Thursday, December 20, 2007

Citrix MetaFrame Access Suite

Overview
Citrix MetaFrame XP Access Suite is a complementary product suite to Microsoft's Terminal Services (included with Windows NT 4.0 Terminal Services Edition, Windows 2000 Server, and Windows Server 2003) discussed in Chapter 2. Today, Citrix serves nearly fifty million users, facilitating a seamless user experience in heterogeneous computing environments, as well as application delivery across bandwidth-restricted connections.

Citrix MetaFrame Access Suite is comprised of five software products:

MetaFrame XP Presentation Server (MetaFrame XP)

MetaFrame Presentation Server for UNIX (MetaFrame for UNIX)

MetaFrame Password Manager

MetaFrame Conferencing Manager

MetaFrame Secure Access Manager (MSAM)

Citrix Password Manager and Conferencing Manager

Password Manager and Conferencing Manager are the newest members of the Citrix MetaFrame Access Suite. Password Manager provides a simple and elegant single sign-on solution for MetaFrame XP environments (although it also works in non-MetaFrame environments), and Conferencing Manager provides an all-inclusive collaborative conference interface that leverages the shadow features of MetaFrame XP. These two products further enhance the user experience of the server-based computing environment.

In this chapter, we discuss the evolution of the MetaFrame Access Suite and dissect its Independent Computing Architecture (ICA) protocol. We also cover the enhancements that MetaFrame Access Suite brings to Terminal Services, including:

Secure, encrypted access for all enterprise users from any location, without having to open firewall holes. MetaFrame Secure Gateway provides a secure infrastructure by which users can access the SBC environment literally from anywhere, any time, any place, regardless of the firewall configurations (assuming the environment allows SSL [port 443] traffic). Although Terminal Services RDP traffic is encrypted, it requires that port 3389 be open both on the Data Center firewall and at the user's location(s).

True Application Load Management. Microsoft's built-in Network Load Balancing can be effective for environments with 100 users or less, but enterprise environments absolutely require a more robust and flexible approach to determining which users are placed on which servers under what circumstances.

MetaFrame Web Interface wizard-based deployment tool (formerly called NFuse). Not only does this tool provide an automated approach to deploying access to the SBC environment, but, just as handy, it provides an automated approach to deploying the ICA client itself. Conversely, the deployment and installation of the Remote Desktop Client with Terminal Services can be a daunting task when thousands of users need an update to the client.

Universal Access to applications from any client device, to applications on Windows or UNIX platforms. Although Microsoft now supports client access from Macintosh OS X and Windows clients, Citrix not only provides support for Mac and Windows, but also support for over 200 client operating systems, including most flavors of UNIX and Linux, DOS, and embedded devices.

Enterprise management tools. Citrix provides Resource Manager, Installation Manager, and Network Manager, as well as a host of embedded management tools that present administrators with critical information as well as the automation of enterprise SBC server environments.

Table 3-1 shows the value-add features that Citrix MetaFrame XP adds to a Windows Server 2003 environment.

Table 3-1: Citrix ICA Value-Add Features

Application publishing | One-to-many shadowing | Customized billing reports | User collaboration
Program Neighborhood | Cross-server shadowing | Track user access to applications | Panning and scaling (handhelds)
Anonymous user support | Shadowing indicator | Centrally install applications | Pass-through authentication
Content publishing | Auto client update | Distribute service packs | Seamless windows
Content redirection | Universal print driver | Package customized install | Multimonitor support
Novell NDS support | Web-based client install | Web Interface for MetaFrame | Application save position
Delegated administration | Support for multiple farms | Non-Windows client access | End-to-end security
Centralized management console | Auto client printer detection | Integration with Network Management consoles | MetaFrame Secure Gateway
Connection control | Resource-based Load Management | Support for direct asynch | SSL/TLS 128-bit encryption
CPU prioritization | Schedule application availability | Client drive remapping | Support for digital certificates
Support for 1000+ servers in farm | Specify client IP range | Text-entry prediction | Socks 4 and 5 proxy support
Many-to-one shadowing | Application monitoring | Instant mouse-click feedback | SpeedScreen 4 browser acceleration


The Evolution of MetaFrame
The Microsoft Windows NT operating system developed from a single-user operating system architecture and, for nearly a decade, remained limited in certain applications by that fact. Windows NT provided real-time multiprocessing capabilities comparable to those of rival UNIX operating systems, but did not provide functions within its OS kernel to support concurrent multiuser access to applications hosted on NT platforms.

Given the dominant business computing architecture of the late 1980s and early 1990s, which featured increasingly capable desktop computers (so-called fat-client PCs) that provided much of the same processing as client-server applications, it may well be that the need for multiuser computing platforms (similar in concept to mainframe computing environments) was not of primary concern to Microsoft designers. In Microsoft's preferred computing model, information processing was conceived as inherently distributed and individualized: desktop computers were viewed as "peers" of server platforms. In fact, most early server systems were little more than highly configured PCs, typically featuring many of the same hardware components.

At that time, there was an interest in some niche areas for a server platform that would "host" applications and share them among several connected client devices, configured as dumb terminals. One such application was remote access: a technique by which one or more offsite users could access an application located on a corporate local area network (LAN). Ideally, the remote user would be able to perform useful work as though seated at a terminal directly attached to the LAN.

However, the mainstream architecture for business computing did not yet involve shared application use. Instead, the norm was a combination of Windows-based desktop computers, emphasizing locally stored and executed individual applications, and Novell, UNIX, or NT-based servers (or a combination of all of these) interconnected via a LAN, supporting client-server computing.

Multiuser Windows—MultiWin
The idea behind server-based computing on Windows NT can be traced to the X-Window System developed by MIT in 1984. By utilizing powerful UNIX servers, remote X-Window clients can send keyboard and mouse input to server-based applications running on central servers. The X-Window System on the server then tracks output from the applications and updates the appropriate remote client session screen.

The founder of Citrix Systems, Ed Iacobucci, originally conceived the idea of allowing different types of computers to run the same applications, even though they might not have the same operating system or adequate local resources. While working as head of the joint Microsoft/IBM design team on the OS/2 project, he approached both companies with the idea, but neither firm was interested. Iacobucci then formed Citrix Systems in 1989 and the technology behind the current Terminal Services was developed—MultiWin. MultiWin rode on top of the OS/2 kernel and allowed multiple simultaneous OS/2 sessions and desktops in a protected memory area for each individual user.

WinView
In 1993, Citrix shipped its first OS/2-based multiuser operating system, called WinView. WinView used the MultiWin technology and one of the first incarnations of a remote display client called Independent Computing Architecture (ICA). Citrix first worked to deliver multiuser extensions to the OS/2 operating system and subsequently worked on the delivery of applications across Novell and TCP/IP networks. Despite prevailing personal and client-server computing models, developers at Citrix believed that multiuser computing had a future, especially as applications moved off the desktop and "into the network." They convinced Microsoft that a market for multiuser NT could be cultivated and secured a license to add multiuser extensions to the NT operating system.

WinFrame
Whether or not Microsoft shared the Citrix vision of the future, the license agreement was certainly a "win-win" for Microsoft and Citrix. With the multiuser extensions provided by Citrix in the form of WinFrame, Microsoft would be able to answer criticisms from UNIX advocates regarding a purported "deficiency" of its server operating systems: they provided little or no support for multiuser computing requirements. If Citrix visionaries were correct, and a market for multiuser computing platforms could be cultivated, Microsoft would have a solution to offer that market.

Citrix WinFrame is a combination of Microsoft Windows NT 3.51 Server and Citrix MultiWin technology. WinFrame was a major upgrade to the OS/2-based WinView. At the time of its release, Windows 3.1 (and later, Windows 95) had become the desktop standard, and WinFrame surpassed WinView as a tool for installing and executing the standard corporate end-user applications.

Thin-Client Computing
In the mid-1990s, the argument for multiuser NT was reinforced by the findings of analysts such as the Gartner Group regarding the total cost of ownership of Windows PCs. Analysts claimed that fat-client PCs cost organizations between $7000 and $13,000 per PC per year in maintenance and support. This position touched off a firestorm of industry activity, mainly from longtime Microsoft rivals. The so-called SONIA set—an acronym for Sun Microsystems, Oracle Corporation, Netscape Communications, IBM, and Apple Corporation—led the charge to displace Microsoft PCs from corporate desktops, substituting their own "network computer" in their place. Despite the obvious self-interest inherent in the SONIA value proposition, and the subsequent failure of the network computer to take hold in the market, the underlying tenet of the SONIA argument took root. The Citrix concept of thin-client computing was introduced to the lexicon of modern business computing.

Thin-client computing advocates held that, as server capabilities grew, it was only natural for server hosts to become "fatter" and for desktop platforms to become "thinner." Application software, advocates argued, should reside on application servers rather than on individual PCs. Placing applications on a server would make them accessible by means of a variety of inexpensive client devices. The advent of the Internet and World Wide Web at about the same time reinforced this perspective. Many people adopted a view of computing in which all applications would be accessed via a universal, hardware-agnostic client such as a web browser.

Citrix Systems Synonymous with Thin
Citrix Systems, with its Independent Computing Architecture (ICA), emerged from the discussion of thin computing as the undisputed leader in a market it had long helped to facilitate. In an ICA-based solution, WinFrame-based application servers could host Windows-compliant applications, while end users, equipped with any of a broad range of client devices (whether network computers or Windows PCs), could access and use the applications over a network connection. Integral to the WinFrame approach was a remote presentation services protocol capable of separating the application's logic from its user interface, so that only keystrokes, mouse-clicks, and screen updates would travel the network. With the ICA protocol, Citrix claimed, the user's experience of the server-hosted application would be comparable in all respects to that of an application executing on the end user's own desktop PC.

Terminal Services and MetaFrame
Increased interest in the WinFrame solution encouraged Microsoft to license MultiWin, the core technology of WinFrame, from Citrix Systems in 1997 and to integrate the technology into its own operating systems soon after. As explained in Chapter 2, Microsoft first implemented MultiWin in a special Terminal Services Edition (TSE) of its NT 4.0 OS. With Microsoft's integration of Terminal Services, Citrix needed to raise the bar for scalability and management. This was accomplished with MetaFrame.

Introduction of MetaFrame 1.0/1.8
Unlike WinFrame, which had been a stand-alone product and a "replacement" operating system for NT, MetaFrame was an add-on to the Microsoft NT 4.0 TSE and Windows 2000 platform. One reason for the MetaFrame product was to continue to meet the needs of WinFrame customers who were interested in migrating their NT 3.51-based WinFrame environments to newer NT 4.0 TSE-based environments but who were afraid of losing application server connections with clients that were not supported by Remote Desktop Protocol (RDP). MetaFrame added ICA client and protocol support back into the Microsoft multiuser operating system offering, since ICA allowed connectivity from many more client types than RDP did.

MetaFrame XP
MetaFrame XP is the latest version from Citrix. With the release of Feature Release 3 (FR-3), XP is compatible with Microsoft's latest operating system: Windows Server 2003. In addition to the feature updates and changes, another very significant change that Citrix made with MetaFrame XP is in licensing. With MetaFrame 1.0/1.8, Citrix required a server license for every server with Citrix installed, as well as bump packs for additional users, while MetaFrame XP requires only one base license for each server farm (with bump packs for additional concurrent users). This change makes licensing far more flexible and convenient, and in most cases cheaper, as additional servers can be brought online as needed without additional Citrix software license expense (as long as no additional concurrent users are added).

With MetaFrame XP, customers have new version choices, including XPs, XPa, and XPe. All versions of XP are supported on Windows NT 4.0 TSE, Windows 2000 Server, and Windows Server 2003. MetaFrame XP supports full integration with Active Directory in Windows 2000 or Windows Server 2003.

Note: Following the release of Feature Release 1, Citrix stopped adding any additional features or enhancements to MetaFrame XP for Windows NT 4.0 TSE.


XPs is the standard version for Citrix servers for stand-alone point solution implementations with one to five servers. XPs feature highlights include Web Interface for MetaFrame, user shadowing, Secure Gateway, Universal Print Driver II, client time zone support, Novell NDS support, client device support, and full ICA client support.

Although more than one server can be used with XPs, it is rare, as applications cannot be load balanced across servers and any application publishing will have to be done separately on each server with different names.

XPa is the advanced version that includes all of the XPs features, with the addition of Load Management. This upgrade is designed for use in farms with 2 to 100 servers.

As shown in Table 3-2, XPe contains all the features included with XPa, as well as some additional features required for enterprise management. These extended features include Resource Manager, Installation Manager, Web Interface Extension for MetaFrame XP (formerly Enterprise Services for NFuse), a plug-in for Microsoft Operations Manager (MOM), and Network Manager. XPe is designed for 20 or more servers and accommodates multiple Citrix Server farms.

Table 3-2: MetaFrame XP FR-3 Feature Grid

Editions are cumulative: every XPs feature is also in XPa and XPe, and every XPa feature is also in XPe.

Feature | MetaFrame XPs | MetaFrame XPa | MetaFrame XPe
UNPARALLELED MANAGEABILITY AND SCALE | | |
Advanced Shadowing | | |
Cross-server shadowing | X | X | X
Many-to-one shadowing | X | X | X
One-to-many shadowing | X | X | X
Shadowing indicator | X | X | X
Shadowing taskbar | X | X | X
Application Management | | |
Anonymous user support | X | X | X
Application publishing | X | X | X
Content publishing | X | X | X
Program Neighborhood | X | X | X
TCP-based browsing | X | X | X
Application Packaging and Delivery | | |
Centrally install and uninstall applications | | | X
Create logical server groups | | | X
Customizable project details | | | X
Delivery verification | | | X
Distribute service packs, updates, and files | | | X
MSI support | | | X
Package applications, files, and service packs | | | X
Package inventory | | | X
Packager rollback | | | X
Schedule package delivery | | | X
Server reboot support | | | X
Support for unattended installs | | | X
Centralized Administration | | |
Active Directory support | X | X | X
Novell NDS support | X | X | X
User policies | X | X | X
Administrator toolbar | X | X | X
Centralized Data Store | X | X | X
Citrix administrative accounts | X | X | X
Citrix Management Console | X | X | X
Plug-in for Microsoft Operations Manager (MOM) | X | X | X
Citrix Web Console | X | X | X
Connection control | X | X | X
CPU prioritization | X | X | X
Windows Installer Support | X | X | X
Centralized License Management | | |
Centralized license activation | X | X | X
Enterprisewide license pooling | X | X | X
Plug-and-play licensing | X | X | X
Client Management | | |
Auto client update | X | X | X
Business Recovery | X | X | X
ReadyConnect | X | X | X
Web-based client installation | X | X | X
Network Management | | |
Access CMC from third-party management consoles | | | X
SNMP monitoring agent | | | X
Printer Management | | |
MetaFrame Universal Print Driver version II | X | X | X
Support for color and high-resolution printers with Universal Print Driver | X | X | X
Printer auto creation log | X | X | X
Printer driver access control | X | X | X
Printer driver replication | X | X | X
Printing bandwidth control | X | X | X
Resource-Based Load Balancing | | |
Instant load-balancing feedback | | X | X
Load balancing reconnect support | | X | X
Schedule application availability | | X | X
Specify client IP range | | X | X
Scalability | | |
Enterprise-class scalability | X | X | X
Cross-subnet administration | X | X | X
System Monitoring and Analysis | | |
Application monitoring | | | X
Customized reporting | | | X
Summary database and reporting | | | X
Perform system capacity planning | | | X
Real-time graphing and alerting | | | X
Server farm monitoring | | | X
Track user access to applications | | | X
User-definable metrics | | | X
Watcher window | | | X
ICA session monitoring | | | X
TOTAL "NET" LEVERAGE | | |
Web Application Access | | |
Web Interface for MetaFrame | X | X | X
Federal Information Processing Standards (FIPS) 140 security compliance | X | X | X
Support for RSA SecurID and Secure Computing Premier Access second-factor authentication solutions | X | X | X
Multiple server farm support | X | X | X
Application filtering and caching | X | X | X
Support for MetaFrame Secure Access Manager | X | X | X
Web Interface Extension for MetaFrame XP | | | X
ULTIMATE FLEXIBILITY | | |
Access to Local System Resources | | |
Auto printer creation | X | X | X
Automatic drive redirection | X | X | X
Client drive mapping | X | X | X
Clipboard redirection | X | X | X
COM port redirection | X | X | X
Performance | | |
Instant mouse-click feedback | X | X | X
Persistent bitmap caching | X | X | X
Priority packet tagging | X | X | X
SpeedScreen browser acceleration | X | X | X
SpeedScreen 3 | X | X | X
Text-entry prediction | X | X | X
Seamless User Experience | | |
High-/true-color depth and resolution | X | X | X
16-bit audio support | X | X | X
Application save position | X | X | X
Auto client reconnect | X | X | X
Client printer management utility | X | X | X
Client time zone support | X | X | X
Content redirection | X | X | X
Multimonitor support | X | X | X
Panning and scaling | X | X | X
Pass-through authentication | X | X | X
Roaming user reconnect | X | X | X
Seamless windows | X | X | X
Win 16 multi-session support | X | X | X
Universal Connectivity | | |
Universal client access | X | X | X
Support for direct asynch dial-up | X | X | X
Support for TCP/IP, IPX, SPX, and NetBIOS | X | X | X
User Collaboration | | |
User collaboration | X | X | X
END-TO-END SECURITY | | |
Security | | |
MetaFrame Secure Gateway | X | X | X
Delegated administration | X | X | X
SSL 128-bit encryption | X | X | X
TLS encryption | X | X | X
Smart card support | X | X | X
SecureICA 128-bit encryption | X | X | X
SOCKS 4 and 5 Support | X | X | X
Ticketing | X | X | X


The centralized computing using MetaFrame XP provides us with the ability to completely customize which applications are provided to which users. This ensures that all users have access to the necessary resources required for their daily tasks. Software changes and upgrades are performed at the server effective instantaneously for all users. Overall, we have been able to expand and grow our IT projects ahead of estimated schedules with the seamless deployment of applications and minimum maintenance time required for our Citrix Farm.

—Michael P. Miller
Network & Systems Administrator
Primary Care Partners, P.C.

MetaFrame XP is Active Directory compliant. Thus, Active Directory groups may be used to configure permissions and users. Citrix does not change or add to the schema of Active Directory, and MetaFrame allows single sign-on for Active Directory, Novell NDS, and Novell eDirectory environments.

Web Interface for MetaFrame is provided by Citrix with all three MetaFrame XP versions, to publish Windows applications to web pages on intranets and the public Internet. This tool also allows customization so that a number of applications can be combined into an "application portal." Additionally, MetaFrame Secure Gateway provides a secure method of application access delivered directly to the end user via a browser, over SSL, providing increased security while reducing problems with firewall and VPN configurations.

With MetaFrame XP, access to applications can be provided across a variety of networks, including wide area networks, remote access dial-up connections, local area networks, the Internet, and wireless networks. Over 200 types of clients, including Windows PCs, Windows terminals, UNIX workstations, handheld devices, network computers, and numerous others, are supported as ICA clients. These client choices improve dramatically on the RDP client support inherent in Windows NT 4.0 TSE, Windows 2000 Server, and Windows Server 2003.

Independent Computing Architecture (ICA)
ICA is an architecture for server-based computing that competes with and/or complements other architectures such as Microsoft's Remote Desktop Protocol (RDP) and Sun Microsystems/X-Open's X-Window protocol. All of these architectures share the goal of providing a means to extend resources, simplify application deployment and administration, and decrease the total cost of application ownership.

With all of these server-based computing architectures, applications are deployed, managed, supported, and executed completely on a server. Client devices, whether fat or thin, have access to business-critical applications on the server without application rewrites or downloads.

For everything that ICA, RDP, and the X-Window System have in common, they vary significantly from each other at the component level. Since very little new development is currently being done with the X-Windows System, we will focus our comparisons on ICA and RDP, although the "MetaFrame for UNIX" section provides a brief discussion on ICA versus X-Windows.

ICA Presentation Services Protocol
As depicted in Figure 3-1, the ICA presentation services protocol transports only keystrokes, mouse-clicks, and screen updates to the client. The protocol has been demonstrated to operate consistently with 20 kilobits per second of network bandwidth and provide real-time performance with 30 kilobits per second for office automation applications. This enables even the latest 32-bit applications to be operated remotely across low-bandwidth links while delivering performance comparable to local execution on existing PCs, Windows-based terminals, network computers, and a host of evolving business and personal information appliances.


Figure 3-1: ICA presentation services
The ICA protocol was designed with low-bandwidth connections in mind, making it a robust performer on both large- and small-capacity links. Moreover, the ICA protocol responds dynamically to changing network, server, and client operating conditions. It takes advantage of available network and server resources and adapts automatically when conditions are more restrictive, often without generating any noticeable changes in the end user's experience. Much of the performance of the ICA protocol can be attributed to the use of intelligent caching and data compression techniques, and to technologies such as SpeedScreen. ICA is a non-streaming protocol, meaning that if a user's screen has not changed and the user has not moved the mouse or pressed a key, no traffic is passed. This feature can substantially help larger environments operating over a WAN link, as at any given instant many users will not be using any bandwidth, allowing much better utilization of the bandwidth as a whole.

Citrix MetaFrame enables us to deploy Windows applications to our students in both a very cost-effective and expeditious manner. This is true whether they are working on a PC or Windows terminal on campus, or working offsite using an Internet connection.

—Tony Holland,
Director of Computing Services,
Stanford Business School

SpeedScreen
SpeedScreen is a technology for improving the performance of application delivery across ICA links. It improves performance by reducing the amount of data that must traverse an ICA connection as an end user interacts with a MetaFrame server-based application. SpeedScreen targets the repainting function of a hosted application. With many applications, entire screens are repainted with each keyboard entry (or mouse-click) made by the end user. SpeedScreen uses an intelligent agent technology to compare information previously transmitted to the ICA client with information that is about to be transmitted, then transmits only the changed information. This is visually represented in Figure 3-2. By limiting repaint operations to the specific sections of a screen affected by user interaction, the amount of traffic that must traverse the connection is dramatically reduced. Citrix's latest release of SpeedScreen, SpeedScreen 4, also called SpeedScreen Browser Acceleration, specifically focuses on major performance and usability improvements for end users connecting to published applications that embed JPEG and GIF images within Microsoft HTML pages. Supported applications include Internet Explorer v5.5 or later, Microsoft Outlook, and Outlook Express.


Figure 3-2: How SpeedScreen improves link performance
With some applications, bandwidth consumption may be reduced by as much as 30 percent through the implementation of SpeedScreen, while total packets transmitted may be reduced by 60 percent. The result is lower latency in the network and better application performance for the end user—especially across low-bandwidth connections.
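To make the repaint-reduction idea concrete, here is an added Python model (not Citrix code, and not the real ICA or SpeedScreen wire format) of a server that remembers the last frame sent to a client and transmits only the tiles that changed; the tile grid, the 4-byte tile header and the sample frames are all constructed for the example. It also shows the non-streaming behaviour described in the ICA section: an unchanged screen produces a zero-length update.

```python
"""Illustrative model of SpeedScreen-style repaint reduction (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Tile = Tuple[int, int]      # (row, col) of one screen tile
Frame = Dict[Tile, bytes]   # tile coordinate -> that tile's pixel bytes


def full_repaint_bytes(frame: Frame) -> int:
    """Bytes a 'repaint the whole screen on every keystroke' protocol would send."""
    return sum(len(px) for px in frame.values())


def encode_update(changed: Frame) -> bytes:
    """Constructed wire format: per tile, row(1) col(1) length(2, big-endian) pixels.

    An empty update encodes to b'', so an unchanged screen costs nothing on the wire.
    """
    out = bytearray()
    for (row, col), px in sorted(changed.items()):
        out += bytes([row, col]) + len(px).to_bytes(2, "big") + px
    return bytes(out)


def decode_update(payload: bytes) -> Frame:
    """Inverse of encode_update; raises ValueError on a truncated payload."""
    tiles: Frame = {}
    i = 0
    while i < len(payload):
        if i + 4 > len(payload):
            raise ValueError("truncated tile header")
        row, col = payload[i], payload[i + 1]
        n = int.from_bytes(payload[i + 2:i + 4], "big")
        px = payload[i + 4:i + 4 + n]
        if len(px) != n:
            raise ValueError("truncated tile data")
        tiles[(row, col)] = px
        i += 4 + n
    return tiles


@dataclass
class UpdateSender:
    """Server side: remembers what the client already displays and sends only deltas."""
    last_sent: Frame = field(default_factory=dict)

    def next_update(self, frame: Frame) -> bytes:
        changed = {t: px for t, px in frame.items() if self.last_sent.get(t) != px}
        self.last_sent.update(changed)
        return encode_update(changed)


@dataclass
class UpdateReceiver:
    """Client side: applies partial updates onto its local copy of the screen."""
    screen: Frame = field(default_factory=dict)

    def apply(self, payload: bytes) -> int:
        tiles = decode_update(payload)
        self.screen.update(tiles)
        return len(tiles)  # number of tiles repainted locally


def simulate(frames: List[Frame]) -> List[Tuple[int, int]]:
    """Return (full_repaint_bytes, delta_bytes) per frame, checking the client stays in sync."""
    sender, receiver = UpdateSender(), UpdateReceiver()
    results = []
    for frame in frames:
        payload = sender.next_update(frame)
        receiver.apply(payload)
        if receiver.screen != frame:
            raise RuntimeError("client screen diverged from server frame")
        results.append((full_repaint_bytes(frame), len(payload)))
    return results


def constructed_frames() -> List[Frame]:
    """Constructed sample: a 2x2 tile screen with 16 pixel bytes per tile."""
    blank = {(r, c): b"\x00" * 16 for r in range(2) for c in range(2)}
    typed = dict(blank)
    typed[(1, 1)] = b"\x41" * 16   # one tile repaints after a keystroke
    idle = dict(typed)             # user idle: nothing on screen changes
    return [blank, typed, idle]


if __name__ == "__main__":
    for n, (full, delta) in enumerate(simulate(constructed_frames())):
        print(f"frame {n}: full repaint {full} bytes, delta update {delta} bytes")
```

The first frame costs more than a full repaint because every tile carries a header; the savings appear on the later repaints, where a single keystroke sends one tile and an idle screen sends nothing.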

With the SpeedScreen Latency Reduction (SLR) manager, the end-user experience can be enhanced in two ways. First, local text echo can be enabled to give immediate feedback by having the local client render the text. The normal way text is transferred when using MetaFrame is by sending the keystroke to the server, where it is processed and then rendered back to the client. Local text echo is convenient for users who type quickly, as even the slightest delay can be annoying. Second, SLR can provide instant feedback for mouse-button clicks.

Connectivity Options
A broader range of connectivity options is supported by MetaFrame and ICA than by RDP, so a more diversified set of users can access and utilize hosted applications. Figure 3-3 depicts the connectivity options enabled by ICA, which include dial-up, ISDN, multiple LANs, wireless LANs, numerous WANs, and the Internet. RDP, by contrast, is limited to TCP/IP LAN/WAN environments.


Figure 3-3: ICA's connectivity options
Additionally, using MetaFrame and the ICA protocol breaks the barriers imposed by RDP by extending application access beyond Windows PCs. The ICA protocol supports more than 200 clients, providing flexibility in access options far surpassing that of RDP.

The ICA Client Environment
In addition to the contributions of MetaFrame and the ICA protocol to application delivery performance, MetaFrame also enhances the basic multiuser client-server environment. MetaFrame XP embodies numerous innovations designed to facilitate a broad range of hosted application environments. Considerable effort has been invested by MetaFrame XP designers to enable all applications, whether remote or local, to operate and interoperate as though they were local to the end user. This approach increases the user's comfort level and decreases the required training time.

The MetaFrame ICA Desktop
The MetaFrame ICA desktop is designed to provide a user experience that is on par with a Windows PC running locally installed and executed applications. MetaFrame enables complete access to local system resources, such as full 16-bit stereo audio, local drives, COM ports, and local printers, if available.

The mapping of local resources can be performed automatically or by means of administrative utilities. Specialized client capabilities such as modem dial-up are also supported.

Additionally, mapped resources can be shared with the MetaFrame server, if desired. Configuration of these mappings is built into the standard Windows device redirection facilities. The client mappings appear as another network that presents the client devices as share points to which a drive letter or printer port can be attached.

Seamless Windows
Of course, not all MetaFrame XP implementations utilize a full-fledged "remote desktop" model (one in which there are no applications locally installed on the client). Indeed, in many environments where MetaFrame XP is deployed, clients are themselves Windows PCs configured to provide a mixture of some locally installed applications and some remotely hosted applications. Seamless Windows is a feature of MetaFrame designed to accommodate this scenario.

Seamless Windows is a shorthand expression referring to the capability of the Citrix ICA Win32 client to support the integration of local and remote applications on the local Windows 95, Windows 98, Windows NT 4.0, Windows 2000, or Windows XP desktop. When configuring a connection to the MetaFrame XP server, an administrator or user can simply select the Seamless Windows option to enable this function.

With Seamless Windows, the user can gain access to hosted applications without having to load a remote desktop environment. While connected in a MetaFrame XP server session, the user can gain access to local applications using the Windows taskbar. Icons for both local and remote applications can be installed on the local Windows desktop, and both local and remote application windows can be cascaded on the local desktop.

Multiple Keyboards
The Seamless Windows environment supports the definition of multiple keyboards to facilitate command entry in local and remote application environments. This prevents specially mapped key combinations used by MetaFrame (such as ALT-TAB) from interfering with similar key combinations used by locally executing applications.

Windows Clipboard
Seamless Windows supports the use of the Windows Clipboard in conjunction with both local and MetaFrame-hosted applications. Users can cut, copy, and paste information between applications running remotely on the server or locally from the desktop. Rich text format cut-and-paste is fully supported.

Note: The local/remote clipboard is part of MetaFrame XP's overall solution set. It can be used independently of Seamless Windows or Program Neighborhood.


Program Neighborhood
Building on the concept of a Seamless Windows environment, MetaFrame also delivers an easy-to-use method for accessing remotely hosted applications. Similar in concept to the Microsoft Windows Network Neighborhood, MetaFrame pushes links to published applications into a client-based Program Neighborhood facility.

In operation, Program Neighborhood presents application sets to MetaFrame client users. An application set is a user's view of the applications published on a given MetaFrame server or server farm, which that user is authorized to access. A single user-authentication operation (usually initiated when the user launches Program Neighborhood or a MetaFrame-hosted application displayed in the Start menu or as an icon on the local desktop) identifies the user to all MetaFrame servers. Based on the user's individual or group account parameters, the Program Neighborhood is populated with an application set containing each application configured for the specific user account or user group. Published applications appear as icons and are preconfigured with such properties as session window size, color depth, and supported level of encryption, as well as audio and video appropriate to the user and his or her client device.

Program Neighborhood technology is especially useful as a means to quickly publish hosted applications that are intended for use by groups of users. Users can click the Program Neighborhood icon on their Windows desktop (or click the corresponding entry in their Windows Start menu) to review a list of hosted applications available for use. No special client configuration is required to launch and use these published applications.
Management Features
The primary management tool for MetaFrame XP farms is the Citrix Management Console (CMC). The CMC is a Java tool that provides the user interface to control permissions, licensing, published applications, the load management feature of XPa, and the advanced features of XPe for both resource management and network management. The CMC is also the interface to monitor and manage printers, users, and servers. Java was chosen over the Microsoft Management Console (MMC) standard for cross-platform compatibility. With Feature Release 1, Citrix made available the Citrix Web Console (CWC), which is not as feature-rich as the CMC but can be used from any browser without installing the Java console.

The CMC can place a significant load on the server farm if not used properly. It is recommended that the auto refresh feature not be used, especially in larger farms. It is also important to publish or run the CMC on the zone data collector (ZDC); zone data collectors are explained later in this chapter. The dynamic information the CMC needs lives on the ZDC, so if the CMC is run from another server, that server must first fetch the information from the ZDC, which adds one more hop (and one more point of failure) to every refresh. Another way to increase efficiency is to create folders within the CMC to categorize published applications and servers, so that a refresh gathers only the information that is needed. A further way to reduce load is to use the command-line tools, which query only very specific data and thus use CPU and network bandwidth efficiently.

With MetaFrame XP Feature Release 3, Citrix released the MetaFrame XP Management Pack for MOM. This is a plug-in for Microsoft Operations Manager (MOM) that allows administrators to effectively manage the health and performance of MetaFrame XP servers from the MOM console. Since this interface is not Java based, it tends to be faster and less resource intensive. For users who are already using MOM for server management, this will make a great management tool.

From a client management perspective, MetaFrame XP brings to the administrative tool kit the Automatic ICA Client Update utility and a tool called ReadyConnect to facilitate rapid application deployment. Together, these features can save administrators many hours of tedious client configuration tasks.

The Automatic ICA Client Update utility provides the means to update Citrix ICA client software centrally, from the MetaFrame server itself. The latest versions of ICA client software are identified by the administrator, who then uses the update tool to schedule download and installation on appropriate client devices. This utility reduces the need to travel from client to client throughout the enterprise in order to install and configure the latest version of ICA client software.

ReadyConnect enables client connections to be predefined at the server. By capturing ICA client connection data, including phone numbers, IP addresses, server names, and other connection options, applications can be mass-deployed throughout the enterprise with speed and agility. Users can access applications across predefined connection points through a simple point-and-click operation.

Note While these tools are convenient, we recommend that Web Interface for MetaFrame be used instead to deploy and manage client versions and configurations. This technique will be thoroughly discussed in the "Web Interface for MetaFrame" section of this chapter and later in Chapter 16.


Zone Data Collectors
Understanding zone data collectors is critical to optimizing larger farm performance. Zone data collectors (ZDC) are used to keep information within a server farm up-to-date between member servers and other ZDCs. Every server farm has at least one zone that is set up by default. The trick is to design the right number of zones in a farm so that each ZDC does not get overloaded with traffic from its member servers. In larger farms with 50 or more servers, the ZDC is best served by a MetaFrame XP server that does not accept ICA connections.

Generally, zones start degrading performance between 100 and 300 servers, depending on the number of logins, applications served, and changes in server load. Performance can be maintained in larger farms by creating additional zones. The trade-off of adding more zones is the open link (and thus the bandwidth required) to maintain updates between each ZDC so that all updated data can be propagated throughout the farm. For optimal performance, it is best to keep the number of zones to a minimum, but still keep each zone small enough to be efficient.

The ZDC tracks data that is dynamically collected from the farm to include server load, license utilization, and session information. The more static data for a farm is maintained by the IMA data store including total licensing, published applications, administrators, permissions, server names in the farm, and trust relationships.

The ZDC is chosen with an election process. The variables used for the election process are first the software version, second the administrator-defined preference, and third the host ID. The important thing to keep in mind is that the software version overrides even the administrator-defined preference. Because of the amount of communication that takes place between ZDCs, we do not recommend setting up zones that cross WAN links. The zone traffic data that is sent across WAN links is not manageable within Citrix, but appliances like the Packeteer PacketShaper can manage this bandwidth utilization.

Independent Management Architecture
MetaFrame XP introduced the Independent Management Architecture (IMA) to replace the ICA browser service. IMA is a tremendous improvement over the ICA browser with respect to speed, scalability, and reliability of enterprise server farms.

IMA contains two components. The IMA data store is responsible for keeping information about licenses, published applications, load-balancing parameters, printer options, and security. The IMA protocol is responsible for communications between MetaFrame XP servers that maintain accurate information about server load, license usage, and user connections.

The IMA service runs on all MetaFrame XP servers to communicate with the Citrix Management Console, other MetaFrame XP servers, and the IMA data store. Each Citrix farm has one IMA data store, held in a database reached through ODBC. The databases presently supported are MS Jet (FR-3 replaced Jet support with MSDE support), Microsoft SQL Server 7 or later, IBM DB2, and Oracle 7.3.4 or later. Additional licensing is required from Microsoft, IBM, or Oracle if MSDE is not used. Each server downloads its configuration updates when it starts (when the IMA service starts) and checks for changes every ten minutes. When an administrator is testing or doing maintenance, a more immediate response to changes is sometimes needed; this can be obtained by executing the dsmaint recreatelhc command from a command prompt on the MetaFrame XP server and then restarting the IMA service, which rebuilds the local copy from the data store. When a server queries the IMA data store, it downloads only the relevant changes, which reduces traffic on the network. The server stores this data in its Local Host Cache. This increases the performance of local queries, and the cached data is retained for 96 hours so that the server can keep running if communication with the centralized IMA data store is lost. The zone data collector is also involved in this communication, as described in the preceding section.

Access to the data store can be in "direct" or "indirect" mode. In direct mode each server accesses the database directly using ODBC, whereas in indirect mode the servers send their queries through one MetaFrame server that communicates with the data store on their behalf. When using MS Jet (or MSDE in Feature Release 3) for the data store, indirect mode must be used because of performance and locking issues. Either mode can be used with SQL Server, IBM DB2, or Oracle. For small farms (50 servers or less), MSDE can work but has the disadvantages of requiring indirect mode (a single point of failure), being much more prone to data corruption, and being a potential performance bottleneck. For farms that are mission-critical and larger than ten servers, direct mode with SQL Server, IBM DB2, or Oracle is recommended. The SQL Server, IBM DB2, or Oracle server does not need to be dedicated to the data store, since these products support more than one database per server, assuming, of course, that sufficient server resources are available.

Data store replication is a concern in larger farms. When a server queries the data store (especially over slow link speeds) other servers could timeout and cause problems. SQL, IBM DB2, and Oracle contain integrated replication capabilities that are effective in solving this problem (the dual-commit model is recommended). When planning the resources for the data store, a good rule of thumb is to allocate about 200KB of disk space for each MetaFrame XP server.

Resource Manager
MetaFrame XPe is required when using Resource Manager (RM). This product equips administrators with a full-featured management tool suite for analyzing and tuning Citrix MetaFrame XPe servers. RM adds real-time monitoring, historic reports, and a central repository of usage information and statistics to the MetaFrame product suite.

Resource Manager keeps 96 hours of data in an internal database (15-second server snapshots) and integrates with Microsoft SQL Server and Oracle databases to store long-term statistics. The local database uses about 7MB for each metric to hold 96 hours of data. The local database is compacted only when the IMA service starts, which is one more reason to schedule scripted reboots of the MetaFrame XP servers every 24 to 48 hours. A set of predefined, free Crystal Reports for use with a Microsoft SQL Server or Oracle summary database is available from http://www.citrix.com/download.

While monitoring the server statistics, RM can send out e-mail, pages, or SNMP traps when predefined loads are met (for example, when CPU utilization reaches 60 percent, RM can send the Citrix administrator group an e-mail). RM uses metrics to define monitored parameters, alert thresholds, and configurations. Metrics, once defined, can be applied to servers or published applications. Hundreds of example metrics are included with the RM installation. Citrix recommends, for performance reasons, not to have more than 50 metrics per server.

The farm metric server is the central server that manages all of the metrics on each of the servers and published applications. By default, the first server in the farm on which RM is installed becomes the farm metric server, although the administrator can move this role at any time. Better performance can be achieved by having the farm metric server on the same machine as the zone data collector. RM can be installed on a second server in the farm, which automatically becomes the backup farm metric server for use if the primary goes offline. The metric data can be stored on the same SQL Server or Oracle server as the IMA data store if the server has sufficient resources. The database connection server is responsible for communicating with each MetaFrame server and with the summary database (SQL Server or Oracle) when data needs to be retained past 96 hours.

Each defined metric has six possible states:

Green indicates the metric is operating within acceptable limits.

Yellow indicates the metric has exceeded the time and value limit.

Red indicates the yellow limit has been exceeded and administrator action has been executed (e-mail, page, SNMP traps, and so on).

Blue indicates a new metric that is not completely defined.

Grey indicates a metric that is paused (snooze) for a predetermined amount of time; in this state, data is still collected, but alerts are not processed.

Black is a sleep state; data is still collected, but alerts are not processed.

Network Manager
Network Manager (NM) is used for limited management through SNMP and to view MetaFrame XP statistics from HP OpenView, Tivoli NetView, and CA Unicenter. This tool can be useful for companies that already have SNMP management software. NM is a component of XPe only. Because SNMP can be used to compromise a server, security is a primary configuration concern: the SNMPv1 and SNMPv2c community strings the Windows SNMP service uses travel in cleartext on the network and are, in effect, passwords. If possible, SNMP should be left read-only (the default setting for Windows 2000/Windows Server 2003) and all MetaFrame XP management should be done through the CMC or the MOM plug-in. If it is critical to restart servers, terminate processes, disconnect sessions, log off sessions, send messages, and shut down through NM, SNMP requires read-create or read-write permissions. In that case, SNMP should be locked down by limiting these SNMP privileges to only the IP address of the SNMP management server. SNMP is discussed in further depth in Chapter 9.
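As an added example (not from the book, and not a Citrix or Microsoft tool), the following Python script checks a Windows SNMP service configuration against the advice above: it flags any community with read-write or read-create rights unless PermittedManagers restricts the service to the single management server, and it also flags the default community names public and private, which the text does not mention but which are the first thing anyone probing a server tries. The registry paths and rights values are those of the Windows SNMP service; the community strings, the addresses, and the management-server address are constructed sample data.

```python
import sys
from typing import Dict, List, Optional, Tuple

# Rights the Windows SNMP service stores as a DWORD per community under
# HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities.
RIGHTS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
WRITE_RIGHTS = {8, 16}  # what NM's restart/logoff/shutdown actions need


def audit_snmp(communities: Dict[str, int], permitted_managers: List[str],
               management_server: str) -> List[str]:
    """Findings for one server's SNMP configuration, as a list of strings.

    communities        {community string: rights DWORD}
    permitted_managers hosts under ...\\Parameters\\PermittedManagers; an empty list
                       means the service accepts SNMP packets from any host
    management_server  the only host that should be allowed write/create access
    """
    findings = []
    for name, right in communities.items():
        label = RIGHTS.get(right, "unknown(%d)" % right)
        if right in WRITE_RIGHTS:
            if not permitted_managers:
                findings.append("%s: %s rights accepted from any host" % (name, label))
            elif set(permitted_managers) != {management_server}:
                findings.append("%s: %s rights accepted from %s, not only %s"
                                % (name, label, sorted(permitted_managers), management_server))
        if name.lower() in ("public", "private"):
            # Not in the text, but the first string anyone probing the server will try.
            findings.append("%s: well-known default community name" % name)
    return findings


def read_snmp_parameters() -> Optional[Tuple[Dict[str, int], List[str]]]:
    """Read the live values from the registry on a Windows host; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\SNMP\Parameters"

    def values(subkey):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + "\\" + subkey)
        except OSError:
            return []  # key absent: treat as no entries
        out, i = [], 0
        with key:
            while True:
                try:
                    out.append(winreg.EnumValue(key, i)[:2])  # (name, data)
                except OSError:
                    return out
                i += 1

    communities = {name: int(v) for name, v in values("ValidCommunities")}
    managers = [str(v) for _, v in values("PermittedManagers")]
    return communities, managers


# Constructed samples: the configuration the text warns against, and a hardened one.
WEAK = ({"public": 4, "citrixnm": 16}, [], "10.0.0.25")
HARDENED = ({"mf-ro-7h3k": 4, "mf-nm-9q2v": 16}, ["10.0.0.25"], "10.0.0.25")

if __name__ == "__main__":
    for label, (comms, mgrs, console) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_snmp(comms, mgrs, console) or ["no findings"])
    live = read_snmp_parameters()
    if live:
        print("this host", audit_snmp(live[0], live[1], "10.0.0.25") or ["no findings"])
```

Run it on the MetaFrame server itself to audit the live registry values; elsewhere it only evaluates the two constructed samples. The management-server address passed for the live check is an assumption and should be replaced with the NM console's address.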

Installation Manager
Citrix Installation Manager (IM) is designed to automate the application installation process and facilitate application replication across MetaFrame XP servers throughout the enterprise. Through the use of IM, applications can be distributed across multiple servers in minutes rather than days or weeks. IM is available as a part of MetaFrame XPe only. IM is fully integrated into the CMC.

IM is especially useful in organizations utilizing more than 10 MetaFrame XP servers, or having numerous and frequently updated applications. In these environments, the automation offered by IM can yield significant cost and administrative time-savings.

IM contains two components: the Packager and the Installer. With the Installer deployed to all Citrix servers in the enterprise, the Packager makes replicating applications a simple two-step "package and publish" process.

The Packager runs on its own PC or server, while the Installer runs as a background service on each MetaFrame XP server and is transparent to the user.

The Packager provides the administrator with a wizard that supports the step-by-step process of installing and configuring an application. The result is a "package" that contains all application files and a "script" that describes the application setup process.

To "push" an application to MetaFrame XP servers equipped with the Installer, publish the script to those servers. The application will then be distributed and automatically installed onto MetaFrame XP servers across the enterprise.

IM also helps to sort out uninstall issues associated with many applications. For example, with many uninstall programs, application components can be left behind on the server. With IM, the Installer component tracks every application component installed and completely uninstalls the components when the administrator elects to "unpublish" the application on a specific server. This simplifies the relocation of applications from one server to another.

Load Management
Load management is available in the MetaFrame XPa and XPe versions to assist administrators in maximizing the utilization of server resources and maintaining an optimum user experience. Load management is a concept familiar to many administrators of Microsoft Terminal Server Edition, but it has a special meaning in the context of MetaFrame XP server operation.

With Microsoft's NT Server 4.0 TSE, Windows 2000, and Windows Server 2003 operating systems, multiuser computing capabilities are viewed as a service, much like SQL or Exchange services. Due to this orientation, Microsoft's approach to balancing system load across multiple servers focuses less on the nature and requirements of the load itself (application sessions in the case of multiuser computing), and more on the distribution of the session load across multiple systems. In effect, clients are presented with a virtual IP address representing multiple servers with replicated resources and services. As each server reaches a load threshold, incoming client session requests are forwarded to a server with available resources.

MetaFrame XP takes load managing from the server level to the application level, adding features such as automatic session reconnection and enhanced manageability to terminal services, fine-tuning the concept of load management considerably.

With MetaFrame XP Load Management, an application can be published for execution on any or all MetaFrame servers in a server farm. When an application or desktop session that has been configured for multiple servers is launched by an ICA client, MetaFrame XP Load Management selects which server will run the application based on a set of tunable parameters. Administrators have access to load management variables via the Citrix Management Console (CMC).

How the Load Manager Works
Administrators use the CMC to set load-management parameters. Load management makes decisions based on administrator-defined rules that set lower and upper limits on a number of variables; the rules are grouped into load evaluators that are attached to each server (or published application). Each rule reports a load value between 0 (free) and 10,000 (fully utilized). The zone data collectors are responsible for tracking each server's load values and directing users to the least-busy servers. When more than one rule is applied to a load evaluator, the rule reporting the highest load value defines the load of the server.

Load evaluators can have up to 12 rules. These rules can be broken into four categories: moving average, moving average compared to high threshold, incremental, and Boolean. These categories are explained in more detail next.

Moving average rules use percentage values to calculate load values. The administrator defines a low threshold, at or below which the load manager reports no load, and a high threshold, at or above which it reports a full load. When the moving average is between the low and high thresholds, the load reported is the fraction of the way from the low threshold to the high threshold, multiplied by 10,000. Two rule types operate on a moving average: CPU Utilization, the average usage of the CPUs; and Memory Usage, the average usage of the physical and virtual memory in the server.

Moving average compared to high threshold rules report no load when the moving average is below the low threshold and a full load when it is at or above the high threshold. Between the two, the load value is scaled against the high threshold and 0 (that is, the current value as a fraction of the high threshold, multiplied by 10,000); the low threshold is not used in the calculation. Five rules work this way. Context Switches calculates load from the rate of CPU context switches, that is, the OS switching between processes. Disk Data I/O calculates load from the total disk I/O throughput, in kilobytes per second, for all disks. Disk Operations calculates load from disk operations per second across all disks. Page Faults calculates load from the number of page faults per second, that is, accesses to pages that have been paged out to disk. Page Swap calculates load from the number of page swaps per second, which occur when the OS moves pages between physical memory and the paging file on disk.

The incremental rules are user friendly and do not require Performance Monitor counters or calculations between upper and lower thresholds. All calculations are based on a full-load maximum value specified by the MetaFrame XP administrator. When the maximum is reached, the load manager reports a full load; otherwise it reports a value proportional to the maximum, calculated by dividing 10,000 by the rule's maximum value and multiplying the result by the current count. Three rules are in this classification: Application User Load calculates load from the number of users connected to an application. Server User Load calculates load from the number of users connected to a server. License Threshold calculates load from the number of assigned connection licenses in use on the server.

Boolean rules are based on a condition being either true or false. If the condition is met, or found to be "true," access is allowed; otherwise it is denied. These rules are meant to be used in conjunction with other load evaluator rules, because they have no associated load values. If no other rules are applied together with a Boolean rule, every permitted server reports the same (zero) load and all connections are directed to the same server. When one of these rules takes effect, it is not enforced on users already connected. For instance, if the Scheduling rule disables an application at a certain hour, users already running the application stay connected; if they log off, however, they cannot reconnect to the application during the hours it is disabled. There are two Boolean rules. IP Range enables or disables access to a server or published application based on the client's source IP address; IP Range rules do not function in mixed mode. Scheduling enables or disables access to a server or published application during specific time periods. Scheduling, like all load evaluator rules, is checked only at login or application launch.
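To make the rule arithmetic of the four categories concrete, here is an added example (not from the book and not Citrix code) that models how the text describes the Load Manager: each rule reports 0 to 10,000, the highest value wins, Boolean rules only allow or deny, and the data collector sends the connection to the least-loaded permitted server. It goes slightly beyond the text by also modelling the mixed-mode behaviour in which IP Range rules are ignored. The rule names and the 0 to 10,000 scale are taken from the text; the thresholds, counters, server names, client addresses, business hours and the `mixed_mode` switch are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

FULL_LOAD = 10_000  # the text's scale: 0 = free, 10,000 = fully utilized


@dataclass
class Rule:
    """One Load Manager rule. Only the fields its kind uses are meaningful."""
    name: str
    kind: str            # moving_average | moving_average_high | incremental | ip_range | schedule
    low: float = 0.0     # moving-average kinds: below this, no load is reported
    high: float = 100.0  # moving-average kinds: at/above this, full load is reported
    maximum: int = 1     # incremental: counter value that means full load
    networks: List[str] = field(default_factory=list)  # ip_range: permitted client networks
    hours: range = range(0, 24)                        # schedule: hours during which access is enabled

    def load_value(self, counters: Dict[str, float]) -> Optional[int]:
        """0..10000 for load rules; None for Boolean rules, which carry no load value."""
        if self.kind in ("ip_range", "schedule"):
            return None
        v = counters.get(self.name, 0.0)
        if self.kind == "moving_average":
            # No load at/below low, full load at/above high, proportional in between.
            if v <= self.low:
                return 0
            if v >= self.high:
                return FULL_LOAD
            return round((v - self.low) / (self.high - self.low) * FULL_LOAD)
        if self.kind == "moving_average_high":
            # Between the thresholds the value is scaled against high and 0; low only
            # decides when nothing at all is reported.
            if v < self.low:
                return 0
            if v >= self.high:
                return FULL_LOAD
            return round(v / self.high * FULL_LOAD)
        if self.kind == "incremental":
            # (10,000 / maximum) * current count, capped at full load.
            if v >= self.maximum:
                return FULL_LOAD
            return round(FULL_LOAD / self.maximum * v)
        raise ValueError("unknown rule kind: %s" % self.kind)

    def permits(self, client_ip: str, when: datetime) -> bool:
        """Boolean rules decide allow/deny; load rules never deny."""
        if self.kind == "ip_range":
            return any(ip_address(client_ip) in ip_network(n) for n in self.networks)
        if self.kind == "schedule":
            return when.hour in self.hours
        return True


def evaluate(rules: List[Rule], counters: Dict[str, float], client_ip: str,
             when: datetime, mixed_mode: bool = False) -> Tuple[bool, int]:
    """Apply one load evaluator to one server's counters: (allowed, load).

    The load is the highest value any load rule reports. In mixed mode IP Range
    rules are ignored, as the text states; a denied server is reported as full."""
    active = [r for r in rules if not (mixed_mode and r.kind == "ip_range")]
    if not all(r.permits(client_ip, when) for r in active):
        return False, FULL_LOAD
    loads = [v for v in (r.load_value(counters) for r in active) if v is not None]
    return True, max(loads, default=0)


def choose_server(servers: Dict[str, Dict[str, float]], rules: List[Rule], client_ip: str,
                  when: datetime, mixed_mode: bool = False) -> Optional[str]:
    """The data collector's decision: the least-loaded permitted server, or None.

    With only Boolean rules every permitted server reports 0, so the first one
    always wins; that is the text's 'all connections go to the same server'."""
    best = None
    for name, counters in servers.items():
        allowed, load = evaluate(rules, counters, client_ip, when, mixed_mode)
        if allowed and (best is None or load < best[1]):
            best = (name, load)
    return best[0] if best else None


# Constructed sample data (thresholds, counters, addresses and hours are assumptions).
EVALUATOR = [
    Rule("CPU Utilization", "moving_average", low=10, high=90),
    Rule("Page Swap", "moving_average_high", low=5, high=100),
    Rule("Server User Load", "incremental", maximum=50),
    Rule("IP Range", "ip_range", networks=["10.0.0.0/8"]),
    Rule("Scheduling", "schedule", hours=range(6, 22)),
]
SERVERS = {
    "MF01": {"CPU Utilization": 50, "Page Swap": 20, "Server User Load": 10},
    "MF02": {"CPU Utilization": 30, "Page Swap": 60, "Server User Load": 45},
    "MF03": {"CPU Utilization": 95, "Page Swap": 5, "Server User Load": 5},
}
BUSINESS_HOURS = datetime(2003, 6, 1, 10, 0)
AFTER_HOURS = datetime(2003, 6, 1, 23, 0)

if __name__ == "__main__":
    for name, counters in SERVERS.items():
        print(name, evaluate(EVALUATOR, counters, "10.1.2.3", BUSINESS_HOURS))
    print("chosen:", choose_server(SERVERS, EVALUATOR, "10.1.2.3", BUSINESS_HOURS))
    print("off-net client:", choose_server(SERVERS, EVALUATOR, "192.168.1.5", BUSINESS_HOURS))
    print("off-net, mixed mode:", choose_server(SERVERS, EVALUATOR, "192.168.1.5", BUSINESS_HOURS, mixed_mode=True))
    print("after hours:", choose_server(SERVERS, EVALUATOR, "10.1.2.3", AFTER_HOURS))
```

With these samples MF01 reports 5,000 (its CPU rule is the highest), MF02 reports 9,000 (45 of 50 users), and MF03 is full because its CPU is above the high threshold, so the on-network daytime connection goes to MF01. A client outside 10.0.0.0/8 is refused everywhere in native mode but reaches MF01 in mixed mode, because the IP Range rule is then ignored; after hours the Scheduling rule refuses every server.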

Load Management in a Mixed Citrix Environment
The MetaFrame XP farm must be kept in mixed mode to allow load management when MetaFrame 1.8 or MetaFrame for UNIX servers coexist with MetaFrame XP servers. When operating in mixed mode, MetaFrame XP servers communicate with MetaFrame 1.8 servers through the ICA Browser and Program Neighborhood services. MetaFrame XP servers communicate with each other using IMA, but the ICA Browser service is responsible for application resolution and for communication with MetaFrame 1.8 and MetaFrame for UNIX servers. For load balancing to work correctly in mixed mode, a MetaFrame XP server must be the master ICA Browser. The following differences exist compared with operating in native mode:

In mixed mode, application load evaluators and IP Range rules are ignored.

qfarm reports load information from MetaFrame XP servers only. Use qserver /load to view load information in a mixed-mode environment.

The load monitor tool reports MetaFrame XP information only.

Published applications must have the same name (case-sensitive) in both farms for load balancing to work.
