Citrix XenApp

Publishing IE via Citrix in full screen kiosk like mode and retaining the X button to close

on

I’ve written about staying away from publishing IE via Citrix if you can help it in many articles before. It’s a pain to do all the hardening that comes with publishing a browser. If you don’t lock it down, users will go nuts opening up all sorts of tabs through it thinking it’s their desktop browser and your XenApp servers are going to be overloaded with runaway processes. All it takes is a handful of users streaming video on Youtube to see an impact on your CPUs. Or something more serious, how about the user that manages to browse to a site that’s injecting malware via the latest Java exploit? You have to do all sorts of hardening at the OS and network level to really lock it down. It’s much easier to just publish a URL as content and let the client browser take over so you don’t have to deal with the headache.

But in some instances, you have no choice but to publish a browser. One of the most common examples is a web application that uses a specific legacy version of Java. You don’t want your users to run old versions of Java on their PCs and be vulnerable and incompatible with newer web apps so you run it on a XenApp server instead minimizing your attack vectors. Lock down the server at the network level to just the websites you want to get out to. Use a web proxy. Stick it on a secure VLAN. Heck, edit the server’s local host file and create a DNS black hole if that’s all you can do in a pinch. Do whatever you can to prevent them from getting out to some malicious website looking for browser exploits and open up a world of trouble for you.

As far as the locking down the IE browser itself, one thing you can do is publish it in kiosk mode:

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -k http:\\www.google.com

This will launch IE in full screen with no buttons, tabs, status bar, address bar, title bar, etc. This is perfect for a kiosk but not so much when published to regular and mobile devices. Users want the ability to be able to hit an X button to close the browser. They’re not going to know they have to hit Alt+F4 to exit out of kiosk mode.

The solution is to write a little VBS script and control every aspect of the browser. Here is an example of one of my scripts:

I just publish it as:

wscript.exe "D:\Citrix Published Website scripts\Google.vbs"

and it will work just fine as a published app. Just remember, on Server 2008 R2 this is going to launch the 64 bit version of Internet Explorer because you’re calling on the 64 bit version of the Windows Script Host. You will likely want the 32 bit version for Java and other Addons to work. So publish it like this for 32 bit IE using the 32 bit Windows Script Host:

C:\WINDOWS\SysWOW64\wscript.exe "D:\Citrix Published Website scripts\Google.vbs"

Leave the working directory as the location of your scripts:

D:\Citrix Published Website scripts

You’ll notice I only allow the the title bar and status bar with this script but you can do anything you like.

ie-locked-down-for-citrix-xenapp

You can even control the window size by just adding a couple of lines:

Hope this helps someone!

UPDATE: One of my co-workers let me know if you publish this on a Server 2012 R2 / IE 11 box, you may need to add:

to the top of the VBS script or you might get a Windows Script Host popup with error 80004005 “unspecified error” or 80010108 “the object invoked has disconnected from it’s clients” error. I found an even easier solution which is to simply move the:

line to the very bottom of the script. No more Windows Script Host errors after that using Internet Explorer 11. Hope this helps!

UPDATE 2: Here’s a more robust script I found by a gentleman named “Paul T” that checks the screen size of the session. This comes in very handy with Virtual Desktop sessions. I’ve made a few small modifications to make it iPad friendly:

just name this script OpenURL.vbs and invoke it via command line like this:

About Jason Samuel

Jason Samuel is an Infrastructure Architect in Houston, TX with a primary focus on mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and information security. He is certified in several technologies and is 1 of 50 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 28 people in the world that is an Atlantis Community Expert (ACE). He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with.

Recommended for you

12 Comments

  1. sreedhar

    May 11, 2014 at 1:46 PM

    The solution is working fine for only the published browser instance.

    I have published IE for one of our web Application using the Vbscrip which contains shortcut links which are pointed to open other websites. when I clicked the links from the Locked browser the urls open with a full browser.

    Do you have any solution for this issue

  2. Vincent

    May 16, 2014 at 5:39 PM

    Nice work and it did help me to publish IE apps as Kiosk alike without using –k. I wish there is a way to lock down the hotkey(shortcut key) to open another IE browser in the same session (Fortunately, there’re not many users knowing how to do it).

  3. Vincent

    May 19, 2014 at 3:47 AM

    Jason,

    FYI,

    I’m experiencing an issue to publish IE app with this VBScript in 2008R2/XenApp 6.5 environment. The name of Application for active session does not display in Citrix AppCenter.

    This symptom is very similar to an article from Citrix below.
    http://support.citrix.com/article/CTX133835

    Hopefully, you will have solution for it.

    Thank,

    Vincent

  4. Vincent

    May 21, 2014 at 3:21 AM

  5. Saurabh

    October 8, 2014 at 10:48 PM

    The problem is any website published via this method is still vluenrable, beacuse any hyperlink redirects to open another instance of IE without lockdown feature…any solution how to restrict this….all instances of IE shall open with Lockdown feature.

  6. Jason Samuel

    October 8, 2014 at 10:55 PM

    AppSense Environment Manager works well. It can truly lock down the browser or any app for that matter. I’ll try and do a how-to article soon.

  7. Saurabh

    October 8, 2014 at 11:45 PM

    Thanks Jason ! Eagerly waiting for that !
    In the absense of Appsese how doe we manage this…I have a project depending on this requirement.

  8. Adam Mariak

    October 16, 2014 at 11:52 AM

    I have tested this solution and ran into the problem that Saurabh is talking about with some links opening a new window. What I did to accomplish this instead of using this script:

    Created a GPO that locked down the browser. Microsoft has a template for IE11 which you can use that gives you access to lockdown the browser so the user can not browse any where or even open new windows using shortcuts or buttons.

    Even when a user does click on a link that opens a new window, that window will also be locked down.

    One problem I ran into though is that when IE is open on Citrix and a user clicks on a link in Outlook ( or any application ) we normally would have it open the browser on the users computer but because IE was open on the Citrix server, the website opened in the Citrix browser. I resolved this by publishing IE on a seperate server where the regular applications do not run.

  9. austin

    May 11, 2015 at 9:19 AM

    Hi Jason, The command line Argument pointing to the URL in XA/XD7.6 Does not work. It returns error for the URL it is suppose to point to (“c:/ProgramFile…..”http://example.com) Is there something i am missing? Thanks

  10. MJ Almassud

    July 26, 2015 at 5:41 PM

    Excellent solution to an old and stubborn problem.

    What can I add to make it open IE maximized?

    Thanks a lot for all of your hard work.

    MJ

  11. elproducto

    March 16, 2016 at 8:27 PM

    Jason,

    This script seems work good for launching IE, but I seem to run into issue in Citrix when closing IE. The session never ends after closing the visible IE Window. When I look at end user process seems three instances of IE are running even after closing the visible IE Window. Do you know of a way to ensure all IE Windows closes properly? Finally did you write the article leveraging Appsense for this type of scenario?

  12. Stuart Thompson

    January 24, 2017 at 10:56 AM

    I get the same issue as elproducto. Session won’t end after user closes IE and there are still iexplore.exe processes running for the user.
    Anyone find a fix for this?

Leave a Reply

Your email address will not be published. Required fields are marked *