Archive
Content Switching instead of Load balancing of XenApp XML brokers? – #XenApp #NetScaler #CS #LB
Ok, I was contacted by another colleague today again about a customer and their setup of XenApp load balancing. They of course had NetScalers and had read the guidelines and best practises from Citrix on how to do load balancing and monitoring of XML brokers. But they had the same issue that many have, they had to contact the network team when they needed to add farms that they should load balance, and they needed an IP for each LB vServer per XenApp farm…
And this is not the first time I’ve seen this… why doesn’t people use Content Switching instead when doing load balancing of their XenApp farms (and other resources as well of course!)?
This is the Citrix picture on how to do it;
But what I’d do instead and recommend is to use Content Switching (CS) instead. Setup a CS vServer with an IP and an A-record in DNS, in the picture below it’s the one with bogus IP 10.10.10.10 and FQDN of cs8080.envokeit.local.
Then what you do is to configure a CNAME alias for each of your farms in DNS, like farm1.envokeit.local that you can see in the picture. Have the CNAME to be an alias of the CS you just created. Then in the NetScaler you setup your LB vServers just like you’ve always done and create the Service Group and add the correct monitors etc. to it. And remember that you in this case don’t have to have an IP set on the LB vServers, these don’t have to be directly addressable from the network, only through your CS that you just setup.
Then on the CS create your policies to do CS on the hostname of the incoming requests to the respective LB vServer. No more requesting IP’s per farm and all of that, one IP and you can support MANY farms…. I just love CS! 🙂
Happy content switching! 😉
//Richard
#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA
This little blog post is about Citrix SmartAccess. I’ve been a fan of SmartAccess for a long time, and it’s also something that Citrix has been talking a lot about in their story. The way that Citrix technology can provide applications, desktops and information to end-users on any device in a secure and controlled way.
But the purpose of this blog post is to give you my view of this story, and how true the SmartAccess story is. Remember that this is my personal view and that I’ve actually not tested all my theories below so parts of it is purely theoretical at this stage.
So a bit of background first to build my case…
Citrix has been going on about SmartAccess, and it’s been true that the Access Gateway capabilities once added to Web Interface and XenApp/XenDesktop where great in terms of adding another layer of functionality that the IT supplier could use to determine how the XenApp and XenDesktop environments where accessed, and from what type of device. The device detection/classification is done through host checks (Endpoint Analysis Scans, EPA) that the Access Gateway feature provided as a pre- or post-authentication scan. This scan then resulted that either the device met the policies or didn’t, and then this policy could be leveraged by the other internal components (XenApp/XenDesktop) to control/manage which apps, desktops and functionality (virtual channels like printing, drive mapping etc.) that the end-user should get for that specific session.
And this was/is working well for certain scenarios from a technical point of view. But is it really working for the whole story that Citrix and the whole IT-industry is driving now with BYOD etc.? Think about the message that is being pushed out there today, use any device, we can control and deliver according to security policies, we can provide access from anywhere, etc…
And this is where it becomes interesting. All of a sudden then you as an architect are to take this vision that your CIO or IT-board has and realise it into manageable IT services that combined deliver a fully fledged IT delivery of Windows, Internal Web, SaaS, Mobile and Data for this great set of use cases and scenarios. Wow… you’ve got yourself a challenge mate!
This text is from the Citrix homepage about SmartAccess;
SmartAccess allows you to control access to published applications and desktops on a server through the use of Access Gateway session policies. This permits the use of preauthentication and post-authentication checks as a condition for access to published resources, along with other factors. These include anything you can control with a XenApp or XenDesktop policy, such as printer bandwidth limits, client drive mapping, client clipboard, client audio, and client printer mapping. Any XenApp or XenDesktop policy can be applied based on whether or not users pass an Access Gateway check.
So let’s start of then with going back to the SmartAccess which is the topic of this blog!
#NetScaler #SDX design and best practise
Ok, I understand that this is something that I’ve touched upon before as well and received some comments on (NetScaler MPX vs. SDXÂ dilemma). But I’ll still continue the reasoning behind why I think that the NetScaler SDX architecture is great, and that is needs to be offered on all the different platforms/appliance types/sizes!
To kick off the reasoning I recommend that you read this post; #NetScaler #AAA on NS 10.00 Build 70.7 = watch out!. When you’ve read both previous posts I hope that you see where I’m now going with all of this…
Just have a look at this picture where I’m trying to illustrate two design options for how you could build your NetScaler service for a tenant;
And if you then keep in mind about the AAA bug that caused the whole NetScaler engine to crash, what happens in the top scenario if this VPX had been affected? Think about if that NetScaler hosted network connectivity to you public cloud services with workloads, all SSL VPN users connected to the enterprise, all ICA/HDX proxy users into XenApp/XenDesktop, and also provided AAA features to the enterprise web apps used by customers and partners etc.? Wow, that would actually mean that one single 401 basic authentication could have taken down EVERYTHING!
But; if you would have separated your capabilities/features into separate VPX’s then you wouldn’t have had that issue. The “only” thing that would have happened if you ran into an issue that caused the NetScaler to crash then it would only affect that VPX (AAA VPX in the scenario above).
So my personal view is that it’s great that Citrix provides all the features on one appliance/instance. But it also adds quality and test efforts on Citrix to ensure that they perform testing of ALL features and functions before releasing a new build. And that may affect the lead-time to get fixes and new builds released and quality may also be impacted… and that’s what I’m afraid of is happening. So a little word of advice; separate workloads/features when you can and when you don’t want this big of a risk, and prey that Citrix soon delivers the SDX architecture on all appliances! And they would of course perhaps not just sell the larger boxes like they force us into today even if the bandwidth capabilities of that box isn’t required. But they would instead sell more VPX’ on top of the HW, that’s at least what I think.
Comments?
Cheers!
//Richard
My Post-Synergy View – Update 2 #CitrixSynergy #Citrix #CitrixSummit #XenApp #XenDesktop #NetScaler #Sanbolic
Hi again!
Ok, time to wrap up my Synergy update post series… In the previous post I started to give U my view of the takeaways from Citrix Synergy. So let’s continue! 🙂
As I wrote before I tried to structure the post using the following; each heading represents the enhancement request topic and/or the takeaway item, and then the subheading of Description and Status is showing you my personal view on the topic and its status.
NetScaler
Description:
These where the items that we had on the enhancement list before going to Synergy:
- Create SDX platform/architecture to run on all MPX appliances, for more info why see; NetScaler MPX vs. SDX dilemma; https://richardegenas.com/2012/10/03/netscaler-mpx-vs-sdx-dilemma/
- Add support for AG session policies so that ICA proxy can be turned on for specific published apps and desktops and not per session. This for situations where you might have one app or desktop that sits behind an AGEE and others don’t.
- The NetScaler/Access Gateway HTML/GUI pages used shall be able to be customized per AGEE/AAA Virtual Server. Today they are global pages so that specific modifications/customizations cannot be made and you have to buy an additional NetScaler unless major customizations are done and then life-cycle management becomes an issue.
- Change so that you can specify different Authentication policies and requirements mapped to Session policies instead of to a Virtual Server, AAA group etc. This could then provide a way so that you could offer ICA proxy mode with single auth and two-factor if you launch/select to open an SSL VPN tunnel. And then a user that has forgotten a hardtoken could still get access but only in ICA proxy mode and have all virtual channels disabled without having to have multiple accounts in the Receiver and admin doesn’t need multiple NS AGEE VS.
- It would be good to get the same Account Self-Service functionality that the Single Sign-On/Password Manager service can provide and have integrated into the AGEE login page where end-users can themselves unlock their accounts and reset their passwords without involving Service Desk. And the solution for how to get the single sign-on account self service feature should be an integration part of the NetScaler AGEE console rather than manually updating the HTML pages etc.
UCS and XenDesktop – Best Practises guide #Cisco #UCS #XenDesktop #VXI
I must admin that the Cisco, NetApp and Citrix story around providing a great offering around a complete server hardware, storage and networking solution!
I’m currently attending the 5h SYNBCN12-614W-Platform training on XenDesktop with Cisco Unified Computing System and NetApp session here and I must say that I like the offering due to the broad capabilities of the products included in the solution.
I think that one of the real added values that companies will like is that you have ONE (1) support contact (Cisco) for the whole solution, then Cisco wodk with the others to solve any potential issue etc.
And while playing around here the trainer also mentioned this best practise guide, and it looks good;
Additional info about the Cisco VXI – Desktop Virtualization can be found here.
Cheers!
//Richard
Issue 23 – The XenDesktop Experience A Technical Publication for XenDesktop Customers
Ok, Citrix has again released the XenDesktop technical publication, have a look at it!
Example topics include;
- High Availability for Citrix XenDesktop and Citrix XenApp – Planning Guide
- How to Tighten the Security of Windows Desktops
- Tackling Windows Migration
Continue reading here!
//Richard
Please contribute – What do we expect from Citrix? – Citrix community enhancement list
Ok, there are a lot of things that I think we all expect Citrix to deliver now in Barcelona when Synergy soon kicks off! But so far I’ve not seen someone that has been combining a community list yet…
And the most important part I feel is that I get more and more information from companies out there that have enhancement requests and issues that they have a hard time expressing and getting into Citrix. The larger enterprises can of course through their channels get more information and also make their voice heard, but the SMB’s have a hard time to do so!
So this is my attempt to start a dialogue with all of U out there on what we expect to see from Citrix in the future! I think it would be interesting to see if the items I’m waiting for a change on is aligned with the rest of the community!
So why don’t we all contribute to a list that we all can share and prioritise over time? I can for a start moderate this list if you comment or send me items that you think should be on the list and then I’ll try to make sure that people within Citrix get the items and I’ll try to follow up! Of course we need help from the CTP’s (just to be clear; I’m not a CTP so don’t get me wrong here) and others as well to put pressure and assist in the governance of this activity.
So this is my first list of items that I think that we can build upon… It’s a first draft and far from the total number of items are there so bear with me! 😉
Please comment below to have your item(s) added to the list and let’s make a change!
| ID | Product/Area | Enhancement request/Issue | Status |
| 1 | Licensing | Ensure that all products supports the license server (NetScaler etc.) | Not fullfilled |
| 2 | Monitoring & Reporting | Ensure that you can get historical concurrent user reports that spans across ALL products (NetScaler/AG, XenApp, XenDesktop etc.) | Not fullfilled |
| 3 | Monitoring & Reporting | Ensure that Citrix provides an end-2-end monitoring and reporting service for the whole Citrix stack. This to ensure that delivery organizations can deliver reports like “Service Availability in %” over time that includes all service components (NetScaler AGEE VIP, StoreFront/WI, PVS/MSC, XenServer, XenApp/VDA, Profile Server, etc. If Citrix isn’t going to do this; then please point on a product that does the job. | Not fullfilled |
| 4 | Monitoring & Reporting | Provide a monitoring solution to ensure health and best practise configurations of all products involved in a traditional “XenDesktop” stacked service. | Not fullfilled |
| 5 | Cross-product | Improve your testing!! There have been to many issues with updates to products in the “Citrix stack” that has caused issues in others, like update to XenServer that caused PVS issues, or updates to a specific NetScaler feature that caused others to fail. | Not fullfilled |
| 6 | Cross-product | Create an central update service for all products that can inform the admin about updates not applied or if components aren’t in synch in terms of SW versions etc. | Not fullfilled |
| 7 | Cross-product | Ensure that the end-user look & feel are the same across the products used in the stack (NetScaler AGEE login page, Web Interface/StoreFront, Receiver etc..). This should not require admins to do and should be a design principle. | Not fullfilled |
| 8 | Cross-product | Come on, simplify the administration of the products in the stack = reduce the number of consoles! | Not fullfilled |
| 9 | AppController | Multi-domain support | Not fullfilled |
| 10 | AppController | Support for multiple setups that can synch the DB. This to ensure that you can have an HA pair setup for instance in Europé and one in the North Americas and have the end-user be logged in against both and have their subscriptions etc follow them (as well as of course reporting, monitoring etc. etc.) | Not fullfilled |
| 11 | AppController | Support for really large AD domains with LARGE # of AD users and AD groups | Not fullfilled |
| 12 | AppController | Support for AD domain structure where the BASE DN is different to where AD users and the AD security groups you want to use for roles | Not fullfilled |
| 13 | EdgeSight | Ensure that EdgeSight or equivalent end-user monitoring and reporting is integrated and that works on both XenApp and XenDesktop VDA’s and that doesn’t increase the IOPS with rediciolous numbers… | Not fullfilled |
| 14 | NetScaler | Create SDX platform to run on all MPX appliances, for more info why see; NetScaler MPX vs. SDX dilemma; https://richardegenas.com/2012/10/03/netscaler-mpx-vs-sdx-dilemma/ | Not fullfilled |
| 15 | NetScaler | Provide out of the box integration with the Single Sign-On product (former CPM) so that Account Self-Service can be made directly from AGEE VIP login page. | Not fullfilled |
| 16 | NetScaler | Add support for AG session policies so that ICA proxy can be turned on for specific published apps and desktops and not per session. This for situations where you might have one app or desktop that sits behind an AGEE and others don’t. | Not fullfilled |
| 17 | NetScaler | The NetScaler/Access Gateway HTML/GUI pages used shall be able to be customized per AGEE/AAA Virtual Server. Today they are global pages so that specific modifications/customizations cannot be made and you have to buy an additional NetScaler unless major customizations are done and then life-cycle management becomes an issue. | Not fullfilled |
| 18 | NetScaler | Change so that you can specify different Authentication policies and requirements mapped to Session policies instead of to a Virtual Server, AAA group etc. This could then provide a way so that you could offer ICA proxy mode with single auth and two-factor if you launch/select to open an SSL VPN tunnel | Not fullfilled |
| 19 | NetScaler | It would be good if you on the Receiver could select what authentication you want to perform upon login and not just at setup of the Account. That would mean that you could pass that info the the NS VS and then in AGEE handle that to the authentcaiton policies and session policies. Then a user that has forgotten a hardtoken could still get access but only in ICA proxy mode and have all virtual channels disabled without having to have multiple accounts in the Receiver and admin doesn’t need multiple NS AGEE VS. | Not fullfilled |
| 20 | Merchandising Server | Ensure that it supports larger AD environments and multi-domain support | Not fullfilled |
| 21 | Merchandising Server | Create a central DB for config etc or ensure that MS is migrated into SF asap. | Not fullfilled |
| 22 | Provisioning Services | Improved/simplified support/update functionality for when you use KMS licensing | Not fullfilled |
| 23 | Provisioning Services | Create REAL update msp or msi files for updates, you can’t require admins to go in and replace DLL-files etc in 2012 | Not fullfilled |
| 24 | Provisioning Services | Implement replication of vDisk files (diff-files) etc so that it’s automated within the PVS solution so that you don’t have to rely on DFS-R etc. | Not fullfilled |
| 25 | ShareFile | Ensure that encryption on local devices are available for all device types and OS’s (iOS, Android, Windows Phone, Win XP/7/8, Linux, OS X) | Not fullfilled |
| 26 | ShareFile | Design the product so that you could leverage public storage providers for your storage but encrypt it using your own PKI service and proxy traffic to it through the Storage Center server(s) without having to invest in in-house storage solutions and reduce CAPEX. | Not fullfilled |
| 27 | ShareFile | Design the solution so that you can configure the plygin/Receiver functionality when it comes to StoreFront on groups/roles instead of just for the whole account. | Not fullfilled |
| 28 | Storefront | Support for multiple setups that can synch the DB. This to ensure that you can have an HA pair setup for instance in Europé and one in the North Americas and have the end-user be logged in against both and have their subscriptions etc follow them (as well as of course reporting, monitoring etc. etc.) | Not fullfilled |
| 29 | Storefront | Simplify configuration and branding of the StoreFront for Web sites like most other providers have and they had in Web Interface | Not fullfilled |
| 30 | Storefront | Add all features that where available in Web Interface | Not fullfilled |
| 31 | StoreFront | Design the product to allow the user to select whether he/she can group apps and desktops into folders or tabs in StoreFront for Web | Not fullfilled |
| 32 | Receiver | Ensure that email-enrollment to StoreFront stores can somehow support multidomain support (like if you have multiple users having the same email-address; name@company.com can be linked to different AD domains | Not fullfilled |
| 33 | Receiver | Corporate branding for the Receiver, logo, text etc. | Not fullfilled |
| 34 | Receiver | Ensure that all Receivers have the same look & feel and functionality. Like the secondary and primary password field names should be the same on a Mac and a Windows client, as well as other features. | Not fullfilled |
| 35 | Receiver | Add so that Receiver passes DOMAINNAME to NetScaler/AG VS so that it can be used to determine which AD domain to authenticate with. In todays version you have to either make one VS per domain or cascade through multiple domains on the same VS. And cascading is available as a workaround but triggers failed logins against AD and is not that nice and security/AD teams are not that happy… | Not fullfilled |
| 36 | XenDesktop | Support for Linux VDA’s (Ubuntu for example) | Not fullfilled |
| 37 | XenApp | Support for Linux Terminal Servers (Ubuntu for example) | Not fullfilled |
I’ll post an excel-spreadsheet as well for download soon, and then let’s see if there is an interest or not! 😉
Cheers!
//Richard
Citrix Knowledge Center Top 10 – September 2012
Citrix has released the September Top 10 list, ensure you have a look at it!
Citrix Support is focused on ensuring Customer and Partner satisfaction with our products.
One of our initiatives is to increase the ability of our Partners and Customers to leverage self-service avenues via our Knowledge Center.
Find below the Citrix Knowledge Center Top 10 for September 2012.
Top 10 Technical Articles
| Article Number | Article Title |
|---|---|
| CTX129229 | Recommended Citrix and Microsoft Hotfixes for XenApp 6 and Windows Server 2008 R2 |
| CTX129082 | Application Launch Fails with Web Interface using Internet Explorer 9 |
| CTX132875 | Citrix Receiver Error 2320 |
| CTX804493 | Users Prompted to Download ICA File, Launch.ica, Instead of Launching the Connection |
| CTX105793 | Error: Cannot connect to the Citrix server. Protocol Driver Error |
| CTX101644 | Seamless Configuration Settings |
| CTX101810 | Communication Ports Used By Citrix Technologies |
| CTX127030 | Citrix Guidelines for Antivirus Software Configuration |
| CTX133037 | Citrix Receiver 3.2 – Issues Fixed in This Release |
| CTX115637 | Citrix Multi-Monitor Configuration Settings and Reference |
Continue reading here!
//Richard
Lync 2013 client preview for VDI/Hosted Virtual Desktop environments
This is an update in the right direction for getting all Lync features to work in a hosted environment! But where are we on this topic of getting the collaboration features etc. to our end-users in a good way to the “Any Device” and “Anywhere” or BYOD if that’s what you wanna call it?
Before there has been a lot of issues with running Lync and what’s supported feature-wise depending on where you ran Lync, what protocol you where accessing it over and how Lync was presented (either as published desktop or as a published app). And this had it’s challenges for companies that for instance wanted to go to a BYOD model where the end-point device the user was sitting on wsn’t managed and didn’t allowed Lync to be installed and where those users then were relying on their XenApp or XenDesktop environment. And then there are features that aren’t supported or let’s say; didn’t work that well and really loaded the host server.
The table below is from a great Microsoft blog post by Jesper Osgaard where he compares the features of Lync in a virtualized environment;
What did Citrix do about it? Well first they released the HDX Realtime Optimization Pack for Microsoft Lync to address these issues and to ensure improved Lync functionality. And I must give Citrix credit for adding support for Linux directly!
Try it! – Profile Management Configuration Check Tool (UPMConfigCheck)
Ok, how often don’t you hear or see that technology just have been implemented with the “Next -> Next -> Finish” methodology? Now Citrix has introduced a tool to check whether you’ve configured your environment the most optimal way or not! Great!
“UPMConfigCheck is a PowerShell script that examines a live Profile management system and determines whether it is optimally configured.
UPMConfigCheck requires PowerShell 2. UPMConfigCheck is designed to run on XenApp servers and on XenDesktop virtual desktops with Profile management installed. Supported operating systems are the same as for Profile management.
These include:
• Windows XP
• Windows Vista
• Windows 7
• Windows Server 2003
• Windows Server 2008 / Windows Server 2008 R2
32-bit and 64-bit operating system versions, where available, are supported.”
Download it here and here you find a good blog post about it!
//Richard
The IT Melting Pot! 