Welcome to TechEdge
Why Use Twitter @ TechEdge?
• Back channel for real-time conversations
• Broadcast key takeaways
• Ask questions
• Event feedback
How to Use Twitter During TechEdge
• Twitter will appear on the projector screen during:
  • Breaks
  • Q&A
• Wireless access code: CTXS_Synergy_TE
• Join the Conversation
  1. Contribute: Include #TechEdgeC as part of each Tweet
  2. Follow: Visit http://search.twitter.com and enter #TechEdgeC
Follow Citrix Tech Support on Twitter
• Join the Conversation and follow Citrix Tech Support: @citrixsupport
• Owner: Mike Stringer - Sr. Director, Americas/India Support
TechEdge 2009
Citrix Delivery Center
Presenters
• Kapildev Ramlal, Sr. Escalation Engineer (XenDesktop, XenApp)
• Keith McLaughlin, Escalation Engineer (Provisioning Server)
• Jacob Maynard, Sr. Escalation Engineer (Access Gateway Enterprise Edition)
• Don Williams, Escalation Manager (NetScaler)
Citrix Delivery Center Intro
Agenda
XenDesktop and XenApp
XenServer
Provisioning Server
Access Gateway Enterprise Edition
NetScaler
Citrix Delivery Center
XenApp
• Citrix XenApp was formerly known as Citrix Presentation Server
• Prior to Citrix Presentation Server, it was known as Citrix MetaFrame, and prior to that, Citrix WinFrame
• It is the heart of Application Virtualization
• It delivers applications as an on-demand service to users anywhere using any device
Introducing Citrix XenApp
• Utilizes a Farm concept
• A server farm is a logical grouping of servers running XenApp that share a data store
Citrix XenApp Architecture
[Diagram: one Data Store shared by XenApp servers in New York, Florida and California]
• Independent Management Architecture (IMA) - Infrastructure for inter-server communication
• A collection of subsystems that control the various features of the Citrix XenApp family of products
• IMA helps in centralized administration of the farm
• Implemented in the form of a Windows Service (managed by the Service Control Manager)
Citrix XenApp Architecture – IMA
What is IMA?
• A subsystem is a DLL (*.dll) file.
• Subsystems allow for a modular plug-in architecture.
• The subsystem DLL files can be found typically in the following directory:
x86 Location
Program Files\Citrix\System32\Citrix\IMA\Subsystems
x64 Location
Program Files (x86)\Citrix\System32\Citrix\IMA\Subsystems
Citrix XenApp Architecture – IMA Subsystems
• The Farm relies on data
• The IMA service is the backbone of the Farm, and is responsible for manipulating the Farm's data
• Each XenApp server runs the IMA service
• There are 2 main forms of data:
• Static Data
  • Data which changes infrequently, such as published applications, Citrix Administrators, Citrix policies, etc.
• Dynamic Data (Dynamic Store)
  • Data which changes frequently, such as connected sessions, etc.
Citrix XenApp Architecture – Farm Data
The Dynamic Store
• The dynamic data is stored in in-memory tables on the Data Collector (Dynamic Store).
• The info can be viewed using the QueryDS.exe utility located in the following directory on the XenApp CD: w2k3\retail\Support\debug\w2k3
Citrix XenApp Architecture – Farm Data
• The Local Host Cache (Static Data)
  • Is a subset of the Data Store containing information required only by that server
  • Allows the server to operate if the Data Store goes down
  • Must exist and be accessible for the IMA Service to start
  • Is an Access database located on every XenApp server in the farm
x86
Program Files\Citrix\Independent Management Architecture\imalhc.mdb
x64
Program Files (x86)\Citrix\Independent Management Architecture\imalhc.mdb
Citrix XenApp Architecture – Farm Data
Citrix XenApp Architecture – IMA Startup
[Diagram: IMA startup sequence]
• The Service Control Manager starts IMASrv.exe, which loads ImaRuntimeSs.dll
• The runtime then loads the required plug-ins (ImaRpcSs.dll, ImaSrvSs.dll, ImaAppSs.dll, MfSrvSs.dll, MfBrowserSs.dll, ImaUserSs.dll, ImaDomain.dll) followed by the product plug-ins (RMAlertsSS.dll, RMMonitorSS.dll, RMSummaryDBSS.dll, ...)
• The PSRequired value under HKLM\Software\Citrix\IMA\Runtime selects where the subsystems load their data from: PSRequired=1 from the Zone Data Collector, PSRequired=0 from the LHC
• A server farm can consist of one or more zones
• A server farm is typically divided into zones when the servers in the server farm are separated geographically
• Each zone has a data collector
• The data collector is responsible for collecting data from member servers and distributing it to other data collectors
• The first server in the zone is designated as the data collector for the zone, by default
Citrix XenApp Architecture - Zones
[Diagram: Web Interface and XML Broker in front of Zone A, Zone B and Zone C]
Citrix XenApp Architecture - Zones
Citrix XenApp Architecture – Change Notification
[Diagram: Access Management Console, Data Store, and the Data Collectors and Member Servers of Zone A and Zone B]
1) A change is made in the management console (CMC), which reaches a member server via TCP port 2513
2) The member server writes the change to the Data Store and forwards the information to its Data Collector via TCP port 2512
3) The DC updates the LHC on the member servers in its zone via TCP port 2512 and forwards the information to all the other DCs
4) The other DCs send the information to their member servers
[Diagram: Client → Web Interface → XML Broker → Active Directory and Member Servers → Data Collector (Data Store, Dynamic Store, LHC); Lists: Servers, Apps, Trusts]
Where to look at each hop:
• IIS Logs
• Network Trace
• CDF Trace
• Verify User Logon Rights
• Event Logs
• Network Trace
• Authentication
• XML Service
• Basic Networking
• CDF Tracing
From Logon to Launch
XenDesktop Setup
Active Directory Integration
• Uses Kerberos to Authenticate DDC to VM traffic
• Desktops discover DDCs
• No Schema change
Active Directory Integration
• Create an OU for XD farm
• Run Active Directory Configuration Wizard
XenDesktop Setup Wizard
• Integrates with Hosting Infrastructure
• Creates multiple virtual desktops
• Integrates with PVS
Pool Management
Services Involved
• Citrix Pool Management Service
• Hosting Infrastructure
  • XenServer Pool Master
  • VMware Virtual Center
  • MS SCVMM
[Diagram: Desktop Delivery Controller running the Pool Management Service → Pool Master → Virtual Machines]
Troubleshooting
• Logging in the Pool Management Service (CTX117452)
• XenServer logs
• CDF Tracing
• XDPing tool
XenServer
XenServer Benefits
Agenda
Provisioning VM with PVS
Live Migration Xenmotion
XenApp Performance
High Availability
Disaster Recovery
Why Virtualize?
• IT flexibility/agility
• Predictable scaling to dynamically respond to business need
• Key part of disaster recovery strategy
• Improve application availability
• Server or data center consolidation
  • Higher utilization leads to greater consolidation
• Promotes greater centralization and security
• "Green Computing"
  • Consume less power, cooling, and real estate
• Support Dev/Test environments
  • Works for both IT shops and development houses
XenMotion – Live VM Movement
• XenMotion allows minimal downtime movement of VMs between physical systems
• Generally 150-200ms of actual “downtime”
• Most of the downtime is related to network switch moving IP traffic to new port
XenMotion Enables Zero Downtime
[Diagram: two hosts attached to the same Shared Storage, with a VM moving between them]
XenApp Optimizations
• Specific performance optimizations for XenApp
• Pre-built VM Templates for installing XenApp on XenServer
Simplifying Disaster Recovery
[Diagram: Production Site and DR Site, each with its own Shared Storage]
1. Automated backup of VM metadata to the SR
2. Replication of the SR includes Virtual Disks and VM metadata
3. Attach the replicated SR at the DR site
4. Restore of the VM metadata recreates the VMs
High Availability
• High availability (HA) provides automatic restarts for VMs in a resource pool
• When HA is enabled:
  • XenServer continually monitors the health of the servers in a resource pool
  • XenServer uses heartbeats on the network and on a storage device (Heartbeat SR) to determine the state of the servers in the resource pool
  • If a server in the resource pool fails, the VMs running on it automatically restart on another server
  • If the master fails, a new server is automatically selected to take over the master role
HA Requirements
Requirements for enabling the HA feature include:
• Shared storage, including at least one iSCSI or Fibre Channel LUN of size 356MiB or greater for the heartbeat storage repository
• A XenServer resource pool
• Adequate licenses on all hosts
• Agile VMs
Note: a separate shared storage setup is required for Metadata
Considerations for HA
• The iSCSI or Fibre Channel LUN is only required for the storage heartbeat.
• Only agile VMs can be protected by the HA feature
• An agile VM:
  • Has its virtual disks on shared storage
  • Does not have a connection to a local DVD drive configured
  • Has its virtual network interfaces on pool-wide networks
Note: It is a good practice to use a bonded management interface on the servers in the pool if HA is enabled, and multipathed storage for the Heartbeat SR
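The three agility rules above are easy to check by hand for one VM and easy to get wrong for a pool of hundreds, and a VM that silently fails one of them is exactly the VM HA will not restart after a host loss. The following is an added example (not XenServer or Citrix code) that applies the three rules to constructed records; the SR, Network, VBD and VM shapes are assumptions standing in for what a script would read from `xe sr-list`, `xe network-list`, `xe vbd-list` and `xe vif-list`.

```python
"""Agile-VM pre-check for XenServer HA, following the three rules on this slide.

Added example, not XenServer code. The SR, network, VBD and VM records are
constructed to stand in for parsed `xe` output; the check itself is the
slide's rules: every virtual disk on a shared SR, no host-local DVD drive
connected, every VIF on a pool-wide network.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SR:
    uuid: str
    shared: bool            # the SR's `shared` parameter


@dataclass
class Network:
    uuid: str
    pool_wide: bool         # present on every host in the pool


@dataclass
class VBD:
    vbd_type: str           # "Disk" or "CD"
    vdi_sr: str = ""        # SR uuid of the attached VDI; "" when a CD drive is empty

    @property
    def empty(self) -> bool:
        return self.vdi_sr == ""


@dataclass
class VM:
    name: str
    vbds: List[VBD] = field(default_factory=list)
    vif_networks: List[str] = field(default_factory=list)   # network uuids


def agility_problems(vm: VM, srs: Dict[str, SR], nets: Dict[str, Network]) -> List[str]:
    """Return why `vm` is not agile; an empty list means HA can protect it."""
    problems: List[str] = []
    for vbd in vm.vbds:
        if vbd.vbd_type == "CD":
            # An empty virtual CD drive is fine; media from a host-local DVD SR pins the VM to that host.
            if not vbd.empty and not srs[vbd.vdi_sr].shared:
                problems.append(f"CD drive connected to local SR {vbd.vdi_sr}")
        elif not srs[vbd.vdi_sr].shared:
            problems.append(f"virtual disk on non-shared SR {vbd.vdi_sr}")
    for net in vm.vif_networks:
        if not nets[net].pool_wide:
            problems.append(f"VIF on host-local network {net}")
    return problems


def ha_report(vms: List[VM], srs: Dict[str, SR], nets: Dict[str, Network]) -> Dict[str, List[str]]:
    """Map each VM name to its list of agility problems."""
    return {vm.name: agility_problems(vm, srs, nets) for vm in vms}


# Constructed pool: one iSCSI SR shared by all hosts, one local SR and the DVD SR of host1.
SRS = {
    "sr-iscsi": SR("sr-iscsi", shared=True),
    "sr-local-host1": SR("sr-local-host1", shared=False),
    "sr-dvd-host1": SR("sr-dvd-host1", shared=False),
}
NETS = {
    "net-bond0": Network("net-bond0", pool_wide=True),
    "net-host1-internal": Network("net-host1-internal", pool_wide=False),
}
VMS = [
    VM("xenapp-01", [VBD("Disk", "sr-iscsi"), VBD("CD")], ["net-bond0"]),
    VM("build-01", [VBD("Disk", "sr-local-host1")], ["net-bond0"]),
    VM("pvs-target-01", [VBD("Disk", "sr-iscsi"), VBD("CD", "sr-dvd-host1")], ["net-bond0"]),
    VM("lab-01", [VBD("Disk", "sr-iscsi")], ["net-bond0", "net-host1-internal"]),
]

if __name__ == "__main__":
    for name, problems in ha_report(VMS, SRS, NETS).items():
        print(f"{name:14} {'agile' if not problems else '; '.join(problems)}")
```

Only xenapp-01 comes back agile: the other three each break exactly one rule (local SR, host DVD media, host-internal network), which is the report to review before turning on HA restart protection for a VM.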
Configuring HA (XenCenter)
1. Verify the storage repository is compatible and is attached to the XenServer pool
2. Click on an entry for your resource pool in XenCenter. The HA tab appears in the main view.
3. If HA is configured, an overview of the system status displays. If not, a message appears stating HA is not enabled. Click Configure HA.
Configuring HA: High Availability Wizard (XenCenter)
4. Click Next after the High Availability dialog opens
5. Select a storage repository and click Next
6. Specify restart protection levels and click Next
7. Click Finish
Host Fencing
• If a server failure occurs, the XenServer self-fences to ensure that the VMs are not running on two servers simultaneously
• Server failure examples:
  • Loss of network connectivity
  • A problem with the control stack
• When a fence action is taken, the server immediately is restarted, causing all of the VMs running on it to stop. The other servers detect the VMs are no longer running and the VMs are restarted according to the assigned priorities. The fenced-server enters a reboot sequence and when it has restarted, it attempts to rejoin the resource pool
High Availability – XenServer Host
• Three Components
  • High Availability recovery plans, created at startup and stored in state.db
  • Storage heartbeat to the Quorum VDisk
  • Network heartbeat over the management interface
[Diagram: Servers 1, 2 and 3 with (1) a heartbeat to the SR, whose Quorum Database sits on the SAN alongside the VDIs, (2) a heartbeat over the network, and (3) recovery plans in state.db]
High Availability – XenServer Host
• Peer Based – Enable recovery plan
  • Servers 2 and 3 have not heard from Server 1 on the network
  • Servers 2 and 3 have not seen an update from Server 1 on the Quorum disk
• Self-Aware – Assume the HA plans are in play
  • Server 1 cannot see the Quorum disk
  • Server 1 has not heard from Server 2 or Server 3
  • Self fence: VMs are expected to be started elsewhere
[Diagram: Servers 1, 2 and 3, the Quorum Database on the SAN with the VDIs, and state.db]
• High Availability in the hypervisor
  • Kernel mode
  • Direct control over local interfaces
  • Never out of resources
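The point of the two decision rules above is the AND: a host is only written off by its peers when both the network heartbeat and the quorum-disk update have stopped, and it only fences itself when it has lost both the quorum disk and every peer. The following is an added example (not XenServer's HA daemon, which makes further decisions this does not reproduce) that encodes just those two rules and runs them over a constructed three-host pool; the host names, timestamps and the 30-second timeout are assumptions.

```python
"""Two-heartbeat liveness rules for XenServer HA, as described on this slide.

Added example, not XenServer's own HA code. It encodes only the slide's
rules: peers enable a host's recovery plan when BOTH the network heartbeat
and the quorum-disk update from that host are stale; a host self-fences
when it BOTH cannot see the quorum disk AND has not heard from any peer.
Host names, timestamps and the timeout are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

HEARTBEAT_TIMEOUT = 30.0   # seconds; an assumption, not the product default


@dataclass
class HostView:
    """What one host has observed: last network heartbeat and last quorum-disk update per peer."""
    name: str
    net_last_heard: Dict[str, float] = field(default_factory=dict)
    disk_last_seen: Dict[str, float] = field(default_factory=dict)
    quorum_disk_visible: bool = True

    def network_stale(self, peer: str, now: float, timeout: float = HEARTBEAT_TIMEOUT) -> bool:
        return now - self.net_last_heard.get(peer, float("-inf")) > timeout

    def disk_stale(self, peer: str, now: float, timeout: float = HEARTBEAT_TIMEOUT) -> bool:
        return now - self.disk_last_seen.get(peer, float("-inf")) > timeout


def peers_enable_recovery_plan(views: List[HostView], target: str, now: float) -> bool:
    """Peer-based rule: every other host sees BOTH heartbeats from `target` stale."""
    peers = [v for v in views if v.name != target]
    return bool(peers) and all(v.network_stale(target, now) and v.disk_stale(target, now) for v in peers)


def should_self_fence(view: HostView, all_hosts: List[str], now: float) -> bool:
    """Self-aware rule: quorum disk gone AND no network heartbeat from any peer."""
    if view.quorum_disk_visible:
        return False
    return all(view.network_stale(p, now) for p in all_hosts if p != view.name)


def _pool(now: float, server1_net_ok: bool, server1_disk_ok: bool) -> List[HostView]:
    """Constructed three-host pool; Server 1's heartbeats are 5 s or 300 s old as requested."""
    fresh, stale = now - 5.0, now - 300.0
    s1_net = fresh if server1_net_ok else stale
    s1_disk = fresh if server1_disk_ok else stale
    return [
        HostView("server1", {"server2": s1_net, "server3": s1_net},
                 {"server2": s1_disk, "server3": s1_disk}, quorum_disk_visible=server1_disk_ok),
        HostView("server2", {"server1": s1_net, "server3": fresh}, {"server1": s1_disk, "server3": fresh}),
        HostView("server3", {"server1": s1_net, "server2": fresh}, {"server1": s1_disk, "server2": fresh}),
    ]


def scenario(server1_net_ok: bool, server1_disk_ok: bool, now: float = 1000.0) -> Dict[str, bool]:
    """Evaluate both rules for Server 1 under the given heartbeat conditions."""
    views = _pool(now, server1_net_ok, server1_disk_ok)
    names = [v.name for v in views]
    return {
        "peers_enable_recovery_plan": peers_enable_recovery_plan(views, "server1", now),
        "server1_self_fences": should_self_fence(views[0], names, now),
    }


if __name__ == "__main__":
    print("management NIC unplugged, SAN path fine:", scenario(False, True))
    print("host fully isolated (no network, no SAN):", scenario(False, False))
```

The first scenario is the one that matters: a host that lost only its management network keeps updating the quorum disk, so its peers do not restart its VMs on top of the still-running originals, and it does not reboot itself. Only the second scenario, where both channels are dead, leads to the recovery plan and the self-fence described on the slide.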
Citrix Provisioning Server
Agenda
How does Provisioning resolve these issues?
Common Issues and Best Practices
What Active Directory issues arise when streaming a vDisk?
[Diagram: four target devices streamed from the same vDisk, each booting with the same hostname TD1]
Two main Streaming concerns with AD
[Diagram: Domain Controller, PVS Server and SQL Database]
Two main Streaming concerns with AD
• Unique Hostnames
• Machine Account Creation
[Diagram: Machine Account Creation: the PVS Server adds Target1 to the domain, then Target1 boots]
[Diagram: Reset Machine Account Password (manually from the console): the PVS Server resets the Target1 key on the Domain Controller, then Target1 reboots]
[Diagram: Machine Account Password Reset (automatic): when Target1 boots, the PVS Server checks the Target1 password expiration and resets the password when it has expired]
Common Issues Best Practices
• Make the target device name unique
• Disable local machine account password changes on the target (the PVS server manages the machine account password reset)
• Do not add the target devices very deep in the Active Directory tree
Access Gateway Enterprise Edition
Access Gateway - Features
• Authentication, Authorization, Auditing
• Clients
• High Availability
• User Experience
• Administration, Scalability
• Endpoint Analysis
Access Gateway Enterprise Edition: XenDesktop Integration
XenDesktop Integration
AGEE Theory
User Experience
• Access choices delivered to the user are based on SmartAccess policies & EPA results
Access Gateway Authentication Disabled, No EPA, ICA Proxy On
[Diagram: User → (HTTPS) → Access Gateway → (HTTP(S)) → Web Interface 5.0 → (XML) → Desktop Delivery Controller; the session runs as ICA + SSL from the User to the Access Gateway and as ICA/CGP from the Access Gateway to the Virtual Desktops]
Access Gateway Authentication Enabled, EPA Enabled, ICA Proxy On
[Diagram: User → (HTTPS) → Access Gateway → (HTTPS - SSO) → Web Interface 5.0 & Desktop Delivery Controller (XML); the session runs as ICA + SSL from the User to the Access Gateway and as ICA/CGP from the Access Gateway to the Virtual Desktops]
Access Gateway Authentication Enabled, EPA Enabled, Access Gateway client (ICA Proxy Off)
[Diagram: User → (HTTPS) → Access Gateway → (HTTPS - SSO) → Web Interface 5.0 & Desktop Delivery Controller (XML); the session runs as ICA + SSL from the User to the Access Gateway and as ICA/CGP from the Access Gateway to the Virtual Desktops]
Access Gateway Enterprise Edition: XenApp Integration
XenApp Integration: External / DMZ / Internal
[Diagram: Remote End User (External) → VIP on the Access Gateway (DMZ, with NSIP and SNIP or MIP) → Web Interface, DNS, LDAP/LDAPS and XenApp (Internal)]
Ports and IP rules:
• Remote End User → VIP: 443, 80* (HTTP/TCP); * port 80 is used for the HTTPS redirect
• NSIP (NetScaler management access): 443, 80 (TCP/HTTP), 3010, 3008, 22 (TCP)
• NSIP → DNS: 53 (UDP)
• NSIP → LDAP/LDAPS: 389/636 (TCP)
• SNIP or MIP → Web Interface: 443, 80 (TCP/HTTP)
• SNIP or MIP → XenApp: 80, 8080, 443 (HTTP/TCP) and 1494, 2598 (TCP)
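Most of the "it worked in the lab" failures on this page come down to one of the listed ports being dropped by an IP rule between two tiers, and the same is true of the IMA change-notification ports (2513 from the console to a member server, 2512 between member servers and Data Collectors) on the XenApp slides. The following is an added example, not Citrix code, that probes each flow from the source side and, importantly, tells a refused connection (host reachable, service down) apart from a silent timeout (a firewall or NetScaler IP rule dropping the SYN). The hostnames are placeholders; the port numbers are the ones the slides give.

```python
"""TCP reachability check for the flows on this page.

Added example, not Citrix code. The port numbers are the ones the slides
give (IMA change notification on 2513/2512; Access Gateway and NetScaler
rules for 443/80, 636, 80/8080/443, 1494/2598); every hostname below is a
placeholder. Run it on the host that is the source of each flow, because
IP rules are evaluated per source address.
"""
import socket
from typing import Dict, List, Tuple

# (description, destination host, TCP port). Hostnames are assumptions.
FLOWS: List[Tuple[str, str, int]] = [
    ("management console -> member server (IMA)",     "xenapp01.corp.example", 2513),
    ("member server -> zone data collector (IMA)",    "zdc01.corp.example",    2512),
    ("remote user -> Access Gateway VIP",             "vpn.example.com",        443),
    ("NSIP/SNIP -> Web Interface",                    "wi01.corp.example",      443),
    ("NSIP/SNIP -> LDAPS",                            "dc01.corp.example",      636),
    ("SNIP/MIP -> XenApp XML Service",                "xenapp01.corp.example",   80),
    ("SNIP/MIP -> XenApp ICA",                        "xenapp01.corp.example", 1494),
    ("SNIP/MIP -> XenApp CGP (session reliability)",  "xenapp01.corp.example", 2598),
]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect attempt.

    'refused' (RST) means the host is reachable and nothing listens, i.e. the
    service is down; 'timeout' usually means a firewall or NetScaler IP rule
    is silently dropping the SYN; 'unresolved' points at DNS, which the
    diagram lists as its own hop.
    """
    try:
        family, socktype, proto, _, addr = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "unresolved"
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "open"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "unreachable"   # no route, network down, etc.


def check_flows(flows: List[Tuple[str, str, int]], timeout: float = 2.0) -> Dict[str, str]:
    """Probe every flow and return description -> state."""
    return {desc: tcp_probe(host, port, timeout) for desc, host, port in flows}


def selftest() -> Dict[str, str]:
    """Exercise tcp_probe offline against a constructed local listener and a closed local port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # nothing listens on this port now
    try:
        return {"open": tcp_probe("127.0.0.1", open_port, 1.0),
                "closed": tcp_probe("127.0.0.1", closed_port, 1.0)}
    finally:
        listener.close()


if __name__ == "__main__":
    for desc, state in check_flows(FLOWS).items():
        print(f"{state:>10}  {desc}")
```

Run it from the NetScaler's subnet (or from the SNIP/MIP host it proxies for) for the DMZ-to-internal rows and from the console host for the IMA rows; a row that reports `timeout` where the slide says the port must be open is the IP rule to go and look for.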
SmartAccess for XenApp with Access Gateway
[Diagram: Authentication → WI SSO Transaction → XenApp Application List]
• Policy Evaluation
  • Session Policy Expression
  • Session Profile
  • Client Security Check
• True policies get sent to XenApp as SmartAccess criteria
  • Policy Name
  • VServer Name
• XenApp filters by SmartAccess criteria
  • Published Apps
  • XenApp Policies
Resulting access levels (diagram):
• Global Access = Full Access (All Applications & Virtual Channels) + Full Network Access
• Reduced Access = Reduced Applications & Virtual Channels + Restricted network access
• Restricted Access = Clientless Portal and Email Access
• Denied Access = SnR Security Remediation Web Site
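The SmartAccess flow above is a string match at the end: XenApp only ever sees the (VServer name, policy name) pairs for policies that evaluated True, and it compares them against the filters configured on each published application. The following is an added example, not Citrix code, that models that flow end to end with constructed session policies (NetScaler expressions are stood in for by Python predicates), constructed EPA results and a constructed application list; the policy, vserver and application names are assumptions.

```python
"""SmartAccess filtering model: from the client security check to the application list.

Added example, not Citrix code. It follows the flow on the slides: session
policy expressions are evaluated against the endpoint analysis (EPA)
result; the names of the policies that evaluate True, paired with the
VServer name, are passed to XenApp as SmartAccess criteria; XenApp then
shows only published applications whose access-control filters match. The
policies, EPA attributes and published applications are constructed, and
NetScaler policy expressions are modelled as Python predicates.
"""
from typing import Callable, Dict, List, Set, Tuple

EpaResult = Dict[str, bool]
Filter = Tuple[str, str]          # (vserver name, session policy name)

# Session policies bound to the Access Gateway virtual server (constructed).
SESSION_POLICIES: Dict[str, Callable[[EpaResult], bool]] = {
    "pol_corp_device": lambda r: r.get("domain_member", False) and r.get("av_running", False),
    "pol_av_only":     lambda r: r.get("av_running", False),
    "pol_any_device":  lambda r: True,
}

# Published apps and the filters that grant access; an empty set means no SmartAccess restriction.
PUBLISHED_APPS: Dict[str, Set[Filter]] = {
    "Outlook Web":  set(),
    "SAP GUI":      {("vs_agee_ext", "pol_corp_device")},
    "Finance DB":   {("vs_agee_ext", "pol_corp_device")},
    "Intranet":     {("vs_agee_ext", "pol_av_only"), ("vs_agee_ext", "pol_corp_device")},
}


def evaluate_policies(vserver: str, epa: EpaResult,
                      policies: Dict[str, Callable[[EpaResult], bool]]) -> Set[Filter]:
    """Access Gateway side: the (vserver, policy) pairs for every policy that evaluates True."""
    return {(vserver, name) for name, expr in policies.items() if expr(epa)}


def filter_apps(filters: Set[Filter], apps: Dict[str, Set[Filter]]) -> List[str]:
    """XenApp side: keep apps with no filter requirement, or with at least one matching filter."""
    return sorted(name for name, required in apps.items() if not required or required & filters)


def application_list(vserver: str, epa: EpaResult) -> List[str]:
    """The list the user sees after the WI SSO transaction."""
    return filter_apps(evaluate_policies(vserver, epa, SESSION_POLICIES), PUBLISHED_APPS)


if __name__ == "__main__":
    print("managed device:    ", application_list("vs_agee_ext", {"domain_member": True, "av_running": True}))
    print("home PC with AV:   ", application_list("vs_agee_ext", {"domain_member": False, "av_running": True}))
    print("vserver name typo: ", application_list("vs_agee_ext_typo", {"domain_member": True, "av_running": True}))
```

Two things the third run makes visible: because XenApp matches on the VServer name as well as the policy name, a mismatch between the name on the NetScaler and the name in the application's access control fails closed (only the unrestricted app remains), which is the first thing to check when a user "loses" applications after a vserver rename. The opposite risk is a catch-all policy like pol_any_device being used as an application filter, which fails open for every endpoint that passes authentication.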
Troubleshooting: Potential Issue Areas
[Diagram: Remote End User (External) → VIP / NSIP / SNIP or MIP (DMZ) → WI, XenApp + STA, LDAP/LDAPS and DNS (Internal)]
Problem Types (as grouped on the diagram):
• Authentication: 1- Auth Svr Settings 2- NS Trace 3- aaad.debug; Security Event Log on the DC (LDAP or IAS)
• Authorization: 1- Auth Settings 2- NS.log
• Smart Access: 1- Profile Settings 2- NetScaler Trace
• WI: 1- WI Site Settings 2- WI Trace 3- Event Log; XML Settings / STA Logging; STA path on WI
• STA: 1- NS Trace 2- STA Monitor (newnslog); ICA file - ID
• AGEE: nssslvpn.txt
• DNS and LDAP/LDAPS (TCP 389/636): Ports and IP rules
Access Gateway Enterprise Edition: NetScaler Integration
NetScaler Integration
Potential Gotchas with ICA Proxy and GSLB
• Host a wildcard certificate on the VPN VIP
• Configure each WI Server with a unique FQDN for the VPN Virtual Server
• Must host 3 publicly resolvable Address Records:
  1. vpn.yourcompany.com
  2. site1.yourcompany.com
  3. site2.yourcompany.com
NOTE: Not an issue when running the VPN Client
NetScaler
Problem: Typical Deployment without Citrix NetScaler
1. Web Interface does not provide intelligent XML service monitoring
2. Web Interface is not redundant
3. No site redundancy
4. No link redundancy
Solution: Smart Monitoring
• Monitoring provides alerting
• Verify XML Service application enumeration and response time
• Verify Web Interface is serving a legitimate response
Solution: High Availability
• Component High Availability and Load Balancing
• XML Service
• Web Interface
Solution: Link Load Balancing
Redundant ISP links
Solution: Business Continuity (GSLB)
Highly available and load balanced sites
What happens if there is a failure?
• XML Service
• Web Interface
• AGEE
• NetScaler
• Internet Link
• Data Center
• If you complete the survey, you will be entered to win the $250 Amazon gift card. The winner will be announced May 29th
• TechEdge survey link: http://www.citrix.com/techedgesurvey
• Link will also be emailed to all attendees
• The TechEdge PPTs will be posted on the Knowledge Center by Tuesday, May 5th
TechEdge Survey & Posting of PPTs
Continue Your Learning
Authorized Citrix training is highly recommended as a next step to experiencing the full potential of your Citrix solution. Visit www.citrixeducation.com to view a complete list of course offerings and learn how to validate your technical skills with an industry-recognized Citrix Certification.