XenClient Enterprise 4.5 Condensed Tech Deck (17 Dec 2012) – slides from Nuno Alves
Agenda
• XenClient Overview
• XenClient Solutions
• Architectural Overview
• System Requirements
• Image Management: Layering and Publish Process
• Policy-Based Management
• Data Protection: Disk Encryption and User Data Backup
• Data Backup
• References and Resources
© 2012 Citrix | Confidential – Do Not Distribute
3. XenClient Simplifies and Secures Corporate PCs
• Secure and Optimized Local Execution: True Type-1 Client Hypervisor
• Centralized Control: Policy-driven Management Server
Make PCs manageable, reliable, & secure
© 2012 Virtual Computer Inc
4. XenClient Components – Client Endpoint
• Engine
  ᵒ Type-1 hypervisor running directly on the hardware and hidden from the user
• Launcher
  ᵒ The UI which provides an interface to the user
• Dock
  ᵒ A Dock that provides Citrix Receiver, RDP Client, and Google Chrome
5. XenClient Components – Synchronizer
• The management server performs all the administrative tasks for the solution. It keeps a database of all objects in the XenClient Enterprise solution.
Objects and their description:
• Users: Computer, policy and VM assignments plus backups for each VM
• Groups: Which users belong to which groups, and group assignments
• VMs: Which OS and version, which groups and users, policies
• Policies: Backup frequency, USB and other device, VM and computer access control, and more
• Software: What is available in the Software library
• Computers: Which users are supposed to use them
• Events: Detailed audit trail of actions for each object
Synchronizer Tasks:
• Create VMs (Authoring)
• Publish VMs
• Create Users and Groups
• Assign a VM
• Restore a VM
6. What's New in XenClient Enterprise?
• Next Generation Global Desktop
  ᵒ Supports the latest Ultrabooks and Intel 3rd generation processors
  ᵒ Windows 8 support
  ᵒ Now available in English and 6 other languages for major markets!
• Expanded Use Cases
  ᵒ Enables more enterprise network policies with VLAN tagging
  ᵒ NetScaler support for Synchronizer external network access
• Increased Performance
  ᵒ Dual monitors in dock support
  ᵒ Improved hypervisor boot time
  ᵒ Import and export VMs directly from the client hypervisor
7. Effortless Device Management for PCs
Project-based solution
Customer Challenges and Opportunities:
• Companies buy thousands of PCs each year and need a better way to manage their current & new PCs
• PCs deliver excellent local performance, but are riddled with patch failures, reliability, & security issues
• Traditional Device Management is expensive, distracts focus and budget from higher value service delivery
• XenClient FlexCast model turns PCs into Virtual Appliances, cutting management & operations costs by 70+%
Features and Benefits:
• Failsafe Provisioning, Patching, & Updates: Provision 1000s of PCs as easily as one, eliminate patch failures, and achieve 100% success rates on updates
• PC Execution for Local Use Cases: Delivers local execution for use cases that need them – including distributed offices, limited network bandwidth, etc.
• Excellent Scalability with Near-Zero Infrastructure: Offers near-zero backend infrastructure cost by harnessing inexpensive compute and storage available on endpoint PCs
• Secure, locked-down, but personalized desktops: Secure the PC with full-disk encryption, protected VM image for instant recovery from malware or corruption, and network isolation
• High Reliability and Rapid Recovery: Delivers high reliability with zero patch failures, transparent backup, rapid recovery, and instant full migration to new PCs in case of hardware failure
Solution includes:
• XenClient Engine to secure PC endpoints and turn them into easy-to-manage Virtual Appliances
• XenClient Synchronizer for simple centralized management of fully virtualized desktops running on PCs
• Citrix Receiver for access to hosted XenDesktop or XenApp in addition to the local virtual desktop
• NetScaler integration for providing secure access to the management interface from any location
Value Story: Citrix delivers the lowest-cost, simplest device management solution for PCs, turning them into centrally managed Virtual Appliances, for use cases where organizations are already using PCs or are planning to purchase them.
8. Secure & Manage Mobile Laptops
Project-based solution
Customer Challenges and Opportunities:
• The number of enterprise laptops is increasing rapidly, with users spending more time outside the office
• Lost data on insecure laptops leads to financial losses, negative customer/market impact, and legal liability
• Laptops are difficult to manage and update because of how often they are off the LAN or disconnected
• Reliability and rapid recovery are critical for laptop users who are traveling and cannot be visited by IT
Features and Benefits:
• High Security for Mobile Laptop Users: AES-256 bit full-disk encryption, time-based lockout, and remote kill capabilities protect sensitive corporate data even if a laptop is lost
• Failsafe Management Off the Corporate Network: Achieve 100% success rates patching and updating laptops regardless of whether they are on or off the corporate network
• Extending Desktop Virtualization to Laptops: Extend desktop virtualization to offline laptops to gain all the benefits of centralized management, enhanced reliability, and high security
• Transparent Backup to Protect Corporate Data: Automatically synchronize user data and profile information in the background to protect corporate data against loss or corruption
• High Reliability & Rapid Recovery on the Road: Delivers high reliability with zero patch failures, complete data protection, and instant malware/corruption recovery to laptop users on the road
Solution includes:
• XenClient Engine to completely secure laptops online and off, turning them into easy-to-manage Virtual Appliances
• XenClient Synchronizer for simple centralized management of virtual desktops that work both online and off
• Citrix Receiver for access to hosted XenDesktop or XenApp in addition to the local virtual desktop
• NetScaler integration for providing secure access to the management interface from any location
Value Story: Citrix XenClient extends the benefits of desktop virtualization to corporate laptops, turning them into Virtual Appliances that are completely manageable, reliable, and secure.
9. Architectural Overview – Engine
• True Type-1 Hypervisor (No OS below the hypervisor layer)
  ᵒ Fully virtualized platform
  ᵒ Supports wide range of business-class PCs
  ᵒ Full shared image support for Windows 7, XP & Vista
  ᵒ Linux supported as custom image or local install (Note: Support is unofficial since there are no PV drivers for Linux)
Diagram: Hardware, then the Xen™ Hypervisor (Open Source), then the Services Domain (DomS) and the Management and Control Domain (Dom0) alongside Virtual Machine #1 (Windows XP) and Virtual Machine #2 (Windows 7), each with its own Virtual HW, Applications and User Data; the Management Server holds the Shared Image, Patch and Backup Store.
10. Architectural Overview – Synchronizer
Diagram: the Central Server hosts the SQL database, the Management Server with its Console, LDAP integration, the Control API, the FileSystem Repository, Hyper-V and Storage.
11. Architectural Overview – Synchronizer Infrastructure
Server Components
• Management Server
  ᵒ XenServer, VMware, Hyper-V or Physical
  ᵒ Stores one copy of each image and patch
  ᵒ Distributes to all attached devices
  ᵒ Stores backups
• Authoring Server
  ᵒ Physical Server
  ᵒ Runs Server 2008 w/ Hyper-V
  ᵒ Authors VMs centrally
  ᵒ Publish/patch VMs
• Both components can be installed on a single system
• Distribute across multiple systems for larger deployments
12. Architectural Overview – Hierarchical Mgmt
• Optimized for low-bandwidth/WAN environments
• Intelligent caching of downloaded images
• Efficient use of bandwidth between remote offices
• At Remote Office
  ᵒ Local LAN operations for publishing/backups
  ᵒ One copy of OS image and patches
  ᵒ Backups stored locally in Remote Office
• At Central Office
  ᵒ Single view of Environment through management UI
Diagram: the Central Management Server (Web/App) with its SQL database, and a Remote Caching Server at the remote office; the two are linked across the WAN over SQL Server (1433) and HTTPS (443).
13. Architectural Overview – OS Management
• Shared System Disk (System VHD): one to many, patch once, publish many; updated one to many from the Management Server, which holds the Shared Image and System Patch
• Backup Snapshot: for backup
• Persistent User Data Store (User VHD): backed up on server for instant recovery
• Persistent Local Data (Local VHD, no backup): Page.sys, temp files, indexes, .ost files; fast recovery
14. System Requirements
Client Hypervisor (Engine)
• Processor: Dual-core processor with hardware virtualization technology support
• System Memory: We strongly recommend at least 4 GB of RAM
• Available Disk Space: 80 GB free disk space, more for multiple OSs
Browser to connect to Management Server:
• IE 9 recommended
• Microsoft .NET Framework 2.0 installed
• RDP ActiveX control enabled
Management Server (Synchronizer)
• Operating System: Windows Server 2008 R2 with Hyper-V (Standard, Enterprise or DataCenter)
• Processor:
  ᵒ Authoring Server: 2 Xeon class cores enough to create and update virtual machine images
  ᵒ Management Server: 1-2 cores for running backend server; 3 Xeon class cores for each 1GB LAN connection
• System Memory: 8 GB minimum
  ᵒ Authoring Server: Recommend 6GB free for creating and updating virtual machine images
  ᵒ Management Server: Minimum is 8GB; increasing to 16GB will give the best performance
15. Image Management – Layering
XenClient Enterprise rolls back an image (diagram).
How layering works in XenClient Enterprise:
• Version 1 is the Base System VHD (Gold)
• Adding patches will grow the chain; the first patch becomes the top of the chain (Snap 1 … Snap N, then the Leaf)
• A pointer runs the top of the chain (the current version, Version 4 in the diagram)
• All patches are processed in the background
• All backups are uploaded in the background
• The VHD chains are handled by the engine
16. Image Management – Layering
VM disks as seen by the hypervisor (diagram):
• Drive C: version1.vhd → version2.vhd → version3.vhd (downloaded from the backend) → nxprep.vhd → snapback.vhd
  ᵒ nxprep.vhd contains the NxPrep results: computer name, domain account, device initialization, NxPrep Extend
• Drive U: user.vhd
• Drive L: local.vhd, which contains any changes made since the VM has started
17. Image Management – Backups
System (Drive C:)
• Files: C:\, C:\Program Files, C:\Users, C:\Users\Administrator, C:\Users\Default, C:\Windows, C:\Nxtop
User (Drive U:)
• Files: C:\Program Data, C:\Users\johns, C:\Users\Public, C:\Users\Default
• Registry: User disk registry entries
Local (Drive L:)
• Files: C:\Windows\Prefetch, C:\Users\johns\AppData\Local\Temp, C:\Program Data\Microsoft\Search, C:\Program Data\Microsoft\Windows Defender
• Registry: Local disk registry entries
18. Publishing Process – Publishing a VM
Publish Process
• One-time setup, done against initial VHD version
  ᵒ NxTop Service injected offline
  ᵒ Standard software packages installed
• Per-published version processing
  ᵒ Create differencing disk to hold publish changes, referred to as “n-diff”
  ᵒ Hyper-V Publish Boot
  ᵒ PV drivers installed: no hardware yet – just added to the Windows database
  ᵒ Final VHD chain is (1..n, n-diff)
  ᵒ Communicated to client in XML description of VM
Publish Boot Details
• Process takes ~5 mins
• Configure Windows Services
  ᵒ Install PV Drivers & NxTop Mgr Service
  ᵒ Uninstall Hyper-V integration services (3 mins)
• Disable services
  ᵒ Speeds up Publish/NxPrep process
  ᵒ Services are enabled again at end of NxPrep
19. Publishing Process – Publish Chain
Diagram, bottom of the chain first:
• Version 1: Base System VHD, the start of the chain when the VM is first installed.
• 1-diff: When Version 1 is published, the results are stored in 1-diff.
• Version 2: When Version 1 has been published, future patches are applied to a new Version 2 diff disk.
• 2-diff: When Version 2 is published, the results are stored in 2-diff.
• Version 3: Non-published versions can be created as checkpoints.
• Version 4 / 4-diff: Versions can be marked as a Staged version for testing. Only users marked to receive a staged version will get them.
20. Publishing Process – Publish Chain Rollback
Chain in the diagram, bottom first: Version 1, 1-diff, Version 2, 2-diff, Version 3, Version 4, 4-diff.
• The most recent version (or versions) can be deleted using the Rollback feature if they are broken.
• The topmost versions are simply removed and discarded (so long as no clients are currently using the version).
21. Publishing Process – Engine-Side Processes
Preparation Process
• Client downloads required VHD files
  ᵒ All elements in system disk chain (1..n, n-diff)
  ᵒ Only loads those not already present locally
  ᵒ User disk chain if it exists
  ᵒ User disk created on client when VM first deployed to user
• Push n-diff-1 disk onto system disk stack
• Push new diff disk onto user disk to hold updates
• Create local disk VHD if not present
• Boot into NxPrep
  ᵒ VM booted with minimal memory size and no network
  ᵒ Runs at the same time as the existing version
  ᵒ Uses PnP to install virtual devices: QEMU emulated devices not present on server; PV devices (disk, network, mouse, etc.)
  ᵒ Performs user personalization: rename NxTop user for workgroup users; create domain account profile
System Disk Collapse Process
• Intent is to collapse entire (1..n) chain
  ᵒ Improve performance
  ᵒ Reduce disk usage
• Resulting chain is (1', n-diff-1, n-diff-2)
• Chain is collapsed in one step
  ᵒ Blocks in versions (2..n) are written to version 1
  ᵒ For each 2MB block, find all the modified sectors in (2..n)
  ᵒ Write these sectors to version 1
  ᵒ This produces updated 1'
• Once complete, VHD chain updated
  ᵒ (n-diff-1) updated to point to (1')
  ᵒ Meta data updated to indicate (1') contains all previous versions
  ᵒ Lastly, old versions (2..n) are discarded.
22. Policy-Based Management – Overview
Policies control aspects of a VM, Engine, or Synchronizer
• Policies are defined in the Synchronizer, and then assigned to VMs.
There are 3 basic types of policies in XenClient Enterprise:
• Virtual Machine policies
  ᵒ These policies control various aspects of how a virtual machine (VM) performs
• Engine policies
  ᵒ Deal with Launcher, Activities Center, Network and Power Management
• Synchronizer policies
  ᵒ Used to define Admin roles and bandwidth control, e.g. for updates
23. Policy-Based Management – Setting Policies
There are nine different types of XenClient policies:
• Administrator Role: Allows an administrator to assign privileges based on an assigned role
• Backup: How often automatic backup is performed and how long backups will be retained
• Bandwidth: Set the bandwidth policy for an IP or subnet (max bandwidth, time period, etc.)
• Engine: Engine Policies affect behavior of XenClient Engines, not VMs
  ᵒ Default policy sets behavior for all XenClient Engines associated with a Synchronizer
• Expiration: Limits VM use to a number of days from first use
• Lockout: How long the computer can be out of contact with the Synchronizer before locking users out of the VM (lease period)
• OS Profile: A set of rules for the OS for special handling for applications, services, or other settings.
  ᵒ Snapback is the ability of the OS to return to the condition of the last XenClient publish, discarding any changes made.
• USB Filter: The types of USB devices that can be used on the VM
• Windows Setting: Establishes logon types and automatic logon settings for users. Configures VLAN tag settings
24. Encryption Architecture
Diagram (disk layout, with the BIOS below the whole chain):
• Region 1: MBR – unencrypted; holds Trusted GRUB
• Region 2: Boot partition (/boot) – unencrypted; the diagram places K1 under it
• Region 3: Partition 1 (Control Domain) – encrypted with K1; the diagram places K2 under it
• Region 4: Partition 2 (VHD Repository) – encrypted with K2
25. Data Protection – Remote Kill
• Shreds all encryption keys
  ᵒ So an encrypted boot can’t be read
• Deletes all VM VHDs
  ᵒ Any running VMs will blue-screen at some point when the data can’t be read.
• Writes random data all over the physical disk
  ᵒ Will completely wipe our software and the entire disk (and anything on the system, including dual-boot roots)
• Finally, the system is halted after 30 minutes if not already stopped
26. Data Protection – User Data Backup Overview
Backed up on a schedule
• As defined by policy
Items Included Out-of-the-Box
• Users directories
• Personalization (Wallpaper, Application data)
OS Profile Customization
• XML language defines files/registry values to save
Client-Side Process
• Snapshot created on scheduled basis
  ᵒ Pause guest
  ᵒ Add new diff disk “user-diff-m” onto head of user chain
  ᵒ Update guest to use new head
  ᵒ Resume guest
• Backup sends previous diff disk to server
  ᵒ Sends “user-diff-(m-1)”
• Once backup sent, merge to single VHD
  ᵒ When system is idle
27. Data Protection – User Data Backup Process
Diagram, bottom of the chain first:
• Initial State: Original User VHD, start of the chain
• Backup of User VHD: Previous disk in chain uploaded to server when connection available
• Snapshot2: New COW disk created when scheduled time for backup reached. Changes made by VM are written to new snapshot.
• Backup of Snapshot2: Once initial backup has been sent, second one will be transferred
• Snapshot3: If scheduled time for backup reached again, a further snapshot is created.
28. Data Protection – User Data Backup Process
Diagram: once backups have been sent to the server, they are merged into the base disk (2..1), leaving User VHD’ with Snapshot3 on top.
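As an added example (not code from this deck or from Citrix), the system-disk collapse of slide 21 and the user-disk snapshot, upload and merge rotation of slides 26-28 modelled in Python on constructed sample sectors; the names DiffDisk, chain, read_sector, collapse_system_disk and UserDisk are assumed here, while the 2MB block size, 512-byte sectors and the chain layouts follow the slides.

```python
SECTOR = 512
BLOCK_SECTORS = (2 * 1024 * 1024) // SECTOR   # a 2MB block is 4096 sectors

class DiffDisk:  # one VHD in a differencing chain; stores only the sectors written to it
    def __init__(self, name, parent=None, sectors=None):
        self.name, self.parent, self.sectors = name, parent, dict(sectors or {})

def chain(leaf):
    """The chain as a list, base first and leaf last."""
    out = []
    while leaf is not None:
        out.append(leaf)
        leaf = leaf.parent
    return out[::-1]

def read_sector(leaf, n):
    """Read as the guest does: the disk nearest the leaf that holds sector n wins."""
    for disk in reversed(chain(leaf)):
        if n in disk.sectors:
            return disk.sectors[n]
    return bytes(SECTOR)                       # never written: zeros

def collapse_system_disk(leaf, n):
    """Slide 21: merge versions 2..n into version 1 in one step, re-parent the disk
    above version n (n-diff-1) onto the updated 1', then discard versions 2..n."""
    disks = chain(leaf)
    base, old, rest = disks[0], disks[1:n], disks[n:]
    blocks = {}                                # 2MB block -> its modified sectors
    for v in old:                              # chain order, so later versions win
        for s, data in v.sectors.items():
            blocks.setdefault(s // BLOCK_SECTORS, {})[s] = data
    for blk in sorted(blocks):                 # write 1' block by block
        base.sectors.update(blocks[blk])
    base.contains = [v.name for v in old]      # metadata: 1' now holds 2..n
    if rest:
        rest[0].parent = base                  # old versions are now unreferenced
    return [d.name for d in chain(leaf)]

class UserDisk:
    """Slides 26-28: scheduled snapshot, upload of the previous diff, merge when idle."""
    def __init__(self):
        self.head, self.m, self.sent = DiffDisk("user.vhd"), 0, []

    def snapshot(self):
        """Pause the guest, push user-diff-m onto the head of the chain, resume it."""
        self.m += 1
        self.head = DiffDisk(f"user-diff-{self.m}", self.head)

    def send_backup(self, server):
        """Upload each disk below the head (user-diff-(m-1) and older) not yet sent."""
        for disk in chain(self.head)[:-1]:
            if disk.name not in self.sent:
                server[disk.name] = dict(disk.sectors)   # a copy leaves the client
                self.sent.append(disk.name)

    def merge_when_idle(self):
        """Fold the sent diffs directly above the base into it; the head, still
        receiving guest writes, is never merged."""
        disks, i = chain(self.head), 1
        while i < len(disks) - 1 and disks[i].name in self.sent:
            disks[0].sectors.update(disks[i].sectors)
            i += 1
        disks[i].parent = disks[0]
        return [d.name for d in chain(self.head)]
```

Reads through the leaf return the same bytes before and after a collapse or merge, which is the invariant a practitioner would verify when checking that the chain rewrite cannot silently lose guest data.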
29. Customer Quotes
Thanks to XenClient Enterprise, computers are being deployed to our newest hospital at a
fraction of the time it would ordinarily take.
Ames Prentis, CEO, IVG Hospitals
XenClient Enterprise is the first product I have ever tested where my users want to adopt merely
by word of mouth. We had employees at all levels literally begging to get these systems.
Alan Rabideau, CIO, Residential Finance Corporation
By using XenClient, we can centralize the management of PCs remotely instead of traveling to
each site to deploy, update or patch. This has greatly reduced our costs and increased the
productivity of our IT staff.
Kraig Stewardson, IT Desktop Manager, Life Time Fitness
30. More Technical Resources
• Watch XenClient “How-to” videos in the XenClient Enterprise 4.5 How-to Series
• Get more information from the Extended XenClient Technical Presentation
• Get specific technical information about XenClient from the Knowledge Center
• Get technical support from the XenClient Support Forums
• Get the latest XenClient Customer Presentation for use with prospects
• Get the latest sales resources from the XenClient Sales Kit
• Keep up with latest XenClient news by subscribing to the XenClient Blog RSS feed
• Contact the XenClient sales overlay team at xenclientsales@citrix.com
• Download the latest version of XenClient at www.citrix.com/xenclient/tryit
Editor's Notes
When we go a layer down, XenClient works by combining a comprehensive centralized management system with a Type-1 client hypervisor.
A bit of coverage on a few use cases, so that you can think of the potential opportunities: well-managed laptops/desktops for offline/online use; multi-VM environment for power users (dev/tester/IT pros); multi-level security environments.
Management Server host must be a standalone physical or virtual server. XenClient Synchronizer requires a database. MS SQL Express is included in the installation media. Other enterprise databases such as MS SQL 2005/2008, Oracle, and PostgreSQL are also supported.
BIOS measures MBR and invokes boot loader (Trusted Grub). Grub measures Boot Partition, decrypts Key1, then boots Operating System. OS decrypts Control Domain Partition and loads Client Software. Client authorizes User, then allows access to Encrypted Virtual Machines. No key for BitLocker – don’t use TPM to virtualize or for encryption.