Monthly Archives: November 2012

The IT manager role (car paradigm)

The “pre-cloud” era (or, before virtualization and public cloud providers): Read instructions, assemble all parts, turn engine on, let everybody drive (and then pick up the pieces):

Some assembly required…

The “cloud” era (or, virtualized datacenter, services outsourced in the cloud): Get in, put company in the back seat, CEO sits in front, CIO drives:


Squeezing VDI in a box

Virtual desktop infrastructure (VDI) is nothing new. Decoupling a Windows desktop from a physical PC and converting it into a virtual image, accessible from more than one terminal, has been around for many years, pioneered mostly by Citrix. XenDesktop is the platform of choice for large enterprises, rolling out hundreds or thousands of virtual desktops for internal users and mobile workers.

However, implementing a VDI solution is a complex project with lots of moving parts, and XenDesktop is no exception: for an end-to-end solution that can be used from all sides of the enterprise (intranet, Internet and extranet users) one needs all of these: a virtualization platform (hypervisors and shared storage), connection brokers, catalog repositories and an asset database, provisioning services, desktop image preparation tools, connection proxies, firewalls and load balancers.

Well… Citrix has managed to squeeze all of the above into a single box, with VDI-in-a-box (ViaB). The acquisition of Kaviza in 2011 led to the release of ViaB with tight integration of HDX (the network protocol used by XenDesktop to move pixels, keystrokes and data between the virtual desktop and the user endpoint) and NetScaler (Citrix’s load balancer and application proxy). ViaB comes in the form of a virtual appliance, ready to boot in your favorite hypervisor (ESXi, XenServer and Hyper-V). The ViaB appliance talks directly to the hypervisor to provision virtual desktops; it is itself a connection broker, provisioning server and image preparation platform, and it works in a grid with other ViaB instances, forming a VDI cluster by just setting up more hypervisor servers, each with a ViaB appliance, and joining them in a single cluster. ViaB works with local storage in each hypervisor – no requirement here for DRS or shared SAN storage.

I recently had the chance to set up ViaB as a proof of concept. Literally, the solution is enclosed in a single box. Using a 16GB RAM dual-socket server with ESXi 5.1 (free edition), ViaB was set up and configured in less than two days, given that everything was configured from scratch. The recipe is:

  • A Windows 7 Pro DVD iso image (and corresponding valid key)
  • A Windows 2008R2 server iso image
  • A physical server. Anything with 16GB RAM and 60GB local storage is sufficient for a PoC with five concurrent desktops.
  • Citrix Netscaler 10 virtual appliance (I used version 10, build 71)
  • VDI in a box version 5.1.1 ESXi virtual appliance
  • To test with Internet desktops, two public IP addresses and a valid FQDN DNS entry pointing to the Internet IP address of ViaB. The other IP address is used for outbound connections from the desktops to the Internet via NAT, through NetScaler.

There are detailed guides from Citrix to set up your environment here; the process is quite straightforward, just pay attention to small details like setting up your ViaB to talk correctly to Active Directory services and your DNS server. In a nutshell, that’s what you do:

  1. Set up your hypervisor. A single Ethernet interface will do for Internet access. All the other subnets and port groups will be contained inside your hypervisor virtual switch. You need one virtual switch and three port groups in ESXi: an Internet port group, attached to your Internet public network; a private numbered port group to run your virtual desktops, the ViaB appliance, your Windows domain controller and the internal NetScaler proxy port; and finally another VMkernel port group, in the same private IP subnet as your VDI subnet, so that the hypervisor can be accessed from your ViaB appliance. Make sure you have configured an ESXi management address there. The setup I used is shown below:
  2. Install NetScaler with an access gateway license. NetScaler is a fully featured application delivery controller (ADC) which, in our context, will be used as an HDX proxy for desktop connections to the end users via the Internet through SSL (TCP port 443) and also as a NAT gateway/firewall, so that all virtual desktops can send traffic to Internet hosts. Installation is easy: download the virtual appliance from Citrix and deploy it on ESXi. Set up one NetScaler interface on the public (Internet) network and another interface on the internal private network.
  3. Install the ViaB appliance. The whole process takes minutes. Just deploy the OVF template, downloaded directly from Citrix. Add a license and configure ViaB to talk to your ESXi through the management port set up in the VMkernel port group.
  4. Install a Windows 7 image, enter a valid key, apply the latest Windows updates, install VMware Tools and leave it running. This image must have a single Ethernet interface attached to the internal VDI network.
  5. Install a Windows 2008R2 server, add Active Directory services, configure DHCP and DNS, apply Windows updates, install VMware Tools. Again, attach a single interface to the VDI network. Promote it to domain controller and set up a new forest, which will be used to authenticate your desktop users, attach virtual desktops to the domain and apply group policies. This domain controller will also be used to host your users’ roaming profiles, since the desktops that I will deploy are stateless, erased and recreated every time a user logs out. Here, you can of course use an existing domain controller; just make sure you configure your virtual networks and routing correctly. Best practice is to use separate OUs for desktops and users. A snapshot of the AD structure:

    AD structure

  6. Configure a public FQDN pointing to your external NetScaler IP address. Also create a NAT rule in NetScaler, permitting traffic from the internal VDI network towards the Internet.
  7. Now, go to Citrix and follow the instructions in this article. Configuration occurs in two places: NetScaler, to set up the access gateway, and the ViaB appliance. The most tedious part is the configuration of NetScaler. I preferred the method described above instead of using the access gateway wizard, since it’s easier to go back and correct mistakes.
  8. After you have configured NetScaler and the access gateway, you are ready to start building desktop images. VDI-in-a-box here is a great tool to use, since it hides all the mechanics of using sysprep and other tools: it prepares your Windows 7 image, installs the Citrix HDX agents, configures the Windows firewall and lots of other settings.
  9. After you test your image, create templates, add users or groups from your AD and you are set to go. To access virtual desktops, your users have to install Citrix Receiver and point any browser to your NetScaler external HTTP port. There, they enter valid credentials from your AD and connect to desktops.
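The steps above hinge on a small set of network-placement rules (VMkernel port in the VDI subnet, every guest except NetScaler single-homed on the VDI port group, NetScaler alone straddling both networks, NAT scoped to the VDI subnet). The following is an added example, not code from the post or from Citrix, that encodes those rules as a checker over a constructed inventory; the inventory layout, subnet and VM names are assumptions for illustration.

```python
"""Check a ViaB lab inventory against the placement rules from the walkthrough."""
import ipaddress

# Port group names as used in the steps above (constructed example).
INTERNET_PG = "Internet"
VDI_PG = "VDI"


def check_topology(inv):
    """Return a list of problems; an empty list means the layout matches the recipe."""
    problems = []
    vdi_net = ipaddress.ip_network(inv["port_groups"][VDI_PG])

    # Step 1: the VMkernel port must sit in the VDI subnet so ViaB can reach ESXi.
    vmk = ipaddress.ip_address(inv["vmkernel_ip"])
    if vmk not in vdi_net:
        problems.append(f"VMkernel {vmk} is not in VDI subnet {vdi_net}")

    for vm, nics in inv["vms"].items():
        if vm == "netscaler":
            # Step 2: NetScaler has exactly one NIC on each network.
            if sorted(nics) != sorted([INTERNET_PG, VDI_PG]):
                problems.append("netscaler: needs one NIC on Internet and one on VDI")
        elif nics != [VDI_PG]:
            # Steps 3-5: ViaB, the Win7 image and the DC are single-homed on VDI;
            # any other guest touching the Internet port group bypasses the ADC/NAT.
            problems.append(f"{vm}: expected a single NIC on {VDI_PG}, got {nics}")

    # Step 6: the NAT rule should cover the VDI subnet only, not a wider range.
    nat = ipaddress.ip_network(inv["nat_source"])
    if nat != vdi_net:
        problems.append(f"NAT source {nat} should equal the VDI subnet {vdi_net}")
    return problems


# Constructed inventory matching the recipe.
LAB_OK = {
    "port_groups": {INTERNET_PG: None, VDI_PG: "10.10.10.0/24"},
    "vmkernel_ip": "10.10.10.2",
    "vms": {"netscaler": [INTERNET_PG, VDI_PG], "viab": [VDI_PG],
            "win7-image": [VDI_PG], "dc01": [VDI_PG]},
    "nat_source": "10.10.10.0/24",
}

# Constructed variant with two mistakes: a dual-homed image and an over-broad NAT.
LAB_BAD = dict(LAB_OK, nat_source="10.10.0.0/16",
               vms=dict(LAB_OK["vms"], **{"win7-image": [VDI_PG, INTERNET_PG]}))

if __name__ == "__main__":
    for name, inv in (("LAB_OK", LAB_OK), ("LAB_BAD", LAB_BAD)):
        print(name, check_topology(inv) or "OK")
```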

My guinea pig was my 9-yr old daughter, who by herself logged in, installed Chrome (and Flash) on the virtual desktop and accessed her favorite web site, all from the iPad:

Windows 7, iPad view

According to my trusted reviewer, the GUI was snappy, without latency and the whole thing felt much faster. Reasonable, since the desktop was running on a Xeon server.

This is the same view from a conventional PC:

Same view from Windows 7 desktop