Back to ICA Files!

I’ve been working on a project in a very complex network configuration where a client is connecting to our hosted Citrix XenApp service via 4 different possible network routers, none over the Internet. To add to the complex double-NATed network, they can’t resolve DNS, so out goes any idea of using a CAG or NetScaler or even a Web Interface, as it has to be based on IP. So it’s back to creating ICA files for each application and each connection. Fun!

Citrix eDocs are a good place to look for detailed information on the ICA protocol and session reliability but I want to share with you how the basics work.

ICA files are good if you need to use IP addresses instead of DNS and have a very limited number of applications to use. You need to get the ICA files right the first time before distributing them to other users, so plenty of testing is required.

If you can resolve DNS then I can’t see any advantage in using ICA files, as the Web Interface or StoreFront with a CAG or NetScaler offers a better, more flexible solution. Many ICA files can get messy and hard to maintain! In my case it’s the only option.

Use QuickLaunch

First you want to download QuickLaunch, which will allow you to create ICA files the easy way and test them before rolling them out. You also have many options you can include in your ICA file, such as session options and session reliability, and don’t forget encryption!

You can download QuickLaunch from the Citrix website: http://support.citrix.com/article/CTX122536

With QuickLaunch you can decide if you want to launch an application, a full desktop or a connection to XenDesktop.


A typical ICA file for a full desktop with 128-bit encryption may look like this:

[Encoding]
InputEncoding = ISO8859_1
[WFClient]
Version=2
ProxyType=Auto
HttpBrowserAddress=192.168.1.20:8080
ConnectionBar=0

[ApplicationServers]
192.168.1.20=

[192.168.1.20]
Address=192.168.1.20
InitialProgram=
CGPAddress=*:2598
ClientAudio=On
DesiredColor=8
KeyboardTimer = 0
MouseTimer = 0
ConnectionBar=0
Username=
Domain=
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
BrowserProtocol=HTTPonTCP
Compress=On
EncryptionLevelSession=EncRC5-128
[EncRC5-128]
DriverNameWin32=PDC128N.DLL
DriverNameWin16=PDC128W.DLL
[Compress]
DriverName=PDCOMP.DLL
DriverNameWin16=PDCOMPW.DLL
DriverNameWin32=PDCOMPN.DLL

Note the encryption level and the CGP address port: when you launch your application, your session will be on 2598.
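Because these files are handed out to users as-is, it helps to check each one for the settings noted above before distribution. The following is an added example, not part of QuickLaunch or any Citrix tooling: a small Python check (the function name audit_ica and the cut-down sample are constructed for illustration) that confirms every listed server uses an IP address, requests EncRC5-128 with its driver section present, and carries a CGP address on port 2598.

```python
import configparser
import ipaddress

# Constructed sample: a cut-down copy of the ICA file shown above.
SAMPLE_ICA = """\
[ApplicationServers]
192.168.1.20=

[192.168.1.20]
Address=192.168.1.20
CGPAddress=*:2598
EncryptionLevelSession=EncRC5-128

[EncRC5-128]
DriverNameWin32=PDC128N.DLL
"""


def audit_ica(text, required_level="EncRC5-128", cgp_port="2598"):
    """Return a list of findings; an empty list means the file passed."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # ICA keys are mixed case; do not lowercase them
    cp.read_string(text)
    if not cp.has_section("ApplicationServers"):
        return ["no [ApplicationServers] section"]
    findings = []
    for name in cp["ApplicationServers"]:
        if not cp.has_section(name):
            findings.append(f"{name}: listed but has no [{name}] section")
            continue
        sec = cp[name]
        # The clients on this network cannot resolve DNS, so require an IP literal.
        try:
            ipaddress.ip_address(sec.get("Address", ""))
        except ValueError:
            findings.append(f"{name}: Address is not an IP literal")
        level = sec.get("EncryptionLevelSession", "<unset>")
        if level != required_level:
            findings.append(f"{name}: EncryptionLevelSession is {level}")
        elif not cp.has_section(level):
            findings.append(f"{name}: no [{level}] driver section")
        # Session reliability: CGPAddress must carry the expected port.
        if sec.get("CGPAddress", "").rpartition(":")[2] != cgp_port:
            findings.append(f"{name}: CGPAddress missing or not on port {cgp_port}")
    return findings


if __name__ == "__main__":
    print(audit_ica(SAMPLE_ICA) or "OK")
```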

 

But is my session Encrypted?

One of the big questions I’ve been asked is whether the session is encrypted. Well, indeed it is: although a basic level of encryption exists by default, you can use up to 128-bit RC5 without too much trouble. Initially I assumed certificates would be requested and that means DNS, but I was surprised how it just works. So the encryption negotiations must be done between the receiver and XML service.

 

To enable encryption for SecureICA:

Using the QuickLaunch application, select the session options tab; from there you can select the level of encryption you require, and you may want to select session reliability as well. Once you’re finished, go back to the General tab and select ICA File, and one will be generated.

Troubleshooting

If the ICA File option is greyed out then you need to remove your username and password.

If you can’t retrieve a list of applications, then try changing the XML port to 8080 or to whatever you may have configured it to.

More information:

If you need more information about ICA traffic or files and how they work then have a look at these Citrix links:

http://support.citrix.com/article/CTX104147

http://support.citrix.com/proddocs/topic/xenapp5fp-w2k3/ps-securing-use-secure-ica.html

Information provided is based on real world scenarios and issues I have resolved as described but there are no guarantees or warranties.