MANAGEMENT FEATURES | Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition

The primary management tool for Presentation Server farms is the Citrix Management Console (CMC). The CMC is a Java tool that provides the user interface to control permissions, licensing, published applications, the load management feature of Advanced Edition, and the advanced features of Enterprise Edition for both resource management and network management. The CMC is also the interface to monitor and manage printers, users, and servers. Java was chosen rather than using the Microsoft standard of the Microsoft Management Console (MMC) for cross-platform compatibility. With the introduction of FR-1, Citrix made available the Citrix Web Console (CWC), which is not as feature-rich as the CMC but is still convenient for use.

The CMC can create a significant load on the server farm if not used properly. It is recommended that the auto-refresh feature not be used, especially in larger farms. It is also important to publish or use the CMC from the Zone Data Control (ZDC) server. Zone Data Control is further explained later in this chapter. The information that the CMC needs is located in the database on the ZDC; therefore, if the CMC is run from a server other than the ZDC server, the server needs to download the information from the ZDC, and this adds one more link to the puzzle. Another way to increase efficiency in using the CMC is to create folders within the CMC to categorize published applications and servers. This allows the CMC to refresh without gathering more information than is needed. Another method to reduce load on the CMC is to use the command-line tools that query only very specific data and thus use the CPU and network bandwidth efficiently .

Citrix Presentation Server contains a plug-in for Microsoft Operations Manager (MOM) that allows administrators to effectively manage the health and performance of Presentation Server servers from the MOM console. Since this interface is not Java-based, it tends to be faster and less resource- intensive . For users who are already using MOM for server management, this will make a great management tool.

From a client management perspective, Presentation Server brings to the administrative toolkit the Automatic ICA Client Update utility and a tool called ReadyConnect to facilitate rapid application deployment. Together, these features can save administrators many hours of tedious client configuration tasks .

The Automatic ICA Client Update utility provides the means to update Citrix ICA client software centrally , from the Presentation Server server itself. The latest versions of Citrix client software are identified by the administrator, who then uses the update tool to schedule download and installation on appropriate client devices. This utility reduces the need to travel from client to client throughout the enterprise in order to install and configure the latest version of client software.

ReadyConnect enables client connections to be predefined at the server. By capturing client connection data, including phone numbers , IP addresses, server names , and other connection options, applications can be mass-deployed throughout the enterprise with speed and agility. Users can access applications across predefined connection points through a simple point-and-click operation.

Note	While these tools are convenient, we recommend that Web Interface for Presentation Server be used instead to deploy and manage client versions and configurations. This technique will be thoroughly discussed in the section "Citrix Web Interface" of this chapter and later in Chapter 16.

Zone Data Collectors

Understanding zone data collectors is critical to optimizing larger farm performance. Zone data collectors (ZDCs) are used to keep information within a server farm up-to-date between member servers and other ZDCs. Every server farm has at least one zone that is set up by default. The trick is to design the right number of zones in a farm so that each ZDC does not get overloaded with traffic from its member servers. In larger farms with 50 or more servers, the ZDC is best served by a Presentation Server server that does not accept ICA connections.

Generally, zones start degrading performance between 100 and 300 servers, depending on the number of logons , applications served, and changes in server load. Performance can be maintained in larger farms by creating additional zones. The trade-off of adding more zones is the open link (and thus the bandwidth required) to maintain updates between each ZDC so that all updated data can be propagated throughout the farm. For optimal performance, it is best to keep the number of zones to a minimum, but still keep each zone small enough to be efficient.

The ZDC tracks data that is dynamically collected from the farm to include server load, license utilization, and session information. The more static data for a farm is maintained by the IMA data store, including total licensing, published applications, administrators, permissions, server names in the farm, and trust relationships.

The ZDC is chosen with an election process. The variables used for the election process are first the software version, second the administrator-defined preference, and third the host ID. The important thing to keep in mind is that the software version overrides even the administrator-defined preference. Because of the amount of communication that takes place between ZDCs, we do not recommend setting up zones that cross WAN links. The zone traffic data that is sent across WAN links is not manageable within Citrix, but appliances like the Packeteer PacketShaper can manage this bandwidth utilization.

Independent Management Architecture

Citrix introduced the Independent Management Architecture (IMA) to replace the ICA browser service. IMA is a tremendous improvement over the ICA browser with respect to speed, scalability, and reliability of enterprise server farms.

IMA contains two components . The IMA data store is responsible for keeping information about licenses, published applications, load-balancing parameters, printer options, and security. The IMA protocol is responsible for communications between Presentation Server servers that maintain accurate information about server load, license usage, and user connections.

The IMA service runs on all Presentation Server servers to communicate with the Citrix Management Console, other Presentation Server servers, and the IMA data store. Each Citrix farm has one IMA data store connected to an ODBC database. The databases that are currently supported are MS Jet (FR-2 replaced Jet support with MSDE support), Microsoft SQL Server 7 or later, IBM DB2, and Oracle 7.3.4 or later. Additional licensing is required from Microsoft, IBM, or Oracle if MSDE is not used. Each server downloads its configuration updates each time it is started (when the IMA services start); it also checks for changes every ten minutes. When an administrator is doing testing and maintenance, it is sometimes necessary to have more immediate response for changes. This can be done by executing the dsmaint refreshlc command from a command prompt on the Presentation Server server. When each server queries the IMA data store, it only downloads relevant changes, which reduces the amount of traffic on the network. The local server stores this data in its Local Host Cache. This is helpful for increasing performance of local queries, and the data is retained for 96 hours in case of communications troubles with the centralized IMA data store. The Zone Data Collector is also involved in this communication and will be addressed in the next section.

Access to the data store can be done via "direct" or "indirect" mode. Direct mode means that each server directly accesses the database using ODBC, whereas in the indirect mode the servers aggregate queries through one Presentation Server server, which communicates to the data store. When using MS Jet (or MSDE in Feature Release 3) for the data store, indirect mode must be used because of performance and locking issues. Direct or indirect mode can be used with SQL, IBM DB2, or Oracle. For small farms (50 servers or less), MSDE can work, but it has the disadvantages that it requires indirect mode (single point of failure), is much more likely to get corrupted data, and can be a performance bottleneck. For farms that are mission-critical and larger than ten servers, using direct mode with SQL, IBM DB2, or Oracle is recommended. The SQL, IBM DB2, or Oracle server does not need to be dedicated to the data store, since these databases support more than one database per server, assuming , of course, that sufficient server resources are available.

Data store replication is a concern in larger farms. When a server queries the data store (especially over slow link speeds), other servers could timeout and cause problems. SQL, IBM DB2, and Oracle contain integrated replication capabilities that are effective in solving this problem (the dual-commit model is recommended). When planning the resources for the data store, a good rule of thumb is to allocate about 200KB of disk space for each Presentation Server server.

Resource Manager

Presentation Server Enterprise Edition is required when using Resource Manager (RM). This product equips administrators with a full-featured management tool suite for analyzing and tuning Citrix Presentation Server Enterprise Edition servers. RM adds realtime monitoring, historical reports , and a central repository of usage information and statistics to the Presentation Server product suite.

Resource Manager keeps data for 96 hours with an internal database (15-second server snapshots) and integrates with Microsoft SQL and Oracle databases to store long- term statistics. The local database will utilize about 7MB of data for each metric to maintain data for 96 hours. The local database is compressed only when the IMA service is started; this provides one more reason to script reboot of Presentation Server servers. The link http://www.citrix.com/download contains a group of predefined free Crystal reports available for use with a Microsoft SQL/Oracle database.

While monitoring the server statistics, RM can send out e-mail, pages, or SNMP traps when predefined loads are met (for example, when CPU utilization reaches 60 percent, RM sends the Citrix administrator group an e-mail). RM uses metrics to define monitored parameters, alert thresholds, and configurations. Metrics, once defined, can be applied to servers or published applications. Hundreds of example metrics are included with the RM installation. Citrix recommends, for performance reasons, not to have more than 50 metrics per server.

The farm metric server is the central server that manages all of the metrics on each of the servers and published applications. By default, the first server in the farm to have RM installed on it becomes the farm metric server, although this can be moved by the administrator at any time. Better performance can be achieved by having the farm metric server on the same machine as the zone data collector. Presentation Server will also elect a backup farm metric server for use if the primary goes offline. The metric data is maintained with the IMA data store. The database connection server is responsible for communicating with each Presentation Server server and the summary database (SQL or Oracle) if data needs to be retained past 96 hours.

Each defined metric has six possible states:

– Green indicates the metric is operating within acceptable limits.
– Yellow indicates the metric has exceeded the time or value limit.
– Red indicates the yellow limit has been exceeded and an administrator action has been executed (e-mail, page, SNMP traps, and so on).
– Blue indicates a new metric that is not completely defined.
– Grey indicates a metric that is paused (snooze) for a predetermined amount of time; in this state, data is still collected, but alerts are not processed .
– Black is a sleep state; data is still collected, but alerts are not processed.

Network Manager

Network Manager (NM) is used for limited management through SNMP and to view Presentation Server statistics from HP OpenView, Tivoli NetView, and CA Unicenter. This tool can be useful for companies that have existing SNMP management software. NM is a component of Enterprise Edition only. Since security can be compromised through SNMP, security is a primary configuration concern. If possible, SNMP should be left read-only (the default setting for Window 2000/Windows Server 2003) and all Presentation Server management should be done through the CMC or MOM plug-in. If it is critical to restart, terminate processes, disconnect sessions, logoff sessions, send messages, and shut down, SNMP requires read-create or read-write permissions. In this case, SNMP should be locked down by limiting these SNMP privileges to only the IP address of the SNMP management server.

Installation Manager

Citrix Installation Manager (IM) is designed to automate the application installation process and facilitate application replication across Presentation Server servers throughout the enterprise. Through the use of IM, applications can be distributed across multiple servers in minutes rather than days or weeks. IM is available as a part of Enterprise Edition only. IM is fully integrated into the CMC.

IM is especially useful in organizations utilizing more than three Presentation Server servers, or having numerous and frequently updated applications. In these environments, the automation offered by IM can yield significant cost and administrative time savings.

IM contains two components: the Packager and the Installer. With the Installer deployed to all Citrix servers in the enterprise, the Packager makes replicating applications a simple two-step "package and publish" process.

The Packager runs on its own PC or server, while the Installer runs as a background service on each Presentation Server server and is transparent to the user.

The Packager provides the administrator with a wizard that supports the step-by-step process of installing and configuring an application. The result is a "package" that contains all application files and a "script" that describes the application setup process.

To "push" an application to Presentation Server servers equipped with the Installer, publish the script to those servers. The application will then be distributed and automatically installed onto Presentation Server servers across the enterprise.

IM also helps to sort out uninstall issues associated with many applications. For example, with many uninstall programs, application components can be left behind on the server. With IM, the Installer component tracks every application component installed and completely uninstalls the components when the administrator elects to "unpublish" the application on a specific server. This simplifies the relocation of applications from one server to another.

Load Management

Load management is available in Advanced Edition and Enterprise Edition to assist administrators in maximizing the utilization of server resources and maintaining optimum user experience. Load management is a concept familiar to many administrators of Microsoft Terminal Server Edition, but it has a special meaning in the context of Presentation Server server operation.

With Microsoft's NT Server 4.0 TSE, Windows 2000, and Windows Server 2003 operating systems, multiuser computing capabilities are viewed as a service, much like SQL or Exchange services. Due to this orientation, Microsoft's approach to balancing system load across multiple servers focuses less on the nature and requirements of the load itself (application sessions in the case of multiuser computing), and more on the distribution of the session load across multiple systems. In effect, clients are presented with a virtual IP address representing multiple servers with replicated resources and services. As each server reaches a load threshold, incoming client session requests are forwarded to a server with available resources.

Presentation Server takes load managing from the server level to the application level, adding features such as automatic session reconnection and enhanced manageability to terminal services, fine-tuning the concept of load management considerably.

With Presentation Server Load Management, an application can be published for execution on any or all Presentation Server servers in a server farm. When an application or desktop session that has been configured for multiple servers is launched by an ICA client, Presentation Server Load Management selects which server will run the application according to a set of tunable parameters. Administrators have access to load management variables via the Citrix Management Console (CMC).

How Load Manager Works

Administrators use the CMC to set load-management parameters. Load management makes decisions based on administrator-defined rules that define lower and upper limits on a number of variables that are defined by load evaluators tracked on each server. Load evaluators are numbers between 0 (free) and 10,000 (fully utilized). The Zone Data Collectors are responsible for keeping track of each server's load evaluators and directing users to the least-busy servers. When more than one rule is applied to a load evalua-tor, the evaluator with the highest load value defines the load of the server.

Load evaluators can have up to 12 rules. These rules can be broken into four categories: moving average, moving average compared to high threshold, incremental, and Boolean. These categories are explained in more detail next.

Moving average uses rules based on percentage values to calculate load values. The administrator defines a low threshold where the load manager reports no load and a high threshold that the load manager reports a full load. When the moving average is between the low and high thresholds, the load is determined as the percentage multiplied by 10,000. Two rule types operate with the moving average: CPU Utilization, constituting the average usage of CPUs; and Memory Usage, which is the average of the physical and virtual memory in the server.

The moving average compared to the high threshold reports no load when the moving average is below the low threshold. When the moving average is at or above the high threshold, load manager reports a full load. When the moving average is between the low and high thresholds, Load Manager reports a load value based on the upper threshold value and 0. The lower threshold value is not used in calculating the load. There are five rules that use moving average compared to the high threshold. Context Switches calculate load based on CPU context switches, that is, on when the OS switches between processes. Disk Data I/O calculates load based on all I/O throughput in kilobytes of disks. Disk Operations calculates load based on disk operations per second for all disks. Page Faults calculates load based on the number of page faults per second, which is the number of pages accessed by the operating system that have been flushed to disk. Page Swap calculates load based on the number of page swaps per secondpage swaps happen when the OS swaps physical memory to virtual memory on disk.

The incremental rules are user-friendly and do not require performance monitoring or calculations between upper and lower thresholds. All calculations are based on a full load maximum value specified by the Presentation Server administrator. When the maximum number specified is reached, Load Manager will report full load. Otherwise, Load Manager reports a percentage based on the maximum. The load value is calculated by dividing 10,000 by the rule value and then multiplying that value by the current counter. Three rules are in this classification: Application User Load calculates the load based on the number of users connected to an application. Server User Load calculates the load based on the number of users connected to a server. License Threshold calculates load based on the number of assigned connection license counts in use on the server.

Boolean rules are based on conditions being either true or false. If the conditions are met, or found to be "true," access is allowed. Otherwise, it is denied . These rules can be used in conjunction with other load evaluator rules, because they have no associated load values. If no other rules are applied in conjunction with a Boolean rule, all connections are directed to the same server. When one of these rules takes effect, it does not enforce the rule on users already connected. For instance, if the Scheduling rule disables an application at a certain hour , users employing the application can stay connected. However, if the users log off, they cannot reconnect to the application during the hours it is disabled. Boolean rules have two evaluators. IP Range enables or disables access to a server or published application based on source IP address. IP Range rules do not function in mixed mode. Scheduling enables or disables access to a server or published application during specific time periods. Scheduling, like all load evaluators, is checked only during logon/application launch.

Shadowing

In addition to providing tools for managing application publishing, Presentation Server delivers a utility targeted at reducing administrative costs by enabling the remote support of users of published applications. Session Shadowing enables the administrator (or help-desk personnel) to remotely join, or take control, of another user's ICA session. When activated, Session Shadowing displays the user's screen on the administrator's console. Optionally, the administrator can assume control of the remote user's mouse and keyboard, which enables demonstrations .

In addition to facilitating help desk and troubleshooting processes, Session Shadowing can also be used in online interactive teaching and call-center applications.

Additional security has been added to Presentation Server to limit or disable shadowing during installation that cannot be reversed . Administrators can disable shadowing of ICA sessions on all servers in a server farm if legal privacy requirements prohibit the shadowing of users' sessions. Alternatively, it may be necessary to disable shadowing on servers that host sensitive applications, such as personnel or payroll applications, in order to protect confidential data. Presentation Server Setup provides options on the Shadowing Setup page for an administrator to limit or disable shadowing at installation time. When shadowing is enabled, an administrator has the option to select the following restrictions:

– Prohibit remote control of ICA sessions By default, Presentation Server gives administrators the ability to input keystroke and mouse control during session shadowing. Select this option if you want administrators to be able to shadow without input. In some cases, shadowing without input hides administrator presence.
– Prohibit shadow connections without notification By default, Presentation Server notifies users with a prompt when an administrator is attempting to shadow their sessions. Select this option to deny administrators the ability to shadow sessions without sending this notification.
– Prohibit shadow connections without logging Events such as shadowing attempts, successes, and failures can be logged in the Windows event log and examined using Event Viewer. Select this option to enable logging. Do not allow shadowing of ICA sessions on this server. This option permanently disables shadowing by anyone of all ICA sessions on the server.

Configuring Session Shadowing

Session Shadowing is configured at the time of connection configuration. The shadowing settings in the Advanced Connection Settings dialog box control the behavior of shadowing for all sessions on the connection. Setting options include

– Enabled Specifies that sessions on the connection can be shadowed .
– Disabled Specifies that sessions on the connection cannot be shadowed.
– Input On Allows the shadower to input keyboard and mouse actions to the shadowed session.
– Notify On Specifies that the shadowed user gets a message asking if it is OK for the shadowing to occur.

Session Shadowing Initiation

The initiation of Session Shadowing can be accomplished via the Shadow taskbar, from the Citrix Management Console, or from a command line. Each interface is well documented and reasonably self-explanatory.

Presentation Server Licensing

The Presentation Server license is more than an agreement describing the cost to the user and revenue to the vendor. It is a technical licensing implementation in which licenses are pooled by the Presentation Server servers themselves and used to calculate authorized use of the product (see Chapter 2, Tables 2-3 and 2-4). In short, if the license provides for 20 users to connect to a Presentation Server server, user number 21 will be locked out by the server. Citrix delivers Presentation Server licenses in three ways: the shrink wrap method, corporate licensing, and ASP licensing.

The Shrink Wrap Method

Administrators can purchase the base product and licenses for 20 concurrent users. As configurations expand, bulk user packs can be purchased to meet changing needs. Additional Presentation Server user licenses can be added in increments of 5, 10, 20, or 50 concurrent users.

Easy Licensing

Easy Licensing is designed for customers with up to 500 concurrent licenses that wish to take advantage of electronic licensing. On-demand licensing allows administrators to purchase what is needed when it is needed. This licensing also allows for auto-activation for rapid deployment. Another advantage to Easy Licensing is that it does not have a complex paper contract but rather uses a "click to accept" online agreement (similar to opening packaged products).

Corporate Licensing

Corporate licensing programs are available for large license quantities . This program uses a point-based system with four discount levels for corporations and a special education discount level. In addition, special pricing is available for corporate customers who adopt a "long-term strategic use" posture . In this case, cumulative purchases drive discounts . This program is designed for customers with 500 to 5,000 concurrent seats.

Flex Licensing

Flex licensing is designed for companies with more than 5,000 concurrent seats. Flex Licensing requires a custom contract, called a Global 2000 agreement, reserved for enterprise customers. The advantage of Flex licensing, in addition to a very significant discount, is that Citrix provides additional license automation to make it easier to install and activate Presentation Server licensing across a large number of servers.

Subscription Advantage

Subscription Advantage provides customers with a convenient way to keep their Citrix software current and maximize their on-demand computing investments. As a customer, you receive software upgrades, enhancements, and maintenance releases that become available during the term of your subscription. Subscription Advantage is for a one-year term and can be renewed each year.

Connectivity

A broad range of connectivity options are supported by Citrix, so a diversified set of users can access and utilize hosted applications. Figure 3-3 depicts the connectivity options enabled by ICA, which include dial-up, ISDN, multiple LANs, wireless LANs, numerous WANs, and the Internet. By contrast, Microsoft's Remote Desktop Client (RDC) is limited in its support to only TCP/IP LAN/WAN environments.

Figure 3-3: Citrix connectivity options

Additionally, Citrix Access Suite and the ICA protocol support more than 200 clients, providing excellent flexibility and choice in edge device access.