Archive for the ‘Client Services’ Category

#Citrix #XenMobile #MDM Integration With #Cisco ISE for #BYOD

Interesting and a good blog post by Sameer Mehta.

World of BYOD

Bring your own device (BYOD) initiatives are enabling employees to bring their own personal devices to work and allowing them corporate access to services such as Email. We did a recent audit using our ability to integrate with security incident and event management (SIEM) systems for a customer. The audit provided visibility into their ActiveSync traffic and found devices that belonged to executives that were not under IT management. Here’s a snapshot of their BYO devices.

There are several reasons to enable such access – for example, to boost employee productivity or convenience of accessing email from any device. Having said that, as Uncle Ben puts it, “with great power comes great responsibility”, and this responsibility is on the IT administrator from a security point of view. It’s IT’s responsibility to make sure that corporate data is not compromised or leaked in the following scenarios:

  • What happens when this personal device is lost or stolen?
  • What happens if this device is jailbroken or rooted?
  • What happens if this device ends up outside an approved geofence, for example outside of the US?
  • What happens if the user inadvertently installs an application that has the ability and access to the entire device memory, thereby having unauthorized access to corporate data?

End User’s perspective on Enterprise Mobility

End users want access to corporate services such as email, intranet, ability to share and collaborate over documents, and also use 3rd party applications such as Evernote, Quick Office or GoodReader. With mobile solutions such as XenMobile MDM, CloudGateway, ShareFile and GoToAssist, Citrix provides ubiquity, i.e. ‘access any app from any device’, and a unified view for applications with an enterprise app store, documents via ShareFile. Having said that, since the user is accessing multiple applications, end user experience is a key component of mobility solutions. For example, bootstrap authentication and provide single sign on (SSO) to other applications.

Enterprise IT perspective on BYOD

As IT is providing access to corporate services, the main concern is around data loss prevention (DLP) and protecting corporate content on the mobile device. This means, encrypting data at rest for application data, and documents that are hosted either on Sharepoint, Network File share or Cloud storage. From a DLP perspective, for security conscious organizations, the mobile solutions bundle, which includes XenMobile MDM and CloudGateway…

Continue reading here!

//Richard

Configuring Email-Based Account Discovery for #Citrix #Receiver

Check out this great blog post from Avinash Golusula:

Configuring Email-Based Account Discovery

1. Add DNS Service Location (SRV) record to enable email-based discovery

During initial configuration, Citrix Receiver can contact Active Directory Domain Name System (DNS) servers to obtain details of the stores available for users. This means that users do not need to know the access details for their stores when they install and configure Citrix Receiver. Instead, users enter their email addresses and Citrix Receiver contacts the DNS server for the domain specified in the email address to obtain the required information.

To enable Citrix Receiver to locate available stores on the basis of users’ email addresses, configure Service Location (SRV) locator resource records for Access Gateway or StoreFront/AppController connections on your DNS server. If no SRV record is found, Citrix Receiver searches the specified domain for a machine named “discoverReceiver” to identify a StoreFront/AppController server.

You must install a valid server certificate on the Access Gateway appliance and StoreFront/AppController server to enable email-based account discovery. The full chain to the root certificate must also be valid. For the best user experience, install either a certificate with a Subject or Subject Alternative Name entry of discoverReceiver.domain, or a wildcard certificate for the domain containing your users’ email accounts.

To allow users to configure Citrix Receiver by using an email address, you need to add an SRV record to your DNS zone.

  • Log in to your DNS server
  • In DNS > Right-click your Forward Lookup Zone
  • Click on Other New Records
  • Scroll down to Service Location (SRV)
  • Choose Create Record
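The same record creation and a client-side check, as an added PowerShell example that is not part of the post above: the first function publishes the SRV record on a Windows DNS server (DnsServer module), the second reproduces Receiver's lookup order for an e-mail address (SRV record first, then the discoverReceiver host) and confirms the discovered server presents a certificate that validates for that name. Assumptions: example.com and storefront.example.com are placeholders, and `_citrixreceiver._tcp` is the service name Citrix's documentation uses for this record; the post itself does not name it.

```powershell
# Added example, not from the original post. Placeholders: example.com, storefront.example.com.
# Assumption: '_citrixreceiver._tcp' is the SRV service/protocol name Citrix documents for
# email-based discovery; the post above does not name it.

# On the Windows DNS server (DnsServer module): the "Service Location (SRV)" steps as a command.
function Add-ReceiverDiscoveryRecord {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,    # zone of the users' e-mail domain
        [Parameter(Mandatory)] [string] $TargetFqdn,  # StoreFront/AppController or Access Gateway
        [int] $Port = 443
    )
    Add-DnsServerResourceRecord -ZoneName $ZoneName -Name '_citrixreceiver._tcp' -Srv `
        -DomainName $TargetFqdn -Priority 0 -Weight 0 -Port $Port
}

# From a client: reproduce Receiver's lookup order and check the server certificate.
function Test-ReceiverDiscovery {
    param([Parameter(Mandatory)] [string] $EmailAddress)

    $domain = $EmailAddress.Split('@')[-1]   # Receiver uses the domain part of the address

    # 1. SRV record first; lowest Priority wins, higher Weight preferred among equals.
    $srv = Resolve-DnsName -Name "_citrixreceiver._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' } |
           Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
    if ($srv) {
        $target = $srv[0].NameTarget; $port = $srv[0].Port; $via = 'SRV'
    } else {
        # 2. Fallback named in the post: a host called discoverReceiver in the same domain.
        $target = "discoverReceiver.$domain"; $port = 443; $via = 'discoverReceiver'
        if (-not (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue)) {
            return [pscustomobject]@{ Domain = $domain; Found = $false; Target = $null; Via = $null
                                      CertOk = $false; Detail = 'no SRV record and no discoverReceiver host' }
        }
    }

    # 3. TLS handshake with default validation: it fails when the chain does not end at a
    #    trusted root or the certificate's Subject/SAN (or wildcard) does not cover $target,
    #    which is the certificate requirement the post states.
    $tcp = $null; $ssl = $null; $certOk = $false; $detail = ''
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($target, $port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($target)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $certOk = $true; $detail = $cert.Subject
    } catch {
        $detail = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
    [pscustomobject]@{ Domain = $domain; Found = $true; Target = $target; Via = $via; CertOk = $certOk; Detail = $detail }
}

# Usage (placeholders):
# Add-ReceiverDiscoveryRecord -ZoneName 'example.com' -TargetFqdn 'storefront.example.com'
# Test-ReceiverDiscovery -EmailAddress 'alice@example.com'
```

A result with Found = $true but CertOk = $false means discovery works at the DNS level but Receiver will fail on the certificate check the post describes (untrusted chain or a name not covered by Subject/SAN).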

Explaining #Citrix Pass-through Authentication

Check out this great blog post from Joel Bejar:

Introduction

Pass-through authentication is a simple concept. User credentials are passed to a Web Interface site and then to the XenApp/XenDesktop servers, preventing users from having to explicitly authenticate at any point during the Citrix application launch process. While this authentication method seems straightforward, there are some moving pieces, and this article aims to break these down to provide a more detailed understanding of how this process truly works within Citrix.

Pass-Through Authentication – Web Interface Site

The first step to the pass-through process occurs at the Web Interface site. Users are able to navigate to the web interface site, and their credentials are passed through and they are presented with their Citrix delivered resources. Web Interface is built on Internet Information Services (IIS). For pass-through authentication to work, IIS Integrated Windows Authentication must be leveraged. Formerly called NTLM, this authentication method hashes the user credentials before they are sent over the network. When this type of authentication is enabled, the client browser proves it is authenticated through a cryptographic exchange with the Web Interface server, involving hashing. Because of this, the web browser is responsible for authenticating with the Web Interface Server (IIS). It is important to note, though, that credentials are actually never exchanged. Instead, the signed hash is provided to IIS, proving that said user had already been authenticated at the Windows desktop. Web Interface uses the user’s AD context (sometimes referred to as a token) to retrieve the user’s AD group membership and pass this list of groups directly to the XML service for authentication. At this point, the user has successfully passed through to the Web Interface site, and can now view his/her Citrix resources.

  • The WI server must be in the same domain as the user, or in a domain that has a trust relationship with domain of the user.
  • If the WI server and user are in different domains, and resources are published using Domain Local AD groups in the user domain, then the WI will not be able to enumerate these, even with a proper AD trust relationship (due to the very nature of Domain Local groups).
  • The WI site should be added as a Trusted Site or Intranet Zone site in Internet Explorer. In addition, the security settings should be modified so that User Authentication\Logon is set to ‘Automatic Logon with Username and Password’.
  • Pass-through authentication is not supported on Web Interface for NetScaler.

Please note: Pass-through authentication and Kerberos authentication are not interchangeable and they have different requirements.

Pass-Through Authentication – XenApp/XenDesktop Session

One of the biggest misconceptions with Pass-Through authentication in Citrix is that it only occurs when a user navigates to the Web Interface site and he/she is automatically passed through. As mentioned above, this IIS authentication method that is being used does not actually exchange the user password. In other words, Web Interface is never in control of the user credentials. This brings up the question: How are users passed through to the actual XenApp/XenDesktop ICA session?

While the web browser has a role in authenticating the user to the web site, the Citrix client (Citrix Receiver) plays an integral role in making sure the user is fully passed through to the application or desktop. Citrix Receiver installs a process called SSONSVR.exe, which is the single sign-on component of the client (no, not password manager SSO, but rather desktop credential pass-through authentication SSO). This process is fully responsible for passing the user credentials to XenApp or XenDesktop. Without this piece, pass-through authentication will not function.
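A check of those client-side prerequisites, as an added PowerShell example that is not from the post: it resolves which Internet Explorer zone the Web Interface host is mapped to, reads that zone's logon setting, and confirms Receiver's SSONSVR.exe is running on the workstation. The registry locations and the 1A00 logon value are standard IE zone settings; the host name is a placeholder and the handling of dotless names is an assumption noted in the code.

```powershell
# Added example, not from the original post. Placeholder host: wi.example.com.
# Internet Explorer zone numbers: 1 = Local intranet, 2 = Trusted sites.
# Zone setting 1A00 ("Logon"): 0x0 = automatic logon with current user name and password,
# 0x10000 = prompt for user name and password, 0x20000 = automatic logon only in Intranet
# zone, 0x30000 = anonymous logon.

function Get-IEZoneForHost {
    param([Parameter(Mandatory)] [string] $HostName, [string] $Scheme = 'https')
    $labels = $HostName.ToLower().Split('.')
    # Assumption: dotless names fall into the Intranet zone through IE's default
    # "include all local (intranet) sites not listed in other zones" option.
    if ($labels.Length -lt 2) { return 1 }
    $domain = $labels[-2..-1] -join '.'
    $sub    = if ($labels.Length -gt 2) { $labels[0..($labels.Length - 3)] -join '.' } else { $null }
    foreach ($hive in 'HKCU', 'HKLM') {
        # Manually added sites: ZoneMap\Domains\<domain>[\<host>], value named after the scheme.
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
        $keys = @(); if ($sub) { $keys += "$base\$sub" }; $keys += $base
        foreach ($k in $keys) {
            $v = Get-ItemProperty -Path $k -Name $Scheme -ErrorAction SilentlyContinue
            if ($v) { return [int]$v.$Scheme }
        }
        # Sites pushed by the "Site to Zone Assignment List" policy: value name = URL pattern, data = zone.
        $pol = Get-ItemProperty -Path "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey" -ErrorAction SilentlyContinue
        foreach ($pattern in "${Scheme}://$HostName", $HostName, "*.$domain") {
            if ($pol -and $pol.PSObject.Properties[$pattern]) { return [int]$pol.$pattern }
        }
    }
    return $null   # not mapped: IE treats it as Internet zone unless another heuristic applies
}

function Get-IEZoneLogonSetting {
    param([Parameter(Mandatory)] [int] $Zone)
    # A policy-set value takes precedence over the user's own setting.
    foreach ($k in "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone",
                   "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone") {
        $v = Get-ItemProperty -Path $k -Name '1A00' -ErrorAction SilentlyContinue
        if ($v) { return [int]$v.'1A00' }
    }
    return $null
}

function Test-PassThroughPrereqs {
    param([Parameter(Mandatory)] [string] $WebInterfaceHost)
    $zone  = Get-IEZoneForHost -HostName $WebInterfaceHost
    $logon = if ($null -ne $zone) { Get-IEZoneLogonSetting -Zone $zone } else { $null }
    $sson  = Get-Process -Name ssonsvr -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WebInterfaceHost = $WebInterfaceHost
        Zone             = $zone
        ZoneOk           = ($zone -eq 1 -or $zone -eq 2)                    # Intranet or Trusted
        LogonSetting     = $logon
        AutoLogonOk      = ($logon -eq 0 -or ($zone -eq 1 -and $logon -eq 0x20000))
        SsonsvrRunning   = [bool]$sson                                       # Receiver's SSO component
    }
}

# Usage (placeholder): Test-PassThroughPrereqs -WebInterfaceHost 'wi.example.com'
```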

Continue reading here!

//Richard

Enterprise Mobility Report – Lessons from the Mobile Cloud – #Citrix, #BYOD

Here is a good report done by Citrix, not that much that I didn’t expect but great to get some input!

We just released our quarterly enterprise mobility cloud report. Every quarter, we look out across our enterprise mobility customers deployed in the cloud and try to understand common practices by reviewing aggregate data on deployed apps, app blacklisting and whitelisting practices, policy deployments, and OS deployments by region and vertical industry. So here’s a small taste of what we saw in Q412.

Things we expected:

  • iOS led in the enterprise. Definitely something we already knew.
  • Industries like retail and restaurants – whose use cases involve direct one-on-one customer engagement – were iOS- (and iPad-) heavy. Makes sense.
  • Industries with mobile field service organizations went for Android. Given the platform’s lower replacement cost, controllability, and ubiquity, that makes sense.
  • Facebook and Dropbox made the blacklist. Productivity and data security are major concerns, especially for corporate-issued devices.

Things we didn’t expect:

  • Android gained in EMEA. Android gained eleven percentage points in Europe, the Middle East, and Africa in a quarter. Anecdotally, we know several organizations there that deployed big Android-based mobile line-of-business initiatives last quarter, but is there a bigger trend? Tell us what you think!
  • Healthcare went for Android. 85% of deployed devices in our cloud in healthcare were Android. But healthcare organizations we talk to are standardizing on iOS, so it doesn’t add up! But remember: this is the cloud report. Most of our large healthcare customers have deployed our solution on-premise and those seem to be mostly iOS today. The cloud healthcare companies are really mobile themselves – usually home healthcare organizations like traveling nurses and therapists and hospice care workers who deliver end of life care to patients in their homes. It makes sense that these organizations would be big users of the cloud given the highly distributed nature of the business and the fact that there are some common HIPAA-compliant mobile apps that have been developed for the Android platform.
  • Dropbox was on the blacklist, but was also one of the most heavily-recommended apps from enterprise IT (in the enterprise app catalog). This juxtaposition speaks to Dropbox’s simultaneous usefulness and risk! Organizations can’t decide! Many of our customers talk to us about the “Dropbox dilemma” and most agree that if they could provide data sharing in a secure, enterprise-grade way, users would go for it.

Download the complete report here!

//Richard

#Citrix Virtual Desktop Handbook 5.x – #XenDesktop, #XenApp

Ok, this is a pretty good handbook I must admit. Have a look at it here!

And if you need help then of course you can always contact EnvokeIT! 😉

And here is a good blog post about this as well by Thomas Berger:

One of the foundational project management principles is that project success occurs when it is delivered on time, within budget and with a level of quality that is satisfactory to the client. Of course these three dimensions are valid for any desktop virtualization project as well.

While a lot of information about budget planning and TCO/ROI for virtual desktop / application delivery projects can be found on the internet (e.g. http://flexcast.citrix.com/analyzeandcompare.html), the amount of information about time planning and success criteria is very low.

Since this lack of publicly available information causes every customer to “reinvent the wheel” and therefore add some delays to their projects, we thought it’s time to provide some guidance around these topics.

The result of our efforts has become part of the newly released Citrix Virtual Desktop Handbook (http://support.citrix.com/article/CTX136546). Version 1 of this white paper focuses on the Assess phase that identifies the information required prior to starting the design phase and outlines the project management tasks I mentioned earlier.

But instead of just discussing the topics from a theoretical point of view, we provide detailed guidance and tools which can be used for your projects right away. For example you will get a sample project plan (Microsoft Project), which outlines and provides duration estimates for every step of a desktop virtualization project (sample below).

Furthermore, the white paper discusses a general project methodology, describes how business priorities can be identified and provides detailed information about the roles required during an enterprise-grade project (sample below).

This and even more can be found within the new Citrix Virtual Desktop Handbook.

//Richard

#Citrix Introducing #CloudBridge 2000 and 3000

Ok, this is interesting!

Citrix is pleased to announce the new WAN-optimization appliances: CloudBridge 2000 and CloudBridge 3000. These appliances come loaded with our WAN-optimization and XenDesktop acceleration technologies including rich protocol optimization, advanced TCP flow-control, adaptive compression and smart acceleration.

This blog highlights some of key features of these appliances.

Unmatched Scalability: A pay-grow offering that is unique in the WAN-optimization industry

Using the pay-grow offering, CloudBridge 2000 can be scaled from a throughput of 10 Mbps to 20 Mbps and further to 50 Mbps with just a license upgrade. Similarly CloudBridge 3000 can be scaled from 50 Mbps to 100 Mbps and further to 155 Mbps. This avoids the cost, time and logistics overhead associated with a forklift replacement. So if you have small office and expect to grow in future then these appliances are ideal for you.

Series                      2000                             3000
Application                 Large Branch/Small Enterprise    Medium Enterprise
Licensed Bandwidth (Mbps)   10/20/50                         50/100/155
Concurrent HDX Sessions     100/200/300*                     300/400/500*
Pay-to-Grow                 Yes                              Yes
Disk Storage                600 GB SSD                       4 x 600 GB SSD
Interfaces                  Four 1 GigE Copper FTW;          6 GigE Cu or 4 Fiber FTW;
                            2 x 1 GigE Cu (HA/Mgmt)          2 x 1 GigE Cu (LOM/Mgmt)
Power Supplies              1 x 300 watt                     2 x 300 watt, hot swap

* Session count is limited by link bandwidth; no session count is enforced. Published numbers are for guidance only.

Built-in reliability

CB 2000 and CB 3000 models come prepackaged with Network bypass cards for the traffic interfaces. This ensures that the traffic to your network is never interrupted, even in case of power failure to the appliance.

Also, these models do not contain any rotating disks. Instead they use SSDs as storage, resulting in enhanced disk-access speed and…

Continue reading here on the blog post and also look at this Service Delivery Network video where you can look at Citrix’s story on how enterprise and cloud networks are unified into a service delivery fabric that optimizes and secures applications and data.

//Richard

User-centric application delivery with Microsoft System Center and the #XenApp Connector for Configuration Manager

Another good blog post from Citrix:

This week we are happy to announce the release of the XenApp Connector for System Center 2012 Configuration Manager (a.k.a. Project Thor), marking the culmination of several months of collaboration between Citrix and Microsoft.

System Center 2012 Configuration Manager helps IT empower people to use the devices and applications they need to be productive, while maintaining corporate compliance and control. It provides a unified infrastructure for mobile, physical, and virtual environments that allows IT to deliver applications and manage user experiences based on identity, connectivity, and device.

More so than any previous release of Configuration Manager, the 2012 release supports the model of user-centric IT management. The new focus of Configuration Manager is one of empowering users by putting them at the center of the IT universe; one that supports user self-service, bring-your-own-device initiatives, workforce mobility, and the overall IT consumerization trend. We are very excited about the power this user-centric model provides and how that model is realized via integration of Configuration Manager and XenApp.

So what does the XenApp Connector do? Put simply, it extends the reach of admins using Configuration Manager to a much broader range of devices and user locations. Historically, Configuration Manager has been used for management of Windows OS & applications deployed to Windows PCs, Windows laptops, Windows Servers and Windows Phones operating within the traditional IT periphery – in other words Active Directory domain joined machines.

The XenApp Connector and Citrix Receiver extend the reach of Configuration Manager to deliver apps not just to Windows devices but all kinds of office and mobile devices including Linux, iOS, and Android devices; in fact nearly every device on the market today. The Connector also enables a more flexible and mobile workforce. Users are able to gain access to the applications they need regardless of whether they are in the office, working from home, or on the road.

To deliver this functionality, the XenApp Connector leverages three capabilities introduced with System Center 2012:

  • Deployment Types
  • User-centric administration, and
  • The Application Catalog

Read more…

How does #Citrix #NetScaler SDX isolate its instances?

Ok, I received this question the other day and this article is really spot on! Get a cup of coffee and enjoy! 😉

And remember this: YOU CAN ONLY HAVE 7 INSTANCES/1Gbps NIC!!!! So if you intend to host more than 7 VPXs on your SDX, then ensure that you plan your network design if you use 1Gbps; otherwise go for the 10Gbps ports and SFPs.

NetScaler SDX Appliance with SR-IOV and Intel-VTd

This article contains information about the Single Root I/O Virtualization (SR-IOV) and Intel Virtualization Technology for Directed I/O (Intel-VTd) technology and how NetScaler appliance uses this technology to achieve fully isolated high performance NetScaler instances.

Server Virtualization presents both a tremendous opportunity and a major challenge for Enterprise Data Centers and Cloud Computing infrastructure. Current Hypervisors already facilitate the consolidation of many servers that are not utilized efficiently to a smaller number of physical servers delivering better space utilization, lower power consumption, and reduced overhead costs.

Virtualization architectures are built on a virtualization layer called a Virtual Machine Monitor or Domain 0 that becomes the primary interface between a virtual machine and the physical hardware. Even though virtualization allows multiple virtual machines to share the same hardware, it also creates additional overhead and can lower server performance as it becomes the bottleneck between a virtual machine and input/output (I/O) hardware as the number of virtual machines increases.

The NetScaler SDX appliance breaks through these performance bottlenecks by leveraging the next generation of I/O virtualization technology called SR-IOV as defined by the PCI Special Interest Group (SIG). SR-IOV enabled Intel chips along with Intel VT-d enable the NetScaler SDX appliance to significantly reduce virtualized network processing overheads, and provide more secure and predictable mechanisms for sharing I/O devices among multiple virtual machines.

Intel Implementation of Single Root I/O Virtualization

Intel has worked with the PCI-SIG to define the SR-IOV specification. As shown in the following image, SR-IOV provides dedicated I/O to virtual machines bypassing the software virtual switch in the Virtual Machine Manager (VMM) completely, and Intel Ethernet Controllers improve data isolation among virtual machines. Another feature of SR-IOV is a feature called Virtual Functions. These are Lightweight PCIe functions that allow a single physical port to look like multiple ports. Therefore, multiple virtual machines can now have direct assignment on the same port. This increases the scalability of the number of virtual machines on the machine through more efficient I/O device sharing.

Intel VT-d Technology

Intel VT-d is a hardware enhancement for I/O virtualization that is implemented as part of the core logic chipset. Intel VT-d defines an architecture for DMA remapping that improves system reliability, enhances security and…

Continue reading here!

//Richard

LIMITED RELEASE – #Receiver #Storefront 1.2 Update 1 for Web Receiver Add-in

Issue(s) Fixed in This Release

  1. After enabling the requireTokenConsistency parameter in StoreFront’s store configuration file (c:\inetpub\wwwroot\Citrix\<StoreName>\Web.config) as described in Knowledge Center article CTX134965, users might not be able to access resources when logging in through Access Gateway.
  2. Attempts to authenticate to the Receiver for Web fail for users whose passwords contain certain special characters.

Continue reading and download it here!

//Richard