Posts Tagged ‘session’

#Netscaler Insight and Integration with #XenDesktop Director – via @msandbu

November 15, 2013

Great blog post by Marius! 🙂

This is another one of Citrix’s hidden gems, Netscaler Insight. This product has been available from Citrix for some time now, but with the latest update it became a lot more useful. Insight is a virtual appliance from Citrix which gathers AppFlow data and statistics from Netscaler to show performance data, kinda like old Edgesight. (NOTE: In order to use this functionality against Netscaler it requires at least Netscaler Enterprise or Platinum.)

Insight has two specific functions, called Web Insight and HDX insight.
Web Insight shows traffic related to web-traffic, for instance how many users, what IP addresses, what kind of content etc.
HDX Insight is related to Access Gateway functionality of Citrix to show for instance how many users have accessed the solution, what kind of applications have they used, what kind of latency did the clients have to the netscaler etc.

You can download this VPX from mycitrix under Netscaler downloads; important to note, as of now it is only supported on VMware and XenServer (they haven’t mentioned any support coming for Hyper-V but I’m guessing it’s coming).

The setup is pretty simple: like a regular Netscaler we need to define an IP address and subnet mask. (Note that the VPX does not require a license since it will only gather data from Netscaler appliances that have a platform license, and it does not work on regular Netscaler gateways.)

After we have set up the Insight VPX we can access it via the web GUI; the username and password here are the same as Netscaler: nsroot & nsroot.


After this is set up we need to enable the Insight features. We can start by setting up HDX Insight; here we need to define an expression that allows all Gateway traffic to be gathered.
Here we just need to enable VPN equals true. We can also add multiple Netscalers here; if you have a cluster or HA setup we need to add both nodes.


After we have added the node, just choose configure on the node and choose VPN from the list and choose expression true.


#Citrix #PVS vs. #MCS Revisited – #Nutanix, #Sanbolic

Another good blog post from Citrix and Nick Rintalan around the famous topic of whether to go for PVS or MCS! If you’re thinking about this topic then don’t miss this article. Also ensure that you talk to someone who has implemented an image mgmt/provisioning service like this to get some details on lessons learnt etc.; also, with the change in the hypervisor layer and the cache features, this is getting really interesting…

AND don’t forget the really nice storage solutions that exist out there, like Nutanix and Melio, that really solve some challenges out there!!

Nutanix, how it works..

http://go.nutanix.com/rs/nutanix/images/TG_XenDesktop_vSphere_on_Nutanix_RA.pdf

Melio Solutions – Virtual Desktop Infrastructure

Back to the Citrix blog post:

It’s been a few months since my last article, but rest assured, I’ve been keeping busy and I have a ton of stuff in my head that I’m committed to getting down on paper in the near future.  Why so busy?  Well, our Mobility products are keeping me busy for sure.  But I also spent the last month or so preparing for 2 different sessions at BriForum Chicago.  My colleague, Dan Allen, and I co-presented on the topics of IOPS and Folder Redirection.  Once Brian makes the videos and decks available online, I’ll be sure to point people to them.

So what stuff do I want to get down on paper and turn into a future article? To name a few…MCS vs. PVS (revisited), NUMA and XA VM Sizing, XenMobile Lessons Learned “2.0”, and Virtualizing PVS Part 3. But let’s talk about that first topic of PVS vs MCS now.

Although BriForum (and Synergy) are always busy times, I always try to catch a few sessions by some of my favorite presenters.  One of them is Jim Moyle and he actually inspired this article.  If you don’t know Jim, he is one of our CTPs and works for Atlantis Computing – he also wrote one of the most informative papers on IOPS I’ve ever read.  I swear there is not a month that goes by that I don’t get asked about PVS vs. MCS (pros and cons, what should I use, etc.).  I’m not going to get into the pros and cons or tell you what to use since many folks like Dan Feller have done a good job of that already, even with beautiful decision trees.  I might note that Barry Schiffer has an updated decision tree you might want to check out, too.  But I do want to talk about one of the main reasons people often cite for not using MCS – it generates about “1.6x or 60% more IOPS compared to PVS“.  And ever since Ken Bell sort of “documented” this in passing about 2-3 years ago, that’s sort of been Gospel and no one had challenged it.  But our CCS team was seeing slightly different results in the field and Jim Moyle also decided to challenge that statement. And Jim shared the results of his MCS vs. PVS testing at BriForum this year – I think many folks were shocked by the results.

What were those results?  Here is a summary of the things I thought were most interesting:

  • MCS generates 21.5% more average IOPS compared to PVS in the steady-state (not anywhere near 60%)
  • This breaks down to about 8% more write IO and 13% more read IO
  • MCS generates 45.2% more peak IOPS compared to PVS (this is closer to the 50-60% range that we originally documented)
  • The read-to-write (R/W) IO ratio for PVS was 90%+ writes in both the steady-state and peak (nothing new here)
  • The R/W ratio for MCS at peak was 47/53 (we’ve long said it’s about 50/50 for MCS, so nothing new here)
  • The R/W ratio for MCS in the steady-state was 17/83 (this was a bit of a surprise, much like the first bullet)

So how can this be?!?

I think it’s critical to understand where our initial “1.5-1.6x” or “50-60%” statement comes from – that takes into account not just the steady-state, but also the boot and logon phases, which are mostly read IOPS and absolutely drive up the numbers for MCS.  If you’re unfamiliar with the typical R/W ratios for a Windows VM during the various stages of its “life” (boot, logon, steady-state, idle, logoff, etc.), then this picture, courtesy of Project VRC, always does a good job explaining it succinctly:

The R/W ratio of the boot phase is a lot different than the steady-state!

 

We were also looking at peak IOPS and average IOPS in a single number – we didn’t provide two different numbers or break it down like Jim and I did above in the results, and a single IOPS number can be very misleading in itself.  You don’t believe me?  Just check out my BriForum presentation on IOPS and I’ll show you several examples of how…


//Richard

Top 10 #CitrixSynergy sessions…watch them today!

Have a look at the 10 most popular Citrix synergy sessions! They are now uploaded and ready for you to see:

  • SYN501: Geek Speak Tonight! (Desktop Virtualization panel) & SYN501 (Mobility panel)
  • SYN415: Advanced best practices for migrating from Web Interface to StoreFront
  • SYN321: Next-generation desktop and app delivery with XenDesktop 7, Microsoft System Center 2012
  • SYN334: What’s new in XenDesktop and XenApp Platinum
  • SYN320: XenDesktop 7: what you should know about FlexCast management architecture and XenApp migration
  • SYN299: One Step Beyond – An audience with the Citrix CTO’s
  • SYN322: XenDesktop 7: reinventing HDX for mobile, 3D graphics and beyond
  • SYN222: Architecting a global XenApp farm with regional users using NetScaler and StoreFront
  • SYN404: Introducing the Citrix Diagnostic Toolkit
  • SYN206: What’s new in ShareFile Enterprise


//Richard

How to check which #NetScaler policy that your #Citrix #Receiver or web browser hits?

April 18, 2013

Ok, this is a common issue that you’ll end up in when setting up Access Gateway access scenarios:

How do you know which policy is hit when your different Receivers are logging in?

Well, there are a couple of nice commands that can help you troubleshoot your access scenario! I guess that most of you have a simple scenario where you have one domain to authenticate against and some simple PNA, CVPN and potentially SSL VPN policies and profiles to deal with, and they are all linked to the virtual server, something like this simple example:

[Image: AG_vServer_VIP]

But in more complex scenarios you may end up controlling which browser the user is accessing with (for giving nice error messages instead of Citrix default messages when users may use an unsupported browser etc.), or when you have multiple AD domains and AD groups to link different policies to etc. Then it may be complex and you have multiple policies and profiles for the same config with minor changes like the SSO domain name etc. So how do you then troubleshoot that easily?

First we have the must know command that hooks into the auth process of the NetScaler and gives you a view of the authentication process:

cat /tmp/aaad.debug

When you run that and you authenticate you’ll see the result of your auth process against, for instance, LDAP and RADIUS sources, like the result here when I logged in to our little environment:

[Image: aaad_debug_output]

At the top of the output you see all the AD groups that I’m a member of, which need to match the group that you like to use on the NetScaler side, and last you see the accept from AD for my authentication request.

Then you know that your authentication is OK, but which of the session policies are we hitting? Then you need to have a look at this great command:

nsconmsg -d current -g pol_hits

This is the output when I access using my Receiver on OS X:

[Image: nsconmsg_policy_hit]


#Citrix #Receiver for Win 8 and RT 1.3 now on the Windows Store

Blog post from Citrix on Windows RT and Win 8 pro devices and Receiver!

Our first official update for our touch-enabled Receiver for Windows RT and Windows 8 Pro devices! This version adds the ability to use multiple sessions as well as a number of usability improvements. It can be used with StoreFront or Web Interface deployments. Connections can be direct or through Access Gateway Enterprise Edition version 10.

Click here to try this version. It is still a good idea to ask your IT department if it can be used in your environment. IT managers can find details on configurations supported and settings at Citrix eDocs.

What’s new?

  • Users can run multiple apps within a single session, switching between them with the in-session app bar.
  • Sessions now use the keyboard layout and input language in effect on the device (as configured on the Windows 8 Language bar) whether it’s a physical or touch keyboard.
  • A Refresh button on the My Apps and All Apps pages enables users to easily refresh the apps list.
  • A default icon appears in My Apps, All Apps, and Search results until the correct app icon downloads.

And we have even more great things planned for the next update, including support for Access Gateway Enterprise 9.3 with…


//Richard

SSO to StoreFront not working in CVPN mode – #Citrix, #NetScaler, #StoreFront

January 31, 2013

Single Sign-On from Access Gateway to StoreFront not working in CVPN mode

There is yet another “thing” to have in mind when setting up Access Gateway and StoreFront in CVPN mode!

It’s been an interesting day (or days/weeks/months I must admit) with some “issues” with a NetScaler ADC, Access Gateway with CVPN profiles and StoreFront 1.2. And one thing that we have been struggling with was Single Sign-On to StoreFront when we had the AG configured for CVPN access. And it was just this environment where I’ve seen this issue!!

After a lot of troubleshooting the Citrix guys came up with an explanation on why SSO from AG doesn’t work in this specific environment! And it’s not an obvious one to find I must say… but I now understand why it doesn’t work!

So let’s explain the design reason for why it doesn’t work (so bear with me, solution at the end!!)…

The following picture tries to give a VERY rough picture of what it could look like: clients on the Internet on the left, then a NetScaler ADC with the Access Gateway feature enabled and a vServer configured. This AG vServer has session policies and profiles for ICA proxy (old traditional ICA proxy policy) and the slightly newer CVPN mode. And YES, I’ve left out a lot of stuff like AD etc. to simplify this picture A LOT…

[Image: High_Level_Design_overview_SSO_not_working]

The overall idea and config is that AG authenticates the user and then shall do SSO to StoreFront. The CVPN policy has been created according to all best practices etc. (Citrix CloudGateway Express 2.0 – Implementation Guide).

But SSO still doesn’t work!! If you log in through a browser when having the CVPN policy linked to the vServer you’ll see that authentication works perfectly, but then when it tries to pass through the authentication to StoreFront it fails.

This picture just shows the login to the NetScaler ADC Access Gateway vServer:

[Image: NetScaler_Access_Gateway_login]


Host checks/EPA scans are not for everyone – #Citrix, #NetScaler, #AccessGateway

January 30, 2013

This is an interesting blog post from Citrix… It captures a scenario that I know one of my previous customers was thinking of, so have a look at it!

The main thing that I think of when reading this though is that EPA scans are NOT for everyone, I agree. And please also read my earlier posts on why it cannot be done with today’s products from Citrix.

#Citrix #Receiver 3.4 and 11.7 = is the #SmartAccess story more real now? – #CloudGateway, #AGEE, #NetScaler, #StoreFront

#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

Even though the latest Receivers changed some scenarios and enable host checks/EPA scans, it still doesn’t provide the full picture. But I’ll be publishing a more detailed picture on why later, some late night I’ll be able to complete it! 😉

Here you have the blog post from Tobias Frigger:

A customer of one of my Citrix Consulting colleagues recently came up with an interesting request.

Like many others they are using Citrix NetScaler’s Access Gateway Enterprise Edition module to grant secure remote access to applications and desktops.
Additionally, they use a client management and software distribution solution to deploy the EPA plugin to client computers and therefore wanted to suppress Access Gateway offering the EPA scan plugin for download through the browser. This introduces some additional level of control over which client is entitled to connect through Access Gateway.

An approach restricting certain user groups from logging in by using group memberships is a more common scenario, but in this case the customer intended to restrict the end points and not the users. When end users lack administrative permissions to install custom software, preventing the download is indeed an effective measure.

A job for Citrix Consulting!

As you know, Access Gateway Enterprise Edition offers two ways of running Endpoint Analysis (EPA) scans – before and after authentication. Consequently, there are two procedures.

The formal requirements

  • Remove the download button displayed when accessing the AGEE virtual server and the plugin is not detected by the browser or if the plugin is outdated
  • Alter the message text such that it refers users to contact their system administrator if they think the plugin should be installed.
  • When using a post-authentication EPA scan, add a “logout” button.

[Image: EPA Scan dialogue]

Backup
As a precaution, we want to make backup copies…


//Richard

#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

November 29, 2012

This little blog post is about Citrix SmartAccess. I’ve been a fan of SmartAccess for a long time, and it’s also something that Citrix has been talking a lot about in their story. The way that Citrix technology can provide applications, desktops and information to end-users on any device in a secure and controlled way.

But the purpose of this blog post is to give you my view of this story, and how true the SmartAccess story is. Remember that this is my personal view and that I’ve actually not tested all my theories below, so parts of it are purely theoretical at this stage.

So a bit of background first to build my case…

Citrix has been going on about SmartAccess, and it’s been true that the Access Gateway capabilities once added to Web Interface and XenApp/XenDesktop were great in terms of adding another layer of functionality that the IT supplier could use to determine how the XenApp and XenDesktop environments were accessed, and from what type of device. The device detection/classification is done through host checks (Endpoint Analysis Scans, EPA) that the Access Gateway feature provided as a pre- or post-authentication scan. The result of this scan was that the device either met the policies or didn’t, and then this policy could be leveraged by the other internal components (XenApp/XenDesktop) to control/manage which apps, desktops and functionality (virtual channels like printing, drive mapping etc.) the end-user should get for that specific session.

And this was/is working well for certain scenarios from a technical point of view. But is it really working for the whole story that Citrix and the whole IT-industry is driving now with BYOD etc.? Think about the message that is being pushed out there today, use any device, we can control and deliver according to security policies, we can provide access from anywhere, etc…

And this is where it becomes interesting. All of a sudden then you as an architect are to take this vision that your CIO or IT-board has and realise it into manageable IT services that combined deliver a fully fledged IT delivery of Windows, Internal Web, SaaS, Mobile and Data for this great set of use cases and scenarios. Wow… you’ve got yourself a challenge mate!

This text is from the Citrix homepage about SmartAccess:

SmartAccess allows you to control access to published applications and desktops on a server through the use of Access Gateway session policies. This permits the use of preauthentication and post-authentication checks as a condition for access to published resources, along with other factors. These include anything you can control with a XenApp or XenDesktop policy, such as printer bandwidth limits, client drive mapping, client clipboard, client audio, and client printer mapping. Any XenApp or XenDesktop policy can be applied based on whether or not users pass an Access Gateway check.

So let’s start off then with going back to the SmartAccess which is the topic of this blog!
