Surround the user with a number

Remote work will stay with us for a long time, well beyond the current pandemic. Of the 74 companies surveyed by Gartner, 317% will continue to work remotely. IT tools for organizing it will be in active demand. This article is an overview of Citrix Workspace Environment Manager, an essential element for creating a digital workspace. We will look at the architecture and the main features of the product.

Solution architecture

Citrix WEM has a classic client-server solution architecture.

WEM agent – the client part of the Citrix WEM software. Installed on workstations (virtual or physical, single-user (VDI) or multi-user (terminal servers)) to manage the user environment.

WEM Infrastructure services – server part that provides maintenance of WEM agents.

MS SQL Server – DBMS server required to maintain the WEM database, where the Citrix WEM configuration information is stored.

WEM administration console – WEM environment management console.

Let's make a small correction to the description of the WEM Infrastructure services component on the Citrix website (see screenshot):

The site erroneously states that WEM Infrastructure services is installed on the terminal server. This is wrong. The WEM agent is installed on terminal servers to manage the user environment. Also, it is not possible to install the WEM agent and the WEM server on the same server. The WEM server does not require the Terminal Services role. This component is part of the infrastructure and, like any service, is best placed on a separate dedicated server. One WEM server with 4 vCPUs and 8 GB of RAM can serve up to 3000 users. To ensure fault tolerance, it is worth installing at least two WEM servers in the environment.

Main Features

One of the tasks of IT administrators is the organization of the workspace of users. Work tools used by employees should be at hand and configured as needed. Administrators need to provide access to applications (place shortcuts on the desktop and the Start menu, set up file associations), provide access to information resources (connect network drives), connect network printers, be able to centrally store user documents, allow users to configure their environment and, most importantly, to ensure a comfortable user experience. On the other hand, administrators are responsible for data security depending on certain conditions in which the user works and the conditions for compliance with the software license policy. Citrix WEM is designed to solve these problems.

So, the main features of Citrix WEM:

  • user environment management
  • management of consumption of computing resources
  • restriction of access to applications
  • physical workstation management

User Workspace Management

What options does Citrix WEM offer for setting up user desktops? The figure below shows the Citrix Workspace Environment Manager management console. The Action section lists the actions an administrator can use to set up the work environment: create application shortcuts on the desktop and in the Start menu (including for published applications through integration with Citrix Storefront, with the option to assign hot keys for quick application launch and coordinates to place shortcuts at a specific location on the screen), connect network printers and network drives, create virtual drives, manage registry keys, create environment variables, configure mapping of COM and LPT ports in the session, modify INI files, run scripts (during LogOn, LogOff and Reconnect operations), manage files and folders (create, copy, delete), create a User DSN to set up a connection to a database on the SQL server, and set up file associations.

For ease of administration, the created "actions" can be combined into Action Groups.

To apply the created actions, they must be assigned to a security group or domain user account on the Assignments tab. The figure below shows the Assignments section and the process for assigning the created "actions". You can assign an Action Group with all the "actions" included in it, or add the required set of "actions" individually by dragging them from the left Available column to the right Assigned column.

When assigning "actions", you need to select a filter; the system evaluates it to decide whether the assigned "actions" should be applied. By default, one Always True filter is created in the system. When it is used, all assigned "actions" are always applied. For more flexible management, administrators create their own filters in the Filters section. A filter consists of two parts: Conditions and Rules. The figure shows two windows: on the left, the creation of a condition, and on the right, a rule containing the selected conditions for applying the desired "action".

A fairly large number of "conditions" are available in the console; the figure shows only some of them. In addition to checking membership in an Active Directory site or group, there are conditions for checking individual AD attributes, PC names or IP addresses, the OS version, the date and time, the type of published resources, etc.

Besides the Actions used to manage user desktop settings, there is another large section in the Citrix WEM console. This section is called Policies and Profiles. It provides additional settings. The section consists of three subsections: Environmental Settings, Microsoft USV Settings, and Citrix Profile Management Settings.

Environmental Settings includes a large number of settings, thematically grouped under several tabs. Their names speak for themselves. Let's see what options are available to administrators to create a user environment.

Start Menu tab:

Desktop tab:

Windows Explorer tab:

Control Panel tab:

SBC/HVD Tuning tab:

We will skip the settings from the Microsoft USV Settings section. In this block, you can configure the regular Microsoft components - Folder Redirection and Roaming Profiles in the same way as the settings in group policies.

The last subsection is Citrix Profile Management Settings. It is responsible for configuring Citrix UPM, which is designed to manage user profiles. There are more settings in this section than in the previous two combined. The settings are grouped into sections, organized as tabs, and correspond to the Citrix UPM settings in the Citrix Studio console. Below is an image of the Main Citrix Profile Management Settings tab, with a list of the available tabs added for a general overview.

Centralized management of the user's working environment settings is not the main thing that WEM offers. Much of the functionality listed above can be accomplished using standard group policies. The advantage of WEM is how these settings are applied. Standard policies are applied sequentially, one after another, while the user connects. Only after all the policies have been applied does the logon process complete and the desktop become available to the user. The more settings are enabled through group policies, the longer it takes to apply them. This seriously lengthens the login time. Unlike group policies, the WEM agent reorders processing and applies settings across multiple threads in parallel and asynchronously. User login time is significantly reduced.

The advantage of applying settings through Citrix WEM over group policies is demonstrated in the video.

Managing the consumption of computing resources

Let's consider another aspect of using Citrix WEM, namely the possibility of optimizing the system in terms of managing resource consumption (Resource Management). The settings are located in the System Optimization section and are divided into several blocks:

  • CPU Management
  • Memory Management
  • IO management
  • Fast logoff
  • Citrix Optimizer

CPU management contains options for managing CPU resources: limiting resource consumption in general, handling surges in CPU consumption, and prioritizing resources at the application level. The main settings are located on the CPU Manager Settings tab and are shown in the figure below.

In general, the purpose of the parameters is clear from their names. An interesting feature is the ability to manage processor resources that Citrix calls "smart" optimization: CPU/Intelligent CPU optimization. Behind the grand name is simple but quite effective functionality. When an application starts, its process is assigned the highest CPU priority. This ensures a quick launch of the application and, in general, makes working with the system more comfortable. All the "magic" is in the video.


There are few settings in the Memory Management and IO Management sections, and their essence is extremely simple: managing memory and disk I/O. Memory management is enabled by default and applies to all processes. When an application starts, its processes reserve some RAM for their work. As a rule, this reserve is larger than what is needed at the moment: it is created "for growth" to keep the application running fast. Memory optimization consists of freeing memory from processes that have been in an inactive state (Idle State) for a set time. This is achieved by moving unused memory pages to the paging file. Disk activity optimization is achieved by prioritizing applications. The figure below shows the options available for use.

Consider the Fast Logoff section. During normal session termination, the user sees applications being closed, the profile being copied, etc. With the Fast Logoff option, the WEM agent watches for the session log-off call (Log Off) and disconnects the user session, putting it in the Disconnect state. For the user, ending the session is instantaneous, while the system completes all the usual work processes in the background. The Fast Logoff option is enabled with a single checkbox, but exceptions can be assigned.

And finally, the Citrix Optimizer section. Citrix administrators are well aware of the golden image optimization tool, Citrix Optimizer. This tool is integrated into Citrix WEM 2003. The figure below shows a list of available templates.

Administrators can edit current templates, create new ones, view the parameters set in templates. The settings window is shown below.

Restrict access to applications

Citrix WEM can be used to restrict application installation, script execution and DLL loading. These settings are collected in the Security section. The figure below lists the rules that the system suggests creating by default for each of the subsections; by default everything is allowed. Administrators can override these settings or create new ones. For each rule, one of two actions is available: Allow/Deny. The number in brackets next to the name of a subsection is the number of rules created in it. The Application Security section does not have its own settings; it displays all the rules from its subsections. In addition to creating rules, administrators can import existing AppLocker rules, if they are used in the organization, and centrally manage environment settings from a single console.

In the Process management section, you can create black and white lists to limit the launch of applications by the names of executable files.
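Before importing existing AppLocker rules as described above, it helps to know how many Allow and Deny rules each collection holds and which rules still allow everything. The Python sketch below is an added example, not code from the article or from Citrix; it assumes the rules are available as an AppLocker XML export, and the sample policy, its rule names and the `review_policy` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVERYONE_SID = "S-1-1-0"  # well-known SID of the Everyone group

# Constructed sample in the AppLocker XML export format (not from the article).
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="All files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions></FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions></FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Block temp"
        Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Temp\*" /></Conditions></FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000004" Name="All scripts"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions></FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""

RULE_TAGS = ("FilePathRule", "FilePublisherRule", "FileHashRule")

def review_policy(xml_text):
    """Count rules per (collection, action) and list allow-everything rules."""
    root = ET.fromstring(xml_text)
    counts, allow_all = Counter(), []
    for coll in root.findall("RuleCollection"):
        ctype = coll.get("Type")
        for rule in (r for r in coll if r.tag in RULE_TAGS):
            counts[(ctype, rule.get("Action"))] += 1
            paths = [c.get("Path") for c in rule.iter("FilePathCondition")]
            # Path "*" for Everyone means the collection restricts nothing yet.
            if (rule.get("Action") == "Allow" and "*" in paths
                    and rule.get("UserOrGroupSid") == EVERYONE_SID):
                allow_all.append((ctype, rule.get("Name"), coll.get("EnforcementMode")))
    return counts, allow_all

if __name__ == "__main__":
    counts, allow_all = review_policy(SAMPLE_POLICY)
    for (ctype, action), n in sorted(counts.items()):
        print(f"{ctype:8} {action:6} {n}")
    for ctype, name, mode in allow_all:
        print(f"allow-everything rule in {ctype} ({mode}): {name}")
```

Rules reported as allow-everything are the ones to replace with specific Allow or Deny rules once the policy is managed centrally.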

Managing physical workstations

So far we have looked at the settings for managing resources and creating a user working environment from the point of view of VDI and terminal servers. What does Citrix offer for managing the physical workstations that users connect from? The WEM features discussed above can be applied to physical workstations. In addition, the tool allows you to "turn" a PC into a "thin client". This transformation blocks users from accessing the desktop and from using the built-in features of Windows in general. Instead of the desktop, the WEM agent graphical shell is launched (the same WEM agent as on VDI/RDSH), and its interface displays Citrix published resources. Citrix has Citrix DesktopLock software, which also allows you to transform a PC into a "thin client", but the capabilities of Citrix WEM are wider. Below are images of the main settings that you can use to manage physical computers.

Below is a screenshot of what the workplace looks like after transforming it into a "thin client". The "Options" drop-down menu lists items that the user can use to customize the environment to their liking. Some or all of them can be removed from the interface.

Administrators can centrally add links to the company's web resources to the "Sites" section, and add the applications installed on physical PCs that users need for their work to the "Tools" section. For example, it is useful to add a link to the user support portal in Sites, where an employee can create a ticket if there are problems connecting to VDI.

Such a solution cannot be called a full-fledged "thin client": its capabilities are limited compared to commercial versions of similar solutions. But it is enough to simplify and unify the system interface, limit user access to PC system settings and use an aging PC fleet as a temporary alternative to specialized solutions.

***

So, we summarize the review of Citrix WEM. The product "can":

  • manage user working environment settings
  • manage resources: processor, memory, disk
  • provide fast login/logout (LogOn/LogOff) and application launch
  • restrict app usage
  • transform PC into "thin clients"

Of course, one can be skeptical about the demos using WEM. In our experience, most companies that do not use WEM have an average login time of 50-60 seconds, which is not much different from the time in the video. With WEM, the login time can be significantly reduced. Also, using simple rules for managing company resources, you can increase the density of users per server or provide a better system experience for current users.

Citrix WEM fits well with the concept of a "digital workspace". It is available to all users of Citrix Virtual Apps And Desktop starting with the Advanced edition, provided they have ongoing Customer Success Services support.

Author: Valery Novikov, Lead Design Engineer of Jet Infosystems Computing Systems

Source: habr.com