Tips and Tricks

Installing Cisco ACS 5.1

Introduction

Cisco ACS 5.1 is the newest revision (as of 8/2010) of Cisco's RADIUS/TACACS+ authentication server, which lets you centrally manage user access and all that good stuff. One question people may ask is why not just use Windows IAS, or the Network Access Policy role on the newer servers. The Windows solution makes a whole lot of sense for small to medium installs, or where the IT staff is not strictly divided into "server" and "network" guys. In larger installations, or where that division does exist, a box separate from the Active Directory servers and controlled by the "network" staff lets management be delegated more effectively throughout the organization. Now let's dive into the installation procedure.

Note: Keep in mind that this install needs 60 GB of free disk space and 1 GB of usable memory; otherwise the installation will fail.


Citrix XenDesktop 3.0 Design And Best Practices

Below are some best-practice guidelines for installing and configuring Citrix XenDesktop 3.0 in a new environment. Some of the information is miscellaneous, but I hope these notes help someone.

  • Uninstall Web Interface and IIS from the Desktop Delivery Controller
    • Less overhead on these systems
    • Must use an existing web server infrastructure
    • SETUP.EXE -nosites
    • Suggested to uninstall if already installed
  • Separate Farm Master and Desktop Delivery Controller
    • When there are multiple servers, separate these roles.
    • The Farm Master should handle only its own role rather than also acting as a Desktop Delivery Controller
    • Ensure that a particular server is chosen to be Farm Master
    • Ensure that unnecessary duties are not performed by that server
  • Server Preference Settings
    • Master: servers with this setting are preferentially chosen as Farm Master
    • Backup: chosen when the Master is unavailable
    • Member: when all else fails, a Member can become the Farm Master
  • Farm Master Selection
    • Farm masters have the logic for launching sessions
    • It's recommended that the Master be its own server; everything else should be a Member server
    • Web interface servers should point to Member servers
  • Configure Delivery Controller Selection
    • For some reason this has to be done in the registry.
    • Set HKLM\Software\Citrix\IMA\RUNTIME\UseRegistrySetting to a DWORD value of 1
    • Set HKLM\Software\Citrix\IMA\RUNTIME\MasterRanking to a DWORD value: 1 for Master, 2 for Backup, 3 for Member
  • Throttling Commands to the Hosting Infrastructure
    • Suggested that the pool management service traffic on the Desktop Delivery Controller and the hosting infrastructure is throttled to 10% of the total pool
    • This is primarily to keep power cycling commands to a minimum which would otherwise overload the infrastructure.
    • To configure:
    • C:\Program Files\Citrix\VmManagement\CdsPoolMgr.exe.config
    • Add the following:
    • <add key="MaximumTransitionRate" value="10" />
    • This goes under <appSettings>; the value of 10 is arbitrary and should be tuned for your situation.
    • Save the file and restart the Desktop Delivery Controller
  • Scaling the Desktop Delivery Controller
    • The Desktop Delivery Zone Master is a single bottleneck and cannot be scaled out for a desktop group
    • Citrix says 3000 desktops per group is a good limit
    • Upgrading to a bigger/badder machine is a good plan if you have large requirements
  • Scaling the Provisioning Server
    • Disk bound scaling
    • Put Write Cache files on separate LUNs from the vDisk
    • Get yourself a high performance storage system
    • Basically just make sure your storage solution is quick
  • Scalability by component
    • Desktops per XenDesktop Group: 3000
    • Tested Logon Rate: 1500 over 5 min
    • vDisk per XenServer: up to 28
    • Provisioning Server for Desktops: 500 VMs per machine when using local cache files
  • Planning Security Considerations
    • Install AV, use firewalls, secure the network, lock down user privileges, etc.
    • Users who are Administrators on virtual desktops can:
      • Have full control over this desktop
      • Potentially view others' information on this desktop if it is pooled rather than assigned
      • Control/monitor network traffic
      • Install malicious software
  • Desktop Delivery Controller Requirements
    • Windows Server 2003 SP2
    • Windows Server 2003 R2
    • Terminal Services in application mode, no CALs needed
    • IIS version 6.0 (for Web Interface only)
    • .NET Framework 3.5
    • JRE 1.5.0_15
    • MS J# 2.0 Redistributable Package Second Edition
    • IE 5.0 or later
    • 400MB for DDC Software
  • Data Store Database Requirements
    • Microsoft Access (Basically unusable except in tiny installations)
    • Microsoft SQL Server 2000 SP4 and above
    • Oracle Enterprise 10.2.0.1.0
  • License Server Requirements
    • Windows 2000, 2003, 2008
    • 30 MB disk
  • License Management Console
    • IE5.0 or greater
    • IIS 5.0, 6.0, 7.0
    • Server 2008 needs ASP.NET, Windows Authentication security role, IIS 6 Management Compatibility role
    • Tomcat 4.1.24
    • Apache HTTP Server 2.0.49
  • Active Directory
    • No schema changes are needed
    • Each Farm needs an OU
    • Controllers Security Group Created
      • The computer account of every controller must be a member of this security group
      • This is done by default
      • Service Connection Point
        • Farm Meta Info
        • Registration Services Container
          • One SCP object for each controller in the farm
          • Updated on each startup
          • Permissions must match; get rid of the security groups that are added automatically by the install.
            • Should contain the computer accounts of the delivery controllers in the farm
            • By default the installation sets permissions so that controllers have write access to their own SCP; make sure permissions are set so that only trusted admins can change SCP info
            • Replication of new information could take some time
            • Valid and up-to-date forward and reverse DNS is required
  • User Types
    • Task Workers
      • Data entry and standard tasks that do not require a personalized desktop
      • Call center staff
    • Knowledge Workers
      • Personalized desktop and software
      • Experience close to a personal desktop
  • Access Modes
    • Full-Screen-Only
      • Focused on the virtual desktop; it fills the full screen and cannot interact with the local desktop
    • Window View
      • Good for multiple virtual desktops
      • Can interact with both remote and local desktops
      • Flexible viewing
        • Multiple monitor support
          • 8 monitors total
          • Identical screen resolutions required
          • 1024×768 x 8 monitors (24bpp)
          • No configuration required, except to physically arrange the desktops in a rectangle
  • Web Connectivity
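The two Desktop Delivery Controller settings from the notes above (the MasterRanking registry values and the MaximumTransitionRate entry in CdsPoolMgr.exe.config) applied with PowerShell, as an added example rather than anything from Citrix; the parameter names and the .bak backup suffix are my own, and the script assumes it runs elevated on the controller.

```powershell
# Added example, not Citrix code: applies the DDC tuning steps from the notes.
# Paths, key names and the default value of 10 come from the notes; the
# parameter names and the backup copy are assumptions of this script.
param(
    [ValidateSet(1, 2, 3)][int]$MasterRanking = 3,   # 1 Master, 2 Backup, 3 Member
    [int]$MaximumTransitionRate = 10,                # notes call 10 arbitrary; tune per site
    [string]$PoolMgrConfig = 'C:\Program Files\Citrix\VmManagement\CdsPoolMgr.exe.config'
)

$runtimeKey = 'HKLM:\Software\Citrix\IMA\RUNTIME'
if (-not (Test-Path $runtimeKey)) { New-Item -Path $runtimeKey -Force | Out-Null }

# Tell IMA to honour the registry ranking, then set the rank itself (both DWORD).
Set-ItemProperty -Path $runtimeKey -Name 'UseRegistrySetting' -Value 1 -Type DWord
Set-ItemProperty -Path $runtimeKey -Name 'MasterRanking' -Value $MasterRanking -Type DWord

# Throttle pool management traffic: add or update MaximumTransitionRate under <appSettings>.
if (-not (Test-Path $PoolMgrConfig)) { throw "Config not found: $PoolMgrConfig" }
Copy-Item $PoolMgrConfig "$PoolMgrConfig.bak" -Force   # keep a rollback copy

[xml]$cfg = Get-Content $PoolMgrConfig
$appSettings = $cfg.configuration.appSettings
if (-not $appSettings) {
    $appSettings = $cfg.configuration.AppendChild($cfg.CreateElement('appSettings'))
}
$entry = $appSettings.add | Where-Object { $_.key -eq 'MaximumTransitionRate' }
if ($entry) {
    $entry.value = [string]$MaximumTransitionRate      # update an existing entry in place
} else {
    $entry = $cfg.CreateElement('add')
    $entry.SetAttribute('key', 'MaximumTransitionRate')
    $entry.SetAttribute('value', [string]$MaximumTransitionRate)
    $appSettings.AppendChild($entry) | Out-Null
}
$cfg.Save($PoolMgrConfig)

# The notes say the controller must be restarted for the throttle to take effect.
Write-Host "MasterRanking=$MasterRanking, MaximumTransitionRate=$MaximumTransitionRate set; restart the DDC to apply."
```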
