MetaFrame Presentation Server 4.0 (due out next year) will have a brand-new version of the Web Interface. Where is Citrix going with this version? What has changed, and what are the real goodies you’ll get?
A lot has changed, and many things that have been requested by the community are now included. Citrix is also moving towards their goal of creating a secure access infrastructure with “smart” clients (or “trusted” clients) playing a main role. Finally, Web Interface 4.0 continues Citrix’s push to centralize the administration of all their products through a centralized MMC snap-in called the Access Suite Console (“ASC”).
Web Interface and Secure Gateway are great products. Unfortunately, there’s one big drawback from Citrix’s point of view: They are free for the Customers! I think this is the reason why some features have been moved from Web Interface to MSAM. (For instance, Citrix did not develop Web Interface Extension 3.0. Your only choice to access multiple non-trusting domains is to use MSAM.) On the other hand, Citrix has added a lot of new features to the Web Interface since the release of MSAM.
In the new version of Web Interface, administrators can visually view their site’s configuration and can easily change its design without ever having to touch any source code. Administrators of multiple farms will be happy with the new configuration service, and global administrators will be happy that Citrix implemented Multilanguage support.
In previous versions of Web Interface, administration and configuration were done via the WIAdmin web pages, and a site’s layout could only be changed by modifying source code files. All of this has now been moved to the central Access Suite Console (“ASC”) where the Web Interface is integrated as an MMC extension.
This change was made for two reasons. Besides the fact that Citrix wants to move everything to their central console, it also improves security. The current security wave has an impact on almost every software company, especially the one that wants to be THE Company for secure access solutions. The problem with the WIAdmin web pages was that they were exposed to the Internet and were the first point for a hacker’s attack. If someone got access to the WIAdmin, he could easily disable the RSA functionality or gain knowledge about servers or domains. The complete removal of the WIAdmin Web page was reasonable.
Another great administrative change is great news for UNIX customers. In WI 4.0, you can also use the ASC to manage your Web Interface for UNIX Servers. This ends the manual editing of the configuration file.
The first part of the Web Interface 4.0 installation is the installation of the ASC.
This view shows all the information about the current configuration of the Web Interface. You can see that this current configuration has two access routes. The first one is a direct connection while the second is a direct Secure Gateway route. (Setting the default route in this preview release requires using all zero values for the IP Address and the Mask (0.0.0.0). The final release will have a simple drop-down option for this.)
Customizing Web Interface 4.0 to match a current corporate design is much easier than ever before. Since this task usually falls to a Citrix administrator, Citrix integrated it into the ASC MMC snap-in that provides a slick interface. You can now change the layout, welcome area, branding and application layout within minutes (and know where you made the changes a few months later). The only thing missing is the option to change the footer information, but this will hopefully be added in the final release. (If not, you’ll have to edit some source files again.)
Multiple Web Site Support
Even though it’s “technically” possible to rig a single web server so that it can support multiple Web Interface sites today, WI 4.0 is the first officially supported version with this functionality. It’s also the first version that does this process automatically and within the ASC.
In addition to just running multiple Web Interface sites, Citrix has also built a framework that allows you to manage multiple Web Interface sites. In previous versions this had to be done with scripts or whatever was available. WI 4.0 contains the Web Interface configuration service which is based on MetaFrame Presentation Server 4.0.
As previously said, WI’s new configuration service requires MetaFrame Presentation Server 4.0. This is for two reasons. First, the new version of the Citrix XML Service is needed (which by the way also supports STA functionality). Secondly, MetaFrame’s IMA Data Store has new schema enhancements and is now responsible for storing configuration information for a single Web Interface site or complete groups of sites. You can also use the ASC to configure Load balancing across multiple Web Interface servers (as shown in the next picture). The Web Interface Servers don’t need to be in the same domain to work together.
The setup of a load-balanced WI is now really simple. Install the ASC and WI on your servers and point the configuration service to an MPS 4.0 Server. Repeat those steps with all your WI Servers. Then, use the ASC to create a new group and select the WI Servers that you want to group together. (Make sure you run an ASC discovery again if the sites don’t show up automatically.) Now you have a load-balanced Web Interface server group with a central place to change settings group-wide.
Error or diagnostic Logging
A new feature of Web Interface 4.0 is error logging to the server’s event log. The technical preview of WI 4.0 only has placeholder information for the event descriptions, but the final version will give more detailed information and probably link to their knowledge base.
This is a great feature—especially when maintaining multiple Web sites—that will hopefully help a lot of people.
Again, this multilanguage support was possible with some of the previous versions of Web Interface, but it was not as advanced as it is in Web Interface 4.0.
The WI 4.0 installer has multilanguage support and detects the default language of the operating system during the installation. Other languages are installed in language packages so that future language packages can easily be added to an existing Web Interface.
Whenever a user visits the Web Interface logon page, the client language is detected by getting the language setting from the Internet Browser or the language that was set by the Administrator in the ASC. If no language has been set and the client language cannot be detected, then WI falls back to the English language. However, the user still has the ability to set his preferred language manually.
Since WI 4.0 supports multiple languages, it needs to include the source files for the ICA client software for each platform in each language. Since a single server can also support multiple sites, this could waste a lot of space. Therefore, Citrix moved the ICAWEB folder to a central location that’s then mapped to each site. (The only client that is not localized is the Java client because version 9 of the ICA Java client is now in a multilanguage format.)
At this point it’s still unclear whether RADIUS support will be integrated with Web Interface 4.0. The first time I found a note about RADIUS in WI 4.0 was after the installation of the LogonAgent, but the LogonAgent is normally only used with MSAM. Also, the LogonAgent is technically a part of the Secure Gateway—not Web Interface. At this point my guess is that RADIUS support will only be for MSAM. This will make MSAM a bit more attractive.
What is that? Never heard of it? I also never heard of it before I dug into Web Interface 4.0. Under the hood, WI 4.0 uses an entirely new Software Development Kit (SDK). The old Java objects have been rewritten from the ground up to support a more powerful and extensible set of features. These new Java objects have nothing to do with the Java objects that are currently documented in Citrix’s "Customizing the Web Interface for MetaFrame Presentation Server 3.0 - CTX103931" article. This new SDK is internally called the Web Interface Next Generation (or “WING”) and is not backwards-compatible. This of course means that any custom scripts used with Web Interface 3.0 will have to be rewritten.
There are several other random little changes that don’t really fit into the other categories.
- UPN Suffix support. WI 4.0 supports Active Directory’s UPN Suffixes and UPN-style logons. You can also predefine this in the ASC.
- Compact layout option for PDAs. This simplified set of pages only shows the logon fields and the application set.
- Bandwidth selection (ConnSpeed) and Java Fallback are now fully integrated. These enhancements have been available for a long time as a “hack” modification, but they had to be manually reapplied with every new version. Now this support is fully integrated.
- Secure Gateway 3.0 will support Session Reliability traffic over port 2598. This is an option that can be configured for the Web Interface via the ASC.