Welcome to TechEdge


Transcript of Welcome to TechEdge

Page 1: Welcome to TechEdge

Welcome to TechEdge

Page 2: Welcome to TechEdge

Why Use Twitter @ TechEdge?

• Back channel for real-time conversations

• Broadcast key takeaways

• Ask questions

• Event feedback

Page 3: Welcome to TechEdge

How to Use Twitter During TechEdge

• Twitter will appear on projector screen during:
  • Breaks
  • Q&A

• Wireless access code: CTXS_Synergy_TE

• Join the Conversation
  1. Contribute: Include #TechEdgeC as part of each Tweet
  2. Follow: Visit http://search.twitter.com. Enter #TechEdgeC

Page 4: Welcome to TechEdge

Follow Citrix Tech Support on Twitter

• Join the Conversation and follow Citrix Tech Support: @citrixsupport

• Owner: Mike Stringer - Sr. Director, Americas/India Support

Page 5: Welcome to TechEdge

TechEdge 2009

Citrix Delivery Center

Page 6: Welcome to TechEdge

Presenters

• Kapildev Ramlal – Sr. Escalation Engineer (XenDesktop, XenApp)

• Keith McLaughlin – Escalation Engineer (Provisioning Server)

• Jacob Maynard – Sr. Escalation Engineer (Access Gateway Enterprise Edition)

• Don Williams – Escalation Manager (NetScaler)

Page 7: Welcome to TechEdge

Citrix Delivery Center Intro

Agenda

XenDesktop and XenApp

XenServer

Provisioning Server

Access Gateway Enterprise Edition

NetScaler

Page 8: Welcome to TechEdge

Citrix Delivery Center

Page 9: Welcome to TechEdge
Page 10: Welcome to TechEdge

XenApp

Page 11: Welcome to TechEdge

• Citrix XenApp was formerly known as Citrix Presentation Server

• Prior to Citrix Presentation Server, it was known as Citrix MetaFrame, and prior to that, Citrix WinFrame

• It is the heart of Application Virtualization

• It delivers applications as an on-demand service to users anywhere using any device

Introducing Citrix XenApp

Page 12: Welcome to TechEdge

• Utilizes a Farm concept

• A server farm is a logical grouping of servers running XenApp that share a data store

Citrix XenApp Architecture

(Diagram: one Data Store shared by XenApp servers in New York, Florida and California)

Page 13: Welcome to TechEdge

• Independent Management Architecture (IMA) - Infrastructure for inter-server communication

• A collection of subsystems that control the various features of the Citrix XenApp family of products

• IMA helps in centralized administration of the farm

• Implemented in the form of a Windows Service (managed by the Service Control Manager)

Citrix XenApp Architecture – IMA

What is IMA?

Page 14: Welcome to TechEdge

• A subsystem is a DLL (*.dll) file.

• Subsystems allow for a modular plug-in architecture.

• The subsystem DLL files can be found typically in the following directory:

x86 Location

Program Files\Citrix\System32\Citrix\IMA\Subsystems

x64 Location

Program Files (x86)\Citrix\System32\Citrix\IMA\Subsystems

Citrix XenApp Architecture – IMA Subsystems

Page 15: Welcome to TechEdge

• The Farm relies on data

• The IMA service is the backbone of the Farm, and is responsible for manipulating the Farm's data

• Each XenApp server runs the IMA service

• There are 2 main forms of data:

• Static Data
  • Data which changes infrequently, such as published applications, Citrix Administrators, Citrix policies, etc.

• Dynamic Data (Dynamic Store)
  • Data which changes frequently, such as connected sessions, etc.

Citrix XenApp Architecture – Farm Data

Page 16: Welcome to TechEdge

The Dynamic Store

• The dynamic data is stored in in-memory tables on the Data Collector (Dynamic Store).

• The info can be viewed using the QueryDS.exe utility located in the following directory on the XenApp CD: w2k3\retail\Support\debug\w2k3

Citrix XenApp Architecture – Farm Data

Page 17: Welcome to TechEdge

• The Local Host Cache (Static Data)

• Is a subset of the Data Store containing information required only by that server

• Allows the server to operate if the Data Store goes down

• Must exist and be accessible for the IMA Service to start

• Is an Access database located on every XenApp server in the farm:

x86: Program Files\Citrix\Independent Management Architecture\imalhc.mdb

x64: Program Files (x86)\Citrix\Independent Management Architecture\imalhc.mdb

Citrix XenApp Architecture – Farm Data

Page 18: Welcome to TechEdge

Citrix XenApp Architecture – IMA Startup

(Diagram: the Service Control Manager starts IMASrv.exe, which loads ImaRuntimeSs.dll; the runtime then loads the plug-in subsystems listed under the registry key HKLM\Software\Citrix\MA\Runtime, where PSRequired=1 marks Required Plug-ins and PSRequired=0 marks Product Plug-ins. The Zone Data Collector and the LHC are also shown.)

Plug-in subsystems shown: ImaRpcSs.dll, ImaSrvSs.dll, ImaAppSs.dll, MfSrvSs.dll, MfBrowserSs.dll, ImaUserSs.dll, ImaDomain.dll, RMAlertsSS.dll, RMMonitorSS.dll, RMSummaryDBSS.dll, …

Page 19: Welcome to TechEdge

• A server farm can consist of one or more zones

• A server farm is typically divided into zones when the servers in the server farm are separated geographically

• Each zone has a data collector

• The data collector is responsible for collecting data from member servers and distributing it to other data collectors

• The first server in the zone is designated as the data collector for the zone, by default

Citrix XenApp Architecture - Zones

Page 20: Welcome to TechEdge

Citrix XenApp Architecture - Zones

(Diagram: Web Interface and XML Broker in front of a farm divided into Zone A, Zone B and Zone C)

Page 21: Welcome to TechEdge

Citrix XenApp Architecture – Change Notification

(Diagram: Zone A and Zone B, each with a Data Collector and several Member Servers; the Access Management Console and the Data Store connect to the farm. Port labels: 2513 between the console and the member server, 2512 between the other components.)

1) Change is made on the CMC via TCP port 2513

2) The member server writes the change to the DS and forwards the information to the DC via TCP port 2512

3) The DC updates the LHC on the member servers in its zones via TCP port 2512 and forwards the information to all the other DCs

4) The other DCs send the information to their member servers

Page 22: Welcome to TechEdge

From Logon to Launch

(Diagram: Client → Web Interface → XML Broker, with Active Directory, Member Services and the Data Collector (Data Store, Dynamic Store, LHC) behind it; the lists exchanged are Servers, Apps and Trusts)

Troubleshooting points shown along the path:

• IIS Logs, Network Trace, CDF Trace

• Verify User Logon Rights, Event Logs, Network Trace

• Authentication, XML Service, Basic Networking, CDF Tracing

Page 23: Welcome to TechEdge

XenDesktop Setup

Page 24: Welcome to TechEdge

Active Directory Integration

• Uses Kerberos to Authenticate DDC to VM traffic

• Desktops discover DDCs

• No Schema change

Page 25: Welcome to TechEdge

Active Directory Integration

• Create an OU for XD farm

• Run Active Directory Configuration Wizard

Page 26: Welcome to TechEdge

XenDesktop Setup Wizard

• Integrates with Hosting Infrastructure

• Creates multiple virtual desktops

• Integrates with PVS

Page 27: Welcome to TechEdge

Pool Management

Page 28: Welcome to TechEdge

Services Involved

• Citrix Pool Management Service

• Hosting Infrastructure
  • XenServer Pool Master
  • VMware Virtual Center
  • MS SCVMM

(Diagram: Pool Management Service → Pool Master → Virtual Machines)

Page 29: Welcome to TechEdge

(Diagram: the Desktop Delivery Controller runs the Pool Management Service, which talks to the Pool Master, which controls the Virtual Machines)

Page 30: Welcome to TechEdge

Troubleshooting

• Logging in Pool Management Service (CTX117452)

• XenServer logs

• CDF Tracing

• XDPing tool

Page 31: Welcome to TechEdge

XenServer

Page 32: Welcome to TechEdge

XenServer Benefits

Agenda

Provisioning VM with PVS

Live Migration Xenmotion

XenApp Performance

High Availability

Disaster Recovery

Page 33: Welcome to TechEdge

Why Virtualize?

• IT flexibility/agility

• Predictable scaling to dynamically respond to business need

• Key part of disaster recovery strategy

• Improve application availability

• Server or data center consolidation
  • Higher utilization leads to greater consolidation
  • Promotes greater centralization and security

• "Green Computing"
  • Consume less power, cooling, and real estate

• Support DevTest environments
  • Works for both IT shops and development houses

Page 34: Welcome to TechEdge

XenMotion – Live VM Movement

• XenMotion allows minimal downtime movement of VMs between physical systems

• Generally 150-200ms of actual “downtime”

• Most of the downtime is related to network switch moving IP traffic to new port

Page 35: Welcome to TechEdge

XenMotion Enables Zero Downtime

Shared Storage

Page 36: Welcome to TechEdge

XenApp Optimizations

• Specific performance optimizations for XenApp

• Pre-built VM Templates for installing XenApp on XenServer

Page 37: Welcome to TechEdge

Simplifying Disaster Recovery

(Diagram: Production Site and DR Site, each with its own Shared Storage)

1. Automated backup of VM metadata to SR

2. Replication of SR includes Virtual Disks and VM metadata

3. Attach replicated SR

4. Restore of VM metadata will recreate VMs

Page 38: Welcome to TechEdge

High Availability

• High availability (HA) provides automatic restarts for VMs in a resource pool

• When HA is enabled:
  • XenServer continually monitors the health of the servers in a resource pool

• XenServer uses heartbeats on the network and a storage device (Heartbeat SR) to determine the state of the servers in the resource pool

• If a server in the resource pool fails, the VMs running on it automatically restart on another server

• If the master fails, a new server is automatically selected to take over the master role

Page 39: Welcome to TechEdge

HA Requirements

Requirements for enabling the HA feature include:

• Shared storage, including at least one iSCSI or Fibre Channel LUN of size 356MiB or greater for the heartbeat storage repository

• A XenServer resource pool

• Adequate licenses on all hosts

• Agile VMs

Note: a separate shared storage setup is required for Metadata

Page 40: Welcome to TechEdge

Considerations for HA

• The iSCSI or Fibre Channel LUN is only required for the storage heartbeat.

• Only agile VMs can be protected by the HA feature

• An agile VM:
  • Has its virtual disks on shared storage
  • Does not have a connection to a local DVD drive configured
  • Has its virtual network interfaces on pool-wide networks

Note: It is a good practice to use a bonded management interface on the servers in the pool if HA is enabled, and multipathed storage for the Heartbeat SR

Page 41: Welcome to TechEdge

Configuring HA (XenCenter)

1. Verify the storage repository is compatible and is attached to the XenServer pool

2. Click on an entry for your resource pool in XenCenter. The HA tab appears in the main view.

3. If HA is configured, an overview of the system status displays. If not, a message appears stating HA is not enabled. Click Configure HA.

Page 42: Welcome to TechEdge

Configuring HA: High Availability Wizard (XenCenter)

4. Click Next after the High Availability dialog opens

5. Select a storage repository and click Next

6. Specify restart protection levels and click Next

7. Click Finish

Page 43: Welcome to TechEdge

Host Fencing

• If a server failure occurs, the XenServer self-fences to ensure that the VMs are not running on two servers simultaneously

• Server failure examples:
  • Loss of network connectivity
  • A problem with the control stack

• When a fence action is taken, the server immediately is restarted, causing all of the VMs running on it to stop. The other servers detect the VMs are no longer running and the VMs are restarted according to the assigned priorities. The fenced-server enters a reboot sequence and when it has restarted, it attempts to rejoin the resource pool

Page 44: Welcome to TechEdge

High Availability – XenServer Host

• Three Components
  • High Availability recovery plans created at startup, stored in statedb
  • Storage heartbeat to Quorum Vdisk
  • Network heartbeat over management interface

(Diagram: hosts 1, 2 and 3 sharing a SAN that holds the Quorum Database and the VDIs; callouts: Heartbeat to SR, Heartbeat to Network, State.DB Recovery Plans)

Page 45: Welcome to TechEdge

High Availability – XenServer Host

• Peer Based – Enable recovery plan
  • Servers 2 and 3 have not heard from Server 1 on the network
  • Servers 2 and 3 have not seen an update from Server 1 on the Quorum disk

• Self-Aware – Assume the HA plans are in play
  • Server 1 cannot see the Quorum disk
  • Server 1 has not heard from Server 2 or Server 3
  • Self Fence network – VMs are expected to be started elsewhere

(Diagram: hosts 1, 2 and 3, each with its State.DB, sharing a SAN that holds the Quorum Database and the VDIs)

• High Availability in the hypervisor
  • Kernel mode
  • Direct control over local interfaces
  • Never out of resources
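The two rules on the slides above (peers enable the recovery plan only when both heartbeats from a host are lost; an isolated host self-fences) can be modelled as a small decision function. The block below is an added example written for this page, not Citrix code: the HostView type, the host names and the two scenarios are constructed to show why the storage heartbeat matters when only the management network fails.

```python
"""Decision model for the XenServer HA rules on slides 43-45: the peer-based rule
(peers enable the recovery plan) and the self-aware rule (an isolated host
self-fences). Hypothetical model written for this page, not Citrix code; host
names and heartbeat observations are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class HostView:
    """What one host observed during the last heartbeat interval."""
    name: str
    sees_quorum_disk: bool                                   # can it read/update the heartbeat SR?
    net_heard_from: Set[str] = field(default_factory=set)    # peers heard on the management network
    disk_update_from: Set[str] = field(default_factory=set)  # peers whose quorum-disk slot changed


def peers_enable_recovery(views: Dict[str, HostView], suspect: str) -> bool:
    """Peer-based rule: the recovery plan for `suspect` is enabled only when every
    other host has lost BOTH heartbeats from it. A host that still updates the
    quorum disk is alive even if the management network is partitioned."""
    peers = [v for n, v in views.items() if n != suspect]
    if not peers:
        return False
    return all(suspect not in p.net_heard_from and suspect not in p.disk_update_from
               for p in peers)


def should_self_fence(view: HostView, pool: Set[str]) -> bool:
    """Self-aware rule: a host that cannot see the quorum disk and hears no peer
    assumes the HA plans are in play and reboots itself, so its VMs are never
    running on two servers at once when the peers restart them."""
    others = pool - {view.name}
    return (not view.sees_quorum_disk) and not (view.net_heard_from & others)


def decide(views: Dict[str, HostView]) -> Dict[str, str]:
    """Combine both rules into a per-host verdict: self-fence, peers-recover or ok."""
    pool = set(views)
    verdict = {}
    for name, view in views.items():
        if should_self_fence(view, pool):
            verdict[name] = "self-fence"
        elif peers_enable_recovery(views, name):
            verdict[name] = "peers-recover"
        else:
            verdict[name] = "ok"
    return verdict


# Constructed scenario 1 (slide 45): Server 1 loses both the network and the quorum disk.
ISOLATED = {
    "1": HostView("1", sees_quorum_disk=False),
    "2": HostView("2", True, net_heard_from={"3"}, disk_update_from={"3"}),
    "3": HostView("3", True, net_heard_from={"2"}, disk_update_from={"2"}),
}

# Constructed scenario 2: only the management network to Server 1 is down; the
# storage heartbeat still shows Server 1 alive, so nothing is fenced or restarted.
NET_ONLY = {
    "1": HostView("1", True, disk_update_from={"2", "3"}),
    "2": HostView("2", True, net_heard_from={"3"}, disk_update_from={"1", "3"}),
    "3": HostView("3", True, net_heard_from={"2"}, disk_update_from={"1", "2"}),
}

if __name__ == "__main__":
    print(decide(ISOLATED))  # {'1': 'self-fence', '2': 'ok', '3': 'ok'}
    print(decide(NET_ONLY))  # {'1': 'ok', '2': 'ok', '3': 'ok'}
```

Scenario 2 is the reason the slides recommend a bonded management interface and a multipathed Heartbeat SR: each heartbeat path covers for a failure of the other, and only the loss of both triggers a restart.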

Page 46: Welcome to TechEdge

Citrix Provisioning Server

Page 47: Welcome to TechEdge

Agenda

How does Provisioning resolve these issues?

Common Issues and Best Practices

What Active Directory issues arise when streaming a vDisk?

Page 48: Welcome to TechEdge

Two main Streaming concerns with AD

(Diagram: four target devices all booting with the hostname TD1, served by the PVS Server with its SQL Database and joined to the Domain Controller)

Page 49: Welcome to TechEdge

Unique Hostnames

Page 50: Welcome to TechEdge

Machine Account Creation

(Diagram: SQL DB, PVS Server and Domain Controller; Target1 is added to the domain ("Add Target1 to Domain") and Target1 then boots)

Page 51: Welcome to TechEdge

Reset Machine Account Password(Manually from Console)

(Diagram: PVS Server, Domain Controller and SQL DB; "Reset Target1 Key" is issued from the console and Target1 is rebooted)

Page 52: Welcome to TechEdge

Machine Account Password Reset(Automatic)

(Diagram: SQL DB, PVS Server and Domain Controller; Target1 boots, the machine account password is tracked as "Target1 Expiration" / "No Expiration", and a Password Reset is performed automatically)

Page 53: Welcome to TechEdge

Common Issues: Best Practices

• Make the Target Name unique

• Disable local machine account password changes

• Do not add the Target devices very deep in the Active Directory tree

Page 54: Welcome to TechEdge

Access Gateway Enterprise Edition

Page 55: Welcome to TechEdge

Access Gateway - Features

• Authentication, Authorization, Auditing

• Clients

• High Availability

• User Experience

• Administration, Scalability

• Endpoint Analysis

Page 56: Welcome to TechEdge

Access Gateway Enterprise Edition: XenDesktop Integration

Page 57: Welcome to TechEdge

XenDesktop Integration

AGEE Theory

Page 58: Welcome to TechEdge

User Experience

Access choices delivered to the user are based on SmartAccess policies & EPA results

Page 59: Welcome to TechEdge

Access Gateway Authentication Disabled, No EPA, ICA Proxy On

(Diagram: User, Access Gateway, Web Interface 5.0, Desktop Delivery Controller and Virtual Desktops; protocols shown: HTTPS, HTTP(S), XML, ICA/CGP, ICA + SSL)

Page 60: Welcome to TechEdge

Access Gateway Authentication Enabled, EPA Enabled, ICA Proxy On

(Diagram: User, Access Gateway, WI 5.0 & Desktop Delivery Controller, Virtual Desktops; protocols shown: HTTPS, HTTPS - SSO, XML, ICA/CGP, ICA + SSL)

Page 61: Welcome to TechEdge

Access Gateway Authentication Enabled, EPA Enabled, Access Gateway client (ICA Proxy Off)

(Diagram: User, Access Gateway, WI 5.0 & Desktop Delivery Controller, Virtual Desktops; protocols shown: HTTPS, HTTPS - SSO, XML, ICA/CGP, ICA + SSL)

Page 62: Welcome to TechEdge

Access Gateway Enterprise Edition: XenApp Integration

Page 63: Welcome to TechEdge

XenApp Integration: External / DMZ / Internal

(Diagram: the Remote End User reaches the VIP on the NetScaler in the DMZ; the NSIP and the SNIP or MIP reach DNS, LDAP/LDAPS, the Web Interface and XenApp on the internal network)

Ports shown:

• Remote End User → VIP: 443, 80* (HTTP/TCP) (* Port 80 used for https redirect)

• DNS: 53 (UDP)

• LDAP/LDAPS: 389/636 (TCP)

• Web Interface: 443, 80 (TCP/HTTP); 3010, 3008, 22 (TCP)

• XenApp: 80, 8080, 443 (HTTP/TCP); 1494, 2598 (TCP)

Page 64: Welcome to TechEdge

SmartAccess for XenApp with Access Gateway

• Authentication

• Policy Evaluation
  • Session Policy Expression
  • Session Profile Client Security Check

• WI SSO Transaction

• True policies get sent to XenApp as SmartAccess criteria
  • Policy Name
  • VServer Name

• XenApp filters by SmartAccess criteria
  • Published Apps
  • XenApp Policies

• XenApp Application List

Page 65: Welcome to TechEdge

(Diagram: access levels Global Access, Full Access, Reduced Access, Restricted Access and Denied Access; descriptions shown: All Applications & Virtual Channels / Full Network Access; Reduced Applications & Virtual Channels / Restricted Network Access; SnR Security Remediation Web Site; Clientless Portal and Email Access)

Page 66: Welcome to TechEdge

Troubleshooting: Potential Issue Areas

(Diagram: Remote End User (External) → VIP / NSIP / SNIP or MIP on AGEE (DMZ) → WI, DNS, LDAP/LDAPS and XenApp + STA (Internal); "Ports and IP rules" is marked between each tier)

Problem Types and the callouts shown for each:

• Ports and IP rules; LDAP/LDAPS (TCP) - 389/636

• Authentication: 1- Auth Svr Settings, 2- NS Trace, 3- aaad.debug; Security Event Log on DC (LDAP or IAS)

• Authorization: 1- Auth Settings, 2- NS.log

• Smart Access: 1- Profile Settings, 2- NetScaler Trace; nssslvpn.txt

• WI: 1- WI Site Settings, 2- WI Trace, 3- Event Log; STA path on WI; ICA file - ID

• STA: XML Settings / STA Logging; 1- NS Trace, 2- STA Monitor (newnslog); nssslvpn.txt

Page 67: Welcome to TechEdge

Access Gateway Enterprise Edition: NetScaler Integration

Page 68: Welcome to TechEdge

NetScaler Integration

Page 69: Welcome to TechEdge

Potential Gotchas with ICA Proxy and GSLB

• Host a wildcard certificate on the VPN VIP

• Configure each WI Server with a Unique FQDN for the VPN Virtual Server

• Must host 3 publicly resolvable Address Records:
  1. vpn.yourcompany.com
  2. site1.yourcompany.com
  3. site2.yourcompany.com

NOTE!!! – Not an issue when running VPN Client
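The wildcard certificate on the VPN VIP only works for the GSLB setup above if it actually validates for every site FQDN the user can be redirected to. The block below is an added example, not part of the slides or Citrix software: it applies the single-label wildcard rule from RFC 6125 to a constructed certificate name list and the three records from the slide, and goes one step further by showing two names (the bare domain and a two-label-deep name) that the same wildcard does not cover.

```python
"""Check that a certificate's names cover every FQDN a GSLB / ICA Proxy deployment
answers for. Added example for this page, not Citrix code. The matching rule follows
RFC 6125: a wildcard is accepted only as the whole leftmost label and matches exactly
one label. The certificate names and host lists below are constructed."""
from typing import Dict, Iterable, List


def _normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (CN or SAN dNSName) covers hostname.
    "*.example.com" covers "a.example.com" but not "example.com" or "b.a.example.com";
    a '*' anywhere other than the whole leftmost label is rejected."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern.startswith("*."):
        return pattern == hostname            # plain name: exact match only
    if "*" in pattern[2:]:
        return False                          # partial or nested wildcards are not accepted
    suffix = pattern[1:]                      # "*.yourcompany.com" -> ".yourcompany.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def coverage(cert_names: Iterable[str], required: Iterable[str]) -> Dict[str, bool]:
    """Map each required hostname to whether any certificate name covers it."""
    names = list(cert_names)
    return {host: any(hostname_matches(n, host) for n in names) for host in required}


def uncovered(cert_names: Iterable[str], required: Iterable[str]) -> List[str]:
    """Hostnames the certificate would NOT validate for; an empty list means the
    wildcard certificate on the VPN VIP is enough for every site FQDN."""
    return sorted(h for h, ok in coverage(cert_names, required).items() if not ok)


# Constructed: the three records the slide says must resolve, plus two names that a
# single-label wildcard does not cover, which would need their own SAN entries.
WILDCARD_CERT = ["*.yourcompany.com"]
GSLB_NAMES = ["vpn.yourcompany.com", "site1.yourcompany.com", "site2.yourcompany.com"]
EXTRA_NAMES = ["yourcompany.com", "agee.site1.yourcompany.com"]

if __name__ == "__main__":
    print(uncovered(WILDCARD_CERT, GSLB_NAMES))                # []
    print(uncovered(WILDCARD_CERT, GSLB_NAMES + EXTRA_NAMES))  # ['agee.site1.yourcompany.com', 'yourcompany.com']
```

Feed the function the dNSName entries of the certificate you intend to bind to the VPN virtual server and the list of every FQDN GSLB can hand back; any name in the returned list is one for which the client will raise a certificate error even though DNS resolves it.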

Page 70: Welcome to TechEdge

NetScaler

Page 71: Welcome to TechEdge

Problem: Typical Deployment without Citrix NetScaler

Page 72: Welcome to TechEdge

Problem: Typical Deployment without Citrix NetScaler

1. Web Interface does not provide intelligent XML service monitoring

Page 73: Welcome to TechEdge

Problem: Typical Deployment without Citrix NetScaler

2. Web Interface is not redundant

Page 74: Welcome to TechEdge

Problem: Typical Deployment without Citrix NetScaler

3. No site redundancy

Page 75: Welcome to TechEdge

Problem: Typical Deployment without Citrix NetScaler

4. No link redundancy

Page 76: Welcome to TechEdge

Solution: Smart Monitoring

Page 77: Welcome to TechEdge

Solution: Smart Monitoring

Monitoring provides alerting

Page 78: Welcome to TechEdge

Solution: Smart Monitoring

Verify XML Service application enumeration and response time

Page 79: Welcome to TechEdge

Solution: Smart Monitoring

Verify Web Interface is serving a legitimate response

Page 80: Welcome to TechEdge

Solution: High Availability

Component High Availability and Load Balancing

Page 81: Welcome to TechEdge

Solution: High Availability

XML Service

Page 82: Welcome to TechEdge

Solution: High Availability

Web Interface

Page 83: Welcome to TechEdge

Solution: Link Load Balancing

Redundant ISP links

Page 84: Welcome to TechEdge

Solution: Business Continuity (GSLB)

Highly available and load balanced sites

Page 85: Welcome to TechEdge

What happens if there is a failure?

Page 86: Welcome to TechEdge

What happens if there is a failure?

XML Service

Page 87: Welcome to TechEdge

What happens if there is a failure?

Web Interface

Page 88: Welcome to TechEdge

What happens if there is a failure?

AGEE

Page 89: Welcome to TechEdge

What happens if there is a failure?

NetScaler

Page 90: Welcome to TechEdge

What happens if there is a failure?

Internet Link

Page 91: Welcome to TechEdge

What happens if there is a failure?

Data Center

Page 92: Welcome to TechEdge

• If you complete the survey, you will be entered to win the $250 Amazon gift card. The winner will be announced May 29th

• TechEdge survey link: http://www.citrix.com/techedgesurvey

• Link will also be emailed to all attendees

• The TechEdge PPTs will be posted on the Knowledge Center by Tuesday, May 5th

TechEdge Survey & Posting of PPTs

Page 93: Welcome to TechEdge

Continue Your Learning

Authorized Citrix training is highly recommended as a next step to experiencing the full potential of your Citrix solution. Visit www.citrixeducation.com to view a complete list of course offerings and learn how to validate your technical skills with an industry-recognized Citrix Certification.

Page 94: Welcome to TechEdge