Citrix XenClient from the System Administrator's Side
In the previous article devoted to Citrix XenClient, I showed the possibilities of this solution from the user's point of view. Let me remind you that XenClient is a type-1 hypervisor that is installed on bare metal and allows you to work with two or more operating systems on one computer simultaneously. The advantage of XenClient over conventional (let's call them user-level) virtual machines is that all operating systems have equal access to hardware resources and are completely isolated from each other. Accordingly, this lets you work in the "home" and "corporate" environments at the same time. If you have one laptop for everything, it is very convenient: the work operating system is fully protected and constantly synchronized with the server, while the personal environment does not suffer from restrictions imposed by the security policy.
In this article, I will describe in more detail how to work with XenClient from the point of view of a system administrator. I will show how you can configure users' machines in a couple of minutes, how data is backed up and what happens if a negligent employee forgot his laptop in a taxi.
What's new?
Last time I worked with XenClient on a ThinkPad X201 laptop, which fully complies with the technical requirements of this product. This time, for the tests we used a ThinkPad T410s with NVIDIA Optimus graphics, which allows switching between a discrete NVIDIA graphics card and the integrated Intel GMA HD graphics. XenClient does not yet support NVIDIA video cards, but such support will surely appear over time, so it makes sense to choose a configuration like this, as they say, for growth. In the meantime, I wanted to find out whether the current version of the hypervisor works properly when the integrated graphics are used. There were no problems here: in the corresponding BIOS section, the laptop was configured to use only the Intel graphics.
In addition, at the very beginning of the year, XenClient itself was updated: version 1.0 Service Pack 1 was released, which can be downloaded from this link. One of the noticeable changes in the new version is the ability to remotely administer a computer via SSH. In addition, the problems with high-definition video playback when using a graphics accelerator, which I encountered in preparing the previous material, disappeared.
On the administrator side
So, today we are testing the operation of a virtual operating system under XenClient in a corporate environment. In this scenario, the operating system is not installed on the XenClient computer from an installation image. Instead, a ready-made container with the virtual OS is downloaded from the server. Computers with XenClient installed are managed with the Citrix Synchronizer program, which can also be downloaded from the company's website.
The configuration and management of employee computers is done through the Synchronizer web interface, which looks like this:
The main window of the system displays available images of virtual OSs, but there is also the opportunity to view a list of users registered in the system and a list of equipment used:
Next to each device there is a Mark As Lost button; once it is clicked, the system image on the laptop is automatically deleted the next time the laptop connects to the Internet. It works as follows: for each virtual system, a certain frequency of legitimacy checks is set. To keep access to the OS, the user must connect to the Internet and enter the login and password for Citrix Synchronizer. If the user does not do this, access to the corporate OS is automatically blocked. If the administrator has marked the computer as lost in Synchronizer, the data on it is automatically deleted, even if the correct password for accessing the system is entered on the computer. At the same time, between these "reports" to the server, the user can work with the corporate OS without problems, even without connecting to the Internet.
Let's move on to the settings of the virtual system image. The Phone Home Frequency field controls how often a report on the use of the virtual OS is sent, and the Lease Time parameter sets the maximum time the system may run without connecting to the Internet. Here you can also set the frequency of automatic backups uploaded to the server, and allow or forbid the user to start a backup manually.
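To make the interplay of Lease Time, Phone Home Frequency and Mark As Lost concrete, here is a small model of that policy written for this article; it is not Citrix code, and the class names, fields and hour-based timings are assumptions chosen only to illustrate the decisions described above.

```python
"""Illustrative model of the XenClient lease / phone-home / Mark-As-Lost policy.
Constructed example, not Citrix code: names, fields and timings are assumptions."""
from dataclasses import dataclass
from enum import Enum
import secrets


class Action(Enum):
    RUN = "run"          # VM may start; offline use is still within the lease
    BLOCKED = "blocked"  # lease expired (or bad credentials) with no fresh check-in
    WIPED = "wiped"      # server reported the device as lost; image deleted


@dataclass
class ServerRecord:          # what Synchronizer knows about one device
    password: str
    marked_lost: bool = False


@dataclass
class ClientState:           # what the laptop stores locally
    lease_hours: int         # Lease Time: max uptime without a check-in
    phone_home_hours: int    # Phone Home Frequency: how often to report in
    last_checkin: float      # hours on a constructed clock
    image_present: bool = True


def try_start(client: ClientState, now_h: float) -> Action:
    """Offline decision: the VM runs only while the lease has not expired."""
    if not client.image_present:
        return Action.WIPED
    if now_h - client.last_checkin > client.lease_hours:
        return Action.BLOCKED
    return Action.RUN


def due_for_check_in(client: ClientState, now_h: float) -> bool:
    """True once the Phone Home interval has elapsed since the last report."""
    return now_h - client.last_checkin >= client.phone_home_hours


def check_in(client: ClientState, server: ServerRecord,
             password: str, now_h: float) -> Action:
    """Online check-in. A lost flag wipes even when the password is correct."""
    if server.marked_lost:
        client.image_present = False     # Mark As Lost wins over credentials
        return Action.WIPED
    if not secrets.compare_digest(password, server.password):
        return Action.BLOCKED
    client.last_checkin = now_h          # successful report renews the lease
    return Action.RUN
```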
Part of the virtual OS settings in Synchronizer is standard: the administrator can set the number of processor cores used and the amount of memory. Much attention is paid to security. The screenshot above shows the permission settings for connecting external devices in the virtual OS: if necessary, the administrator can prohibit working with external drives in order to avoid data leakage. By the way, the container with the virtual OS is stored on the user computer in encrypted form. Network access is configured in the same way: you can, for example, allow access to a wired network, but deny a connection via WiFi. In this case, additional security can be provided by the security policy settings in Windows itself.
And a few more security settings: you can allow the user access to the optical drive of the laptop, but only for reading. The strict data protection principles in some companies force notebook manufacturers to block the recording function of optical drives at the hardware level. This is, in a sense, a less costly way to do the same.
On the user side
Let's move on to setting up a user's laptop. I described the XenClient installation in the previous article; it takes just a few minutes and requires little involvement from the user. If your computer meets the technical requirements (Intel processor and graphics, at least two gigabytes of RAM, support for the VT-x and VT-d virtualization technologies), there should be no problems. During installation, or after the first start of XenClient, you need to enter the address of the Synchronizer server and your username and password.
Then everything is simple: in the standard menu for adding a virtual machine, we select not "Install from Disk" (this is how the personal OS was installed) but Download from Synchronizer.
XenClient will contact the server and offer to download one of the virtual machines to choose from (there may be several). In my case, a container with virtual Windows 7 takes about 12 gigabytes, and it took quite a while to load it through the Internet. But for the local network of the enterprise, where the initial configuration is performed, this should not be a problem.
After loading, the virtual OS is immediately available for use, with all the programs and settings provided by the system administrator. True, in our case, the set of XenClient utilities for the virtual OS turned out to be outdated. This is not a problem: XenClient automatically connected a virtual drive to the system with the latest version of a set of utilities and drivers. Theoretically, the system can work without this set (in particular, I had Ubuntu Linux installed and working fine), but some functions may not be available.
By clicking the small icon with the letter i in the description of the virtual machine, you can view information about the last backup and the time of the last connection to the Synchronizer server. Here you can start the backup process of the virtual machine manually. It is not necessary to upload the entire image of the system back to the server: the size of the incremental backup in my case turned out to be about 4 gigabytes - a third of the total size.
You can pause the backup download at any time and restart it. At this time, you can use the virtual machine without any restrictions. If you lost your laptop, or it broke down and was sent to the service, just install XenClient on a new machine, enter the username and password for Synchronizer, and when adding a new virtual OS, select "Restore from Backup". After some time, you will get a working OS with all your data since the last backup.
When working with XenClient in a corporate environment, I covered only the most basic features. If necessary, the Citrix hypervisor also supports more complex setups, in particular on-demand application delivery using the XenApp solution, as well as launching applications from the corporate environment inside the user OS while preserving all security settings. As you can see, XenClient is flexible enough in its configuration to be convenient for both the system administrator and the user. And all this comes with a minimal (a few percent) loss of performance in the virtual OS compared to a similar "bare-metal" system, and with the hypervisor fully transparent to external devices.