You Know Where The Door is – Use It!.. But Do You Have To?

January 17, 2010

Yes. Something that has happened several times before has happened again this week.

A Reseller/Solution Provider implements a Citrix/Terminal Services/VDI/Streamed Application solution for an end user client. The end user has since received a Software Asset Management review, and at the end of it, the client receives a big unbudgeted invoice from Software Vendor XYZ because their Citrix/Terminal Services/VDI/Streamed Application solution does not enforce a ‘Per Device’ based application access control and licensing model. As a result, the end user client gets upset and, in the case this week, the Reseller/Solution Provider was shown the door and lost the Client.

As mentioned, I have seen this many times before, and I must sound like a broken record to my reseller techies, but this scenario keeps happening and can be avoided!

Now, before you blame it all on one particular application vendor, just remember that MOST if not ALL of your typical Software Vendors have a DEVICE based model for licensing, not user based. It’s pretty simple: if a device can potentially access the application (regardless of where the actual code executes, or even whether it executes at all), that device needs a licence. Even if you try to block access to the application at the user level with GPOs, SRPs or white and black lists, this does not comply, as the authorized users can still access the application from all devices and so all devices still require a licence.

For example, if I own 50 PCs and install Application A on each PC, I need to buy 50 licenses. I can’t just say I only have one user login, so I only need one license – the world doesn’t work like that.

And “network technologies” (CTX/TS/VDI/STREAMED APPS) are no different. If I can run the application from any single one of my 400 thin clients, then either I need to buy 400 device licenses of the application, or I need a way of enforcing the number of devices that can execute it.

If you want to see this explained, you can see me whiteboard it on the AppSense YouTube Channel here -> Whiteboarding a per device licence scenario

Now I understand not everyone sees things the same way, but my experience is the Reseller/Solution Provider is often the scapegoat in these scenarios when it all goes pear-shaped. So, for the partner to protect their rear end, and be a bit proactive, some of our Aussie Solution Providers highlight this to the end user by sending a short email, not only to the IT Manager who may be running the project, but also to the CFO and CIO who sign the cheques.

This email points out that the Solution Provider is bound by their status with Software Vendor XYZ to inform the client that the solution they are looking to implement does not fulfill the licensing requirements of the Software Vendor they want to use, and that they may be liable for additional licence fees and even financial penalties in the event of an audit if they do not also include a per device application access control solution as part of their overall SBC or VDI solution.

I was having this discussion in the office this week when, Hey Presto – in jumps AppMan with his favorite AppSense product Application Manager – he’s a jovial fellow, looking resplendent in his red outfit. Sure he’s not the tallest guy in the office, he could do with a few visits to the gym (couldn’t we all?) and yes I agree some of his hair has left the building for greener pastures but everyone with a wife and kids has that issue :-)

However, his heart’s in the right place. He wants everyone to be compliant with their software licensing, he doesn’t want to see companies paying out for licences they don’t need, and he only wants to see Trusted/Authorized Applications running on corporate architecture (more info on how AppMan and his solution Application Manager can help with per device software licensing can be found here).

In addition, there’s a side benefit – not only will AppSense Application Manager enforce a per device licensing model, it’s also one of the most effective security products on the market. Trusted Ownership ensures that only software installed by a Trusted Owner (typically the IT Team) is allowed to run. Any file installed by a user will instantly be blocked.

Effective and bullet proof, that’s AppSense Application Manager. And as I always say when the subject of security comes up, it’s not that the security team at your organisation has done a bad job, it’s just that they don’t know what they don’t know, so how can they protect against something they do not know about, or some piece of code that has only just been written today by someone they don’t know of? On the other hand, AppSense Application Manager will show you EVERY file users try to execute, so you do now know what is going on.

And maybe, just maybe, if we all work harder at helping our clients, we can all join a Gym, take some measures to stop our hair falling out, avoid any software licensing issues and costs.. and all live happily ever after :-)

For more information on cost reduction in your environment, please visit the cost reduction pages on the AppSense website.


Environment Manager New Feature – Logoff

October 27, 2009

AppSense Environment Manager 8.0 Service Pack 2.0 has introduced some new Logoff functionality.

To enable all Environment Manager actions to complete on logoff and to prevent the logoff black screen from appearing on Vista and Server 2008, the Shutdown Windows API call is detoured.

This API call is called whenever a user logs off or shuts down the system. The detour allows Environment Manager to:

  • Trigger Environment Manager logoff actions
  • Prevent logoff continuing until all Environment Manager actions have completed

When the Environment Manager actions have completed, or a default timeout of 60 seconds has passed, logoff continues, allowing any remaining processes to shut down before Windows itself shuts down. You can override the default timeout by setting a millisecond value in the “LogoffActionWaitTimeout” registry key. Since Environment Manager has already completed its work, it will not be a cause of the Windows logoff black screen.

Whilst the Environment Manager logoff actions are taking place, the system is effectively stalled and the user may wonder what is happening. To alleviate their concerns, a custom screen can be displayed informing the user that Environment Manager is busy. The screen is activated when text for the screen is configured from within the Blocked Text Library.

Adding an entry to the Blocked Text Library with the Title Logoff Message will allow a custom message to be specified for display.

Note: Once logoff continues, Environment Manager has effectively finished for the user session, therefore no more Policy Configuration actions or User Personalization will take place. Additionally, if another application decides to misbehave at this point, the black screen may still appear for those applications.


Some Citrix XenDesktop Troubleshooting Tips

September 23, 2009

I have recently had to build a new Citrix XenDesktop environment for some testing which included Citrix Provisioning Server and Citrix XenServer. Along the way, I had various issues and struggled to find a single, comprehensive, troubleshooting article so I am going to have a stab at it here since I had to go through various tests in order to sort my issues. Having said this, there are some very good technotes on the Citrix web site here – http://support.citrix.com/product/xd/v3.0/technote/

  1. Enable logging for the Workstation Agent and ensure that access to the C$ share of the master XenDesktop image is enabled, including a firewall exception for file sharing. This is so that you can get at the log file without having to log on interactively to the image. See this article for how to enable the logging by a simple edit to the WorkstationAgent.exe.config file:  http://support.citrix.com/article/CTX117452 

    Obviously ensure that the Workstation Agent (Citrix Desktop Service) is successfully starting, as are other Citrix services, and the log shows it registering with the DDC.

  2. The event logs are also obviously another place to look when things fail although this can be tricky if your VM has been connected enough to want to reboot when the connection attempt has failed.
  3. You can also enable logging for the Desktop Delivery Controller service which is detailed in the link above. Ensure that the DDC service and other Citrix ones start successfully.
  4. PortICA logging can be enabled – http://support.citrix.com/article/CTX118837 – which could show potential ICA problems. It didn’t for me but will stay enabled in my base image whilst I am still testing.
  5. Citrix tracing tool (CDF – Citrix Diagnostic Facility) – this didn’t help me as it only currently supports a small number of client side features such as USB. It can also be run on the machine running the Workstation Agent but I didn’t do this.  http://support.citrix.com/article/CTX120269
  6. I did have some errors when using the XenDesktop Setup Wizard so I followed the steps to get a log file for this. I couldn’t get the log produced via the command line so ended up modifying the .config file as described here: http://support.citrix.com/article/CTX118278 

    My issues actually turned out, I think, to do with the fact that the template I was specifying in the wizard had an 8GB disk attached (it was my Gold Build VM that was booting off the PvS disk but still had the original hard drive in case I needed to rebuild the PvS disk) so each new VM created by the wizard was creating a new 8GB disk and I simply didn’t have the storage for it (not that I got an error suggesting this). I therefore created a new VM in XenServer that had the memory, NIC and CPUs I wanted but had no hard disk so actually didn’t have an OS installed (it never even got booted). This doesn’t matter since the OS comes from the vdisk/vhd you specify, separately, in the wizard.

  7. Check that you can logon with the required accounts to the VMs in your XenCenter/XenServer console. This should show any domain joining or account issues, e.g. expiry or permissions. Also check network connectivity to/from them.
  8. Fire up your gold image VM, since it should be on a standard image disk so the changes will be lost when it shuts down, add it to a new desktop group without a hosting infrastructure so that you just use the name of the VM in the group. This should tell you if the problem was something funny about the desktop group or the VMs that comprised it.
  9. My issue was that I was launching the connection from Web Interface but I wasn’t getting a session, just a failure popup – “Unable to connect to the desktop. This may be a temporary problem. Click OK and then try starting the desktop again. If the problem persists, contact your system administrator”. Before acknowledging the failure popup, look in your %temp% folder for the ICA file that it dynamically created. It won’t be a .ica file but instead will most likely be a .tmp file, although it will probably start “ica*” – easily spotted by modification time, particularly if you sort on modification time. It is actually the argument to cdsbar.exe if you look in Task Manager on Vista or with SysInternals/Microsoft Process Explorer. Open the ica file in notepad and check that it makes sense – e.g. is connecting to the right thing (“Address=”) and that the entity can be resolved/contacted. Note that the ica file, in best Mission Impossible style, will self destruct, i.e. be deleted, when you OK the failure popup thanks to the “RemoveICAFile=On” line. Note also that there is little point in saving the ica file for later use since it has a logon ticket in there which most likely will have expired.
  10. This leads on to checking that port 1494 is accessible in the virtual desktop by telnetting to it. However, port 1494 is only alive for a brief while after the connection is initiated so wait a few seconds after you have clicked on the icon to launch the session in Web Interface, or Program Neighborhood, before trying the telnet. When accessing a pool, look at the temporary ICA file to figure out which machine to check or reduce the pool to a single machine. We are not really looking for anything here other than the connection succeeds although you will probably see the characters “ICA” displayed.
  11. As by this stage all logs were looking fine and port 1494 was working, I put on a network monitor, in this case SysInternals/Microsoft Process Monitor, on my client machine (the one accessing Web Interface) and filtered on wfica32.exe. This is when I found that some traffic was going through my proxy that I hadn’t allowed for – bingo, problem solved when the proxy was disabled. In my defence, I had tried accessing from a different client (this should probably be a separate line item in this troubleshooting “guide”) but that had also failed, albeit probably for different reasons as it wasn’t using a proxy.
  12. Watch for proxies! Obviously configure them as necessary or disable them.
  13. I did have some “funnies” with my XP VMs created by the XenDesktop Setup Wizard and running off PvS. I think they were because after creation I had switched the master disk away from Standard Image mode. My excuse is that you have to manually hit F5 to do a refresh after changing vDisk properties and I didn’t! I was actually getting the error described here: http://forums.citrix.com/message.jspa?messageID=1393521 

    Sometimes the streaming console (StreamConsole.exe) on the PvS box can help diagnose these kinds of issue. Unfortunately it didn’t in this case.

  14. I also got caught by my base image having minuscule event log sizes (64KB) so even though they weren’t up for long, it was enough for them to fill up and not to overwrite so it was back to the base image to set larger sizes and set them to overwrite as needed.
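
Steps 9 and 10 above, as an added Python example that is not part of the original post: it finds the newest ica*.tmp file, reads the Address and RemoveICAFile fields without echoing the logon ticket, and retries a TCP connect to port 1494 because the listener is only up briefly. The sample file contents are constructed, and the LogonTicket key name and the host[:port] form of Address are assumptions.

```python
import configparser
import glob
import os
import socket
import time

# Constructed sample of a temporary launch file; every value is made up.
SAMPLE_ICA = """[WFClient]
RemoveICAFile=On

[ApplicationServers]
Desktop1=

[Desktop1]
Address=127.0.0.1:1494
LogonTicket=CONSTRUCTED-TICKET
"""


def newest_launch_file(folder):
    """Return the most recently modified ica*.tmp file in folder, or None."""
    files = glob.glob(os.path.join(folder, "ica*.tmp"))
    return max(files, key=os.path.getmtime) if files else None


def parse_ica(text):
    """Extract the fields worth checking from ICA (INI-style) text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)  # configparser lower-cases option names
    info = {"host": None, "port": 1494, "remove_ica_file": False,
            "has_logon_ticket": False}
    for name in cp.sections():
        sec = cp[name]
        if (sec.get("removeicafile") or "").lower() == "on":
            info["remove_ica_file"] = True
        if sec.get("logonticket"):  # key name is an assumption
            info["has_logon_ticket"] = True  # never echo the ticket itself
        addr = sec.get("address")
        if addr and info["host"] is None:
            host, _, port = addr.partition(":")  # assumes host[:port]
            info["host"] = host.strip()
            if port.strip().isdigit():
                info["port"] = int(port)
    return info


def poll_port(host, port=1494, window=15.0, interval=0.5):
    """Retry a TCP connect for `window` seconds; return (reachable, banner)."""
    deadline = time.monotonic() + window
    while True:
        try:
            with socket.create_connection((host, port), timeout=1.0) as conn:
                conn.settimeout(1.0)
                try:
                    banner = conn.recv(16)
                except OSError:
                    banner = b""  # connected, but nothing arrived in time
                return True, banner
        except OSError:
            if time.monotonic() >= deadline:
                return False, b""
            time.sleep(interval)
```

Read the file returned by `newest_launch_file` before acknowledging the failure popup, pass its text to `parse_ica`, and start `poll_port` straight after launching the session so the retry window overlaps the brief period in which port 1494 is listening.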

NEW FEATURE No. 11 – AppSense Environment Manager 8.0 Service Pack 2 – Registry Hive Exclusions

September 17, 2009

This is the eleventh installment in a series of posts about the new features and options in AppSense Version 8 Service Pack 2. (If you have not yet downloaded this latest release, you can read more info and download it from here.)

AppSense Environment Manager 8.0 Service Pack 2 introduces new functionality to the Registry Hive action – Registry Hive Exclusions.

This feature allows the administrator to specify registry settings to hive out at a specific level and then exclude certain keys or values beneath that level in order to reduce the registry file size on disk. For example, you could hive out the whole Microsoft Office key, but exclude settings for Microsoft Access.

Note: You can use wildcards for the key name and you can explicitly exclude a key name with an embedded wildcard character by enclosing the key name with quotes “”. However, it is not possible to specify a key path with a leading wildcard such as *\Software”wildcardkey*”.

Note: It is not advised to use keys that start with HKEY_CURRENT_USER since the software does not use this key internally.

Note: Registry Hive Exclusions currently only work when hiving out settings rather than hiving them in. This is the preferred method since it reduces the amount of required storage space on the network.

P.S.
As this is an ever growing blog topic, the previous posts on the other new features we have detailed can be found below:

NEW FEATURE No. 1 – AppSense Environment Manager 8.0 Service Pack 2 – Run As

NEW FEATURE No. 2 – AppSense Environment Manager 8.0 Service Pack 2 – Connect As

NEW FEATURE No. 3 – AppSense Environment Manager 8.0 Service Pack 2 – Improved compression and data handling protocol

NEW FEATURE No. 4 – AppSense Environment Manager 8.0 Service Pack 2 – Manipulation of files in Personalization Analysis

NEW FEATURE No. 5 – AppSense Environment Manager 8.0 Service Pack 2 – Run Once

NEW FEATURE No. 6 – AppSense Environment Manager 8.0 Service Pack 2 – Group SID Refresh

NEW FEATURE No. 7 – AppSense Environment Manager 8.0 Service Pack 2 – Trigger Action Time Audit Event

NEW FEATURE No. 8 – AppSense Environment Manager 8.0 Service Pack 2 – Stop If Fails

NEW FEATURE No. 9 – AppSense Environment Manager 8.0 Service Pack 2 – New Application Categories in the User Interface

NEW FEATURE No. 10 – AppSense Environment Manager 8.0 Service Pack 2 – Refresh

NEW FEATURE No. 11 – AppSense Environment Manager 8.0 Service Pack 2 – Registry Hive Exclusions


NEW FEATURE No. 9 – AppSense Environment Manager 8.0 Service Pack 2 – New Application Categories in the User Interface

September 11, 2009

This is the ninth installment in a series of posts about the new features and options in AppSense Version 8 Service Pack 2. (If you have not yet downloaded this latest release, you can read more info and download it from here.)

AppSense Environment Manager 8.0 Service Pack 2 introduces new Application Categories in the User Interface to make it easier to identify applications added by the administrator, versus default applications created by AppSense Environment Manager at install time:

[Image: personalization application categories]



How To Guide: Streaming Microsoft Office with Citrix XenApp 5 – Best Practice Guide & Licensing Overview

August 27, 2009

Citrix Technology Professional (CTP) Alexander Ervik Johnsen has written a very useful piece on how to Profile and Stream Microsoft Office 2007 using Citrix XenApp 5.0.

This is a great guide and covers how to stream Office to a desktop, or into a Citrix XenDesktop session. His article and guide can be found on his website here.

Further to the actual process of profiling and streaming the Office application, I also want to ensure everyone is aware of the Microsoft Per Device Licensing Model for Server Hosted Applications.

Many Microsoft applications, including Microsoft Office™, Project™ and Visio™, are licensed on a per-device basis. This means a desktop application license is required for each and every device that is able to potentially access the application or server where the application is installed, regardless of whether a user executes and runs the application or not. This makes licensing Microsoft applications in virtual environments a tricky, potentially very costly, and misunderstood subject.

One misconception is that by ‘publishing’ or ‘streaming’ applications to a limited “user” group, that group is compliant with the Microsoft license agreement – in other words, that Microsoft licenses their applications per user. This is in fact in breach of the Microsoft licensing model, and can lead to legal action.

I have written a blog, which also includes official Microsoft approved whitepapers on how to control and enforce application access and license compliance on a per device basis in such virtual environments. That blog can be found here.

In addition to helping ensure compliance, effective license control and management can also reduce Microsoft License requirements and associated costs – more information on this can be found here.

If anyone has any questions or comments, as always, please do let me know.

Thanks
Gareth


Does Citrix XenDesktop Help Companies during Natural Disasters?

August 24, 2009

Jon Wallace from www.InsideTheRegistry.com writes an interesting piece on how Citrix XenDesktop may be able to help organizations during natural disasters and power outages.

“I’m currently building out a demo rig for an upcoming tradeshow and while I was installing the various bits and bobs for the XenDesktop solution it got me thinking as to its unusual uses.

I live in Fort Lauderdale, Florida and during the summer, power outages are normal due to thunder storms and other bad weather.  This along with hurricanes, tropical storms and other activity makes working at home especially interesting at times.

When the power goes out, so does my communication.  I lose my internet, my landline and depending on the duration my laptop but one thing can be assured, the local Starbucks is always on – obviously people need coffee when they have downtime.  Anyway, back on track…

Imagine I was a columnist for a newspaper or magazine and I was working on the latest scoop that some celebrity has been caught eating a burger when the power went out – without connectivity I can’t upload the article to my corporate servers and get it out before my competitor does…”

Click here to read the rest of the article and learn how Citrix XenDesktop can help in this case…