Published on February 23, 2014
Virtual OS Greatest Challenge
TECHNICAL NOTES
By: Brian Murphy

Introduction

Proven solutions architect who has designed a repeatable process for virtually hosted applications, architecture, application lifecycle and hardware refresh lifecycles; corporate trainer with 100 or more recommendations and awards relating to Private Cloud, with emphasis on solutions designed to exceed the needs of the end users. Those users appreciate a solution that provides a logon of 10 seconds or less, one Web GUI for all applications, and high availability by default on what I have coined the "VOS" (Virtual Operating System), which is capable of withstanding several outages in the data center with zero impact to the VOS. The VOS is offline for Microsoft patches only, because all applications are separated from the desktop. A customer-inspired, unique authentication design allows a customized VOS using one template for the entire company while still letting each customer choose its own logon banners. The logon scripts required by applications are drastically reduced by moving that logic into the published application, and the aggregate network bandwidth required per site is drastically reduced; working with the third-party carrier before and after migration to determine CIR adjustments, the monthly bandwidth cost has become the most beneficial OPEX saving for some companies.
Emphasis on EUC satisfaction in the production solution is critical and the most important factor in all my implementations, closely followed by a paradigm shift for all internal IT teams, where the focus is making life easier for IT services: Operations, Windows, Desktop Support, Help Desk, Storage, Networking, the Firewall team, and, for efficiency, the business units requesting access to business applications and IT Security Fulfillment or, in some cases, HR. The goal is to streamline the entire procurement process by focusing on the corporate business applications, with a proven, repeatable process for migrating all COTS, internally developed, externally developed and directly vendor-managed applications: a strategy that addresses the consolidation of all business applications to a centralized location regardless of their number. Hence the term repeatable: in practical use it doesn't care whether I migrate 3000 applications or 300; it just works, and it leverages published best practices.

The unique design is combined with a proven project plan, workflows, escalation paths and a proprietary application lifecycle process, including custom agreements with Help Desk management and the Change Control management team. Once approved, the new process is immediately implemented with a customized letter sent to all Business Unit management to emphasize the critical role of allocating 1 to 3 power users as UAT resources. Each user is shadowed during UAT to assist with creating the application run books. This shifts the priority of success toward the new production applications working in the shared private cloud to-be environment, and it prevents end users from immediately pointing the finger at the new solution, because evidence is provided showing that the power user did not UAT that report or that query.

In my opinion, setting aside the attempt to start a business only to find that most hiring managers and recruiters do not truly understand VDI and its true purpose, they tend to place the cart way before the horse. Meaning: I never mention hardware until I have a list of applications and have discussed the application lifecycle and the benefits of one VDISK for Desktop, one VDISK for XenApp, and one VDISK for the Streaming Provisioning Servers. Senior management and customers must understand that all that matters is whether application A through application ZZZ are candidates, and that a list of candidates ranked by the number of required remediation steps in most cases decides which business unit or site is migrated first.

SHOW STOPPER: APPLICATION LIFECYCLE MANAGEMENT WITH LOCAL RESOURCES, ADEQUATE EQUIPMENT, PROPER DOCUMENTATION, SENIOR MANAGEMENT APPROVAL AND SUPPORT.
If you have a site with all low-hanging-fruit applications, then that is your first migration, because the project needs a quick and easy win. The key is the application and how you deal with it now, and most importantly in the future. Most environments last 6 months due to lack of application planning. It hurts our business every time a customer is the recipient of bad architecture: Citrix, View and VDI become a four-letter word, all because the wrong person was hired for the job, an engineer is playing architect, or the vendor cannot meet the requirements. This is not just MY biggest obstacle; it is the biggest obstacle for anyone interested in saving VDI to host a VOS. I've been there and done it. I've written the documentation. I may seem old school, but my farm at Carter BloodCare still stands and GMAC (now Ally) is still there today. Ally Bank refuses to let IBM move it until they have a functional parallel system and all their applications UAT'd. Ally Bank, by the way, is 100% Citrix; you cannot access the call center applications except through the duplicate DR center in Minneapolis. I built that farm 8-9 years ago. It generates 2 tickets per day, and my original team left a year ago.

Why do we implement a VOS (Virtual Operating System) requiring a VDI solution? My words:

"Virtual OS requires a solid VDI foundation and serves one purpose, which is to be the conduit for accessing the business application. This is the primary purpose, but so few start with it: determining the number of applications that are low-hanging fruit and easily ported versus those requiring more hours, then narrowing the list down to a particular set of users who are the easiest target for the initial migration, which is critical to success. VDI starts and ends with hosted applications. Meaning: unless you start with the application and create full lifecycle management for centralized hosting, installation, patches, or uninstall/new install, through pre-production conflict analysis and DLL isolation combined with advanced merge-module methodology to assure no conflicts and the latest shared DLLs, followed by complete customer UAT, creation of the run book, and set-in-stone, aka iron-clad, agreements with Change Management and Help Desk stating that the business CANNOT open an S1 ticket on something they did not UAT.

Hence, my goal is 95% MSI packages using the Windows Installer Service, Wise Packager and the Wise Conflict Analysis SQL repository. The packager calls the user, the user shadows the packager's image, the packager creates the run book while capturing every frame, every function and every report, and obtains customer sign-off. If the power user forgets something, they cannot open an S1 and give IT a black eye for something the customer never UAT'd."
Packagers should specialize in Citrix. They should reside on the Citrix team. They absolutely can cause you to fail. Packaging is as much an art as a science. I hired people who lived and breathed and loved packaging. They must also work with the users, create run books, force UAT, take every screenshot, and capture and document everything, so that come ticket time the user learns the importance of process.

DO NOT use another team located in India or Mexico or another location. Do NOT use their processes, because their process has nothing to do with Citrix, VMware, or VOS/XenApp packaging. These packagers use Windows Server 2008 R2 with RDS enabled, Citrix XenApp installed, and the base clients already installed as their base image, for example Oracle 12, .NET 4.5 and Office 2013. They bring up a VM and package the application in this environment, not in Windows XP, 7 or 8. They have all the merge modules downloaded and all the appropriate modules for Wise Packager or InstallShield, although I prefer Wise Package Studio with the Conflict Analysis repository. DO NOT HOST this in a LAB. It is not a plaything or a toy. My packagers had dual-processor workstations with a SCSI controller and mirrored SCSI hard disks, 64-bit, with 8 GB or more of RAM. They can use Oracle VirtualBox or VMware Workstation. VMware Workstation costs money, but I'm here to tell you it is more stable; pay the money.

Create naming conventions and a methodology for when to upgrade versus ship a new version. The upgrade or MSP is always tied to the GUID. MSI technology uses the WINDOWS INSTALLER SERVICE. Google WINDOWS INSTALLER SERVICE and read how vast and untapped this resource is, including its self-healing features and the ability to drop one DLL into the open file system on the NAS and, on change day, simply turn up version B of the XenApp VDISK, start Windows Installer, and watch it auto-update that DLL file and rename the prior one to .old. Change done. Now the user must UAT the function, and just the function that the change was meant to fix.
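The "upgrade versus new version" decision above hinges on the GUIDs inside the package: a minor upgrade (MSP) keeps the ProductCode, a major upgrade changes the ProductCode but keeps the UpgradeCode, and a package that shares neither is a new install. The following script is an added example, not part of Brian Murphy's notes or any packaging tool's own code; it reads those properties out of a candidate .msi through the Windows Installer COM API and compares them with what is already registered on the packaging VM. The only assumption is a local .msi path passed as -MsiPath; the sample path in the header comment is constructed.

```powershell
<#
  Added example, not from the original notes: decide "reinstall, minor
  upgrade, major upgrade or new install" for a candidate .msi by reading its
  identity properties and asking Windows Installer what is already installed.
  Assumes only a local .msi path. Run elevated on the packaging VM, e.g.
    .\Test-MsiIdentity.ps1 -MsiPath C:\Packages\AppA_1.2.0.msi   (constructed path)
#>
param([Parameter(Mandatory = $true)][string]$MsiPath)

$installer = New-Object -ComObject WindowsInstaller.Installer

# The Installer object is late-bound COM; call its members via InvokeMember.
function Invoke-Member {
    param($Target, [string]$Name, [string]$Kind, [object[]]$Arguments)
    $Target.GetType().InvokeMember($Name, $Kind, $null, $Target, $Arguments)
}

# 0 = msiOpenDatabaseModeReadOnly: inspection must never modify the package.
$db   = Invoke-Member $installer 'OpenDatabase' 'InvokeMethod' @($MsiPath, 0)
$view = Invoke-Member $db 'OpenView' 'InvokeMethod' @('SELECT Property, Value FROM Property')
Invoke-Member $view 'Execute' 'InvokeMethod' $null

# Read the whole Property table into a hashtable (Windows Installer SQL has no IN clause).
$props = @{}
while ($true) {
    $record = Invoke-Member $view 'Fetch' 'InvokeMethod' $null
    if ($null -eq $record) { break }
    $name  = Invoke-Member $record 'StringData' 'GetProperty' @(1)
    $value = Invoke-Member $record 'StringData' 'GetProperty' @(2)
    $props[$name] = $value
}
Invoke-Member $view 'Close' 'InvokeMethod' $null

foreach ($required in 'ProductCode', 'UpgradeCode', 'ProductVersion', 'ProductName') {
    if (-not $props.ContainsKey($required)) {
        throw "Package is missing the $required property; it cannot be managed by GUID."
    }
}
"Package : $($props.ProductName) $($props.ProductVersion)"
"Product : $($props.ProductCode)"
"Upgrade : $($props.UpgradeCode)"

# RelatedProducts lists the installed products that share this UpgradeCode.
$related = Invoke-Member $installer 'RelatedProducts' 'GetProperty' @($props.UpgradeCode)
$count   = Invoke-Member $related 'Count' 'GetProperty' $null

if ($count -eq 0) {
    "Verdict : NEW INSTALL - nothing on this image shares the UpgradeCode."
    return
}
for ($i = 0; $i -lt $count; $i++) {
    $code    = Invoke-Member $related 'Item' 'GetProperty' @($i)
    $name    = Invoke-Member $installer 'ProductInfo' 'GetProperty' @($code, 'InstalledProductName')
    $version = Invoke-Member $installer 'ProductInfo' 'GetProperty' @($code, 'VersionString')
    if ($code -eq $props.ProductCode) {
        # Same ProductCode: only a reinstall or a small/minor update is legal.
        if ($version -eq $props.ProductVersion) {
            "Verdict : REINSTALL of $name $version (same ProductCode and version)."
        } else {
            "Verdict : MINOR UPGRADE of $name $version -> $($props.ProductVersion); ship as an MSP or install with REINSTALLMODE=vomus REINSTALL=ALL."
        }
    } else {
        # Different ProductCode, same UpgradeCode: a major upgrade. The new
        # package's Upgrade table must remove $code or both versions will coexist.
        "Verdict : MAJOR UPGRADE over $name $version ($code); confirm the Upgrade table covers it."
    }
}
```

Run it against every package before it enters the conflict-analysis repository; a package whose ProductCode matches an installed product but whose version went backwards, or whose UpgradeCode matches nothing although it is sold as an upgrade, is a naming-convention violation that will surface on change day as a failed repair or two side-by-side installs.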
This is added as an ADDENDUM to the existing RUN BOOK. DOCUMENT, DOCUMENT, DOCUMENT. I'm giving it away, because we are losing the battle. This works. I've done the same thing over and over again and it always works. Leverage the WINDOWS INSTALLER SERVICE. CREATE MSI PACKAGES. HIRE RESOURCES. KEEP THEM ON THE VDI TEAM. USE AND CREATE YOUR OWN VDI MSI PROCESSES. OR YOU WILL FAIL.

SHOW STOPPER: IF THE DECISION IS TO USE ZERO CLIENTS, PLEASE TAKE A LOOK AT MY WHITE PAPER PUBLISHED ON SCRIBD FOR FREE. UTILIZING EXISTING INFRASTRUCTURE, I SOLVED ZERO CLIENT PRINTING FOR VIEW AND CITRIX. Tested and validated. For the life of me, I cannot understand why companies still pay 200K for scripted solutions or outsourced solutions. This has the potential to greatly simplify printing for Zero Clients, but it is NOT an end-all-be-all for all customers; something like Google Cloud Print might very well provide a better solution for mostly WFH users. By no means does it impact our standard offering for non-Zero clients, which is and hopefully will never change:

1. Citrix Universal Printer Driver only
2. Disable install of native drivers
3. Map Default Client Printer only
4. Provide the Universal Printer Object and XML Viewer (client) for ALL other local printers defined on the client workstation that do not fall under the Zero Client classification

Note: This new solution solves more than just Zero Client!

The Solution for an Internal Zero Client Print Offering

Does this exist today? The technology does; we just have to implement it.
Can we implement today with existing equipment? Yes.
Does it cost anything in terms of new CAPEX? No; we should be able to utilize existing infrastructure and servers.
Is it secure? YES. HTTPS on the front-end website; the Printer Gateway just passes traffic to the customer print server. There are additional advanced logging features on the IIS server that we can forward to our collection server.
Windows Server 2008 R2 provides a free event log consolidation service and event log subscriptions. Or we can always leverage free products from SolarWinds or Microsoft TechNet Sysinternals to monitor the event log and send traps to a central MOM.

How can I put this... It resolves your issue and question regarding the zero client in a way that is a possible long-term resolution. It immediately allows any zero client to print to any registered printer on the customer network. The solution is internal, but users connect from anywhere. IPP rules don't apply. I'm calling this ICP, the Private Cloud Printing Service (PCPS). It resolves the Zero Client WFH printer issue but requires additional administrative work, for the customer. We certainly don't want to get into the printer business.

(Home printing only) It requires setting up a dummy printer on the print server that matches the user's printer and driver. When I say driver, the best-case scenario is having the customer update their driver to the latest driver hosted on the customer print server and choose the output as "USB" or LPT, for example. Next, the printer name must match the name on the client machine. Keep in mind, they are already running the virtual desktop, which is already authenticated, so what would normally be an internal-facing VIP or service we have just made into a private cloud printing service. It is merely a web-based interface for the Zero Clients to use. This is probably not documented anywhere, but IPP as a protocol has been around for some time and I've done this with Server 2003. It does require a customer resource for sure, and they must follow the best practices defined by our team initially. We have several options for the customer, each having pros and cons.

Leveraging Windows Server 2008 R2, we are going to take advantage of what is referred to as RPC over HTTPS. IPP or RPC with HTTPS over TCP 443, combined with IIS 7, allows us to present a DYNAMIC print server list of printers in Web Interface.
But that is for the Internet? Why go internal with something made for the Internet? Because we can, and we thought of it first! Well, it was not really made for the Internet, other than that it allowed for connecting to printers at work from home in a secure manner. We are going to use it to connect to printers internally in a secure manner from a device that does not support printing but whose OS does, and using GPO we can allow this to happen in the write cache. There has never been a need until now, with the ZERO CLIENT. Think about it: it provides the ability to print over the Internet using RPC encapsulated in HTTPS. Yet it is perfect for this specific scenario, a fact that we should take full advantage of before others catch on, and become the first to create ZERO CLIENT printing! If you turn it on internally, then it defaults to RPC, and you can use Windows Integrated Login for the website, so the ZERO Client running the Windows OS connects to the website, the OS and website are now communicating, and the ZERO Client doesn't care at this point that you are printing over RPC. The printer is automatically installed. The printer is now available to print. More than likely, there is a way to automate this further.

Option 1
Host the Private Cloud Printing Service (PCPS) in a dedicated infrastructure zone. Multiple clients per PCPS; clients only see their own printers due to the one-way trust. Redirect output to print servers at each site, or host a dedicated customer print server with standard drivers (policies configured to use the UPD regardless), or another MT print server with all the printers for all customers in the domain, or even IP-based, and provide access to the Print Management Console for each customer.

Option 2
Place a PCPS at each location where the customer maintains a file server; in this case they will need to add the WFH printers to that server.

Option 3
There are always more options. I'm just documenting what I am thinking at this moment.

Benefits
Private Cloud Printing Service (PCPS) makes it possible for a VDI running Windows OS to use printers located anywhere in the world, from any client, and to print to the closest corporate-owned printer. A website is presented to the customer with a list of printers to which they have access; these can be printers, fax machines or multi-purpose devices. The PCPS Gateway Server can be hosted in the client segment but must have a registered IP and URL that is merely internally accessible. As an option, we can consolidate all "printers" to the client subnet in a dedicated customer zone and have the IPP web interface contact that server instead of placing multiple PCPS Gateway Servers in the customer environment. Although this is an option, the following must be considered:

PCPS: We do not want to be in the printing driver business; the customer must manage drivers.
Printing output to printers in remote offices will experience slowness. A possible resolution, however, is the remote office Branch Repeater product from Citrix, which provides:
faster printing
faster file copies
faster ICA/HDX compression and speed
faster application traffic for SQL, Oracle and certain others
Note: Requires the Platinum Edition of XenDesktop but is more than worth the expense for what you get. Side note: this is why Citrix Platinum pays for itself.
Platinum includes:
Branch Repeater
XenApp as application consolidation (Platinum allows XenApp or XenDesktop connections)
HDX WAN optimization for high-end graphics
EdgeSight monitoring and reporting: trending, forensics, historical analysis suite; EdgeSight for virtual desktops, EdgeSight for NetScaler, EdgeSight for Branch Repeater
SSO (Single Sign-On) for customer business applications

Quick Summary: Keep in mind, users are already authenticated. They are simply remote. Exposing a website or websites as a VIP to a VDI that is already authenticated allows for Integrated Logon. The site will not be searchable, and you are not required to authenticate as with regular IPP, due to having the one-way trust. The internal infrastructure already exists.

How does it work?
The Private Cloud Printing Service (PCPS) process is as follows:
From a client computer, the user types the internal URL for a printing device (Option 1: created as Favorites in the profile). The VDI customer types in the URL of the website hosting the PCPS relay components.
The user is authenticated using Integrated Logon (must be enabled; it is not on by default).
The user is presented with a list of printers to which they have access.
The user clicks a printer; the printer is installed and is now available to the Zero Client.
The RPC (internal) request is sent over the LAN or MPLS to the customer's Private Cloud Printing Service (PCPS), hosted per customer segment; it can exist on the customer-owned file server. However, the preferred approach is to create a "Delivery" segment: due to the one-way trusts you can actually host every customer's printers on one ICP server (the more we host, the more resources we need, but this is better than one or two per customer segment). The other option is to have the customer host an ICP per segment where the print servers reside.
After the server authenticates the user using Integrated Logon, the server presents status information to the user via Active Server Pages (ASP), which contain information about the currently available printers to which they have access.
When the client first tries to connect to any of the printers, it searches for a local driver. The Zero Client does not allow this, but in this case the VDI and write cache would allow it, although only per session.
Our PCPS server generates a cabinet file (.cab file, also known as a setup file) that contains the appropriate printer driver files. The print server downloads the .cab file to the VDA. The user on the client computer is prompted to download the .cab file; the prompt can be removed by GPO. It is "possible" that we can remove the CAB file download and just have the virtual OS perform a "logical mapping" and send output direct (GPO). I would be surprised if this is not an option.
The client computer downloads the printer driver and connects to the printer using RPC, because this is "Intranet" LAN/WAN printing. Internet Printing Protocol (IPP) is an option if the client wishes for a more secure option, where the traffic is HTTPS/RPC. All of this is controlled by an extensive ADMX file for GPO.
With a Medium-high or Medium security zone, IPP is used, and with a Medium-low security zone, RPC is used. At this point, the virtual OS that is running on the Zero Client is able to print using our Gateway service, and it was all internal.

Additional Recommendations
The print server can use IIS and other technologies to collect and log extensive data about the user, the computer that sends the printing request, and the request itself. If we can use the Windows collection service, this would be a perfect fit to enhance security and provide auditing for the customer. It might be possible to turn off the CAB file download and print direct. I think this is in the GPO but have not had time to research it. Hopefully, more to come on this one, but as is, it resolves the Zero Client issue utilizing existing technology.
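The "Is it secure? YES" answer above rests on HTTPS at the front end, but the process just described also relies on three settings that are not on by default: anonymous access to the Printers application must be off and Integrated Logon on (otherwise anything on the segment can enumerate the printer list and pull driver .cab files), SSL must be required on that application so the printer list and driver download never fall back to plain HTTP, and the VDI/VOS image should only accept Point and Print drivers from the PCPS host rather than from any reachable print server. The following is an added example, not Brian Murphy's own build script or any Microsoft sample; it is grouped by where each part runs (PCPS server, VOS image policy, user session), not meant as one invocation. The host name print.corp.example, the printer share Sales-HP-01 and the policy values are constructed; the HTTPS certificate binding on "Default Web Site" is assumed to exist already.

```powershell
<#
  Added example, not from the original notes: build the PCPS gateway on a
  Windows Server 2008 R2 print server, restrict the VOS image to that gateway
  for driver download, and map a printer from inside the VDI session.
  Constructed values: print.corp.example, Sales-HP-01. Assumes the HTTPS
  binding (certificate) on "Default Web Site" is already in place.
#>

# ---- Part 1: on the PCPS / print server -------------------------------------
# Print Server + Internet Printing (pulls in IIS as a dependency).
Import-Module ServerManager
Add-WindowsFeature Print-Server, Print-Internet | Out-Null

# Integrated Logon on, anonymous off, for the /Printers application only.
Import-Module WebAdministration
$site = 'Default Web Site'
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/Printers" `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/Printers" `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
# Require SSL: the dynamic printer list and the driver .cab must not be
# served over plain HTTP whichever security zone the VDI resolves the URL into.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/Printers" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Audit trail for the collection server: IIS logs are on by default; the
# PrintService operational channel is not. Event 307 ("document printed")
# carries user, client machine and document name.
wevtutil sl Microsoft-Windows-PrintService/Operational /e:true

# ---- Part 2: on the VOS image (deploy as the "Point and Print Restrictions"
# policy in production; these are the registry values that policy writes) ----
# Only the PCPS host may supply drivers into the write cache. Do NOT set
# NoWarningNoElevationOnInstall=1 to "remove the prompt": that would let any
# reachable print server push a driver into the session.
$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
New-Item -Path $pp -Force | Out-Null
New-ItemProperty -Path $pp -Name Restricted     -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $pp -Name TrustedServers -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $pp -Name ServerList     -PropertyType String -Value 'print.corp.example' -Force | Out-Null

# ---- Part 3: inside the already-authenticated VDI session --------------------
# printui.dll adds the connection for the logged-on user; the URL is the
# Internet Printing share path for the printer chosen on the PCPS page.
# The comma in "printui.dll,PrintUIEntry" must be quoted or PowerShell splits
# it into two arguments and rundll32 fails silently.
$printerUrl = 'https://print.corp.example/printers/Sales-HP-01/.printer'
rundll32.exe 'printui.dll,PrintUIEntry' /in /n $printerUrl
```

Part 3 is what the "Favorites in profile" link ultimately triggers, so it is also the one-liner to put in a logon script or published-application launcher once a printer has passed UAT. The Restricted/TrustedServers/ServerList values correspond to the "Point and Print Restrictions" policy under Computer Configuration > Administrative Templates > Printers; setting them per image keeps the driver source pinned to the gateway even when the session lands in the Medium-low (RPC) zone.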