FEATURE | Citrix
ONE TO MANY:
as a Service
Desktops have been the bane of administrators’ existence
ever since they first appeared on the market. Desktops are
distributed points of access to system resources and as such
must be standardized as much as possible to reduce potential
issues. However, too many organizations do not lock down
their desktops even if they do standardize them. Open desktops
or desktops where the end user is a local administrator are
impossible to manage since they have the potential to change
from the very moment they are deployed.
BY DANIELLE RUEST AND NELSON RUEST
January 2009 | Virtualization Review | VirtualizationReview.com

If desktops are not locked-down there can be no control and there always are a lot of issues. Yet it is possible to lock down systems and still make it work. One of our customers locked down their desktops with Windows NT in 1996. The result: they reduced desktop-related help desk calls by 800 percent! If it was possible for them to lock down the desktop with an archaic operating system like Windows NT, then it is possible for everyone else to do it with either Windows XP or Windows Vista, both of which have massive built-in improvements for just this issue. Yet administrators still today don’t bother even trying because it is just too much work. Users have become used to controlling everything on their desktop and they just won’t give up this freedom since they now consider it an acquired right.

The problem has always stemmed from the very name we use for desktops: personal computers (PC). Instead of personal computer, organizations should make a point of calling their systems professional computers. Using the term PC in its original sense gives every user the impression that the computer is theirs in the first place. Well, that is not the case. The computer, like the desk it sits on, belongs to the organization, not the individual and because of this, it should be locked down and controlled centrally. The key to such a project is the proper negotiation of who owns what on the PC. Where do the user’s rights begin and where do they end? What belongs to the corporation and what belongs to IT? Defining each of these property zones on the PC and making them very clear through massive communications with the user makes a locked-down project work.

In Comes Desktop Virtualization
But who has the time to do this today? Most organizations have just finished moving to a standard desktop running Windows XP and they certainly don’t want to start this kind of project again. Distributing desktops, desktop operating systems and applications is a pain. Deployment projects are just massive headaches that never seem to go away. No wonder Windows Vista isn’t catching on. No one wants to start another distributed deployment project. But, what if you could centralize all your desktops and control them with just a few clicks? Users would access them from any connected location: LAN, WAN, even from home. All your desktops would be completely locked down and you would no longer have to worry about distributed endpoints since all they need to have is a Remote Desktop Connection (RDC). Wouldn’t that make life easier?

This is the promise of centralized virtual desktops or virtual desktop infrastructures (VDI). Desktops are run as virtual machines (VM) on host servers that are located in the datacenter and basically never have to leave the office. This makes a lot of sense, just because they are so much easier to manage, but there are a lot more reasons why desktop virtualization makes more sense than managing physical desktops.

• First, you can provide centrally-managed desktops to users on any endpoint device—desktops, thin clients, Web clients and more.
• Second, you can lock down virtual desktops because they are controlled centrally and therefore easier to provision—just create one single desktop image, lock it down and copy it as often as needed.
• You spend less time on endpoints—the actual physical PCs—because they no longer need to be managed as tightly. After all, you only need these endpoints to provide an RDC to the virtual desktop.
• You can provide service level agreements (SLA) only for the central desktop and not for the endpoint itself. Users can be administrators on the endpoints, but locked down on the virtual desktop. This lets them do what they want to the endpoints, but remain controlled within the corporate PC environment.
• You can reduce costs and improve service stability because you know where the starting point for each PC is: from your golden virtual desktop image.
• You can create virtual desktop images that can be time-controlled to meet timely requirements. For example, if you have a staff influx to meet a seasonal business need, then you can generate time-controlled PC images for the duration of the effort and wipe them out once the requirement is met.
• Information can be secured by keeping the virtual desktop inside the datacenter. This can give you more control over intellectual property (IP); all you have to do is lock down the image you create so that it does not have access to external devices. This makes it considerably easier to maintain compliance since the IP is stored centrally and does not leave the datacenter.
• Complex or sensitive applications can be encapsulated and isolated into specific PC VMs to ensure proper operation. This way the application does not need to interact or coexist with any others.
• New operating system migrations can be easier to perform since resources are only required centrally, not locally. There is considerably less impact on hardware refresh since endpoints don’t need to be upgraded to provide the RDC link to the central desktop.
• Mergers and acquisitions are easier to manage since all desktops are centralized and can easily be provided as is to new users.
• Alternative workspaces can be provided on an as-needed basis to employees when they need them.
• You can use custom virtual desktops to provide contractors with secured, encrypted machines to work in your environment. This way their own machines only need to connect onto your network for the RDC link.
• Virtualized PCs can also support Testing and Development environments since they support the ability to undo changes made to the VM.

But what is a virtual desktop and how do you make it operate?

The Anatomy of a Desktop
Desktop construction should be structured. In fact, Resolutions, the firm we work with, has been touting a system construction model for over ten years: the Point of Access to Secure Services (PASS) model (see Figure 1). This model builds a desktop in layers, layers that address the needs of various classes of users, from basic to complex. As you can see, this model treats each layer of desktop construction.

Figure 1: The PASS System Construction Model.

But, when it comes right down to it, a desktop should have three core components (see Figure 2):

• The Core OS Layer which includes the OS itself as well as any patches and utilities it requires.
• The Application Layer which is designed to provide added functionality to the end user. This includes the productivity application layer, role-based applications required by groups of users with the same functions and any ad hoc applications certain users may require on a one-by-one basis.
• The User Data Layer which contains all of the user’s data including user-produced documents, presentations and more as well as application configuration settings and desktop personalizations.

Figure 2: The Anatomy of a Desktop.

These are the three key components of a desktop and if you can abstract these layers from one another, then you can significantly reduce desktop management overhead. This is where desktop virtualization products can help. Because the desktop is contained within a virtual machine, you gain all of the advantages and few of the issues that come with machine management when a machine is transformed from the physical to the virtual. You also greatly simplify how systems must be constructed and deployed, especially if you rely on centralized desktop virtualization.

Doing Centralized Desktop Virtualization Right
There are two main centralized desktop virtualization models. The first, stateful virtual desktops, focuses on virtual desktops that are tied to each specific user. In this model, each user connects to his or her own particular desktop virtual machine(s). The VMs are stored in a central shared storage container, much as they are when you virtualize server software. Host servers running production hypervisors manage all of the desktop virtual machines and make sure they are highly available. This model often tends to require a significant amount of storage since each VM can easily take up dozens of megabytes or more. Users rely on an RDC link to connect to their VM PCs (see Figure 3).

The second model, stateless virtual desktops, focuses on the generation of virtual machines on an as needed basis. Machines can either be generated when the user connects or they can be pre-generated and linked to a user when a connection request occurs. The advantage of this model is that the machines are completely volatile and built on the fly. The core desktop image is generated and then, when the user is identified during the connection, the applications they
require are applied to the desktop image (see Figure 4). The user’s data and preferences are also applied at logon. While you may think that this process is time-consuming and can cause user dissatisfaction, it is not actually the case. The ideal volatile desktop will also rely on Application Virtualization to profile applications only when the user actually requests them. And, because everything occurs on a backend storage area network, applications and user profiles are provided through high speed disk-to-disk exchanges which are practically transparent to users, even multiple users.

This last model is usually the most popular. Given that desktops are volatile and temporary, they only require storage space during use. Applications and user data are stored outside the desktop image and because of this, the organization has no need to maintain single images for each user. Since each desktop is generated from a single image, you only have one single target to update when patches are available. This greatly simplifies the virtual desktop management model and this is the model you should aim for since it also greatly reduces storage requirements.

Figure 3: Stateful virtual desktops provide a direct correlation between a user and the VMs they rely on.

In Comes the Citrix XenDesktop
With this in mind, virtualization provider Citrix has developed XenDesktop, a tool that brings together all of Citrix’ virtualization and remote desktop products. Citrix XenDesktop is a solution that provides virtual desktop provisioning on an as-needed basis to users. By default, XenDesktop relies on one single base image. All desktops are provisioned from a single image through the XenDesktop software engine. This core image is not duplicated at any time. This feature alone can save 40 percent or more of storage space, a considerable savings which often offsets the original cost of the XenDesktop solution (see Figure 5).

XenDesktop was formed by combining the features of the XenServer server virtualization engine with those of Citrix’ XenApp delivery mechanism as well as the feature set from an acquisition, that of Ardence. Ardence provides the technology required to generate differential files from the core desktop image. This technology allows the XenDesktop to rely on a database to automatically redirect registry queries for critical PC items such as computer name, computer security ID (SID), Active Directory domain relative ID (RID) and so on. This method lets XenDesktop manage hundreds or even thousands of differential images based on one single core image.

This is a critical feature because normally, you need to customize each PC image through the Windows System Preparation Tool (SysPrep.exe). SysPrep will automatically depersonalize a Windows PC image so that it may be reproduced as many times as required. When the PC image is opened, the SysPrep process automatically repersonalizes the image, giving it the right SID, RID, computer name and so on. When you use the XenDesktop, you do not need to perform this task, however, you do need to create a reference computer image and prepare it according to your organizational standards. Then, instead of depersonalizing the image through SysPrep to generate a source image, you create a second, read-only copy of your golden image. This second copy becomes the core image used by XenDesktop. It is always maintained in read-only mode. User changes and customizations are captured in the differential file and either discarded when the user logs off (stateless PC image) or saved to a personal user file (stateful PC image). Differential files are block level files that capture only the changes made to the core image.
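
The differential-file behaviour described above, modelled as an added example (it is not Citrix code and not from the authors): a read-only core image, per-user block-level deltas, and the different handling of a stateless and a stateful image at logoff. The class names, the 4 KB block size and the SHA-256 check that the core image never changes are assumptions made for illustration.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed block size; the article does not give one


class CoreImage:
    """Read-only golden image held as fixed-size blocks."""

    def __init__(self, data: bytes):
        if not data or len(data) % BLOCK_SIZE:
            raise ValueError("image must be a non-empty whole number of blocks")
        self._blocks = tuple(data[i:i + BLOCK_SIZE]
                             for i in range(0, len(data), BLOCK_SIZE))

    def __len__(self) -> int:
        return len(self._blocks)

    def read_block(self, index: int) -> bytes:
        return self._blocks[index]

    def digest(self) -> str:
        """SHA-256 over all blocks, used to confirm the image never changes."""
        return hashlib.sha256(b"".join(self._blocks)).hexdigest()


class DifferentialDisk:
    """One user's view: the core image plus only the blocks that user changed."""

    def __init__(self, core: CoreImage, persistent: bool, saved_delta=None):
        self.core = core
        self.persistent = persistent
        self.delta = dict(saved_delta or {})  # block index -> changed bytes

    def _check(self, index: int) -> None:
        if not 0 <= index < len(self.core):
            raise IndexError(f"block {index} is outside the image")

    def read_block(self, index: int) -> bytes:
        self._check(index)
        return self.delta.get(index, self.core.read_block(index))

    def write_block(self, index: int, data: bytes) -> None:
        self._check(index)
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes are whole blocks")
        if data == self.core.read_block(index):
            self.delta.pop(index, None)   # same as core again: store nothing
        else:
            self.delta[index] = data      # the core image itself is never touched

    def delta_bytes(self) -> int:
        return len(self.delta) * BLOCK_SIZE

    def logoff(self) -> dict:
        """Stateful image: return the delta to save. Stateless image: discard it."""
        saved = dict(self.delta) if self.persistent else {}
        self.delta.clear()
        return saved


def run_session_pair():
    """Two users change block 3 on a constructed 8-block sample image."""
    core = CoreImage(bytes(BLOCK_SIZE * 8))          # constructed sample data
    before = core.digest()
    pooled = DifferentialDisk(core, persistent=False)
    kept = DifferentialDisk(core, persistent=True)
    pooled.write_block(3, b"P" * BLOCK_SIZE)
    kept.write_block(3, b"K" * BLOCK_SIZE)
    isolated = pooled.read_block(3) != kept.read_block(3)
    used = pooled.delta_bytes() + kept.delta_bytes()
    pooled_saved, kept_saved = pooled.logoff(), kept.logoff()
    next_pooled = DifferentialDisk(core, persistent=False, saved_delta=pooled_saved)
    next_kept = DifferentialDisk(core, persistent=True, saved_delta=kept_saved)
    return {
        "core_unchanged": core.digest() == before,
        "users_isolated": isolated,
        "delta_bytes_in_use": used,
        "pooled_block3_after_relogon": next_pooled.read_block(3),
        "persistent_block3_after_relogon": next_kept.read_block(3),
    }


if __name__ == "__main__":
    for key, value in run_session_pair().items():
        shown = value[:1] if isinstance(value, bytes) else value
        print(f"{key}: {shown}")
```

Both sessions together store two changed blocks against an eight-block image, and the core image digest is identical before and after the writes.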

This is perhaps the most impressive feature of the XenDesktop. However, because XenDesktop is from Citrix and Citrix has years of experience in remote Windows computing, XenDesktop also provides an edge in terms of remote desktop delivery because it relies on Citrix’ ICA protocol instead of Microsoft’s Remote Desktop Protocol (RDP). ICA provides a considerable improvement, especially in terms of graphics rendering over RDP, which makes the end user experience richer and more lifelike. This technology is called SpeedScreen in XenDesktop. Don’t believe it, then check out the difference between the RDP and the ICA experience on YouTube.

Figure 4: Stateless virtual desktops are generated as needed when users connect.

Figure 5: By default, XenDesktop uses a single source image with differential files, saving tons of disk space.

Traditionally, XenDesktop will require a XenServer backend, the XenDesktop which acts as the desktop delivery controller or the desktop image provisioning engine and the XenApp delivery server to provide remote desktop connectivity to the desktop images through the ICA protocol (see Figure 6). However, because XenDesktop was formed from the Ardence acquisition and Ardence supported VMware ESX Server first, it also supports a full VMware backend. In addition, because of its strong partnership with Microsoft, XenDesktop has been adapted to support a Windows Server 2008 Hyper-V backend. This means that you can use the XenDesktop solution with any of the major server virtualization engines (see Figure 7).

Figure 6: The components of the Citrix XenDesktop solution.

This is a boon for most every organization because early adopters of server virtualization will often already have both Citrix Presentation Server (now named XenApp but used for Presentation Virtualization only) and technologies like VMware ESX Server or Microsoft Virtual Server (which they will no doubt upgrade to Hyper-V) already in place. Since they already have a server virtualization infrastructure and they already own Citrix products, adding XenDesktop is often a very low-cost solution for the introduction of virtual desktop infrastructures.

Installing and Running XenDesktop
Because it is a solution that relies on virtualization, testing XenDesktop isn’t quite as easy as testing other types of products because you can’t do it in a virtual environment; you actually need some hardware to do it. In fact, to test XenDesktop at the most basic level, you’ll need at least two physical machines. One will act as a host server and the other will act as the endpoint device. If you want to test desktop VM failover, then you’ll need at least three machines, two host servers linked to shared storage and one endpoint device.

One of the pitfalls of centralized desktop virtualization is the host server configuration. Servers by default do not support many of the features of desktops. For example, servers will rarely include high quality graphics cards, yet these cards are required to run desktop VMs since end users constantly work with graphics. Consider this when you prepare your host environment for VDI.

But from then on the test will go fairly smoothly. You’ll have to set up your host server(s), then install the host server management interface. Once this is done, you can move on to creating the virtual machines you’ll need for the environment. You’ll need at least a few server VMs before you create the desktop VMs. Required server VMs include at least one domain controller to create an Active Directory structure—AD is required for any VDI solution—this server should also run the Domain Name Service (DNS) and the Dynamic Host Configuration Protocol (DHCP), one VM to run the Desktop Delivery Controller, and one to run the Provisioning Server—the server that generates desktop VMs from the central image.

Figure 7: When you provision desktops with XenDesktop, you can choose any of the ‘Big Three’ as a host environment.

Once the server images are ready, you move on to your desktop VM. Create a source desktop VM and for the purpose of expediency, install base applications within it. Then, generate the base desktop VM template from this original machine. This process basically creates a clone of your original desktop VM. This leaves the original desktop VM as is so that you can easily update it when needed and use it to replace the clone used to generate the virtual desktops your users run.

Next prepare an endpoint. If the endpoint already has an OS, then you only need to install the XenDesktop client and configure it to run in full screen mode. You are then ready to generate multiple XenDesktop images and connect to them (see Figure 8).

Figure 8: You can pre-provision desktops with XenDesktop, having them ready when needed.

While the process is relatively simple, it does take time and requires a comprehensive set of skills for domain administration, DNS configuration, DHCP configuration, the installation of server and desktop OSes, the installation and configuration of the XenDesktop components and so on. Do not take these tasks lightly. Nevertheless, if you have the right experience level, you’ll find that test driving XenDesktop is very straightforward.

When you decide to implement XenDesktop, however, you’ll probably want to bring together a team of experts from your internal staff including domain administrators, network administrators (for DNS, DHCP and WAN communications), desktop technicians, application packagers, end user subject matter experts and more to ensure you have all of the skill sets required to implement a centralized desktop virtualization solution that will provide the very best in return on investment.

XenDesktop comes in several editions, each including its own feature set. Table 1 outlines each of these editions and the feature set it includes. As you can see, because Citrix has a lot of experience in Presentation Virtualization, many of its PresentV features are included in each edition of XenDesktop. One edition even includes Citrix EasyCall—a feature that integrates telephone communications with any application—a feature that stems from the original Presentation Server before Citrix’ acquisition of XenSource and Ardence.

XenDesktops can either be persistent or pooled (see Figure 9). Persistent desktops retain the differential information generated by each user. The user is then connected to this particular differential file each time he or she reconnects. Pooled images are stateless images that are reset to a standard state each time a user logs off. Obviously, pooled images take up less storage space since differential data is discarded at log off. Each image mode, persistent versus pooled, applies to a different user type. Persistent images would most likely apply to permanent users while pooled images are best for temporary or task-based employees who do not need to retain customizations and preferences. Pooled or persistent images can either be x86 or x64 versions of the desktop OS since all of the supported virtualization engines—VMware ESX Server, Citrix XenServer or Microsoft Hyper-V—support both 32-bit and 64-bit VMs.

Since each image is based on a central core desktop and is generated at logon, you might think that it takes some time for the image to build when a user first tries to activate it by logging on. It will indeed take some time, especially if thousands of users log on at the same time, even though the differential file is a very small file. However, Citrix solves this problem through image pre-provisioning. XenDesktop allows administrators to set image generation policies that will pre-populate images before users begin to log on. For example, take the following scenario.

Organization A has three main offices. Office A is in New York City and contains 500 users. Office B is in Salt Lake City
and contains 200 users. Office C is in San Francisco and contains 400 users. Each morning, the users log on between 7:00 and 9:00 AM, however, because each office is in a different time zone, the load on the back end host servers is somewhat attenuated.

By using pre-population policies, the administrators at Organization A have XenDesktop generate images ahead of time before users begin to log on. The policy generates 500 machines in NYC at 6:30 AM Eastern time (see Figure 10), 200 machines at 6:30 AM Mountain time (two hours later) and 400 machines at 6:30 AM Pacific Time (one hour later). While this scenario is a bit unrealistic because no one starts work at 7:00 AM on the West Coast, it does illustrate the power of pre-provisioning with XenDesktop policies. And through XenDesktop’s wide area network (WAN) acceleration features, all of the desktops can reside in the NYC datacenter and yet all users can have a rich virtual desktop experience.

Table 1: Citrix XenDesktop editions and feature sets.

Figure 9: Determining whether to create persistent or pooled desktop VMs in XenDesktop.

Figure 10: XenDesktops can be set to launch before work begins to make them available when users log on.

As you can see, virtual desktop infrastructures offer much in the way of simplifying desktop management and reducing the various issues you face when working with distributed desktops. Desktops are delivered quickly and reliably to any linked location. You control which devices are linked to the VM, therefore controlling the management of data and reducing the potential loss of intellectual property. You can significantly reduce the cost of each desktop, sometimes by as much as 40 percent. You can reduce the number of images to manage, especially when you work with volatile PC images. Machines are easier to patch and update since you only have one core image to update.

However, using technologies such as XenDesktop and others does present a challenge in terms of PC image construction and management. Ideally, organizations will rely on a single PC image, unless of course, they need an x86 and an x64 image. Using one single image to meet each and every user’s needs means that you have to devise a system that will automatically provision the image with the required applications and user data at log on. The best way to do this is to rely on application virtualization and user profile protection mechanisms. User profile data must absolutely be stored outside the PC image if it is to be protected. XenDesktop does not offer this feature at this time, but Citrix intends to provide it by the end of the year through its recent acquisition of SepagoProfile. Windows, however, already offers a profile protection mechanism through the combination of roaming profiles and folder redirection. (For information on how to protect user data through these tools, look up Chapter 8: Working with Personality Captures from the free Definitive Guide to Vista Migration by Ruest and Ruest).

Application provisioning is more complicated since it requires the ability to provide the end user with the applications they need when they need them. Using traditional application delivery methods will not work since they take time to install and deploy. If this was the method you used, then your users would be completely dissatisfied with VDI as they waited for long periods of time at login as the applications they required were attached to the desktop image. This is why VDI does not work on its own. It must absolutely be tied to application virtualization and therefore application streaming to make it work. Citrix does it right because it includes its application virtualization engine, XenApp, along with the XenDesktop components. However, you must convert your applications to the XenApp format to virtualize them and this can take time unless you use a tool such as InstallShield AdminStudio from Acresso Software which can generate XenApp applications from existing Windows Installer packages in a batch process.

XenDesktop, unlike many other VDI tools on the market today, runs with any of the major three server virtualization technologies. This makes it a clear winner in our book. That and its ability to work with differential images only, its use of the Citrix ICA protocol instead of Microsoft’s RDP, and its ability to pre-provision images, make it one of the best VDI options on the market. XenDesktop is off to a very good start and should definitely be part of the short list for any organization that wants to move to VDI and do it

As seen in Table 1, the Citrix XenDesktop comes in several flavors. Express Edition is a free starter version of the product which supports 10 free desktops on one single host server. All other editions sell on a per concurrent user basis. Standard Edition sells for $75 USD; Advanced sells for $195 USD; Enterprise sells for $295 USD; and Platinum Edition sells for $395 USD. While each edition includes the corresponding XenServer licenses to run a complete Citrix end to end solution, you can replace it with either VMware ESX Server using the VMware Virtual Infrastructure or Microsoft Windows Server 2008 Hyper-V which makes XenDesktop even more attractive since it can run on your existing server virtualization infrastructure if you already have it in place. However, there is no rebate if you choose not to use the enclosed XenServer licenses. Currently, Citrix is offering a promotion that enables customers to purchase XenDesktop Advanced for just $95 USD along with their XenApp Platinum licenses; existing XenApp Platinum customers also have access to this promotion. This promotion will run through the end of 2008.

For more information on the XenDesktop, go to http://www.citrix.com/XenDesktop.

About the Authors
Danielle Ruest and Nelson Ruest, both Microsoft MVPs, are IT professionals focused on technology futures. They are authors of multiple books, including Windows Server 2008: The Complete Reference from McGraw-Hill Osborne which is focused on building virtual workloads with this powerful new OS. They are currently writing Virtualization, A Beginner’s Guide for McGraw-Hill Osborne. They are also performing a multi-city tour on Virtualization in the US.

Feel free to contact them at firstname.lastname@example.org for any comments or suggestions.