All White Papers

White Paper

Five Ways F5 Improves XenApp or XenDesktop Implementations

Updated December 12, 2012

Introduction

Having successfully applied virtualization to server infrastructure and reaped the benefits, organizations are continuing to apply similar technology to the desktop. Driven by emerging "bring your own X" trends as well as the desires to reduce desktop management costs and close security and compliance loopholes, a majority of organizations are in the process of or are considering a transition to a virtual desktop infrastructure (VDI).

More than 50 percent of U.S. enterprises are migrating to virtual desktops or are considering transitioning to VDI in the next 12 months, according to new research from Visiongain, which projects the VDI market will reach $11.2 billion by the end of 2012. Cloud-Based VDI Market to Reach $11.2 Billion in 2012: Report

Whenever VDI is mentioned there are inevitably three names that come to mind: Citrix, VMware, and Microsoft. Despite VMware's growing footprint in the data center, Citrix remains top of mind when it comes to virtual desktop initiatives. This is no surprise given its long and successful history in providing enterprises with remote desktop access solutions. Citrix was at the forefront of desktop virtualization technology before it was the popular thing to do-well before the benefits of desktop virtualization were universally recognized as not only desirable but achievable.

But VDI is a much more complicated technology than its remote desktop predecessors. Enabling access to a remote desktop is no longer a simple matter of opening the right ports in the firewall. A complex web of interconnected systems is now required to ensure the security, reliability, and performance that are expected of virtual desktops by users, and complexity is the enemy not only of security but of performance, reliability, and the ability to implement at or under budget.

The VDI Challenge

The pressure on IT departments to meet user expectations is high. Standing in the way is a set of varied obstacles.

A spate of protocols-new and existing-combined with an increasingly diverse array of potential endpoint clients requires careful attention to security concerns. A growing mobile and remote workforce demands performance and accessibility from virtually anywhere and at any time. The need to integrate VDI delivery systems with the organization's existing network, security, and application infrastructure can result in high costs, not only in terms of the initial investment but throughout implementation and ongoing management.

External pressures arising from "bring your own X" can make VDI deployment even more frustrating as each new client or desktop introduces new performance, security, and mobility challenges. Each additional endpoint, VDI solution, and integration point increases the complexity of the infrastructure as well as the policies governing VDI delivery.

Like Citrix, with its traditional and trusted position as a leader in virtual desktop solutions, F5 has long been trusted with the delivery of applications. From the introduction of the Citrix Metaframe Presentation Server to today's XenApp, XenDesktop, and Citrix CloudGateway products, F5 has led the market in delivering Citrix remote and virtual desktop technology. With F5 BIG-IP products as part of a Citrix virtual desktop infrastructure, IT staff can meet and even exceed user expectations for performance, security, and reliability while reducing complexity and increasing mobility.

Meeting and Exceeding User Expectations

Most IT initiatives are judged by their ability to meet or exceed user expectations. Deploying an application is never enough; it must also stay available, perform well, and not be cumbersome to access. For these criteria, users are highly demanding, and it is by their standards that the business will determine success, so IT departments must overcome multiple operational challenges to meet or exceed user expectations. The F5 BIG-IP platform is a strategic approach to successfully meeting them all.

There are five challenges BIG-IP products can help overcome to improve Citrix VDI deployments and help meet the user definition of success:

  • Performance
  • Security
  • Reliability
  • Mobility
  • Complexity

Of these five key areas, four-performance, security, mobility, and reliability-are directly related to user expectations. By also addressing the fifth challenge, complexity, IT organizations benefit financially and operationally, which indirectly assists with meeting user expectations.

diagram
Figure 1: F5 products, which add significant benefits to Citrix XenApp and XenDesktop deployments through integration, automation, and optimization, represent the best-practice deployment scenario.
It's not VDI itself users hate; it's the reduced productivity. Source: Barriers Clearing for VDI Adoption

Challenge: Performance

Meeting user performance expectations, always a concern for IT departments, is often one of the key performance metrics by which IT is measured. Poor performance is related to lower user productivity, which can be traced directly to decreases in the business's bottom line.

All remote access solutions have introduced a variety of new protocols, and Citrix is no exception. ICA (Independent Computing Architecture) is Citrix's remote access protocol enabling use of a variety of remote access methods across heterogeneous platforms, including thin-client and emerging mobile platforms.

Protocol-related performance issues dramatically affect application performance, which in turn degrades the user experience. Like SSL/TLS and all application protocols, ICA comes with unique performance challenges.

Enhance ICA performance

With respect to performance, ICA is sensitive to network latency and in particular can be problematic over connections with constrained bandwidth. In recent years, Citrix introduced the concept of multi-stream ICA, enabling enhanced quality of service (QoS) and improved application delivery. Multi-stream ICA introduces the concept of channels within a session, which allows Citrix to deliver different media using specific QoS criteria and priorities to influence performance. Remote access for ICA is typically accomplished via ICA proxy-which is SSL/TLS encrypted-thus ensuring that non-encrypted ICA protocol data does not traverse a public network in plain text.

BIG-IP products support multi-streaming over four independent, secure (SSL) connections, allowing for the most efficient use of each connection for the appropriate protocol and proper DSCP/QoS settings for each priority type. For WAN-based internal access, similar benefits can be achieved with four independent virtual servers on separate ports, each optimized to individually handle the specifics of the ICA communication type. Each virtual server can have a unique TCP profile tuned appropriately for that channel's traffic, including setting proper DSCP/QoS tags.

In both configurations, F5 BIG-IP devices enhance performance at the network, transport, and application protocol layers, ensuring the ability to tune VDI delivery to meet or exceed user expectations irrespective of the connection or client device.

Optimize SSL performance

A driving factor for VDI implementations is security-specifically a need for the business and operations to centrally manage and control access to application data. VDI addresses this challenge in several ways, primarily with containerization of data and applications through virtualization. Any exchange, then, between a remote client device and data center–hosted systems should also be secured. For Citrix XenApp and XenDesktop, in-transit security is accomplished via SSL/TLS.

While desktop computing power has increased to reduce the burden imposed on systems by processing the SSL/TLS handshake, the migration to stronger (longer) keys has negated those gains. SSL/TLS remains a burden on client and server devices, adversely affecting performance.

Offloading SSL/TLS processing to a hardware-assisted BIG-IP Application Delivery Controllers (ADCs) as a means to mitigate latency introduced by lesser bulk encryption capabilities can dramatically improve overall performance, particularly when using 2048-bit keys. SSL-focused platforms, such as NetScaler 17550, provide a bulk encryption rate of less than half that of a comparably priced F5 VIPRION 2400 with two blades. The difference allows BIG-IP modules, running on the VIPRION hardware, to provide better and more predictable performance over the life of a user VDI session.

End users realize the productivity and satisfaction benefits of allowing employees to use the smartphones of their choice for work, but don't fully comprehend the extent of the security challenges this creates. Source: Survey Results: The Consumerization of IT from the End User's Perspective (Symantec, May 2011)

Challenge: Security

Applications, including VDI, always bring security challenges. Traditional network security remains a concern, especially with the driving demand for access not only externally but from a broad (and growing broader by the minute) set of client devices.

When myriad client devices enter the VDI picture, it becomes particularly challenging to manage secure authentication and authorization. Devices may or may not natively support standardized identity and access management systems, making integration difficult and frustrating users accustomed to single sign-on (SSO) and easy access. The inclusion of multi-factor authentication, too, is becoming more common when mobile endpoints are involved as organizations attempt to implement security controls designed to compensate for a lack of control over client devices.

Support flexible security services

The BIG-IP platform offers one of the broadest and most flexible sets of security services for all applications, including VDI. With integrated ICSA-certified firewall services, BIG-IP ADCs can protect critical VDI services from being overwhelmed by a wide variety of network and transport layer attacks. A unified policy and configuration setup combined with SSO for all Citrix XenApp and XenDesktop client types-desktop ICA, PNAgent, and Receiver-enables consistent enforcement of corporate access policies while ensuring the user experience meets expectations. BIG-IP ADCs can mediate for a variety of client authentication methods, including:

  • Client certificates
  • HTTP basic authentication
  • RSA token
  • Forms-based authentication
  • CAC/PIV/smartcard
  • Kerberos

Integration with multi-factor authentication systems and services offers organizations additional options. A visual editor simplifies codification of corporate access policies and can be easily extended using F5 iRules, a control-plane scripting solution. Conversely, BIG-IP Access Policy Manager (APM) supports one-time passwords (OTPs), which other solutions such as NetScaler and A10 do not.

Challenge: Reliability

Reliability is generally considered the ability of a system to perform and maintain functions. Users consider a system reliable when it is available as they expect and it performs consistently at any time-a challenge that becomes more difficult as the complexity of the system increases. VDI implementations, being inherently complex, are often shadowed by failures in reliability. Most of these failures can be prevented, however, with continuous monitoring and by following appropriate best practices for architecting reliable systems, including automatic failover in the event of an outage.

One core requirement of a scalable VDI architecture is persistence at the application delivery tier, a technique F5 pioneered. Persistence supports reliability requirements by ensuring users maintain a connection to their desktop instance. Simple load balancing services only distribute requests; adding persistence ensures that the affinity established between a user and the virtual desktop during the initial connection is maintained throughout the working session. Without persistence, VDI deployments can neither scale nor maintain reliability.

But reliability is more than simply maintaining a connection between the user and the virtual desktop. Reliability requires active participation and collaboration with VDI components as well as their supporting infrastructure.

Continuous monitoring of the entire infrastructure-from network to application- is a must to ensure reliability of VDI implementations. But knowing a problem exists is not enough; action must also be taken to address issues when and if they arise. Automatic failover is a best practice that enables continuous delivery even in the face of failure. Every component in a Citrix XenApp and XenDesktop architecture should be monitored, with a backup designated in case of a failure.

BIG-IP ADCs include a highly intelligent, application-aware health monitoring system that enables actionable status conditions to trigger failovers, notifications, or customizable events that ensure the reliability of the entire infrastructure.

Provide architectural scalability

One means of preventing failure in the first place is to ensure scalability of all systems associated with VDI. Scaling all services-including identity stores such as Active Directory or LDAP, firewall services, and load balancing-prevents overloads that can degrade performance and crash systems. BIG-IP products provide superior scalability for these services as well as any IP-based service.

An often overlooked component in any implementation, and one that can be a severe impediment to scaling and thus reliability, is logging. The ability to handle large traffic loads and simultaneously log events is critical to a scalable ADC. BIG-IP ADCs, unlike NetScaler products, can log events even at high traffic loads without negatively affecting performance.

BIG-IP ADCs can also dramatically improve the scalability of Citrix XenApp and XenDesktop by offloading computationally expensive processing such as SSL/TLS, compression, and TCP session management. Offloading such processing to BIG-IP devices enables Citrix VDI to focus on the tasks it processes best-virtual desktops and applications.

71 percent of respondents think letting employees use the smartphone of their choice for work-related activities somewhat to significantly increases employee productivity. Source: Survey Results: The Consumerization of IT from the End User's Perspective (Symantec, May 2011)

Challenge: Mobility

Mobility has multiple meanings within the context of VDI. In some cases it refers to the user expectation of being able to move seamlessly between traditional client devices such as desktop computers and laptops and modern, mobile platforms. From IT and management perspectives, mobility can be a characteristic of user access, but the word may also mean the ability to support multiple computing platforms within the data center.

Improve user mobility

When mobility is focused on the user, it means enabling seamless access to corporate resources between traditional client devices (laptops and desktops) and modern, more mobile platforms such as tablets and smartphones. Such mobility is considered in high demand by employees and is often cited as causing frustration for IT staff and operations as they attempt to deal with the security and integration challenges that arise from supporting and securing so many different operating systems and platforms.

As previously noted, the BIG-IP platform provides support for mobility with flexible and dynamic authentication and authorization services that can unify access and identity management across multiple devices, applications, and systems.

When deployed to support Citrix XenApp or XenDesktop initiatives, a BIG-IP ADC can provide consistent policy enforcement across Citrix solutions as well as other enterprise systems. This eliminates the need to deploy and subsequently manage multiple VDI-specific components, reducing total cost of ownership and complexity.

A growing number of enterprises are pursuing a strategy of "second sourcing"-deploying a different virtualization technology in a separate part of the organization. Source: Top Five Server Virtualization Trends, 2012

Support platform mobility

While many prepackaged solutions address the "three Cs" of VDI according to Mark Margevicius, client computing analyst with Gartner-CapEx, complexity, and connectivity-such solutions are often vendor specific and introduce the potential for organizations to become locked in. This stands in opposition to the trend toward a dual-vendor approach to virtualization.

For many organizations, infrastructure designed specifically for a single solution is undesirable. The BIG-IP platform provides the same performance, reliability, and security benefits for all IP-based applications, including competing VDI solutions. This enables organizations pursuing a dual-vendor VDI strategy to do so without investing in additional infrastructure or product-specific solutions. Additionally, BIG-IP products are available in a cloud-enabled form factor with complete feature parity, making them ideal for organizations seeking to realize the benefits of cloud computing in conjunction with Citrix VDI initiatives.

Interestingly, [BIG-IP] APM can support VMware View and Citrix Xen App/XenDesktop concurrently, as well as adding RDP and other technologies to the mix. Source: F5 Brings Simplicity to Complex Virtual Application Environments, Frank J. Ohlhorst, Channel Tech Network

Challenge: Complexity

Complexity, as so often noted, is the enemy of security. It is also the enemy of performance, availability, scalability, and consistency. Complexity, in general, is the enemy of IT.

There are two areas in which complexity rears its head within Citrix XenApp and XenDesktop as well as CloudGateway architectures. The first is in configuration of the various components comprising a Citrix VDI deployment. This complexity is undesirable because it lengthens deployment time and introduces unnecessary risks related to misconfiguration that can derail a VDI initiative.

The second area of complexity is in the number of components required to support the overall solution. Consolidation of services and elimination of depreciated components can reduce the number of components and thus the risk associated with the complexity those components add to the architecture.

diagram
Figure 2: An F5 VDI delivery architecture consolidates services without compromising on security, performance, or flexibility.
One thing that all appliance-based systems lack is a turnkey deployment process. Source: Appliance Makers Simplify VDI Adoption

Improve deployment cycle time with intelligent automation

The configuration of the application delivery services required to successfully implement a VDI solution is essential to ensuring security and reliability. Addressing complexity should be a top-level concern, as doing so can reduce the risk of configuration errors as well as the time it takes to deploy the VDI solution.

A simplified deployment process is a critical step toward reducing deployment cycle times and the possibility of misconfiguration. BIG-IP products include a proven deployment template-F5 iApps™ Templates-for both XenApp and XenDesktop. This unified, preconfigured iApps Template describes the load balancing, remote access, and optimization services necessary to ensure a fast, secure, and reliable Citrix VDI deployment. iApps Templates encapsulate best practices for deploying Citrix VDI as well as tuning parameters for BIG-IP ADCs that improve performance and ensure reliability of both XenDesktop and XenApp. Other solutions such as NetScaler and A10, by comparison, have no such capability and, despite providing rudimentary wizards for some applications, they cannot offer the level of automation and deployment risk reduction afforded by F5 solutions.

Eliminate web interface servers and NetScalers

The second way in which complexity can be eliminated in VDI architectures is through consolidation of services, which enables organizations to eliminate unnecessary components from the architecture.

F5 won out in all categories: configurability, compatibility with other technologies such as XenApp and Exchange 2010 … and quality of documentation and support.
Cindy Dalmasie, Network Administrator, Reliance Protectron, F5 case study

A Citrix VDI solution generally indicates the use of multiple components, which commonly include web interface servers, a Secure Ticket Authority, and Citrix Access Gateway servers. BIG-IP Local Traffic Manager™ (LTM) with BIG-IP APM can replace all three of these servers, streamlining the data path and drastically reducing the complexity of the implementation.

Consolidating the services provided by these Citrix infrastructure components provides operational benefits, simplifying troubleshooting and reducing training costs and time. Because BIG-IP LTM supports any IP-based application and BIG-IP APM can provide consistent, secure remote access to all of them, authenticated users see a consolidated set of applications across the data center. Citrix Web Interface, by contrast, shows only Citrix applications, forcing users to access other applications through separate systems.

apm-screenshot
Figure 3: The BIG-IP APM webtop consolidates remote access to any IP-based application.
In essence, [BIG-IP] APM gives administrators dynamic control of the delivery and security components of the major virtualization solutions, consolidating and unifying elements such as access, security and policy management. For example, in a typical Citrix XenApp/XenDesktop implementation, APM can replace Citrix's authentication management, Secure Ticket Authority (STA), NetScaler and other components that are required for Citrix sourced enterprise deployment. What's more, [BIG-IP] APM brings portal access, SSL VPN tunnels and SSL offloading into the equation, which improves server and application performance and simplifies security management.1

The resulting single point of control also affords operations centralized authentication, eliminating the multiple points of entry that exist in a comparable Citrix architecture. BIG-IP APM can replace the services of NetScaler Access Gateway and Secure Ticket Authority. Because BIG-IP APM can be provisioned as a module with BIG-IP LTM- which replaces traditional Citrix NetScaler services as well as Citrix AppController in a Citrix CloudGateway solution-the net result is consolidation of three separate systems into one device managed through a single administrative console.

Conclusion

Citrix brings a long and successful history of market-leading remote access solutions. Its XenDesktop, XenApp, and CloudGateway solutions are no exception.

For as long as Citrix has been delivering remote access, F5 has been delivering market-leading application delivery solutions. The BIG-IP family not only improves the reliability, performance, and security of Citrix VDI deployments but reduces complexity and deployment cycle time, improves the scalability of VDI-related services, and enhances the mobility of users and operations alike.

With a BIG-IP ADC providing the application delivery foundation for Citrix VDI solutions, IT departments can better position themselves to meet or exceed user expectations.

1 F5 Brings Simplicity to Complex Virtual Application Environments, Frank J. Ohlhorst, Channel Tech Network