Citrix XenDesktop White Paper. How to provide unmatched availability, performance and security for Citrix XenDesktop.


Introduction

Enterprise networks have traditionally been designed to optimize the delivery of applications running within the boundaries of the corporate datacenter. However, the focus of IT is now changing. Rather than building and operating monolithic enterprise applications, companies are aggregating combinations of internally developed and externally sourced services and managing their delivery to the business. In other words, IT is transforming into an internal provider of services to the business.

One of the major trends responsible for this transformation is cloud computing. Whether it's implementation of a private cloud where all data and run-time applications remain in house, broader consumption of applications hosted using the Software-as-a-Service (SaaS) model or a hybrid cloud configuration where Infrastructure-as-a-Service (IaaS) resources are used to extend the corporate datacenter, the result is the same: there's now greater emphasis on services.

Among the more critical services in many enterprises is the virtual desktop. Leading desktop virtualization solutions such as Citrix XenDesktop allow today's enterprises to resolve the persistent cost and management challenges that plague traditional desktop computing. By enabling centralized administration, single instance management and delivery of desktops as an on-demand service, XenDesktop not only reduces desktop ownership and operating costs but also increases business agility, strengthens data protection and provides users with a uniform experience from any location, on any device.

Fully realizing the benefits of XenDesktop, however, is not automatic or guaranteed. It requires an organization's network and datacenter to be equipped to accommodate desktop virtualization, which inherently demands more resources than conventional desktops. This demand necessitates ensuring the availability, performance, security and manageability of the entire service, a set of objectives for which Citrix NetScaler, Citrix Branch Repeater and Citrix Access Gateway are ideally suited.

This paper explains how enterprise IT can use this powerful combination of Citrix networking solutions to establish a service delivery network that optimizes and secures XenDesktop, resulting in a successful deployment that yields the best user experience. [1]

Ensure availability

Conventional desktop environments run on each user's local device, but virtual desktops rely heavily on network connectivity and centralized hosting infrastructure. With this shared infrastructure, any failures could impact large numbers of users. Resilience is key to the quality of your XenDesktop implementation, to protect not only against events that impact individual components, but against disasters that cause site-level outages too.

Citrix NetScaler, an advanced application and service delivery solution, incorporates a trio of capabilities to help you meet these requirements and guarantee users always-on access to desktop resources. Available as a high-performance hardware appliance or flexible software-based virtual appliance, NetScaler offers high availability, health monitoring and disaster recovery for your XenDesktop environment.

[1] The transformation from application delivery to service delivery. Citrix white paper 2011.

High availability for critical XenDesktop elements. In the event that a XenDesktop service fails, NetScaler load-balancing capability dynamically routes XenDesktop traffic to alternate servers that are configured as part of a managed pool. In this way, NetScaler automatically addresses both unanticipated failures and scheduled downtime for:

- Critical XenDesktop front-end components, such as Web Interface servers and Desktop Delivery Controllers (DDCs)
- Important supporting services such as file transfer, licensing, provisioning and management servers
- Optional downstream components, such as separate Web Interface and XML Broker servers for Citrix XenApp, which can be deployed to incorporate application virtualization as part of the overall solution

NetScaler ensures availability and proper behavior of critical XenDesktop components

XenDesktop health monitoring for proactive failure management. Operating in concert with the product's core load-balancing capabilities, NetScaler health checks proactively determine the status of key solution components. XenDesktop, for example, is rendered inoperable if Web Interface and/or the DDC are not available to enable user authentication, desktop enumeration and launch services. It is not sufficient, though, to simply ping respective servers. Such an approach confirms that a network connection is available and that underlying server hardware is up and running, but does nothing to determine the state of higher-level services and software. This is why NetScaler includes extended content verification checks to establish both the availability and proper operation of numerous software routines and system-level components, including ASP.net and essential logon, pool management, controller and database services.

Disaster recovery for XenDesktop. NetScaler includes robust global server load balancing that provides seamless disaster recovery for XenDesktop users. If a XenDesktop site becomes unavailable for any reason, users can automatically be directed to an alternate datacenter to access their desktops. For users previously constrained by fixed desktops, this represents an unprecedented capability: they can be up and running again almost immediately in the event of a site-level outage. This benefit must be balanced, however, with the amount of data replication and storage required to maintain currency at the backup site, a consideration that generally makes such a DR configuration best suited for task workers and other users who do not need customized, persistent desktops.
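The health-monitoring point above, that a reachability probe cannot see a broken service behind a live port, can be shown with a small added example (not part of the original white paper and not NetScaler code). The simulated logon page, its `id="logon-form"` marker and all function names are constructed for illustration.

```python
import socket
import socketserver
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler

# Constructed marker: assumed to appear only on a working logon page.
EXPECTED_MARKER = b'id="logon-form"'
# Ignore any proxy settings so the probe talks to the backend directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def tcp_check(host, port, timeout=2.0):
    """Ping-style probe: passes if the port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def content_check(url, marker=EXPECTED_MARKER, timeout=2.0):
    """Content verification: require HTTP 200 and the expected marker."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status == 200 and marker in resp.read()
    except (urllib.error.URLError, OSError):
        return False


class FakeLogonPage(BaseHTTPRequestHandler):
    """Simulated front-end server whose behaviour depends on server.state."""

    def do_GET(self):
        state = self.server.state
        if state == "ok":
            code, body = 200, b'<html><form id="logon-form"></form></html>'
        elif state == "maintenance":  # answers 200 but cannot log anyone on
            code, body = 200, b"<html>Down for maintenance</html>"
        else:  # "error": web server is up, application layer is failing
            code, body = 500, b"<html>Server Error in '/' Application.</html>"
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Probe four simulated backends; return {state: {"tcp": b, "content": b}}."""
    results, servers = {}, []
    try:
        for state in ("ok", "error", "maintenance"):
            srv = socketserver.TCPServer(("127.0.0.1", 0), FakeLogonPage)
            srv.state = state
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            servers.append(srv)
            host, port = srv.server_address
            results[state] = {"tcp": tcp_check(host, port),
                              "content": content_check(f"http://{host}:{port}/")}
        # "down": a port that was just released, so nothing is listening.
        probe = socket.socket()
        probe.bind(("127.0.0.1", 0))
        host, port = probe.getsockname()
        probe.close()
        results["down"] = {"tcp": tcp_check(host, port),
                           "content": content_check(f"http://{host}:{port}/")}
    finally:
        for srv in servers:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for state, outcome in run_demo().items():
        print(f"{state:12} tcp={outcome['tcp']!s:5} content={outcome['content']}")
```

Only the `down` backend fails the TCP probe; the `error` and `maintenance` backends would stay in a pool that relied on reachability alone.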

By taking advantage of intelligent monitors and policies, IT can also configure NetScaler to routinely direct users of standard, non-persistent desktops to different sites based on administrator-selected priorities such as proximity, resource utilization levels or overall performance. Because they are now utilized during normal operating conditions, secondary facilities are more fully leveraged, while users consistently receive the best available performance.

Enable multi-site XenDesktop deployments transparently to users. Automatically route users to the nearest and most available datacenter.

Optimize your user experience

Whether XenDesktop is accessed locally or across the WAN, virtual desktop performance must be comparable to operation of a classic desktop. All facets of the user experience, including logon, application usage and printing, must be fast and seamless so users embrace their virtual desktops and enterprises fully realize return on investment and other associated benefits of desktop virtualization.

Accelerating virtual desktops for branch office and mobile users

Branch Repeater is a service optimization solution that enables desktop and application centralization without compromising the high-definition experience users have come to expect. Available as a physical appliance, virtual appliance or software plug-in for Citrix Receiver, the XenDesktop client, Branch Repeater optimizes the experience for both branch and mobile users by accelerating traffic, reducing bandwidth and providing administrators with integrated visibility and control of network usage. Custom-tailored to support XenDesktop, Branch Repeater delivers performance improvements for all FlexCast delivery models to ensure an unrivaled experience across the WAN and provides invaluable insight for monitoring and maintaining related SLAs.

Branch Repeater enhances the performance of all TCP-based applications and services, including XenDesktop, using a comprehensive set of highly complementary optimization technologies. The inclusion of specific optimizations for ICA, the XenDesktop delivery protocol, further ensures superior results when compared with any other WAN optimization product.

Adaptive TCP flow control. Designed to overcome networks characterized by high packet loss rates and high latency, this technology employs a collection of standards-based techniques to bypass conservative, default TCP flow control settings to more thoroughly utilize available bandwidth.

Adaptive compression. Depending upon the type of traffic being sent and prevailing network conditions, Branch Repeater dynamically selects among multiple compression, caching and data de-duplication algorithms to dramatically reduce bandwidth consumption. Intimate knowledge of ICA and direct communication with XenDesktop server processes ensure optimal treatment down to the level of individual virtual channels. It also helps overcome a masking effect where the ICA protocol can make repeat data appear unique, a condition that significantly reduces the effectiveness of less-capable WAN optimization solutions when supporting XenDesktop.

Adaptive protocol acceleration. This technology orchestrates with XenDesktop to provide intelligent acceleration of ICA by sensing and responding to network and traffic conditions. Latency mitigation is provided by eliminating unnecessary round trips for ICA and several other application protocols. These include HTTP/HTTPS, CIFS, MAPI, FTP, NFS and more, some of which are utilized during negotiation of virtual desktop sessions and delivery of desktops and applications that are streamed instead of hosted.

Traffic prioritization and control. Branch Repeater uniquely supports classification and prioritization of discrete workflows within each XenDesktop session. As a result, interactive traffic such as screen refreshes and mouse movements can be given preference over traffic associated with file downloads or printing. Maximum bandwidth utilization is also ensured: the priority queuing engine that reserves a configured percentage of bandwidth for each class of traffic, or queue, automatically makes any unused capacity available to other queues that need it.

Only Branch Repeater can prioritize and control individual published applications and workflows within XenDesktop virtual channels

Branch staging of streamed applications. The ability to pre-position XenApp streamed applications locally in branch offices significantly reduces access and download times, while automatic synchronization ensures users always get the latest, fully patched and updated version of each application.

Another major strength of Branch Repeater is seamless deployment. No configuration changes are required as it automatically orchestrates with XenDesktop and other service delivery components to maximize effectiveness. Examples include:

- Decrypting, optimizing and re-encrypting traffic natively encrypted by XenDesktop
- Suppressing XenDesktop TCP optimization and compression functionality to avoid redundant and potentially conflicting processing, while enabling data de-duplication to operate across multiple user sessions (rather than on each session individually)
- Interoperating with Access Gateway to optimize all TCP traffic within the secure tunnel for remote and mobile users
- Ensuring the plug-in for Citrix Receiver automatically defers to a Branch Repeater appliance when a mobile user is operating from a branch office

The overall impact of these mechanisms and technologies is typically quite significant. By using Branch Repeater in conjunction with XenDesktop, enterprises can expect to reduce the average bandwidth consumed per session by up to 89 percent (depending upon the types of workflows being processed); reduce response times for workflows such as screen refreshes, mouse clicks and printing by up to 60 percent; and support at least twice as many users on a given connection before having to invest in increased bandwidth. [2]

Providing a uniform, streamlined user experience with NetScaler

Another way the user experience is enhanced is via NetScaler Cloud Gateway. An innovative combination of single sign-on and self-service capabilities, NetScaler Cloud Gateway extends the "single pane of glass" user experience already provided by Receiver for desktop and client/server applications to enterprise web, SaaS and cloud-based applications. For example, with NetScaler Cloud Gateway the same credentials used for authenticating into XenDesktop can be leveraged for all other services, while SaaS and cloud-based applications appear in the user's start menu alongside their other resources. The net result is a single, consistent and highly efficient way for users to access all types of services, including their virtual desktops and any Windows, web, and cloud-hosted applications they need, from any device, over any network.

[2] Performance assessment and bandwidth analysis for delivering XenDesktop to branch offices. Citrix white paper. 2010.

Strengthen security

Robust security capabilities are essential to the success of desktop virtualization for several reasons:

1. A significant percentage of users are likely to access their desktops remotely over an insecure network.
2. Enhanced protection is needed to account for the ongoing proliferation of client devices, many of which are not owned or controlled by the enterprise and may have inadequate security settings or capabilities.
3. With desktop virtualization, users get access not only to their own applications and data, but also to all of the downstream resources (e.g., the Internet) their desktops are entitled to access.

Solidifying network-layer protection with NetScaler

A couple of design features automatically protect any devices front-ended by NetScaler, including key components of XenDesktop. For example, NetScaler incorporates a high-performance, standards-compliant TCP/IP stack that has been enhanced to enforce a positive security model, dropping all traffic that is illegally formatted and automatically thwarting many types of DDoS/flood attacks that exploit vulnerabilities in common connection handling techniques. A second layer of protection is derived from the NetScaler proxy architecture, which automatically shields downstream components from direct connections, inherently reducing their exposure to malware and other types of attacks.

Achieving advanced security and user control with Access Gateway

Access Gateway is a full-featured SSL VPN that provides the highest level of protection for XenDesktop. Primarily applicable for mobile users traversing the Internet and for workers at branch offices where a network-layer (e.g., IPSec) VPN is not already in place, Access Gateway is typically deployed as an integral component of NetScaler. This integration enables enterprises to engage several powerful security capabilities by implementing a single NetScaler device.

To begin with, Access Gateway provides an encrypted tunnel for remote users and supports multiple authentication methods. Desktop sessions traversing public networks are protected against interception, while the enterprise is able to fully leverage its existing identity management investments.

The combination of SmartAccess policy management and robust end-point inspection capabilities subsequently enables administrators to granularly control the level of access to individual resources each user receives. Authorization can be based on a broad array of administrator-defined attributes, including user role, location (e.g., public network or secure network), strength of authentication, resource sensitivity, and ownership and security posture of the client device. Detailed insight into XenDesktop virtual channels permits control over both access and actions: for example, a user who successfully authenticates but is utilizing an untrusted device such as a kiosk at a tradeshow may be allowed read-level application access but may be denied local printing, copy, paste and save to disk functionality.

Additional client-side security features help minimize the risk of supporting a diverse population of user-owned devices. These features include the ability to perform a detailed check of a device's security posture and to wipe the browser cache and delete or encrypt downloaded data upon termination of the XenDesktop session.

Only Access Gateway provides granular control over both access and actions for each published desktop and application
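The attribute-based decision described above can be modelled as a deny-by-default function that first decides access and then narrows the permitted actions. This is an added illustration, not SmartAccess policy syntax or Citrix code; the attribute names, the action names and every rule except the kiosk case taken from the text are constructed.

```python
from dataclasses import dataclass

# Per-session actions, modelled on the ones the paragraph names.
ALL_ACTIONS = frozenset({"view", "print", "copy_paste", "save_to_disk"})
READ_ONLY = frozenset({"view"})


@dataclass(frozen=True)
class Session:
    user_role: str
    network: str              # "secure" or "public"
    auth_strength: int        # 1 = password only, 2 = two-factor
    enterprise_owned: bool    # device ownership
    posture_passed: bool      # result of the endpoint security scan


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_roles: frozenset
    min_auth_strength: int    # stands in for "resource sensitivity"


def authorize(session, resource):
    """Return (granted_actions, reasons). Access is decided first and
    denied by default; later rules can only remove actions, never add."""
    if session.user_role not in resource.allowed_roles:
        return frozenset(), ["role not entitled to resource"]
    if session.auth_strength < resource.min_auth_strength:
        return frozenset(), ["authentication too weak for this resource"]

    granted = set(ALL_ACTIONS)
    reasons = []
    # The case from the text: an authenticated user on an untrusted device
    # keeps read-level access but loses print, copy/paste and save.
    if not (session.enterprise_owned and session.posture_passed):
        granted &= READ_ONLY
        reasons.append("untrusted device: read-level access only")
    # Constructed rule: trusted device on a public network cannot save locally.
    if session.network == "public" and "save_to_disk" in granted:
        granted.discard("save_to_disk")
        reasons.append("public network: save to disk disabled")
    return frozenset(granted), reasons


# Constructed sample sessions and resources.
KIOSK = Session("sales", "public", 2, enterprise_owned=False, posture_passed=False)
OFFICE_PC = Session("sales", "secure", 1, enterprise_owned=True, posture_passed=True)
ROAMING_LAPTOP = Session("sales", "public", 2, enterprise_owned=True, posture_passed=True)
CRM = Resource("crm", frozenset({"sales"}), min_auth_strength=1)
FINANCE = Resource("finance", frozenset({"sales", "finance"}), min_auth_strength=2)


def demo():
    """Evaluate each sample session against each sample resource."""
    sessions = {"kiosk": KIOSK, "office": OFFICE_PC, "roaming": ROAMING_LAPTOP}
    return {(s, r.name): authorize(sess, r)[0]
            for s, sess in sessions.items() for r in (CRM, FINANCE)}


if __name__ == "__main__":
    for key, actions in demo().items():
        print(key, sorted(actions))
```

Because every rule after the access decision only removes actions, reordering or adding rules can never widen what an untrusted device receives.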

Enable service delivery management

In today's computing environments, particularly given the rise of cloud computing, any given service, including virtual desktops, is likely to depend upon multiple underlying networks and infrastructures. Nonetheless, IT must ensure these resources operate and appear to users as a single, cohesive solution and that related SLAs are met. This is the role of service delivery management.

Providing unmatched visibility with AppExpert Visualizer and Citrix AppFlow

One way Citrix networking solutions contribute to service delivery management of XenDesktop is by providing unmatched visibility of the associated infrastructure, its operation and the individual services it supports. Two tools representative of this capability are AppExpert Visualizer and AppFlow.

AppExpert Visualizer. With Visualizer, administrators obtain an at-a-glance graphical view illustrating the full end-to-end virtual desktop infrastructure, including individual NetScaler delivery capabilities and the specific XenDesktop components they support. Relationships, health status and configuration parameters can easily be monitored, aiding routine administration as well as analysis and troubleshooting in the event of problems.

AppFlow. Employing a standards-based approach, AppFlow extends the TCP-level information already captured by IPFIX (the IETF standard for NetFlow) to include per-flow, application-layer data records, including who is using which services, when and to what extent. Completely non-intrusive, AppFlow obviates the need for proprietary taps, software agents or data sources and avoids the need for additional devices by leveraging an organization's existing NetScaler infrastructure. By similarly leveraging Branch Repeater, AppFlow will also add details pertaining to individual streams within XenDesktop virtual channels so that IT can gain greater insight into how XenDesktop services are being used. Operationally, AppFlow does for applications and services what NetFlow has long done for network traffic: it leverages existing devices to expose a wealth of invaluable information in support of countless management objectives.

Taking control with Citrix Command Center

Detailed insight into the XenDesktop environment and the ability to optimize and secure that environment are of limited value without efficiently controlling the resulting service delivery network. This is where Citrix Command Center makes a difference. Command Center is a unified console that enables IT to easily and centrally manage hundreds of NetScaler, Branch Repeater and Access Gateway instances worldwide. Extensive configuration and event management capabilities reduce operational expenses by automating routine administrative tasks, while real-time performance monitoring ensures enterprises get the most out of their entire service delivery infrastructure.

Conclusion

NetScaler, Branch Repeater and Access Gateway provide organizations with a powerful, enterprise-class service delivery network. This is an important evolution of traditional application delivery infrastructure that is necessary as the role of IT shifts from building and operating technology products to aggregating and managing the delivery of a broad set of services to the business. Such a network also helps IT ensure the availability, performance and security of XenDesktop, thereby maximizing the benefits derived from an investment in desktop virtualization.

Worldwide Headquarters: Citrix Systems, Inc., 851 West Cypress Creek Road, Fort Lauderdale, FL 33309, USA. T +1 800 393 1888, T +1 954 267 3000. www.citrix.com

Americas: Citrix Silicon Valley, 4988 Great America Parkway, Santa Clara, CA 95054, USA. T +1 408 790 8000

Europe: Citrix Systems International GmbH, Rheinweg 9, 8200 Schaffhausen, Switzerland. T +41 52 635 7700

Asia Pacific: Citrix Systems Hong Kong Ltd., Suite 6301-10, 63rd Floor, One Island East, 18 Westlands Road, Island East, Hong Kong, China. T +852 2100 5000

Citrix Online Division: 6500 Hollister Avenue, Goleta, CA 93117, USA. T +1 805 690 6400

About Citrix

Citrix Systems, Inc. (NASDAQ:CTXS) is a leading provider of virtual computing solutions that help companies deliver IT as an on-demand service. Founded in 1989, Citrix combines virtualization, networking, and cloud computing technologies into a full portfolio of products that enable virtual workstyles for users and virtual datacenters for IT. More than 230,000 organizations worldwide rely on Citrix to help them build simpler and more cost-effective IT environments. Citrix partners with over 10,000 companies in more than 100 countries. Annual revenue in 2010 was $1.87 billion.

© 2011 Citrix Systems, Inc. All rights reserved. Citrix, XenDesktop, NetScaler, Branch Repeater, Access Gateway, XenApp, Citrix Receiver and FlexCast are trademarks or registered trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners. 0711/PDF