Citrix AntiVirus Exceptions – Fantastic List

Found this great list of A/V exceptions from Citrix. Useful as a one-stop-shop reference.

http://blogs.citrix.com/2013/09/22/citrix-consolidated-list-of-antivirus-exclusions/

The following antivirus exclusions should be applied to all Citrix infrastructure servers:

Set real-time scanning to scan on write operations only and not on read/access

Set real-time scanning to scan local drives only and not network drives

Disable scan on boot

Remove any unnecessary antivirus related entries from the Run key

Exclude the pagefile(s) from being scanned

Exclude IIS log files from being scanned

Exclude Windows event logs from being scanned

Below are the recommended antivirus exclusions, by Citrix product:

Citrix Profile Manager Agent:
Do not scan on open or status-check operations

UserProfileManager.exe

EdgeSight Agent:
\Application Data\Citrix\System Monitoring\Data

\ProgramFiles\Citrix\System Monitoring\Agent\Core\rscorsvc.exe

\ProgramFiles\Citrix\System Monitoring\Agent\Core\Firebird\bin\fbserver.exe

Edgesight Server:

\CommonProgramFiles\Citrix\System Monitoring\Server\RSSH

\ProgramFiles\Citrix\System Monitoring\Server\EdgeSight\scripts\rssh

\ProgramFiles\Citrix\System Monitoring\Server\EdgeSight\Pages

\ProgramFiles\Microsoft SQL Server\MSSQL\Reporting Services

\ProgramFiles\Microsoft SQL Server\MSSQL\Data

\SystemRoot\SYSTEM32\Logfiles

Provisioning Services Server:
Exclude scanning of Local vDisk Store

\Windows\System32\drivers\CvhdBusP6.sys

\Windows\System32\drivers\CfsDep2.sys

\Program Files\Citrix\Provisioning Services\BNTFTP.EXE

\ProgramData\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN

\Program Files\Citrix\Provisioning Services\StreamService.exe

\Program Files\Citrix\Provisioning Services\StreamProcess.exe

\Program Files\Citrix\Provisioning Services\soapserver.exe

Provisioning Services Target:

Exclude scanning of Write Cache

\Program Files\Citrix\Provisioning Services\BNDevice.exe

\Windows\System32\Drivers Directory\bnistack6.sys

\Program Files\Citrix\Provisioning Services\TargetOSOptimizer.exe

\Windows\System32\drivers\CfsDep2.sys

\Windows\System32\drivers\CVhdBusP6.sys

Provisioning Services Target – Personal vDisk:

CTXPVD.exe

CTXPVDSVC.exe

\Program Files\Citrix\Personal vDisk\BIN\WIN7\

XenApp Controller:
\Windows\system32\csrss.exe

\Windows\system32\winlogon.exe

\Windows\system32\userinit.exe

\Windows\system32\smss.exe

\Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe

\Program Files (x86)\Citrix\System32\wfshell.exe

\Program Files (x86)\Citrix\system32\ctxxmlss.exe

\Program Files (x86)\Citrix\System32\CtxSvcHost.exe

\Program Files (x86)\Citrix\system32\mfcom.exe

\Program Files (x86)\Citrix\System32\Citrix\Ima\ImaSvc.exe

\Program Files (x86)\Citrix\System32\Citrix\Ima\IMAAdvanceSrv.exe

\Program Files (x86)\Citrix\HealthMon\HCAService.exe

\Program Files (x86)\Citrix\Streaming Client\RadeSvc.exe

\Program Files (x86)\Citrix\Streaming Client\RadeHlprSvc.exe

\Program Files\Citrix\Independent Management Architecture\RadeOffline.mdb

\Program Files\Citrix\Independent Management Architecture\imalhc.mdb

Session Host:

\Windows\system32\spoolsv.exe

\Windows\system32\csrss.exe

\Windows\system32\winlogon.exe

\Windows\system32\userinit.exe

\Windows\system32\smss.exe

\Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe

\Program Files (x86)\Citrix\System32\wfshell.exe

\Program Files (x86)\Citrix\system32\CpSvc.exe

\Program Files (x86)\Citrix\System32\CtxSvcHost.exe

\Program Files (x86)\Citrix\system32\mfcom.exe

\Program Files (x86)\Citrix\System32\Citrix\Ima\ImaSvc.exe

\Program Files (x86)\Citrix\System32\Citrix\Ima\IMAAdvanceSrv.exe

\Program Files (x86)\Citrix\HealthMon\HCAService.exe

\Program Files (x86)\Citrix\Streaming Client\RadeSvc.exe

\Program Files (x86)\Citrix\Streaming Client\RadeHlprSvc.exe

\Program Files (x86)\Citrix\XTE\bin\XTE.exe

\Program Files\Citrix\Independent Management Architecture\RadeOffline.mdb

XenDesktop Controller:
\Windows\system32\csrss.exe

\Windows\system32\winlogon.exe

\Windows\system32\userinit.exe

\Windows\system32\smss.exe

\Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe

\Program Files (x86)\Citrix\System32\wfshell.exe

\Program Files (x86)\Citrix\system32\ctxxmlss.exe

\Program Files (x86)\Citrix\System32\CtxSvcHost.exe

\Program Files (x86)\Citrix\system32\mfcom.exe

For additional information on antivirus exclusions, please reference the following articles:

Citrix Profile Management – Profile Management 5.x – eDocs

EdgeSight – CTX111062, CTX114906

Provisioning Services – CTX124185

XenApp – CTX127030
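One way to check a server's configured exclusions against the per-role lists above, as an added example that is not from the original post or from Citrix: it parses two of the lists in the page's layout, normalizes the Windows paths, and reports entries that are missing, unexpected, or broad. `CONFIGURED`, `ENV_DEFAULTS` and the function names are constructed for illustration, and exporting the configured list from a particular antivirus product is left to that product's tooling.

```python
import re

# Baseline in the page's own layout: a role line ending in ":" followed by
# that role's exclusions, copied from the lists above.
BASELINE_TEXT = r"""
Provisioning Services Target – Personal vDisk:
CTXPVD.exe
CTXPVDSVC.exe
\Program Files\Citrix\Personal vDisk\BIN\WIN7\
XenDesktop Controller:
\Windows\system32\csrss.exe
\Windows\system32\winlogon.exe
\Windows\system32\userinit.exe
\Windows\system32\smss.exe
\Program Files\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe
\Program Files (x86)\Citrix\System32\wfshell.exe
\Program Files (x86)\Citrix\system32\ctxxmlss.exe
\Program Files (x86)\Citrix\System32\CtxSvcHost.exe
\Program Files (x86)\Citrix\system32\mfcom.exe
"""

# Assumption: these variables resolve to their default locations on the host.
ENV_DEFAULTS = {
    "%programfiles(x86)%": "\\program files (x86)",
    "%programfiles%": "\\program files",
    "%systemroot%": "\\windows",
    "%windir%": "\\windows",
}

def normalize(path):
    """Reduce a Windows path to the drive-relative, lower-case form used above."""
    p = path.strip().replace("/", "\\").lower()
    for var, value in ENV_DEFAULTS.items():
        p = p.replace(var, value)
    p = re.sub(r"^[a-z]:", "", p)            # drop the drive letter
    p = re.sub(r"\\+", lambda m: "\\", p)    # collapse doubled separators
    return p.rstrip("\\") or "\\"            # a bare root stays "\", not ""

def parse_baseline(text):
    """Return {role: set of normalized exclusions} from the page-style list."""
    roles, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = roles.setdefault(line[:-1], set())
        elif current is not None:
            current.add(normalize(line))
    return roles

BASELINE = parse_baseline(BASELINE_TEXT)

def is_broad(p):
    """Wildcards, roots, top-level folders and bare names cover far more than one file."""
    parts = [c for c in p.split("\\") if c]
    return "*" in p or "?" in p or len(parts) <= 1

def audit(role, configured):
    have = {normalize(c) for c in configured}
    want = BASELINE[role]
    extra = sorted(have - want)
    return {"missing": sorted(want - have),
            "unexpected": extra,
            "broad": [p for p in extra if is_broad(p)]}

# Constructed sample: exclusions as exported from a hypothetical controller.
CONFIGURED = [
    r"C:\Windows\System32\csrss.exe",
    r"%SystemRoot%\system32\winlogon.exe",
    r"C:\Windows\System32\userinit.exe",
    r"C:\Windows\System32\smss.exe",
    r"%ProgramFiles%\Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe",
    r"C:\Program Files (x86)\Citrix\System32\wfshell.exe",
    r"C:\Program Files (x86)\Citrix\System32\\ctxxmlss.exe",
    r"C:\Program Files (x86)\Citrix\System32\CtxSvcHost.exe",
    r"D:\Scratch\*",
    r"C:\Windows\Temp",
]

if __name__ == "__main__":
    for key, value in audit("XenDesktop Controller", CONFIGURED).items():
        print(key, value)
```

Entries reported as unexpected are the ones to review first, since each exclusion is a location the scanner no longer inspects.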

Great article summarizing benefits of IP hash based load balancing in vSphere

Here’s a great article highlighting how IP hash based load balancing works as well as some of the limitations.

IP hash based load balancing can improve overall link utilization by dynamically calculating which NIC to use from the IP addresses of the source and destination. Compared to standard port based load balancing, which generally sees a VM tied to a single NIC for its traffic, this can really improve throughput and load distribution. Keep in mind that the physical switches need to be configured appropriately!

It also identifies some common limitations that need to be kept in mind:

ESX/ESXi supports IP hash teaming on a single physical switch only: This one can be a real deal-breaker for some. Because etherchannel bonding is usually only supported on a single switch, it may not be possible to distribute the uplinks across multiple physical switches for redundancy. There are some exceptions to this rule as some ‘stacked’ switches, or modular switches with a common backplane support etherchannel across physical switches or modules. Cisco’s VPC (virtual port channel) technology can also address this on supported switches. Consult with your hardware vendor for your options.

ESX/ESXi supports only 802.3ad link aggregation in ‘Static’ mode: This is also referred to as ‘Mode On’ in the Cisco world. This means that LACP (link aggregation control protocol) cannot be used. The only exception is with a vNetwork Distributed Switch in vSphere 5.1, and with the Cisco Nexus 1000V. If you are using vNetwork Standard Switches, you must use a static etherchannel.

Beacon Probing is not supported with IP hash: Only link status can be used as a failure detection method with an IP hash team. This may not be desirable in some situations.

IP Hash based load balancing

XenClient 2.1 Performance Testing – How it stacks up versus native installs

Currently I am evaluating XenClient for users in an organization. Part of this project involved providing XenClient systems running Windows 7 Enterprise x64 to very demanding users. We had some feedback that was mixed. In order to get quantitative results I put the XenClient through some performance metric testing.

The testing was done on the following system:

  • HP 8460P (Intel® Core™ i5-2520M, 2.50 GHz, 3 MB L3 cache)
  • 4GB RAM
  • SATAII 250GB HD 7200RPM
  • AMD Radeon HD 6470M with 1 GB dedicated DDR3 video memory

**Note that this is the first model which includes VT-d, which is required to allow direct access to the video card for HDX 3D enabled VMs. While this sounds like it would not be required for all users, the fact that extending the display to multiple monitors requires it could be a huge show stopper! We got caught by this, so check carefully, as the Citrix HCL does not indicate this clearly.

The benchmark I used was Performance Test 7.0 (1025) Win64 by PassMark software.

Conclusion:

When the second vCPU was enabled, the performance dramatically improved to the following (percent performance of the XenClient VM with 2 vCPUs and 3D enabled, compared to the native bare-metal install).

  • CPU Mark – 75%
  • 2D Graphics – 124%
  • Memory Mark – 68%
  • Disk Mark – 107%
  • CD Mark – 94%
  • 3D Graphics Mark – 96%
  • Passmark Rating – 91%

I did not run extensive iterations of all tests, but these results are a good indication of how well a XenClient VM can perform. The CPU and memory results indicate there is an overhead associated with virtualizing the workload; while it’s not huge, it’s not irrelevant either.

The fact that multiple CPUs are required to achieve near-native performance, combined with the warning from Citrix that it may cause instability for multiple VMs, should be noted for users requiring all of their hardware’s raw performance.

Also, there is an identified instability when allocating over 3GB of RAM to VMs using HDX 3D access, which forces users to leverage less memory than is potentially available to the VM.

Results:

Native Install (no XenClient – Win 7 Enterprise x64 Bare Metal install)

*note this system would have an edge as it would leverage all 4GB of RAM compared to the 3GB VMs

  • CPU Mark – 3961
  • 2D Graphics – 385
  • Memory Mark – 1261
  • Disk Mark – 676
  • CD Mark – 482
  • 3D Graphics Mark – 420
  • Passmark Rating – 1442
Native BareMetal Win7 install HP 8460p

XenClient 2.1 Installed VM (Win7 Ent x64 – No 3D enabled, single vCPU, 3GB RAM)

  • CPU Mark – 1379
  • 2D Graphics – 563
  • Memory Mark – 873
  • Disk Mark – 712
  • CD Mark – 545
  • 3D Graphics Mark – N/A
  • Passmark Rating – 1005
XenClient HP 8460p No 3D enabled, Single vCPU

XenClient 2.1 Installed VM (Win7 Ent x64 – 3D enabled, single vCPU, 3GB RAM)

  • CPU Mark – 1511
  • 2D Graphics – 524
  • Memory Mark – 789
  • Disk Mark – 692
  • CD Mark – 439
  • 3D Graphics Mark – 152
  • Passmark Rating – 849
XenClient HP 8460p 3D enabled, Single vCPU

XenClient 2.1 Installed VM (Win7 Ent x64 – 3D enabled, two vCPUs, 3GB RAM)

**Note at this time multiple vCPUs are not configurable in the GUI and must be done via command line. See the XenClient 2.1 release notes

XenClient_2_1_Release_Notes.pdf

I have detailed the better results of the two runs I did. Both results are listed below.

  • CPU Mark – 2951
  • 2D Graphics – 480
  • Memory Mark – 852
  • Disk Mark – 722
  • CD Mark – 453
  • 3D Graphics Mark – 402
  • Passmark Rating – 1311
XenClient HP 8460p 3D enabled, Two vCPUs (Second Run)

XenClient HP 8460p 3D enabled, Two vCPUs (First Run)

Sizing storage and hosts for Citrix XenDesktop and VMware View

I’m currently working on comparing the costs associated with doing 100 users in a shared desktop model. I was looking for resources around sizing storage and stumbled across these fantastic calculators by Andre Leibovici. He’s created one for both XenDesktop and VMware View. Both currently leverage ESX as the hypervisor.

Here are the links:

VMWare View VDI Sizing Calculator

Citrix XenDesktop Sizing Calculator

Calculator Instructions and Parameters

Simplicity through Complexity

The rate of change in the technology field is relentless. Constantly there are new solutions and products changing the status quo. This is especially true in the area of virtualization. We now have:

  • virtual servers
  • virtual desktops
  • virtual applications
  • virtual appliances
  • virtual fabrics
  • virtual switches
  • and so on, and so on…

So where does this get us, apart from learning a bunch of new solutions that all seem more complicated than the way things were done before? The answer is simplicity. These technical solutions are all leading to one thing: abstraction. What this means is that they are removing dependencies in the stack from one another. Fewer dependencies, less complexity, more agility and freedom.

They’ve talked about this model in many capacities in different areas of virtualization; a common one is the layers of cake, or simply the layers model in VDI, where the OS is decoupled from the applications and user profile. All the components come together to achieve the end result of a functional user workspace, yet none of the components are dependent on the others.

This facilitates simplified rollouts, migrations and upgrades. Admins no longer need to be concerned about adverse interactions with the upgrade of any one particular component; instead, each component can be dealt with independently. This vastly simplifies change management and regression testing. It also enhances portability: users can bring their profile or applications to any OS with minimal headaches.

I have been doing research into Microsoft SCVMM 2012, and that was when I saw this model being taken and applied to server virtualization. Let me tell you, it was impressive. Microsoft has a product called Server App-V which, like its MDOP counterpart that virtualizes desktop applications, allows for the virtualization of server workloads. Things like IIS, SQL Reporting Services or XenApp, for example, can be virtualized.

Application Compatibility

The ability to virtualize server workloads really starts to shine when you look at the rest of the capability of SCVMM 2012. SCVMM is moving towards the goal of providing resources regardless of location or hosting platform. Resources are no longer merely virtual machines, storage and networking but are tied together as services including the application layer. These services can be templated and basically act as a “recipe” for fully functional services such as an online purchasing system or XenApp host. This facilitates simplified user self-service for deployment of services on demand. The fact that all the components of the “recipe” are virtualized and abstracted means extreme portability (think moving to the cloud!). Components can be upgraded independently and without concern for the other components. Think of how much this will simplify deployment.

Server App-V can take an application that has a 200 page installation guide and contain it so that every deployment is identical after the first successful one. It can be ported from development to production and back again without ever changing. Any application changes and config are captured as “state”. Server App-V can monitor and port this state data so it can be migrated simply as well. Server App-V is a feature of SCVMM 2012. This means that all this can be automated in SCVMM’s console. It lets you visually define the components of a service and save it as a service template.

It is really exciting to think that one day incompatibility-type issues will no longer be a major headache. Everything will just work, as it is no longer some huge infrastructure stack with hooks running between all the layers, but rather a series of clean, known good, abstracted layers. Layers that can be moved between the datacenter and the cloud. The vision is starting to shine, and the clouds are starting to clear ;)

Server App-V Summary
http://blogs.technet.com/b/serverappv/archive/2011/04/07/so-what-is-server-app-v-anyway.aspx

How to video : Sequencing an application with Server App-V

http://blogs.technet.com/b/adhall/archive/2011/11/01/video-sequencing-an-application-using-server-app-v.aspx

Video: Server App-V TechEd Presentation

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/VIR314

Citrix moving away from Web Interface to Cloud Gateway

Citrix will soon be renaming its Web Interface to Storefront and altering its functionality. This comes as Citrix is changing to a different receiver infrastructure based on the Cloud Gateway and Storefront. It will eventually allow users to maintain their application lists across devices, in line with the trend in cloud hosted settings. Thomas Koetzing lists some of the details around the functionality differences in this article:

http://www.thomaskoetzing.de/index.php?option=com_content&task=view&id=346&Itemid=254

While I agree with the direction this is going – it sounds like there is a bit of work to be done before this is ready for the enterprise.

Virtual Desktop Optimizations – Using Quest vWorkspace Desktop Optimizer (VMware and Citrix users listen up too!)

Quest has released a handy tool for quickly refining your virtual desktop images to dramatically improve performance. This tool makes a number of tweaks that can save on disk, CPU and even RAM usage in a virtual desktop environment. The tool works for all vendors and it’s free! So check it out:

Quest Desktop Optimizer

XenClient 2 – New Features and enhancements, ready for production?

Citrix has had a slew of announcements lately, one of them being XenClient 2. Here’s a copy of the features – I’ll post more once I have it set up in the lab!

Let’s first start with the new capabilities at a high level for XenClient 2 and then below I’ll dig into the details on what’s new since v1:

  • EXPANDED HARDWARE COMPATIBILITY, NOW RUNNABLE ON 45 MILLION SYSTEMS. XenClient 2 will run on 3x as many systems as the first release by introducing support for Intel’s 2nd Generation Core vPro platform, adding support for additional PC systems plus expanded coverage to workstation and non-vPro value enterprise class systems. The hardware compatibility delivered in the XenClient 2 expands on XenClient’s previous ability to run on 15 million systems.
  • PRODUCTION SCALE SYNCHRONIZER that enables customers to deploy Synchronizer for XenClient for centralized deployment and management of XenClient in larger and more complex environments with enhanced levels of scalability, more detailed environment reporting, optimized transfers and backups along with support for complex active directory environments.
  • SIMPLIFIED USER EXPERIENCE that enables increased adoption of XenClient by non-technical users. A revamp of the Citrix Receiver for XenClient user interface has produced a simpler, more responsive, and more intuitive user interface. Additional XenClient platform capabilities now allow a more native user experience with a set of features that allow XenClient to stay hidden during normal use of Windows virtual machines.

Here are the new features and enhancements added since the Tech Preview release:

  • SEAMLESS APPLICATION SHARING allows the seamless display of applications running in one VM to be displayed into another. Thus allowing users to have a single display that combines applications from multiple VMs on the same system. And it does all this while keeping strict isolation of data between the virtual machines.
  • OVER-THE-AIR UPGRADES now enables simple and secure upgrades of the XenClient software from a Synchronizer or other web server. This will allow end users to upgrade XenClient without the need to burn or boot CDs and means that IT can easily deploy new versions and fixes into their environment.
  • 2ND FACTOR REGISTRATION PIN AUTHENTICATION provides an extra layer of security for customers deploying the Synchronizer with public facing internet access. When a XenClient system first connects to a Synchronizer for XenClient backend, it can require an optional 2nd factor of authentication, above and beyond a username and password combination to provide an extra layer of protection. Subsequent connections will use a unique digital certificate stored on the XenClient system.
  • HIDDEN WIRELESS AUTOCONNECT enables XenClient to automatically make connections to hidden wireless networks that some customers have deployed in their environment or that IT pros use at home.
  • ADDITIONAL POLICY CONTROLS allows the Synchronizer for XenClient to have even greater policy control over virtual machines on XenClient endpoints including policies for autobooting virtual desktops, 3D graphics, and seamless application sharing.
  • DISPLAYPORT AND DVI VIDEO SUPPORT for systems based on Intel’s 2nd Generation Core platforms allows the use of the latest all digital connections to monitors and projectors.
  • HIGH SPEED LINUX DRIVERS delivers near native performance for networking and storage when running Ubuntu 11 Linux as a virtual machine on XenClient.

And we always like to give a glimpse of features in progress that we want your feedback on so we have some new experimental feature previews in as well:

  • SAFE GRAPHICS MODE enables the use of basic display capabilities on almost any graphics architecture including systems with nVidia graphics.
  • EXPERIMENTAL 3G MODEM support allows the XenClient platform to make connections using a much broader set of integrated and USB based 3G data modems.
  • EXPERIMENTAL TOUCHSCREEN gets us ready for increased use of touch enabled laptops and PC tablets. The XenClient UI was extensively rewritten to be touch enabled and a selection of USB and serial touchscreen systems will now work with XenClient out of the box.

And below are the new enhancements we delivered in the tech preview release and in the final release announced today:

  • EXPANDED 3D GRAPHICS ARCHITECTURE now supports Intel HD 2000 and HD 3000 integrated graphics along with AMD FirePro and Radeon discrete graphics architectures. This not only expands hardware compatibility but together with Intel vPro directed I/O (Intel VT-d) technology delivers a native 3D graphics experience.
  • NON-VPRO SYSTEM SUPPORT now enables a larger set of customers to evaluate and use XenClient on value enterprise systems. Users can now have a great 2D graphics experience when running XenClient on systems with Intel integrated graphics.
  • LATEST OPERATING SYSTEMS with support for Windows 7 Service Pack 1 32-bit and 64-bit along with initial support for Ubuntu 11.04
  • IMPROVED AUDIO EXPERIENCE delivers integrated audio drivers for Windows 7 with improved fidelity and performance
  • LARGE VM MEMORY ALLOCATION support allows the use of up to 8GB of memory for local virtual desktops running on XenClient. This allows Windows 7 to run with more applications, handle more open files, and support memory intensive workloads with ease.
  • USER PROFILE VIRTUALIZATION allows the separation of the user personality from the rest of the system using layering. It allows the ability to selectively backup and recover the user profile independent of the rest of the system.
  • OPTIMIZED BACKUPS to reduce the storage required for offering backup and recovery of virtual desktops. This is done by using smart disk block filtering to automatically remove unused disk blocks, Windows pagefiles, and other unnecessary data reducing the amount sent to the Synchronizer during backup operations.
  • AUTOMATIC CONNECTION THROTTLING protects users, Synchronizers, and your network from heavy loads. The Synchronizer will automatically throttle and queue XenClient systems downloading images and sending backups when the systems or network is under heavy load.
  • OPERATIONAL ENHANCEMENTS allow administrators to more easily setup, configure, and maintain the Synchronizer for XenClient. Additionally a new device filtering capability allows for more targeted reporting on information about deployed XenClient systems.
  • SIMPLE OPERATIONS CONSOLE which allows admins to see at a glance the current configuration of their Synchronizer, along with simple configuration management from networking, to active directory connections, SSL certificates and more.
  • COMPLEX ACTIVE DIRECTORY environment support with the ability to run in environments with complex trust relationships between multiple-active directories. Login and target images and policies to users and groups across your whole organization.
  • PRECACHED VM DOWNLOADS to allow rapid deployment and recovery of virtual machine images from the Synchronizer even over slow network links. This is done by locally preloading the majority of the image from an optical disk or USB flash drive and only downloading the latest information over the wire from the Synchronizer.
  • AUTOMATED iSCSI DEPLOYMENT allows hands off deployment of XenClient to Lenovo desktop systems by hosting the XenClient installer system and automated answer files on a Lenovo Storage Array.
  • REVAMPED USER INTERFACE makes it even easier to create, maintain, and run local virtual desktops on XenClient. Includes a new simplified view with both basic and advanced features, the ability to swap virtual desktop hotkeys, and greatly improved system responsiveness.
  • AUTOBOOT, AUTOSLEEP, AUTOSHUTDOWN allows XenClient power operations to be linked to the power state of a Windows virtual machine. This allows hiding XenClient behind the scenes