I’ve written about staying away from publishing IE via Citrix if you can help it in many articles before. It’s a pain to do all the hardening that comes with publishing a browser. If you don’t lock it down, users will go nuts opening up all sorts of tabs through it thinking it’s their desktop browser and your XenApp servers are going to be overloaded with runaway processes. All it takes is a handful of users streaming video on Youtube to see an impact on your CPUs. Or something more serious, how about the user that manages to browse to a site that’s injecting malware via the latest Java exploit? You have to do all sorts of hardening at the OS and network level to really lock it down. It’s much easier to just publish a URL as content and let the client browser take over so you don’t have to deal with the headache.
But in some instances, you have no choice but to publish a browser. One of the most common examples is a web application that uses a specific legacy version of Java. You don’t want your users to run old versions of Java on their PCs and be vulnerable and incompatible with newer web apps so you run it on a XenApp server instead minimizing your attack vectors. Lock down the server at the network level to just the websites you want to get out to. Use a web proxy. Stick it on a secure VLAN. Heck, edit the server’s local host file and create a DNS black hole if that’s all you can do in a pinch. Do whatever you can to prevent them from getting out to some malicious website looking for browser exploits and open up a world of trouble for you.
As far as the locking down the IE browser itself, one thing you can do is publish it in kiosk mode:
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -k http:\\www.google.com
This will launch IE in full screen with no buttons, tabs, status bar, address bar, title bar, etc. This is perfect for a kiosk but not so much when published to regular and mobile devices. Users want the ability to be able to hit an X button to close the browser. They’re not going to know they have to hit Alt+F4 to exit out of kiosk mode.
The solution is to write a little VBS script and control every aspect of the browser. Here is an example of one of my scripts:
|
1 2 3 4 5 6 7 |
Set objExplorer = CreateObject("InternetExplorer.Application") objExplorer.Navigate "http://www.google.com" objExplorer.ToolBar = 0 objExplorer.StatusBar = 1 objExplorer.Left = 0 objExplorer.Top = 0 objExplorer.Visible = 1 |
I just publish it as:
wscript.exe "D:\Citrix Published Website scripts\Google.vbs"
and it will work just fine as a published app. Just remember, on Server 2008 R2 this is going to launch the 64 bit version of Internet Explorer because you’re calling on the 64 bit version of the Windows Script Host. You will likely want the 32 bit version for Java and other Addons to work. So publish it like this for 32 bit IE using the 32 bit Windows Script Host:
C:\WINDOWS\SysWOW64\wscript.exe "D:\Citrix Published Website scripts\Google.vbs"
Leave the working directory as the location of your scripts:
D:\Citrix Published Website scripts
You’ll notice I only allow the the title bar and status bar with this script but you can do anything you like.
You can even control the window size by just adding a couple of lines:
|
1 2 |
objExplorer.Width = 1024 objExplorer.Height = 768 |
Hope this helps someone!
UPDATE: One of my co-workers let me know if you publish this on a Server 2012 R2 / IE 11 box, you may need to add:
|
1 |
On Error Resume Next |
to the top of the VBS script or you might get a Windows Script Host popup with error 80004005 “unspecified error” or 80010108 “the object invoked has disconnected from it’s clients” error. I found an even easier solution which is to simply move the:
|
1 |
objExplorer.Navigate "http://www.google.com" |
line to the very bottom of the script. No more Windows Script Host errors after that using Internet Explorer 11. Hope this helps!
UPDATE 2: Here’s a more robust script I found by a gentleman named “Paul T” that checks the screen size of the session. This comes in very handy with Virtual Desktop sessions. I’ve made a few small modifications to make it iPad friendly:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
Set objArgs = WScript.Arguments If objArgs.Count = 0 Then WScript.Echo "No URL provided, please supply a URL to open" & VbCrLf & VbCrLf & "e.g. CScript OpenURL.vbs http://www.google.com" wscript.quit End If Set objIE = CreateObject("InternetExplorer.Application") With CreateObject("internetexplorer.application") .navigate "about:blank" With .document.parentWindow.screen iHeight = .height iWidth = .width End With End With objIE.StatusBar = False objIE.Visible = True objIE.AddressBar = False objIE.MenuBar = False objIE.ToolBar = False objIE.Top = 0 objIE.Left = 0 + 8 'Move to the side just a bit to show the desktop objIE.Width = iWidth - 16 'Shrink to let a bit of the desktop show on the sides objIE.Height = iHeight - 28 'Shrink a bit to see the taskbar objIE.Navigate (objArgs(0)) |
just name this script OpenURL.vbs and invoke it via command line like this:
|
1 |
OpenURL.vbs google.com |
sreedhar
May 11, 2014 at 1:46 PM
The solution is working fine for only the published browser instance.
I have published IE for one of our web Application using the Vbscrip which contains shortcut links which are pointed to open other websites. when I clicked the links from the Locked browser the urls open with a full browser.
Do you have any solution for this issue
Vincent
May 16, 2014 at 5:39 PM
Nice work and it did help me to publish IE apps as Kiosk alike without using –k. I wish there is a way to lock down the hotkey(shortcut key) to open another IE browser in the same session (Fortunately, there’re not many users knowing how to do it).
Vincent
May 19, 2014 at 3:47 AM
Jason,
FYI,
I’m experiencing an issue to publish IE app with this VBScript in 2008R2/XenApp 6.5 environment. The name of Application for active session does not display in Citrix AppCenter.
This symptom is very similar to an article from Citrix below.
http://support.citrix.com/article/CTX133835
Hopefully, you will have solution for it.
Thank,
Vincent
Vincent
May 21, 2014 at 3:21 AM
FYI, http://support.citrix.com/article/CTX139195
Thanks,
Saurabh
October 8, 2014 at 10:48 PM
The problem is any website published via this method is still vluenrable, beacuse any hyperlink redirects to open another instance of IE without lockdown feature…any solution how to restrict this….all instances of IE shall open with Lockdown feature.
Jason Samuel
October 8, 2014 at 10:55 PM
AppSense Environment Manager works well. It can truly lock down the browser or any app for that matter. I’ll try and do a how-to article soon.
Saurabh
October 8, 2014 at 11:45 PM
Thanks Jason ! Eagerly waiting for that !
In the absense of Appsese how doe we manage this…I have a project depending on this requirement.
Adam Mariak
October 16, 2014 at 11:52 AM
I have tested this solution and ran into the problem that Saurabh is talking about with some links opening a new window. What I did to accomplish this instead of using this script:
Created a GPO that locked down the browser. Microsoft has a template for IE11 which you can use that gives you access to lockdown the browser so the user can not browse any where or even open new windows using shortcuts or buttons.
Even when a user does click on a link that opens a new window, that window will also be locked down.
One problem I ran into though is that when IE is open on Citrix and a user clicks on a link in Outlook ( or any application ) we normally would have it open the browser on the users computer but because IE was open on the Citrix server, the website opened in the Citrix browser. I resolved this by publishing IE on a seperate server where the regular applications do not run.
austin
May 11, 2015 at 9:19 AM
Hi Jason, The command line Argument pointing to the URL in XA/XD7.6 Does not work. It returns error for the URL it is suppose to point to (“c:/ProgramFile…..”http://example.com) Is there something i am missing? Thanks
MJ Almassud
July 26, 2015 at 5:41 PM
Excellent solution to an old and stubborn problem.
What can I add to make it open IE maximized?
Thanks a lot for all of your hard work.
MJ
elproducto
March 16, 2016 at 8:27 PM
Jason,
This script seems work good for launching IE, but I seem to run into issue in Citrix when closing IE. The session never ends after closing the visible IE Window. When I look at end user process seems three instances of IE are running even after closing the visible IE Window. Do you know of a way to ensure all IE Windows closes properly? Finally did you write the article leveraging Appsense for this type of scenario?
Stuart Thompson
January 24, 2017 at 10:56 AM
I get the same issue as elproducto. Session won’t end after user closes IE and there are still iexplore.exe processes running for the user.
Anyone find a fix for this?