Metaframe XPa or XPe product license be installed and actived.
Server calculated its load and sends values for all possible load evaluation criteria to the data collector in the zone.
The data collector forwards the request of the published application to the least busy server in the farm ,if all servers are at maximum load ,the request is denied.
The routing of ICA connections to Metaframe XP servers occurs during the initial access to the application.
Load management is not fault tolerant ,no dynamic rebalancing of active ICA connections if the server hosting application goes down.


Servers and published application can have a specific load evaluators attached to it.
Are rules (identifier,description,thresold settings that can be adjusted) to balance the load in a server farm.
One or more rules can be used in a load evaluators and those work together.
To create ,customize ,duplicate ,attach and delete Load Evaluators use CMC's Load Evaluators node.
Xp come with two preconfigured load evaluators :

Load evaluators can be attached to servers in the server farm.
By default, the Default Load Evaluator is attached all servers.
Its recommended that all the servers in the farm use the same load ev.
Thresold never set to the maximum value.
A serve can become overloaded if all servers in the farm are close to being fully loaded and new connections are coming in faster than the data store can update.
Default no load evaluators are attached to the applications.
An application can be published across multiple servers but the application will not be load balanced across the servers unless a xpa or xpe license is used.
Load ev. attached to applications will not be used to balance user load in mixed mode.
Most load balancing needs can be accomplished by attaching load evaluators to servers.Attaching load evaluators to published applications increases the load on the data collector in a zone, and consume reosurces and slow performance.

The following rules are available :

Application User Load By default, reports full load whne thr number of users is greater than 100.
N.B.: in mixed mode this rules don't work, only with XPa and XPe.
Context Switches By default, reports a full load when the number of context switches per second is greater than 16.000.
Reports no load when the number of context switches per second is less than 900.
CPU Utilization By default, reports a full load when processor utilization is greater than 90% and no load when the processor utilization is less than 10%.
This rule is based on a scale of 100.
Disk Data I/O By default, reports a full load when the total disk I/O in KB per second is greater than 32,767 and no load when the total disk I/O in KB per second is equalto 0.
N.B.: if windows NT server 4.0 TS with SP6 is being run, disk perf -y must also be run on the server when using this rule.
Disk Operations By default, reports a full load when the total disk operations (read/writes per second) are greater then 100 and no load when are equal to 0.
N.B.: if windows NT server 4.0 TS with SP6 is being run, disk perf -y must also be run on the server when using this rule.
Ip Range Allows or refuses access to a published applications based on whether the IP address of the ICA client is within the specified IP address range.
If Nfuse is being used to access, the rule will be ignored unless client enumerations are allowed with Nfuse.
N.B.: only IP addresses are supported all other protocols are ignored.In mixed mode ICA client can connect even though their IP addresses are in the denied range.
License Threshold By default, reports a full load when the number of assigned licenses in use on the server is greater than 10 or the number of pooled licenses in use on the server (not server farm) is greater than 50.
N.B.:in mixed mode the rule can redirect ICA clients to different subnets when XP licenses are exhausted.
Memory Usage By default, reports a full load when memory usage is greater than 90% adn no load when is less than 10%.
Page Fault By default, reports a full load when the number of page faults per second is greater than 2.000 and no load when is equal to zero.
Page Swap By default, reports a full load when the number of page swaps per second is greater than 100 and no load when the number is zero.
Scheduling Allows or denies access to servers or published applications during certain hours.
Server User Load By default, reports a full load when the number of users on a server is greater than 100.
N.B.: this is the only rule that should be used in mixed mode.

Administrator can change the values associated with the above rules to achieve the desired output for the load evaluator.
The load manager monitor can assist in fine tuning the rule settings and combinations needed to achieve the desired load management criteria.

Load Manager Monitor

Allows an administrator to view the activity of rules attached to a server.
To display it, right click a server and then click Load Manager Monitor.
A load evaluator beginsevaluating the load as soon as it is attached to a server or published application.


Encryption process transforms data into a form that is unreadeble by anyone without a unique bit of information called key.
Two types on encryption algorithms are :


The strength of encryption algoryth depends on two factors : the strength of the algorythm itself and the size of the key used with the algorithm.
Tryig every possible key is known as a brute force attack.
A key eight bits long contains 256 possible keys.
A 56-bit key contains 2^56 possible keys.


RC5 used to encrypt ICA packets in metaframe XP.
Is a block cipher ,where a block use a variable size key combined with the encrypted version of the previous block to encrypt the current block.
Rounds are the number of times each block is passed through the encryption algorythm ,XP uses a 64-bit block size with 12 rounds and 40,56, or 128 bit key size.
RC5 is a symmetric key algorythm.
In the RC5 algorythm the key must be exchanged ,The Diffie-Hellman Key Agreement Algorythm does this by generating the same secret key on the ICA client and XP server without transmitting info ,which could compromise the security of the key.


XP contains security features that allow ICA clients to connect to metaframe servers over secure communication channels.
XP uses both a symmetric key and public-private key algorythm in its security : RC5 encrypt and decrypt the data ,Diffie- Helmann generates the secret keys.
Xp offers the following security features :

All ICA commands and data are encrypted ,including : keystrokes ,mouse data ,graphic information ,client drive data ,client printer data ,client audio data.



The security algorythm can also used when Nfuse delivers application sets to users.
SSL relay feature included with metaframe can protect the info when being transferred between the web server and the XP server.
The security components in XP offer protection for data transfers during :

The following mechanisms ensure safe user credentials and application data transmission over each connection when using Nfuse :


Citrix SSL relay decrypts the data sent between the two servers.
SOCKSv5 is used to redirect the data to the XML service.
The citrix SSL relay configuration tool can be used to configure the Citrix SSL relay.
The tool has three tabs : RELAY CREDENTIALS(contains settings that configure the server certificate for the SSL relay) ,CONNECTION(contains settings that configure the listener prot and specify the destinations for the SSL relay) ,CIPHERSUITES(is an encryption/decryption algorythm).


Firewalls prohibit unauthorized clients from accessing the network ,IP addresses determine who is permitted or denied access.
On a citrix network without a firewall ,ICA client send requests to XP servers.
XP server returned the internal IP address of data collector for the zone to the ICA client.
ICA client contact the data collector for a browse list or the internal IP address of the least busy server offering an application.
When a firewall is added to a citrx network ,it must be configured to allow TCP packets on port 1494.
ICA client uses UDP port 1604 or TCP 80 for browsing and 1494 toestablish the ICA connection to servers.
Opening ports on a firewall causes security risks ,to increase a firewall's security you can use a SOCKS proxy server or netowrk address translkation (NAT).

SOCKS Proxy server

SOCKS proxy server allows controlled firewall traversal by limitng access to XP servers.
Uses the SOCKS protocol to make requests on behalf if ICA clients attempting to access a XP server.

To protect XP servers install the SOCKS server between XP servers and the firewall.
Pass only traffic that is directed to the socks proxy server and comes from specific devices.


With NAT ,each internal XP server receives an alternate IP address ,only ICA client that know this IP address can get through the firewall.
By default ,all XP servers return the internal IP address of the data collector in hte zone.

Assigning Alternate IP addresses : with the ALTADDR command onthe xpserver.
For example to assign the alternate IP address to a XP server type : ALTADDR /set at the server's command line.

Network Address Translation Rules for the Firewall

For example (show image above) : an ica client sends a request to an alternate external IP address ,
The firewall translates the IP address and sends the request to the server with the internal IP address of
The internal server sneds the alternate IP address of the data collector throught the firewall to the ICA client.
Ica client contacts the data collector for the alternate IP address of the least busy server in the network.
The data collector return the alternate IP address ,the ICA client contacts the server and the application begins.


If the server return the internal ip address to the ica client and attempting to contact ,the firewall does not recognize the address and rejects the request.

Requesting Alternate IP Addresses

An administrator can configure an ICA client to request the alternate IP address of XP server.
A user can edit th eproperties of a specific application set or the Custom ICA Connection folder within the Program Nighborhood and click the Properties icon.
User can configure a ucstom ICA connection to go a particular XP server directly rather than load balancing the ICA connection ,by entering the alternate IP address of the data collector.
When load balancing is used on XP server farm ,the data collector in the zone returns the alternate IP address and port number of the least busy server to the external ICA client using TCP port 1494.
The ICA client uses the alternate IP address to connect to the server whose alternate IP address was returned by the data collector.

Specifying a Different TCP/IP Port

It is possible to change the TCP/IP port used by the ica protocol.
Choose any port number in the range of 0-65535 as long as it does not conflict with other reserved ports.
To change TCP/IP port type ICAPORT /port:xxxx on each server in the subnet.
The new TCP/IP port number must be configured in each ICA client.