Some history of Citrix
[This is the accompanying tutorial document from a session I ran at the SAGE-AU conference in Hobart, Tasmania on August 5, 2003]
Citrix Systems was founded by Edward Lacobucci in 1989. With US$3M in capital, only 18 employees and a license to modify the OS/2 source from Microsoft, Citrix produced a multi-user version of OS/2 called Winview which shipped 2 years later.
By 1995 Citrix had also licensed the NT 3.51 source from Microsoft and produced WinFrame. The key developments that secured Citrix’s future were “MultiWin”, the core enabling sharing of system resources to multiple Operating System sessions, and the Citrix ICA protocol which encapsulated the session data (screen updates, mouse clicks etc).
Within a few years Microsoft licensed MultiWin from Citrix and produced Windows NT: Terminal Server Edition (actually, they called it a joint marketing/developing agreement and have since renewed the agreement). The agreement effectively gave Microsoft the ability to include MultiWin as part of the Windows operating system in the form of Windows Terminal Services. Advanced functionality (and the ICA protocol) was retained by Citrix and is currently sold as an “add on” to Windows server OS’s called Metaframe.
In recent years Citrix has value-added its product line by bundling in various other applications and services such as the Citrix Secure Gateway and NFuse, securing its position as leader in application delivery to potentially any client device, over any network.
An introduction to thin client technologies (why bother? What are the benefits over the traditional desktop scenario?)
- Centralize application infrastructure. Improve manageability. Pool resources.
- Simplify code/version control and upgrades. Maintain multiple versions. Licensing conformance (metering).
- Leverage and extend existing applications and infrastructure. Instantly web-enable legacy applications. Current web front-ends are often not full-featured.
- Enhance application performance and reliability – consistent application behavior regardless of location and client device. Allows a varied client base to access a familiar desktop environment. Reduce bandwidth costs.
- Lower operating costs. Eliminates the need for frequent client desktop upgrades.
- Enhance service levels. Consistent performance for web applications. Load balancing.
- Increase productivity. Increases the reach of organizational information via multiple mediums.
- Enhance security. Provides a secure environment for delivery of applications via the Web. VPN-like capabilities allow zero-footprint client access to applications from anywhere.
- The Citrix Solution for Business Continuity delivers applications and information via the Internet to users regardless of location, device or connection in the event of a planned or unplanned business interruption.
- A high availability infrastructure
- Customers, partners and employees quickly return to productivity
- Rapid and secure access to applications and information over the Web
- Organization’s business continuity objectives are met and business runs unabated
- Preservation of employees’ sense of corporate community
- Organizations have traditionally not had a timely and efficient means of providing application access as part of their business continuity solution. Citrix products can be a vital piece of an organization’s business continuity solution – providing uninterrupted, virtual access to all critical applications and information – during both periods of planned or unplanned systems downtime.
Remote Office Connectivity & Workforce Mobility
- Quicker Office Integration
- Faster Services Rollout
- Improved Security of Corporate Information
- Efficient Bandwidth Usage
- Improved Application Performance
- Improved Productivity
- Real-Time Data Access
Architecture of the Citrix solution and why Terminal Services can’t scale
Servers can be configured standalone for small environments or pilot implementations. If Metaframe is used on a single server install, it is usually because ICA is required.
Multiple servers can be grouped into geographically local or distributed Metaframe server “farms”. Farms allow for load balancing and redundancy of ICA connections. Terminal Services can’t load balance intelligently, and would require layer4 intervention or primitive round robin tricks to do this.
Resources are usually accessed through the “publishing” process. Full desktops can be published or just specific applications. When a user accesses an application (as opposed to a full desktop) it appears to run as a local Windows application with (potentially) access to most desktop resources such as printers, server shares, modems etc. The subset of all the applications that a user can access in a server farm is called an “application set”. Terminal Services allows access to full desktops only, and allows only the most basic of access to workstation resources depending on the version.
Application sets can be viewed from Windows using the “Citrix Program Neighborhood” client. Published applications that can be accessed by that user are displayed and can be launched. Other platforms so not have this capability natively, and users or administrators must manually add application entries to the Citrix client software. However, the Citrix Program Neighborhood can itself be published to allow a similar experience on UNIX and Macintosh platforms. Alternatively, the Citrix Web Interface (called Citrix NFuse until recently) can be accessed from most browsers to view a specific application set. Terminal Services has no equivalent of an application set.
The transport protocol that communicates and controls data between the client and server farm. The ICA protocol itself encapsulates keystrokes, screen updates, audio, encryption, port redirection etc. RDP is the Terminal Services equivalent.
Metaframe includes Installation Management, which is a method of packaging up applications and deploying to multiple servers. Terminal Services does not provide this capability natively.
An integrated management subsystem that allows real-time reporting of utilisation and other metrics. Also supports NMS/MOM extensions, and event notification
Metaframe XP stores farm configuration in a database. This can be a locally stored MS Access database on the first server in the farm, or it can be an existing MS SQL or Oracle database. This in itself introduces an additional administrative concern (backup the data store), but the advantages outweigh the drawbacks. Terminal Services does not require a data store because it does not have a centralised data repository (although Terminal Services does have a licensing service that operates centrally).
Session shadowing is an important support function from a client services support point of view. Depending on specific configuration, a user’s Desktop session can be “shadowed” by support personnel and any problems resolved interactively. This is effectively the equivalent of the old desktop remote control model (e.g. PC-Anywhere). RDP can now shadow.
- Metaframe now supports extremely high resolutions and true colour, as well as serial/parallel/clipboard/drive/audio remapping. USB printers and disks can be redirected also. The time zone in the session represents local time on the client. RDP 5.2 found in Windows 2003 also supports these features.
- According to Microsoft’s long-term strategy, Terminal Services is not a key application delivery mechanism.
The major Citrix technologies (Metaframe, NFuse, Citrix Secure Gateway etc) and the how/when/where/why?
Metaframe XP Presentation Server
The Metaframe XP Presentation Server is Citrix’s flagship product. Often referred to as simply “Metaframe XP” it provides network and Internet users with access to applications and information using a Citrix ICA client.
Metaframe XP is currently at Feature Release 3. FR’s are released periodically to customers on a maintenance agreement (1 year maintenance included with the initial purchase). FR’s contain new features to current tools and often includes completely new functionality and add-ons.
Metaframe XP is sold in 3 flavours.
Metaframe XPs (XP standard) – The basic, minimal environment. Includes NFuse.
Metaframe XPa (XP advanced) – Essentially the same as XPs but includes Load Balancing capabilities.
Metaframe XPe (XP enterprise) – The same features as XPa but includes Installation Management, Resource Management and some other enterprise management features.
Metaframe Presentation Server for UNIX
Allows remote access to Solaris, HP-UX and AIX systems. Often used in very low bandwidth environments where X11 has previously proven to be unacceptable.
Citrix Web Interface (was called NFuse and then NFuse Classic)
NFuse is effectively a web-based equivalent of the Windows “Program Neighborhood” ICA client. It prompts the user for logon credentials then displays an application set (list of applications they can launch) from a particular Metaframe farm. NFuse can be viewed from any modern web browser and runs under a number of web servers on Windows and various UNIX platforms.
NFuse can be configured to launch applications using the local ICA client, or it can embed the application in the browser window using An Internet Explorer control or Netscape plug-in. Alternatively, the zero-footprint java client can be used instead or as a backup to the other methods.
NFuse supports SSL encryption on the client end via the web server, and the server end via SSL relay. Like most Citrix products, smart card authentication and ticketing is supported.
NFuse can also be installed with Enterprise functionality to allow access to multiple server farms. The NFuse core is composed of java servlets, but nearly all functionality can be modified by editing the front-end web pages, composed of CGI and ASP pages depending on the platform.
Citrix Secure Gateway
The Secure Gateway is a solution that leverages NFuse for secure application delivery to untrusted networks. The Secure Ticket Authority and Secure Gateway Service provide a ticketing mechanism to authenticate users, and then relay SSL encrypted data from the DMZ to/from the Metaframe farm and the client without ever revealing the addresses of the internal Metaframe servers.
Secure Gateway is particularly useful when you consider that there are no additional licensing fees on top of the Metaframe investment, and that for many organisations it removes the need for a separate VPN product. The java client can be utilised to provide zero-footprint access to Metaframe applications and data over the Internet.
The Secure Gateway can run on Windows or Solaris.
Secure Access Manager (was called NFuse Elite)
NFuse Elite was originally positioned as a stand-alone web portal for enterprise customers. It did not require Metaframe to run.
The Secure Access Manager is built on top of the original NFuse Elite product, but is now positioned as a combination of web portal and application access point.
Password Manager is a new application that allows single sign-on to password-protected applications delivered via Metaframe and the Secure Access Manager.
Metaframe Conferencing Manager
New product. Allows users to conference ICA sessions. Share existing applications real-time. Conference features such as white boarding, private messaging. Granular conference control (who can do what). Exchange & Outlook integration. A published management app controls sessions.
How to manage the solution
Configuring the environment
Most Citrix products ship with individual management tools. In the case of Metaframe XP, all of the common management tools have been integrated into the Citrix Management Console which is a java application and can be run locally on the server or installed or published for remote use. Once the console is started you are prompted to authenticate into a particular server farm, at which point the entire farm (or individual servers) can be managed according to the administrator’s permissions.
Monitoring and performance management
Metaframe XPe includes Resource Management features that make it easy to monitor server performance and perform alerting functions. E.g. Send an e-mail to a number of administrators when CPU utilisation exceeds 90% for more than 15 minutes. Statistical information on configured metrics is also retained for long-term management.
XPe also includes Network Manager, allowing SNMP management from popular NMS’s.
All versions of Metaframe XP also add performance management counters to the Operating System, meaning that the standard windows perfmon or external SNMP-capable management utilities can be used to monitor various system counters.
Generally, Metaframe can be backed up just like a regular Windows or UNIX system. Because these environments tend to not have user data installed on them, many implementations require only periodic snapshots to capture configuration changes. Many implementations do not require backups at all, which is explained in a case study later.
As mentioned previously Terminal Services does not scale out well. Similar limitations apply to Metaframe XPs due to its lack of load balancing.
Metaframe XPa and XPe both contain load balancing. Scaling the solution up can be as simple as adding another server to the farm and allowing Installation Management to copy the applications onto the system. The number of connections to each machine over time will then balance out, reducing the load on any one machine and increasing redundancy.
Integration with existing environments
Because Metaframe XP value-adds an existing Windows environment, it becomes easy to integrate solutions into an existing environment. Existing Active Directory Group Policy Objects (GPO’s) apply, but in almost all cases changes will need to be made to lock down the environment as much as possible. There are some challenges and decisions to be made regarding user profiles.
Installation Management is included with Metaframe XPe. It allows the packaging and distribution of applications to a number of servers without intervention. It provides for a consistent experience across servers in the farm and contributes towards an effective disaster recovery strategy. IM supports its own packaging format as well as standard MSI packages familiar to existing Windows 200x administrators.
Metaframe XP Licensing
Citrix licensing can be a complex issue, and tends to vary with different product releases. Additionally, it is necessary to consider Microsoft Terminal Server licensing and application software licensing as part of the solution.
Terminal Services Licensing
Because Metaframe is installed on top of Windows 2000 Server or Windows 2003 Server (or variants thereof) it is necessary to license:
- The server software (e.g., Windows 2000 or Windows 2003)
- Windows Server connection CAL’s (depending on the licensing model onsite)
- Terminal Server CAL’s (only if the client OS is not Windows 2000 Pro or Windows XP Pro)
Licensing Metaframe itself is now drastically simpler than it used to be. Generally, a starter pack is bought, with add-on licenses purchased to increase the connection limit. Starter pack licenses usually cost exactly the same as add-on licenses per unit. Under most licensing schemes licenses cost the same each no matter what volume is purchased (i.e. no financial penalties for buying five 10-user add-on packs over a period of time rather than a 50-user pack upfront).
Metaframe is also licensed per concurrent user to the farm. This means that if you have 20 Citrix connection licenses, you can have a maximum of 20 users connected to the farm at any one time. You can legally have the Citrix ICA Client software on as many workstations as you like. Additionally, the 20 connected users may be accessing resources from any number of servers in the farm whilst only consuming a single license.
Obviously Metaframe XPs, XPa and XPe vary in price due to product capabilities. Upgrade paths also exist between versions and from older versions of Metaframe. Citrix licensing also operates on a points system, the higher the purchase and hence the higher the number of points awarded, the higher the discount margin is.
Note also that there are no longer any Metaframe “server” licenses, only connection licenses. This means that there are no penalties for scaling out to a larger number of less powerful servers, and also that a 5 user starter pack can be purchased relatively cheaply for pilot testing without a lot of risk involved.
Metaframe XP can also be upgraded from one variant to the next without reinstallation (e.g. XPs to XPa).
Application software licensing
Obviously, the whole point of having a Metaframe environment is to access applications! Application licensing really does depend on the individual vendor. As a general rule of thumb though, most vendors expect that you license software on Terminal Server and Metaframe according to concurrent users of the specific application.
One important note though: If you have a Microsoft application licensed for a specific desktop PC, then a user on that PC can access the same version of the application via Metaframe or Terminal Services without an additional license. This means that in many cases you can move software away from the local desktop without licensing hassles
Environment built for easy scale-out and recovery
The basic (simplified) steps involved may be similar to the following:
- MS SQL or Oracle backend data store created, managed and backed up on existing database infrastructure
- Metaframe XPe installed either manually or via a scripted install on the first server and documented
- Applications installed, packaged and tested on a separate system before deployment
- Backup the first server with something like Symantec Ghost onto a FAT32 partition at the end of the disk
- Restore image to remaining servers in the farm
This would leave us with an environment that can be easily scaled by simply adding another server, copying the OS image to it and making some minor changes before allowing Installation Management to redeploy the software packages to the machine.
Additionally, if a server needs reinstalling due to corruption the same steps can be followed.
An existing Metaframe environment requires secure access by users who have Internet connections.
The basic design would go something like this (utilising the Citrix Secure Gateway 1.1):
- Install the Secure Ticket Authority on the internal network and configure
- Install the Secure Gateway service and NFuse in the DMZ and configure the java client
- Issue an SSL certificate to secure NFuse over the web
- Issue an SSL certificate to secure the Secure Gateway service
- Make some minor firewall modifications to allow SSL into the DMZ etc
This solution would allow a user to connect to a specific URL (e.g. https://nfuse.myorg.com.au) to access the NFuse web interface over SSL. An application session could then be launched. If using a local Citrix client then the root certificate for the CA that issued the certificate for the Secure Gateway service must be installed. If the java client is used there is a workaround to stream the root certificate down transparently. The application session will then connect to the nominated Secure Gateway service via SSL, supply the NFuse ticket, and ultimately start receiving ICA session data over SSL.
A Metaframe environment exists, what are the best thin clients to use?
Many customers elect to use current or old PC’s as thin clients or as fat clients that access only some applications via Metaframe (perhaps just their ERP software or some application that won’t run in their native desktop OS).
A problem is apparent in environments that wish to use Metaframe exclusively to deliver a desktop environment… how to do this cost-effectively? Dedicated thin clients can be purchased that run a variety of Operating Systems. Another common solution is to utilise small form factor PC’s with only a CPU, NIC, RAM and video support (possibly with no moving parts). A small image is loaded from the network when the system starts up. This image contains a basic Linux or DOS operating system and an ICA client. This can typically be done in only a few megabytes.
Biography of Presenter:
[Bio from 2003 – I’m all grown up now]
Paul Lawrie is a Senior Systems Engineer with Data#3, one of Australia’s largest IT Solutions companies. He holds a number of industry certifications including an NT4 MCSE+I, Windows 2000 MCSE, Citrix CCEA and Cisco CCNP. His day-to-day duties involve the design and integration of Enterprise solutions into Corporate and Industrial environments, building volumes of frequent flyer points, and trying to fit all those letters onto business cards.
Paul has worked in similar roles for various other employers including Com Tech (now Dimension Data), Unisys and Dialog, and invests his spare time avoiding IT as much as possible and spending time with friends and family.