Your are here: Home > Blog

XenApp – Beyond Application Virtualization

May 28th, 2010 | Posted by Sid Herron in Application streaming | Application Virtualization | Citrix | Virtualization | XenApp - (0 Comments)

A couple of days ago, in the post entitled “What Is Application Virtualization?” I made the statement that, although application virtualization is a component of XenApp, and has been since the release of Presentation Server v4.5, XenApp is more than just application virtualization. To fully understand what I mean by that, you need to understand the Citrix vision of how applications should be delivered to users.

Over the years, there have been a lot of ways to connect client devices to server-based applications and desktops: Program Neighborhood, Program Neighborhood Agent, “Project Charlotte” which became Nfuse which became Web Interface, etc., etc. But if you look back over the last 15+ years, you will see an evolution toward the Citrix vision of “Any” – any application, to any device, anytime, anywhere, over any kind of connection – and you will see an ongoing effort to make it simple and easy for users to access the applications they need, as well as easier for the IT staff to deliver the right applications to the right users.

In Citrix’s view, the delivery of applications to users should be as simple as the delivery of broadcast content over your satellite TV network. Think about that model for a moment – you generally don’t have to worry about whether you have a big or small TV set, or whether it has a traditional picture tube (yes, there are still some of those around), an LCD screen, or a Plasma screen…because you have a receiver that conforms to an accepted standard, and that will connect to any TV. You bring the TV home, take it out of the carton, and connect it to your satellite receiver, and with little or no additional configuration, you can watch the channels you’ve subscribed to. And you get to decide what you watch and when. If you have a DVR built into your receiver (as most do these days), you can even cache the programming content and watch it later.

The current Citrix delivery method is darned close to this, and completely unique in the market, in my opinion. There are four basic components:

  • The Citrix Receiver, together with several plug-ins for the Receiver.
  • The Citrix Merchandising Server, which is a virtual appliance designed to run on either XenServer or VMware. My expectation is that it will also soon be ported to Hyper-V.
  • Citrix Dazzle, which is a mechanism for user self-service.
  • Citrix Update Service, which is an on-line service provided by Citrix that is responsible for notifying Merchandising Servers of available plug-in updates.

Let’s look at these in turn, then see how they all play together.

Receiver
Citrix used to have a lot of separate clients, that all had to be installed separately. You had a client for XenApp. You had another client for XenDesktop. You had one for the Access Gateway, one for Single Sign On (a.k.a. Password Manager), one for Branch Repeater acceleration, one for receiving streamed apps – you get the picture. It was getting a little ridiculous, not to mention difficult to manage, and cluttered up your System tray with multiple little icons. By contrast, the Receiver is a sort of “universal client” that is responsible for managing a variety of plug-ins on the client desktop. Instead of multiple client icons in your System Tray, you’ll have just one – the Receiver. The plug-ins are modules of client functionality that are managed by the Receiver. At the moment, you have plug-ins for:

  • Secure Access (for Access Gateway Enterprise Edition)
  • Secure Access (for Access Gateway Standard Edition)
  • Online Plug-in (for XenApp hosted applications/desktops and connecting to XenDesktop-managed virtual PCs)
  • Offline Plug-in (for streamed applications)
  • App-V Plug-in (for Microsoft App-V streamed applications)
  • Communications Plug-in (for EasyCall)
  • Acceleration Plug-in (Branch repeater)
  • Service Monitoring Plug-in (enables Edgesight for Endpoints to gather data from the client)
  • Profile Management Plug-in (enables Citrix Profile Manager)
  • Dazzle Plug-in (enables application self-service via the Dazzle interface)

Merchandising Server
The Merchandising Server is the virtual appliance responsible for managing and delivering the Receiver and its various plug-ins to end users. The Merchandising Server can contact the Citrix Update Service via the Internet and download the latest versions of the Receiver and plug-ins. Once you have those, you create rules that stipulate what the Merchandising Server will push to different users as they authenticate, depending on such parameters as Machine Name, User Domain Membership, Machine Domain Membership, Operating System, and IP Address Range.

The first time the user connects, s/he will point a browser at a designated URL and enter login credentials, and the Merchandising Server will push down the specified package, which will be automatically installed. One installed, the Receiver will periodically check back with the Merchandising Server for updates, so you can dynamically add, remove, or update plug-ins as required.

Dazzle
Dazzle is a new variation on the old Program Neighborhood Agent theme that enables user self-service. Those who have worked with Citrix technology for a while will remember that the PN Agent communicated “behind the scenes” with a special Web Interface site to retrieve a list of the published applications available to the user. Icons for those applications could be pushed onto the Start Menu, or accessed by right-clicking on the PN Agent icon in the System Tray. The Dazzle plug-in also communicates with a special Web Interface site, but allows the user to open a window, view the available applications, and select the ones s/he wants to use (see below):

Dazzle User Experience

Dazzle User Experience


Applications can be organized into multiple “Stores” by the Administrator, and can be tagged to appear in a “Featured” list to draw the user’s attention. There’s a friendly description of each available application, and a column that indicates whether that application will work offline (i.e., whether it will be streamed to the client machine) – and, by the way, it doesn’t matter whether the app was packaged for streaming using the Citrix tools or using Microsoft’s App-V, so long as you’ve delivered the correct plug-in to them. Applications that are not tagged as working offline are, by implication, going to be executed on a XenApp server, and therefore will only be available when the client has connectivity to the XenApp server farm.

The user can browse through the list, or use a search function, which is extremely valuable in an enterprise that may have dozens – or even hundreds – of applications. To select an application, the user simply clicks on the “Add” button. The selected applications will appear in a “Dazzle Apps” folder on the Start Menu tree:

Dazzle Apps Folder

The Dazzle Apps Folder


So let’s summarize what we have with this system:

  • Administrators can easily publish applications, and organize them into “App Stores.” Applications from multiple server farms can be integrated into a single App Store, or multiple App Stores can be created as desired (e.g., one for Human Resources, one for Engineering, etc.).
  • Users no longer have to install or configure anything – all required client software is transparently pushed out to them and installed, and automatically updated, by the Merchandising Server.
  • Users can help themselves to the applications they need to be productive, and to only those applications. Just because an application is available to them doesn’t necessarily mean they will have an icon for that application cluttering up their desktop or Start Menu.

I don’t think that application delivery can get much easier than that.

And why, you may ask, is User Self-Service something you should be concerned about? Well, in addition to the obvious fact that is makes life easier for both your users and your IT staff, take a peek at the following video. Increasingly, these are the people you are going to want to attract and retain as employees. They’ve grown up with technology, and they have their own preferred ways of using it to be productive. Here’s what they had to say about corporate computing:

This is why I contend that XenApp is substantially more than just application virtualization, and substantially more than “something I add to my Remote Desktop Servers to make things run faster.” It is a new and unique way of delivering to your users the applications they want and need, and only those applications, with minimal muss and fuss on both ends of the transactions. Increasingly, your users are used to the self-service model (e.g., the Apple on-line store), they find it intuitive, and they like it. It enables BYOC (“Bring Your Own Computer”) policies. It makes life simpler for everyone. And no one else has anything like it at the moment.

If this has caught your interest and you’d like to see more detail, check out the video below. It’s a bit long (about 30 minutes), but does an excellent job of explaining how everything works:

, , , , ,

What Is Application Virtualization?

May 26th, 2010 | Posted by Sid Herron in Application streaming | Application Virtualization | Citrix | Microsoft | Virtualization | VMware | XenApp - (2 Comments)

Some folks out there are still scratching their heads over the Citrix decision to change the name of Presentation Server to XenApp. There were actually several reasons for that change. For one thing, we’ve all seen Remote Desktop Services (formerly known as Terminal Services) get better and better with every release of Windows Server – and don’t think for a minute that Citrix didn’t see that coming. As closely as they work with Microsoft, of course they did. So it became obvious to Citrix long ago that they needed a better value proposition for their product than “something that I add to Terminal Services to get better performance.”

In point of fact, Citrix does have a considerably better value proposition than that – but not everyone was “getting it.” One way to help people get it is to re-frame the conversation by repositioning the product, and sometimes changing the product name can help make that happen.

But why XenApp? Well, that goes back to the acquisition of XenSource a few years ago. It seems that, after making that aquisition, Citrix decided that, in their vocabulary, “Xen” = “Virtualization.” Therefore…

  • “XenServer” = “Server Virtualization”
  • “XenDesktop” = “Desktop Virtualization”
  • “XenApp” = “Application Virtualization”

But does it, really? (XenApp, I mean.) Well, sort of. These days, application virtualization is a component of XenApp, but XenApp is more than just application virtualization.

Which brings me back to the question: What is application virtualization? I would suggest, as a good working definition, that, just as server virtualization is the abstraction of a server operating system from the underlying hardware, application virtualization is the abstraction of an application from the operating system it’s executing on.

We virtualize servers by interposing a layer of software – the hypervisor – between the hardware and the operating system. Although some operating systems, like Windows Server 2008, are virtualization-aware, meaning that they know when they’re running on a hypervisor and modify their behavior accordingly, earlier OS versions had to be fooled into thinking that they were running directly on server hardware when in fact they were not.

Applications today are still at the stage of development where they have to be fooled into thinking that they’ve been installed normally when in fact they have not. When they’re installed, applications typically write specific information to specific locations in the Windows registry. They place .DLL files into specific folders (most frequently into C:\Windows\System32) – and sometimes these .DLL files overwrite or conflict with others, which is why you can’t, for example, run two different versions of Microsoft Access on the same PC workstation without some kind of application virtualization. Application virtualization places a sort of “software wrapper” around the application – sometimes referred to as an “isolation environment,” or a “sandbox.” It causes these Registry keys and files to be written to an application specific location, and redirects the application calls so they can be found when the application executes.

By contrast, when an application is executed via Remote Desktop Services (with or without the involvement of XenApp), you’re really virtualizing the presentation of the application. The application is executing on the server, and the user interface is being presented remotely at a client device, using a protocol such as RDP (Microsoft) or ICA (Citrix) to transport keystrokes and mouse movements from the client to the server, and screen updates from the server to the client.

In the old days – and often today as well – that application was installed directly on the Remote Desktop server. Today, we can instead use application virtualization to deliver the application to the server for execution on demand rather than installing the application in advance in the traditional way. But it’s important to understand that presentation virtualization – running the application in one place and displaying the user interface in another – is not the same thing as application virtualization, which, as we have defined it, has to do with how that application is installed on the desired execution platform and how it behaves when it executes.

The first product to do application virtualization on a large scale for Windows apps was Softricity, by a company called SoftGrid. Softricity evolved into App-V after Microsoft acquired SoftGrid. App-V not only virtualizes the application as described above, it also allows the application to be streamed on demand to the computer that needs to execute it. Application streaming works better than you might think, because it turns out that for most Windows apps, most of the code is seldom (if ever) used. (Just think of all the arcane features in Word or Excel that the average user will probably never use.) So we can stream down just enough code to get the user interface up and running, and continue to stream additional code in the background as features are actually required.

The combination of (1) not having to explicitly install applications on workstations (or Citrix servers, for that matter), and (2) not having to worry about applications conflicting with one another can make life much easier for the IT staff:

  • You no longer have to run around from workstation to workstation with a backpack full of installation CDs.
  • It can potentially eliminate the old practice of having multiple “silos” of servers within a Citrix server farm to run applications that would not play nicely with one another.
  • It makes image management for both workstations and XenApp servers much simpler, because if all of your applications are baked into your OS image, then any application change requires that you change (and regression test) your OS image – but if a streamed application changes, all you have to change is that application.

Meanwhile, back in Fort Lauderdale, Citrix had been working on its own approach to application isolation, which was added to the Enterprise and Platinum editions of Presentation Server when v4.0 was released. This “Application Isolation Environment” then evolved into application streaming with the release of Presentation Server v4.5. For those who are familiar with the Citrix application publishing paradigm, you can now:

  • Run the application through the Citrix packaging utility
  • Park the resulting package on a shared folder that’s accessible by your target machines
  • Step through the process of publishing the application, with a new twist: “I want to make this application available to this group of users, on this set of XenApp servers, and here’s the path to the application package.”

NOTE: Yes, I know that not all applications can be successfully packaged for streaming. But most modern Windows applications can be. Yes, you’ll have to test your apps, or, if you have a lot of apps, use a tool like AppDNA to analyze them for compatibility.

Administrative options allow you to specify whether an application package will be streamed to a XenApp server to be executed there, or streamed directly to the client PC to be executed there, or conditionally streamed (e.g., stream to the client PC if a particular set of criteria is satisfied, otherwise execute the app via XenApp). You can also stream it and cache it on the client PC so, in the case of a laptop, it can be disconnected from the network and continue to run the app for a specified period of time.

So, in a sense, the application virtualization component of XenApp competes with App-V. Prior to the release of XenApp 6, our advice would have been to use XenApp to package and stream apps if your need was primarily to serve up apps to Citrix users, and use App-V if Citrix represented only a small piece of your infrastructure and you primarily needed to package and stream apps to Windows-based workstations. This was mostly based on the fact that App-V needed its own servers to control publishing and streaming of the applications – so if your primary need was to deliver apps to XenApp users, it didn’t make sense to build that App-V control infrastructure when your Citrix farm already had everything you needed to stream apps via XenApp.

One of the features of XenApp 6, however, is the ability to deliver App-V packages through the Citrix application publishing infrastructure, without having to build out the App-V back-end server infrastructure. So now you can use whichever packaging tool you prefer with your Citrix infrastructure. If your staff is more familiar with – or just prefers – App-V, it’s not a problem, because XenApp will support those packages natively.

A discussion of application virtualization wouldn’t be complete without mentioning VMware’s ThinApp. A while back, VMware, seeing which way the competitive winds were blowing, realized it needed an application virtualization solution of its own, so it went out and bought one. In addition to packaging and streaming, ThinApp can also wrap an application up as a free-standing executable, meaning that you could theoretically carry the entire Microsoft Office suite with you on a USB stick, and plug it into any Windows PC anywhere regardless of whether (or which version of) Office was installed on that PC. Of course, if you actually did that with a PC that wasn’t already legally licensed for Office, you’re violating your Microsoft Office license, but I digress.

There are other application virtualization products in the marketplace, but at the moment, the “big three” are App-V, ThinApp, and XenApp. However, as I said way back in the beginning of this post, XenApp is more than just application virtualization. And that will be the subject of my next post.

, , , , , , , ,

Five Cool Products from Synergy 2010

May 18th, 2010 | Posted by Sid Herron in Application streaming | Application Virtualization | Citrix | Citrix Synergy | Provisioning Services | VDI | Virtualization | XenDesktop - (1 Comments)

As many readers know, I spent last week attending back-to-back Citrix conferences in San Francisco. Monday and Tuesday (“Summit”) was for Citrix Partners, Wednesday through Friday (“Synergy”) was for the larger user community. In the coming days, I expect to be writing a lot about stuff I learned there – to the extent that I can without violating the Non-Disclosure Agreement that all attendees agree to as part of the registration process.

Today’s post is about five cool products that I think are worthy of further investigation. I should stress that, aside from Wyse, we do not currently sell any of these vendors’ products, and we may or may not partner with them in the future. So this should not be interpreted as an endorsement other than to say that these products intrigued me and I believe them to be worth looking into.

Wyse XenithTM “Zero Client”
Finally, a non-Windows-based thin-client device with HDX MediaStream video support! I can hardly wait for us to get our hands on one of these for testing. Up until now, if you wanted high performance video, you needed to buy a Windows-embedded thin-client, and install the same Citrix Receiver and plug-ins that you would install on a full-blown desktop PC. And, unfortunately, a Windows-embedded thin-client can easily cost as much as a low-end PC. While I don’t have firm cost numbers yet, I was told it would be “sub-$300” (which I assume to mean $299).

At the Wyse demo, they plugged in the box, turned it on, it auto-discovered the XenDesktop infrastructure and automatically configured itself accordingly, and was ready to use literally in a few seconds. Wow.

Kaviza’s “VDI-In-a-Box”
Kaviza has an intriguing product. It won the “Best of Synergy” award in the “Business Efficiency” category. As the product name implies, they make a virtual appliance that handles the provisioning, load-balancing, and management of virtual desktops in a single package. Their original appliance was designed to run on VMware, but the Beta of v3.0 they were showing at Synergy will run on XenServer. They do not require shared storage (i.e., a SAN), or a separate connection broker. When you add more of their appliances, their “grid” automatically reconfigures itself to incorporate the new appliances, replicating desktop template images as required.

They’re positioning this as an SMB solution – up to a couple hundred desktops. If you’re going to grow beyond that, you’re probably going to want the greater storage efficiency of storing your desktop images on a SAN and using the provisioning services of XenDesktop 4. Also, this is specifically a VDI solution, by which I mean a bunch of virtual PCs running on one or more virtualization hosts. As we’ve discussed in other posts, VDI is only one kind of desktop virtualization. If you want the flexibility of being able to leverage all the different kinds of desktop virtualization, XenDesktop gives you that flexibility.

Suggested list price is $125 per concurrent user. Citrix has a VDI-only version of XenDesktop (which does include provisioning services, but does not include any other form of desktop virtualization) which lists for $95 per named user, or $195 per concurrent user. So, taking into account the cost savings from reducing the back-end infrastructure requirements, Kaviza is certainly competitive for smaller deployments, if you’re looking for strictly a VDI solution. Kavisa estimates that, including the virtualization hosts, you’re still under $500/user.

Interestingly enough, Citrix recently made a “strategic investment” in Kaviza, and has licensed their HDX high-performance video technology to them. This suggests that, at some level, Citrix does not necessarily view Kaviza as a competitive threat to XenDesktop 4.

You can view a demo of an earlier version of Kaviza on Brian Madden TV, or go right to the source and sign up for a Webinar on their upcoming v3.0 release.

App-DNA
Good Lord, if we’d only had a tool like this a few years ago. Several years ago, we worked with a major financial institution that will remain nameless (you know who you are) to build an infrastructure of what was then called Presentation Server that would serve up roughly 300 different applications to roughly 1,000 users. Application Isolation wasn’t available at the time, so we had to do things the hard way. We had a team of several engineers who spent months on application compatibility testing – not only to see which apps would run in a Presentation Server environment, but to see which apps could co-exist in a single server image. It was a huge project, and cost the customer a very large pile of money.

The App-DNA AppTitudeTM software automates the process of application compatibility testing. You give it access to the installation packages of your applications, and it will tell you which Windows desktop and/or server Operating Systems they are compatible with, whether they’re 64-bit compatible, and whether you should be able to package and stream them with XenApp’s app streaming tool or with Microsoft’s App-V. Moreover, if there’s an issue with an application, it tells you what the issue is and makes suggestions as to how you may be able to remediate it!

This product won the “Best in Show” award at Synergy, as well as winning in the “Process Improvement” category. The people I talked to couldn’t give me pricing, but if you’re looking at a major upgrade or migration that involves a lot of applications, this could be a huge time-saver.

Liquidware Labs
Their Stratusphere FitTM product was a Best of Synergy finalist in the “Business Efficiency” category (the category that was won by Kaviza). This is a VDI assessment tool. It will monitor and log a bunch of desktop OS and user performance metrics, looking at network usage, application usage, disk and memory utilization, graphics intensity, disk IOPS, network latency between the current desktop location and the data center you’re hoping to move it to, etc.

After gathering information for a while (a minimum of two weeks is recommended), it will spit out both detail and summary reports that will identify good, fair, and poor candidates for virtualization, identify potential problem areas, and help you size the back-end infrastructure that will be needed to host all of the newly-virtualized desktops.

The cost of a time-limited license (90 days, if memory serves me correctly) is roughly $7 per user. Look at it this way: You can design your VDI hosting environment by the seat of your pants, and probably end up either over- or under-building the infrastructure, or you can spend a little bit of money to develop some hard data to guide the design decisions. If it helps you avoid design mistakes, and helps insure the success of your VDI project, that’s probably money well spent.

Unidesk
The Unidesk product competes directly with the provisioning services component of XenDesktop 4. Why, you may ask, would you want to pay extra for a third party product instead of using the provisioning functionality that comes with all versions of XenDesktop 4? Here are some possible reasons:

  • Unidesk integrates patching and version management into their provisioning tool.
  • Unidesk can deliver boot-time drivers such as antivirus software, VPN software, and printer drivers as components that are separate from your master OS image.
  • Unidesk integrates application management into their provisioning tool, including applications that have been packaged for streaming via XenApp, App-V, or ThinApp.
  • The big one: Unidesk treats user-installed applications as part of “user personalization” – yes, you can provision from a single master OS image and still allow users to install their own apps. (And you can also – relatively easily – repair the damage when a user installs an app that breaks something else.)

In some organizations, user acceptance will make or break a desktop virtualization project. In a native XenDesktop 4 deployment, if you want to allow the user to install applications, you have to dedicate an OS image to that user. If this is a requirement for a lot of your users, you’re going to burn up a lot of expensive SAN storage. If internal company politics will allow you to lock down the corporate desktop, great! Your life will be much easier. And, as we’ve observed elsewhere, XenClient promises to address this by giving the user multiple desktops: a corporate desktop that’s locked down, and a personal desktop where they can install their own applications. But if you are forced, for whatever reason, to allow your users to install their own applications on top of the corporate desktop image, Unidesk could save you a bunch of storage space, and maybe even your sanity.

, , , , , , , , ,

Cloning a XenApp 6 Server

May 18th, 2010 | Posted by Jeromy Carman in Application Virtualization | Citrix | Troubleshooting and How-Tos | XenApp - (4 Comments)

One of the many enhancements Citrix made in XenApp v6 is that cloning a server is now much easier that it was in previous versions. Here’s a step-by-step guide, with lots of screen caps:

  1. Install the updated XenApp Server Configuration Tool.
  2. Run the XenApp Server Role Manager (Start – All Programs – Citrix – XenApp Server Role Manager – XenApp Server Role Manager):
    XenApp Server Role Manager

    XenApp Server Role Manager

  3. Select “Edit Configuration:”
    Edit Configuration

    Edit Configuration

  4. Select “Prepare this server for imaging and provisioning:”
    Choose a Task

    Choose a Task

  5. On the next screen, check “Remove this current server instance from the farm,” as shown below, then click “Next.” As the pop-up tip indicates, this will save you from having to do it manually later. The server will automatically join the farm when you bring it back on-line.
    Provisioning Options

    Provisioning Options

  6. On the next screen, click “Apply:”
    Ready to Configure

    Ready to Configure

  7. The server runs through the items that are needed to prepare XenApp for cloning. Note the informational warning that the settings will be applied when you clone or reboot the server. This means that once your new server comes on-line, it will automatically join the farm that the original server was in (before you removed it in Step 5).
    Configuring Server

    Configuring Server

  8. Back at the XenApp Server Role Manager screen, you can choose to reboot the server (which you probably don’t want to do just yet), or simply close the window and proceed with any additional tasks you may need to perform before cloning, such as Sysprep.
    XenApp Server Role Manager

    XenApp Server Role Manager

  9. After you’ve finished any additional tasks, you can shut the server down, and clone it to your heart’s content. When your clones come back on-line, if they have a network connection on the correct IP subnet, they will automatically join the farm. However (“gotcha” alert), if you didn’t Sysprep them, they will all try to join the farm under the same machine name – the one your original server had. So if you didn’t change the name of the server, it’s best to disconnect it from the network, change the name and IP address, reconnect to the network, join it to the AD Domain, and then reboot it so it can join the XenApp farm using the correct name.

If you’re a Citrix “old-timer,” you’ve got to agree that it doesn’t get much easier that this!

, ,

Why Isn’t Desktop Virtualization More Widely Adopted?

May 12th, 2010 | Posted by Sid Herron in Citrix | Citrix Synergy | VDI | Virtualization | XenApp | XenClient | XenDesktop - (15 Comments)

I attended an interesting session at Citrix Synergy earlier today. It was conducted by Ron Oglesby, Chief Solution Architect of Unidesk, and the subject was why desktop virtualization has not taken off like server virtualization has. This is something I’ve wondered about myself, so I was eager to hear someone else’s view on the subject. Since a lot of the points he made could also be classified as “things to watch out for,” I thought others might also find it interesting.

First of all, it is important to recognize that “Virtual Desktop” does not equal “VDI.” (And by “VDI,” I mean turning your physical PCs into virtual machines that are running on some kind of hosting infrastructure, such as VMware, XenServer, or Hyper-V.) VMware has done a pretty good job in many cases of framing the conversation as though these terms were equivalent, because VDI is what they do, and it’s in their best interests to frame the conversation that way. Hats off to them for the degree to which they’ve accomplished that.

But VDI is just one form of desktop virtualization. The fact is that we’ve been virtualizing desktops since the debut of WinFrame a decade and a half ago. And it can be argued that XenApp is still the most cost-effective way to virtualize a desktop. I can pretty much guarantee that, on a given piece of server hardware, I can support more concurrent users with XenApp than I can by building individual virtual PCs.

But what seems to be happening in some cases is that management has seen the tremendous cost savings that have been achieved through server virtualization, so they decide that they should virtualize desktops the same way they virtualized servers, expecting that they will see the same kind of dramatic cost savings. Often, they are painfully disappointed.

Dramatic cost reduction through server virtualization is a no-brainer. You take a bunch of servers that are already in the data center, most of which are probably idling along at less than 10% processor utilization (if that), and consolidate them onto a smaller number of servers. You save space. You save power (both the power it takes to run the servers and the power it takes to cool them). You gain agility and fault tolerance through things like live motion technology. The CAPEX (capital expenditure) savings are obvious. You can probably show a positive return on investment in the first year.

Near-term CAPEX savings are almost impossible to show in a VDI project, because of the back-end infrastructure you have to put in place to host your virtual desktops. (Note that we’re talking here specifically about VDI as I defined it earlier in this post.) Your savings are primarily in ongoing operating expenses, and (according to the Burton Group in a different session I attended) it may take as long as 3 – 5 years to see a significant ROI. Beyond that, you’re talking about things that are very hard to quantify at all, such as the benefit of giving your employees the flexibility to be productive from anywhere. Great idea, difficult to quantify.

Unless you are using some kind of tool that will let you provision multiple virtual desktops from a single shared image, your storage costs are going to skyrocket, because you’re replacing cheap SATA storage on the desktop with expensive SAN storage in the data center – and a Windows 7 image with all the apps on it can easily run 30 Gb. Moreover, the way a desktop OS uses storage is completely different from the way a server uses storage. Your typical Windows server probably averages about 5 IOPS (Input/Output Operations Per Second), with a read/write ratio of 2:1 to 3:1 (more reads than writes). A Win7 system averages more like 30 IOPS, and the read/write ratio is just the opposite.

In other words, workstations aren’t servers, and they won’t behave like servers just because you move them into your data center and put them on a SAN, and therefore you can’t treat them as though they were servers. If you do, you probably won’t be happy with the result.

Finally, although IT guys love standardization, users don’t. They’re used to being able to personalize their personal computers, and they won’t easily give that up. And they definitely won’t be happy if all of the personalization they’ve done suddenly disappears when you replace their PCs with virtual desktops. Unfortunately, there is no magic wand you can wave that will transform a bunch of diverse PCs that have been highly personalized into a single shared image while still preserving all of the personalization. There are some tools that will help you with this, but you have to plan, you have to test, you have to be careful, and you need to have a roll-back plan.

So does this mean that desktop virtualization is a bad idea? No, not at all. It does mean that you need to take the time to understand your users, and come up with a desktop strategy that encompasses all of your use cases. And you need to recognize that classic VDI is probably not a “one-size-fits-all” solution for all of your users:

  • Task-based workers (e.g., call centers) are probably very well served by “Hosted Shared Desktops,” a.k.a., virtual desktops running on XenApp servers.
  • Remote workers may also be covered by Hosted Shared Desktops, although those who need more power, or need the flexibility of a dedicated OS, may be well served by a hosted virtual PC – traditional VDI. For example, a contract programmer may be a continent away, and may need the ability to do things that cannot be done on a shared server OS, like modifying the registry or rebooting the system, but the employer may also want the security of knowing that the code never leaves the datacenter. VDI is a perfect solution for this use case.
  • Office workers may be served by hosted virtual desktops (VDI), but could also be served by streaming the PC operating system from a central shared image directly to the PC hardware on their desks. Managing that central image beats running around to all the desktops with a backpack full of CDs to do your upgrades!
  • Power users who might, for example, need the power of a dedicated 3D graphics processor might be best served by streaming a central shared image to a blade PC in the datacenter, which the user then accesses via a thin-client desktop device.
  • Mobile users, by definition, need to work when they’re not connected to the corporate network. This is the use case addressed by XenClient.
  • In all of the cases above, having a provisioning tool that allows you to boot and run multiple systems from a single shared image is going to save you a bundle on storage.

The cool thing about XenDesktop 4 is that you can handle all of these use cases, and mix and match the best virtual desktop deployment method to each group of users, and they’re all included in your XenDesktop 4 Enterprise or Platinum license. No other vendor offers that flexibility.

, , , , , , ,

XenClient Is Officially Here

May 12th, 2010 | Posted by Sid Herron in Citrix | Citrix Synergy | Remote Access | VDI | Virtualization | XenClient | XenDesktop - (2 Comments)

Greetings from the Citrix Synergy conference in sunny San Francisco! It’s been a long time coming, but you can now download the XenClient Express Release Candidate code from the Citrix Web site. The link went live as Mark Templeton (the Citrix CEO) was delivering today’s keynote address.

It’s taken a while, because (1) there are a lot of things you need to worry about with client-side virtualization that aren’t an issue with server-side virtualization – like 3D graphics and USB plug & play, and (2) they wanted to make sure they got it right the first time.

This is a true “Type 1″ hypervisor, which means that it installs directly on the PC hardware (so be aware that it will wipe out whatever OS is already on the PC), and you are going to need specific hardware virtualization support on your PC. We’ll write more about that as time permits and as the requirements become more clear. But here are some of the cool things about it:

  • The first, and most obvious, is that you will be able to push a virtual desktop image down to a laptop PC, unplug it from the network, and take it on the road. There is a configurable lease timer that will disable that image if it doesn’t synchronize with the network again within the specified number of days.
  • If you are a desktop administrator, your life just got easier. Every desktop admin I’ve ever talked to has struggled with the issue of locking down the desktop. Take the user’s control away, and you’ve got managers in your face because they can’t install iTunes. Back down and give them local admin rights, and they break the desktop. Now you have to fix it.

    Now you can have a locked-down corporate desktop running side by side with a personal desktop on the same machine. If the user screws up the personal desktop, you can wipe it clean and push out a new one…and they can’t screw up the corporate desktop. How cool is that?

  • You manage the virtual desktops through a “Synchronizer,” which is a virtual appliance that runs on XenServer. When the user fires up the machine and connects to the Internet, it uses a client-initiated https connection to contact the Synchronizer – no VPN access is required.
  • The Synchronizer allows you to insure that critical data on the laptop is backed up in the datacenter, using a block-level protocol with compression for bandwidth efficiency.
  • If the laptop is lost or stolen, you can issue a “kill pill” from the Synchronizer that will immediately disable the VM image the next time the laptop comes on-line (or immediately, if it’s on-line when the kill pill is issued).
  • Because everything is backed up to the Synchronizer, it’s a matter of only a few minutes (depending on bandwidth) to push out that backed-up image to a new laptop, which doesn’t even have to be the same manufacturer as the old laptop, since the Type 1 Xen hypervisor gives you device independence.

VMware recently announced that they were changing direction away from a Type 1 hypervisor in favor of a Type 2 hypervisor for off-line VDI access. Basically, they’re still using a variation of VMware Workstation. That means that the VM is running on top of your local copy of Windows, and there are millions of lines of code between the VM and the hardware, as opposed to only about 80,000 lines of code in the Xen hypervisor. No way in the world that’s going to approach the performance level and user experience of XenClient.

Moreover, VMware assumes that everyone who will have off-line access will also have a hosted virtual desktop running somewhere on a VSphere infrastructure. So the hosted VDI instance comes first, then you get to check that virtual desktop out for some period of time, use it, and check it back in, at which time changes get synchronized. XenClient does not require that you have a hosted XenDesktop instance. You can push the corporate desktop image down onto a XenClient-enabled PC regardless of whether that user has access to a hosted XenDesktop PC. And synchronization takes place whenever you’re on-line.

As you can probably tell, I’m excited about this release. Yes, it’s “Release Candidate” code, and it’s intended to allow us to start playing with it so Citrix can get feedback on what needs to be tweaked. But it appears to be pretty darned solid RC code, and I don’t think we’re that far away from general availability.

Gartner is predicting that, by 2014, 72% of computing “endpoints” will be laptops. You cannot have a solid VDI strategy unless you can address off-line access by this large population of users. Citrix understands that. This is another game-changer!

, , , ,

Switch to SAN but BE CAREFUL!

May 6th, 2010 | Posted by Scott Gorcester in Storage | Virtualization - (0 Comments)

I am a big fan of Storage Area Network (“SAN”) technology. SAN technology offers high performance, highly flexible storage for Physical and Virtual Systems and is particularly valuable to empower advanced features for virtualization solutions such as VMWare, XENServer, and Hyper-V Virtual Hosts to name a few. 

The moral of this story is that you need to know that SANs have some very different management requirements compared to traditional Direct Attached Storage (“DAS”).  Many if not most IT Staff in small to medium size organizations are most familiar with throwing hard disks into physical servers in single or RAID configurations.  Now that they are are purchasing and deploying SAN technology we find that many problems occur if they do not fully understand how to implement and manage these new beasts. 

I would suggest that the difference between DAS and SAN technology is similar in spirit to the difference between a passenger car and a high performance race car.  Most passenger cars are designed to be slower and more forgiving than race cars, if you get into trouble it’s much easier for the average driver to recover.  Race cars will do many things that passenger cars won’t, but if you push them too far you will require very specific skills to recover or you will spin out of control.  SANs are in my opinion similar to this analogy, they will do many things that DAS won’t but if you don’t design and manage them properly you may quickly find yourself in spinning out of control. 

Here are a couple of things you need to know.

  1. Most popular SAN’s offer some impressive features such as “Thin Provisioning.”  Thin provisioning is one of those features that you will absolutely love, that is, until you don’t.  Thin Provisioning is a feature that allows you to provision gobs of storage – more, in fact, than you actually have – to Physical and Virtual Systems.  For example, you might have a SAN with 2 terabytes of physical storage, but then “provision” 10 individual 2 terabyte “volumes" and present them to your physical and virtual servers.  Your servers will see this as a combined total of 20 terabytes of storage. This is great but requires you to be very careful.  The reason is that you have offered 20 terabytes of “Virtual Storage” but of course you really only have 2TB of actual or “physical” storage.  So while your systems believe there is 20TB of available storage you have to insure that you do not attempt to put more than 2TB of physical data on this system or bad things will happen. 

    What bad things? Well in most cases once you fill up the physical space the volume will become unusable.  You must make sure you carefully monitor the system and pay close attention to it so that if you start reaching capacity, you’ll know in time to do something about it.  Our own SANs alert us when total available free space reaches 20%.  We have from time to time been between 70% and 90% utilization of our total capacity, and while everything is running just fine we know we have to watch this carefully.  If we hit 100% (intentionally or otherwise), the result could be catastrophic: the storage could immediately shut down and the recovery might not be quick. 

    This happened to a client last week. They started a backup, and when they realized that this was causing one of their thinly-provisioned SAN volumes to fill up to capacity, they immediately stopped the backup and deleted the data.  Unfortunately this caused the volume to fill to 100% and immediately shut down.  Fortunately this volume was mirrored to a second SAN and since there was a little more room on the mirror volume the workload actually stayed online until we could assist the client in recovering from this problem.  If the mirrored side had filled to 100% as well, the result would have been an immediate failure of a critical SQL server workload. 

    The client didn’t realize that copying all this backup data to a Windows Server VM would fill up the SAN volume, nor did they realize that simply deleting that data from the VM would not necessarily delete it from the SAN.  We were able to configure a new volume and replace the full half of the mirror with an empty volume, but only because their was some un-provisioned space available to use for this purpose.

  2. And that brings me to my second point – which is that deleting data from a Physical or Virtual server that is using SAN storage may not in many cases free the physical space on the SAN.  Again, DAS is like the passenger car, if you over-commit your storage you can simply press the brake (a.k.a. delete key) and recover immediately. With SAN storage it is common that once the space is committed you may have to perform specific tasks to free up this space.  This task might require special tools or utilities, or even require adding more physical disks.  In extreme cases it may require that you remove and recreate the over-committed SAN Volumes, and that is time consuming and painful.  In this scenario an ounce of prevention is worth a hundred pounds of cure. 

    We have been running our SAN over-provisioned for years with no ill affects or degradation in performance…but we know we are “on the bubble” and we carefully monitor and maintain this situation.

So please be aware that SAN technology is wonderful, but its important to learn some new skills to keep the systems performing their best.

, ,

Copy Machine Security Risk

May 6th, 2010 | Posted by Sid Herron in General | Security - (0 Comments)

Here’s a 5-minute video you really need to watch. It’s a report by CBS News on what could be a huge security risk that most companies probably haven’t even considered: the office copy machine. And I’m not talking about the risk of someone copying sensitive information that they shouldn’t be copying – I’m talking about what happens when the copy machine is retired.

Most modern copy machines contain a hard disk drive. That’s why you can feed a stack of originals into them and walk away while the machine prints and collates multiple copies of your stack. But what you may not know is that most copy machines do not automatically delete those page images from the internal hard drive when they’re done printing. So when you turn that copy machine in at the end of your lease, you’re also handing over thousands of images of documents that you’ve copied on that machine.

Those copy machines are typically re-sold, with the hard drives still intact. Many are shipped overseas. And your documents are shipped right along with them, easily readable by anyone with commercially available hard disk forensic software.

Depending on the nature of your business, that may or may not be a big deal. But think about this:

  • Have you ever made photocopies of a new employee’s driver’s license or social security card for your files?
  • Have you ever photocopied an order form that contained a customer’s credit card information?
  • Have you ever photocopied your company tax returns, forecasts, bugetary information, or financial planning documents?
  • Have any of your employees used it to make copies of their own tax returns?
  • What about proprietary information or trade secrets?

And, of course, if you’re a business that deals with sensitive documents – such as a law firm, an insurance company, or a business that handles medical records – you (and your clients or patients) may have even more at stake.

So, please, spend five minutes and watch this video. Then, the next time you’re ready to retire a copy machine, find a way to get the hard drive out of it and destroy it yourself before it goes beyond your reach.

,

DNS Security Extensions and Why You Should Care

May 4th, 2010 | Posted by Sid Herron in Computer Basics | General | Security | Troubleshooting and How-Tos | WatchGuard - (1 Comments)

Tomorrow (May 5), at 17:00 GMT, all 13 root DNS servers on the Internet will begin using DNSSEC (Domain Name System Security Extensions) to reply to user requests. Here’s why you might care about this.

As most of our readers know, DNS is what translates the URL you type into your browser (like “www.mooselogic.com”) into an IP address (like “216.9.9.164″) that your computer can actually use to send packets of data across the Internet. If you have a Windows Server-based network, one (or more) of your Windows Servers is probably providing DNS services to the users on your network. But the DNS server on your network doesn’t automatically know where everything is. If it needs to resolve an address that doesn’t happen to already be in its local cache, it has to ask some other DNS server out on the Internet. Sometimes those queries go all the way to one of the root servers.

It’s been recognized for quite some time that the existing protocol used for DNS queries isn’t entirely secure. Therefore, the international standards bodies have been working on a more secure standard, which is DNSSEC. DNSSEC uses digital signatures to authenticate DNS responses, so your computer knows the response actually came from an authoritative DNS server.

So what’s the problem? The potential problem is that those DNS responses will arrive in significantly larger data packets than before. Specifically, rather than using UDP packets that are smaller than 512 bytes, the responses will not only be longer, but may be broken into multiple TCP packets. Some routers and firewalls specifically inspect DNS traffic to look for anomalies, and if you have older equipment that doesn’t know about the DNSSEC standard, these changes may very well look like anomalies, and be blocked. That would mean that your DNS clients or DNS server would not be able to communicate with the public root DNS servers, and that would mean that you would start having problems resolving DNS.

These problems may be intermittent in nature at first, because some DNS requests may be able to be resolved by using locally cached information…but DNS records typically have a “time to live” built into them, so eventually the cached information will expire and have to be refreshed. So if you do have a problem, it’s likely to get worse with time.

There are some tools available to help you determine whether you’re likely to have a problem. If you’re comfortable using a DNS query tool like dig (which is a command-line query that can be run from most unix or linux systems), you can find instructions on using it at https://www.dns-oarc.net/oarc/services/replysizetest. If you don’t have access to a unix or linux host, or don’t feel comfortable using such a tool, you can download a Java utility from http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues, and run it on any system with Java run-time installed (which includes most Windows systems). Just download and save the file, then double-click it.

Watchguard customers should note that if you have a Watchguard Firebox or XTM appliance with current firmware, you should not have any issues with these new DNSSEC packets.

,

How Do You View Technology?

May 3rd, 2010 | Posted by Sid Herron in Computer Basics | General - (0 Comments)

A former colleague of mine once observed that most businesses could be divided into three broad categories, based on how they view their computer systems. Which category do you fall into?

1. A Necessary Evil
Some businesses really don’t need much technology to do what they do. For example, a small automotive machine shop may have one PC that they use to run a simple accounting program to keep their books and not much else. They may not even have an Internet connection at their place of business. Computer technology is not in the least strategic to what they do, and they’d rather not deal with it any more than is absolutely necessary. They’ll typically run the systems they have until they’re forced to upgrade.

2. Another Business Tool
Other businesses understand the need for technology, but do not view it as strategic. It’s just another business tool, like the telephone system. They don’t spend much time thinking about it, but they do expect it to work when they turn it on – just as they expect a dial tone when they pick up a telephone. They recognize that their computer systems provide essential business services – not just running the accounting system, but enabling their employees to keep in touch with clients and vendors, perform essential research on the Internet (when they’re not watching YouTube videos or updating their Facebook pages), create presentations, write letters, create budget and forecast spreadsheets, etc. Still, they don’t particularly want or need to be on the “bleeding edge” of the latest and greatest stuff – they just want the stuff they have to work, because they know it costs them money when it doesn’t. They don’t want to spend any more money than they have to, but they recognize that they have to spend some money to keep things working. They are reluctant to upgrade their systems as long as the systems they have are getting the job done.

3. A Strategic Asset
Businesses in this final category truly view technology as strategic to their businesses. They proactively look for ways to leverage technology to give their businesses a competitive advantage. Ultimately, all businesses exist to make money. You make more money by either selling more of whatever products and services you sell, or by taking cost out of the business so that your present level of sales becomes more profitable. Technology can be used to do both of these things, and in a variety of ways. In fact, that may be a good subject for a future series of posts – but in the meantime, if you give the matter a little thought, you can probably come up with several examples yourself of how to use technology to increase sales or reduce costs, or both.

One of the interesting things about this classification system is that it has very little to do with the size of the business in question, and everything to do with how the business views technology. I have known relatively small businesses who fell into category #3, and relatively large businesses who fell into category #2. (I haven’t dealt with very many category #1 businesses, because, frankly, a company like Moose Logic doesn’t have much to offer them. And, in fact, if you’re reading this blog, it’s a pretty strong indication that you’re not a category #1 business.)

It is, of course, important to us to understand which category you fall into, because it determines, to a large extent, what kind of conversation we’ll have about technology. If you’re in category #2, we should be talking about increased productivity, simplified management, the cost savings of virtualization, and perhaps even the outsourcing of some or all of the management of your systems. If you’re in category #3, we should also be talking specifically about how you go to market, how you differentiate yourself from your competitors, and how we can use technology to create or enhance that competitive edge.

But it’s equally important that you understand which category you fall into, and that you’re comfortable with it. The fact is that a category #3 business is going to spend more (relative to the size of the business) on technology than a category #2 business. If you claim to be in category #3, but you’re behaving like you’re in category #2, you’re simply fooling yourself, and you need to be realistic about your goals and objectives. If you want to be in category #3, but are hindered by budgetary constraints, then you can begin to plan for how you’re going to get there. If you’re in category #2, and you’re content to be in category #2, great! There’s absolutely nothing wrong with taking that position, as long as it’s a conscious decision made with a clear understanding of what it means for your business.

So… what category are you in? And are you comfortable there?