The Citrix Blog
XenApp Blogs
Product news, tips, and tricks.

posted by Gareth Winston

The launch of Windows 7 fills me with dread and excitement. The dread comes from coordinating Citrix Global Platinum sponsorship of this launch with North America Roadshows, Virtual Live Events, TechEd EMEA and local launch events. The excitement comes from the promise of Windows 7 after the relative disappointment of Vista (I must stress the word "relative"), as the performance of Windows 7 is definitely promising to live up to the hype.  

So, why would Microsoft invite Citrix to be a Global Launch Partner for an operating system launch?

Normally when you want a new OS, you just go on the web, buy a new PC, and use the CD to install the OS or, if you are like me and technologically incompetent, you get your IT Department to install it. However, the technology landscape has shifted. Now there is an alternative way to get your instant Windows 7 desktop with Citrix and Microsoft Desktop Virtualization, which delivers Windows desktops as an on-demand service to any user, on any device, anywhere.

The combination of Citrix and Microsoft gives customers the fastest way to deliver Windows 7 realizing benefits of increased efficiency and simplified IT Management. In addition Citrix HDX Technology offers up to 10X better Flash multimedia performance compared to alternative solutions, delivering a user experience that is indistinguishable from a local PC.

7 Ways to get up to speed on Citrix and Microsoft Desktop Virtualization for Windows 7

1. Check out the Citrix Desktop Virtualization Live, "Secrets, Lies and VDI" event on the 20th October - register here

2. Attend the "Harness The Power of Virtualization" events with guest speakers from Citrix, Microsoft, Intel and HP - register here

3. Microsoft New Efficiency Virtual Live Event

4. North America Windows 7 Roadshows in 65 Cities for Technical Decision Makers and IT Professionals

5. Microsoft Tech EMEA

6. Check out your local events

7. Check out Win7 Community Central to see how the Citrix Partner Ecosystem helps deliver Windows 7 - Click here


posted by Keira Pack

Citrix training courses provide the foundation to effectively implement and support Citrix solutions. Check out these upcoming training classes in Australia:

Course Name: CXA-202-1I Implementing Citrix XenApp 5.0 for Windows Server 2008 Skills Update
Date/Location: November 2-4, 2009 at Dimension Data Learning Solution, Sydney Australia
               November 4-6, 2009 at Dimension Data Learning Solution, Melbourne Australia
Description: This course is for experienced Presentation Server 4.5 users looking to update their skills to XenApp 5.0. Students will gain the foundation necessary to effectively implement, deploy and administer Citrix XenApp 5.0 and its components, including Web Interface, application streaming and Secure Gateway. Learners will receive hands-on training for installing Citrix XenApp for Windows Server 2008 and Plug-ins and for using the various administrative consoles to configure policies, individual server and server farm settings, isolation environments, streaming applications and much more. This course is the recommended training for Citrix exam A05, the requirement for the Citrix Certified Administrator (CCA) for Citrix XenApp 5.

Register here or call DDLS on 13 12 01 

Course Name: CTX-1264AI Citrix XenApp (Presentation Server 4.5): Support
Date: November 23-25, 2009
Location: Dimension Data Learning Solution, Melbourne Australia
Description: This course provides learners with the skills needed to monitor, maintain and troubleshoot network environments running Citrix Presentation Server 4.5 and XenApp 5.0 for Windows Server 2003 software. Learners are introduced to the tools used to monitor the Presentation Server farm, record farm activity and generate reports. In addition, learners take away the skills needed to maintain data and server integrity and to scale, optimize and troubleshoot the XenApp (Presentation Server) farm. This training is recommended for Citrix exam 264, a requirement for the Citrix Certified Enterprise Administrator (CCEA) for XenApp 4.*

Register here or call DDLS on 13 12 01

Course Name: CTX-1456AI Citrix Access Suite 4.0: Build/Test Workshop
Date: November 26-27, 2009
Location: Dimension Data Learning Solution, Sydney Australia
Description: This workshop-style course provides learners with valuable experience building and testing designs for Citrix Access Suite™ 4.0. Over 80% of the class is conducted through hands-on exercises. Students will gain the knowledge and skills required to build an enterprise environment in which all components of the Citrix Access Suite 4 are implemented. This course will prepare you for exam 456, a requirement for the CCEA certification.*

Register here or call DDLS on 13 12 01

*Individuals holding a CCEA can easily update to the upcoming Citrix Certified Enterprise Engineer (CCEE) by passing just one exam. Those without a CCEA must pass five exams to earn a CCEE.


posted by Scott Swanburg


I've been doing a lot of research of late around the future of the Cloud, what of the hype is real and where the market dominance will be for Internet based applications delivery. I read a piece by one of the analysts I follow and he gave some sage advice about not getting drawn into the herd of marketers who are using Cloud as a platform to sell anything in their portfolio by renaming it "Cloud -X". Another analyst I follow put together a great map of the differing technologies that make up Cloud Computing and one of the huge foundational pieces is that of Software-as-a-Service. In fact both of these analysts would say that SaaS is absolutely not hype and is one of the pieces of Cloud that will not only emerge, but flourish in the process.

In my research, I've been trying to assess the total number of Windows based applications that are in market today. The purpose is simple. To determine the total market opportunity in the SaaS space you first have to determine who is playing in it, what the applications are and who will subscribe to those applications. SaaS is defined as "a model of software deployment whereby a provider licenses an application to customers for use as a service on demand" and there is no distinction between Windows based applications and Web based applications.

Since Windows still enjoys over 90% market share in the operating systems realm, it also makes sense to extrapolate service offerings based on what businesses are currently using... which happens to be Windows-based solutions. The difficulty in making an assessment of the total number of Windows-based applications in market today is that nobody wants to talk about it. Microsoft got in hot water in 2000 with the DOJ because the volume of Windows applications in market created what was being called a "barrier to entry" for developers of other platforms. As a result, Microsoft doesn't publish this information. And the forums that support Windows developers are only microcosms of the larger ecosystem.

Third parties make attempts to extrapolate the total population of Windows-based apps, but we don't often see real data to support it. To add to the problem, some support programs for Windows-based apps are considered applications themselves. Some estimates have the total number of Windows-based applications in the 100,000 range and above. In 2008, Windows Mobile apps alone totaled 18,000. Even if we take a fraction of these estimates there are still a huge number of applications to consider. For purposes of this blog, let's take a total number of 120,000 and cut it in half. That would leave us with approximately 60,000. If we cull that number by another 50% to delineate only business applications we get a total of 30,000 applications. If we use an equal distribution of applications per business segment (Finance, Gov't, Healthcare, Communications and Services) we have 6,000 applications per segment.

That means that there is an opportunity for 6,000 Independent Software Vendors (ISVs) in each major business segment to expand their base by offering a different route to market. Many of these ISVs have been stifled in their growth because of their current sales motion and distribution channels. Also, servicing their existing customer base is expensive because upgrades must be done through expensive marketing, downloads and retail shrink-wrap sales. Up to now, there has only been one alternative... re-engineer and re-code to a web enabled browser based application. This is a very, very expensive approach. But what is an ISV to do? If he wants more revenue through expansion of his base of customers, is there any alternative?

Well, the answer is yes, but I continue to be dumbfounded that more ISVs don't look to Citrix when they begin this analysis. When Terminal Services was in its infancy, Citrix was solving the problem of remote access even before the Internet reached the masses. The identical technology can be used today to solve the dilemma of ISVs in the SaaS space. Why re-code when you can host the application just as it is and give users the same experience as if it were loaded locally? The question is whether the ISV of today will be savvy enough to choose the Citrix path before spending millions on re-engineering the code. Time will tell.

I'm willing to bet that any Windows based ISV who does adopt Citrix technology to expand his base of customers through SaaS will be miles ahead of his competition who are spending money on re-engineering instead of capitalizing on additional subscriber growth with the same code.

By the way... if you've got a better assessment of the total number of Windows applications in market today, I'd love to see the comment!


posted by Dawn Thurston

Please join us for two webinars covering XenApp Fundamentals sales and technical topics. The new sales topic is "Extending Terminal Services with XenApp Fundamentals". We will expand on several newly published case studies that illustrate why customers still have a need for a remote access solution that meets both their performance and security requirements. These case studies highlight instances where customers had initially implemented Terminal Services as a stand-alone solution, and why they saw a need to add XenApp Fundamentals to their application environment.

Our technical topic will be "XenApp Fundamentals for HP Proliant Servers with Microsoft Small Business Server 2008 - Technical Overview". This session is a technical review of the implementation options for deploying XenApp Fundamentals with Windows Small Business Server on HP Servers. We have many partners who have already implemented this solution and are pleased to have Terry Sheehy, who is an independent IT consultant, join us to share some best practices. This topic was originally presented several months ago and is being repeated due to popular demand.

Title: Extending Terminal Services with XenApp Fundamentals.......The Secure Remote Access Solution For Small to Medium Businesses
Date: Thursday, October 8, 2009
Time: 2:00 PM - 3:00 PM EDT
Register: https://www1.gotomeeting.com/register/519248097


Title: XenApp Fundamentals for HP Proliant Servers with Microsoft Small Business Server 2008 - Technical Overview
Date: Thursday, October 15, 2009
Time: 2:00 PM - 3:00 PM EDT
Register: https://www1.gotomeeting.com/register/582954936

posted by Ed York

I just wanted to announce an upcoming TechTalk I'm delivering on the new HDX Technologies included within the upcoming XenApp 5 Feature Pack 2 release. As you know, HDX refers to a series of technologies that deliver a high-definition experience for both XenApp and XenDesktop users.

In this particular session, I'm going to do a technical deep dive on the latest HDX features included in XenApp 5 Feature Pack 2. Each feature will include an overview, configuration details, and deployment considerations to help you maximize your XenApp deployments and provide the best possible experience to your end users. The features included in this presentation are:
-HDX MediaStream for Flash
-HDX Plug-and-Play for Thumb Drives
-Secure Paste

The TechTalk is this Thursday, October 1 (1pm to 2pm EST).  To sign up for the session, visit this link: https://www1.gotomeeting.com/register/907190776

I hope to see you there!



Yesterday I posted Part 1 of this series, talking about Capacity Estimation. Today I will describe the Power Management schedule policies. PCM uses these policies to determine how many servers should be powered down, how sessions will consolidate or spread among the online servers, and when to power on additional servers to handle unexpected load.

The load policies for a workload vary during the day - you need more capacity during working hours than over the weekend. PCM configurations are entered over a weekly table period. Each entry has a start time and the four settings described below.

You will find this configuration on the PCM console. Select any workload, and then the "Schedule" tab. Each entry configures the following policies:

Minimum session capacity (Min Capacity): specify how many sessions, connected or not, should be on-line. The minimum session capacity is probably the easiest policy to understand and define. It describes the typical session utilization of that workload over time. For example, if you expect 1000 users connected to a workload during the day, and 250 over night, you will configure Min Capacity to 1000 from 8 to 5, and 250 from 5 to 8. It's that simple.

PCM will start as many servers as needed to support the Min Capacity policy. Servers are selected randomly, although you may control the selection order using server tiers - I will cover tiers in more detail in another post.

The session capacity is the sum of the estimated capacity of each online server in that workload. See Part 1 for in-depth description of load estimation.

Min Capacity is ignored if "Power Management" is disabled for that workload.

Minimum available servers (Min Servers): specify how many servers will handle logon requests. At first glance this seems similar to Minimum session capacity, but there's more to it.
PCM works its magic by setting the IMA load index to the value 20,000, indicating to the IMA load balancer that the server is not available to take additional sessions. In the PCM console, you can see each server's selection state - select a workload and the "Servers" tab. At the left side of the "Sessions" column, you will find a small icon that can be:

  • Circle: Load consolidation has disabled logons on this server. The IMA load index is set to 20,000.
  • Green Triangle: Load consolidation has enabled logons on this server. The IMA load index is calculated based on the Load Evaluator.
  • Yellow Triangle: Load consolidation has enabled logons on this server, but the load is higher than the optimal load. The IMA load index is still calculated based on the Load Evaluator.

The Min Servers policy defines how many servers with "green triangles" you will see in that workload - servers with enabled logons and under the optimal load. In the picture, I have Min Servers set to 1. Server 1 is draining, Server 2 is accepting logons, and Server 3 is above the optimal load (of 70%).

The value of this parameter should be related to expected user logon concurrency. If you set this value too low, then a small number of servers have to process too many logon requests, increasing the average logon time. If you set Min Servers too high, then sessions will spread to too many servers.

As a rule of thumb, you should set Min Servers to a higher number just before a shift starts - say, at 7:00AM - and reduce it after the logon peak has passed.

But how should I estimate this value? Well, you may start with a conservative high number and work your way back until user logons are impacted. Edgesight is a terrific way to get this data. Another way is to calculate the expected concurrent logons per server, based on peak logon rate and the logon time. For example, if average logon time is 30 seconds, and peak logon rate is 2 users/second, you should expect 15 concurrent logons if Min Servers is set to 1 (30 seconds/logon divided by 2 users/second). If you want to limit servers to process at most 5 concurrent logons, you will need Min Servers set to 3.

Min Servers policy is ignored if you disable load consolidation in the workload.

Online session reserve (Session Reserve): specify how many sessions should be available at on-line servers. Available sessions are calculated as "Session Capacity" minus connected sessions. For example, if a server has session capacity of 100 and 30 sessions, available sessions would be estimated as 70.

PCM counts all server sessions, including console and disconnected sessions.

Session reserve is used to create a buffer of available sessions for unexpected session influx. Servers take a while to boot, therefore you need to start powering on servers before the workload is fully loaded.

When the session reserve policy is violated, PCM will start a sufficient number of servers to bring the policy back into compliance.

Session Reserve can be estimated based on server power-on time and the maximum unexpected connection influx you have to support via SLA. For example, let's say your servers take 5 minutes to power on, and your DR strategy requires the workload to take up to 60 users/minute if a site fails. Your session reserve has to be set to 300 - the expected number of sessions before the 1st offline server can become available.

In the example above, PCM may issue additional power-on commands before the 1st server comes online. Let's say each offline server can take 100 sessions. When the number of available sessions falls under 300, the 1st server is started. If connections continue to come in, and available sessions fall under 200, the 2nd server is started, since the 1st server alone wouldn't be sufficient to get the session reserve policy back into compliance.

Online session reserve is ignored if you disable power management in the workload.

Maximum session capacity (Max Capacity): specify a high water mark for capacity in the workload. This is an advanced setting, most workloads won't have to bother (default is "infinite"). This is used if you want to specify a session reserve, but stop adding servers after a certain point.

For example, assume your servers have session capacity of 100. A workload has 400 sessions at peak utilization. You have an SLA to support up to 600 sessions during DR events. You also have 7 servers assigned to this workload, but you can only power on 6 at a time due to power constraints - the 7th is there in case any other breaks. In this case, you may define Maximum session capacity as 600. Even if the session load gets above 500 (breaching the Session Reserve policy) PCM will not start the 7th server as it would violate the maximum capacity policy.

OK, that completes the PCM weekly schedule policy configuration. Next, in Part 3, I will talk about sites, tiers, and computer managers.
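The session-reserve and max-capacity arithmetic above, worked through as an added example for this post (illustrative code written here, not Citrix PCM code; the Workload class, its method names and the 4-online/3-offline server layout are assumptions):

```python
"""Worked example of the PCM schedule arithmetic described in this post: session
reserve sizing and the power-on decisions it drives, including the Max Capacity
high-water mark. Written for this article, not Citrix PCM code; the Workload
class, its method names and the server layouts are assumptions."""
import math
from dataclasses import dataclass


def session_reserve(power_on_minutes: float, influx_per_minute: float) -> int:
    """Sessions that can arrive before the first powered-on server is usable."""
    return math.ceil(power_on_minutes * influx_per_minute)


@dataclass
class Workload:
    server_capacity: int            # estimated sessions per server (see Part 1)
    online: int                     # servers currently accepting sessions
    offline: int                    # servers PCM may still power on
    reserve: int                    # "Online session reserve" policy
    max_capacity: float = math.inf  # "Maximum session capacity" (default infinite)
    booting: int = 0                # servers already sent a power-on command

    def available(self, connected: int) -> int:
        """'Session Capacity' minus connected sessions, online servers only."""
        return self.online * self.server_capacity - connected

    def planned_capacity(self) -> int:
        """Capacity once every booting server has come online."""
        return (self.online + self.booting) * self.server_capacity

    def evaluate(self, connected: int) -> int:
        """Issue power-on commands until the reserve policy is back in compliance.

        Booting servers count towards the reserve (they will be online shortly),
        which is why a second server is started only when the first one alone
        would not close the gap. Returns the number of servers started."""
        started = 0
        while (self.available(connected) + self.booting * self.server_capacity
               < self.reserve and self.offline > 0):
            # Max Capacity is a high-water mark: never plan more than it allows,
            # even while the reserve policy is being breached.
            if self.planned_capacity() + self.server_capacity > self.max_capacity:
                break
            self.offline -= 1
            self.booting += 1
            started += 1
        return started

    def boot_completed(self, count: int = 1) -> None:
        """Booting servers finish powering on and join the online pool."""
        count = min(count, self.booting)
        self.booting -= count
        self.online += count


def walk_reserve_example() -> list:
    """The post's Session Reserve example: 5 min power-on, 60 users/min DR
    influx, 100-session servers. Returns the servers started as the session
    count rises through 0, 101 and 201 (assumed: 4 online, 3 offline)."""
    wl = Workload(server_capacity=100, online=4, offline=3,
                  reserve=session_reserve(5, 60))  # reserve = 300
    return [wl.evaluate(connected) for connected in (0, 101, 201)]


def walk_max_capacity_example() -> int:
    """The post's Max Capacity example: 7 servers of 100 sessions, only 6 may be
    on at once, SLA of 600 sessions. The reserve value is assumed to be 100.
    Even with 501 sessions (reserve breached) the 7th server is not started."""
    wl = Workload(server_capacity=100, online=6, offline=1,
                  reserve=100, max_capacity=600)
    return wl.evaluate(501)


if __name__ == "__main__":
    print(walk_reserve_example())       # [0, 1, 1]
    print(walk_max_capacity_example())  # 0
```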


posted by Joseph Nord

One of the first screens you will see in the Streaming Profiler wizard is a screen about "Enable User Updates" or in the earlier profilers, this was called "Enhanced security" or "Relaxed security".   Wow!  Mysterious terms!  The first thing we do in the profiler is hit the admin with a question that they don't know the answer to.  Hum.

Steps:

  1. Describe the panels
  2. Describe what the settings do
  3. Examples of how this affects application execution
  4. Guidance on how to configure the setting

Here's the panel in the streaming profiler version 5.2 (XenApp 5 Feature Pack 2):  Hot off the presses, released GA to the web download last night.


Here's the same panel in the previous streaming profiler (1.3)

What does this setting do?

Under the profiler, it doesn't do a whole lot. It just sets a BOOLEAN that accompanies the streaming profile. You can see it in a nice visual form in the streaming profiler, but if you dig down, you'll find that all this does is set a boolean in the profile XML data, at the PROFILE layer. Changing this setting actually does more work, but I'll get to that in a minute.

Going back to the Layers of Glass, there are conceptually 3 layers of isolation.  Here's an abbreviated version.

At runtime, the applications in the isolation sandbox see a multi-layer merge of the true machine at the bottom, masked by the installation image and at the top, a per-user layer.  The per-user layer is seen "first", followed by the lower layers of isolation and finally the true disk or true registry of the machine.

The normal action is that the machine starts out pretty much clean, the streaming profiler captures the installation activity of an "installer" that writes stuff to the file system and registry.  These are packaged up to become the "blue" layer above, the installation image.  

At end user execution, the installation image is laid down on top of the execution machine and as far as the isolated applications are concerned, they are installed.  It's all a lie - they aren't really installed.

The top layer is initially "clear" or "blank". As the programs run, they may store documents and similar, but these would generally not be in isolated space, so they don't really show up in this picture. The application, though, may WRITE things to "off-limits" locations; these writes are caught by the isolation system and end up stored in the per-user layer of isolation. They land in the top layer of the isolation stack, which is set up as one per user. This is what allows ill-behaved applications to run happily under isolation on a multi-user machine when they won't happily run without isolation. As an example, consider an application that stores settings to the program installation directory in a .INI file. Under isolation, this will be captured and land in per-user space, and the application becomes runnable in a XenApp Terminal Services world where otherwise it would not work successfully.

Back to this post

If the application updates itself at runtime, the update will land in the per-user layer of isolation and this is bad.  Standard procedure when profiling application installations is to TURN OFF all automatic updates.  The application should not update itself - this should only be done in the profiling scenario where the administrator commands the update.  Recall that the isolation space is ONE and the per-user space are MANY, so we only want application content to be updated in a single place.

What does "Enable User Updates" do?

If the user downloads application updates such as .DLL updates or .EXE updates, should this be permitted?

The general answer is "NO!".  Some administrators may have a scenario where this is desired.  The common ones are users wishing to install their own plugins for isolated web browsers or install their own addons for things like Microsoft Office.

How does it work?

Put your file system filter driver writer hat on.  For isolated applications, EVERY TIME the application opens a file or tries to open a file, you get first look.  If the file open is for executable content, should this be permitted?  If "enable user updates" is "off", then file opens for RUNNING executable content from the user layer will be denied.  

The neat part here is that the isolation system distinguishes this behavior based on WHO the caller is.

If the caller is vanilla application wanting to read or write content, no problem - do what you want.  If the caller is the Windows LOADER, then this setting comes into play.  If the LOADER is trying to load executable content from the per-user layer of isolation, then the isolation system can be told to FAIL that operation, and this is what this setting controls.  Pretty neato.

One headache

The setting, while stored as a single profile-level property (a boolean), is implemented in the isolation system as an attribute of EACH of the isolation rules for EACH execution target of the profile. If you set the profile-level property, the streaming profiler must modify the (many) isolation rules for each Target of the profile. This means that if you have a profile with 4 execution targets and you're editing one of them - and you set the profile-level property - behind the scenes, the profiler brings the other 3 execution targets into "edit state" to make the change and will eventually write all 4 targets back to the application hub. Going to edit state to change the rules requires unzipping the can file from the network server onto the profiler machine. If the profile/targets are large, this can be a very painful operation to accomplish a single boolean set, but this is how it is. If you make this change, be aware of the large behind-the-scenes work that the profiler is doing. Grumble, yell a bit, and then it will be done.

Fun with streaming - Great entertainment in isolation circles

Turn on the -x RadeRun switch so you get an isolated command prompt when you launch your next favorite streamed application. This assumes you have user updates disabled, which is the default.

cd c:\windows\system32
c:\Windows\System32>notepad.exe
< it runs >

c:\Windows\System32>type notepad.exe
< see textual gibberish - the file open succeeded for read access from CMD.exe >

c:\Windows\System32>copy notepad.exe n.exe
        1 file(s) copied.
< file copy was successful - n.exe is at the per-user layer of isolation >

c:\Windows\System32>type n.exe
< see textual gibberish - the file open succeeded for read access from CMD.exe >

c:\Windows\System32>n.exe
The system cannot find the file c:\Windows\System32\n.exe.

FIREWORKS HERE!

The isolation system LIED to the Windows Loader - returning ERROR_FILE_NOT_FOUND (2) rather than completing the loader's request to run this file from the user layer of isolation. This is what this setting does!

But wait, there's more!

c:\Windows\System32>copy n.exe notepad.exe
        1 file(s) copied.

c:\Windows\System32>notepad.exe
< it runs!! >

Why does notepad.exe succeed in the final case? Easy: there are two notepad.exes. At the per-user layer, there's a notepad.exe which was written on the file copy from n.exe. We don't care what this file is, but it is executable content and it exists at the per-user layer of isolation, and therefore it doesn't exist for purposes of running programs.

Since the "Enable user updates" setting is set to disable user updates, executable content at the per-user layer of isolation does not exist from the perspective of the Windows loader. BUT - at the physical layer, there does exist a file with that name and this can satisfy the file open without violating the isolation rules. There could also be a file with that name at the application installation image layer. In this example there wasn't, but there could be. The isolation system starts at the top and goes down until it finds a hit. If "Enhanced security" is enabled, then the per-user layer is "off-limits" for execution of executable content.
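The layered lookup and the loader-only rule described above, as an added toy model for this post (written here, not Citrix isolation-system code; the layer names, the Caller enum and the sample file contents are assumptions). It replays the isolated command-prompt session step by step and records which layer answered each open:

```python
"""Toy model of the three-layer lookup the post describes and of the 'Enable user
updates' rule. Written for this article, not Citrix isolation-system code; layer
names, the Caller enum and the sample file contents are assumptions."""
from enum import Enum

ERROR_FILE_NOT_FOUND = 2  # the Win32 error the loader was handed in the post


class Caller(Enum):
    APPLICATION = "application"  # ordinary read/write, e.g. CMD.exe's type/copy
    LOADER = "loader"            # the Windows loader mapping an image to execute


class IsolationStack:
    """Per-user layer on top, installation image below it, true machine at the
    bottom. Lookups walk top-down and stop at the first hit."""

    def __init__(self, enable_user_updates: bool = False):
        self.enable_user_updates = enable_user_updates
        self.user = {}     # per-user layer: where isolated writes are redirected
        self.install = {}  # installation image captured by the profiler
        self.machine = {}  # the real file system

    def _layers(self):
        return (("user", self.user), ("install", self.install),
                ("machine", self.machine))

    def open(self, path: str, caller: Caller):
        """Return (layer_name, data) for the first layer holding the file.

        With user updates disabled, content in the per-user layer is invisible
        to the LOADER (but not to ordinary readers): the search continues in
        the lower layers and fails with ERROR_FILE_NOT_FOUND if nothing else
        matches."""
        key = path.lower()
        for name, layer in self._layers():
            if key not in layer:
                continue
            if (name == "user" and caller is Caller.LOADER
                    and not self.enable_user_updates):
                continue  # executable content at the user layer "does not exist"
            return name, layer[key]
        raise OSError(ERROR_FILE_NOT_FOUND,
                      "The system cannot find the file", path)

    def write(self, path: str, data: bytes) -> None:
        """Any write from an isolated application lands in the per-user layer."""
        self.user[path.lower()] = data

    def copy(self, src: str, dst: str) -> None:
        """Models CMD.exe's 'copy': a plain read followed by an isolated write."""
        _, data = self.open(src, Caller.APPLICATION)
        self.write(dst, data)


def replay_post_session(enable_user_updates: bool = False) -> dict:
    """Replays the isolated command-prompt session from the post and records
    which layer satisfied each operation, or the error code returned."""
    notepad = r"c:\windows\system32\notepad.exe"
    n_exe = r"c:\windows\system32\n.exe"
    stack = IsolationStack(enable_user_updates)
    stack.machine[notepad] = b"MZ... real notepad image (constructed stand-in)"
    results = {}

    def attempt(label, path, caller):
        try:
            results[label] = stack.open(path, caller)[0]
        except OSError as err:
            results[label] = err.errno

    attempt("run notepad", notepad, Caller.LOADER)        # machine
    attempt("type notepad", notepad, Caller.APPLICATION)  # machine
    stack.copy(notepad, n_exe)                            # n.exe -> user layer
    attempt("type n", n_exe, Caller.APPLICATION)          # user: reads are fine
    attempt("run n", n_exe, Caller.LOADER)                # 2: hidden from loader
    stack.copy(n_exe, notepad)                            # user-layer notepad.exe
    attempt("run notepad again", notepad, Caller.LOADER)  # machine copy wins
    return results


if __name__ == "__main__":
    print(replay_post_session())
```

Calling replay_post_session(enable_user_updates=True) shows the other side of the switch: the loader then resolves n.exe from the user layer and the copied file runs.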

The grand result

The application "update" applied by the user may have been applied as far as the user or application is concerned, but in reality, it was not applied.  The version of the application that is running is the version that the administrator profiled.  Pretty cool stuff.

Why did we rename the setting?

Putting "security" in the title implies that this will somehow prevent users from doing things to run content that they download and this is not what it does.  If the program updates itself, then this setting will block that content from being executed.  The setting can also block user installed additions to the program (plugins), depending on the location to which they were installed - was it included as an isolation rule during profiling?

Take a web browser for example, if the user downloads executable updates to the browser, this will be captured and the user installed stuff won't run, but if the user downloads evil.exe and places it on their desktop, and then double clicks it - this will be outside of isolation so the layers here do not apply.   This is also true if the user downloads evil stuff to locations outside of isolation and launches it from the isolated application.  It will still run isolated, but it will run!  Describing this activity as "disable user updates" is more accurate than the previous words, so we've made the change.  I also hope that it removes confusion in the streaming profiler wizard.  "Enable user updates" is pretty easy to understand.

How should you create your profiles

1) Enable user updates should generally be "off".  Plugins are a rare need and where there is a real need for users to add plugins, start asking yourself if you can add those plugins at profiling to the common layer.  OR, if the use of user installed executable content is large, should this application be locally installed rather than isolated?

2) Always tell the application to NEVER update itself at runtime.

A look to the future

The streaming dev team is discussing removing this option from a future release. That is, "Enable user updates" will always be OFF. I'm not sure of all the ramifications of this yet. The question really is "how many admins are profiling their applications with user installed updates permitted?" I hope the number is "few".

Joe Nord

Product Architect - Application Streaming

Citrix Systems


posted by Futoshi Baba

Background
First of all, this is a relatively old article, but it was really interesting to me, so I am posting it today. The problem is that a user failed to pass through logon from the Linux ICA client v10.x to Citrix Presentation Server. It does not matter whether the server is Citrix Presentation Server 4.0 or 4.5. The most important thing is whether the ICA connection goes through WI 4.0 or not. Secondly, the specification for ICA file encoding changed somewhat between WI 4.0 and WI 4.5: with WI 4.0 it is based on S-JIS on the JA platform, while WI 4.5 is based on UTF-8. Finally, we assumed that the Linux client, a.k.a. the Unicode client, sends UTF-16 data to the server.

By default, for an ICA connection through WI, we use an ICA Ticket (a magic-number-like token) rather than the actual Domain / User information; it is converted to the actual Domain / User information properly within the server later. The ICA ticket has '\' as a prefix byte.

Debug Log
Here is an example in a case I met and investigated this.

'\' is 0x005C in S-JIS encoding, but 0x00A5 in UTF-16 encoding. ccticket!RequestCredentialsFromTicket2() receives the ICA Ticket in UTF-16 encoding in the Client - Host data structure in the case where the user fails to logon through WI4.0 to CPS40 HRP03 from the Linux 10.26 JA client. That means Linux Client 10.26 JA sends UTF-16 data to CPS40 HRP03. On the other hand, ccticket!RequestCredentialsFromTicket2() compares the UTF-16 data to '\', which means the 0x005C (S-JIS) value. Therefore ccticket!RequestCredentialsFromTicket2() never tries to convert the ICA Ticket to NTLM authentication data and passes it directly to GINA, so the user fails to logon in this scenario.

  • Normal Case
    kd> p
    eax=001134b0 ebx=77b78dba ecx=0011350c edx=00000000 esi=001134b0 edi=0000008e
    eip=67ef323f esp=0285ef00 ebp=0285ef84 iopl=0 nv up ei pl nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
    ccticket!RequestCredentialsFromTicket2+0x59:
    001b:67ef323f 6683395c cmp word ptr [ecx],5Ch ds:0023:0011350c=005c
    kd> dw ecx
    0011350c 005c 0035 0034 0033 0046 0042 0046 0034
    0011351c 0036 0032 0032 0036 0045 0043 0046 0041
    0011352c 0035 0000 0075 0073 0065 0072 0030 0030
    0011353c 0000 0033 0046 0031 0030 0030 0041 0032
    0011354c 0042 0031 0030 0046 0033 0034 0042 0000
    0011355c 0000 0000 0000 0000 0000 0000 0000 0000
    0011356c 0000 0000 0000 0000 0000 0000 0000 0000
    0011357c 0000 0000 0000 0000 0000 0000 0000 0000
  • Problem Case
    kd> p
    eax=0011b1e8 ebx=77b78dba ecx=0011b244 edx=00000000 esi=0011b1e8 edi=0000008e
    eip=67ef323f esp=028cef00 ebp=028cef84 iopl=0 nv up ei pl nz ac pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
    ccticket!RequestCredentialsFromTicket2+0x59:
    001b:67ef323f 6683395c cmp word ptr [ecx],5Ch ds:0023:0011b244=00a5
    kd> dw ecx
    0011b244 00a5 0030 0041 0033 0037 0038 0032 0034
    0011b254 0033 0044 0032 0042 0035 0038 0038 0043
    0011b264 0045 0000 0075 0073 0065 0072 0030 0030
    0011b274 0000 0031 0030 0042 0032 0031 0036 0036
    0011b284 0035 0033 0034 0041 0042 0030 0038 0000
    0011b294 0000 0000 0000 0000 0000 0000 0000 0000
    0011b2a4 0000 0000 0000 0000 0000 0000 0000 0000
    0011b2b4 0000 0000 0000 0000 0000 0000 0000 0000
  • Patching Data and Stack
    As follows, I configured a conditional breakpoint so that the debugger patches the stored 0x00A5 to 0x005C when WDICA.sys initializes the winstation driver credential member in the WDICA data structure through the second parameter of ICAWdCredentials(). As a result, I was able to log on to CPS 4.0 from the Linux client v10.x.

3 e f56aa5f6 0001 (0001) WDICA!ICAWdCredentials "kv; dw poi(esp+8)+d;ew poi(esp+8)+d 5c00;dw poi(esp+8)+d;gc"
kd> g
ChildEBP RetAddr Args to Child
f5afe1f0 f569eb44 8183c000 81883000 0000005e WDICA!ICAWdCredentials (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe244 f569f62a e103bfb1 00000000 01000061 WDICA!ProcessIcaPacket+0x436 (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe260 f56b371a 00597f41 818b5def 00000040 WDICA!ICAPacket+0x166 (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe49c f76ad194 8183c000 00000000 818b5def WDICA!WdRawInput+0x2e0 (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe4c0 f51ea2bd 8189619c 00000000 818b5def termdd!IcaRawInput+0x58 (FPO: [Non-Fpo])
f5afe4e4 f76ad194 81e51b68 00000000 818b5def pdcrypt1!PdRawInput+0x279 (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe508 f56cb723 81fb1eac 00000000 818b5dee termdd!IcaRawInput+0x58 (FPO: [Non-Fpo])
f5afe52c f76ad194 81a13008 00000000 818b5dee pdrframe!PdRawInput+0x63 (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe550 f5a2dfcb 81f8f2bc 00000000 818b5dec termdd!IcaRawInput+0x58 (FPO: [Non-Fpo])
f5afed90 f76ac265 818b5ca0 00000000 818d8660 TDTCP!TdInputThread+0x371 (FPO: [Non-Fpo])
f5afedac 809418f4 81986008 00000000 00000000 termdd!_IcaDriverThread+0x4d (FPO: [Non-Fpo])
f5afeddc 80887f4a f76ac218 81dce200 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

8188300d a500 4600 3900 4500 4300 3000 3900 3900
8188301d 4400 3000 3800 3500 4600 4200 3000 3200
8188302d 4300 0000 7500 7300 6500 7200 3000 3000
8188303d 0000 4300 4200 4300 3000 3100 4600 3700
8188304d 4400 3900 4100 3200 3500 3500 3400 0000
8188305d 0000 0000 0000 0000 0000 0000 0000 0000
8188306d 0000 0000 0000 0000 0000 0000 0000 0000
8188307d 0000 0000 0000 0000 0000 5400 0002 0000

8188300d 5c00 4600 3900 4500 4300 3000 3900 3900
8188301d 4400 3000 3800 3500 4600 4200 3000 3200
8188302d 4300 0000 7500 7300 6500 7200 3000 3000
8188303d 0000 4300 4200 4300 3000 3100 4600 3700
8188304d 4400 3900 4100 3200 3500 3500 3400 0000
8188305d 0000 0000 0000 0000 0000 0000 0000 0000
8188306d 0000 0000 0000 0000 0000 0000 0000 0000
8188307d 0000 0000 0000 0000 0000 5400 0002 0000
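As an added example (not code from the post or from Citrix), the following Python parses the two "dw ecx" dumps shown above, recovers the NUL-terminated UTF-16 fields, and contrasts the strict 0x005C comparison visible in the disassembly with a check that folds U+00A5 back to U+005C, which is what the conditional-breakpoint patch does in memory. The dump contents come from the post; the function names and the field numbering are this example's own.

```python
"""Added example (not Citrix code): parse the UTF-16 credential buffers dumped
above and show why a strict U+005C prefix check rejects a U+00A5 prefix."""
from __future__ import annotations

# "dw ecx" output copied from the post; the first column is the address.
NORMAL_CASE = """\
0011350c 005c 0035 0034 0033 0046 0042 0046 0034
0011351c 0036 0032 0032 0036 0045 0043 0046 0041
0011352c 0035 0000 0075 0073 0065 0072 0030 0030
0011353c 0000 0033 0046 0031 0030 0030 0041 0032
0011354c 0042 0031 0030 0046 0033 0034 0042 0000
0011355c 0000 0000 0000 0000 0000 0000 0000 0000
"""

PROBLEM_CASE = """\
0011b244 00a5 0030 0041 0033 0037 0038 0032 0034
0011b254 0033 0044 0032 0042 0035 0038 0038 0043
0011b264 0045 0000 0075 0073 0065 0072 0030 0030
0011b274 0000 0031 0030 0042 0032 0031 0036 0036
0011b284 0035 0033 0034 0041 0042 0030 0038 0000
0011b294 0000 0000 0000 0000 0000 0000 0000 0000
"""

BACKSLASH = "\u005c"  # what the server compares against: cmp word ptr [ecx],5Ch
YEN_SIGN = "\u00a5"   # what the JA Unicode client sent in its place


def parse_dw_dump(dump: str) -> bytes:
    """Turn 'dw' word-dump lines into the little-endian byte buffer they describe."""
    buf = bytearray()
    for line in dump.splitlines():
        cols = line.split()
        if not cols:
            continue
        for word in cols[1:]:  # cols[0] is the address column
            buf += int(word, 16).to_bytes(2, "little")
    return bytes(buf)


def split_utf16_fields(buf: bytes) -> list:
    """Decode a UTF-16LE buffer of NUL-terminated strings, stopping at the first empty field."""
    fields = []
    for field in buf.decode("utf-16-le").split("\x00"):
        if field == "":
            break
        fields.append(field)
    return fields


def looks_like_ticket_strict(field: str) -> bool:
    """The check the debugger shows: the first UTF-16 word must be exactly 0x005C."""
    return field.startswith(BACKSLASH)


def looks_like_ticket_lenient(field: str) -> bool:
    """Same check after folding U+00A5 to U+005C, i.e. the effect of the
    0x00A5 -> 0x005C patch applied with the conditional breakpoint above."""
    return field[:1].replace(YEN_SIGN, BACKSLASH) == BACKSLASH


def analyze(dump: str) -> dict:
    """Fields recovered from the dump plus the outcome of both prefix checks."""
    fields = split_utf16_fields(parse_dw_dump(dump))
    first = fields[0] if fields else ""
    return {
        "fields": fields,
        "prefix_codepoint": ord(first[0]) if first else None,
        "strict": looks_like_ticket_strict(first),
        "lenient": looks_like_ticket_lenient(first),
    }


if __name__ == "__main__":
    for name, dump in (("normal", NORMAL_CASE), ("problem", PROBLEM_CASE)):
        r = analyze(dump)
        print(name, hex(r["prefix_codepoint"]), "strict=%s lenient=%s" % (r["strict"], r["lenient"]))
```

The lenient check only demonstrates where the comparison breaks; the durable fix is for client and server to agree on the ticket encoding so that a code-page-sensitive sentinel such as '\' is never carried as the yen sign. A locale in which byte 0x5C renders as a different character, such as the Japanese code page, belongs in any regression test of this logon path.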

Global Escalation Manager Tokyo
-fb


posted by Sumit Dhawan

Windows 7 looks great

Like it or not, Windows 7 will be here soon. I am a new user of Windows 7 and it looks great! Definitely faster! I think that the adoption rate will far outpace not just Vista (of course) but also Windows XP. So chances are pretty good that there will be a rollout in your organization in the next 12 months.

But,...

Unfortunately, a migration could be disruptive, time consuming and can bust your budget.

Windows 7 represents a significant change as compared to XP. Apps that ran on XP may not run natively on Win7 without upgrading. The XP emulation feature on Win7 - the jury's still out on that. So, no matter what, you are likely going to have to spend a lot of time to test all of your applications in XP emulation or go buy upgrades to some of the apps and then do compatibility testing to ensure everything interacts the way it did in XP. In addition to spending 100's or even 1000's of dollars per user on these license upgrades, even a medium sized organization could spend millions on testing/integration/project management/installation.

Then, of course, there may be the cost of buying new PCs for the upgrade. If you have the luxury of time, you can just wait until the next refresh and ensure you get Win7 for some of your users. With this approach, you will have spent a chunk of money on planning Win7 app upgrades to just the first 20-25% of your user base and you will still be stuck with supporting PC desktops along with two OS platforms for years to come.

Finally, you need to manage somehow getting Windows 7 physically rolled out on all the end points that you manage. If you are lucky, they are all sitting in a single room - but for most of you this means end points everywhere. Also, since you did your last migration to Windows XP, you now have users that you didn't have in your previous migration - contractors, offshore, partners, you name it - you likely have it.

Time to think of the right plan

Can desktop virtualization help you with Win7 migration? Yes! In a big way: it makes the migration non-disruptive and helps you lower your costs.

  1. You can migrate to Windows 7 by installing it once in the datacenter without touching every end point.
  2. You don't need to refresh the hardware. Repurposing old PCs into thin clients can get you started quickly.
  3. Any application conflicts can be managed via app virtualization technology, which should be a key component of any virtual desktop project. App virtualization makes desktops so much easier to manage than dealing with multiple desktop images spread on multiple end points.

Once you have established a golden OS image with Win7, desktop virtualization will deliver Win7 to your old PCs essentially overnight.

The key is to leverage the right delivery technology for different end point devices. By judiciously applying OS streaming technology, you can leverage the local processing power in newer PCs and reduce the investment in data center infrastructure. This has a significant impact on the overall per user cost of the solution. Now, you will be able to get started with desktop virtualization by using the budget you have allocated for PC replacement and start reducing desktop management costs from that point on.

7 STEPS TO WIN 7
  1. KICK-OFF A PILOT FOR HOSTED VIRTUAL DESKTOPS TODAY - Kick off a pilot for virtual desktops today in order to experience the difference in management and user experience. This gets you started.
  2. SEGMENT YOUR USERS & EXPAND VIRTUAL DESKTOPS - Pick the right kind of virtual desktop for all your enterprise users. Expand your pilot to other office workers, remote workers and guest workers.
  3. INVENTORY & VIRTUALIZE YOUR APPS - Inventory all the apps that you have and identify the ones that get updated the most or will have compatibility problems with Windows 7. Virtualize these apps within your virtual desktop pilot. Either host the apps on dedicated servers if they are big, chunky LOB apps or stream them into the image (isolated) if they are productivity apps.
  4. PREPARE CLEAN & PRISTINE WINDOWS 7 IMAGE - Prepare the OS image that you plan to roll-out with Windows 7. Ensure that you only have one clean & pristine image for all your users - virtualize all other applications and separate them from your OS. Centrally update your virtual desktops to Windows 7 for instant experience for all.
  5. ROLL OUT WINDOWS 7 WITH VIRTUAL DESKTOPS FOR ALL ONLINE USERS - use a combination of delivery technologies for getting the best ROI and leverage of your existing PC refresh budgets and cycles.
  6. ADOPT OFFLINE VIRTUAL DESKTOPS - Once you are done with your online users, it will be time to expand local virtual desktops for your offline users. This is where you are using a technology such as XenClient to implement offline virtual desktops.
  7. GET OUT OF MANAGEMENT OF END POINTS - This is where you transfer the responsibility of managing the end points entirely out of IT; and give it to other groups. It could be facilities. Or, it could be the employees themselves - helping you implement a BYOC program.

Follow this process and be a hero - lead the migration without disruptions for a change! And, you will never need to worry about the disruption and costs of another OS upgrade!

It will be hard to argue that there will be a migration process that is simpler and less disruptive. So, our conversation should shift to evaluating the technology landscape - which technology can help you with this migration best. Of course - my advice would be - XenDesktop.

We will be talking more about this and more in our big desktop virtualization show - there will be thousands attending the online event - Secrets, Lies and VDI.

Finally, join others who are going through Windows 7 migration with desktop virtualization.



Power and Capacity Manager (PCM) is a feature of XenApp 5.0 Feature Pack 2. In this multi-part post, I will deep-dive on PCM configuration and trade-offs. I will assume you have a basic understanding of the feature; please look here for an introduction.

To use Power and Capacity effectively, you will have to define the power management and load characteristics of your workloads. You have to strike a balance: if you are too aggressive, you may overload servers or cause connection failures. If you are too conservative, you will limit the manageability gain and power cost savings.

All PCM policies are defined per "workload". A workload is a group of computers that publish the same set of applications. You configure the PCM workload name during the agent installation, and you can modify it by editing HKLM:\SOFTWARE\Policies\Citrix\XenAppPCM\WorkloadName

There are two important sets of configuration in PCM: the Session Capacity estimation and the Weekly power management schedule. I will describe Capacity Estimation in this post, and the Weekly Power Management schedule in Part 2.

PCM policies are based on the "Session Capacity" of each server and workload - i.e., how many sessions each server in a workload can host. The most basic concept in PCM is "Load Consolidation": instead of spreading sessions across all servers in the workload, we load a few servers up to an "optimal load". Optimal load is defined as a percentage of the server session capacity, so we must estimate the latter accurately. Also, most PCM policies reference "session buffers" and "available sessions", both of which require a server capacity estimate.

Our first attempt was to use the server Load Evaluators to estimate capacity. XenApp uses load evaluators to determine which server will process a connection request. The Load Index varies from 0 (no load) to 10,000 (maximum), so couldn't we use the load index (divided by 100) as load percentage? Not really. A server with 50 sessions and a load index of 5,000 won't necessarily behave well with 100 sessions. The key problem is that load index is only used to find the least loaded server, and the session capacity is irrelevant most of the time. Therefore most XA environments stick to the Default Load evaluator (cap at 100 sessions), even though the servers never host more than 30-40 sessions.

We felt that overloading the load evaluator to estimate capacity was dangerous. We wanted a "soft" estimation, that wouldn't cause problems if it was underestimated. Therefore PCM defines a new configuration called "Typical Session Capacity", which tells PCM how many sessions to expect for a particular hardware specification.

In the PCM console, select a workload, then the "Capacities" tab. Over there you will see one row per hardware specification - for example, in my XenServer setup I see "VM: Intel Xeon E5345 @ 2.33 GHz, 1 core, 512 MB". Select the hardware spec, then "Server Profile Properties..." in the actions pane.

You should configure the typical load as the number of sessions you know a server can host without impacting user performance. PCM will force IMA to load a few servers up to an optimal load, so this number has a direct impact on how many sessions will consolidate. The safest way to estimate this value is to start with the session high-water mark on your existing servers, and work your way up if you believe the server can handle more.

As an example, let's say you define typical load at 50 sessions. If you left the default optimal load configuration (70%), PCM will load servers up to 35 sessions before enabling other servers. Once all servers reach the optimal load, the load balance will behave as before - finding the least loaded server. Therefore, there's little risk in underestimating the typical load - at worst you will be back to pre-PCM load balancing!

OK, but what happens if the IMA load index gets to 10,000 before the server hits the optimal load? Good question! PCM constantly adjusts the server capacity based on the IMA load index. For this dynamic estimation, we assume the load index is linear: each session contributes the same way to the index, and new sessions will continue to do so - i.e., capacity = 10,000 * Current Sessions / IMA Load Index. PCM then uses the smaller of the static and dynamic estimations. In the example above, if the IMA load index was 5,000 with 10 sessions, PCM would reduce the capacity estimate to 20.

We have also exposed an advanced configuration if you want to use the IMA load index as the primary method to determine server load. This requires a more careful construction of the load evaluator - you have to adjust it so that the load index grows smoothly from 0 to 10,000. You would use this method if the session capacity varies too much - say, it's usually 100, but sometimes it can go up to 150. You would be wasting the last 50 sessions using the previous approach.

To model such a load pattern, go to the "Server Profile Properties" and select the "Advanced" checkbox. Enter the "Estimated Session capacity limit" - it would be 150 in this example. Now PCM will use the Typical session capacity only when the server is off-line or has zero sessions. Otherwise, it will use the IMA load index and the "estimated session capacity limit".

Why not set the typical session capacity to 150 in the example above? Well, if most of the time servers get loaded to 100, then PCM will over-estimate the server capacity when servers are offline. This will cause some grief during unexpected load events, when servers must be powered on to cover unexpected incoming sessions. So keep the "typical" value at what is the norm, and use the "estimated limit" to go the extra mile by adjusting load evaluators.
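To make the arithmetic concrete, here is an added Python example (not PCM's own code) that computes the capacity estimate, the optimal-load threshold and the number of servers load consolidation keeps busy, for both the basic "typical session capacity" mode and the advanced "estimated session capacity limit" mode described above. The post does not spell out exactly how the advanced mode combines the load index with the estimated limit, so modelling the limit as a cap on the load-index extrapolation is an assumption of this example; the function names are also its own.

```python
"""Added example (not PCM's own code): the session-capacity arithmetic from the post.
Assumption: in advanced mode the estimated session capacity limit caps the
load-index extrapolation; the post does not state the exact combination."""
from __future__ import annotations

import math

LOAD_INDEX_MAX = 10_000        # IMA load index ranges from 0 (idle) to 10,000 (maximum)
DEFAULT_OPTIMAL_LOAD_PCT = 70  # PCM default: fill a server to 70% of its capacity first


def dynamic_capacity(current_sessions: int, load_index: int):
    """Linear extrapolation: capacity = 10,000 * current sessions / load index.
    Returns None when there is nothing to extrapolate from (no sessions, or an
    idle load index), which would otherwise divide by zero."""
    if current_sessions <= 0 or load_index <= 0:
        return None
    return LOAD_INDEX_MAX * current_sessions / load_index


def estimate_capacity(typical: int, current_sessions: int, load_index: int,
                      online: bool = True, advanced: bool = False,
                      estimated_limit=None) -> float:
    """Capacity PCM would assume for one server.

    Basic mode: the smaller of the static "typical" value and the dynamic estimate.
    Advanced mode: the typical value only while the server is offline or empty;
    otherwise the dynamic estimate, capped at the estimated limit (assumption)."""
    if not online or current_sessions == 0:
        return float(typical)  # nothing measured yet: trust the static value
    dynamic = dynamic_capacity(current_sessions, load_index)
    if advanced:
        if estimated_limit is None:
            raise ValueError("advanced mode requires an estimated session capacity limit")
        return float(estimated_limit) if dynamic is None else min(float(estimated_limit), dynamic)
    return float(typical) if dynamic is None else min(float(typical), dynamic)


def optimal_load_sessions(capacity: float, optimal_pct: int = DEFAULT_OPTIMAL_LOAD_PCT) -> int:
    """Sessions a server takes before PCM starts filling the next one."""
    return int(capacity * optimal_pct // 100)


def available_sessions(capacity: float, current_sessions: int) -> int:
    """Headroom that PCM's "available sessions" policies see on a server."""
    return max(0, int(capacity) - current_sessions)


def servers_needed(expected_sessions: int, capacity: float,
                   optimal_pct: int = DEFAULT_OPTIMAL_LOAD_PCT) -> int:
    """How many servers load consolidation keeps powered on for a given demand."""
    per_server = optimal_load_sessions(capacity, optimal_pct)
    if per_server <= 0:
        raise ValueError("optimal load rounds down to zero sessions per server")
    return math.ceil(expected_sessions / per_server)


if __name__ == "__main__":
    # The post's worked example: typical 50 sessions, default 70% optimal load.
    print(optimal_load_sessions(estimate_capacity(50, 0, 0)))  # 35
    # Same server once the load index reaches 5,000 with only 10 sessions.
    print(estimate_capacity(50, 10, 5000))                     # 20.0
```

Underestimating the typical value only lowers the consolidation threshold, as the post says; the divide-by-zero guard in `dynamic_capacity` matters because a freshly powered-on server reports zero sessions and an idle index before it takes its first connection.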

Stay tuned for Part 2, with a deep-dive on the PCM power management schedule!

Update: Part 2 (Policies) posted here.

Learn more about Citrix XenApp 5 Feature Pack 2



posted by Scott Swanburg




Sometimes I wonder if people really connect the fact that Citrix Systems and Citrix Online are the same company.  I also wonder if people understand that the same company that completely dominates the hosted application and desktop market also is the dominant player in online collaborative services.  In fact Citrix Online products rank top 4 in the world among Software as a Service (SaaS) vendors.  Next time you see a GoToMeeting advertisement on Fox News, Discovery or whatever your favorite TV channel is... take a good look.  You'll notice at the end of each commercial a tie-in to Citrix.

Maybe one of the reasons that this connection is not readily understood is the market dynamic.  Could it be organizations using GoToMeeting or GoToMyPC may not be using XenApp or XenDesktop?  In fact the Online products are so easy to use, IT is rarely involved.  You merely sign up for the service and start to use the meetings, webinars, and other collaborative tools. 

So while I'm musing I also wondered how many service providers (or hosting companies) out there understand the value they would bring to one of their customers if they could bundle a collaboration service with other application/desktop hosting solutions.  Did you know that according to many analysts collaboration is the #2 revenue generator in an $8+ Billion Market?  It's just behind business grade email in terms of demand. 

The service from Citrix Online is so easy that I used it the other day to give a presentation to a customer in China.  That's right... I used my Internet connection from home (East Coast time was 10:00 P.M. - too late to be in the office) to do the presentation.  But what was really cool was pulling my PowerPoint up using XenApp, making changes securely over the Internet 5 minutes before the meeting and then firing up GoToMeeting in four different locations on three different continents.  What a business case in this new economy...Just think of all the applications your customers (SMB) have while they continue to grapple with shrinking travel budgets.

If you're in the hosting business and want to enhance your ability to service your customer, why aren't you in the Citrix Online Affiliate Program?  All you have to do is sign up, plaster one of the best brands in the world on your web site and begin to collect revenues for it.  Not quite ready to take the full steps to being an Affiliate but still want to make some cash?  Citrix Online also pays for referrals.  Sounds easy enough, doesn't it?  Now you can take your million dollar business and add another couple of hundred thousand to it.  Why would you not do this?  I dunno?

Seems like a pretty good idea to me.


posted by Craig Marinella

With the release of Feature Pack 2, the EdgeSight team has made some updates to both EdgeSight and EdgeSight for Load Testing. The key updates include:

EdgeSight 5.2 (for XenApp, Endpoints, and Virtual Desktops):

• Additional support for XenDesktop - Farm-wide monitoring and troubleshooting of virtual and physical desktops
• Support for the latest Citrix Receiver - Service Monitoring plug-in
• Microsoft Systems Center Operation Manager (MS SCOM) Support - Management pack connector
• Additional Operating System support - Windows 7
• New summary reports - XenApp, XenDesktop

EdgeSight for Load Testing 3.6:

• Service-based architecture - Easier to manage and does not require logged-in users for running the launchers
• Enhanced application security - When replaying scripts, allows for a basic level of authentication
• Intelligent Load Control - Ability to sense script execution & delays, and adjust accordingly (Introduced in 3.5)
• Xen Counters - Exposure of performance issues when XenApp is running on XenServer (Introduced in 3.5)

I've recorded a short video which gives a little more detail and a few screenshots in regards to the new EdgeSight functionality which you can find at http://www.citrix.com/tv/#videos/1164. In addition, there is a short ESLT 3.5 video from a month or so ago detailing those new features which is available at http://www.citrix.com/tv/#videos/666

Learn more about Citrix XenApp 5 Feature Pack 2




posted by Stacy Scott

I heard a great phrase recently "an embarrassment of riches" . I thought to myself...that is definitely what XenApp has become. There's nothing you can't do with it now. When it comes to virtualizing applications, you can deliver from a Windows Terminal Server, you can stream to a server or a client, and now with VM Hosted Apps, you can deliver from a workstation if the other two methods are not suitable. The user gets a seamless application that looks like it is running locally without ever being the wiser on what back end infrastructure is hosting the application. These days, you will be hard pressed to find an application that cannot be delivered with XenApp.

If you did not read my last post, I talked about considerations that you should take into account before selecting VM Hosted Apps (new in XenApp 5 Feature Pack 2) as your application delivery solution. If you are still deciding whether VM Hosted Apps is right for you, then go back to my first blog to help you with that decision. If and when you are convinced, come back and read below where I tell you how to set it up.

VM Hosted Apps components for application virtualization

These are the components that make up a VM Hosted Apps infrastructure:

  • Physical or virtual workstations with either Windows XP, Windows Vista, or Windows 7 installed. The Virtual Desktop Agent software and applications must be installed on these machines.
  • A Desktop Delivery Controller, which is the brains of the operation. It brokers connections to virtual desktops.
  • An IIS web server with the Web Interface software installed. The user connects to this web site to display the application.
  • Citrix Receiver, or the online plug-in standalone, installed on the client device

If you are already familiar with XenDesktop, then these are the exact same components that deliver desktops. The only difference between a VM Hosted Apps and a XenDesktop infrastructure is the license. No really, it's true! You need a XenApp license to deliver applications and you need a XenDesktop license to deliver desktops.

Follow me as we dig into this a bit deeper. The first component you need to install is the Desktop Delivery Controller (DDC) software which must be installed on a Windows 2003 Server only (we're working on WS 2008 support so hang tight). Use the software version that comes with XenApp Feature Pack 2 on the VM Hosted Apps media. It will require a database in order to complete the installation of the DDC. You can use Access, SQL, Oracle, IBM DB2 just like XenApp. But don't try to make it part of the same farm sharing the same physical database as XenApp, because it won't work. It must exist in a separate farm database.

Administering application virtualization with VM Hosted Apps

Next, you will administer the environment using the Delivery Services Console, formerly the Access Management Console (Yes we renamed it... again). You can use the console that is installed on the DDC by default or you can install the console on a separate machine. You are actually installing a rebranded XenDesktop Console, which means that if you already have XenDesktop you can use this new console to manage that as well. Since this console cannot be used to administer your XenApp farm, install both consoles on the same machine to make administration easier. When you do this, they will aggregate together in the same MMC snap-in automatically. We know customers hate separate consoles but it could not be helped in this release. If the two consoles are installed on the same machine, then administration will be less of a hassle.

Publishing VM hosted virtual applications

Publishing a VM Hosted App is nothing like publishing an application with XenApp. It is more like publishing a virtual desktop with XenDesktop. You run the Desktop Group creation wizard in the console and check the box "Use Desktop Group for VM Hosted Apps".

Don't forget to name the Desktop Group the same as your application and change the default XenDesktop icon to an application icon. The application name and icon you select are displayed to users when they log into Web Interface. Selecting this box, however, does not make the application available to users. Here is how you actually publish the application.

  • First, install the Virtual Desktop Agent software on the workstation image or vdisk you are creating.
  • Then after you install the desired application, place a shortcut for this application in the "SeamlessInitialProgram" folder located under \Program Files\Citrix\ICA Service.

You should only put one application shortcut in this folder; if other helper applications are needed, you can install them on the workstation and the main application will call them when necessary. If you are using Provisioning Services to dynamically provision desktops, then make sure these steps are complete on the workstation image before you save the virtual disk. If you are not using PVS, then be aware that you will need one virtual workstation for each simultaneous user, because multiple users cannot launch applications from the same workstation.

The last step is to make the application available to users by modifying your Web Interface site to add the VM Hosted Apps farm and point to the Desktop Delivery Controller. Web Interface is actually installed on the Desktop Delivery Controller by default. You can use that Web Interface server or you can use Web Interface from a standalone web server, as long as it is version 5.2 or above. You must have a XenApp web (aka web interface) or services site (aka pnagent site) configured in order to deliver your applications.

That's it! Now if you run into trouble, apply the same troubleshooting methodology that you would for XenDesktop.

Cris Lau the Product Manager for XenApp Feature Pack 2, hosted a TechTalk on how to configure VM hosted Apps in which Sr. Software Engineer Madhav Chinta demonstrated how to configure and publish a VM hosted application.

If you are a Citrix Partner you will soon have access to an Education sponsored Technical Readiness Learning Lab Series that focuses on VM Hosted Apps. The Learning Lab series offers you the opportunity to watch a CitrixTV video about how to configure VM Hosted Apps, then we'll let you log into a hands-on lab environment in the cloud so that you can play around with this feature using a step by step lab guide. Stay tuned for that!

Learn more about Citrix XenApp 5 Feature Pack 2



posted by Peter Schulz

There are some new articles posted on the Workflow Studio section of CDN. These will probably only be of interest to the developers and advanced workflow gurus out there, but I found them interesting and wanted to share (yes, I am a geek).

Keep in mind that most of the CDN sections for Workflow Studio are open to the general public to post and edit (be sure to share your workflows and activity libraries). The tips and tricks article was intentionally left open to all to edit - come on in and share. Make sure you bookmark the articles section, add it to your RSS reader, or just click on the Community tab from within Workflow Studio every time you open it.


posted by Peter Schulz

We have posted some initial XenApp workflows that demonstrate the capabilities in the new XenApp activity library. You can use these workflows to back up applications on your farm and then restore them to specific servers in your farm. These workflows are useful for backup purposes and can also aid in migrating applications between farms (e.g. QA to production).

XenApp-Backup Applications
XenApp-Restore Applications to Server

As always feel free to leave feedback in comments or email me directly.




Learn more about Citrix XenApp 5 Feature Pack 2



posted by Peter Schulz

With Workflow Studio 2.0 we officially support 8 different OS platforms (all on the latest service pack only):

  • Windows XP x86
  • Windows XP x64
  • Windows Vista x86
  • Windows Vista x64
  • Windows Server 2003 R2 x86
  • Windows Server 2003 R2 x64
  • Windows Server 2008 x86
  • Windows Server 2008 x64

We don't stop you from installing on unsupported platforms and the chances are pretty good that everything will work just fine. However, we know that everyone wants to use their product in a fully supported environment. As we plan for the next release, Windows 7 and Windows Server 2008 R2 will be available. To make sure we make the right decisions on which platforms we officially support I would like to get your feedback.

Please take the polls below to let us know which platform(s) you want to be able to use Workflow Studio with and whether you need 32-bit support only, 64-bit support only, or both:


posted by Joseph Nord

To use agent-less streaming or installed agent streaming; that is the question.

I have received inquiries recently - lots of inquiries on the same question actually - that all imply that "user mode" streaming and isolation is "better" than evil kernel driver streaming and isolation, because it doesn't have any kernel components.  This sounds exciting on first glance, but when you dig down the problem is more complex.  There are advantages to installed isolation systems and there are advantages to all user mode.  This blog shows some examples for both categories. 

To get it started, consider an isolation system's ability to load and isolate a Windows NT Service.  How can you isolate the execution of an NT Service if the isolation system itself runs at "user privilege"?  At user rights, the isolation system lacks the privilege to start a service that isn't already installed, so it can't run and isolate services unless the service is already installed outside of isolation.

Scalability is also a big concern.  It doesn't matter for a small system, but if you load the machine up with lots of users and lots of applications, having a separate copy of the isolation system for each application becomes problematic.

On the plus side for agent-less, it is really nice to NEVER need admin rights on the execution machine and this can help engage work from home or kiosk environments.    Another plus for agentless, the "attack surface" is smaller if there are fewer privileged components; this is the point that usually starts the conversation that "agentless is better".   Keep reading...

First, some definitions:

Agent-less streaming

Nothing is "installed" into the machine.  The isolation engine can run the profiled software without ANY components themselves being installed.  "Admin" rights are never required and the system usually embeds the isolation system and profiled application into a single .EXE image that is "executed" to run the isolation system and the isolated application.

Examples of agent-less isolation systems include ThinApp, InstallFree, XenoCode.

Installed agent streaming

With an "installed agent", parts of the isolation system are "privileged", they require an install time execution which usually includes the installation of at least one kernel mode device driver and generally also includes the installation of a NT Service that supervises the sandboxes that are active on the machine. 

Examples of installed agent isolation systems include Citrix Application Streaming and Microsoft App-V.  Even this is a simplification as the Citrix system uses kernel mode for process monitoring and file system filtering and USER MODE for registry filtering, which makes it kind of a hybrid.  App-V uses kernel mode for both.   The real key is that an installation step was required.  If you require an "install", you are a member of the installed agent camp!

Which is better?

The answer is simple: Mine! 

The real answer is that you have to ask what "better" means.  I mean, better at what?  Each of the systems has its advantages.

Consider installation

Not needing to install an agent is handy for some environments, especially where the execution machine is not company managed.  USB thumb drives were the original player here; you can take your application anywhere!  By contrast, if you're really running in a company environment, whether streaming to client, running on a XenApp Server or even in a XenDesktop hosted world, the installation of an agent is not a gate - the admin controls the base image and can install any agents that they want.  For more on this, see "security" below.

Consider scalability

Suppose you are running a heavily loaded XenApp Server.  Let's say 64-bit machines, with a 64-bit Operating System, a handful of high end CPUs and enough RAM to run 100 concurrent users, with each user running 5 distinct isolated applications.  How many isolation spaces is that?  100 * 5 = 500 isolation spaces.  If the isolation system is 100MB, that's 500 * 100MB = 50GB of allocated virtual memory just to load the isolation engines.  I made these numbers up, but stick with me on the concept.

How many separate copies of the isolation system do you want to load?  Answer: One would be nice.  

With kernel mode or NT Service isolation systems, you'll have ONE single code space for all of the isolation sandboxes, a bit of instance memory for each sandbox and other than that, you're off and going.

This too is an oversimplification.  For starters, the Citrix App Streaming case is a hybrid.  I haven't checked the memory footprint lately, but the kernel pieces are ONE and the registry and named object pieces are MANY, as these are implemented inside the isolation space.  To get back on subject for this post, think of it as ONE isolation system, because all "installed agent" systems are in the same camp.

Does agentless mean that there is really a separate isolation engine for each application?  Yes and no.  We tend to generalize this to say that the isolation engine is carried along with the application to be run.

If the agentless isolation system uses DLL references to get to the isolation engine, then the agentless system's memory load will be page-table shared across the images.  This is a function of the Windows NT PE loader and memory manager.  With a DLL load of the runtime, many pages of the 500 instances of the isolation system will be shared.  I don't know if the agentless systems use DLLs for the agent runtime, but if they don't, they could, and this will share the load.

Citrix App Streaming uses DLLs for the registry filtering, so the shared model here still applies (ONE).  

How to update the agent

If the isolation agent needs to be updated, how many application images do you have to update?  This is a plus and a minus for both again.  With installed agents, you update one and all the profiles/sequences benefit.

With agentless, you have to touch each of the isolation images.  Or, back to the DLL approach, you could achieve the same ONE update in agentless if you're using DLL based runtime.   

If you go with the "one app, one executable to distribute" model, then the isolation system is not shared and the memory usage on a XenApp hosted model will totally suck.  Prototypes will be great, but actual performance under load will be a heavy hit to single server scalability.  When it comes time to update the isolation agent, you'll have to touch all of the profiles to get things updated; or you can skip this as a plus toward not having to maintain anything once you profile it.

Consider security

There is a perception that if kernel mode components are involved, then it's less secure.  This is mostly a statement of "attack surface".  There are many privileged components in the machine and they are all candidates for attack.  The real headache with privileged components is that they have to be "installed", but the security aspects still apply and are real.  

If you're installed and you have power, then you can do powerful things.  The corollary is that if you are not installed and you don't have power, then you CANNOT do powerful things and this is as much a plus as a minus.

Consider that many agent-less streaming systems receive "yes" check-boxes in comparison matrices when discussing isolation of NT Services.  

Either you're USER MODE or you're not user mode, you can't claim to be both.  

A step back: NT Services are installed applications, with no GUI and no direct user interaction.  Services run under either a powerful system-defined account or a named user account with rights specified at install time.  "LOCAL_SYSTEM" and "LOCAL_SERVICE" are the common installation configurations and these equal "powerful".

In many cases, the reason that the programmer went through the pain to write a service is that they needed to do something with privilege and that was impossible from the user privilege application space.  This is why they are done in the service rather than in the application itself.

If the isolation system is agentless (user mode), and if that isolation system can load and isolate NT Services - and have that service work - then a boundary has been passed and the isolation system is no longer user mode.  Given that the agent itself would not be privileged, how can the applications that it runs be privileged?

Answer: The agentless streaming system requires the application services to be installed outside of isolation, and by installed, I mean REALLY INSTALLED.  This pretty much deletes the check-box for isolation of services.

Some NT Services likely CAN tolerate user mode execution under isolation, but for the general discussion, the answer will be that this breaks down and the service requires installation to the local machine - breaking the isolation boundary between the application and the local machine.

An "installed agent" isolation system CAN have the power to start services itself, and in this environment CAN run the service isolated.  This is only possible because the agent itself is INSTALLED and has power.  If the isolation agent is not installed, then the user cannot start isolated services and there's a pretty big gap in the claimed support of isolated services.  The services have to be outside of isolation and installed - they aren't isolated and the access to that service is not governed by the published application set.
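A check that follows from the discussion above, added here as an example and not code from the post: before trusting an agentless system's "isolates services" check-box, inventory the services your application depends on, see which are REALLY INSTALLED on the local machine, and note which run under the "powerful" built-in accounts. The service names are constructed placeholders, and the script assumes Windows PowerShell 3 or later for Get-CimInstance and [pscustomobject].

```powershell
# Added example (not from the blog post): report which of an application's
# NT Services are installed outside of isolation and how powerful they are.
# Constructed placeholder names; replace with your profiled app's services.
$RequiredServices = @('Spooler', 'ExampleAppSvc')

# Built-in accounts the post calls "powerful", as Win32_Service reports them.
$PowerfulAccounts = @('LocalSystem',
                      'NT AUTHORITY\LocalService',
                      'NT AUTHORITY\NetworkService')

function Get-ServiceIsolationReport {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # Win32_Service exposes the logon account (StartName); Get-Service does not.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            # Not installed here: a user-privilege engine cannot create it, so the
            # application will need it installed on the machine before it works.
            [pscustomobject]@{ Service = $name; Installed = $false
                               Account = ''; Powerful = $false; State = 'not installed' }
            continue
        }
        [pscustomobject]@{
            Service   = $name
            Installed = $true
            Account   = $svc.StartName
            # -contains compares case-insensitively, like Windows account names.
            Powerful  = ($PowerfulAccounts -contains $svc.StartName)
            State     = $svc.State
        }
    }
}

Get-ServiceIsolationReport -Names $RequiredServices | Format-Table -AutoSize
```

Any row marked Powerful is a service whose access is not governed by the published application set once it lives outside the sandbox.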

Consider application launch performance 

Now that Application Streaming 5.2 client is out (real-soon), I can describe the greatness of 2nd time application launch.  If a sandbox is running that will support this app, there is no longer ANY need to create an isolation space for a second, third or fourth application launch.   Creating an isolation space/sandbox/bubble is an expensive operation.  The 5.2 client's ability to skip this expensive operation will provide great benefits in launch speed.  I describe this briefly here, but need to write more.   

Can agentless do things to equal this application launch performance?  Can it toss execution over the wall to already running isolation spaces?  Probably, but as a big executable-based execution, by the time they run to make this decision, they will already have the isolation system mapped into memory, and it's big and, I'm betting, slow.  Bottom line, I'm looking forward to a new round of statistics with the 5.2 client - we should kick some major butt!  "Agent based" here has advantages, but this alone will not sway a discussion.

Consider central management

Both Citrix Application Streaming and Microsoft App-V are heavily predicated on the concept of communication with a back-end infrastructure and administrator driven management of the applications available to users and even preventing the execution of non-approved applications.

The applications are published to users (and in the App-V case, users or machines), and both systems communicate information back to the central authority to describe the use of applications.  App-V can even block the launch of applications based on license metering.  All of this is enabled because of communication with the back end, from an installed agent.

Can that communication be done from an agentless system?  Probably.  Is this done?  I'm not sure.  If it is done, is that something you really want happening from a user privilege component?

What applications are available to the user and how can I trigger the update of application content?  What applications have been actively used across my whole organization and which ones are published that the users really don't care about?  What applications should I focus my support on and which ones should I deprovision without telling anyone?  Do I have enough application licenses?  

All of these questions can be answered with back end information.  Agent-based makes this easier.  Having an NT Service hanging out to collect this information and centrally report back statistics is an opportunity for central management, control and monitoring of applications.

Then again - agent-less can get most of this too. 

For example, Citrix EdgeSight monitors application usage on a machine and reports this back to make truly beautiful reports that tell the admin what has been happening on their machines.  It doesn't matter if the applications are isolated or not isolated, the EdgeSight monitoring system still sees them and can report on usage.  This happens for Citrix Application Streaming and can just as easily occur for an agentless isolation system.

Conclusion 

Is agent-less better or is agent based better?  The answer really depends on how the whole system will be architected and what control the administrator has on where the agent will be installed.   Both have advantages.

Joe Nord

Product Architect of Citrix Application Streaming (An agent based isolation system)

Citrix Systems - Fort Lauderdale, FL


posted by Stacy Scott

I am sure by now you have heard about this great new way of virtualizing applications with XenApp called VM Hosted Apps - now in Feature Pack 2.  We have been talking it up everywhere, from Citrix sponsored events such as Synergy, to blog postings, to webinars, etc.  The feature allows you to deliver applications to end-users from a virtual workstation.  The traditional method of delivering applications with XenApp is to install or stream the application to the server or to the client device.  This new feature is by no means designed to replace this traditional method.  As a matter of fact, we expect VM Hosted Apps to be far from mainstream.

VM Hosted Apps isn't one of those features that you simply spin up and see what happens.  First, it has totally different components than the typical XenApp customer is used to.  In this version, you'll have a Desktop Delivery Controller (DDC) that uses a separate farm database and a new MMC snap-in that is separate from the traditional XenApp infrastructure.  Your application is installed on and delivered by a workstation that communicates with the DDC, which is responsible for brokering connections to the virtual workstation.  It's not hard, but it certainly isn't as simple as the rest of the XenApp infrastructure.  That doesn't change the fact that VM Hosted Apps is a brilliant idea.  I want to encourage you to check it out, and to help make it easier, I've included a few helpful hints below.

To have an efficient setup, you will need:

  • Some type of server virtualization infrastructure.  You can pay for one from those _other_ guys or you can use XenServer, which is free!  Your choice, but it's a pretty obvious one.  That is, unless you plan on purchasing extra cooling devices after placing large numbers of physical desktops in your data center (RE: blade PCs).
  • One workstation for each concurrent user.  Once you decide where to host the workstations, you will need to determine how you are going to get the workstation operating system onto the physical or virtual machines.  It supports Windows XP, Windows Vista, and Windows 7.

An example best illustrates how important this decision is.  Let's say you are the administrator for a large company with thousands of end users.  The company wants to deliver a highly specialized application that is not Terminal Services compatible.  The application vendor only supports this app on Windows XP.  VM Hosted Apps is the feature for you only if you are sure that the app won't work on Terminal Services and that streaming the application is not appropriate either.

Now that Citrix provides three methods of delivering applications, your thought pattern should follow something like this.

  • Can I install or stream the app to my XenApp Terminal Server?
  • Can I have it streamed to the client device? 

If the answer is "No" to both questions, then VM Hosted Apps is the logical choice.  Aside from the new skill sets that your Citrix Administrators will need to attain to administer this appropriately (XenDesktop, Provisioning Services, XenServer), you need to consider the Microsoft aspect.  You will need to purchase Microsoft's VECD licenses to license those virtual desktops.  One good thing about VECD licenses is that one license is good for 1 physical device and connections to 4 Windows virtual machines.  The bad news is, you must renew the licenses yearly.  So you will be paying repeatedly, unlike Terminal Services licenses where you pay just once.

Once you know what you are getting into when using VM Hosted Apps, and you determine that this solution is right for you, here are some best practices that might help you stay out of the long dark rabbit hole that troubleshooting a bad setup can get you into.  Make sure your DNS and Active Directory are flawless.  Virtual desktops find and register with Desktop Delivery Controllers using something called a Service Connection Point (SCP).  SCPs are a feature of Active Directory and allow services to be published so that they can be found by different components.  If you keep getting strange errors in your event viewer that relate to Active Directory, I highly suggest you fix them before embarking on a VM Hosted Apps setup.  Use utilities like Active Directory Explorer to help you determine the state of Active Directory.  The next culprit that could derail your setup is DNS.  Forward and reverse lookup must be configured and working properly.
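One way to do the DNS homework the paragraph above asks for, added here as an example rather than anything from the post or the product: resolve each Desktop Delivery Controller and virtual workstation forward, resolve the returned address back, and flag any host whose PTR record does not point at the same name. The host names are constructed placeholders; the script uses the .NET System.Net.Dns class, so it works in Windows PowerShell 3 or later on any era of Windows.

```powershell
# Added example (not from the blog post): check that forward and reverse DNS
# agree for the DDCs and virtual workstations before building VM Hosted Apps.
# Constructed placeholder names; replace with your own FQDNs.
$Hosts = @('ddc01.example.local', 'vmws01.example.local')

function Test-DnsRoundTrip {
    param([string[]]$HostNames)
    foreach ($h in $HostNames) {
        $result = [pscustomobject]@{
            Host = $h; Forward = ''; Reverse = ''; Consistent = $false; Error = ''
        }
        try {
            # Forward lookup: name -> IPv4 addresses (@() keeps a single hit an array).
            $addrs = @([System.Net.Dns]::GetHostAddresses($h) |
                       Where-Object { $_.AddressFamily -eq 'InterNetwork' })
            if ($addrs.Count -eq 0) { throw "no IPv4 address record for $h" }
            $ip = $addrs[0].IPAddressToString
            $result.Forward = $ip
            # Reverse lookup: address -> name, which needs a PTR record in the
            # reverse zone (the part most often missing in a broken setup).
            $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
            $result.Reverse = $ptr
            # The PTR must hand back the same FQDN; DNS names are case-insensitive.
            $result.Consistent = ($ptr -ieq $h)
        } catch {
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

Test-DnsRoundTrip -HostNames $Hosts | Format-Table -AutoSize
```

Any row with Consistent = False or a non-empty Error is a DNS problem to fix before the virtual desktops try to register with the DDC.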

Now let's go back a bit.  One of your first decisions was how you were going to deliver those 100 desktops/virtual machines to your end-users that needed to use that specialized application.  Will you build 100 desktops manually?  Even though you can use private virtual machines for each user, you should try to avoid it if you don't need it.  Instead, the most efficient way to do this is with Provisioning Services.  You will get Provisioning Services for use with VM Hosted Apps in XenApp Enterprise Edition or higher.  Use Provisioning Services to create a virtual disk with the OS already installed and configured, and then stream that OS from the centralized vDisk to create as many virtual workstations as you need.  It will even spin up these machines on demand.  The downside is, if you don't already know how to use PVS, this is yet another skill set that you will need to attain to support VM Hosted Apps.

As a readiness instructor, my job is to deliver the naked truth.  While at times it may seem like I am describing reasons not to use this feature, this couldn't be further from the truth.  VM Hosted Apps is a powerful feature, and if you already know how to set up XenDesktop and PVS, then this should be a breeze for you.  If not, learning how to set it up will give you the bonus of preparing you for the world of desktop virtualization in general, so it is certainly not niche expertise.  As homework (I am a teacher after all), go to Citrix eDocs and do your homework before you do ANYTHING.  Then get on that white board and draw a design depicting where these new components that you just learned about are going to fit in your environment.  Then get out your calculator, calculate your budget needs and get organized.  Again, great feature... but if you want to succeed you've got to do your homework!  I am working on CitrixTV recordings to walk you through the setup, so look out for that.

Since this feature has generated so much buzz, I just posted Part 2 to take you through the components and configuration.

Follow me on Twitter http://twitter.com/StacyCitrix

Learn more about Citrix XenApp 5 Feature Pack 2
