MetaFrame Administrator’s Guide
Security Considerations
In addition to using standard Windows NT security features and practices, access
to Citrix servers can be restricted in several ways:
• All users on a specific connection type can be restricted to running published
  applications only. By allowing users to access predefined applications only,
  you can prevent unauthorized users from obtaining access to the Windows
  desktop or a command prompt. Use the Advanced Connection Settings
  dialog box in Citrix Connection Configuration to restrict users to running only
  published applications.
• Published Application Manager lets you restrict an application to specified
  users or groups of users (explicit user access only).
• MetaFrame supports Internet firewalls that can be used to restrict Internet
  access to the MetaFrame server.
• Users can be required to enter a user name and password in order to execute an
  application (explicit user access only).
• Citrix and most Web professionals recommend you either disassociate your
  Web site from your production system or rigorously restrict external access.
  Any system accessible through the Internet is by definition a security risk and
  may give anyone unauthorized access to your production site through the Web.
  Therefore, unless you have very robust security and plan to use this with an
  Intranet, keep your Web server on a separate network loop outside your
  firewall, if you have one.
• The Aclcheck utility examines the security ACLs associated with your files
  and directories and can report on any potential security exposures. See
  Appendix A, “MetaFrame Command Reference,” for more information about
  this command.
• The Application Execution Shell (App) lets you write application execution
  scripts that perform actions before executing the application and perform
  cleanup after the application terminates. See Appendix A, “MetaFrame
  Command Reference,” for more information about this command.
Publishing a Standard Application
Once you enter your server(s) into a server farm, you can begin to publish
applications in the farm. Applications published in a farm automatically appear in
each specified Program Neighborhood user’s application set and are
pre-configured for such session properties as window size and colors and supported
level of encryption, audio, and video. Non-Program Neighborhood ICA Clients
will also have access to these applications: these ICA Client users can create
connections to the published application using their connection configuration
managers or can access the published application over the Internet or Intranet (in
the case of the ICA Web Clients).