
Deployment Best Practices for Citrix XenApp over HughesNet Managed Network Services

Table of Contents
Executive Summary
HughesNet Managed Network Services
Citrix XenApp Overview
Best Practices & Recommendations
Appendix A Lab Environment Detailed Diagram
Appendix B Citrix WAN Policy Configuration Instructions
Appendix C SpeedScreen Configuration Instructions
Appendix D Sample DEFAULT.ICA FILE with SpeedScreen Settings

Hughes Network Systems Contact Information: Ajith Edakandi Principal Engineer Hughes Network Systems, LLC (301) 428-7048


Executive Summary
Broadband networks offer high bandwidth but can often exhibit high latency and/or higher jitter with certain wireless technologies. The unique nature of high-latency networks causes poor performance among latency-sensitive applications. Hughes Network Systems leverages over 20 years of experience in managing enterprise networks and has over 110,000 sites under management. The result is a comprehensive set of managed network features and functionality. This functionality, available as part of any one of Hughes Managed Network Services, allows customers to offload much of the network operational support to Hughes, while retaining full visibility and oversight of the network.

HughesNet Managed Network Services has many distinct advantages over other terrestrial-based and other high-latency carriers:

- Business users need only deal with a single vendor for their entire network. (Hughes Network Systems offers terrestrial and satellite managed services.)
- Enterprises have only one communications platform across the network.
- HughesNet offers uniformity of network services throughout the system. Different remote business locations can expect the same level of service regardless of their location.
- Multicasting (one to many) is a natural application in a satellite network.
- The HughesNet service provides high network availability with up-time equal to or greater than other terrestrial-based networks.
- The speed of the network rollout to business users is typically substantially faster compared to other terrestrial-based providers.
- HughesNet is cost competitive at about the same price as alternate enterprise DSL providers and significantly lower than Frame Relay providers.

Citrix XenApp, when used with HughesNet Managed Network Services, can provide an effective application delivery experience over satellite connections. Utilizing Citrix policies to regulate and optimize XenApp features in conjunction with proper implementation of SpeedScreen Latency Reduction provides a desirable end-user experience for satellite network subscribers. The Citrix Access Gateway access solution line complements the XenApp/HughesNet solution by providing efficient SSL VPN capabilities, endpoint analysis and simplified access and administration.

This document was developed in partnership between Hughes Network Systems, the world's leading provider of Broadband Satellite Services for business, government and consumers, and Citrix Systems, the global leader in Application Delivery Infrastructure, to provide systems administrators, engineers, architects and managers best practices in delivering applications with XenApp over HughesNet Managed Network Services.

This article will provide an overview on how to optimize Citrix XenApp to effectively deliver applications to broadband satellite users. The key areas of focus include:

- Overview of HughesNet Managed Network Services
- Overview of Citrix XenApp
- Best Practices and Recommendations


HughesNet Managed Network Services


Typical terrestrial-based networks are built using either copper or fiber optic connections. Those using telephone links and current generation DSL technology can only sustain limited throughput speeds (on average, up to 2 Mbps). Compared to traditional leased-line or DSL connections, fiber optic services offer significantly faster throughput. Both DSL and fiber optic service require some form of physical cabling terminated directly at the subscriber's facility (businesses, home, etc.).

Non-terrestrial networks such as Wi-Fi, microwave and satellite networks hold many advantages over terrestrial-based networks. The most notable is the ability to send and receive data without the physical constraints of DSL, leased-line, or fiber optic connections. Satellite, in particular, is an attractive alternative to traditional Wide Area Networks.

A potential drawback of running TCP/IP over a satellite-based network is a condition known as network latency. Network latency is a measure of the delay in transmission of packets from network ingress to egress. Network latency is composed of two different parts: Propagation Delay, which is a factor of the physical nature of the network topology; and Processing Delay, determined by the processing time at each of the hops along the way. All networks exhibit some amount of latency, which varies based on the physical means of communication. A satellite-based network will exhibit a greater amount of latency due to the physical distance that the signal must travel through space to the satellite and back.

An example of a HughesNet communication medium is depicted below. Among other transport mechanisms, HughesNet also uses satellites operating in a geostationary orbit, approximately 22,000 miles above the surface of the earth. The communications between a remote application client and its central database or network server must first travel nearly 44,000 miles to the central server, and then the response from that server must travel another 44,000 miles back to the application client. The signal travels at the speed of light, the same as Local Area Networks. The approximately 88,000 mile round trip through the satellite defines the bulk latency in a network [Figure 1].

Figure 1 - Distance and Latency

At a minimum, the best-case propagation delay for this transit would be approximately second. Average latency exhibited by the HughesNet satellite service is typically between 600 and 800 milliseconds, depending on traffic prioritization and network load. Software applications that are not optimized to mitigate network latency may, in fact, be making many client to server round trips, significantly lengthening the completion time for a specific transaction.


HughesNet (HN series) satellite routers utilize Hughes' patented Performance Enhancing Proxy (PEP) and TurboPage technology to optimize the performance of many widely used Internet protocols. PEP improves performance by transparently converting various TCP/IP protocols into a satellite-friendly protocol upon entering the satellite network and restoring it prior to leaving the network. TurboPage significantly improves Web browsing performance over satellite by anticipating and fetching a web page's embedded objects before a browser requests them. Working in tandem with Hughes acceleration technology are Hughes' advanced data and header compression algorithms and DNS caching techniques, which result in more efficient bandwidth utilization and a superior user experience.


Citrix XenApp Overview


Server-Side Virtualization with XenApp

XenApp abstracts the user interface from the application processing that occurs on a centralized, secured server. This technology is ideal for delivering client/server applications because it eliminates the complexities of deploying, managing, updating and securing a vast array of client software on each individual user's access device. Instead, a single instance of the client application is installed on XenApp within the secure confines of the data center. The application executes entirely on the server, while its interface is displayed on the user's device. Application delivery can be enabled for any user, regardless of device, network or location.

XenApp delivers applications to users through the Independent Computing Architecture (ICA), a communication protocol by which servers and client devices exchange data in a server environment to separate an application's logic from its user interface. As an application runs on a server, XenApp intercepts the application's display data and uses the ICA protocol to send this data to the ICA client software running on the user's device. The ICA protocol encrypts and transports an application's interface from the server it is running on to the user's client device for display. It then returns the user's input, mouse-clicks and keystrokes, to the application on the server.

This virtualization technology, combined with having both client and server components running together in the data center and other key features of XenApp (Citrix Policies and SpeedScreen Latency Reduction), typically results in improved application performance and end-user experience in comparison to delivering traditional client-server, messaging, and file/print services over a network susceptible to network latency.


Citrix Access Gateway

Citrix Access Gateway complements the available security features within XenApp and HughesNet networks. It is a hardened appliance deployed in a DMZ or other network point-of-entry that secures all traffic with standards-based SSL and TLS encryption. It serves as a complete replacement for Secure Gateway servers or traditional IPSec VPN devices. Remote users connect via an easy-to-use Web client to enjoy a rich, desk-like experience. Always-on access seamlessly reconnects users to their documents when they change locations or devices, or lose connectivity. Integrated end-point scanning ensures user devices remain safe for connecting to the corporate network and access policies determine the level of user access based on administrator-defined rules and end-point analysis.


Best Practices & Recommendations


General High-Latency Network Considerations

In a low-latency, high-bandwidth environment, administrators rarely have to take latency into account. Administrators utilizing satellite (and in some circumstances other wireless) based HughesNet Managed Services for IT service delivery can improve end user experience by reducing client-to-server round trip times, caching data, batching records and packets, and leveraging compression and acceleration technology. Here are some general best practices on how to optimize network communications over high-latency networks:

- Limit the number of client to server round trips - Every round trip from a remote client, through the satellite network and back will typically take between 600 and 800 milliseconds, and occasionally more. While the approximate one second round trip seems almost trivial, a process that makes multiple round trips will become an issue. On a LAN this is not a concern. It is definitely a problem when multiple transactions must take place sequentially over a satellite or other high latency wide area network.
- Cache Infrequently Changing Data Locally - Cached data does not have to be fetched over the network, thus decreasing total network traffic, improving the user experience and increasing user productivity: clients will not have to wait on an operation to complete before performing another one.
- Batch Data Records Together - Multiple record transfers, either upload or download, to/from a server over the network are almost always best batched together rather than sent individually. This may seem antithetical to the advice to keep network payload small, but pushing on a record by record basis will entail a heavy price in communication overhead involving multiple server requests and round trips. The real saving is in reducing these round trips.
- Leverage HughesNet Performance Enhancing Protocol (PEP) and TurboPage - Hughes' comprehensive package of acceleration and compression technologies is embedded in every HN router. The result is dramatically improved throughput and response time through mitigation of satellite delay, meaning Hughes customers experience wire-line or better performance of broadband IP applications. HughesNet routers utilize Hughes' patented Performance Enhancing Proxy (PEP) to optimize the performance of many widely used Internet protocols.

Citrix XenApp Recommendations

The SpeedScreen Latency Reduction and Citrix Policy features of Citrix XenApp provide an effective way to deliver applications over high-latency HughesNet Managed Services networks. Citrix Consulting Services and the Hughes Network Systems Customer Solutions & Applications Research team designed a testing environment to develop best practices and recommendations for when Citrix XenApp is leveraged on HughesNet Managed Networks. The following diagram depicts the testing environment used for this engagement:


Figure 2 Lab Environment Layout

Citrix XenApp was tested to evaluate the delivery of bandwidth-demanding applications over high-latency connections for several different application types, including productivity, client/server, and browser-based applications. EdgeSight for Load Testing was scripted with Microsoft Office (Productivity), Internet Explorer (Browser), and Hyperion (Enterprise Client/Server) applications to ensure a consistent experience when using a LAN-based connection versus a satellite-based link. Visual observations of end-user experience and performance metrics from EdgeSight for Load Testing were gathered from both types of network connections and analyzed. Results from integration testing show that Citrix policies optimized for satellite communications in conjunction with the SpeedScreen Latency Reduction features of XenApp provided the best end user experience for HughesNet Managed Network subscribers. Other features, such as the Citrix Access Gateway, were also tested to measure their effectiveness when used with XenApp server.

Testing Strategy: Basic Citrix Configuration
Configuration: Citrix Configuration: Bitmap caching enabled. SpeedScreen, Native Compression and Citrix Policies disabled. Hughes Configuration: No PEP.
Performance: Users experienced connection difficulties, random session interruptions, intermittent screen freezing, and frequent pauses (5-7 seconds) during typing and for all applications.

Testing Strategy: Basic Citrix Configuration with HughesNet PEP
Configuration: Citrix Configuration: Bitmap caching enabled. SpeedScreen, Native Compression and Citrix Policies disabled. Hughes Configuration: PEP enabled.
Performance: Users were able to maintain connections to the Citrix XenApp server. Microsoft Office, Internet Explorer and Hyperion applications accessing data through XenApp improved. Experienced frequent screen freezing and pauses in typing, but applications were functional. Average 2 to 4 second delay in typing characters in all applications.

Testing Strategy: Citrix Enhancements & PEP
Configuration: Citrix Configuration: Bitmap caching enabled. SpeedScreen, Native Compression and Citrix WAN Policy enabled. Hughes Configuration: PEP enabled.
Performance: Reliable connections maintained to XenApp servers. Microsoft Office, Internet Explorer and Hyperion applications end-user experience significantly improved. Typing pauses and delays minimized (<1 second), data retrieval (small queries) using Hyperion through XenApp at 1-2 seconds with SpeedScreen and Citrix WAN Policies enabled.

The following provides an overview of the results and related recommendations:

- Access Gateway (Secure Gateway Mode/Secure Access Client) - For configurations that require SSL VPN Access or utilize the Secure-Gateway functionality of Access Gateway, there was no significant loss in performance or functionality when used in conjunction with XenApp published applications using default configurations. Network administrators and engineers should design an appropriate access strategy in accordance with their company's security policies.
- XenApp WAN Policies - During the testing, the default WAN Citrix policy for satellite communications was configured and enforced. This policy will ensure applications delivered by XenApp servers are optimized. In addition, administrators should disable any ICA virtual channels that are not required (e.g. audio, client drive mappings, etc.) or limit any virtual channel functionality (e.g. default printers, printing bandwidth, etc.). Managing the ICA virtual channels will minimize any unnecessary communications overhead between the XenApp server and client. Configuration instructions for implementing Citrix policies can be found in Appendix B of this document.
- SpeedScreen Latency Reduction - Network latency and bandwidth availability can impact the performance of connections to published applications and content. SpeedScreen technology allows administrators to configure several features to improve connection speed and responsiveness. SpeedScreen Latency Reduction Manager helps reduce a user's perception of latency with mouse click feedback and local text echo. Enabling mouse and local text echoing on several applications improved the end user experience with applications delivered by XenApp. Server-side and client-side instructions for configuring SpeedScreen Latency Reduction can be found in Appendices C and D of this document.
- Session Reliability/ICA Keep-Alive - Session reliability allows a client to reconnect and avoid inconvenience to a user during a short network interruption. Instead of removing all unresponsive applications and desktops from the client workbench, they are kept open until the connection is re-established. ICA Keep-Alive enables a server to detect broken sessions. If the server loses connectivity to the client, the connection is placed into a disconnected state, allowing a user to reconnect to a dropped session. These settings can be implemented at the farm-wide/server-default level or at an individual server level.


Figure 3 Farm-Wide Session Reliability Settings

Figure 4 Server-Default ICA Keep-Alive Settings

For this testing scenario, setting the ICA keep-alive (utilizing TCP port 1494) or Session Reliability (utilizing TCP port 2598) values to 180 seconds allowed sufficient time for reconnection in the event a session became interrupted. Before implementing either option, administrators should consider the benefits of either session reliability or ICA Keep-Alive specific to their environment and determine whether these settings should be applied to farm-wide/server defaults or to specific servers. All settings should be well-tested before implementing them in a production environment. Refer to the Citrix XenApp Server Administrator's Guide for information on Session Reliability and ICA Keep-Alive features.


Appendix A Lab Environment Detailed Diagram


Appendix B Citrix WAN Policy Configuration Instructions


1. Create a new policy in the Presentation Server Console by right-clicking on Policies and choosing Create Policy. Type in the name of the policy and a description, and check the box next to "Optimize initial policy settings for a connection type". In the connection type box, choose Satellite. Then, click OK.

2. Next, click Policies on the left side of the Presentation Server Console. You will see the policies in your farm on the right side of the screen. Right-click on the policy and choose Properties. In the window, you will see the default settings for Satellite communications. Adjust any settings (disabling unused virtual channels, audio optimizations, printing optimizations, etc.) to minimize bandwidth usage by unused features. Click OK to save your settings.

3. To apply these settings, right-click on the policy in the Presentation Server Console and choose "Apply this policy to". Check the box at the top to enable the type of association, select any additional parameters (servers, users, IP addresses, etc.) and click OK to apply your settings.

Citrix WAN Policy Settings

Policy Group\Policy: Setting

Bandwidth\Visual Effects
    Turn Off Desktop Wallpaper: Not Configured
    Turn Off Menu Animations: Enabled
    Turn Off Window Content While Dragging: Enabled
Bandwidth\SpeedScreen
    Image acceleration using lossy compression: Not Configured
Bandwidth\Session Limits
    Audio: Not Configured; configure if channel is used.
    Clipboard: Not Configured; configure if channel is used.
    COM Ports: Not Configured; configure if channel is used.
    Drives: Not Configured; configure if channel is used.
    LPT Ports: Not Configured; configure if channel is used.
    OEM Virtual Channels: Not Configured; configure if channel is used.
    Overall Session: Not Configured; configure if channel is used.
    Printer: Not Configured; configure if channel is used.
    TWAIN Redirection: Not Configured; configure if channel is used.
Client Devices\Resources\Audio
    Microphone: Enabled
    Sound Quality: Low
    Turn Off Speakers: Enabled
Client Devices\Resources\Drives
    Connection: Not Configured; disable drive mappings if not used.
    Mapping: Not Configured; disable drive mappings if not used.
Client Devices\Resources\Drives\Optimize
    Asynchronous Writes: Not Configured
Client Devices\Resources\Ports
    Turn Off COM Ports: Not Configured; disable if channel is not used.
    Turn Off LPT Ports: Not Configured; disable if channel is not used.
Client Devices\Resources\PDA Devices
    Turn On Automatic Virtual COM Port Mapping: Not Configured
Client Devices\Resources\Other
    Configure TWAIN Redirection
    Turn Off Clipboard Mapping
    Turn Off OEM Virtual Channels
Client Devices\Maintenance
    Turn Off Auto Client Update
Printing
    Session Printers
Printing\Client Printers
    Auto-Creation
    Legacy Client Printers
    Printer Properties Retention
    Print Job Routing
    Turn Off Client Printer Mapping
Printing\Drivers
    Native Printer Driver Auto-Install
Setting: Not Configured. Not Configured. Enabled, Client Default Only. Not Configured. Enabled, Retained in User Profile. Enabled, Always connect indirectly. Not Configured. Not Configured. Enabled, default values. Not Configured disable if channel is not used. Not Configured disable if channel is not used.
Printing\Drivers
    Universal Driver: Not Configured
User Workspace\Connections
    Limit Total Concurrent Sessions: Not Configured
    Zone Preference and Failover: Not Configured
User Workspace\Content Redirection
    Server to Client: Not Configured
User Workspace\Shadowing
    Configuration: Not Configured
    Permissions: Not Configured
User Workspace\Time Zones
    Do Not Estimate Local Time for Legacy Clients: Not Configured
    Do Not Use Clients' Local Time: Not Configured
User Workspace\Citrix Password Manager
    Central Credential Store: Not Configured
    Do Not Use MetaFrame Password Manager: Not Configured
User Workspace\Streamed Applications
    Configure Delivery Protocol: Not Configured
Security\Encryption
    SecureICA Encryption: Not Configured

Appendix C SpeedScreen Configuration Instructions


To configure SpeedScreen Latency Reduction for a XenApp Server:
1. Launch the SpeedScreen Latency Reduction Manager from the ICA toolbar. Click on New to launch the SLR wizard to add an application/process.

2. The wizard will launch; click Next.

3. Browse to the process/executable that you wish to enable for SpeedScreen. Alternatively, you can use the pointer to select the application window if it is already open. When completed, click Next.

4. Choose the local text echo, and click Next.

5. Select whether this will be applied to ALL installations or selected installations of the application, then click Next. Click Finish.

6. Click Apply/OK to save/exit the SpeedScreen Latency Reduction Manager.

To configure SpeedScreen Latency Reduction for an ICA Client connection (Program Neighborhood Client):
1. In the Program Neighborhood window, select the custom ICA connection or Application Set to configure.
2. In the Program Neighborhood toolbar, click the Properties icon.
3. Click the Options tab in the dialog box to display the Options page.
4. In the SpeedScreen Latency Reduction section, set the mode to On to decrease the delay between user input and screen display.
5. Turn on both local text echo and mouse click feedback.

To ensure SpeedScreen Latency Reduction is enabled, the following Web Interface (version 4.x) settings are required for the Citrix Web Client and Program Neighborhood Agent:
1. Edit the default.ica file located in \Inetpub\wwwroot\Citrix\Web Site Name\conf for a Web Interface site, or in \Inetpub\wwwroot\Citrix\PNAgent\conf for Program Neighborhood Agent sites (NOTE: These paths reflect a default installation of Web Interface).

2. In the [Application] section, add:

   ZLKeyboardMode=1
   ZLMouseMode=1

Appendix D Sample DEFAULT.ICA FILE with SpeedScreen Settings


;
; ICA Override File
;
; Add ICA file settings that you want to be sent to client devices
; to this file. Settings contained in this file override any
; settings generated by Web Interface. This file is only used when
; no bandwidth profile is selected. When a bandwidth profile is
; selected bandwidth_xxx.ica is used.
;
; NOTE: The format of this file has been changed from previous
; versions of Web Interface. For backwards compatibility, you may
; continue to use legacy files. All lines containing a tag of
; the form [NFuse_XXX] will be ignored.
;

[WFClient]
Version=2
RemoveICAFile=yes
ProxyTimeout=30000
ProxyFavorIEConnectionSetting=Yes
ProxyUseFQDN=Off

[ApplicationServers]
Application=

[Application]
Launcher=WI
TransportDriver=TCP/IP
DoNotUseDefaultCSL=On
BrowserProtocol=HTTPonTCP
LocHttpBrowserAddress=!
WinStationDriver=ICA 3.0
ProxyTimeout=30000
AutologonAllowed=ON
ZLKeyboardMode=1
ZLMouseMode=1

[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll

[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll

[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll

[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll
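A check for the default.ica edit described in Appendix C and shown in the sample file above, as an added example that is not part of the original document or of any Citrix tool: it parses a default.ica and reports when ZLKeyboardMode=1 or ZLMouseMode=1 is missing from [Application], sits under another section, is duplicated, or has a different value. The function names, the constructed samples and the case-insensitive matching of section and key names are assumptions of this example.

```python
"""Audit a Web Interface default.ica for the SpeedScreen keys from Appendix C."""
import sys

# Keys and values the document says to add to the [Application] section.
REQUIRED = {"ZLKeyboardMode": "1", "ZLMouseMode": "1"}
TARGET = "Application"


def parse_ica(text):
    """Return [(section, key, value, line_no)] from INI-style ICA text.

    Lines starting with ';' are comments; keys that appear before any
    [section] header are recorded with section None.
    """
    entries, section = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip(), line_no))
    return entries


def audit_speedscreen(text):
    """Return findings as strings; an empty list means the file complies."""
    findings = []
    entries = parse_ica(text)
    for key, want in REQUIRED.items():
        # Assumption: section and key names are compared case-insensitively.
        hits = [e for e in entries if e[1].lower() == key.lower()]
        in_target = [e for e in hits if (e[0] or "").lower() == TARGET.lower()]
        for section, _, _, line_no in hits:
            if (section or "").lower() != TARGET.lower():
                where = f"[{section}]" if section else "no section"
                findings.append(f"{key} on line {line_no} is in {where}, not [{TARGET}]")
        if not in_target:
            findings.append(f"{key} missing from [{TARGET}]")
        elif len(in_target) > 1:
            findings.append(f"{key} appears {len(in_target)} times in [{TARGET}]")
        for _, _, value, line_no in in_target:
            if value != want:
                findings.append(f"{key}={value} on line {line_no}, expected {key}={want}")
    return findings


# Constructed sample: both keys present in [Application], as in Appendix D.
GOOD_SAMPLE = """; constructed sample
[WFClient]
Version=2

[Application]
Launcher=WI
ZLKeyboardMode=1
ZLMouseMode=1
"""

# Constructed sample: one key pasted under the wrong section, one with
# a different value.
BAD_SAMPLE = """; constructed sample
[WFClient]
Version=2
ZLKeyboardMode=1

[Application]
Launcher=WI
ZLMouseMode=0
"""

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the bad sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = BAD_SAMPLE
    problems = audit_speedscreen(text)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run it with the path to a site's default.ica as the only argument; a non-zero exit status means at least one finding was printed.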


Notice The information in this publication is subject to change without notice. THIS PUBLICATION IS PROVIDED AS IS WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. CITRIX SYSTEMS, INC. (CITRIX), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE. This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix. The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Copyright 2008 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 333092009 U.S.A. All rights reserved.

Version History
Author            Version   Change Log                        Date
Justin Venezia    0.1       First Draft                       4/10/2008
Justin Venezia    0.2       Revisions based on Hughes QA      4/22/2008
Justin Venezia    0.3       Citrix Consulting Solutions QA    6/19/2008
Justin Venezia    0.5       Citrix Product Mgmt QA            6/27/2008
Justin Venezia    1.0       Final Document                    6/30/2008
Ricardo Belmar    1.1       Final Hughes QA                   8/08/2008

851 West Cypress Creek Road

Fort Lauderdale, FL 33309

954-267-3000

http://www.citrix.com

Copyright 2008 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, Citrix ICA, Citrix MetaFrame, and other Citrix product names are trademarks of Citrix Systems, Inc. All other product names, company names, marks, logos, and symbols are trademarks of their respective owners.
