Summary
This document discusses the security setup for drive access and the ways to modify the Webica.ini file to override or preset certain types of access for your ICA-based clients.
Note: This article only applies to XenApp Plug-ins (clients) for Windows.
For newer configurations consider reviewing the following – CTX127308 – How to Configure File Security Preferences for Web Plug-in 12.1 for XenApp 6 Common Criteria
CTX128775 – How to Customize Client Selective Trust and User Defined Client Device Settings
Background
Citrix has extended the ICA Web client for the purpose of providing more reliable security and user-configurable client drive file security. Accordingly, ICA Client File Security can be configured on an actual client computer that is going to use a Web browser or install the ICA Web client.
Description
Users can configure file access types to one of the following File Security settings:
No Access
Read Access
Full Access
Also, users can configure whether or not a file security pop-up window appears when they access the same server again with the following options:
Always ask me
Never ask me again for this server
Never ask me again
No Access and Always ask me are the default settings.
When a user connects to one server in a farm but Never ask me again for this server is selected for that specific server, the ICA File Security window does not appear on that server but it still does when connecting to other servers. If Never ask me again is selected, that configuration is applied on all servers the user connects to and the ICA File Security window does not appear at all.
The ICA File Security window should appear the first time a user connects to a server that the user has never accessed before using the Web client.
However, the Never ask me again setting is overridden in the following situations:
The user accesses a new server that the user has never accessed before
The user attempts to access a server already configured using Always ask me
The ICA file security configuration is saved in the webica.ini file contained inside the following directory:
<root directory>Documents and Settings<username>Application DataICAClient
Note: With version 10.1 of the Presentation Server Client or later, the webica.ini file is stored in the user profile directory. See CTX114265 – Client File Security is Disabled After Upgrading From Version 10 of the Presentation Server Client to Version 10.1.
Webica.ini file configuration:
The types of access you can set based on the settings in the INI file are described below.
405 means give the server Full Access.
404 is Read Access.
403 is No Access.
-1 means no security setting is configured.
For example, type the following in the Webica.ini file if you do not want to show any ICA File Security pop-up windows to users, but your servers need full access to client computers.
Note: The [Access] heading is required.
[Access]
GlobalSecurityAccess=405
[AudioInput]
GlobalSecurityAccess=804
By default, the security value for [AudioInput] is set as follows:
806 = Yes, Always Prompt For Audio Input
Note: If you select this option, the Webica.ini file remains blank.
If you select any other value, you will see the appropriate entries in Webica.ini:
803 = No Access to Audio Input, Never Ask me again
804 = Full Access to Audio Input, Never Ask me again
806 = Always Prompt For Audio Input
807 = Never Prompt Current Application For Audio Input
808 = Never Prompt Any Application For Audio Input
Note: The custom options 807 and 808 are not available through the User Interface.
For information on testing Audio Input and Audio Security see CTX104737 – Testing Audio Input and Audio Security Policy.
More Information
CTX104737 – Testing Audio Input and Audio Security Policy
CTX124921 – Citrix Online Plug-in 12.0 Ignores Webica.ini Settings
