What is VPN and How does it Works

This is the second webinar of the Americas Networking Webinar Series Cloud

in this webinar, we will continue to develop NetScaler 101 delivered via webinar on November 24 and will go through the advanced NetScaler capabilities. We will also talk about deploying NetScaler NetScaler best practices and basic and high availability configuration using the Web interface.

NetScaler Advance Features Agenda

• NetScaler Editions
• NetScaler DataStream
• action Analytics
• Features NetScaler security
• SPDY gateway
• multi-path TCP
• Mobile TCP Experience
• NetScaler Insight Center
• deployment Best practices
• High availability
• configuration NetScaler

This webinar will not go into detail configuration for each of the modules mentioned above. However, as part of Americas Cloud Networking Webinar Series , we will make about 2 dozen webinars covering each topic in detail

Go to http :. //www.citrix. com / partnercalendar to register for this and all future webinars as they are planned. Your login Partner Central is needed.

NOTE: NetScaler functionality EPA gateway is available on Windows and Mac desktop platforms only (like May 1 2014).

With the release of NetScaler 10.1.0.1316.e Gateway, Citrix has significantly improved its end point analysis (EPA) capabilities. As a quick introduction to what is new and advanced with the EPA

• New Advanced Engine EPA with thousands of pre-configured scans
• Certificate Checks of device

for those who are new to the EPA, this ability let NetScaler Gateway evaluate the input endpoint device for posture, and evaluates policies that define this type of session will be provided to the user, if applicable. Note that a device check is different and complementary to, user authentication. While user authentication ensures that a valid and reliable user access to your corporate resources, machine control ensures that a valid user from a sound device.

In general, as an administrator, you may want to differentiate between users, based on the devices as follows:

• users from companies owned assets
• users from personal sound devices
• users from unhealthy devices

so, as you can see, the EPA is a very powerful concept, and provides granular control in terms of AAA policies and session parameters, depending on the position of the apparatus.

EPA Advanced Engine

NetScaler Gateway had a classic EPA engine, which offered great flexibility and power to the directors in terms of creating scans to detect a variety of things such as versions of the operating system, the presence or absence of certain software, domain join status ... the real power of the classic EPA engine comes in terms of a powerful political editor, who can create analyzes based on the register / Files / process controls and thus provides tons of customizable options.

What this classic motor EPA lacked was out of the box pre-configured scans, an administrator can activate and go

Advanced EPA engine now provides this infrastructure, with the following advantages :.

• thousands of pre-configured scans, available out of the box
• New scans are automatically provided, the new software is available
• easy maintainability, based on analysis that can provide minimal versions. As well as new versions come, admin may not have to go necessarily change the configuration.

Note that the current version of Advanced EPA provides preconfigured analyzes for pre-authentication checks only.

Device Certificate Checks

Device certificates are client certificates are issued to devices, as opposed to the concept of common issuance of certificates to users. As a user certificate identifies a trusted user, device certificate identifies a trusted device.

These certificates are commonly used to distinguish between corporate assets and BYOD assets. Assets belonging to the enterprise can be deployed with a device certificate by the enterprise CA, and the presence of such a certificate, is what identifies / mark the device as an asset of the company. Similarly, the lack of this certificate, mark another device as a possible BYOD device.

NetScaler Gateway now supports devices certificate checks to differentiate between these two classes of devices. Configuration is fairly homogeneous and essentially requires an admin to enable this check, and provide details Enterprise CA is responsible for issuing these certificates. Note that the CA provide information is a critical input, since you do not want to trust user certificates provided by another CA of the company, which could be issued user certificates.

NetScaler Gateway supports the parallel configuration of authentication by user certificate and check device certificate. In such a configuration, user authentication is managed as part of the SSL handshake. Once established, a device certificate verification is performed. Such verification ensures all the obvious calculations about the validity of the certificate, the certificate trust chain, the presence of the private key on the control endpoint and OCSP for corresponding certificates revoked.

So in essence, this version of NetScaler Gateway brings some powerful and advanced EPA to platform capabilities, and provides real value to any director safety conscious.

for a more detailed overview of the new version of NetScaler Gateway, see my previous post.

I have put together a page useful tools for the study and profiling Citrix XenServer. It is designed as part of a site that we put in place to help those designing applications for XenServer to test and optimize their environments, but will also be useful for administrators enthusiastic system to identify bottlenecks and implementing performance improvements for XenServer (see my post on XenServer performance tuning). This should be useful for those working with Citrix XenServer for server virtualization or as a platform for XenDesktop, CloudPlatform, Netscaler SDX or similar. In addition to advice on tools to study specific features such as GPU or passthrough vGPU can be found here

So here you go 10 useful tools for understanding XenServer (alphabetical) :.

1. Bonnie ++

This is an open source project that helps to measure and investigate the network load and includes tools to investigate a IO and large creation / deletion of small files file. There are a lot of user guides and blogs on this tool.

2. CPU-Z

CPU-Z can be especially useful if you plan: How to study and use the Turbo mode, C and P United States in XenServer

3. IOMeter

IOMeter is an open source tool, a tool I / O measurement subsystem and characterizing single and clustered systems. IOMeter is an easy way to generate stress on the I / O system and as such can be very useful in product development tests that interact with and generating load on the OVS.

4. iperf

iperf is an open source utility that can be very useful for diagnosing network problems in a XenServer environment. There are many how-to-guides and introductory tutorials available as here.

5. OProfile

OProfile is an open source tool available from http://oprofile.sourceforge.net/news/. Xen specific Vary is currently shipping in XS6.1 versions and upwards. It is detailed here: http://xenoprof.sourceforge.net/xenoprof_2.0.txt

6. vhd-util

vhd-util is an unsupported tool comes with XenServer and as such should never be used as an "API" around which to build an application based on its disposal or stability of the results. However, it is very useful as a tool to work with and VHD snapshots. It can be used to check, display and understand the VHD files including strings of clichés. There is little documentation and you will probably need to refer to using command line by typing "vhd-util" to the XenServer command line and ask for help to the desired option, for example

[root@dot56 ~] # vhd-util
use: vhd-util COMMAND [OPTIONS]
COMMAND: = {create | snapshot | query | read | set | repair | resize | complete | coalesce | change | scan | check |} return
[root@dot56 ~] # vhd-util check -h
Options: -n [-i ignore missing primary footers] [-I ignore parent uuids] [-t ignore timestamps] [-p check parents] [-b check bitmaps] [-s stats] [-h help]
[root@dot56 ~] #

Some additional information is available:

• on this blog Citrix
• research in the Citrix knowledge base for " vhd-util "
• research in the Citrix support forums

7. WinDbg

WinDbg is one of a number of tools available for Debugging Windows guest on XenServer (see link for details)

8. XenCenter

A wide range of settings are available for XenServer including: C-state, P-State IOPS, Latency and much more. Not all of these are enabled by default. The full range of settings available for hosts and virtual machines are described in Chapter 9 of XenServer 6.2 Administration Guide. This chapter also details how you can explore these settings via XenCenter.

9. xentop

xentop displays real-time information on a Xen system. It comes with the Xen tools. This Citrix article details later use: http://support.citrix.com/article/CTX127896.

10. xl

The xl utility is actually a part of the hypervisor Xen upstream developed as open source, such as the utility is not maintained by Citrix XenServer, but Xen.org.

We would generally does not recommend the use of XenServer developer xl regularly to configure test cases or the like because it affects only a portion of toolstack and as such the XenAPI XAPI and not to be aware of the changes that can lead to a very confused toolstack and some rather strange effects.

xl can, however, be of some use for debugging and diagnostics, especially investigative options such as info [-n, --numa] by which you can request information from equipment such as cores_per_socket and threads_per_core and similar data that you can connect or keep in comparative assessments.

I wish to update the page on which it is based blog, please do so to add more to the comments below, or review gotchas known with those I have suggested.

Hi there!

We hope you enjoy the many benefits of deploying XenDesktop 7 in your environment and have a great time using the troubleshooting and monitoring console - Director ! I wanted to take a little time to describe the most fundamental feature in Director - Research username !!

For a director administrator who is able to easily get the details of the session of a user / machine is of paramount importance. The "Search for users" Manager UI control is designed to provide exactly this capability to administrators.

Helpdesk admins may find monitoring the research on landing page and Helpdesk rest all directors can find both on the landing page as well as on the top right of each page.

In XenDesktop 7, the scope of the research is users . Administrators can search for a specific user by typing a search token in the search area. The search token can be the beginning of the first or the user's name or the name or the display name or account name windows.

For example, consider a user below:

Name - Sai

Name family - Peyyeti

display name - Sai Peyyeti

account name - SAIP

potential research tokens can be "s", "p", "his", "pe", "sai", "pey", "SAIP", "sai p", "sai pe", etc.

Director displays the user above at one of these tokens. Apparently more research slightest token the number of results since it would help to isolate the exact Director user. The search results will look like "display name (Domain Name Account name)"

To help understand this manager is doing when searching for a specific user, we'll talk about what happens behind the scenes. Upon connection manager creates a connection to the global catalog server domain administrator (who logs in Director) and the global catalog server domain the Director machine. In some cases, both the user and the domain of the machine will be identical. In such a case, there will be only one connection to the global catalog server. The reason for opening a connection to a global catalog is because a global catalog is designed to manage and respond to the domain controller requests a faster way. Particularly in a multi-domain scenario, it is faster to obtain information on domain objects from a global catalog server that individual domain controllers.

When a type of administration of a search token manager sends an LDAP query to the global catalog server. The LDAP query translates to - back to all users whose first or last name or the display name or account name begins with the particular token. These results also come in the sort order (sorting is done according to the account name) and returned to the admin.

So many customers asked if my Active Directory is a bit complex and my XenDesktop deployment is not that simple? Director is designed to provide customizations for such deployments listed below. These are provided as configurable application settings in IIS for the manager webapp. You can use inetmgr to start the IIS manager and go into the application parameters of the Director webapp to make these changes. Note that you must restart the Director AppPool to make the changes effective

1. Disable wide forest research -. By default filmmaker makes a forest search throughout the admin logged Director and machine areas. In some situations, it might not be necessary to obtain large forest outcomes and results of the broad research area might be enough. To do this, create an entry called Connector.ActiveDirectory.ForestSearch and set it to false in the application settings in IIS Director. This solution can also be used in a rare case where the search fails or takes too long because of the subdomains that are not functional in a forest
2. Added several areas of research -. By Director default global catalog searches the user logged into the admin area and the area of ​​Machine Manager. This can be extended to other areas that are not present in the forests of the domain admin or domain Machine Manager. This can be done by adding a coma (,) separate domain names for input Connector.ActiveDirectory.Domains called. e.g: (user), (server), domain1.xyz. The assumption here is that the forest of the user logged into the domain administrator is approved by the forest of the field also added if different. Director interprets the text "(user)" as "research in the logged in the admin area (forest)" and the text "(server)" as "research in the field of machine manager (forest)" and all other names (braces not necessary) as "research in the field xyz (forest)." As mentioned above research is done on the level instead of the domain forest if Connector.ActiveDirectory.ForestSearch is false
3. return lessor or more the number of search entries -. By default filmmaker returns a total of 20 users search entries max. Suppose if there is a need to increase the number of results (eg if there is a difficulty to type a specific user name), this can be configured via the UI.GlobalSearchMaxResults entry. This value is set to 20 by default, which is recommended, as it was arrived at the basis of many tests to experience the best user interface.

Hope this information is useful and also provides an overview of how research works Director.

-sai Peyyeti

The predictions are like noses, everyone has them. At the end of the year, it's fun to look back, but it is also good to think ahead and consider next year the old closes. Mobility moves quickly, and where once in technology, we think of 3-5 years, today it is enough just to get a law of the year. I posted some of my 2014 predictions for the mobility of businesses here VMBlog.com. Let me know what you think.

So how do we on the forecast for the previous year? Certainly one of the main areas was predicted consolidation among MDM providers. This began in earnest with the last, began with the acquisition in January Zenprise by Citrix, and capped with Fiberlink purchased by IBM last month. This acquisition makes a lot of sense as IBM moves its Smart Cloud and Fiberlink initiative is all about the cloud. Literally. There will be more acquisitions in the next year too. Of course, some providers of MDM hoping IPO, as reported here, most of the greatest players of MDM still private, but need money to expand offerings and continue the pace of development. All these IPOs will be successful, certainly there is a race to be the first.

Like other predictions, I think that many, including myself, expected that security and containerization would play a greater role than it did in 2013. containerization is used to separate and protect corporate data from staff, especially on phones that users themselves purchased (BYOD). BYOPD still happens, and I think that the adoption of containerization is yet to really take off in 2014. Until recently, there has not been a lot of offers on the market Citrix just released his latest package in June. Those who were outside were expensive or not well integrated in MDM. But containerization gained steady traction and is the most popular version of our tools MDM today. Mainly because it is integrated into the EMM and security global offer.

Well an easy prediction for 2014 is that the pace of change and innovation in enterprise mobility is not letting up. With the advent of wearables, Internet of Everything, the increased use of context, mobile commerce, services you location-based name it. Next year will be another great and interesting year.

Happy holidays in what you celebrate, and good luck to you in the new year.

Phil Redman is Vice President of Mobile Solutions and Strategy at Citrix and is very mobile.

WorxWeb is the mobile web browser, deployed as part of your deployment XenMobile. Similarly to WorxMail (the client secure mobile messaging) WorxWeb provides seamless and secure access to your entire set of company resources HTTP / HTTPS.

WorxWeb is an excellent example of our MDX technology. With MDX, we take a native mobile application, wrap it with our MDX technology, and provide a layer:

• applies MDX policies for maintaining the level of application
• international Monitors and controls access to the application, according to policies defined by the administrator
• monitor and control network access - MicroVPN - for access to corporate resources

One of the coolest things about WorxWeb, is its ability to Single Sign on users in enterprise resources. So each time you access your internal corporate portal, via WorxWeb, you do not hit your LDAP credentials again. WorxWeb manages for you. Or by technical precision - NetScaler manages for you

There is a conscious choice for the sake of greater security, we do the identification of the user cache information on the endpoint (not by default -. We do not allow basic rules caching, if you choose). So if the credentials are not available on the final point, how this SSO?

NetScaler's the magic.

Initially, when you start any MDX application WorxHome ensures that you have a valid session MicroVPN available with NetScaler. As part of this implementation, the user would need to provide his / her LDAP credentials, assuming that LDAP is one factor configured to authenticate the user on NetScaler. Now, as part of this LDAP authentication, NetScaler is able to access and record the user's credentials for future use without welding SSO on behalf of the user.

So when a user opens WorxWeb, launching say an internal portal page, here's what happens in the background :.

1. Often the portal page return an HTTP 401 error, indicating that the user authorization is required to access the
2. NetScaler is aware of this transaction, and seeing a 401 returned intercepts it and responds with the user credentials on the Web server.
3. If the user's credentials are playing well, and the web server accepts this transaction, it will return the requested page with a status HTTP 0 OK.
4. This page is then returned to WorxWeb on the end user device. In essence, we have just completed a Single Sign On

Note that the Single Sign On tempted, depends on the following :.

1. authentication credentials resources are the same as one of the factors in place on NetScaler. Note that the NetScaler ability to replay the user's credentials is intrinsically linked to the assumption that NetScaler has access to these credentials. NetScaler now never stores these credentials on disk, in a similar case that a safe password could do. But in the context of the creation of the session on NetScaler, it stores the credentials used to log on, in the context of the user's session (safely encrypted). And if those credentials match the credentials required for access to resources, in theory, we can achieve SSO.
2. Above factor is not sufficient to perform SSO. The other thing that is important NetScaler be able to see the challenge 401. NetScaler of the ability to see a 401 is possible if the session being bridged via NS, not end to end encrypted SSL. Therefore, a session is HTTPS, the rear end can not be peeped in, and therefore an attempt to SSO, not possible. That said, NetScaler is an intelligent device, and provides a possible workaround. NetScaler has several modes in which a customer can interact with the NetScaler to achieve real backend resource. Two of them are:
   1. MicroVPN Micro VPN is a complete VPN tunnel, but application specific. In a Micro VPN communications protocol most commonly used in XenMobile, NetScaler suffers from the limitation above - lack of capacity peep in an HTTPS session
   2. SecureBrowse :. In SecureBrowse mode, NetScaler down the HTTPS session in two - Customer NetScaler NetScaler and the backend resource server. In this manner, NS has complete visibility of all transactions between the client and the server. Given this, NS is now able to peep inside and see a 401 in. And whenever 401 is seen, NS can replay the user's credentials for SSO
3. There is a third factor that comes into play, which can decide on the capacity of NetScaler SSO -. Supported the auth methods. Each challenge 401 lists auth methods that can be used by the client to perform a user authentication. According auth methods supported by the server, and the auth profiles configured on NetScaler, it may or may not be able to provide SSO. Following single authentication methods are supported on NetScaler
   1. HTTP Basic Authentication NetScaler automatically, as long as SSO to Web applications is activated in the session profile
   2. [ HTTP Digest authentication :. NetScaler automatically, as long as SSO to Web applications is activated in the session profile
   3. NTLM NetScaler automatically, as SSO to Web applications is activated in the session profile
   4. Kerberos Impersonation :. This configuration requires the NS for Kerberos SSO. This is explained here
   5. Kerberos Constrained Delegation :. This configuration requires the NS for Kerberos SSO. This is explained here
   6. SAML authentication :. This configuration requires the NS for SAML SSO as part of policy of traffic. This is explained here
   7. Form Fill Authentication :. This configuration requires the NS, for the form-based SSO as part of policy of traffic. This is explained here.

XenMobile is a global mobility management solution, and the power packed with tons of features. This article attempts to provide guidance on just one of these mechanisms.

Overview

He best practices , then there reality ... they told me that for years. Because I think too many people think some best practices are set in stone and should be implemented or followed, regardless of the situation. To be honest, this could not be further from the truth. That's why many professional services organizations (CCS included) use the phrase "it depends." There is also a reason why our legal team at Citrix cringes when we use the term "best practice" ... because to a certain location in a certain client with a certain set of business requirements, this practice we recommended might not really be "better" or really optimal, and it could result mean downtime, disaster, unhappy customers, lost revenue, etc. and the word "best" may end up having legal implications, which is why we tend to use "best practices" in our documentation instead these days. But the point is better or best practices change ... some best practices change over the years ... a "best practice" in a situation with a client could be a bad practice to another customer. It really depends.

For this article, we begin 2014 and as I was doing some thinking on my almost 10 years at Citrix, I thought about what particular Citrix best practices have changed the most over the years. What best practices are old flat-out wrong these days? None of them are actually "new" as the title of my article might imply - but I hear a lot of these "myths" or old common best practices being said or implemented every day. So what follows is a collection of some of the most popular myths and best practices that have most changed dramatically in recent years in this world we live Citrix. I hope this finds everyone well into the new year and please do not be afraid to challenge the leading practices in the future ... the best practices are for change and I create new practices every day. 😉 (The list below is in no particular order by the way.)

Common Myths and "New" Best Practices

• session Reliability is Bad. I can not tell you how many times in the past, I recommend disabling PMC or the "Session Reliability". Honestly used to encode poorly and eventually causes excessive network traffic and hiding real problems network, while providing little or no use to the end user comments. But after our smart engineers in the UK got a hold of it a few years ago we moved to a less-IMA architecture XD in v5, CGP has changed. and it changed in the right direction. Now we recommend leaving SR / PMC enabled! Check this and this for more info.
• XenApp VM 2 vCPUs. this was another practice that has for some time there are about 5 or 6 years. But with recent advances in hardware schedulers hypervisor and NUMA awareness, I think we have finally proven it wrong. We are recommending XA VM with larger features VM all the time these days, such as 3, 4 or even 8 vCPUs. Check this and this for more info.
• PVS Must be physical. Our original position on PVS was to physics. But after setting 10Gb + network, progress around things like LACP and understand how PVS so we can properly size, we almost always recommend virtualizing PVS these days. Check this and this for more info.
• Isolate the PVS traffic flow. This is still somewhat controversial, especially because we dated technotes saying you should do this for performance or troubleshooting reasons (both invalid reasons in my opinion by the way). But again, with recent advances in virtualization and networking, I would say that there is little to gain from it. Our customers who keep their simple designs usually have the most success with PVS. Find out for more.
• Only Redirect Some Shell Folders . Not really specific Citrix, and more specific MSFT, but always something I wanted to address from the profile design is near and dear to my heart. We used to recommend that the lever folder redirection for specific records, such as shell and MyDocs AppData (and perhaps in the office, in some cases). But since MSFT re-designed profile namespace there are about 5 years and even told everyone they recommend to redirect all shell folders, we said the same thing. You can discuss the merits of the reorientation AppData, but is a bit beside the point here - we want you redirecting nearly everything you can so that 'ntuser.dat is roaming in and out
• MCS! You can not scale. I can still hear it said by many people and they do not even know why half the time. MCS can evolve. Especially if you pair it with thin provisioning and IntelliCache. And it does not require or generate 1.6x IOPS compared to MCS as we thought a few years ago (it is more like today 1.2x). Yes, there are still some operational challenges associated with MCS use in a part of the company ... but it absolutely can "scale" and it works fine. And it will get much better in the future, without the complexity of additional infrastructure and configuration introduced in PVS network.
• Multiple Farms are Bad. I tried to debunk this myth for years. XenApp several batteries are not a bad thing in my mind. Neither are many XD "sites" (really, they are firm, too - we just call them sites). I'm a big believer in horizontal scalability and "pod" architecture for scalability and stability known. We have many tools to manage multiple farms XA these days, too. And with virtualization and hypervisors be mainstream, I will always argue that spinning and management of some additional controllers or controllers These worth over failure caused by trying to vertical scale. Find out for more.
• 20 virtual machines per LUN must be strictly observed . First, it is a good rule of thumb. But it applies block-based storage only (FC, iSCSI, FCoE, and so on). I see too many people still quote this number or the design using this rule when you use NFS, which is file-based. I also see people designing this rule in mind, but they use vSphere VAAI and a network capable of! Save yourself the nightmare of managing the management of hundreds of tiny LUN - you can probably go a little bigger. Check this and this for more info.
• Pagefile RAM Should be 1.5x. Thanks again to the assistant, MarkR to debunk this myth for us all. This best practice is probably a decade now, and should never, never be followed! Please ask if you even need the ability of a complete memory dump ... and then do some simple tests and understand what size to make the swap file in your particular environment. Find out for more.
• SSD and shared storage are the only answer. I still get a ton of questions about whether SSDs are good, bad or ugly ... and if shared or local storage is the way to go. The bottom line is SSDs are still expensive and they are not all created equal in terms of write performance and longevity (yes, prices have fallen and we made some improvements in recent years, but still ...). And shared storage arrays major iron suppliers will always be expensive. This is why many 3rd party companies have sprung up over the last 5 years, the likes of Whiptail, Nutanix, Nimble, GreenBytes, etc. This is also why I think the dynamic storage tiering with QoS and storage virtualization are the future ... many customers get smart in that area and go with a hybrid approach already in terms of combination of SSDs and spinning disks ... and perhaps even using local storage for VDI deployments altogether to save a ton of money (especially when HA or reliability of non-persistent desktops are little interest!). So before you simply buy SSD or the next table million of our friends there at EMC, ask yourself if you really need for your virtualization project. Take a look at the I / O workloads generate first. Analyze your needs again. Look at how it could affect your business model. Or can you perhaps take a more intelligent approach is different this time, contrary to what you have done for the last decade?

Wrap-Up

this last point is probably a good ending because it's sort of the point of this article - i really want to encourage everyone to challenge old ways of thinking and to question some of the best age-old practices. Sometimes we are wrong to Citrix. Sometimes our people CCS could follow or implement the best ancient practices. And if we do, please let us know about it and we will repair. Even leave me a comment below and I will make it my personal mission to repair. And then we'll get communicated throughout our organization and community that the world is a better place.

Have you another "myth" or best practices that you think has changed considerably over the years? If so, please leave me a comment below and I'll either answer or perhaps even add to the above list with an update of the article. I'm a big believer that this kind of transparency can help customers design and partners and implement better solutions Citrix compatible in the future. 2014 will be a great year.

Cheers, Nick

Nick Rintalan, Lead Architect, Americas Consulting, Citrix Consulting Services ( "CCS")

Registration is still open for onsite examinations certification, including the 1Y0-300 Deploying Citrix XenDesktop 7 examination. The test center's capacity was increased due to demand!

Hours Certification Center

Monday 1/13: 13h00-21: 00
Tuesday 1/14: 8h00-15h00

This a few tests that can take up to 4 hours to complete - make sure that you manage your time accordingly. The examinations that require four hours or more to complete the following:

• 1Y0-300: Deploying Citrix XenDesktop 7 Solutions
• 1Y0-A22: XenApp 6.5 Advanced [1945004administration]
• 1Y0-A25: Engineering a Citrix Virtualization Solution exam