Monthly Archives: January 2017

Remote Desktop 2.0 – Management from the cloud

In my first blog post I discussed some of the advantages of moving an app/desktop solution to the cloud. There are many vendors out there, ranging from those that give you full control of the setup to others that provide a finished platform (you can read the first post here –> http://bit.ly/2jNS7Qq ).

In this post I'll go a bit deeper into some of the solutions where the management plane and the data plane are separated. Moving the management plane out of the equation allows for much easier management, since we now only need to focus on the desktop/app servers and ensure that the access path is working. Of course there are other factors, like user profile management and how to handle application delivery if we are using layers and such, but this simplifies things a lot.

There are a few vendors which have this type of approach; the ones I'm focusing on are Citrix with their Cloud offering, VMware with their Horizon Air Hybrid Mode, and Workspot, which provides a cloud-based management tier.

So let’s dig a bit deeper!

Citrix Cloud
Citrix has been pushing Citrix Cloud for some time now, and their architecture reflects the picture above pretty well: Citrix provides the management plane (running in AWS for the time being), and your on-premises setup can run on any type of hardware. You can still leverage PVS if you wish, or use the built-in provisioning mechanisms for existing hypervisors like vSphere, XenServer, SCVMM and so on. As mentioned, they also provide integrations with AWS and Azure.


Citrix Cloud uses a Windows component called a Cloud Connector which handles the interaction between the on-premises resources and Citrix Cloud. Remote access to the environment is granted either using the NetScaler Gateway or using their new cloud offering called NetScaler Gateway Service.

Citrix Cloud pricing is often bundled with other cloud services such as Smart Tools, but the concurrent user cost is $22.50 /user /month with a minimum of 100 users (https://www.citrix.no/products/citrix-cloud/buy.html). There is also a cheaper option called Virtual Desktops.

VMware Horizon Air Hybrid Mode
VMware Horizon Air Hybrid Mode is a new offering which provides cloud-based management. Unlike the others, VMware has also expanded the offering by introducing an on-premises Horizon Air Node, a finished, certified appliance, to ensure that users get consistent performance.


Horizon Hybrid Mode is also set up leveraging AppVolumes and Instant Clones, and combined with a hyperconverged setup this provides a fast provisioning process. Since it leverages AppVolumes it also handles application delivery using layering, which allows for more flexible ways to deliver applications. For some reason this needs to be set up outside of the Horizon Air Nodes. This solution can be used with either the Blast or the PCoIP protocol; PCoIP has a pretty long list of supported endpoints from the thin-client perspective, and VMware also has a lot of supported endpoints for their Horizon clients. Horizon Air is a bit limited in terms of supported on-premises configurations since you need to have the Horizon Air Node, which means that you cannot leverage other finished appliances like Nutanix or other hypervisors.

NOTE: You cannot just use any finished appliance with this setup; you need to follow the checklist here –> http://pubs.vmware.com/horizon-air-hybrid-mode-11/topic/com.vmware.ICbase/PDF/vmware-horizon-air-hybrid-mode-customer-setup-checklist.pdf

Horizon Air Hybrid Mode can be purchased with the additional VMware components, or those can be bought separately. For a concurrent user the price is $26.00 / user / month with a minimum of 100 users (http://vcloud.vmware.com/uk/service-offering/pricing-calculator/horizonairhybrid#/horizon_cloud). They also have named user pricing at $16.40 / user / month.

VMware also has a DR option which allows customers to power on their desktops in vCloud Air for DR purposes. It is important to remember that Horizon Air is not available in all locations, but I'll go a bit deeper into the pure cloud offerings in the next post.

Workspot
Workspot is a pretty new player in the market, started by some of the previous PMs for XenApp, XenDesktop and Horizon, and is focusing on what they call VDI 2.0. Unlike VMware and Citrix, they are not focusing on developing their own protocol but rely on RDP. Leveraging RDP allows support for a large range of endpoints which already have RDP support, like thin clients, Windows, mobile devices and such.


They have built extensions into the protocol and added more features into the client which expand the current RDP functionality. Like Citrix Cloud and Horizon Air, Workspot has a Workspot Enterprise Connector, which runs as a Windows service to interact between the on-premises resources and their management plane.

Workspot also integrates with VPN appliances such as SonicWall, Juniper, Cisco or F5 to deliver secure client access to the desktop & app delivery infrastructure.

Workspot also has provisioning integration with on-premises platforms like Nutanix, System Center and VMware. Workspot does not have any pricing published on their website, so it is difficult to say if it is cheaper or more expensive than the other options.

Traffic Domains vs Admin partitions vs VXLAN for IP segmentation

I've previously written about Admin Partitions on NetScaler, which allow us to logically separate the NetScaler into multiple partitions so that, for instance, departments can manage each of their applications within their own part of the NetScaler. This also safeguards against unwarranted configuration changes. You can read a bit more about admin partitions here –> http://msandbu.org/new-feature-in-netscaler-admin-partitions/

Of course a lot has changed with Admin Partitions since I wrote that article, and with 11.1 many more features are supported in Admin Partitions, which you can see here –> http://docs.citrix.com/en-us/netscaler/11-1/admin-partition/admin-partition-config-types.html

So what about traffic domains? Traffic domains are a way to segment the network traffic of different applications onto a VLAN. This allows, for instance, multiple overlapping IP addresses which can only communicate within their own traffic domain.


So for instance, if in a service provider setup we have customers who want to move existing resources and have IP address segments overlapping with another customer, we can easily bind each customer to a traffic domain to ensure that traffic from the customer1 VIP only goes to the backend servers for customer1 on the specific VLAN it is assigned to.

A traffic domain can be bound to multiple VLANs, but a VLAN cannot be assigned to multiple traffic domains. Again, there is a list of features which are not supported inside a traffic domain: http://docs.citrix.com/en-us/netscaler/11-1/networking/traffic-domains.html

Admin Partitions have the same advantage of allowing overlapping IP address segments, but they also offer better role-based access, and we can specify how much bandwidth and memory a partition may use.


This allows for much better control and management. Partitions can also be managed as an "entity" from MAS, which allows for better central management as well; in fact Citrix recommends using partitions over traffic domains.

Both of these solutions allow overlapping IP segments within a VLAN. A VLAN, however, is a layer 2 feature, which makes it hard to set up in a larger, geographically distributed environment.

VXLAN is another option for IP overlapping: instead of using VLANs, we wrap the layer 2 frames in a VXLAN header, which uses UDP as the transport protocol.

This first of all overcomes the VLAN limit of 4096 segments, and it gives an easier way to stretch layer 2 networks across layer 3 networks. NetScaler supports VXLAN –> http://docs.citrix.com/en-us/netscaler/11-1/networking/vxlans.html
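To make the difference between the two encapsulations concrete, here is an added example (my own illustration, not code from the post or from Citrix) that builds and parses an 802.1Q VLAN tag and a VXLAN-over-UDP encapsulation. It shows where the 12-bit VLAN ID limit of 4096 and the 24-bit VNI come from, and how two customers that both use the same inner IP address stay separate because the VTEP keys on the VNI. All MACs, IPs, VNIs and customer names are constructed sample values.

```python
"""Added example (not from the post): build and parse an 802.1Q VLAN tag and a
VXLAN/UDP encapsulation to show why VXLAN lifts the 4096-segment VLAN limit and
how two tenants with the same overlapping inner IP stay separate by VNI.
All MACs, IPs and VNIs below are constructed sample values."""
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid
MAX_VLANS = 1 << 12          # 12-bit VLAN ID  -> 4096 segments
MAX_VNIS = 1 << 24           # 24-bit VNI      -> 16,777,216 segments


def vlan_tag(vid, pcp=0):
    """4-byte 802.1Q tag: TPID 0x8100 followed by the TCI (PCP, DEI, VID)."""
    if not 0 <= vid < MAX_VLANS:
        raise ValueError(f"VLAN id {vid} does not fit in 12 bits")
    return struct.pack("!HH", 0x8100, (pcp << 13) | vid)


def parse_vlan_tag(tag):
    tpid, tci = struct.unpack("!HH", tag[:4])
    if tpid != 0x8100:
        raise ValueError("not an 802.1Q tag")
    return tci & 0x0FFF


def vxlan_header(vni):
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < MAX_VNIS:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(hdr):
    flags, vni_word = struct.unpack("!B3xI", hdr[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI not valid")
    return vni_word >> 8


def vxlan_encapsulate(vni, inner_frame, src_port=49152):
    """UDP header + VXLAN header + inner Ethernet frame. The outer IP header is
    left to the sending stack; UDP checksum 0 means 'not computed' (allowed on IPv4)."""
    hdr = vxlan_header(vni)
    length = 8 + len(hdr) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, length, 0)
    return udp + hdr + inner_frame


def vxlan_decapsulate(payload):
    """Return (vni, inner_frame) or raise if this is not a VXLAN datagram."""
    _, dst_port, length, _ = struct.unpack("!HHHH", payload[:8])
    if dst_port != VXLAN_UDP_PORT or length != len(payload):
        raise ValueError("not a well-formed VXLAN datagram")
    return parse_vxlan_header(payload[8:16]), payload[16:]


def inner_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Minimal Ethernet II + IPv4 header (no options, no payload); constructed."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip


def inner_dst_ip(frame):
    """Destination IP of the inner frame (Ethernet is 14 bytes, IPv4 dst at offset 16)."""
    return str(IPv4Address(frame[14 + 16:14 + 20]))


def route_to_tenant(payload, tenant_by_vni):
    """Decapsulate and decide which tenant owns the inner destination.
    Overlapping inner IPs are not a problem: the VNI disambiguates them."""
    vni, frame = vxlan_decapsulate(payload)
    return tenant_by_vni[vni], inner_dst_ip(frame)


def segment_capacity():
    """How many distinct segments each scheme can carry."""
    return {"vlan": MAX_VLANS, "vxlan": MAX_VNIS}


if __name__ == "__main__":
    # Two customers both use 10.0.0.10 for a backend; the VTEP tells them apart by VNI.
    tenants = {10001: "customer1", 10002: "customer2"}
    frame = inner_frame("020000000001", "020000000002", "10.0.0.1", "10.0.0.10")
    for vni in tenants:
        print(route_to_tenant(vxlan_encapsulate(vni, frame), tenants))
    print(segment_capacity())
```

The VNI 10001 used here would not even fit in a VLAN tag, which is the whole point: a provider with more than a few thousand customers, or customers spread across sites, has to move the segmentation into the overlay header rather than the 802.1Q tag.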

VXLAN is also a supported option inside an admin partition, but leveraging VXLAN with, for instance, VMware NSX allows for much better separation of overlapping IP segments, since it completely isolates the layer 2 traffic, and traffic leaving the VXLAN domain can be exposed to the public internet using a dedicated public IP. For those who aren't aware, NetScaler MAS can actually be integrated with VMware NSX –> https://docs.citrix.com/en-us/netscaler-mas/11-1/integrating-netscaler-with-nsx-manager.html

Remote Desktop 2.0 Moving end user computing to the cloud!

So this is my tagline for my session at NIC CONF 2017 http://www.nicconf.com/remote-desktop-v20
But since it is a large subject, I also decided to write about it. With the rise of the cloud, customers have a large opportunity in terms of choice when it comes to modernizing the way we provide desktops / apps to end users.

For many, providing an application and desktop delivery solution has been tedious. You needed to plan from scratch most of the time (CPU, memory, disk/IOPS, capacity, GPU), then assess whether the applications could be delivered from this type of solution, and of course you needed the networking infrastructure in place. You had to decide on a vendor, which endpoints to support, and so on. After the solution was set up you needed to maintain it: hardware, servers, updating images, updating the delivery software as well, and on top of that find a way to add the SaaS offerings we want our end users to be able to access easily.

End-user computing overview


As mentioned, introducing the cloud has given us a lot of different advantages.

  • Rent capacity when needed
  • Pay for capacity only when needed
  • Unlimited Scale
  • Access to specific hardware without needing to invest
  • Dedicated resources
  • No need to maintain underlying hardware and hypervisor

These advantages are aimed at making the infrastructure part easier, but we still need to maintain the virtual machines, plan the setup of the software and the remote access, and keep maintaining all of it. The cloud also introduces finished platform services: moving higher up in the stack, the software is already set up, we do some minor configuration such as adding an image with our LOB applications, and we are given access to our applications.

With the introduction of all these different options, I decided to dig a bit deeper into each of them to give you an overview of all the vendors, including features, strengths & weaknesses, and where they position themselves in the cloud stack (IaaS/PaaS/SaaS).


So these are the vendors I’ve decided to focus on, in a kind of research document which I’ve labeled Remote Desktop 2.0 moving it to the cloud.

NOTE: If you have any other vendor which I’ve missed please contact me.

If we look at traditional vendors like Microsoft with RDS and Citrix with XenApp / XenDesktop, delivering them from the cloud is supported in different forms.

Microsoft RDS: Can be set up in Amazon Web Services, Microsoft Azure and even Google Cloud Platform, since all the pieces run inside Windows Server. RDS does not have any particular cloud integrations, but it plays well with Azure: for instance, the connection broker can now use Azure SQL to set up HA connection brokers, and Storage Spaces Direct is supported for RDS profile disks in Azure. I have blogged about setting up an RDS Connection Broker HA SQL database in Azure here –> http://msandbu.org/running-rds-2016-tp5-connection-broker-database-in-azure-ad/

Citrix XenDesktop/XenApp: Can be set up in Amazon Web Services and Microsoft Azure, but not in Google Cloud Platform, which still lacks NetScaler. Citrix, however, has provisioning capabilities built into the platform which allow it to provision resources in either AWS or Azure, and they also have better Office 365 integration with the HDX optimization pack. I have blogged about setting up Azure resources using the built-in MCS provisioning engine here –> http://msandbu.org/delivering-xendesktop-from-microsoft-azure-using-azure-resource-manager/

Looking back at this drawing, setting up RDS or XenApp/XenDesktop in the cloud will give us a lot of control,


and still provide the same native capabilities that RDS and XenDesktop have on-premises, such as endpoint support, management capabilities, protocol support and so on, except that we cannot leverage the hypervisor connectors such as PVS in Citrix and RDS VDI, which integrates with Hyper-V. At least we don't need to worry about storage, compute and the virtualization layer.

Teradici Cloud Connect:
While not providing any full provisioning/management capabilities, Teradici Cloud Connect is also supported in Azure, leveraging for instance the N-series with PCoIP, or in AWS Graphics Workspaces, and it truly shines with PCoIP zero clients that make use of the GPU capabilities. I have blogged about Teradici Cloud Connect before, showing how it leverages the N-series in Azure –> http://msandbu.org/test-run-of-teradici-cloud-access-software-on-azure-n-series/

For many, these types of solutions are the safe options. They give the customer control; the customer can choose which type of resources to use and manage them like regular virtual machines. They still have the advantage of scaling out as needed, but they still need to install agents, and they can use the solution as they have used it before. The one issue I have is that none of these solutions have built-in mechanisms to, for instance, scale down automatically when capacity is not needed, to take advantage of the "pay-for-what-you-use" model of the public cloud. We are also still stuck with the management pieces and components that we need to maintain.

So this first post has been an introduction and a quick overview of some of the vendors; in the second post I will take a closer look at other vendors which have taken a different approach.

NetScaler and basic functions, status of vServers and ICMP ARP operations

When setting up a new NetScaler and migrating virtual servers from an old one to a new one, it is quite common to forget to disable or shut down the older vServers. NetScaler has features to disable different network settings on an IP, so in this post I want to explain what each option does.

In a layer 2 network, the ARP protocol (in an IPv4 network) is responsible for mapping IP addresses to MAC addresses. So if we have a vServer on 192.168.105.200 and we ping it from a host on the same subnet, the host will send an ARP request to get the MAC address for that IP.


So say we have an enabled vServer running on that IP on port 80. If that IP is not in the host's ARP table, what happens when we open a network connection (a browser session to that IP on that port)?

  • ARP will run a broadcast
  • Get the MAC of that IP
  • Initiate a TCP connection to port 80 using HTTP

The next time we open a connection, that MAC address will most likely already be in the host's ARP table and no new ARP request is needed.

So let us say that we want to setup a new NetScaler to replace the old one, and we want to setup a new NetScaler using the same IP address. So I’m guessing that we can just disable the vServer right?


Wrong. What happens is that the IP is still in use and still responds to ARP, but the service running on port 80 is no longer accessible.

Here we can see that NetScaler one and two respond at the same time, even though the service is disabled.


So what if we disable ARP on the VIP on the older NetScaler ?


Yay! Now only one NetScaler responds (provided the ARP cache has been cleaned up; on Windows it takes 2 minutes before the dynamic ARP table is cleared out). If you want to take an old vServer out of service: disable the vServer (the TCP service) first, then disable ARP and ICMP as well, so that the old VIP cannot communicate at all.

What I recommend instead is to define the response parameters of the VIP.


When we set these to ONE_VSERVER, the VIP only responds to ARP and ICMP if at least one vServer attached to the VIP is in state UP. If we then disable a vServer for maintenance, ARP and ICMP are automatically disabled on the VIP, which makes a lot more sense when doing maintenance: if a VIP responds to ICMP but not on the service itself, people tend to start troubleshooting pretty fast.
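Because the difference between "vServer disabled" and "VIP no longer answering" is exactly what bites people during a migration, here is an added example (my own model, not Citrix code or a NetScaler API) of the VIP response rules described above: the per-IP ARP/ICMP on/off switches and the NONE, ONE_VSERVER and ALL_VSERVERS response modes. It lets you check a migration plan on paper, i.e. confirm that exactly one appliance will answer ARP for the shared VIP before you touch the old box. The appliance names and vServer names are constructed; the VIP is the one from the post.

```python
"""Added example (not NetScaler code): a model of the documented VIP response
rules (-arp/-icmp on/off and -arpResponse/-icmpResponse NONE, ONE_VSERVER,
ALL_VSERVERS) used to check a migration plan before touching the old appliance.
Appliance names and vServer names are constructed sample values."""
from dataclasses import dataclass, field

NONE, ONE_VSERVER, ALL_VSERVERS = "NONE", "ONE_VSERVER", "ALL_VSERVERS"


@dataclass
class Vip:
    address: str
    arp: bool = True                 # -arp ENABLED/DISABLED on the IP
    icmp: bool = True                # -icmp ENABLED/DISABLED on the IP
    arp_response: str = NONE         # -arpResponse mode
    icmp_response: str = NONE        # -icmpResponse mode
    vservers: dict = field(default_factory=dict)   # name -> "UP" / "DOWN" / "OUT OF SERVICE"

    def _gate(self, mode):
        """NONE answers regardless of vServer state; ONE_VSERVER needs at least
        one bound vServer UP; ALL_VSERVERS needs every bound vServer UP."""
        states = list(self.vservers.values())
        if mode == NONE:
            return True
        if mode == ONE_VSERVER:
            return any(s == "UP" for s in states)
        if mode == ALL_VSERVERS:
            return bool(states) and all(s == "UP" for s in states)
        raise ValueError(f"unknown response mode {mode}")

    def answers_arp(self):
        return self.arp and self._gate(self.arp_response)

    def answers_icmp(self):
        return self.icmp and self._gate(self.icmp_response)


def arp_responders(appliances, ip):
    """Names of the appliances that would answer an ARP request for `ip`."""
    return sorted(name for name, vips in appliances.items()
                  for v in vips if v.address == ip and v.answers_arp())


def migration_is_safe(appliances, ip):
    """True when exactly one appliance will answer ARP for the VIP."""
    return len(arp_responders(appliances, ip)) == 1


def disable_vserver(vip, name):
    """What 'disable vServer' does to the state the VIP sees."""
    vip.vservers[name] = "OUT OF SERVICE"


if __name__ == "__main__":
    vip = "192.168.105.200"
    old = Vip(vip, vservers={"lb_web_old": "UP"})
    new = Vip(vip, vservers={"lb_web_new": "UP"})
    lab = {"ns-old": [old], "ns-new": [new]}

    disable_vserver(old, "lb_web_old")          # step 1 from the post: not enough
    print(arp_responders(lab, vip))             # ['ns-new', 'ns-old']
    old.arp = old.icmp = False                  # step 2: disable ARP and ICMP on the old VIP
    print(arp_responders(lab, vip))             # ['ns-new']

    # The recommended alternative: ONE_VSERVER ties ARP/ICMP to vServer state.
    old2 = Vip(vip, arp_response=ONE_VSERVER, icmp_response=ONE_VSERVER,
               vservers={"lb_web_old": "UP"})
    disable_vserver(old2, "lb_web_old")
    print(old2.answers_arp(), old2.answers_icmp())   # False False
```

On the appliance itself the settings this models are set per IP, e.g. `set ns ip 192.168.105.200 -arp DISABLED -icmp DISABLED` for the hard switch-off, or `set ns ip 192.168.105.200 -arpResponse ONE_VSERVER -icmpResponse ONE_VSERVER` for the recommended state-driven behaviour; after either change, remember the 2-minute dynamic ARP cache on Windows clients before concluding the old box is still answering.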

VMware Instant Clone Tech Preview for XenDesktop

Some while back, VMware announced the Instant Clone Tech Preview for Citrix XenDesktop, and I've been lucky enough to be part of the tech preview! For those who are not aware of the Instant Clone technology: Instant Clones are similar to MCS machines in that all desktops read from a master disk and write to their own disk, but Instant Clone takes it one step further by doing the same thing with memory. Instant Clones use a feature of vSphere 6 where desktop VMs are forked (that is, Instant Clones are created) off a running VM instead of being cloned from a powered-off VM, which provides savings for provisioning, updates, and memory utilization.

This preview has some requirements. First of all you need to have the latest AppVolumes 2.12 version, XenDesktop 7.8, and of course the Instant Clone bits. (Note that the picture shows XenDesktop 7.9, which I've used in the lab environment.)


Before we start with the Instant Clone configuration we need a XenDesktop controller set up, where we will install the Instant Clone client, which integrates into Citrix Studio, and where we will do the configuration. We also need AppVolumes fully set up and configured (which you can do by following the configuration here –> http://msandbu.org/getting-started-with-vmware-appvolumes/ ).

We also need a Windows 10 VDI VM set up with the Citrix VDA agent, the AppVolumes agent and the Instant Clone agent installed; the Instant Clone agent needs to be configured after the XenDesktop site and the AppVolumes Manager have been configured.

After all the pieces are configured we can continue the setup from the Instant Clone Client on the Citrix Delivery Controller.


First we need to go into the configuration pane and set up the necessary integrations (Active Directory, vCenter, AppVolumes Manager). Step 1: configure Active Directory.


Next we need to configure the Instant Clone Server setup, which points to the AppVolumes Manager server. By default AppVolumes is configured with a self-signed certificate, so if that is the case you will get the warning shown in the screenshot below.


And lastly the vCenter configuration; the same applies there: if vCenter uses a self-signed certificate you will get the same warning message, so just click accept and you are good to go. Next we need to create a master image. Remember that before creating the image you need to take a snapshot of the VDI VM.


Here just enter a name for the image we want to create, specify the IP address of the VDI VM where we took the snapshot, and specify a container path for the instant clones.

Then we specify the NFS datastore where we want the instant clones to be placed, and which snapshot we want to use for the image.


And then we need to publish the image.


This might take some time (10 – 30 minutes). If you encounter any issues (I had a badly configured Active Directory integration here), go back and check the Active Directory integration, or look at the event logs stored under C:\Program Files\VMware\VMware Instant Clone\logs

Next we need to create an Instant Clone pool.

Note that when creating a pool, it takes some time to create a folder in vCenter and a Machine Catalog in Citrix Studio before the pool is ready. So this was part one of setting up Instant Clone for XenDesktop leveraging AppVolumes. In part two I'll show more in depth how it works, with a video showing how fast it manages to spin up virtual machines.

Review of 2016 and goals for 2017

2016 has been an interesting year for me, a lot happening at work and also a lot of stuff happening personally. It has been a great year for me and I’ve been quite lucky with all the cool projects and some new achievements I’ve made so far.

So what happened for me in 2016?

* Moved my blog to Azure –> already up to 40,000 Views (The old one at msandbu.wordpress.com still had over 400,000 views last year)
* Joined as one of the leaders for the Citrix Special Interest Group for Networking (and we have over 350 members and have had two webinars so far)
* Joined the board of the local Citrix User Group in Norway.
* Was awarded with VMware vExpert in January and was then further awarded with VMware NSX later that year
* Was awarded with NVIDIA grid community advisor as one of the founding members.
* Was awarded with Citrix technology advocate
* Was awarded with Avi Networks Aviators
* Joined whatmatrix.com as a category consultant and published the ADC category.
* I wrote two free ebooks on Citrix NetScaler –> http://msandbu.org/books/
* Was reawarded with Veeam Vanguard
* Was rewarded with Microsoft MVP Azure
* Was reawarded with Nutanix Technology Champion
* Joined the KEMP VIP group
* Wrote over 170 blogposts!
* Created a slack channel for NetScaler & Citrix ITpros
* Switched jobs and am now working as a cloud architect for EVRY

I also had numerous speaking engagements.

* NIC Conference
* Citrix User Group Summer conference
* Citrix User Group Autumn conference
* Event with Microsoft Norway
* NetScaler Live Norway
* Dell/EMC Event

So it has been quite the busy year, and when I look back at the year I notice a couple of things.
1: I’ve learned a lot from my previous work around HCI infrastructure, Storage, and redundant networking and L4-L7 security aspects, which is something I’ll always have in my personal toolbox.
2: I’ve focused too little on learning new stuff.

So some of my friends have asked me about my personal new year’s resolution. I have some clear goals in mind on what I want to learn in the upcoming year, so you should expect more blog content around these topics as well.

* Microservices and Containers ecosystem (This is something I’m working more and more around and it’s a really interesting set of topics since it is becoming such a large ecosystem)
* AWS, GCP (I’ve worked a lot with Azure and will continue to do so, but I need to expand my toolset around GCP and AWS more as well and you should too!)
* Taking more time to read stuff properly (one of the things I lack when reading new stuff which constantly pops up in my news feed is to read interesting content properly, I usually tend to scroll through and continue on. So I want to dedicate more time to read interesting content properly)
* Serverless and working more with API interactions, so many cloud features have some form of API and one of the best ways to learn more about a feature is to write against the API of a particular feature so I’m going to spend more time on this.
* Work smarter with better tools (Try to get a common set of tools which I learn to use properly which I can leverage in my day to day work.)

So that’s it! Looking forward to seeing what 2017 brings!

Deploy NetScaler Gateway VPN profile using Microsoft Intune

With the upcoming integration between Intune and NetScaler I decided to take a look at some of the possibilities that are available in the latest build. I've blogged a bit about it before: Intune and NetScaler now support Conditional Access to web applications, but Intune also supports VPN profile deployment for the Citrix NetScaler SSL VPN.

Citrix has two VPN clients, one for iOS and one for Android. The iOS version has supported Intune for about 1 month, but to be able to leverage it on Android you need to join the beta program, which can be found here –> https://play.google.com/store/apps/details?id=com.citrix.CitrixVPN&hl=no ; if you get it from the AppStore you have an option to choose the beta version from there.

Since there is no option to deploy the Android beta app using Intune as of now, this walkthrough will only show the Android client as is (this will of course change when Citrix releases an updated version).

NOTE: This walkthrough requires that your Android device is already enrolled into Intune using the Company Portal.

Since Intune doesn't support linking Android apps from the store, you need to download the APK file, for instance using a site like apkpure –> https://apkpure.com/citrix-vpn/com.citrix.CitrixVPN

Then use the software installer in Intune (yes, it's in Norwegian…): I just choose the type APK and point to the APK file stored locally on my computer.


After you have uploaded it, we can distribute it to our users.


The easiest way to avoid enforcing a deployment is to choose a user-based install and define it as available.


Now we need to configure the VPN Policy within Intune. Go into policies – Configuration Policies – Click Add – Android – VPN Profile. Select Citrix from the connection type.

Define the IP address of the NetScaler Gateway. Even though it is a requirement to define custom data, I haven't found any documentation yet around what kind of data it expects there.

I just set the authentication method to username and password and defined an IP address.
NOTE: The documentation on the Citrix side only started appearing in the last 20 days, so I expect more information to show up there a bit later as well.

After you've created the policy you have to deploy it to your devices.


The profile is applied when the next policy refresh happens on the device, or you can go into the Company Portal and refresh the policies manually.


So after the VPN profiles have been refreshed you can open up the Citrix SSL VPN client and notice that the VPN connection has been created.


So in the next post we will take a closer look at Per-App VPN and Conditional Access leveraging Citrix VPN.