Archive
Configuring Email-Based Account Discovery for #Citrix #Receiver
Check out this great blog post from Avinash Golusula:
Configuring Email-Based Account Discovery
1 Add DNS Service Location (SRV) record to enable email based discovery
During initial configuration, Citrix Receiver can contact Active Directory Domain Name System (DNS) servers to obtain details of the stores available for users. This means that users do not need to know the access details for their stores when they install and configure Citrix Receiver. Instead, users enter their email addresses and Citrix Receiver contacts the DNS server for the domain specified in the email address to obtain the required information.
To enable Citrix Receiver to locate available stores on the basis of users’ email addresses, configure Service Location (SRV) locator resource records for Access Gateway or StoreFront/AppController connections on your DNS server. If no SRV record is found, Citrix Receiver searches the specified domain for a machine named “discoverReceiver” to identify a StoreFront/AppController server.
You must install a valid server certificate on the Access Gateway appliance and StoreFront/AppController server to enable email-based account discovery. The full chain to the root certificate must also be valid. For the best user experience, install either a certificate with a Subject or Subject Alternative Name entry of discoverReceiver.domain, or a wildcard certificate for the domain containing your users’ email accounts.
To allow users to configure Citrix Receiver by using an email address, you need to add an SRV record to your DNS zone.
- Log in to your DNS server
- In DNS > Right-click your Forward Lookup Zone
- Click on Other New Records
- Scroll down to Service Location (SRV)
- Choose Create Record
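The lookup order described above (SRV record first, then the "discoverReceiver" host) and the certificate naming requirement can be checked together before rollout. The following is an added example, not code from the original post or from Citrix; the `_citrixreceiver._tcp` service name is taken from Citrix documentation rather than this page, port 443 for the fallback host is an assumption, and all zone data is constructed.

```python
"""Added example: models the discovery order described above on constructed data."""

SRV_LABEL = "_citrixreceiver._tcp"  # per Citrix documentation; not stated on this page
FALLBACK_HOST = "discoverReceiver"  # fallback machine name given on the page
FALLBACK_PORT = 443                 # assumption: HTTPS, since a server certificate is required


def email_domain(email):
    """Return the DNS domain part of an email address, normalised to lower case."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError(f"not a usable email address: {email!r}")
    return domain.lower().rstrip(".")


def discovery_target(email, srv_records, hosts):
    """Return (host, port, source) that discovery would contact, or None.

    srv_records: {owner name: [(priority, weight, port, target), ...]}
    hosts: set of lower-case host names that resolve in the zone
    """
    domain = email_domain(email)
    records = srv_records.get(f"{SRV_LABEL}.{domain}")
    if records:
        # Lowest priority value is preferred; weight-based selection is ignored here.
        _, _, port, target = min(records, key=lambda r: r[0])
        return target.rstrip(".").lower(), port, "srv"
    fallback = f"{FALLBACK_HOST}.{domain}".lower()
    if fallback in hosts:
        return fallback, FALLBACK_PORT, "fallback"
    return None


def name_matches(pattern, host):
    """Exact match, or a wildcard that stands for exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host


def cert_covers_discovery(san_names, email):
    """True if the certificate names cover discoverReceiver.<email domain>."""
    wanted = f"{FALLBACK_HOST}.{email_domain(email)}"
    return any(name_matches(name, wanted) for name in san_names)


if __name__ == "__main__":
    # Constructed zone data for illustration only.
    srv = {"_citrixreceiver._tcp.example.com": [(10, 0, 443, "gateway.example.com.")]}
    hosts = {"discoverreceiver.branch.example.com"}
    for addr in ("alice@example.com", "bob@branch.example.com", "eve@other.example"):
        print(addr, discovery_target(addr, srv, hosts),
              cert_covers_discovery(["*.example.com"], addr))
```

Note that a wildcard certificate for the parent domain does not cover users whose email addresses sit in a subdomain, which is the case the second sample address exercises.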
Explaining #Citrix Pass-through Authentication
Check out this great blog post from Joel Bejar:
Introduction
Pass-through authentication is a simple concept. User credentials are passed to a Web Interface site and then to the XenApp/XenDesktop servers, preventing users from having to explicitly authenticate at any point during the Citrix application launch process. While this authentication method seems straightforward, there are some moving pieces, and this article aims to break these down to provide a more detailed understanding of how this process truly works within Citrix.
Pass-Through Authentication – Web Interface Site
The first step to the pass-through process occurs at the Web Interface site. Users are able to navigate to the web interface site, and their credentials are passed through and they are presented with their Citrix delivered resources. Web Interface is built on Internet Information Services (IIS). For pass-through authentication to work, IIS Integrated Windows Authentication must be leveraged. Formerly called NTLM, this authentication method hashes the user credentials before they are sent over the network. When this type of authentication is enabled, the client browser proves it is authenticated through a cryptographic exchange with the Web Interface server, involving hashing. Because of this, the web browser is responsible for authenticating with the Web Interface Server (IIS). It is important to note, though, that credentials are actually never exchanged. Instead, the signed hash is provided to IIS, proving that said user had already been authenticated at the Windows desktop. The web interface user uses the user’s AD context (sometimes referred to as a token) to retrieve the user’s AD group membership and pass this list of groups directly to the XML service for authentication. At this point, the user has successfully passed through to the Web Interface site, and can now view his/her Citrix resources.
- The WI server must be in the same domain as the user, or in a domain that has a trust relationship with domain of the user.
- If the WI server and user are in different domains, and resources are published using Domain Local AD groups in the user domain, then the WI will not be able to enumerate these, even with a proper AD trust relationship (due to the very nature of Domain Local groups).
- The WI site should be added as a Trusted Site or Intranet Zone site in Internet Explorer. In addition, the security settings should be modified so that User Authentication\Logon is set to ‘Automatic Logon with Username and Password’.
- Pass-through authentication is not supported on Web Interface for NetScaler.
Please Note: Pass-through authentication and Kerberos authentication are not interchangeable and they have different requirements.
Pass-Through Authentication – XenApp/XenDesktop Session
One of the biggest misconceptions with Pass-Through authentication in Citrix is that it only occurs when a user navigates to the Web Interface site and he/she is automatically passed through. As mentioned above, this IIS authentication method that is being used does not actually exchange the user password. In other words, Web Interface is never in control of the user credentials. This brings up the question: How are users passed through to the actual XenApp/XenDesktop ICA session?
While the web browser has a role in authenticating the user to the web site, the Citrix client (Citrix Receiver) plays an integral role in making sure the user is fully passed through to the application or desktop. Citrix Receiver installs a process called SSONSVR.exe, which is the single sign-on component of the client (no, not password manager SSO, but rather desktop credential pass-through authentication SSO). This process is fully responsible for passing the user credentials to XenApp or XenDesktop. Without this piece, pass-through authentication will not function.
Continue reading here!
//Richard
Delivering #Citrix #XenApp on #Hyper-V with PVS and #McAfee – via @TonySanchez_CTX
Good Citrix blog post from Tony Sanchez!
Architectures—whether physical or virtual—should be flexible enough to adapt to different workloads, allowing them to support changing business needs. Although implementing a new IT architecture takes time and careful planning, the process to test and validate an architecture should be easy. In the case of a virtual desktop architecture, test engineers should be able to follow a repeatable pattern, step by step, simply changing out the workload to validate the architecture under different anticipated user densities, application workloads, and configuration assumptions. The procedure should be as easy as learning a new series of dance steps (think PSY’s Gangnam Style, the most watched dance video on YouTube). The point causes me as a test engineer to ask the question: in the case of VDI, why can’t a hypervisor simply learn a new workload just like I might learn a new sequence of dance steps?
Luckily for test engineers, Citrix FlexCast® provides the ability to learn and deliver any workload type by leveraging the power of the Citrix Provisioning Services® (PVS). Recently I worked with engineers from Citrix and Dell, collaborating to build a FlexCast reference architecture for deploying XenApp® and XenDesktop® on Hyper-V on a Dell infrastructure. Testing of this reference architecture looked at how XenApp and XenDesktop performed under various workloads, altering hypervisor configuration settings and examining the overall user experience and user densities. At the drop of a dime, FlexCast and PVS enabled a simple switch of the architecture to a new workload.
Based on that reference architecture effort, we recently began a Single Server Scalability (SSS) test using the latest hardware and software releases available. This blog focuses on that effort — what I call the “XenApp dance step for FlexCast style” and how XenApp workloads perform on Hyper-V. (A follow-on blog article will focus on an alternate “dance” sequence for XenDesktop.) The focus of this blog is how the configuration of the McAfee virus scanning software can impact performance and scaling.
In previous blogs, I describe the testing process and methodology that leverages the Login VSI test harness, along with key tips for success. Since those same methods and recommendations apply here, let’s review the configurations we used for this scalability testing as well as the workloads and actual test results.
For background reading, I highly recommend that you review Frank Anderson’s post on XenApp physical versus virtual testing results with Hyper-V. Frank is my colleague and a great resource for insights about testing, including implementation tips and general best practices. In addition, the related Dell and Citrix white paper describing the FlexCast reference architecture for deploying XenApp and XenDesktop on Hyper-V is available here.
Continue reading here!
//Richard
Enterprise Mobility Report – Lessons from the Mobile Cloud – #Citrix, #BYOD
Here is a good report done by Citrix, not that much that I didn’t expect but great to get some input!
We just released our quarterly enterprise mobility cloud report. Every quarter, we look out across our enterprise mobility customers deployed in the cloud and try to understand common practices by reviewing aggregate data on deployed apps, app blacklisting and whitelisting practices, policy deployments, and OS deployments by region and vertical industry. So here’s a small taste of what we saw in Q412.
Things we expected:
- iOS led in the enterprise. Definitely something we already knew.
- Industries like retail and restaurants, whose use cases involve direct one-on-one customer engagement, were iOS- (and iPad-) heavy. Makes sense.
- Industries with mobile field service organizations went for Android. Given the platform’s lower replacement cost, control-ability, and ubiquity, that makes sense.
- Facebook and Dropbox made the blacklist. Productivity and data security are major concerns, especially for corporate-issued devices.
Things we didn’t expect:
- Android gained in EMEA. Android gained eleven percentage points in Europe, the Middle East, and Africa in a quarter. Anecdotally, we know several organizations there that deployed big Android-based mobile line-of-business initiatives last quarter, but is there a bigger trend? Tell us what you think!
- Healthcare went for Android. 85% of deployed devices in our cloud in healthcare were Android. But healthcare organizations we talk to are standardizing on iOS, so it doesn’t add up! But remember: this is the cloud report. Most of our large healthcare customers have deployed our solution on-premise and those seem to be mostly iOS today. The cloud healthcare companies are really mobile themselves – usually home healthcare organizations like traveling nurses and therapists and hospice care workers who deliver end of life care to patients in their homes. It makes sense that these organizations would be big users of the cloud given the highly distributed nature of the business and the fact that there are some common HIPAA-compliant mobile apps that have been developed for the Android platform.
- Dropbox was on the blacklist, but was also one of the most heavily-recommended apps from enterprise IT (in the enterprise app catalog). This juxtaposition speaks to Dropbox’s simultaneous usefulness and risk! Organizations can’t decide! Many of our customers talk to us about the “Dropbox dilemma” and most agree that if they could provide data sharing in a secure, enterprise-grade way, users would go for it.
Download the complete report here!
//Richard
#Citrix Virtual Desktop Handbook 5.x – #XenDesktop, #XenApp
Ok, this is a pretty good handbook I must admit. Have a look at it here!
And if you need help then of course you can always contact EnvokeIT! 😉
And here is a good blog post about this as well by Thomas Berger:
One of the foundational project management principles is that project success occurs when it is delivered on time, within budget and with a level of quality that is satisfactory to the client. Of course these three dimensions are valid for any desktop virtualization project as well.
While a lot of information about budget planning and TCO/ROI for virtual desktop / application delivery projects can be found on the internet (e.g. http://flexcast.citrix.com/analyzeandcompare.html), the amount of information about time planning and success criteria is very low.
Since this lack of publicly available information causes every customer to “reinvent the wheel” and therefore add some delays to their projects, we thought it’s time to provide some guidance around these topics.
The result of our efforts has become part of the newly released Citrix Virtual Desktop Handbook (http://support.citrix.com/article/CTX136546). Version 1 of this white paper focuses on the Assess phase that identifies the information required prior to starting the design phase and outlines the project management tasks I mentioned earlier.
But instead of just discussing the topics from a theoretical point of view, we provide detailed guidance and tools which can be used for your projects right away. For example you will get a sample project plan (Microsoft Project), which outlines and provides duration estimates for every step of a desktop virtualization project (sample below).
Furthermore, the white paper discusses a general project methodology, describes how business priorities can be identified and provides detailed information about the roles required during an enterprise-grade project (sample below).
This and even more can be found within the new Citrix Virtual Desktop Handbook.
//Richard
#Citrix Introducing #CloudBridge 2000 and 3000
Ok, this is interesting!
Citrix is pleased to announce the new WAN-optimization appliances: CloudBridge 2000 and CloudBridge 3000. These appliances come loaded with our WAN-optimization and XenDesktop acceleration technologies including rich protocol optimization, advanced TCP flow-control, adaptive compression and smart acceleration.
This blog highlights some of the key features of these appliances.
Un-matched Scalability: A pay-grow offering that is unique in the WAN-optimization industry
Using the pay-grow offering, CloudBridge 2000 can be scaled from a throughput of 10 Mbps to 20 Mbps and further to 50 Mbps with just a license upgrade. Similarly CloudBridge 3000 can be scaled from 50 Mbps to 100 Mbps and further to 155 Mbps. This avoids the cost, time and logistics overhead associated with a forklift replacement. So if you have a small office and expect to grow in the future, then these appliances are ideal for you.
* Session count is limited by link bandwidth, no session count is enforced. Published numbers are for guidance only.
Built-in reliability
CB 2000 and CB 3000 models come prepackaged with Network bypass cards for the traffic interfaces. This ensures that the traffic to your network is never interrupted, even in case of power failure to the appliance.
Also, these models do not contain any rotating disks. Instead they use SSDs as storage resulting in enhanced disk-access speed and…
Continue reading here on the blog post and also look at this Service Delivery Network video where you can look at Citrix’s story on how enterprise and cloud networks are unified into a service delivery fabric that optimizes and secures applications and data.
//Richard
User-centric application delivery with Microsoft System Center and the #XenApp Connector for Configuration Manager
Another good blog post from Citrix:
This week we are happy to announce the release of the XenApp Connector for System Center 2012 Configuration Manager (a.k.a. Project Thor), marking the culmination of several months of collaboration between Citrix and Microsoft.
System Center 2012 Configuration Manager helps IT empower people to use the devices and applications they need to be productive, while maintaining corporate compliance and control. It provides a unified infrastructure for mobile, physical, and virtual environments that allows IT to deliver applications and manage user experiences based on identity, connectivity, and device.
More so than any previous release of Configuration Manager, the 2012 release supports the model of user-centric IT management. The new focus of Configuration Manager is one of empowering users by putting them at the center of the IT universe; one that supports user self-service, bring-your-own-device initiatives, workforce mobility, and the overall IT consumerization trend. We are very excited about the power this user-centric model provides and how that model is realized via integration of Configuration Manager and XenApp.
So what does the XenApp Connector do? Put simply, it extends the reach of admins using Configuration Manager to a much broader range of devices and user locations. Historically, Configuration Manager has been used for management of Windows OS & applications deployed to Windows PCs, Windows laptops, Windows Servers and Windows Phones operating within the traditional IT periphery – in other words Active Directory domain joined machines.
The XenApp Connector and Citrix Receiver extend the reach of Configuration Manager to deliver apps not just to Windows devices but all kinds of office and mobile devices including Linux, iOS, and Android devices; in fact nearly every device on the market today. The Connector also enables a more flexible and mobile workforce. Users are able to gain access to the applications they need regardless of whether they are in the office, working from home, or on the road.
To deliver this functionality, the XenApp Connector leverages three capabilities introduced with System Center 2012:
- Deployment Types
- User-centric administration, and
- The Application Catalog
How does #Citrix #NetScaler SDX isolate its instances?
Ok, I received this question the other day and this article is really spot on! Get a cup of coffee and enjoy! 😉
And remember this: YOU CAN ONLY HAVE 7 INSTANCES/1Gbps NIC!!!! So if you intend to host more than 7 VPXs on your SDX then ensure that you plan your network design if you use 1Gbps, otherwise go for the 10Gbps ports and SFPs.
NetScaler SDX Appliance with SR-IOV and Intel-VTd
This article contains information about the Single Root I/O Virtualization (SR-IOV) and Intel Virtualization Technology for Directed I/O (Intel-VTd) technology and how NetScaler appliance uses this technology to achieve fully isolated high performance NetScaler instances.
Server Virtualization presents both a tremendous opportunity and a major challenge for Enterprise Data Centers and Cloud Computing infrastructure. Current Hypervisors already facilitate the consolidation of many servers that are not utilized efficiently to a smaller number of physical servers delivering better space utilization, lower power consumption, and reduced overhead costs.
Virtualization architectures are built on a virtualization layer called a Virtual Machine Monitor or Domain 0 that becomes the primary interface between a virtual machine and the physical hardware. Even though virtualization allows multiple virtual machines to share the same hardware, it also creates additional overhead and can lower server performance as it becomes the bottleneck between a virtual machine and input/output (I/O) hardware as the number of virtual machines increase.
The NetScaler SDX appliance breaks through these performance bottlenecks by leveraging next generation of I/O virtualization technology called SR-IOV as defined by the PCI-Special Interest Group (SIG). SR-IOV enabled Intel chips along with Intel VT-d enable the NetScaler SDX appliance to significantly reduce virtualized network processing overheads, and provide more secure and predictable mechanisms for sharing I/O device among multiple virtual machines.
Intel Implementation of Single Root I/O Virtualization
Intel has worked with the PCI-SIG to define the SR-IOV specification. As shown in the following image, SR-IOV provides dedicated I/O to virtual machines, bypassing the software virtual switch in the Virtual Machine Manager (VMM) completely, and Intel Ethernet Controllers improve data isolation among virtual machines. SR-IOV also provides Virtual Functions. These are lightweight PCIe functions that allow a single physical port to look like multiple ports. Therefore, multiple virtual machines can now have direct assignment on the same port. This increases the scalability of the number of virtual machines on the machine through more efficient I/O device sharing.

Intel VT-d Technology
Intel VT-d is a hardware enhancement for I/O virtualization that is implemented as part of core logic chipset. Intel VT-d defines an architecture for DMA remapping that improves system reliability, enhances security and…
Continue reading here!
//Richard
LIMITED RELEASE – #Receiver #Storefront 1.2 Update 1 for Web Receiver Add-in
Issue(s) Fixed in This Release
- After enabling the requireTokenConsistency parameter in StoreFront’s store configuration file (c:\inetpub\wwwroot\Citrix\<StoreName>\Web.config) as described in Knowledge Center article CTX134965, users might not be able to access resources when logging in through Access Gateway.
- Attempts to authenticate to the Receiver for Web fail for users whose passwords contain certain special characters.
Continue reading and download it here!
//Richard
XenMobile product overview… and It’s nice! via @BasvanKaam – #BYOD, #MDM, #Citrix
Wow! I must say that Bas van Kaam has done a great wrap-up here! I highly recommend you to read this blog post!!! 🙂
It was only about a month ago when I was writing my Blog about the CloudGateway that I wondered which route Citrix would take now that they acquired Zenprise, well… here it is… XenMobile, another Xen sibling sees the light! Let’s jump right in…
I had the opportunity to make use of one of Citrix’s demo environments to have a closer look at MDM, which is an awesome way to explore new and existing products by the way, if your company is a Citrix partner and has access I definitely recommend having a look. Besides that I used the Citrix E-Docs website as well as Citrix.com to find as much information as possible.
The main focus of this article will be on XenMobile MDM as the Mobile Solutions Bundle (one of the two editions available) focuses primarily on the CloudGateway which I already discussed in one of my previous blogs.
MDM?
MDM stands for Mobile Device Management and it’s just that! Here’s what Citrix has to say about it: As per Citrix: XenMobile MDM is a robust mobile device management solution that delivers role-based management, configuration, and security for both corporate and employee-owned devices. Upon user device enrollment, IT can provision policies and apps to devices automatically, blacklist or whitelist apps, detect and protect against jailbroken or rooted devices, and selectively wipe a device that is lost, stolen, or out of compliance. Users can use any device they choose, while IT can ensure compliance of corporate assets and secure corporate content on the device.
Editions
There are two editions: XenMobile MDM and the Mobile Solutions Bundle. XenMobile MDM primarily focuses on (hardware) device management, more on its extensive feature set shortly. Every major platform is supported including: iPhone, iPad, Android, BlackBerry, Symbian and Microsoft Windows 8. It includes the XenMobile Secure Mobile Gateway (SMG) and XenMobile SharePoint Data Leak Prevention (DLP) as well as the XenMobile Mobile Service Provider (ZSM) and the XenMobile Remote Support Application Toolset.










