Welcome to Kraft Kennedy

Before creating an image of a XenApp server, several steps must be performed to generalize the XenApp installation, in order to remove the machine-specific information from the install and allow the server to come online and join the XenApp farm as a unique entity. In the past, this was either accomplished manually or through the use of a set of scripts. Citrix has since released a small MSI that contains a command-line tool and a Windows service that can be leveraged to quickly generalize a XenApp installation. The tool is called XenAppPrep and it can basically be thought of as the equivalent of sysprep for Windows, only used with XenApp installations.

With XenAppPrep, you can easily prepare and clone your XenApp servers, either by traditional Ghost/image type methods or through the use of Provisioning Services (talked about in my previous post Citrix Provisioning Services Part 2 – PVS with XenApp!). Using XenAppPrep is a simple process:

Continue reading…

My last post Citrix Provisioning Services Part 1 – What Is It? served an introduction to what exactly Citrix Provisioning Services is capable of. Below I hope to open people’s eyes to using PVS for something other than VDI, as it is often thought of as a part of the XenDesktop suite. However PVS is actually independent of XD or VDI, and can be utilized in combination with XenApp to bring single-image benefits to the Terminal Services world.

Provisioning Services allows for server consistency, easier maintenance, dynamic servers, and aids in disaster recovery.

• Consistency – As a best practice every XenApp server delivering the same applications should be 100% identical to the rest of the farm. However, obtaining this is easier said than done.  By streaming the same image to every server, each server is inherently and 100% the same as the rest.
• Maintenance – Updating and patching large farms can be a very time consuming task, and anything done to one server must be repeated for the entire farm to maintain consistency. With PVS, patches and software installations are applied once to the master image and on next reboot, each XenApp server boots the new updated image. In addition to software patching and installation, Terminal Servers need to be completely refreshed periodically to keep them clean and performing optimally; they are used by dozens of different users, reducing performance and resulting in inconsistent servers. A typical server refresh requires the server to be re-imaged and the software redeployed, a time consuming process that can be prone to error, leaving a server in an unusable or inconsistent state. Operating system streaming with PVS results in a completely fresh and optimized server on every reboot.
• Dynamic – PVS allows for a dynamic XenApp farm instead of a static one. As load rises and additional servers are needed, they can be quickly brought online in seconds instead of hours. Conversely, as load drops, un-needed servers can be powered off or repurposed as needed. A server becomes a vessel for different workloads and can be a XenApp server one day and an IIS server another if need be. Since Provisioning Services is capable of streaming to both physical and virtual servers, administrators have the ability to utilize different types of resources all from the same master image(s).
• Disaster Recovery – Creating a disaster recovery plan for the XenApp environment often requires complex processes, scripts and configurations. Assuming a PVS server has been built in the DR site, and that the master image has been replicated as well, quickly bringing an entire farm of XenApp servers online becomes a simple task.

Creating a XenApp environment that is more dynamic and easier to maintain is a goal for many XenApp administrators. The addition of Provisioning Services to a XenApp implementation can go a long way to achieving those goals. By leveraging the single-image management capabilities of PVS, administrators can dramatically reduce the costs involved with deploying and maintaining their XenApp farms. While at the same time, guaranteeing consistency between and ensuring peak performance of each server in the farm. All while being capable of quickly adapting to changes in load and disaster scenarios.

With Server Based Computing and consolidation becoming increasing prevalent along with the enormous buzz of VDI, I think it is worth debunking some of common myths of XenApp and Terminal Server.  Below are the most common misconceptions that I continue to hear from IT folks today on the limitations of XenApp/Terminal servers that I have debunked from real world experience supporting and working with different terminal server environments.

Myth 1: Application compatibility is a huge problem on Terminal Servers.
There might have been some truth to this myth a decade ago, but in reality this is just not a big problem in the 2003/2008 world.  From my first hand experience, I can say that an application that works on XP will work on 2003, what works on Vista, will work on 2008, etc.  Are there some exceptions?  Of course.  However, these applications are few and far between, yet the “application compatibility” myth continues to circulate. This myth was probably true in the NT/2000 OS where applications did not do a good job of differentiating between “user” and “computer” parts of an installation.  Since Windows XP, application developers have done a better job writing “user” specific information in the user profile and “machine” specific information in Program Files, or HKLM.  I would probably attributed to the “Fast User Switching” feature introduced in XP.  Whatever the reason, this is just not a problem anymore.

Continue reading…

Last month, I posted my findings on the beta releases of XenApp 4.5/5.0 HRP5 for Windows 2003 and the 11.2 Plug-in.  Today, Citrix released the final Citrix XenApp Online Plug-In 11.2 (formally called XenApp client).  See my previous post on more detail on the new features and changes this client; another notable change in this client is the removal of the Program Neighborhood. 

Program Neighborhood (PN.EXE) was primarlily leveraged to create connections directly to XenApp servers (as opposed to connecting through a Web Interface or the PNAgent).  With the removal of the Program Neighborhood, Citrix has made it very clear that they do not want support this functionality.  Fortunately, there IS a way to work around this issue if you decide to upgrade to 11.2 client and are still required to make a connection directly to a XenApp server.  The trick is to create an ICA file. Copy and paste the template below into notepad and substitute the approriate server name denoted below as “servername.domain.com”.  Save the file with a .ICA extension and voilà.  You can now connect directly to a XenApp server with the 11.2 client.

Macs continue to gain traction in the personal computing space.  This in turn has required Windows administrators to become more familiar with Macs and the limitations they may have when connecting to a typical corporate Windows environment.  In the past, Citrix has done an OK job providing Mac support for XenApp through a basic ICA client.  Specifically, they created a functional no-frills client that supports the latest, as well as past, Mac Operating Systems.  The client primarily supported ICA connections through an ICA file.  The Program Neighborhood Agent functionality did not exist and published applications (not desktops) launched through Citrix Web Interface were presented in a kludgy window.  This changes with the release of the 11.0 plug-in (formally called client). 

Primarily, the 11.0 plug-in finally enables seamless functionality of published applications on Macs.  Seamless published applications (opposed from the desktop) present themselves to the user as if they are running locally.  This in turn allows the user to run published and local applications side-by-side for an improved experience.  More importantly, this seamless functionality opens the door for corporate environments who serve applications through the Program Neighborhood Agent or Citrix Web Interface to give Mac clients a user experience that is in line with what Windows clients have supported for years. 

Also included in this update is the introduction of Citrix’s Dazzle interface.  It looks like Citrix has larger plans for Dazzle suite, but from a client perspective, applications served through the Program Neighborhood website are presented in an iTunes like interface.  I think the logic Citrix is following is that users would be acclimated easily to an application delivery interface that mimics iTunes on the assumption that most users are already familiar with iTunes. The interface is clean, intuitive and even gives the user the ability to add the application to the OS X dock. The “Add” function threw an error for me when I was testing testing the client , but in theory it *should* work.  I’ll post the fix when I come across it, but this bug doesn’t takeaway from the huge functionality upgrade in this client.

It is unfortunate Citrix took years to finally give Macs the same support that the Windows client has had for years, but better late then never, right?  Download it here.

Dazzle interface of the 11.0 Mac plug-in:

A couple of months back I posted on Citrix’s HDX Media Stream, as well as my first hand results with the trial release of HDX Media Stream for Flash.  Today, I wanted to follow up on that post with the newly released betas of XenApp 4.5/5.0 Hotfix rollup pack 5 (HRP) and Citrix Online Plug-in 11.2 (formally called ICA Client).

To start, both of these releases feature the typical bug fixes on both the client and server.  The 11.2 plug-in will also replace both the XenDesktop receiver client (11.1) as well as the XenApp plug-in (11.0).  Citrix has finally unified the XenApp and XenDesktop clients into a single installation.

This client/HRP combo provides some significant functionality to enhance user experience in existing XenApp environments.  It will add HDX Flash redirection support in XenApp.  The functionality is disabled out of the box, but can be enabled and controlled granularly in GPO with a supplied ADM template.  Testing this in a lab environment checks out.  Very straightforward and the functionality works as advertised.

The other new feature as part of this client/HRP is and addition to what Citrix calls “HDX Plug-n-Play“.  I don’t care for the terminology, but this finally brings dynamic USB redirection to XenApp.  Previously, USB devices on the client needed to be connected prior to XenApp session creation.  If a USB device was plugged in after a session was already created, the user would be required to logoff and login for the newly added USB device to present itself within the ICA session.  This was not intuitive and very annoying to users. (Also, would generate a helpdesk call.) Citrix has a dynamic USB tool that provided some functionality around this, but it was never officially supported and buggy.  Like the Flash redirection, this functionality is enabled with little configuration.  Simply running the 11.2 client on a server with HRP5 will enable the functionality.

Both of these enhancements coming to XenApp are not surprising, however it is a pleasant surprise that Citrix will roll this functionality into a hotfix rollup and client release.  This will allow existing 4.5 and 5.0 environments to take advantage of these new features.  These enhancements also echo Citrix’s focus on continually improving the user experience amongst their solutions.

Grab the betas here: (Requires a My Citrix login)
HRP5 for XenApp 4.5 and 5.0
Plug-in 11.2

Installing the VMware Tools package inside a VMware virtual machine improves overall performance and allows the use of advanced features and faster virtual hardware drivers.  The installation package also installs a tray icon that controls guest access to virtual hardware, time synchronization, etc.  Since most virtual machines are servers and end users don’t typically access the console of a server, worries about the security implications of leaving that tray application running have been fairly minimal.  However, as firms move towards solutions like virtualized XenApp servers or virtual desktops, this becomes more of a concern.

Removing administrator access to end users is unfortunately not enough.  For example, a user can open the VMware Tools tray icon and select the Devices tab, and from there can uncheck “NIC1″ and click Apply.  What happens?  You guessed it – the virtual NIC is disconnected and the user loses connection.  That’s bad in a virtual desktop environment since it will orphan the desktop and likely require a connection broker like XenDesktop to create another desktop but it is even worse on a XenApp server where the user potentially just disconnected dozens of other users as well.

This, and several other things found in the VMware Tools, can be dangerous to leave available to an end user even if they have no rights to the server itself.  To get around this, there are two approaches that make sense:

1) Remove access to the VMware Tools for end users.

2) Modify the VMX configuration file to prevent these actions.

I prefer the second method since it allows for more granular control over security, though if you’re interested in option one then you can read VMware’s KB article on the subject.  In order to prevent this at the VMX (virtual machine configuration file) level, simply add the following lines to the virtual machine(s) that you wish to protect (after powering it down):

isolation.device.connectable.disable = “true”
isolation.device.edit.disable = “true”

To see how to add one of these values to the VMX file via PowerShell and PowerCLI, it would look something like this:

$vm = Get-View (Get-VM NameofVM).ID
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=”isolation.device.connectable.disable”
$vmConfigSpec.extraconfig[0].Value=”true”
$vm.ReconfigVM($vmConfigSpec)

There are many other security parameters that can be set in the VMX file that are covered in VMware’s Security Hardening document (PDF).  The document covers this and many other common security best practices for virtual machines.  As always, test any change you make (especially the script above) before putting anything into production.

One of the challenges in maintaining and managing a large scale XenApp farm is automating application publishing. Servers may have dozens of applications published to them and manually managing these applications is time consuming and impractical. 

At the moment, organizations have the option of using Citrix’s Installation Manager or third party solutions such as Enteo’s Citrix Management Suite to assist in automating these tasks.  Both can introduce management overhead and can be tedious to maintain especially if the organization is invested in another software distribution platform. Management through scripting is currently possible leveraging MFCOM, but these scripts are cumbersome and not intuitive. Introduce, “XenApp Commands” (currently in Technology Preview).  XenApp Commands will give administrators the ability to manage a XenApp farm using PowerShell.

PowerShell scripting for XenApp introduces a potent method of managing and maintaining a XenApp environment.  Functions such as application publishing, policy maintenance, and load evaluator application can all be accomplished through PowerShell cmdlets.  Full list of cmdlets are available here, and a cursory look shows a fairly exhaustive list.  XenApp Commands will make automating tasks and functions significantly easier then in days past. More importantly, XenApp Commands will give organizations more flexibility in how they deploy and manage applications to their XenApp farm.

Obviously, maximizing the use of “XenApp Commands” will take working knowledge of PowerShell, but with Microsoft incorporating PowerShell in Windows Server, Exchange, SQL, and the System Center suite of products, administrators should already be exposed to this technology (or should already be familiar with this technology.).  XenApp Commands is still in “Technology Preview”, but looks to be released for XenApp 4.5 and 5.0.  Download it here (login required).

Among the benefits of a server based computing (SBC) environment, are the potential savings that exist when purchasing cheaper desktops or terminals on the client side. The logic being that because applications are being run on a server, the client just needs enough horsepower to present the server based applications to the user. Of course this might not be a driving factor of deciding to go to a SBC environment but it could result in some cost savings over a traditional desktop environment.

Organizations that start to design a SBC environment will most likely entertain Wyse terminals or other equivalent terminals that can run the ICA or RDP protocol to present a XenApp/VDI environment. These terminals have a small profile, are low power and reduce management overhead over traditional desktops. The obvious drawbacks are the lack of flexibility these terminals provide because they don’t run Microsoft Windows. In the scenario a Windows application does not run/will not run in the Terminal Server or VDI environment, there is no option to run it locally on a terminal. This variable is large enough for organizations to opt for traditional Windows desktops to serve as “thin clients” resulting in minimal or no cost savings on the client side (from a power and hardware perspective).

Recently, Dell released the Optiplex 160 series line of desktops. They are classified as “Tiny Desktops” because of their ultra small form factor. About the size and weight of a textbook, they can be configured with Windows (XP or Vista) and leverage the low power Intel Atom processor found in most netbooks. (Dell claims 87% power efficiency over traditional PCs.)

The 160 series bridges the gap between Wyse terminals and traditional Windows PCs with its low power draw and tiny form factor. However, it has a seemingly inflated price, which starts at $567. For some reason, Dell has priced it only a couple of hundred bucks less than a modestly configured traditional desktop. Price seems to be a limiting factor right now but does open up another option on the client side for an organization moving to a SBC environment.

Media playback within a XenApp or XenDesktop session has always been a challenge when designing a server based computing solution. The user’s experience is degraded through choppy playback and the host server is taxed processing the audio and video playback. Administrators have typically addressed this challenge by educating users to leverage their local client browser and media player whenever media functions were required. Not only does this introduce obvious training challenges in educating users, the experience is less than ideal having users switch between the “server” and “client” environments. Not to mention any new application integration issues that this generates.

Over the last few years Citrix has made incremental improvements to its HDX (formerly called SpeedScreen) technology to improve Flash and general media to solve this challenge. The improvements are significant over RDP, but playback overall is still not even close to “local” speed. Along with traditional improvements to HDX, Citrix has quietly included media redirection in XenApp and XenDesktop for certain media types. This is the mechanism in which media playback is offloaded to the client workstation for a more seamless experience. The server passes instructions to play the media to the client and the local audio and video codec is used for the actual playback. Media plays back seamless and the server processor is not taxed in the process. At the moment, XenApp and XenDesktop support DivX, XVid, MP3, among other media types. Check out this Citrix technote on all of currently supported media. From an administrator’s perspective, the requirements to enable this functionality are very straight forward. Enable SpeedScreen and ensure the client and server have codec installed and it will just work (given that the media type is supported).

As of last month, Citrix released a trial to enable Flash redirection (currently not officially supported). Flash has become the de facto standard for streaming video and multimedia on the internet, so the full release will be highly anticipated (tentative for Q3). Not that most users are doing this, but to test the technology, I was able to play back a 720p video through a XenApp server without any skipping or lag. Impressive stuff.