
posted by Joseph Nord

I get this question less often recently than I used to but it still shows up.  

  • Can Application Streaming be ported to Apple Mac or Linux? 

The question is usually based on the idea of wanting to run XenApp published streamed applications in an isolation system on the foreign operating system.  That is, to bring streamed Windows applications to the other system. 

You can insert your favorite operating system in the above list, but the answer remains the same: no.

APPLICATION ISOLATION is about changing things and lying to applications so that they think they are doing one thing when they are really doing another.  Fundamentally though, the executed application is still a "native" application for the operating system.  The executed Windows based application is still a Windows based application and it will not run unless something exists below to satisfy the Windows APIs.  The application won't even load unless the Windows loader brings it into memory.

Can you use App Streaming on Mac?  SURE! 

Insert your favorite MACHINE virtualization system such as Parallels, install Windows into the virtual machine, install the streaming client (aka: offline plug-in) and then run all the applications streamed that you want.  This works fine! 

Is it "streaming" to the Mac?  No! 

I see people around Citrix doing this all the time.  They run streamed MS Outlook 2007 and happily check their email and do many things of their job, all day long with lots of apps.  Many of them spend most of their day inside the Windows environment of the Mac machine.

In this usage, I call the MAC the ...

  • THE WORLD'S LARGEST WINDOWS LOADER!

For the non programmers in the room, the "loader" is the component of the operating system that is responsible for bringing the operating system to life.  The quick version goes something like this:

The machine powers up and a whole bunch of things happen, but eventually the hardware kicks off the machine loader from ROM in "real mode" at address CS:IP FFFF:0000, and this kick-starts the BIOS.  The BIOS has the job of finding a 512 byte sector of disk, loading it into memory and "jumping" to it.  From the BIOS perspective, at this point the machine is "booted".  The 512 byte initial loader brings in a bigger loader, which brings in a bit more, which brings in a primitive part of the operating system, which brings in some "boot" device drivers such as "disk" boot load device drivers, which brings in more of the operating system, which loads more device drivers, like NTFS, enables paging and does a bunch more stuff until you eventually get a machine, running and ready to do useful work.  You can make a career out of any of these activities.

In my mac example without machine isolation, the Mac must boot first and once it's done, it loads the virtual machine thingie which "powers on" the x86 box, which does a bunch of things, which then runs from "ROM", which is really "RAM" and jumps to a "real mode" address FFFF:0000 and then boots the Windows machine.

This continues on until the Windows box is ready to do work => ergo, the Mac is the world's largest Windows loader.  While boot sequences are fun, I am way off topic.  

Can you run App Streaming based apps on a non-Windows platform?

Answer the question with a question:

  • Can you run WINDOWS based applications on a non-Windows platform?  Answer no.

Sometimes this answer receives a follow up: Have you considered adding this capability?

Now, a white-board is needed.  We use a white-board because nobody has chalk-boards anymore.  Frankly, I prefer the old style because they could be readily and reliably erased, but I'm digressing away from the topic.

How much slower does a streamed app run compared to a locally installed app?

Answer: They are the same!  CPU wise, it's the same.  A process is a process is a process and program code is program code.  The isolated app runs NATIVE on the machine.  It is loaded by Windows and the app uses Windows to do things that apps do with Windows. 

Eventually, the program may call a Windows API, such as RegOpenKeyEx or CreateFile.  When this happens, the program execution takes a brief side journey through the isolation system where the parameters to the API are "adjusted" to make the application run inside of an "isolated environment".  This is how the layers of glass are implemented.

The application is still an application and it is still dependent on the Windows machine for running the application.  Things do get a bit more complicated because even DOS apps running on the Windows machine can be isolated (link), but fundamentally, Application Isolation "adjusts" the execution of applications that are running native on the Windows machine.

Finally, the question can be answered: You can't run "isolated" Windows apps on a non-Windows machine, so there is no point in worrying about running App Streaming under MAC or Linux or others.

What about App Streaming to Windows XP Embedded?

Sure, that will work and this has been done. 

What about App Streaming to Linux under Wine?

Sounds like an interesting activity.  I'm quite sure it won't work, but there could be other neat things.

Enjoy!

Joe Nord

Citrix Product Architect - Application Streaming and User Profile Manager
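The post above describes isolation as a detour through a hook that "adjusts" the parameters of calls like CreateFile or RegOpenKeyEx while the program itself keeps running natively. The following is an added example, not Citrix code or the actual App Streaming implementation: a toy model of that layering in Python, where reads search a stack of namespaces top-down, writes are always redirected into a per-user layer (copy-on-write), and deletes leave a "whiteout" that hides the lower copy. The layer roots, paths and file contents are constructed for the demo; the on-disk cache location is hypothetical.

```python
"""Toy model of API-level application isolation.

Added example, not Citrix code. An isolation system hooks calls such as
CreateFile or RegOpenKeyEx and rewrites the path argument before the real
Windows API runs; the program still executes natively. The "layers of glass"
are modelled as a stack of namespaces: reads search top-down, writes are
redirected into the user layer (copy-on-write), deletes leave a whiteout.
Layer roots, paths and file contents below are constructed for the demo.
"""
from __future__ import annotations

import ntpath
from typing import Optional

WHITEOUT = object()  # marker: deleted in this layer, hides anything below


def norm(path: str) -> str:
    """Canonical Windows path: case-folded, '..' resolved, so a hook cannot be
    bypassed by spelling the same file two different ways."""
    return ntpath.normcase(ntpath.normpath(path))


class Layer:
    def __init__(self, name: str, root: Optional[str], files=None):
        self.name = name
        self.root = root  # hypothetical directory backing this layer; None = the real system
        self.files = {norm(p): data for p, data in (files or {}).items()}

    def backing_path(self, virtual: str) -> str:
        """Path the hooked API is really handed: C:\\App\\x.ini -> <root>\\c\\app\\x.ini"""
        if self.root is None:
            return ntpath.normpath(virtual)
        return ntpath.join(self.root, norm(virtual).replace(":", "", 1))


class IsolationEnvironment:
    """Layers ordered top (user) to bottom (the real system)."""

    def __init__(self, user: Layer, install: Layer, system: Layer):
        self.layers = [user, install, system]
        self.user = user

    def resolve_read(self, path: str):
        """What a hooked CreateFile(GENERIC_READ) actually opens:
        (layer, backing path), or None if the file exists nowhere."""
        key = norm(path)
        for layer in self.layers:
            if key in layer.files:
                if layer.files[key] is WHITEOUT:
                    return None
                return layer, layer.backing_path(path)
        return None

    def read(self, path: str) -> bytes:
        hit = self.resolve_read(path)
        if hit is None:
            raise FileNotFoundError(path)
        layer, _ = hit
        return layer.files[norm(path)]

    def resolve_write(self, path: str) -> str:
        """A hooked CreateFile(GENERIC_WRITE) is always pointed at the user layer.
        If the file exists only below, copy it up first so the install root
        and the system stay untouched."""
        key = norm(path)
        if key not in self.user.files and self.resolve_read(path) is not None:
            self.user.files[key] = self.read(path)
        return self.user.backing_path(path)

    def write(self, path: str, data: bytes) -> str:
        backing = self.resolve_write(path)
        self.user.files[norm(path)] = data
        return backing

    def delete(self, path: str) -> None:
        self.user.files[norm(path)] = WHITEOUT


def demo_environment() -> IsolationEnvironment:
    """Constructed sample: one system file, one streamed app, empty user layer."""
    system = Layer("system", None, {r"C:\Windows\win.ini": b"[fonts]\r\n"})
    install = Layer("install", r"\\fileserver\apps\App-1.0", {
        r"C:\Program Files\App\app.exe": b"MZ...",
        r"C:\Program Files\App\config.ini": b"color=blue\r\n",
    })
    user = Layer("user", r"C:\Users\joe\AppData\Local\IsolationDemo\App-1.0")
    return IsolationEnvironment(user, install, system)


if __name__ == "__main__":
    env = demo_environment()
    cfg = r"C:\Program Files\App\config.ini"
    print("read resolves to:", env.resolve_read(cfg)[1])
    print("write redirected to:", env.write(cfg, b"color=red\r\n"))
    print("app now sees:", env.read(cfg))
    print("install layer still has:", env.layers[1].files[norm(cfg)])
```

The thing to notice is that nothing here executes application code: the model only decides which real path the unmodified Windows API is handed. That is exactly why it cannot be ported to a machine with no Windows API underneath it.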


posted by Scott Swanburg


It's always best to define a topic such as this, especially in light of the fact that "X as a Y" has been loosely connected to Cloud Computing in every way imaginable.  IT as a Service is no different.  Although several articles have been written about IT as a Service, the underlying core elements have not.  To really understand how we can approach something as monumental as the topic, we have to break it down into its core sub-elements, namely Software as a Service, Desktop as a Service and Platform as a Service.

Software as a Service (SaaS) - commonly defined by web based applications, this technology approach allows for the delivery of applications from a location separate from the local end device (PC, MAC, Mobile, etc).  This can be accomplished by utilizing a web browser to access the application or an application may be virtualized and transported to the end device.  In either case, the application is generally loaded in a central data center and delivered via LAN, WAN or open Internet connection.  In most cases web based applications are delivered over the Internet to the end device.  This gives rise to the notion that applications of the future will not be the sole responsibility of an Enterprise IT group.  Although the group may administer certain aspects of the applications and resulting end user data, the application itself is owned and core administration is done off-premise at the site of the application owner's facility (usually known as an Independent Software Vendor or ISV).  Some applications are being re-developed for this environment.  Microsoft Office 2010 is a perfect example.  Whereas previous releases have required the expert administration of the local (on-premise) IT personnel, the design of Office 2010 is much different.

To seed the market and the new approach, Microsoft is offering up 'light' versions of Office 2010 free of charge, delivered over the open Internet.  The target audiences for this product are consumers and 'light' users who will only require a fraction of the capabilities of the Office products.  Other companies, such as Salesforce.com and Citrix (GoToMeeting) have created this new paradigm.  Microsoft (and others) are merely following suit to what is an emerging mechanism for the delivery of applications.  Business owners and executives looking for a way to circumvent expensive IT infrastructure and personnel are looking at SaaS as a way to augment (or dissolve completely) their Information Technology groups.  There are technologies available today that enable locally run applications to be delivered in a SaaS model.

Desktop as a Service (DaaS) - One of the more confusing approaches under the IT as a Service mantra, DaaS recognizes that the ultimate goal is to connect a person to a machine.  In other words, an application is only a portion of what any user does on a personal computer, thin client or smart phone.  Where SaaS focuses on the individual application, DaaS focuses on the Individual.  DaaS allows not only applications to be delivered to an end device from a LAN, WAN or open Internet, but associates specific characterizations such as icon placement, desktop settings, interaction between desktop applications and interaction between an operating system and the applications.  There are many forms of DaaS including but not limited to Virtual Desktop Infrastructure (VDI).  In DaaS, anytime an end user wants access to his or her applications and data, the entire desktop is presented to them based on their individual (personalized) set up.  By using certain technical approaches, many of these characteristics can be delivered to the end user as well without the encumbrance of a direct connection with the operating system.  Client hypervisors are emerging to further arbitrate the hardware and associated operating systems from the applications and data themselves.  In parallel, server based computing has been a means to accomplish both the delivery of applications and the entire desktop.  The critical path to success for any DaaS approach is to understand the end users' requirements and then deliver a technology approach that meets the demand.  DaaS implementations are becoming more commonplace but come with a cost.  By definition application delivery utilizes less bandwidth and server capacity than an entire desktop.  For service providers this is crucial as the offerings tend to be in the hundreds of thousands if not millions of subscribers from a single data center.

Platform as a Service (PaaS) - Once again PaaS has many definitions but seems to be concentrating around the notion that in order to develop structured environments (whether for Information Technology or for Software Engineering) there needs to be a mechanism to manage and control all of the pieces of the system.  As data centers (whether on-premise or off-premise) become more virtual in the way in which applications are loaded, delivered and managed, a need is arising to create a platform by which to simplify the work and workloads.  This platform is really the orchestration of many different elements of a data center.  For instance, in the Applications Platform as a Service (APaaS) model, software development is accomplished as a virtual entity.  All of the available resources (memory, CPU, UI, O/S) are made available to the developer on virtual machines and software images stored for execution off-premise.  This allows for rapid development cycles and on-the-fly iterations of production code. 

In a production software delivery environment, the 'platform' is managed via a "universal management console" where virtual servers, O/S and applications can be stored, delivered and recovered with ease.  In either case, the PaaS approach is used to provide an endless means of flexibility and efficiency by arbitrating the physical hardware from the developer and the end user.  Many of the technologies required for this approach are already available but the System Level Management to easily manipulate the information and provide secure access are embryonic.  Service providers who will need agility and scale that a PaaS can offer will need a fully integrated solution to make this approach a reality.

When we roll all of this together we begin to see the possibilities and the challenges.  Each of these approaches brings benefits to what we have previously known as on-premise IT.  IT as a Service then is the combination of SaaS, DaaS and PaaS in order to deliver a simple, manageable, secure ecosystem which always has one common denominator...  The end user.  When considering buying or selling any or all of these approaches, the most beneficial way to start is with the end user.  Critical questions need to be asked in order to determine the right fit.  What are the end user needs?  When is it appropriate to use SaaS vs. DaaS?  How will a PaaS implementation be managed and what are the critical elements of the system?  Once this has been determined, a reasonable TCO/ROI model can be built with the end customer's needs in mind.  Without answering these questions, we merely replace one technology with another and potentially the ability to exponentially expand a bad Information Technology approach.


posted by Joseph Nord

As the Citrix Architect of Application Streaming AND Architect of Citrix Profile Manager, you might infer that I'm interested in leveraging one technology to help the other. 

Background on roaming profiles and Citrix Profile Manager

First, background on Windows "roaming profiles" and similar.  Consider that when a user logs onto a machine, the logon activity must "roam" or "copy" the network stored version of the user's profile onto the execution machine.  In the general sense, everything on disk beneath %USERPROFILE% or C:\Users\username will be copied onto the execution machine at logon and then copied back to the central store at logoff. 

During logon, this is a "large" consumer of logon time where it consumes perhaps the largest portion of the overall logon clock.  With roaming profiles, this full copy happens every time, but with efficient systems such as Citrix Profile Manager, the "copy" is actually a "sync", so the copy happens really fast and the copy back is limited to only the files that changed.   While this also speeds logoff time, let's stick with the value of logon time because ... nobody cares how long it takes to logoff.

Where all of this stuff gets more interesting is when you consider a user logging on to XenApp hosted session or logging onto a hosted XenDesktop session where a common disk image is used for the base operating system.  Notice that in each of these hosted cases, the user's profile on the execution machine is initially "empty" and it will be initially "empty" on every logon.  This means that the glorious logon sync that the Citrix Profile Manager does at logon will actually be a "full copy" and here, it starts to behave with the same inefficiency as the base operating system profile solution because it will be a full copy at EVERY logon.  We like to do better than this.

For a more detailed introduction to Citrix Profile Manager, consult this Sepago white paper.  Recall that Citrix Profile Manager is based upon the Sepago Profile technology that Citrix acquired some time back.

Use "streaming" to solve profile population
Logical move: Instead of copying stuff onto the machine at logon, use isolation technology to LIE to the system to tell it everything is copied local when it is really still on the central store.  Eventually, when the system or an application references stuff in the user profile, go fetch it and make it present.  This is "just in time" population and it has the promise to greatly improve logon time in a hosted environment.

For JUST IN TIME population, the bet goes, some large portion of the user profile will never be referenced, so you save big on the logon speed and you save big on the runtime because much of what exists in the user profile will NEVER be copied to/from the central store.  This means that using a just in time profile solution will save LOTS of time for logon, and this is a great benefit!

Great - How much quicker?

The answer: LOTS QUICKER!

Yes, but do you have a number?

I'd like quote: Just in time Profile Manager speeds XenApp logon by 100%  

My gut says that the number is closer to 40% - 50%, but I don't have any hard evidence and thus the premise of this blog post...

Getting a "number" is harder because the answer is that "it depends".  Marketing people and customers prefer hard integers.  The integer number is hard to dream up because the answer depends on the size of the user's profile and the efficiency of network activity to/from the central profile store to the execution physical machine or virtual machine.  The BIGGER the profile, the more efficient.  If the profile is zero size, then JIT doesn't do anything, and if the profile size is infinite then the JIT logon benefit is also without limit.

So, the answer for the logon value of just in time is somewhere between a 100% benefit and 0%.  This doesn't help.

Let's go with an example:  The profile on my primary computer is 11GB, yes Gigabytes.   I could be a rare case.  This is pretty close to "infinite" so I will save plenty in an average logon.  

It turns out that 10 GB of my 11 GB profile is a TrueCrypt encrypted hard disk container.  I'm sure glad I'm not copying that down from a central store on each logon!  In a hosted VDI, I would be.  Technically, I'd store stuff differently, but in concept I'd be copying this down.  In a hosted XenApp execution with just in time, I would never copy down this file so Joe's benefit of just in time will be either 0% or 100% and nothing in the middle.  This still isn't helping me come up with a number.

For my normal machine, I am not connected to profile manager or a roaming solution or even to a domain, so my system may not be the perfect example.   As XenDesktop becomes more and more prevalent though, the strange things that users do to populate their user profile will make examples of users doing stupid things like placing 10GB files into the user profile more and more common.

If you are using the same profile for the primary hosted desktop as well as numerous XenApp server based app executions, you experience the victory!  Only ONE of them will be accessing that really big file.

In my case, the primary machine will access the really big file, but all the "vacation request" and similar applications that I run will run on another computer, where the really big file will never be referenced.  Using just in time population of the user profile, the majority of my logons and I'll say that ALL of my quick in/out sessions will have a HUGE benefit to not copying down that 10GB file!  This will make my logon time benefit near 100% on these other sessions and near 0% on the machine where I do access that single file that is 90% of my user profile!  

It is much better to quote percentages on something like this, so the time saved will be some percentage of the overall logon time and the LARGER the user profile, the HIGHER the savings!  Okay, we're getting closer.

Right - what's the number to quote?

Let's start with a formula:

  • TimeSaved = TotalTimeWithoutJIT - TotalTimeWithJIT;
  • PercentFaster = (TimeSaved / TotalTimeWithoutJIT) * 100%;

How to calculate "TotalTime"?  This number will be the sum of the entire logon, nobody cares how much more efficient the roaming profile copy is, they want to know how many SECONDS this will save on logon time and how much of a percentage faster the logon time is. 

This requires breaking down the logon time of a "NORMAL" logon.  What is a "normal" logon?

Need to have: Computers that are representative of a "normal IT shop".  Need networks that are also representative of the "normal world" and network servers and end user machines that are "normal".  Must simulate some kind of load on these machines or just take it as a given that the load during the test will be similar to all the other stuff going on with the test network at the time of the measurement.

The key ingredients are:

  1. Size of the user profile.
  2. Speed of the network.
  3. Overall logon time 
  4. Logon time used to copy the full user profile

Given the above, we trigger the measurement to figure out how much time is profile population and poof!  Take the total logon time, subtract out the portion spent copying the user profile without JIT and ... We have a number!

What's that number again?

What is the SIZE of an "average" user profile?  What is the average file size?  How many files are "normal". 

Do normal users have giant files inside their user profile?  Yes, they do!  If you have ever copied a .MPG file or .MP3 onto your desktop, then you're as guilty as I am.  The PROFILE WILL GROW and will be large.

How large?

We need to exclude some files.  What about the files that will NEVER copy onto the execution machine even ignoring just in time.   Some stuff like "My Documents" will not be roamed, but will instead be accessed straight off the network via folder redirection.  This is "standard procedure" for setting up profile environments and here, "just in time" doesn't have any effect.

Let's get to statistics.

Start with the initial 11GB and take out that 10GB file that is an anomaly and I'm left with 390MB.  The missing 610 MB is round off error.

Administrators usually redirect "My Documents".  Take out Joe's "My Documents" = 208,055,865 bytes and I'm left with 182,450,081 bytes.

Okay, I wonder what I have inside my USERPROFILE that could possibly constitute 182MB?   Dig deeper.  I have 24 MB of pictures!  While I am sure that they are lovely - I am also sure that I haven't looked at them in months.  If I were "server side" my admin would probably redirect "My Pictures" too.  Now I'm down to 158MB.

Keep looking....  BING BING BING BING BING!!  We have a winner.  I have 149MB of "Downloads".

First - before anyone starts, "Downloads" have ZERO relation to the 24 MB of pictures!

Something is wrong here because after you subtract all this out and I'm down to 9MB of stuff that wouldn't normally be "redirected" and I KNOW that NTUSER.DAT on my machine is 8.9 MB.  This leaves me with 100KB of stuff that is candidate for JIT value.  There's a number breakdown here someplace, but let's keep it going.

Pretty soon it's obvious that I don't have ANYTHING in the user profile that matters.  I store it all in that huge container file and in "other places" on the hard disk.  In a hosted case, these "other places" would find their way into the user profile, so all my utilities would be a plus for the profile.  Go looking...

What are "other places"?

Utilities.  I have lots of them and store them off the root.  In a hosted desktop model, they will be in the user profile.  Add in 137 MB.  I have 77 MB of sound .wav files left over from my days of writing audio device drivers.  These would almost never be accessed, but they would live in my user profile.  Batch files.  They are kept separate from executable utilities, so add in another 9 MB, plus 33 MB of Windows SYMBOL files for debugging stuff.  137 + 9 + 77 + 33 = 256 MB of additional stuff for the user profile.

I love it when numbers come out to a power of 2!

One number:  "Average" user profile size is 256MB!

Yes, I left the 10GB file out of this mix.  That quantity of storage just has to kind of go away from the calculation.   I hear numbers of 20-30 seconds of XenApp logon time being required for copying down user profile content?  If we can make this number be "zero", then there can be real value in just in time profile solutions.

Add in some stuff that would be moved from my container file onto the user profile and I propose that the real size could easily double. 

Joe's proposal: The Average size of user profile is 512MB!

If any of this math makes sense, then I have an example number set that can be used to construct a measurement.  Is 256MB the right number?  Is 512MB the right number?  How about 1GB?

Real world statistics are the elusive number.  If you happen to have a couple hundred profiles representing a year's worth of regular hosted desktop usage and wouldn't mind sharing, please send me an email or comment below.  

THANKS.

Joe Nord
Product Architect of Application Streaming, Profile Manager and a few side projects
Citrix Systems - Fort Lauderdale, FL
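The post above works through TimeSaved and PercentFaster by hand and ends with a profile breakdown. As an added example, not Citrix code or a Profile Manager measurement, the Python below turns that reasoning into a model: a list of profile files, the redirected folders that neither scheme copies, and the assumption that a just-in-time scheme transfers only files something actually touches during the session. The profile contents are constructed from the rough figures in the post (8.9 MB NTUSER.DAT, 137 MB of utilities, 77 MB of .wav files and so on); treating Downloads as redirected, the 100 Mbps link and the 20 second "everything else" logon are assumptions, and transfer time is modelled as bytes over link speed with no other overhead.

```python
"""Added example (not Citrix code): a model of hosted-session logon time with a
full profile copy versus just-in-time (JIT) population.

Assumptions: redirected top-level folders are never copied by either scheme;
a JIT scheme copies only files that something touches during the session;
transfer time is bytes over link speed with no protocol overhead.
Profile contents and sizes below are constructed from the post's figures.
"""
from dataclasses import dataclass
from typing import List

MB = 1_000_000
# Folders an admin typically redirects (assumed list; the post names My Documents
# and My Pictures and subtracts Downloads the same way).
REDIRECTED = {"documents", "my documents", "pictures", "my pictures", "downloads"}


@dataclass(frozen=True)
class ProfileFile:
    rel_path: str            # relative to %USERPROFILE%, backslash separated
    size: int                # bytes
    referenced: bool = False  # touched during a typical session?


def roaming_candidates(files: List[ProfileFile]) -> List[ProfileFile]:
    """Everything a copy-based roaming solution must move at logon:
    all files not under a redirected top-level folder."""
    return [f for f in files
            if f.rel_path.split("\\", 1)[0].lower() not in REDIRECTED]


def bytes_copied(files: List[ProfileFile], jit: bool) -> int:
    copied = roaming_candidates(files)
    if jit:
        copied = [f for f in copied if f.referenced]   # fetched on first use only
    return sum(f.size for f in copied)


def logon_seconds(files, base_logon_s: float, link_mbps: float, jit: bool) -> float:
    """base_logon_s is everything else in the logon (authentication, policy,
    shell start); the profile transfer is added on top of it."""
    return base_logon_s + bytes_copied(files, jit) * 8 / (link_mbps * 1_000_000)


def percent_faster(files, base_logon_s: float, link_mbps: float) -> float:
    """PercentFaster = (TotalTimeWithoutJIT - TotalTimeWithJIT) / TotalTimeWithoutJIT."""
    without = logon_seconds(files, base_logon_s, link_mbps, jit=False)
    with_jit = logon_seconds(files, base_logon_s, link_mbps, jit=True)
    return (without - with_jit) / without * 100


# Constructed profile using the post's rough numbers (sizes in bytes).
JOE_PROFILE = [
    ProfileFile("NTUSER.DAT", 8_900_000, referenced=True),
    ProfileFile("AppData\\Roaming\\App\\settings.xml", 100_000, referenced=True),
    ProfileFile("Documents\\report.docx", 208 * MB),
    ProfileFile("Pictures\\holiday.jpg", 24 * MB),
    ProfileFile("Downloads\\installer.msi", 149 * MB),
    ProfileFile("Utilities\\tools.zip", 137 * MB),
    ProfileFile("Sounds\\test.wav", 77 * MB),
    ProfileFile("Batch\\build.cmd", 9 * MB),
    ProfileFile("Symbols\\ntdll.pdb", 33 * MB),
]

if __name__ == "__main__":
    for jit in (False, True):
        print(f"jit={jit}: {bytes_copied(JOE_PROFILE, jit) / MB:.1f} MB copied, "
              f"{logon_seconds(JOE_PROFILE, 20, 100, jit):.1f} s logon")
    print(f"{percent_faster(JOE_PROFILE, 20, 100):.1f}% faster with JIT")
    big = JOE_PROFILE + [ProfileFile("container.tc", 10_000 * MB)]
    print(f"with a 10 GB unreferenced container: "
          f"{percent_faster(big, 20, 100):.1f}% faster")
```

With these inputs the non-redirected profile is 265 MB and only 9 MB of it is referenced, so JIT takes the modelled logon from about 41 s to about 21 s, roughly 50% faster; add the 10 GB container the post mentions and the figure climbs past 95%. Swap in a real file list (a directory walk of a profile share) and the same functions give the measurement the post is asking for.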


posted by Juan Rivera

PCoIP is VMware's latest attempt at delivering a decent user experience for a virtual desktop. After failed attempts with RDP, Sun Ray, RGS and TCX, VMware View 4 is betting that a software version of the PCoIP protocol will deliver the great user experience customers demand from a VDI solution.

I've been in the virtualization business for many years. Currently I lead the HDX technology for XenDesktop. In the past I've worked on tons of projects for the ICA protocol including CGP, Secure Gateway, and Thinwire. In recent years I've led the Apollo project which has created technologies now in XenDesktop 4 like HDX MediaStream for Flash, HDX 3D Pro Graphics, HDX RealTime and HDX Broadcast. So I've watched with amusement as VMware attempts to position PCoIP as the next great remoting protocol. The three most amusing 'marketing' tactics about PCoIP are:

PCoIP bets on UDP as the foundational transport for graphics
One of the major design flaws in PCoIP is that it relies exclusively on UDP to deliver bitmaps. UDP is valid for some narrow use cases but PCoIP relies on it entirely. When you need a reliable transport, TCP is a much better option. The fact that PCoIP has application-layer packet reliability shows you need reliable delivery for desktop graphics. If all you are doing is playing a video, fine... but that's not what a virtual desktop is all about. You may not know this but many years ago, ICA supported a datagram-based protocol with application-layer reliability just like PCoIP. Since then, we have learned that TCP is the ideal transport for delivering desktop graphics over the network. It is also friendlier to firewall and network infrastructure. And it is cheaper to deploy as customers can leverage their existing network infrastructure.

PCoIP claims bitmap remoting is the best way to deliver graphics
Another interesting aspect of PCoIP is that the protocol is based on the idea of sending bitmaps. No wonder, since their hardware solution used as input the DVI port of the graphics card. It is interesting that VMware claims that sending bitmaps is better than sending graphic primitives. This is a half truth. While sending bitmaps makes sense in some scenarios, sending graphic primitives is much more efficient in other scenarios. Think of this, what is more efficient when sending a 400x300 rectangle with black borders and white background? As a bitmap or sending a RECT command with both upper left and lower right coordinates? The key is to be smart about it and know when one scenario makes more sense than the other. That's what we call SmartRendering. Getting this right is very hard and it has taken us years of fine tuning. But a half truth is convenient because sending bitmaps is the easiest thing to do, after all, that's all most graphic remoting protocols can do.

PCoIP relies primarily on the server to do all the heavy lifting
PCoIP also focuses on the use of server resources to deliver the graphics. But you soon realize that does not get you far enough. I have spoken with countless customers asking us to solve their scalability issues with playing Flash multimedia. I'm sure VMware has shown some YouTube videos to get people excited but you have to look at the CPU and bandwidth consumption. The Flash player uses up lots of CPU, so if your only available solution is server-side rendering then you are going to need a lot of servers. Customers need solutions that scale, are cost effective and leverage their computing resources in the data center and also on the user device. PCoIP fails to do this because it is an incomplete protocol.

Delivering a complete solution takes time and it's hard, very hard. I see PCoIP making some of the same mistakes we made 15 years ago. I congratulate them for trying, but they have a long way to go.

To deliver a great user experience you not only need a robust protocol, you need all the components in the delivery infrastructure working together to optimize the delivery of virtual desktops and applications. This is what we are doing with HDX at Citrix.

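The post above poses the 400x300 rectangle question without putting numbers on it. As an added example, not VMware, PCoIP, Citrix or HDX code, the Python below renders that rectangle, encodes it three ways (raw bitmap, run-length-encoded bitmap, and a RECT primitive) and measures each, then does the same for photo-like noise where no primitive exists. The wire formats are made up for the demo; the point is that the right choice comes from measuring the candidates, not from picking one encoding up front.

```python
"""Added example (not VMware or Citrix code): what the same screen update costs
on the wire as a raw bitmap, an RLE bitmap, or a drawing primitive, plus a
chooser that sends the smallest. Wire formats are invented for the demo."""
import struct

BLACK = (0, 0, 0)
WHITE = (255, 255, 255)


def render_rect(width, height, border, fill):
    """Rasterise a filled rectangle with a one-pixel border into rows of RGB tuples."""
    rows = []
    for y in range(height):
        edge_row = y in (0, height - 1)
        rows.append([border if edge_row or x in (0, width - 1) else fill
                     for x in range(width)])
    return rows


def noise_rows(width, height, seed=1):
    """Photo-like content: pseudo-random pixels from a small LCG (deterministic)."""
    x = seed
    rows = []
    for _ in range(height):
        row = []
        for _ in range(width):
            px = []
            for _ in range(3):
                x = (x * 1103515245 + 12345) & 0x7FFFFFFF
                px.append((x >> 16) & 0xFF)
            row.append(tuple(px))
        rows.append(row)
    return rows


def encode_raw_bitmap(rows):
    """Header (width, height) followed by 3 bytes per pixel."""
    w, h = len(rows[0]), len(rows)
    return struct.pack("<HH", w, h) + bytes(c for row in rows for px in row for c in px)


def encode_rle_bitmap(rows):
    """Per row: (run length, r, g, b) quads, runs capped at 255 pixels."""
    w, h = len(rows[0]), len(rows)
    out = bytearray(struct.pack("<HH", w, h))
    for row in rows:
        run_px, run_len = row[0], 0
        for px in row:
            if px == run_px and run_len < 255:
                run_len += 1
            else:
                out += bytes((run_len, *run_px))
                run_px, run_len = px, 1
        out += bytes((run_len, *run_px))
    return bytes(out)


def encode_rect_primitive(x0, y0, x1, y1, border, fill):
    """The 'RECT command' from the post: opcode, two corners, two colours."""
    return struct.pack("<BHHHH3B3B", 0x01, x0, y0, x1, y1, *border, *fill)


def choose_encoding(rows, primitive=None):
    """Measure every candidate that can represent this update and return
    (name, size in bytes) of the smallest."""
    candidates = {"raw": encode_raw_bitmap(rows), "rle": encode_rle_bitmap(rows)}
    if primitive is not None:   # only available when the drawing call was captured
        candidates["primitive"] = primitive
    name = min(candidates, key=lambda k: len(candidates[k]))
    return name, len(candidates[name])


if __name__ == "__main__":
    rect = render_rect(400, 300, BLACK, WHITE)
    prim = encode_rect_primitive(0, 0, 399, 299, BLACK, WHITE)
    print("rect as raw/rle/primitive:", len(encode_raw_bitmap(rect)),
          len(encode_rle_bitmap(rect)), len(prim))
    print("chosen for rect:", choose_encoding(rect, prim))
    print("chosen for noise:", choose_encoding(noise_rows(64, 64)))
```

For the rectangle the three encodings come out at 360,004, 4,788 and 15 bytes, so the primitive wins by a large margin, but the RLE bitmap is already small enough that a protocol without primitives is not hopeless on this input. For noise the RLE encoding is larger than the raw one, which is the other half of the argument: whichever side a protocol favours, it has to measure rather than assume.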


posted by Gareth Kitson

Do we really want to allow our users to have the ability to self provision / install applications? Won't this just cause mayhem and anarchy? How will we ensure that we are licensed to install the applications that the users choose to install?

Simon Rust, VP of Technology at AppSense, answers these questions in an article he posted over on the AppSense Community Blog - Please find the post below:

These are a small sample of some of the obvious and key issues that the IT administrator needs to seriously consider when thinking about allowing the user to install applications of their own choice.

Just this week, @HarryLabana asked the following question via Twitter - "Are user installed apps a compliance nightmare waiting to happen?". A very sensible question that effectively is asking, "WHY should we even consider allowing the user to install their own stuff?"

To labor on the need briefly, it is relatively simple as to why we need to cater for it (we don't need to agree with it, but we do have to accept it to a certain degree).  Bottom line is that for years, there has been a challenge with packaging all the applications required by a user to conduct their daily duties. This is a challenge that traditional desktop managers have had for years, and now with desktop virtualization it is perhaps getting more noise. Unfortunately it is not going away any time soon, in fact it may be getting worse as time progresses and the number of applications increases. If we choose to not allow users to install their own stuff, then how do we ensure that the user does not fall foul downstream of an application not being available and hence their inability to conduct their work? An obvious example would be the corporate user who uses Microsoft Live Meeting to conduct online meetings, who has a meeting booked with an organization that uses Citrix GoToMeeting. The GoToMeeting client would not be installed, and hence the user would only find this out 5 to 10 minutes before the session, and hence would be unable to join.

AppSense Product Manager Chris Oldroyd (Twitter - @coldroyd) wrote about the various user installed applications a month or so ago and is well worth a read - What is a User Installed Application? And why should we care?

So, now that we have accepted that we need to cater for it in some form or another, we can move on to consider HOW. The key aspect of delivering users the ability to install their own apps is CONTROL - it would be insane (most would argue) to allow ALL users the ability to install their own stuff. Very quickly the enterprise would find themselves in a situation where literally 1000's of applications have found their way in, and are posing a serious legal issue. It is (mostly) true that a typical enterprise using laptop devices has this very issue today, since the majority of users of laptop devices are administrators of them. There is usually a solid business reason (from years gone by) as to why the user is an administrator, whether that reason be a requirement to install printer drivers (pre Vista) or something like that. Typically, once a user has admin rights, it is nigh impossible to get them back again.

Arguably this is all part of something called "User Rights Management" as well as "Personalization". Both of these are clearly becoming markets in their own right, with vendors appearing in them regularly and many other vendors morphing their solutions to fit the model(s) also.

In order to deliver against the need, but to do so in that all-important controlled manner, we need to enable / allow for the following (there will be more; these are just the key areas):

  • Only allow certain users to install apps (AD group based / end point device based)
  • Only allow those users to install from certain (internal) network location(s) - that way the enterprise can control exactly WHAT a user who is authorized to install can install
  • Only allow those users to install applications from certain vendors
  • Full reporting is required to enable the administration team to be able to see what is out there in a quick snapshot
  • Full administrative override to enable rapid removal of any applications as necessary

The overriding point here is simple: user installed applications are NOT for everyone, but they will be for a significant portion of the user population, so we need to provision for them in some way. Simply saying no will not cut it.

Thanks
Gareth Kitson
AppSense

Twitter - @garethkitson


posted by John Fanelli

Yesterday, Citrix announced the new Citrix Ready Open Desktop Virtualization program. Today, I would like to provide you with more details. The program is designed to ensure that organizations deploying virtual desktops have confidence that their deployments will deliver a true, high definition (HDX), multi-device experience for the end users as well as satisfy the security and management requirements of the IT organization.

As you probably saw from our XenDesktop 4 announcement, Citrix's view of desktop virtualization is much broader than running a user's desktop in a hosted virtual machine (VDI) and is emerging in mainstream deployment with customers such as Emory Healthcare and Collier County Schools. Citrix's FlexCast delivery technology enables the delivery of every major desktop virtualization model via XenDesktop. As IT organizations pilot and architect their desktop virtualization solutions it quickly becomes evident that desktop virtualization requires a robust ecosystem of partners to ensure, amongst other things, that the deployment is fully supported in the desktop value chain, that end users' USB devices attached to their desktops continue to work, that user personalization of their desktops remains persistent, and that their desktops are available via multiple modes of access.

At the center of the program is the open architecture of XenDesktop 4. XenDesktop 4 is the only desktop virtualization solution on the market with an open architecture that is designed, certified and tested to work with the wide variety of products customers already have in production, including all popular applications, servers, storage and backup systems, client devices (BTW, check out our new HDX Ready designation that ensures a truly awesome user experience), printers and desktop peripherals, security and desktop management software, and systems management products. The Citrix Ready Open Desktop Virtualization Program incorporates over 200 Citrix Ready partners and covers more than 10,000 devices. The products are verified using the full reach of the Citrix Ready program: Citrix product engineering organizations; Citrix Ready partner engineering organizations; our community of technology partners, customers and resellers; as well as some via third party vendors who verify a range of products (for example, USB devices).

The program covers product categories from the data center to the desktop; from choice of virtualization infrastructure to choice of end user device as shown below. For more detailed information check out the Citrix Ready Open Desktop Virtualization program at http://www.citrix.com/ODV.


posted by Joseph Nord

I have heard some rumors of the production-level App Streaming service (radesvc.exe) dying at runtime. In the reported failure, the administrator configured the service for automatic restart to work past the issue, and I have suggested that this only masks the problem: don't do that! The streaming service, like most NT services, should never die, and I'd much rather cure the root cause than work around the issue.

The realities of "real users" and "production use" sometimes necessitate doing things that aren't ideal in a theoretical sense, so this advice cannot always be followed, which brings us to this post, where I will lay out the perils and values of configuring the streaming service for automatic restart.

Put your FSFD programmer hat on

You wear this hat when you're writing kernel mode code. You write the file system filter driver code for the App Streaming isolation system, and this code has two primary purposes: file system filtering, and process monitoring for sandbox management.

As an FSFD writer, you are never allowed to die, or the entire machine will turn blue. Today's post is not about kernel mode things dying; it's about application level things dying.

Put your NT Service programmer hat on

Wearing this hat, you think you're powerful because you run with "higher privilege", higher than mere apps. You may even be considered part of the "system", but from the perspective of the kernel code you're a mere app too, and as a class, all of you are untrustworthy. When a service dies, the machine does not turn blue, but it is still bad!

What does the service do?
Among other things, it is responsible for launching all isolation sandboxes and placing applications into the sandbox for execution. Here's a chart that brings some color to this description. What isn't drawn below is that the service talks to the FSFD to define sandboxes and launch applications into sandboxes.


What does the File System Filter Driver do?

The FSFD hangs out and implements file system redirection: the layers of glass for the file system. It is also responsible for managing which applications are in the isolation spaces; yes, that's plural on purpose. On a given machine, especially on a XenApp server, the FSFD can easily be tracking 500 isolation spaces. Consider that there is state data for each of these. It isn't large, but it exists, and the code that keeps track of it actually uses a balanced binary tree, which seems like overkill until you get to a large number of isolation spaces.

In the service, you also have state data for each sandbox. Here, though, the state data is allocated per thread. Put differently, each sandbox gets a thread, and this thread and only this thread is used for communication with the kernel mode code. In this way, a few things are achieved.

  1. The streaming service doesn't have to have complicated logic to manage its sandbox state
  2. The kernel code can gate who it's willing to talk to based on the thread of the creator
  3. When the FSFD has work for the service to do, the service "always" wakes up in the right state.

For computer science stuff, these are all positive actions. 

The negative actions

The service isn't supposed to die without a graceful shutdown, and it should only close gracefully if it isn't managing any sandboxes. In practice, "non-scheduled" termination happens all the time during development and, as recent reports show, it can also happen in production.

The FSFD tolerates service death.  Why?  Primarily it does this because it doesn't have any other choice. 

If the service dies, the kernel code, being all powerful, isn't surprised by this: it "observes" that the service has died, but there isn't a whole bunch it can do about it.

Consider an example

You have isolated applications up.  Let's say you have 10 of them running, from 5 different profiles.  This means that you have 10 applications running in 5 different sandboxes.

The service dies...

The applications are still running, but they have lost their support network.

Let's say that the application now issues a DIRECTORY ENUMERATION on stuff in the isolated space. Normally, the FSFD gathers information from the service to satisfy this request. This is how the FSFD "LIES" to the application, telling it that things are present that aren't really present. In this case, though, the service is "gone", so what does the FSFD do? Answer: it does the best it can and "falls back" to an AIE-style N-layer directory merge. The directory enumeration is satisfied, but the files that are there only via the lie will not be included in the enumeration results. What effect does this have on the application? Don't know; it depends on the app, but in general the results are bad.

If the application issues a file open, the FSFD satisfies it based on the things it can answer without the help of the streaming service. This means that if the file is really present in the cache, the file open will succeed; if it isn't, it won't, or execution will drop down to a lower layer in the layers of glass to answer the file operation.

Will this work for the application?  Maybe.  Ideally, you'd like to terminate the applications, but terminating applications when users have stuff running and haven't saved their work is considered bad form.

New sandboxes are launched

Recall that new sandboxes cannot be created without the help of the streaming service, so here it is a given that the service has been restarted. When the service loads, it contacts the FSFD to register itself. The kernel code says "nice to have you back", but there isn't a dag gone thing it can do to help the orphaned sandboxes from the previous run of the service. All the "app level" state data is gone, and there's no way to put it back together again.

New launches, though, can be handled. When a new sandbox is created, the FSFD notes which service instance created it and will communicate with this "new" instance of the streaming service to manage the "new" sandboxes.

During development this is cool!

When developing the code, if you are the NT Service writer, this is really, really cool because you can write code, debug it, terminate the debugger (which unloads the service), change the code, compile it again, run it (which loads the service), and the FSFD will just plain deal with all of this. Very fast for development; no reboots needed, and you can even do all this from a visual development environment like MS Visual Studio.

During PRODUCTION this is not as cool!

Being willing to take on new sandboxes means that auto-restarting the service can seem like a good idea. What this overlooks is that the orphaned sandboxes no longer have their support network, and without the streaming service, directory enumeration and file opens are not going to occur correctly unless the streaming cache is completely full.

Put your ADMINISTRATOR hat on

What should you do? Answer: treat death of the streaming service with care. It should be investigated and fixed. The Citrix support team will love this: Joe said we should report service death rather than restarting the service. My response: the service should not DIE unless you kill it! I'm pretty sure the service team already has the report, so I'm really writing for the next person, and hopefully by the time you read this we'll already have it fixed.

How to work around

That said, if you get into this situation, run one app from each profile with "-e" in RadeRunSwitches. This will fully populate the streaming cache and will minimize the cases where the application fails a file open or directory enumeration. Next, turn "-e" off, as it commands a full extract on EVERY app launch and you don't want that. Next step: get the service fixed. In the meantime, you can auto-restart the service to get new sandboxes created, but be sure you aren't using the auto-restart to hide a problem that really needs to be investigated.
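To make the fallback behaviour described above concrete, here is an added model (not Citrix code) of how an orphaned sandbox's directory enumerations and file opens are answered with and without the streaming service, and why a one-off "-e" full extract makes the orphaned case survivable. The layer names, the dict-backed "profile store" and "cache", and the exact fallback rule are assumptions standing in for the real driver/service interface.

```python
"""Model of how the App Streaming FSFD answers an isolated application's
directory enumerations and file opens with and without the streaming service.

Added example, not Citrix code: the layer names, the dict-based "cache" and
"profile store", and the fallback rule are assumptions that stand in for the
real driver/service interface described in the post.
"""
from dataclasses import dataclass, field


@dataclass
class Sandbox:
    """Per-sandbox state. The profile store is what the server-side profile
    holds; the cache is what has actually been extracted onto this machine."""
    profile_store: dict[str, bytes]
    cache: dict[str, bytes] = field(default_factory=dict)
    user_layer: dict[str, bytes] = field(default_factory=dict)  # app's own writes
    service_alive: bool = True   # radesvc.exe up and registered with the FSFD

    def manifest(self) -> set[str]:
        """Names the service can vouch for, whether or not they are cached yet."""
        return set(self.profile_store)


def _names_in(paths, directory: str) -> set[str]:
    """First path component below `directory` for every path inside it."""
    prefix = directory.rstrip("\\") + "\\"
    return {p[len(prefix):].split("\\")[0] for p in paths if p.startswith(prefix)}


def enumerate_directory(sb: Sandbox, directory: str, system: dict) -> list[str]:
    """Directory enumeration as seen by the isolated application."""
    names = _names_in(sb.user_layer, directory) | _names_in(system, directory)
    if sb.service_alive:
        # Normal path: the service supplies the profile manifest, so files that
        # are "present" only by promise (not yet extracted) are reported too.
        names |= _names_in(sb.manifest(), directory)
    else:
        # Fallback: N-layer merge of what physically exists. Manifest-only
        # files silently vanish from the listing.
        names |= _names_in(sb.cache, directory)
    return sorted(names)


def open_file(sb: Sandbox, path: str, system: dict) -> bytes:
    """File open, walking the layers of glass from the top down."""
    if path in sb.user_layer:
        return sb.user_layer[path]
    if path in sb.cache:
        return sb.cache[path]
    if path in sb.profile_store and sb.service_alive:
        # On-demand extraction: the service fetches the file into the cache.
        sb.cache[path] = sb.profile_store[path]
        return sb.cache[path]
    # Service gone (or file not in the profile): drop to the lower layer.
    if path in system:
        return system[path]
    raise FileNotFoundError(path)


def extract_all(sb: Sandbox) -> None:
    """What one launch with "-e" in RadeRunSwitches achieves: a full
    extraction, after which the cache alone can satisfy every request."""
    sb.cache.update(sb.profile_store)


# Constructed sample data: a small profile and a few real files on the machine.
PROFILE = {
    r"C:\App\app.exe": b"MZ app",
    r"C:\App\lang.dll": b"MZ lang",
    r"C:\App\config\default.ini": b"[settings]",
}
SYSTEM = {
    r"C:\App\readme.txt": b"installed by the base image",
    r"C:\Windows\kernel32.dll": b"MZ kernel32",
}


def demo() -> dict:
    """Walk the scenario from the post and return each step's result."""
    sb = Sandbox(profile_store=dict(PROFILE))
    out = {"healthy": enumerate_directory(sb, r"C:\App", SYSTEM)}
    open_file(sb, r"C:\App\app.exe", SYSTEM)      # launching extracts app.exe

    sb.service_alive = False                       # radesvc.exe dies
    out["orphaned"] = enumerate_directory(sb, r"C:\App", SYSTEM)
    try:
        open_file(sb, r"C:\App\lang.dll", SYSTEM)  # never extracted, no service
        out["lang_dll_open"] = "ok"
    except FileNotFoundError:
        out["lang_dll_open"] = "not found"

    sb.service_alive = True
    extract_all(sb)                                # the "-e" workaround
    sb.service_alive = False                       # ...and the next death
    out["after_full_extract"] = enumerate_directory(sb, r"C:\App", SYSTEM)
    out["lang_dll_after"] = open_file(sb, r"C:\App\lang.dll", SYSTEM)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:>20}: {result}")
```

The "orphaned" listing drops lang.dll and the config subdirectory, and opening lang.dll fails; after the full extract the same dead-service path returns the complete listing.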

Before people ask, I already have feelers out to the people who have seen the service die. I hate to have this happen with production code, but the correct answer is to research the problem and make the fix. Hopefully readers of this post will appreciate the openness in acknowledging a bug that isn't widely seen.

Joe Nord
Citrix Systems Product Architect - Application Streaming.


posted by David McGeough

Citrix Support is focused on ensuring Customer and Partner satisfaction with the support of our products. One of our initiatives is to increase the ability of our Partners and Customers to leverage self-service avenues for finding answers and resolving problems. A key area that the Support teams focus on is developing a series of How To videos covering the most common questions asked in support.

To date there are over 40 How To videos covering 11 products available from Citrix TV. Over the coming weeks and months lots more will be added.

If you have a How To video suggestion or feedback on the current videos, contact us via one of the following channels:

Current video series available on Citrix TV are:

David
Twitter - http://twitter.com/citrixreadiness
Citrix Support on Facebook - http://www.facebook.com/citrixsupport


posted by Masao Ohkushi

These are my notes on installing the Citrix Linux Client on Ubuntu 9.10.

  1. First, download the client.
  2. Create a directory as follows.
    • mkdir /tmp/citrix/
  3. Copy the downloaded file to the directory above.
  4. Extract the file.
    • gzip -d linuxx86-11.0.140395.tar.gz 
    • tar xvf linuxx86-11.0.140395.tar 
  5. Launch the setup command as follows.
    • sudo ./setupwfc
  6. Follow the installer's prompts, as shown below.
Citrix Receiver for Linux 11.0 セットアップを行います。

Copyright 1996-2009 Citrix Systems, Inc. All rights reserved.

Citrix、Independent Computing Architecture (ICA)、Program
Neighborhood、MetaFrame、および MetaFrame XP は米国およびその他の国
における Citrix Systems, Inc. の登録商標です。Citrix Receiver、
Citrix XenApp、XenDesktop、Presentation Server、Citrix Access Suite、
および SpeedScreen は、米国およびその他の国における Citrix Systems,
Inc. の商標です。
Microsoft、MS、MS-DOS、Outlook、Windows、Windows NT および BackOffice
は、米国およびその他の国における Microsoft Corporation の登録商標または
商標です。

その他のすべての商標および登録商標は、該当する各社の財産です。


セットアップ オプションを選択してください。:

 1. Citrix Receiver for Linux 11.0 のインストール
 2. Citrix Receiver for Linux 11.0 の削除
 3. Citrix Receiver for Linux 11.0 セットアップの終了

オプション番号を入力してください。 1-3 [1]: 1

Citrix Receiver for Linux をインストールするディレクトリを入力してください。
[デフォルト /usr/lib/ICAClient]
インストールを中止する場合は "quit" を入力してください。:

Citrix Receiver for Linux 11.0 のインストールを選択しました。 /usr/lib/ICAClient.

インストールを続行しますか? [デフォルト n]: y

CITRIX(R) ライセンス契約書

本コンポーネントの使用については、本コンポーネントと共に使用いただく
Citrix 製品に適用される Citrix ライセンス契約の条件に従います。本コン
ポーネントは、当該使用製品と共に使用いただくためにのみライセンスを許
諾されるものです。

CTX_code EPEUC_T_A42236

オプション番号を選択してください。:

 1. 同意する
 2. 同意しない

オプション番号を入力してください。 1-2 [2]: 1
インストール中 ...

使用可能なディスク容量をチェックしています ...

    使用可能なディスク容量 4898092 K
    必要なディスク容量 6267 K


続行中 ...
ディレクトリの作成 /usr/lib/ICAClient
コア パッケージ ...
ファイル許可を設定中 ...

Web ブラウザと統合中...
Web ブラウザが見つかりました。

統合が完了しました。
Citrix Receiver を KDE および GNOME に統合しますか? [デフォルト y]: y
GStreamer でこのクライアントからのプラグインを使用しますか? [デフォルト y]: y

セットアップ オプションを選択してください。:

 1. Citrix Receiver for Linux 11.0 のインストール
 2. Citrix Receiver for Linux 11.0 の削除
 3. Citrix Receiver for Linux 11.0 セットアップの終了

オプション番号を入力してください。 1-3 [2]: 3
Citrix Receiver for Linux 11.0 のセットアップを終了します。
 

Note that if you try to run the installation file from your own home directory, an error like the following is output.

No target hinst.msg found under /home/masao/ダウンロード for ja_JP.UTF-8
Trying English...
Could not find hinst.msg under /home/masao/ダウンロード for en



posted by Atsushi Hirata

This time I'd like to introduce Citrix Receiver for iPhone, the client software for iPhone and iPod Touch, and Citrix Demos In the Cloud, where you can try connecting to applications hosted on a Citrix XenApp server. Please try connecting from your own iPhone or iPod Touch and experience the usability and connectivity for yourself.

What is Citrix Receiver for iPhone?

Citrix Receiver for iPhone is the Citrix client component for iPhone and iPod Touch. The current latest version is Citrix Receiver for iPhone 1.0.3, and through Citrix Receiver for iPhone you can use Windows applications published in a Citrix XenApp server farm from your iPhone or iPod Touch. It also supports multi-touch and the accelerometer, two of the distinctive features of the iPhone and iPod Touch.



Installing Citrix Receiver for iPhone and connecting to the Citrix Demos In The Cloud environment

1. Installing Citrix Receiver for iPhone

Citrix Receiver for iPhone can be obtained and installed by downloading it from the App Store (via iTunes, or directly from the iPhone).


2. Registering a Citrix Demos In The Cloud account

Citrix provides the Citrix Demos In The Cloud environment so that you can try connecting from Citrix Receiver for iPhone to a Citrix XenApp server farm. Register a Citrix Demos In The Cloud account and try connecting from your iPhone or iPod Touch to the Windows applications published in the Citrix XenApp server farm (3D CAD applications, MS Office applications, Flash applications and so on).

Citrix Demos In The Cloud account registration site
http://citrixcloud.net/



3. Connecting to the Citrix Demos In The Cloud environment

Tap the Citrix Receiver icon and enter the credentials for the Citrix Demos In The Cloud environment (address, user name, password, domain name) that were sent to your e-mail address when you registered the Citrix Demos In The Cloud account; the Windows applications then become available.


posted by David McGeough

Citrix Support is focused on ensuring Customer and Partner satisfaction with the support of our products. One of our initiatives is to increase the ability of our Partners and Customers to leverage self-service avenues for finding answers and resolving problems. A key area that the Support teams focus on is development of troubleshooting and health checking tools.

Following on from my last post about the Citrix Printing Tool another recently released tool from Citrix Support is the Citrix Quick Launch Tool.

This tool offers a simplified and easy-to-use interface to connect to any XenApp server or its published applications over the ICA protocol.

You can download the Citrix Printing Tool here.

Also find below a video by the tool's developer, Frederic Serriere, providing an overview and demo of the Citrix Quick Launch Tool.

David
Twitter - http://twitter.com/citrixreadiness
Citrix Support on Facebook - http://www.facebook.com/citrixsupport


posted by David McGeough

Citrix Support is focused on ensuring Customer and Partner satisfaction with the support of our products. One of our initiatives is to increase the ability of our Partners and Customers to leverage self-service avenues for finding answers and resolving problems. A key area that the Support teams focus on is development of troubleshooting and health checking tools.

One of the most recent tools to come out of Citrix Support is the Citrix Printing Tool.

The Citrix Printing Tool helps configuring and troubleshooting the Citrix Printing subsystem on XenApp, XenApp Online Plugin, and XenDesktop products.

You can download the Citrix Printing Tool here.

Also find below a video by the tool's developer, Frederic Serriere, providing an overview and demo of the Citrix Printing Tool.

David
Twitter - http://twitter.com/citrixreadiness
Citrix Support on Facebook - http://www.facebook.com/citrixsupport


posted by Joseph Nord

Administrators are used to the idea that running applications under Application Streaming will permit poorly written applications to run in a multi-user terminal services environment. For example, if the application wants to write to the \Windows directory, no problem; the application will believe that it wrote there, and later if it reads the same stuff it will see what it put there, and generally the application will work. What is less known is that Application Streaming and XenApp publishing can be used to reduce the rights of the application at execution so that it has a reduced chance of hurting the machine.

Privilege vs. Isolation

Isolation and "privilege" are different things. Running the application "isolated" does not mean that the application can't do powerful things. An administrator-privileged ISOLATED application CAN still perform privileged operations such as adding new users to the machine, marking them as administrators and adding them to the remote desktop group, where the evil doer can then remotely log in as a non-isolated administrator and easily do evil things.

Not a problem for XenApp hosted execution

To be clear, none of this is important for XenApp hosted execution. Here, the user is already a user, and stripping power from the user to get them down to user power is a "nop" because they were a "user" to start with. This discussion of "privilege" reduction is more of a Windows XP client side, or hosted desktop, statement where "admin" power users are the norm. On Windows XP, unless you're very good at locking down the machine, the end user will be running as an "Administrator", and this is not desired. How can you make this happen as little as possible? How can you get MOST of the applications to run with the least privilege possible?

Brain damaged applications

Some applications even CHECK to see if they are admins and refuse to run if they are not. Awesome! If you can't figure out how to code it, demand admin rights machine wide! You can easily hit a situation where 90% of your desktop applications will run fine without admin rights, yet you have no choice but to make the user a full-blown administrator because some small subset of the applications demand admin rights; or perhaps even really need them.

What about the "normal" applications that don't need admin rights, or at least don't need admin rights when run under isolation? It would sure help if we could at least make the "all powerful" user be a "lowly user" for the purposes of the majority of application execution, even if the user is really an administrator. You can, and XenApp makes this easy. First, some history.

DropMyRights

Go back in time and take a look at this 2006 TechNet article from Microsoft on Least User Access and a description of the DropMyRights utility by Michael Howard. Excellent stuff, and here is a related set of blogs from Aaron Margosis of Microsoft, who seems to have a passion for running apps as a user! The output of this early work was a command line utility called DropMyRights, which would duplicate the user's logon token, strip the powerful rights, and then use the modified token to launch the application. Good stuff. As an example, here is the .BAT file I used to use to launch MS Outlook.

  • dropmyrights "%PROGFILES%\Microsoft Office\OFFICE11\OUTLOOK.EXE"

The idea of running apps with forced user privilege on Windows XP was not unique to App Streaming, but we did wrap a pretty GUI around it and wrapped application publishing around it to make it easy to use; and then we didn't tell anyone it was there. To be fair, most of the usage was server side, so it wasn't as important, but hosted desktops are changing this.

The XenApp publishing system makes this dropping of user rights accessible via an easy-to-use GUI.

Access Management Console

Here's the AMC screen that controls this setting. Notice that this "stripping of rights" is controlled in the AMC, not in the streaming profiler. Could it be controlled in the profiler? Sure. Both of these tools are nice GUIs which could accomplish the same goal, so yes, it could be controlled in the profiler, but it isn't. One could even make a really good argument that it is in the wrong place and SHOULD be in the profiler, because that is where the admin who knows more about the application is. I would agree, but it wouldn't matter; it's still in the publishing console whether or not this seems like the right place.


 
When I wrote the draft for this post, I did it in a place without internet access, so I couldn't easily check the default. I wrote that SURELY! the default is that we strip the rights before launching the app. Surely, Shirley, whatever you call it, the default is the other way: by default, the launch leaves the user's token alone and launches the app using whatever power the user has according to logon. If you CHECK the box, then the Access Management Console tells Citrix IMA to tell the Citrix Web Interface to tell PNAgent to tell the Streaming Client that it should strip power from the user for the purposes of running this stream-to-client application. Where the application will permit it, you should set the checkbox.

XenApp server side, it won't change anything; XenApp client side, it will ensure that the application is launched using a user token that has "lower power". Lower power is better...

Here are some other writings on Application Streaming related to this:

  •  Enhancing the Security of Application Streaming for Desktops

Enjoy!

Joe Nord

Citrix Systems Product Architect - Application Streaming


posted by Peter Schulz

The Citrix Workflow Studio Evaluation Virtual Appliance (EVA) is now available. This EVA provides you with 30 days to evaluate a pre-configured virtual machine running Windows Server 2008 that has Workflow Studio 2.0 already installed and configured with all activity libraries and the sample workflows from CDN. Download the EVA and review the Getting Started guide.

If you have any questions, leave a comment or contact me directly.


posted by David Wagner

While a mandatory based profile solution was the original approach (something we leveraged in the earliest releases), we are not going to return to that method. Let me explain why and get your thoughts and opinions on this.

One request that has been commonly voiced has been for a mandatory-style implementation. While previously we had leveraged a mandatory profile as the base, for many reasons we moved away from that approach. One key reason was to save the time that the merging process required (copying the mandatory profile down first and then copying all the net changes), all in the spirit of logon speed. Another key reason is that it really was not a mandatory profile anymore. Profile management captured all the net changes from that base mandatory profile, so no settings were enforced or re-written at next logon. Basically it was a holder of starting settings when a profile was loaded, but the net changes were always re-applied over the base, so nothing was ever enforced. So in the end, you needed to leverage Group Policy to enforce any permanent settings anyway.

It's also been explained that having a mandatory approach enables customers without Group Policy delegation to have a means to control profile settings. And mandatory by itself is a great solution, albeit with limitations on the breadth of personalization; the amount of personalization afforded by a mandatory solution is probably adequate for many scenarios. While you can redirect folders like My Documents, Favorites, Cookies and others, the ability to change anything registry related is prevented, e.g. wallpapers, application configurations and such. But if you try to combine this with something like Profile management to enable those changes, how are you going to restrict what does not get saved? You would need to create an exclusion list of all the settings you want enforced (and thus excluded from being saved). Doable for a few settings, but it will get unwieldy really fast. And I am willing to bet it's going to be harder than Group Policy to manage before long. In the end, it seems capturing all the settings and using Group Policy to enforce settings as required is the way to go, and thus the direction for our profile management solution.

Finally, let's address the capability of having a base profile to start with. We do offer a template profile capability, which you could think of as a Global Default User profile. When a user logs onto Windows and does not have an existing profile (be it local, mandatory, roaming or TS), Windows creates a new profile for that user based on the Default User profile located on that machine. The fun of this is that unless you want to sync all the Default User profiles across all the machines a user might log onto for the first time, the starting profile will differ (although often only slightly) from user to user. This might not be a big deal initially or at smaller scales, but it will be more problematic as your environment expands and grows.

The purpose of the template profile is to provide a consistent starting point for a new profile being created, no matter the machine. The template profile can be a copy of the mandatory profile you use today, but you need to rename the NTUSER.MAN back to NTUSER.DAT (so no, you can't use the same one as both the template and a mandatory profile). And the template profile has to be complete (i.e. the entire directory structure and NTUSER.DAT). Also keep in mind that this is used for profile creation, so changing the template is fine, but it only affects new profiles being created and not existing ones. Need to change or enforce a setting for all users? Then we are back to using Group Policy for those situations.

So that is where we stand today with our Profile management feature (a feature of both XenApp (Enterprise and Platinum) and XenDesktop (Advanced, Enterprise and Platinum)). Of course this is always open to debate and discussion if you have scenarios that illustrate weaknesses in this approach that Citrix should pay more attention to addressing.


posted by David Wagner

DABCC will be hosting a webinar Nov 4, 2009 on Web Interface customization leveraging Extentrix Web Optimizer ... details here: http://www.dabcc.com/media.aspx?id=647

You can register through the above link. Key topics covered:

– Make your Web Interface "look and feel" consistent with your corporate and intranet web sites
– Quickly add custom graphics and themes
– Simple and easy to use interface and available quick start templates get you up and running quickly
– Unrivaled support for mobile devices


posted by Daniel Feller

We have had a great discussion going about user-installed applications and the need/risks associated with this type of solution. One of the comments I received in favor of allowing users to install applications was around Firefox. For those of you who don't use Firefox, there are thousands of add-ons a user can install to customize their browser experience. I personally have about five different add-ons configured with my Firefox implementation.

Now I've been advocating the need for IT to have a process in place that can handle the expansion of the application pool for the users as needed by:

  1. Taking user requests for new applications/tools
  2. Validating the need
  3. Delivering in a timely manner

This is all well and good until we get to the topic of these add-ons. I don't expect any IT organization to have a requirement to support the add-ons. There are thousands of them. Think about it: do you really expect your IT to be spending time messing with these add-ons? And what would it look like for the user? A Firefox application with thousands of add-ons? CRAZY (I do wonder at what point that app would crash. Maybe we need a MythBusters episode on it).

All of a sudden, I had a very enlightening experience. I just got my new XenDesktop 4 environment built. I went in and started to personalize my environment, including my 5 Firefox add-ons (remember, I'm using pooled desktops from a single base image with roaming profiles). The next day, when I logged onto my virtual desktop, my Firefox started up and BAM, all of my add-ons were still there?!?!

I did some investigation into this. Well, this is an example of an intelligent application design. The add-ons are located within the user's profile (the roaming portion). User's are able to customize the Firefox application without any special tools/utilities. The discussion about Firefox and the add-ons is now a non-issue as the application manages this for us.

So, 1 application down, only 999,999 to go   The point is you need to test before deciding if something will or will not work.

Daniel - Lead Architect - Worldwide Consulting Solutions
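The check behind the point above, as an added example that is not from the original post: before deciding whether a customization will survive a pooled desktop with roaming profiles, confirm which of its files sit under the roaming hive (%APPDATA%) and which sit under the local one (%LOCALAPPDATA%). Firefox keeps profiles.ini and the profile folder, including its extensions directory, under %APPDATA%\Mozilla\Firefox, and its disk cache under %LOCALAPPDATA%\Mozilla\Firefox; the script assumes that layout and that it is run in the user's own session on the virtual desktop.

```powershell
# Added example (not from the original post): report which Firefox profile
# pieces roam with the user and which stay on the pooled desktop.
$roaming = Join-Path $env:APPDATA      'Mozilla\Firefox'
$local   = Join-Path $env:LOCALAPPDATA 'Mozilla\Firefox'

$ini = Join-Path $roaming 'profiles.ini'
if (-not (Test-Path $ini)) {
    Write-Warning "No Firefox profile found at $ini"
    return
}

# profiles.ini has one [ProfileN] section per profile; Path= is relative to
# the roaming folder unless IsRelative=0, in which case it is absolute.
$profilePaths = Get-Content $ini | ForEach-Object {
    if ($_ -match '^Path=(.+)$') {
        $p = $Matches[1]
        if ([IO.Path]::IsPathRooted($p)) { $p } else { Join-Path $roaming $p }
    }
}

foreach ($profile in $profilePaths) {
    $ext    = Join-Path $profile 'extensions'
    $addons = if (Test-Path $ext) { (Get-ChildItem $ext).Name } else { @() }

    [pscustomobject]@{
        Profile       = $profile
        # True when the profile (and so the add-ons) lives under the roaming hive.
        Roams         = $profile.StartsWith($env:APPDATA, 'OrdinalIgnoreCase')
        AddOns        = ($addons -join ', ')
        # Assumed per Firefox's layout: the cache for this profile is local-only
        # and therefore does not follow the user between pooled desktops.
        LocalCacheDir = Join-Path $local ("Profiles\" + (Split-Path $profile -Leaf))
    }
}
```

Run it once after installing the add-ons and again after logging on to a fresh pooled desktop; if Roams is True and the AddOns list matches both times, the application is storing its customizations where the roaming profile will carry them. Anything that only shows up under the local cache directory will be rebuilt on each logon.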


posted by Derek Thorslund

With the release last month of HDX 3D for Professional Graphics as a feature of XenDesktop, Citrix now offers two alternatives for delivering high-end 3D graphics from hosted applications. Let's compare these two solutions.

HDX 3D Pro Graphics on XenDesktop

Our premier solution for 3D professional graphics is based on hosted Windows desktops and works with either the XenDesktop 3 or XenDesktop 4 Desktop Delivery Controller. HDX 3D Pro Graphics features our most advanced technologies for data compression, making XenDesktop the best solution on the market for delivering 3D graphics to remote workers. For top level performance, we offer GPU-based compression, leveraging NVIDIA graphics processors with 96 or more CUDA cores. The compression level is automatically adjusted based on bandwidth. Just below that is CPU-based JPEG XR compression (no special GPU required). JPEG XR (the 'XR' stands for 'Extended Range'), formerly known as HD Photo, is an ISO/IEC standard for high dynamic range image encoding. These compression options are supported by the HDX 3D online plug-in for Windows, a special version of the ICA client. With advanced compression and other clever innovations, HDX 3D Pro Graphics delivers a good experience even at 2 Mbps and 200 ms roundtrip latency. And, of course, it delivers a high definition "like local" experience on high bandwidth, low latency connections.

Application compatibility is excellent with HDX 3D Pro Graphics because the applications run on a standard Windows XP operating system (and Windows 7 support is in development). It doesn't matter whether the applications use DirectX/Direct3D or OpenGL or whatever. HDX 3D supports True Color, important when a very large number of colors, shades, and hues need to be displayed, as with high quality photographic images or complex graphics. Customers are already using HDX 3D to work with models with more than a million parts, and 64-bit OS support is coming soon, which will enable huge amounts of memory to be addressed.

These comments from our customers sum it up best:

– "So far this is the only product to have anywhere near acceptable performance"
– "Everyone is loving it"
– "50 to 75% better than our existing solution"
– In pure Swedish, it is "sh$@#ing good"!
– "At 1.5 Mbps it is still very usable"
– "We have been extremely impressed"

HDX 3D on XenApp for Windows Server 2008

For many organizations, HDX 3D on XenApp provides a great solution for delivering professional graphics, since Windows Server 2008 now enables a graphics card to be used for 3D rendering on Terminal Services / Remote Desktop Services. While hardware acceleration is limited to DirectX/Direct3D-based applications, that may be all you need depending on the specific applications your end users require. OpenGL based applications are CPU-rendered but they perform much faster on 64-bit Windows than on 32-bit so you may find that to be adequate. Of course, if you really need hardware acceleration for your OpenGL applications, go with HDX 3D Pro Graphics on XenDesktop.

Compression options with HDX 3D on XenApp are not quite as extensive as on XenDesktop but are generally sufficient for intracontinental WAN access. The highest level of compression is obtained by selecting Heavyweight JPEG, a special variant of JPEG that uses arithmetic encoding instead of the normal Huffman encoding. It gives a further reduction in bandwidth of around 10 to 20% without changing the pixel quality at all (compared to standard JPEG), at the cost of higher CPU consumption. With Progressive Display, users get a responsive experience even over WAN/Internet connections because images are delivered with lossier compression while being moved and quickly resolve to full resolution when motion stops.

A single graphics card in the server can support multiple concurrent users, depending on their usage characteristics. I spoke with a customer using an entry-level NVIDIA FX 370 GPU and they support four concurrent users on an HP 360 G5 server with a dual-core Xeon processor and 4 GB of memory running 32-bit Windows Server. They estimate that they will be able to support 12 to 16 simultaneous users on a dual quad-core server with 64-bit Windows Server and 32 GB of memory. Again, it depends on the application and the work profile of the users. A more powerful GPU, like the NVIDIA FX 5600 or 5800, will help with scalability, too.

HDX 3D on XenApp supports lossless compression (important in Healthcare), but color depth with DirectX hardware acceleration is currently limited to 16-bit High Color. True Color support (16 million colors) is offered with CPU-based rendering, and True Color with GPU hardware acceleration is planned for the near future, making HDX 3D on XenApp a great option for delivering PACS applications over hospital campus networks.

A Look Ahead

How will these technologies evolve in the future? 64-bit Windows XP and Windows 7 support is planned for HDX 3D Pro Graphics on XenDesktop, and True Color support is coming soon for HDX 3D on XenApp. Windows Server 2008 R2 is likely to bring some benefits, too. And as the graphics and hypervisor vendors introduce GPU virtualization, we expect to leverage that on both XenApp and XenDesktop; some exciting progress in this area is already happening in the lab. Expanding the VM Hosted Apps feature of XenApp to encompass 3D graphics apps would be a natural step.

Tell Us about Your Experience with HDX 3D

If you're using either of the HDX 3D technologies described above, I'm sure other customers would like to hear your story. Please tell us about the 3D applications you deliver, your data center and network, and how your users are benefiting.

Derek Thorslund
Citrix Product Strategist, HDX


posted by Ola Nordstrom

Citrix XenApp 5 Feature Pack 2 for Windows Server 2003 has a very cool feature called Secure Clipboard Control. The technical folks may know this feature as "Read-Only Client Drive Mapping and Clipboard", but the end results are the same: it further mitigates risks of data leakage.

Granting remote users CDM access is great because they can open local files with server published apps. But they also have the ability to save server documents locally thereby increasing the probability that confidential data leaks out beyond the enterprise. Some customers have tried to tackle this problem by disabling CDM and clipboard altogether, but that does not offer users flexibility - what if administrators want to only let users save documents back on the server? This is where the new Secure Clipboard Control setting can help. It is a really simple feature for administrators to configure, yet provides an added level of flexibility (users can save documents to the server, but cannot save documents to the local device) administrators didn't have before.

To enable read-only client drive mapping, in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdm\Parameters create a DWORD value named ReadOnlyMappedDrive with value data 1.

To enable the one-way clipboard, in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard create a DWORD value named ReadOnly with value data 1.

After the server is rebooted, all users that connect will only be able to read documents from their mapped drives and will only be able to copy and paste text into a published application. Data copied inside the published application (via CTRL-C) will not show up in the client's clipboard paste buffer. Whenever a user tries to save a file to a mapped drive they will get an error saying they don't have permission to write to that location, because XenApp has the drive open in read-only mode.

For now both settings are server wide, so remote users will have to be confined to specific machines where the settings are enabled. You can find out more about this feature in CTX123002 and in Citrix eDocs.
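The two registry changes above as one script, an added example that is not from the original post or from Citrix's documentation: it creates both values on the local server, reads them back before the reboot, and fails loudly if either did not stick. It assumes PowerShell running elevated on the XenApp server, that the HKLM: drive is available, and that the Virtual Clipboard key may not exist yet on a fresh install (so it is created rather than assumed). The key paths and value names are the ones the post gives.

```powershell
# Added example (not from the original post): enable read-only client drive
# mapping and the one-way clipboard on this XenApp 5 FP2 server, then verify.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdm\Parameters'
       Name = 'ReadOnlyMappedDrive' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard'
       Name = 'ReadOnly' }
)

foreach ($s in $settings) {
    # Assumption: the key may be absent on a fresh install; create it instead of failing.
    if (-not (Test-Path $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null
    }
    # -Force overwrites an existing value of any type with the DWORD the feature expects.
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify before rebooting: both values must read back as exactly 1.
$missing = $settings | Where-Object {
    (Get-ItemProperty -Path $_.Path -Name $_.Name -ErrorAction SilentlyContinue).($_.Name) -ne 1
}

if ($missing) {
    $missing | ForEach-Object { Write-Warning "Not set: $($_.Path)\$($_.Name)" }
    exit 1
}

Write-Output 'Read-only CDM and one-way clipboard are configured; reboot the server for them to take effect.'
```

Because both settings are server wide, run this only on the servers you have set aside for remote users, and after the reboot confirm the result from a client session: saving to a mapped drive should fail with the permission error, and text copied inside a published application should not appear in the client's paste buffer.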

Learn more about Citrix XenApp 5 Feature Pack 2



posted by Kurtis Moody

As the first opportunity to really interact with customers and partners on a large scale after the XenDesktop 4 and FlexCast announcements, Tuesday's CitrixLive! was a really exciting day for many of us at Citrix.  Ron Lott, Frank Anderson and I had the opportunity to do the Q&A sessions for FlexCast, our name for the uniquely numerous methods Citrix has of delivering virtualized desktops and applications, all under one product, XenDesktop 4.  As my XenDesktop counterpart SME, Frank is an incredibly savvy technologist and fellow Citrite, with a rather impressive employment history with some of Citrix's largest and most successful partners, customers, and XenApp rollouts.  I knew him when he was at Disney and Emory, but have really enjoyed watching him work over the last couple of years in a vital role on our XenDesktop product team... just a great guy to work with.  But I digress...

Back to FlexCast and the delivery options:

Simply put, FlexCast is all about enabling the broadest class of capabilities under a single product from a single vendor, in order to enable IT buyers and engineers to focus on the right implementation for their environment and users, without getting caught up in what many are finding to otherwise be a costly, multi-vendor solution that usually doesn't quite cut it.

After some of the questions on FlexCast during the CitrixLive! Event on Tuesday I thought it would be a good idea to start a blog series about FlexCast On-Demand Apps by presenting the matrix of application and desktop delivery options included in XenDesktop 4.  Dan Feller has posted a quick video over in his "Ask the Architect" Blog that goes into this as well.  Dan's posts are always a great resource so please check them out.  In follow on posts we will go into more detail about specific implementations from this matrix, which grows much larger when you take into account that some users actually use multiple desktops and scenarios, sometimes all at the same time.

In the matrix I have included traditional installation as "End-point Installed", not to include it as part of FlexCast, but to acknowledge it in perspective to the options enabled by FlexCast. 

I have also separated "Online streamed/App-V" and "offline application streaming/App-V" in order to clarify the target platform for these on-demand delivery types. "Offline" in the Citrix vernacular describes the ability of an execution platform to run an isolated app without requiring an active connection to a back-end XenApp server.

App Type \ Desktop Type           | Hosted Shared Desktop | Hosted VM-Based Desktop | Hosted Blade Desktop | Local Streamed Desktop | Local VM-Based Desktop | Installed Desktop
Online Installed                  |                       |                         |                      |                        |                        |
Online Streamed to Server         |                       |                         |                      |                        |                        |
Online App-V Streamed to Server*  |                       |                         |                      |                        |                        |
Offline Application Streaming     |                       |                         |                      |                        |                        |
Offline Microsoft App-V**         |                       |                         |                      |                        |                        |
End-point Installed***            | 3rd Party (listed against five of the six desktop types; the original matrix does not preserve which column is blank)

(The markers showing which app/desktop combinations FlexCast supports were images in the original matrix and did not survive extraction; only the row and column labels are recoverable.)

    * Requires Microsoft VDI Suite - Premier
   ** Requires Microsoft VDI Suite - Standard
  *** Manual or 3rd Party ESD installs are not part of FlexCast

As you can see, there are 28 discrete options to be considered for any single desktop implementation. This can at first sight be a little overwhelming.  I would argue that this is much less overwhelming than being forced into one particular desktop or application delivery solution and then trying to address all of the complexities of a growing number of access scenarios (i.e. are all of the users on campus? How many branches do we have to serve and what are the idiosyncrasies of each one?  What do you mean the CEO is working from a remote island with crappy internet access next week, but still wants to work like they are on the dedicated 10Gb link we installed in his office yesterday?)  OK, maybe that last one was a bit of an exaggeration, but you get the point.

With all of the other considerations to take into account, being hobbled by any solution that can only address the problem in a single, specific way, because that is all it can do, is often like painting a car with a push broom: yep, the paint will go on, but is the end result really what you were hoping for?  Citrix FlexCast pretty much covers every consideration that needs to be taken into account for cost effective desktop and application delivery, especially in light of current economics and increasing budget constraints, let alone consumer based end-user expectations that are outpacing the current capacity of corporate IT to deliver acceptable usability and service levels.

In the flexibility line of thought and in light of all of the pressure we are all under in a down economic climate, I'd like to share an excerpt that hit me from one of my favorite books while I was looking at this matrix and reflecting on the great opportunities that On-Demand Apps and XenDesktop 4 introduces.

All three quotes are from one book; they are not in sequence, but they cover three thoughts...

The opportunity: 
"Congratulations!
Today is your day.
You're off to Great Places!
You're off and away!
You have brains in your head.
You have feet in your shoes.
You can steer yourself any direction you choose.
You're on your own. And you know what you know. And YOU are the guy who'll decide where to go."
 
The Trap to avoid:

"You can get so confused that you'll start in to race down long wiggled roads at a break-necking pace and grind on for miles across weirdish wild space, headed, I fear, toward a most useless place.

The Waiting Place...for people just waiting."
 
The Reward for getting it right:

"Oh! The Places You'll Go!

You'll be on your way up!
You'll be seeing great sights!
You'll join the high fliers who soar to high heights.

You won't lag behind, because you'll have the speed. You'll pass the whole gang and you'll soon take the lead. Wherever you fly, you'll be best of the best. Wherever you go, you will top all the rest."

Wow, I almost feel like Stuart Smalley after that one. Anyway, thanks for allowing me the tangent, and oh yes, thanks Dr. Seuss, one of the 20th century's greatest philosophers!

Now, back to business... I am looking for the community to help this blog series evolve by asking questions, sharing examples, and pushing us to deliver more in those areas where you have real pain but no real solution yet.  These are the things that I would really like to be talking about, so let's have at it!

Kurt
