12 Oct 2006 12:00 AM EDT

I was fascinated by Jeff Muir's account of how the ICA web client came to be written, and also by the timing of when this happened (much earlier than I realized).  It brought home to me again the curious arc Web Interface is riding, from the early days of the Web when it was a novelty to be able to run applications from a web browser, to the point we are at now where it is getting increasingly difficult to run ICA applications from a web browser, at least with the technology we have today.  Making sure we are in a better place a few years from now concerns me, and makes me wonder if we need a step-change in technology.

We've known for some time that it is getting harder, and that people are running into more and more situations where Web Interface isn't working properly and they can't get access to their applications.  It isn't just executives using the kiosks in airports and hotels - though you can imagine how much visibility that gets when a company has just put in a shiny new Citrix system for remote access!  It also matters for customers wanting employees to be able to access critical applications from home, or from anywhere they might be stranded in a wide-scale emergency.

The problem is that security concerns have come to the fore, and browsers are increasingly trading off usability and convenience (or rather the apparent convenience you enjoy before your PC stops working for you and opts for a life making money for spammers) for better security.  Browsers themselves are including more security mechanisms like the IE Information Bar introduced by Windows XP SP2, pop-up blockers and the like have become de rigueur it seems in almost any product with an Internet focus, and security suites are hooking into almost everything that's happening on your PC to block bad behaviour.

This decline in usability unfortunately goes to the heart of the Citrix value message, that access is provided from any device over any connection anywhere.  Web Interface is the primary means we have of delivering on that promise, with the Internet and web browsers taken for granted as the ubiquitous baseline we can assume to exist (almost) everywhere.

So it's a big deal for us that WI is hitting more and more problems that undermine this essential role, and I am pleased to say we are now doing something about it.  We can still use your input and guidance though, to help ensure we are focused on the right aspects and make the right tradeoffs.

The approach we are taking is one that has been pioneered already; you can see a good example in action here.  In essence, the approach is this: accept that we cannot always accomplish what the user wants, or not always as easily or as well as the user would like.  Instead of pretending that we can always launch applications at the click of a button, and treating the small matter of ensuring the user's computer has the necessary client components and security settings as a kind of afterthought, let's make that process an essential part of the user experience.

And if we can't launch applications (for reasons beyond our control), let's be sure to tell the user so clearly and promptly, so they don't waste any more time trying.  If we can say why, they may also have the chance to get something done about it; maybe convince kiosk owners to pre-install ICA clients, for example.

I'm sure this is a topic that will get discussed a lot more, here and elsewhere, so for now I'll just whet your appetite with a screenshot from a prototype we've built recently which gives you a flavour of how we are intending to start following this approach in the near future. 
As I said in my initial post, this forum is an opportunity for you to give feedback directly to the Web Interface team, and there is a good chance that we will be able to act on your feedback and incorporate good ideas, if not in the next release then as soon as we can.  So, let us know what matters to you, and where you would like us to concentrate.
Cheers,
AndrewI


Great discussion Andrew! A few comments... First, I think it's clear that WI is the future of Presentation Server / Tarpon access, be it via a browser or via PNA, and I do agree that browsers will continue to get more locked down, so this is a crucial discussion. I know this isn't really a WI issue, but I was flabbergasted when I learned that the motivus / live edit / dimmer switch / limited access functionality of AAC requires a client side ActiveX control! To me, part of the beauty of the live edit concept is that if you don't have real access, then we can still deliver basic app functionality. (I know, I know... it's really about security, not access in this case, but I digress.) Anyway, at BriForum last week, Simon Frost mentioned that ICA client 10 will not require admin rights to install. Will that help in these cases, or do you see this more as a launching issue? What are other companies (Adobe w/ Flash, etc.) doing in this space? Is there anything to learn there? Brian

Security, usability's greatest nemesis! I have been thinking that I may have to change my logo from Anywhere, Any Place, Anytime, to most Anywhere, most Any place.... you get the picture. Perhaps it is time for the creation of a clearing house that actually verifies the validity of the controls and can then provide you with a super-trusted ActiveX control designation that will always be approved for install regardless of the O/S lockdown. There must be a solution out there somewhere.

We use Citrix as our primary desktop system but each year it increasingly comes under attack with the two main issues being "getting connected" and "multimedia". Ignoring the latter for the start, the increased use of wireless and broadband access in hotels has both improved and complicated matters. When it works, it works a treat. The WI is a great step forward but that ActiveX control needs some work. I've not looked recently but is WI still firewall port limited? Any chance all of this can work with port 80? We've recently trialled NTRsupport, a remote support tool. That seems to work very well and they even have a zero-footprint EXE install. Cheers, Rob.

WI and firewall ports If you're using CSG or CAG (Citrix Secure Gateway or Citrix Access Gateway), then all traffic to the backend is SSL encrypted via port 443. So it's fair to say, "no, WI is not port limited." SSL over 443 is allowed everywhere. Brian

Great blog! To "see" and learn what is happening within Citrix has NOT been easy in the past, but hopefully this community will make it easier for us "outsiders" to take part (and maybe have some direct influence?) in what is going on... That said. Some comments to the "futuristic" WI and what I have learned so far about the 4.2 version - its benefits and its "lackings". First I want to say that the out-of-the-box solution works OK as a first approach to the Citrix environment but "obvious" features have not been integrated. Why is it that we have to turn to guys like Thomas Kötzing (http://www.thomaskoetzing.de) to get some real functionality? It's true that Citrix has come up with some well known "add-ons" and "patches" lately but not something most Citrix nerds haven't come up with already :-0 Another thing is the actual communication within Citrix when something is actually "fixed" - where can other Citrix Technicians get hold of these improvements. And how come we don't see anything in the public Citrix DB? Surely Citrix has got a lot of brilliant developers and Technicians but I wonder if the internal. Don't know what I'm talking about? Well, I'll give you an example: We got a brilliant fix for WI 4.2 from Citrix Support after detecting/reporting that the new web interface was loading applications about 8-10 times slower than WI 3.x for a customer. By applying the fix the WI 4.2 application enumeration time went from 45 seconds to 4-5 seconds !! Good work - quick response and perfect solution! As time went by I checked Citrix.com for an official patch but it never came? During my visit to iForum in Edinburgh this year I talked to a couple of Citrix employees working primarily with WI - they had never heard about it and wondered if I could send them the fix? "Sure no problem", I said, "but aren't you able to find this in your support DB or something?"
I will not repeat the answer, but I ended up sending a mail with the name of the developer at Citrix that created the fix. I just wonder what other "good stuff" is hidden in the internal Citrix Support DB. That said - I'm a Citrix fantast and I always look forward to new Citrix products being released so that I can go impress some customers.

Thanks for the quick feedback! There have been comments coming in while I'm writing this reply, so I'll have to respond separately to each one I think. Brian first then. I had been vaguely thinking for a while there's just going to be this slow inevitable decline in the usefulness of WI, then I realized when I started writing this post that accessing Windows apps remotely is just so valuable that a way will be found to make it work no matter how restrictive browser lockdown becomes. Whether that will be by getting the ICA client widely bundled with PCs or browsers or other apps, or moving to new web deployment technology like .NET that isn't (yet) as restricted as ActiveX etc, I don't know - quite possibly all of these. As Brian points out, there are other companies that have the same need, and have historically managed to make their client components nearly ubiquitous - surely Citrix can apply some of the same techniques. (BTW, Citrix Online wrestles with a similar issue as well, since they rely on deploying the client component for the GoToMy* products through the web. They provided some of the inspiration for the approach we are now taking, as well as sharing some practical tips on how to detect various browser capabilities.) To answer Brian's first question, about the v10 ICA client coming soon - yes it does help WI significantly that the new client can be installed without needing admin privileges. (The slight downside is that we cannot silently install it, since it needs an explicit MSI file download.) Since Windows 2000 became a common desktop OS for businesses, the need for admin privileges when using the ActiveX download/install mechanism has been an increasing barrier. It seems that quite a lot of people find it helpful to be able to distribute and update clients directly through WI. (Auto-client update is probably still the most popular mechanism for updates, I've been told, but web updates are a close second.) Cheers, AndrewI

CaptainJ highlights a good point - security and usability requirements tend to pull in different directions. Interestingly they aren't always (or needn't be) opposite directions though - solutions that offer really good security almost always have decent usability as well, simply because if they weren't usable people would circumvent them all the time or use something else if they have the choice. So this is a tension we try hard to view as a constructive one that can lead to better not worse solutions if embraced. BTW, at a purely personal level I get to embrace this 'constructive tension' quite a lot, since I regularly interact with one of the Citrix security architects and members of our security audit team, as we are all based in the same building. (I know; some guys have all the luck.) As it happens the idea of super-trusted ActiveX controls is one we've discussed, but it understandably makes the security guys very nervous. (There's nothing like declaring a piece of software to be super-trusted - and giving it special privileges as a result - to make it a target of great interest to the hackers of the world.) I guess you probably know that IE already has some interesting policies relating to admin-approved ActiveX controls? As far as I'm aware, it isn't something we've had much feedback from customers about, but I'm pretty sure there are some that use them. Cheers, AndrewI

Hi Tord - Thanks for providing such detailed feedback! You ask a very good question, about why Citrix does not include the obviously useful features that ThomasK and others have been providing for ages now. This deserves a much better response than I can provide in a short comment, and it is actually one of the topics I want to write about in its own right anyway so I'll save a proper response for a separate post. To help with that, let me know if there are specific features you have in mind when asking this question. I'm intending to step through the decision-making logic Citrix would go through in deciding whether or how to incorporate features and enhancement requests, and it is much easier to do that for specific examples. That way, people can pull us up on aspects where we've taken too much of a lop-sided view on what is valuable and what isn't. I accept your point about even the enhancements we do make not necessarily being well advertised, even within Citrix. (Oh dear, I am one of the people you spoke to in Edinburgh who didn't know about the speedup fix, so point well made!) That particular fix I believe is incorporated into the upcoming WI 4.5 release, but I guess your broader point is that we don't have a regular hotfix rollup strategy for WI which would ensure such fixes automatically gained more visibility rather than waiting for individual customers to report the problem and get given the fix. On that point, I don't know off-hand what the right approach from Citrix might be - given how our support areas are set up, for instance, what would you find most effective? But thanks again for your honest feedback. (Mental note to self: must remember to brush up on recent support queries before attending iForum!) Cheers, AndrewI

Hi Andrew. Thanks for your prompt answer/comments. I'll be more than interested in discussing/sharing my thoughts with you regarding this issue, but this blog is maybe not the "correct" way..? Do you prefer to be contacted per email or to continue this blog?

Hi Tord, As long as you are happy sharing your thoughts in public, I would like that, since it lets other people confirm and amplify the points that get raised. However, I've published my email address in my profile now (not that it is hard to guess) if people prefer to contact me privately. Cheers, AndrewI

When it comes to security it is almost pointless as a developer to sit around trying to create ways around it. It is akin to trying to hack something and as soon as you create the workaround someone else will block what you have done. In our locked down terminal server environments today nobody lets a user download the flash or adobe reader plugin, it is installed by us as part of the build process. Is it any different for someone who has locked down a kiosk machine? They still install the things that they feel are needed to surf the internet (such as flash). A web designer creates pages that support both flash and non flash and may even display nicely on a mobile device. I think Citrix was on the right path with the Java client that was mostly unusable for many years but is now top notch. I don't know if the Java client was originally designed for fallback purposes or if it was thought of as the future equalizer across operating systems, but it makes you think that perhaps there could be some other options for clients. Flash client anyone?

Yeah, I've been wondering about AJAX based client options lately...not sure what the limitations would be, but might be interesting to consider. Rick

Andrew, I had some great discussions at iForum and one of them was regarding the roadblocks that are being run into with the ActiveX and Java clients. Along this vein I think it may be valuable to actually first address one of the underlying issues that you face. Today there are 14 products in the portfolio, most of which use different deployment and updating methods. The Access Client Packager methodology is fine if you live in a push deployment world, but access anywhere and anytime is a pull deployment. You should be developing the framework for all clients to be auto-updating. Once a client is installed it should have the ability to download the latest version when it becomes available. This would address (at least after the initial install) the administrative rights required issue. It would also actually fulfill the promise of having the latest clients installed at all times. I personally cannot enable the auto-update on web interface because I have some users who do not have the rights required to install it. I have also seen one company who can push a client down through the ICA virtual channel. Perhaps a virtual channel could be incorporated into all of your clients to support this ability? This is just a suggestion to get your juices flowing, I just wanted to get across that having a standard framework that is used across all of your clients is sorely needed. Jonathan

Hi Jonathan, Sorry email notification of your comment didn't get to me for some reason, so I didn't spot this. Funny you should bring up ActiveX and client install / update - I've spent a big chunk of the last two weeks wrestling with various aspects of this, and it's not over yet. This is a very hot topic right now (not entirely coincidental since it came up at iForum and Customer Council...). The idea of a Universal Client is one that comes up fairly regularly - it is probably always being considered or discussed somewhere in Citrix at any time, and occasionally worked on in some way. There are certainly some thorny problems with doing it in a full-blown way with a base client and downloadable plugins for ICA, GoToX, CAG etc say - creating a proprietary client component download mechanism is not something our security architects relish for instance. We do realize the status quo is not great for customers, and there would be significant value in improving matters, but from where I sit it doesn't feel like a problem we can hope to make great headway on quickly. We do have people actively working on at least one approach that may help one class of scenarios but the scenarios are niche ones I would say. BTW, the ICA client has had the ability for years to download newer versions of itself via a virtual channel, but actually this is being removed from the upcoming CPS release (I believe). I don't know all the ins-and-outs of the thought process that led to this decision though. Cheers, AndrewI

I'll get the ball rolling here on enhancement ideas. One of the most common I get asked for is the facility to auto launch an application when a user logs in - not using workspace control, it should be assumed that the user does not have any other sessions already running in the farm. IMHO the best way to accomplish this would be to expose the feature via Presentation Server policies, that way different applications could be launched depending on who the user is, where they are etc. Whilst this is not necessarily dependent on Web Interface, it's always asked for as a Web Interface feature. Cheers,

Hi Rob, Indeed, Thomas Koetzing has told us that his auto-launch mod for WI is the most widely used mod he has produced. (See http://www.thomaskoetzing.de/index.php?option=com_content) This feature is certainly on our radar, both for WI and for CPS in a slightly different form. Cheers, AndrewI

Perhaps this belongs in a separate thread, but given the interest in this topic and the common frustration of limited access / locked down devices, I wonder how many admins/users etc have tried running ICA from a USB key such as provided by Citrix partner Thinstall: http://citrix.com/English/SS/downloads/details.asp?dID=24182 If so, has this helped the situation? Is this concept part of a longer term solution or a short term work around? Obviously it does not address situations with blocked or restricted USB ports, but there may not be a single answer. Chris Fleck

I am delighted to report that Web Interface 4.5 has officially been published on MyCitrix this week,