Tuesday, June 30, 2015

Preparation for Azure lab


Recently I have been completing some test work with Azure, Azure AD and ADFS.  In the next week or two I will be doing some work with the Enterprise Mobility Suite (Intune for MDM, Azure AD Premium and Azure Rights Management).

Hopefully I will be able to blog some random information from my experiences, but this post is to identify potential speed bumps before you attempt to use Azure, Azure AD and ADFS.

Money/MSDN
Using Azure virtual machines and storage costs money.  When you sign up you must provide valid credit card information.  You are given a £125 trial for a month, but after that it will cost you.  You can configure spend limits which will stop surprise bills being racked up each month.

If you have a Visual Studio or MSDN subscription you actually get free credits.  I have a Visual Studio Ultimate Subscription through my work so I get £95 a month to spend in Azure (which is plenty for labs).

MSDN Credits

Make sure you turn off your Cloud Instance when you are not using it.  This will drastically reduce the cost of running your lab from the cloud.

Domain
Buy yourself a domain name.  Doesn't matter what as long as you like it.  I'd be tempted to use a popular registrar such as GoDaddy as the verification mechanism for Azure works really simply with the big registrars.  My registrar had to manually load some DNS TXT records which couldn't be completed in my admin interface.

Wildcard Certificate
Wildcard vs named certificates is an interesting debate which will continue forever I suspect.  I can see the pros and cons, but in this environment it is MUCH easier to have a publicly trusted wildcard certificate.  These can be quite pricey from some Certificate Authorities.  I used a CA called StartSSL who actually charge you on verification rather than per certificate.

StartSSL

You can create a free account and generate free named certificates, but you will soon hit a brick wall with certain services which require alternate names etc.

StartSSL Verified (which allows you to create as many wildcard/SAN certificates as you like) will set you back about $60 per year.  To complete this process you have to send them some personal documentation which did make me a little uneasy, however saving a few hundred quid was worth it I think.

StartSSL Verified

Internet Connection without outbound port blocking
This one will only apply to a small portion of the population.  Wherever you plan on connecting to your Azure cloud instance from, make sure they do not block outbound ports.  Most companies only allow a small set of ports outbound like 80, 443, 25 etc.  These are all used for business purposes but the likelihood of them allowing 3389 through the firewall is low.

Have a chat with your network team at work or connect to Azure Cloud Instance from home.

Lastly some links
Here are some articles I read to help me build my labs

http://office365support.ca/setting-up-the-first-web-application-proxy-servers-ad-fs-proxy-in-windows-azure-for-office365-single-sign-on/
http://tristanwatkins.com/changing-adfs-url-windows-server-2012-r2/
https://4sysops.com/archives/building-a-byod-lab-in-microsoft-azure/
http://www.cloudcomputingadmin.com/articles-tutorials/public-cloud/configure-windows-server-2012-r2-test-lab-microsoft-azure.html

Have fun!



Thursday, June 25, 2015

Citrix User Group - London - 2015

The event was held at the Novotel on Blackfriars Road in London. Unbeknown to me it was the 13th session in the UK (my first).   The announcement of the Citrix User Group Community at Synergy made me more aware of these events.


So how was the day?

Well it was bloody good fun, unusual for these types of events. Lots of jokes, a few swears but crucially some really interesting technical information.
--------------------
News & Synergy Update
Neil Spellings

Firstly Neil ran a news update session which covered the Eliot group shareholders analysis of Citrix's business strategy.

Forbes article
He also covered some high level Citrix news including Xenserver 6.5 sp1 release, acquisition of telephony provider Grasshopper and resurrection of the cloud.com domain which Citrix purchased some years ago for Citrix Workspace Cloud.
He also showed that Citrix, and Xenmobile specifically, is in the top quadrant for EMM.

Neil followed up with a whistle stop tour of Synergy highlights.   Firstly Citrix say they love XenApp and backed it up by extending XenApp 6.5 support by a year to 2017.

He covered the tech preview of Framehawk which will be in Feature Pack 2.  This provides excellent graphical performance on poor network conditions.

Citrix also announced that they will be releasing the Linux VDA which has been in tech preview for a while, and they discussed how the Receiver platform will be unified across devices with the help of StoreFront 3.0.

They announced a new proposition called Cloudbridge virtual Wan, which can connect multiple sites using different network connections. It can provide a cheap way to move away from traditional MPLS.

Netscaler 11 will have a mechanism to move Citrix services behind a content switch... Yay!   This will reduce the amount of public IP addresses you need on your Netscaler when publishing Storefront, xenmobile, sharefile etc.

Citrix Workspace cloud was a huge announcement which was briefly mentioned as an idea last year.   Now there is a proper environment you can test with.  This will move the Citrix controllers from your data centre into the cloud.  It could save administrators lots of time!

---------------------------

Citrix customer visits
Ben Dowen
Ben is a Senior Software Test Engineer at Citrix and he gave the opportunity for customers to visit engineering in Cambridge to talk about challenges and see products being built.  This sounds like a fantastic opportunity for heavy Citrix customers.  If you are interested then get in touch with him on Twitter.
----------------------------

Storefront 3.0
Simon Frost

Simon is the chief architect for the Storefront team in Cambridge.   He publicised the fact that Storefront was built in the UK.

The 3.0 version will include the following
Chrome npapi replacement, edge support
Customisation, routing for sites, Xml service based authentication and enhanced monitoring for netscaler.

Simon discussed scalability and dismissed the folklore around there being a maximum of 5 Storefront servers per group. This isn't true as they tested with 6 servers and they could login 175k users an hour.  It can also increase with extra vcpu in a linear fashion.

They can complete 40k users in 15 minutes with 2 Storefront nodes.

Npapi replacement will be included for Chrome which will stop ICA files being downloaded.   This will be achieved using custom URLs which will be used to bridge the gap between browser and receiver.   This will be important going forward as the Microsoft Edge browser has no ActiveX.

This will reduce situations where Ica files are found on disk.   SF 3.0 will provide the ability to change between html5 and native receiver.

The new architecture adds a Web browser element to receiver which downloads and caches the website effectively. This makes it easy to look consistent across all devices.

3.0 provides documented custom content (CSS level), vs easy image pickers for custom UI. It allows the workflow to be changed significantly, e.g. adding something between auth and loading apps, or just branding it correctly.

Customisations will remain after upgrades as the files are stored in a custom folder.... not like old Wi days!

There are lots of CSS options like removing toolbar on small (mobile) devices.

Receiver 4.2 finally provided key features again like desktop apps, named folders etc. Very admin and enterprise focused.

Prefer keyword for second hop launch

What is on the Road map?
There will be improved powershell for installing and configuring Storefront and a better admin console.

No plans to embed SF in the Netscaler. This is because it is easier for internal and external users to only have 1 Storefront rather than hairpinning.

End of June is when it should be released!
---------------------------
LiquidwareLabs
Fraser Norman - UK territory manager

Next up was LiquidwareLabs. The first mention from Fraser was that he was non techie... Ouch.. In front of a room of techies!

In fairness he showed his product very well. They position themselves as a Citrix Ready Partner in the Desktop transformation space, migrating from XP to Windows 8.

Their core offering is understanding what people use physically now and whether VDI is the right move, by installing agents on PCs which collect data and produce reports.

They have a product called Profileunity which can move profiles across different platforms. Very attractive to companies going through complex desktop change programmes.

They can provide privilege escalation per app which  is useful for unruly applications which aren't written correctly. Not ideal but fixes some potential issues if the application is important.

Flexapp is one product they have which virtualises apps by streaming from Vhd files.

Stratusphere FIT (assessment) and UX (baseline and remediation) are other tools which can be used before a desktop transformation project and during change control windows to ensure the platform is performing how it should.

Fraser had a video demo which showed these streamed apps being added and removed very quickly while still looking and feeling native.
-------------------
Pernix data
James Smith -  SE

Next up was Pernix data.   They are a Vmware technology which was curious at a Citrix User Group, however many Citrix end users (including myself) use Vmware to virtualise their OS platforms.

This tool helps remove complexity and latency to speed up apps. Satyam Vaghani who wrote vaai and VMFS is one of the founders of Pernix data. Their product is VM and Storage agnostic.

How does it speed up applications? It shares VM resources (RAM, SSD etc.) across hosts to speed up access and caching for backend storage.  It works with anything in the vmware HCL.

It helps move storage performance to hypervisor layer and leave backend storage for capacity.

Very interesting!
---------------------------
Octoblu
Matthew Nichols

Matt is a Solution Architect with Esteem and demoed a technology that Citrix recently acquired called Octoblu.  This is an IoT technology that can produce workflows to complete business tasks.

It was demonstrated at Synergy



His demo showed tweets sent to the #ukcuglon hashtag output on an LED screen. It completed this through a node running on a Raspberry Pi.

It was very interesting, but not sure how Citrix will monetise this effectively.

Matt is hilarious too, I haven't laughed so much through a demo in ages (whilst still learning lots too!)
----------------

User profile management, is it just a load of FUD
James Rankin - Talosys
Appsensebigot.blogpost.com

James talked about managing profiles and whether non native products can actually provide benefit over roaming profiles.

He did a good deep dive on how traditional roaming profiles work and the issues. He also showed the history of these platforms and what can cause profile issues, described as profile failure due to Microsoft refuting the term profile corruption.

He typically found that most customers who had issues had the GPO for limiting profile size.

There are other things which external products can provide like removing the last writer wins issues. These tools fall into 2 categories: light tools, e.g. Citrix, Fslogix and Immidio, and on the other side heavy tool sets or platforms including Liquidware, Res and Appsense.

He finished up with the revelation that MS have their own tool as part of the MDOP pack called Microsoft user experience virtualisation.
----------------

AppSense
Gary McAllister - Product Manager 

Gary McAllister from AppSense did a session update on their product set.

Desktop Now 8.6 has cut the amount of infrastructure required to run EUM in half.  There is also dedupe in the database which drastically reduces the size of the DB.

There is easier on boarding of profiles and apps, and end users now have the ability to roll back parts of their profile.  This feature has been available for admins for a while, but extending it to the users could save help desks some time.

App Manager 8.9 has the ability to lockdown windows 8 apps which is really useful for Enterprises.  It can also control admin access to services so local administrators cannot stop certain key services.  I am not sure how secure this is, I would imagine that there must be a way around this albeit it might be quite destructive.

Performance Manager - Same old, nothing new to report here.

AppSense Insight looks like the Citrix Edgesight product set, providing a breakdown of user experience e.g. showing why logons are slow.  Going forward AppSense Insight will be able to use this information to auto configure other products rather than admins having to interpret the data and make changes accordingly.  This could help save admin time, but scares the hell out of me.  Do I want a tool automatically changing configurations on the fly?  Probably not, this is why we have Change Control!

AppSense Exchange
Templates and tools can be uploaded by the forum.  Templates will allow quick updates rather than waiting for service releases.

V10 simplification of what they do at the moment. Managed from Unified Web console and very nice it looks too.

I haven't used AppSense myself but it does seem like a huge swiss army knife to tackle many typical VDI and RDS workload issues.  The trouble is that the price tag matches it which can price out smaller customers.
-------------------
An end to the java version hell
Fslogix-James Rankin

James came back to present another session on behalf of Fslogix. They have a product which hides java from the OS.

He started with the now legendary quote.

If java were a person I would kick its face in!

He showed us how multiple versions of Java can be installed and presented to websites based on configuration rules. This looks excellent!

They also have some tools around Profile management, reverse layering, image management, app delivery.
----------------------

Citrix life cycle management and Workspace cloud
Andrew Wood & Jim Moyle

Jim and Andrew from Atlantis did a presentation on Citrix Workspace Cloud and life cycle management. Well eventually, after many techy issues the monitors finally worked!

These tools split the control layer apart from the worker layer, much like sharefile does, and make it SaaS. So you could have Citrix Studio as a cloud based app. It uses connectors in your data centre to connect to all of the VDAs.  It connects back to cloud.com on outbound 443 which will make the firewall people happy!

They showed Citrix life cycle management which is a template provisioning service.  It could trigger build and deploy on monitors e.g. build machines when usage goes above a certain percentage.

Q3 release date
----------------------
Auth flexibility for XA/XD and NSG
Andrew Innes

Andrew discussed authentication flexibility for Citrix technologies using the SDK.

He showed a graph of attack vectors from Verizon DBIR which shows credentials as the weakest/most targeted item by hackers.

Verizon recommend enabling 2FA which can take many forms including Tokens, biometrics, phone apps, smart cards, gridcards

The SDK provides the mechanism to perform Risk based authentication. Ask extra questions when logging on from different or untrusted locations.

The SDK also provides a way to create a Legal disclaimer, custom auth checks (shift patterns), Identify user first then pointing to auth method and Password reset link to external service.
--------------
XenApp powershell DSC
Virtual Engine - Iain Brighton

Desired state Configuration
Any configuration tool which can create MOF files can be used to push configuration out to Windows machines. Extending tools like Chef and Puppet to manage Windows endpoints using powershell.

This session was a little complicated and went over my head a little. However it looks very interesting and I'll be investigating more!

Wednesday, June 24, 2015

Add File Extensions via Powershell

We are using an extraction tool to export data from one of our business applications in preparation to switching to our ERP solution. Unfortunately this tool doesn't add the file extensions to the exported files!

So I needed to create a powershell script to do the job for us.

As with most things there is no point reinventing the wheel.  I did a google search and found this useful blog post.

http://blogs.msdn.com/b/dan_fay/archive/2012/09/17/rename-file-extension-with-powershell.aspx

The script was pretty much there, but I needed to tweak it slightly.  I added a line which asks the user which file extension they want to use.  I also changed it so that it would only change files which currently have no file extensions configured.
What users are presented with

The result is as follows
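# Collect files (not folders) in the current directory that have no extension
$extractedfiles = Get-ChildItem -File | Where-Object {$_.Extension -eq ""}
# Ask the user which extension to append (typed without the leading dot)
$fileext = Read-Host "what file extension?"
ForEach ($file in $extractedfiles) {
    $filenew = $file.Name + ".$fileext"
    Rename-Item -LiteralPath $file.FullName -NewName $filenew
}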
All files without extensions are now .jpg
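
Going beyond the single-extension script above, this added example (not from the original post or the blog post it links to) picks each file's extension from its leading bytes, so a mixed export is not stamped with one typed-in extension. The signature table and the function name Get-ExtensionFromSignature are assumptions made for illustration.

```powershell
# Added example: choose the extension from each file's leading bytes instead of
# applying one user-supplied extension to every file.
# The signature table is a small constructed sample; extend it for your data.
$signatures = [ordered]@{
    'jpg' = [byte[]](0xFF, 0xD8, 0xFF)
    'png' = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
    'gif' = [byte[]](0x47, 0x49, 0x46, 0x38)
    'pdf' = [byte[]](0x25, 0x50, 0x44, 0x46)
    'zip' = [byte[]](0x50, 0x4B, 0x03, 0x04)   # also docx/xlsx containers
}

function Get-ExtensionFromSignature {
    param([Parameter(Mandatory)][string]$Path)

    # Read only the first 8 bytes; enough for every signature in the table
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 8
        $read   = $stream.Read($header, 0, $header.Length)
    } finally {
        $stream.Dispose()
    }

    foreach ($ext in $signatures.Keys) {
        $magic = $signatures[$ext]
        if ($read -lt $magic.Length) { continue }   # file shorter than signature
        $match = $true
        for ($i = 0; $i -lt $magic.Length; $i++) {
            if ($header[$i] -ne $magic[$i]) { $match = $false; break }
        }
        if ($match) { return $ext }
    }
    return $null   # unknown type: caller leaves the file alone
}

Get-ChildItem -File | Where-Object { $_.Extension -eq '' } | ForEach-Object {
    $ext = Get-ExtensionFromSignature -Path $_.FullName
    if ($null -eq $ext) {
        Write-Warning "No known signature, skipped: $($_.Name)"
        return
    }
    $newName = "$($_.Name).$ext"
    # Never overwrite or collide with a file that already has the target name
    if (Test-Path -LiteralPath (Join-Path $_.DirectoryName $newName)) {
        Write-Warning "Target exists, skipped: $newName"
        return
    }
    # -WhatIf previews the rename; remove it once the output looks right
    Rename-Item -LiteralPath $_.FullName -NewName $newName -WhatIf
}
```

Files whose header matches nothing in the table are reported and left untouched rather than given a guessed extension.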