Low-cost PC refresh with thin clients

Key Project Design Guide

citrix.com

About the Key Project Design Guide


The Citrix Key Project Design Guide provides an overview of the solution architecture and implementation used in the key project on low-cost PC refresh. The design has been created through architectural design best practices obtained from Citrix Consulting Services and thorough lab testing, and is intended to provide guidance for solution evaluation and the introduction of proofs of concept (POCs). The Key Project Design Guide incorporates generally available products and employs repeatable processes for the deployment, operation and management of product components within the solution.

Now more than ever, tightening of corporate budgets is forcing IT to balance business-critical projects against routine operational projects, such as the annual PC refresh process. Replacing an aging PC with a thin client is a proven approach for reducing costs, but when those cost savings are paired with innovations in desktop virtualization and improvements in thin client system-on-a-chip (SoC) technology, the transition to thin clients becomes even more attractive.
Solution objectives
The objective of the Key Project Design Guide is to construct and demonstrate an efficient way of delivering high-performance virtual desktops optimized for low-cost endpoint devices, including validated Citrix HDX SoC devices with a price point substantially lower than that of a standard PC.

WorldWide Corporation (WWCO) is a hypothetical large call center organization that would like to retire aging PCs and replace them with eco-friendly, low-power devices, and move desktops to a central location to reduce costs and increase data security. A 500-user group has been identified for the first rollout phase. IT needs to provide a locked-down, streamlined and standardized environment with a core set of applications. There is no need for any user-installed apps or personalization. IT is also very sensitive about the cost of the endpoint devices but doesn't want to compromise on the user experience. IT needs to be able to manage and monitor these desktops centrally for cost control.

To address these challenges, WWCO has decided to implement a Citrix XenApp 6.5 environment to deliver hosted shared desktops with a core set of applications to users. The objective of this guide is to construct and demonstrate an efficient way of delivering locked-down Windows desktops at the lowest cost possible in the shortest time while maintaining information security best practices.

WWCO business objectives
- Reduce the PC hardware refresh budget with low-cost, eco-friendly endpoint devices
- Streamline PC support efforts and troubleshooting cycles
- Centrally manage and deploy core desktops to all users to reduce troubleshooting and support incidents
- Ensure a high-performance experience and enable users to be productive when away from the office
- Deliver a locked-down desktop to protect intellectual property

WWCO technical objectives
- Build a solution that can scale from a few hundred to thousands of users
- Validate and prepare to deploy the solution within weeks
- Virtualize where possible to reduce costs and complexity
- Implement an n+1 highly available solution for business continuity

Low-cost PC refresh with XenApp and HDX SoC thin clients


WWCO utilized Citrix Project Accelerator, an open, web-based application for managing the move to virtualized desktops based on best practices of Citrix Consulting Services, to assist with the assessment and design of this key project. The architecture discussed here is a visual representation of the complete low-cost PC refresh solution as provided by Project Accelerator. The physical and conceptual diagrams below represent WWCO's 500-user deployment of several business-critical apps, including necessary hardware and infrastructure.

Assumptions
- All users will access Windows desktops via a single datacenter, which will host all physical and virtual servers.
- For the scope of this design guide, there are no branch office and WAN requirements.
- Remote access is required for accessing Windows applications from outside the firewall.
- N+1 high availability is required for physical components.
- WWCO's existing infrastructure for Microsoft Active Directory, DNS/DHCP and Microsoft SQL Server will be reused.
- The application workloads will be standard office worker workloads that typically leverage some local office productivity apps, some Internet or web-based apps, occasional viewing of Internet videos and local printing.

Solution components
[Figure 1: Network diagram for Low-cost PC refresh and desktops. Diagram labels: Citrix Receiver, NetScaler Gateway, Primary, Secondary, StoreFront Services, XenApp Servers, HDX, SQL. Network zones: Internet, DMZ, LAN.]

The solution is derived from Project Accelerator using the following Citrix components:
- XenApp 6.5 Feature Pack 1
- Citrix NetScaler Gateway 10.x
- Citrix StoreFront Services 1.2
- Provisioning Services 6.1
- Citrix Licensing Server
- Citrix Receiver
- Citrix HDX SoC thin clients

These Citrix components communicate with each other to deliver a high-performance virtual desktop to low-cost HDX SoC thin client devices as an alternative to purchasing a new PC for every user. For an in-depth technical explanation of component communication, see the Appendix.

Solution architecture
Project Accelerator provided the architecture shown in Figure 2 as a visual representation of the complete low-cost PC refresh solution, based on the assumptions above.

Figure 2: Conceptual diagram (from Project Accelerator) for WWCO's low-cost PC refresh solution

This architecture is suitable for 500 users requiring secure access to Windows desktops from low-cost HDX SoC thin client devices. Each layer of the architecture diagram and its relevant components are discussed in detail below.

User layer
This layer encompasses the users who access their virtualized desktop using the Citrix Receiver software client. Citrix Receiver provides a common interface for users to access their virtual desktop workspace. WWCO's group of 500 users, which had similar desktop requirements and would be accessing their Windows virtual desktop hosted on XenApp from a low-cost HDX SoC thin client device, is referred to as the Operators in Figure 2.

Citrix Receiver. Citrix Receiver is a universal thin client that runs on virtually any device operating platform, including Windows, Mac, Linux, iOS and Android. This is the one client users need to access business-critical apps and desktops from today's latest tablet HDX thin client devices. Citrix Receiver was downloaded and installed by each employee on their mobile devices.

Access layer
This layer consists of servers responsible for providing connectivity to the XenApp virtual desktops via Citrix Receiver. The access layer controls connectivity across multiple pools or clusters within the desktop delivery layer. Generally, only one pool of StoreFront Services servers is required to fulfill this role in a datacenter.

To provide access to Windows desktops hosted on XenApp from the HDX SoC thin clients, the solution needed an access point that allowed each user to be securely authenticated against the corporate Active Directory domain while leveraging SSL data encryption to protect the user's interactions with the Windows desktop. The following components are required to provide remote access:

StoreFront Services. StoreFront Services (formerly Web Interface) provides a self-service subscription service to desktops and applications via an enterprise app store, giving users convenient access to desktops with all the apps they need. Also, these virtual desktops can be accessed from thin clients as well as mobile devices with a consistent interface and enhanced experience. Users access StoreFront Services servers through Citrix Receiver. A pair of StoreFront Services servers is required for high availability.
StoreFront Services servers [1]
  Instances: 2 StoreFront Services server VMs
  Virtual machine configurations
    Memory: 4 GB RAM
    Processor: 4 vCPUs
    Disk: 50 GB
  Installed software
    Web interface: StoreFront Services 1.2
    Windows Server: Windows Server 2008 R2 SP1
    IIS: 7.5
    Microsoft .NET Framework: 3.5 Service Pack 1
    Windows PowerShell: 2.0
    Microsoft Management Console: 3.0
    SQL database: SQL Server 2008 R2 Enterprise
  Ports utilized
    Web interface: 80, 443

NetScaler Gateway. NetScaler Gateway (formerly Citrix Access Gateway) is a secure desktop, application and data access solution that gives administrators granular desktop, application and data-level control while empowering users with remote access from anywhere. IT administrators gain a single point of management for controlling access and limiting actions within sessions based on user identity and the endpoint device. The results are better application security, data protection and compliance management.

1. http://support.citrix.com/proddocs/topic/dws-storefront-12/dws-system-requirements.html

Once authenticated, an SSL tunnel is created between the user and the NetScaler Gateway appliance. Users are then directed to a StoreFront Services site where they can access their virtual desktop. NetScaler Gateway requires either a physical or virtual Citrix NetScaler appliance. This use case made the assumption that WWCO did not require high availability and chose to have just one NetScaler MPX appliance, which is a single, 1U appliance with a dual-core processor that includes 4 GB of memory.

Citrix recommends installing NetScaler Gateway in the network DMZ, where it participates on two networks, a private network and the Internet, with a publicly routable IP address. NetScaler Gateway can also be used to partition local area networks internally for access control and security. Partitions can be created between wired or wireless networks and between data and voice networks. The NetScaler MPX appliance supports Versions 9.2, 9.3, and 10 of the NetScaler Gateway software. Click here for detailed specifications for the NetScaler MPX appliance.
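A perimeter review that follows from placing NetScaler Gateway in the DMZ, as an added example that is not part of the Citrix guide: it derives the zone-crossing allow-list from the ports listed in this guide's Appendix and XenApp server table, then audits a constructed rule set against it. The component names, the zone placement of everything except the gateway, the stateful-firewall treatment of reply steps and the sample rules are assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "step src dst proto port")
Rule = namedtuple("Rule", "src dst proto port")

# NetScaler Gateway in the DMZ is the guide's recommendation; the other
# placements are assumptions read off the Figure 1 zone labels.
ZONE = {"client": "Internet", "gateway": "DMZ", "storefront": "LAN",
        "xml": "LAN", "sta": "LAN", "xenapp": "LAN"}


def flows_for(step, src, dst, *proto_ports):
    """Expand one Appendix row into one Flow per listed protocol/port."""
    return [Flow(step, src, dst, proto, port) for proto, port in proto_ports]


# Connections as listed in the Appendix. Steps 12 and 14 are replies on
# connections opened in steps 11 and 10, so a stateful firewall needs no
# separate rule for them (assumption).
FLOWS = (
    flows_for(1, "client", "gateway", ("tcp", 443), ("tcp", 80))
    # Step 2 row: StoreFront Services (authentication)
    + flows_for(2, "gateway", "storefront", ("tcp", 443), ("tcp", 88),
                ("tcp", 389), ("tcp", 636), ("udp", 1812))
    # Step 3 stays inside the LAN, so it implies no perimeter rule
    + flows_for(3, "storefront", "xml", ("tcp", 80), ("tcp", 8080), ("tcp", 443))
    + flows_for(10, "client", "gateway", ("tcp", 443), ("tcp", 80))
    + flows_for(11, "gateway", "sta", ("tcp", 8080), ("tcp", 443))
    + flows_for(13, "gateway", "xenapp", ("tcp", 8080), ("tcp", 443))
    # HDX session ports from the XenApp server requirements table
    + flows_for(13, "gateway", "xenapp", ("tcp", 1494), ("tcp", 2598))
)


def required_rules(flows=FLOWS):
    """Allow rules implied by flows that cross a zone boundary."""
    return {Rule(f.src, f.dst, f.proto, f.port)
            for f in flows if ZONE[f.src] != ZONE[f.dst]}


def audit(rules, flows=FLOWS):
    """Compare a firewall rule set with the documented flows."""
    need, have = required_rules(flows), set(rules)
    return {
        # documented flows the firewall would block
        "missing": sorted(need - have),
        # open ports that no documented flow uses
        "unexpected": sorted(have - need),
        # Internet-to-LAN rules sidestep the gateway's authentication and proxying
        "bypasses_gateway": sorted(r for r in have
                                   if ZONE[r.src] == "Internet"
                                   and ZONE[r.dst] == "LAN"),
    }


# Constructed rule set for illustration, not taken from any real deployment.
SAMPLE_RULES = [
    Rule("client", "gateway", "tcp", 443),
    Rule("client", "gateway", "tcp", 80),
    Rule("gateway", "storefront", "tcp", 443),
    Rule("gateway", "sta", "tcp", 8080),
    Rule("gateway", "xenapp", "tcp", 1494),
    Rule("gateway", "xenapp", "tcp", 2598),
    Rule("client", "xenapp", "tcp", 1494),   # leftover direct ICA rule
    Rule("gateway", "xenapp", "tcp", 3389),  # not in any documented flow
]

if __name__ == "__main__":
    for finding, rules in audit(SAMPLE_RULES).items():
        print(finding)
        for r in rules:
            print(f"  {r.src} -> {r.dst} {r.proto}/{r.port}")
```
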

Desktop layer
This layer manages the image, optimizations and the delivery mechanism. This is the most technically complex layer in the solution deployment. Hosted virtual desktops are delivered from this layer using XenApp software.

Hosted desktops with XenApp


XenApp is a flexible, on-demand desktop and application delivery platform that can dynamically select the best method to deliver desktops and applications based on the user, virtual desktop and network. Based on the delivery method, IT can host desktops centrally in the datacenter and deliver desktop access via a high-speed protocol to any endpoint. XenApp is based on Microsoft Remote Desktop Shared Hosted (RDSH) technology, where multiple user sessions share the applications and resources of a single Windows Server instance. WWCO's virtual desktops were hosted on the XenApp servers. As a recommended best practice, an N+1 configuration was used to ensure enough XenApp servers to accommodate the loss of one.
XenApp server requirements
  Instances: 15 XenApp virtual servers
  VM configurations
    Memory: 16 GB RAM
    Processor: 4 vCPUs
    Disk: 50 GB HD
  Installed software
    XenApp software: XenApp 6.5 Feature Pack 1
    Windows Server: Windows Server 2008 R2 SP1
    IIS: 7.5
    Microsoft .NET Framework: 3.5 Service Pack 1
    Windows PowerShell: 2.0
    Microsoft Management Console: 3.0
    Visual J#: 2.0 Redistributable Package, Second Edition
    Visual C++: 2008 Service Pack 1 Redistributable Package
    SQL database: Reuse existing SQL Server 2008 R2 Enterprise
    Applications: End-user applications that are to be delivered by XenApp
  Ports utilized
    Web Interface: 80, 443
    HDX: 1494, 2598

Provisioning Services. Provisioning Services is a server streaming solution. This means that the entire XenApp server workload is delivered via the network at server startup. No resident installation is present on the physical or virtual server before the streaming begins, while the streaming is in progress or after the streaming is complete. Provisioning Services turns XenApp servers into dynamic, yet identical, servers that can be provisioned and scaled quickly. As a best practice, every XenApp server delivering the same virtual desktops should be 100 percent identical. Provisioning Services makes this practice a reality.

To minimize the number of master image disks (vDisks), all target devices must have certain similarities to ensure that the OS has all of the drivers it requires to run properly. The three key components that should be consistent are the motherboard, network card and video card. Please refer to Citrix documentation to learn more about the system requirements for Provisioning Services.

This solution requires two Provisioning Services servers for n+1 high availability. For this deployment, Provisioning Services was virtualized per the following specifications:
Provisioning Services server requirements
  Instances: 2 Provisioning Services server VMs
  VM configurations
    Memory: 16 GB RAM
    CPU: 4 vCPUs
    Disk: 50 GB HD
  Installed software
    Provisioning Services: 6.1
    Windows Server: Windows Server 2008 R2
    Microsoft .NET Framework: 3.5
  Ports utilized
    Provisioning Services communications: UDP 6890-6909; TCP 54321, 54322
    Network card: Minimum 1 Gbps; PXE 2.1 support

Control layer
The control layer contains the XenApp components required to control the delivery of hosted apps to users. They include the Access Controller components discussed in the Access Layer section. Some XenApp components in the control layer are linked to particular clusters or pools of hypervisors, while others serve the entire configuration.

Infrastructure controls. WWCO was able to utilize many of its current infrastructure components for the 500-user deployment. This approach helped reduce overall solution costs and complexity while expediting solution delivery. The following infrastructure components were utilized for this solution:

Active Directory. XenApp utilizes Active Directory for authentication and policy enforcement for both users and devices. WWCO leveraged its existing Active Directory 2008 R2 environment for the solution implementation.

SQL Server database. This database provides the foundation for the overall XenApp farm by storing all configuration, session and utilization information. StoreFront Services also requires a SQL Server database to provide the application synchronization feature. WWCO had a SQL Server 2008 R2 mirror that was leveraged for the XenApp farm and StoreFront Services. The mirror was configured with a witness server to ensure high availability.

License Server. The Citrix License Server manages licenses for all components of XenApp. License Servers have a 30-day grace period should the server become unavailable. This grace period offsets the complexity involved with clustering the license server. WWCO's XenApp environment used a single virtual License Server. In the event the License Server becomes unavailable, WWCO can revert to a backup copy of the VM.
License Server requirements
  Instances: 1 License Server VM
  Virtual machine configurations
    Memory: 4 GB RAM
    CPU: 2 vCPUs
    Disk: 50 GB
  Installed software
    Citrix License Server: 11.10.0
    Windows Server: Windows Server 2008 R2
    Microsoft .NET Framework: 3.5
  Ports utilized
    License Server: 27000, 7279

Control Hosts. Virtualizing all the components of WWCO's solution design was imperative for resource efficiency: lowering hardware costs, improving failover protection and simplifying system management. XenApp is supported on all three major hypervisors: Microsoft Hyper-V, Citrix XenServer and VMware vSphere. WWCO chose Hyper-V, and two Hyper-V clusters were created in the datacenter to support the infrastructure components. One is for the infrastructure servers and the other is for the XenApp servers.

Hardware layer
WWCO chose the following server configurations and hardware specifications to support XenApp and associated infrastructure components:
VMs per server selected for this use case
  Cluster 1: Infrastructure servers
    Server 1: StoreFront VM1, Provisioning Services VM1, License Server VM
    Server 2: StoreFront VM2, Provisioning Services VM2
  Cluster 2: Control servers
    Server 1: XenApp VMs (1 through 5)
    Server 2: XenApp VMs (5 through 10)
    Server 3: XenApp VMs (10 through 15)

Figure 7: Project Accelerator sizing and deployment plan

Hyper-V server requirements (Cluster 1: Infrastructure)
  Server hosts: 2
  Hardware specifications per server
    Memory: 32 GB RAM
    Processor: Intel E5600 series dual 6-core processors
    Storage: 4x 146 GB 15K RPM SAS Drives
    Storage RAID: RAID 5 (407 GB Usable Space)
  Hyper-V Software
    Windows Server: Windows Server 2008 R2 SP1
    Hyper-V storage: 40 GB

Hyper-V server requirements (Cluster 2: Control servers)
  Server hosts: 3
  Hardware specifications per server
    Memory: 128 GB RAM
    Processor: Intel E5600 series dual 6-core processors
    Storage: 4x 146 GB 15K RPM SAS Drives
    Storage RAID: RAID 5 (407 GB Usable Space)
  Hyper-V Software
    Windows Server: Windows Server 2008 R2 SP1
    Hyper-V storage: 40 GB

Management and operations


Citrix provides a comprehensive set of tools for managing servers, farms, published applications, hosted desktops and connections. The management consoles have been tested to scale to thousands of users. WWCO can launch all tools by accessing the Citrix program group on the Start menu of XenApp.

Delivery services console. The delivery services console is a tool that snaps into the Microsoft Management Console (MMC) and enables WWCO to set up and monitor servers, server farms, published resources and sessions. The IT team can also set up policies and printers, configure Citrix Receiver client desktop access and find troubleshooting information. In addition, WWCO can manage load balancing, diagnose problems in the farms, view hotfix information for Citrix products and track administrative changes.

License administration console. WWCO uses this console to manage and track its Citrix software licenses.

Citrix SSL relay configuration tool. WWCO uses this tool to secure communication between a server running StoreFront Services and its XenApp farm.

Shadow taskbar. Shadowing allows users to view and control other users' sessions remotely. WWCO's IT team uses the shadow taskbar to shadow sessions and switch among multiple shadowed sessions.

SpeedScreen latency reduction manager. This tool can be used to configure local text echo and other features that improve the user experience on slow networks.

XenApp troubleshooting tools. Citrix Auto Support is a free online troubleshooting platform for Citrix environments. Citrix Auto Support quickly analyzes log files, profiles the environment and scans for known issues, providing customized advice for a solution. Access Citrix Auto Support here to upload log files.

Summary
Citrix has partnered with strategic SoC thin client vendors to deliver high-performance, low-cost thin clients for a complete and highly cost-effective desktop virtualization solution. Citrix worked with device manufacturers to validate integration of their low-cost SoC thin clients with its desktop virtualization technology as delivered by XenApp. Through the combination of low-cost HDX SoC thin clients and high-performance desktop virtualization with XenApp, enterprises are able to deliver a robust and cost-effective alternative to the traditional PC refresh budget.

Resources
- Virtualizing XenApp on HyperV
- XenApp Planning Guide - Virtualization Best Practices
- Design Considerations for Virtualizing Provisioning Services
- Provisioning Services for XenApp - Reference Architecture
- High Availability for Citrix XenApp - Implementation Guide
- Simplifying Application Delivery to the Virtual Desktop - Reference Architecture
- XenApp 6.x on Windows Server 2008 R2 - Optimization Guide
- XenApp 6.5 Enterprise Scalable XenApp Deployments
- Citrix Project Accelerator beta

Appendix

Process overview


Communication flow of user access to published desktops and applications on the XenApp server farm:

Step 1
  Source: Client device - Citrix Receiver
  Destination: NetScaler Gateway
  Port: TCP HTTPS/SSL 443; TCP/HTTP 80
  Description: A remote user types the NetScaler Gateway address of, for example, https://www.ag.company.com, in the address field of a web browser. The user device attempts this SSL connection on port 443, which must be open through the firewall for this connection to succeed.

Step 2
  Source: NetScaler Gateway
  Destination: StoreFront Services (authentication)
  Port: TCP HTTPS/SSL 443; Kerberos: TCP 88; LDAP: TCP 389, TCP/SSL 636; RADIUS: UDP 1812
  Description: (2a) NetScaler Gateway receives the connection request and prompts users for their credentials. (2b) The credentials are passed back through NetScaler Gateway, users are authenticated, and the connection is passed to the StoreFront.

Step 3
  Source: StoreFront Services
  Destination: XML Service (XenApp)
  Port: TCP/HTTP 80/8080; TCP/SSL 443
  Description: StoreFront sends the user credentials to the XML Service running in the server farm.

Step 4
  Source: XML Service
  Destination: StoreFront Services
  Port: TCP/HTTP 80/8080; TCP/SSL 443
  Description: XML service authenticates the user credentials and sends the StoreFront a list of the published applications or desktops the user is authorized to access.

Step 5
  Source: StoreFront Services
  Destination: Client device - Citrix Receiver
  Port: ICA/HDX 1494
  Description: StoreFront populates a web page with the list of published resources (applications or desktops) that the user is authorized to access and sends this web page to the user.

Step 6
  Source: Client device - Citrix Receiver
  Destination: StoreFront Services
  Port: TCP/HTTP 80/8080; TCP/SSL 443
  Description: User clicks a published application or desktop link. An HTTP request is sent to the StoreFront indicating the published resource that the user clicked.

Step 7
  Source: StoreFront Services
  Destination: XML service (XenApp)
  Port: TCP HTTP/XML 8080; TCP HTTPS/SSL 443
  Description: StoreFront interacts with the XML service and receives a ticket indicating the server on which the published resource runs.

Step 8
  Source: Secure ticket authority (STA) service (XenApp)
  Destination: StoreFront Services
  Port: TCP HTTP/XML 8080; TCP HTTPS/SSL 443
  Description: StoreFront sends a session ticket request to the STA. This request specifies the IP address of the server on which the published resource runs. The STA saves this IP address and sends the requested session ticket to StoreFront.

Step 9
  Source: StoreFront Services
  Destination: Client device - Citrix Receiver
  Port: ICA/HDX 1494
  Description: StoreFront generates an ICA file containing the ticket issued by the STA and sends the file to the Web browser on the user device. The ICA file that the StoreFront generated contains the fully qualified domain name (FQDN) or the domain name system (DNS) name of NetScaler Gateway. Note that the IP address of the server running the requested resource is never revealed to users. The ICA file contains data instructing the Web browser to start online plug-ins.

Step 10
  Source: Client device - Citrix Receiver
  Destination: NetScaler Gateway
  Port: TCP/SSL 443; TCP/HTTP 80
  Description: The user device connects to Access Gateway by using the Access Gateway FQDN or DNS name in the ICA file. The initial SSL/TLS handshaking occurs to establish the identity of Access Gateway.

Step 11
  Source: NetScaler Gateway
  Destination: STA (XenApp)
  Port: TCP HTTP/XML 8080; TCP HTTPS/SSL 443
  Description: The user device sends the session ticket to NetScaler Gateway, which contacts the STA for ticket validation.

Step 12
  Source: STA (XenApp)
  Destination: NetScaler Gateway
  Port: TCP HTTP/XML 8080; TCP HTTPS/SSL 443
  Description: The STA returns the IP address of the server on which the requested application resides to NetScaler Gateway.

Step 13
  Source: NetScaler Gateway
  Destination: XenApp Server farm
  Port: TCP HTTP/XML 8080; TCP HTTPS/SSL 443
  Description: NetScaler Gateway establishes a TCP connection to the server.

Step 14
  Source: NetScaler Gateway
  Destination: Client device - Citrix Receiver
  Port: TCP/HTTP 80; TCP/HTTPS/SSL 443
  Description: NetScaler Gateway completes the connection handshake with the user device and indicates to the user device that the connection is established with the server. All further traffic between the user device and the server is simply proxied through NetScaler Gateway. The traffic between the user device and NetScaler Gateway is encrypted.
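The ticket exchange in steps 7 through 13, as an added example that is not Citrix code: a small model showing why the launch file can name only the gateway while the gateway alone learns the server address. Class names, launch-file fields, addresses, single-use redemption and the 100-second lifetime are all assumptions of this model.

```python
import secrets
import time


class SecureTicketAuthority:
    """Holds the ticket-to-server mapping (the STA role in steps 8, 11 and 12)."""

    def __init__(self, ttl_seconds=100, clock=time.monotonic):
        self._pending = {}          # ticket -> (server_ip, expiry time)
        self._ttl = ttl_seconds     # lifetime is a modelling assumption
        self._clock = clock

    def issue(self, server_ip):
        # Step 8: save the server address, hand back an opaque random ticket.
        ticket = secrets.token_hex(16)
        self._pending[ticket] = (server_ip, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket):
        # Steps 11-12: the ticket is removed on first use (assumption), so a
        # replayed or unknown ticket resolves to nothing.
        entry = self._pending.pop(ticket, None)
        if entry is None:
            return None
        server_ip, expiry = entry
        return server_ip if self._clock() <= expiry else None


class StoreFront:
    def __init__(self, sta, gateway_fqdn, resource_hosts):
        self._sta = sta
        self._gateway_fqdn = gateway_fqdn
        self._hosts = resource_hosts    # stands in for the XML service answer

    def launch(self, resource):
        server_ip = self._hosts[resource]       # step 7
        ticket = self._sta.issue(server_ip)     # step 8
        # Step 9: the launch file names the gateway and carries the ticket;
        # the server address is deliberately absent.
        return {"gateway": self._gateway_fqdn, "ticket": ticket,
                "resource": resource}


class Gateway:
    def __init__(self, sta):
        self._sta = sta
        self.backends = []   # gateway-side record of proxied server addresses

    def connect(self, launch_file):
        # Steps 10-13: validate the ticket, then open the backend connection.
        server_ip = self._sta.redeem(launch_file.get("ticket", ""))
        if server_ip is None:
            return False
        self.backends.append(server_ip)
        return True


if __name__ == "__main__":
    sta = SecureTicketAuthority()
    # Constructed names and addresses for illustration only.
    storefront = StoreFront(sta, "gateway.example.test", {"Desktop": "10.0.0.21"})
    gateway = Gateway(sta)
    launch_file = storefront.launch("Desktop")
    print("launch file:", launch_file)
    print("first connect:", gateway.connect(launch_file))
    print("replayed connect:", gateway.connect(launch_file))
```
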

About Citrix

Citrix (NASDAQ:CTXS) is the cloud computing company that enables mobile workstyles, empowering people to work and collaborate from anywhere, accessing apps and data on any of the latest devices, as easily as they would in their own office, simply and securely. Citrix cloud computing solutions help IT and service providers build both private and public clouds, leveraging virtualization and networking technologies to deliver high-performance, elastic and cost-effective services for mobile workstyles. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing, Citrix helps organizations of all sizes achieve the kind of speed and agility necessary to succeed in an increasingly mobile and dynamic world. Citrix products are in use at more than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.

© 2013 Citrix Systems, Inc. All rights reserved. Citrix, NetScaler, XenDesktop, XenApp, XenServer, ICA, HDX, CloudGateway, NetScaler Gateway, Citrix Access Gateway and Citrix Receiver are trademarks or registered trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are property of their respective owners.

0413/PDF
