Symantec antivirus on Citrix
In addition, on 64-bit terminal servers you will also see ProtectionUtilSurrogate. This is normal behaviour and should not cause problems in small deployments or remote administration scenarios. Although these processes are required for a fully working SEP client installation, they can be prevented from loading on terminal servers with minimal effect on the end user.
For details on how to do this, please see Appendix D. Although SEP client can be configured to support multiple users with individual policies, in a terminal server environment, this will manifest itself in a different way than would be imagined. If a user is logged onto the console of the server, then all remote users will be given the same policy. If there is no console user, then all users will receive the policy of the first logged in user.
Symantec are working to change this so that the feature works correctly on terminal servers, but this behaviour is expected at this moment in time. As with Windows Terminal services, Symantec Endpoint Protection runs without major issue on Citrix environments as long as all previous recommendations are taken into account.
However, certain components of the application may cause issues. These can vary from an incorrectly configured firewall component blocking traffic to the Tamper Protection module causing issues with certain health checking components of Citrix. In addition to the AntiVirus and AntiSpyware exclusions for standard terminal servers, the following exclusions are recommended for Citrix servers:
Symantec recommends that the following process is excluded from Tamper Protection on Citrix servers, as it is known to cause problems: As per terminal servers, if you wish to run the SEP firewall on a Citrix server then it is possible to do so without any issue using the default rule set in SEP. If, however, you wish to create a custom rule set for Citrix then the following processes and communications ports should be taken into account:
Default ICA port; this can be changed if necessary. This port does not need to be open on the external firewall if you will be utilizing Citrix Secure Gateway for Windows. This port is only used when Session Reliability is enabled. In the case of services that use dynamic ports on servers, it is recommended that a host group be used that contains the IP addresses of the Citrix servers in your organization.
This group has been pre-created in the provided firewall policy; you simply need to add your Citrix server addresses to it. It should be noted that administrators will only see multiple instances of SmcGui.
If published applications are used solely then there will be no multiple instances of these processes and there is no requirement to follow the steps in Appendix D.
While it is possible to run the Symantec Endpoint Protection Manager on a terminal server, it is not recommended if the terminal server is to be hosting a large number of terminal sessions due to the performance overhead of the Manager services, particularly when updating definitions and running the Java console. Future versions of Symantec Endpoint Protection are already in development and there are many changes being made to the code to provide better optimization in terminal services environments.
Until these enhancements are realized, the steps in this whitepaper will provide the same performance benefits. All the steps in this whitepaper have already been performed on several large Citrix deployments on Symantec customer sites and all participants have been extremely impressed at the performance benefits that these modifications bring about. For the purpose of testing, anonymous access to Citrix applications was configured.
Common business applications, such as Microsoft Word and Excel were installed onto the Citrix servers and were published through the Citrix Web Interface.
In addition, a full desktop was also published. The Windows firewall was turned off on all servers, as the SEP firewall was used, initially with the default firewall policy from In the same way, 10 anonymous sessions were established to each Citrix server — separate tests were performed for published applications and the published desktop.
In both cases, the task manager was observed from a console connection. Changes were then made to the clients on the servers and re-testing was performed to see the difference in performance and processes that were loaded. Each change was made separately, then tested. Once the process and AntiVirus and AntiSpyware optimization were complete, work was started on the firewall ruleset, with an initial ruleset being put in place that allowed all communication to and from the domain controller and blocked and logged all further traffic.
Rules were then created for each block rule that allowed the Citrix and Terminal Server processes until there were no more blocked requests related to Citrix or Terminal Services processes. All tests were then re-run with this new ruleset in use to confirm overall functionality.
In addition, Citrix farm administration tasks were also performed from each Citrix server to ensure that server to server communications were still working correctly.
Once all performance changes and testing had been completed, functionality tests were run against the SEP clients running on the servers to prove that core functionality had not been affected by the changes put in place. Virus detections still occurred and users were notified, clients were able to be managed from the management console, and would accept commands and update content and policies successfully. The following additional processes can be seen running on a Windows terminal server running SEP Client:
Diagnostic Facility COM Server — manages diagnostic facility tracing when used to diagnose problems with the Citrix server. Provides information and notifications regarding licensing events on the license server if server is a Citrix License Server. Citrix Print Manager Service — handles the creation of printers and driver usage within Citrix sessions. Citrix Encryption Service — Handles encryption between the client device and the Citrix server.
Citrix Health Monitoring and Recovery — Provides health monitoring and recovery services in the event problems occur. Citrix Services Manager — Allows the components of Presentation server to interact with the operating system. To configure a seamless global registry flag, edit either or both of the following registry keys in the Windows Registry Editor:
The session was left in active state because the SmcGui. This might be due to the Seamless Desktop Integration feature of Citrix, where resources running on a Terminal Server might be made to appear as if the resources are running on the client. CTX — Seamless Configuration Settings for more information about seamless configuration settings.
Symantec Web page for more information about multiple icons on the Terminal Server.
This article provides guidelines for configuring antivirus software in Citrix Virtual Apps and Desktops environments, and resources for configuring antivirus software on other Citrix technologies and features (for example, Cloud Connectors, Provisioning Services, and so on). Incorrect antivirus configuration is one of the most common problems that we see in the field.
It can result in various issues, ranging from performance issues or degraded user experiences to timeouts and failures of various components. In this Tech Paper, we cover a few major topics relevant to optimal antivirus deployments in virtualized environments: agent provisioning and deprovisioning, signature updates, a list of recommended exclusions and performance optimizations. Successful implementation of these recommendations depends upon your antivirus vendor and your security team.
Consult them to get more specific recommendations. This article contains antivirus exclusions. It is important to understand that antivirus exclusions and optimizations increase the attack surface of a system and might expose computers to various security threats.
However, the following guidelines typically represent the best trade-off between security and performance. Citrix does not recommend implementing any of these exclusions or optimizations until rigorous testing has been conducted in a lab environment to thoroughly understand the tradeoffs between security and performance.
Citrix also recommends that organizations engage their antivirus and security teams to review the following guidelines before proceeding with any type of production deployment. Agent software that is installed on every provisioned virtual machine usually needs to register with a central site for management, reporting of status and other activities. For registration to be successful, each agent needs to be uniquely identifiable.
With machines provisioned from a single image using technologies such as Provisioning Services (PVS) or Machine Creation Services (MCS), it is important to understand how each agent is identified, and whether there are any instructions required for virtualized environments.
Some vendors use dynamic information such as the MAC address or computer name for machine identification. Others use the more traditional approach of a random string generated during installation. To prevent conflicting registrations, each machine needs to generate a unique identifier. Registration in non-persistent environments is often done using a startup script that automatically restores machine identification data from a persistent location.
In more dynamic environments, it is also important to understand how de-provisioning of machines behaves, if cleanup is a manual operation, or if it is performed automatically.
Some vendors offer integration with hypervisors or even delivery controllers where machines can be automatically created or deleted as they are provisioned.
If registration requires more steps for environments with single-image management, include these steps in your image sealing instructions, preferably as a fully automated script.
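A sketch of the startup script described above, as an added example that is not Citrix's or any antivirus vendor's code. It assumes the agent keeps its identifier in a single file and runs as one Windows service; `D:\AgentIdentity`, `C:\ProgramData\ExampleAV\agent-id.dat` and `ExampleAVAgent` are hypothetical placeholders to be replaced with the values your vendor documents.

```powershell
# Added example. Every path and the service name below are hypothetical
# placeholders; some agents keep their identifier in the registry instead.
param(
    [string]$PersistentRoot = 'D:\AgentIdentity',                      # persistent disk (assumed)
    [string]$AgentIdFile    = 'C:\ProgramData\ExampleAV\agent-id.dat', # hypothetical ID file
    [string]$AgentService   = 'ExampleAVAgent',                        # hypothetical service name
    [int]$WaitSeconds       = 120
)

$ErrorActionPreference = 'Stop'

# One saved identity per machine name, so clones of the same image never share one.
$saved = Join-Path $PersistentRoot "$env:COMPUTERNAME.id"

# Keep the agent stopped while the identifier is swapped, so it cannot
# register with the identifier that was captured in the master image.
$svc = Get-Service -Name $AgentService
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $AgentService -Force
}

if (Test-Path -LiteralPath $saved) {
    # Known machine: restore the identifier it registered with before the reset.
    Copy-Item -LiteralPath $saved -Destination $AgentIdFile -Force
    Start-Service -Name $AgentService
}
else {
    # First boot of this machine: discard any identifier left in the image,
    # let the agent generate a fresh one, then persist it for later boots.
    if (Test-Path -LiteralPath $AgentIdFile) {
        Remove-Item -LiteralPath $AgentIdFile -Force
    }
    Start-Service -Name $AgentService

    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    while (-not (Test-Path -LiteralPath $AgentIdFile)) {
        if ((Get-Date) -gt $deadline) {
            throw "Agent did not create $AgentIdFile within $WaitSeconds seconds."
        }
        Start-Sleep -Seconds 5
    }

    New-Item -ItemType Directory -Path $PersistentRoot -Force | Out-Null
    Copy-Item -LiteralPath $AgentIdFile -Destination $saved -Force
}
```

If the agent's self-protection prevents the service from being stopped or the file from being replaced, the script fails at that step rather than letting the machine register with a duplicate identifier.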
Timely, consistently updated signatures are one of the most important aspects of endpoint security solutions. Most vendors use locally cached, incrementally updated signatures that are stored on each of the protected devices. With non-persistent machines, it is important to understand how signatures are updated and where they are stored. This enables you to understand and minimize the window of opportunity for malware to infect the machine.
Especially in a situation in which updates are not incremental and can reach significant size, you might consider a deployment in which persistent storage is attached to each of the non-persistent machines to keep the update cache intact between resets and image updates. Using this approach, the window of opportunity and the performance impact of a definitions update is minimized.
Aside from signature updates for each of the provisioned machines, it is also important to define a strategy for updating the master image. Automating this process is recommended, as is updating the master image regularly with the latest signatures.