Set Virtual Desktop Idle Timeouts Correctly


One of the major advantages of virtualizing the desktop is security. Organizations are better able to keep data internal as opposed to letting it sit on endpoint devices located anywhere in the world. But security doesn’t stop there. I recently observed an interesting situation that we all need to be aware of so that we can avoid it. Imagine this scenario…

A user walks away and doesn’t lock their endpoint. After 10 minutes their virtual desktop is locked automatically. However, around the 20 minute mark, I walk by, see an unlocked endpoint and start looking around. No data on the endpoint. But I see the user left their browser open and one of the tabs is connected to Web Interface. And luckier still, the user is still logged into Web Interface. If I select the virtual desktop, I now re-connect to the user’s already active virtual desktop and have complete access to their data.

The goal for most organizations is to prevent unauthorized users from gaining access to a user’s virtual desktop. Many put a timer on inactive desktops so users are required to re-enter their credentials, thus helping to prevent others from gaining access. This works fairly well, but only if you extend the setting beyond the virtual desktop itself.

Many users initiate their connection via Web Interface. Web Interface has its own timeout setting. If you set Web Interface timeout to be 30 minutes and your virtual desktop is 10 minutes, you really aren’t doing anything.

I hope you can see the trouble this might create. This is a pretty easy one to avoid by simply modifying the Web Interface Session timeout setting contained within the Session Settings configuration for the site (and if you can, enable endpoint lockouts as well).
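The layering problem described above can be checked mechanically. The following is an added example, not part of the original post or of any Citrix tool: it models the three idle timers (endpoint, Web Interface, virtual desktop) and reports the worst-case window in which someone at the endpoint can still reach the desktop. The class, field names and sample sites are hypothetical, and the values must be read from your own configuration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SiteTimeouts:
    """Idle timeouts in minutes. All names are hypothetical, for illustration."""
    name: str
    desktop_idle_lock: int               # virtual desktop locks after this idle time
    wi_session_timeout: int              # Web Interface session timeout
    endpoint_lock: Optional[int] = None  # None: the endpoint never locks itself


def exposure_window(site: SiteTimeouts) -> int:
    """Worst-case minutes after the user walks away during which someone at
    the endpoint can reach the desktop without entering credentials.

    A live Web Interface session lets them reconnect to a locked desktop,
    so the longer of the two timers wins; an endpoint lock caps the result.
    """
    window = max(site.desktop_idle_lock, site.wi_session_timeout)
    if site.endpoint_lock is not None:
        window = min(window, site.endpoint_lock)
    return window


def audit(site: SiteTimeouts) -> List[str]:
    """Return findings for one site; an empty list means the layers agree."""
    findings = []
    # How long the Web Interface session is actually reachable at the endpoint.
    reach = site.wi_session_timeout
    if site.endpoint_lock is not None:
        reach = min(reach, site.endpoint_lock)
    gap = reach - site.desktop_idle_lock
    if gap > 0:
        findings.append(
            f"{site.name}: Web Interface session stays usable {gap} min "
            "after the desktop locks"
        )
    if site.endpoint_lock is None:
        findings.append(f"{site.name}: no endpoint lock configured")
    return findings


# Constructed sample data; the first entry mirrors the 10/30 minute scenario.
SITES = [
    SiteTimeouts("page-scenario", desktop_idle_lock=10, wi_session_timeout=30),
    SiteTimeouts("aligned", desktop_idle_lock=10, wi_session_timeout=10),
    SiteTimeouts("endpoint-locked", 10, 30, endpoint_lock=5),
]

if __name__ == "__main__":
    for s in SITES:
        print(f"{s.name}: exposed for up to {exposure_window(s)} min")
        for finding in audit(s):
            print("  -", finding)
```
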

Daniel – Lead Architect

XenDesktop Design Handbook – No Registration Required


A few months ago we released the XenDesktop Design Handbook that contained a collection of reference designs, implementation guides and planning guides. When it was initially released, it had a few items. Over the past couple of months we have included additional items like

  • Bandwidth planning
  • Windows 7 optimization guide
  • VM resource allocation
  • SMB reference design

One of the biggest requests I got was to get rid of the registration page. I agree. I hate when I have to register for content. So if you use this new link, you can get access to the XenDesktop Design Handbook without registration.

If you log in with your MyCitrix account, you get the added benefit of allowing you to sync the kit for offline use. With the offline tool, you can just re-sync every month or so to get the latest planning guides.

Enjoy

Daniel – Lead Architect

XenDesktop for the SMB/SME Webinar Questions and Answers – Part 1


Those of you who attended the XenDesktop design for small to medium business webinar had many great questions. It has taken some time, but I’ve been able to provide answers to many of the submitted questions that we did not have time to answer during the webinar. First, some links for everyone:

  1. XenDesktop Design Handbook
  2. XenDesktop Design for SMB webinar

Now, onto the Q&A (note, this is part 1 of an unknown number of parts. I had so many great questions that this will take some time).

Q: In XenDesktop is there a way to manually move the Master Farm Server to another to complete server maintenance?

A: You don’t need to. If the XenDesktop farm master fails (or goes offline for maintenance), one of your other servers will take over that role.

Q: Is there any available documentation on a migration path/plan for going from XenDesktop 4 to XenDesktop 5?

A: Not yet as the product isn’t out. There will be materials and recommendations and blogs talking about this in Q1/Q2 of 2011.

Q: If we do have the capacity to have the images on shared storage/SAN, is the performance going to be better than local?

A: It should, but it is tough to say. If the SAN is designed right, it should be fully optimized and have plenty of caching capabilities and enough spindles to support the load. You could do the same for local storage, but again, you would need array controllers, spindles, etc. The only benefit you would get with local storage is that it is all local instead of going across the wire.

Q: Is it possible to stream remote desktops via broadband links to remote sites?

A: Anything is possible, but many things you don’t want to do. I assume when you say stream, you mean stream a desktop to an endpoint that is across a broadband connection using Provisioning Services. The problem you will run into is the amount of data that is required. You need 200MB to boot; on broadband, this might take 1 minute. Plus, you need to be able to network boot. This is hard to do over your broadband connection. :) Third, any time that the endpoint requires additional portions of the stream, it will take time to send it across the wire, which results in slow responses for the user. Best bet is to use a hosted solution (VM-Based or Shared) and let the HDX protocol go over the slow link.

Q: In this scenario are we using PVS HA? If so, best recommended way to sync vdisks?

A: Yes, HA is planned for the environment. For smaller implementations where you only need 2 PVS servers, put the vDisk on local drives and either manually copy or have a script auto copy if one vDisk is updated. Keep it simple.

Q: Was XenApp included in this Example for application management? Do you see VDI edition and building Apps into OS for SMB as an option?

A: For SMB, if you don’t already have XenApp, you might end up going with the VDI edition without XenApp. It is a decision you need to make. Do you want to manage more desktop images (because the apps are in the vDisk image), or do you want to manage a XenApp infrastructure and have fewer desktop images? Most SMB implementations have few desktop images, so installing the apps into the base desktop image simplifies the architecture. It does increase the number of images, but the number is manageable.

Q: Running two Web Interface VM’s makes sense for redundancy; but what are the type of failures that could fail one WI and not the other?

A: IIS service failure, disk space shortage, mis-typed configuration, etc. There are many reasons why one WI server would fail and not the other. Many times it is admin error, but you do get the occasional software glitch.

Q: We don’t use provisioning servers? We just connect the Citrix clients through the desktop delivery controller to the desktop VMs. Is that an incorrect method?

A: That is an option and it does work. You essentially P2V your traditional desktop to a virtual desktop in the data center. The only thing is you have to manage the virtual desktops like you did in the physical world. PVS simply provides you with a single image management to help with operations.

Q: Does the provisioning server need to be physical as often recommended?

A: No. It works virtual. However, you do have to look at performance. For many systems that stress a hardware component, it is questionable whether they should be virtualized, as the hypervisor will add overhead. The level of overhead is based on product, component, etc. You can virtualize PVS on a hypervisor, but you might not get bare-metal performance as PVS stresses the NIC.

Q: What is SRIOV?

A: SR-IOV allows the VM to bypass the hypervisor to get to the NIC. This helps overcome some of the overhead questions just mentioned. This blog is useful to see what I mean: http://community.citrix.com/display/ocb/2010/09/14/Citrix+Provisioning+Server+Gets+Virtual+with+SR-IOV

Q: Do you need a separate image for each language or is it possible to do it with 1 image with language packs?

A: Interesting question and I’ve never done it before, but if your base image contains the language packs, then you should be able to stream to multiple languages.

Q: What options are there for graphics intensive CAD workstation virtualisation?

A: Streamed to the endpoint or Blade PCs. Both allow you to have full desktop power, plus allows for use of specialized hardware.

Q: For 500 users why not use VMs for the PVS servers (I know that Citrix doesn’t like it)?

A: With a physical PVS server, we estimate you will get 500 desktop streams per 1Gbps NIC. Unless you have SR-IOV on XenServer, you probably won’t get 500 streams per NIC. Plus, without SR-IOV, all of the NIC traffic has to go through the hypervisor, which can cause bottlenecks. Now if you virtualize, you will end up needing more virtual PVS servers than if you had physical PVS servers. Unfortunately, I don’t have stats on the virtual PVS.

Q: What about peak IOPS? logons and anti virus scans may push IOPS up to 150 for Windows 7?

A: AntiVirus must be configured so the impact isn’t as great. Logon storms are a big issue, and we must determine how they will impact your overall storage design. I suggest you look at the XenDesktop Design Handbook as there is some info on AV design.

Q: What is the difference of using Hyper-V as solution for virtual desktop and using your product if we already have license with Microsoft?

A: None. Hyper-V is a great option for XenDesktop. The rest of the architecture and recommendations should still be the same. We have a Hyper-V reference design for XenDesktop within the XenDesktop Design Handbook.

Q: I thought PVS and DDC only supports Windows 2003, is this still the case?

A: In XenDesktop 4, the DDC only supports Windows 2003. In XenDesktop 5, the controller runs on Windows 2008. Provisioning Services runs on 2003 or 2008. 64-bit is recommended for PVS to get better caching capabilities.

Light Users: Hosted VM-based or Hosted Shared Desktops


I recently posted a blog focusing on the resource requirements for hosted VM-based virtual desktops. These are realistic numbers and should make you wonder if the hosted VM-based virtual desktop is the most appropriate solution for all four user categories. What I found interesting was that I already had another blog identified as a follow-up, talking about whether the hosted VM-based desktop model made sense for all of the defined user groups, when I started to receive emails, blog comments and Twitter comments expressing the same concerns. This is great! That means many more people are realizing that desktop virtualization does not always mean the hosted VM-based desktop model.

Let me explain further. As a refresher, we typically break down users into one of four groups defined as follows:

| User Group | Description |
|---|---|
| Light | One or two applications, no browser-based activity |
| Normal | Multiple applications with limited browser-based activity |
| Power | Many simultaneous applications with extensive browser-based activity and Internet-based applications |
| Heavy | Few applications but with heavy system resource requirements. Data processing, compiling, or graphics manipulation are common applications |

Of course as you move up the levels so too do the requirements for the hosted VM-based virtual desktop. But does it really make sense to have our light users running on the hosted VM-based desktop model? For light users, we typically define the following in terms of resource allocation:

| User Group | Operating System | vCPU Allocation | Memory Allocation | Avg IOPS (Steady State) | Estimated Users/Core |
|---|---|---|---|---|---|
| Light | Windows XP | 1 | 768MB-1 GB | 3-5 | 10-12 |
| Light | Windows 7 | 1 | 1-1.5 GB | 4-6 | 8-10 |

Is this crazy? Why does a user who only runs 1 or 2 applications, which are most likely line-of-business applications, require a hosted VM-based desktop environment? If you then go back to our high-level recommendations on application integration, you will see that many line-of-business applications are better served as applications virtualized on XenApp. This isn’t because desktops can’t run the applications; it is because many line-of-business applications are complex, have many dependencies, and require extensive configurations. Hosting these applications on XenApp is something that has been successful for years and virtual desktops do not change that fact.

Many of the issues we’ve seen with organizations running hosted shared desktops in the past come down to the fact that it doesn’t look or feel like the desktop OS. That was then, this is now. Windows 2008 can look like Windows 7. Challenge solved.

Many organizations struggle to justify transforming their desktop environment due to the costs associated. I agree, there is a cost, but the cost can be significantly reduced if you don’t go in blindly. If we use the hosted shared desktop model for our light user loads, we can save. Think about it this way: every light user will need 1-1.5GB of RAM for their hosted VM-based desktop session. Of that amount, roughly 768MB will be just for the OS. Why does each one of the users require a full-fledged desktop OS? If we share the desktop across 100 users, we save almost 8GB of RAM. It doesn’t sound like much, but what about 1000 users or more? And we haven’t even begun to discuss the impact on storage for these users.

So far we are only looking at the OS requirements; what about the application RAM requirements? Because the resources are completely shared, if the application requires 200MB to run, a large percentage of that amount can be shared across all users, helping to reduce the overall RAM requirements (and many Line-of-business applications I’ve seen, including the dependencies, need way more than 200MB of RAM).

So what is my point in all of this? Just because you are looking at virtual desktops, it doesn’t mean that you must put all of your users onto the same type of virtual desktop. Align the technology you implement with the user requirements.

Daniel – Lead Architect

VDI Resource Allocation


I have seen a lot of scalability reports lately around desktop virtualization. This is good in that we can start to see how the different things we do can provide better capacity. However, one thing that does trouble me is when I see tests only allocating 512 or 768MB of RAM to a Windows 7 VM. Sure it works. And yes it does successfully complete the scalability test, but remember what the scalability test is testing. It is not telling you how many users YOU will get. It is telling you how well the infrastructure can scale and what bottlenecks we might experience when the hardware is stressed. Unfortunately, because of these tests, too many people believe that they too can roll out a virtual Windows 7 desktop on 512MB of RAM. I wish that was the case. In fact, I bet Microsoft wishes that was the case as well. But I’m sorry to say that, sadly, it is not.

I wanted to provide you with what we (myself, Nicholas Rintalan, Doug Demskis and Dan Allen) figure is a reasonable estimation for resource allocation for Windows 7 and Windows XP desktops when delivered in the hosted VM-Based virtual desktop model (or VDI for short).

| User Group | Operating System | vCPU Allocation | Memory Allocation | Avg IOPS (Steady State) | Estimated Users/Core |
|---|---|---|---|---|---|
| Light | Windows XP | 1 | 768MB-1 GB | 3-5 | 10-12 |
| Light | Windows 7 | 1 | 1-1.5 GB | 4-6 | 8-10 |
| Normal | Windows XP | 1 | 1-1.5 GB | 6-10 | 8-10 |
| Normal | Windows 7 | 1 | 1.5-2 GB | 8-12 | 6-8 |
| Power | Windows XP | 1 | 1.5-2 GB | 12-16 | 6-8 |
| Power | Windows 7 | 1-2 | 2-3 GB | 15-25 | 4-6 |
| Heavy | Windows XP | 1 | 2 GB | 20-40 | 4-6 |
| Heavy | Windows 7 | 2 | 4 GB | 25-50 | 2-4 |

See anything shocking? How about 1.5 GB of RAM for light Windows 7 users? Remember, we are talking about the typical implementation that we have seen. That means the desktop image includes antivirus agents, malware agents, monitoring agents and line-of-business applications. These agents and applications add up (especially line-of-business apps). Being a light user only means that they run 1 or 2 applications. However, those applications are more than Microsoft Word. They are the main line-of-business application. So even though they don’t hit the CPU hard, they still consume a lot of RAM (of course these implementations could just put the line-of-business app on XenApp and not worry about providing a true Windows 7 desktop for light users).

Are you wondering what defines the four groups of users? Here is how we define them:

| User Group | Description |
|---|---|
| Light | One or two applications, no browser-based activity |
| Normal | Multiple applications with limited browser-based activity |
| Power | Many simultaneous applications with extensive browser-based activity and Internet-based applications |
| Heavy | Few applications but with heavy system resource requirements. Data processing, compiling, or graphics manipulation are common applications |

I’m hopeful that as you start planning your XenDesktop environment, you use realistic approximations on your virtual desktop specifications.

If you want to know more about resource allocation as well as many other areas for planning a XenDesktop environment, then sign up for the XenDesktop Design Handbook. This helps guarantee that you have the latest and greatest design information available.

Daniel – Lead Architect

Provisioning Services and CIFS Shares


Looks like we can use CIFS shares to store our vDisk images.  Yes, you heard that right, CIFS shares are OK to use.  Take a look at Citrix Sr. Consultant Dan Allen’s blog about Provisioning Services and CIFS Stores – Tuning For Performance.  Why does this matter? First we’ve always said not to use CIFS shares as Provisioning Services wouldn’t cache the contents. We knew Windows 2008 could cache from CIFS shares but Provisioning Services wouldn’t.  Well, apparently the install of Provisioning Services disables certain capabilities, but if you don’t store your write cache on the file server (Server-side), the registry key Provisioning Services disables can be re-enabled and system caching works (BTW, we don’t recommend you store your write cache server-side so we are good). Take a look at Dan’s article to get all of the details. Highly recommended. But for highlights, do the following:

  1. Must use Provisioning Services 5.6 SP1
  2. Make sure you provide the Provisioning Services with enough RAM for system cache.
  3. Set the registry values below

Recommended Registry Values:

  • Windows 2003 File Server
    • HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
      • “autodisconnect” = dword:0000ffff

  • Windows 2008 R2 File Server
    • HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
      • “autodisconnect” = dword:0000ffff
      • “Smb2” = dword:00000001

  • Windows 2003 x64 Provisioning Server
    • HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters
      • “EnableOplocks” = dword:0x00000001
    • HKLM\SYSTEM\CurrentControlSet\services\mrxsmb\Parameters
      • “OplocksDisabled” = dword:0x00000000
      • “CscEnabled” = dword:0x00000001
    • HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
      • “autodisconnect” = dword:0x0000ffff

  • Windows 2008 R2 Provisioning Server
    • HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters
      • “EnableOplocks” = dword:0x00000001
    • HKLM\SYSTEM\CurrentControlSet\services\mrxsmb\Parameters
      • “OplocksDisabled” = dword:0x00000000
      • “CscEnabled” = dword:0x00000001
    • HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
      • “autodisconnect” = dword:0x0000ffff
      • “Smb2” = dword:0x00000001
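To confirm a server actually carries these values, a registry export can be compared against the list. The following is an added example, not code from the original post or from Citrix: it parses the text of a .reg export and reports every value that is missing or differs from the Windows 2008 R2 Provisioning Server list above. The function names and the sample export are constructed for illustration.

```python
import re

# Recommended values for a Windows 2008 R2 Provisioning Server, from the list above.
RECOMMENDED = {
    r"HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters":
        {"EnableOplocks": 0x1},
    r"HKLM\SYSTEM\CurrentControlSet\services\mrxsmb\Parameters":
        {"OplocksDisabled": 0x0, "CscEnabled": 0x1},
    r"HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters":
        {"autodisconnect": 0xFFFF, "Smb2": 0x1},
}


def norm_key(key):
    """Registry paths are case-insensitive; exports spell out the hive name."""
    key = key.strip().lower()
    long_hive = "hkey_local_machine\\"
    if key.startswith(long_hive):
        key = "hklm\\" + key[len(long_hive):]
    return key


def parse_reg_export(text):
    """Return {key: {value_name: int}} for the DWORD values in a .reg export."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = values.setdefault(norm_key(section.group(1)), {})
            continue
        dword = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if dword and current is not None:
            current[dword.group(1).lower()] = int(dword.group(2), 16)
    return values


def audit(export_text, recommended=RECOMMENDED):
    """Return (key, value_name, found, wanted) for every deviation."""
    actual = parse_reg_export(export_text)
    findings = []
    for key, wanted in recommended.items():
        have = actual.get(norm_key(key), {})
        for name, value in wanted.items():
            got = have.get(name.lower())
            if got != value:
                found = "missing" if got is None else f"0x{got:08x}"
                findings.append((key, name, found, f"0x{value:08x}"))
    return findings


# Constructed sample export (not taken from a real server).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"EnableOplocks"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb\Parameters]
"OplocksDisabled"=dword:00000000
"CscEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters]
"autodisconnect"=dword:0000000f
"""

if __name__ == "__main__":
    for key, name, found, wanted in audit(SAMPLE_EXPORT):
        print(f"{key}\\{name}: found {found}, recommended {wanted}")
```
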

RAM Smorgasbord


When I talk about virtual desktop specifications, we often break down our users into a few different categories (Light, Normal, Power, and Heavy). These categories correspond to the resources we allocate to the virtual desktop (assuming we are talking about the hosted VM-Based desktop model). This should be no surprise. This discussion directly relates to the resource allocation to the virtual desktops. We want to make sure we provide what the users require. No more and no less. Of course I always get the question about memory ballooning, memory overcommit, dynamic memory, etc. I briefly touched upon this in a previous article where I talked about Improper Resource Allocation as part of my Top 10 Virtual Desktop Mistakes series.

I usually recommend against these technologies for virtual desktops because we are dealing with users. Most users will slowly start to consume more RAM as the day progresses. This is because:

  1. They are using more applications
  2. They are using more features within applications. Think about your browser: by the end of the day, you have more tabs open than in the morning, thus consuming more RAM.
  3. The application, if closed, probably does not fully release memory.

Don’t believe me? This is a graph for my own desktop as the day progresses (I have similar ones for different days and they all look similar). As you can see I start under 2GB used but as the day goes on, I increase to about 3.5GB. You can easily see when I start new applications and close applications. But by the end of the day, I typically have 5-10 different applications open and some consume a lot of memory.

Although I like to believe that I am special, I am just like many other users (at least from desktop usage characteristics). We leave applications open. So if we over-allocate RAM, we run into a major risk at the end of the day when users are trying to finish things up before they head home. There isn’t enough RAM to go around. That means we page to disk and we all know how fast disks are. We are killing the user experience because performance has gone right down the drain.

And as I am a user, I want a good experience. If I don’t get it, I will take this virtual desktop and tell you what I really think, virtually 🙂