Integrating Citrix MetaFrame Presentation Server 4 with iChain 2.3

  • 3663363
  • 10-Jan-2007
  • 26-Apr-2012

Environment


Novell iChain 2.3 Support Pack 4
Citrix MetaFrame Presentation Server 4

Situation

Citrix MetaFrame Presentation Server 4 and the newer 9.x ICA clients changed the way the ICA file contents are handled. iChain 2.3 customers who follow the iChain documentation, or the Cool Solution at https://www.novell.com/coolsolutions/appnote/2562.html (which documents the Presentation Server 3 integration setup), end up with the following error after applying the configuration settings from the docs:

"Cannot connect to the Citrix MetaFrame server. Protocol driver error"


Resolution

Modify the iChain formfill profiles according to the doc below.

With the release of Citrix MetaFrame Presentation Server 4 and the new Citrix v9 clients, changes have occurred in the file formats that cause iChain 2.3 not to function correctly. To work around the client communication issues that show up as protocol errors, the following changes are required:


1. For single sign-on to the Web Interface services of Citrix MetaFrame Presentation Server 4, the only major change from previous versions is the link to the login page, which is referenced by the formfill tag. For more details on the formfill tags below, check the Cool Solution at https://www.novell.com/coolsolutions/appnote/2562.html.

<!-- This is an example form fill policy for SSO or -->





MetaFrameLogin
nfuse.novell.com/Citrix/MetaFrame/auth/login.aspx











Note: MetaFrame is the default path when you create the site in the Access Suite Console. If the Citrix administrator changes it in the wizard (to specify any path you want), the folders with this changed name will be automatically created by the wizard on the IIS server. The corresponding formfill profile will need to have this new path.


2. The majority of the changes required to get iChain 2.3 to work will take place in the following profile that is used by formfill to rewrite the ICA file sent back from the WebInterface server.

The ICA parameters specific to the application (addresses, ports) need to be rewritten so that the ICA client sends the request to the Citrix accelerator instead of the back-end server. The ProxyType parameter needs to be set to Secure so that the ICA client can tunnel the Citrix data through the Citrix accelerator. Finally, for single sign-on to the iChain Citrix accelerator, a cookie (ProxyUsername and ProxyPassword) is added to the ICA file being returned.

Because of changes between the Citrix MetaFrame Presentation Server version 3 and version 4 servers, and in the 9.x version of the Citrix clients, the WFClient and Application sections of the ICA file now both require the ProxyType and ProxyHost settings. The WFClient section is basically used to locate the Citrix servers; the Application section is used to connect to the servers. To do this, the following changes are required (use the Cool Solution above as a reference for IP addresses, hostnames and ports):

<!-- This is an example form fill policy for logging in to Nfuse -->
<!-- start of secure tunnel to MetaFrame through NFuse -->
<urlPolicy>
    <name>NFuse</name>
    <url>nfuse.novell.com/Citrix/AccessPlatform/site/launch.ica</url>
    <actions>
        <icaFill>
            <icaOriginal>
                [WFClient]
            </icaOriginal>
            <icaReplace>
                [WFClient]
                ProxyHost = citrix.novell.com:80
                ICHAIN-TOKEN = 30
            </icaReplace>
            <icaOriginal>
                ProxyTimeout=30000
                ProxyType=Auto
            </icaOriginal>
            <icaReplace>
                ProxyTimeout=30000
            </icaReplace>
            <icaMetaPrivateAddress>
                Address=151.155.164.200
            </icaMetaPrivateAddress>
            <icaMetaPublicAddress>
                Address=citrix.novell.com
            </icaMetaPublicAddress>
        </icaFill>
    </actions>
</urlPolicy>
<!-- end of secure tunnel to MetaFrame through NFuse -->

Note: MetaFrame is the default path when you create the site in the Access Suite Console. If the Citrix administrator changes it in the wizard (to specify any path you want), the folders with this changed name will be automatically created by the wizard on the IIS server. The corresponding formfill profile will need to have this new path.

Troubleshooting tip: The above script was used to rewrite the ICA file returned for my sample Notepad application with MetaFrame 4 servers (shown below without the compression and encryption sections). If the sequence does not match your ICA file, the formfill profile may need to be modified accordingly, e.g. if 'ProxyType=Auto' does not precede 'TransparentKeyPassthrough=Local'.

[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ClientName=WI_PlMNsJS2hDDvp-pIA
ProxyType=Auto
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Notepad=

[Notepad]
Address=147.2.16.119:1494
AudioBandwidthLimit=2
AutologonAllowed=ON
CGPAddress=*:2598
ClearPassword=0B00C43271B8B5
ClientAudio=On
DesiredColor=2
DesiredHRES=640
DesiredVRES=480
Domain=\DB328CD97933669A
InitialProgram=#Notepad
Launcher=WI
LongCommandLine=
ProxyType=Auto
SSLEnable=Off
SessionsharingKey=2-basic-basic-us2003-administrator-ichainfarm
TWIMode=On
TransportDriver=TCP/IP
Username=administrator
WinStationDriver=ICA 3.0


3. Access the WebInterface server from the browser and make sure that single sign on to the WebInterface server works after logging into iChain. A list of available applications should be displayed and visible at this point within the browser.


4. Right-click the application and select 'Save Target As'. This saves the launch.ica file that is executed by the ICA client. With Notepad or any other editor, look at the contents of the file and make sure that the following information is displayed. Note that the 'Notepad' application entry that was selected here includes an 'Address' field as well as a 'ProxyHost' and a 'ProxyType' field. If these exist, the HTTP tunnel between the ICA client and the Citrix accelerator should be able to start, so that ICA data can be exchanged between the ICA client and the back-end Citrix server.

[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ProxyHost = citrix.novell.com:80
ProxyType=Secure
ProxyUsername=f5e2a1257fe8792403ddc045
ProxyPassword=3d3c66cf7ffa2fa0046545528e39f6b6dde510a4
ClientName=WI_Xc0DY4wMD3KixW-KW
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Notepad=

[Notepad]
Address=citrix.novell.com:1494
AudioBandwidthLimit=2
AutologonAllowed=ON
ClearPassword=932103EAFCA9C3
ClientAudio=On
DesiredColor=2
DesiredHRES=640
DesiredVRES=480
Domain=\31284FAAE9C6B1F6
InitialProgram=#Notepad
Launcher=WI
LongCommandLine=
SSLEnable=Off
SessionsharingKey=2-basic-basic-us2003-administrator-ichainfarm
TWIMode=On
TransportDriver=TCP/IP
ProxyHost = citrix.novell.com:80
ProxyType=Secure
Username=administrator
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll



Note: In certain cases, it is not possible to right-click an application and select 'Save Target As' to capture the ICA file. If this is the case with your setup, go to the Windows temp folder and read the temporary ICA file that was downloaded there.
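
The check in step 4 can be scripted. The following is an added example, not part of the original Novell document and not iChain or Citrix code: it parses a saved launch.ica and reports any section where ProxyHost is not the accelerator, where ProxyType is anything other than a single Secure entry, or where Address still points at the back-end server. The function names, the SAMPLE text and the redact helper (which masks ProxyUsername, ProxyPassword and ClearPassword before the file is shared) are assumptions made for illustration.

```python
# Added example, not Novell or Citrix code. SAMPLE is constructed for illustration.
SECRET_KEYS = {"proxyusername", "proxypassword", "clearpassword"}
SAMPLE = """[WFClient]
ProxyHost = citrix.novell.com:80
ProxyType=Secure
ProxyUsername=EXAMPLE-TOKEN-A
ProxyType=Auto
[ApplicationServers]
Notepad=
[Notepad]
Address=147.2.16.119:1494
ClearPassword=EXAMPLE
ProxyHost = citrix.novell.com:80
ProxyType=Secure
"""

def parse_ica(text):
    """Return {section: [(key, value), ...]}; duplicate keys are kept, not merged."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def check_ica(text, public_host, proxy_host):
    """List what the rewrite missed; an empty list means every section is tunnelled."""
    ica, findings = parse_ica(text), []
    apps = [key for key, _ in ica.get("ApplicationServers", [])]
    for name in ["WFClient"] + apps:
        pairs = ica.get(name, [])
        get = lambda k: [v for key, v in pairs if key.lower() == k]
        if get("proxyhost") != [proxy_host]:
            findings.append(f"[{name}] ProxyHost is not exactly {proxy_host}")
        if get("proxytype") != ["Secure"]:
            findings.append(f"[{name}] ProxyType is {get('proxytype')}")
        address = (get("address") or [""])[0]
        if name != "WFClient" and address.split(":")[0] != public_host:
            findings.append(f"[{name}] Address is {address!r}, not {public_host}")
    return findings

def redact(text):
    """Mask credential-bearing values before the file goes into a ticket or log."""
    def mask(line):
        key, sep, _ = line.partition("=")
        return f"{key}{sep}<redacted>" if key.strip().lower() in SECRET_KEYS else line
    return "\n".join(mask(line) for line in text.splitlines())
```

Calling check_ica(SAMPLE, "citrix.novell.com", "citrix.novell.com:80") returns two findings: the leftover ProxyType=Auto in [WFClient] and the back-end Address in [Notepad].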


A summary of the iChain formfill operations in the logger screen (assuming that SSO was loaded with /L /d) shows the following. The sections in bold indicate the changes that were triggered by the formfill script above:

SSO_4: ICA Policy ' NFuseTest': nfuse.novell.com/Citrix/MetaFrame/site/launch.ica?NFuse_UID=1963591607&NFuse_Application=Citrix.MPS.App.Farm1.Notepad
cookie = ef3c8ccaa455692ec016860f08d82f0cfc201ce21622c674a0c0b57faaa4e632
cookie = [WFClient]
ProxyHost = citrix.novell.com:80
ProxyType=Secure
ProxyUsername=ef3c8ccaa455692ec016860f
ProxyPassword=08d82f0cfc201ce21622c674a0c0b57faaa4e632
Before getReplacePair
Replace token [WFClient] with [WFClient]
ProxyHost = citrix.novell.com:80
ProxyType=Secure
ProxyUsername=ef3c8ccaa455692ec016860f
ProxyPassword=08d82f0cfc201ce21622c674a0c0b57faaa4e632

Replace Address=147.2.16.119 with Address=citrix.novell.com

Replace AudioBandwidthLimit=2
AutologonAllowed=ON
CGPAddress=*:2598 with AudioBandwidthLimit=2
AutologonAllowed=ON

Replace LongCommandLine=ProxyType=Auto with LongCommandLine=

Replace TransportDriver=TCP/IP with TransportDriver=TCP/IP
ProxyHost = citrix.novell.com:80
ProxyType=Secure

*** ICA file =[Encoding]
InputEncoding=ISO8859_1

[WFClient]
ProxyHost = citrix.novell.com:80
ProxyType=Secure
ProxyUsername=ef3c8ccaa455692ec016860f
ProxyPassword=08d82f0cfc201ce21622c674a0c0b57faaa4e632
ClientName=WI_V08XRB76-Si5G_Xb7
ProxyType=Auto
TransparentKeyPassthrough=Local
TransportReconnectEnabled=On
Version=2
VirtualCOMPortEmulation=Off

[ApplicationServers]
Notepad=

[Notepad]
Address=citrix.novell.com:1494
AudioBandwidthLimit=2
AutologonAllowed=ON
ClearPassword=F5D1E1AF9AEDC8
ClientAudio=On
DesiredColor=2
DesiredHRES=640
DesiredVRES=480
Domain=\E097D448FD6B3AB3
InitialProgram=#Notepad
Launcher=WI
LongCommandLine=
SSLEnable=Off
SessionsharingKey=2-basic-basic-us2003-administrator-ichainfarm
TWIMode=On
TransportDriver=TCP/IP
ProxyHost = citrix.novell.com:80
ProxyType=Secure
Username=administrator
WinStationDriver=ICA 3.0

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

***