[THIN] RE : Re: Citrix Access to local drives

  • From: Goudreault.Louis@xxxxxxxxxxx
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 22 Jan 2003 11:59:20 -0500

Have a look at Citrix document CTX568194

If you don't want the users to be prompted again,
just modify the webica.ini and set GlobalSecurityAccess=405

Here is a copy of the document
(so you won't have to search for it)

******************

ICA Client File Security: WEB Client Drive Access and the Webica.ini File Explained

Document ID: CTX568194
This solution pertains to: ICA Client
Last modified: Wed May 09 10:34:19 2001

This document discusses the use of the Webica.ini file 
that is created on WinFrame- and MetaFrame-based clients 
using our Citrix ALE client plugin to connect to a server, 
load balanced server farm, or published application. 

In particular, 
the nuances of the security setup for drive access 
and the ways to modify the Webica.ini file 
to override or preset certain types of access for your ICA based clients are
discussed.

By default a WinFrame or MetaFrame server maps client drives and printers
from ICA-based clients 
that support that function. 
One of these is the Web Client that users download from a Web page 
when they want to start an ICA-enabled application from their Web site.

Because the ICA protocol is trying to establish a connection between client
hosts, 
some people have concerns over the type of client mapping and access being
given to the client's local hard drive. 
In response to these security concerns, we enhanced the original Web Client 
to have a more dynamic and configurable client drive capability.

With these new modifications, 
you can set the type of client access you want to have at the actual client
OS 
in which you have the browser and ICA Web Client installed. 
This is done through a Windows pop-up that is generated 
the first time that client accesses that particular server for that
application. 
Users have a choice of Full Access, Read Access, or No Access, as well as a
"Don't notify me again" check box.

Below is a sample INI file of what gets written to the client, 
and the definitions of the type of access that has been set per the INI file
and the user's selection on the Windows menu selection. 
This file is called a Webica.ini file. 
When it is created and modified, it is placed in the %windir% path of the
client's Windows operating system.


Webica.ini

[Access]
CurrentConnection=SQL DATABASE10.4.3.245
GlobalSecurityAccess=-1
SQL DATABASE10.4.3.245=405
179.103.132.77=-1


CurrentConnection=. 

This is the last server connection that was made. 
Notice it consists of the published application name and the server address.

If SQL DATABASE is load balanced between 10.4.3.245 and 10.4.3.145, 
when this user connects to 10.4.3.145, he or she gets the pop-up. 
The entry SQL DATABASE10.4.3.145=405 needs to be added. 
The user will not see a pop-up for SQL DATABASE10.4.3.245 because an entry
is already defined. 
This is done on a per IP address basis.

You can choose not to see the pop-up each time by selecting Do not notify me
again. 
It sets the GlobalSecurityAccess to the selected value. 
In this case it is (-1), which means it is not set and is ignored. 
If the GlobalSecurityAccess is set, it takes precedence over specific
entries.

For instance, assume you have a published application SQL database being
load balanced by servers A and B. 
If the client is directed to server A five times in a row and selects the
"Do not notify me again" button, 
the pop-up appears only at the first of the five connections.

Now assume the sixth connection is routed to server B due to server load
rerouting the connection. 
The pop-up appears again, because the user is attaching to a different
server.

This behavior is intentional. Trusting a remote server (or application) is
based on its IP address. 
Giving permission to a remote machine to access your local drives should
only be done on a per-address basis. 
This ability to "remember" given permission was added as an enhancement from
the original release version 
and was related to some very real security concerns. 
We wanted to be sure that malicious users could not get Read/Write access to
the client drives 
of Web-based users on the Internet.

If only the published application name is used, 
there is very little security. 
If I were trying to hack into systems, 
I could make a published application on the Internet and call it MSWORD. 
Any users who trust a published application called MSWORD would
automatically trust mine. 
But mine really isn't Word. 
In order to be sure we only trust the people we really want to, 
it uses the published application's name and server address.


Types of access based on the settings in the INI file are as follows:

[Access]
CurrentConnection=SQL DATABASE10.4.3.245
This is just a way of keeping track of the current connection. It is not a
security setting.

MSACCESS 10.4.3.228=405 

405 means give the server Full Access.
404 is Read Access.
403 is No Access.
-1 means no security setting is configured.

MSACCESS 10.4.3.227=405
This is a second server entry if MSACCESS is load balanced to more than one
server by its published application name.

NOTEPAD10.4.1.26=405
This is a second published application the client has accessed and set the
appropriate security on.

GlobalSecurityAccess=-1
This could be set to 405 and the user would never get prompted for security
on any connection.


The example below provides two ways to set this manually for a preconfigured
scenario.


Example:

SQL DATABASE is the published application. It is published on 10.4.3.245 and
10.4.3.246. 
You do not want your users to get prompted for the security access 
but you want the server to have full access to the client machines.


There are two possible solutions.

Solution 1:

Your Webica.ini file gets these two entries:

SQL DATABASE10.4.3.245=405
SQL DATABASE10.4.3.246=405

If you have these two entries in your Webica.ini file, you will not get a
pop-up when connecting to the published application SQL DATABASE regardless
of the server to which you connect.



Solution 2:

Your Webica.ini file gets this entry:

GlobalSecurityAccess=405


You will not get the pop-up for SQL DATABASE or any other published
application to which you connect.


 

--------------------------------------------------- 
Louis Goudreault 
Tech Support 
Software Development Group
Hydro-Quebec 
E-Mail: goudreault.louis@xxxxxxxxxxx 
--------------------------------------------------- 
 
"For even the very wise cannot see all ends."    
Gandalf, 
Fellowship of the Ring
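
As an added example (not part of the original message or the Citrix document), this Python sketch reads a Webica.ini and reports which stored decisions hand a server Full Access to client drives, applying the precedence described above. The function names, the sample file and the regex that splits a key into application name and address are assumptions based on the entries shown in the document.

```python
import configparser
import re

# Codes as listed in the Citrix document quoted in the message above.
ACCESS = {405: "Full Access", 404: "Read Access", 403: "No Access"}
# Keys are <published application name><server IPv4 address>. A name that
# ends in a digit makes this split ambiguous; treat the result as a hint.
KEY = re.compile(r"^(.*?)\s*((?:\d{1,3}\.){3}\d{1,3})$")

# Constructed sample, modelled on the entries shown in the document.
SAMPLE = """[Access]
CurrentConnection=SQL DATABASE10.4.3.245
GlobalSecurityAccess=-1
SQL DATABASE10.4.3.245=405
NOTEPAD10.4.1.26=404
"""

def load_access(ini_text):
    """Return the [Access] entries as {key: int}, preserving key case."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # default would lowercase the application names
    cp.read_string(ini_text)
    if not cp.has_section("Access"):
        return {}
    return {k: int(v) for k, v in cp["Access"].items()
            if k != "CurrentConnection"}  # bookkeeping, not a security setting

def effective_access(entries, app, address):
    """Access applied for app at address, or 'prompt' when nothing is stored."""
    g = entries.get("GlobalSecurityAccess", -1)
    if g != -1:  # a set global value takes precedence over specific entries
        return ACCESS.get(g, "unknown")
    for key, code in entries.items():
        m = KEY.match(key)
        if m and m.groups() == (app, address) and code != -1:
            return ACCESS.get(code, "unknown")
    return "prompt"

def audit(entries):
    """List stored decisions that grant a server Full Access to client drives."""
    findings = []
    if entries.get("GlobalSecurityAccess", -1) == 405:
        findings.append("GlobalSecurityAccess=405: Full Access for any server, no prompt")
    for key, code in entries.items():
        m = KEY.match(key)
        if m and code == 405:
            findings.append(f"Full Access: {m.group(1) or '(no name)'} at {m.group(2)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(load_access(SAMPLE))))
```

Run against a file deployed with Solution 2, the first finding is the global one: the per-address check the document describes no longer applies to any connection from that client.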

 


-----Original Message-----
From: Jan Broucinek [mailto:TinyBeetle@xxxxxxxxx]
Sent: January 22, 2003 11:45
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix Access to local drives


Yes, but how to make it never ask in the first place?

Jan Broucinek, System Manager
Arthur Rutenberg Homes, Inc.
(727) 536-5900 voice
(727) 536-7168 x245 direct
(727) 538-9089 fax
www.arhomes.com

----- Original Message -----
From: "Schneider, Chad M." <CMSchneider@xxxxxxxxx>
To: <thin@xxxxxxxxxxxxx>
Sent: Wednesday, January 22, 2003 11:35 AM
Subject: [THIN] Re: Citrix Access to local drives



have them choose do not ask again for any application.

-----Original Message-----
From: Greg Reese [mailto:GReese@xxxxxxxxxxxxxxxx]
Sent: Wednesday, January 22, 2003 10:35 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix Access to local drives



is there a way to stop the prompt from coming up at all?  It causes much
confusion for my users

-----Original Message-----
From: Selinger, Stephen [mailto:SSelinger@xxxxxxxxxxxxxx]
Sent: Wednesday, January 22, 2003 11:38 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Citrix Access to local drives


You can have the user right click on the ica session and select "Client
Security Status".

-----Original Message-----
From: Magnus [mailto:magnus@xxxxxxxx]
Sent: January 22, 2003 9:30 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix Access to local drives



You can delete the webica.ini file on their local machine and it will ask
them again

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of David Teague
Sent: Wednesday, January 22, 2003 11:24 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Citrix Access to local drives


Hi all,
   Stupid question that I cannot remember.  When Citrix tries to access
the local drives on your computer you get a pop up window with three
choices. I think I have a user that chose read only access, how do I reset
this so that they have full access?

Thanks
David Teague


