
VM Hosted Apps – and Why You Should Care

I’ve found that one of the least-understood features of XenApp is “VM hosted apps.” So, gentle reader, I thought it was time to try to bring some clarity to what is actually a very cool piece of technology, and may actually be the solution for how to continue to deliver IE6 for the Web apps that require it, even after you upgrade to Win7. (As you probably know, Microsoft has, so far, taken the position that packaging, streaming, or otherwise delivering IE6 by itself is a violation of their license – much to the consternation of users who have applications that depend on it.)

Why it exists
Anyone who has been around the block a few times with XenApp knows that there are some applications that just don’t play nicely in a multi-user environment. I can tell you that our own engineering team has become quite talented at making applications run in a XenApp environment even when the application vendors themselves said it couldn’t be done. And as the older DOS-based and 16-bit Windows applications gradually die of old age, things in general are getting better. Tools like application isolation and application streaming can help as well. But every now and then, you’ll run into an application that either just won’t run in a Remote Desktop Services (formerly Terminal Services) environment, or won’t play nicely with other applications, or misbehaves when more than one person at a time tries to run it.

We also occasionally run into applications that require some kind of hardware “dongle” as a license enforcement mechanism. Other applications have license mechanisms that are dependent on IP or MAC addresses, and/or save user-specific information that will require the application user to go back to the same system each time s/he wants to run the application. Finally, there may be users who need a very high-performance graphics processing unit, e.g., to run a graphics-intensive CAD program.

To help you deal with this, Citrix included a little bit of XenDesktop technology in XenApp, beginning with XenApp 5 Feature Pack 2. It’s only fair, after all, since XenApp functionality is now included in XenDesktop Enterprise and Platinum Editions, but while XenDesktop 4 (and now XenDesktop 5) includes all the functionality of XenApp for delivering applications to your XenDesktop users, XenApp’s VM hosted apps feature contains just enough XenDesktop functionality to create virtual – or physical – desktop systems specifically to run individual applications. In fact, that’s all those systems do. You can’t deliver multiple VM hosted apps from a single PC Operating System (well, not very easily anyway).

How it works
First of all, you have to build out the basic components of a XenDesktop farm. Yes, it can share some components with the rest of your infrastructure, but you’re going to need to build a Desktop Delivery Controller, you’re going to need a XenDesktop farm database, you’re going to need either a virtualization host (if you’re going to use virtual PC instances) or some physical PCs or blades, and you’re going to need an Operating System image with the target application installed into it. You may also deploy Provisioning Services if you want to stream the OS image either to your virtual infrastructure or to your blade PCs. In short, you go through the same process that you would go through if you were putting together a XenDesktop infrastructure to deliver a virtual desktop…but in this case, we’re delivering an application, not a desktop.

Here’s a high-level overview of the process:

  • Create an OS image.
  • Install the XenDesktop Virtual Desktop Agent into the image.
  • Install the desired application. If the application needs “helper apps” (e.g., an accounting app may require Microsoft Excel to display reports), you can install them too. You can even install the Citrix Online Plugin, Offline Plugin, Single Sign-On Plugin, etc., if you want to launch those helper apps on a XenApp server or have XenApp stream them down to the desktop image for local execution.
  • Create a shortcut for your desired application. If you really need to launch multiple applications, or launch something like the Citrix Online Plugin, create a script or batch file to launch the applications you want to launch, then create a shortcut to that script or batch file instead.
  • Place that shortcut into the C:\Program Files\Citrix\ICA Service\SeamlessInitialProgram folder of your desktop image. NOTE: If you try to put more than one shortcut in that folder, you will get an error!
  • Using the Citrix XenDesktop tools, convert your image into a VHD if you’re going to be streaming it via Provisioning Services or deploying it in a virtual environment. Like any other XenDesktop image, it can be a private image that is either preassigned to a specific user or assigned on first logon, or it can be a public image that you use with Provisioning Services to boot and run multiple instances.
  • Publish that application. It can be displayed via the Citrix Web Interface right alongside other applications that are being delivered via XenApp.
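The launcher-script and shortcut steps above can be scripted on the master image. The following PowerShell is an added example, not code from the post or from Citrix; the application and helper paths are placeholders, and the ICA Service folder is assumed to be at its default location. The script writes a batch launcher that starts the helper first and then waits on the main application, drops exactly one shortcut into SeamlessInitialProgram, and verifies that the folder holds only that one shortcut, since a second one produces the error noted above.

```powershell
# Added example (not from the post): build a launcher script and the single
# shortcut that XenApp VM hosted apps expects in SeamlessInitialProgram.
# The two executable paths are placeholders; replace them with your own.

$SeamlessDir = 'C:\Program Files\Citrix\ICA Service\SeamlessInitialProgram'
$LauncherDir = 'C:\Launchers'
$AppExe      = 'C:\Program Files\ExampleVendor\Accounting\Accounting.exe'  # placeholder main app
$HelperExe   = 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE'       # placeholder helper app

function New-VmHostedAppLauncher {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Helpers,                     # started and left running
        [Parameter(Mandatory)][string]$MainApp  # waited on, so the launcher lives as long as the app
    )
    New-Item -ItemType Directory -Path $LauncherDir -Force | Out-Null
    $batch = Join-Path $LauncherDir "$Name.cmd"
    $lines = @('@echo off')
    foreach ($h in $Helpers) { $lines += "start `"`" `"$h`"" }
    $lines += "start `"`" /wait `"$MainApp`""
    Set-Content -Path $batch -Value $lines -Encoding ASCII
    return $batch
}

function Set-SeamlessInitialProgram {
    param([Parameter(Mandatory)][string]$Target)
    New-Item -ItemType Directory -Path $SeamlessDir -Force | Out-Null
    # Clear stale shortcuts first: the folder must contain exactly one .lnk.
    Get-ChildItem -Path $SeamlessDir -Filter '*.lnk' | Remove-Item -Force
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $SeamlessDir 'VMHostedApp.lnk'))
    $lnk.TargetPath = $Target
    $lnk.WorkingDirectory = Split-Path $Target
    $lnk.Save()
}

function Test-SeamlessInitialProgram {
    # True only when exactly one shortcut is present, which is what the ICA
    # Service requires; zero or more than one means the app will not launch.
    $count = (Get-ChildItem -Path $SeamlessDir -Filter '*.lnk' | Measure-Object).Count
    return ($count -eq 1)
}

$launcher = New-VmHostedAppLauncher -Name 'Accounting' -Helpers @($HelperExe) -MainApp $AppExe
Set-SeamlessInitialProgram -Target $launcher
if (-not (Test-SeamlessInitialProgram)) {
    throw "SeamlessInitialProgram must contain exactly one shortcut"
}
```

Run it elevated on the master image before sealing it. The `/wait` on the main application is a design choice: the session is tied to the launcher process, so the batch file should not exit until the application the user actually wants has closed.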

When the user clicks the icon, the application will be launched within the desktop OS, but will run as a “seamless app,” meaning that it looks and feels to the user as though it was running locally (just as applications published from the XenApp farm do). The user will never know, or care, which apps are running on XenApp servers and which are running on desktop OS instances.

Just as you would with any other XenDesktop deployment, you can configure, via the Desktop Delivery Controller, how many OS instances you want running in an idle state at any given point in time during the day – this eliminates the need for the user to wait for the PC/OS to boot before launching the app. Remember, though, that a desktop OS is not multiuser…meaning that if you have ten people who may need to run that application at the same time, you have to provide resources for ten virtual PC instances (or ten blades, as the case may be). And if you have two different applications that need to be deployed this way, you’re probably going to need to provide separate resources for each application. (Yes, I suppose you could create a script that launched both apps – but do you really want your users to click on a single icon and launch two completely different apps? Never mind the fact that the users who need one of the apps may have no overlap with the users who need the other one.)

Here are a couple more things to remember:

  • Your users are going to be remotely interacting with a Microsoft Desktop OS. That means you’re going to have to comply with Microsoft’s VDI licensing requirements. We’ve beat that horse to death elsewhere in this blog, so we won’t go into it again here.
  • Citrix never expected that VM hosted apps would be used for more than one or two percent of all the applications you may need to deploy in a XenApp environment. But sometimes that one or two percent represent business-critical apps, even if they’re only business-critical to a handful of your users.
  • You do not need XenDesktop licenses to do this. Users who launch a VM hosted app will consume a concurrent-use license from your XenApp license server. Users who launch multiple apps, e.g., a VM hosted app and several other apps delivered via XenApp, will still consume a single license.
  • You could also use VM hosted apps to quickly deploy an application while you’re figuring out how to make that application run on XenApp. Once you’ve figured that out, just re-publish the application. The users will never know – they’ll go to the same Web Interface and click on the same icon, and the app will launch.

So – back where we started this: If you’re one of those who are struggling to figure out how you’re going to continue to support IE6 in your environment while still migrating your users off of Windows XP, this is one potential answer for you. Deploy IE6 on Windows XP using VM hosted apps. Your users will never see the XP desktop, so they’ll never know.

A very cool tool to have in your toolbox, in our opinion.

If you want to know more about VM hosted apps, here are a couple of videos from Citrix TV. The first is from the XenApp Expert Series, with our old buddy Vinny Sosa (on the left) and Modesto Tabares talking about various use cases for the feature. This one will take you about 25 minutes if you watch the whole thing:

…and here’s a more technical video from the Learning Lap series that actually takes you through the installation and configuration of VM hosted apps. This one is about 20 minutes long:

Citrix Fixes the Provisioning Services – KMS Problem!

This is big news for anyone who wants to use XenDesktop to facilitate a Windows 7 migration. Here’s why: It only takes a moment’s thought to realize that if your desktop virtualization project simply trades inexpensive desktop SATA storage for expensive data center SAN storage, it’s not going to do good things for your ROI. So provisioning your virtual desktops from a shared Standard Image is a must. And that’s what Provisioning Services (“PVS”) allows you to do. If your standard Windows 7 OS image is, say, 15 GB, you only need one instance of it on your SAN regardless of how many virtual PCs you’re provisioning from it. Then, using the Citrix Profile Management tool in conjunction with standard Group Policy folder redirection techniques, you can merge user personalization at logon time.

There was only one problem…turning a Win7 vDisk into a Standard Image broke the Microsoft license key. The only way around that was to use Key Management Services (KMS) to auto-activate systems as they were provisioned, but there were problems in using KMS with PVS, as we’ve documented in earlier posts.

I am happy to report that the problem has been addressed in PVS v5.6, SP1, which is now available for download at the Citrix download site. Not only that, but PVS v5.6, SP1, also works with a Multiple Activation Key (MAK) for smaller environments where KMS is not justified. Here’s the difference between the two activation methods:

KMS is a service that runs on a server in your own network. It supports Windows Server 2008 and 2008 R2, Vista, Win7, and Office 2010. However, it requires a minimum number of systems checking in for activation before any systems will be activated. That threshold is 8 systems for server activation, and 25 systems for workstation activation. Prior to SP1, systems provisioned from a Standard Image looked to the KMS server like the same system checking in again and again, so the threshold counter didn’t increment. SP1 fixes that. Please note, however, that you must be running KMS on a 2008 R2 server if you want virtual machines to increment the threshold counter.

With an MAK, the activation server is hosted at Microsoft. The MAK is a reusable key that’s good for a predefined number of activations. With SP1, PVS will cache the activation confirmation code for each system, so they will automatically reactivate on subsequent reboots.

Here is the configuration process, straight from Citrix. First of all, the Imaging Wizard allows you to choose which activation method you’re going to use:

[Figure: PVS Imaging Wizard – Choosing the Activation Method]

Once you’ve chosen either KMS or MAK, here are the next steps:

KMS Activation

  • Reset the activation status on the vDisk image:
    • Boot the master target device from vDisk in Private Image mode
    • Run slmgr.vbs -rearm in console on master target device
    • Shut-down master target device
  • Put disk in Standard Image mode and stream. Target devices will automatically register with KMS server, and activate (provided there are at least 25 systems checking in).

MAK Activation

  • Put disk in Standard Image mode and stream.
  • Use “Manage MAK Activations” to remotely activate streamed target devices. This is done only once per group of devices.
  • Provisioning Services will cache activation confirmation code for each device so that devices will automatically reactivate on subsequent reboots.
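Both procedures hinge on the activation state of the master target device, and the KMS one depends on each streamed device presenting its own Client Machine ID (CMID) to the KMS host, which is exactly what did not happen before SP1. The PowerShell below is an added example, not from the post or from Citrix: it wraps slmgr.vbs to read the fields that matter (license status, remaining rearms, CMID), performs the rearm-and-shutdown step from the KMS list while the vDisk is in Private Image mode, and on the KMS host itself reads the current client count so you can watch it climb toward the 25-workstation threshold as devices boot from the Standard Image.

```powershell
# Added example (not from the post or Citrix): read and reset activation state
# with slmgr.vbs. Run Get-ActivationState / Reset-ActivationForStandardImage
# on the master target device, and Get-KmsHostCurrentCount on the KMS host.

$Slmgr = Join-Path $env:windir 'System32\slmgr.vbs'

function Get-SlmgrField {
    # Runs "slmgr.vbs /dlv" and returns the value of the first "Label: value"
    # line that starts with $Label, or $null if the label is not present.
    param([Parameter(Mandatory)][string]$Label)
    $out  = & cscript.exe //nologo $Slmgr /dlv
    $line = $out | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if (-not $line) { return $null }
    return ($line -split ':', 2)[1].Trim()
}

function Get-ActivationState {
    [pscustomobject]@{
        LicenseStatus = Get-SlmgrField 'License Status'
        RearmsLeft    = Get-SlmgrField 'Remaining Windows rearm count'
        # The CMID is what a KMS host counts; clones that share one CMID are
        # counted once, which is the pre-SP1 threshold problem described above.
        Cmid          = Get-SlmgrField 'Client Machine ID (CMID)'
    }
}

function Reset-ActivationForStandardImage {
    # KMS procedure step: rearm while booted in Private Image mode, then shut
    # down so the vDisk can be switched to Standard Image mode and streamed.
    $state = Get-ActivationState
    if ([int]$state.RearmsLeft -lt 1) {
        throw 'No rearms left on this image; rebuild it from a fresh install.'
    }
    & cscript.exe //nologo $Slmgr /rearm | Out-Null
    Stop-Computer -Force
}

function Get-KmsHostCurrentCount {
    # On the KMS host, /dlv reports "Current count", the number of distinct
    # CMIDs seen recently; workstations activate once it reaches 25.
    return [int](Get-SlmgrField 'Current count')
}

Get-ActivationState
```

Run the reset function only once, immediately before the switch to Standard Image mode: every rearm consumes one of a limited number, and an image that has run out cannot be rearmed again. If streamed devices activate but the count on the KMS host does not move, compare their CMIDs; identical values mean the image was not rearmed before it went to Standard Image mode.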

Kudos to the Citrix PVS development team for getting this done and out the door. Great job!

Windows 7 and Security

Volume 9 of the Microsoft Security Intelligence Report is out, and it makes for some pretty interesting reading. Among other things, it talks extensively about botnets – the various “families” of botnets, how they are used, how they work, and how access to them is sold and traded on the black market. Why? Because (quoting from the report), “When we look at that intelligence as a whole, it’s clear that botnets pose one of the most significant threats to system, organizational, and personal security.”

One of the things you’ll find in the report is a discussion of the infection rates of different versions of the Windows Operating System. You may have noticed that every now and then, as part of the critical patches and updates that Microsoft pushes to your PC, there’s something included called the “Malicious Software Removal Tool,” or “MSRT.” Microsoft keeps track of how often the MSRT actually finds malicious software when it runs, and that information is presented here as the number of computers cleaned of bot-related malware per 1,000 executions of the MSRT. Take a look at the following graph, which covers just Q2 of 2010:

[Figure: Infection rate found per 1,000 executions of MSRT, by Windows version, Q2 2010]

I would like to particularly direct your attention to the fact that the infection rate for Windows XP SP3 is four times the infection rate for Windows 7, and the rate for Windows XP SP2 is five times the Win7 rate.

I understand that, for some people, the issue of upgrading from Windows XP to something else borders on being a religious discussion. But, honestly, if Windows 7 is that much more secure – which it clearly is – isn’t it getting a bit difficult to justify the “you can have my Windows XP when you pry it from my cold, dead fingers” position?

Of course, larger enterprises have some challenges to overcome. As we discussed in our September post about the cost of a Windows 7 migration, Gartner recently reported that, since most organizations weren’t planning to begin their Win7 migrations until 4Q2010, and with PC hardware replacement cycles typically running at four to five years at present, most organizations simply will not be able to complete a Windows 7 migration through the normal PC replacement cycle before Microsoft ends support for XP SP3. There just isn’t enough time left.

But even if there was enough time – why would you not want to move to an Operating System that’s four times more secure as quickly as you possibly can?

As Gartner pointed out, one alternative is to move some users to a “hosted virtual desktop” instead of a new PC. Translation: Making VDI part of your migration strategy can help get you out from behind the eight ball. It can also boost the overall security of your organization. Doesn’t that make it a conversation worth having?

Citrix Announces XenDesktop 5

Earlier today, at Citrix Synergy in Berlin, Citrix announced XenDesktop 5, which is scheduled for availability in December, 2010. Naturally, we went looking for the “what’s new” list. You can find that list on the Citrix Web site, but, just to save you a few clicks, here’s our take on it.

Most of the user-facing features are evolutionary, as opposed to revolutionary. There have been incremental improvements in devices supported by the Citrix Receiver, the performance of Citrix HDX, user self-service provisioning, and single sign-on. There is also support for XenClient and XenVault, which were recently made available for download as part of XenDesktop 4, Feature Pack 2. But the truly revolutionary, knock-your-socks-off features are on the management side.

Installation and deployment of a large XenDesktop environment is now a snap using the new Desktop Studio tool. Since a video is worth a thousand words, check out the following video demo of Desktop Studio:

But wait! That’s not all! There’s something here for the help desk staff as well, and this may be the coolest part of all. Take a look at a demo of the new Desktop Director tool:

One of Citrix’s stated goals with XenDesktop 5 is to take VDI from “wow” to “how” – to show you how to easily install, scale, and manage a desktop virtualization deployment. Desktop Studio and Desktop Director are huge steps in that direction.

XenServer Tips – HBAs, HA, and HOSTDEVSCAN

In this installment of the Moose Logic Video Series, Steve Parlee, our Director of Engineering, talks about:

  • Why we always use iSCSI HBAs in our Citrix XenServer deployments.
  • The possible risks of using HA in a two-server pool. (NOTE: Initial testing indicates that XenServer v5.6 may not present the same problems in a two-server pool as earlier versions. When we have completed our testing, we will post an update here.)
  • A useful utility for XenServer called “hostdevscan.”

Desktop Virtualization for the SMB

One of the criticisms that’s been leveled at XenDesktop by its competitors is that it is too complex – too many components that have to be configured to get everything to work. And while that’s partially true, it’s not the whole story. As we’ve discussed in previous posts, XenDesktop is extremely flexible in that it allows you to mix and match different kinds of virtual desktops in your environment to best meet the needs of various groups of users. As you bring more kinds of virtual desktops into the mix, you add more infrastructure components to manage them. More infrastructure components = more complexity but also more flexibility.

If you don’t need all that flexibility – if, for example, you just want to deploy “classic” VDI, by which I mean a bunch of virtual PCs running on the hypervisor of your choice – then you don’t need all that complexity, either.

In this video, Dan Feller of Citrix presents a reference architecture for a straightforward VDI deployment of up to 500 users. The video takes about 50 minutes to watch, but it’s worth your time. You’ll learn some interesting things.

For example, you’ll note that Dan is recommending that the XenServers in the XenServer pool that supports the virtual Windows 7 machines should have local disk drives, in a RAID 10 configuration, that will be used for the local host cache for the provisioned Windows 7 systems, for two reasons: First, it’s less expensive than using SAN storage. Second, the limiting factor for how many virtual PCs you will be able to run on a XenServer host is not processing power, and it’s not RAM – it’s IOPS. And he walks you through the calculation of how many functional IOPS the local storage on the XenServer can support, and how many virtual desktops you can therefore reasonably expect to support.
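The IOPS calculation is the part of that video most worth reproducing for your own hardware. The PowerShell below is an added example, not from the post or from Dan Feller’s presentation, and it generalizes the calculation: functional IOPS of a RAID 10 set depend on the raw IOPS of the disks and on the write penalty (a mirrored write costs two back-end operations), and the desktop count follows from a per-desktop steady-state IOPS figure and whatever headroom you choose to keep. Every number in it is an assumption to be replaced with measured values.

```powershell
# Added example (not from the post or the video): functional IOPS of a local
# RAID 10 set and the number of provisioned desktops it can reasonably carry.
# Disk count, per-disk IOPS, read/write mix and per-desktop IOPS are all
# assumptions; measure your own before sizing a host.

function Get-FunctionalIops {
    param(
        [Parameter(Mandatory)][int]$DiskCount,
        [Parameter(Mandatory)][int]$IopsPerDisk,
        [Parameter(Mandatory)][double]$WriteFraction,  # share of I/O that is writes; VDI is write-heavy
        [int]$WritePenalty = 2                          # RAID 10: each write lands on both mirror members
    )
    $raw = $DiskCount * $IopsPerDisk
    # Reads cost one back-end operation, writes cost $WritePenalty, so the
    # front-end IOPS the array can deliver is the raw figure divided by the
    # weighted cost of the workload mix.
    $costPerIo = (1 - $WriteFraction) + ($WriteFraction * $WritePenalty)
    return [math]::Floor($raw / $costPerIo)
}

function Get-SupportedDesktops {
    param(
        [Parameter(Mandatory)][int]$FunctionalIops,
        [Parameter(Mandatory)][int]$IopsPerDesktop,
        [double]$Headroom = 0.8   # keep 20% in reserve for boot and logon storms
    )
    return [math]::Floor(($FunctionalIops * $Headroom) / $IopsPerDesktop)
}

# Assumed host: eight 15k SAS disks in RAID 10, 150 IOPS each, 70% writes.
$functional = Get-FunctionalIops -DiskCount 8 -IopsPerDisk 150 -WriteFraction 0.7
# 1200 raw / (0.3 + 1.4) = 705 functional IOPS
$desktops = Get-SupportedDesktops -FunctionalIops $functional -IopsPerDesktop 10
# 705 * 0.8 / 10 = 56 desktops at steady state
"Functional IOPS: $functional; desktops at steady state: $desktops"
```

The write fraction matters more than anything else here: the same eight disks deliver 1,200 front-end IOPS for a read-only workload and 600 for a write-only one, which is why the video treats IOPS rather than CPU or RAM as the limiting factor for provisioned desktops.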

In fact, my only reservation about this video is that, like just about every other discussion I’ve seen regarding Windows 7 virtualization, it doesn’t mention the Microsoft license activation issue that’s inherent in provisioning Vista and Windows 7 desktops, the need for the Microsoft Key Management Service, and the nuances of getting KMS to work properly. But we’ve pummeled that issue elsewhere in this blog.

So, with that in mind, heeeerrrrrreeee’s Dan (P.S.: the audio doesn’t start until about 15 seconds into the video):

The Cost of a Windows 7 Migration

According to an August 26 Gartner press release, your Windows 7 migration may have a painful impact on your budget. The heart of the problem is summed up in this quote from Gartner managing vice president Charles Smulders:

Corporate IT departments typically prefer to migrate PC operating systems (OSs) via hardware attrition, which means bringing in the new OS as they replace hardware through a normal refresh cycle. Microsoft will support Windows XP for four more years. With most migrations not starting until the fourth quarter of 2010 at the earliest, and PC hardware replacement cycles typically running at four to five years, most organizations will not be able to migrate to Windows 7 through usual planned hardware refresh before support for Windows XP ends.

Because of this time crunch, Gartner says that you really have only one of three options:

  1. Accelerate your PC replacement schedule. This obviously will impact your capital budget.
  2. Upgrade some of your existing PCs. Unfortunately, not all of your PCs are likely to support Windows 7 without some upgrades. In fact, Gartner estimates that 25% of the installed base of PCs will require some kind of hardware upgrade to run Windows 7. Also, unless you’re prepared to stretch out the life of these upgraded PCs beyond your usual upgrade cycle, those users are going to end up being migrated twice, not once, during the next four years. Gartner’s estimate of the migration cost per PC, assuming a large enterprise with 10,000 PCs where all PCs are upgraded: between $1,274 and $2,069, depending on how well-managed the environment is to begin with, which, by the way, is not a heck of a lot less than their estimated migration cost if you do just replace them.
  3. Migrate some users to a “hosted virtual desktop” instead of a new PC.

If you’ve been following this blog for any length of time, you know where we stand on the “hosted virtual desktop” issue. To most people, the term “hosted virtual desktop” refers to a virtual instance of a PC OS (e.g., Windows 7) running on a virtualized infrastructure such as VMware, Hyper-V, or XenServer. However, this is only one way to deliver a virtual desktop to a user. Other ways include:

  • Delivering a shared desktop from a server using Remote Desktop Services and XenApp (we’ve been doing this for years).
  • Streaming the PC OS from a common, shared image to a physical PC across the local area network. (Note that this would still require that the hardware in the physical PC be able to support the new OS.)
  • Streaming the PC OS to a client-side hypervisor (XenClient) so the client device can be disconnected from the network and continue to operate.

We’re also of the opinion that no single one of these approaches will fit all use cases. But the nice thing about Citrix XenDesktop is that you can mix and match any and all of these use cases to the needs of your users, all under a single license model.

It still isn’t going to be inexpensive. As Gartner points out, you have to build the virtual infrastructure to deliver those desktops, which will involve both capital costs and labor costs. Anyone who tells you that VDI will save you money in immediate capital costs compared with buying new PCs is not being straight with you. But you can, according to other studies, save up to 40% in your “Total Cost of Ownership” (“TCO”).

And your other alternatives aren’t inexpensive either. So why not take advantage of this opportunity to change the way you deploy and manage PCs? Take a look at what you can do with XenDesktop today, think about how much easier and less costly your Windows 7 roll out would be if you already had XenDesktop in place, and then think about how much easier and less costly your next major PC upgrade project will be if you deploy XenDesktop now.

Windows 7 is going to impact your budget one way or another. Gartner estimates that if you just decide to accelerate your upgrade cycle, the percentage of your IT budget that you spend on PCs will need to increase somewhere between 20% and 60% in 2011 and 2012. If, as in many organizations, your PC spending accounts for 15% of your overall IT budget, that means that in 2011 and 2012 you’re going to be spending between 18% and 25% of your budget on PCs instead of 15%. And that will impact other projects.

As if that wasn’t bad enough, Gartner also predicts that the demand for “highly qualified Windows 7 migration IT personnel” will exceed supply in 2011 and 2012. Remember those discussions about supply & demand back in Economics 101? Yep, that means that IT labor costs are going to go up. In fact, Gartner predicts that the labor shortage, and higher costs, will persist into 2013 as organizations realize that they’re behind in their planned migration schedule and try to figure out what to do about it.

Mr. Smulders had a recommendation on that as well: “Begin talks with suppliers now about putting in place contracts that can deliver flexible levels of resources at a fixed rate over the migration period.”

If you want to purchase a copy of the full report from Gartner, you can order one through their Web site. Or, if you just want to take Mr. Smulders’ advice, you can reach us at (206) 774-0619, or by email at sales@mooselogic.com, or by using our handy information request form. We’re here to help.

What is Storage Virtualization? (Part 1 of 2)

This is the first of two videos addressing virtual storage and its benefits. There are a number of storage solutions out there on the market, but we have chosen to focus on DataCore for the purposes of this video. DataCore is an iSCSI SAN solution, and you can learn more about their products here.

In part one, we address thin provisioning and virtual volumes. Watching this video will help you understand part 2 of “What is Storage Virtualization” where we talk about how multipathing relates to virtual volumes and contributes to a highly available SAN solution.

Citrix Formally Announces XenClient and XenVault

Yesterday (August 25), Citrix formally announced XenDesktop 4 Feature Pack 2. It’s expected to be available by the end of September, and, of course, will be available at no charge to existing XenDesktop customers whose Subscription Advantage is current. The big news in this Feature Pack is the incorporation of XenClient and XenVault.

We’ve talked a lot about XenClient here, but haven’t said much about XenVault. It’s high time we did, because it’s a pretty cool piece of technology in its own right.

If you’ve used Citrix products in the past, you know that we have administrative control over whether, for example, users who are running applications on a XenApp server are able to save data back to a disk drive on their client device. With the advent of Smart Access (enabled by Access Gateway Enterprise policies), we can get even more granular: we might allow a user to save data to a client drive if they’re connecting from within the protected network, or connecting from a corporate-owned laptop, but deny that same user the ability to do so if they’re connecting from a personal device or public location like a hotel business center.

Unfortunately, once the data is on a client device, you now have a security risk. It could potentially be copied to a USB drive. The corporate laptop could be lost or stolen. (For some of the more high-profile examples, check out the “laptop losers hall of shame.”) Nevertheless, it’s often viewed as a risk we have to take so that our mobile users can be productive.

XenVault, which was first previewed at the Synergy event last May, is designed to address this risk. XenVault is a new plug-in for the Citrix Receiver. As such, its deployment and configuration are controlled through the Citrix Merchandising Server. To quickly review, Merchandising Server is the preferred tool Citrix has provided for installing and configuring client software. The first time a user authenticates to the Merchandising Server (through a simple browser interface), the Citrix Receiver will be pushed down and installed on the client device, together with whatever plug-ins and configuration details the administrator has defined for that user. Subsequently, the Citrix Receiver will check back with the Merchandising Server behind the scenes, and receive any configuration updates that may be available.

The XenVault plug-in creates a secure, encrypted (256-bit AES) storage area on the client hard disk. Typically, any application that is running remotely on a XenApp server or XenDesktop virtual PC will only be able to store data in the secure, encrypted location, if it is allowed to store data on the client drive at all. Same for an application that has been streamed via XenApp for local execution on the client (regardless of whether it was packaged with the Citrix streaming tools or with App-V). While the user will be able to use Windows Explorer to look at the secure location and see what files are there, the user will not be able to copy files from the secure location to a non-secured area of the hard disk, nor open the files with applications other than those specified by the administrator. For a deeper explanation of how this works, see Joe Nord’s blog post on the subject.

If the laptop is lost or stolen, the administrator can issue a “kill pill” that will cause the secure, encrypted area to be locked or deleted the next time the Receiver checks in with the Merchandising Server. Pretty cool.

If you can’t wait until the end of September to try it out, and you have a mycitrix login, you can download the XenVault technology preview now. And keep watching this space, because I’ve got a feeling that this will be a good subject for a future video blog.