain to or from the forest.
RID master. This role is held by only one domain controller per domain. This role
manages the relative identifier (RID) pool for the domain (for more information about
RIDs, see the sidebar Relative Identifiers in a Domain). This role is also responsible for
moving objects from one domain to another within a forest.
PDC emulator. This role is held by only one domain controller per domain. This role is
the central authority for time synchronization within a domain, and emulates the
functionality of a Windows NT 4.0 Primary Domain Controller (PDC). Any NT Backup
Domain Controllers (BDCs) in a domain replicate from the PDC emulator. Pre-Windows
2000 (Win2K) clients without the Microsoft Directory Services Client (DSClient) contact
the PDC emulator to change user and computer passwords. The PDC emulator is also
responsible for processing account lockouts. Finally, any failed logon attempts are first
Infrastructure master. This role is held by only one domain controller per domain. This role
updates object security identifiers (SIDs) and distinguished names (DNs) in cross-domain object
references.
To seize the schema master role:
1. Open a command prompt window.
2. Run Ntdsutil.
3. At the Ntdsutil command prompt, enter roles.
4. Enter connections.
5. Enter connect to server servername, providing the fully qualified name of the domain controller
that is to take over the schema master role.
6. Enter quit to return to the roles menu.
7. Enter seize schema master.
