What a Citrix / Terminal Server admin can and can't do with a Mac

As many of you know, I recently switched from Windows to Mac. Now that owning a Mac is so trendy there have been dozens of articles and blogs written about how to use a Mac in a corporate environment (hooking up to an Exchange server, firewalls, etc.). In this article, I'll share what I've learned and discovered about using a Mac as a Citrix / Terminal Server admin. (And no, I'm not going to talk about running Windows in a VM on a Mac. I'm talking about a "real" Mac OS X in a Citrix and Terminal Server environment.)

Using a Mac with a Terminal Server

Let's start with Terminal Server. First, yes, Microsoft makes an RDP client for Mac. They call it the Remote Desktop Connection for Mac, and you can download it from Microsoft.com. Right now the RDP Mac client is compiled for PowerPC processors, but of course this will seamlessly run on Intel Macs. (I have an Intel Mac.) The only weird thing is that client printer mapping only works from PowerPC-based clients. I assume that Microsoft will release a universal binary version soon that will fix this problem.

A little quirk to keep in mind is that while cutting and pasting between the local and remote system works fine, you need to remember that each platform uses a different keystroke. So to copy something from your desktop to a remote server, you would need to use OPTION+H on your desktop, and then CTRL+V in the remote session. I can't tell you how many times I think that the clipboard is broken only to finally realize I've been trying OPTION+C in the remote RDP session instead of CTRL+C.

You can also connect to Windows Server 2003 console sessions with the Mac RDP client by holding down the Option key when you click the "connect" button. Very nice.

The only thing that's super weird about the Mac RDP client is that only one instance of it can run at a time. So if you have a session open and you launch the RDP client from the Applications folder, it will just pop your current session window to the foreground instead of popping up the box that allows you to connect to a second remote RDP session. Fortunately there is a cool utility that fixes this problem called RDC Launcher. RDC Launcher is this little app that spawns individual and separate instances of the RDP client software. So instead of clicking on the RDP client to open new windows to connect to other systems, you click on the RDC Launcher and it pops up another client. I use this every day and routinely have three or four RDP sessions connected at the same time.

Using a Mac with Citrix Presentation Server

As for Citrix, yes, Citrix offers an ICA client for the Mac too. It's currently version seven-something (versus nine-something for the Win32 client), but it supports the main features like seamless windows, multiple connections, client printing, client drives and audio, etc. The Mac ICA client also fully supports MIME types in the normal way, so users accessing their applications via Web Interface can just click on an icon to run an application. Gone are the days where the temporary ICA file had to be saved to the desktop and then double-clicked.

There's no Program Neighborhood for the Mac, but that shouldn't really be a problem since it's compatible with Web Interface.

The only really annoying thing about the Mac ICA client is that the Option+H hotkey combination is not passed through to the remote seamless application. In the Mac OS X world, Option+H "hides" an application, which is kind of like minimizing an app in Windows except that hiding an app also removes it from the dock (the taskbar equivalent). It would be cool if the Option+H command could be used to hide individual seamlessly-published apps, but instead it's intercepted by the local OS and ends up hiding the entire ICA client.

Another cool way to access your ICA apps from a Mac is via the "Powertoy" components on CDN. One of these components is a Firefox browser extension that's essentially an ICA Program Neighborhood Agent plug-in for Firefox. This extension works fine with the Mac version of Firefox.

Finally, you can connect to Windows PCs using Citrix's GoToMyPC product from a Mac, but a Mac cannot be the remote computer that you're connecting to. However, because the GoToMyPC viewer is Java-based, you won't be able to cut and paste between your local and remote programs.

What's missing?

The biggest bummer about this whole Mac / Citrix thing is that as of today, there is no Mac client for the Citrix Access Gateway. This is a huge bummer for me. I guess it's kind of cool that Mac OS X has a pretty slick and totally integrated PPTP client, and I use it every day. But I still occasionally get stuck at a location that doesn't have the PPTP port open, and I'm jealous of my coworkers who can tunnel in via 443.

The good news on that front is that I interviewed Mark Templeton last week, and I made a passing remark about the lack of a CAG client for the Mac. Mark said that a Mac CAG client is definitely coming. Citrix is looking for strong Mac support since more and more are being sold, and Citrix needs to support whatever client devices the masses are using.

12 comments

To clarify, seamless windows is not supported with the MacOS X client.  Individual published applications will run with a border around them.  The Citrix Web Interface 4.x defaults to using the ICA Java client when using the Safari browser.  The Java client does support seamless apps.  However, there are a couple Citrix articles that describe how to change this behavior and give the users a choice.
 
Our company has a small Graphics Arts department with about 12 users mainly running Macs.  With the advent of the Intel based machines and virtualization (Bootcamp and Parallels) Mac users have a lot of choices to run Windows apps.  But so far ours seem to be sticking with Citrix since it doesn't disrupt their work and they can have the same access from both home and work.
Cancel
As an independent Windows consultant, I recently noticed an increasing number of Macs in several of my clients' workplaces. I ignored it.
 
But as management began to request more and more of "how can we use these Macs in the enterprise and connect to Windows AD?" questions, I noticed I was saying "I don't do Macs or Apple" one too many times. If I said it too much, they would find someone who would answer Yes.
 
So I got a Mac Pro.
 
How is this thing going to pay for itself, I thought. Then I had a client come to me with a project:
 
They were all on an NT40 domain, with about 200 users. They wanted to migrate to W2K3 AD with minimum interference and not lose any computer accounts and user security accounts.
 
Long story short-- I used a PC running VMWare to create an NT40 BDC at their offices; then brought the BDC back to my lab. I then used the MAC running Parallels and created multiple VMs and a VM running W2K3 as the control station. The upgrade from NT40 to W2K3 ran flawlessly on the MAC VM and retained all user accounts and computer accounts.
 
My client then wanted to change the Domain Name.
 
Still using the MAC VM Parallels environment, I used the procedure:
http://www.microsoft.com/technet/downloads/winsrvr/domainrename.mspx
recommended by Microsoft for renaming a domain.
 
I then got the client's 1U Supermicro server they planned on using as  their new domain controller and used DCPROMO to migrate the AD information over to the fully-physical machine. I then demoted the MAC VM AD, migrated master roles, and that was it.
 
There was a little cleanup on the Supermicro needed to purge some metadata out of AD after I used DCPROMO to bring the Supermicro server online. 
I used this:
http://technet2.microsoft.com/WindowsServer/f/?en/library/1a7522c3-ac6e-4f83-af5b-9be87b47a95d1033.mspx
to delete the extinct server metadata from the new AD.
 
I could not have done this without the MAC. The PC VMWare did not like the NT40 VM after it was upgraded to W2K3 and I could not figure out how to get VMWare to see the new change in OS after the upgrade, so it crashed. The MAC VM Parallels product, on the other hand, upgraded smoothly. It warned me as I was booting into W2K3 that the OS had changed; so I changed the platform in a dropdown box, and that was it-- instant upgrade.
 
Need stuff.
 
William Lolli
Tech Assist Inc
Escondido CA
 
Cancel
Neat Stuff, not need stuff
 
Cancel
Hi there Brian,

This is immensely helpful to those of us who use a Mac for accessing server-based applications full-time or from our home machine.

One thing I would like to add is that the latest Java ICA client supports more features (such as seamless windows) than the native Mac client and would be worth checking out.

One major issue I have with the Mac client is the lack of support for this platform from vendors like Uniprint and ThinPrint. Neither of these vendors offers (working and usable) Mac support for their products, which is very disappointing if these products are required for printing from a Citrix session.



Cancel
Other issues that you might run into while using either of the Mac clients to access Citrix:

Certificates. Unlike Windows, neither the Mac client nor the Java client accesses the central Keychain keystore. What this means is that it is very unlikely that your Secure Gateway's certificate will be supported "out of the box" by either client.

Adding certificates to the native client is not particularly difficult, and it is possible to add the certificate and re-bundle the client into a DMG with the cert included.

The Java client is SIGNIFICANTLY more complicated. It involves using the command line to add the certificate to the java keystore.

I really do hope that Citrix brings the Mac client up to date - usage of the Mac by folks at home has been increasing over the last two years a great deal.

Matthew
Cancel
ORIGINAL: William Lolli
Long story short-- I used a PC running VMWare to create an NT40 BDC at their offices; then brought the BDC back to my lab. I then used the MAC running Parallels and created multiple VMs and a VM running W2K3 as the control station. The upgrade from NT40 to W2K3 ran flawlessly on the MAC VM and retained all user accounts and computer accounts.

My client then wanted to change the Domain Name.

Still using the MAC VM Parallels environment, I used the procedure:
http://www.microsoft.com/technet/downloads/winsrvr/domainrename.mspx
recommended by Microsoft for renaming a domain.

I then got the client's 1U Supermicro server they planned on using as  their new domain controller and used DCPROMO to migrate the AD information over to the fully-physical machine. I then demoted the MAC VM AD, migrated master roles, and that was it.

There was a little cleanup on the Supermicro needed to purge some metadata out of AD after I used DCPROMO to bring the Supermicro server online. 
I used this:
http://technet2.microsoft.com/WindowsServer/f/?en/library/1a7522c3-ac6e-4f83-af5b-9be87b47a95d1033.mspx
to delete the extinct server metadata from the new AD.

I could not have done this without the MAC. The PC VMWare did not like the NT40 VM after it was upgraded to W2K3 and I could not figure out how to get VMWare to see the new change in OS after the upgrade, so it crashed. The MAC VM Parallels product, on the other hand, upgraded smoothly. It warned me as I was booting into W2K3 that the OS had changed; so I changed the platform in a dropdown box, and that was it-- instant upgrade.



It seems you are having a problem with VMware, remember when you upgrade NT4 to Win2k3 in VM, you need to upgrade the VMware tools or else the VM network driver would give you problems.  I love how Mac users post these "Mac to the rescue" posts.

I've never had the problem you indicated here, in fact it could be done without VMware with Microsoft's own free Virtual PC product.  I find VPC has better driver support than VMware, I use VMware for application development more.


Cancel
Brian,

Be aware that Citrix does support the Access Gateway Enterprise on a Mac. I use this daily to full satisfaction.
Cancel
The last time I used Citrix ICA with a Mac, I discovered an odd "undocumented feature." Whenever I had a Microsoft Office program open, Command-C (copy) would interrupt the Citrix session. (Pulling down Edit > Copy from the menu interrupted it too.) I'd have to quit all MS Office programs in order to successfully relaunch ICA.

Since I was one of the only people using a Mac at my company (and the only one using Citrix over a Mac), the IT department didn't want to spend too many resources fixing the problem, so I wound up cutting-and-pasting (instead of copying). The company was on MetaFrame XP, and I hope Presentation Server has solved that problem. Anyone else familiar with this hiccup, or was it unique to my old company? I have a choice of Mac or PC at my new Citrix-friendly company, and if this bug is still present, then it might alter my decision.
Cancel
Ah good point. Of course the Access Gateway enterprise edition is based on the NetScaler stuff, not the Net6 stuff, and the enterprise edition does not give you AAC or smartaccess functionality. Plus those enterprise things are freaking expensive.
 
Brian
Cancel
I've had this hiccup problem on a Windows client. We use PS3 with an ICA v8 web client and WI2. It does not always happen, but sometimes, maybe after a while of inactivity.
Cancel
The biggest issue I face integrating Macs into our environment is the total ban on usernames and passwords - we require smart card authentication for all access to any resource.  With Thursby ADmitMac middleware, we are now authenticating to the Mac and getting an AD Kerberos ticket (The Apple OS does not know what to do with the ticket), and VMware on the Mac works fine with a smartcard, except only one OS can own the SCM Microsystems reader.  (Parallels cannot support our USB readers, and is a Russian based company causing other issues.)  The RDP clients, from any source, do not appear to support smart cards either, which could be our way into the virtual machine.
 
Apple Mail or Microsoft Office 2004 Entourage for Mac cannot connect to our Exchange servers because no one knows their passwords because of the required smart card authentication enforced from the user account in AD.  Until users can get to the GAL (for e-mail signing and encryption certificates), and interact with free/busy, they again cannot fit into our Enterprise, because we are 100% Microsoft Exchange.  One solution requires IMAP (off in our environment) and the other WebDav or OWA - and OWA is now required to be off.
 
Until vendors start taking smart card authentication seriously, they will have issues getting into our environment.
 
BTW - Apple is not the only vendor.  Linux and Solaris struggle here also.  Microsoft has smart card authentication almost figured out - except for OWA, so we are not totally happy with them either.
 
Another big issue is the lack of VPN support to the newer Cisco and Juniper devices, and again no smart card support...
 
Also, almost every Apple patch and OS update breaks existing software.  A perfect example is the Citrix ICA client for Macs.  This makes them very difficult to manage.
 
I don't want to come across as pro-Microsoft and anti-everything else, but I have requirements for our Enterprise and all products must measure up or be left behind...
 
My stance, at the moment, is that Apple (and Linux) workstations are mere toys and are not Active Directory Enterprise ready.
Cancel
Citrix fanboy. Now Mac fanboy... What is happening with you Brian?
 
Cancel
