FULL DESKTOP VS. PUBLISHED APPLICATIONS

Citrix gives Presentation Server administrators the option of publishing to end users either a full desktop interface to the Presentation Server servers, effectively providing desktop users with a window that looks identical to that of a desktop PC running Windows XP, or individual applications, launched from within their local desktop or Web browser environment. Which to choose depends on the overall environment, the number of applications to be deployed, and whether thin clients or hybrid clients will be used. The decision to publish individual applications or the entire desktop has many ramifications, from end-user experience and performance to security. Both options are available in any client type or device scenario.

Publishing Individual Applications

In the case where a Presentation Server server farm is used to deploy only one application or a small selection of applications to end users (hybrid clients), the published application option has many benefits. A published application can be published directly to a user's Windows desktop using Citrix Program Neighborhood or directly to a Web browser interface using Citrix Web Interface.

Citrix offers two options for deploying and accessing published applications from a desktop icon: Citrix Program Neighborhood and Citrix Program Neighborhood Agent (PN Agent). Program Neighborhood Agent addresses many of the issues that existed with the original Program Neighborhood. With PN Agent, an administrator simply points the agent at the Web Interface server, and when users connect, PN Agent populates their desktops, Start menus, or system trays with all of their published applications. Additionally, Program Neighborhood Agent addresses the problem of the local operating system not knowing to open files with a published application rather than a local one: it changes the local desktop's file type (MIME) associations to point at the appropriate ICA client connection.

The Program Neighborhood Agent can be configured centrally by an administrator with the deployment method of choice (Active Directory, for example) so that no settings are changeable by the user. The administrator may also allow the user to make some configuration changes, such as which Web Interface server is used or where the icons are placed in their environment.

Published applications are more secure than a published desktop, as users are not given administrative or desktop tools, nor basic operating system tools such as the Start menu. Without this access it is difficult for users (authorized or unauthorized) to harm the system, although a published application is only as restrictive as the application itself: Internet Explorer, for example, exposes file Open and Save dialogs and can launch other programs, so a user can reach the server's file system and other executables from it unless those paths are locked down separately.

Published applications also tend to use server resources more efficiently, since less memory and processor time is consumed when no desktop shell is running, and sessions end more reliably: closing a published application logs the session off, whereas desktop users often close or disconnect their window without logging off and leave the session running on the server. The significant downside to published applications is that they can be confusing to end users, who find it difficult to distinguish applications running locally from applications published from the Presentation Server farm. Additionally, because the user is running only the application and not the full interface, they cannot reach configuration such as printer settings through the Control Panel, which can cause challenges.

Publishing the Desktop

For environments in which all or most applications will be provided to users by the Presentation Server environment, and environments with a majority of Windows terminals, we strongly recommend publishing the full desktop as opposed to just the applications. Although publishing the full desktop requires the desktop lockdown discussed in the next section, the published desktop is simpler and more intuitive for end users. With a published desktop, end users see the full interface they are accustomed to, and from a hybrid client a user will see two Start menus (if the published desktop is set up to run as a percentage of screen size), making it more obvious whether they are using an application locally or from the Presentation Server farm. Additionally, Windows terminals based on Linux do not intuitively switch between published applications, whereas if the desktop is published, the normal hot keys and windowing controls behave as users expect.

When using a published desktop, the Citrix client can be published to the desktop to provide access to other applications or servers not supported on the server to which a user is logged on (this is called the ICA Passthrough feature). It is important to note though that there is a significant performance penalty associated with using the ICA Passthrough, both for the end users and in terms of server resources. If users are complaining of slow screen scroll, make sure they are not running the application through ICA Passthrough.

Desktop Lockdown

Since most organizations will utilize PCs either in full thin-client mode or in hybrid mode, locking down the PCs is critical to keep them from being an ongoing source of help-desk calls. Additionally, the same methods are useful for locking down the published desktop environment of the Presentation Server farm. Although the tools we recommend for locking down PCs are quite good and will dramatically reduce the administration and maintenance required, desktop hardware failure will still be a cause of lengthy support issues.

According to several studies, including one by the Gartner Group cited in Chapter 4, the PC operating system is the source of most of the support requests from users. Even though the Citrix client runs on a variety of operating systems, including Mac OS and Linux, this discussion will be focused on Windows client devices, since they are the most common (and therefore, most in need of being locked down).

Registry Settings

The various Zero Administration Kits (ZAK) published by Microsoft contain a wealth of information on beneficial changes to the system Registry. The strategy is to make changes to prevent the following:

  • Installing applications Since the PC should come to users with the necessary local applications installed, along with the Citrix client for running applications from the Presentation Server, end-user application installation should be prohibited. Upgrades or requests for new applications should go through the help desk.

  • Changing system settings Even more so than with applications, desktops should prohibit system settings changes. Setting appearance or screen savers seems innocuous at first, but simple changes like this can generate calls to the help desk when they conflict with the use of a given application. We recommend preventing any changes to the system settings.

  • Recognizing installed hardware If the client operating system has the ability to recognize new hardware, it can prompt the user to install drivers. The drivers may conflict with other drivers or system libraries and, again, generate calls to the help desk. Even if users know how to install hardware, the standard operating system image should prevent them from doing it. Even plug-and-play devices have no place in the corporate desktop. It may seem simple to plug in a USB device, for example, since it will be automatically recognized, but quite often even harmless peripherals can wreak havoc on a system and prompt an all-day service repair call while the technician performs investigative work to try to determine what changed and how to fix it.
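A compact way to apply and then verify the three restrictions above, and to close the common break-out paths from a published application noted under Publishing Individual Applications, as an added PowerShell example that is not from the book or from any Microsoft ZAK. The Registry values are the ones the corresponding Group Policy settings write; the choice of settings, the -Audit switch, and the function names are this example's own, and the DeviceInstall restriction exists only on Windows Vista and later.

```powershell
<#
 Added example (not from the book or a Microsoft ZAK): write the policy
 Registry values behind a minimal desktop lockdown, then read them back.
 Run elevated. HKCU values affect the account running the script, so apply
 them in the target user's context (for example from a logon script) and
 expect Explorer policies to take effect at the next logon.
#>
param([switch]$Audit)   # -Audit: report compliance only, change nothing

# Each entry: hive drive, key, value name, expected DWORD. The comments
# map the entries to the three goals in the text.
$Lockdown = @(
    # 1. Installing applications: block Windows Installer for all users and
    #    turn off AutoRun on every drive type (0xFF).
    @{ Hive='HKLM'; Key='SOFTWARE\Policies\Microsoft\Windows\Installer';                  Name='DisableMSI';           Value=2 },
    @{ Hive='HKLM'; Key='SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name='NoDriveTypeAutoRun';   Value=255 },
    # 2. Changing system settings: hide Control Panel and the Display applet,
    #    and block regedit/regedt32.
    @{ Hive='HKCU'; Key='Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name='NoControlPanel';       Value=1 },
    @{ Hive='HKCU'; Key='Software\Microsoft\Windows\CurrentVersion\Policies\System';      Name='NoDispCPL';            Value=1 },
    @{ Hive='HKCU'; Key='Software\Microsoft\Windows\CurrentVersion\Policies\System';      Name='DisableRegistryTools'; Value=1 },
    #    Also useful inside a published-application session: remove Run and
    #    block cmd.exe (2 = interactive cmd only, batch scripts still run).
    @{ Hive='HKCU'; Key='Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name='NoRun';                Value=1 },
    @{ Hive='HKCU'; Key='Software\Policies\Microsoft\Windows\System';                     Name='DisableCMD';           Value=2 },
    # 3. Recognizing installed hardware: disable the USB mass-storage driver
    #    (4 = SERVICE_DISABLED) and, on Vista and later, deny installation of
    #    any device not explicitly allowed by another policy.
    @{ Hive='HKLM'; Key='SYSTEM\CurrentControlSet\Services\USBSTOR';                      Name='Start';                Value=4 },
    @{ Hive='HKLM'; Key='SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'; Name='DenyUnspecified';      Value=1 }
)

function Set-LockdownValue {
    param([hashtable]$Item)
    $path = "$($Item.Hive):\$($Item.Key)"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Item.Name -Value $Item.Value `
        -PropertyType DWord -Force | Out-Null
}

function Test-Lockdown {
    param([hashtable[]]$Items = $Lockdown)
    foreach ($i in $Items) {
        $path   = "$($i.Hive):\$($i.Key)"
        $actual = $null
        if (Test-Path $path) {
            # Missing value -> $null, which compares as non-compliant below.
            $actual = (Get-ItemProperty -Path $path -Name $i.Name `
                       -ErrorAction SilentlyContinue).$($i.Name)
        }
        [pscustomobject]@{
            Setting   = "$($i.Hive)\$($i.Key)\$($i.Name)"
            Expected  = $i.Value
            Actual    = $actual
            Compliant = ($actual -eq $i.Value)
        }
    }
}

if ($Audit) {
    Test-Lockdown | Format-Table -AutoSize
} else {
    foreach ($item in $Lockdown) { Set-LockdownValue -Item $item }
    # Anything still non-compliant after writing means the value is being
    # overridden (Group Policy refresh, a lockdown tool) or the key is absent.
    Test-Lockdown | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
}
```

Saved as a script and run with -Audit it only reports; without the switch it writes the values and lists whatever did not stick. The USBSTOR change takes effect for devices plugged in afterwards, and the HKCU policies after the user next logs on. These values cover only the shell's entry points: the file dialogs that make a published Internet Explorer a break-out path also need NTFS permissions on the server's file system and, on Windows XP and Server 2003, Software Restriction Policies to stop the user from running what those dialogs can reach.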

The methods for locking down Microsoft desktops have evolved over the years, although, as we discuss next, there is still ample room for third-party providers to offer good solutions. For Windows XP Professional, Group Policy (user and computer settings) is reasonably powerful and easy to change through the Group Policy Editor. For older desktop operating systems (Windows NT 4.0, Windows 98, Windows 95, and so on), policy tools were lacking, and so Microsoft released scripts in Zero Administration Kits (ZAKs). For example, the ZAK for NT Workstation contains command files to install NT unattended (cmdlines.txt), make custom Registry changes for applications (appcmds.cmd), and set restricted access to the file system (acls.cmd). Be warned: the settings chosen tend to be very restrictive and may break specific or custom applications, so test them against your application set before deployment. The various client ZAKs are supplied free of charge from Microsoft's Web site and should be evaluated as a way to restrict user activities on the desktop. At the very least they provide a platform from which to build custom scripts.

Note 

Administrators should extract the full contents of a ZAK, review them, and add only the pieces they want to their systems rather than running the kit wholesale. Extract and test the scripts on a lab machine before applying them to a production image.

Third-Party Software for Desktop Lockdown

In the last three years, several software providers have built tools to automate the lockdown of PCs and the PC user environment. Third-party software packages for restricting user activities present a friendlier interface than the Group Policy Editor and Regedt32, can track and roll back changes, and provide myriad management and performance optimization features. We have utilized tools from three software vendors that provide lockdown for both the server user environment and the desktop environment. Although there are many other vendors, the three that we have used and can recommend for desktop lockdown are RES, triCerat, and AppSense. Applications from these providers make user profile, policy, or direct Registry changes to a workstation based on either a standard image or a centralized rules database. The rules can be assigned by user, group, application, or even time schedule. Though the result of these applications' activity is to change the Registry on the client device's operating system, something that can be done manually, these vendors do it in a way that is easy to manage and scales across a large organization. Perhaps most important, these applications are compatible with both distributed and centralized application hosting: they can impose the same restrictions on an application hosted from a Presentation Server farm as on one running on a local desktop.

Profiles

Although profiles will be the main topic of Chapter 15, they are worth a quick mention in this section, as they impact the overall client design. Windows 2000 Server and Windows Server 2003 use user profiles to hold a variety of user environment and application settings. Important items like MAPI and ODBC settings are maintained in the user profile. Because of their importance to user functionality, as well as their tendency to grow fast and large like prepubescent elephants, user profiles represent a difficult challenge in the design of the system. For instance, they can be configured as mandatory, roaming, or a hybrid of a mandatory and roaming profile. A great deal of industry work has gone into creating best practices for hybrid user profiles, as well as for roaming profiles. Even the lockdown applications discussed earlier address user profiles, and some of them claim to alleviate the need for roaming profiles altogether.

We recommend using roaming user profiles, but we have ourselves used the tips and tricks provided in Chapter 15 to keep a tight rein on the size and storage of the roaming profiles. For the purposes of design, be sure to follow the steps laid out in Chapter 6 for network design to ensure that sufficient network bandwidth and disk space are allocated to support roaming profiles. From a purely client device standpoint, it is worth noting that Windows terminals are not affected by user profiles, although any published applications they log on to will be. On the hybrid PC side, administrators should be careful to keep the PC profiles separate from the Terminal Services profiles, as discussed in Chapter 15.

Software Distribution and Server-Based Computing

Since many enterprises today utilize software distribution applications like Microsoft SMS, the question arises about how these will integrate and how this function will be performed in a Presentation Server environment. The answer is threefold:

  1. One of the clear advantages of Presentation Server is that we no longer need to install, configure, and maintain applications on the desktop. Thus, unless the desktops will be used in hybrid mode, the software distribution headache and accompanying software tools will disappear at the desktop level.

  2. The only exception to point 1 is the Citrix client, which must be distributed, configured, and maintained on all client desktops. Although a software distribution tool can be used for this purpose, we recommend using Citrix Web Interface to deploy the Citrix client. When a desktop user uses a Web browser to navigate to the Citrix Web Interface site and clicks an application icon, the Citrix client will download and self-configure.

  3. Software distribution automation can be a significant time saver at the server level for large enterprises with a significant number of servers. In a Presentation Server environment, the applications must be installed on all of the servers serving them, which can be a significant undertaking for organizations with 10 to 1,000 Presentation Server servers. Citrix provides a tool for this purpose, Citrix Installation Manager, embedded in the Enterprise version of Presentation Server, which we will cover in depth in Chapter 13.

The ICA Client for Hybrids

In Chapter 3, we presented the connectivity options of the Citrix client, including Program Neighborhood, Web Interface, Citrix Secure Gateway, and the Citrix Access Gateway. In this section, we will focus on the differences between the various hybrid clients you might consider.

Significant Platform Differences

For purposes of this discussion, the 32/64-bit Citrix client for Windows will be considered the functional base for all other client versions. Although in the past other clients typically contained fewer features or worked slightly differently, Citrix has dedicated significant resources to ensure that other devices have similar feature sets and performance.

  • Macintosh The Citrix client for the Mac OS prior to OS X was missing many features such as support for audio, peripherals, and remapping of local ports. But with OS X, Citrix released a new, full-featured client that has nearly identical features to the Windows 32/64-bit client. Like all non-Windows Citrix clients, the Mac client provides access to Windows key sequences through local key combinations.

  • Linux/UNIX The Linux/UNIX clients offer complete functionality for any non-Windows Citrix client, but not all features are supported on all flavors of UNIX. Check your platform against the feature list on the Citrix Web site for specific support. The Program Neighborhood is not supported, but virtually all other functions are present. Windows key sequences are provided through local key combinations designed not to conflict with the ALT key sequences normally reserved for the X Window System, though these can be reprogrammed if desired.

  • Web Interface clients Citrix Web Interface allows administrators to configure the Web site to provide a specific Citrix client, to provide a Citrix client based on the client operating system, or to allow the user to choose a Citrix client. The 32/64-bit Citrix client provides the most features, but with Presentation Server 4, Citrix updated the Java client to provide nearly the same functionality as the full 32/64-bit client. This client can be very useful when being run from kiosks or other locked-down environments.

  • Citrix Access Gateway clients The Citrix Access Gateway requires a very small SSL VPN client that enables the advanced features of the Access Gateway solution, in addition to the standard Citrix client that will be required to access Presentation Server applications.

Local Peripherals

Local peripherals can be automatically mapped from the desktop to the server, but not without a price. The data stream used by the device must travel over the network from the server farm to the client device. This can cause excessive bandwidth utilization unless measures are taken to control it. We discuss methods for accomplishing this with printers in Chapter 9.

Note 

The ICA COM and LPT port redirection allows a variety of local peripherals to be used, but many require tweaking because the ports do not work exactly as they would if they were local ports. For example, we have found that excessive latency over a WAN connection can cause redirected devices to behave erratically, and in fact, the devices can exacerbate the bandwidth problem and cause other network services to fail. Additionally, COM port and LPT port redirection aren't supported through ICA Passthrough connections.



Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition
ISBN: 0072262893
Year: 2004
Pages: 137