The Citrix Blog
  2008/03/01
Dell Does Desktops - On Demand

Back in October of last year, Dell announced at the Gartner IT Expo a new solution called Dell On-Demand Desktop Streaming as part of their Flexible Computing Solutions. This is a bundled solution that includes Citrix Provisioning Server for Desktops. Here is the description of this solution from Dell.

On-Demand Desktop Streaming differs from similar offerings by providing centralized IT control and data security without compromising end-user productivity. It also incorporates the company's breakthrough EasyConnect™ technology, making client deployment easier by removing manual licensing and enabling an instant boot to the server.

"Dell's On-Demand Desktop Streaming solution can eliminate many of the security risks associated with viruses, spyware and hacking attempts," said Lee Steinsdoerfer, technology director, Zion-Benton Township High School, Zion, Ill. "We have fewer security concerns and can focus our resources on other pressing needs."

...

Additional features of Dell's On-Demand Desktop Streaming include:

  • Virus resistance, making malware less of a concern because each re-boot restores the original image.
  • Image roll-back, which allows IT administrators to roll out a new OS or application and restore the previous production image if there is a problem.
  • Support for up to 100 end users with one server, versus a blade PC for every user, making manageability and maintenance easier.
  • Standard Image Mode, which can deliver one standard image across all systems for quick and easy changes while minimizing impact on network resources.
  • Flexibility to easily expand, change or move users or redeploy data center infrastructure for other uses.

 
The Dell blog, Direct2Dell put up a post and video of the new solution in which "Bharath Vasudevan and Aaron Prince from the Solutions Engineering team walk you through a demo of a 100-client setup".


(You may need to update your Windows Media Player to see the player with the post. If you see a red x above instead of the media player window, here is the link to the video.)


Dell created a Deployment Guide for the On Demand Desktop Solution. Here is a list of components of the solution as listed in the deployment guide:

Hardware and Software Requirements

Following are the basic requirements for hardware and software:

Streaming Server: Dell PowerEdge™ 2950

Standalone server configuration: At least one Dual Core Intel® Xeon® 5160 processor, 4 GB of 667-MHz RAM, and at least six 10,000 or 15,000 RPM SAS hard drives, with two drives in a RAID 1 configuration and the remaining drives in a RAID 10 configuration. Dell recommends no more than 100 users per server.

HA configuration: Minimum of two identically configured servers with at least one Dual Core Intel® Xeon® 5160 processor, 4 GB of 667-MHz RAM, and at least two 10,000 or 15,000 RPM SAS hard drives in a RAID 1 configuration (see "Storage Sizing Guidelines"). Dell recommends that the number of servers allow failure of one server with no more than 100 users per remaining server.

NAS Server (HA Configurations Only): Dell PowerEdge™ 2900
At least six 10,000 or 15,000 RPM SAS or 7200 RPM SATA hard drives, with two drives in a RAID 1 configuration and the remaining drives in a RAID 10 configuration (see "Storage Sizing Guidelines"). Up to 10 hard drives are supported, with two drives in an optional Flex Bay. Dell recommends no more than 200 users per NAS server.

Server Operating System: Microsoft® Windows Server® 2003 R2 Standard or Enterprise Edition (32-bit) for streaming servers and Windows Storage Server 2003, x64 Standard or Enterprise Edition for NAS servers.

Clients: Dell OptiPlex™ 755 or Dell OptiPlex 755 FLX (diskless)
For the ideal experience with multiple or memory-intensive client applications, Dell recommends 2 GB of RAM to reduce the likelihood of memory swapping across the network.

Client Operating System: Microsoft® Windows® XP Professional (32-bit or 64-bit) with SP2, Windows Vista® Business (32-bit or 64-bit), or Windows Vista® Ultimate (32-bit)

Streaming Software: Ardence Software-Streaming Platform (Citrix Provisioning Server for Desktops), version 4.1 SP2(DELL)

Licenses: Through EasyConnect™ Technology, the Dell clients are licensed for On-Demand Desktop Streaming. Importing and installing licenses from Citrix are not required.

NOTE: A hard drive must initially be installed in at least one client computer to create the master client vDisk image. The hard drive may be removed if desired after the vDisk image has been created.



Dell also put together a Performance Characterization whitepaper for the joint offering. This is a very detailed document that includes numerous metrics under increasing loads, including client boot time, client retries, server CPU utilization, memory utilization and disk queue length. If you are curious about the performance and scalability of Citrix Provisioning Server in this Dell Solution, take a few moments to review this whitepaper.
If you are considering making a change in desktops and want to dramatically lower support costs, this new joint solution from Citrix and Dell is worth taking the time to evaluate.

Posted at 01 Mar @ 1:56 AM by Barry Flanagan | 0 Comments
  2008/03/03
Time to Catch Up

It's been a long long time since my last post, and much has happened since then in the desktop virtualization space, both for Citrix and in the wider industry. At the time of my last posting (December 2006, no less!) we were seeing the first attempts to virtualize Windows-based desktops, using home-grown and relatively simple "brokers". Typically, they would use straight-forward one-to-one mappings between end users and their virtual desktop, perhaps based on the user's login identity and their virtual desktop's IP address.

Since then, we have made great strides to deliver more sophisticated solutions for desktop virtualization, and a first batch of products have been released from vendors such as VMware (VDM, courtesy of their acquisition of Propero), Quest (via ProvisionNetworks), Leostream, and others (there's a good overview available from it2.0). And of course we delivered Desktop Server 1.0 last year, and have now just made a beta version of XenDesktop 2.0 available for download.

A great deal has happened here beyond the obvious name change, and our vision for this product has undergone major shifts over the past year or so. I'd like to use this post to bring you up to speed on how XenDesktop differs from Desktop Server and also many of the other desktop virtualization products.

First and foremost, while Desktop Server 1.0 was a broker that mapped end users to virtual desktops, XenDesktop provides a much more comprehensive approach to delivering desktops. A broker by itself is all very well. It allows you to migrate desktops into the data center, with all the benefits this brings in terms of preventing data loss (remember all those news stories about stolen laptops and hard drives and optical discs getting lost in the post?), reducing downtime, and gaining visibility and manageability - provided you have appropriate tools and processes in place to manage the sprawl of what will typically be VMs that host your virtual desktops.

Of course a desktop virtualization strategy can also introduce new headaches. For instance, you need to think hard about what moving your end users' desktops into the data center means for the security of other assets in the data center - you'll probably want to consider a strategy that fences off virtual desktops from other services and data hosted in the data center. More than that, though, moving desktops into the data center by itself doesn't solve some of the big management problems - you still need to worry about image management, patches, anti-virus, and on top of that you have to keep an eye on the health of the desktop virtualization infrastructure, whether this be XenServer, VMware, blade PCs, or other desktop hosting technologies. Finally, all the images for your virtual desktops need to be stored somewhere, and with multi-GB disk images, this quickly adds up to a substantial storage cost.

XenDesktop includes technology that will help you to tackle these complications, and help you get a long way towards reaping the promised benefits of desktop virtualization (well, that's my sincere hope anyway). Here's how we envisage a successful desktop virtualization strategy to play out:

  1. Lock down your end user's endpoint devices, or better yet, replace them by Desktop Appliances (the new term for thin clients that are specifically designed to take advantage of desktop virtualization). This minimizes the maintenance overhead and reduces the risk of end users misconfiguring or otherwise breaking their devices. We've designed XenDesktop's end-user UI so that this step becomes as painless as possible for end users: after switching on their device, end users enter their credentials and XenDesktop takes over, connecting them straight to their virtual desktop. Depending on your deployment, this uses a combination of Web Interface and Program Neighborhood Agent technology under the covers, but this is entirely transparent to end users.
  2. Take advantage of the migration to centrally hosted desktops and consolidate and rationalize the OS images for your end users. Ideally, you should end up with a small number of "golden images" that contain only the base operating system, as well as perhaps a few universal applications that all your users need, e.g. a standard browser or email client. The idea here is to separate the base OS from applications and user data, and hence make it an entity that can be maintained and managed independently and separately, and hence more effectively. Citrix Provisioning Server (also known as PVS - you may be familiar with it under its previous label of "Ardence") provides the required technology here, and is conveniently included in XenDesktop.
  3. PVS is used to create and store golden images, which are then shared among VMs, or even blade PCs. In other words, if you have 100 users all using the same base OS, you only need to store the image on disk once and PVS will stream it to the VMs hosting your virtual desktops, on demand. The VMs (or blade PCs) themselves can be entirely diskless, and this can add up to a tremendous saving in storage cost. What's more, PVS makes managing golden images a lot easier as well: if you need to patch your base OS with the latest service pack, you only do this to the golden image. Restarting the VMs suffices to apply the new image across the board. And if the service pack update goes wrong - no problem, it's trivial to switch back to the previous version of the image. PVS and XenDesktop will also automate the management of AD computer accounts, hence there's no need for sysprep or other tools, and adding a new virtual desktop is done in seconds: create a new diskless VM, add it to PVS' client list, and let PVS manage the new desktop's AD account.
  4. So now you have a very manageable environment that you can use to deliver generic desktops based on golden OS images to your end users. But your end users will need applications to carry out their daily work (remember, don't include too many apps into the base OS image, because then you need to manipulate that image every time you need to change or update one of these apps). This is where application streaming or "client side virtualization" comes into play; I've briefly touched upon this in my previous post: using XenApp technology, you can deliver applications transparently to your end users, without having to touch or "pollute" the golden image. This allows you to get away with a small number of golden images, even if your users have differing needs with respect to the applications they access: just let XenApp (or alternative technologies) deliver applications to users based on demand.
  5. Finally, users also need to store data and configuration or personalization settings. Again, these must be separated from the base OS and also the applications, in order to make the entire system manageable and effective. Right now, you'll have to use off-the-shelf solutions like Windows roaming profiles to store and manage data and settings separately, but naturally we recognize this as a gap and are working towards offering a solution that's integrated with XenDesktop in the not too distant future.

To recap, XenDesktop has evolved significantly from a broker into a fully fledged desktop virtualization solution that combines a broker, ICA's high-performance remoting protocol (courtesy of PortICA), virtualization infrastructure (and before you ask: yes, XenDesktop works well with a VMware and Microsoft virtualization infrastructure as well, although of course we'd prefer you to use the XenServer technology that's included in XenDesktop), image management and OS streaming, a set-up tool for wizard-driven provisioning of diskless VMs with OS streaming, and more. If you want to dig deeper, check out the official XenDesktop product site where you can also download the beta, and join the discussion forums for support.

For my next post I'm planning to go a bit more technical and describe one of the areas that has generated many questions for the beta: how XenDesktop works with AD.

Posted at 03 Mar @ 1:52 PM by Martin Maierhofer | 2 Comments
Why web developers should consider netscaler

I took a netscaler basic training a while ago. The class is very informative. And I would recommend it if you have an opportunity to take it.

For more information about this product, see

http://www.citrix.com/English/ps2/products/feature.asp?contentID=21681

You can find more information about this training class at

http://www.citrix.com/English/ps2/products/feature.asp?contentID=21768

Note that the course is being updated for 8.0 release.

Netscaler is great for network, application administrators and most articles have focused on this audience. Not much has been said about Netscaler benefits to application developers and its impact to application designs (particularly web applications). As a developer, I will try to give some examples from a developer perspective based on what I learned from the class.

Load balancing:

Netscaler offers powerful load balancing capabilities. In a multiple web server deployment scenario, you will probably need a load balancer to load balance web servers. If your web server requires all requests associated with a session to remain on one server, Netscaler can be configured to do so easily and there are multiple methods to choose from. So a simple web application may simplify its design by maintaining its session state on the local server.

Some more complex applications use a separate group of application servers to run business logic. One example of such an application is the MSAM product I worked on. (MSAM is an enterprise portal product, for those who don't know.) Making sure the requests from web servers to these application servers are load balanced efficiently was a challenge for us, and we spent a lot of effort on it. With netscaler, I now wonder if it makes more sense to eliminate application servers. Instead, host business logic on web servers as well and use netscaler to load balance web servers. It would simplify the design quite a lot and would have more flexible deployment options since the load balancing is separated from the application itself. Such a design would be easier to debug, easier to scale up and perform better (less network traffic, simpler code).

For example, Netscaler has a slow start feature to avoid a newly added server being overloaded. Many of the applications I have seen don't have this load balancing feature.

Content redirection:

Netscaler has this feature of redirecting requests to different backend servers based on flexible policies. For example, you can configure it to redirect HTTP traffic to a mobile web site if the request headers indicate the client device is a small form factor device. A use case for example can be as follows:

Web interface users can type the same URL they are familiar with from either small form factor devices such as blackberry (we have a blackberry ICA client now! http://citrixcommunity.com/blogs/cdn/archive/2007/03/26/Idokorro-Launches-new-Citrix-ICA-Client-for-BlackBerry.aspx) or a regular PC. A Netscaler can be put in front of web interface servers and redirect requests to different web interface sites that are designed to serve appropriate published applications.

Sure, the applications can do similar things themselves. But it not only requires additional code but is also difficult to make as flexible as netscaler. Plus, it is easier to reconfigure netscaler than to change the applications. Netscaler has a nice GUI to help with this task. Not to mention that some applications such as web interfaces currently don't have such capabilities yet.

Integrated caching:

For example, Netscaler can cache even dynamic content for a specified period of time. Thus it can reduce the load on application servers. For certain applications, it means application developers can focus more on solving business problems and leave the hard job of caching to NS.

It can be a challenge to design a high performance application. In MSAM and later AAC (advanced access control) products I worked on, we spent tons of development and testing effort to improve the web applications' performance. It's difficult because tasks such as converting Word documents to PDFs do take a relatively long time. We improved performance by caching the conversion result. But it is difficult to do and is application specific. If we could rely on Netscaler, we could have delivered the products much quicker.

There are many other benefits to developers. The above are just some examples. We would love to hear about your experience with netscaler.

Posted at 03 Mar @ 3:28 PM by Ruiguo Yang | 0 Comments
  2008/03/04
"10 Virtualization Vendors to Watch" Part VII...

The next virtualization vendor up in my series of posts digging down into CIO Magazine's "10 Virtualization Vendors to Watch" is PlateSpin.


In my last post on this series, I got a bit ahead of myself and posted that Marathon Technologies was next. I had just seen some videos of Marathon working with XenApp and got a bit ahead of myself. Marathon is after PlateSpin.


Here is what CIO Magazine has to say about PlateSpin -

PlateSpin continues to win over customers even as some free conversion tools have become available, says Burton Group's Wolf. PlateSpin's P2V conversion tool, PowerConvert, has remained relevant due to its expanded use models, including disaster recovery staging and virtual-to-physical conversion capabilities, Wolf says. Also, PlateSpin added chargeback reporting to its PowerRecon product, an interesting reporting and management tool, just as many IT groups are trying to figure out how to do chargebacks to business units in the virtualized world.

As you may have heard, PlateSpin and Novell recently announced that Novell is acquiring PlateSpin.


PlateSpin did a podcast interview with Virtual Strategy Magazine last year.


Podcast Summary: Length: 18:10

  • Introduction
  • Fastest growing companies in Canada (00:15)
  • Server consolidation and disaster recovery (00:20)
  • P2V and assessment tools (00:30)
  • How PlateSpin helps companies adopt Data Center infrastructure (00:42)
  • Unified Workload Management (01:55)
  • Virtualization and provisioning (02:10)
  • Planning to have the workload in the right place at the right time (03:30)
  • Provisioning, protecting, moving, optimizing and profiling workloads (03:45)
  • Power Recon for awareness, Power Convert for change (04:20)
  • Together for agility and improvement (05:00)
  • Latest release of Power Recon (06:00)
  • Very large data centers, thousands of servers (06:20)
  • Greening the datacenter (07:16)
  • Inventory Power in a datacenter (07:43)
  • Incentives to reduce power (00:20)
  • Disaster recovery DR (08:34)
  • Testing recovery programs (09:24)
  • Physical to virtual infrastructure failover (11:07)
  • What differentiates PlateSpin (12:07)
  • Sneak Peeks (14:10)
  • Final words about changing datacenters (00:20)
  • Closing

PlateSpin has three products today, PowerConvert, PowerRecon, and a new virtual appliance product called Forge. Here are some brief product overviews.


PowerConvert

PowerConvert is the first and only solution that remotely decouples workloads from the underlying server hardware and streams them to and from any physical or virtual host with a simple drag and drop.

By removing the dependency between a data center's infrastructure layer and the business applications that run on it, PowerConvert allows organizations to continually match service level requirements with available resources by rapidly reconfiguring, relocating and optimizing servers - all from a single point of control without having to be in physical contact with source or target servers.

You can view a replay of a PowerConvert webinar here.

PowerRecon

PlateSpin PowerRecon provides new levels of intelligence, visual analysis and forecasting for optimizing the data center by collecting hardware, software and services inventory for all server workloads with absolutely no manual effort. PowerRecon remotely gathers workload utilization statistics for a clear and concise picture of the application services running in the data center and how their resources are being used. PowerRecon supports the green data center by allowing organizations to assess the potential cost savings in power, cooling and space that can be achieved through consolidation.

With broad support for today's distributed, multi-platform environments and unprecedented scalability to accommodate the world's largest data centers, PowerRecon provides a true enterprise-scale workload profiling and planning solution. When combined with PlateSpin PowerConvert, organizations gain a complete end-to-end solution with tightly integrated planning and execution for data center initiatives.
PowerRecon provides analysis and planning for:

  • Server Consolidation
  • Consolidated Recovery
  • Green Computing
  • Data Center Optimization
  • Capacity Profiling & Planning
  • Asset Management
  • Workload Profiling
  • Virtual Infrastructure Management

The PowerRecon webinar replay is here.

Forge

The PlateSpin Forge appliance ships with prepackaged storage, consolidated recovery software and virtualization technology that is ready to go out-of-the-box. The standard configuration protects 25 server workloads up to a total of 2.5 terabytes of data. For larger implementations, multiple appliances can be deployed.

By dramatically reducing the time and specialized technical resources required to plan, provision, deploy and test a recovery environment, PlateSpin Forge puts workload protection and recovery within reach for small and medium-sized businesses as well as departments or branch locations within larger enterprises. With PlateSpin Forge, organizations can begin reliably protecting their physical and virtual workloads in a matter of hours as opposed to months.

 

I found a couple of quick PlateSpin PowerConvert overviews on YouTube (made by ITDVDs.com)


I did an earlier post on PlateSpin that includes a link to a video interview at iForum.


Next up on the list is Marathon Technologies (I am sure this time!). Again, I have posted about Marathon before (such as this post and this post). Marathon Technologies has an excellent solution that not only integrates with XenServer but XenApp as well. I have quite a few videos to show this teed up for my next post in this series.

Posted at 04 Mar @ 6:25 PM by Barry Flanagan | 0 Comments
  2008/03/05
Single Sign-On Comes of Age
Last changed: Mar 05, 2008 16:02 by Kate Brew
Labels: esso, sso, platinum, security, xenapp, single sign-on, password manager, lang-eng

Without Single Sign-On, users are left to their own devices (such as yellow stickies) to retain the many different passwords they need.

Trouble was that security vendors were so eager to provide this functionality (starting about 10-12 years ago), and the hype was so great, and the technology was so immature, that early SSO projects often had tragic results. Early implementers in some cases dumped millions in services dollars to coax the immature SSO product into actually working for a subset of their applications.

Well, the technology is mature now, and SSO really works!

With the Citrix SSO product, Citrix Password Manager (CPM), we have a very successful install base of customers, with many implementations with more than 50,000 users. Very conveniently, CPM is included as the SSO XenApp Platinum component, bringing more value to users as well as value to IT administrators in increasing actual security by eliminating bad user behavior.

Posted at 05 Mar @ 1:52 PM by Kate Brew | 2 Comments
How do I know if RAVE is working?

Recently I published a video blog post about RAVE (Remote Audio & Video Extensions), the technology behind SpeedScreen Multimedia Acceleration. RAVE supports high quality playback of media streams that can be decoded by a media player that uses DirectShow or DirectX Media Objects (DMO). A question came in from the field asking how a customer can determine whether SpeedScreen Multimedia Acceleration is functioning. So here are some handy tips for verifying whether RAVE is working or not. In addition, you'll find a helpful troubleshooting article in our Knowledge Center.

The quick answer is that you can probably tell by the quality of the video playback since RAVE delivers a user experience on par with running the media player locally. But here are some other telltales. When RAVE is working, a black rectangle will quickly flash by as the video begins to play. Server CPU usage will be much lower than if the video were being rendered on the server (for comparison, you can disable SpeedScreen Multimedia Acceleration on the console and try playing the same video). Searching for "FilterInt" in Process Explorer will show that DLL loaded by the media player's process.

Are there any enhancements that you would like to see to make it easier to discover that an additional codec needs to be installed on the client (or even on the server to support server-side rendering as a fallback)? For example, one possible enhancement would be for SpeedScreen Multimedia Acceleration to record RAVE events in the Windows Event Log.

Derek Thorslund
Product Strategist, Multimedia Virtualization

Posted at 05 Mar @ 2:10 PM by Derek Thorslund | 1 Comment
Future of XenApp for UNIX
Last changed: Mar 05, 2008 17:44 by Sridhar Mullapudi
Labels: unix, linux, xenapp, xenapp, xenapp for unix, lang-eng

As a follow up to Carlo's post on XenApp for UNIX, I would like to discuss our future for the UNIX product. XenApp for UNIX is a fully supported, maintained and enhanced product. Since we released Presentation Server for UNIX 4.0, the product has been following an incremental feature delivery model. Since the 2005 release we have added over 80 feature enhancements like seamless improvements, session query utility, enhanced diagnostic logging, roaming user support, adding support for Solaris x86/x64 platform, Solaris SPARC license server, Virtual Channel SDK, enhanced keyboard and wheel mouse support, Solaris zones support, enhanced server farm publishing options etc. Instead of coming up with a brand new release (like PS for UNIX 4.5 or 5.0), we have opted to get these enhancements as public hot fixes and feature packs. E.g., we added Solaris x86/x64 support when we released PS 4.5 Feature Pack 1. And we will have the next feature pack update for UNIX that will align with the upcoming Delaware release.

The reason for using this delivery model is it speeds up our feature development and helps our customers easily adopt the functionality they need. The customer can install these updates as either hot fixes or as feature packs based on their needs. Of course, you need to be current on SA in order to use the features.

Regarding support for Linux platform, we still don't see a huge market for Linux apps. Also, we might not have native Linux support but some of our customers use XenApp for UNIX as a proxy to serve Linux applications. We will soon have a KB article explaining how you can do that.

Posted at 05 Mar @ 5:44 PM by Sridhar Mullapudi | 6 Comments
What is an Application Firewall?

...and why is an Application Firewall important?

The Internet is at Flood Stage

When they think of the Internet, most users think of the web sites they visit using Internet Explorer, and perhaps the email they exchange with family and friends. Those who use the Internet at work think of the web sites they use on the job. If they think of the underlying infrastructure that stores this information and transmits it to their browser, they think of it only when a glitch prevents them from doing something they wanted to do. At present, this happens only rarely with most users.

Unfortunately, appearances do not correspond with reality. At present, a significant amount of traffic on the Internet is not transferring legitimate content to users who requested it. Users are mostly aware of one aspect of this problem, spam in their mailboxes. According to the widely-respected anti-spam organization Spamhaus, 85% or more of the email sent across the Internet is spam – email that the end users did not ask for and (in most cases) do not want. The vast majority of spam advertises questionable or outright fraudulent products or services, and is sent using computers compromised by trojan or virus software and controlled by the spammers to form botnets. In other words, many spammers are using stolen resources to send their spam. The spammers use a wide variety of techniques – DNS poisoning, fast-flux hosting, and others – to switch between hundreds or thousands of these computers, making it extremely difficult to find all the compromised computers and remove the virus or trojan.

Increasingly, the web sites advertised in this type of spam are also hosted on the same compromised computers. Originally the spammers compromised mostly consumer workstations running Microsoft Windows 2000 or Windows XP, but increasingly they are targeting business workstations and servers that may run Windows or any of several types of Unix. For example, one widely-tracked (and widely loathed) spam botnet organization targets Unix computers running insecure versions of the Apache web server. This organization, and others like it, host false bank or financial institution web sites (called phishing web sites), child pornography (CP), unlicensed pharmaceutical web sites, and many other types of web sites promoting illegal or questionable products or services on computers without the permission or knowledge of the owners. This results in lost use of computer resources, embarrassment, and inconvenience to the owners when these spammed web sites are tracked to their server rooms.

This is where the Citrix Application Firewall, or another application firewall, becomes important for any business or organization with a web site. The Application Firewall is a filter that sits between web applications and users, examining requests and responses and blocking dangerous or inappropriate traffic. The Application Firewall protects web servers and web sites from unauthorized access and misuse by hackers and malicious programs, such as viruses and trojans (or malware). It provides protection against security vulnerabilities in legacy CGI code or scripts, web server software, and the underlying operating systems. It helps keep the bad guys out of your company's computers.

I'll have specific examples of types of web site abuse and how to prevent them in upcoming posts.

Posted at 05 Mar @ 5:57 PM by Catherine Hampton | 0 Comments
  2008/03/06
Exciting times ahead with CSC
Labels: xendesktop, lang-eng

I spent some time with our friends and partners CSC, both at their Aldershot UK headquarters and at VMworld Cannes. In case you missed it, we just announced a partnership around "CSC Dynamic Desktops" last month. The guys I met were real veterans of VDI, really sharp and above all, great guys to work with. Turns out, they built what had to be one of the first - if not the first - VDI implementation, over 2.5 years ago! (They did it prior to joining CSC.) To hear their war stories, both political and technical, it was truly an incredible journey. Just imagine if the guys who first invented the wheel met with such resistance:

  • "Came up with idea for a better way to move stuff around. No one will give us any tools though, so we are using our fingernails to dig some curvy bits into a rock we found.
  • Finished our curvy rock, needs some more refinement and funding so will present to the bosses later this week.
  • Presented to bosses, they said they couldn't understand why this was any better than just having a bunch of servants carry things around. Servants are cheap, we need rocks to build huts, they said. Told us to go away.
  • Decided to make our own tools out of twigs and twine, finally finished our first real prototype, made of wood this time. Much easier to work with than rock!
  • Presented it again, bosses said they needed the wood for kindling, burned our thing that we called a "wheel" and sent us home again.
  • Made another set of wheels, and demonstrated how it could carry a whole deer back to the camp with little effort. Now they want more wheels, and more deer."

Okay, it's a silly metaphor, but it's not much of an exaggeration for how much bootstrapping there seemed to be, and how uphill the battle was to get the concept off the ground. They've seen it all in VDI - as much as there is to be seen so far - and determined that Citrix has the right goods. Regardless, they have taken their considerable expertise to CSC. And CSC has selected Citrix as the partner to go to market with under the CSC Dynamic Desktops solution offering.  I really look forward to working with them and posting some of our experiences here.

Posted at 06 Mar @ 2:38 PM by Calvin Hsu | 0 Comments
  2008/03/07
"Speed Up Your App Delivery"
Last changed: Mar 07, 2008 00:41 by Christian Gehring
Labels: lang-eng, nonspecific

The Microsoft Windows Server® 2008 Launch event and the Germany SharePoint Conference rolled out together February 19-21. Microsoft's goal was to attract 5,000 attendees (customers and partners), and more than 7,000 attendees showed up!

This was a great opportunity for Citrix Germany to make a splash in spite of some limitations imposed by the Microsoft program: all the sponsors were allowed to present only at the SharePoint Conference, not the MS Windows Launch. This limited Citrix's exposure and opportunity to demonstrate the value-add of virtualization, but the Citrix Germany team did not give up and stay in the background. Instead, they took full advantage of their two presentation slots at the SharePoint Conference, giving brilliant presentations on the Application Delivery story, and gearing attention to the ANG product portfolio.

They utilized the previously successful "speed-up-your-app-delivery" concept and gave out 500 Citrix-branded toy Mini Coopers and raffled three remote-controlled Minis in exchange for a lead-generating interview. This clever and well-received giveaway generated 250 leads, many of which already have concrete projects underway.
 

Focusing on the virtualization message
The three-day event had about 240 breakout sessions with over 100 exhibitors. Conversations with customers and partners focused on virtualization and the Citrix Xen family of products to IT decision makers and IT specialists.


 

Posted at 07 Mar @ 12:35 AM by Christian Gehring | 0 Comments
"10 Virtualization Vendors to Watch" Part VIII...

The next virtualization vendor up in my series of posts digging down into CIO Magazine's "10 Virtualization Vendors to Watch" is Marathon Technologies.
Here is what CIO Magazine has to say about Marathon -


How do you deal with planned and unplanned downtime in a virtualized environment? Marathon's everRun HA (high availability) and everRun FT (fault tolerant) products have won acclaim including a recent VMworld Best of Show award for their ability to help IT ensure availability to end users. That award is even more interesting given that Marathon's products today work with Xen virtual environments, not VMware's. "VM high availability will be a significant concern in 2008 as virtualization technology improvements allow more high-end enterprise applications to run inside virtual machines," Wolf says.

As stated by CIO Magazine, Marathon was awarded a Best of VMWorld award in 2007. This is a quote from Tech Target about Marathon and this award -


Other New Technology category award winners include Littleton, Mass.-based Marathon Technologies Corp. for its everRun FT for XenEnterprise, which will provide fault tolerance via software in real time for XenSource servers. The judges said this fault-tolerance capability will become more common to address concerns about reliability, and the technology opens the door for mission-critical apps to be virtualized.

I have posted about Marathon before (such as this post about the video interview from iForum and this interview with the CTO Jerry Melnick). Those two posts give you some background on the technology. Tarry Singh of Virtualization for Everyone did an interview with Jerry Melnick in January.

Recently Marathon Technologies has posted a demo video on YouTube.

Marathon's everRun v-Available gives you the only fault tolerant solution for virtual machines, and it is designed exclusively for Citrix XenServer. Recently, Marathon published a joint whitepaper with Citrix that dives down into this solution. You can download the paper here. You can run the Marathon v-Available ROI Calculator here.


Pricing: The pricing on Marathon Technologies v-Available everRun for Citrix XenServer is $2000 per server. Here is the math for buying a complete solution with XenServer -

Citrix XenServer Enterprise licenses at list-
2 X $3000=$6000

Marathon v-Available at list -

2 X $2000=$4000

Total = $10000 

For $10,000 you get a fault tolerant server virtualization solution that provides true fault tolerance AND maximum uptime for your virtual machines on XenServer. You can contact Marathon for more info.



Marathon clearly has an excellent solution to provide true fault tolerance for virtual machines running on Citrix XenServer. Many people do not realize that Marathon Technologies also has a solution for Citrix XenApp. Gabe Carrejo on the Field Readiness team at Citrix recently did some testing regarding their solution for Citrix XenApp and shared with me the test videos he created.

Gabe has done excellent work in working with Marathon to build this environment and to record his results. He broke his test out into eight different scenarios, and created short videos for each.

In this first video, Gabe shows XenApp sessions (the video was made before the name change, so still uses the Presentation Server name) maintaining the  connection despite a hard drive failure on the primary node.

In this next video, you see all the XenApp sessions over ICA stay up despite a network card failure on the primary server.

Next, Gabe causes the primary server to completely fail and the load to migrate over to the secondary server. No XenApp sessions are lost during this failure and migration.

Gabe then migrates the entire load back to the primary server with no session loss.

One final video I would like to show you from testing done by Gabe. In this test, Gabe simulates 39 user sessions using EdgeSight for Load Testing. He causes the server to fail and all the sessions maintain the connection.

Here is a higher resolution version, but without the call outs (notes).

Gabe created additional videos where he simulated the failure of different hard drives in each server and a combination of hard drives and network cards. You can watch these additional videos at http://youtube.com/user/CitrixBlogger.

As you can see, Marathon Technologies provides a truly fault tolerant solution for both Citrix XenServer and XenApp (and to XenApp running virtualized on XenServer).

Next up is Blue Lane.

Posted at 07 Mar @ 12:59 PM by Barry Flanagan | 0 Comments
How to get the Client IP address or hostname of a Citrix session or Terminal Services Session?
Last changed: Aug 07, 2008 15:56 by Vishal Ganeriwala
Labels: mfcom, ico, wfapi, cdn, xenapp, client ip, lang-eng

Have you ever tried to get the Client IP address for a Citrix or terminal services session and got stuck? I have had several emails asking me how to do it. Well, I thought I might just blog about it. I can think of four ways to do it, and if you can add to the list then please do via comments. So let's get to the business right away.

1. The simplest way is to use the MFCOM API to get a list of sessions and enumerate each session to get the username and the Client IP address. Here is a code snippet.

' Connect to the farm through MFCOM
Set objFarm = CreateObject("MetaFrameCOM.MetaFrameFarm")
objFarm.Initialize(1)
' Print the user name and client address of every session in the farm
For Each objSession In objFarm.Sessions
    WScript.Echo "User name : " & objSession.UserName
    WScript.Echo "IP Address: " & objSession.ClientAddress
Next

You need to be an admin on the XenApp (formerly known as Presentation Server) Farm to run MFCOM queries. You can read more and download the MFCOM example here.

2. Use the WFAPI SDK WFEnumerateSessions method to get a list of all the sessions on a server and then use WFQuerySessionInformation to extract the Client IP for each session on the server. I have written a sample program on how to do it. Follow this link to download WFAPI and a Csharp .Net program which enumerates all sessions on a server and their Client IP address.

3. Use the native Terminal Services API. Similar to WFAPI, use TSEnumerateSessions to get a list of sessions on a server and then use TSQuerySessionInformation to extract the Client IP address for each session on the server. To read more, follow this link to download a Terminal Services API sample example written in Csharp .Net.

4. You can also use the ICO SDK and the GetClientAddress API to get the client IP within an ICO session. The ICA Client Object is the framework that exposes the functionality of the Citrix ICA Win32 Client to third party applications. The ICA Client Object (ICO) SDK enables developers and administrators to modify the behavior and appearance of a Windows 32-bit Citrix ICA client. The SDK is a series of documents that detail the available application programming interface (API) in the Citrix ICA client. Follow this link to download an ICO example which illustrates the use of methods and properties available to get client network name and IP address information using the Citrix ICO SDK.

Code snippet for ICO in JavaScript

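    // Each handler copies one value from the embedded ICA Client Object (ICO1) into a form field.
    function GetClientNetworkName(form)
    {
        form.netname.value = document.ICO1.GetClientNetworkName();
    }
    function GetAddrCnt(form)
    {
        form.addrcnt.value = document.ICO1.GetClientAddressCount();
    }
    function GetAddr(form)
    {
        // Index 0 selects the first client address
        form.addr.value = document.ICO1.GetClientAddress(0);
    }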
Posted at 07 Mar @ 4:38 PM by Vishal Ganeriwala | 39 Comments
  2008/03/08
XenDesktop vs. RDP in VMWare (VDI)
Last changed: Mar 09, 2008 05:51 by Christian Gehring
Labels: lang-eng, nonspecific

 This video demo is showing the benefit of ICA in XenDesktop (vs. RDP in VMware VDI) over a 200ms latency WAN link. 

Posted at 08 Mar @ 7:56 AM by Christian Gehring | 1 Comment
Simon Crosby Interview at VMWorld Europe
Last changed: Mar 09, 2008 23:40 by Barry Flanagan
Labels: xenserver, xendesktop, interview, video, xenserver, simon crosby, tarry singh, lang-eng

Simon Crosby, the CTO of the Citrix Virtualization and Management Division, was interviewed recently at VMWorld Europe by Tarry Singh of Virtualization for Everyone.
Here is how Tarry describes the interview on his blog -

Talking to Simon is always a pleasure. A gentleman with deep understanding of the dynamics of the enterprise. With XenServer, XenDesktop (soon to be GA) and XenApp, Citrix has a rock solid foundation within your data center.

Tarry has many more VMWorld Europe interviews on his blog of Virtualization for Everyone and at Virtualization.com.

Posted at 08 Mar @ 3:42 PM by Barry Flanagan | 0 Comments
  2008/03/10
Finally Moved the Blog...

Folks,

This is my first post on the "Official" Citrite Blogs.  My blog was one of those displaced after Citrite.org was taken offline.  It will take me some time to bring JonEugenio.com back to life after the content at Citrite.org was deleted.  Please bear with me as I rebuild the links and such.

More to Come!

 -Jon

Posted at 10 Mar @ 9:01 PM by Jonathan Eugenio | 0 Comments
  2008/03/11
The Librarian will see you now...

I've always been impressed by librarians. They always seemed to go about their work with quiet efficiency.  It was amazing how once I'd taken a look through the card catalog, they would pull up ten times the information on the topic using a variety of sources.  They may not have been experts on the topic, but they sure knew how to find the experts! 

We've added our own librarian to My Citrix.  With over 3,000 pages of information and another 3,000 pages of resources, it's not always easy to separate the wheat from the chaff in My Citrix.  The Reference Desk function of My Citrix is an excellent chaff separator.  Located right on the home page, you can select a Citrix product, business need or industry solution and instantly get all the content separated into categories.  Need a case study for XenApp?  No problem.  How about a Selling and Positioning presentation for NetScaler?  What features are in the latest release of XenServer?  Presto!

Check it out.  The Reference Desk will become your first stop!  Take that Dewey Decimal!

Posted at 11 Mar @ 7:52 AM by Kyle Benson | 0 Comments
Build your Tech Lab at iForum, the Application Delivery Conference
Last changed: Mar 11, 2008 10:45 by Sridhar Mullapudi
Labels: iforum, xenapp, tech lab, application delivery conference, lang-eng

In every Application Delivery Conference (the new iForum) we have something called a Citrix Tech Lab where we showcase our latest technologies and give a peek into the future technologies that are brewing in our labs. Traditionally this has been a pure feature based demonstration. You go around each booth looking at the new technologies and then start to figure out how you can use it in the real world. This time we would like to make it more intuitive by having demos based on real world scenarios. Think of the iPhone ad. Instead of showcasing its features like a phone, a browser, ability to watch a movie etc, they tie all that into a nice little story that we can associate with.

We have several ideas but let us know what you like in the Tech Lab and what you don't like (or don't care). Help us build the best Tech Lab for you. Leave us your comments or send me a mail at sridhar dot mullapudi at citrix dot com.

Posted at 11 Mar @ 10:45 AM by Sridhar Mullapudi | 0 Comments
Xen.org Blog Available
Last changed: Mar 12, 2008 16:08 by Stephen Spector
Labels: xen hypervisor, lang-eng, nonspecific

For those of you looking for more information specifically on the open source Xen hypervisor, a new blog has been started on the Xen.org site. The blog can be found at http://blog.xen.org.

Posted at 11 Mar @ 4:58 PM by Stephen Spector | 0 Comments
Invisibility and Teaching Old Dogs New Tricks
Last changed: Mar 11, 2008 17:37 by Kate Brew
Labels: lang-eng, nonspecific

I've been talking to a customer in the midst of a large rollout of Citrix Password Manager and heard some interesting items.  This is a very positive Citrix customer, but they don't want users aware of CPM.

Now, being software developers, we just assumed everyone would want to be aware of our cool SSO application.  But this customer, and apparently others, want their SSO solution to be transparent to users.

Why?  They have high turnover and their end users are unsophisticated from an IT perspective.  Their users have limited patience and get frustrated if they feel like they are getting slowed down.  So, even though CPM is saving them time and increasing security, the IT folks want CPM to be "invisible" so that users don't get the wrong perception (i.e., while CPM is launching they get irritated.)

We've already made some changes to the product to address this, but this customer experience convinces me we need to do more.

Another tidbit: training their new workers to use SSO is easier than training established employees who already have bad habits like writing down their passwords, guessing a good bit, and getting locked out a good bit.

Posted at 11 Mar @ 5:36 PM by Kate Brew | 0 Comments
  2008/03/12
Top 2 XenApp Questions at Windows Server 2008 Launch Events

After sponsoring more than a dozen Microsoft launch events around the world, I have reached out to the virtual Citrix event team to get an understanding of the top ten questions we are hearing with respect to Citrix XenApp.  While we all know that history tends to repeat itself, I was still surprised that the same questions we heard back when Microsoft launched Windows Server 2000 and 2003 came up again.  The top 10 boil down to really only 2 key questions:

Question 1: Do Citrix and Microsoft compete in the virtualization space?
I would like to shed some light here. Citrix and Microsoft have shared a strategic partnership for more than 18 years and have worked closely together to innovate on the Windows platform.  As recently as January, we announced an expanded relationship within the adjacent desktop and server virtualization markets. Through the alliance, Citrix and Microsoft will work together to ensure interoperability and cross compatibility with the Windows platform for server, application and desktop virtualization solutions.  Furthermore, we are tightly integrated around the development of our upcoming release of XenApp on the Windows Server 2008 platform. There is no better evidence of this than our joint go-to-market plans that we are effecting. For example, we have been delivering joint presentations to our customers and the market as part of the Microsoft 2008 launch wave, and sponsored conferences and tours. And, for those of you who have not had a chance to attend one of the Microsoft events, take a look at the video clip that was shown at the Microsoft keynote and on their virtual launch site. It specifically highlights the tight integration between our two companies.
Question 2: What value does XenApp bring relative to the standalone offering of Windows Server 2008 Terminal Services?
Similar to the past, Citrix will continue to build upon the strength of the Windows Server platform to provide customers an end-to-end application virtualization solution. Our solutions complement one another in that we will leverage the enhancements Microsoft has made in Windows Server 2008 around platform stability, security and scalability and extend the platform to introduce some enhancements to our core XenApp functionality.  With the interest of not repeating what has already been written, take a look at  Bryon Thomas's post, Citrix XenApp on Microsoft Windows Terminal Services - A Feature Analysis, which provided an introduction to a more technical analysis at the feature level that helps get at the heart of how Citrix embraces and extends the Windows Server 2008 platform.  It is being revised based on some feedback we received to his post but a new version is due out soon so stay tuned.


We want to know what is burning on your mind. So if these are not the same questions you have, just leave us a comment. Inquiring minds want to know.

Posted at 12 Mar @ 11:57 AM by Alicia Rey | 0 Comments
A new face of CDN - Citrix Developer Network
Last changed: Aug 07, 2008 17:51 by Vishal Ganeriwala
Labels: cdn, team-executive-cto, xenapp, grp-ce grp-cdn, lang-eng

If you have not visited CDN lately, I suggest you give it a view. The team has made some significant usability enhancements as well as interesting content that is being contributed by employees as well as the larger Citrix community. For example, Vishal Ganeriwala has made a recent blog post that describes multiple ways to get a Client IP address from a Citrix session; in the last few days the post has been viewed almost 3000 times! Apparently lots of our users want to learn an easy way to do this. CDN provides a home for Developers and Citrix Pros to learn and share ideas, code, and scripts for developing new products to integrate with Citrix or enabling and enhancing their Citrix implementations.

The new site also ranks the contributions by popularity, so a special thanks to Venkata Krishnan part of our Citrix Community who contributed a script providing printer driver information on a farm, this script now ranks at the top for popularity on our Script Exchange.  

You will also find featured content, such as new pages and resources describing the exciting new Citrix Workflow Studio; stay tuned for more announcements around this product. The new site will also provide a location for sharing Workflow Templates and leveraging the power of the community.

Let us know what you think and more importantly make use of the resources and contribute so we all can benefit.  

Posted at 12 Mar @ 11:58 AM by Chris Fleck | 0 Comments
Web Interface. Why Bother ?
Last changed: Mar 12, 2008 14:24 by Albert Grandville
Labels: architecture, lang-eng, nonspecific


 
The XenApp User Experience breaks down into two camps:

1: The Transparent Integrated Desktop Experience -- In this model the user's primary interface is either a Windows or Mac desktop. Some of their applications are locally installed and some are being delivered by XenApp. The best experience that Citrix could provide is one that completely obscures the app's mode of delivery. In short, users shouldn't be able to tell the difference between locally installed and Citrix delivered apps.


2: The Web Everywhere Experience- The Web based model is a story of consistency and ubiquity. Regardless of whether a user is connecting from their PC at work, at home or at a public kiosk the experience is always the same. Browse to a URL, enter your credentials and launch your apps.


Citrix covers these scenarios today with Program Neighborhood Agent and the XenApp Web Interface respectively. While it's difficult for us to measure the exact numbers, the balance seems to lean toward the Web everywhere experience. The question is why? There is a big focus on enhancing the transparent experience and a strong belief that if we get it right the Web UI will become virtually unnecessary.


So, are we right? What's stopping you from moving over to Program Neighborhood Agent and the Transparent Desktop Experience?

Posted at 12 Mar @ 1:36 PM by Albert Grandville | 17 Comments
Application Delivery Best Practices Web Site
Last changed: Mar 18, 2008 15:24 by James Rabey
Labels: architecture, lang-eng, nonspecific

I'm currently working on a new Web site project that aims to shed some light on Application Delivery Infrastructure (ADI) and provides best practices for using ADI technologies to deliver applications and desktops. In short, the site will have sections on:

  • Introduction to ADI:  Content explaining the technologies, products, and approaches used to deliver applications to users.
  • ADI Best Practices:  Content generated by Citrix and the ADI community about the best way to deliver applications for specific scenarios and use cases.
  • Citrix Product Architecture:  Content describing how the products that make up the CitrixDeliveryCenter work from an architectural perspective.

First of all, let me explain that ADI is the category of technologies that most of you reading this blog will already be familiar with. They include Server Virtualization, Application Virtualization, WAN Optimization, End User Experience Monitoring, Application Acceleration, and Application Traffic Control. These technologies have one thing in common:  they can be used to deliver applications, both Windows and Web, and desktops to users in a multitude of access scenarios. The Web site I am working on will contain content that explains these different technologies that make up an ADI, as well as descriptions of Citrix product architectures that are part of the ADI.

Over the years, these technologies and their applications (I'm talking about how they are applied, not software apps :)) have developed largely in isolation from each other. Vendors of these technologies, and their communities, have been applying them individually as solutions to virtually every type of use case scenario. In most cases, they have been very successful in addressing the scenarios encountered; however, they don't meet all of the requirements for all of the scenarios. Some scenarios in which all of the requirements are not met would be considered "edge cases," but others are pretty common.

Once organizations realize that the technologies can be combined into one infrastructure category, they can then apply the technologies in combinations that can address the requirements of every scenario. The challenge then becomes what technologies to use for what scenarios. I have read some good commentary on this subject (an article from Brian Madden, for example) that has roused some passionate discussions. Another function of this new site will be to provide a place for the community to discuss what technologies can or should be applied in what circumstances. To help this discussion along, the site will contain a number of best practices for using ADI as solutions to deliver applications in specific scenarios---scenarios that include the type of application, location of users, business need (such as business continuity), and other factors. The community will be welcome to add their own best practices based on their experiences.

I'll keep you posted on our progress with this effort. In the meantime, if you have any suggestions for additional features and information that you would like to see on this site, please let me know by posting your comments on this blog entry.

Posted at 12 Mar @ 2:13 PM by James Rabey | 0 Comments
Network Communication Ports used by Citrix XenApp (the new name for Presentation Server)
Last changed: May 19, 2008 18:24 by Vinny Sosa
Labels: xenapp, network, ports, communications, presentation server, lang-eng

In the process of working on a project I had to gather all of the ports used by Citrix XenApp (the new name for Citrix Presentation Server). I had to look in a number of documents and KB articles. All I have to say is WHEW! I thought this might be useful for someone out there since I would have liked to have something similar. There are other ports too but I felt they weren't important (or perhaps I didn't understand how important they were so I left them out). Many of these are not Citrix ports but rather the service ports that we use to communicate into the infrastructure (such as LDAP). Hope this helps someone. If you find an obvious error or something omitted, please be sure to comment to this post. Enjoy!

Definitely nice to see that regardless of all of these ports, all clients/users need to connect are HTTP(S)-TCP ports 80 or 443.

NOTE: For more information on commonly known ports, visit http://www.iana.org/assignments/port-numbers

  • Application Performance Monitoring (powered by Citrix EdgeSight)
    • EdgeSight Agent to EdgeSight Server - TCP 80/443 (Payload and alerts)
    • EdgeSight Web console (non-IMA) to RSCorSvc on EdgeSight Agent - TCP 9035
    • EdgeSight Agent internal communication - TCP 9036 (client-side database; NOTE: After EdgeSight 4.5, replaced with IPC)
    • EdgeSight database - SQL 1433 (configurable)
  • Client-side Application Virtualization -
    • Streaming Client to Application Hub (File Server/Share) - SMB 445
  • EasyCall -
    • To client - HTTP(S)-TCP 8443 (PSync)
    • To Admin console (non-IMA) - TCP 443
    • To LDAP Directory- TCP 389
    • To PBX - port varies by vendor
  • Independent Management Architecture (IMA) Services - TCP 2512, 2513
  • Licensing Service - TCP 27000, 27009 (configurable)
  • Server-side Application Virtualization
    • Management Console (Using IMA) - TCP 2512, 2513
    • Application requests - TCP XML 80, 8080 or 443 (configurable)
    • Access to Applications Virtualized on the Server - ICA-TCP 1494, 2598 (Session Reliability)
  • Single Sign-on (powered by Citrix Password Manager)
    • Management Console (non-IMA) or Agent to Password Manager Service - TCP-443
    • Management Console (non-IMA), Agent or Service to credential store
      • Network File Share Credential Store - TCP/UDP 445 (CIFS) or TCP/UDP 135-139 (NetBIOS)
      • Active Directory Credential Store - TCP/UDP - 389, 636, TCP - 3268, 3269
      • Novell File Share Credential Store - TCP/UDP - 524  
  • SmartAccess (powered by Citrix Access Gateway)
    • Standard and Advanced Edition
      • Client connections- TCP-SSL 443 (configurable)
      • Advanced Access Control (AAC) to Appliance communication - TCP 80 or 443 (configurable), 9001, 9002, 9005
      • Management Console
        • to Appliance (non-IMA) - 9001, 9002, 9005
        • to AAC - IMA-TCP-2513
    • Enterprise Edition
      • To client - SSL-TCP 443
      • To internal network - SSL-TCP 443, Native Authentication port (i.e. RADIUS 1812, LDAP 389), Native application ports (i.e. ICA-1494)
      • Management console (non-IMA) - SSH-TCP 22, HTTP(S)-TCP 80/443
  • SmartAuditor -
    • Management (non-IMA) - Use local console on Agent or on Server.
    • Agent to Broker (Recording and Policy Check) - TCP 80/443 (configurable)
    • Player to Broker - TCP 80/443 (configurable)
    • Agent to Server (Metadata and Video)- Microsoft Message Queuing,
      • Default - TCP: 1801; RPC: 135, 2101*, 2103*, 2105*; UDP: 3527, 1801 (*These port numbers may be incremented by 11 if the initial choice of RPC port is being used when Message Queuing initializes. A connecting QM queries port 135 to discover the 2xxx ports.)
      • Over SSL- TCP 80,443
  • WAN Optimizer -Guidance provided was to get it from Admin Guide
    • Appliance to Appliance - Pass-through native application port (e.g. ICA-1494, HTTP-80, LDAP-389)
    • Management Console (non-IMA) - TCP 80
    • Client to Appliance - TCP 443
  • Web Interface
    • Client connections - TCP 80/443 (configurable)
    • Server-to-server - TCP XML 80/8080, 443 (using SSL Relay)
    • Management console (partially IMA) - DCOM 135 (+ configurable high port range), IMA-TCP 2513, TCP 80/443

Brian Madden created a webinar that helped to explain some core communications processes. That might also be useful and you can find it here (called Understanding and Designing Presentation Server Farms).

Posted at 12 Mar @ 6:02 PM by Vinny Sosa | 5 Comments
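An added example, not part of the original post and not Citrix tooling: a Python audit that checks a firewall rule list against a subset of the ports listed above and reports every listed port, other than the TCP 80/443 the post says clients need, that an allow rule makes reachable from the client zone. The rule format, the zone names and the sample rules are constructed for this example.

```python
"""Audit firewall rules against the XenApp port list (added example)."""
from typing import NamedTuple

# Ports the post says clients/users need: HTTP(S) on TCP 80 or 443.
CLIENT_FACING = {("tcp", 80), ("tcp", 443)}

# Subset of the ports from the post's list, keyed by (protocol, port).
KNOWN_PORTS = {
    ("tcp", 22): "Access Gateway Enterprise management console (SSH)",
    ("tcp", 80): "HTTP",
    ("tcp", 135): "DCOM/RPC",
    ("tcp", 389): "LDAP",
    ("udp", 389): "LDAP",
    ("tcp", 443): "HTTPS",
    ("tcp", 445): "SMB/CIFS",
    ("udp", 445): "SMB/CIFS",
    ("tcp", 1433): "EdgeSight database (SQL)",
    ("tcp", 1494): "ICA",
    ("tcp", 1801): "SmartAuditor Message Queuing",
    ("tcp", 2512): "IMA",
    ("tcp", 2513): "IMA",
    ("tcp", 2598): "ICA Session Reliability",
    ("tcp", 8080): "XML application requests",
    ("tcp", 9001): "Access Gateway appliance communication",
    ("tcp", 9002): "Access Gateway appliance communication",
    ("tcp", 9005): "Access Gateway appliance communication",
    ("tcp", 9035): "EdgeSight Agent (RSCorSvc)",
    ("tcp", 9036): "EdgeSight Agent internal communication",
    ("tcp", 27000): "Licensing",
    ("tcp", 27009): "Licensing",
}

# Constructed rule format: <action> <proto> <src_zone> <dst_zone> <ports>
# <ports> is "any", a single port, a range "a-b", or a comma-separated mix.
SAMPLE_RULES = """\
# constructed sample: action proto src dst ports
allow tcp clients dmz 80,443
allow tcp clients farm 1494
allow tcp dmz farm 1494,2598
allow tcp clients farm 2500-2600
allow any any licensing 27000
deny tcp clients farm 1433
"""


class Finding(NamedTuple):
    line: int      # 1-based line number of the offending rule
    proto: str
    port: int
    service: str   # service label from KNOWN_PORTS


def parse_ports(spec):
    """Turn a port spec into a list of inclusive (low, high) ranges."""
    if spec == "any":
        return [(1, 65535)]
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo, hi))
    return ranges


def audit(rules_text, untrusted_zone="clients"):
    """Return a Finding for every listed non-80/443 port open to clients."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields")
        action, proto, src, _dst, spec = fields
        # Only allow rules whose source includes the untrusted zone matter.
        if action != "allow" or src not in (untrusted_zone, "any"):
            continue
        ranges = parse_ports(spec)
        for (kproto, kport), service in sorted(KNOWN_PORTS.items()):
            if proto not in ("any", kproto):
                continue
            if (kproto, kport) in CLIENT_FACING:
                continue
            if any(lo <= kport <= hi for lo, hi in ranges):
                findings.append(Finding(lineno, kproto, kport, service))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"rule line {f.line}: {f.proto}/{f.port} ({f.service}) "
              "is reachable from the client zone")
```

The wide range on line 5 of the sample is the case worth noticing: it names no Citrix port explicitly, yet it opens both IMA ports and the Session Reliability port to clients.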
Memory Lapse
Last changed: Mar 18, 2008 06:58 by Roger Klorese
Labels: xenserver, lang-eng

Eric Horschman of VMware recently posted on his blog about the ESX memory overcommitment feature. It can be a utilization benefit in some use cases, especially with lightly used virtual desktops. But Eric describes it as if it's somehow a game-changing economy.

The test he uses to support the claim is very impressive - if what you want to do is to power on virtual machines. If you're going to look at their screensavers all day while you do your work with a pencil and paper and abacus, power-on statistics are meaningful. And the moment you power on is the time you get the most out of page-sharing: nearly all pages are either operating system and services code pages (which are identical from guest to guest in many cases) or all-zero (which are all initially mapped to the same physical page).

Unfortunately for this scenario, I like to use my computer. I may push it a little further than some, but... I currently have a 20000-message Outlook mailbox and a 25000-message Thunderbird mailbox open, a 60-page Word doc, a 260-page PDF, five different browser tabs with graphics-intensive web pages... and, oh, yeah, I'm playing music in iTunes too. Not so much page sharing going on any more - in fact, I'm using 2GB on my 2GB notebook pretty consistently. And since now only 15% or so of my machine is running pages that it has in common with other people's machines - unless, of course, our tastes in music and our correspondence are identical - well, how do you think all that page sharing is really working out?

What do you think happens when those pages start to un-share, as people start doing real work? How big do you need to expand those balloons, and how much do you have to starve those guests, to keep your 5:1 memory allocation? And if you can't balloon 5:1, how much do you further degrade it when you start using the hypervisor swap file?

(Besides, try those numbers again with XenServer Standard Edition at $900 for the license and first year's Subscription Advantage, with 8GB or even 16GB in the system, versus ESX at 4GB, instead of adding servers, and see how both the cost and the user satisfaction come out.)

This is a stunt, showing penny-wise savings of an inexpensive resource (memory) at the pound-foolish cost of an expensive resource (user time and patience).

It's all about the applications and their performance; minor cost savings don't matter much in the face of user revolt.

Posted at 12 Mar @ 6:03 PM by Roger Klorese | 8 Comments
  2008/03/13
USB Storage of RadeCache (App Streaming)
Last changed: Mar 13, 2008 14:07 by Greg Anth
Labels: architecture, lang-eng, nonspecific

Some customers want to store the RadeCache on USB sticks.    Is it possible?  The answer is: Yes, but it requires jumping through a few hoops.  The background on the problem and the steps to pull it off are described below.

Background 

With Application Streaming, the general idea is to runtime populate execution material onto the machine - and to execute that content from the runtime populated cache.  The cache is called "RadeCache" as that is the base directory where all execution content is stored.  There are actually two; a main one which is shared across all users on the machine and another that holds the per-user isolation layer.  For this discussion, we are most interested in the common one that holds the majority of the execution material.

How is the runtime cache populated?  The execution content is held centrally on a file share, or if you prefer the fancy word, the "Application Hub".  There is no Citrix code running on the file share.

Here's a picture that conveys the general architecture.   The highlighted pieces are specific to Application Streaming.  The rest of the components are the publishing infrastructure common with XenApp (new name for Presentation Server).

Challenge:

Some customers want to store the RadeCache on USB sticks.   

The primary reason I've heard for doing this is to use Citrix for application publishing and as the central point of application updates, but the customer is more interested in isolation than they are in streaming and, here's the kicker, the network link to the home office is a 1200 baud 1985 vintage modem and they don't want to move execution content across that link!  Publishing information is okay, just no gigabyte execution images.   More: They also do not want a file share (Application Hub) at each remote office.  Another possible reason is to have the execution content for an application follow a user as they - and their USB stick - move from machine to machine at the office.  Whatever the reason, folks want to do it, the rest of this post describes the "how".

How to store RadeCache on USB Stick

First thing to know is that most USB sticks are pre-formatted when you buy them and are prepared for the FAT32 file system.   This makes them ready to use right out of the box and makes them compatible with the largest set of computer systems. 

The Application Streaming code will not isolate anything formatted FAT32.  It assumes this is user document space and leaves it alone.  If it doesn't isolate that space, it can't store the execution image there and from a "before" view, this means that you can't store the RadeCache on removable media - but that's not the complete story.  The steps below show how to format a USB stick for NTFS and how to tell the streaming system to use that stick for storage of the RadeCache.  Interestingly, even when formatted NTFS, the isolation system will still not isolate user documents stored to the stick as the media is removable and the isolation system leaves removable media alone.

Back on subject - what has to happen to store the RadeCache on a USB stick? 

Step 1:

Format the USB stick NTFS.  The steps to do it are documented rather nicely, here.

Step 2:

Tell the Streaming Client that the RadeCache location is on the USB stick.  Note: This must be done using the utility below and not with registry edits.  A DACL is applied to the directory that gives the Streaming Service user account permission to write to the directory.  Without the DACL, runtime cache populates will not occur and you'll get error messages on failed cache fills.   The "why" is that the streaming service actually runs on a pretty dumbed-down user account as compared to local system.  It can only write to certain places, like the RadeCache.

Start / Run: C:\Program Files\Citrix\Streaming Client\ClientCache.exe

Browse to the USB stick. Tell it where to create the directory. The utility must CREATE the directory.

Step 3:

Reboot to have the change take effect. 

If you're impatient for reboots, terminate all running streamed applications and from a command prompt issue "net stop radesvc" and "net start radesvc".

That's it!

If you find this useful or can describe other use cases where this can be of value, I'd like to know of them.  Append here for all to share.

Joe Nord

Product Architect - Application Streaming Citrix Systems, Fort Lauderdale, FL 

Posted at 13 Mar @ 9:43 AM by Joseph Nord | 1 Comment
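A check for the three steps in the post above, as an added example that is not Citrix's or the author's code: it confirms the volume is NTFS, looks up the account that the `radesvc` service runs as, and reports whether the directory's DACL grants that account write access. The cache path `E:\RadeCache` and the function names are assumptions; `radesvc` is the service name from the post's `net stop` command.

```powershell
# Added example (not from the original post). Verifies a relocated RadeCache.
param(
    # Hypothetical location: the directory that ClientCache.exe created on the stick.
    [string]$CachePath = 'E:\RadeCache',
    # Restart the streaming service once the checks pass (Step 3 alternative to a reboot).
    [switch]$RestartService
)

$ErrorActionPreference = 'Stop'

function Test-CacheVolume {
    param([string]$Path)
    $deviceId = Split-Path -Path $Path -Qualifier            # e.g. 'E:'
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$deviceId'"
    if (-not $disk) { throw "Volume $deviceId is not mounted." }
    [pscustomobject]@{
        Volume     = $deviceId
        FileSystem = $disk.FileSystem
        Removable  = ($disk.DriveType -eq 2)                 # 2 = removable disk
        IsNtfs     = ($disk.FileSystem -eq 'NTFS')
    }
}

function Get-ServiceAccountSid {
    param([string]$ServiceName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName is not installed." }
    $account = $svc.StartName
    if ($account -eq 'LocalSystem') { $account = 'NT AUTHORITY\SYSTEM' }
    # A local account is reported as '.\name'; expand the dot to the computer name.
    $account = $account -replace '^\.\\', "$env:COMPUTERNAME\"
    $nt = New-Object System.Security.Principal.NTAccount($account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier])
}

function Get-DirectWriteAces {
    param(
        [string]$Path,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    $acl   = Get-Acl -Path $Path
    # Ask for SIDs rather than names so the comparison does not depend on name format.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $writeData = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $rules | Where-Object {
        $_.IdentityReference.Value -eq $Sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $writeData) -ne 0
    }
}

# Step 1: the stick must be NTFS, not the FAT32 it usually ships with.
$vol = Test-CacheVolume -Path $CachePath
if (-not $vol.IsNtfs) {
    throw "$($vol.Volume) is formatted $($vol.FileSystem); format it NTFS first."
}
"Volume $($vol.Volume): NTFS, removable = $($vol.Removable)"

# Step 2: the directory must exist (created by ClientCache.exe) and carry the DACL.
if (-not (Test-Path -LiteralPath $CachePath -PathType Container)) {
    throw "$CachePath does not exist; create it with ClientCache.exe, not by hand."
}
$sid  = Get-ServiceAccountSid -ServiceName 'radesvc'
$aces = @(Get-DirectWriteAces -Path $CachePath -Sid $sid)
if ($aces.Count -eq 0) {
    Write-Warning "No Allow ACE with write access for the radesvc account ($($sid.Value)) on $CachePath; cache fills are likely to fail."
} else {
    $aces | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}

# Step 3: close all streamed applications before using -RestartService.
if ($RestartService) {
    Restart-Service -Name 'radesvc'
    "radesvc restarted; the new cache location is now in effect."
}
```

An ACE granted through a group that the service account belongs to will not appear in this direct-match check, so a warning here means "inspect the DACL", not "the DACL is wrong".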
An "Aha Moment" - VMware Doesn't Get VDI
Last changed: Mar 15, 2008 06:55 by Greg Anth
Labels: lang-eng, nonspecific

When I talk to customers about their initial experiences with virtual desktop deployments (VDI for VMware users), they have three key concerns:

  1. Complexity of the solution
  2. Cost per desktop
  3. User experience

At the most fundamental level, the ROI of a VDI deployment will be negative if users reject the solution because of poor performance.  Most VMware VDI end users  that I talk to, tell me that their user experience is "nowhere near that of a PC".  We think we deliver a compelling desktop experience with Citrix XenDesktop, which you can download here.  Of course XenDesktop (which includes XenServer) is also optimized for Microsoft Hyper-V and fully supports VMware - so you get the best possible user experience independent of your virtual infrastructure.

But at the virtual infrastructure layer the heat is on, and VMware has made another clumsy attempt to inject FUD into the market in the form of a blog posting by Eric Horschman of VMware who attacks the ROI of XenServer or Hyper-V based deployments of virtual desktops because, using ESX's memory overcommitment feature, he managed to boot many more VMs on ESX than on XenServer / Hyper-V. 

Roger Klorese (XenServer product marketing, and one-time product manager at VMware) correctly identifies the fallacy underlying the VMware claims:

"What do you think happens when those pages start to un-share or users start to load up different applications, as people start doing real work? How big do you need to expand those balloons, and how much do you have to starve those guests, to keep your 5:1 memory allocation? And if you can't balloon 5:1, how much do you further degrade it when you start using the hypervisor swap file?"

There's no such thing as a free lunch, and in VMware's case there isn't a free hypervisor either.  When you overbook memory excessively, guest performance takes a hit.  Not only will the hypervisor have to start swapping (so much for the  claims that ESX is a lightweight hypervisor - it still contains swapping, which is an OS feature), but the guests will also start to swap.  We have observed many occasions where ESX performance hits the floor because the hypervisor has to swap in memory pages just so that Windows can swap them out!    

Several independent users have chimed in - a welcome addition to the debate. In a follow up to a CRN article on the topic, Stan Kasper writes:

"My experience has been that the memory sharing features in ESX place a heavy burden on performance. In fact, to optimize performance I disable the PSHARE option and do a fixed allocation of memory for each VMWare guest. PS My initial test on the beta Hyper-V vs ESX for disk performance is that they are about equal, and maybe Hyper-V is a bit faster. But do not read too much into this as benchmarks are rather a finicky science."

Though overbooking and common code page sharing are different things, even overbooking impacts performance, and causes major headaches and additional complexity and latency in suspend/resume and live relocation operations.  But assuming for a moment that VMware's memory overbooking and PSHARE are flawless and impose no performance overhead, then you can get a good idea of the performance per guest by taking the CPU speed of the server and dividing it by the number of guests.  Though the CPU speed is not offered in the VMware "analysis", let's assume it's a dual core 2GHz server with 4GB RAM.  So each of Eric's Windows Desktops gets about 50 MHz of CPU.  Even with double the CPU, that's only a 100 MHz PC.  No wonder users are underwhelmed by their performance!  

I conclude that VMware's flawed focus on defending the price point of its hypervisor, and thereby maximizing dollar take per server, is in direct conflict with the customer's goal in any Desktop Delivery project - a great user experience with terrific ROI.

Getting back to ROI, it appears that VMware also fails to understand that ROI is a solution-based analysis (not a hypervisor based one).   The right way to calculate ROI for desktop virtualization is to compare the overall cost per desktop of a complete solution that delivers great user experience.  One key piece of the architecture that is missing from VMware's "pseudo ROI claims" is the storage cost. Citrix XenDesktop, with XenServer Platinum, can boot up to 1000 VMs from a single Windows golden image.  That's a factor 1000 less storage than the VMware "VM Sprawl" approach, and a factor 1000 less effort to patch and manage desktop workloads.  And it doesn't have to be stored on a SAN - VMware's typical storage deployment.  A thousand SAN based VMs will cost an awful lot of money.  With XenServer / XenDesktop you can use any storage repository.  For example - in XenServer 4.1 (download the beta here), we have direct integration with NetApp's ONTAP API to leverage array-based snapshots and cloning, and to use their thin provisioning and block dedup technologies. So the real cost of the SOLUTION is what counts. My friends at VMware, heavily addicted to their SAN based storage architecture, drive customer acquisition costs for virtual desktops through the roof. Bottom line: Until you look at an overall solution cost per delivered desktop, you don't have an ROI case.

The bottom line: VMware's "ROI analysis" offers neither an ROI comparison nor any analysis.  But it does offer valuable insight into the mindset of a company that will fight tooth and nail to maintain VI3 sales at the expense of a properly thought through solution that meets end user requirements.  The very fact that the VMware EULA still forbids Citrix or Microsoft or anyone in the Xen community from publishing performance comparisons against ESX is further testimony to VMware's deepest fear, that customers will become smarter about their choices, and begin to really question ROI.

Posted at 13 Mar @ 3:30 PM by Simon Crosby | 7 Comments
The XenApp Transparent User Experience - Demo !
Last changed: Mar 18, 2008 20:30 by Albert Grandville
Labels: architecture, lang-eng, nonspecific


 So I was thinking a demonstration of XenApp desktop integration might be in order. "Citrix Applications" formerly known as "Program Neighborhood Agent" allows you to deliver Citrix applications seamlessly to the Windows Start Menu, Desktop, Quick Launch bar, Sidebar and the Windows Notification Area (AKA The Systray). Virtually everywhere you can place a Windows shortcut you can place a Citrix delivered app shortcut. Check it out ...

These were created on my Vista desktop but this all works equally well in Windows XP with the exception of the Sidebar which isn't available. The important take away is that users can interact with Citrix delivered apps in the same way they do with local apps.

 Our Motto - "If we do this right users won't know we've done anything at all."

 Al-

Posted at 13 Mar @ 3:46 PM by Albert Grandville | 15 Comments
SmartAuditor ICA Session Recording - How It Works

At Citrix, we know that improving security and compliance are two of the main challenges for businesses today, especially in highly regulated industries. Well, recently we released a technology in Citrix XenApp (the new name for Citrix Presentation Server) Platinum Edition that helps businesses monitor, record and play back ICA sessions as part of their ongoing risk management and regulatory compliance measures. The technology is called SmartAuditor (check out the demo to see how it works).

If you have a TiVo or a digital video recorder at home and love it (like I do), then you'll love SmartAuditor because its functionality is very similar in concept. The same way TiVo allows you to record all the shows that you want to watch, whenever you want, and play back those shows, SmartAuditor allows you to record and play back XenApp ICA sessions. 

The great value of this technology is that it enables IT to monitor and examine user activity of applications demonstrating internal control, and ensuring regulatory compliance and successful security audits. Its monitoring capabilities can aid in monitoring user activity involving sensitive data, such as in financial operations and healthcare patient information systems. Additionally, there are many other use cases where SmartAuditor can help, such as in litigation support, training and in technical support to help speed up problem identification and time-to-resolution.

How does it work?

SmartAuditor uses flexible policies to automatically trigger recordings of XenApp sessions and it works in 3 easy steps: Configure, Capture and Audit.

First, the administrator configures the tool and selects which users, applications and servers they want to monitor. Then, they capture the user activity by recording it to a video file that is digitally signed and stored in a central location. Finally, they can review the user activity by playing back the recorded ICA session in the SmartAuditor player.





Use Case Example

So now that you understand how SmartAuditor extends IT's ability to monitor and examine user activity of applications, let me give you an example. Let's say that the IT manager at a high-tech company needs to monitor every employee planning to leave the company. Well, he can use SmartAuditor to record sessions for all employees who gave their two-week notice to leave the company. This type of user could potentially present a risk of data or intellectual property theft, but with SmartAuditor the IT manager can monitor all user sessions to capture suspicious activity. These recordings could be used as visual evidence if needed to prove criminal intent, but furthermore, with SmartAuditor he can notify the users that they are being recorded which, in itself, can help prevent theft or malicious activity in the first place.

If you are not using SmartAuditor or never heard about it before reading this blog, click here to watch the demo and learn more.

If you are already using SmartAuditor, please let me know your thoughts. Also, I encourage you to share your use cases and post any comments and/or suggestions you may have.   

What other aspect of SmartAuditor would you like to see covered in this blog?

Posted at 13 Mar @ 4:24 PM by Carlos Nieves | 0 Comments
  2008/03/15
Video of Ian Pratt's Presentation at FOSDEM 2008
Last changed: Mar 17, 2008 16:03 by John Jimenez
Labels: xen, video, xenserver, ian pratt, server virtualization, lang-eng

Last month I posted about Ian Pratt's presentation on the Xen Open Source Hypervisor at the FOSDEM (Free and Open Source Developer's European Meeting) Conference. FOSDEM has posted videos of all the sessions. As one of the primary founders of the Xen Open Source Hypervisor Project, Ian has unique insight into the Xen Project.  http://video.fosdem.org/2008/maintracks/FOSDEM2008-xen.ogg

Posted at 15 Mar @ 11:41 AM by Barry Flanagan | 0 Comments
What's Next for Citrix's SMB Customers?

In the last couple of months, there have been a number of blogs added on this site covering the progress of Project Delaware -- the next release of XenApp (new name for Presentation Server) for Windows Server 2008. At the same time, another team of talented engineers has also been working on the next release of Citrix Access Essentials (CAE), codename Project Eden. Like its bigger XenApp sibling, Access Essentials projects are also named after rivers; however, in our case, Access Essentials projects are named after rivers "across the pond" - that is, in the U.K.  Project Eden has three main objectives:

  1. Support Windows Server 2008 - Microsoft has introduced a number of enhancements in Windows Server 2008, including improved management, security and printing. As the adoption of Windows Server 2008 ramps up for the small to mid-size business (usually more rapidly because they have more flexibility to change), let's make sure customers can continue to leverage AE on this new OS platform. 
  2. Integrate with Microsoft's new mid-size business offering, Essential Business Server (EBS) or codename "Centro". If you follow the SMB space, undoubtedly you've heard of "Centro" or Essential Business Server. You've probably also seen Citrix mentioned in one of the many EBS industry write-ups or the Citrix logo on a Microsoft EBS blog post.
  3. Deliver features to improve usability and enhance end-user experience. As an example, CAE 2.0 introduced SpeedScreen technology of Browser and Image Acceleration. Project Eden will deliver the additional SpeedScreen technology currently available in XenApp product for CAE customers.

Obviously there are more features and details not mentioned here, but, as you can see already, there are many exciting things going on with Access Essentials. So, even though the last CAE blog was posted some time ago, don't despair. You can expect to see more CAE coverage in the up-coming months! As the new Product Manager of CAE, I am very excited about this product and its future! If you are currently a CAE customer, I would love to hear about your experience with CAE. You can reach me by clicking on my name/profile above. If you are new to CAE, you can learn more about it here.

Posted at 15 Mar @ 7:31 PM by Cris Lau | 2 Comments
  2008/03/17
What does Program Neighborhood Agent mean anyway ?
Last changed: Mar 17, 2008 09:07 by Albert Grandville
Labels: architecture, lang-eng, nonspecific

    Back in the days of Windows 9.X Microsoft had "Network Neighborhood" on everyone's desktop. It made sense for us to place an icon on the desktop and call it "Program Neighborhood". From there it wasn't much of a leap to get to "Program Neighborhood Agent" when we decided to create a less conspicuous way to integrate applications into the Windows Start Menu and Desktop. Of course, Microsoft has long ago done away with the "Neighborhood" concept leaving us with a very cool program that no longer had a clear and meaningful name.

    Late last year we embarked on a project called "Pineapple". So named as it was charged with identifying the "low hanging fruit" in the user experience. It probably shouldn't be all that surprising that XenApp with its 13 year legacy doesn't have too much that's easy to change. There's more to the story but for now let's say that Pineapple settled on crafting a consistent user experience across our products. As a result "Program Neighborhood Agent" became "Citrix Applications". We were shooting for something simple and obvious and I think we nailed it. And, yes, in case anyone was wondering we are considering making it possible to change "Citrix Applications" to something that makes even more sense depending on the implementation.

    These days there is a lot of emphasis at Citrix around End User Experience. You may have heard about "App Receiver" which has been highlighted during the keynote at "App Delivery Expo" back in October of 2007 and at our "Partner Summit" this past January.  App Receiver is our vision for a new user experience that will bring together multiple Citrix technologies in a way that is intuitive and easy to use. Imagine client software that is downloaded, installed and configured with little user interaction. An intelligent system that delivers the right components to the user without revealing any of the complexity involved. We will be talking more and more about App Receiver in the coming months so keep watching this space. I bring up App Receiver now only to point out that it is not simply "Program Neighborhood Agent" rebranded. The new "Citrix Applications" is a part of the larger vision and will play a key role in the success of App Receiver but it is only a part of a much bigger plan to provide an awesome experience to the folks who use Citrix products every day to get their jobs done.

               

                So how about a few screen shots of the new "Citrix Applications" .....


 
 
 

Al Grandville

Citrix Product Management 

Posted at 17 Mar @ 9:07 AM by Albert Grandville | 9 Comments
Where is Jeff Muir?
Last changed: Mar 17, 2008 09:13 by Jeffrey D Muir
Labels: lang-eng, nonspecific

I've been wondering if I should mention here where I have gone.
Some people think that I have stopped blogging.  This is actually not true.  I've just moved.

My new address is http://citrixblogger.org based on WordPress.  The change happened about the time Citrite.org collapsed.  At that stage, this site was not fully set up yet.  I got used to my own space and now I would be reluctant to move back.  Citrixblogger.org is just about Citrix stuff that I write about.

As an example of a relevant post, please check out http://citrixblogger.org/2008/03/08/lessons-from-rick-mack/.
It's important to mention that I do blog once a day so there is usually something new.

Stop by if you get a chance.

Posted at 17 Mar @ 9:13 AM by Jeffrey D Muir | 0 Comments
How big is your list of Apps?
Last changed: Mar 17, 2008 13:25 by Albert Grandville
Labels: architecture, lang-eng, nonspecific


   

    OK. So I'm airing some rather grungy laundry here but, for good reasons I'm sure, our internal implementation of XenApp serves up some 80 + apps to every user.  It's a pretty tough list to manage but, believe it or not, I've heard horror stories that some folks out there are dealing with hundreds and sometimes thousands (yes thousands) of published apps. You can just imagine how painful it must be for users to sort through such a cumbersome list every time they want to launch an app. XenApp provides tools to publish apps to only the subset of users who need them. This, of course, implies that the folks who set up XenApp had the time, resource and the information available to make these decisions. It's difficult to know how many users actually struggle with this problem but it still seems like an obvious place to uplift the user experience. The question is how we go about it.

Option 1 - Fine Tune Citrix Applications

    Citrix Applications allows users to move shortcuts to their desktop, quick launch bar, Vista gadget, etc ... Users can take advantage of all the methods that the OS provides to allow for quick access to his/her most commonly launched applications. There are some areas that still call for refinement like  full support for the recently used apps list in the Start Menu (right now we only show the last app launched ).

Option 2 - Favorites

    We could provide a method that allows users to create a list of favorite  apps. Once the list exists it would act as a filter and the users would only see their list of favorites. We would provide an interface to configure the list and to show the entire list again if the user needs to access an infrequently used app.

Option 3 - Most Recently Used

    A Most Recently Used or MRU list would build as users launched applications. When a user accessed the list their MRU entries would be their primary view with an easy way to expand the entire list if the user needs to access an infrequently used app. The size of the MRU list would be restricted to a small set of apps but could be made configurable by the user and/or the administrator.

Posted at 17 Mar @ 1:22 PM by Albert Grandville | 4 Comments
Is that XenApp on your Dock ?
Last changed: Mar 17, 2008 16:03 by Albert Grandville
Labels: architecture, lang-eng, nonspecific


We are in the process of planning the next version of the new Mac client for XenApp. This new client will be focused on creating a transparent integrated desktop experience for the Mac platform. The concept is much the same as "Citrix Applications" (formerly PNAgent). Our goal is to create an environment where users can move seamlessly between their locally installed apps and those being delivered by XenApp. Or, at least as seamless as you can get when you are running Windows apps on a Mac.

 

We are running a survey for the next two weeks to gather feedback on the enhancements that will make the XenApp Mac experience world class. If you are interested in taking part in the survey just click here.

Thanks

Al Grandville

Citrix Product Management

Posted at 17 Mar @ 3:45 PM by Albert Grandville | 12 Comments
Make a XenDesktop Video Tip and Win an iPod Touch

XenDesktop Beta Video Tips Contest

Are you taking the plunge into the XenDesktop Beta? Record your experiences as video tips for the Citrix Community and you could win an iPod Touch.

Announcing the XenDesktop Beta Video Tips Contest

The XenDesktop beta has been an extremely popular download on MyCitrix.com (currently #1 in most popular downloads). Many people are pulling down the code and getting it installed in their labs. A few videos of user experiences have already appeared on YouTube.

Here is one video I just came across on YouTube  -


Citrix XenDesktop Performance Comparison


We would like to see even more videos, so we are creating a XenDesktop Video Tip Contest. Record a technical tip of XenDesktop and you could win an iPod Touch!

How to Win

Every other week, we will post what we judge to be the Top 10 videos posted for the past two weeks. We will take a vote on the best videos here on the blog until Wednesday of the following week. The top two video creators as voted by the blog readers will receive an iPod Shuffle. There will be four bi-weekly reviews and EIGHT bi-weekly winners.

You can post videos up until May 9th. Starting on May 15th, we will be taking votes here on the Official Citrix Blog on the eight winners from the bi-weekly voting.  The Top video winner receives a 16 Gb iPod Touch, second place receives an 8 Gb iPod Touch, and Third Place receives a 4 GB iPod Nano.

Contest Setup

Create a screen recording video of one of the following -

- XenDesktop Components Install

- Desktop Setup and Configuration

- Provisioning Server Configuration and Administration

- XenServer Configuration and Administration

- Application Delivery to Virtual Desktops - (Published apps on XenApp, application streaming, etc...)

- Performance Testing and Load Simulation  

- User Experience

- Third Party Integrations (Profile solutions, Microsoft Application Virtualization, Altiris SVS, etc...)

The XenDesktop Beta Getting Started Guide is full of different processes that need to be completed to install and configure XenDesktop. You could record one of these processes and add in some audio narration and notes that detail the steps and your thoughts on the process.

Videos that include notes (also called call outs) and/or narration are preferred and will have a better chance of winning.

Tools

In order to make these video tips viewable here on the Citrix blog, we are requiring the videos be posted at either UTipU.com or YouTube.com

About UTipU.com

UTipU.com is a website that provides a free Tool (TipCam) that you can download and use to record your screen. TipCam gives you the ability to Zoom, Annotate (draw), or add a voiceover (or redo a voiceover without redoing the video). You can then upload the video to the UTipU.com website.

Here are a few Tip videos on how to use UTipU.com

Intro to UTipU
http://utipu.com/app/tip/id/405/

How to Install TipCam
http://utipu.com/app/tip/id/1250/

How to Record Using TipCam
http://utipu.com/app/tip/id/1251/

How to add Notes to Your Videos
http://utipu.com/app/tip/id/1274/

How to Use Zooming in TipCam
http://utipu.com/app/tip/id/329/

Here is a very brief sample video of the Setup Tool for Citrix XenDesktop that I quickly put together as an example.


If you choose to use an existing tool you already have (Camtasia or ScreenCast from TechSmith for example) you can upload the video to YouTube. Click below for help on Uploading videos to YouTube -

http://www.google.com/support/youtube/bin/topic.py?topic=10524

Tags

For both YouTube and UTipU, please use these tags -
Citrix XenDesktop Video Contest VDI

Please add a tag for the type of video (Install, Desktop Setup, Provisioning Server, XenServer, App Delivery, Performance, User Experience, Third Party).

A few times a week we will highlight new videos that are posted by linking to them from the Official Citrix blog.

We are looking forward to seeing your tips and examples of the creativity, expertise and innovation that is out there in the Citrix Community.


 

Good luck!







Posted at 17 Mar @ 6:15 PM by Barry Flanagan | 2 Comments
  2008/03/18
It happened over a beer ...
Last changed: Mar 20, 2008 16:57 by Chris Fleck
Labels: team-executive-cto, lang-eng, nonspecific

Great things happen over a beer at Citrix events. As many of you who attend can attest, you never know what you will learn or who you will meet. For me this year the highlight at Summit was having a beer with Gus Pinto and Rich Crusco. After being summoned by Barry Flanagan to join a conversation about what Citrix can do to better connect with the community and provide the resources and web presence to leverage the growing opportunities. At Citrix we have been making some fairly recent concerted efforts to better engage with the community including the CTP program, the Citrix Blog, the new CDN site, and a few other activities. However we also recognize there is a long way to go to really utilize and grow the massive skills that exist around the Citrix Community.

It turns out we have been planning some specific projects like the ADI Best Practices site to help educate the industry around App Delivery methods and solutions, but we were also looking for more insight from experts in the community. It did not take much beer to have Gus and Rich exploding with ideas and passion about how Citrix can deliver on the ADI vision. And they are not just talk, many of you already know Gus and Rich as MVP's, a CTP, and huge contributors to the community. In their spare time they have been running the Frameworkx.com site that has helped literally millions of IT Pros and users.  Their day job has been very significant as well, designing and implementing ADI solutions for Citrix (and VMware) award winning partner Entisys. So imagine if we could tap that energy and experience and make it a full time effort (day and night...) supporting and growing the Citrix community and ecosystem. Well that's just what we are doing, starting next week Gus and Rich will be joining Citrix as full time Citrites and Technology Evangelists. To find out more about Gus and Rich and their plans to help the community check out the latest posts at http://www.frameworkx.com/

Welcome aboard!

Posted at 18 Mar @ 4:18 PM by Chris Fleck | 1 Comment
Pop Quiz - Citrix Delivery Center

Last week I had a really fun opportunity.  I was asked to kick off a New Hire Orientation Class of new Citrites.  I had 2 glorious hours to spew forth everything I knew about our products, the Application Delivery Infrastructure, and the all new Citrix Delivery Center.

Mark Twain said, "It usually takes me more than three weeks to prepare an impromptu speech."  I didn't have three weeks, but I did want to make sure these newly minted Citrites were able to explain the Citrix Delivery Center.  To make sure you understand it, just go to this link: Citrix Delivery Center

As you can see, there's so much to say about the topic.  So, to make it easy, I resorted to an old trick I've used all through my marketing career - Start with the Customer in Mind!   

IT departments all build out in pretty much the same way. 

They start with a pain point > they research and find a solution > they justify the expenditure > and they add it to "THE STACK".

The customer stack has server(s) > operating system(s) > optional hypervisor > database > middleware > applications > networks > appliances > devices > users.

And Citrix has: Access Essentials, Access Gateway, Application Firewall, Application Gateway, EasyCall, EdgeSight, GoToAssist, GoToMeeting, GoToMyPC, GoToWebinar, NetScaler, Password Manager, Provisioning Server for Datacenters, Provisioning Server for Desktops, WANScaler, Workflow Studio, XenApp, XenDesktop, XenServer

 So after sketching all of this out on the whiteboard, I told the class it was time for the pop quiz.  They had to explain where all of the products overlaid the customer point of view.  Since mine was the first presentation, the look of panic on their faces was priceless!  But, the point stuck. The Citrix Delivery Center helps partners explain a logical end-to-end application delivery infrastructure that customers can leverage over many pain points.  Some products are key for end to end virtualization across applications, servers and desktops, while others are supporting products that enhance the value of a complete solution from one vendor.  Have a look at the Citrix Delivery Center.  It's a great platform for great products!  

Posted at 18 Mar @ 4:44 PM by Kyle Benson | 0 Comments
PVS and XenApp with Drive Remapping... It Actually Does Work!

Recently I have been working with the different teams here at Citrix implementing Provisioning Server in XenApp environments.  As we venture into this realm, we are finding remapping of drives is quite common in many 4.x, 3.x and XP implementations.  There are typically two scenarios I hear about:

  • Users are confused when they perform a "Save As" in an ICA session and they do not see their "C" drive as a "C" drive.  Remapping addresses this issue, minimizing support calls I imagine.
  • Customers have spent a sizable amount of money creating application packages to work properly in a remapped environment.  To undo this would be another sizable amount of money so customers are not quick to revert. 

As Provisioning Server was introduced into the picture, people have asked... "What about the remapped drives?" Below is the explanation on how to ensure the remapping is seen when streaming a XenApp (Presentation) Server with Provisioning Server.

Below is the process to make a XenApp (Presentation) Server operable when streamed by a Provisioning Server when remapped drives are part of the baseline.

I will have a follow-on article discussing two partition scenarios coming soon!

As always, I am a huge fan of feedback, so please leave comments.


Summary

When using a Provisioning Server to stream a XenApp (Presentation) Server that has a remapped drive, Provisioning Server does not always boot with the proper drive letter, therefore making the streamed target device inoperable. This article will provide the "How To" on creating a vDisk with the Provisioning Server Image Builder when a XenApp (Presentation) Server is currently remapped.

Requirements

Requirements for completing the task, including specific knowledge and hardware and software requirements:

  • Basic knowledge and understanding of Provisioning Server for Datacenters 4.5
  • Advanced knowledge of XenApp (Presentation) Server 4.x
  • Basic knowledge of Active Directory, IIS, Windows System administration and Network Terminology
  • A baseline install of Windows Server 2003 with latest patches and drivers
  • A baseline install of XenApp (Presentation) Server on an existing Master Target Device
  • A vDisk created and ready to image
  • Knowledge of the Citrix Provisioning Server PS Integration Utility: CTX116063 (http://support.citrix.com/article/CTX116063)
  • Assumes default remapping of C: to M:

Background

XenApp (Presentation) Server drive letter remapping is only necessary when users will be accessing and saving data on their local client devices from ICA sessions. For example, when a user uses Microsoft Word on a XenApp (Presentation) Server and performs a 'Save As', they will be asked where to save the document. Without drive remapping, the user can become confused because their local system drive may appear as drive V (as an example). With drive remapping, their system drive will show up as drive letter C.

The advantages of remapping server drive letters are:

  • Users will be able to see their own local disk drives as the correct drive letters.
  • If you need to change the drive letter, the XenApp (Presentation) Server installation program provides an easy way to do this.

The disadvantages of remapping server drive letters are:

  • Any previously installed applications will most likely stop working.
  • Any new installed applications, patches or hotfixes may not properly install.
  • In some situations, unexplainable things happen on the server.

When dealing with a Provisioning Server that is streaming a XenApp (Presentation) Server down to a target device, the drive remapping may not correctly propagate to the vDisk, therefore causing the XenApp (Presentation) Server to be inoperable upon boot. The steps below explain how to configure a XenApp (Presentation) Server that has a remapped drive so that it functions properly when streamed by Provisioning Server.

Procedure

The steps to complete the task:

  1. Boot the master target device and log on to the system as a domain administrator or a domain user.
  2. Install and configure Citrix XenApp (Presentation) Server.  At the end of the installation, you will be prompted to reboot.
  3. Reboot the master target device.
  4. When the master target device is successfully restarted, log on to the system as a local or domain administrator, or a domain user (with local install privileges).
  5. Install the Provisioning Server for Datacenters Target Device client software and then shutdown the master target device.
  6. Boot the master target device, enter the BIOS configuration utility and configure the boot order to PXE boot first.  Save configuration settings and continue the boot process. When PXE booting a master target device for the first time, the Provisioning Server Streaming Service will prompt for the following:
    1. Client Name - Give the master target device a meaningful name
    2. Description - Give the master target device a meaningful description
    3. Select vDisk - Select the vDisk that was created and formatted for this installation
    4. Boot From - Select boot from hard drive
  7. When the master target device is successfully restarted, log on to the system as a domain administrator, or a domain user (with local install privileges).
  8. Double click on 'My Computer.'
  9. The drives will appear (assuming the defaults) as follows:
    1. System = M:
    2. CD-Rom = N:
    3. vDisk = C: 
  10. Right click on 'My Computer' and click 'Manage.' 
  11. The 'Computer Management' service console will open.
  12. Click on 'Disk Management' to view all disks associated with the Master Target Device.
  13. Right click on the vDisk drive C and click 'Change Drive Letter and Paths.'
  14. The 'Change Drive Letters and Path for C: (vDisks)' dialog box will open.
  15. Click on the 'Change' button.
  16. The 'Change Drive Letters or Path' dialog box will open.
  17. Select a drive letter greater than the remapped system drive.
  18. Click 'OK' to close the 'Change Drive Letter or Path' dialog box and click 'OK' to the 'Confirm' dialog box.
  19. The drive letters should be as follows (assuming system drive letter is M):
    1. System = M:
    2. CD-Rom = N:
    3. vDisk = O:
  20. Install the "PVS PS Integration Utility.msi" on the master target device.
    • As noted this utility does require a logon to invoke the cpsmods.vbs, which performs a series of steps that are critical for the XenApp (Presentation) Server to fully function while being streamed by Provisioning Server.  Several scenarios for completing the logon process are outlined in: CTX116063 (http://support.citrix.com/article/CTX116063)
  21. Click "Next" on the "Welcome" dialog box.
  22. Select the version of XenApp (Presentation) Server currently installed on the master target device and click "Next."
  23. Click "Next" on the "Confirm Installation" dialog box.
  24. Click "Close" on the "Installation Complete" dialog box.
  25. Upon completion of the install, an icon will be created on the desktop of the master target device called either the "CPS 4.5 Integration Tool" or "CPS 4.0 Integration Tool."
  26. Double click on the icon and a dialog box will appear indicating success.
  27. Click "OK" and the "Client Image Builder" will automatically open and proceed to build the image to the vDisk mapped during the PXE boot process.
  28. Build the vDisk pointing the 'Destination Drive' to the proper drive letter (Note: Be sure to 'Optimize' before building the image).
  29. Upon completion of the image build, shut down the master target device.
  30. The vDisk is now ready to stream to multiple Target Devices using Standard Image mode.

More Information

For more information on drive remapping please follow these links: http://www.brianmadden.com/content/article/Should-you-remap-drive-letters-when-installing-MetaFrame-Presentation-Server

http://support.citrix.com/article/ctx457309

Note: This procedure will be available with pictures as a TechNote in the Knowledge Center.  I will update with the link once it is posted.

Posted at 18 Mar @ 5:44 PM by Pete Downing | 19 Comments
My favorite color is "three"

Most people don't realize the value of the answers to their personal security questions (Citrix Password Manager calls this Question Based Authentication.)  As it turns out, those answers are more valuable than passwords.  If someone learns enough answers to your personal security questions, they very often can reset your password and have access to your accounts.  Yes, that includes your online bank account and it's a very real problem.  In fact, I have a friend so paranoid about this that he swears his favorite color is "three."

 Some of the issues around personal security questions are kind of interesting.  For example, I've dealt with customers where personal privacy of employees is a big consideration in selecting the questions.  Let's call that one "sensitivity".  Another issue is what I'll call "changeability" - your favorite movie may change from month to month.  Then another issue is what I'll call "detectability" - my place of birth is public record, if somebody happens to know where I was born and what my maiden name was.  Both of those are completely unguessable in my case so I am probably safe on that problem. 

 Then there is always my favorite, "guessability" - there are only so many colors, even if you count teal and puce.

We can't forget the punctuation marks either.  Tricky to remember whether I indicated a teacher's name as Mrs. Winters, Ms. Winters, Mrs Winters or Ms Winters when I signed up for a web account.  Have to be careful on that one.

 We are finding that the more flexibility you can allow the better on these personal security questions for CPM.  Let companies write their own personal security questions that are more obscure than place of birth.  Let people choose between a number of security questions that they find unique and easy to remember.

In fact, I'd love some comments on pet peeves and helpful suggestions on personal security questions!

Posted at 18 Mar @ 6:01 PM by Kate Brew | 7 Comments
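
The punctuation and guessability issues raised in this post, sketched as an added example (it is not from the original post and is not Citrix Password Manager's code): answers are normalized before a salted PBKDF2 hash is stored, and low-entropy answers are rejected at enrollment. The honorific list, the common-answer list, the thresholds and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Assumption: honorifics are dropped so that "Mrs. Winters", "Ms. Winters",
# "Mrs Winters" and "Ms Winters" all compare equal at verification time.
HONORIFICS = {"mr", "mrs", "ms", "miss", "dr"}

# Constructed sample of highly guessable answers (colors, as in the post).
# A real deployment would maintain a much larger list per question.
COMMON_ANSWERS = {
    "red", "blue", "green", "yellow", "black", "white",
    "purple", "pink", "orange", "teal", "puce",
}

MIN_ANSWER_LENGTH = 4        # assumed policy value
PBKDF2_ITERATIONS = 200_000  # assumed work factor


def normalize_answer(raw):
    """Fold case, strip punctuation and honorifics, collapse whitespace."""
    text = unicodedata.normalize("NFKC", raw).casefold()
    text = re.sub(r"[^\w\s]", " ", text)  # punctuation becomes a separator
    words = text.split()
    # Keep the original words if stripping honorifics would leave nothing.
    kept = [w for w in words if w not in HONORIFICS] or words
    return " ".join(kept)


def guessability_problems(normalized):
    """Return the reasons a normalized answer is too easy to guess."""
    problems = []
    if len(normalized) < MIN_ANSWER_LENGTH:
        problems.append("answer is too short")
    if normalized in COMMON_ANSWERS:
        problems.append("answer is on the common-answer list")
    return problems


def _derive(normalized, salt):
    return hashlib.pbkdf2_hmac(
        "sha256", normalized.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(raw_answer):
    """Validate an answer and return (salt, digest) for storage.

    Normalization shrinks the answer space slightly, which is why it is
    paired with the guessability check instead of being used alone.
    """
    normalized = normalize_answer(raw_answer)
    problems = guessability_problems(normalized)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return salt, _derive(normalized, salt)


def verify(raw_answer, salt, digest):
    """Constant-time comparison of a candidate answer against the record."""
    candidate = _derive(normalize_answer(raw_answer), salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    salt, digest = enroll("Mrs. Winters")
    for attempt in ("Ms Winters", "mrs winters", "Mrs. Summers"):
        print(attempt, "->", verify(attempt, salt, digest))
    try:
        enroll("Teal")
    except ValueError as exc:
        print("rejected at enrollment:", exc)
```

The answer is stored only as a salted, slow hash because, as the post notes, it can be used to reset a password and so deserves at least the protection a password gets.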
  2008/03/19
How a Healthcare Company is Using SmartAuditor
Last changed: Mar 19, 2008 13:14 by Carlos Nieves
Labels: xenapp, smartauditor, compliance, healthcare, xenapp, success story, lang-eng

In my previous SmartAuditor blog post, I described how SmartAuditor works and its benefits for improving security and regulatory compliance. Well, guess what? Recently, a major healthcare company (obviously highly regulated by HIPAA) with tens of thousands of employees shared with me their thoughts, experiences, and main use cases regarding our SmartAuditor technology. In addition to providing care and services, this healthcare company partners with numerous nursing homes, hospitals and other healthcare organizations in the United States. The interesting part is that the more I talk to customers about SmartAuditor for recording ICA sessions, the more interesting the use cases get. So here's their success story.

Background

This customer offshored most of their development to India, had employees and non-employees accessing production systems remotely on a daily basis and wanted to monitor what they were doing, and needed to deliver custom applications in a faster way. They have been using the SmartAuditor technology since it was released as a beta a little over two years ago.

The Challenges

The main challenges for this customer were:

  • How to track and monitor IT change control?
  • How to ensure employees comply with company policies?
  • How to allow offshore developers to see user interaction with custom applications in QA and test environments?

Use Case #1: IT change control management

The customer had a lot of employees and non-employees logging in remotely to production systems on a daily basis and wanted to monitor them and ensure they were compliant (especially tracking the activity of users offshore). In order to improve security and compliance, they set up a secure portal using Citrix Access Gateway and turned on the SmartAuditor capabilities of Citrix XenApp. So by using SmartAuditor, any time a developer, employee or non-employee accesses the production system, all the ICA sessions are recorded, making sure that they are keeping up with company policies.

Use Case #2: Rapid application delivery

Like most businesses, this customer has some fragile and complex applications and users that just don't get it. So instead of releasing an application into production and having users call the help desk trying to diagnose problems, this customer put SmartAuditor ahead of the process. The customer turned SmartAuditor on before the application was fully delivered into production. They took the application and released it only to their test users and generated a list with issues. Then, with the rapid playback and bookmarking capabilities of SmartAuditor, the developers very quickly diagnosed what was wrong with the application and made the changes. The main benefits the customer got out of this were that they were able to deliver the application to market quicker and that the application was clean. By doing this, they have minimized the number of help desk calls and problem resolution for this application.

The Benefits

The main benefits for this customer were:

  • Enhanced auditing for improving compliance
    • Encouraged employees to comply with company policies. The customer is watching and recording. People log in, get out, and stick to the script.
  • Improved the quality of the application development process by visually seeing problems and accelerating time-to-resolution
    • The rapid playback and bookmarking capabilities saved time. Experts were able to find the issues and solve them right away.

The Results

  • Low storage requirements
    • With SmartAuditor, compression over a period of time was very good. The customer has been using SmartAuditor for over 2 years. In that period of time, they recorded 8,222 sessions which only required 43GB of storage space. On average, that's a 5.2MB file size per recorded session. Wow!
  • Excellent performance when recording and reviewing sessions
  • Faster application delivery and better user acceptance

How are you using SmartAuditor? What has been your experience with this feature of XenApp?

Posted at 19 Mar @ 1:14 PM by Carlos Nieves | 5 Comments
First XenDesktop Video Tip Posted

The first entry in the Citrix XenDesktop Video Tip contest has been cross posted to both UTipu.com and YouTube.


The poster added several notes to explain each step of the video. Unfortunately, notes do not display for embedded videos from UTipU.com, so go to this link to watch it with the notes that explain each step.

Here is the YouTube version -


As you can see, UTipU has a higher screen resolution so you can certainly see more on the UTipU version.

The race for the 16 GB iPod Touch is on now! You can post as many videos as you like, and there are no limits on eligibility. I look forward to seeing more great videos like this one.

Posted at 19 Mar @ 3:45 PM by Barry Flanagan | 0 Comments
Secrets for Optimizing Flash Performance - Part 3
Last changed: Mar 20, 2008 21:38 by Derek Thorslund
Labels: flash, video, multimedia, animation, speedflash, xenapp, xenapp, hdx, lang-eng

As I noted in my first blog post about optimizing Flash performance on XenApp, SpeedScreen Flash Acceleration currently checks for specific binary file names such as flash8b.ocx or flash9.ocx. Therefore, new versions of Flash require the creation of hotfixes to accommodate different binary file names. After reviewing this issue, I challenged our Engineering team to come up with an improved design. They devised a creative new solution that they predict will gracefully handle Flash updates and thus eliminate the time lag between new releases of Flash and the development of new XenApp hotfixes. That enhancement is now working its way through development and test.

In the meantime, we still need hotfixes that will look for newer Flash file names. I previously highlighted that a limited release hotfix (PSE400R03W2K3091) is available for customers with active Preferred Support Services contracts who are running XenApp Presentation Server 4.0 on Windows Server 2003 (see KB article CTX115426, login with appropriate access privileges required). Subsequently, our Support department received requests for a solution for XenApp Presentation Server 4.0 on Windows Server 2000. In response, the Life Cycle Maintenance (LCM) team has created and released hotfix PSE400R04W2K012 for PS 4.0 with HRP04 on Windows Server 2000. This limited release hotfix adds support for Adobe Flash versions 7a, 8, 8b, 9, 9c and 9d. Customers with an approved support contract can obtain the Knowledge Base article describing this new hotfix by visiting our Support web site at http://support.citrix.com/article/CTX115555 (login required) or by searching for CTX115555.

Meanwhile, Adobe has released Flash 9e (9.0.115.0). I wish I could tell you that the new hotfix handles 9e but, as Aaron Parker has already identified in his blog post on stealthpuppy.com, it doesn't. However, the wheels are in motion to create a hotfix that will handle 9e. If all goes well, this might be the one that introduces Engineering's new generic solution that isn't tied to specific binary file names. Stay tuned to this blog for further updates.

Derek Thorslund
Product Strategist, Multimedia Virtualization

Posted at 19 Mar @ 5:21 PM by Derek Thorslund | 0 Comments
  2008/03/20
Application Streaming to XenApp (CPS) Servers vs. Streaming Operating Systems Explained

I've received a couple of calls from some customers and partners who asked the following question:

"What is the difference between Application Streaming to XenApp Servers versus Streaming an Operating System?"

The questions continued to come up even in the "Microsoft and Citrix: Better Together Tour" event that I spoke at this Monday at the new Microsoft Office at the Westfield Centre in San Francisco. Therefore, I've decided this would be an excellent first blog. Please allow me to give this a shot at blogging the explanation.

Application Streaming to XenApp Servers (Background):

For those of you that were previously unaware, the artist formerly known as "Citrix Presentation Server" is now called "Citrix XenApp". In XenApp 4.5, the product has the ability to provide for Server Side Virtualization and Client Side Virtualization. Traditionally, previous versions of CPS/XA were dependent on the network to provide published applications. However, enter in from stage right our new buddy "Application Streaming". Application Streaming allows you as a customer to install an application into an Isolated Environment. This isolated environment can be compared to a bubble. This bubble contains, for all intents and purposes, everything that an application would require to run. This bubble is an island unto itself, only to run within the bubble and therefore separate or isolated from applications that are already installed normally on the CPS/XA server.

Imagine, if you will, the possibility to provide applications On-Demand to both XenApp servers and also to client endpoints (Laptops and Desktops). Therefore, these isolated bubbles are stored on a central file repository, NAS or otherwise, ready and ripe for delivery by stream. For example, if I install Microsoft Word 2003 in one isolated environment and Microsoft Word 2007 in another isolated environment, neither application knows about the other because they are in their own bubbles. Now, take it a step further and imagine where you have a sample of 5 XenApp servers that don't have applications installed on them. This is because the applications in their bubbles will be streamed on-demand over to the XenApp server at point of use. So, what does this mean for you as an administrator? Well, really a couple of things. Here is the net-net of it:

1. Centralized code base for apps to be delivered by stream.
2. The ability to bring up a CPS/XA server faster without the pain of having to install the applications.
3. The ability to change an application during the production day (Although, this is between you and your maintenance cycle...) and apply patches and revisions as need be.

This is one type of application streaming. That streaming is to XenApp servers. However, you can also stream the same applications over to endpoints as I stated earlier...and therefore providing a delivery mechanism for applications that need to run on the user's physical machine and allowing them to detach from the network.

For a Flash Demo of Application Streaming, please point your browser to:

http://www.citrix.com/site/resources/dynamic/additional/demos/as/as_master.html

Please excuse the demo goober during the start of the video. Now that you have a background on Application Streaming to XenApp Servers, we can begin to explain streaming an operating system.

Streaming an Operating System with Citrix Provisioning Server (Background):

Streaming an operating system to bare metal can be accomplished by using a separate product called "Citrix Provisioning Server". The 10k foot view is that you are able to provision operating systems based upon workload types. For instance, here is a great example: say that your company is at the end of their quarter. Heads are flying, paperwork is spinning and data is being entered into applications that could be fully consuming your server's resources. Well, it isn't practical today to add a server into the mix because of the sheer time it takes to build the server and then load the applications to eventually configure that application. It is pretty time consuming. Enter in our friend, Citrix Provisioning Server. With Provisioning Server you are able to boot a new server in PXE (Preboot Execution Environment) mode, get a DHCP address and have a server OS streamed to your bare metal machine in a matter of a reboot. Therefore, you are adding another server to be used for end of quarter work...and you did it with a few clicks and a reboot.

Using that same example, now jump with me to the future where end of quarter is far from your mind. With a few more clicks and a reboot of all of those servers that were being used for quarter end, you can re-provision those servers to become web servers, applications servers or rather anything that you'd like them to be. The concept here is that a virtual disk runs on a storage device and Provisioning Server then provisions that vdisk to a server or servers identified by their MAC addresses. It's actually really cool stuff and makes delivery of servers for new or previous workloads literally a cinch. One of my customers compared the product to "Multiple Personality Disorder/Reorder for Servers". I received a bit of a chuckle when hearing that. This technology will also be highlighted and utilized heavily in the upcoming release of our new product, Citrix XenDesktop. There are many blogs on Community.Citrix.com that you can spend a great deal of time learning about new technology.

Seeing is believing and I understand that there are those that need to assess the logical and hold the tangible. Originally, we purchased a company formerly called "Ardence" that allowed us to acquire this technology. I suggest that you watch both of these videos below to see Provisioning Server in action.

Citrix Provisioning Server Demo by Pete Downing and Mark Templeton:
http://mfile.akamai.com/8296/wmv/citrix.download.akamai.com/8296/iForum07/Demos/ProvisioningServerDemo.asx

Also, Provisioning Desktop Operating Systems:
http://www.youtube.com/watch?v=moIuHqIc-PQ

-----------------
I hope that this has provided a good explanation of the difference between Streaming Applications and Streaming Servers. Should you have any questions, please email me.

Thanks! - Jon

Posted at 20 Mar @ 2:04 AM by Jonathan Eugenio | 0 Comments
Citrix XenServer - HP Edition
Last changed: Mar 20, 2008 11:53 by Barry Flanagan
Labels: xenserver, lang-eng

Today Citrix and HP announced a new integrated virtualization solution for HP ProLiant Servers.

HP offers two integrated virtualization products that combine the performance, simplicity and ease of use of Citrix XenServer with HP's ProLiant Server platforms. The two products – Citrix XenServer HP Select Edition and Citrix XenServer HP Enterprise Edition, are available as options for customers at the point of sale with ProLiant servers, and are available to current HP ProLiant customers via option kits – enabling customers to purchase an entire virtualization solution from HP.

"We have made significant efforts to ensure our customers have the leading options for deploying and managing virtualization," said Scott Farrand, vice president, Industry Standard Server Software, HP. "HP's ProLiant and BladeSystem servers with Insight Control management tools, combined with the unique architecture of Citrix XenServer, delivers a truly integrated user experience that makes virtualization feel like a seamless capability within the infrastructure."

Integrated ProLiant Virtual Console (PVC) – Simplifies Deployments

These new co-developed products are the only integrated virtualization solutions to provide a simple-to-use local graphical management console and pre-integrated HP management agent technology, providing for simpler deployments and an easy to use management environment that accelerates the adoption of this flexible, cost-saving virtualization technology.

The HP ProLiant Virtual Console allows users to power on their new HP server and start creating virtual machines in a matter of minutes, removing the complexity of deploying their virtualization solution. HP ProLiant Virtual Console provides a simple to use GUI interface to setup and manage virtual machines on individual servers.

I am sure many of you who use HP ProLiant Servers are curious to know what the integration looks like. Peter Blum in our OEM Division has already created some screen shots and online demos of the solution. (Peter created the XenServer Mini-product training that has been very popular).
 
Peter created a couple of great flash based demos that you can access as well (short registration required).


XenServer HP Select Edition ProLiant Virtual Console

XenServer HP Select Edition, First Boot to VM in 3 minutes 


Check out Peter's demo for a deeper dive into this new integrated solution.

We have created a joint white paper with HP as well.

This announcement has generated some interest from the virtualization blogosphere. Tarry Singh of Virtualization for Everyone interviewed John Glendenning (VP of Virtualization Sales, EMEA) about this announcement -

  • Lots of exciting things are happening around Citrix, what is Citrix announcing this time?

These are very exciting times. We've been working on co-development with HP for a year, and today Citrix is announcing a strategic development and distribution agreement with HP that will integrate an enhanced version of Citrix XenServer™ into 64-bit HP ProLiant servers.

...

These advantages include faster implementation of Citrix XenServer virtualization technology on HP ProLiant servers, increased ease-of use for HP ProLiant customers utilizing Citrix XenServer, and leveraged investments in HP management tools such as HP Integrated Lights-Out (iLO) for remote server management.

Read the full interview here. This story has also been picked up by David Marshall at VMBlog.com and Alessandro Perilli at Virtualization.info.

This new integrated virtualization solution from HP and Citrix is slated to be available in Q2.

Posted at 20 Mar @ 11:53 AM by Barry Flanagan | 0 Comments
Desktop Appliances - what is all the fuss about?
Labels: xendesktop, lang-eng

First let me introduce myself, as this is my first Citrix blog. I've been with Citrix for nearly ten years now, in the slightly secretive world of 'advanced products' where we try to second guess what the next hot technologies will be, and help work out how our customers can benefit from them.

More recently I've been brought into the fold to help deliver 'desktop appliances'. So what is all the fuss about?

I could start by describing the technical features of a 'desktop appliance' - by comparing and contrasting it to its close relation the 'thin client' - but that isn't really the point. Much of a desktop appliance is about branding and packaging, but (and as an engineer it pains me to say so) this is really important stuff.

What is so great about the iPod or the Wii? They aren't necessarily technically best of breed, but they are certainly well loved - why? I think the reason is simple - they set out to do a job, they do it well, and they do it with style. No one with an iPod feels they got second best; no one with a Wii feels intimidated by the technology. This is the point of a desktop appliance. When you arrive at work to find that one of these beasts is on your desk in place of a regular PC, we want you to be pleased, not horrified. Desktop appliances are designed to provide the best desktop experience - with style and with the minimum of fuss and bother.

So let's get technical. Is a desktop appliance technically very different from a thin client? Not necessarily - but where the thin client is a Swiss army knife, the desktop appliance is a scalpel. With a desktop appliance, you turn on, log on, and get your desktop. That's it. Hardly worthy of a diagram - but here's one anyway:


I'm a techie, not a marketer, and this is a blog, not a soap box; so let's get to some technical details. Essentially a desktop appliance is a device much like a thin client - but one which conforms to a strict set of rules. I've been working on this set of requirements - to make sure that every appliance that meets this specification will deliver a superb experience. The first desktop appliance specification covers ICA requirements, user experience and ensures that the boxes have sufficient resources to deliver all current ICA features, and enough extra head room for those features and optimizations that we hope to deliver in the near future. Over time, as we add more and more optimizations and enhancements to ICA - and we are committed to doing just that - the desktop appliance specification will be updated, and appliances that meet the specification will provide these seamlessly and with the minimum of fuss.

Does this mean thin clients are dead? Not at all - they remain the Swiss army knife, flexible and adaptable in XenApp or XenDesktop environments. However with that flexibility comes the potential for complexity.

A desktop appliance is your desktop - a small, quiet box, a monitor and your keyboard. Turn on, log in, and go.

Posted at 20 Mar @ 12:48 PM by Richard Hayton | 0 Comments
An interpretation of the Citrix SDKs EULA for the rest of us

There was a recent flurry of emails when a Citrix partner wanted to know whether they could redistribute our SDK libraries as a part of the integration with their tool. Brad Pedersen (Chief Architect and Senior Fellow) confirmed that we allow distribution of Citrix libraries with products modified using the SDKs. In fact, we encourage our customers and partners to embed, integrate, and distribute our libraries. This way, we grow the Citrix ecosystem and the community.

I have also posted the revised EULA on the Citrix Developer Network so you don't have to download and install the SDK to read it. The EULA clarifies the above distribution rights.
http://community.citrix.com/display/cdn/Citrix+End+User+License+Agreement

Posted at 20 Mar @ 4:07 PM by Vishal Ganeriwala | 0 Comments
App Streaming - Deploy folder location
Last changed: Mar 21, 2008 09:40 by Joseph Nord
Labels: architecture, lang-eng, nonspecific

Application Streaming stores stuff in isolation layers. The main one that holds the executable content is stored in the "RadeCache" directory below the Citrix Streaming Client installation directory. The sub-directory name is a GUID that uniquely identifies the execution image. There is a corresponding user layer that is sandwiched on top and the application at runtime views the machine through the 3 layers of isolation.

Here's a picture of the layers.  
The majority of the application's installation image is in the middle layer. This layer is "actually" stored below the RadeCache directory, below the installed to directory for the Streaming Client.

It can be big - Customers commonly want to "move it". 

Setting the location of this directory is easy; run the ClientCache.exe utility that is included with the streaming client; done.   It's even documented in KB article: http://support.citrix.com/article/CTX115137

The ClientCache utility does a few jobs

-          Sets a registry string to tell the Streaming Service where the Cache is located

-          Creates the directory

-          Adds a DACL to the directory to give the Streaming Service privilege to write stuff to the cache.

-          Note that the streaming client service actually runs on a dumbed down account and without this DACL, even though it's a service, it lacks privilege to write to anything important.

Deploy folder

Consider offline "streaming".  How do you "Stream" when disconnected from the company network?

Answer: Everything that would normally be on a central store to support the streamed execution of the app, is actually copied onto the execution machine.  At runtime, execution content is "streamed" from this local copy into the execution cache, as it is needed - just like the online case.

The directory, \Program Files\Citrix\Deploy holds all the profiles copied to the execution machine to support offline execution.  Neatly, the streaming client core doesn't distinguish between online and offline.  It just knows where the execution cache is located (Installation/Execution image) and runtime populates stuff into the cache.  The source for the runtime populate when offline is actually a CAB file local to the execution machine; a nit.  It keeps the architecture simple when the client doesn't have to worry about online vs. offline. 

Changing the location of the deploy folder

We already covered changing the location of the RadeCache, this is easy.  Use the ClientCache.exe utility, done.   

Imagine my surprise when someone asked me about setting the location of the Pre-Deploy folder; there's no ClientDeploy.exe utility!  Hum.

Can it be done?  Sure.  There's no utility to do it for you, so it becomes a manual process - documented below.

Configuring the location of the directories

Key directories:

-          The RadeCache location defaults to \Program Files\Citrix\RadeCache.

-          The PreDeploy location defaults to \Program Files\Citrix\Deploy.

The Streaming Service (RadeSvc.exe) queries the location of each of these key directories by reading strings from the registry as part of its startup logic.   

Here are the registry keys that set the location of the RadeCache and PreDeploy folders.  These are both stored below HKLM\Software\Citrix\Rade.

-          CacheLocation

-          PreDeploy

Changing the location of the Deploy folder can also be done, but it is a manual process.

How to change the location of the Deploy directory:

1)      Create a directory

2)      Fix the registry string to point to the new location

3)      Give the Streaming Service Full rights to the created directory

4)      Terminate all presently streamed applications

5)      Unload and Reload the streaming service

Example steps from a command prompt:

-          net stop radesvc

-          Mkdir C:\NewLocation

-          cacls c:\NewLocation /E /G Ctx_StreamingSvc:F

           Alternate to above is to MOVE the existing folder, and its contents.

-          reg add hklm\software\citrix\rade /v PreDeployDir /t REG_SZ /d C:\NewLocation

-          echo y| reg delete hkcu\Software\Citrix\Rade\Offline

-          net start radesvc

Finally, PNAgent  - Right Mouse Button, refresh applications - and the new location will be used for the Deploy folder.  Depending on how the administrator has published the application, it may be necessary to actually run an application before the "bring it to deploy folder" logic kicks off. 

The above will work with Streaming Client 1.0 (Presentation Server 4.5) and with Streaming Client 1.1 (Presentation Server 4.5 HRP1).   There will be some changes in this logic going forward and when we get there, I can update this post with the particulars.
Joe Nord

Product Architect - Application Streaming.  Citrix Systems, Fort Lauderdale, FL

Posted at 20 Mar @ 4:56 PM by Joseph Nord | 6 Comments
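A check to run after the Deploy folder relocation steps in the post above, as an added example that is not part of the original post or any Citrix tooling: it reads the registry string, confirms the directory exists, and inspects the DACL. A directory created outside \Program Files inherits its parent's ACL, so the script also reports broad groups that can write to the folder holding the offline profiles. The value name `PreDeployDir` and the account `Ctx_StreamingSvc` are taken from the commands in the post; the parameter names and the list of broad groups are assumptions of this example.

```powershell
# Added example, not Citrix code. Audits the Deploy folder after it has been moved.
# Assumptions taken from the commands in the post: registry value PreDeployDir
# under HKLM\Software\Citrix\Rade, and the service account Ctx_StreamingSvc.
param(
    [string]$RegPath    = 'HKLM:\Software\Citrix\Rade',
    [string]$ValueName  = 'PreDeployDir',
    [string]$SvcAccount = 'Ctx_StreamingSvc'
)
$ErrorActionPreference = 'Stop'

# Well-known SIDs of broad groups (compared by SID so the check is locale-independent).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow adding, changing or deleting content, or rewriting the DACL.
# 0x40000000 (GENERIC_WRITE) and 0x10000000 (GENERIC_ALL) appear on inherit-only ACEs.
$fsr         = [System.Security.AccessControl.FileSystemRights]
$writeBits   = [int]($fsr'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$writeBits   = $writeBits -bor 0x40000000 -bor 0x10000000
$fullControl = [int]$fsr::FullControl

# 1. The registry string must exist and point at a real directory.
$deployDir = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
if (-not (Test-Path -LiteralPath $deployDir -PathType Container)) {
    throw "'$ValueName' points to '$deployDir', which is not an existing directory."
}

# 2. Walk the DACL: the service needs Full control, broad groups should not write.
$svcHasFull = $false
$findings = foreach ($rule in (Get-Acl -LiteralPath $deployDir).Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $rights = [int]$rule.FileSystemRights

    if ($rule.IdentityReference.Value -like "*\$SvcAccount" -and
        ($rights -band $fullControl) -eq $fullControl) {
        $svcHasFull = $true
    }

    # Resolve the trustee to a SID; keep the raw name if it cannot be translated.
    try {
        $sid = $rule.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $rule.IdentityReference.Value
    }

    if ($broadSids.ContainsKey($sid) -and ($rights -band $writeBits)) {
        [pscustomobject]@{
            Trustee   = $broadSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            AppliesTo = $rule.InheritanceFlags
        }
    }
}

# 3. Report.
Write-Output "Deploy folder: $deployDir"
if (-not $svcHasFull) {
    Write-Warning "$SvcAccount does not have Full control; the Streaming Service cannot populate this folder."
}
if ($findings) {
    Write-Warning 'Broad groups can modify the Deploy folder contents:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No write access for Everyone, Authenticated Users, Users or INTERACTIVE.'
}
```

Run it from an elevated PowerShell prompt on the execution machine; inherited entries in the report point at the parent directory's ACL as the place to tighten.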
  2008/03/21
What is Your Story?

Do you have an interesting story to tell about your experience with Citrix products? Are you eager to share the wisdom you have gained about the relationship between business and technology? Would you like to discuss the valuable lessons you have learned about delivering applications with the entire Citrix Community?

Submit your session idea and you could get free admission to the conference ($1395 value) and four nights in the conference hotel (over $800 value) at Citrix Synergy in the George R. Brown Convention Center in Houston Texas. Submit your session proposal at the Call for Presentations site now.

We are looking for presentations that address trends, technologies, needs and solutions in the following three conference tracks:

IT 2.0 Business Symposium Track: Strategic Considerations for the Business IT Professional
Sessions in this track will cover how application delivery and its underlying technologies - virtualization, application networking and optimization are transforming the IT industry and IT organizations. Topics in this track are intended for senior IT leaders. Sessions such as "The IT Department in 5 Years", "The Talent You Need: Engineers and Architects for the New IT World", and "Key Considerations for Infrastructure Consolidation" should be designed to help IT professionals survive and thrive in today's dynamic.

iForum Track: The Latest on Citrix Products from A to Xen
Sessions in this track will give attendees the latest scoop on Citrix products - from Access Gateway to XenServer. Topics that give attendees architectural insight, tips and tricks, and technical product detail - such as "Extending Virtualization to the Desktop" and "NetScaler for the Enterprise" to Industry Best Practices and Customer Case Studies - are well-suited for the range of Citrix customers who will attend this track.

Application Delivery Industry Track: Hot Topics and Solutions in Application Delivery
Realizing that no single vendor can address all of a customer's application delivery challenges, this track will bring together both hot topics and realistic approaches for making everything from the datacenter to the desktop work in the real world. Topics that provide insight and advice in this area - including "Making it All Work Together" and "VDI Comparisons" as well as "Best Practices in Green Computing" and "Considerations for Data Security and Compliance" - are ideal for the technical and business savvy attendees who will attend this track.

GeekSpeak - Geek Speak Live! Meet industry tech geeks, analysts and bloggers at the ultimate "unconference," where participants choose the topics and run the sessions. It's an informal forum for sharing ideas and learning from one another. Click here to read more about GeekSpeak Live, and here to find out the details of the GeekSpeak BarCamp.

You can get a full list of all the technical sessions at Citrix Synergy at this link.

Tell your story, share your vision, make new connections with others in the Citrix Community, and increase your own visibility. We are accepting proposals at the Call for Presentations site until April 4th. You can click here to register for Citrix Synergy.






Posted at 21 Mar @ 2:23 PM by Barry Flanagan | 0 Comments
Localization SDK opens up Emerging Markets for CPM

This is a little-known fact that may be very interesting for customers who want SSO, but realize Password Manager does not natively support your language.  We have an SDK available for partners to do their own translations of the CPM UI.  It is available for free, and has already been requested by partners in Russia, Czech Republic, Sweden, Italy, Greece and Poland.

This SDK can be used with standalone CPM and XenApp Platinum (Single Sign-on powered by Password Manager.)  Both offerings are the same code base.

Our terms are intentionally simple: the local Citrix rep approves the partner to me, partner signs a EULA, I give the partner access to the SDK via FTP, and the partner owns the resultant work effort (of course CPM licenses are still required for the customers purchasing translated versions from the partner.)

The caveats are that the business partner is responsible for keeping up with changes as new releases are provided from Citrix, and the local Citrix account team vouches for the integrity of the partner.  We need to be sure the UI delivered is of quality, hence the local team involvement.

If you're interested, please have your Citrix rep contact kate.brew@citrix.com

 Would also appreciate comments on this approach - yea or nay!

Posted at 21 Mar @ 5:22 PM by Kate Brew | 3 Comments
Citrix App Delivery to an ATT 8525 using WWAN

My first blog on Mobile Devices and The App Delivery Center seemed to get enough hits that I thought I would follow up with a video demo to give a better view of XenApp applications actually being delivered to a mobile device.  Also felt that it would be good to describe the setup used to create the video, so details follow below.  The demo was intended to show a "real world" use case that a lot of us have been through.  The script for the video is that your boss sends you an email asking you to perform a number of tasks in preparation for an upcoming meeting:

-       update a Word document

-       update an Excel spreadsheet

-       verify a CAD document is up to date

-       join a GoToMeeting

All of these tasks are performed in the below video.  Details on the setup:

-       A real ATT 8525 device with the 10.0 WinMo ICA client was used to connect to  a XenApp 4.5 server

-       The server is hosted on the internet, outside of the Citrix network.

-       The Web Interface changes referred to in my Mobile Devices and The App Delivery Center blog post are in use on this demo server, thus you get the better app sizing described in the aforementioned post (http://support.citrix.com/forums/thread.jspa?forumID=136&threadID=91629&tstart=0).

-       Soti Pocket Controller was used to display the screen of the 8525 on my laptop

-       When connected to Soti, an active sync connection is used, which actually provides the network connection for the 8525.  So the native 3G data connection of the 8525 was not used, BUT.

-       I used the EVDO Rev A connection on my laptop to connect to the internet, so even though the device has ATT 3G connection, a Verizon EVDO Rev A connection was actually used in this case, thus a WWAN connection is being used.

-       Camtasia was used to capture the Soti output on my laptop

So now that you know the gory setup to get this capture, the video is below.  Hope this gives a better picture of use of the Citrix Mobile ICA clients.

Obviously some clarity of the video was lost during conversion and upload to YouTube.  But I think you'll get the idea!

Posted at 21 Mar @ 6:28 PM by Adam Marano | 2 Comments
  2008/03/22
First look - Citrix Applications

From Frameworkx.com 

This is a ~6 min video I did right after I installed the latest build of Citrix Applications that will ship with Citrix XenApp. On this video I share my first impressions as well as a first look at the new name, branding and installing path...

Watch video at source

Posted at 22 Mar @ 10:13 AM by Gus Pinto | 0 Comments
  2008/03/24
PowerSmart and PennyWise! - Citrix PowerSmart and Saving Money on Electric Bills while Virtualizing
Last changed: Mar 24, 2008 03:30 by Jonathan Eugenio
Labels: lang-eng, nonspecific

Sometime in 2002 or 2003, I sat in a room with several other PeopleSoft IT employees while we considered how we could use the then-new Data Center's resources during rolling brown-outs.  Power consumption in California was an issue then and the price of that electricity from Pacific Gas and Electric was increasingly onerous.  It led me to wonder: how could we shut off underutilized servers in some of our production server farms to help with the cause?  Turn the clock forward to 2008, and some environmentally friendly folks are asking the same question.  Although we are not currently blighted by rolling power brown-outs, power consumption, heating and cooling remain issues for everyday IT shops. 

Virtualization, whether server or application, can assist us with this issue. Addressing the need for a smaller physical server footprint leads to the idea of less physical server room space.  This in turn reduces power consumption issues by giving us less to cool.  Now, pair a virtualization solution with a blade chassis from Hewlett Packard and you just might be sitting pretty.  However, if you still have 1U, 2U or 3U servers, then what?  A utility on the Citrix horizon is "Citrix PowerSmart" which can help you save power with some of those underutilized Presentation Server/XenApp servers.  With PowerSmart, Citrix and Hewlett Packard have joined together to provide a utility that assesses whether that server is idle or underutilized, and if so, lowers the power consumption.  For you admins sitting there wondering why this would matter to you, here's the gig:

While you're saving power with PowerSmart, using blades and virtualizing through the awesome power of paravirtualization via XenServer, your boss and company are taking interest in saving money.  How can you be PowerSmart and pennywise?  Utility providers such as Pacific Gas and Electric, Southern California Edison, et al, actually provide incentives and rebates for customers that virtualize.  Virtualizing and saving energy with PowerSmart can bring you cost-saving and other benefits we've mentioned above. 

But wait, there's more--best of all, Citrix PowerSmart is free!   

---------------------------------------------------
For extra credit, some light reading on the subject:

http://h71028.www7.hp.com/ERC/downloads/4AA1-7946ENW.pdf?jumpid=reg_R1002_USEN

Hewlett Packard Energy Efficient Computing with Citrix PowerSmart:

http://h71019.www7.hp.com/ERC/downloads/4AA1-7655ENW.pdf

Southern California Edison Virtualization Incentives:

http://www.sce.com/RebatesandSavings/LargeBusiness/SPC/default.htm?goto=spc

Pacific Gas and Electric (Northern California) Virtualization Rebates:

http://www.pge.com/mybusiness/energysavingsrebates/incentivesbyindustry/hightech/hteeincentives.shtml

---------------------------------------------------
Note: PowerSmart is currently compatible with XenApp 4.5 but is not included in the product downloads or on the media.  Citrix PowerSmart is still in Beta and is available for HP customers to use, and is available for download from Citrix Developer Network at the following URL:
http://community.citrix.com/display/cdn/Citrix+PowerSmart+Utility+for+Presentation+Server+%2528Beta%2529

Remember, PowerSmart is compatible with Hewlett Packard servers only.  If you have questions, please see the forums at http://support.citrix.com.

Cheers and see you next week,

Jon

Posted at 24 Mar @ 2:40 AM by Jonathan Eugenio | 0 Comments
Podcast on XenApp's CPU Management

In this interview, Willie Wright, one of the original developers of XenApp's CPU Management Technology, talks to Prasanna Padmanabhan about the history of MalooCPU, Delaware improvements as part of Preferential Load Balancing and some longer term research in the area of general resource management.

Some of you may have listened to this one, but our podcasts don't support comments yet. So I thought I'd put it in here as a blog post, so that we now have a way to hear back from you.

Posted at 24 Mar @ 9:38 AM by Prasanna Padmanabhan | 0 Comments
Citrix XenApp Brings Secure Enterprise Data And Applications to S60 3rd Edition Devices

Citrix has partnered with Nokia on ICA clients for their Symbian devices for years.  I recently did an interview with the Nokia team on use of the Citrix ICA client for Series 60 3rd Edition devices such as E61, E70 and E90 devices for their Nokia Forum Pro.  These ICA clients can be downloaded from http://www.citrix.com/English/SS/downloads/details.asp?dID=2755&downloadID=165587&pID=186.

Snippet from the interview below: 

Helping enterprise IT departments

 The Citrix XenApp Client for S60 3rd Edition devices offers some very clear benefits to IT departments as well, Marano adds. "From an IT perspective, the flexibility of mobile devices can be scary," he says. "How do you encourage people to use them, but also make sure that they are used properly and securely? With this solution, the same infrastructure being used today for external laptops and desktops can be used to deliver applications to the Series 60 3rd Edition devices. Minimizing the number of technologies used to deliver business-critical data to end users regardless of device type, by standardizing on a single platform, is a key factor to consider."

The interview gives a good overview of the use of Nokia S60 devices, but also provides a pretty good overview on the use of mobile devices as a whole with XenApp.

The full PDF interview can be found at: http://www.nokia.com/NOKIA_COM_1/Developers/Success_Stories/Enterprise_&_productivity/Dev_succ_Citrix_SC_v1.0.pdf

Posted at 24 Mar @ 10:30 AM by Adam Marano | 0 Comments
Top Citrix XenApp Technical Webcasts & How To Submit More Topics
Last changed: Mar 24, 2008 14:25 by Carlos Nieves
Labels: xenapp, webcast, webinar, technical, xenapp, presentation server, lang-eng

How can you submit your topic of choice for a Citrix technical webcast? It's very simple. Just reply to this blog post. We are requesting input from you to understand what XenApp (the new name for Presentation Server) technical topics you want Citrix to discuss with you via our TechTalk webcast series.

While you think about some topics, let me point you to some of our most popular technical webcasts for Presentation Server. These might spark some ideas. I encourage you to watch these, but you also have the option to skip to the end of this post and submit your favorite topics.

Best Practices for Upgrading/Migrating to Citrix Presentation Server 4.5
Thinking about upgrading to Citrix Presentation Server 4.5? Learn directly from our expert the necessary steps for a successful implementation.

Tuning Citrix Presentation Server to Get More Users per Server
Do you want to get more users on your Citrix Presentation Server? Are you ready to learn how 64-bit architecture can remove performance bottlenecks from application delivery? Then learn from Citrix and Microsoft engineers on how to leverage 64-bit technology to increase the number of users per server.

Using Citrix Apps Offline: Understanding Application Streaming in Citrix Presentation Server 4.5
Hear directly from the architect how Application Streaming provides you with the flexibility to stream applications to remote users who need local CPU resources, require local peripherals or need to work offline.

Discover What's New in Citrix Presentation Server 4.5 Feature Pack 1
Get an in depth technical overview of the latest features of Citrix Presentation Server 4.5 including SmartAuditor & EasyCall technologies.

Designing Citrix Presentation Server Farms for Maximum Scalability
Find out from our experts the critical design considerations needed for any Citrix Presentation Server environment. Learn how to design your server farm zones for high scalability. Also, find out about data store sizing, architecture & operation and how to plan for future deployments based on farm growth.

Using the Citrix Presentation Server 4 Universal Printer Driver
Go 'under the hood' with Gary Barton as he discusses new printing architecture that addresses real-world printing dilemmas.

Graphics Acceleration & ICA Client Enhancements
Learn how Citrix Presentation Server 4.5 can help increase the performance and usability of graphics-intensive applications. Also, learn about some of the ICA client enhancements in this release.

Health Assistant Automated Server Recovery and Configuration Logging
Hear directly from the engineers about the new server health checks and recovery actions in Presentation Server, how to increase application availability with Independent Management Architecture (IMA) Thread Pooling, and how to resolve the on ramp black hole situation with Load Throttling. Also, learn about the Configuration Logging design and security features and how to filter and generate reports.

Web Interface & Active Directory Federated Services (ADFS)
Find out from our experts about the Web Interface support for advanced application delivery, the architecture behind web-based application delivery, the architecture and benefits of ADFS integration in Citrix Web Interface, and how to configure ADFS integration in Citrix Web Interface.

What XenApp technical topics do you want to hear about?

Posted at 24 Mar @ 2:25 PM by Carlos Nieves | 3 Comments
Migrating to Group Policies

In my last post, I talked about our plans of moving XenApp farm settings, server settings and session policies into Group Policy Objects. This time, I want to describe our plans on a related topic: how to migrate XenApp 4.x farms into this new management model.
XenApp 4.5 Administrators have two options to migrate their farms: either upgrade the existing farm over time, running the farm in mixed-mode; or create a new farm and move users and applications over time. 
The mixed-farm approach seems to be the easier of the two, but it has an important drawback: the migration cannot be staged. The recommended first step is to upgrade the Zone Data Collectors, which in turn affects all users and applications in the farm. If anything wrong happens - which is usually detected once users start to login and use their applications - there is no way to rollback without creating a farm outage.
The new farm approach is safer, as it allows Administrators to perform an "in-production" validation, migrating users and applications to the new version over time. The old production farm is not touched, which allows quick rollback of users to the previous farm if anything wrong is detected.

However, creating a new farm from scratch is not realistic in many environments. The reasons:

  • Farm configuration documents may not exist, or be out-dated.
  • Not sufficient hardware to maintain both farms in parallel. Servers have to move from one farm to the other over time.
  • The migration is not transparent to end-users. If a single Web Interface is used, it will list applications as "Application (Old Farm)" and "Application (New Farm)". If a separate WI is used, then users must configure browser and PNA to use another URL.

We do not plan to support mixed-farm migrations when we move XenApp configuration to Group Policy. Instead, we will focus on the issues above, creating the necessary tools to facilitate the transfer of configurations, users and servers from farm to farm.
This is the plan:
The first step is to create a new farm, installing a new Data Collector and creating a new IMA database. Infrastructure servers (License, Database, Edgesight, etc) may be shared between the old and new farm. The next step is to launch the Migration Wizard and go through the following steps:

  • The migration tool wizard will ask information about the old farm (address, authentication). You may choose to export all the old farm data into an XML file and modify it before importing the data in the next steps.
  • The wizard will ask the new farm information. It will then convert session policies, farm and server settings into Group Policies, and automatically associate GPOs with the new farm Organizational Units.
  • If the old farm contained multiple application silos, the wizard will ask for a server that represents the old farm silo, and create a Group Policy Object containing that server configuration. The wizard will then associate that GPO with the OU representing the Application Silo in the new farm configuration.
  • You will be able to select a list of "in-production" test users. The new farm will only enumerate applications to users in that filter list, regardless of the Application object configuration.
  • Add the new farm in your Web Interface sites. Web Interface will suppress enumeration of applications coming from multiple farms, based on configuration. This change will make the migration process completely transparent to end users.

At this point, you will have a fully configured, although empty new farm. Over time, you will:

  • Add more users to the new farm filter
  • Remove servers from the old farm
  • Upgrade XenApp software in the server (or re-image)
  • Assign the server to the new farm Organizational Unit.

This method is very flexible; you may stage the process based on application silos, zones, users, or any combination of these. The migration tools provided here are also very useful for other use-cases, such as replication of settings between test and production environments.

This plan is still on the drawing board, please feel free to comment and raise scenarios where you believe it wouldn't meet your needs. Note that this is planned for the next major release after project Delaware, therefore still a long way in the future.


Posted at 24 Mar @ 6:43 PM by Juliano Maldaner | 5 Comments
  2008/03/25
Virtual Application Delivery Appliance - VADA Bing VADA Boom!

Most of us know or have heard about Virtual Appliances.  Mostly single purpose virtual machines usually running on some variant of Linux today.  So why is this beneficial?

-          Ease of installation - import the VM and start it up

-          Preconfigured - maybe not fully preconfigured, but much more than having a stack of OS and product CDs and bare metal to start with

-          Reduced maintenance costs - starting with a preinstalled and mostly configured solution tends to reduce the number of errors associated with the install and configuration when done from scratch

So why not a Virtual Application Delivery Appliance (VADA)?  A preinstalled and mostly configured XenApp or CAE server that already has a targeted application published in the virtual machine.  A virtual machine that I get from my ISV that I start on my XenServer server.  Web Interface and PNAgent are already setup with defaults.  I add my users to the published application and start delivering the app.  Kind of a normal virtual appliance, but on digital steroids to enhance performance.

This is already starting to happen!  Our Platform Development Group at Citrix has been increasingly having discussions with ISV alliance partners to do just what is explained above.  Some are doing it; others are looking at the feasibility of doing it with their solution.  They have an application, or multi-component software solution that they want to, or are required to deliver via Citrix Application Delivery, and they want to simplify the process for both the customer and themselves as much as possible.  Maybe the deployment of the solution is a standalone environment and not to be part of a bigger farm.  Maybe there are reasons that their solution should run on dedicated server(s) and they simply join an existing farm.  In either case, by deploying their solution as a VADA (I'll let marketing guys change this acronym later), they can greatly reduce their installation/deployment cycle, and spend more time on training the customer on use of the solution, thus increasing customer satisfaction (VADA Bing VADA Boom!).  Post-installation maintenance should also be lower, being a large percentage of the OS and application installation has been automated by creation of the tested baseline virtual machine image which already contains the OS, XenApp and the published application, all following best practices established in the ISVs controlled lab environment.

So why not just jump on this band wagon today?  As always there's a few "gotchas". 

-          Licensing - while a bit easier on the Linux side, what we are discussing here is Microsoft Servers and Citrix Application Delivery products.  Usually ISVs do not have access to distribute licenses for either of these.

-          Server Virtualization Platform - So which platform does the ISV support (XenServer, VMWare, HyperV).  I think you can see some of the benefits of having a standard virtual machine image format, and why it's good that 2 of the 3 vendors listed are working towards such a standard. 

-          Please add your "gotchas" below.

 Intent of this thread is not to indicate the right or wrong way to approach the above scenario, but to get your feedback and ideas on the concept.  I find this concept very intriguing.  So give us and the other readers of this blog your input below.  Respond with your "gotchas" or respond to others "gotchas" on how they should be resolved.  I'll be sure to send a link to this post to our interested ISV partners, so they get the input.

I kicked it off, help me finish it! 

References:

Satori Group VADA blog post

Posted at 25 Mar @ 5:56 PM by Adam Marano | 3 Comments
Reminder - XenDesktop Beta Video Tips Contest

You still have until this Friday by midnight to get in your video tech tip for the first leg of the XenDesktop Beta Video Tips Contest.
You have to place in the top 10 of one of the four bi-weekly votes to be entered to win the top prize - a 16 GB iPod Touch.



Your video could be as short as a minute or two, so it will not take you long to get it done. Follow this link to get the contest rules.

Posted at 25 Mar @ 9:36 PM by Barry Flanagan | 0 Comments
  2008/03/26
XenDesktop shines in graphics delivery
Last changed: Jul 30, 2009 14:09 by Derek Thorslund
Labels: graphics, ica, xendesktop, hdx, xendesktop, multimedia virtualization, hdx, lang-eng

As more and more people experience the recent beta release of XenDesktop, the value of Citrix's ICA protocol in delivering graphics is getting a lot of notice. ICA is shining in environments where network latency puts other protocols to shame.

Here are a couple of recent video blog posts that capture the performance advantages of ICA for graphical content. The first video (click here to view) shows the simple and common task of dragging an image across the screen, as you might do when editing a PowerPoint. The second video (click here to view) shows a CAD viewing and publishing application, eDrawings from SolidWorks. These are good examples of how ICA technologies such as SpeedScreen Image Acceleration and SpeedScreen Progressive Display optimize the user experience.

Derek Thorslund
Product Strategist, Multimedia Virtualization

Posted at 26 Mar @ 2:53 PM by Derek Thorslund | 4 Comments
  2008/03/27
HelpDesk Tool - ICA and RDP Version checker
Last changed: May 01, 2008 09:13 by Gus Pinto
Labels: ica, cdn, frameworkx, xenapp, citrix client, lang-eng

This little application verifies the version of both Citrix Client and the Remote Desktop Client.
It's a cool app that your help desk can run on client machines, so it does not have to rely on users to tell you what version they are running.

This tool was written by our good friend Alex, author of iShadow and fellow Microsoft MVP.





Download: ICA RDP Version Checker 

Gus Pinto, Microsoft MVP
Technology Evangelist
Frameworkx.com

Posted at 27 Mar @ 2:18 PM by Gus Pinto | 4 Comments
Why bother with Application Virtualization from both Citrix and Microsoft?
Last changed: Mar 27, 2008 19:59 by Tim Graf
Labels: architecture, lang-eng, nonspecific

It's been a month and a half since I suggested here using the respective Citrix and Microsoft application virtualization together on client devices and I'm curious what's on people's minds. I know, the idea sounds counter-intuitive, but my colleague Joe Nord explains how exactly it works in his post on the subject, so the mechanics are clear.

People are picking up on it, including Ruben Spruijt, who pointed it out in an article on BrianMadden.com. So did Chad Jones, the Product Manager for Microsoft Application Virtualization, in a post on TechNet. In the last week alone, I've fielded questions from a couple of customers on the subject and the first question both times was why?

There are limitations for both solutions. MAV can't handle 64-bit environments and as I noted in my post on which applications not to virtualize, Application Streaming can't isolate all services. Both of these customers had these requirements so it makes perfect sense to leverage both solutions, especially if they can work together.

So why not try it? I'd love for somebody to prove me wrong.

Posted at 27 Mar @ 7:54 PM by Tim Graf | 3 Comments
Geek Speak at Citrix Synergy

You may have heard by now that iForum is now called Synergy, and will be held May 20 - 23 in Houston. I'm working on a new track called "Geek Speak", which will be the most truly techie part of the whole event.

But before I go any more into what we are planning, I just wanted to emphasize that Synergy is replacing the usual iForum event - meaning there will be no iForum in October. So, if you head down to Orlando in October expecting the usual iForum activity, all you might be seeing there is Goofy (and maybe feeling a little goofy yourself).

Our objective for Geek Speak is for it to be an informal event in which you can meet with like-minded people to discuss (and even argue) about the technical aspects of App Delivery. We'll have a number of recognized SMEs from outside as well as inside Citrix leading some of the discussions, but there will also be the opportunity for attendees to suggest and even lead additional discussion topics which will be voted on before and during the event.

We are going to be a bit more relaxed than previously about the topics that can be discussed at this event. You can expect to see quite a few of our CTPs there talking about the topics dearest to them, as well as a few of our Citrite technical superstars. There will be no PowerPoint allowed, with each topic being started by a short discussion followed by open Q&A. If a particular discussion goes over time, everybody still interested in keeping it going will move over to a corner of the room to continue while we allow for the next speaker to start.

I've decided that the theme for this year's inaugural Geek Speak will be "tips, techniques, tools and toys". While the discussions can fall outside of this theme, we will have an area set aside to show off tools and gadgets that the community thinks are cool.

I'll keep you posted with how it all develops, and also keep an eye out for blogs from Gus Pinto & Barry Flanagan who are working with me on this event.  Let me know if you have any ideas for topics or the event in general by posting a comment.

Posted at 27 Mar @ 11:07 PM by James Rabey | 1 Comment
  2008/03/28
Just Added to XenApp Platinum!!!!
Last changed: Mar 28, 2008 08:46 by Jill Alexander
Labels: xenapp, platinum, branch-repeater, xenapp, wan optimization, lang-eng

Another reason you should be using XenApp Platinum edition: WAN optimization!  The newest feature just added to the complete application delivery system.

What is actually being added?  Now every Platinum license entitles you to use the WANScaler client.

What are the benefits of this feature? 

  • Allows the home-based, mobile, or small office user to enjoy the benefits of WAN optimization in situations in which an appliance cannot be readily deployed
  • Offers comprehensive TCP flow control, advanced compression, and advanced application protocol optimizations to enhance productivity for PC users
  • Compatible with a wide range of secure remote access technologies, including popular IPsec implementations and Citrix Access Gateway Standard and Advanced Editions.
  • Read more here

Will this optimize ICA traffic?  This has been a little tricky.  ICA is already extremely optimized.  In fact, we all know that ICA is one of our biggest competitive advantages.  However, this is something that we are actively testing.  Stay tuned for more information on this soon.

How do I start using this feature? 

  1. Again, you must have a XenApp Platinum license with valid subscription as of 1/1/08 (which all Platinum customers will have since it's only been in the market for just a year now)
  2. Login to MyCitrix>Support>Downloads>Clients>WANScaler Client or simply click here to download the WANScaler client
  3. You will also need either the Citrix WANScaler 85xx or 88xx series appliance, available for purchase separately

When can I start using this feature?  NOW!

Watch for more information to come out in your customer newsletter and channel flash communications.

Posted at 28 Mar @ 8:46 AM by Jill Alexander | 2 Comments
RadeRunSwitches - Application Streaming
Last changed: Apr 04, 2008 15:14 by Joseph Nord
Labels: architecture, lang-eng, nonspecific

Supporting administrators using Application Streaming, one of the items that comes up from time to time is RadeRunSwitches.  They can be a good tool for running applications and even more important, for debugging the operation of a streamed application. 

This post describes the undocumented switches...

The Application Streaming client exists as part of Presentation Server 4.5 and later versions.  It works in conjunction with the PNAgent Win32 ICA Client as well as the Web Interface clients that run on the Windows platforms.  This is true both on user machine "client side" as well as server hosted, stream to server.

The icon placement and decision to launch an application happen in PNAgent and/or the Web Interface. These two components eventually toss the execution over the wall to the Streaming Client who does the actual work of running the Streamed application.  In the diagram below, the Streaming Client components are in green and the publishing components are in blue.


The executable that receives the launch request is RadeRun.exe.    RadeRun's mission is to carry out the launch request, via a single set of code that may be called from multiple sources.  Classic computer science stuff here; implement the launch logic once and you can be confident that if it works for one, it will work for the other and you get a single point of maintenance.    The "true" flow between the various components is a bit more involved than the above, but in principle, this is how it works.

Back to the beginning

In the earliest days of Application Streaming development, the PNAgent and Web Interface teams were not yet engaged.   All execution of applications started with RadeRun.   Early programming, testing and proof of concept were all done using RadeRun.exe as a command line utility to trigger the execution of streamed applications.  Some of this legacy remains even though PNAgent and the Web Interface are now quite capable of communicating with the streaming service without an intermediary. 

Isolation layers

In a minute, I will go through each of the switches to RadeRun - but first it helps to have an understanding of the isolation layers used in Application Streaming.

The application views the machine from above looking down.  The higher levels are like panes of glass laid on top of a business desk. The desk represents the true disk and true registry of the execution machine.  The application is above looking down and the layers of isolation glass "mask" the application's view of the true machine.    The layer of glass in the middle is read only at application execution, but was writable during profiling.  This layer represents the execution image for the application and is sometimes called the "InstallRoot" in documents describing Application Streaming.

The top layer is a per-user image and is writable at application runtime.  The application view of the true machine is masked from top to bottom, first by the per-user space and then by the installation image.   The application runs from above, looking down through the panes of isolation glass and since the middle layer represents what was written during profiling and since the top layer of glass starts clear, the initial application view of the machine is what existed at profiling.  The application believes it is installed - when it is not.  Each user gets their own top layer of glass and it is this layer that is writable at runtime.  This way, if an application writes to isolated spaces at runtime, that write is held in the per-user space.  Put it all together and applications not written for clean execution on a multi-user system can run without conflict.  More, the per-user pane of glass stays with the user's profile and can follow them from session to session.

The above applies to both disk and registry.  It also applies to COM objects and the system's named addressable items like PIPES and named semaphores.

Lies, damn lies and statisticians:

The execution image (middle layer) is not really there.  Instead the isolation system lies and tells the application that the installation image is present on the machine and this reduces the amount of stuff that has to be brought down to the execution machine to run the application.  Many applications, particularly big ones, only reference a small portion of the stuff they install.  More classic computer science stuff says that if you can put off copying that data to the execution machine long enough, maybe you can avoid it permanently. 

Now - you'll notice a few important things.  Files that need to be there aren't and the isolation system has to do stuff to make them look like they are there and eventually, when actually needed, it has to make them really there, pausing and resuming the executing application while filling the missing content.  Worse, complicated things like Short File Names exist on the profiling machine and these names need to be maintained all the way to execution machine even if the TRUE short file name on the execution machine doesn't match the one that was used during profiling.  The application must see the SAME name no matter what and there is no reliable system API to make this happen.  The list goes on - bottom line is that there's lots of work to make these layers work and this means that there is lots of testing needed to prove that it works.

Proving it works

Once the execution cache becomes "full", very few runtime cache fills occur.  If you're in the business of testing the cache fill logic, this is no good.   Consider "stress" test in one of the Citrix labs.  The test is 100s of servers, 30 users on each server with all the users all running a variety of streamed applications.   The test then runs for about 24 hours and if anything ever fails, the test stops and your phone rings.  "They don't call it the stress lab for nothing!".

How can testers get the cache empty when the cache is being filled?

Answer: Backdoor logic to tell the streaming service to purge the cache before the application starts. Variations of this exist to control flushing all of the layers in the isolation system and to control "when" the flushing occurs.    This backdoor logic is controlled via command line arguments to RadeRun.exe.  There's one trick.  RadeRun.exe is not directly used for testers or users to launch applications. Instead, the applications launch via the web interface or PNAgent.   

Quandary:  If you don't "run" RadeRun directly, then how do you give it command line arguments? 

Answer: Registry key

HKLM\Software\Citrix\Rade\RadeRunSwitches (Reg_SZ)

RadeRun still accepts directly provided command line parameters, but it also checks a registry key for additional parameters.  With this, you can give command line arguments to the Streaming Client launcher even though you're not directly using RadeRun to trigger the execution of an application.

Everything so far has discussed "why" RadeRunSwitches exist.  We can finally get to what they are.

RadeRun.exe command line parameters

Specify using registry: HKLM\Software\Citrix\Rade\RadeRunSwitches (Reg_SZ)

c    clear execution cache before app opens

C   clear execution cache and per-user cache before app opens

d    clear execution cache after app closes

D    clear execution cache and per-user cache after app closes

e    Pre-fill everything into the execution cache

x    launch cmd.exe inside of isolation when launching the streamed application

Example contents: "-C -x"

Are they documented or undocumented?

Now that I've written this, they are documented.  That said, in theory, with the exception of -x, they aren't needed much or more precisely - shouldn't be needed much.   The sections below will give more color to each of the switches;  what they do and where they should be used.

-c

Useful for the Citrix test groups to cause high-exercise for the isolation system's cache fill logic. Not really useful for customers as it results in all application launches being a first time launch, and first time launches are "slow" compared to a second time launch.

-C

Same as the lowercase version, but clears BOTH the execution cache and the per-user cache.  People still tend to code this as -c -C when running the switches.  It actually makes more sense to me that -c should control the execution cache and -C control the per-user cache, but that isn't how it is.

-d

Useful for the Citrix test groups to cause high-exercise for the isolation system's cache fill logic.  In some cases, this one is useful for customers. If you have "secret" stuff that is part of your execution image and you want it "gone" after the application terminates, then -d can be an answer.  I'll add that the execution cache is DACL protected and users who are not running the application "right now" can't see it.  That said, some folks have good reason to be paranoid and this switch tells the streaming client to purge the cache when the application terminates.  Notice that -d, like -c, will cause the next launch to be "a first time launch" every time, and first time launches are "slow" compared to a second time launch.

I normally recommend avoiding -c and -d and instead using a post-exit script to delete just the smallest amount of secret stuff.  This way, the application launches are not first time penalized and the secret stuff is gone after execution.   The post exit script deletes the secret stuff and the next launch brings it back with a runtime cache fill.  Presumably, the secret stuff is small compared to the whole app.

-D

Same as the lowercase version, but clears BOTH the execution cache and the per-user cache.

-e

No longer needed.   In my first rounds of "documenting" RadeRunSwitches, I didn't even put this one on the list.  -e was created during development to allow the isolation system to run applications even before the cache fill logic was coded.   Today, it is sometimes used to diagnose a suspected cache fill error - or more precisely, a suspected "escape" from isolation.  If an application "works" with -e and doesn't work without it, then it implies that something isn't being isolated right and needs to be diagnosed. I do not recommend the use of -e in production systems but it can be useful in debugging applications.

UPDATE (04-Apr-08): I have been told of a worthy use of -e.   If an application is run with -e enabled as a part of a maintenance activity, then the entire cache can be filled, and then -e turned off.  This serves as a means of ensuring the fastest possible launch time for users even if no user has ever logged on to that client machine or server.  Application Streaming still does all the central publishing and application isolation stuff, but the streaming part is not really used.  Interestingly, in this scenario, RadeRun.exe can be used directly.  It's fun to see how stuff gets used.

-x

This is my absolute favorite of the bunch and the real reason for documenting the switches. 

Notice that -x has nothing to do with cache management.   When profiling and testing profiled applications, it is often useful to have a command prompt or other utility running next to the streamed application and "seeing what the app sees".   Adding CMD.exe to the application profile and then publishing it is one way to get this accomplished.  This was common during the early days of Application Streaming development - until the developers got tired of repeatedly publishing a command prompt with every created profile.   Adding a switch to the RadeRunSwitches allows very quick addition of an in-sandbox command prompt for any streamed application.  This simplifies diagnosis of failing systems because you don't have to ask the person that created the profile to go back and change it to add debugging information.  Regedit to add the switch, launch the application and "poof!" a command prompt inside the same isolation environment as the launched application.

TIP: If you're debugging more than one application at a time, it is useful to use the "title" command to label your command prompts.

If you run regedit, from the command prompt, then regedit will see the view of the system that the isolated application sees, handy.  Do know though that you need to not have regedit already running for this to work because a second instance of regedit kicks the execution over to the first and then terminates.

Killing sandboxes: If you're running applications and particularly if you're writing scripts for your profile, you need to know that the sandbox does not terminate until all of the isolated applications in that sandbox terminate.  The started command prompt is "part of the sandbox" so it too must close for the sandbox to end. 

Wrap up

I hope this information is useful.  If you have comments or ideas for other switches, post here or let me know.

Joe Nord
Product Architect Application Streaming, Citrix Systems, Fort Lauderdale, FL

Posted at 28 Mar @ 9:33 AM by Joseph Nord | 6 Comments
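A toy model of the isolation layers and cache switches described in the post above. It is an added example, not Citrix code: the `StreamedApp` class, the paths and the rule that every write is treated as a write to isolated space are assumptions made for illustration, as is the switch syntax (whitespace-separated, one letter each, as in "-C -x").

```python
KNOWN_SWITCHES = set("cCdDex")


def parse_switches(value):
    """Parse a RadeRunSwitches string such as "-C -x" into a set of letters.

    Assumption: whitespace-separated tokens, each a '-' followed by one letter.
    """
    found = set()
    for token in value.split():
        if len(token) != 2 or token[0] != "-" or token[1] not in KNOWN_SWITCHES:
            raise ValueError(f"unrecognised switch: {token!r}")
        found.add(token[1])
    return found


class StreamedApp:
    """Three layers: per-user (top), execution image (middle), true machine."""

    def __init__(self, true_machine, install_image, switches=""):
        self.true_machine = dict(true_machine)    # bottom: real disk/registry
        self.install_image = dict(install_image)  # what profiling captured
        self.exec_cache = {}                      # part of the image held locally
        self.per_user = {}                        # user -> writable top layer
        self.switches = parse_switches(switches)
        self.runtime_fills = 0                    # on-demand cache fills so far

    def _clear(self, user, per_user_too):
        self.exec_cache.clear()
        if per_user_too:
            self.per_user.pop(user, None)

    def launch(self, user):
        """Apply the before-open switches; return True if -x asks for cmd.exe."""
        if "C" in self.switches:
            self._clear(user, per_user_too=True)
        elif "c" in self.switches:
            self._clear(user, per_user_too=False)
        if "e" in self.switches:                  # pre-fill: no lazy fills later
            self.exec_cache.update(self.install_image)
        self.per_user.setdefault(user, {})
        return "x" in self.switches

    def close(self, user):
        """Apply the after-close switches."""
        if "D" in self.switches:
            self._clear(user, per_user_too=True)
        elif "d" in self.switches:
            self._clear(user, per_user_too=False)

    def read(self, user, path):
        """Look down through the panes: per-user, then image, then true machine."""
        top = self.per_user.get(user, {})
        if path in top:
            return top[path]
        if path in self.install_image:
            if path not in self.exec_cache:       # runtime cache fill
                self.exec_cache[path] = self.install_image[path]
                self.runtime_fills += 1
            return self.exec_cache[path]
        return self.true_machine[path]

    def write(self, user, path, data):
        """Writes land in the caller's per-user layer only."""
        self.per_user.setdefault(user, {})[path] = data


def demo():
    """Constructed sample: a second launch with -d pays the fill cost again."""
    image = {"C:/App/app.exe": "v1", "C:/App/help.chm": "help"}
    app = StreamedApp({"C:/Windows/win.ini": "real"}, image, "-d")
    for _ in range(2):
        app.launch("alice")
        app.read("alice", "C:/App/app.exe")
        app.close("alice")
    return app.runtime_fills


if __name__ == "__main__":
    print("runtime fills over two launches with -d:", demo())
```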
XenDesktop and Active Directory

If you have followed the discussions in the XenDesktop forums, or - even better - if you've tried the beta version of XenDesktop, you'll be aware that it integrates with Active Directory. Indeed, in particular the Desktop Delivery Controller (DDC - the component responsible for brokering end users to their virtual desktops) has a strong dependency on AD, and stores some data in AD that relates to security and determines how virtual desktops discover and communicate with desktop delivery controllers. Several questions have come up on this integration, and on what is actually stored in Active Directory. This post will show in more detail what's going on under the covers. Just a note of caution: the information in this post reflects the beta release of XenDesktop; however we're not expecting major changes in this area in the final release.

When you install a DDC server, an "AD set-up wizard" will start towards the end of the installation. When you install the first DDC in a farm, the wizard will ask you for the location of an OU, and will populate it with the data that XenDesktop needs to link up virtual desktops and DDCs, and to secure their communication paths. Whenever you install an additional DDC or remove one, the wizard will also start, and add or remove the DDC-specific information from that OU, although you won't typically see this, because it happens without the wizard GUI actually popping up. You can also run the wizard manually at any time, it's installed in the start menu on a DDC, and you can also run it from the command line (c:\program files\citrix\xendesktop server\adsetup.exe; use the 'rungui' option to start the GUI wizard).

When the wizard is running for the first time, it asks you to choose an OU for that farm, as shown in the previous screen shot. Every DDC farm needs a separate OU. The OU can be at an arbitrary level of a domain, and the OU does not need to contain the computer accounts for either the virtual desktops or the DDC servers (although it'd be best practice for the DDC servers to live in the farm's OU). If the user running the wizard has sufficient privileges, they can choose to create a new OU (tick the check box in the wizard). Alternatively, a domain administrator can pre-create an empty OU, and give the XenDesktop administrator running the wizard sufficient delegated privileges over that OU (you'll need 'create child' permissions). In that case, you should select that empty OU in the wizard by using the AD browser, as shown in the example above.

Now let's look at the data that shows up in the OU after the wizard has completed. The following screen shot shows that the OU contains one security group, one service connection point (SCP), and a container that contains another service connection point object:

The 'Controllers' security group is used by virtual desktops to ensure that only authorized DDCs that are members of the farm can broker and control connections (I'll explain how virtual desktops figure out where to find this security group in a moment). Whenever a DDC invokes one of the web services implemented by the virtual desktop, the VDA (Virtual Desktop Agent, the XenDesktop component that you install on a virtual desktop) will check that the caller is a member of this security group. When you add DDCs in the AD set-up wizard, as shown in the following screen shot, one of the things it does is to add the computer account for the DDC into this security group. Because the OS service that invokes web services on the VDA runs using the NetworkService predefined account on the DDC, the VDA will see incoming calls as using the DDC's computer account. You need to exercise caution in which computer accounts are made a member of this group, because all VDAs in your farm will trust these computers to control them.

Next, the farm's OU contains a 'Farm SCP'. This is an object that contains some markers in the keyword attribute, which define the enclosing OU to be a XenDesktop OU. The keywords include a couple of GUIDs as well as the name of the farm prefixed by XDFarm:, as shown in the following screen shot.

By virtue of being a marker, the farm SCP allows the VDA installer to present a list of farms that the virtual desktop can join: when the installer runs, it searches the global catalog for all SCPs that contain the XenDesktop GUID in their keywords, and lets the user select one of the farms. This results in a registry entry being written to the registry on the VDA, as shown in the following screen shot. The FarmGUID contains the AD GUID of the OU that contains the farm SCP chosen in the installer (i.e. the OU's objectGUID attribute). You can also set this after installing the VDA, and we'll provide a group policy template that you can use to set an equivalent registry entry through policies.

If you need to find this GUID, it's also displayed in the farm's read-only properties in the AMC, as shown below:

The final piece of information stored in the farm's OU lives in a separate 'RegistrationServices' container. This contains one SCP object per DDC in the farm, and the SCP object's name is the GUID of the computer object in AD that represents the DDC (in my example, my server called ddc.martinm.local is represented by the DDC$ object in the Computers container, and that object's objectGUID attribute contains the value 84d879b8-...). This is the second piece of data that the AD set-up wizard writes to the OU when a new DDC is added. The SCP again contains a number of GUIDs and other information in its keywords attribute that mark it as a XenDesktop server SCP; this is similar to the farm SCP. In addition, it also contains the URL and binding information of a 'registration' web service that runs on every DDC, and which VDAs use to register themselves with the farm. The AD set-up wizard creates the SCP for each DDC and gives each DDC write access to its SCP. Every time the DDC starts it validates that the information in the SCP is still accurate, and updates it if necessary (e.g. if you change the TCP port used by the DDC).

Using this information, a VDA on a virtual desktop gets linked into the farm as follows: the VDA starts up, reads the farm OU GUID from its registry. It then attempts to bind to AD through LDAP, and checks that the OU is indeed a valid XenDesktop farm OU (by checking the farm SCP). It then enumerates all registration service SCPs by querying AD for all SCPs with the right keywords (GUIDs), scoped by the farm's OU. Finally, it reads the registration web service address from the SCPs it finds. This way, it ends up with a list of web services that it can invoke to register with a farm. If the server it is registered with fails, it can simply pick another one.

Finally, here's a list of other AD-related information that's relevant for XenDesktop:

  • You don't have to use the AD set-up wizard. If you want to, you can create all the objects in the farm's OU manually, e.g. through tools such as AD explorer. However, you should be careful to get the keywords in the SCPs right (all GUIDs are constant, but the farm name must be correct), and you need to be careful with who has permissions to change these objects, as mentioned above.
  • While the farm OU, computer accounts, and user accounts can all live in different AD domains, all these domains must be in the same AD forest - VDAs and DDCs must be able to resolve each other's identity (Windows Communication Foundation uses Kerberos to authenticate machines), and of course end users must be able to log on. You must also run the AMC on a machine that is a member of a domain that is trusted by the AD domains containing the computer and user accounts (or run it with a user account that is trusted), otherwise it will not be able to resolve user and computer names and you'll end up with SIDs displayed instead. 
  • XenDesktop supports all AD functional levels. However, if you're running in Windows 2000 mixed mode, restrictions on the scope of security groups mean that the farm OU and the DDC computer accounts must be in the same domain (as pointed out above, it'd be best practice to put the DDC computer accounts into the farm OU anyway).
  • The names of the objects in the XenDesktop farm OU are hardcoded and cannot be changed. We have found that some AD environments have very strict policies as to where objects, in particular security groups, can be located and how they are named. If the 'Controllers' security group is not suitable in your environment, you can use an arbitrary security group located anywhere in your forest instead. To do this, you must create this group according to your AD policies, populate it with the computer accounts of the DDCs in your farm, and then set the following registry entry on all the VDAs in your farm: the key HKLM\Software\Citrix\ADConfig needs to contain a string value called ServersGroupGuid, and the contents of this value must match the objectGUID attribute of the custom security group (without curly brackets). You can also set this registry entry on the DDC servers, before installing the DDC software: if you do so, the AD set-up wizard will add and remove the DDC computer accounts from the right (i.e. your custom) security group automatically.
  • For mutual machine authentication through Kerberos to work, the DDC and VDAs must be able to resolve each other's DNS names; also, Kerberos is quite picky and you'll encounter authentication errors if there's a significant clock skew between the machines (the default settings allow the clocks to drift by up to 5 minutes).
  • If you run your virtual desktops as VMs and suspend them for prolonged periods of time, they may get out of sync with computer password changes made by the domain controller. There are a range of Microsoft KB articles on this topic which you may want to check out (be aware of the associated security risks, though). The good news here is that if you use Provisioning Server, it can take over AD computer account management for you, so you don't have to worry about this.
Posted at 28 Mar @ 3:01 PM by Martin Maierhofer | 4 Comments
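The VDA-side steps described in the post above (farm OU check, registration service discovery scoped to the farm OU, the controller group trust check and the ServersGroupGuid override), modelled over an in-memory directory. This is an added example, not XenDesktop code: the marker strings stand in for the fixed keyword GUIDs the post mentions but does not list, and every GUID, account name and URL is constructed.

```python
import uuid

FARM_MARKER = "EXAMPLE-FARM-MARKER"          # placeholder for the farm SCP GUID
REG_MARKER = "EXAMPLE-REGISTRATION-MARKER"   # placeholder for the server SCP GUID
FARM_OU = "11111111-1111-1111-1111-111111111111"
REG_BOX = "22222222-2222-2222-2222-222222222222"
CUSTOM_GROUP = "33333333-3333-3333-3333-333333333333"
OTHER_OU = "44444444-4444-4444-4444-444444444444"
URL1 = "http://ddc1.example.local/registrar"   # constructed URLs
URL2 = "http://ddc2.example.local/registrar"


def obj(kind, name, parent, guid=None, **extra):
    return dict(kind=kind, name=name, parent=parent, guid=guid, **extra)


SAMPLE_DIRECTORY = [                           # constructed sample data
    obj("ou", "XD-Farm", None, FARM_OU),
    obj("scp", "Farm SCP", FARM_OU, keywords=[FARM_MARKER, "XDFarm:Lab"]),
    obj("group", "Controllers", FARM_OU, members={"DDC1$", "DDC2$"}),
    obj("container", "RegistrationServices", FARM_OU, REG_BOX),
    obj("scp", "ddc1-guid", REG_BOX, keywords=[REG_MARKER], url=URL1),
    obj("scp", "ddc2-guid", REG_BOX, keywords=[REG_MARKER], url=URL2),
    # Objects outside the farm OU: the SCP must be ignored by discovery.
    obj("scp", "stray", OTHER_OU, keywords=[REG_MARKER], url="http://other.example.local/"),
    obj("group", "SEC-XD-Brokers", OTHER_OU, CUSTOM_GROUP,
        members={"DDC1$", "DDC2$", "WEB07$"}),
]


def canon(guid_text):
    """Canonical GUID string; the registry values are written without braces."""
    if "{" in guid_text or "}" in guid_text:
        raise ValueError("write the GUID without curly brackets")
    return str(uuid.UUID(guid_text))


def children(directory, parent_guid, kind):
    return [o for o in directory if o["parent"] == parent_guid and o["kind"] == kind]


def registration_urls(directory, registry):
    """Validate the farm OU through its farm SCP, then list registration URLs."""
    farm = canon(registry["FarmGUID"])
    if not any(FARM_MARKER in s["keywords"]
               and any(k.startswith("XDFarm:") for k in s["keywords"])
               for s in children(directory, farm, "scp")):
        raise LookupError("OU is not a XenDesktop farm OU")
    urls = []
    for box in children(directory, farm, "container"):
        if box["name"] == "RegistrationServices":
            urls += [s["url"] for s in children(directory, box["guid"], "scp")
                     if REG_MARKER in s["keywords"]]
    return urls


def trusted_group(directory, registry):
    """Custom group by objectGUID if ServersGroupGuid is set, else 'Controllers'."""
    custom = registry.get("ServersGroupGuid")
    if custom:
        wanted = canon(custom)
        found = [o for o in directory if o["kind"] == "group" and o["guid"] == wanted]
    else:
        found = [g for g in children(directory, canon(registry["FarmGUID"]), "group")
                 if g["name"] == "Controllers"]
    if len(found) != 1:
        raise LookupError("trusted controller group not found")
    return found[0]


def authorize_call(directory, registry, caller_account):
    """Accept a web service call only from a member of the trusted group."""
    return caller_account in trusted_group(directory, registry)["members"]


def register(urls, reachable):
    """Pick the first registration service that answers (simple failover)."""
    for url in urls:
        if url in reachable:
            return url
    raise ConnectionError("no registration service reachable")


def unexpected_controllers(directory, registry, approved):
    """Audit: members every VDA will trust that are not on the approved DDC list."""
    return sorted(trusted_group(directory, registry)["members"] - set(approved))


if __name__ == "__main__":
    reg = {"FarmGUID": FARM_OU, "ServersGroupGuid": CUSTOM_GROUP}
    print(register(registration_urls(SAMPLE_DIRECTORY, reg), {URL2}))
    print(unexpected_controllers(SAMPLE_DIRECTORY, reg, ["DDC1$", "DDC2$"]))
```

In the constructed data the custom group contains one computer account that is not a DDC, which is the condition the post warns about: every VDA pointed at that group would accept control calls from it.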
  2008/03/31
New Client-side Application Virtualization capabilities in Project Delaware release of Citrix XenApp
Last changed: Mar 31, 2008 15:06 by Tim Graf
Labels: architecture, lang-eng, nonspecific

Project Delaware is the code name for the next major release of Citrix XenApp™ (the new name for Presentation Server) and it will include some major improvements in application virtualization. You can pre-register for the upcoming Delaware early release program and try out all the new capabilities for yourself. The program will begin in late April, so don't miss out. You will receive an email as soon as the code is available for download from MyCitrix. Please note that in order to participate, you will need to have access to Windows Server 2008 RTM code from Microsoft.

I'd love to hear what you think about the new Delaware features after you try them out.

Posted at 31 Mar @ 2:23 PM by Tim Graf | 1 Comment