Installing PGP Desktop on Citrix Servers. Technical Note

Author: Ashlee Dawson

Version Information PGP Desktop Technical Note. PGP Desktop Version . Released January 2008.

Copyright Information Copyright © 1991–2008 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.

Trademark Information PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Licensing and Patent Information The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.

Acknowledgments This product includes or may include: • The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net). • Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. • bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. • Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, databinding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. • Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1. • Apache Axis is an implementation of the SOAP ("Simple Object Access Protocol") used for communications between various PGP products is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt. • mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html. • jpeglib version 6a is based in part on the work of the Independent JPEG Group. 
(http://www.ijg.org/) • libxslt the XSLT C library developed for the GNOME project and used for XML transformations is distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. • PCRE version 4.5 Perl regular expression compiler, copyrighted and distributed by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org) • Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006. • Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. © 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html. • NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors. • Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html. Secure shell OpenSSH version 4.2.1 developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. • PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released under the BSD license. • Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php. 
• PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. • PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html. • PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. • 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. • JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project. • TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html. • libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg. • libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o. 
• libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc. • gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at

http://www.cs.fsu.edu/~engelen/soaplicense.html. • Windows Template Library (WRT) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php. • The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.

Export Information Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.

Limitations The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Contents

Using PGP Desktop on Citrix Servers

Preparing Your Citrix Server
    Prerequisites
    PGP installation file
    Disabling new user logins
        Disable new user logins using the command line
        Disable new user logins using the console

Installing PGP Desktop on a Citrix Server
    Enable Installation Mode on the server
    Install PGP Desktop
    Disable Installation Mode on the server
    Configure PGP to be used with Seamless Windows
    Recovery options for PGP SDK Service
    Reboot the server

Additional Configuration Tasks
    Remove PGP from startup
    Using Login Scripts to Start PGP Desktop for Specific Users
        Script to start PGP Desktop using ifmember.exe
        Script to start PGP Desktop using VBScript
    Automatically Starting PGP Desktop for Specific Users
        Automatically start PGP Desktop using the Startup folder
        Automatically start PGP Desktop using usrlogn1.cmd
        Automatically start PGP Desktop using Group Policy
    Disabling or Enabling PGP Integration in Windows Explorer
        Disable PGP integration in Windows Explorer
        Enable PGP integration in Windows Explorer
    Re-enabling user logins
        Re-enable new user logins using the command line
        Re-enable new user logins using the console

Reference
    Change logon options for Citrix version 4.5 and higher

Using PGP Desktop on Citrix Servers

This document explains the required installation steps to deploy PGP Desktop on Citrix MetaFrame Presentation Servers and Microsoft Windows 2003 Server with Terminal Services running in Application Server Mode.

This document applies to the following software versions:

• Windows 2003 Server SP1, R2, SP2
• Citrix MetaFrame Presentation Server 3.0, 4.0, 4.5
• PGP Desktop Version 9.6.3 through 9.8

Preparing Your Citrix Server

This section provides information on the steps required to prepare your Citrix Server for the PGP Desktop installation.

In This Chapter
• Prerequisites
• PGP installation file
• Disabling new user logins

Prerequisites

PGP Corporation recommends that the following settings be implemented in your Citrix Server environment:

• Roaming User Profiles: In a Citrix Server Farm with more than one Citrix Server, the use of Roaming User Profiles is strongly recommended. This is required to maintain the PGP User settings across all servers in the Server Farm, since these are stored in the “Application Data” folder of the user’s profile.

• Folder Redirection: It is recommended that you use the Group Policy feature Folder Redirection to redirect the user’s “My Documents” folder to a central network drive. This setting speeds up the login process and maintains consistency of the user’s PGP Keyring files.

PGP installation file

1. Log in to your PGP Universal Server.
2. Navigate to Policy > Internal User Policy.
3. Click Download Client. The Download PGP Clients window is displayed.
4. For Client, select PGP Desktop.
5. For Platform, select Windows (Vista, XP, 2000).
6. Select the box to Customize.
7. Select the option to Auto Select Policy.
8. For PGP Universal Server, enter the hostname of your PGP Universal Server.
   Note: If you are running a PGP Universal Server Cluster, the hostname might be different from the hostname you entered to connect to the PGP Management Console.
9. For Mail Server Binding, enter the desired mail server binding configuration.
   Note: In most cases this will be the wildcard “*” character to enable the binding to all mail servers.
10. Click Download. A download dialog box is displayed.
11. Save the file PGPDesktop.msi to your computer and copy it to a folder on your Citrix server.

This tutorial uses the path M:\install as the folder for the software installation on the Citrix Server.

Disabling new user logins

Before you install PGP Desktop, disable all new user logins on the Citrix Server.

Disable new user logins using the command line

1. Log in to the console of the Citrix Server.
   Warning: Do not use a Citrix ICA or Microsoft RDP connection to a Terminal Session for installation!
2. Disable new user logins on the Citrix Server by entering the following command on the command line of the Citrix server:

       change logon /disable

3. Make sure all users are logged off from the Citrix Server. You can query the active sessions by issuing the command “query user” on the command line of the Citrix Server. Make sure that only your session with the session name “console” is active.

Disable new user logins using the console

When using Citrix Presentation Server Version 4.0 you can also prepare your Citrix server using the Citrix Presentation Server Console.

1. Open the Citrix Presentation Server Console and connect to a Citrix Server in your Server Farm.
2. Select the Citrix Server you want to install PGP Desktop on by expanding the Servers container and clicking the name of the server.
3. Right-click the server name and select Properties.
4. In the Properties dialog box, do the following:
   • Select MetaFrame Settings.
   • Deselect the option to Enable logons to this server.
   • Save this setting by clicking OK.
5. Verify that all users are logged off from the Citrix Server by viewing the Users tab in the Server monitoring window. Make sure that only your session with the session name “console” is active.

Installing PGP Desktop on a Citrix Server

This section provides the steps necessary to install PGP Desktop on your Citrix Server. Be sure to follow the steps in the order presented:

1. Enable Installation Mode on the server
2. Install PGP Desktop
3. Disable Installation Mode on the server
4. Configure PGP to be used with Seamless Windows
5. Recovery options for PGP SDK Service
6. Reboot the server

In This Chapter
• Enable Installation Mode on the server
• Install PGP Desktop
• Disable Installation Mode on the server
• Configure PGP to be used with Seamless Windows
• Recovery options for PGP SDK Service
• Reboot the server

Enable Installation Mode on the server

Microsoft Windows Terminal Services require the server system to be in a special “Installation Mode” when using Terminal Services in “Application Server Mode” and when using Citrix Presentation Server software.

1. To enable Installation Mode on the Server, at the command prompt type the following command:

       change user /install

2. Continue with Install PGP Desktop.

Install PGP Desktop

To install PGP Desktop on a Citrix Server, several special MSI parameters are recommended to exclude PGP functions that are not supported on Citrix or Terminal Server environments.

1. Open a command line on the Citrix Server.
2. Navigate to the folder where the PGP Desktop installation file resides.
3. Start the installation by issuing one of the following commands:
   • To install all components of PGP Desktop, enter:

         msiexec /norestart /I PGPDesktop.msi

   • To install PGP Desktop without PGP Virtual Disk, PGP NetShare, or PGP WDE, enter:

         msiexec /norestart /I PGPDesktop.msi PGP_INSTALL_VDISK=0 PGP_INSTALL_SSO=0 PGP_INSTALL_WDE=0 PGP_INSTALL_NETSHARE=0

4. The PGP Installer starts and requires you to accept the End User License Agreement and displays the Release Notes for review. Click Next to start the installation.
5. After the installation is finished, go back to the command line of the Citrix Server.
   Note: The installer does not ask for a reboot since the reboot was suppressed with the “/norestart” parameter for the Windows Installer. Before the server is rebooted it is required to exit from the Installation Mode.
6. Continue with Disable Installation Mode on the server.

Disable Installation Mode on the server

Microsoft Windows Terminal Services require the server system to exit the Installation Mode after software installation and before a reboot occurs.

1. To disable Installation Mode on the Server, at the command prompt type the following command:

       change user /execute

   Tip: For more information on the "change user" command, see Microsoft KB Article 320185 on CHANGE USER command (http://support.microsoft.com/kb/320185).
2. Continue with Configure PGP to be used with Seamless Windows.

Configure PGP to be used with Seamless Windows

Citrix MetaFrame Presentation Server offers a feature called “Seamless Windows” that is available when publishing single applications. It is recommended to implement the following settings even if you do not use the “Seamless Applications” feature today.

To ensure that a user’s session is correctly logged off when the user closes the last application, PGP Desktop requires a special setting in the Citrix Server’s registry. If this setting is not applied, user sessions stay connected until the user manually closes the PGPtray application that runs in the system tray.

1. Open the registry editor on the Citrix Server. To do this, choose Start > Run and enter regedit in the Open field.
2. Navigate to the Registry key:

       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI

3. Do one of the following:
   • If the value “LogoffCheckSysModules” already exists and another executable is listed, add PGPTray.exe to the list. Do this by inserting a comma immediately followed by PGPTray.exe. Skip steps 4 and 5.
     Note: If multiple executables are configured using this registry value, make sure to separate them using a comma and no space (for example, Prog1.exe,Prog2.exe,PGPTray.exe).
   • If the value is not set, create a new string value by right-clicking in the right part of the window and selecting New > String Value.
4. Name the new value “LogoffCheckSysModules” and assign “PGPtray.exe” as value.
5. Continue with Recovery options for PGP SDK Service.

Creating a file to import into the Windows Registry

If the registry value does not exist or contains no data, you can also use the following steps to add this value for PGP Desktop compatibility.

1. Create a file named pgp_citrix_LogoffCheckSysModules.reg on the Citrix Server.
2. Right-click this file and select Edit from the shortcut menu.
3. Copy and paste the following lines into the file:

       Windows Registry Editor Version 5.00

       [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI]
       "LogoffCheckSysModules"="PGPtray.exe"

4. Save the file and close the editor.
5. Import the registry setting by double-clicking the file.
   Note: Additional documentation about this setting can be obtained from the Citrix Knowledgebase. Follow this link for a detailed explanation of Citrix Presentation Server Published Application settings in Citrix Support Article CTX891671 (http://support.citrix.com/kb/entry.jspa?externalid=ctx891671).
6. Continue with Recovery options for PGP SDK Service.
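Importing the .reg file above replaces whatever LogoffCheckSysModules already contains, so it is only safe when the value is missing or empty. The following batch script is an added example, not part of the original technical note: it appends PGPtray.exe in the comma-and-no-space format and leaves entries registered by other applications intact. The script file name is hypothetical.

```batch
@echo off
rem add-pgptray-logoffcheck.cmd (added example, hypothetical file name)
rem Adds PGPtray.exe to LogoffCheckSysModules without overwriting entries
rem that other applications have already registered in the same value.
setlocal

set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI"
set "VAL=LogoffCheckSysModules"
set "EXE=PGPtray.exe"
set "CUR="

rem Read the current data, if any. reg.exe prints "<name> REG_SZ <data>";
rem tokens=2,* skips the name and the type and keeps the whole data string.
for /f "tokens=2,*" %%A in ('reg query "%KEY%" /v %VAL% 2^>nul ^| findstr /i /c:"%VAL%"') do set "CUR=%%B"

rem Value missing or empty: write PGPtray.exe alone, like the .reg import.
if not defined CUR set "NEW=%EXE%"
if not defined CUR goto write

rem Already listed? Compare case-insensitively on comma boundaries so that
rem a name such as MyPGPtray.exe does not count as a match.
echo ,%CUR%,| findstr /i /l /c:",%EXE%," >nul
if errorlevel 1 goto append
echo %EXE% is already listed in %VAL%; nothing to change.
goto done

:append
rem Existing entries present: append after a comma, with no space.
set "NEW=%CUR%,%EXE%"

:write
reg add "%KEY%" /v %VAL% /t REG_SZ /d "%NEW%" /f
if errorlevel 1 goto failed

:done
rem Show the resulting value so it can be checked before the reboot.
reg query "%KEY%" /v %VAL%
endlocal
exit /b 0

:failed
echo Failed to write %VAL% under %KEY%. 1>&2
endlocal
exit /b 1
```

Running the script a second time changes nothing, so it can be repeated after PGP Desktop updates or on each server in the farm.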

Recovery options for PGP SDK Service

PGP Desktop requires that the system service “PGP SDK Service” is running. To make sure this service is available all the time and is automatically started again if it ends unexpectedly, it is recommended to set recovery options for the PGP SDK Service.

1. Open the Computer Management Console on the Citrix Server by choosing Start > Administrative Tools > Computer Management.
2. Select Services and Applications and open the Services Management.
3. Right-click the service named PGPserv and select Properties.
4. In the Properties dialog box, click the Recovery tab.
5. Select Restart the Service for all three Failure fields.
6. Save this setting by clicking OK.
7. Close the Management Console.
8. Continue with Reboot the server.

Reboot the server

After the installation of PGP Desktop and after exiting the Installation Mode, it is required to reboot the server to finish the PGP Desktop installation.

1. Select Start > Shut Down.
2. Select Restart and fill in the information for the Shutdown Event Tracker.
3. Click OK to restart the server.
   Note: For servers running Citrix MetaFrame Presentation Server 3.0 or later, the logon setting remains in effect after restarting the server. After the server is restarted, users still cannot log in to this server, since new user logins were disabled before installation. It is recommended to leave this setting in place until the Post Installation steps are completed.
   Note: If usage of additional configuration options is required, make sure to re-enable logins to the Citrix Server after the configuration is completed. For more information, see "Re-enabling user logins".
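The command-line steps of this chapter, gathered into one batch script as an added example (not part of the original technical note): it refuses to run outside the console session, always leaves Installation Mode even when the installer fails, and sets the PGPserv recovery options with sc.exe instead of the Services console. Assumptions: the script file name, the 60-second restart delay and daily failure-counter reset, that PGPserv is the service's key name as well as the name shown in the console, and that SESSIONNAME is "Console" only in the console session. The Seamless Windows registry change and the reboot are not included.

```batch
@echo off
rem install-pgp-citrix.cmd (added example, hypothetical file name)
rem Run at the console of the Citrix Server, from the folder that contains
rem PGPDesktop.msi (this note uses M:\install).
setlocal

rem Refuse to run inside an ICA or RDP session. Assumption: SESSIONNAME is
rem "Console" only for the console session, as on Windows Server 2003.
if /i not "%SESSIONNAME%"=="Console" goto notconsole
if not exist PGPDesktop.msi goto nomsi

rem 1. Block new logons, then let the administrator confirm that only the
rem    console session is left.
change logon /disable
query user
echo.
echo Continue only if your "console" session is the only one listed.
echo Press Ctrl+C to abort.
pause

rem 2. Enter Installation Mode and run the installer with the reduced
rem    feature set from this note. start /wait blocks until msiexec exits.
change user /install
start /wait msiexec /norestart /I PGPDesktop.msi PGP_INSTALL_VDISK=0 PGP_INSTALL_SSO=0 PGP_INSTALL_WDE=0 PGP_INSTALL_NETSHARE=0
set "RC=%ERRORLEVEL%"

rem 3. Always leave Installation Mode, even if the installer failed.
change user /execute

rem msiexec returns 0 on success and 3010 when a reboot is still required.
if "%RC%"=="0" goto installed
if "%RC%"=="3010" goto installed
echo msiexec failed with exit code %RC%. New logons remain disabled. 1>&2
exit /b %RC%

:installed
rem 4. Restart the PGP SDK Service after the first, second and subsequent
rem    failures. Assumptions: 60000 ms delay, counter reset after 86400 s.
sc failure PGPserv reset= 86400 actions= restart/60000/restart/60000/restart/60000
if errorlevel 1 echo Could not set recovery options for PGPserv. 1>&2

rem Print the stored recovery settings for review.
sc qfailure PGPserv

echo.
echo Installation finished. Apply the LogoffCheckSysModules registry setting,
echo then reboot the server. New logons stay disabled until re-enabled.
endlocal
exit /b 0

:notconsole
echo Run this script from the server console, not an ICA or RDP session. 1>&2
exit /b 1

:nomsi
echo PGPDesktop.msi was not found in the current folder. 1>&2
exit /b 1
```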

Additional Configuration Tasks

Applications installed on Citrix Servers often require special adjustments to enhance the user experience. Some common adjustments are listed in this section.

In This Chapter
• Remove PGP from startup
• Using Login Scripts to Start PGP Desktop for Specific Users
• Automatically Starting PGP Desktop for Specific Users
• Disabling or Enabling PGP Integration in Windows Explorer
• Re-enabling user logins

Remove PGP from startup

In some environments it is not practical to start the PGP Desktop software for each user that logs into the Citrix Server. PGP Desktop should be started only for users that have this application assigned by group memberships. To disable the automatic start of PGP Desktop at each user login, remove the link to “pgptray.exe” from the Startup program group.

1. Open Windows Explorer on the Citrix Server.
2. Navigate to the folder %SYSTEMDRIVE%\Documents and Settings\All Users\Start Menu\Programs\Startup.
3. Delete the shortcut to PGPTray.exe from this folder.
4. When prompted, confirm you want to remove this file by clicking Delete Shortcut.

Tip: You can also delete the shortcut by entering the following command on the command line of the Citrix Server:

    del "%ALLUSERSPROFILE%\Start Menu\Programs\Startup\PGPtray.exe.lnk"

Note: When installing PGP Desktop Updates, the installer places a new shortcut to PGPtray.exe into the All-Users Startup folder. Remember to delete the shortcut after every PGP Update installation.

Using Login Scripts to Start PGP Desktop for Specific Users

This section provides information on two login scripts that you might find useful.

Script to start PGP Desktop using ifmember.exe

If you want to use a login script hosted on the Citrix Server, you can utilize the “ifmember.exe” tool provided with the Windows 2003 Server Resource Kit Tools to start PGP Desktop services for users that belong to a certain user group at login time.

1. Download and install the Windows 2003 Server Resource Kit Tools from the Microsoft website on a separate computer.
   Note: The Windows 2003 Server Resource Kit (https://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd) can be downloaded from Microsoft and can be used at no extra cost for Microsoft Windows 2003 Server customers.
2. Copy the tool ifmember.exe from the PC where you installed the Windows 2003 Server Resource Kit Tools to the Citrix Server. Copy the file to the folder %SYSTEMROOT%\system32 on the Citrix Server.
3. Create a new script named startpgp.cmd in the folder %SYSTEMROOT%\system32 on the Citrix Server. Copy and paste the following lines into the script and replace the placeholder DOMAIN\GroupName with the name of the Active Directory Group that contains all user accounts that should have PGP Services enabled on this Citrix Server:

       @echo off
       rem startpgp.cmd
       rem Script to start pgptray only if the user belongs to a specified
       rem domain group
       rem
       rem Make sure to have the latest version of ifmember.exe from the
       rem Windows 2003 Server Resource Kit Tools package available in
       rem the folder %SYSTEMROOT%\system32
       rem
       rem DOMAIN\GroupName is a placeholder for your Active Directory group.
       rem ifmember returns the number of listed groups the user belongs to.
       ifmember "DOMAIN\GroupName"
       if errorlevel 1 (
           start "PGP" "%PROGRAMFILES%\PGP Corporation\PGP Desktop\pgptray.exe"
       )

   Note: Remember to replace the placeholder DOMAIN\GroupName with the name of the Active Directory Group that contains all user accounts that should have PGP Services enabled on this Citrix Server.
   Note: Complete documentation for the ifmember.exe tool can be found in the Windows 2003 Server Resource Kit Help documents.

Script to start PGP Desktop using VBScript

If you want to use a login script hosted on the Citrix Server, you can utilize Windows Scripting Host components to start PGP Desktop services for users that belong to a certain user group at login time.

1. Create a new script named startpgp.vbs in the folder %SYSTEMROOT%\system32 on the Citrix Server. Copy and paste the following lines into the script and set the variable strGroup to the name of the Active Directory Group that contains all user accounts that should have PGP Services enabled on this Citrix Server:

       ' startpgp.vbs
       ' Visual Basic Script to start pgptray only if the user belongs
       ' to a specified domain group
       ' ----------------------------------------------------------------
       '
       Option Explicit
       Dim objNetwork, objUser, objGroup, objShell
       Dim strGroup, strDomain, strUser, strProg, intResult

       'Set the variable strGroup to the name of the appropriate AD group
       strGroup = ""
       strProg = "%PROGRAMFILES%\PGP Corporation\PGP Desktop\pgptray.exe"

       Set objNetwork = CreateObject("WScript.Network")
       Set objShell = CreateObject("WScript.Shell")
       ' Expand %PROGRAMFILES% and quote the path because it contains spaces
       strProg = """" & objShell.ExpandEnvironmentStrings(strProg) & """"
       strDomain = objNetwork.UserDomain
       strUser = objNetwork.UserName
       Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

       ' Start pgptray (hidden window, do not wait) on the first group match
       For Each objGroup In objUser.Groups
           If objGroup.Name = strGroup Then
               intResult = objShell.run(strProg, 0, False)
               Exit For
           End If
       Next

       Set objUser = nothing
       Set objShell = nothing
       Set objNetwork = nothing
       Set objGroup = nothing

   Note: Remember to set the variable strGroup to the name of the Active Directory Group that contains all user accounts that should have PGP Services enabled on this Citrix Server.
   Note: The complete Visual Basic Scripting Reference (http://msdn2.microsoft.com/en-us/library/d1wf56tt.aspx) is available online from Microsoft.

Automatically Starting PGP Desktop for Specific Users

This section provides information on how to automatically start PGP Desktop for certain users.

Automatically start PGP Desktop using the Startup folder

The easiest way to start PGP Desktop Services for certain users in a small Citrix Server Farm is to use the startup folder from the Windows Start Menu.

1. Make sure “pgptray.exe” is not started using the link in the startup folder. See Remove PGP from startup for details.
2. Make sure you created a script to start PGP Desktop Services based on group memberships as described in Script to start PGP Desktop using ifmember.exe and that you have placed it in the folder “%SYSTEMROOT%\system32” on the Citrix Server.
3. Create a link to the script in the folder “%SYSTEMDRIVE%\Documents and Settings\All Users\Start Menu\Programs\Startup” on the Citrix Server.

Automatically start PGP Desktop using usrlogn1.cmd

Windows 2003 Servers with Terminal Services running in Application Server mode run extra scripts at each user login. The execution of these scripts is hidden, so this is a convenient way to start PGP Desktop services for users that belong to a certain user group at login time.

By default, the first script that is executed is the preconfigured script usrlogon.cmd in the %SYSTEMROOT%\system32 folder of the Citrix Server. This script starts scripts named usrlogn1.cmd and usrlogn2.cmd during execution, if these exist. To start PGP Desktop Services on Citrix Servers, the usage of the usrlogn1.cmd script is recommended.

1. Make sure “pgptray.exe” is not started using the link in the startup folder. See Remove PGP from startup for details.
2. Make sure you created a script to start PGP Desktop Services based on group memberships as described in Script to start PGP Desktop using ifmember.exe and that you have placed it in the folder “%SYSTEMROOT%\system32” on the Citrix Server.
3. If a script named usrlogn1.cmd already exists in the folder %SYSTEMROOT%\system32 on the Citrix Server, open this script for editing. If this script does not exist, create a new script named usrlogn1.cmd and open it for editing.
4. Add the name of the script (startpgp.cmd or startpgp.vbs) you created to start the PGP Desktop Services to the script usrlogn1.cmd. If the script already existed, add the line at the end of the script.

Automatically start PGP Desktop using Group Policy

If you want to start PGP Desktop Services only for a certain group of users, you can utilize the Windows Active Directory Group Policy features. In this case no additional scripts or tools are required on the Citrix Servers. The use of Group Policy is recommended for large Citrix Server Farms.

1. Make sure “pgptray.exe” is not started using the link in the startup folder. See Remove PGP from startup (on page 21) for details.

2. Utilize Active Directory Users and Groups Management Console or Group Policy Management Console on a Domain Controller or any other computer that has administrative access to the corporate Active Directory.

3. Enable the execution of the PGP Desktop component “pgptray.exe” in the folder %SYSTEMDRIVE%\Documents and Settings\All Users\Start Menu\Programs\Startup.

Note: Since Group Policy configuration for Citrix Servers differs from the configuration of Client PCs, make sure you work together with an Active Directory Administrator and a Citrix Server Farm Administrator so the settings are applied to the right Groups, Organizational Units and Group Policies in Active Directory.

Disabling or Enabling PGP Integration in Windows Explorer

This section provides information on how to disable or re-enable PGP Desktop functionality, such as the ability to create new PGP Zip files using the File menu.


Disable PGP integration in Windows Explorer

PGP Desktop adds an additional option to the File menu of Windows Explorer. This menu can be used to create new PGP Zip files or to use the PGP Shredder for certain files or folders.

In many Citrix environments it is not desirable to provide these functions to the users of the Citrix Server. This menu can be removed using the following steps.

1. Open the registry editor on the Citrix Server by selecting Start > Run and entering regedit in the Open field.

2. Navigate to the Registry key HKEY_CLASSES_ROOT\CLSID\{969223c0-26aa-11d0-90ee-444553540000}.

3. To remove the key and its values, right-click the key named {969223c0-26aa-11d0-90ee-444553540000} in the left pane of the window and select Delete from the shortcut menu.

4. Confirm the deletion of this key by clicking OK.

You can also use the following steps to remove this registry key:

1. Create a file named pgp_RemoveShellExtensions.reg on the Citrix Server.

2. Right-click this file and select Edit.

3. Copy and paste the following lines into the file:

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\CLSID\{969223c0-26aa-11d0-90ee-444553540000}]

[-HKEY_CLASSES_ROOT\CLSID\{969223c0-26aa-11d0-90ee-444553540000}\InProcServer32]
@=-
"THREADINGMODEL"=-

4. Save the file and close the editor.

5. Import the registry setting by double-clicking the file.
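An added example, not part of the original technical note: a batch script that performs the same removal with reg.exe, first exporting the key so the original values can be restored by importing the backup, then verifying that the key is gone. The CLSID is the one given in this section; the backup file name and location are assumptions.

```batch
@echo off
setlocal
rem Added example, not part of the PGP technical note.
rem KEY is the shell-extension CLSID from the note; BACKUP is a hypothetical path.
set "KEY=HKCR\CLSID\{969223c0-26aa-11d0-90ee-444553540000}"
set "BACKUP=%SYSTEMDRIVE%\pgp_ShellExtension_%COMPUTERNAME%.reg"

rem Nothing to do if the extension is already unregistered on this server.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo %COMPUTERNAME%: PGP shell extension is not registered.
    exit /b 0
)

rem Never overwrite an earlier export: it may hold the only copy of the original values.
if exist "%BACKUP%" (
    echo %COMPUTERNAME%: %BACKUP% already exists, move it away first.
    exit /b 1
)

rem Export the key, including its InProcServer32 subkey, before touching it.
reg export "%KEY%" "%BACKUP%" >nul
if errorlevel 1 (
    echo %COMPUTERNAME%: export failed, key left untouched.
    exit /b 1
)

rem Delete the key and all of its subkeys without prompting.
reg delete "%KEY%" /f >nul
if errorlevel 1 (
    echo %COMPUTERNAME%: delete failed.
    exit /b 1
)

rem Verify: the query must fail now that the key is gone.
reg query "%KEY%" >nul 2>&1
if not errorlevel 1 (
    echo %COMPUTERNAME%: key is still present after the delete.
    exit /b 1
)
echo %COMPUTERNAME%: PGP shell extension removed, backup saved to %BACKUP%.
exit /b 0
```

The exit code is 0 when the key is absent at the end of the run and 1 otherwise, so the script can be run on each server of a farm and its result checked.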


Enable PGP integration in Windows Explorer

If you need to re-enable the PGP integration in Windows Explorer, execute the following steps on the Citrix Server.

1. Create a file named pgp_EnableShellExtensions.reg on the Citrix Server.

2. Right-click this file and select Edit.

3. Copy and paste the following lines into the file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{969223c0-26aa-11d0-90ee-444553540000}]
@="PGP Shell Extension"

[HKEY_CLASSES_ROOT\CLSID\{969223c0-26aa-11d0-90ee-444553540000}\InProcServer32]
@="pgpmn.dll"
"THREADINGMODEL"="Apartment"

4. Save the file and close the editor.

5. Import the registry setting by double-clicking the file.

Re-enabling user logins

After successful installation and configuration, make sure that you re-enable user logins to the Citrix Server. After enabling user logins, the Server is considered by the Citrix Load Balancing features again and users can use PGP Desktop Services on this Server.

Re-enable new user logins using the command line

Enable new user logins on the Citrix Server by entering the following command on the command line of the Citrix server:

change logon /enable

Re-enable new user logins using the console

When using Citrix Presentation Server Version 4.0, you can also use the Citrix Presentation Server Console to enable new user logins.

1. Open the Citrix Presentation Server Console and connect to a Citrix Server in your Server Farm.

2. Select the Citrix Server you installed PGP Desktop on by expanding the Servers container and clicking the name of the server.

3. Right-click the server name and select Properties.

4. In the Properties dialog box, do the following:
   - Select MetaFrame Settings.
   - Select the option to Enable logons to this server.
   - Save this setting by clicking OK.

5 Reference

This section provides additional reference information that you may find helpful.

In This Chapter

Change logon options for Citrix version 4.5 and higher

Change logon options for Citrix version 4.5 and higher

When running Citrix Presentation Server Version 4.5 or higher, use the Citrix Access Management Console to enable and disable user logons to a Citrix Server.

1. Open the Citrix Access Management Console.

2. Navigate to Citrix Resources > Presentation Server > Server Farm > Servers and select the Citrix Server on which you want to enable or disable logons.

3. Modify the setting by clicking on the appropriate action in the “Other Tasks” pane in the right window.
