Citrix Web Interface 4.5
We have become accustomed to Web Interface (WI) product revisions being tied to releases of Citrix MetaFrame and Citrix Presentation Server. That is until the latest version of Web Interface; version 4.5. The main reason for this “early release” of WI is to provide support for release 4.5 of Citrix Access Gateway Advanced Edition, or CAG with AAC for those who prefer to speak in acronyms. This article will point out the highlights of what is new in WI 4.5 and help you to decide whether to upgrade or delay until Presentation Server 4.5 is deployed within your environment. (Note: This article focuses on “Access Platform Sites” within Web Interface and does not address details of “Program Neighborhood Agent Services Sites” or “Conferencing Manager Guest Attendee Sites”)
Architecture and Server Requirements
The first good news is WI version 4.5 continues in the .Net and J#.Net development environment, but is built on different versions of these platforms than previous versions of WI. Deploying Citrix applications requiring .Net version 1.x (example: Web Interface 4.0, 4.1, 4.2) has become increasingly difficult due to the many other applications that are built on .Net 2.0 and later. For example, users have been hesitant to deploy Windows 2003 R2 as the underlying operating system for certain Citrix applications because R2 contains .Net 2.0. Thankfully, Citrix has finally broken into the .Net 2.0 and J#.Net 2.0 spaces with WI 4.5. The new Access Management Console (AMC), which replaces the Access Suite Console, is also built on .Net 2.0. The same framework (WING – Web Interface Next Generation) that was initially used in WI version 4.0 continues to be the foundation for WI in this latest version.
The server requirements are almost identical to other 4.x versions, with the exception of version 2.0 of both the .Net and J#.Net components. The other significant difference is the requirement of the new Access Management Console to manage WI 4.5. This can be an issue if you plan on installing WI 4.5 on a server that already contains other Citrix products that are previous to version 4.5. You cannot properly manage certain version 4.0 products, such as Presentation Server 4.0 with a version 4.5 AMC, and vice versa. Please see the section entitled “Things That Might Bite!” below for more details.
Both 32 bit and 64 bit Windows 2003 Server versions are supported on the Windows platform, although if you opt for 64 bit Windows you will need to use IIS in 32 bit mode. ASP.Net must also be enabled as in recent WI versions. Another noteworthy item is the requirement to install the AMC prior to installing WI, when doing a manual installation of WI. This is due to the first of two components of the AMC to be installed; the Framework component. If you wish to install WI without the AMC, use the command line install with the “-noasc” argument. Please see Wilco van Bragt’s article How To: Unattended Installation of the Citrix Web Interface for more details on performing a command line install of WI.
If you prefer to run WI on a Unix platform there is support for both Red Hat Linux and Sun Solaris. Please see the Web Interface Administrator’s Guide for more details on supported Unix versions and platforms.
New Features in WI 4.5 – Other Products May Be Required
We will begin discussing new features with the additions to support Citrix Access Gateway Advanced Edition 4.5; which actually consists of the Citrix Access Gateway appliance (CAG) and a Windows server with Citrix Advanced Access Control (AAC) installed and configured. WI now provides support for filtering access to Presentation Server applications via AAC policies; that is applications can be filtered via client end-point analysis scans. Figure 1 shows how to configure a specific WI site to utilize an AAC server for authentication; thereby leveraging end-point analysis scans, filters, and policies in place on the AAC server. Be aware that checking the box “Prompt users for password before displaying the applications list” will disable pass-through authentication and require users to enter their credentials twice; once to the AAC logon service and once on the WI page.
Configuring WI to authenticate via AAC removes the authentication responsibility from WI and places it squarely on the logon service of the AAC server. This is important to understand so you don’t struggle with troubleshooting communication across a firewall. It also moves the authentication configuration details to the AAC server.
Active Directory Federation Services (ADFS) is present in Windows 2003 Server Enterprise Edition with the R2 release. This new version of WI has ADFS support built in and no longer requires a separate WI product installation.
Citrix Password Manager provides self-service password reset functionality to allow users to reset their own Active Directory passwords and unlock their respective accounts. WI version 4.5 allows users to access this same functionality from within the Web Interface logon page. The Citrix Password Manager Agent must be installed on the WI server to enable this functionality. Figure 2 displays the settings to enable this functionality.
The addition of Password Expiration Notices provides the ability to configure warning notices to be displayed when user’s passwords will expire, and the key piece is you can now configure the time period before the warning notice is displayed. Figure 3 illustrates the configuration for password changes; you may choose to disable password reminders and never remind users their password is going to expire, or you may choose to enable password reminders and access the configuration from AD group policy or configure the reminder period on the particular Access Platform Site (Web Interface Site in previous versions). Be aware you must enable users to change their passwords at any time to use this password reminder feature, and this feature will not be available until you have deployed Presentation Server 4.5 or Citrix Streaming Server, neither of which have been released at this time.
It seems like no matter how useful or intuitive a user interface may appear to be, certain users will always want icons on the desktop. Citrix has provided that functionality with WI 4.5. Users may store URLs to specific WI published applications on their desktop, in their “Favorites”, or wherever they may chose.
New Features in WI 4.5 – These Stand Alone!
Although many of the new features in WI 4.5 require additional products (Presentation Server 4.5 and/or Citrix Streaming Manager), there are a few features that only require WI 4.5. The first of these is support for upgrading a current Web Interface server that is running WI 3.0 (the same version released with Presentation Server 3.0) or later. Although there will likely be more risk inherent in performing an in-place upgrade of WI, it is a supported method for migrating to WI 4.5. This is an indication that Citrix has not changed the code structure drastically between version 3.0 and the current version 4.5. This is excellent news to the many users who have customized a previous WI site by modifying certain include files (files with an .inc extension), or other code within WI. There is a very good chance your customizations will also work in WI 4.5, although you may have to make some minor changes. I am sorry to report this upgrade process is only supported on the Windows platform; if you are running WI on a Unix platform you will have to remove the existing version and proceed with a fresh installation of WI 4.5.
This version of WI provides support for alerts to be generated within the Access Management Console version 4.5 (formerly the Access Suite Console). This is similar to the alerts generated for Presentation Server, where the idea is to provide quick access to troubleshooting information such as knowledge base articles relative to the specific alert. Only time will tell how useful this feature proves to be.
Internet Explorer (IE) may be the most popular browser today, but is certainly not the only browser in use. More users are turning to Firefox and other browsers as alternatives to IE. In addition to support for IE version 7 Citrix has also increased support of browsers in this release to include support for Firefox on Windows, Linux, and various MAC OS versions; Safari 2 on MAC OS; IE version 6 on Windows CE version 5 (various Windows Based Terminals); and Pocket IE on Windows Mobile versions 2000SE and 2005. There are some limitations that apply; please see the release notes for Web Interface 4.5, Web_Interface_4.5_Release_Notes.doc for more details.
New Features to Support Future Products
Many of the new features in WI 4.5 provide support for features included in Presentation Server 4.5. In addition to these new features there is also support for Citrix Streaming Manager (project Tarpon), which is also scheduled for release in 2007. In figure 4 below this particular Access Platform site is configured to provide applications to users with a combination of Streaming (project Tarpon) and Presentation Server.
As more and more end users roll out the Citrix Program Neighborhood Agent (PN Agent) client, one glaring omission stands clear; the ability to have multiple PN Agent configuration servers (actually the WI servers) to provide redundancy and/or load balancing. End users have typically mitigated this risk by utilizing some type of TCP/IP load balancing solution to provide this capability. This missing link has finally been addressed to some degree in WI 4.5 with the ability to provide backup PN Agent sites (URLs). Even though this does not provide true load balancing of requests it at least addresses the single point of failure and redundancy issues.
There is a new client-side proxy detection selection that is meant to reduce the amount of configuration required when ICA clients must pass through a proxy server to reach the Presentation Servers. This will be part of the version 10 ICA client and will incorporate automatic proxy detection.
The next feature will be of interest to those of us who support users across the globe. The version 10 ICA client is a multi-lingual client. WI will provide the ability to automatically install ICA clients in all supported languages.
The reaction to the next feature is likely to be “It’s about time!” Removing the requirement for power user or administrative rights to install ICA clients has been one of the most requested feature enhancements for years. This future client package will have a modified version of the Windows ICA client capable of installing on a Windows client machine without users possessing elevated privileges. Yes, I agree, it is about time.
Before you rush to upgrade to WI 4.5, remember these particular features will not be available until Presentation Server 4.5, Citrix Streaming Manager, and/or the ICA client version 10 are released, respectively.
There are a few things you should be aware of before you jump into a WI 4.5 upgrade. The first involves the required versions of .Net 2.0 and J#.Net 2.0. If you install these components on a server that already has the Access Suite Console (any version of 3.x or 4.x) installed, that version of the Access Suite Console will no longer function. There are possible work-arounds for this issue; one consists of running the different management consoles (Access Suite Console and Access Management Console) on separate machines. Please refer to Citrix Knowledge Base Article CTX111372 and the release notes for Web Interface 4.5, Web_Interface_4.5_Release_Notes.doc for more details.
The “Account Self Service” functionality only functions when users access the WI web server via HTTPS. If users connect via HTTP, this feature is unavailable.
If using the 64-bit version of Internet Explorer, there are two issues to be aware of: ICA client detection will not function, and “Workspace Control” will only function if using the Java ICA client. The auto-download of the ICA client will not be possible for users with Internet Explorer version 7.
As you can see the vast majority of new features in Web Interface 4.5 are not useful in a Presentation 4.0 or previous version environment. If you are deploying Advanced Access Control 4.5 and plan to integrate AAC with Web Interface, you will be forced to deploy WI 4.5. However, if this is not the case it may make more sense to evaluate WI 4.5 in a test environment and consider implementing this release in conjunction with a Presentation Server 4.5 rollout or upgrade.
In next month’s article we will discuss creating and managing multiple “Access Platform” sites on a single Web Interface server.