Installing Citrix GoToMeeting and GoToWebinar when Application Manager is deployed

Version 1

    Verified Product Versions

    AppSense Application Manager 8.9AppSense Application Manager 8.8AppSense Application Manager 8.7AppSense Application Manager 8.6

    Introduction

    Both Citrix GoToMeeting and GoToWebinar do not require elevation to install.  Both of the GoTo packages change on a regular basis, therefore providing an Application Manager Snippet that will stay valid is difficult.

    When installed with standard user rights, the GoTo packages are typically installing into %localappdata%\Citrix and is only available to the user that installed the package.  When installed as an Administrative user, the GoTo package will install to %ProgramFiles%\Citrix or %ProgramFiles(x86)%\Citrix on 64bit machines.  An Administrative install will be available to all users.

    Although Administrative installs are availiable to all users, it still tends to be easier to install the GoTo packages with standard user rights.  The GoTo packages are designed to use standard user rights as an expected priviledge level for most installations, therefore is already suitable for standard user permission installations.  The GoTo packages are quite lightweight and tend not to consume too much disk space when multiple users share the same endpoint.  In addition the GoTo packages tend to install the same version of the product that is being used by the Host of the meeting.  Even when joining a meeting while running the most up to date client, the GoTo package may install an earlier version of the client if the meeting Host is running an earlier version.  The behaviour and requirements continually change with major and minor releases of the product.

    Installing as a standard user reduces the complexity of an Application Manager configuration and the requirement to maintain multiple versions of the GoTo products installed.  This Knowledge Article focuses on how let Application Manager allow a standard user run the GoTo installer and the installed program.  The example provided is for the GoToWebinar package but the same process applies for GoToMeeting.

    Ideally an Virtual Machine that can be snapped shot and rolled back quickly is the easiest approach to determine the requirements.

    Detail

    Using Vendor Certificates

    Typically the simplest configuration to create is adding the Citrix Vendor certificate to the Trusted Vendor list as per the screenshot.

    This allows process and DLLs to execute that are signed with the certificate and tends to requires mainteance when Citrix change the Vendor certificate used.

    To add the certificate:

    • Save a copy of the Installer on the endpoint with the Application Manager Console.
    • Within the appropriate Rule, under Trusted Vendors -> Rule Item Tab -> Add -> From Signed File.
    • Select the file of the installer package and the Citrix Vendor certificate for the installation will be added.

    It can and most likely will be the case that a Process or DLL is signed by a different Vendor Certificate resulting in an error message when the GoTo product is launched.  There are a couple of approaches to tackle this.  It is at this stage an endpoint with Application Manager Agent installed and can be quickly snapshotted and roled back is useful:

    • Usually on the test endpoint the GoTo package will report the DLL it had an issue with.  The certificate can then be imported using the same technique as above.  In the example above, the DLL was a plugin located in %localappdata%\Citrix\Plugins\<version>\npappdetector.dll.
    • Use the Application Manager Rules Analyzer feature to determine the process or DLL that was denied.  Overwrite-If deny results can be ignored.  Note, on http://support.appsense.com under AppSense Exchange there are a couple of tools to make Rules Analyzer logs easier to review.
      • AM Rules Analyzer Parse - Is a utility that provides an alternative inferface to view Rules Analyzer logs and will automatically parse out Overwrite-If entries.
      • PowerShell script to filter Rules Analyzer logs - Removes the Overwrite-If entries prior to reviewing using the AM Console Rules Analyzer Log Parser.
    • As the GoTo products do not install many files, it can be easier to copy them over to the AM Console endpoint and to test added signatures from each file.  Most executables that share the same file size within %localappdata%\Citrix\GoToMeeting\<Version> are the same binary under a different file name.

     

    Using Signatures

    Using signaures to define Process and DLLs that a standard user is allowed to run requires more maintenace than using the Vendor Certificate approach.  Where a Vendor Certificate will allow any process or DLL to run that is signed by that file, using signatures will only allow the files in question to run.  Signatures will need to be maintained for every version of the GoTo package that is needed to run.

    • On the test endpoint, rename %localappdata%\Citrix if it already exists and is possible.  This will allow the collection of all files added by the installer.  If this is not possible, modification to step three maybe required.
    • Install the GoTo package as the standard user.
    • Copy the original installer package and the contents of %localppdata%\Citrix to an endpoint with the Application Manager Console installed.  The installer will install the bulk of the files into %localappdata%\Citrix\GoToMeeting, however additional plugins may also be installed in the parent Citrix folder.  Therefore starting off with a blank Citrix folder helps identify the files added by the installer.
    • Within the AM Console -> Library -> Group Management, create a Citrix GoToWebinar group.
    • Select the Citrix GoToWebinar Group then select Groups Tab -> Launch Signature Wizard.
    • Within the Wizard choose "Search Folders".
    • Select the folder that contains the Citrix GoToWebinar installer and Installed files.  Tick Include Subfolder
    • Complete the Wizard and all file signatures will enumerated for the folder.
    • Several of the GoTo executables share the same file and therefore share the same signature.  As a result a "Duplicate Items Found" will most likley be returned and can be ignored.
    • For the Rules Group, under Accessible Items -> Rules Item Tab -> Add Item -> Accessible -> Group:
      • Tick the "Add To" for the the "Citrix GoToWebinar Group".
      • As the files will be owned by an Untrusted owner (installed by the standard user) also tick "Allow Untrusted Owner".