Terminal Server resources are consumed by multiple instances of Symantec Endpoint Protection processes

Article ID: 151544


Products

Endpoint Protection

Issue/Introduction

When SEP (Symantec Endpoint Protection) is installed, Citrix and other Terminal Servers slow down or become unresponsive. There may be multiple SEP system tray icons and/or the Task Manager Process List indicates multiple instances of SEP processes.

Symptoms
Symptoms include one or more of the following, usually increasing as additional clients log on to a Terminal Server:

  • High CPU utilization
  • Multiple instances of the following processes: SmcGui.exe, ccApp.exe, ProtectionUtilSurrogate.exe (64 bit only)
  • Duplicate SEP system tray icons (on the server; see Note in Solution below for duplicate icons on a Terminal Server client)
  • Hourglass that won't go away on logged-in clients (this was specifically because their policies do not show the icon)

 

Resolution

To avoid multiple instances of the SmcGui process and of the SEP tray icon, disable SmcGui by adding the following DWORD registry value on the Terminal Server:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\LaunchSmcGui = 0
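
The following PowerShell script is an added example, not part of the original article and not vendor code. It counts the processes named under Symptoms per logon session, reports the current LaunchSmcGui value, and writes the value only when run with the hypothetical `-Apply` switch. It assumes an elevated session on the Terminal Server.

```powershell
# Added example (not vendor code). Assumes an elevated PowerShell session.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$procNames = 'SmcGui', 'ccApp', 'ProtectionUtilSurrogate'   # from the Symptoms list
$keyPath   = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
$valueName = 'LaunchSmcGui'

# 1. Count instances of each process and list the sessions they run in.
$procs = @(Get-Process -Name $procNames -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Output 'None of the listed SEP processes are running.'
} else {
    $procs | Group-Object -Property ProcessName | ForEach-Object {
        [pscustomobject]@{
            Process   = $_.Name
            Instances = $_.Count
            Sessions  = ($_.Group.SessionId | Sort-Object -Unique) -join ','
        }
    }
}

# 2. Report the current registry value ($null means the value does not exist).
$current = (Get-ItemProperty -Path $keyPath -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Output "$valueName is not set."
} else {
    Write-Output "$valueName = $current"
}

# 3. Create or overwrite the DWORD with 0 only when explicitly requested.
if ($Apply -and $current -ne 0) {
    if (-not (Test-Path -Path $keyPath)) {
        throw "Registry key not found: $keyPath"
    }
    New-ItemProperty -Path $keyPath -Name $valueName `
        -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Output "$valueName set to 0."
}
```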

When disabling SmcGui, the following functionality is also disabled:

  • No SEP icon on the system tray
  • No ability to open the system logs from the client GUI
  • No ability to see the firewall or SNAC status from the GUI (most customers will not install a firewall on their Terminal Server)
  • No startup scans
  • No delayed threat detection notifications
  • No missing or out of date definition notifications
  • Clients do not display all information in the Help & Support > Troubleshooting > General Information view (Server, Group, Location, Policy serial number, etc.)
  • Clients in a Hybrid Management scenario show "Waiting for data" under Help > Troubleshooting > Hybrid Management; however, these clients are in sync with policies in the cloud.
  • Clients locally show as Offline on the Help & Support > Troubleshooting > General Information view. In reality the client is still forwarding stateful information and log data to the Symantec Endpoint Protection Manager (SEPM).
  • Clients do not show the Logon Client status on the SEPM client status view.

Note: Duplicate SEP system tray icons in the local system tray of a Terminal Server client may be the result of a Citrix feature called Seamless Desktop Integration, where server resources are made to appear as if they are running on the client. See Symantec Endpoint Protection: Duplicate system tray icons appear on Terminal Server Client for each connection to a Citrix Server

Reference:  Citrix and terminal server best practices for Endpoint Protection