Internet Filter Content Filter

How can I incorporate user authentication with Citrix Server?


Normally, when users log in to a thin-client server such as Citrix Server or MS Terminal Services, any outgoing traffic they generate has the server's IP address as its source IP address. Multiple users therefore generate traffic from only one IP address. R3000 authentication works by binding a username and profile/Rule to an IP address, so if multiple users are coming from one IP address (e.g. the Citrix Server), authentication should not be used.

However, Citrix has a Virtual IP feature where it can assign a unique virtual IP address to each user who logs in. Thus, it is possible to distinguish each user's traffic because of their virtual IP address.

With this feature enabled, R3000 can use the virtual IP address to assign an LDAP username and authentication profile to that particular user's session, much as if the user were logging in to a workstation normally.

To do this, please use the following instructions.

Note: The instructions assume you have already installed Citrix MetaFrame Presentation Server 4.0 (or later) and are working in a Windows Server 2000 or 2003 environment.

  1. Enable Virtual IP on the farm's Properties page.
  2. Set ranges for virtual IP addresses for the farm.
  3. Add authenticat.exe and authenticat.cfg to the c:\winnt\system32 directory. Note: An admin can use command line parameters instead of a configuration file.
  4. Make sure authenticat.cfg has the Citrix Option enabled, which is the NP[1] parameter.

    ======authenticat.cfg======
    RA[192.168.11.109]
    NP[1]

  5. Add the Virtual IP processes: at minimum, iexplore.exe and authenticator.exe.
  6. Manually modify usrlogon.cmd in the c:\winnt\system32 directory so that it starts the authenticator for each Citrix session. Note: the sample here uses the command line parameters.

    ======usrlogon.cmd======
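    REM Skip the authenticator for the server console session
    If "%SESSIONNAME%" == "Console" GOTO CONSOLE
    REM Start the authenticator for this Citrix session (command line parameters)
    start authenticat.exe RA[192.168.11.109]NP[1]
    :CONSOLE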

One note to remember: Citrix will ONLY use the virtual IP address for the applications you specify in the process list. Traffic generated by the session therefore won't automatically use the VIP. For example, say you have both Internet Explorer and Firefox installed. If you add only iexplore.exe to the VIP process list and not firefox.exe, then traffic generated from IE will use the VIP, while traffic from Firefox will still use the Citrix server IP.
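
One way to check for the gap described in the note above is to look for web requests that still arrive from the Citrix server's own address instead of a virtual IP. The following is an added example, not part of the original article or of the R3000 product; the log line format, the server address, the VIP range and the sample records are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed addressing (not from the article): the Citrix server's own IP and
# the first/last address of the virtual IP range configured for the farm.
CITRIX_SERVER_IP = ipaddress.ip_address("10.0.5.10")
VIP_FIRST = ipaddress.ip_address("10.0.5.100")
VIP_LAST = ipaddress.ip_address("10.0.5.150")

# Constructed sample records in a hypothetical "time src_ip client url" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.5.101 iexplore http://intranet.example/
2024-05-01T09:00:03 10.0.5.10 firefox http://news.example/
2024-05-01T09:00:07 10.0.5.102 iexplore http://mail.example/
2024-05-01T09:00:09 10.0.5.10 firefox http://video.example/
2024-05-01T09:00:12 10.0.5.10 updater http://cdn.example/pkg
malformed line
2024-05-01T09:00:15 10.0.7.20 iexplore http://intranet.example/
"""

def classify(src):
    """Return 'shared' (server's own IP), 'vip' or 'other' for a source IP."""
    ip = ipaddress.ip_address(src)
    if ip == CITRIX_SERVER_IP:
        return "shared"
    if VIP_FIRST <= ip <= VIP_LAST:
        return "vip"
    return "other"

def audit(log_text):
    """Count requests per class, and per client seen on the shared server IP."""
    classes, shared_clients, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            src, client = parts[1], parts[2]
            kind = classify(src)
        except (IndexError, ValueError, TypeError):
            skipped += 1  # record could not be parsed; count it, do not guess
            continue
        classes[kind] += 1
        if kind == "shared":
            shared_clients[client] += 1  # cannot be tied to one user
    return classes, shared_clients, skipped

if __name__ == "__main__":
    classes, shared_clients, skipped = audit(SAMPLE_LOG)
    print(dict(classes), "skipped:", skipped)
    for client, count in shared_clients.most_common():
        print(f"{client}: {count} requests from the server IP; check the VIP process list")
```

Any client that shows up under the shared server address is a candidate for the VIP process list, since its traffic cannot be bound to an individual user's profile.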