Uninstall Symantec without password

I need a solution

I applied Policy to prevent any user from unistalling the SEP without password, but user still can unistall the SEP without asking for password,

i am sure there is no problem in applying the policy, i applied as follow > 

  1. Click Clients
  2. Select Policies tab.
  3. Click on General Settings.
  4. Select Security Settings tab.
  5. Select Require a password to uninstall the client
  6. Type the <password> in the box.
  7. Click OK.

Note: user when try to stop SEP service “SMC-Stop” , he can’t because it’s asking for a password, i don’t know why it’s not working with unistall the application.

windows version 10 “1709 & 1803”



  • No Related Posts

Add a Request a File Link to Your Outlook Signature

Add a Request a File Link to Your Outlook Signature

1. Open a New Outlook Email Message.

2. Click the Request Files button, then Use Custom Settings.

3. Configure the options to your liking.

4. For the purposes of placing a secure link in your signature, the Sign In requirement cannot be used. “Sign In” requires that the recipient of your email message (the To field) be a user on your ShareFile account. Since many different recipients can access your signature link once its done, ShareFile cannot specify which user should be created as a user on your account, and will display an “Invalid Link” error when trying to send any email containing the link you generated using the Sign In option.

5. Don’t forget to adjust your expiration settings!

6. Click OK to generate the link.

User-added image
User-added image

3. Highlight the newly generated Request a File link, right-click and select Copy.

User-added image

4. Click Signature in the ribbon and edit the Signature you wish to add the link to. Paste the Request a File link into the signature.

User-added image

5. Click OK to save the changes to your signature.


  • No Related Posts

Configure RDS Licenses for XenApp

Following 2 GPOs should be configured for licensing server and license type for RDS.

Apply policy: Computer configuration>Windows component>Remote Desktop Services>Remote Desktop Session host>Licensing

1. Use the specified Remote Desktop License Server

2. Set the remote Desktop Licensing mode

Also, perform below steps to configure RDSH server:

Install Remote Desktop Licensing

1) In Server Manager, open the Manage menu and click Add Roles and Features.

2) Click Next until you get to the Server Roles page. Check the box next to Remote Desktop Services and click Next.

3) Click Next until you get to the Role Services page. Check the box next to Remote Desktop Licensing and click Next.

4) Click Add Features if prompted.

5) Then finish the wizard to install the role service.

Activate Remote Desktop Licensing

1) After RD Licensing is installed, in Server Manager, open the Tool menu, expand Terminal Services and click Remote Desktop Licensing Manager.

2) The tool should find the local server. If it does not, right-click All servers, click Connect and type in the name of the local server. Once the local server can be seen in the list, right-click the server and click Activate Server.

3) In the Welcome to the Activate Server Wizard page, click Next.

4) In the Connection Method page, click Next.

5) In the Company Information page, enter the required information and click Next.

6) All of the fields on the Company Information page are optional so you do not have to enter anything. Click Next.

7) In the Completing the Activate Server Wizard page, uncheck the box next to Start Install Licenses Wizard now and click Finish. Since the session hosts will be configured to pull Per User licenses, there is no need to install licenses on the RD Licensing Server.

8) In RD Licensing Manager, right-click the server and click Review Configuration.

9) Ensure you have green check marks. If the person installing Remote Desktop Licensing does not have permissions to add the server to the Terminal Server License Servers group in Active Directory, ask a domain admin to do it manually. If you have the proper permissions, click Add to Group.

10) Click Continue when prompted that you must have Domain Admins privileges.

11) Click OK when prompted that the computer account has been added.

12) Click OK to close the window.

Remote Desktop Licensing Configuration

Do the following on your 2012 R2 Remote Desktop Session Hosts. The only way to configure Remote Desktop Licensing is using group policy (local or domain).

1) For local group policy, run gpedit.msc.

2) Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.

3) Double-click Use the specified Remote Desktop license servers. Change it to Enabled and enter the names of the XenDesktop Controllers. Click OK.

4) Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User. Click OK.

5) In Server Manager, open the Tools menu, expand Terminal Services and click RD Licensing Diagnoser.

6) The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

NOTE: The group policy should point to your RD licensing servers. if you installed it on your Controllers then you would specify them. Otherwise specify the RD Licensing server names.


  • No Related Posts

7018598: Quickstart Guide: Setting up Active Directory Single Sign-On (SSO) with a GroupWise 2014 R2 SLES11 Linux Post Office


a. For the example purposes of this document, it is assumed thatthe GroupWise Linux Post Office Server fully qualified hostname is“bperez13.bperez11.gwlab.com” and that the Active DirectoryDomain Server fully qualified hostname is “bperez11.gwlab.com”. Substitute your hostnames as appropriate.

Inthis example the User in Active Directory and the GroupWise UserID is“aduser1” that we will work with. Your SLES11 server is upto date on patches.

b. It is assumed that in your Microsoft Active Directory Server,DNS Manager, that you have a DNS “zone name”, in thisexample, of “bperez11.gwlab.com”, but substitute yourDNS zone name, that way you will not have to make changes to theGroupWise Linux server hostname and POA agent settings hostname onthat server.

c. It is assumed that you have or will have a DNS “A”Record (on your Microsoft Domain Server) of , in this example,bperez13.bperez11.gwlab.com, substitute your GroupWise server fullyqualified hostname as needed. So in this example in theMicrosoft Domain Controller Server, in the DNS application, under”Forward Lookup Zones”, you would have defined a DNS zonecalled “bperez11.gwlab.com” and under this zone you wouldcreate a DNS A record that would have a “Host” name of”bperez13″ and a “Fully qualified domain name (FQDN)of “bperez13.bperez11.gwlab.com” along with the ip addressthat resolves to bperez13.bperez11.gwlab.com. Make the propername substitutions as you need.

d. It is assumed you are working with a Microsoft Windows 2012 R2Server.

e. It is assumed that you have created an Ldap Directory and LdapServer in the GroupWise Web Admin Console under SYSTEM, “LdapServers” by following the steps listed in Section 6.1 , steps 1thru 6 of this URL :


andthis section 6.2.1, steps 1 thru 6 of this URL :


f. It is assumed that you have imported the Active Directory usersinto GroupWise, that will be using the Single Sign-On (SSO) feature. So these users are associated with the Active Directory serverlisted in the Ldap Servers.

g. Lastly it is assumed on your Active Directory Windows Server 2012 R2box, in “Active Directory Users and Computers”, View, that youhave “checked”, “Advanced Features”.


Sinceyou will be changing the Security setting for the Post Office Agent,consider doing this on a Friday night after hours to minimize userimpact. Or you could certainly test this procedure on aGroupWise Test server, that is not production, until you arecomfortable that it will work as you expect.


Havea full complete backup of the GroupWise System before performingthese steps, in case there are any Issues. However these stepsworked correctly for me on my SLES11 GroupWise Server and Windows 7workstation with the GroupWise 2014 R2 Windows client.

NOTE: For any additional GroupWise servers that you want to haveSingle Sign-On functionality with Active Directory then you wouldjust repeat the steps in this Technical Document for each additionalLinux server where there is a GroupWise Post Office.

Stepsto Follow :

ForLinux Post Office Server you will have to “Join” theWindows Server Domain Controller and make the below changes NOW :

1. You need to know the current fully qualifiedhostname for the Linux GroupWise Post Office Server, let”s sayit is:

a. bperez13.bperez11.gwlab.com

2. You need to know current fully qualified hostnamefor your Active Directory Domain Server, let”s say it is:

a. bperez11.gwlab.com

3. Then the Linux Post Office Server will likelyneed a change to it’s listed “Name Server” in YAST, in thisexample: ( The Windows Domain Controller )

a. I.P address of the Windows Domain Controller

b. To make this “Name Server” change go to Yast,Network Devices, Network Settings,

andin the Hostname/DNS tab, the “Hostname” would have to be”bperez13“, no

quotes,and the “Domain Name” would have to be : “bperez11.gwlab.com”, no quotes. As

appropriatein your situation, change it NOW.

c. AND in this same tab, the “Name Server 1″would have to have ONLY the ip

addressof your Active Directory Domain Controller. Do not have anyvalues for

“NameServer 2” and “Name Server 3” . The “DomainSearch” list box to the

rightwould have to show – “bperez11.gwlab.com”, no quotes. Asappropriate in your situation, change it NOW.

d. The Routing tab, the “Default Gateway”,would of course have to be filled out correctly

foryour network environment. CLICK OK and exist YAST.

e. The result would be that when you go to a terminal as”root” on the Post Office

Server,you should at least be able to PING internal and external ipaddresses or hostnames to make sure you have proper ip connectivity.

4. Go to the below documentation URL for “ConfiguringSingle Sign-On with Active Directory” (54.2):

a. https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_admin/data/b1f0s9uy.html

b. With the above GroupWise documentation URL, under thesection “Configuring Single Sign-On with Active Directory”(54.2), we will go over the listed first 4 bullet points inorder:

c. For the 1st bullet point, make sure both the POA LinuxServer and the User Windows Workstation are joined to the sameActive Directory Domain:

i. On the Linux box where the Post Office is located,Click Computer, Yast, Network Services, Windows Domain Membership, onMembership “Domain or Workgroup”, type the fully qualifiedhostname NOW for your Active Directory Domain Controller, in thisexample, but substitute yours :


ii. Click the Expert Settings button, for the KerberosMethod select “system keytab”, then Click OK.

iii. Click the “NTP Configuration” button, toensure time synchronization between the Linux Post Office Server andthe Active Directory Domain Server, as needed, set the Time server. Click ADD, Click Next, Type in an appropriate local or publicTime Server, Click Test, Click OK after it responds correctly, ClickOK, then OK again. Click the JOIN button in upper right ifpresent, otherwise Click OK. ClickOK again. You should see a dialog that pops up that says “Thishost is not a member of the domain <bperez11>”. Youwill see another dialog that says “Join the domain <bperez11>?”, Click Yes. Inthe resulting dialog put in the Windows domain controller“administrator” username and password and CLICK OK.

iv. Your Linux Server is now Joined to the Active DirectoryServer.

v. To Join the User Workstation, Go to the Windows PC, Itis assumed you are not yet joined. On either Windows 7 orWindows 8.1, or Windows 10:

1. Right click the Network Icon in the Windows Tray,select “Open Network and Sharing Center”, select “ChangeAdapter Settings”, Right Click the appropriate Network Card,Highlight “Internet Protocol Version 4 (TCP/IPv4)” andClick Properties.

2. For the “User the following DNS Serveraddresses:”, for the “Preferred DNS server”, type theIP address of your Active Directory Server. Click OK then CLOSE.

3. Now to actually Join to the Active Directory Server, goto :

a. Windows 7 workstation, Click Start, Right Click”Computer”, Properties, Advanced System Settings, ComputerName tab, to Change to a Domain, click the Change button.

b. For the Member Of : Domain , list box , type the fullyqualified hostname of the Active Directory Server (example,bperez11.gwlab.com). Click OK. Supply the appropriateActive Directory credentials, Click OK, then you should successfullyJoin and get a confirmation on this. Click OK. Click OKagain to RESTART your computer as required by Windows. I assumeyou will Click RESTART NOW.

c. When the Workstation reboots, you will come to aWindows Logon dialog, type for the Username:

i. The name of your Windows Domain ServerA.D. UserName,example, in this case is “BPEREZ11aduser1”

ii. Type the password for this Active Directory User andLOGIN

d. To confirm your credentials that the GroupWise SingleSign-On depends on, to go a DOS Window (cmd) and type “whoami”,it should respond with, in this example:


e. Close the DOS Window.

f. Now for the 2nd bullet point listed in the aboveDocumentation URL:

“Makesure the POA object has the DNS fully qualified domain name insteadof the IP address :

Inthe GroupWise Admin Console > Post Office Agents > select thePOA

>Agent Settings > TCP/IP Address Field.” :

Inthis example, the value should already be: “bperez13.bperez11.gwlab.com”. Make this changeas needed NOW if necessary. Remember no I.P. Address, just thehostname.

g. For the 3rd bullet point of the Documentation URL :”Enable LDAP authentication in the GroupWise Admin Console >Post Offices > select the PO > Security tab. Make sureyour A.D. Ldap Server name is selected here. Refer to aboveAssumptions point “e” for details if needed.

h. For the 4th bullet point of the DocumentationURL: “Select Network authentication (eDirectory or ActiveDirectory) in the Admin Console > Post Office Agents > selectthe POA > Client Options > Security tab. Do this changenow. Remember to Click on SAVE.

Nowit”s time to move on in the Documentation to Section 54.2.2,”Linux POA”, there are 7 bullet points :

5. For the 1st of 7 bullet points, “Make sure thatall krb5 rpms are installed on the server”. This meansthat you should check in YAST, Software Management, search, type”krb5″, no quotes and click the SEARCH button.

a. Youshould have “checked” “krb5”, “krb-32bit”,AND “krb5-client”, if you don’t have all of these check offthe missing one and CLICK the ACCEPT button in the lower right of thedialog. Exit YAST.

b. Youcan also check what krb5 libraries you have installed by going to thelinux terminal as “root” and issuing the command:

a. rpm-qa | grep krb5

b. youshould see: krb5-client-<versionNumber>,krb5-<versionNumber>, and krb5-32bit-<versionNumber>

6. 2nd bullet point, “Make sure that the Linux serverpoints to the AD Server as it”s DNS Server” :

Wealready did this. Next step.

7. 3rd bullet point, “Join the Linux POA server tothe Windows Domain by”.” :

Wealready did this. Next step.

8. 4th bullet point, refer to this example file instead tocheck and verify what is configured in the file, modify NOW asappropriate for your environment, note the lines that are offset,they are “tabbed” not spaces, note the case of letters :

vi/etc/krb5.conf :


default_realm= BPEREZ11.GWLAB.COM

clockskew= 300



kdc= bperez11.gwlab.com

default_domain= bperez11.gwlab.com

admin_server= bperez11.gwlab.com



kdc= FILE:/var/log/krb5/krb5kdc.log

admin_server= FILE:/var/log/krb5/kadmind.log



.bperez11.gwlab.com= BPEREZ11.GWLAB.COM

bperez11.gwlab.com= BPEREZ11.GWLAB.COM

9. 5th bullet point, at a terminal on the Linux PostOffice Server, as “root”, issue this command NOW : NOTthe command in the documentation, unless it is the same :

a. net -Uadministrator@<activeDirectoryFullyQualifiedHostName> adskeytab add groupwise

b. Type the password for Active Directory “administrator”user

c. At the terminal on the GroupWise Linux server, cd to/etc, then issue the command “klist -k”, no quotes, youshould see among other content, as in this example, yours will bedifferent : 5 or so lines that show :

i. <a number>groupwise/bperez13.bperez11.gwlab.com@bperez11.gwlab.com

ii. You MUST see this fully qualified domain name, yourswill be different, that is to the left of the “@”character, “bperez13.bperez11.gwlab.com”

10. 6th bullet point, Make sure that the /etc/krb5.keytab file isreadable by the user that is running the GroupWise POA on the server.

Soif you run the GroupWise agents as “root”, or another

user,then that user must have ownership of this file.

Sowhen you go to the /etc/ directory on the Post Office Linux Serverand issue the command, as “root”, “ls -lkrb5.keytab” , no quotes.

Youwill see the owner of the file, root is the owner here :

a. -rw- – – – – – – 1 root root 2027 Jan 2215:16 krb5.keytab

b. And to compare who is running the POA process, issuethe command at the

terminal: “ps -eaf | grep gwpoa”, no quotes, the owner is in thefirst left most column.

Ifit says “root” then there is a match and the ownership ofthis file is good. If there is not a match, then you MUSTchange the ownership of the krb5.keytab file NOW with this command ,to match the user who is running the POA agent, at the /etc/directory :

“chown<userNameWhoRunsPOA>:users ./krb5.keytab”, no quotes.

c. I assume that If this is the “root” user,then “root” is part of the “root” group. Ifthe user is not the “root” user then, let”s say theuser is called “gwuser”, I assume that “gwuser”is part of the Linux group called “users”.

Thenyou must assign the appropriate user and group file permissions. Asappropriate do this NOW : either :

i. cdto the /etc/ directory, and issue the below commands NOW :

ii. chmod ug=rwx ./krb5.keytab

11. ( Optional ) 7th and final bullet point, “Create aGroupWise Name Server in DNS”. If you do not do this,users need to know the IP address and port number to connect to thePOA.

a. It is recommended you follow this technical document toaccomplish this by creating a Microsoft Service Connection Point(SCP), which has similar functionality to ngwnameserver :


12. Note: In this example situation, when you start the GroupWiseWindows Client the first time after enabling Single Sign-On, youshould see the “Micro Focus GroupWise Startup” dialog, andin this dialog you “should” see “Connecting to Post Officeat : bperez13.bperez11.gwlab.com: 1677″. Substitute yourhostname for GroupWise. If you do not see the correct hostnameor you see an ip address, then just click CANCEL and correct the”Address” list box to show your GroupWise hostname, fillout the rest of the information needed in this dialog and CLICK OK. Now when you successfully login, it will remember your credentialsand the next time you attempt to login to GroupWise you should not beprompted for your password.


Ifyou follow this Document and if you have a problem where you arestill prompted for a password when attempting to login to theGroupWise Windows client and if you are on SLES11, it could be thatyou may have an older version of the linux Kerberos “krb5″files, you can review this TID on how to check on and correctthis issue :


Otherthings to check if you still are prompted for a password:

1. Besure to verify that the “root” user owns the “/etc/krb5.keytab”file on the GroupWise Linux Post Office Server and has RWXpermissions, and also the group “root”. One command thatwill set this as described is :

a. Chmodug=rwx ./krb5.keytab

2. Verifyon the Windows Domain Controller server (Windows Sever 2012 R2), inthe application “Active Directory Users and Computers”, under theActive Directory Organization called “Computers” has an objectcalled the name of your GroupWise Linux Post Office Server name. Under this object, go under Properties, Attribute editor tab, youshould have an attribute called “servicePrincipalName”. Ifyou edit this attribute, you should see among other things,“groupwise/bperez13.bperez11.gwlab.com” . No quotes, andsubstitute your GroupWise Post Office Server hostname.

3. Fromthe perspective of the user, in Windows, in the GroupWise Windows14.2.2 client, click on Tools, Options, Security, Password tab, atthe bottom you should have a checkmark in the checkbox “No passwordrequired with eDirectory”. If you do not, Single Sign-On willnot work. If it is not “checked”, just type in yourpassword in the “Old password” listbox, then the checkbox willnot be greyed out, so you can check it. Then click APPLY andOK. Then exit the GroupWise Windows client and re-login.

4. Alsoon the user Windows workstation, go to the Dos Window ( cmd ) , andcd to : c:windowssystem32 , then type the command “klist” noquotes, you should see among other things a reference to theGroupWise Kerberos ticket, for me is shows :

Client: aduser1 @ bperez11.gwlab.com

Server: groupwise/bperez13.bperez11.gwlab.com @ bperez11.gwlab.com

KerbTicketEncryption Type: RSADSI RC4-HMAC(NT)

TicketFlags 0x40a10000 -> forwardable pre_authent name_canonicalize

StartTime: 1/9/2018 8:01:23 (local)

EndTime: 1/9/2018 16:31:30 (local)

RenewTime: 1/16/2018 6:31:30 (local)

SessionKey Type: RSADSI RC4-HMAC(NT)

5. If Single Sign-On is till not working, (you are being prompted for apassword, then do the below, after hours, so not to potentiallyaffect Post Office users, you will be toggling some settings underthe Post Office and POA objects :

a. In the GroupWise Web Admin Console, under the Post Office object,Security tab, it is assumedyou have “LDAP Authentication” turned on and that the “SelectedLDAP Servers” has a list of at least 1 Ldapserver. Do this NOW, highlight the LDAP server that is used withthis Post Office’s Single Sign-On process and CLICK the right arrowto move it to the “Available LDAP Servers” list. CLICK SAVE. Then CLOSE. Now go back to this same setting and put the LDAP serverback in the “Selected LDAP Servers” list and CLICK OK.

b. In this same area CLICK the the “Client Options” button tat thetop, Security tab, and it is assumed you currently have the checkboxchecked “Network authentication (eDirectory or Active Directory). Remove the checkmark on this setting. Click OK. Now go back to thissame setting and CLICK the checkbox “Network authentication(eDirectory or Active Directory)” AND LOCK IT, by clicking on theLOCK to the right. CLICK OK. Click SAVE at the bottom left, thenCLOSE.

c. Restart the affected POA at the GroupWise linux server terminal as“root”, issue : rcgrpwise status, you will see among otherthings : Assume your Post Office is called “provo” and yourdomain is called “utah” :

Checkingstatus [provo.utah] running”

Soissue the command : “rcgrpwise restart provo.utah”, no quotes.

Hopefullynow Single Sign-On is now working at your Windows 7, 8 or 10workstation that is configured as described in this document.


VNX: How To Remove a LUN from a Storage Group (User Correctable)

Please follow the steps below

1- Login to Unisphere and select the array serial number

2- Click on the system Tab

3- Click on the Host Tab

4- click on Storage Group

5- Highlight the desired Storage Group, then click on Properties

6- A new pop up window will appear, choose the LUN Tab

7- At the bottom half you will see the LUNs that are in that Storage Group, click on the LUN you wish to remove to highlight it

8-Click on the “Remove” button to remove it. (you may not receive an alert asking if you are sure)

9- Click Apply, or Okay to confirm

Below is a video demonstration of the same



  • No Related Posts

7022812: Sequencing Reflection Desktop 16 as a Virtual Application with Microsoft Application Virtualization 5.x

Before using the Microsoft Sequencer Package Configuration Wizard to sequence Reflection Desktop 16, document the sequencing requirements and steps by determining which Reflection Desktop 16 components and features are to be installed, the location of installation files, and the location of any configured user data, such as session documents. Some Reflection application components may not be needed and it is recommended to install Reflection on a stand-alone PC to help identify and document the installation steps in advance.

If Reflection has any service packs or updates, ensure that the service pack installer file, *.MSP, is available for installation during the sequencing process. Reflection Desktop Productivity Microsoft Office Tools have not been tested to work with Microsoft Office streamed as a virtual application.

Use the Reflection Installation Customization Tool (ICT) to create Companion install packages and to define permissions files; the basic steps which are listed below. Refer to the Installation and Deployment Guide for Reflection Desktop 16 as a resource, which is available from https://www.attachmate.com/documentation/reflection-desktop-v16-1-sp1/deployment-guide/data/bookinfo.htm

The following steps for using the Installation Customization Tool assume that a Reflection Administrative Installation has been performed per the Installation and Deployment Guide.

If desired, use the Installation Customization Tool to create a Companion.MSI file:

1. Navigate to the Reflection Administrative Installation and run Setup.exe /Admin to launch the Installation Customization Tool.

2. Select “Create a new Companion installer.”

3. Click OK.

4. In the left pane, click “Specify install locations.”

Note: It is important to perform steps a. and b. in order.

a. Under Installation type, select the “Installs to all users of a machine” option.

b. In the Default installation folder drop-down list, type in [CommonDocumentsFolder]Micro FocusReflection.

5. In the left pane, click “Add files to”

6. Select the value of [CommonDocumentsFolder]Micro FocusReflection.

7. Click the “Add button” to add files that need to be included.

These files include pre-configured Reflection session documents (.rd3x, .rd5x, .rdox, .rfw, or .rwsp settings files).

8. Click File / Save As.

Save the Companion.MSI file in the same location as Setup.exe.

If desired, use the Installation Customization Tool to define permissions files:

1. If the Companion file created in the previous section is no longer open, open the Companion.MSI file.

Navigate to the Reflection Administrative Installation and run Setup.exe /Admin.

2. In the left pane, click “Specify install locations”.

Verify that “Installs only for the user who installs it” is selected.

(This option may be dimmed; as long as it is selected, there is no cause for concern)

3. In the left pane, click “Modify user settings” to define *.access permission files.

For example to define an .rd3x.access file to restrict TN3270Basic or TN3270Advanced settings.

a. Select the Application – Settings to modify and click the Define button.

b. Select the Group from the Groups drop-down list.

This allows or restricts accessibility for each item listed.

c. Repeat steps a. and b. until the permissions have been configured appropriately.

d. Click Next.

e. Optional: Select Additional security options for Session file encryption.

f. Click Finish.

4. Click File / Save

Save the Companion.MSI in the same location as Setup.exe.

Use the Application Virtualization Sequencer Wizard to start the sequencing process with Reflection Desktop 16:

1. Launch the Microsoft Application Virtualization Sequencer

2. Select “Create a New Virtual Application Package”

3. For the Packaging Method select “Create Package (default)”

4. Press Next

5. Resolve any issues shown on the Prepare Computer list

6. Press Next

7. For the Type of Application choose “Standard Application (default)”

8. Press Next

9. On the Select Installer dialog choose “Select the installer for the application”

Use the Browse button to find the Reflection Desktop SETUP.EXE program in the Reflection Administrative Installation location

10. Press Next

11. On the Package Name screen enter the Virtual Application Package Name of your choice, like “Reflection Desktop 16”

Enter the Primary Virtual Application Directory (required) name:

For example: C:Program Files (x86)Micro FocusReflection

12. Press Next

13. Wait for the Virtual Environment to load.

14. On the Install Micro Focus Reflection Desktop 16 screen, click Continue.

15. Read and accept the License Agreement; then click Continue.

16. Personalize the installation by completing the Full name, Organization, and VPA number fields on the User Information tab.

17. On the File Location tab, verify the File Location by clicking the Browse button.

Following the example in this article:

File Location is specified as C:Program Files (x86)Micro FocusReflection

Default user data directory should be set to C:UsersPublicDocumentsMicro FocusReflection

18. On the Feature Selection tab, de-select any features not needed so that they will not install.

For example, de-select the following:

UtilitiesKerberos Manager

UtilitiesKey Agent

CompatibilityIBM Personal Communications


Application Programmer Interface

19. On the Advanced tab verify that “Install to this PC” is enabled.

20. Click the “Install Now” button.

21. When the Installation has completed successfully, click the Close button.

22. If service packs or updates are to be installed to Reflection Desktop:

a. On the Installation dialog of the App-V sequencer, press the “Run” button

b. Select the appropriate *.MSP file(s) to install a service pack, update or patch.

23. When the update or patch is installed or if there is no further .MSP updates to install continue on

24. If a Companion install file is to be installed to Reflection Desktop:

a. On the Installation dialog of the App-V sequencer, press the “Run” button

b. Select the appropriate *.MSI file to install the Companion install file.

25. When the install is complete, check the box that says “I am finished installing”

26. Press Next

27. Wait while App-V collects the system changes and the Configure Software screen displays.

28. From the Configure Software screen, highlight the Reflection Workspace choice and click on “Run Selected” to launch the application.

(Do NOT click Run All.)

29. Verify that the Reflection session documents added by the Companion.MSI file created earlier are available.

To create any additional session documents, use the Create New Document wizard.

Save the session file in the C:UsersPublicDocumentsMicro FocusReflection folder to be available for all end-users.

30. Launch and then close each session document to create the App-V files that will be used for streaming.

If you launch the Reflection Workspace, Reflection FTP client, or any session document, and a Sequencer error displays:

“The Sequencer could not stop the MSIServer service,” click OK and try again.

31. After all the applications and Reflection Workspace have been run and closed, press Next.

32. Verify the data on the Installation Report screen and resolve any issues

33. Press Next.

34. On the Customize screen decide if further customization is needed.

For example: if restrictions are required concerning different operating systems this is the time to do it.

35. If no further customization is needed select “Stop now. Create a basic virtualization package (default).”

36. Press Next.

37. Select “Save the package now” and enter the Save Location for the package contents

38. Press Create.

By default the App-V package will be located on the desktop of App-V Sequencing PC.

39. After the package is created press Close to finish and exit the Application Virtualization Sequencer program.

40. Copy the completed sequenced App-V package files to the Distribution Point or Virtual Application Server.


7021617: Enabling the Script Menu in Reflection

Enabling the Script Menu in Reflection for HP, UNIX and OpenVMS, and ReGIS Graphics

To enable the Script menu in Reflection for HP, UNIX and OpenVMS, and ReGIS Graphics, follow these steps:

  1. Start Reflection.
  2. On the Setup menu, click Menu to open the Menu Setup dialog box.
  3. In the Defined Menu box, click Macro.

Note: The Macro menu will only appear in the Defined Menu box if Visual Basic for Applications is installed as a component of Reflection.

  1. In the Available Options box, double-click Additional Items.
  2. Double-click Items from Version 6.x, and then click Script.
  3. Click the Add After button to add the Script menu to the Defined Menu list.

Note: You can choose to add the Script menu before or after any existing menu.

  1. Click OK. The Script menu should now appear on Reflection’s main menu.
  2. Click Save on the File menu to save the changes to your settings file. If necessary, create a new settings file.

Enabling the Script Menu in Reflection for IBM

To enable the Script Menu in Reflection for, follow these steps:

  1. Start Reflection.
  2. On the Setup menu, click Menu to open the Menu Setup dialog box.
  3. In the Defined Menu box, click Macro.

Note: The Macro menu will only appear in the Defined Menu box if Visual Basic for Applications is installed as a component of Reflection.

  1. In the Available Options box, double-click Additional Items.
  2. Click Script.
  3. Click the Add After button to add the Script menu to the Defined Menu list.

Note: You can choose to add the Script menu before or after any existing menu.

  1. Click OK. The Script menu should now appear after the Macro menu on Reflection’s main menu.
  2. Click Save on the File menu to save the changes to your settings file. If necessary, create a new settings file.


NetScaler Native One Time Password Configuration

Configuration using the GUI

LDAP Policies and Actions Configuration

1. Browse to Security >> AAA – Application Traffic >> Polices >> Authentication >> Advanced Policies >> Actions >> LDAP. Click Add.

User-added image

2. Configure your LDAP server. This server/policy will be used for single factor authentication to the /manageotp website for users to add/manage their devices. It will also be used for two factor authentication to the NetScaler Gateway, along with the OTP passcode. This server needs to have authentication enabled.

User-added image

3. Create a second LDAP Action. This server/policy will be used for OTP management. Make sure that you uncheck the Authentication checkbox. Ensure that the Administrator Bind DN that you use has permissions to modify the OTP Secret AD attribute for all applicable users.

User-added image

4. Configure the Server Logon Name Attribute the same as how you configured it for the normal authentication LDAP server in step 3.

User-added image

5. In the OTPSecret field, enter the name of the AD attribute that the NetScaler will use to store the OTP secret. You can use userParameters, as long as that attribute is not already being used for something else. After entering the OTP secret, click Create.

User-added image

6. Create a third LDAP Action. This server/policy will be used for OTP verification (second factor in two factor authentication) when a user authenticates to the NetScaler Gateway using a registered device. This server is to be configured exactly the same as the server in steps 4-6, with the addition of an LDAP Search Filter. In the Search Filter field, enter userParameters>=#@. This will make sure that only users with registered authenticators are allowed to login. Click Create.

User-added image

7. Browse to Security >> AAA – Application Traffic >> Policies >> Authentication >> Advanced Policies >> Policy. Click Add.

User-added image

8. Name your policy, set Action Type to LDAP, in the Action dropdown, select the server that was created in steps 1-2, and enter true as the expression. Click Create.

User-added image

9. Create a second policy. This will be for OTP management (when a user browses to the /manageotp website to enroll/manage their authentication device). Set Action Type to LDAP, in the Action dropdown, and select the LDAP server that you created in steps 3-5. This is the server with Authentication disabled, and the OTP Secret configured. Enter HTTP.REQ.COOKIE.VALUE(“NSC_TASS”).EQ(“manageotp”) in the Expression field, then click Create.

User-added image
10. Create a third LDAP policy. This will be for OTP verification when the user authenticates to the NetScaler Gateway. Set the Action Type to LDAP, and in the Action dropdown, select the LDAP server that you created is step 6. This is the server that we disabled Authentication, and configured the OTP Secret, as well as the SearchFilter. Type true into the Expression field, and click Create.

User-added image

Back to top

Login Schema Configuration

1. Browse to Security >> AAA – Application Traffic >> Login Schema. Click on the Profiles tab, then click Add.

User-added image

2. This is the login schema that will be used when users browse to the /manageotp website. Enter a name, and then click the pencil (Edit) icon in the Authentication Schema field.

User-added image

3. Click LoginSchema to open the folder.

User-added image

4. Scroll down, find SingleAuthManageOTP.xml, and click it to highlight it, then click the Select button, then click Create.

User-added image

5. Click Add to create another Login Schema profile. This login schema will be used for two factor authentication to the NetScaler Gateway. Follow the same steps from step 4, except select the DualAuth.xml file from the Login Schema Files.

User-added image

6. Click More, scroll down, and enter 1 in the Password Credential Index field. This will allow the user’s password to be saved into Attribute#1, which will be used later in a traffic policy to allow single sign-on to StoreFront. Check the checkbox next to Enable Single Sign On Credentials Click Create.

User-added image

7. Switch to the Policies tab. Click Add.

User-added image

8. Enter an appropriate name in the Name field. In the Profile dropdown, select the profile that you created in steps 1-4 above. In the Rule field, enter HTTP.REQ.COOKIE.VALUE(“NSC_TASS”).EQ(“manageotp”), then click Create.

User-added image

9. Add a second login schema policy. Enter an appropriate name into the Name field, and select the profile that you created in steps 5-6 above. In the Rule field, type true, then click Create.

User-added image

Back to top

Configuring Authentication Policy Label

1. Browse to Security >> AAA – Application Traffic >> Policies >> Authentication >> Advanced Policies >> PolicyLabel. Click Add.

User-added image

2. In the Login Schema field, select LSCHEMA_INT. Click Continue. In the Policy Binding section, click the Click to select dropdown box under Select Policy, and then click the radio button next to the LDAP_manage_OTP_pol policy (created in step 9 of the LDAP configuration section of this document), then click Select. Click Bind.

3. Click Add Binding to add another policy. In the Policy Binding section, click the Click to select dropdown box under Select Policy, and then click the radio button next to the LDAP_confirm_OTP_pol that was created in step 10 on the LDAP configuration section of this document. Click Select, then click Bind.

4. Ensure that the LDAP_manage_OTP_pol policy has a higher priority (smaller number), then click Done.

User-added image

Back to top

Configuring AAA vServer

1. Browse to Security >> AAA – Application Traffic >> Virtual Servers. Click Add.

2. Name your vServer, select Non Addressable in the IP Address Type dropdown, click OK.

3. Click No Server Certificate, select an appropriate certificate, then click Bind. Click Continue.

4. Click No Authentication Policy. Select the LDAP policy that you created in steps 7-8 on the LDAP configuration section above, click Select.

5. Click Click to Select in the Select Next Factor dropdown, and select the OTP policy label you previously created, then click Select, and then click Bind. Click Continue.

6. In the right hand portion of the page, under Advanced Settings, click Login Schemas.

7. Scroll down and click No Login Schema in the Login Schema section.

8. Click Click to Select dropdown under Select Policy. Select the Single_manage_OTP_lschema_pol that you created in steps 7-8 in the login schema configuration above. Click Select, then click Bind.

9. Click 1 Login Schema. Click Add Binding, Click to Select, and select the dual factor login schema, click Select, click Bind, then click Close.

10. Verify that the single factor policy has a higher priority (smaller number) than the dual factor policy. Click Close.

User-added image

11. Set the portal theme to RfWebUI. This is the only type of portal theme that is supported with native OTP.

Back to top

Traffic Policy for Single Sign-on Configuration

1. Browse to NetScaler Gateway >> Policies >> Traffic. Click the Traffic Profiles tab, then click Add.

2. Name the profile appropriately, and in the SSO Password Expression field, enter: HTTP.REQ.USER.ATTRIBUTE(1). Click Create.

3. Click the Traffic Policies tab, then click Add.

4. Name the policy appropriately, in the Request Profile dropdown, select the traffic profile you just created, and then click the Switch to Default Syntax link, and create an appropriate expression for the type of traffic to which this policy will be bound in the Expression field. Click Create.

[NOTE: If the expression is configured as ‘true’ or ‘ns_true’, this policy will apply to all traffic and non-http traffic will also be impacted. The ‘true’ expression is for HTTP qualifier; for non http traffic this policy expression would fail, as explained in https://support.citrix.com/article/CTX233260. This behavior is observed in version 12.0 build 57.19]

Back to top

NetScaler Gateway Configuration

1. Browse to NetScaler Gateway >> Virtual Servers. Edit the existing NetScaler Gateway virtual server that you wish to implement OTP on.

2. Scroll down until you see the Policies section, and click the + icon.

User-added image

3. Select Traffic in the Choose Policy dropdown, and then click Continue.

4. In the Select Policy dropdown, click where it says Click to select, and then select the traffic policy that you created in the section above, then click Select, then click Bind.

5. Under Advanced Settings on the right hand side of the page, click Authentication Profile.

6. Scroll down until you see the Authentication Profile section, and then click the + icon to create a new authentication profile.

User-added image

7. In the Name field, enter an appropriate name. In the Authentication Virtual Server dropdown, Click to select. Select the OTP AAA vServer that we created earlier, and then click Select. Click Create.

User-added image

8. Click OK.

User-added image

9. Bind the RfWebUI portal theme to the NetScaler Gateway vServer. This is the only type of portal theme that is supported with native OTP.

10. If your NetScaler Gateway vServer is configured behind a Unified Gateway, you will need to modify the content switching expression. Browse to Configuration >> Traffic Management >> Content Switching >> Policies.

11. Edit the Unified Gateway policy, and add the following to the end of the Expression: || HTTP.REQ.URL.CONTAINS(“/manageotp”). Click OK.

Back to top

Enroll/Manage Mobile Authenticator

1. In your web browser, browse to your NetScaler Gateway FQDN, and add /manageotp to the end. Example: https://gateway.company.com/manageotp

2. This should load the authentication page, and it should be single factor. Login using your LDAP credentials.

User-added image

3. Click Add Device.

User-added image

4. Enter a name for your device, then click Go.

5. Open the Google Authenticator app (you can download this from the Play/App store for free). Scan the barcode that is displayed on your NetScaler Gateway browser page, then click Done. Note that you can also manually enter the string of characters.

User-added image

6. Test by clicking Test, then entering the code that is displayed on your authenticator, and click Go.

User-added image

7. If there are no additional devices to add/manage, you may logoff.

User-added image

Back to top

NetScaler Gateway Login

1. Browse to your NetScaler Gateway authentication page as you normally would, example: https://gateway.company.com

2. You should be prompted for two factor authentication. Enter your LDAP username and password, then enter the passcode from your authenticator.

User-added image

3. You should be successfully authenticated, and SSO to StoreFront should occur.

User-added image

Back to top


7021516: Keyboard Mapping in Reflection Desktop, Reflection 2014, and Reflection 2011

  1. Connect to your host.
  2. Click the Tools tab. In the Input group, click Keyboard Mapper.
  3. You can select the key to map one of two ways:
    • In the Map Keys section, place your cursor in the field and press the key or key combination that you want to map, and then click the Select Action button. Or,
    • In the Keyboard Mapper section, scroll to and select the Key Combination, and then click Modify.

Figure 1: Select the key to map under Map Keys or Keyboard Mapper.

  1. In the Select Action dialog box, there are several Map To options to choose from in the left pane:
Send Key

Sent Text

Launch Application

Open URL

Run Reflection Workspace Macro

Other Action

Action Sequence

Select an action, such as Open URL, in the left pane and make the selections or provide the information required in the right pane.

View Full Size


Figure 2: Select the action and configure it. In this example, the F5 key is being mapped to open a URL.

Mapping Control Characters in Reflection

To map a control character, select Send Text in the Select Action dialog box. Then use one of the following methods to enter the symbolic text for the control character in the “Text to send to host” text box:

  • ALT+nnn — Generate a control character by holding down the ALT key and pressing the three digit ASCII number using the numeric keypad. The symbolic text for the control character is placed into text box (<ESC> for ALT+027, for example). Using this method, Reflection 2011 can generate control characters for ASCII 1 (Start of Header) through ASCII 31 (Unit Separator).
  • CTRL+x — Generate a control character by holding down the CTRL key and pressing the letter corresponding to the control character. The symbolic text for the control character is placed into text box (<ESC> for CTRL+{, for example). Using this method, Reflection can generate control characters for ASCII 1 (Start of Header) through ASCII 29 (Group Separator).
  • Symbolic Text — Directly enter the symbolic text of the control character. All control characters from ASCII 0 (Null) through ASCII 31 (Unit Separator) can be entered using this method.

Note: If you are using Reflection 2014 ot later, you can use the “Select a special character“ list to map commonly used special characters, as shown in Figure 4.

Use the following table to identify the value for each control character for each entry method.

Control Character
Symbolic Text

Start Of Header
Start Of Text
End Of Text
End Of Transmission
Horizontal Tab
Line Feed
Vertical Tab
Form Feed
Carriage Return
Shift Out
Shift In
Data Link Escape
Device Control 1
Device Control 2
Device Control 3
Device Control 4
Negative Acknowledgement
Synchronous Idle
End of Transmission Block
End of Medium
File Separator
Group Separator
Record Separator

Unit Separator


The following example shows how to map an escape sequence.

Figure 3: Map keystroke F4 to send the text Escape 4 in Reflection 2011.

This example shows how to map to the Backspace, using the “Select a special character” list that is available in Reflection 2014 and later.

Figure 4: Map keystroke F4 to send Backspace in Reflection 2014.

Creating an Action Sequence

Follow these steps to map a series of actions to a keystroke.

  1. In the Select Action dialog box, select Action Sequence in the left pane.
  1. In the right pane, click the Add button.
  1. In the right pane, under Action category, select an action, such as Send Key, from the list.
  1. Action parameters vary depending on the action selected. If required, you will be prompted for the needed information for each parameter to the right of the Action. Select or provide the Action parameter.

For example, the Send Key action requires the parameter “Key” to be identified.

  1. Repeat steps 3 and 4 for each action in the sequence until the sequence is complete.
  2. Click OK.


If you are using non-VT terminal types such as Linux Console, Wyse, SCO ANSI or BBS-ANSI, and have trouble mapping a key, contact Customer Support (https://support.microfocus.com/contact/attachmate.html) for the latest update,.