Posts Tagged ‘Domain’

#Citrix #NetScaler Traffic Domains ins and outs – via @barryschiffer

January 23, 2014

Another great blog post by Barry!!! Keep up the great work!!

Citrix NetScaler Traffic Domains are a way of segmenting network traffic for different applications or even tenants. You are able to use a traffic domain to create fully isolated network environments on a single NetScaler instance. An instance is a single appliance or a HA setup of two appliances.

Citrix NetScaler Traffic Domains were introduced with NetScaler 10.0. At first NetScaler Traffic Domains started as a somewhat hidden feature which you could only configure by CLI. As of version 10.1 Traffic Domains are fully configurable in the NetScaler GUI which makes it a lot simpler to use.

In a way NetScaler Traffic Domains could compete with the NetScaler SDX platform. With Traffic Domains we segment networks on a single NetScaler instance instead of the SDX where we create a virtual appliance per network segment. 

A downside of using NetScaler Traffic Domains is the fact that some features are only supported for usage inside of Traffic Domain 0. Traffic Domain 0 is the default Traffic Domain; all services run inside Traffic Domain 0 unless explicitly specified.
Examples of unsupported features are NetScaler Management and NetScaler Gateway. For a complete list of supported features follow this link.
For unsupported features for which you need isolation you have two options: NetScaler SDX or additional NetScaler appliances (virtual or physical).

My expectations are that we will see more and more features being supported on NetScaler Traffic Domains. An amazing feature would be to enable management functionality on Traffic Domains where you would only be able to manage or create services assigned to that Traffic Domain. This would be especially useful for multi-tenancy or multi-management in situations where, for example, one team manages Mobility and another team manages a web application.

A few use cases Citrix describes for NetScaler Traffic Domains:

  • Use of duplicate IP addresses
  • Use of duplicate NetScaler entities
  • Multi Tenancy

A use case I’m actually using NetScaler Traffic Domains for is the ability to deliver services in a DMZ as well as an internal network.
Internal network services like Microsoft Exchange Client Access Services and Microsoft App-V are heavy on traffic and I don’t like those services traversing the firewall in the DMZ. This also works great combined with Direct Server Return (DSR), which is blocked by most firewalls. Check out more on DSR combined with App-V in this article by Ingmar Verheij.

Read more…

Single File Restore – Fairy Tale Ending Going Down History Lane – via @Nutanix and @dlink7

November 21, 2013

Great blog post by Dwayne Lessner!

If I go back to my earliest sysadmin days where I had to restore a file from a network share, I was happy just to get the file back. Where I worked we only had tape and it was a crapshoot at the best of times. Luckily, 2007 brought me a SAN to play with.

bad times with dealing with LUNS

The SAN made it easier for sure to go back into time and find that file and pull it back from the clutches of death by using hardware-based snapshots. It was no big deal to mount the snapshot to the guest but fighting with the MS iSCSI initiator got pretty painful, partly because I had a complex password for the CHAP authentication, and partly because clean-up and logging out of the iSCSI was problematic. I always had a ton of errors, both in the Windows guest and in the SAN console, which caused more grief than good it seemed.

Shortly after the SAN showed up, VMware entered my world. It was great that I didn’t have to mess with MS iSCSI initiators any more but it really just moved my problem to the ESXi host. Now that VMware had the LUN with all my VMs, I had to worry about resignaturing the LUN so it wouldn’t have conflicts with the rest of production VMs. This whole process was short lived because we couldn’t afford all the space the snapshots were taking up. Since we had to use LUNs we had to take snapshots of all the VMs even though there were a handful that really needed the extra protection. Before virtualization we were already reserving over 50% of the total LUN space because snapshots were backed by large block sizes and ate through space. Due to the fact that we had to snapshot all of the VMs on the LUN we had to change the snap reserve to 100%. We quickly ran out of space and turned off snapshots for our virtual environment.

When a snapshot is taken on Nutanix, we don’t copy data, nor do we copy the meta-data. The meta-data and data diverge on a need basis; as new writes happen against the active parent snapshot we just track the changes. Changes operate at the byte level which is a far cry from the 16 MB I had to live with in the past.

Due to the above-mentioned life lessons in LUN-based snapshots, I am very happy to show Nutanix customers the benefits of per-VM snapshots and how easy it is to restore a file.

Per VM protection

To restore a file from a VM living on Nutanix you just need to make sure you have a protection domain set up with a proper RPO schedule. For this example, I created a Protection Domain called RPO-High. This is great as you could have 2,000 VMs all on one volume with Nutanix. You just slide over what VMs you want to protect; in this example, I am protecting my FileServer. Note you can have more than one protection domain if you want to assign different RPO to different VMs. Create a new protection domain and add 1 VM or more based on the application grouping.

Read more…

#Microsoft – On the right track! – #Windows, #BYOD, #Citrix

August 19, 2013

I don’t know if you all agree but I find that Microsoft is making some really good strategic decisions to align themselves and be ready for the “next generation” workplace and client services. Everyone has been talking about BYOx and that everyone will bring their own device and consume business services and functions on that device in parallel to doing personal stuff.

But has BYOD taken off yet?

I personally think that it hasn’t to the extent that many thought it would, there are some companies in some countries that have adopted it for some use cases and user categories, but the majority is still struggling with it though their business apps and functions aren’t really there to support this way of working yet.

Even if they have a NetScaler or similar remote access capabilities with some sort of Desktop and App virtualization (like Citrix XenDesktop) to run the apps it’s still not enough. How do you solve the offline working scenario? And aren’t hosted apps and desktops just a legacy workaround until those business processes have been SaaS’ified? And what about “dropbox” alternatives, H: drives and G: drives, SharePoint data etc.? There is still a user data mess (read my earlier post on this) that needs to be solved and especially a “mega aggregator” tool for getting data/content and synch across devices in a secure manner (data also encrypted at rest on ALL devices and not just mobiles)…

Microsoft is kind of stepping up here I must say from a strategy point of view that makes me believe in them, even though I’ve said that no one ever will take my MacBook Air from me! Have a look at the features that are coming with Windows 8.1 to support a more “semi-controlled” or “semi-trusted” device, and the new cloud services like Azure AD and Windows Intune offerings in combination with the online messaging and collaboration Office 365 services. And they are apparently also working on a “legacy” cloud service to offer desktops as a service (DaaS) as I wrote in a previous blog post as well.

I think that Microsoft is moving in the right direction towards offering the next generation enterprise IT services and to support the new way of working, and fast!

Have a look at these posts/articles on the news in Windows 8.1:

Everything you need, right from (the) Start

Microsoft is focused on delivering one experience across all the devices in your life. The centerpiece of that strategy and experience are the Microsoft services and apps that come right from (the) Start on your new Windows device.

This is the first blog post in a series that will highlight the apps and services driving toward this “one experience” vision. This experience comes to life through more than 20 new and improved Microsoft apps and services that come as part of Windows 8.1, including a new one that we are announcing today – Skype, right from (the) Start!

It’s where you want to go today….

Read more…

#Citrix #AppController 2.5 Implementation Tips – #CloudGateway, #BYOD

February 19, 2013

Great blog post by Matthew Brooks!

AppController is a component of the Citrix CloudGateway Enterprise suite that orchestrates access to Enterprise Cloud applications. Those applications may take many forms including Mobile Applications, Software-as-a-Service hosted in public clouds, and Web links. Below I have provided some tips to help with the implementation of AppController 2.5 (which is the latest version as of the publishing of this blog).

System Related

Including settings such as the Hostname, SSL certificates, and Restore.

TIPs:

  • Take a hypervisor-level snapshot after the initial installation so that you can easily return to that base level if configuration or integration efforts go awry.
  • The hostname cannot contain special characters in the AppController certificate signing request.
  • The hostname must match the SSL certificate.
  • The system cert must be chained to its CA(s).

Active Directory Related

Including settings such as the Server (Domain Controller), Base DN, and Service Account credentials.

TIPs:

  • The AppController only supports integration with a single domain. Multiple domains require multiple AppControllers. The NetScaler Access Gateway may be configured to allow users to access a single fully qualified domain name, yet be directed to their respective domain AppController through the use of Global Groups. See CTX116169 for more information: http://support.citrix.com/article/CTX116169
  • All user accounts must have a first name, last name, and email address configured or they will receive an authorization error when attempting to launch applications. The bind Administrator account must also have an email address configured or directory integration will fail.
  • Only LDAP (TCP 389) may be configured through the wizard that must be completed initially. Thereafter LDAPS (TCP 636) may be configured through the full administration menu.
  • If the server name domain name is a load balanced DNS entry the initial import may work, yet subsequent bind attempts will fail. Alternatively you may use the IP address of an LDAPS load balancer on a NetScaler with specific domain controllers configured as services. See CTX135092 for more information: http://support.citrix.com/article/CTX135092

Network Related

Including settings such as the IP address, @Workweb and NTP server.

TIPs:

  • Use private IP addresses as system addresses if possible. When Trust Settings are configured for NetScaler Access Gateway it does not allow SSO to public addresses. If public addresses must be used the NetScaler may be configured with an SSL Bridge to access the AppController. See NetScaler Traffic Management document for more information.
  • NTP must be configured or SAML authentication may fail for SaaS sites if the time difference is significant.
  • When Trust Settings are configured for NetScaler Access…

Continue reading here!

//Richard

Put Citrix Receiver App Banners in Web Interface for Android and iOS – #Citrix, #Receiver

January 14, 2013

A good blog post from Roy Tokeshi about Citrix Receiver setup and provisioning.

I’ve used the Citrix Mobile Receiver Setup URL Generator for quite some time and like it (but now of course you’ll get pretty far with email-based enrolment if you can use that), but it’s still valid for some use cases and scenarios. But to add the banner to the download of the app itself is something I’ve not done, interesting!

One of the cool things you can do to help your users connect to your XenDesktop and XenApp environments is the Citrix Mobile Receiver Setup URL Generator at: http://community.citrix.com/MobileReceiverSetupUrlGenerator/

The output of this generator is a couple of links. The first is an iOS configuration link and the second is the Android configuration link. What is great about this is once the user gets this link on their iOS or Android device, via email, text message, or carrier pigeon with a micro SD card strapped to its leg, all the user has to do is click on the link and the local instance of the mobile Citrix Receiver is auto-configured.

  • VCDC Email
  • Application warning iOS

Something that Apple had made available is called a Smart App Banner. (I suggest that you don’t shout “Smart App Banners!” across the cube farm unless you want to start a bunch of prairie dogging or HR emails.) Regardless, the folks at Apple created an easy way for you to advertise the Citrix Receiver app itself from within web interface. At Citrix Systems we have had a couple of different temporarily consistent hostnames we point at to get our apps and desktops. Among my customers, apps.company.com or atwork.company.com have popped up a few times. The point being, the user puts a name in the browser and the web interface client detect takes over, suggests a client version for Mac, Windows, Java and off they go to application or desktop nirvana.

But what about the lonely neglected mobile devices? We tell our bosses that we need iPhones, iPads, and Androids for work. So the smart thing to do is to get a few work apps on there before bosses catch us playing Angry Birds, or Radical.FM. So the question is, “How do I use this on my web interface?” That is an excellent question. We are going to take the cute little meta tag referenced in that Apple Dev article and paste that right into the login.aspx file in our web interface site.

For the purposes of demonstration, I’m going to use our Virtual Computing Demo Center or VCDC as an example. The default web interface that acts as a front end of the demo instance is hosted on a virtual machine acting as the DDC for XenDesktop. The screenshots I am using are based on the connection I make to a XenApp desktop logged on as administrator. \\ddc\c$\inetpub\wwwroot\Citrix\DesktopWeb\auth\login.aspx looked like this:

Now, modified at the top line it looks like this.

Remember that this is something that is only supported in iOS and in fact from the default Safari browser.  Here are some screenshots…

Continue reading here!

//Richard