It is year end… Again..

2016 to 2017

This is going to be a quick/brief blog.  The point behind it is to get you to read or reread two previous blogs.

A couple of years ago, we discussed the significance of year-end in IT in two previous blogs.

In the first blog “Year-End – What to Expect in IT”, we discussed why many companies incorporate a change lock-out policy for the end of the year.  Though that blog is two years old, almost everything discussed is still valid this year.  The biggest difference is that I did not have to camp out for the door-buster deals.  This year, Black Friday started on Thursday around 5 or 6pm.  Luckily, that annoying holiday called Thanksgiving did not get in the way of retailers having their employees on hand.  (Please add a note of dripping sarcasm when you read the previous sentence.)  In fact, most of the sales started on-line Thursday morning.  I did not have to go to the store or wait in a line to get what I wanted.

In the second blog “End-of-Year IT Tasks”, we discussed the tasks that may need to be done to prepare for the end of the calendar year.  Everything in that article is still valid today.  Please use the links provided to review these previous blogs.  If not both, at least read the tasks article.  It may help you remember a task you needed to do to prepare for the end of the calendar year.

 

As always, please feel free to post any questions or comments below or reach me directly by email.

Craig R. Kalty
(CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)
Sr. Network Consultant craig.kalty@customsystems.com

©2016 Custom Systems Corporation

Citrix XenApp/XenDesktop 7.11 – Is this the version we should be on?

It is December 2016 and we have hit that point again where I have been asked numerous times what version a client’s XenApp/XenDesktop (XA/XD) environment should be on.  We have situations where clients are building new version 7.x XA/XD environments and others that are on lower 7.x versions and are wondering if they should upgrade.  Basically, I am being asked a few questions:

  • Is version 7.11 stable?
  • Should I build or upgrade to 7.11?
  • How great is the risk?

The quick answer to the first question is ‘yes’.  Version 7.11 is not a major change to the engine behind previous versions of XA/XD.  In fact, the VDA (Virtual Delivery Agent) is probably at its best in this version.  Issues where a server or desktop shows as unregistered have been addressed with this new VDA.  This version is more of a features update than anything else.  Version 7.11 has been out for a few months now, so you are not quite on the ‘bleeding edge’ by installing it.  I am not saying all the kinks have been worked out, but what is left should be minor.

In answer to the second question, I am going to say ‘most likely’.  I can’t say definitely because there are situations where you may not want or be able to go to version 7.11 at this time.  For instance, there are companies with policies that determine what level of a software release can be utilized.  These policies may prohibit going to version 7.11.  I don’t agree with upgrading for the sake of upgrading.  This goes back to the old saying: “If it isn’t broke, don’t fix it”.  If you have a viable reason for performing the upgrade, then definitely upgrade to 7.11.  If you are building a new farm, then start at version 7.11.  One sure reason why you would want to go to version 7.11 is Windows Server 2016 support.  If you want to utilize Windows Server 2016 in your farm, then you have very little choice but to install version 7.11.  In fact, version 7.11 is the first time that Citrix had a version released for day 1 availability on a new full version of Windows Server.

New versions of software always come with risks.  Proper testing and other precautions will mitigate some of the risks.  It has been my experience so far that upgrading from other 7.x versions to 7.11 has been very successful.  In fact, Citrix has taken a lot of the difficulty out of the upgrade process.  You can upgrade from versions prior to 7, but I prefer a migration path in those cases.  Migrations always give you more chances to test properly and run in parallel before going to production.

As always, please feel free to post any questions or comments below or reach me directly by email.

Craig R. Kalty
(CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)
Sr. Network Consultant craig.kalty@customsystems.com

©2016 Custom Systems Corporation

Secure Remote Access

Custom Systems and Citrix Make Mobile Access Secure and Simple

Isn’t mobility great? It makes it possible for employees to work anywhere, on any device, and be more productive than anyone could have ever imagined. But it’s not always so great for your business when it comes to making that access both secure and easy.

Increasingly, security concerns are putting companies between a rock and a hard place – having to choose whether to limit mobile access to company data on corporate or personal devices (which makes it harder for people to work at maximum productivity) or to give employees free rein to use their own devices (which makes it harder to secure sensitive data).

And don’t get employees started on the usability challenges that mobility can create. It’s hard to achieve the productivity that mobility offers when they have to use different interfaces and credentials for different devices – and even then might not be able to access all the corporate resources they need.

Fortunately, Custom Systems provides app and desktop virtualization solutions powered by Citrix that eliminate these challenges. By virtualizing apps and desktops, employees can work remotely, stay productive, and easily use the devices they prefer – from company laptops to personal tablets or smartphones – for mobile access over any type of network connection. They also receive the same consistent experience across all devices. And you can rest assured that business-critical information is safe because secure access to both data and apps is built in.

To learn more about all the benefits of app and desktop virtualization solutions from Custom Systems and Citrix, visit www.SolveITwithCitrix.com/infographic/customsystemscorporation where you can access a library of resources including whitepapers and videos. Or give us a call.

David Bubb, Sales Director
david.bubb@customsystems.com

©Custom Systems Corporation 2016

Issue: Printing – Solution: Tricerat

As is usually the case, the subjects of my blogs tend to correlate with situations currently being seen in a client’s environment. Recently, we have had more than one client with printing issues in their environments. The problems range from driver issues to an application’s ability to recognize a user’s printers. In each case, we tried to handle the situation using the built-in tools within the Citrix products to resolve our issues. Do not get me wrong, I think the current set of printing utilities Citrix offers for their products are some of the best built-in solutions we have had. However, we still had issues they could not resolve. So, it was time to turn to a third party product. As the title implies, we tested Tricerat’s Simplify Printing product. I know this is starting to sound like a product endorsement, and in a way, it is. However, my intention is to share a solution to various printing problems we faced. To be fair, I am not saying that Simplify Printing is the only solution out there, but I have been using Tricerat’s products for years and it is one of my go-to solutions.

As I was saying, I am writing about this because of recent events. So, let’s take a look at those events.

Problem 1  – Solution – Tricerat ScrewDrivers

At the first client, we had a situation where users worked from a XenApp/XenDesktop environment, but would travel to multiple company sites. They needed to print at each site while accessing a virtual desktop back in the data center. Users needed to have multiple printers for multiple sites. Just assigning all the printers to the users did not work. Typically, the user would forget which printer was defaulted and send items to the wrong printers. Our original solution was to assign printers based on IP address of the client. The problem we ran into was that the number of printers at each site made it an administrative nightmare to work printer assignments/policies at an individual user level. Simplify Printing has a utility that allows the user to assign the printers that they need for themselves. Each printer in each location has its active directory name labeled where the users know to look. The Simplify Printing utility is a published application the user can open and select the printer they need. All they had to do was look at the name label and find the printer in the list. This did take a little bit of user training, but once the users got used to this process, calls to IT for printer problems dropped to almost none. There were other benefits from the installation of Simplify Printing. The product handled all the print drivers. We no longer have printer drivers in the Citrix environment for all of those various printers. The Citrix environment no longer had to fully process print jobs which saved on system resources. External users had a better printing experience once they installed the Tricerat ScrewDrivers client because all the features of the local printer were now available to them.

Issue 2 – Solution – Tricerat Simplify

At another client, a law firm, the issues started in the XenApp environment. However, Simplify Printing was not implemented at the Citrix level. It was implemented at the domain level so all printer functions in the environment, not just the ones in Citrix, are handled by Simplify Printing. The original issue involved printers needing to be assigned based on user groups. However, just because a user was in a group, that did not mean they had the right to use all the printers the group had assigned. For instance, there are users in the Marketing group that need to be in the group, but do not need rights to Marketing’s color multifunction printer. Citrix policies helped, but they got out of hand. Also, as stated before, this issue was not just at the Citrix level. The dashboard in Simplify Printing made it easier to assign printing rights while also controlling exclusions. Assignments made at the domain level were inherited in the Citrix environment as well. It literally became an administrative matter of drag and drop to control printer assignments/permissions.

At a third client, we had an industry specific, third party application, which also had company specific modifications. The handling of printers in this application is archaic in my opinion and does not follow proper conventions. We also had extremely limited control over it. Built-in Citrix printing utilities could not give the application what it wanted because of how printers were named for user sessions. A script created by one of the administrators was a semi-viable solution, but still had issues. Simplify Printing’s custom naming allowed us to get a modification in the app to make the user’s printers recognizable. This is another location where Simplify Printing will soon be used for all printer assignments in the domain. They are also looking into another Tricerat product called Simplify Scanning to help with their scanning needs.

In some cases, it was a matter of trial and error to get to where we wanted to be. We even needed help from Tricerat support to get things just right. However, that is not a dig on the product. We just had some tricky situations to resolve. I am going to do a little more shameless endorsement and tell you that the support team really cared that they find a solution for us.

As stated earlier, Simplify Printing is not Tricerat’s only product. Besides printing and scanning, they have products that handle monitoring, profiles, clipboard sharing, and backup. They also offer their products in a bundle called the Simplify Suite. I have not had the opportunity to use each and every one of their products in production environments, but the scanning and profile management products are also go-to solutions for me.

As always, please feel free to post any questions or comments below or reach me directly by email.

Craig R. Kalty
(CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)
Sr. Network Consultant craig.kalty@customsystems.com

 

 

 

©2016 Custom Systems Corporation

New Features in XenApp & XenDesktop 7.7

The latest versions of XenApp and XenDesktop were released at the end of December 2015. Version 7.7 of both products will be followed up by another version (7.8) currently scheduled to be released sometime in the 1st quarter of 2016. Citrix is being a little more aggressive with these releases because they are trying to accelerate their relationship with Microsoft, increase integration between products, and (re)introduce features.

With version 7.7, Citrix has given us these new features:

    • Zoning – Why does that sound familiar? Prior to version 7, zoning had always been a part of XenApp and even MetaFrame. When version 7 was released, zoning was not included. With version 7.7, zoning is back. It has the same purpose as before. Zoning gives us simplified management across geographically dispersed deployments. One XenApp site can now be deployed in multiple geographical locations while enabling application control from one console.
    • Application Limits – Another feature being revived is the ability to put certain limits on published applications. This is where an administrator can control how many concurrent sessions can be active at one time, how many active sessions of a published application a user can have open simultaneously, and more.
    • Advanced Database Configuration – Previously, all database activity was installed in one location. Now, the site, monitoring, and logging databases can be installed on different servers and even in different locations. As a note along this path, SQL 2012 SP2 is now installed instead of SP1.
    • Improved Maintenance Notifications – Notifications to users about system maintenance can now be configured to go out at a specific time prior to the maintenance commencing and reminders can be sent at configured intervals.
    • Skype for Business functionality – This allows for a full installation of Skype using a desktop or a virtual app. The RealTime Optimization Pack will need to be installed to provide a user with the best experience while using Skype for Business.
    • Citrix Director Improvements –
      • Defined application limits (see above) are now shown in Director.
      • Director can use your windows credentials to authenticate you (single sign-on).
      • Better SCOM 2012 integration.
      • Proactive monitoring alerts to help improve reaction time.
      • New usage views for both desktop and server OS’s. Usage can be viewed at the site, delivery group, and machine level.

Along with new features, there are a number of enhancements:

    • There are updates to platform support. This is to allow and improve performance with new hardware technologies.
    • New APIs are being introduced for developers. Using PowerShell SDK, session roaming can be tailored to an organization’s needs. Another API will allow for the access of templates, images, and snapshots across multiple hypervisor connections.
    • Windows 10 support for the VDA and Studio is now available.
    • Extended integration with Microsoft Azure – You can now use Machine Creation Services (MCS) from XenApp and XenDesktop to provision virtual machines in Azure.

Look for a future blog post detailing the changes coming in version 7.8.

As always, please feel free to post any questions or comments below or reach me directly by email.

Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)| Sr. Network Consultant craig.kalty@customsystems.com

 

 

 

©2016 Custom Systems Corporation

Chrome: Citrix Receiver Plugin Unsupported

A recent issue was brought to our attention by a client when a message appeared in the Chrome browser, stating that the Citrix Receiver plugin was not supported. I will walk you through the solution in this week’s post.

While accessing a Citrix StoreFront or Web Interface site in Google Chrome, you may see something like this:


This does not mean that Citrix will no longer support the Receiver. This is actually an issue with the Chrome browser. In order to improve security, Google has decided to disable NPAPI plugin support in the Chrome browser. This affects both Windows and Mac installations. This means that those Chrome plugins we have grown to love and count on will no longer work by default. “By default” is the operative statement here and I will get back to that.
Updates of Chrome as of April 2015 remove NPAPI support. The results of this change have already appeared for the Citrix Receiver. The Receiver Plugin is what checks to see if we already have a client installed and whether it is up to date. It is then responsible for launching applications/desktops when we click on the icon. The plugin is no longer running, so StoreFront will always ask you to install the Receiver because it cannot tell if you have it:


This will also affect NetScaler implementations:

The next thing that will happen is you will not be able to launch an application by just clicking a presented icon. Instead, it will ask to be saved:
And you will have to click on the saved .ICA file to launch the application:
Annoying, isn’t it? So, how do we get around this?

  1. Upgrade to the latest and greatest. Unfortunately, the upgrade is not only on the client side. Citrix has just released updated versions of the Receiver (Windows Receiver ver. 4.3 and Mac Receiver ver. 12.0) and for StoreFront (ver. 3.0). The combination of the latest StoreFront and Receiver will work around this issue with Google Chrome and a similar issue with Microsoft Edge. I believe HTML 5 is used instead of a plugin, but I need to confirm that.
  2. Re-enable NPAPI support. (Note: This is opening up the security holes Google is trying to close. Do this at your own risk.) NPAPI support is disabled by default. We can change the default. Here is how:
    • In Chrome’s address bar, type “chrome://flags/#enable-npapi”:
    • In the list that appears, find “Enable NPAPI Mac, Windows” and click Enable:
    • Click the “Relaunch Now” button on the bottom of the screen. It appears after you make your changes:
    • After relaunch, you will probably still see the warning about the plugin being unsupported because that is part of Chrome. There is probably some way to get rid of it by modifying Chrome, but I am not getting into that here.

There you have it. I hope this helps. If you have any questions or comments, please feel free to leave them in the space below. You can also reach me directly by email.

 

Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)| Sr. Network Consultant craig.kalty@customsystems.com

 

 

©2015 Custom Systems Corporation

Quick Look: This Week’s New Citrix Releases

Citrix released new versions and feature packs for a number of products this week. For some products we received new versions. For other products we received new Feature Packs. Feature Packs are additional features we have the option of including in our deployment. Keep in mind that some features are restricted by licensing.

Let’s take a look at what has been released:

  • NetScaler Gateway 11.0 – Many, many modifications, updates, and new items are included in this new version. The items affected in this new version are DNS, GSLB, Load Balancing, Application Firewall, CloudBridge, Clustering, Gateway, Insight, SSL, Optimization, Policies, etc. Because the NetScaler has many features and many different uses, the list goes on.
  • Citrix Storefront 3.0 – This is a significant face lift for StoreFront. In my opinion, it is a much better look. Enhancements include:
    • The already mentioned new look.
    • Receiver customizations enable functionality with this new look.
    • Google Chrome support has been added so the HTML 5 client is no longer the primary option.
    • An improved SDK.
  • Citrix Receiver 4.3
    • Windows 10 compatibility.
    • StoreFront 3.0 integration.
    • Microsoft Edge and Google Chrome support.
    • Improved Session Reliability
    • FrameHawk graphics mode support with XenApp/XenDesktop 7.6 FP2
      For those that don’t know, FrameHawk is a technology for accelerating graphics in low latency connections to Citrix.
    • ADMX support for Receiver group policy
  • XenApp 7.6 Feature Pack 2:
    • FrameHawk enabled content
    • XenServer 6.5, Service Pack 1
    • Linux Virtual Desktop 1.0
    • HDX RealTime Optimization Pack 1.8
    • Session Recording 7.6.100
    • Storefront 3.0
    • New Receivers
  • XenApp 6.5 Feature Pack 3:
    • HDX RealTime Optimization Pack 1.8
    • Director 7.6.300
    • Storefront 3.0
    • New Receivers

Please post your comments or questions below. You can also reach me directly by email.

Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)|
Sr. Network Consultant
craig.kalty@customsystems.com

 

 

 

©2015 Custom Systems Corporation

Do I really need an Intermediate Certificate?

So what is an intermediate certificate and why do you need one?

Let’s look specifically at its purpose in the NetScaler appliance. This provides us the opportunity to explain the installation of an intermediate certificate on the latest release of NetScaler firmware in the next blog.

Certificates protect our data. Working with certificates is an important, necessary evil. In the past, Web Developers and Network Engineers did the majority of work with certificates. It has become more common for administrators and other IT people to get involved with them. It is becoming more and more prevalent for us to use certificates to protect our internal/private communications as well as external/public communications. Certificates are a key component of Secure Sockets Layer (SSL) which is the primary form of security for the Internet. SSL is used to encrypt data (whether on the internet or internally). The purpose of the certificate is to provide the key to decrypt the data and authenticate that you are communicating with your intended target. Simply put, using a certificate makes sure the only ones who can decrypt the data are the two endpoints doing the communication.

So, where does an intermediate certificate come into all of this? An intermediate certificate is kind of a proxy certificate. Authentication methods for SSL communications utilize the root certificate supplied by the organization that issued the requested certificate used to provide SSL for our service. The purpose of an intermediate certificate is to allow us to install the root certificate in a higher level of security and use a different certificate that is signed from the root certificate to front-end the root. That front-end certificate is the intermediate. Since the intermediate was signed by the root certificate, it can act as a “middle-man” for the root and the service’s issued certificate. The term for this is the “Chain of Trust”. In essence, we are protecting the key to our data communications.
The need for an intermediate certificate will depend on what service you are offering from the NetScaler. It actually depends on the requesters connecting to our service. For instance, the most common purpose of a NetScaler in a Citrix XenApp/XenDesktop environment is to be the secure access gateway (besides being a load balancer and all the other features). The access gateway service requires a certificate. You can acquire your certificate from whichever provider you are most comfortable with.
A very common issue occurs when you do not have an intermediate certificate installed on the NetScaler. Windows PCs will connect without a problem, but Apple MACs, Apple devices (iPads and iPhones), and Android devices will not connect. You usually see an SSL error or something similar. The reason for this is the requester’s operating system. When released, operating systems usually include a batch of recognized root certificates from various providers. The operating systems on the devices that cannot connect most likely do not have the root certificate needed to validate the certificate your service is providing. In order to complete the “Chain of Trust” for these devices, we need to install an intermediate certificate on the NetScaler (or the server or device offering the SSL certificate). Once the intermediate certificate is installed on the NetScaler and linked to the proper certificates already on the NetScaler, all devices should be able to connect.
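
A local check for the missing-intermediate failure described above, added here as an example and not taken from the original post. It uses the openssl command line to build a throwaway root, intermediate and server certificate (every name is constructed) and verifies the bundle a gateway would present the way a client that trusts only the root would.

```shell
#!/bin/sh
# Added example: constructed three-level PKI, nothing here comes from a real CA.
# Names such as "Example Root CA" and gateway.example.test are made up.

# build_chain DIR: create root -> intermediate -> server certificates in DIR,
# plus the two bundles a gateway could present to a connecting client.
build_chain() {
  dir=$1
  cnf=$dir/pki.cnf
  cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: the only certificate the client trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -days 30 \
    -extfile "$cnf" -extensions v3_ca -out "$dir/int.pem" 2>/dev/null || return 1
  # Server certificate, signed by the intermediate (not by the root).
  openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
    -subj "/CN=gateway.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" \
    -CAkey "$dir/int.key" -CAcreateserial -days 30 \
    -extfile "$cnf" -extensions v3_leaf -out "$dir/leaf.pem" 2>/dev/null || return 1
  # What the gateway presents: server certificate alone, or with its intermediate.
  cp "$dir/leaf.pem" "$dir/served_leaf_only.pem"
  cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/served_full.pem"
}

# count_certs BUNDLE: number of PEM certificates in the bundle.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# client_accepts ROOT BUNDLE: succeed if a client that trusts only ROOT can
# build a chain for the first certificate in BUNDLE, using the remaining
# certificates in BUNDLE as untrusted intermediates.
client_accepts() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  work=$(mktemp -d) || return 1
  build_chain "$work" || { echo "openssl failed"; return 1; }
  for bundle in served_leaf_only served_full; do
    n=$(count_certs "$work/$bundle.pem")
    if client_accepts "$work/root.pem" "$work/$bundle.pem"; then
      echo "$bundle ($n certificate(s)): chain verifies"
    else
      echo "$bundle ($n certificate(s)): chain does NOT verify"
    fi
  done
  rm -rf "$work"
}

demo
```

Without the output redirection in `client_accepts`, the leaf-only case reports `unable to get local issuer certificate`.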
In the second part of this post, I’ll explain how to install certificates on a NetScaler. For those of you not interested in the NetScaler (whoever that one person is), read or read not. It’s your call.
Please post your comments or questions below. You can also reach me directly by email.

Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)|
Sr. Network Consultant
craig.kalty@customsystems.com

 

 

 

©2015 Custom Systems Corporation

XenApp 7.6 – Are we there yet?

In a previous blog, I discussed upgrading to the XenDesktop/XenApp version 7.x product lines. On the XenDesktop side, I briefly discussed that the decision to upgrade is a no-brainer. Just do it. For version 7.6, I still hold to that statement. However, for XenApp, I said to be careful before jumping in. The reason for that was the loss of many features that we had in IMA and not under the new FMA architecture. XenApp 7.6 does a great job of closing that feature gap. With the release of 7.6, we get back these features:

  • Anonymous login to enable a kiosk mode.
  • Session linger which holds a session in an active state for a little while in case we did not mean to disconnect from our session or realized there is something we forgot and needed to jump back in.
  • Application pre-launch which enables faster user logon.
  • Resilient connections (called Database Connection leasing) which is similar to the purposes of Local Host Cache in previous versions.
  • FIPS compliance which is important for security particularly with the government.
  • Application folder support to help us organize our published applications.

This feature set includes most of what I had said was missing in the previous blog. There are still a few features missing in the FMA architecture. For instance, one feature I wish to have back is the ability to specify that a server be able to publish applications across different sets of servers. For example, I used to be able to publish an application on Servers 1 through 3 and then publish another application on servers 3 and 4. Or, I could have published an application across a group of servers and then exclude some of those servers when publishing another application. We cannot do anything similar to that in XenApp 7.x. At the moment, you can put a server in one group only and all published applications are across all servers in that group. If you have multiple groups of servers, it is not possible to create just one published application across some or all the servers in different groups. Each group would have its own set of published applications.

We do get a lot of new features in the release of XenDesktop/XenApp 7.6. There are new features that have to do with hosting, provisioning, and more. However, I am focusing specifically on the XenApp side. New XenApp features since 7.5 include:

  • USB 3.0 support. This does not mean everything we plug in to a USB 3.0 port is usable within XenApp, but it does mean that USB 3.0 drivers are recognized and supported devices can be accessed through the port.
  • Improved graphics acceleration.
  • A new XenApp 6.5 to 7.6 migration tool.

While focusing on the new, let’s not lose sight of the other advantages of XenApp 7.x:

  • Support for Windows Server 2012 and 2012 R2. So, if you want to utilize the latest server technology, XenApp 6.5 will not cut it.
  • The installation for version 7.x has been greatly streamlined. It is much easier than version 6.5.
  • HDX improvements.
  • Cloud compatibility and integration.
  • More.

So, the question remains: Upgrade or not? In my previous blog, I was more in the ‘not’ zone. With XenApp 7.6, I am now in the ‘maybe’ zone. If your XenApp 6.5 farm is working fine and you have no pressing reason to upgrade, then why fix what is not broken? If you want to work towards moving off XenApp 6.5 and can bring up new servers without touching the old, you can run both farms side-by-side. You can utilize Storefront or even Web Interface to make it seamless to the users.

Keep in mind that I am not saying that XenApp 7.x is a bad product. It is not. If you are building a new farm then you definitely should be going to XenApp 7.6. I am just talking about the upgrade decision. I believe that XenApp 6.5 is a great product and should not be dropped because a new version of XenApp is out. I am a consultant. It would be in my interest for my clients to upgrade their environments. However, I also work at being a trusted advisor for my clients and would not have them perform an upgrade for the sake of going to the latest and greatest.

What do you think? I’m always interested in hearing about your experiences with Citrix XenApp. Please post your comments or questions below. You can also reach me directly by email.

Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)|
Sr. Network Consultant
craig.kalty@customsystems.com

 

 

 

©2015 Custom Systems Corporation

It’s all about the data… And secure, remote access

It always comes down to data. In order to function properly in their jobs, employees need access to data. Along with access to the data, they need a comprehensive method of utilizing the data. In the office, employees have secure access to the data they are permitted and the means to utilize the data. However, the company office is not the only place users require access to data.

We now have users that work from home, mobile, and remote offices. We have so many types of portable devices, Wi-Fi access, and the Internet at our disposal that we can be just about anywhere and need access to company data. So, if employees are not in the office, how do we make it possible for them to securely access data and provide the means to utilize it?

There are many solutions we could implement to offer our users secure remote access to data. Each one has its pros and cons involving ease of use, security, performance, and comprehensiveness. All the methods have the ability to be secure (some more secure than others). All solutions have the ability to require users authenticate/logon. In fact, depending on how each access solution is implemented, they all have the ability to make use of two-factor authentication. All methods have a varying level of complexity to implement. Here are some of the most common solutions:

  • Public Facing Websites – a website that is accessible to the Internet to provide users access to data in the company’s private data center. Security can be provided by SSL encryption and user authentication (logon). The webpage provides the GUI for users to comprehensively utilize data. The application being used can determine how viable a website solution is. Many third-party applications already provide web based access. For instance, almost every third-party e-mail solution of today has the ability to provide access through a webpage. In-house developed applications may or may not have been created with web access and may not be viable for straight access through the Internet. The biggest con to a web-based solution is security. You are providing a public doorway to your data with a webpage. If you do everything correct in securing the page you should be fine, but there is always risk.
  • Cloud Services – in essence, another form of web-based access to data, with some differences. For instance, one difference may be where the data resides. Cloud-based solutions do not always keep the data in the company’s private data center. The data could reside at the data center of the cloud solutions provider instead. Required hardware and security are then provided by the cloud provider. Enterprise organizations may have the means to offer their own cloud-based solutions, but most small to medium companies will need to lease a cloud-based solution. Cloud services are a subject in themselves.
  • VPN – a Virtual Private Network solution offers a user a remote connection directly to the company network that behaves as if the user is on the local network. Using features like split-tunneling, communications meant for the company network can be segregated from other communications the user may be utilizing (e.g., Internet browsing). The most common form of VPN today is an SSL VPN. As the name implies, it utilizes SSL encryption for security. Almost all VPNs in use today utilize Internet access. However (believe it or not) some organizations still require the higher security of dial-in access. The problem with a VPN is that though it does a great job of getting you connected to the company network, you still need a method of utilizing the data. Once connected through a VPN, a user can access an internal web site, run an application that is on their device that knows to connect to data through the VPN, or access something on the network that will enable the user. This solution is probably the easiest to implement for an administrator, but it can also be the one with the highest learning curve for the user. Many times, the users will have to take extra steps in order to enable proper data access.
  • Remote Desktop Services (RDS) or Citrix XenApp – RDS comes with Windows Server (2008 or 2012). It allows users to access server based desktops or applications. The user is given access to either a full desktop or just specific applications. The desktops or applications are all running on a server back in the data center. The data and the applications are never on the remote user’s device. Only keyboard presses, mouse movement, and changes in video are transmitted between remote device and data center. The data remains safely in the datacenter. In this solution, users are sharing server resources, but do not interact with each other. RDS requires Client Access Licenses for each accessing user. Citrix XenApp installs on top of RDS and enhances RDS abilities (think of it as RDS on steroids). RDS was designed by a combined team of Microsoft and Citrix specialists, so Citrix knows how to enhance RDS. XenApp is faster, more secure, easier to administer, and has more features than RDS. I have been working with Citrix XenApp and its predecessors since the late 90s and love it, so I am a little biased when I say that this is my preferred solution.
  • Virtual Desktop Infrastructure (VDI) – refers to Citrix XenDesktop, VDI-in-a-Box, VMware View, and similar products. In this case, users connect remotely to a virtual machine that is running a desktop OS (Windows XP, 7, or 8). Like RDS and XenApp, the data stays in the datacenter. Only keyboard presses, mouse movements, and screen changes are transmitted. The difference is that the user is accessing a desktop with its own resources instead of sharing resources with other users. Applications installed on the desktop provide users with comprehensive access to data and a high level of application compatibility. This solution is generally more expensive to implement, but it can also be one of the most secure and comprehensive ways to enable users both locally and remotely.
  • Remote PC – this refers to services like VNC, LogMeIn, and even Citrix XenDesktop. In this case, the user is taking remote control of a physical PC/workstation in the company office. For instance, a user has a desktop that they work on in the company office. When they are outside the company office, they can connect back to their company office desktop and control it remotely. This provides the user with the same working environment internally and externally. However, this method tends to be a little slower and is affected more by bandwidth and slowness issues. I mention Citrix XenDesktop again because XenDesktop has a feature where it can have an agent on a physical desktop and provide that desktop to a user instead of a virtual machine. Because it uses Citrix’s ICA protocol and access methods, Citrix’s Remote PC solution tends to provide higher performance than others.

There are many other solutions for accessing data from the outside world, but not enough time to explain each here. I have instead listed the ones I consider the most prevalent. There is one consideration in the securing of data that I did not stress and I am going to do so now. The safest place for your data is in the datacenter. If data is stored on or copied to a remote device, it is harder to keep the data safe. If data is stored only on a remote device and not on the network, loss of that device through hardware failure or theft will most likely mean irreplaceable loss of that data. Solutions like RDS, VDI, Citrix, and remote PC keep the data in the datacenter and still allow the users adequate access to it. VPN solutions allow for, and sometimes need, data to be on a remote device. When deciding on a method of access, keep in mind where you want the data to be stored and how you want it accessed. That should be one of the primary deciding factors.

Questions? As always, please post your questions or comments below.

 


 

Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)
Sr. Network Consultant
Craig.Kalty@CustomSystems.com

 

 

 

© 2014 Custom Systems Corporation