VMware Cloud Community
jcrowland
Contributor

Console mouse session interfering with guest Citrix sessions

We're running a number of Citrix Presentation 4.5 servers on Microsoft Windows 2003 R2 fully patched guests on ESX 3.5.0 (64607) hosts and recently encountered two problems:

  1. Today, we RDP'ed into our VirtualCenter server and hit the console for a guest server. After logging in as a local administrator, about 12 users complained that their mouse was moving. We verified that this was the case and that it correlated to the console session. We disconnected the administrator, closed the session, reconnected from another source, and reproduced the problem again. We've never experienced anything like this on any of our 3.0 or 3.5 ESX servers.

  2. Last week, we consoled into a server, again via RDP, logged in, logged out, and then copied and pasted text into something on my local PC. The text surprised me as it was something from a user logged into the server, probably from her buffer; it was a confidential excerpt from a contract. This was on a separate Citrix 4.5 server guest running on a different 3.5 ESX host.

I hunted around the KB and couldn't find recent references to issues like this. We have the VMware tools installed on the guests, updated as of a few months ago. Any ideas?

Thanks!

--John C. Rowland

Texiwill
Leadership

Hello,

Sounds like a Citrix/Microsoft problem more than an ESX/Remote Console issue. But you definitely have something going on.

When you RDP into a VM, do you RDP in with /console enabled or do you use whatever Terminal is given? Since the remote console mouse/cut-n-paste buffer is whatever the console buffer is for the system, if this is a Citrix/RDP/Microsoft problem you can duplicate this using physical hardware. When Citrix is in use, are they using the 'console' or another Terminal as well? If everyone is sharing the console then this will happen.

I would really start there. If you cannot reproduce it then you need to report this to VMware as soon as possible as a security problem.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
jcrowland
Contributor

Ed--

Thanks for the pointer. The Citrix sessions aren't using the /console switch and when we use VMware's VirtualCenter we aren't using the /console switch to RDP into that server (which is a physical standalone server). We haven't reproduced this in a physical server, but we also haven't been able to reproduce this all the time with these guest servers either. It seems intermittent, but it raises some significant security concerns.

--John

Texiwill
Leadership

Hello,

The host on which you run the VIC and VC server should have nothing to do with this. You are talking about using the ICA client to access the Citrix sessions from a user desktop and using the VMware Remote Desktop via the Virtual Infrastructure to access the Console of the Citrix Server? I hope this is correct.

The remote desktop by default can cut-n-paste from a VM (whatever is in the user's buffer within the VM) to the desktop upon which you are running the VIC and vice versa. That is the default setting. To secure this you will have to set the following on the VM's advanced settings: VIC -> Select VM -> Edit Settings -> Options -> General heading Advanced link -> Configuration Parameters button. Select the Add button and enter on the left the following:

isolation.tools.copy.enable

Enter into the right

false

Repeat for isolation.tools.paste.enable, also setting its value to false.

This disables remote console cut-n-paste from the host that runs the VIC to the VM and vice versa. To set this you do have to recycle the power on the VM, however.


Best regards,

Edward L. Haletky

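A check for the two configuration parameters named in the post above, added here as an example and not part of the original thread or of VMware's tooling: it reads a VM's .vmx text and reports whether each parameter is explicitly set to false. The function names, the sample file contents, and the treatment of keys and values as case-insensitive are assumptions.

```python
import re

# The two parameters named in the post; both must be "false" to disable
# remote-console copy and paste for the VM.
REQUIRED = ("isolation.tools.copy.enable", "isolation.tools.paste.enable")

# .vmx entries have the form: key = "value"
_ENTRY = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return (settings, duplicates); keys are lowercased (assumption)."""
    settings, duplicates = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ENTRY.match(line)
        if not match:
            continue  # not a key = "value" entry
        key = match.group(1).lower()
        if key in settings:
            duplicates.add(key)
        settings[key] = match.group(2).strip()
    return settings, duplicates


def audit_clipboard(text):
    """Map each required key to 'ok', 'enabled', 'missing' or 'ambiguous'."""
    settings, duplicates = parse_vmx(text)
    result = {}
    for key in REQUIRED:
        if key in duplicates:
            result[key] = "ambiguous"  # defined twice: review by hand
        elif key not in settings:
            result[key] = "missing"    # the post says the default allows it
        elif settings[key].lower() == "false":
            result[key] = "ok"
        else:
            result[key] = "enabled"
    return result


# Constructed sample: only the copy direction has been locked down.
SAMPLE_VMX = '''# constructed sample, not from the thread
displayName = "ctx-guest-01"
memsize = "4096"
isolation.tools.copy.enable = "FALSE"
'''

if __name__ == "__main__":
    for key, status in audit_clipboard(SAMPLE_VMX).items():
        print(f"{status:10} {key}")
```

A file that passes only reflects the stored configuration; as the post says, the VM has to be power-cycled before the setting takes effect.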
jcrowland
Contributor

We'll definitely try this, you are correct in that we were able to copy and paste from the console connection via the VirtualCenter remote from one of the user sessions. Honestly, on our physical servers, we don't copy and paste after hitting a console session, so I can't test against that. It just seemed odd. It seems like a safe bet to disallow copy and paste in the future to address this security concern.

What is most peculiar though is the first problem I reported, where a console user (via VirtualCenter) seems to interact with most of the Citrix (ICA) and a handful of Microsoft (RDP) sessions via his mouse. We've never seen anything like that with a Citrix Presentation 4/4.5 server or a Microsoft Terminal Server, but have encountered this today with one of our guest servers. I tried reproducing this via an RDP session to the console and could not repeat this, so it seems to be something with the VirtualCenter console.

Thanks!

--John

Texiwill
Leadership

Hello,

To duplicate that you would need to log in to the physical console of a physical machine and not an RDP session. The remote console replicates the physical console. I would also check to see if there is some form of screen sharing going on within Citrix. Or it could be that the 'complaints' were made when multiple people were logged into the Remote Console and NOT using ICA. This would really be a problem with ICA and not necessarily VMware as ICA should prevent any 'console' actions from bleeding through.


Best regards,

Edward L. Haletky

jcrowland
Contributor

We have about a dozen guest 2003 servers residing on two separate hosts, some using Citrix, but we've been able to reproduce this on all the servers, those running Citrix and those that aren't, so just plain jane file servers and IIS servers, for example. We have not been able to reproduce this on physical 2003 servers, of which we have about fifteen.

It seems to happen whenever we RDP to the VirtualCenter server and click on the console view. When we move the mouse off the VirtualCenter console, anyone logged into the server via Citrix ICA or RDP (in the case of the file or IIS servers, where another administrator connects) experiences interference in their sessions from our mouse. We've been able to reproduce this from multiple workstations using different mice.

Normally, we don't use the console via VirtualCenter, but lately we've had a need to do this and have found this disconcerting. Any ideas?

--John

Patrick_Miller
Enthusiast

We are experiencing the same issue when testing our Citrix environment inside ESX...

The problem is when the mouse comes back into "focus" of the console, the user's mouse will jump to that point. Once the console has "grabbed" the mouse, you can move it around without interfering with the user's session. This happens in a standard RDP session as well as a Citrix session. I uninstalled VMware Tools and reinstalled without the mouse driver; the problem is still there.

Texiwill
Leadership

Hello,

I would open a support request with VMware. This definitely does not sound correct unless someone is RDP'ed in using the console.


Best regards,

Edward L. Haletky

depping
Leadership

Please phone support and log a call. This isn't something you would want to fix with a workaround.



Duncan

Blogging: http://www.yellow-bricks.com

If you find this information useful, please award points for "correct" or "helpful".

HHO-Tim
Contributor

Hello Texiwill,

Can you tell me something about your support call? Is there an answer from VMware?

Best regards

Tim

Texiwill
Leadership

Hello,

My comment was that the original poster should open a support call, or anyone experiencing this problem.


Best regards,

Edward L. Haletky

HHO-Tim
Contributor

Oh sorry, Texiwill.

I read this thread very fast.

But I have the problem, too. I'm very interested in a solution to the problem.

Best regards

Tim

jcrowland
Contributor

So far, we've opened a ticket and the support people seem a bit baffled by this.

Like I said earlier, we discovered this behavior on two separate host servers and it doesn't just impact Citrix sessions, it impacts RDP sessions to all the guest Windows 2003 servers.

--John

jcrowland
Contributor

Just to keep everyone updated, we've determined this is related to the VMware Tools on the guest Windows servers. If we don't install it on new servers, we don't have a problem.

VMware support is investigating further and thinks they may have a patch for us to try. I'll keep people updated as it appears others have experienced this issue.

SOsterfeld
Contributor

Thanks for the info, jcrowland.

AlexKozik
Contributor

The problem with the mouse that Patrick Miller described is exactly what we are experiencing as well.

JBsav
Contributor

Hello,

I have exactly the same problem, too!

Do you have an answer to this problem?

Thanks a lot!

tadheckaman
Contributor

I am also experiencing this same exact issue. Brand new host, freshly virtualized terminal server.

ACrossing
Contributor

I too am experiencing this! I thought the users were pulling my leg to start with!

ESX 3.5 U4 hosts running on IBM x3650

Windows Server 2003 32bit Terminal Servers.

When I'm on site and using the Virtual Infrastructure Client to navigate around the servers, users complain that their mouse jumps over the screen.

Anyone have a solution to this yet?

Cheers

Adrian
