SLAC Remote Access and Citrix XPe Brian Scott SLAC May 2004

Page 1: SLAC Remote Access and  Citrix XPe

SLAC Remote Access and Citrix XPe

Brian Scott
SLAC
May 2004

Page 2: SLAC Remote Access and  Citrix XPe

Windows Remote Access Solutions

Citrix
– Allows access to a full Windows desktop and/or various applications

VPN/PPTP
– Provides encrypted tunnel between remote system and SLAC internal network

Remote Desktop Protocol
– Unencrypted access to Windows XP system
– Requires use of VPN before using RDP

Page 3: SLAC Remote Access and  Citrix XPe

File Access

Citrix provides access to all internal resources to which you have permissions

VPN access available to central Windows file servers

No longer allowing access to Windows file sharing to desktops via VPN

Page 4: SLAC Remote Access and  Citrix XPe

E-mail

Microsoft Outlook access available via several mechanisms
– Citrix (full thick client access)
– Outlook Web Access (OWA), new version coming with Exchange 2003 migration this summer
    Old version: https://www-mail.slac.stanford.edu
    New version coming soon
– VPN and use of Outlook thick client

Page 5: SLAC Remote Access and  Citrix XPe

Citrix XPe

April 2004 - Finished rollout of Citrix XPe farm
– Farm running Windows 2000 with Citrix XPe
– Support for Windows Systems and Linux (private build to support Secure ICA over SSL)
– 900+ accounts

May 2004 - Shutdown Citrix MetaFrame 1.8 farm
– Farm ran Windows NT TSE with Citrix MetaFrame 1.8

Page 6: SLAC Remote Access and  Citrix XPe

Secured Communication Protocols

128-bit SSL encryption.
– Initial communication between Web Portal servers (Citrix MetaFrame NFuse) & client.
– Subsequent communication between Application servers (Citrix MetaFrame Presentation server) & client.

Citrix SSL Relay Service.
– Server-to-server communication.

Citrix Secure ICA - RSA RC5 128-bit encryption.
– ICA session between Application servers & client.
– Enforceable to client as minimum requirement.

Page 7: SLAC Remote Access and  Citrix XPe

Redundancy within Citrix Servers

2 Citrix NFuse Web Portal servers.
– http://slaccitrix1.slac.stanford.edu
– http://slaccitrix2.slac.stanford.edu

2 Independent Management Architecture (IMA) Citrix Control servers.

N+2 Citrix Presentation servers in excess of peak capacity in Silo-1 (General Apps).

N+2 Citrix Presentation servers in excess of peak capacity in Silo-2 (Restricted Apps).

Page 8: SLAC Remote Access and  Citrix XPe

2 Silos

Silo 1
– The purpose of the Silo1 servers is to provide access to the common set of applications to all SLAC Citrix users.

Silo 2
– The purpose of Silo2 is to provide metered access to applications with certain licensing restrictions. For example: Certain applications are only licensed to be run by members of certain SLAC departments. Other applications are only licensed to be executed by a limited number of concurrent users.

Page 9: SLAC Remote Access and  Citrix XPe

Server Configuration

Web Portal Servers
– The Web servers host the Web Interface for Citrix MetaFrame XP. The Web interface consists of Java objects and Web server-side scripts that reside on the web servers.

Citrix SSL Relay
– The Citrix SSL Relay is a service that runs on the MetaFrame XP servers and secures communications between the Web portal servers, the IMA servers, the MetaFrame XP application servers and ICA client PCs.

IMA Servers (Data Collectors)
– The data collectors manage server farm dynamic data and client enumeration/resolution.
– MetaFrame XP server farm administrator permissions
– Citrix MetaFrame XP product licenses
– MetaFrame server configuration settings
– Published application configuration settings
– Application load balancing configuration settings
– Printer management information settings
– MetaFrame XP server farm policies
– MetaFrame Resource Manager configuration settings
– Citrix Installation Manager settings

MS SQL Server
– Data store for IMA servers

WTS Licensing Server
– The WTS Licensing service on the AD domain controllers is responsible for providing WTS licensing tokens for WTS clients (including ICA client PCs).

Page 10: SLAC Remote Access and  Citrix XPe

[Diagram: SLAC Citrix XP Server Farm (updated 11/26/03). Elements shown: Client PC (Web browser, ICA client); Internet; border router; SLAC LAN; NFuse Web Servers wtsxpportal1 and wtsxpportal2; IMA Servers slacwtsima01 and slacwtsima02; MetaFrame XP Application Servers slacwtsxp01, slacwtsxp02, slacwtsxp03 ... slacwtsxp15; IMA Data Store SQL Server MSSQL1; TS Licensing Server on the AD DCs; User Home Directories & Roaming Profile Storage on ZWINSANs. Callouts on the diagram are numbered 1 to 4.]

Page 11: SLAC Remote Access and  Citrix XPe

SLAC WTS XP Server Farm -- Two-Silo, Two-Tier Model

Updated: 11-21-03

Separate images for rapid recovery

Web Portal
– WTSXPPORTAL1 WTSXPPORTAL2

Separate images for rapid recovery

Farm Control Servers
– SLACWTSIMA01 SLACWTSIMA02

WTS XP Server Farm Data Store Database
– SQL 2000 Database Server
– MSSQL1

Silo-1: User Desktop Sessions and Common Applications
– Silo1 Release Candidate image: S1Vn+1
– Silo1 Staging Server: SLACWTSXP01
– Silo1 production image: S1_Vn
– One load-balanced published desktop for all SLAC WTS users
– SLACWTSXP02 SLACWTSXP03 SLACWTSXP04 SLACWTSXP05 SLACWTSXP06 SLACWTSXP07 SLACWTSXP08

Silo-2: Restricted & Metered Applications
– Silo2 production image: S2_Vn
– Access-controlled seamless apps only, no desktops published from Silo2
– SLACWTSXP10 SLACWTSXP11 SLACWTSXP12 SLACWTSXP09
– Silo2 Release Candidate image: S2Vn+1

Page 12: SLAC Remote Access and  Citrix XPe
Page 13: SLAC Remote Access and  Citrix XPe

CITRIX DEMO