MetaFrame Administrator's Guide

Security Considerations

In addition to using standard Windows NT security features and practices, access to Citrix servers can be restricted in several ways:

• All users on a specific connection type can be restricted to running published applications only. By allowing users to access predefined applications only, you can prevent unauthorized users from obtaining access to the Windows desktop or a command prompt. Use the Advanced Connection Settings dialog box in Citrix Connection Configuration to restrict users to running only published applications.

• Published Application Manager lets you restrict an application to specified users or groups of users (explicit user access only).

• MetaFrame supports Internet firewalls that can be used to restrict Internet access to the MetaFrame server.

• Users can be required to enter a user name and password in order to execute an application (explicit user access only).

• Citrix and most Web professionals recommend you either disassociate your Web site from your production system or rigorously restrict external access. Any system accessible through the Internet is by definition a security risk and may give anyone unauthorized access to your production site through the Web. Therefore, unless you have very robust security and plan to use this with an Intranet, keep your Web server on a separate network loop outside your firewall, if you have one.

• The Aclcheck utility examines the security ACLs associated with your files and directories and can report on any potential security exposures. See Appendix A, “MetaFrame Command Reference,” for more information about this command.

• The Application Execution Shell (App) lets you write application execution scripts that perform actions before executing the application and perform cleanup after the application terminates. See Appendix A, “MetaFrame Command Reference,” for more information about this command.

Publishing a Standard Application

Once you enter your server(s) into a server farm, you can begin to publish applications in the farm. Applications published in a farm automatically appear in each specified Program Neighborhood user’s application set and are pre-configured for such session properties as window size and colors and supported level of encryption, audio, and video. Non-Program Neighborhood ICA Clients will also have access to these applications: these ICA Client users can create connections to the published application using their connection configuration managers or can access the published application over the Internet or Intranet (in the case of the ICA Web Clients).

Citrix Systems 1.8 manual: Security Considerations, Publishing a Standard Application