The FlexCast Management Architecture – Key Takeaways
The FMA, its foundation:
- The FlexCast Management Architecture is a Microsoft .NET-based architecture built upon the WCF (Windows Communication Foundation) framework.
- Citrix offers several SDKs and APIs, plus additional tools and services, to help you build and integrate custom-developed monitoring and management solutions.
- Always deploy at least 2 Delivery Controllers per Site and, if you can, per Zone as well. A minimum of one controller per Zone is needed in case of a WAN link failure.
- Almost all Site traffic goes directly through your controllers to the Central Site database and vice versa.
- Try to keep your Delivery Controllers physically close to your database server and to any Host Connections you have set up.
- Delivery Controllers are fundamentally different from Data Collectors. Remember that: no LHC, direct database communication, no communication between Delivery Controllers, service- and agent (VDA)-based, and so on.
- StoreFront (SF) communicates directly with one of your Delivery Controllers during the user authentication, enumeration and launch process. You can configure your StoreFront server with a NetScaler load-balancing VIP address, which will load balance the connections to the Delivery Controllers behind the NetScaler VIP.
Virtual Delivery Agent:
- VDAs communicate directly with your Delivery Controllers (through the Citrix Desktop Service), and on boot VDAs register themselves with a Delivery Controller.
- The mechanism used to find a Delivery Controller to register with is referred to as “Auto-Update”, but registration can be achieved in several ways.
- VDA registration is done over port 80 by default and can be customized through the Control Panel.
- VDA registration can be verified by restarting the Citrix Desktop Service on the VDA machine itself. After the restart, look for the successful registration event, ID 1012.
- A VDA consists of 2 main services, i.e. the Citrix Desktop Service and the Citrix ICA Service. The Desktop Service communicates with the Broker Service on the Delivery Controller it registers with.
- The Delivery Controller will also power-manage the VDA, meaning it will (re)boot it when needed (works for Desktop VDAs only). It will also tell the VDA to listen for new connections when users log in to their VDI environment, to ensure a successful connection.
- Use the VDA in HA mode only as a last resort; VDAs can be managed through policy. (Need to research this in more detail.)
- Different VDA versions can be mixed within the same environment, but mixing VDA versions can limit feature support, including the management and monitoring features in Studio and Director. It is good practice to uninstall the old VDA and install (update to) the new VDA.
- Before installing the latest VDA, check with Citrix for any known issues that may have been documented; sometimes manually updating to the latest VDA (after reimaging) is recommended.
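An added example, not from the original notes, of the registration check described above (restart the Citrix Desktop Service and look for event 1012), written as a PowerShell script to be run elevated on the VDA. It assumes the Windows service name is 'BrokerAgent' and that the Application-log provider name is 'Citrix Desktop Service'.

```powershell
# Added example (not from the original notes): restart the Citrix Desktop Service
# on a VDA and confirm that it re-registered with a Delivery Controller by
# waiting for event ID 1012 in the Application log. Run elevated on the VDA.
# Assumptions: service name 'BrokerAgent' (display name 'Citrix Desktop Service')
# and event provider name 'Citrix Desktop Service'.

$serviceName  = 'BrokerAgent'
$providerName = 'Citrix Desktop Service'
$successEvent = 1012      # successful registration (from the notes above)
$timeoutSec   = 120

$start = Get-Date
Restart-Service -Name $serviceName -Force -ErrorAction Stop

# Poll the Application log until the registration event shows up or we time out.
$deadline = $start.AddSeconds($timeoutSec)
$event = $null
do {
    Start-Sleep -Seconds 5
    $event = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = $providerName
        Id           = $successEvent
        StartTime    = $start
    } -MaxEvents 1 -ErrorAction SilentlyContinue
} while (-not $event -and (Get-Date) -lt $deadline)

if ($event) {
    Write-Output "VDA registered OK at $($event.TimeCreated):"
    Write-Output $event.Message
} else {
    # No 1012 within the timeout: show the most recent Desktop Service events so
    # the reason (no controller reachable on port 80, name resolution, trust) is visible.
    Write-Warning "No event $successEvent within $timeoutSec s. Recent events from '$providerName':"
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = $providerName
        StartTime    = $start
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-List
    exit 1
}
```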
StoreFront:
- Basically, you have two points of authentication within a XenDesktop/XenApp Site: StoreFront and NetScaler.
- When working with Zones, always make sure to deploy at least one StoreFront server per Zone. This is needed in case of a WAN link failure.
- Users may need to subscribe themselves to the resources they are allowed to use. These user subscriptions are synchronized between all StoreFront servers within a StoreFront server group. This is also referred to as the “Self Service Store” and it is enabled by default.
- The Self Service Store can be disabled, leaving you with the “Mandatory Store” configuration. With this setup, all allowed resources are displayed by default and no subscription is required.
- Combined with the “Self Service Store” approach, you can configure keywords in Citrix Studio to automatically subscribe users to certain resources.
- If email-based discovery is enabled and configured, you have the option to either advertise the Store or hide it. When advertised, users have the option to add the Store themselves; when hidden, users need to configure Citrix Receiver themselves using a setup URL or a provisioning file.
- You can manually propagate StoreFront changes to the other StoreFront servers within the same server group.
- When dealing with multi-Site deployments, you can configure specific user groups to be mapped to a preferred Site.
- If you publish a single desktop to a user, StoreFront will automatically launch it after the user logs in to the StoreFront URL. This “Auto Launch” behavior can be changed by manually editing the web.config file. Ref: CTX139058
- StoreFront plays an important part in configuring Citrix Receiver pass-through authentication, a.k.a. Single Sign-on. Ref: CTX200157
Central Site Database:
- As of XenDesktop 7.x, only Microsoft SQL Server is supported for the Central Site database. It contains all static as well as dynamic Site-wide information.
- If your Site is spread across multiple geographical locations, or you have multiple Zones configured, it is good practice to keep the Central Site database in the primary Zone, or the main datacenter.
- When the database fails (even without Connection Leasing), existing connections will continue to work. New sessions cannot be established and Site-wide configuration changes are also not possible.
- It is not recommended to install SQL Server on the same machine as a Delivery Controller.
- The SQL Server software, either the full server or the Express edition, must be installed and configured before creating a XenDesktop Site after its initial installation.
- You must be a local administrator or domain user to create and initialize the databases (or change the database location).
Citrix Receiver:
- Note that web access and self-service do not have to be one or the other. They can be configured and used side by side. A couple of years ago the self-service plugin was released as a separate plugin; it is now built into Receiver.
- In fact, some of the important modules that make up Receiver today are the ICA client software, the Self-Service plugin and the single sign-on module for ICA.
- It all started with the ICA client software back in 2009; since then it has gone through a lot of name changes and of course the underlying technology also matured over time.
- The upcoming Receiver X1 is probably a great example of its evolution during the last decade.
- When upgrading Citrix Receiver, make sure to follow the step-by-step procedure as outlined by Citrix. Ref: CTX135933.
- As it stands today, Citrix Receiver 4.4 should be able to upgrade from any older Receiver; when you upgrade to a version older than 4.4 from any older version you may run into issues. Have a look at CTX137494, the Receiver Clean-Up utility.
- By default, the HTML5-based Receiver built into StoreFront is not enabled; this needs to be done manually.
Zones:
- While Zones are not a new concept, you need to be aware that Zones within a 7.x deployment are not the same as those in XenApp 6.5, not yet anyway. There are some distinct differences between the two. (Need to check the chapter.)
- Citrix is working on a phased approach with regard to the reintroduction of Zones. Needless to say, this is phase 1.
- Zones in the FMA are still dependent on the Central Site database: there is no LHC.
- The main focus of this first release is to simplify overall management and keep traffic local.
- Make sure to keep an eye on the RTT between Zones; it needs to be below 250 milliseconds, and less is more in this case. Consult the table for recommended values.
Director:
- Director is a real-time, web-based monitoring and troubleshooting tool.
- Citrix EdgeSight technology has been built into Director (primarily used for historical data reporting, trends and analysis). The EdgeSight software will no longer be available as a separate product. The latest version of EdgeSight was 5.4, which is still supported until 31-Dec-2017.
- To be able to make use of the built-in historical reporting functionality, a Platinum XenDesktop/XenApp license is needed.
- To make use of the Network Analysis functionality, you will need at least a NetScaler Enterprise or Platinum license.
- Depending on your XenDesktop/XenApp/NetScaler licenses, you will be able to store historical data for a certain period of time.
- The main XenDesktop/XenApp infrastructure services are also monitored by Director; these are visible from the main Dashboard view. Director uses PowerShell for this. SCOM alerts and notifications can be configured and viewed from Director as well.
Citrix Licensing:
- Citrix Licensing relies on Flexera software, as do many other product vendors, by the way.
- A single license server is able to handle over 10,000 continuous connections.
- XenDesktop and XenApp licenses come in different forms. There are per-user, per-device and concurrent licenses available. The license server will decide which one to apply/check out.
- A “User License” gives a single user the right to start sessions on an unlimited number of devices. The license is bound to the user and not dependent on the device.
- A “Device License” works the other way around: a session can be started from a single device, but it does not matter by whom. It is user-independent.
- If a “User/Device” license is issued, a license token is consumed for both XenDesktop and XenApp, even if you only connect to one or the other. They are always issued in pairs.
- “Concurrent Licenses” are not bound to a user or device; you can use them for both. However, these are more expensive to purchase.
- If the license server becomes unavailable for some reason, a built-in grace period of 30 days kicks in. Everything will continue to function as before during the grace period.
- NetScaler needs its license installed directly onto the appliance itself.
- Citrix offers various forms of support and maintenance. Subscription Advantage allows you to upgrade to the latest versions, Feature Packs and so on. Software Maintenance, on the other hand, offers you 24x7x365 support. When purchasing XenDesktop and/or XenApp you will also need to purchase at least one year of Subscription Advantage and/or Software Maintenance, which is not that uncommon.
- Recently Citrix released their Current Release (CR) and Long Term Service Release (LTSR) product support options. For each LTSR the clock restarts, giving you 5 years of mainstream support and 5 years of extended support, plus more. A Current Release provides access to the latest security, productivity and collaboration features to help keep your workforce competitive.
- The “new” CR release is not really new; it is basically the way it has always been before they introduced the LTSR option.
Host Connections:
- In earlier releases of XenDesktop/XenApp 7.x, Host Connections were limited to hypervisor platforms; now cloud environments are well supported too.
- As it stands today, MCS can be used in combination with Azure, AWS and/or the Citrix Cloud platform. PVS, however, is not supported: it simply does not work. MCS also works with all of the hypervisors mentioned. The Nutanix Acropolis hypervisor will be added to the list shortly.
- MCS only works with virtual machines, not physical ones.
- You can add multiple Host Connections if you want, also combining cloud and on-premises hypervisors. When adding a Host Connection to a hypervisor, you have to go through its management layer: SCVMM, vCenter or XenCenter.
- When using Zones, make sure that the Host Connection configured for a Zone is close to, or actually physically located within, that Zone.
NetScaler Gateway and ADC:
- All NetScalers are almost equal with regard to the functionality and features they can deliver. Depending on the type of license you upload, certain functionalities and/or features become available: “Pay as you Grow”.
- The main difference between the physical appliances can be found in the compute resources and the type of Cavium SSL accelerator card they hold. This card is used to decrypt and encrypt SSL traffic. The more powerful the card, the more SSL transactions it will be able to handle.
- NetScalers can be physical (MPX and SDX), virtual (VPX), virtual on physical (VPX on SDX) and containerized (CPX).
- While not mentioned earlier (except for the license type), there is also a “NetScaler Express edition”. It is free of charge and potentially a great fit for smaller deployments, PoCs and test environments. The VPX Express edition offers the same features as the VPX Standard edition. However, there are a few limitations to keep in mind: no SSL offload capabilities, a maximum of 5 Mbps throughput, and it is licensed per year. Other than that, it is definitely worth having a look at.
- There are three main ADC platform licenses available: Standard, Enterprise and Platinum. There is also a separate NetScaler Gateway license and a Universal license.
- NetScaler HA (2 nodes) is always set up as Active-Passive. If the primary fails to respond after multiple tries, the secondary node takes over, which is referred to as failover. NetScaler clustering, which is Active/Active using ECMP, can grow up to 32 nodes in total.
- When setting up NetScaler HA, be aware that different NetScaler models cannot be paired: both NetScalers must be the same make and model and run the same software version, licenses included.
- NetScaler can also provide secure remote access to XenMobile web, SaaS and mobile applications. The latter is referred to as Micro VPN. In fact, you need a NetScaler for this.
Provisioning Services :
- Provisioning Services streams a base image over the network down to either virtual or physical machines.
- It works for both desktop as well as server Operating Systems.
- A device using a vDisk is also referred to as a Target Device.
- The machine used to create and maintain the vDisk is referred to as the Master Target Device.
- Target Devices are managed using Device Collections.
- The life cycle of a vDisk consists of creation, deployment, maintenance and finally retirement. For this we can leverage the built-in PVS versioning mechanism.
- While Personal vDisks (PvDs) have their use, apply them wisely: they are not for everyone. And while this may be somewhat off topic, in many cases where VDI is being considered, RDSH might make more sense.
- Check CTX117372 and CTX124185 for some PVS and PVS vDisk best practices.
- In the past, physical machines were always recommended for PVS servers; today virtual machines are almost always recommended by Citrix. The same goes for isolating PVS traffic: whether to isolate it depends on your requirements, as multiple blogs have advised that network isolation is not required. However, isolation can still make sense for security reasons.
Machine Creation Services:
- MCS is considered easy. It is managed and configured directly from Studio and you do not need any additional infrastructure components, as you do with PVS.
- MCS is based on differencing disk technology.
- Your base (golden) image will be copied to all data stores that are part of the hosting connection (storage connection).
- When using MCS, rollbacks are treated the same way as a new or updated base image: they will again need to be copied over to all data stores involved. Note that in some cases the previous image might still be in use by some machines; if so, no full copy will be needed.
The FMA Core Services:
- FMA stands for FlexCast Management Architecture and, as of XenDesktop version 7, includes a Desktop as well as a Server VDA.
- It is the next-generation architecture for XenDesktop and XenApp VDI and/or RDSH-based deployments.
- Over the years it has evolved from 6 services to 11 services in total.
- Internal communication takes place over port 80 using Windows Communication Foundation endpoints.
- Each service runs completely separated from the other services; as a result, each service also has its own separate database connection string. If one service fails it will not directly affect any of the other services.
- There is a distinct difference in architecture when compared to the IMA: all of the HDX/ICA bits and bytes are installed as part of the VDA on the session host.
- All services run under the NT AUTHORITY\Network Service account and use the local computer account for database authentication purposes. One of the benefits this brings is that the password is automatically changed every 30 days. This is a big deal, as static service-account passwords are usually a risk.
- The Broker Service includes the XML service as well as the STA service.
- There are 18 active (sub) Site services in total, all running within the Broker Service, taking care of various Site housekeeping tasks.
- Citrix uses the Auto Update feature so that VDAs automatically contact a Delivery Controller within a Site to register themselves.
- The PortICA service (PicaSvc2.exe) is an important one during the VDA launch and user login process.
- PortICA, a.k.a. PicaSvc2.exe, and the Citrix Desktop Service, a.k.a. BrokerAgent.exe, are the two main FMA services within the VDA.
- The Connection Brokering Protocol (CBP) plays an important role in the VDA registration process. It is basically a collection of WCF endpoints.
- The Server VDA does not have the PortICA (PicaSvc2) service; however, it does have a Broker Service. It basically uses the same ICA stack as XenApp 6.5, but with a different management interface to make it compatible with the 7.x Delivery Controllers.
- Service groups make FMA services highly available.
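An added example, not from the original notes, that uses the XenDesktop PowerShell SDK mentioned earlier to list each FMA service's own database connection string and status on a Delivery Controller, and to show the Site's controllers. It assumes the Citrix SDK snap-ins are installed on the controller and that the service-name prefixes listed are the ones in use; prefixes without a matching snap-in are skipped.

```powershell
# Added example (not from the original notes). Run on a Delivery Controller.
# Walks the FMA services, shows each service's own DB connection string (each
# service keeps a separate one) plus its status, and lists the Site's
# controllers. Assumptions: the Citrix.* snap-ins are installed, and the prefix
# list below covers the services in use; prefixes without a snap-in are skipped.

Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue

# Pull one "Key=Value" part out of a connection string. Assumes the usual
# Windows-authentication form "Server=...;Initial Catalog=...;Integrated Security=True".
function Get-ConnPart([string]$conn, [string]$key) {
    if (-not $conn) { return '<none>' }
    $part = ($conn -split ';') | Where-Object { $_.Trim() -like "$key=*" } | Select-Object -First 1
    if ($part) { ($part -split '=', 2)[1].Trim() } else { '<none>' }
}

# Prefixes used by the SDK cmdlet names (Get-<Prefix>ServiceStatus / -DBConnection).
$prefixes = 'Broker','Config','Hyp','Acct','Prov','Monitor','Log',
            'Sf','EnvTest','Admin','Analytics','AppLib','Orch','Trust'

$report = foreach ($p in $prefixes) {
    $statusCmd = "Get-${p}ServiceStatus"
    $dbCmd     = "Get-${p}DBConnection"
    if (-not (Get-Command $statusCmd -ErrorAction SilentlyContinue)) { continue }

    $status = & $statusCmd
    $conn   = & $dbCmd

    # IntegratedAuth is True when the service authenticates to SQL Server with
    # Windows authentication (the machine account), so no password sits in the string.
    [pscustomobject]@{
        Service        = $p
        Status         = "$($status.ServiceStatus)"
        DbServer       = Get-ConnPart $conn 'Server'
        Database       = Get-ConnPart $conn 'Initial Catalog'
        IntegratedAuth = [bool]($conn -match 'Integrated Security\s*=\s*(True|SSPI)')
    }
}

$report | Format-Table -AutoSize

# One row per Delivery Controller in the Site, with its broker state.
Get-BrokerController | Select-Object DNSName, State, LastActivityTime | Format-Table -AutoSize

# Flag services that are not healthy or that do not use machine-account authentication.
$bad = $report | Where-Object { $_.Status -ne 'OK' -or -not $_.IntegratedAuth }
if ($bad) {
    Write-Warning 'Services that are not OK or not using Windows (machine-account) authentication:'
    $bad | Format-Table -AutoSize
    exit 1
}
```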
The ICA /HDX Protocol:
- Edward Iacobucci founded Citrix in 1989.
- Initially they started developing a multi-user platform for Microsoft OS/2.
- Citrix actually started out as Citrus.
- They licensed the OS/2 source code from Microsoft and started developing Multiuser, which would later become their first major release.
- ICA was introduced when Citrix Multiuser was launched, which was around 1990/1991.
- Shortly after Citrix launched Multiuser, Microsoft announced that they would drop OS/2 and move to Windows.
- With some help from other companies, Microsoft included, Citrix managed to stay in business.
- In the meantime Citrix patented ICA and started working on a new and improved version of ICA.
- Eventually a new agreement was signed giving Microsoft access to the ICA source code. This is how the Microsoft RDP protocol came to exist.
- ICA uses TCP/IP port 1494 by default, and it is tunneled through port 2598 when Session Reliability is enabled.
- The ICA protocol consists of 32 virtual channels in total, 17 of which are reserved by Citrix.
- Virtual channels consist of, and communicate through, virtual drivers on the client side and server-side applications on the server side. Customers and other third parties can develop their own virtual channels.
- Each virtual channel has a default priority assigned to it, ranging from 0 to 3, with 0 being the highest or most important. A higher priority means more bandwidth.
- Multi-Stream ICA works by assigning separate TCP/IP ports to groups of priorities, or streams, establishing true QoS.
- Session Reliability ensures that the user session is not disconnected; instead the user’s session freezes while, in the background, the ICA traffic is buffered.
- All buffered ICA traffic will be flushed out to the user’s device once the user session reconnects.
- Session Reliability can leverage the Auto Client Reconnect feature to force users to re-authenticate when a session is reconnected.
- HDX is an extension to the ICA protocol and is in no way intended to replace ICA; it works on top of the ICA protocol.
- The Citrix ThinWire technology has had multiple names: it is known as ThinWire Plus, ThinWire Advanced, Legacy ThinWire and ThinWire Compatibility Mode. They all have one thing in common: ThinWire is all about compressing data and enhancing the overall user experience.
- ThinWire has a small CPU and memory footprint and does not need much bandwidth.
- Framehawk is all about packet loss and high latency connections, delivering a more than acceptable user experience under challenging circumstances.
- In general, Framehawk needs more CPU and bandwidth than ThinWire, although this has been greatly enhanced with the latest 7.8 release.
AppDisks and Application Layering:
- AppDisks is Citrix’s approach to application layering.
- AppDisks will be available for all licenses. AppDNA integration with AppDisks will be for Platinum customers only. AppDNA will automatically check your AppDisks for any potential compatibility issues with the underlying operating system and/or any other software already installed and running, including applications, security updates and patches. When applicable, it will tell you what is wrong and how to correct it.
- Application layering is not meant as a direct replacement for application virtualization: they go hand in hand. In practice you will probably use all three: base-image-installed, virtualized and layered applications.
- Application layering does not isolate applications like App-V does, for example.
The User Login Process:
- There are 2 main authentication points within a FlexCast Management Architecture-based deployment: NetScaler (optional) and StoreFront.
- As of version 3.0, StoreFront can also use the XML service for authenticating users.
- Note that there is a distinct difference between authentication and verification (authorization). Authentication makes sure that somebody is who he or she claims to be. Verification finds out which resources the user has permission to use, or has been assigned; these are then displayed in the user’s store, ready for subscription.
- User authentication and resource enumeration basically go hand in hand.
- The STA only applies when connections come in externally through NetScaler.
- The STA service is part of the Broker Service, and so is the perhaps better-known XML service.
- The HTML5-based Citrix Receiver, running in your internet browser, can offer the exact same functionality and features as a natively installed Receiver.
- The Windows authentication process is also involved when launching a Citrix published resource.
A deeper look into Citrix Printing:
Key-Takeaways-The-Ultimate-Citrix-printing-internals-cheat-sheet — Upload PDF as List is too big