Here is our environment:
- Citrix Presentation Server 4.0 installed on Windows 2003 Server Std.
- Working Citrix Web Access running on a different Windows 2003 Server with IIS 6.0
- There is no firewall between the servers, they are both on our intranet right now.
We want the users who access Citrix in this fashion to NOT be able to write to the local drives of the system they are using to access Citrix. I've been looking around in the Web Access Console and in the Presentation Server itself for these configuration options and I can't find it. Is this possible, and if it is where can I find it?
Snewo
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
>> Can I apply it to the user ONLY when they access it via the web?
Not sure, but I will look this up. You may need to set up additional features such as Advanced Access Control to do this.
>> Can I apply it to only particular users?
yes. After you create a policy you can apply it to certain users/groups/servers.
Ok, I created a policy to do what I think I want to do. I tried the following policy:
Client Devices -> Resources -> Drives -> Connection -> Enabled with Do Not Connect Client Drives at Logon selected
I then applied this policy to my test account and logged in. (Policy option next to my account says "allowed" which hurt my head a bit.....I'm allowing a restriction, but I digress...)
I was able to copy files from my mapped Citrix drives to my local drives.
Being as this is the example when you click on help it should work. I have to assume I'm doing something wrong. Any ideas?
Snewo
Do you have any other policies enabled?
Are you logging into a published Desktop or Application? (Not just using Remote Desktop or Terminal Services right?)
Do you see the local drives as being mapped (i.e. you will see something like a drive called T$: which represents the C: drive of the local computer) Or are you doing a copy/paste from the citrix session into your local session without any mapped drives?
Yes, I have one other policy - Universal Print Driver.
I'm logging into a published application.
Yes, I see my local drives as C$ and D$ (The main drive on the Citrix server is O:)
Here is the application that I'm launching, you'll see it's not rocket science:
"C:\Program Files\Internet Explorer\iexplore.exe" -E F:
From within this application I'm able to move files between any of the mapped drives to the local C & D drives, which is what I'd like to prevent.
Snewo
ok check the other policy to make sure it's not overwritting the settings you created for your new policy.
Also check your login script to see if maybe it's being mapped there... or maybe a batch file in the startup folder?
The policy you created is all you need to do so something is just buggy here..
If none of that works perhaps just try to create another published app or even the desktop. BTW, what does the "-E F:" do at the end of your command line for IE?
and now that I say that I see that your published app is incorrect (or maybe it was just a typo)
but if you are launching IE from the server you would have to use O: as the drive in your command line (as you stated O: is the main drive in citrix)
"O:\Program Files\Internet Explorer\iexplore.exe" -E F:
and again I'm not sure what the -E F: does so maybe you can elaborate on that.
Have tried applying the policy to the server and to the user?
I was having the same issue when connecting to my citrix server and all of the printers were mapping everytime. When I added the server to the application of the policy as well as the user or group
On the policy to block the host drives, Client Devices -> Resources -> Drives -> Connection, have you tried enabling this one and then choosing "Do Not Connect Client Drives at Logon"
mqcIT: Yes, I tried it on a new published app - Word. I was still able to create a test document and save it locally.
idyllicsys: I tried applying the policy to both the servers and the user (me) and it still allows me to write files to the local harddrive. The policy you mentioned is exactly the one I applied earlier (and still have applied) but it's just not working.
Any ideas?
Snewo
If you have configured the policy the way you say you have, and there is no other setting creating the drive mapping, it should work. But you're setting the wrong policy if you want to disable the possibility to save to the clients local drives, the only thing this policy does is disable the automatic mapping of the local drives.
You should use Client Devices / Drives / Mappings. Enable this policy and check all 4 check boxes (floppy, hard drives, CD-ROM, remote drives) to disable access to (not only automatic mapping of) the clients drives.
For starters, assign the policy to a user account (to make sure it works). If you want to get fancy and just enable it when a user logs in using the Web Interface, use the Client Name filter and enter WI_* (providing you have a clean unmodified installation of WI, clients connecting through WI always get a client name starting with WI_. But this is configurable....)
/Anders
It's still not working, here is what I did. Please let me know if I missed any steps no matter how small:
- Opened the Management Console
- Clicked on policies
- Double clicked on the policy I want (it is the highest priority)
- Went to Client Devices -> Resources -> Drives -> Mappings
- Enabled Mappings and checked all boxes in the window below (there are no other policy rules in with this policy)
- Selected ok
- Right clicked on my policy and choose "Apply this policy to..."
- Checked Filter based on users
- Under users I added my test account only.
- Checked Allow next to my test user
- Checked ok
I then logged in via the web and launched Excel. From within Excel I was able to go to File -> Save As and save the file to my local drive.
The C drive displays as: C$ on 'Client' (C:)
The D drive displays as: D$ on 'Client' (D:)
What the heck is going on? It's like it is completely ignoring my policy. Am I going nuts?
Snewo
- Yes, all servers in the farm (total of 2) are Presentation Server 4.0.
- I made a new policy for this item.
- I have only one other policy which is a universal print driver policy and it appears to be working fine.
The client name filter piece you mentioned looks like it will do the trick, once we solve the drive mapping issue.
Snewo
Ok, more "stupid" questions ;-)
Have you checked that the problem exists on both servers?
Are you using Active Directory to verify the test account user?
A workaround could be to try editing the launch.ica on the WI-server. Add a line:
CDMAllowed=off
under the [WFClient] section. This should disable Client Drive Mapping for any user launching the application from the Web Interface.
/Anders
- Yes, I've forced the test user to log in to both servers and the problem is on both.
- Yes, we're using active directory but there are no log-on scripts in place.
- The only launch.ica file I have on my web server does not have a WFClient section, so I made one. Here is the contents of the launch.ica file. Does this look ok?
<%
// launch.ica
// Copyright (c) 2000 - 2005 Citrix Systems, Inc. All Rights Reserved.
// [NFuseVersionAndBuildNumbe
%>
<%
currPage = PAGE_LAUNCH;
%>
<!--#include file="serverscripts/webint
<!--#include file="serverscripts/includ
<!--#include file="serverscripts/sessio
<%
UserContext userContext = sessCheckOutUserContext();
%>
<!--#include file="serverscripts/launch
<%
sessReturnUserContext( userContext );
%>
[WFClient]
CDMAllowed=off
The above modifications to the launch.ica file don't seem to have made a difference.
Thx,
Snewo
Business Accounts
Answer for Membership
by: mgcITPosted on 2006-02-24 at 14:10:00ID: 16042885
This can be done with Policies... in the Citrix Management Console create a policy... under the "Client Devices" section you can disable local drive mappings. Make sure to apply the policies to your users after creating it otherwise it will not take effect.
Another thing you can do is disable it for certain protocols altogether (ICA or RDP) using the Citrix Connection Configuration Tool... right-click the ICA Protocol and go to Edit....click the "Client Settings" button to see what devices you can disable.