snewo


Citrix Web Access


Here is our environment:

- Citrix Presentation Server 4.0 installed on Windows 2003 Server Std.
- Working Citrix Web Access running on a different Windows 2003 Server with IIS 6.0
- There is no firewall between the servers, they are both on our intranet right now.


We want the users who access Citrix in this fashion to NOT be able to write to the local drives of the system they are using to access Citrix.  I've been looking around in the Web Access Console and in the Presentation Server itself for these configuration options and I can't find it.   Is this possible, and if it is where can I find it?



Snewo
mgcIT

This can be done with Policies... in the Citrix Management Console create a policy... under the "Client Devices" section you can disable local drive mappings.  Make sure to apply the policies to your users after creating it otherwise it will not take effect.

Another thing you can do is disable it for certain protocols altogether (ICA or RDP) using the Citrix Connection Configuration Tool... right-click the ICA Protocol and go to Edit... click the "Client Settings" button to see what devices you can disable.
snewo

ASKER


I'll take a look at this when I return to work on Monday.   Two questions though:

- Can I apply it to the user ONLY when they access it via the web?   I'd like to have a different policy for the various connection methods.
- Can I apply it to only particular users?


Thanks.


Snewo
>> Can I apply it to the user ONLY when they access it via the web?

Not sure, but I will look this up.  You may need to set up additional features such as Advanced Access Control to do this.

>> Can I apply it to only particular users?

Yes.  After you create a policy you can apply it to certain users/groups/servers.
snewo

ASKER


Ok,   I created a policy to do what I think I want to do.   I tried the following policy:

Client Devices -> Resources -> Drives -> Connection -> Enabled with Do Not Connect Client Drives at Logon selected

I then applied this policy to my test account and logged in.  (Policy option next to my account says "allowed" which hurt my head a bit.....I'm allowing a restriction, but I digress...)

I was able to copy files from my mapped Citrix drives to my local drives.


Being as this is the example when you click on help it should work.   I have to assume I'm doing something wrong.  Any ideas?


Snewo
Do you have any other policies enabled?

Are you logging into a published Desktop or Application?  (Not just using Remote Desktop or Terminal Services right?)

Do you see the local drives as being mapped (i.e. you will see something like a drive called T$: which represents the C: drive of the local computer)?  Or are you doing a copy/paste from the Citrix session into your local session without any mapped drives?

snewo

ASKER


Yes, I have one other policy - Universal Print Driver.

I'm logging into a published application.

Yes, I see my local drives as C$ and D$ (The main drive on the Citrix server is O:)  

Here is the application that I'm launching, you'll see it's not rocket science:  

"C:\Program Files\Internet Explorer\iexplore.exe" -E F:

From within this application I'm able to move files between any of the mapped drives to the local C & D drives, which is what I'd like to prevent.



Snewo
OK, check the other policy to make sure it's not overwriting the settings you created for your new policy.

Also check your login script to see if maybe it's being mapped there... or maybe a batch file in the startup folder?

The policy you created is all you need to do so something is just buggy here..

If none of that works perhaps just try to create another published app or even the desktop.  BTW, what does the "-E F:" do at the end of your command line for IE?
And now that I say that, I see that your published app is incorrect (or maybe it was just a typo).

But if you are launching IE from the server you would have to use O: as the drive in your command line (as you stated O: is the main drive in Citrix):

"O:\Program Files\Internet Explorer\iexplore.exe" -E F:

And again, I'm not sure what the -E F: does, so maybe you can elaborate on that.
snewo

ASKER


The -e starts it in explorer mode.  The F: opens to our F: drive which is yet another mapped drive for the user (their home directory).  


Snewo
snewo

ASKER


The setting at:  Client Devices -> Resources -> Drives -> Connection  was marked as "Not Configured" so it should have defaulted to the lower priority.  Just to test it out I raised the priority of the new policy and it still isn't working.  

Any other ideas?



Snewo
No other ideas unless it's being mapped in a login script like I said before.  Did you try creating a new published app?  Just the desktop is an easy one to do.
Have you tried applying the policy to the server and to the user?

I was having the same issue when connecting to my Citrix server and all of the printers were mapping every time. When I added the server to the application of the policy as well as the user or group

On the policy to block the host drives, Client Devices -> Resources -> Drives -> Connection, have you tried enabling this one and then choosing "Do Not Connect Client Drives at Logon"?
snewo

ASKER


mgcIT:   Yes, I tried it on a new published app - Word.  I was still able to create a test document and save it locally.

idyllicsys:  I tried applying the policy to both the servers and the user (me) and it still allows me to write files to the local hard drive.  The policy you mentioned is exactly the one I applied earlier (and still have applied) but it's just not working.

Any ideas?



Snewo
If you have configured the policy the way you say you have, and there is no other setting creating the drive mapping, it should work. But you're setting the wrong policy if you want to disable the possibility to save to the client's local drives; the only thing this policy does is disable the automatic mapping of the local drives.

You should use Client Devices / Drives / Mappings. Enable this policy and check all 4 check boxes (floppy, hard drives, CD-ROM, remote drives) to disable access to (not only automatic mapping of) the client's drives.

For starters, assign the policy to a user account (to make sure it works). If you want to get fancy and just enable it when a user logs in using the Web Interface, use the Client Name filter and enter WI_* (providing you have a clean unmodified installation of WI, clients connecting through WI always get a client name starting with WI_. But this is configurable....)

/Anders
snewo

ASKER


It's still not working, here is what I did.  Please let me know if I missed any steps no matter how small:

- Opened the Management Console
- Clicked on policies
- Double clicked on the policy I want (it is the highest priority)
- Went to Client Devices -> Resources -> Drives -> Mappings
- Enabled Mappings and checked all boxes in the window below (there are no other policy rules in with this policy)
- Selected ok
- Right clicked on my policy and chose "Apply this policy to..."
- Checked Filter based on users
- Under users I added my test account only.
- Checked Allow next to my test user
- Checked ok

I then logged in via the web and launched Excel.   From within Excel I was able to go to File -> Save As and save the file to my local drive.

The C drive displays as: C$ on 'Client' (C:)
The D drive displays as: D$ on 'Client' (D:)


What the heck is going on?  It's like it is completely ignoring my policy. Am I going nuts?


Snewo
Ok, not good ;-)

More questions:
Are all your servers in the farm Presentation Server 4.0?
Are you using an existing policy? (And have you tried creating a fresh policy?)
Are there other policies that apply to your test account that work as intended?

/Anders
snewo

ASKER


- Yes, all servers in the farm (total of 2) are Presentation Server 4.0.

- I made a new policy for this item.

- I have only one other policy which is a universal print driver policy and it appears to be working fine.


The client name filter piece you mentioned looks like it will do the trick, once we solve the drive mapping issue.  



Snewo
Ok, more "stupid" questions ;-)

Have you checked that the problem exists on both servers?
Are you using Active Directory to verify the test account user?

A workaround could be to try editing the launch.ica on the WI-server. Add a line:
CDMAllowed=off

under the [WFClient] section. This should disable Client Drive Mapping for any user launching the application from the Web Interface.

/Anders
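
Added example, not part of the original thread and not Citrix's own code: one way to confirm that an ICA file carries the `CDMAllowed=off` line under `[WFClient]` as suggested above, and to flag the key when it sits in a different section. The sample files are constructed, and INI-style parsing with case-insensitive names is an assumption.

```python
# Constructed sample: an INI-style ICA file with the setting where the post puts it.
SAMPLE_ICA = """\
[WFClient]
Version=2
CDMAllowed=Off

[Excel]
Address=appserver
"""

# Constructed sample: same key, but under the application section instead.
MISPLACED_ICA = """\
[WFClient]
Version=2

[Excel]
cdmallowed = off
"""


def parse_ica(text):
    """Return {section: {key: value}} with lower-cased names.
    Assumption: section and key names are compared case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
        # other lines (text before the first header, lines without "=") are skipped
    return sections


def cdm_status(text):
    """'off', 'other', 'misplaced' (key outside [WFClient]) or 'unset'."""
    sections = parse_ica(text)
    value = sections.get("wfclient", {}).get("cdmallowed")
    if value is not None:
        return "off" if value.lower() == "off" else "other"
    if any("cdmallowed" in keys for keys in sections.values()):
        return "misplaced"
    return "unset"
```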
snewo

ASKER


- Yes, I've forced the test user to log in to both servers and the problem is on both.

- Yes, we're using Active Directory but there are no log-on scripts in place.

- The only launch.ica file I have on my web server does not have a WFClient section, so I made one.   Here are the contents of the launch.ica file.   Does this look ok?


<%
// launch.ica
// Copyright (c) 2000 - 2005 Citrix Systems, Inc. All Rights Reserved.
// [NFuseVersionAndBuildNumber]
%>

<%
currPage = PAGE_LAUNCH;
%>

<!--#include file="serverscripts/webinterface.cs"-->
<!--#include file="serverscripts/include.cs"-->
<!--#include file="serverscripts/session.cs"-->

<%
UserContext userContext = sessCheckOutUserContext();
%>
<!--#include file="serverscripts/launch.cs"-->
<%
sessReturnUserContext( userContext );
%>

[WFClient]
CDMAllowed=off



The above modifications to the launch.ica file don't seem to have made a difference.

Thx,
Snewo
ASKER CERTIFIED SOLUTION
anwede

This solution is only available to members.
snewo

ASKER


That modification to default.ica did it.   Thanks for working with me on this everyone.  



Snewo