Déjà Vu and a journey into the past
About six years ago to the day, I was performing the 20th Infrastructure Assessment (IA) project of my career for a client. When I started writing the final deliverable, I experienced some serious déjà vu. Honestly, it felt as if I had written about the same risks at least 20 times over!
This got me thinking: had our consulting team ever documented the common risks we find? After some digging, I pulled up an old white paper on one of our Sydney file shares, written at Citrix by Hector Lima and Scott Thompson in 01. Both of them run our Consulting & Education and Support organizations, respectively! Their document was a little old and outdated, so I decided to "update" it by completely rewriting its contents. I documented the "Top 10 items found by Citrix Consulting on assessments" and published this as a white paper back in 08.
Earlier this year, my colleague Andy Baker updated the same document again. The results (again with a virtualization focus) will be posted here.
Now that Citrix has spread its wings in the mobility space, I thought it was time to tackle a "XenMobile edition." To provide a little context, our Americas Consulting team has now performed about 70 XME / mobility engagements in the last 2 years. I oversee most of the mobility projects across the GEO and almost all of the large or complex engagements we do. So I dug up all the XM IAs we have done so far and put together the following list of the 10 most common risks or items that we constantly see customers design or configure incorrectly as it relates to XenMobile.
The XenMobile Top 10
10. AppC service account permissions
Almost no one gets this right! This is probably because we officially released something on this subject only a few months ago. This article describes the permissions required by the AppC service account that we use for things like "delta sync" with AD.
9. Apple "Stuff"
You'd be surprised how often we run into problems in matters related to Apple / Mac. I cannot think of a single XM engagement where we showed up and the customer said: "I have read all the pre-reqs you sent me." Few have completed each of them. Few can say: "Here is the Mac laptop with the latest MDX Toolkit we will use for packaging." Or: "We already have an Apple Developer License, and I tracked down the corporate account we can use." Few have started the APNS cert process. Honestly, if someone relayed these statements to me when we started a project, I would not believe it.
Many of our customers are new to mobility. They are not familiar with things like Apple licensing and APNS. We even go into IT departments that do not have a MacBook (or similar) on hand to package the apps. This leads to delays and a possible trip to BestBuy (laugh if you need to; this has actually happened). So it is important to check the latest XM pre-reqs (published online) before you start. Have an OS X-capable machine available for app packaging. There are rumors of a web-based tool coming in the future (I can neither confirm nor deny). For now, the MDX Toolkit we use to wrap both iOS and Android apps requires OS X. Another big sticking point is that we have seen a number of administrators create certs / profiles with their own personal Apple credentials. This is probably not the best long-term strategy for a company. Once you start this way, it is difficult to go back. One last thing I will mention here: many customers are still unaware that we have a new portal for signing APNS CSRs. Ask your SE or open a support case for that!
8. LDAP High Availability.
AppC provides only a single field for specifying an LDAP server. We have found that most customers do not provide a corresponding "VIP" for their LDAP services and instead specify a single server, which creates a single point of failure. We recommend that you create a VIP for your LDAP infrastructure, if you have not already, and specify the VIP when configuring AppC.
7. "Other" Mail Options.
It's amazing how few customers know about our "other" mail options besides WorxMail. Obviously WorxMail is a key differentiator for us. It is the safest option, so we always try to lead with it. But this option may not be for everyone. We have found in some cases that XNC or XMM (our other e-mail options) work better for customers with specific use cases, especially if the customer is dead set on the native e-mail client experience or uses a cloud-based e-mail solution such as O365. Do not get me wrong - probably 0% of the time we end up deploying WorxMail. But it is not the only solution. Sometimes I see customers or partners try to "force" it when other options are available.
6. SSL offload.
There is still some debate about where to place XDM on the network (DMZ or internal) and whether to use SSL offload for this component. But even if you decide to place XDM in the DMZ rather than use SSL offload for this component, you should still use SSL offload for every other XME component! We find that once customers forgo SSL offload for XDM, they also do not want to configure it for AppC and ShareFile (which we do a large majority of the time for scalability).
5. AppC / XDM Integration
I do not think we've seen more than one or two clients get this right yet. Most customers point AppC to the load balancer used for XDM, which in most cases is in the DMZ, and this "hairpins" the traffic out to the DMZ or external network and back in. If it were up to us, we would have a separate pair of internal load balancers for AppC to use when connecting to XDM and other services, to prevent this hairpinning and optimize network traffic.
4. WorxMail with STA.
If I had written this article a year ago, I would have talked about how customers were still (erroneously) using MVPN in conjunction with WorxMail (as opposed to the STA method). But we have hyped this up pretty well (myself included). Most customers now use WorxMail with STA. And life is good. But what we do see over and over again is customers mistakenly thinking that AppController (which acts as the STA for XenMobile) can also be used for XenApp and XenDesktop. I repeat - AppC cannot be used as an STA for XA or XD. The AppC STA implementation is completely different, and you still have to point your XA and XD implementations to the XML brokers (more than one for HA!), where the STA is encapsulated in the XML service.
3. StoreFront Integration.
StoreFront is optional when deploying XenMobile (depending on what you need to aggregate, and where). But we often see customers scratching their heads after deciding to integrate StoreFront with their XenMobile deployment. They are confused about subscriptions and NS session profiles. The first thing to note: AppC and StoreFront have different subscription mechanisms and back-end storage (they are not one and the same, and the user experience might be inconsistent across different device platforms or Receiver versions). So a little user education can go a long way here. Lately I am also seeing questions about subscriptions where the customer still has several StoreFront stores or even separate server groups for internal and external users. Again, people ask why their app subscriptions do not migrate seamlessly between all of them. As my colleague Sarah Steinhoff pointed out in her fantastic StoreFront series, it is probably best to have a single store (or two stores within the same server group) for all users or for each user community. And yes, this is different from what we have done with WI for the past decade (where we almost always created separate sites for internal and external). We made this problem go away, sort of, in v2.6 (because you can now share subscriptions between a few stores). But this solution is not meant for a large number of stores, and it certainly is not subscription replication. The key is to remember to limit the number of StoreFront stores, and that AppC and StoreFront do not share any database. As for NS session profiles, customers almost always get at least one thing wrong when integrating AppC, StoreFront and NetScaler. Or customers blindly follow the article that describes how to do this configuration without understanding what they are doing and how it affects their users.
2. NetScaler firmware.
In my opinion, it is understandable why we see this so much. Most of our customers still use the MPX "flavor" of NetScaler and have been running a specific firmware version on the box for a year, or sometimes more. But if you are deploying XenMobile, you must choose from our list of XenMobile "certified" firmware versions. You will notice that some have a ".e" at the end. The "e" stands for enhanced, and it is a special version of the firmware that has XenMobile-specific features, such as the ShareFile wizard, proxy support, etc. Here is an example of the "build 0 e", as we call it, for NS 10.1. Don't need any of these features for your XenMobile deployment? That is still a risk, because you are only officially supported by Citrix if you run a build on the current list! Because we do all our XenMobile testing with these special versions, it is really in your best interest to adopt the enhanced version for your XM deployment. And you know what easily solves this problem? SDX. So, maybe it's time to upgrade. :)
1. Authentication strategy.
We come across this all the time. But I ranked it as "#1" because of its criticality. Far too often we see customers choose a basic authentication strategy (such as WorxPIN without certs or two-factor authentication) and roll out their first 100 or 1000 devices. Then they decide they want to enable cert-based auth or add two-factor authentication for added security. But they do not understand the impact of modifying their authentication strategy post-rollout. The ramification is what I want to emphasize: changes like these to the authentication strategy require reprofiling.
Yes, the dreaded "R" word! The one that nobody wants to talk about. The one I hope never comes up for you, since reprofiling could mean disaster for user acceptance. We really want to avoid it at all costs.
So it is absolutely important that you do a proper design and really think about your future-state authentication strategy, and that you try to implement it before you enroll the first device. You are much better off in the long term, and it will greatly increase your chances of widespread adoption. This is also a good reason to avoid migrating your XME POC environment into production, which is something else we have been seeing far too much of lately.
Special thanks to Ryan McClure and RaghuG for their contributions to this article. I hope you find it useful on your journey.
Nick Rintalan, Senior Architect, Americas Consulting, Citrix Consulting