Microsoft Intune vs VMware Airwatch–EMM strategy

Yeah, the subject might be a pretty good indication of what’s coming in this article, but no… I have had endless debates on this subject over the last couple of years (yeah, years!), and you can “insert vendor name” here, since most vendors state that they are the best. This article is not meant to conclude whether one is better than the other, but rather to cover the things you need to think about when you want to adopt an EMM vendor.
A couple of days ago Gartner posted the EMM Magic Quadrant for 2016

Research image courtesy of Gartner, Inc.

Since 2015 not much has changed, especially for Microsoft and VMware. VMware is still the leader in the quadrant, while Microsoft is a bit higher up the chain and moving closer to the leader quadrant. So even though Gartner’s report says a lot about strategy, execution, vision and feature set, what does the market share look like?

IDC also now states that VMware has the biggest market share among the vendors, which confirms Gartner’s report that VMware is the market leader in this space. VMware has also had a growth of over 80% in the last year.
NOTE: These numbers are from the IDC report and show stats from 2015 EMM.


Now while that is impressive, I am more impressed with the numbers that Microsoft has: even though they are not even among the top 3, they are the only one with over 100% growth. They actually have 214% growth (from the last year), which is impressive!

While Microsoft might not have the same capabilities as VMware, they have a couple of advantages which might allow them to grow quickly in this market… and the easiest way to tell you about those is to show them to you.


Now if we think about it, the largest advantage here is Office365. Many users are already using Office365 and have their Active Directory synced to Azure AD. Microsoft has Office365 apps with custom MAM policies which as of now can only be managed from Intune, and earlier today I also saw that the CRM Online apps came with Intune MAM policies, which allows for a certain vendor lock-in. Many are also using Configuration Manager today, and to get MDM and EMM capabilities there you in most cases need to integrate with Intune; an interesting thing to note is that there are a lot of LARGE ConfigMgr deployments. Another thing to think about is that Windows 10 comes with Azure AD Join, which allows businesses to join their computers to Azure AD, and that also supports auto-enrollment into Intune.

It also makes sense for Microsoft to create a good ecosystem for applications for other platforms, because then they can start to include “Intune” as part of the package for MAM policies.

A lot of businesses are also looking into EMS (Enterprise Mobility Suite, which gives them Azure AD Premium, RMS, MFA and Intune). Microsoft is heavily invested in the identity piece, giving SSO to other cloud-based services, and since Intune is part of the package it makes sense to use it.

In another interesting twist, Microsoft announced multiple integrations with Citrix at Synergy this year, which allow NetScaler to integrate with the Intune SDK to provide direct VPN access for applications. This will give Intune another advantage in the game, and since Microsoft is investing heavily in Citrix integration, businesses which invest heavily in VDI will find Microsoft the more viable option.

Moving forward we will notice that Microsoft adds more features to the “Microsoft-only” space, meaning that more and more stuff will only work in a Microsoft cloud environment and that third parties will be left out.

So while VMware has the better solution and a larger feature matrix, I’m guessing Microsoft is going to give them stiff competition in the time ahead.

Office365 and RDS done right with Citrix and FSLogix

UPDATE: 09/06/2016 Added FSLogix Office365 Profile Container

So this is a blog post based upon a session I had at the NIC conference, where I spoke about how to optimize the delivery of Office365 in a VDI/RDSH environment.

There are multiple things we need to think about or worry about. This might seem a bit negative, but that is not the idea; I’m just being realistic.

So this blog post will cover the following subjects:

  • Federation and sync
  • Installing and managing updates
  • Optimizing Office ProPlus for VDI/RDS
  • Office ProPlus optimal delivery
  • Shared Computer Support
  • Skype for Business
  • Outlook
  • OneDrive
  • Troubleshooting and general tips for tuning
  • Remote display protocols and when to use which
  • FSLogix Profile Container

So what is the main issue with using Terminal Servers and Office365? The Distance….

This is the headline of a blog post on the Citrix blogs about XenApp best practices:


So how do we fix this when we have our clients on one side, the infrastructure on another and Office365 in a different region, separated by long miles, and still try to deliver the best experience for the end user? In some cases we need to compromise to be able to deliver the best user experience, because that should be our end goal: deliver the best user experience.


User Access

First of all, do we need to have federation or just plain password sync in place? Using password sync is easy and simple to set up and does not require any extra infrastructure. We can also configure it to use password hash sync, which will allow Azure AD to do the authentication process. The problem with doing this is that we lose a lot of things which we might use in an on-premises solution:

  • Audit policies
  • Existing MFA (If we use Azure AD as authentication point we need to use Azure MFA)
  • Delegated Access via Intune
  • Lockdown and password changes (since the change needs to be synced to Azure AD before it takes effect for the user)

NOTE: Now since I am above average interested in NetScaler I wanted to include another sentence here. For those that don’t know, NetScaler with AAA can in essence replace ADFS since NetScaler now supports acting as a SAML IdP. Some important issues to note are that NetScaler does not support the Single Logout profile or the Identity Provider Discovery profile from the SAML profiles. We can also use NetScaler Unified Gateway with SSO to Office365 using SAML. The setup guide can be found here:

https://msandbu.wordpress.com/2015/04/01/netscaler-and-office365-saml-idp-setup/

NOTE: We can also use VMware Identity Manager as a replacement to deliver SSO.

Using ADFS gives a lot of advantages that password hash sync does not:

  • True SSO (While password hash gives Same Sign-on)
  • If we have Audit policies in place
  • Disabled users get locked out immediately instead of waiting up to 3 hours until the Azure AD Connect sync engine starts replicating (and 5 minutes for password changes)
  • If we have on-premises two-factor authentication we can most likely integrate it with ADFS but not if we have only password hash sync
  • Other security policies, like time of the day restrictions and so on.
  • Some licensing stuff requires federation

So to sum it up, please use federation.

Initial Office configuration setup

Secondly, the Office suite from Office365 uses something called Click-to-Run, which is kind of an App-V-wrapped Office package from Microsoft that allows for easy updates directly from Microsoft instead of dabbling with the MSI installer.

In order to customize this installer we need to use the Office Deployment Tool, which basically allows us to customize the deployment using an XML file.

The deployment tool has three switches that we can use:

setup.exe /download configuration.xml

setup.exe /configure configuration.xml

setup.exe /packager configuration.xml

NOTE: Using /packager creates an App-V package of Office365 Click-to-Run and requires a clean VM, like we use when sequencing on App-V; the package can then be distributed using existing App-V infrastructure or other tools. But remember to enable scripting on the App-V client, and do not alter the package using the sequencing tool, as that is not supported.

The download part downloads Office based upon the configuration file; here we can specify bit edition, version number, the Office applications to be included, the update path and so on. The configuration XML file looks like this:

<Configuration>
  <Add OfficeClientEdition="64" Branch="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us"/>
    </Product>
  </Add>
  <Updates Enabled="TRUE" Branch="Business" UpdatePath="\\server1\office365" TargetVersion="16.0.6366.2036"/>
  <Display Level="None" AcceptEULA="TRUE"/>
</Configuration>

Now if you are like me and don’t remember all the different XML parameters you can use this site to customize your own XML file –> http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html

When you are done configuring the XML file you can choose the export button to have the XML file downloaded.

If we have specified a specific Office version as part of the configuration.xml, it will be downloaded to a separate folder and stored locally when we run the command setup.exe /download configuration.xml.

NOTE: The different build numbers are available here –> http://support2.microsoft.com/gp/office-2013-365-update?

When we are done downloading the Click-to-Run installer, we can change the configuration file to reflect the path of the Office download:

<Configuration>
  <Add SourcePath="\\share\office" OfficeClientEdition="32" Branch="Business">

This is the path that is used when we run setup.exe /configure configuration.xml.

Deployment of Office

The main deployment is done using setup.exe /configure configuration.xml on the RDSH host. After the installation is complete

Shared Computer Support

<Display Level="None" AcceptEULA="True" /> 
<Property Name="SharedComputerLicensing" Value="1" />

In the configuration file we need to remember to enable the SharedComputerLicensing property, or else we get this error message:


If you forgot, you can also enable it using this registry key (just store it as a .reg file):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration]
"InstallationPath"="C:\\Program Files\\Microsoft Office 15"
"SharedComputerLicensing"="1"

Now we are actually done with the golden image setup; don’t start the application yet if you want to use it for an image. Also make sure that there are no licenses installed on the host, which can be checked using this tool:

cd 'C:\Program Files (x86)\Microsoft Office\Office15'
cscript.exe .\OSPP.VBS /dstatus


This should be blank!

Another issue with this is that when a user starts an Office app for the first time he/she needs to authenticate once; a token is then stored locally in the %localappdata%\Microsoft\Office\15.0\Licensing folder and will expire within a couple of days if the user is not active on the terminal server. Think about it: if we have a large farm with many servers that might well be the case, and if a user is redirected to another server he/she will need to authenticate again. If the user always lands on the same server, the token will automatically refresh.
NOTE: This requires Internet access to work.

It is also important to remember that the Shared Computer support token is bound to the machine, so we cannot roam that token between computers or use any profile management tool for it.

But a nice thing is that if we have ADFS set up, we can set up Office to automatically activate against Office365 using federated credentials; this is enabled by default. So no pesky logon screens.

We just need to add the ADFS domain site to the Trusted sites zone in Internet Explorer and define this setting as well:

Automatic logon only in Intranet Zone


This basically resolves the token issue with Shared Computer Support.

Optimizing Skype for Business

So in regards to Skype for Business, what options do we have in order to deliver a good user experience for it? There are a few options that I want to explore:

  • VDI plugin
  • Native RDP with UDP
  • Native PCoIP
  • Native ICA (w or without audio over UDP)
  • Local app access
  • HDX Optimization Pack 2.0

Now the issue with the first one (which is a Microsoft plugin) is that it does not support Office365; it requires on-premises Lync/Skype. Another issue is that you cannot use the VDI plugin and the Optimization Pack at the same time, so if users are using the VDI plugin and you want to switch to the Optimization Pack you need to remove the VDI plugin.

ICA uses the TCP protocol and works with most endpoints, since it is basically running everything directly on the server/VDI, so the issue here is that we get no server offloading. So if we have 100 users running a video conference we might have an issue. If the two other options are not available, try to set up HDX RealTime using audio over UDP for better audio performance. Both RDP and PCoIP use UDP for audio/video and therefore do not require any other specific customization.

But the problem with all of these is that they create a tromboning effect, consume more bandwidth and eat up the resources on the session host.


Local App Access from Citrix might be a viable option, which in essence means that a local application will be dragged into the Receiver session, but this requires that the end user has Lync/Skype installed. This also requires Platinum licenses, so not everyone has that, plus it only supports Windows endpoints…

The last and most important piece is the HDX Optimization Pack, which allows the use of server offloading using the HDX media engine on the end-user device.

The Optimization Pack supports Office365 with federated users and cloud-only users. It also supports the latest clients (Skype for Business) and can work in conjunction with NetScaler Gateway and Lync Edge server for on-premises deployments. This means that we can get Mac/Linux/Windows users using server offloading, and with the latest release it also supports Office Click-to-Run and works with the native Skype UI.

So using this feature we can offload the CPU/memory and eventually GPU usage of the RDSH/VDI instances back to the client, and the audio/video traffic goes to the endpoint directly and not to the remote session.


Here is a simple test showing the difference between running Skype for Business on a terminal server with and without HDX Optimization Pack 2.0:


Here is a complete blog post on setting up HDX Optimization Pack 2.0: https://msandbu.wordpress.com/2016/01/02/citrix-hdx-optimization-pack-2-0/

Next up in this part we also have Outlook, which for many is quite the headache… and that is mostly because of the OST files that are dropped in the %localappdata% folder for each user. Office ProPlus has a setting called fast access, which means that Outlook will in most cases try to contact Office365 directly, but if the latency becomes too high, the connection will drop and it will go and search through the OST files.

Optimizing Outlook

Now this is the big elephant in the room and causes the most headaches. Outlook against Office365 can be set up in two modes: either Cached mode or Online mode. Online mode uses direct access to Office365, but users lose features like instant search. In order to deliver a good user experience we need to compromise; the general guideline here is to configure cached mode with 3 months, and to store the OST file (which contains the emails, calendar, etc. and is typically 60-80% of the size of the mailbox) on a network share, since these OST files are by default created in the local AppData profile, and streaming profile management solutions typically aren’t a good fit for the OST file.

It is important to note that Microsoft supports having OST files on a network share IF there is adequate bandwidth and low latency… and only if there is one OST file and the users have Outlook 2010 SP1.

NOTE: We can also use alternatives such as FSLogix or Unidesk to handle profile management in a better way.

I’ll come back to the configuration part later in the policy bits. It is also important to use Outlook 2013 SP1 or newer, which gives MAPI over HTTP instead of RPC over HTTP and does not consume as much bandwidth.

OneDrive

In regards to OneDrive, try to exclude it from RDSH/VDI instances, since the sync engine basically doesn’t work very well, and now that each user has 1 TB of storage space it will flood the storage quicker than anything else if users are allowed to use it. Also there are no central management capabilities, and network shares are not supported.

There are some changes in the upcoming unified client, in terms of deployment and management but still not a good solution.

You can remove it from the Office365 deployment by adding this to the configuration file:

<ExcludeApp ID="Groove" />
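As an added check (not Microsoft’s Office Deployment Tool and not the author’s own script), the following Python script validates a Click-to-Run configuration.xml against the recommendations made in this post: 32-bit edition, the SharedComputerLicensing property, a silent install, a pinned TargetVersion served from an internal UpdatePath, and the Groove exclusion. The two XML documents are constructed from the snippets above, one with several settings deliberately missing and one with everything applied.

```python
"""Check an Office 365 Click-to-Run configuration.xml against the RDSH/VDI
recommendations from this post. Added example; not part of the Office
Deployment Tool and not the author's own script."""
import xml.etree.ElementTree as ET

# Constructed sample based on the configuration.xml shown above, with a few
# of the recommended settings deliberately missing so the check has findings.
SAMPLE_CONFIG = """<Configuration>
  <Add SourcePath="\\\\share\\office" OfficeClientEdition="64" Branch="Business">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us"/>
    </Product>
  </Add>
  <Updates Enabled="TRUE" Branch="Business" UpdatePath="\\\\server1\\office365"
           TargetVersion="16.0.6366.2036"/>
  <Display Level="None" AcceptEULA="TRUE"/>
</Configuration>
"""

# The same deployment with every recommendation from the post applied.
HARDENED_CONFIG = """<Configuration>
  <Add SourcePath="\\\\share\\office" OfficeClientEdition="32" Branch="Business">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us"/>
      <ExcludeApp ID="Groove"/>
    </Product>
  </Add>
  <Updates Enabled="TRUE" Branch="Business" UpdatePath="\\\\server1\\office365"
           TargetVersion="16.0.6366.2036"/>
  <Display Level="None" AcceptEULA="TRUE"/>
  <Property Name="SharedComputerLicensing" Value="1"/>
</Configuration>
"""


def check_office_config(xml_text):
    """Return a list of findings; an empty list means the file follows the
    recommendations. Each finding names the setting and what to change."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        return ["root element is not <Configuration>"]
    findings = []

    add = root.find("Add")
    if add is None:
        findings.append("no <Add> element: nothing would be installed")
    else:
        # 32-bit Click-to-Run is recommended on session hosts (troubleshooting tips).
        if add.get("OfficeClientEdition") != "32":
            findings.append("OfficeClientEdition is not 32 (recommended for RDSH/VDI)")
        # The OneDrive sync client (Groove) should be excluded on session hosts.
        excluded = {e.get("ID") for e in add.iter("ExcludeApp")}
        if "Groove" not in excluded:
            findings.append('OneDrive not excluded: add <ExcludeApp ID="Groove"/>')

    # Unattended install for golden image builds: no UI, EULA accepted.
    display = root.find("Display")
    if (display is None or display.get("Level", "").lower() != "none"
            or display.get("AcceptEULA", "").lower() != "true"):
        findings.append('Display should be Level="None" AcceptEULA="TRUE"')

    # Shared Computer Activation is mandatory on multi-user hosts.
    scl = [p for p in root.iter("Property")
           if p.get("Name") == "SharedComputerLicensing"]
    if not scl or scl[0].get("Value") != "1":
        findings.append("SharedComputerLicensing is not set to 1 (required on RDSH)")

    # Updates: pin a build and serve it from an internal share, so hosts do not
    # float to whatever build Microsoft released last.
    upd = root.find("Updates")
    if upd is None or upd.get("Enabled", "").lower() != "true":
        findings.append("Updates are not enabled")
    else:
        if not upd.get("TargetVersion"):
            findings.append("no TargetVersion: hosts would float to every new build")
        if not upd.get("UpdatePath"):
            findings.append("no UpdatePath: updates would be pulled from the internet")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = check_office_config(cfg)
        print(f"{name}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```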

Optimization and group policy tuning

Now something that should be noted is that before installing Office365 Click-to-Run you should optimize the RDSH session hosts or the VDI instances. A blog post published by Citrix noted a 20% improvement in performance after some simple RDSH optimization was done.

Both VMware and Citrix have free tools for RDSH/VDI optimization, which should be looked at before doing anything else.

Now the rest is mostly Group Policy tuning. First we need to download the ADMX templates from Microsoft (either 2013 or 2016), then we need to add them to the central store.

We can then use Group Policy to manage the specific applications and how they behave. Another thing to think about is using the Target Version group policy to manage which specific build we want to be on, so we don’t get a new build each time Microsoft rolls out a new version, because from experience I can tell that some new builds include new bugs: https://msandbu.wordpress.com/2015/03/09/trouble-with-office365-shared-computer-support-on-february-and-december-builds/


Now the most important policies are stored in the computer configuration.

Computer Configuration –> Policies –> Administrative Templates –> Microsoft Office 2013 –> Updates

Here there are a few settings we should change to manage updates.

  • Enable Automatic Updates
  • Enable Automatic Upgrades
  • Hide Option to enable or disable updates
  • Update Path
  • Update Deadline
  • Target Version

These control how we do updates. We can enable automatic updates without an update path and a target version, which will essentially make Office auto-update to the latest version from Microsoft. Or we can specify an update path (a network share where we have downloaded a specific version), specify a target version, enable automatic updates and define a deadline for a specific OU, for instance; this will trigger an update using a built-in task in Task Scheduler which is added with Office, and when the deadline is approaching Office has built-in triggers to notify end users of the deployment. So using these policies we can have multiple deployments to specific users/computers, some with the latest version and some using a specific version.

The next thing is for Remote Desktop Services only: if we are using pure RDS, make sure that we have an optimized setup. NOTE: Do not touch this if everything is working as intended.

Computer Policies –> Administrative Templates –> Windows Components –> Remote Desktop Services –> Remote Desktop Session Host –> Remote Session Environment

  • Limit maximum color depth (set to 16 bits; less data across the wire)
  • Configure compression for RemoteFX data (set to bandwidth optimized)
  • Configure RemoteFX Adaptive Graphics ( set to bandwidth optimized)

Next there are more Office specific policies to make sure that we disable all the stuff we don’t need.

User Configuration –> Administrative Templates –> Microsoft Office 2013 –> Miscellaneous

  • Do not use hardware graphics acceleration
  • Disable Office animations
  • Disable Office backgrounds
  • Disable the Office start screen
  • Suppress the recommended settings dialog

User Configuration –> Administrative Templates –> Microsoft Office 2013 –> Global Options –> Customize

  • Menu animations (disabled!)

Next is under

User Configuration –> Administrative Templates –> Microsoft Office 2013 –> First Run

  • Disable First Run Movie
  • Disable Office First Run Movie on application boot

User Configuration –> Administrative Templates –> Microsoft Office 2013 –> Subscription Activation

  • Automatically activate Office with federated organization credentials

Last but not least, define Cached mode for Outlook

User Configuration –> Administrative Templates –> Microsoft Outlook 2013 –> Account Settings –> Exchange –> Cached Exchange Modes

  • Cached Exchange Mode (File | Cached Exchange Mode)
  • Cached Exchange Mode Sync Settings (3 months)

Then specify the location of the OST files, which of course is somewhere else

User Configuration –> Administrative Templates –> Microsoft Outlook 2013 –> Miscellaneous –> PST Settings

  • Default Location for OST files (change this to a network share)

Network and bandwidth tips

Something that you need to be aware of is the bandwidth usage of Office in a terminal server environment.

Average latency to Office365 is 50 – 70 ms

  • 2000 “Heavy” users using Online mode in Outlook: about 20 mbps at peak
  • 2000 “Heavy” users using Cached mode in Outlook: about 10 mbps at peak
  • 2000 “Heavy” users using audio calls in Lync: about 110 mbps at peak
  • 2000 “Heavy” users working in Office using RDP: about 180 mbps at peak

Which means that using for instance the HDX Optimization Pack for 2000 users might “remove” 110 mbps of bandwidth usage.

Microsoft also has an application called Office365 Client Analyzer, which can give us a baseline to see how our network performs against Office365, such as DNS, latency to Office365 and such. DNS is quite important in Office365 because Microsoft uses proximity-based load balancing, and if your DNS server is located elsewhere than your clients you might be sent in the wrong direction. The client analyzer can give you that information.


(We could however buy ExpressRoute from Microsoft, which would give us low-latency connections directly to their datacenters, but this is only suitable for LARGER enterprises since it costs HIGH amounts of $$.)


But this is for the larger enterprises, as it allows them to overcome the basic limitation of the TCP stack which limits the number of simultaneous external connections to about 4000. (One external NAT can support about 4,000 connections, given that Outlook consumes about 4 concurrent connections and Lync some as well.)

Microsoft recommends that in an online scenario the clients do not have more than 110 ms latency to Office365, and in my case I have about 60 – 70 ms latency. If we combine that with some packet loss or an adjusted MTU, well, you get the picture.

Using Outlook Online mode, we should have a MAX latency of 110 ms; above that the user experience will decline. Another thing is that using Online mode disables instant search. We can use the Exchange traffic Excel calculator from Microsoft to calculate the bandwidth requirements.

Some rules of thumb: do some calculations! Use the bandwidth calculators for Lync/Exchange, which might point you in the right direction. We can also use WAN accelerators (with caching), for instance, which might also lighten the burden on bandwidth usage. You also need to think about the bandwidth usage if you have automatic updates enabled in your environment.

Troubleshooting tips

As the last part of this LOOONG post I have some general tips on using Office in a virtual environment. This is just going to be a long list of different tips:

  • For Hyper-V deployments, check VMQ and latest NIC drivers
  • 32-bit Office C2R typically works better than 64-bit
  • Antivirus? Make exceptions!
  • Remove Office products that you don’t need from the configuration, since this adds extra traffic when doing downloads and more stuff added to the virtual machines
  • If you don’t use Lync and the audio service, disable the audio service!
  • If using RDSH, check the Group Policy settings I recommended above
  • If using Citrix or VMware, make sure to tune the policies for an optimal experience, and use the RDSH/VDI optimization tools from the different vendors
  • If Outlook is sluggish, check that you have adequate storage I/O to the network share (NO, HIGH BANDWIDTH IS NOT ENOUGH IF STORED ON A SIMPLE RAID WITH 10k disks)
  • If all else fails on Outlook, disable MAPI over HTTP. In some cases when getting new mail takes a long time, try to disable this; it used to be a known error

Remote display protocols

Last but not least I want to mention this briefly: if you are setting up a new solution and thinking about choosing one vendor over the other, the first things to consider are:

  • Endpoint requirements (thin clients, Windows, Mac, Linux)
  • Requirements in terms of GPU, mobile workers etc.

Now we have done some tests, which showed that Citrix has the best features across the different sub-protocols:

  • ThinWire (best across high-latency lines; using TCP it works over 1800 ms latency)
  • Framehawk (works well on lines with 20% packet loss)

PCoIP, meanwhile, performs a bit better than RDP. I have another blog post on the subject here: https://msandbu.wordpress.com/2015/11/06/putting-thinwire-and-framehawk-to-the-test/

FSLogix Office365 Profile Container (ADDED 09/06/2016)

Now as I’ve mentioned earlier in this article there are a lot of issues using Outlook and OST files in Office365 scenarios. The few options we have are either using Cached Mode (which makes sense) or regular Online mode if we have enough bandwidth and low latency, but this means we lose instant search.

Now using cached mode we in most cases need to point this to a network share, and this presents other challenges. Why?


This is because Outlook needs to keep an open SMB connection to a particular share, and while this is now supported by Microsoft there are some limitations, which can be read about here: https://support.microsoft.com/en-us/kb/297019

Now Microsoft has a solution for RDS called User Profile Disks, which allows us to store a user profile on a VHDX profile disk and makes this a lot simpler than using Group Policy to redirect the OST file to a network share or doing local profiles for each user. The problem with this is that UPD is restricted to RDS.

FSLogix is now offering a similar solution which is not bound to RDS and does not have any particular lock-in; all you need is Windows, a network share and some Group Policy.

(You can read more about their stuff here –> https://fslogix.com/products/profile-containers)

Using their approach, Outlook does not need to have an open SMB connection directly to the file server, and the OST file will appear to be local to the Outlook client, while a VHDX disk is created, mounted and merged with the OS disk.


To set it up, you need to configure some Group Policy settings, which you put in the central store:


Enable it and specify a VHD location.

Then you also need to install the agent on each client you want to use this solution on (and yes, you can also specify if you want to use VHD instead of VHDX, dynamic allocation, the default size of the disk and the sector size to make it more aligned with the storage).

Then lastly add the users you want to be affected by the Outlook Profile Container setting by adding the user locally.


(If I have already logged into the machine with a user, I have to delete the local user profile and log back in again after Group Policy has been applied.)

So next time the user logs in, they will not see any difference. The only difference can be seen in Disk Management:


So now it uses block-level access to the VHDX disk instead of Outlook having direct SMB access to the file share, but it is still important to have good access to a file server!

Their solution will most likely be coming out of public beta pretty soon so stay tuned for that.

Securing your NetScaler solutions

So this is part of one of my sessions at the local Citrix user group next week, where one of the focus areas is security and where I ask how and why web services get attacked. Well, in most cases it is because a lot of the web services out there are vulnerable in one way or another. This might be because of design flaws (SQL injection, XSS, CSRF and so on), because of web server exploits, or just because of stolen user credentials where someone gets access to the back-end information.

Now the focus here is knowing what information is shown externally to the world, because if you have a public service you want to make sure that the service which is running is secure.

So as some research for this session I basically did a Google search for NetScaler solutions in Norway, mostly against NetScaler Gateways.

The information I got back was scary!! ssllabs.com is an online tool that can be used to test web services to see which protocols and ciphers they support, and other TLS/SSL parameters such as HSTS.

I found:

+20 Services running old Secure Access Gateway
+30 Services running older version of Access Gateway

So at least I found a bunch of potential consulting business for myself, and maybe a smack to some of the partners in Norway.

When I looked closer at the solutions I also found more interesting stats.

Only 30% of these public solutions were using two-factor authentication as well. Why is this important? Solutions using for instance SSL 3 are much more open to MitM attacks, and if you don’t have two-factor authentication as well it gets easier for attackers to steal credentials and gain access. Having a low score on ssllabs.com does not mean that your site is insecure, but it is an indication of how focused your business is on security!

Another interesting fact. This is from one of the largest web shops in Norway…


Would you trust a provider like this with your credit card information? Well not me!

Another interesting thing is that in most cases a lot of information is shown directly back in the web session, which also gives hackers a lot of useful information when they are doing reconnaissance, for instance.


OUCH! Getting web server information and what version it is running… Why show this externally? Even though this can easily be hidden from this kind of research, another thing is the handling of 404 error messages. In some cases you get detailed information about the web server (including version, stack and such) which an attacker could potentially exploit.
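As an added example (not a Citrix/NetScaler tool and not the author’s script), here is a small Python audit you can run against a captured response from your own gateway; it reports the kind of disclosure discussed above: version strings in the Server and framework headers, a missing HSTS header, and a default 404 page that echoes the server banner. Both responses below are constructed samples, not captures from any real site.

```python
"""Audit an HTTP response from your own public gateway for information leaks
of the kind described above: server software/version headers, missing HSTS and
error pages that echo the server banner. Added example; not a Citrix tool."""
import re

# Constructed sample responses (not captures from any real site).
LEAKY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 PHP/5.3.3\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>"
    "<address>Apache/2.2.15 (Unix) Server at gw.example.com Port 443</address>"
    "</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: gateway\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

# Headers that commonly carry product and version strings.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "via")
# Matches dotted version numbers such as 2.2.15 or 5.3.3.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, header dict, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw):
    """Return a list of findings about what the response reveals to a visitor."""
    status, headers, body = parse_response(raw)
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append(f"{name} header discloses a version: {value}")
        elif name != "server":
            # Framework banners without a version still name the stack.
            findings.append(f"{name} header names the stack: {value}")
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header (HSTS is off)")
    # Default error pages often echo the server banner; check a 404 body too.
    if status.split()[1:2] == ["404"] and VERSION_RE.search(body):
        findings.append("404 error page body discloses version information")
    return findings


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}:")
        for finding in audit_response(resp) or ["no findings"]:
            print("  -", finding)
```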

But the latest and greatest Citrix NetScaler is luckily more secure than the older versions of the Secure Access Gateway and such.


Well, almost. Stay tuned for more; I’ll dig more into the security aspects of how to limit the public information and how to set up the different solutions.

XenServer 7 and Docker management of NetScaler CPX and Windows Server 2016

So lately I’ve been doing a lot of content around, first of all, containers! Containers are a feature that runs inside an operating system and slices it up into logical pieces. More importantly, it is operating system virtualization, and NOT machine virtualization.

So I’ve written about Windows Server 2016 and the Docker news there, and the transition from monolithic systems to microservices and where Docker fits in: https://msandbu.wordpress.com/2016/05/21/microservices-and-containers-how-does-windows-server-2016-fit-into-the-mix-with-drawnings/

I’ve also written about NetScaler CPX and how it can operate in an Ubuntu Docker host setup: https://msandbu.wordpress.com/2016/05/14/setting-up-the-netscaler-cpx-load-balancing-on-a-ubuntu-docker-host-with-nginx/

So what now with the release of XenServer 7? Best of both worlds! It is actually the first hypervisor to support this type of Docker integration directly with both Linux and Windows based container hosts!

To be honest, I don’t have a lot of XenServer experience, but it is pretty easy peasy and well documented to get this feature up and running on XenServer 7. There are some important pieces you need installed on XenServer 7 to get this feature to work.

And that is this little bugger here (shown in a screenshot in the original post), which can be installed using XenCenter via Install Updates on the host that is running XenServer 7. So how do we proceed from here to get this feature up and running?

I did a simple setup. I first installed an Ubuntu 14.04 Docker host following the steps outlined in the CPX blog post. Then I needed to import the XenServer guest tools, which can be done by mounting the ISO on the Ubuntu host:


Do a sudo mount /dev/sr0 /mnt/xs-tools and then run ./install.sh from the mount point.

Then I had to add my regular Linux user to the docker group; this user will be used by XenServer to communicate with the Docker API.


sudo gpasswd -a username docker

Next we need to run, on the XenServer host: xscontainer-prepare-vm -v UUID -u dockerusername

(To get the VM UUID you can use the xe vm-list command.)

Now, after answering yes, XenServer will push its public key into authorized_keys in the guest to be able to communicate with the Ubuntu host using SSH.


This allows XenServer to communicate successfully with the host. If we go into XenCenter now we can see Docker information on the container host.


I can also see specific information on the container


Now for the Windows Server part. We need to have a Windows Server 2016 TP5 server up and running. Next we have to configure the server as a container host, which can be done using the following commands:

wget -uri https://aka.ms/tp5/Install-ContainerHost -OutFile C:\Install-ContainerHost.ps1

powershell.exe -NoProfile -ExecutionPolicy Bypass C:\Install-ContainerHost.ps1

This basically downloads a WindowsServerCore image and configures the host for containers (this will reboot the guest VM); after the reboot, rerun the Install-ContainerHost.ps1 script.

After that, once XenTools have been installed in the Windows Server guest, run the prepare command again for that VM:

xscontainer-prepare-vm -v UUID -u root --mode tls --generate-certs (Again, the UUID of the Windows Server VM can be found using xe vm-list.)

Now, on the last dialog, WAIT! Go into the guest VM and run the batch script first.


So now we have to go into the guest VM and run the configure_tls.cmd file, which is mounted inside the guest OS.

This imports the generated certificates. You also need to open TCP port 2376 in the guest VM firewall, because that is the port on which XenServer talks to the Docker API over TLS (otherwise you will get this message):

Failure diagnosis: Error: Cannot find a valid IP that allows TLS connections to Docker on the VM. Please make sure that Tools are installed, a network route is set up, Docker is running and configured for TLS and TLS is reachable from Dom0 on port 2376. Please particularly check the firewall configuration inside the VM.

Now go back to XenServer, answer y and finish the setup.

Now that this is done, reboot the Windows Server 2016 virtual machine.

Now create some containers on the Windows Server 2016 virtual machine using PowerShell:

docker run --name iisdemo82 -i -t -p 82:80 windowsservercore cmd

So now I have this output from XenCenter: a nice overview where I get detailed information and power options, with NetScaler CPX, Windows Server 2016 and other plain Docker containers (screenshot in the original post).
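The "Cannot find a valid IP that allows TLS connections to Docker on the VM" failure above has several possible causes (firewall, Docker not listening, Docker listening but without TLS), and the message does not say which one applies. As an added example that is not part of the original post, this Python script reproduces the check from the client side: it connects to the guest's port 2376 the way Dom0 would and reports whether the port is closed, filtered, answering in plain text or speaking TLS. The closed port and the plain-text stub listener are constructed stand-ins so the script runs offline; point it at the real VM address (and pass the ca/cert/key files that --generate-certs produced) to check an actual host.

```python
import socket
import ssl
import threading

# Port on which XenServer's container management reaches the Docker API over TLS
DOCKER_TLS_PORT = 2376

# What each probe outcome usually means for the XenServer/Docker setup described above
HINTS = {
    "refused": "Nothing is listening: check that Docker is running and bound to tcp port 2376.",
    "timeout": "Packets are dropped: open TCP 2376 in the guest firewall and check the route from Dom0.",
    "unreachable": "No route or name resolution failure: check the VM address reported by XenTools.",
    "not-tls": "A plain-text service answered: Docker is listening but not configured for TLS.",
    "tls-rejected": "The TLS listener sent an alert: check the generated certificates and CA.",
    "tls-ok": "TLS handshake completed; XenServer should be able to reach the Docker API.",
}


def probe_docker_tls(host, port=DOCKER_TLS_PORT, cafile=None, certfile=None, keyfile=None, timeout=3.0):
    """Return (status, detail); status is one of the HINTS keys.

    'tls-ok' only proves the port speaks TLS: the Docker daemon validates the
    client certificate on the first request, so a bad client cert shows up later.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        return ("refused", str(exc))
    except socket.timeout as exc:
        return ("timeout", str(exc))
    except OSError as exc:
        return ("unreachable", str(exc))

    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if cafile is None:
        # Without the CA that signed the daemon certificate we can only test that
        # the port speaks TLS, not that it is the daemon we expect (must be set in this order)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("tls-ok", tls.version())
    except ssl.SSLError as exc:
        # An alert comes from a real TLS peer; anything else (e.g. "wrong version
        # number") means the bytes we got back were not TLS at all
        status = "tls-rejected" if "alert" in str(exc).lower() else "not-tls"
        return (status, str(exc))
    except OSError as exc:
        return ("not-tls", str(exc))


def closed_local_port():
    """Reserve and release a loopback port so nothing listens on it (constructed stand-in)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


def start_plaintext_stub(banner=b"HTTP/1.1 400 Bad Request\r\n\r\n"):
    """Start a one-shot loopback listener that answers in plain HTTP, a constructed
    stand-in for a Docker daemon exposed on TCP without TLS. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        try:
            conn.recv(4096)        # swallow the client's TLS ClientHello
            conn.sendall(banner)   # and answer in plain text, like a non-TLS daemon would
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    for label, port in (("closed port", closed_local_port()),
                        ("plain-text listener", start_plaintext_stub())):
        status, detail = probe_docker_tls("127.0.0.1", port)
        print(f"{label:20s} -> {status:12s} {HINTS[status]}")
```

Against a real guest, a "timeout" is the firewall case the error message warns about, while "not-tls" means the daemon is reachable but configure_tls.cmd (or the daemon's TLS configuration) has not taken effect yet.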

Citrix Synergy day 2 summary!

So a lot of information appeared on day 2 of the Synergy keynote as well! This is a summary of the new announcements today. There wasn't that much new stuff to discuss today, since many updates are published in the breakout sessions, which are not streamed. Note that this blog post will be updated as soon as I know more!

Citrix Cloud Secure Browser

  • Support for internally hosted web applications
  • Option to add authentication to externally hosted web applications via NetScaler Gateway, which means that we can publish internal applications through clientless access from within Citrix Cloud Secure Browser.
  • Ability to choose resource location region
  • Traceability through a Usage Meter in the user interface
  • Option to watermark browser apps for added security
  • Upgrade to Citrix Receiver for HTML5 2.0
  • URL Whitelisting

Citrix ShareFile

Citrix LifeCycle Management

https://www.citrix.com/blogs/2016/05/25/citrix-lifecycle-management-now-available-for-existing-xenapp-xendesktop-environments/

HDX Proxy

NetScaler HDX Proxy is a free virtual appliance which is coming. It can only do ICA proxy, which means that there are no SmartAccess features at all!

Some other rumours:

App-Disks for Hyper-V coming!

Skype for Business 2016 support coming for the HDX optimization pack!

Updated ThinWire with even more reduced bandwidth requirements!

Storefront 3.6 coming!

Guide to Understanding the Citrix Logon Process for XenApp/XenDesktop

Goliath recently released a free eBook on understanding the logon process to a Citrix environment. They break it down into different pieces, showing the different processes that run during a logon, and then go into how they use their product, Goliath Performance Monitor, to troubleshoot slow logon issues in a Citrix environment.

NOTE: The eBook can be found here –> http://bit.ly/1ZBciMB

To be honest I wasn’t aware of all the details in a logon process to a Citrix environment; it’s pretty complex, and so much is happening under the covers which is concealed from the user, simple yet powerful. Also kudos to the support people in Goliath Technologies, who were the authors behind this eBook, for actually describing it in such detail! It helps to have people with such a deep understanding of this process write an eBook about the subject.

One of the other cool things is that they also list a couple of real customer issues or support cases that they had, what kind of issues the different customers were facing, and how they used their product to troubleshoot the environment and find the root cause of the slow logon issue.

Now there are some things that I found were missing in the eBook, which I hope they will cover in a future release or in another eBook: an architectural overview of their product. I always find it helpful to see the bits and pieces that make up a product and how they are connected from an architectural level.

The product is pretty much based on having a small agent installed on each Citrix server, from which information and data is pulled out and sent back to the monitoring server, which in turn stores all the data on a remote SQL server. Since it is agent based, you can also use it against cloud based environments running in Azure, Amazon and so on, and it is not dependent on any particular infrastructure/hypervisor to get this information.

That is how they are able to generate this information; another interesting part would be describing how they manage to monitor a session throughout the environment and across all the different Citrix components.

Another topic they should include in their next eBook is how all the steps look when connecting from outside the environment, more precisely when connecting through NetScaler Gateway, which is the authentication and connection point for most remote connections. From there they could show what additional steps are involved and add the additional metrics which come from there into the product as well.

You can go here to instantly download a complimentary copy of Goliath’s Complete Guide to Understanding the Citrix Logon Process for XenApp/XenDesktop.

Summary of today's announcements at Citrix Synergy

So like many people I have been watching today's keynote from the comfort of my own chair, and taken notes during the entire keynote. So that people don’t have to read every minor announcement or rewatch the keynote, here is a summary of today's news:

XenDesktop 7.9

XenDesktop 7.9 was announced, so what are the features which are included as part of this release?

  • Federated Authentication Service (which will now finally make it possible to do full SAML based authentication from an endpoint to a Citrix session). This is something I have written about before (https://msandbu.wordpress.com/2016/03/04/setting-up-saml-authetication-for-netscaler-and-storefront-with-sso/), so I’m guessing it is going to be an extension of that feature. Welcome back!
  • Citrix MCS and Nutanix integration (this is not a new feature, it was announced a while back, but now we finally know that it will be available for XenDesktop 7.9 customers, allowing direct connection to the Acropolis Hypervisor).
  • Intel Iris Pro graphics technology (this is for customers who want to leverage Intel GPUs in conjunction with XenServer 7, which I will discuss a bit later).
  • MCS with RAM-based caching (this will allow us to specify a RAM based caching mechanism, I’m thinking similar to PVS).
  • Provisioning Services (BDM configurations and updates for simplified deployment, as well as support for modern firmware including UEFI)
  • New releases of Universal Print Server and Universal Print Driver
  • Remote PC Access for Windows 10 machines
  • CentOS support for Linux server-based and VDI desktops
  • New StoreFront version with support for Windows Server 2016 TP5
  • Citrix Receiver for Android, Chrome and HTML5
  • New System Center Operations Manager bundle, Citrix Connector for System Center Configuration Manager and an updated version of AppDNA.

Some other important updates, which most likely come with XenDesktop 7.9 and which also show the strong partnership between Microsoft and Citrix:

  • Support for Azure Resource Manager deployments, which is the de facto standard when deploying stuff in Azure these days.
  • Windows 10 VDI deployment from Citrix? Soooo many were surprised by this announcement, but from a licensing perspective this has been available for quite some time (http://www.zdnet.com/article/microsoft-to-enable-users-to-run-windows-10-on-azure/). This requires that we are running the latest Current Branch for Business.

Will this finally allow DaaS from Azure? It will be interesting to see.

Also there are some new updates which came from the session afterwards.

  • Zone preference and failover
  • Local Host Cache
  • AppDisks for Hyper-V and Acropolis (coming soon…)

XenServer 7

Citrix also announced a new version of XenServer which comes with a lot of new features. For instance:

  • GPU support for Intel Iris Pro
  • Support for NVIDIA vGPU with Linux virtual machines
  • Support for up to 128 NVIDIA GRID vGPU-enabled VMs
  • Direct Inspect APIs (these APIs allow third-party security vendors to partner with Citrix in providing the next generation of virtual infrastructure protection, leaving malware, viruses and rootkit zero-day attacks no place to hide within the VM, and unable to compromise the security software). BitDefender is one of the vendors which already supports this –> http://www.bitdefender.com/business/hypervisor-introspection.html
  • Support for the SMB protocol for virtual machine storage in XenServer (important: XenServer does not yet support all SMB protocol features, such as failover, multichannel and so on).
  • The largest and most important update, in my view: XenServer is now the first hypervisor to offer integrated management of Docker containers on Linux and Windows. With Microsoft’s investment in Docker/containers, and with Citrix moving towards container support for NetScaler as well, this makes XenServer really interesting for environments where containers make sense.
  • Automated Microsoft Windows VM driver management
  • New Microsoft System Center Operations Manager (SCOM)
  • Microsoft Active Directory integration
  • Templates for Windows 10 and Windows Server 2016
  • XenServer Health Check – provides proactive, regular and automated health checks and reporting
  • XenServer Conversion Manager – now supports batch conversion of all versions of Windows and simplifies migration from VMware
  • Significant scalability improvements:
    • 5x increase in supported host RAM (up to 5TB)
    • 2x increase in supported CPU cores (up to 288)
    • 8x increase in VM RAM (up to 1.5TB)
    • Support for Citrix AppDisks (up to 255 virtual disks per VM)

Nutanix and Citrix

I already mentioned some of the integration options with MCS and Nutanix, but they also announced a Citrix + Nutanix appliance called InstantON VDI –> https://www.citrix.com/blogs/2016/05/24/introducing-nutanix-instanton-vdi-for-citrix/

NetScaler

My favorite topic! There are some announcements that have been made:

  • Containerized NetScaler with CPX (You can read more about it here –> http://bit.ly/1rMh6Ug)
  • NetScaler management and analytics system (Which is an integrated Command Center and Insight, you can read more about it here –> http://bit.ly/1VVPhW5)
  • Cloudbridge renamed to NetScaler SD-WAN
  • Microsoft will embed NetScaler capabilities into Intune App SDK which will enable apps to securely access on-premises assets without having to launch a VPN

So the future for NetScaler is looking bright. I will be writing more about what the future holds for NetScaler, hold on!

XenMobile (heart) EMS? 

I saw on Twitter that there was a lot of debate about Microsoft and Citrix partnering on XenMobile and EMS. It is important to remember that EMS is NOT ONLY INTUNE, it's a whole lot more:

  • Azure MFA (Multi factor authentication)
  • Azure Active Directory
  • Azure Rights Management
  • Microsoft ATA
  • and of course Intune

But a lot of the confusion is: is XenMobile dead? No… It is important to remember that Intune has MAM capabilities for most of the Microsoft based applications, and XenMobile will be able to leverage these capabilities, which basically means that XenMobile will be using the Intune SDK to do this.

So a lot of the integration will of course be with NetScaler and Azure AD for identity purposes, being able to do SAML based authentication against Azure AD as the SAML IdP. Citrix will also embed a number of EMS capabilities into XenMobile, such as self-service password reset and multi-factor authentication (MFA).

A funny thing is this quote, which can be found on Brad Anderson's blog http://bit.ly/1TxIT1S : Future collaboration will also include Citrix building a new EMM service on Azure that will integrate with and add value to EMS

Finally, if you are an EMS customer, start getting educated on NetScaler. You’ll be able to define conditional access policies in EMS/Intune in 2H 2016 that NetScaler will enforce on a per-device, per-app and micro-VPN basis.