Citrix Workspace: Addressing The Security Conundrum [Session Recorded at Citrix Synergy 2019 in Atlanta, Georgia]

 

Scott Lane and I had the privilege to lead a session at Citrix Synergy this year around the security benefits of Citrix Workspace. When most people think about the Citrix Workspace, then tend to focus on the user experience and productivity benefits. While these are very important, there are also a number of security use cases that the solution addresses. The goal of this session was to walk through these benefits with a demo centric approach. We also had Chris Fleck (Vice President and Technical Fellow at Citrix) join us as our mystery speaker and he shared some cool projects that he’s currently working on. Hope you enjoy this session! I would love to get your feedback!

 

Synergy 2019 Breakout Sessions That You Don’t Wanna Miss!

Every year, I try to compile a list of sessions that I highly recommend. This year, I’m a bit late, but better late than never. So here goes:

  • SYN101: Citrix Virtual Assistant and Productivity Analytics (Kedarnath Poduri, Omar ElNaggar)
  • SYN145: Privacy, security, data and trust: a look at the future of data risk management (Steve Wilson, Peter Lefkowitz, Lisa Bobbitt)
  • SYN129: Getting ahead of global regulations and compliance with Citrix (Florin Lazurca, Joseph Nord, Chris Hoffner, Peter Lefkowitz)
  • SYN111: Desktops-as-a-Service with Citrix (Kireeti Valicherla, Paul Carley)
  • SYN141: Learn how the intelligent Citrix Workspace organizes, guides, and automates work (Omar ElNaggar, Vishal Ganeriwala)
  • SYN142: The journey to Workspace with Citrix IT leaders (Joe Verdarame, Renee Flores)
  • SYN703: Get visibility into your Citrix licensing and active use (Daniel L’Hommedieu, Alex Tompkins)
  • SYN210: Avoid performance stress when using hybrid cloud workloads (Thomas Poppelgaard, Christiaan Brinkhoff)
  • SYN229: Citrix Cloud deployment strategies: customer and partner perspectives (Shane O’Neill, Paul Stansel)
  • SYN138: How to move from StoreFront to Workspace (Craig Hinchliffe, Alex Tompkins)
  • SYN127: Bringing Okta and Citrix together in Workspace (Daniel L’Hommedieu, Bryan Smoltz)
  • SYN130: Future of work (Christian Reilly, James Bulpin)
  • SYN201: Performance analytics for Citrix Virtual Apps and Desktops (Sameer Mehta, Jitendra Deshpande)
  • SYN211: HDX: it’s all about the user experience (Mark Howell, Miguel Contreras, Fernando Klurfan, Roberto Moreno)
  • SYN226: Reliable, high performance workspace delivery over imperfect network connections (Derek Thorslund, Wesley Shepherd)
  • SYN230: Citrix Cloud and Azure: real-world experiences and tips for a successful deployment (Paul Stansel, Jason Samuel)
  • SYN221: How to protect your Citrix deployments and modern applications with Citrix ADC (Patrick Coble, Frank Bunger)
  • SYN202: Under the hood with Citrix Analytics (Mathew Varghese, Jim Regetz)
  • SYN217: Multi-site recommended practices, reloaded (Jarian Gibson, Shane Kleinert, Kees Baggerman, Dave Brett)
  • SYN231: Architecting the workspace for high security (Kurt Roemer, Mike Nelson)
  • SYN208: Citrix App Layering: top 10 lessons from the field 2.0 (Dan Morgan, Daniel Lazar)

I also want to mention that I will be leading two sessions this year. Details below:

  • SYN236: Citrix Workspace: addressing the security conundrum (George Kuruvilla, Scott Lane)
  • SYN406: Debunking common misconceptions about Citrix Workspace: lessons from the field (George Kuruvilla, Kevin Nardone)

I look forward to seeing many of you next week in Atlanta! 

Key Takeaways from Citrix Synergy 2018 Announcements That Did Not Make The Keynote

Just like many of you, I had the pleasure of attending another awesome Citrix Synergy last week in Anaheim. Had the chance to meet many of the community members, customers and fellow Citrites in person. As is always the case, I was not able to attend a lot of sessions due to customer/internal meetings and such and spent some time this week catching up on content. While Workspace, ServiceNow Integration and Analytics were front and center, what I’m realizing is that there were plenty of great announcements made during the breakout sessions that many of you probably missed. If you want to learn more about what was announced as part of the keynote read Jason Samuel’s blog post.  I wanted to spend some time summarizing some of the most interesting announcements that were not part of the keynote. I am still in the process of reviewing the sessions and will update this post over time.

Workspace Environment Management (WEM) To Be Offered As A Citrix Cloud Service

WEM is Citrix’s solution for user environment management and resource optimization along with UPM. On average, customers see a 30% improvement in server scalability and login times can also be improved significantly. WEM did require certain infrastructure components to be deployed. However, at Synergy it was announced that the Citrix will be offering a WEM service essentially hosting, managing and maintaining all the infrastructure components such that the customer only has to deploy the agents and the cloud connector. This should make the solution even more appealing to customers and help with server scalability and user experience in a hybrid cloud environment. 

Learn more about this announcement in SYN231 (Recording below. Start at around 6:15)

Seamless Roaming O365 Outlook Email Cache and Search Index Database using UPM

A new feature is coming in UPM that allows handling of large files specifically designed for O365. And it is controlled with a single policy setting in UPM. Once the policy is enabled, a per user search index db is created and all outlook requests are redirected to the database thus enabling a roaming search index for the user for both virtual apps and desktops. Its limited to 32 bit version of Office for now. The search index and OST file will be wrapped in a VHDX container and stored in the profile. Learn more about this feature in the SYN231 video posted above. Start watching at 22:30. 

 

WEM and UPM Capabilities Now Extended To Manage Physical Endpoints

As part of Citrix’s Unified Endpoint Management strategy, WEM and UPM will soon be able to manage physical endpoints. This is a welcome change and will help customers use the same solution set to manage both physical endpoints and the virtual workloads. Learn more in the SYN231 video above. Start watching at 30:52.

PVS Management Directly From Citrix Cloud

On prem PVS workloads can soon be managed directly from Citrix Cloud. In addition a new PVS cloud license will be introduced. A customer can download the PVS cloud license from MyCitrix and install on onprem license server to manage PVS from Citrix cloud.

More info in the SYN131 video below. Watch from 28:40

Azure QuickDeploy for XenApp and XenDesktop Service

Azure Quickdeploy is a feature that is available for the XenApp Essential customers that makes it extremely easy to build Citrix workloads in Azure. The same wizard has now been ported over to XA/XD service. You can specify your Azure subscription info, connect to a resource location, upload a custom image, provide domain information and the machine catalog will be created for you. This is perfect for small deployments and POC’s. This feature will be released in the coming weeks for XA/XD service. It will only support Server VDAs. Also important to note that Quick deploy cant be used in conjunction with studio. Its an either/or. To learn more in the video. Watch from 32:00

 

Extending Citrix Cloud Support For Google Cloud Platform and Oracle Cloud

While Google cloud got plenty of attention at the keynote (and I will have a follow up blog looking specifically into Citrix Cloud and GCP), it is also worth noting that we will be extending platform support for Oracle cloud infrastructure. This is of particular interest for customers who have a significant investment in Oracle cloud today. Its all Hyper-V based which is also appealing to many customers. There is an Oracle deployment guide already published and the planned availability for support in Oracle cloud is Q2, 2018. Learn more in the SYN131 video above and start watching at 34:20

 

 

 

Citrix Director Enhancements

There were a lot of Citrix Director enhancements announced including Resource App prediction based helping admins predict future resource usage, ability to generate custom reports, a set of predefined default smart alerts (as opposed to admins having to go and define alerts manually), detailed breakdown of logon duration including a breakdown of “interactive session”, NMAS integration, the ability to troubleshoot XenMobile devices right from Director and last but not the least App Probing. App probing in particular is really exciting as it allows you to define and automate app probes for your published apps and desktops thereby helping admins be proactive about how the published resources are performing and getting ahead of potential issues. Lots of features to get excited about!! Watch SYN126 (below) for further details.

The New Citrix Files Application

The new Citrix Files application (new Sharefile client for desktop) has combined the capabilities of Sync, Drive Mapper and Deskop into a single application. Just like drive mapper, it provides a single pane of glass for all your data (network drives, sharepoint, personal cloud, OneDrive For Business etc). You also now have the ability to perform workflows directly from windows explorer or finder. You now also have the ability to map multiple drives to specific sub folders within sharefile or connectors like OneDrive for Business. The configuration can be through Citrix policies within Studio. Watch SYN100 below from 19:25 to learn more.

Intelligent Traffic Management (formerly Cedexis) Is Awesome!

Earlier this year, Citrix announced the acquisition of Cedexis to add to the Netscaler portfolio. People like to describe Cedexis as the Waze of Traffic Management. Its not far from the truth. Cedexis collects 14 billion data points on a daily basis from over 900 millon end user sessions and 40,000+ networks around the world to intelligently route traffic thereby offering the best possible user experience and intelligently avoiding application disruptions. Watch SYN123 below to get a quick overview of Cedexis.

HDX Enhancements

There were quite a few updates covered in SYN206 around HDX. I’ve tried to highlight a few below. I would highly recommend reviewing the recording below.

Browser Content Redirection 2.0

Backported as a stand-alone compatible component with LTSR 7.15. Chrome (Q3) and Edge will also be supported. Modern portocols such as HLS, DASH and Web Assembly will be supported. The rendering engine will be made part of the Workspace App. Browser content redirection 2.0 will be able to offload WebRTC as well!

Citrix Ready Partners in the Video multicasting industry like Qumu, vBrick, Ramp and Haivision will support Client side fetching and Browser content redirection for live video events where Receiver client side fetch can fetch the video from the branch office edge caching appliance.

Real Time Optimization

Skype RealTime Optimization Pack support coming for Chromebooks (that can run android apps) in H2 2018. Hardware acceleration for endpoints with AMD GPUs is also expected around the same time frame. 

Microsoft Teams Support Strategy 

In the short term, Citrix plans to support the Microsoft teams web client with browser content redirection 2.0. Chrome browser will be the first to be supported and windows endpoints will initially be supported with Linux endpoints to follow. File uploads might have limitations with browser content redirection 2.0 and MS Teams. The workaround is to use Sharefile or other such solutions to upload the files. 

Long term goal is to develop a receiver side media engine on all supported platforms (Windows/Mac/Linux) for real time optimization of MS Teams UC content. 

Delivery of Cisco Jabber from virtualized desktops

 

Workspace App and Citrix Receiver

After the keynote, in conversations with customers and partners there were a lot of questions around Workspace App and what it means for customers running Citrix receiver today. This is covered in great detail in SYN133. If you are a customer leveraging Citrix receiver, it will be automatically upgraded to Workspace app via Citrix auto update and it is fully backward compatible. All the new Workspace capabilities above and beyond virtual apps and desktops will only get enabled if you subscribe to the various Citrix Workspace services. So in other words, if you are an on premises customer leveraging  Storefront or an on premises customer leveraging Citrix Workspace just for site aggregation (more below on site aggregation), your client will be automatically updated to Citrix Workspace app but none of the functionality changes other than than UI having a new look. Watch the video below from 21:10. The session also provides a deep dive into Citrix Workspace App and demos of the new capabilities. 

Workspace and Site Aggregation

The new site aggregation feature now allows customers to tie their existing on premises deployments to Citrix Workspace (four step workflow). For customers who are on Web Interface or an older version of Storefront now have the option of leveraging Workspace to aggregate their virtual apps and desktops and deliver it to their end users with the new modern user experience. Moreover with Workspace, customers no longer have to worry about upgrading (as you would with on premises storefront) as Citrix manages and maintains the Workspace. 

Gateway Service Updates

When the Gateway service was introduced a while ago, the primary function of the service was secure ICA proxy. The service has evolved quite a bit and now supports single sign on to Enterprise Web and SaaS apps including a library of 40+ pre-defined SaaS templates. Gateway service can also be integrated with an on premises storefront deployment and supports hybrid deployments as well with Workspace aggregation. Direct connect to VDA without the need for connectors was also announced which will lead to increased scalability. Another key announcement was the much requested two factor authentication natively through the gateway service. This will be made possible with native One Time Password (OTP) support.

For an update on all Citrix Cloud services, I highly recommend watching SYN100. It also includes a lot of great demos. 

Citrix Synergy 2018 – Breakout sessions you do not want to miss!

Every year, I publish a list of my recommended Citrix Synergy breakout sessions. A number of people asked me if I had put one together this year and while its late this year, better late than never! As always I tend to pick sessions based on topics that are most relevant to customers and the quality of content and speakers. So here are my top 20 for this year!

SYN231: Manage your user experience from Workspace Environment Management Service

Who should attend: XenApp/XenDesktop Administrators, EUC Architects

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=110

SYN233: The geek’s guide to the workspace 

Who should attend: EUC/Cloud Architects, Management

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=112

SYN123: Deliver the best user experience for your customers and users with Intelligent Traffic Management (Cedexis) 

Who should attend: Network Administrators, Network Architects, EUC Architects

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=61

SYN704: Deep insights across the Citrix portfolio with Citrix Analytics 

Who should attend: EUC Architects, Citrix administrators, Security Architects, Management

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=149

SYN238: Implementing Federated Authentication Service: real world examples

Who should attend: Identity/Cloud/XenApp/XenDesktop Architects, XA/XD Adminstrators

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=117

SYN230: Discover Citrix Workspace Hub

Who should attend: Desktop Adminstrators, XA/XD administrators, EUC Architects

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=109

SYN504: Security: getting the most from your resources

Who should attend: C level executives, Security Architects, EUC Architects

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=295

SYN714: Citrix Rx for success in healthcare

Who should attend: Healthcare customers

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=157

SYN207: XenApp and XenDesktop tech update (May 2018 edition)

Who should attend: Everyone 

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=86

SYN131: Central image management: Provisioning Services and Machine Creation Services today, tomorrow and beyond

Who should attend: XenApp/XenDesktop Administrators, EUC Architects

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=69

SYN239: From StoreFront to Citrix Workspace

Who should attend: XenApp/XenDesktop Administrators, Cloud Architects, EUC Architects

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=119

SYN127: Everything you need to know about Windows 10, Server and Citrix

Who should attend: XA/XD Administrators, EUC and Cloud Architects, Management

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=210

SYN201: Citrix App Layering: top 10 lessons learned

Who should attend: XA/XD Administrators, EUC architects

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=213

SYN204: Identity and access management and SSO with NetScaler Gateway Service

Who should attend: Netscaler Administrators, XA/XD Administrators, EUC/Network/Cloud Architects

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=83

SYN241: How to break the cyber kill chain of ransomware

Who should attend: Security Architects, EUC architects

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=172

SYN226: Demystifying NetScaler SD-WAN for infrastructure architects

Who should attend: Network administrators, Network architects

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=105

SYN224: How to deploy NetScaler in public clouds and use it to provide SSO to on-prem and SaaS apps

Who should attend: Netscaler Administrators, Cloud Architects

 More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=103

SYN222: Next-gen of Native-OTP: now with Push Notification

Who should attend: EUC/Security/Network Architects, Netscaler administrator

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=101

SYN103: Expand the value of Office 365 with ShareFile

Who should attend: EUC architect, Management, Cloud architect

More info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=41&conference=synergy

SYN501: Workspace IoT

Who should attend: Executives, EUC/Cloud/Network/Security architects, IoT enthusiasts 

More Info: https://citrix.g2planet.com/citrixsynergy2018/myevent_session_view.php?agenda_session_id=290

In addition to these, I will be co-presenting two sessions at Citrix Synergy both cloud focused. The first, with Christiaan Brinkhoff, will focus around best practices and architectural considerations when deploying cloud workloads. The second, with Daniel Feller, takes a look at innovative and cost effective approaches to business continuity by leveraging Citrix Cloud. Details about the sessions below.

Look forward to seeing you at Synergy!

Sites vs Zones in XenApp/XenDesktop 7.x – Design Considerations When Choosing Between The Two

Introduction

Zones, a key design element that administrators and architects have learned to love in XenApp 6.5 was reintroduced in Xenapp and XenDesktop 7.7 FMA architecture. Prior to 7.7, building multiple sites was generally recommended when spanning multiple data centers or regions but now customers  now have the option of leveraging Zones. While Zones is a potential option, it might not always be the right option based on your situation. In this post, my goal is to review basic concepts around Sites and Zones and dig into design considerations to help choose between the two.

Primer on Sites and Zones

Sites

A site is what you define when you deploy XenApp or XenDesktop under the FMA architecture. It acts as a logical boundary with all objects defined being part of that site. It is also an administrative boundary. Each site has one or more delivery controllers and requires its own site configuration database. A site always have one primary zone defined by default. Sites can span multiple data centers and regions but there are a number of factors that need to be taken into consideration and we will review these a little later.

Zones

Zones are defined within a site to keep applications and desktops close to the user location while also simplifying administration by leveraging a single instance of Studio, Director and configuration database regardless of the number of zones. With zones, users in remote regions can get to their resources without having to traverse the WAN.

There are two types of zones – Primary zones and Satellite zones. Primary zones typically have two or more controllers and have the site configuration database locally whereas satellite zones can have a single controller or more. While similar, zones in the new FMA architecture in 7.x is not the same as XenApp 6.5. For instance, the concept of a zone data collector no longer exists.

With the introduction of Zone preference in conjunction with Optimal Gateway Routing, users can be homed to a specific zone when accessing their apps and desktops based on predefined conditions and rules. This greatly improves the user experience. Disaster recovery can also be handled intelligently.

For detailed information on Zones and Zone preference I would recommend you review the official documentation. Carl Stalhood has a very good blog on this topic as well.

There is also a great overview of Zone Preference in the XenDesktop 7.11 Master Class starting at the 58 minute mark.

When to use Sites

While zones simplifies overall administrative overheard and potentially infrastructure requirements, leveraging sites is a more prudent choice in certain scenarios. Lets look into these:

Latency

Latency will impact user performance. Latency and concurrent user requests should be taken into consideration and tested before deciding to use zones. See the chart above for different scenarios tested. There are two great blogs, one by Chris Gilbert and another by William Charnell on how latency affects brokering performance from satellite zones in XA/XD 7.7 where they collect metrics under various latency conditions. Definitely worth a read. However these metrics have improved significantly in 7.11 and above. In fact, 250 ms latency, XenApp and XenDesktop 7.11 outperforms the 7.7 code at 90 ms. With 7.11 or later, users experience quicker brokering of resources, even with latency between a broker and the SQL server. The official citrix documentation covers latency and the impact on zones, registration storm impact and how this can be tuned in great detail.

Fault Domains

When we talk about large deployments with greater than 5000 users, it is best practice to break the environment down into smaller PODs. This helps split the enviroment into multiple fault domains such that when any of the pods are affected, only a small set of users are impacted if any. Even when all users connect in to a single datacenter, it is still beneficial to break the infrastructure down to multiple sites and PODs. Here are the slides from a great session at Synergy 2015 that covered the benefits of a POD based architecture. This blog is also worth a read.

Administrative Boundaries/Regulatory Compliance

For environments that require complete administrative isolation between different regions or business units, going with separate sites is recommended. While Role Based Access Control is available, it does not meet the needs of every customer. In addition I have worked with customers that have gone with multiple sites so as to isolate environments to meet compliance requirements such as PCI or regulated environments where upgrades are not as frequent.

While multiple sites requires additional infrastructure, the resources from the various PODs can be aggregated from a user access perspective. Monitoring and troubleshooting can also be simplified as Director can manage multiple sites. A number of the tasks can also be automated by leveraging script. Image management can be greatly simplified by leveraging PVS.

When to use Zones

When designing a XenApp/XenDesktop infrastructure for an environment with multiple datacenters with latency being a non factor (within acceptable limits), zones can certainly be an option. The number of users per satellite zone can play a factor when making that determination as discussed earlier. Fault tolerance should also be taken into account as all the zones share one common site configuration database and connectivity issues could impact all the users. The resources that users connect to can be controlled based on zone preference and failover. 

Using a combination of Sites and Zones is also an option. For instance if a customer environment is spread across the globe but also has multiple datacenters within each region, they could use Sites for each region and the leverage Zones for the datacenters within each region assuming low latency between the datacenters. This would help reduce the overall complexity and administrative overheard when compared to deploying a site per datacenter.

From The Field

Here is some feedback from Jason Samuel, one of our CTP‘s based on his experience.

“Most of my customers completed their migrations from 6.5 to 7.x when either zones weren’t available in FMA yet or was still new.  They went with a site per data center.  My bigger customers embraced localized pods within each datacenter itself.  This is often self contained pods built on HCI as the backend.  Application and image management is controlled through PowerShell scripts to help with administration of multiple sites.  Since these customers have been using this model for a few years now and it is a mature process for them, they continue with this approach.  My customers that are doing greenfield 7.x deployments are the ones that really consider zones vs. doing individual sites.”

Ryan Mcclure, Senior Architect at Citrix Systems had this to say: 

“So armed with this data and information, what should you do? Stick to multiple sites? Design with zones wherever possible? Some scenarios just beg for zones, while others are obvious use cases for sites/pods, but more commonly, both are technically viable and it is a matter of weighing the pros and cons. If your workload is mission critical and your deployment lives in one or two datacenters, multiple sites are probably a good option for you. They provide additional fault tolerance, shrink failure domains and increase flexibility during upgrades. If, on the other hand, you have a number of semi-well connected locations where application back-ends reside, one site per location may prove prohibitive from an administrative perspective. These sorts of deployments are where zones should really be considered. The combination of sites and zones also shouldn’t be overlooked. The geographic distribution cited above is one example, but sites and zones can also be combined to strike a balance between manageability and availability. Rather than all VDAs in a zone mapping to a single primary site, multiple primary sites can be deployed.

When the decision isn’t obvious, our most successful customers ask the same question:

“What are other customers in similar situations doing?”

The strategy around sites and zones definitely isn’t one size fits all, but up until now, most of our large enterprise customers have gravitated towards separate sites. Many do so based on their desire to shrink failure domains and minimize risk wherever possible. You may have even heard recommendations to skip zones because sites have been available longer in the FMA world. At the time, this recommendation may have made sense, but the IT space is as dynamic as ever and leading practices need to be updated with the times. Over the last few months, this trend around steering clear of zones has started to shift, and more customers are taking a hard look at how zones can help simplify environment management. In most scenarios, zones shouldn’t be viewed as a total replacement for sites, but if your deployment can be simplified and/or management streamlined by implementing zones where the make sense, now is the time to give them a good look.”

Final Thoughts

Zones in XenApp/XenDesktop 7.9+ is a welcome addition and offers greater flexibility when planning out deployments. However, it is not necessarily the solution for every use case as discussed above. Latency, number of users/location, concurrent logins etc need to be carefully considered before deciding whether to go with multiple sites or leverage zones instead.

 

 

 

Is Samsung Chromebook Plus The Perfect Chromebook?

Over the past couple of years I’ve been collecting a lot of chromebooks. As of the 13th of Feb, I now own 6, mostly Acer and Samsung devices. As much as I love the concept of a low cost, ultra portable and secure thin client with excellent battery life & then leveraging Citrix for my enterprise apps, it always felt like there was something missing. Some of the common complaints were display resolution, build quality, lack of offline access and lack of a good touch screen model under $500.

Needless to say I was extremely intrigued when Samsung announced the 12 inch Chromebook Plus and the price point. I pre-ordered the device and got mine earlier this week. My experience so far has been terrific. Lets look into why I feel this device is close to perfect.

Design

The Samsung Chromebook Pro is a  12.3-inch laptop that also converts into a tablet. It is powered by an OP1 Hexa-core (Dual A72, Quad A53) ARM processor with 4GB of RAM and 32GB of storage. It comes with two USB Type-C ports and a microSD slot. It has various display modes, very similar to the Lenovo Yoga. It has a full metal design that weighs just 2.4 pounds. It comes with a stylus that pops out of the right side of the system, letting you take notes with Google Keep and other apps and smart enough to recognize characters, allowing you to search through your handwritten notes afterwords.

Display Resolution

Resolution has been one of my biggest gripes with chromebooks so far. And boy does this device address that issue. The Chromebook pro comes with a quad HD (2400 x 1600) pixel screen made with Gorilla Glass 3. with a 3:2 aspect ratio. The high resolution means my Citrix VDI instance looks absolutely spectacular on this device. Lots of real estate too!

Battery Time

Based on my testing so far, the battery time of the Chromebook Plus is on par every other chromebook I own. I’m getting approximately 9-10 hrs. Keep in mind that the resolution for this device is also one of the best. So that the battery time extremely impressive.

Android Apps!

This to me is a GAME CHANGER!! As you know, Google announced support for Android apps on chromebooks last yr. The challenge was that just a handful of devices were actually supported, and even among the ones where it was supported there was only one that had a touch screen. Personally I believe Android app support is pointless if there is no touch screen. Thankfully the Chromebook plus does have one! The combination of android app support, great resolution and touch screen makes it the perfect device. I now have a number of key productivity apps, many of which I can use offline. Some of my favorites so far are Citrix Secure Mail, Secure Web, Sharefile (Enterprise File Share and Sync), Slack and Skype for Business to name a few.

Touch Screen

The touch screen is extremely responsive. No lags whatsoever. Works great in tablet mode. Also great when using Android apps. All chromebooks moving forward need to be touch enabled IMHO. You cannot effectively use Android apps without touch!

Stylus!

The Chromebook Plus comes with a pressure sensitive stylus that is on par with others like the Surfacebook. Is it perfect? No. But its quite good. I can totally see myself using this device to do a white board or sketch a design while I am at customers. Very handy!!

Final Thoughts

Today was my first day out on the road with just the chromebook pro. I honestly did not miss my XPS 13. I accessed my Citrix VDI instance the entire time and the experience has never been this good on any of the other chromebooks I own. I also used a number of android apps including Skype for Business, Sharefile, Secure Web and others. The combination of VDI, chrome browser and native mobile apps is quite amazing. I used the the system for around 5 hrs and did not run into any issues during that time.

At $449, this device is a steal! If you are looking for a chromebook today, this should be in the list of favs! If I were to change one thing, I would add more memory to this device. Android apps can eat up memory fast!

Kudos to Samsung for a job well done!

Citrix acquires Unidesk: Here’s why customers should care!

Application layering has been a hot topic in the End User Computing space, specially the last 24 months or so. Layering allows you to decouple applications or groups of applications form the underlying operating system thereby enabling you to manage them indepedently. There are quite a few players in this space including AppVolumes by VMware and FlexApp by Liquidware Labs and Citrix’s AppDisk to name a few. But there is no arguing that Unidesk has been around the longest and has the most mature and comprehensive solution.

With today’s announcement from Citrix around the acquisition of Unidesk, customers have even more flexibility in terms of how applications and workspaces are delivered to their end users whether the workloads are running on premises or in the cloud.

Before we get into the key benefits of Unidesk and why this acquisition adds tremendous value, its important to understand some of the challenges that Citrix customers face. A good place to start is this survey that Unidesk conducted.

The Problem At Hand

1. Image Management – Today both PVS and MCS customers have to maintain multiple images. Larger environments sometimes manage and maintain over 10 images on a day to day basis. One of the reasons for this is business units needing one off applications leading to various silos. The administrative overheard involved in maintaining the images sometimes leads to needing dedicated resources who solely focus on image updates, testing and deployment.

2. Pooled desktops and assigning layers at runtime – Most Citrix customers are forced to use persistent desktops for certain use cases today due to users needing different sets of applications. If there was a way to decouple applications from the OS and deliver applications at login dynamically based on user privileges, then the same pool of desktops can be used for multiple use cases thereby reducing infrastructure costs and operating costs.

3. As customers move workloads to the cloud, there are new challenges that surface when it comes to image management. These need to be addressed in order to reduce cost, improve performance and thereby increase cloud adoption.

4. Not every application can be delivered via XenApp. Some applications need to be installed locally. App-V has been an alternate technology that a number of customers use but many still like to have the ability to install these locally.

5. While AppDisk provided layering, there were various limitations including the inability to attach layers at run time and the inability to use layers with persistent desktops. Appdisk also lacks true version management and rollback.

How the Unidesk acquisition helps address these issues

1. Unidesk already has a large number of Citrix customers and tight integration with both XenApp andXenDesktop. They are a proven technology at scale, a preferred MS partner for application and image management, and well regarded in the partner community.

2. Unidesk has connectors for PVS and MCS thereby simplifying application delivery and eliminating the need to manage and maintain multiple images.

3. Unidesk provides flexibility in terms of how the layers are delivered either at pre-boot or  and dynamically delivering apps into running session hosts without reboot. Unidesk has a feature called Elastic Layering that allows for layers to be attached at run time. So in a XenApp environment for instance, since applications are attached at run time, different users groups can be assigned different applications while connecting to the same server. This eliminates the need for silos.

4. Application compatibility is no longer a concern as Unidesk supports layering applications that have drivers and system service dependency and even apps that run while users are logged out.

5. Unidesk supports layering for persistent desktops in addition to XenApp and pooled desktops thereby addressing every use case. Also persistent layers can be assigned to users even while using XenApp. This allows administrators to provide users a more cost effective VDI option to their end users with persistence based off of XenApp.

6. Full Lifecycle Management of layers across your environment with version control, rollback etc.

7. Unidesk’s approach to layering is fundamentally different. A layer is assigned per application. Administrators the have the ability to create a profile so to speak consisting of the various layers for a user group. These layers are then combined into a single vhd that is then attached at boot or at run time depending on the assignment. When compared to other layering solutions since the number of vhd’s mounted is minimized, performance is greatly improved and login times reduced.

7. Cloud adoption has increased steadily over the past couple of years and customers are more inclined than ever to start moving workloads to public clouds, especially MS Azure. The Azure connector from Unidesk simplifies image management in the cloud. Layered Images can be assigned to different Azure collections. In addition all image collections can be updated by patching the OS and app layers only once. The Unidesk applicance can also run in Azure and is available via the Azure Marketplace. When you combine Citrix Cloud with Unidesk, there is definitely a better story now to be told around deploying and managing VDI workloads in Azure.

Final Thoughts

The Unidesk acquisition along with our recent acquisition of Norkskale helps customers further reduce infrastructure costs while increasing operational efficiencies and guaranteeing the most optimal end user experience. For customers running VDI in cloud or considering the move, Unidesk is a great new addition and will simplify image management. Citrix’s position as the industry leader in End User Computing is further solidified.

 

 

How to enable Local Host Cache in XenApp/XenDesktop 7.12

Local Host Cache (LHC), which was a key feature of the IMA architecture in XenApp 6.5 and earlier was reintroduced for the first time in the FMA based XenApp/XenDesktop 7.12 release.   You can learn more about LHC in detail in my previous blog on the topic.

Prior to 7.12, users were able to access resources (with some caveats) while experiencing site database loss using a feature known as Connection Leasing. When upgrading to 7.12 from an earlier release with Connection Leasing enabled, LHC is disabled by default.

To enable LHC run the following powershell command on the upgraded broker.

Set-BrokerSite -LocalHostCacheEnabled $true -ConnectionLeasingEnabled $false

The above command, enables Local Host Cache and disables Connection Leasing.

The Get-Brokersite cmdlet provides the current state of Local Host Cache (whether its enabled or disabled)

To disable Local Host Cache and enable Connection Leasing, run the following command:

Set-BrokerSite -LocalHostCacheEnabled $false -ConnectionLeasingEnabled $true

XenApp/XenDesktop 7.12 Local Host Cache Explained

With the release of XenApp and XenDesktop 7.12 Citrix brought back one of the most requested features from the XenApp 6.x days – The Local Host Cache (LHC). For those of you new to this term, it essentially provided a way for users to connect to their XA/XD published resources while the SQL based database is down but keeping a local cache on the XenApp servers themselves. LHC now replaces Connection Leasing in 7.x as the primary mechanism to allow connection brokering operations when database connectivity to the site database is disrupted. In this post, my goal is to dig into the architecture of Local Host Cache in 7.12 and how it works.

Architecture:

lhc-architecture

 

The above diagram from Citrix Documentation shows the architectural components that make up the Local Host Cache. The feature is disabled out of the box when XA/XD 7.12 is installed. If you are upgrading from a previous version LHC will be disabled under certain conditions. See the table below for further details.

screenshot-2017-01-01-at-1-10-18-am

With LHC, users can connect to Apps and Desktops that they have previously not connected to. This was not possible with Connection Leasing where users could only connect to resources that they had previously connected to.

Every broker now has three new services. The primary broker service, the secondary broker service and the configuration sync service.

LHC sychronization during normal operation and central database connectivity is not affected

  • During normal operations, the primary broker service communicates with the site database while the secondary broker service remains idle. The CSS makes sure the local db on each of the controllers is synchronized periodially.
  • Primary broker service accepts connection requests from Storefront, then communicates with Site DB and provides users access to VDAs registered with the controller and that they request access to.
  • Every 2 minutes, a check is made to see if there have been any changes to the primary broker config.
  • If a change is detected, then the primary broker uses the Citrix Config Synchronizer Service (CSS) to copy configuration to a secondary broker. This is not an incremental copy but a full copy from the primary broker to the secondary broker.
  • Secondary broker then imports the configuration to a local SQL Server Express database on the controller.
  • Once the config is copied the CSS service confirms that the config on the secondary broker matches the config on the primary broker.
  • Local DB on the secondary broker is recreated each time a config change is detected on the primary broker (checked in 2 minute intervals)
  • Secondary broker runs as a Windows service called Citrix High Availability Service

What happens when there is an outage and database connectivity is lost

  • During an outage, the primary broker can no longer connect to the site database and stops accepting connections.
  • Primary broker instructs secondary broker to start listening for and processing connection requests. An election process ensues to determine which controller takes over the secondary broker role. There can only be one secondary broker accepting connections during a site db outage.
  • When the VDAs start communicating with the secondary broker, a re-registration process is triggered and the secondary broker gets current session information about the VDA.
  • During the outage period, the primary broker continues to monitor the connection to the site database and when connectivity is restored, it instructs the secondary broker to stop listening for connections and the primary broker resumes brokering connections thereby restoring normal operations.
  • When a VDA communicates with the primary broker after it has taken over brokering, a re-registration is triggered.
  • The secondary broker removes all VDA registration info during the outage and continues checking for config updates on the principal broker every 2 minutes and updating its LHC when changes are detected.
  • If an outage occurs during an LHC sychronization, the current import is discarded and the last successful imported config is used.
  • It is important to note that during an outage, only one active secondary broker is available. So from a scalability perspective this could be a limitation. The secondary broker as mentioned earlier is chosen based on an election mechanism.

Local Host Cache and Citrix Cloud

  • If you are currently leveraging Citrix Cloud for your XA/XD control plane, the LHC functionality ensures that connectivity loss to the control plane does not impact users from accessing their resources.
  • LHC synchronization occurs the same way as it would in an on premises XA/XD deployment and the config changes are synchronized from the Citrix cloud via the Cloud connector.
  • To provide fault tolerance when connectivity to the Citrix cloud is lost altogether due to a WAN link failure, Citrix Storefront and potentially Netscaler would need to be on premises.

Local Host Cache Restrictions

  • You cannot run Studio and Powershell Cmdlets when LHC is active and site database connectivity is down.
  • Site configuration changes cannot be made when the connectivity to the central database is unavailable. This is very similar to the IMA based LHC implementation in XenApp 6.x
  • New machines cannot be provisioned as hypervisor interaction is not possible when LHC is operational.
  • Users cannot be assigned new resources during the site database connectivity outage.
  • Machines with a “Shut down after use” configuration will be placed in maintenance mode when LHC is operational

Troubleshooting

The two main tools to troubleshoot LHC are the Windows Event Logs and CDF traces.

  • The Config Sync Service logs events in the Windows Event logs in relation to LHC synchronization. If no config changes occur during the 2 minute intervals, no events are logged. If CSS receives a config change, the event is logged with event id 503. If the update to the secondary broker is successful, the event is logged with event id 504. If the update fails, the event is logged with event id 505
  • When the secondary broker takes over during an outage, event log entries are made indicating that the Citrix High Availability Service has started handling brokering. Once services are restored, you would see logs indicating that the Citrix High Availability service has stopped brokering. There will also be events related to secondary broker election. Event IDs include 3502, 3503,3504 and 3505. When Citrix Cloud is in play, XA/XD proxy log events are present. CDF traces can also be used for advanced troubleshooting.

Enabling Local Host Cache After Upgrading

Local Host Cache is not enabled by default when upgrading from an earlier version of XenApp and XenDesktop 7.x. I have written a blog on how to enable LHC after an upgrade.

Getting Started with the Citrix HDX Pi – A step by step walkthrough

1463594298798

A few months back, I wrote a blog on how to configure the Raspberry Pi thin client to access Citrix workloads. If you are completely new to the HDX Pi and want to learn more about the benefits, this is a good place to start. Since then Citrix announced the HDX Pi and I have received requests from members of the community to blog on configuring the HDX Pi. So here it is!

What you need:

  • One or more HDX Pi’s ( Microcenter edition)
  • ThinLInx Managment Software

Configuration

The HDX Pi comes pre licensed for the ThinLinx Management Software (TMS). So you can go to the ThinLinx website and download TMS and install on a windows PC. Once installed, run TMS.

Connect the HDX Pi to the network in addition to the obvious (keyboard, mouse, display). Once the Pi boots up, you will see the client within TMS.

8-5-2016 4-23-57 PM

 

8-5-2016 4-24-25 PM

 

8-5-2016 4-24-44 PM

You can now update a number of parameters and push files to the device within TMS

  • Change the name
  • Change protocol to HDX if you prefer
  • Push SSL certs if needed (If you are using private certs on Storefront for instance)
  • Change network parameters (if you dont want to use DHCP for instance or use a custom DNS server)
  • Change display parameters.

8-5-2016 4-25-05 PM

 

8-5-2016 4-25-33 PM

 

 

8-5-2016 4-26-23 PM

TMS is also how you would push new firmware to the device.

Once you are done with the configuration changes, reboot the device. Once rebooted, you should see the updated parameters within TMS.

8-5-2016 4-26-43 PM

 

Once rebooted, you will have to specify the URL that you want the Pi to connect to. This is your Netscaler Gateway URL.

After you enter the URL, you will be prompted for credentials.

Once authenticated by the Netscaler, you get prompted to pick the Store after which you see your applications and desktops.

Some Caveats to keep in mind

One catch with TMS today is that the URL does not persist unless you save it at the Pi itself. To do this, while at the storefront screen, use the Ctrl+Alt+C key combination and hit “Save Settings”. Now reboot. The HDX Pi will now authenticate and take you right to your apps once rebooted.

The TMS server will only discover devices on the same subnet. So make sure that your TMS server and Pi are on the same subnet will configuring the devices or else discovery will fail.

Viewsonic version of the HDX Pi is also available. However the configuration procedure is a little different and will be covered in a future blog post.

Once the configuration URL is saved, as mentioned earlier the device will boot straight into storefront using credentials provided initially. In order to configure a new store, you can clear config and reset to default on the device or you can factory reset the device via TMS.

Keyboard Shortcuts:

  • ctrl alt r twice to factory reset
  • alt f4 to exit HDX screen
  • ctrl alt v – volume
  • ctrl alt c – config screen
  • ctrl alt t – terminal

To learn more about performance check my previous blog. I look forward to your feedback!