Citrix UPS is awesome, but maybe it arrived too late?

Citrix Universal Print Server (UPS) is awesome, but maybe it arrived too late?

First I wanted to say that I think the Universal Print Server (UPS) is a really great feature, for those who doesn’t know the UPS feature yet, it’s build on the proven and evolved Universal Printer driver from Citrix which is used for client printer redirection for a long time, with UPS this Universal printer driver is extended to network printers also. UPS consist of a client component and a server component which you install on the print server.  I will not go into technical details about UPS, this is pretty much covered here.

While the Citrix UPS solves a lot of printing horror (think of unstable printer drivers, driver replication issues, print spooler crashes)  I do think we needed the Citrix UPS a while ago harder than we do now, this is mainly because of the following evolutions in the printing space :

1: Follow me printing concept
I see more and more customers that are moving towards a follow me printing concept, in this concept the user is presented with one print object (may be more if you want to preset printing defaults), when a user prints to this object the job is queued on a central print server, the user walks to the nearest printer and types in a code or provide a token\card and after that the print job is send to the printer, this concept has the following advances :

– User can walk to the nearest printer (no more connecting printers based on location or group)
– The user can take away confidential documents immediately
– Monitoring print behavoir and charge-back functionality
– And of course where this blog post is about : There is only one driver needed to connect to this printer object

To illustrate the follow me printing concept, I added a picture from Konica Minolta :

2: Universal Printer Drivers from the printer manufacturer
Yes there where (and maybe still are depending on the manufacturer) a lot of issues with universal  printer drivers, but the fact is that they are getting better and have broader support for different platforms and printing devices. The reason to use Universal Printer drivers from you manufacturer is simple :

– One driver to maintain
– Supports a wide range of print devices from the same manufacturer

3: Printer Driver isolation
Last but not least, in windows 2008R2 and Windows 7, there is a mechanism called printer driver isolation. Printer driver isolation means that the printer driver is isolated (Duh) from the print spooler and optionally also from other printer drivers. In this way a single bad printer driver cannot crash the entire print spooler, one side note is that your printer driver needs to support this isolation. If you never have looked at this feature, you should definitely do this because it can be a real life saver when you have a lot of printer drivers to manage.
While this is a nice build-in feature, it’s a little bit working around the issue so it’s not a reason to not look at better solutions like the Citrix UPS or option 1 and 2. The following isolation modes can be selected:

Driver-isolation mode Meaning
Shared Run the driver in a process that is shared with other printer drivers but is separate from the spooler process
Isolated Run the driver in a process that is separate from the spooler process and is not shared with other printer drivers
None Run the driver in the spooler process

I’m sure there are a lot of good use cases for the Citrix Universal Print Server feature, and it’s even getting better in version 2 when there is also support for advanced printer properties.
For example it uses some nice compression technology between the client and the UPS, so if you are connecting to print servers over the WAN you better start looking at the Universal Print Server!

But on the other hand I do think the Universal Print Server arrived too late, we needed the Universal Print Server much harder a while ago then we do now because of the evolvements in the printing space I summarized in this blog.

The mystery of the Citrix Interceptor BHO

The mystery of the Citrix Interceptor BHO

When there is a new fix or update released for a product I am working with frequently, I always like to read the release notes to see what has been fixed or what kind of new features has been added. This helps in calculating what kind of impact the fix\update will have when installing it in a environment. It frustrates me when there is new functionality added that is not listed in the release notes, and to make it worse when a production environment is suffering because of this.
This is exactly the case with the Internet Explorer Add-On from Citrix called the Citrix Interceptor BHO. (BHO = Browser Helper Object)

This Citrix Interceptor BHO is automatically added through one of the following ways :

CtxVDAIEInterceptorBHO Class installed through Hotfix 025 for XenApp 6.5

CtxIEInterceptorBHO Class installed through Citrix Receiver 3.2

When one of the above is installed, you will likely see popups  when opening Internet Explorer to allow this BHO and its components to load outside of Internet Explorer protected mode.
If you were lucky you spot this popup when going through a test procedure, but if Internet Explorer was not on your test list you will get a lot of calls to the support desk from frustrated users.
Imagine that your users (or worse some management staff) ask you what this Internet Explorer Add-on is about and you cannot really give a good answer to it, will they take you serious about the things you are installing in a production environment? I think this is really bad…

Neither the release notes of Citrix Receiver 3.2 or XenApp 6.5 Hotfix 025 has some details about this BHO, it looks like it’s kept top secret, the only information from Citrix I could find is the following :

“In recent releases of Citrix Receiver for Windows, Citrix has implemented a new Browser Helper Object (BHO) – CtxIEInterceptorBHO (IEInterceptor.dll). This BHO does not currently provide any additional functionality for the majority of customers running XenApp or XenDesktop and is actively used only by certain XenApp Cloud Service Provider customers.”

Ok so it’s not used for the majority of customers running XenApp or XenDesktop, only by certain XenApp Cloud Service Providers… Why is it (already) added to a public release of Receiver and a public release of a XenApp hotfix with so less information provided?

I think only Citrix can answer this question, my guess is that the BHO adds functionality for some reverse seamless\content redirection functionality from project Dorado and that Citrix will keep this secret till the functionality is officially announced (maybe with the release of XenApp 6.5 Rollup Pack 1)

Since there is so little information about this BHO, I now choose to disable this add-ons entirely till there is more information about it from Citrix. The BHO add-ons can easily be disabled through a group policy see this CTX KB for more details on how to do this.
In this way it’s easy to enable the add-on again when Citrix comes with more information about the BHO and you decide you want to use it.

In a previous blog I wrote a workaround to get rid of the annoying popup in IE and enable the BHO and its components for everybody, but for now I would advise to disable the Citrix BHO entirely till Citrix comes with more information about it.
If someone has additional information about the interceptor BHO please let me know.

Please note that the information in this blog is provided as is without warranty of any kind.

The future of Access Gateway

The future of Access Gateway

5 June was the second Citrix CiTIE 2012 event in the Benelux, I wasn’t able to join the event but I would like to thanks everybody on twitter for the live updates and Wilco van Bragt for the summary of the event.

One of the announcements I noticed was the retirement of the Access Gateway Standard edition.
I was surprised about this retirement at first, because of the effort Citrix put into the new 5.x version (new flash based GUI, more advanced HA options, etc) but second I thought why would Citrix support 2 products with almost exactly the same set of features?
Below I have summarized a quick list of features, between the Netscaler CAGEE and CAG Standard in combination with the advanced access control software. Of course Netscaler can do a lot more other things, but we will concentrate on the Access Gateway functionality here.

Netscaler (CAGEE) CAG Standard + AAC*
ICA Proxy Yes Yes
Multiple Logon points (Basic + Smart access) Yes Yes
Clientless Access Yes Yes
Endpoint Analysis Yes Yes
High Availability Yes Yes
LDAP \ Radius authentication Yes Yes
Simultaneous user sessions 5,000 and up** 500

* Advanced Access Control software
** Depends on the model

As you can see a lot of the same features are present on both products, a big difference is the scalability and concurrent user limits.
But although a lot of the features are the same, they are working in very different ways for example :

They use a different SSL VPN plugin
Imagine the following scenario:
One day you will install the Access Gateway Enterprise plugin to access customer A through SSL VPN, then you need remote access to customer B which uses Access Gateway Standard.
The plugins cannot co-exist so you will have to remove the Enterprise plugin, install the Standard plugin and vice versa…

They use different types of logon points
Netscaler uses virtual IP’s (VIPs) that can be configured in Basic mode or Smart Access mode (see my previous blog post for more details about this modes), more VIPs can be created depending on the use case. Each VIP can be accessed through its own FQDN.

CAG Standard has one public facing FQDN, logon points are created after this FQDN like https:\\\lp\xenapp, this logon points can be in Basic mode or Smart Access mode, only one Logon Point can be set as the default.

They use different clientless access methods and have a different policy structure
Netscaler is very flexible when it comes to profiles and policies, you can manage policies on almost every level (Global, VIP, Groups\Users) and apply them based on different expression filters, this is why CAGEE really fits like a glove in a lot of different access scenarios.  There is no extra software needed to enable advanced functionality like clientless access.

CAG Standard in Smart Access Mode has some advanced features like Smart groups and SSL VPN. But if you really want all the advanced features (clientless access etc) you need to connect the appliance to the Advanced Controller software, which then synchronizes with the appliance. This software runs on a windows server which can be a security concern (not because it’s windows but you would need to update and secure 2 components in this setup)

They are different in architecture and hardware
Netscaler software runs on top of FreeBSD and has a large range of appliances you can choose from depending on your needs, this are the Netscaler models available today :

Physical Appliance (MPX) Virtual Appliance (Netscaler VPX)
MPX 5500 Licensed based on bandwidth (10,200,1000,3000)
MPX 7500/9500
MPX 9700/10500/12500/15500

The higher the range the more performance you get, physical appliances can have more concurrent connections because they have SSL offloading capabilities and because there is no Hypervisor layer. Physical appliances in higher ranges also have redundant components, like power supplies.

The Access Gateway Standard appliance runs on a stripped Red Hat kernel and comes in 2 flavors :

Physical Appliance (2010) Virtual Appliance (Access Gateway VPX)

The hardware of the 2010 appliance is really low level, it’s nothing more than hardware you find in a cheap PC.
I was a little bit ashamed when i opend this appliance on a customer site a while ago because of a bad harddrive, there is no way you can explain the amount of money paid for this appliance.

Conclusion : 
So Citrix have 2 products that have very similar features, because of the difference in architecture of this products, Citrix needs to update both to support new receivers and to provide new functionality (think of Cloud Gateway functionality for example). This may be one of the core reasons why Citrix will retire one of them.
I think CAGEE (Netscaler) is the best Access Gateway edition there is, it’s far more flexible and fits in a lot more different scenarios and use cases.  Access Gateway on Netscaler is also future prove because of :

– Access Gateway is lifting on Netscalers success (build on good hardware and install base)
– All Smart Access functionality is on board of the appliance no need for external software
– Fits in a lot of different scenarios based on the modular design of Netscaler
– Can be used for more functionality then Access Gateway only, Load balancing of services for example

Ok so what will be the future of Access Gateway?
If Citrix will retire CAG Standard + Advanced and Citrix makes some changes in the licensing model of Enterprise edition to replace the other editions, then we are done right?

Not really,  I think Access Gateway VPX is a good replacement for the Secure Gateway software, a Netscaler can be a bridge to far for some customers. Also if a customer is already using a competitor of Netscaler (like F5), there may be some friction with adapting Netscaler to enable Access Gateway functionality.

The perfect future if you ask me, is that Citrix will strip the Access Gateway VPX to provide standard functionality (providing access to XenApp and XenDesktop) and give it to customers for free as a replacement of the Secure Gateway software.
Then they should retire the Advanced Controller software and ditch the 2010 appliance.
So at the end there will be 2 editions of Access Gateway left :

– Access Gateway VPX for providing basic functionality to access XA/XD
– Netscaler with Access Gateway Platform license for providing basic functionality to access XA/XD, which can be extended with Access Gateway Universal licenses (also included in Cloud Gateway Enterprise) to provide Smart Access functionality.

Please note that the information in this blog is provided as is without warranty of any kind, some information is based on speculations and predictions.

Citrix Cloud Gateway, a wrap-up so far

Citrix Cloud Gateway, a wrap-up so far

Table of contents :

1 : Introduction
2 : Cloud Gateway Editions
3 : Storefront services
4 : Access Gateway services
5 : Cloud Gateway Enterprise and the Access Gateway Universal License
6 : Cloud Gateway Express and the Platform License
7 : Webinterface V.S. Receiver for Web
8 : Conclusion

1 : Introduction

In this blog post I wanted to talk about Citrix Cloud Gateway, as you may already know, Cloud Gateway will replace Citrix Webinterface and Webinterface will go end of live in 2015. Webinterface has grown into a key component in almost every Citrix environment, and it is a so called “proven technology” product. Webinterface is great in providing access to XenApp and XenDesktop environments in many different ways and  different scenarios, but that is also its limitation, there is no possibility to integrate it with Cloud services like follow-me-data or SaaS applications. This is why Citrix made a new product from scratch, called Cloud Gateway. This blog post is a wrap-up so far about Cloud Gateway, because Citrix is working hard on the product things in this blog post may be very soon changed or outdated.

2 : Cloud Gateway Editions

There are currently 2 editions of Cloud Gateway :

Cloud Gateway Enterprise

Cloud Gateway Enterprise is the paid version and provides the following features :

– Access to XenApp and XenDesktop (through Storefront)
– ShareFile integration (new in version 2.0)
– Single Sign On (SSO) and account provisioning for Web and SaaS applications through AppController
– Mobile (native) app management + remote wipe (new in version 2.0)
– Access Gateway Universal License included

Cloud Gateway Express

Cloud Gateway Express is free for XenApp and XenDesktop customers and provides access to XenApp and XenDesktop and Merchandising services only.This version will be the direct replacement of Webinterface.
With Merchandising services you can manage the complete Citrix Receiver (and other plugins) life cycle.

3 : Storefront Services

As you can see in the above pictures Storefront is one of the key components in Cloud Gateway, it’s the broker for all the services behind it and provides a SSO experience for the users.
Storefront provides access to XenApp and XenDesktop in the following 3 ways :

1 : Access through the Native Receiver (Self Service plugin)
2:  Access through StoreWeb (Receiver for Web)
3:  Access through Legacy mode (PNAgent)

The native receiver can be configured with a provisioning file (.cr file which is XML based) downloaded from the Receiver for Web or distributed by Email or something like that.
To make the internal access to Storefront more clear I made the following drawing :

Every login point is used by different type of client devices, some Receivers (older Thinclients, Android devices and Iphones) still uses the legacy mode (PNAgent). But newer Receivers will talk to Storefront directly and not using Legacy mode anymore.

4 : Access Gateway Services

Another key component in Cloud Gateway is the Access Gateway, there are 2 types of Access Gateways that can be used with Cloud Gateway:

1: Access Gateway VPX (with or without advanced controller software)
2: Access Gateway Enterprise (Netscaler VPX\MPX)

Whether you go for Cloud Gateway Express or Enterprise you need to buy a Access Gateway Platform license for one of this Access Gateways. The platform license will give you unlimited access to XenApp and XenDesktop, this is called ICA proxy. With ICA proxy you are allowed to land on the Webinterface and launch a XenApp and/or a XenDesktop session but you cannot use any advanced features of the Access Gateway (for example Clientless Access, VPN plugin, EPA scans, etc), if you want to use this features you need to purchase a Access Gateway Universal License per concurrent user (included with Cloud Gateway Enterprise license).
In Access Gateway you can choose between the following logon point\virtual server modes :

1: Basic Mode (ICA Proxy only) (Platform license needed)
2: Smart Access Mode (Advanced Features) (Platform license + Universal License needed)

To make this more clear I made a drawing how the access to storefront looks like with the Access Gateway Enterprise edition :

As you can see the Netscaler will check, if it is correctly configured, the type of Receiver based on expression filters and HTTP headers. Netscaler will then contact Storefront the right way depending on the Receiver type. With Access Gateway VPX you cannot configure this expression filters, Access Gateway VPX works with Receiver for Web, but I have not yet seen this working with the native receiver from the outside.
My guess is that Citrix will enable this in a feature release of Access Gateway VPX.

5: Cloud Gateway Enterprise and the Access Gateway Universal License

If you purchase Cloud Gateway Enterprise you are also entitled to use the Access Gateway Universal License, i think this is a logical step because Cloud Gateway Enterprise leverages the clientless access and VPN features of the Access Gateway, for example Appcontroller can be configured with keywords to start the VPN plugin and for access to Storefront clientless access is used.

6: Cloud Gateway Express and the Platform License (ICA Proxy)

As you may have noticed you need clientless access when you want to use the Native Receiver through Access Gateway, though it works on a VIP in basic mode the documentation says that you need a VIP in Smart Access mode to make this work. I can imagine that Citrix is going to allow one of the following when using Cloud Gateway Express with the platform license only :

1: Only allow landing on the Receiver for Website (same as ICA proxy using Webinterface)
2: Allow access for all type of Receivers, but only for use with XenApp and XenDesktop

Option 2 is most preferred imho! 😉

6 : Webinterface V.S. Receiver for Web

First : Webinterface cannot be directly compared to Storefront, because Storefront enables a lot more other features then Webinterface (SSO to other services, Application subscription, more advanced HA, etc.) But if we compare Webinterface with the Receiver for Website, it is safe to say that Webinterface has still a lot more features. Thomas Koetzing made a list of missing features here, but I am certain that Citrix is working hard on this feature list, remember that they are only at version 1.1 so there is a lot more to come.

The total redesign has also some very positive points, for example a big plus of Storefront is that it includes a new user authentication method which directly queries Active Directory rather than the existing double-hop Web Interface process where user credentials are sent from the Web Interface server to the XML broker who then negotiates authentication with the Domain Controller.

7: Conclusion

I think Cloud Gateway and Storefront have a lot of potential, it gives the user a true single logon experience with all of the applications and data they need in one place on almost every device. Integration is the key here as more and more companies are starting to use Cloud services,  Cloud Gateway aggregates and secures this services into one logical logon point with the same look and feel on every device.

On the down side, Storefront is still missing a lot of features compared to Webinterface, if you already installed Storefront and walked through the console you were probably done in 30 seconds 😉 not much to customize there. This is why Storefront is not yet a tight fit in scenarios with special needs and requirements. I hope Citrix will make it as flexible and customizable as Webinterface is today in feature releases!

If you want to know more about Fine-tuning Adaptive Display, please read my previous blog post and follow me on twitter or subscribe on this blogsite if you want to be notified when a new blog post is available! thanks!

Please note that the information in this blog is provided as is without warranty of any kind, it is a mix of own research and information provided by Citrix.

Adaptive Display, what’s in the game? And do we need to fine-tune?

Make sure to also check this blogpost about a very handy tool named Remote Display Analyzer

In this blog post I wanted to talk about Adaptive Display, this new HDX feature is now available in both XenDesktop 5.5\5.6 and XenApp 6.5 (through a hotfix), Adaptive Display is the successor of the highly successful Progressive Display SpeedScreen technology, and it’s switched on by default. It’s an awesome technology because it is auto adopting to changes in the available bandwidth.

There is not so much information in the Citrix Edocs about fine tuning Adaptive Display, this is mainly because it’s auto-tuning and in various blog posts from Citrix they are saying the following :

“Progressive Display requires creating complex policy configurations to get it right making it a hard to use feature. Adaptive Display eliminates the need for such complex configurations and provides a fantastic out-of-the-box experience, making it zero configurations for Citrix Administrators”

Ok that’s fine by me, so we do not have to create complex policies anymore for LAN and WAN use cases, because it will detect the available bandwidth and adjusts accordingly. Super!
But what is exactly going on inside the Thinwire channel?
Before I go further, let’s summarize the default settings that are adjustable within Adaptive Display :

Adaptive Display Setting

Default Value

Max frames per second 24
Target Minimum Frame rate 10
Minimum Image Quality Normal
Moving Image Compression On (Enables or Disables Adaptive Display)
Extra Color Compression Default Off and enabled when bandwidth is below 8192 KBps
Heavyweight Compression Default Off
Lossy Compression level Default Medium, the default threshold is unlimited

* Note:  At this time, not all Adaptive Display policies can be configured using the XenApp 6.5 AppCenter console. Use Windows Group Policy Editor (gpedit.msc) instead.

Ok so now we know what settings are in the game of Adaptive Display, how are this settings come together? To make this more clear I made some drawings and explanations.

Let’s begin with the Extra Color Compression setting,  Color Compression takes advantage of the fact that the human eye is less sensitive to color information (Chroma) than luminance (Luma). When images are encoded with less color information, the bandwidth savings are huge yet the human eye still sees a very satisfactory picture. Most of today’s digital cameras use this technique to save on storage space. Extra Color Compression is turned on by Adaptive Display when the default threshold of 8192 KBps is reached, let’s picture this default behavoir :

Ok moving on to the Minimum Image Quality setting, this setting sets the JPEG quality floor.
In other words, this is the minimal acceptable JPEG quality, the following minimum quality levels can be set :

Minimum Image Quality

JPEG Quality

Ultra High 80 (highest image quality, lowest Compression)
Very High 55
High 30
Normal (Default) 20
Low 15 (Lowest image quality, Highest Compression)

The Lossy Compression level set’s the starting JPEG Quality, Adaptive Display adjusts the JPEG quality between the starting point to the Minimum Image Quality based on the bandwidth available to try to keep the frame rate from decreasing. The default starting JPEG Quality is 55 (Medium). Ok let’s picture this combination :

Notice that the default Lossy Compression level is set to Medium and the threshold to enable Lossy compression is set to 2147483647 KBps (unlimited), which means that this setting is always on.
The following Lossy Compression levels can be configured :

Lossy Compression Level

Starting JPEG Quality

High 25
Medium (Default) 55
Low 80
None 80 (Lossless)

Ok now we know what the default settings are and how the frame rate and compression is dynamically adjusted by Adaptive Display.  So what about this default settings, should we change it or leave it alone?
As usual it depends on the use case 🙂 but read on….

There is a great tool from Citrix called HDX Monitor, this tool lets you see all the HDX aspects in an active ICA session. If you start the HDX Monitor (with the default settings in place) you will see the following screen :

Ok looks good, but what’s that big red cross? Let’s find out :

Error : Image compression is not tuned to the available bandwidth. An Administrator can improve the user experience by creating a policy that optimizes image compression.

Ok so it looks like the HDX monitor engineering team is not happy with the Out-of-the-Box experience settings from the HDX Adaptive Display engineering team 🙂
I think the HDX Monitor engineering team is right, because if we connect through a fast LAN connection the default Medium compression is used and the windows flag background and other images looks like this :

This is not the best experience you can get with LAN conditions.
Why did Citrix choose this default Out-of-the-Box settings? I think because of a combination between the following 3 points :

1: User Experience
2: Server Scalability
3: Bandwidth Scalability

The default settings also improves the performance on the LAN when viewing high resolution photos etc, if you enabled Progressive display  in the past your users might already be used to this compression level.
But we can consider to improve the user experience for LAN scenarios by lowering the Lossy compression level or turning it off. This can be done in 3 ways :

1: Configure a Lossy Compression maximum threshold

The default threshold for Lossy Compression is set to unlimited, so by default Medium compression is always used. We can change the maximum threshold so we can give it a maximum  value in KBps, above that threshold Lossy Compression will be turned off. This looks like this :

As you can see the Lossy Compression will be turned off when the maximum threshold is reached, for example you can set this threshold on 75% of your LAN speed. The side effect of this one, is that you don’t have any Lossy Compression at all when the Bandwidth is above the maximum Threshold. This can be negatively impact your environment with a lot of LAN users viewing high resolution photos.

2: Set the Default Lossy Compression to Low

If we want to improve the user experience on the LAN, we can also lower the Lossy Compression to the lowest level. This looks like this.

Keep in mind that Adaptive Display will try to maintain this starting JPEG Quality also for your WAN users.

3: Configure different Adaptive Display policies and filter them on IP address

This one is a little bit the same as we configured for Progressive Display in the past.
Make a policy which applies a low level of Lossy compression for you LAN users and filter them on internal IP ranges and give it a higher priority then your default policy.
You can let the default policy (which applies to all users) default or change it with higher compression levels. In this scenario we only give the LAN users a higher starting JPEG quality.

Conclusion :

Do we need to fine-tune Adaptive Display?
I think we need to take this into consideration depending on the use case, for example :
– Do your users need to see lossless images on the LAN?
– Is your environment (Network, Servers, Client Devices) fast and scalable enough?
I also think the default Out-of-the-Box configuration is fine for most environments, but as you can see there are possibilities to change the default behavoir of Adaptive Display slightly to fit your needs.
You can do this by changing the compression levels and telling Adaptive Display what’s the starting JPEG Quality and the Minimum acceptable JPEG Quality.

What do you think? Please leave a comment on your thoughts.
Please note that the information in this blog is provided as is without warranty of any kind, it is a mix of own research and information from the following sources :

Citrix Edocs “Configuring Adaptive Display” (Contains wrong information about the default Lossy compression level values)
Citrix Blog “Dynamic Color Compression”
Citrix Blog “Introducing Adaptive Display”

Popup in IE after installing Hotfix XA650W2K8R2X64025 and HDXFlash200WX64001 for XenApp 6.5

** Update **
Please read this blog post for additional information.

I noticed in some environments that after installing XA650W2K8R2X64025 and HDXFlash200WX64001 for XenApp 6.5 (wich fixes a lot of flash redirection issues in XA65) the users are getting an popup in Internet Explorer about the VDAredirector.exe opening outside IE protected mode :

(Screenshot is from a user with the Dutch language pack enabled)

English message :

This program will open outside of Protected mode. Internet Explorer’s Protected mode helps protect your computer. If you do not trust this website, do not open this program.

Name: Citrix FTA, URL VDA Redirector
Publisher: Citrix Systems, INC

Resolution :

After selecting “Do not show me the warning for this program again” and clicking on “Allow” i searched the registry and found the following key :

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BFFC40A2-FFE2-4E6F-B179-3641561D4FCD}]
“AppPath”=”C:\\Program Files (x86)\\Citrix\\system32”

Import this registry key into RES Workspace Manager (loginscript or other environment manager software you are using) apply it to your users and they will not be bothered with this warning message!