Lets refresh where we are! We are discussing about architecting a Citrix environment from Architects perspective. There are 2 parts to it:
Assessment is further divided into
Design is further divided into
· Application Delievery design
· Desktop Delivery design
· Operating System Provisioning design
· Virtualization Infrastructure Design
· Access Design
· Delivery Optimization
In this blog, we will discuss design of Application Delivery . Each topic will be covered in separate blog.
Before beginning an application delivery design, architects already should have done an assessment of the organization's user groups and application needs. The number, type and complexity of the applications will drive major considerations about application delivery within the virtualized environment.
Application Delivery Design Scenario
A Citrix Certified Integration Architect has been given the task of designing a solution for delivering the applications to users in a company with two branch offices.
The company wants to secure its data, allow workers to access the data center remotely and minimize the effort required to update applications.
During the assessment, the architect documented the following information:
- There are two branch offices, one in Hartford, Connecticut and one in Boston, Massachusetts.
- The datacenter is located in the Hartford branch office.
- There are 500 users in Hartford and 200 users in Boston.
- All servers in the datacenter are running Windows Server 2003 with Service Pack 2 installed.
- Approximately 440 endpoints are running Windows XP, approximately 200 are running Windows Vista and approximately 60 are running Windows 7.
- Users have rights to install applications on their endpoints.
- Microsoft Office 2003 (Outlook, Word, Excel, Access, PowerPoint) and Adobe Acrobat Professional 7.0 are installed on all endpoints. IT would like all systems to be updated to use Microsoft Office 2007 and Adobe Acrobat Professional 8.0, but the work effort is too great.
- Help desk personnel are dispatched to offices to address user issues.
- Seibel CRM and SAP are mission-critical applications and are used by only 70 users, 5 of which work out of the Boston branch office.
- The backend servers (Exchange Server and SQL Server) are located at the Hartford branch office.
- Users at the Boston branch office complain about latency when accessing data on these servers.
- Users travel with their endpoints which makes the data vulnerable should the endpoint be stolen.
- All data is stored on the endpoints.
- Users have no access to the network when outside the office which is affecting productivity.
- A wide variety of client and network printers are used in the environment.
An architect can use the information gathered during an assessment and the information in the following topics to assist in designing an application delivery solution
Application Delivery Overview
Separating the application layer from the OS layer allows for fewer numbers of unique desktop images. Application can be added on the top of OS based on each users identity and rights. The following categories are:
1) Base: These are applications that are installed on the base image. Base Applications include helper applications and applications with many OS hooks and shell Integration
2) Custom: These are applications that are home grown
3) Resource Intensive: Require significant amount of resources
4) Challenging: Large, complex applications that require backend DB communication, eg. EFP
Following methods are used for best delivery of applications:
1) Installed: Applications installed on the base image of the OS.
2) Hosted: Hosted applications are available only to users who have been granted rights to run the applications. All execution occurs on XenApp server hosting the application
3) Streamed: Streamed applications are available only to users who have been granted rights to run the applications. The required application components are streamed across the network to the target device and executed with an isolated environment
Delivery Method Guidelines
Architects need to determine whether applications should be installed as part of the base desktop image, streamed to the virtual desktop image or hosted on XenApp. Each application should be evaluated on a case-by-case basis based on the application architecture.
Installed or Streamed
Base applications such as .NET Frameworks can be installed as part of the virtual desktop image. If the base application must be updated, the virtual desktop image must be updated. The more images there are to manage, the more complex the managing of locally installed base applications becomes. If an existing XenApp infrastructure is in place, these applications can be streamed to the virtual desktop image.
Installed or Streamed
Custom applications can be installed in the virtual desktop image if all users of the image require the application. If an existing XenApp infrastructure is in place, these applications can be streamed to the virtual desktop image or hosted on XenApp. If the custom application is not Terminal Services aware, hosting it on XenApp is not an option, but streaming the application to the virtual desktop image may be a viable solution.
Streamed or Hosted
Resource-intensive applications have a significant impact on CPU and memory resources. If the application is:
Challenging applications typically have unique configurations and dependencies. Because XenApp is a tightly-controlled environment, an organization can guarantee that the application is set up properly and functioning in the XenApp delivery model.
Ask the Architect
How should applications be executed and delivered in a virtual desktop? To find out more, view the "Integrated Apps into Virtual Desktop" video on the www.citrix.com/tv web site.
Application streaming simplifies the delivery of the application by allowing an administrator to install and configure an application on one file server for delivery to desktops. To upgrade or patch the application, the administrator must make the updates only in the location where the application was stored.
Once the architect has decided that an application should be streamed, a decision must be made about whether or not to cache the streamed application to improve the access time for users. The following caching options are available:
- No pre-caching
- Cache redirection
Pre-caching can stream the application files to the target device prior to launch by the user. When a user launches the streamed application, the plug-in will validate that the application files on the target device are current and will launch the application accordingly. An advantage of pre-caching streamed applications is that there is minimal delay in the application launch because the files are local and do not have to cross the network. In addition, because files and settings are not being streamed to the target device, the write cache size is kept to a minimum. If the application files are out of date, the application launch process will update the write cache as needed.
Applications that are used everyday and undergo semi-frequent small updates should be pre-cached to reduce user frustration, network usage and the write-cache size.
During the vDisk image build process, streamed applications can be pre-cached within the vDisk image and then executed to pre-cache all the files. Even though the streamed application becomes a part of the image, users must launch the application using a XenApp plug-in, just as with streamed applications that are not pre-cached.
Updating a streamed application does not necessarily mean that the application cache on the vDisk image must be updated. If the application update is minor, such as with a hotfix that changes a few files, the application streaming process can update the files without impacting the startup time. If the update is major, like a service pack for an application, then it would be advantageous to update the application cache on the vDisk image.
When a streamed application is not pre-cached on the target device, the application profile must be streamed to the write cache on the target device during the application launch. Even though the entire application might be 500MB in size, only the portion needed to start the application is initially sent to the target device. Because this portion of the application must be delivered over the network, the application start will be delayed until enough of the application files and settings are delivered. As the user continues to access more functionality within the application, more files are delivered to the target device, continuously increasing the write cache size.
An advantage of not pre-caching a streamed application is that the application profile is not part of the base vDisk image. As a result, updating the application profile does not necessitate updating the base vDisk image. This simplifies the process for application updates, especially in larger organizations, which typically have one group managing application profiles and another group managing base vDisk images.
A disadvantage of not pre-caching a streamed application is that the application profile must be streamed to the target device after every reboot of the server hosting the application. This will result in a delay of the application start while the write cached is being built.
Applications that should not be pre-cached include:
- Applications that undergo constant, large updates because all of the benefits of pre-caching would be negated
- Applications with sporadic usage because requiring a user to wait a little longer for an application only occasionally will not be as noticeable as delays in launching everyday applications
The .CAB based architecture used for application streaming will be replaced in future XenApp releases with an uncompressed directory structure architecture.
Another method that can be used to optimize application streaming is called cache redirection. With cache redirection the virtual desktops are designed so the storage allocated for holding the Provisioning Services write cache is also used to hold the application streaming write cache.
Advantages of using cache redirection include:
- Simplified application maintenance by decoupling the application streaming write cache from the vDisk
- Faster application launches after reboots because the cache is persistent
A disadvantage of using cache redirection is that it requires additional storage to be allocated for each virtual desktop.
XenApp Farm and Zone Design
An architect must determine how many XenApp farms should be implemented in the environment. The number of zones in a XenApp farm should often be kept to a minimum with one zone being the optimal solution. Keep in mind that a data collector exists in each zone and that the zone data collectors must replicate data to all other zone data collectors in the farm.
Farm Design Considerations
A single farm will work best in most implementations. However, there are some circumstances in which deploying multiple farms makes sense. For example:
- If the IT infrastructure is organized by region and managed in a decentralized manner, use of multiple farms could improve farm performance, save time when coordinating farm administration and simplify troubleshooting farm-wide issues.
- If the organization has network infrastructure limitations such as WANs with high latency or error rates, use of multiple farms may perform better than a single farm with multiple zones.
- If the organization has security policies in place concerning server communications, use of multiple farms can be used to segregate data based on the security level to meet regulatory compliance requirements.
- If the organization has geographically dispersed datacenters that can support their own data store database, use of multiple farms can ease administration.
- If communications between servers within the farm should not cross a firewall or WAN, use of multiple farms can resolve this issue.
- If an organization has a large deployment with thousands of servers and users, use of multiple farms can improve the scalability and the performance of the data store, local host cache and IMA service.
Some Citrix components such as Web Interface, SmartAuditor Server, Citrix Licensing and EdgeSight can be shared between multiple farms; consequently, it is not necessary to consolidate all servers in a single farm to prevent deploying these components multiple times.
Zone Design Considerations
In general, the number of zones in a XenApp farm should be kept to a minimum. When all farm servers are in one location, a single zone is probably the best solution.
Even when "Share load information across zones" is disabled (the default setting), zone data collectors must still communicate some data to all other zone data collectors in the farm, although the communication is less. As the number of zones in a XenApp farm increases bandwidth consumption and network traffic increase exponentially as a result of these data collector communications.
Multiple zones might be warranted in the following situations:
- In large organizations with datacenters geographically dispersed, geographically-related servers should be grouped into zones when latency has been determined to degrade performance. Keep in mind that not all geographically dispersed implementations require multiple zones.
- When zone preference will be used to direct user connections to specific sites
Because profiles play an important role in user satisfaction with a virtualization solution, it is imperative that the architect understands:
- The available profile types
- Which profile types best meet the needs of the users
- How to manage profile effectively
The profile information discussed in this section also applies to XenDesktop virtualization designs.
Profile Design Considerations
Profile design is one of the most critical areas in a XenApp implementation. Many of the issues commonly seen in large or complex XenApp implementations, such as slow logons, loss of user settings, profile corruption and excessive administration effort are often the result of poor profile design.
To determine which profile type should be used in a XenApp implementation, the architect must be able to answer the following questions:
- Do users need to save their settings?
- Yes: Use a roaming or hybrid profile.
- No: Use a mandatory profile.
- Do applications store settings in the registry?
- No: Use a mandatory profile.
- Yes: Use a roaming profile hybrid profile or multiple profiles.
- Will auto-created client printers be used with client-side settings?
- No: Use a roaming profile, hybrid profile or multiple profiles.
- Yes: Use a mandatory profile.
- Will network print jobs be spooled directly to the print server with the printer properties retained?
- No: Use a mandatory profile.
- Yes: Use a roaming profile, hybrid profile or multiple profiles.
- Are applications in load managed groups or silos?
- No: Use roaming profiles.
- Yes: Use a hybrid profile or multiple profiles.
Citrix Profile Management
Citrix Profile Management is a hybrid-type profile solution. It allows users to completely customize their experience while overcoming challenges with roaming profiles. For example, in a virtual desktop environment, when the user logs back into a new desktop, the mandatory profile loads and the custom modifications are applied automatically.
However, depending on its configuration, Citrix Profile Management can take over as the profile solution for XenApp, XenDesktop and the local desktop. Citrix Profile Management is not for every environment, because it is more complex than the standard Microsoft profile solutions. Citrix Profile Management should only be implemented if warranted by both technical and business requirements. In general, mandatory profiles should be used first, then roaming profiles, then Citrix Profile Management.
Suggested use cases for Citrix Profile Management include the following:
- User accesses multiple XenApp server farms and often has multiple ICA session open.
- User accesses multiple desktops, including XenDesktop, where the operating system is different.
- Excessive roaming profile corruption issues exist
Citrix Profile Management is included with XenApp Platinum and Enterprise editions. It optimizes profiles in an easy and reliable way. At logoff, registry changes, as well as files and folders in the profile, are saved to the user store for each user. If, as is common, a file already exists, it is overwritten if it has an earlier time stamp.
At logon, the users' registry entries and files are copied from the user store. If a locally cached profile exists, the two profiles are synchronized. This makes all settings for all applications and silos available during the session, so it is no longer necessary to maintain a separate user profile for each silo.
Citrix Profile Management should be installed and enabled on servers, virtual images and client devices in the environment because it can address user profile deficiencies in virtualized environments. For example, when Citrix Profile Management is not in use, and a user starts sessions in two different virtual resources, the profile of the session that terminates last overrides the profile of the first session. This problem, known as "last write wins," discards any personalization settings that the user makes in the first session. Citrix Profile Management can correct this issue.
The "last write wins" issue can also be addressed by using different profiles for each application silo. However this results in increased administrative overhead and storage capacity requirements. Another drawback is that the administrator must replicate the settings in all profiles in all silos.
Print configurations vary widely among organizations. Some users might have locally attached printers, while others might use only network printers or a combination of both. Managing the print devices, print drivers, printer configurations and network traffic can make printing administration a complex task.
An architect should design the printing environment so that it is easy to administer, responsive and seamless to users. This can be accomplished by addressing the following questions:
- Which print drivers -- native drivers, Citrix universal print drivers, or both -- will be allowed in the environment?
- Will printers be provisioned to users through client printer auto-creation, static provisioning, network printer provisioning or user-self provisioning?
- Will print jobs be routed to the client or the network?
Print drivers determine how jobs are rendered to print devices. While designing the printing architecture, the administrator must determine which print drivers are allowed and how they will be installed and maintained on XenApp servers. XenApp supports:
- Native drivers, which are the drivers provided within the Microsoft Windows operating system
- OEM print drivers, which are drivers supplied by vendors
- Citrix Universal Print Drivers, which are included with XenApp 4 and later and are compatible with most print devices
The Novell iPrint driver is not supported in a XenApp environment.
If OEM drivers will be used, it is important that these drivers be manually or auto-replicated to all servers in the farm to ensure a consistent experience regardless of the server hosting the user session. In addition, it is a best practice to limit the number of OEM drivers used in the environment.
Users do not have the ability to install OEM drivers over ICA or RDP connections but can inadvertently install native drivers over ICA or RDP connections. To accomplish this goal:
- A Citrix policy that disables the installation of native print drivers over ICA sessions can be implemented.
- A group policy to prevent users from redirecting printers over RDP connections which installs the native print driver on the XenApp server can be implemented.
If native drivers will not be used, a Citrix policy that enforces the use of the Citrix Universal Print Driver for all print jobs should be used. In addition, a Windows group policy should be implemented that disables the installation of native print drivers over RDP should be configured.
If both native print drivers and the Citrix Universal Print Driver will be used, use a Citrix policy to determine the default driver type and to ensure print drivers are consistent across all servers.
XenApp print environments are highly dynamic as they are built during user logon or application launch. During the printing design, an architect must determine how printers will be provisioned to user sessions. The following printer provisioning methods can be configured:
- Client printer auto-creation automatically creates the printers defined on the client devices. A Citrix policy can be configured to auto-create all client printers, only the default client printer, only client local printers or only client network printers.
Client printer auto-creation is the easiest to configure but may require extensive processing on the XenApp servers.
- Static printer provisioning uses local printers specified by TCP/IP, USB or another method. Local printers are typically created as part of the server build and seldom change.
Static printer provisioning has an initial high administrative burden during the setup process. In addition, it increases overhead on XenApp servers as jobs are spooled on the server. Static provisioning is optimal when:
- Applications require local printers, such as Acrobat printing to PDF.
- A small deployment with a small number of printers will be managed entirely on the servers.
- Network printer provisioning uses a Citrix policy, GPOs, logon scripts or toolkits to provision printers on network print servers to users within XenApp sessions. Network printer provisioning requires additional configuration initially but is the most efficient of the provisioning types for printer creation and printing.
- User self-provisioning allows users to configure client and network printers using the Add Printer wizard available within XenApp sessions or by publishing the PRINTCFG.EXE tool. After a user self-provisions a printer, that printer is available in all future sessions for that user. User self-provisioning reduces server overhead because no excess printers are provisioned. In addition, user self-provisioning reduces administrative overhead and the control administrators have over printer provisioning. The number of help desk calls may increase as users need help configuring their printers.
- Citrix Universal Printer provisioning is an auto-created printer object that uses the Citrix Universal Print Driver and is not tied to any specific printer defined on the client. Once implemented, it is available in all sessions that use the XenApp plug-in. It is also independent of any printing policies defined in the management console or elsewhere, and therefore, it is possible to implement the Citrix Universal Printer with other auto-created printers, session printers, and/or non-Citrix defined printers (as well as by itself). The printer auto-creates in a standard fashion with the name "Citrix UNIVERSAL Printer."
Print Job Routing
During the printing design, the architect must determine the path that print jobs destined for a network printer will take. By default, print jobs destined for a network printer are routed along the network printing path unless the application server and print server are on different untrusted domains or the print driver is not installed, in which case print jobs are routed along the client printing path.
The following information describes the two printing pathways:
- Network printer path
- The application server communicates with the remote spooler on a print server to create the print job and associated spool file.
- The print server renders the print job.
- The print server relays the print data to the appropriate print device.
The network printer path is ideal for fast networks where the application server and network print server are on the same LAN. The network printer path is not recommended for WANs, networks with substantial latency or networks with limited bandwidth due to the number of packets exchanged between the application server and network print server. In addition, the packets traversing the network are treated as regular traffic and are not compressed. This can result in the user experiencing latency while the print jobs spool.
- Client printer path
- The application server communicates with the local spooler on the XenApp server to create the print job and associated spool file.
- The print server renders the print job. If the Universal Print Driver is used, this step differs slightly.
- The rendered data is delivered to the client device through a virtual channel within the ICA protocol.
- The client device relays the print data to the printer, or to the print server which then relays the data to the print device.
The client printer path is ideal for networks with limited bandwidth because the ICA protocol compresses the print job and provides the ability to set bandwidth limits through a Citrix policy. To make client printer routing the default printing path, the Citrix print job routing policy can be set to always connect indirectly as a client printer.
During the printing design, an architect should specify whether proximity printing will be implemented in the environment. Proximity printing allows users to move within the environment and print to the closest network printer to the client device used to access the session. Proximity printing is normally warranted for mobile workers within the corporate environment.
Proximity printing is implemented by configuring the Citrix session printers policy rule and is typically applied using the Client Name filter with wildcards or the Client IP address filter. This means that the endpoints are assigned client names or IP addresses by their location (floor, building).
The session printers policy rule should be updated whenever network printers are added or removed, and whenever the DHCP IP address ranges for the floors or departments are modified, if the Client IP Address filter is used.
Tuning and Optimizations
An architect may need to tune the operating system, Terminal Services and XenApp specific-settings on a 32-bit XenApp server.
Operating System Tuning
The architect should optimize a Windows 32-bit operating system running XenApp by disabling unused services and features including the following settings.
Disable Windows Animation
System Properties > Advanced > Settings > Visual Effects > Adjust for best performance
Disable window animations which are not well suited for remote display.
Disable Paging of the Executive
HKLM\System \CurrentControlSet\Control \Session Manager\Memory Management \DisablePageExecutive
REG_DWORD = 1
Configure kernel mode drivers and other system components to not be paged to disk to improve performance.
Disable Spooler Warning Events
HKLM\System \CurrentControlSet\Control \Print\Providers\EventLog
REG_DWORD = 1
Disable warning events that are logged anytime an auto-created printer is created or deleted to prevent the System event log from quickly filling with useless warnings.
Disable Spooler Notifications
HKLM\System \CurrentControlSet\Control \Print\Providers\NetPopup
REG_DWORD = 0
Suppress notifications to users when the Spooler service connects to shared network printers to improve performance.
Server Tuning and Optimizations
The following settings may need to be adjusted on a Windows 32-bit XenApp server to enable it to run in the most efficient manner possible:
- System Cache
- Paged Pool Size
- System PTE
- Non-Paged Pool Size
- Maximum Work Items (MaxWorkItems)
- SMB Server Requests (handling and issuing)
- Maximum Raw Work Items (MaxRawWorkItems)
- Maximum Free Connections (MaxFreeConnections)
- Minumum Free Connections (MinFreeConnections)
- SMB Client Session
- Lazy Flush Interval
- Remote Recursive Events
- Terminal Services security
- TCP Maximum Data Retransmissions
- Error Mode
- NTFS Last Access Update
Data Store Design Considerations
When designing the application virtualizaton solution, an architect must ensure that the database used to hold the XenApp data store will meet the needs of the implementation.
A Microsoft SQL Server data store database should meet the following requirements:
- The data store database can be placed on the same server as other databases but should not be configured to share a database with other client/server applications or the master database.
- Approximately 100MB of disk space is required for every 250 XenApp servers hosting 50 published applications. More disk space is required for greater numbers of published applications. The default database size and settings usually suffice.
- The "temp" database must be set to automatically grow on a partition with at least 1GB of free disk space for a small farm or 4GB for a large farm with multiple print drivers.
- The Windows authentication-only setting provides the highest security. In addition, the service account can be changed from db_owner to read/write only to increase the security of the database. Keep in mind that the service account must be changed back to db_owner in order to upgrade or apply hotfixes to the database.
- TCP/IP sockets should be used as the authentication protocol because it does not rely on the Windows authentication process to establish a connection but does provide user/password authentication to the database after the connection is established
Database Replication Considerations
A replicated data store ensures that all data store reads occur on the network local to the XenApp server rather than across the WAN. An architect should be aware of the following considerations when deciding if database replication is warranted:
- A single data store works best for most deployments, but a replicated data store at remote sites can improve farm performance especially across high-latency or low-bandwidth WAN links.
- Database replication consumes bandwidth so replicas of the data store database should be placed only at sites with enough servers to justify the bandwidth cost of placing the copy at the site. As the size of the farm increases, the amount of bandwidth required for the read requests increases.
- Data coherency is required across the replicated databases, so a two-phase commit must be used.
- Merged replication should not be used, as it can lead to corruption of the data store database.
- A published XenApp management console must be used to perform farm maintenance from a remote site that has high latency to avoid performance issues.
SQL mirroring instead of replication of the data store database may be used over fast WAN links if the sites are close or tightly connected.
Database Fault Tolerance Considerations
Microsoft clustering provides failover and failback for the clustered systems. If a node running an instance of Microsoft SQL Server fails, the cluster group containing the data files for that instance is switched to another node and starts accepting connection requests for that instance. Failover of the database in a clustered environment is transparent to XenApp.
The SQL cluster should be configured in the datacenter where the majority of XenApp servers are, not where the majority of users are located.
Microsoft Cluster Services clustering does not support load balancing among clustered servers because it functions in active/passive mode only.