[THIN] RE : Client Settings - the 'never ask again for any application' setting

  • From: Goudreault.Louis@xxxxxxxxxxx
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 17 Dec 2003 15:28:39 -0500

ICA Client File Security: WEB Client Drive Access and the Webica.ini File Explained

Document ID: CTX568194
This solution pertains to: ICA Client
Last modified: Wed May 09 10:34:19 2001

This document discusses the use of the Webica.ini file that is created on WinFrame- and MetaFrame-based clients using our Citrix ALE client plugin to connect to a server, load balanced server farm, or published application.

In particular, the nuances of the security setup for drive access and the ways to modify the Webica.ini file to override or preset certain types of access for your ICA based clients are discussed.

By default a WinFrame or MetaFrame server maps client drives and printers
from ICA-based clients 
that support that function. 
One of these is the Web Client that users download from a Web page 
when they want to start an ICA-enabled application from their Web site.

Because the ICA protocol is trying to establish a connection between client
hosts, 
some people have concerns over the type of client mapping and access being
given to the client's local hard drive. 
In response to these security concerns, we enhanced the original Web Client 
to have a more dynamic and configurable client drive capability.

With these new modifications, 
you can set the type of client access you want to have at the actual client
OS 
in which you have the browser and ICA Web Client installed. 
This is done through a Windows pop-up that is generated 
the first time that client accesses that particular server for that
application. 
Users have a choice of Full Access, Read Access, or No Access, as well as a
"Don't notify me again" check box.

Below is a sample INI file of what gets written to the client, and the definitions of the type of access that has been set per the INI file and the user's selection in the Windows menu. This file is called a Webica.ini file. When it is created and modified, it is placed in the %windir% path of the client's Windows operating system.


Webica.ini

[Access]
CurrentConnection=SQL DATABASE10.4.3.245
GlobalSecurityAccess=-1
SQL DATABASE10.4.3.245=405
179.103.132.77=-1


CurrentConnection=

This is the last server connection that was made. 
Notice it consists of the published application name and the server address.

If SQL DATABASE is load balanced between 10.4.3.245 and 10.4.3.145, 
when this user connects to 10.4.3.145, he or she gets the pop-up. 
The entry SQL DATABASE10.4.3.145=405 needs to be added. 
The user will not see a pop-up for SQL DATABASE10.4.3.245 because an entry
is already defined. 
This is done on a per IP address basis.

You can choose not to see the pop-up each time by selecting Do not notify me
again. 
It sets the GlobalSecurityAccess to the selected value. 
In this case it is (-1), which means it is not set and is ignored. 
If the GlobalSecurityAccess is set, it takes precedence over specific
entries.

For instance, assume you have a published application SQL database being
load balanced by servers A and B. 
If the client is directed to server A five times in a row and selects the
"Do not notify me again" button, 
the pop-up appears only at the first of the five connections.

Now assume the sixth connection is routed to server B due to server load
rerouting the connection. 
The pop-up appears again, because the user is attaching to a different
server.

This behavior is intentional. Trusting a remote server (or application) is
based on its IP address. 
Giving permission to a remote machine to access your local drives should
only be done on a per-address basis. 
This ability to "remember" given permission was added as an enhancement from
the original release version 
and was related to some very real security concerns. 
We wanted to be sure that malicious users could not get Read/Write access to
the client drives 
of Web-based users on the Internet.

If only the published application name is used, 
there is very little security. 
If I were trying to hack into systems, 
I could make a published application on the Internet and call it MSWORD. 
Any users who trust a published application called MSWORD would
automatically trust mine. 
But mine really isn't Word. 
In order to be sure we only trust the people we really want to, 
it uses the published application's name and server address.


Types of access based on the settings in the INI file are as follows:

[Access]
CurrentConnection=SQL DATABASE10.4.3.245
This is just a way of keeping track of the current connection. It is not a
security setting.

MSACCESS 10.4.3.228=405 

405 means give the server Full Access.
404 is Read Access.
403 is No Access.
-1 means no security setting is configured.

MSACCESS 10.4.3.227=405
This is a second server entry if MSACCESS is load balanced to more than one
server by its published application name.

NOTEPAD10.4.1.26=405
This is a second published application the client has accessed and set the
appropriate security on.

GlobalSecurityAccess=-1
This could be set to 405 and the user would never get prompted for security
on any connection.


The example below provides two ways to set this manually for a preconfigured
scenario.


Example:

SQL DATABASE is the published application. It is published on 10.4.3.245 and
10.4.3.246. 
You do not want your users to get prompted for the security access 
but you want the server to have full access to the client machines.


There are two possible solutions.

Solution 1:

Your Webica.ini file gets these two entries:

SQL DATABASE10.4.3.245=405
SQL DATABASE10.4.3.246=405

If you have these two entries in your Webica.ini file, you will not get a
pop-up when connecting to the published application SQL DATABASE regardless
of the server to which you connect.



Solution 2:

Your Webica.ini file gets this entry:

GlobalSecurityAccess=405


You will not get the pop-up for SQL DATABASE or any other published
application to which you connect.


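To make the precedence rules in the article concrete (a per-connection entry is keyed by published application name followed directly by the server address, a set GlobalSecurityAccess overrides every such entry, and a missing or -1 entry triggers the pop-up), here is an added Python example that parses a constructed Webica.ini and audits it for grants a defender would want to review. This is illustrative code written for this post, not Citrix's own client logic; the sample INI content is constructed from the article's entries.

```python
import configparser
from typing import Dict, List, Tuple

# Access codes as documented for the [Access] section of Webica.ini.
ACCESS_NAMES = {405: "Full Access", 404: "Read Access", 403: "No Access", -1: "Not set"}

# Constructed sample Webica.ini content, modelled on the article's example.
SAMPLE_WEBICA_INI = """[Access]
CurrentConnection=SQL DATABASE10.4.3.245
GlobalSecurityAccess=-1
SQL DATABASE10.4.3.245=405
179.103.132.77=-1
"""


def parse_webica(text: str) -> Dict[str, int]:
    """Return {entry_name: code} for [Access], dropping the non-security CurrentConnection key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep case: keys are "<published app name><server address>"
    cp.read_string(text)
    return {k: int(v) for k, v in cp["Access"].items() if k != "CurrentConnection"}


def effective_access(entries: Dict[str, int], app: str, server: str) -> Tuple[int, bool]:
    """Resolve the code that applies to (app, server) and whether the user gets the pop-up.

    A set GlobalSecurityAccess takes precedence over per-connection entries; otherwise the
    entry "<app><server>" is consulted, and a missing or -1 entry means the user is prompted.
    """
    global_code = entries.get("GlobalSecurityAccess", -1)
    if global_code != -1:
        return global_code, False
    code = entries.get(app + server, -1)
    return code, code == -1


def audit(entries: Dict[str, int]) -> List[str]:
    """Flag settings worth reviewing: a global grant, and any Full Access grant to a server."""
    findings = []
    g = entries.get("GlobalSecurityAccess", -1)
    if g != -1:
        findings.append(f"GlobalSecurityAccess={g} ({ACCESS_NAMES.get(g, '?')}) applies to every server, known or not")
    for key, code in entries.items():
        if key != "GlobalSecurityAccess" and code == 405:
            findings.append(f"{key}: Full Access to client drives")
    return findings


if __name__ == "__main__":
    entries = parse_webica(SAMPLE_WEBICA_INI)
    print(effective_access(entries, "SQL DATABASE", "10.4.3.245"))  # (405, False): remembered grant
    print(effective_access(entries, "SQL DATABASE", "10.4.3.145"))  # (-1, True): load-balanced peer prompts
    for finding in audit(entries):
        print(finding)
```

Running it against the constructed file shows why trust is per address: the load-balanced peer 10.4.3.145 still prompts, while Solution 2's GlobalSecurityAccess=405 would silence the prompt for every server.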
 

-----Original Message-----
From: Woodward, Michael [mailto:Michael.Woodward@xxxxxxxxxxxxxx] 
Sent: 17 December 2003 15:17
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Client Settings - the 'never ask again for any application' setting


OK, I have looked and looked.  On the standard Program Neighborhood setup;
When the client first connects to a server they get the message for client
security where they can select options including:

- Full Access, 

- Never ask again for any application.

Once a user has selected these options, where can they go to change them?
Client is 6.20.985.


Thanks

-----

C. Michael Woodward
Mid-Tier Support

Sun Chemical
Cincinnati, Ohio 45232
* 513.681.5950 x 576
* Michael.Woodward@xxxxxxxxxxxxxx
