September 2012
Citrix Mobile Office Solution: Competitive Analysis
Eric Yao
Agenda
- The Citrix mobile office platform: XenApp
- How Citrix mobile office relates to traditional VPN
- How Citrix XenApp relates to Microsoft RDS
- Application virtualization from domestic vendors, for example Sangfor (深信服)
- Comparison with developing applications directly on smartphones and tablets
What is XenApp?
XenApp: Citrix® XenApp™ is an on-demand application delivery solution. It allows any Windows application to be virtualized, centrally stored and managed in the data center, and then delivered on demand to users at any time, from anywhere, on any device. Put simply, the server provides the runtime environment for the application, and the various front-end devices only view its interface.
- All designated applications are concentrated in the data center
- Easy installation, management and support
- The applications and data that reach the endpoint are centrally managed from the outset
How XenApp works
(Diagram. Data center side: application server, applications, virtualized server environment, XenApp server, server-side components, web applications, custom applications. Client side: desktop / terminal.)
So what is virtualization, and what is cloud computing? We know that Google released the Chrome operating system in San Francisco on December 8, 2010. So what does Chrome look like? ......
Comparison with traditional technology
(Diagram of the two data flows.)
Traditional data interaction:
1. The user terminal sends a service request to the business system.
2. The business system returns business data to the user terminal.
Data interaction after application delivery virtualization:
1. The user terminal (thin client or PC) sends key signals and mouse positions to the application delivery platform.
2. The application delivery platform sends the service request to the business system.
3. The business system returns business data to the application delivery platform.
4. The application delivery platform sends remote screen images to the user terminal.
- More than 1,000 kinds of PCs and Macs
- More than 150 kinds of smartphones
- More than 40 kinds of tablets
- More than 10 thin-client vendors
- 2 billion devices
How Citrix mobile office relates to traditional VPN
The working principles are entirely different.
VPN approach: actual data has to be transferred between the client and the server, so the demand on network bandwidth is high, and once data has been downloaded to the local machine there is a serious risk of leakage.
Citrix mainly uses the SBC (Server-based Computing) model: the application the client sees runs 100% on the server, and the only thing transmitted over the network is the changed part of the client's display. The demand on the network is very low, and because data is not downloaded to the client there is no data leakage risk at all.
Characteristics of application virtualization technology
(Diagram: application, server, user, virtualization platform, network.)
- Mouse and keyboard input signals are sent to the server; no displayable data such as characters is sent
- The application or desktop runs on the server side
- The user interface is pushed to the client device
- The ICA protocol carries image changes and device support; it contains 32 virtual channels, each transmitting a different kind of information
- It transmits keyboard scan codes, mouse events, print data and so on, but no real business data
- The server side uses the received input to control the screen and transmits the image changes for display on the client
- All user operations can be recorded for auditing, raising the level of security monitoring
- The user experience is essentially the same as on a local system, and each client needs on average only 30 Kbps of bandwidth
Characteristics of network VPN technology
Bandwidth consumption test: traditional VPN mode vs. Citrix HDX
In the traditional mode, an application's bandwidth consumption depends on the operation being performed; some operations or modules suddenly transmit 3000K of data per minute (dark blue curve). If the network cannot guarantee that bandwidth at that moment, what the user experiences directly is that operations become very slow.
Citrix: bandwidth consumption (light blue curve) stays consistently at around 10K.
Virtualization vs. the traditional approach: performance experience
With the same Internet access, accessing the China Mobile headquarters unified information platform through a provincial China Mobile branch's mobile application virtualization, compared with accessing it through the headquarters SSL VPN, took about 1/3 of the SSL VPN access time and generated about 15%-30% of the data traffic.
Test result from the provincial China Mobile branch: 2~6 times faster than the SSL VPN approach, and usable smoothly in narrowband environments (Edge/GPRS).
Access speed comparison: traditional VPN mode vs. Citrix HDX
(Chart; bandwidth tiers shown on the axis: 10-20 kb, 100 kb-1 Mb, 100 Mb, 1 Gb.)
Comparison of supported terminal devices
- A unified client takes advantage of the latest devices
- Gives end users flexibility, choice and continuous productivity
- XenVault™ keeps application data secure
- Simple, fast, self-service installation and automatic upgrades
- The vast majority of VPNs support only PC terminals
Any device, anywhere with Receiver™.
Today's digital workforce demands the flexibility to work from anywhere at any time using any device they'd like. Leveraging Citrix Receiver as a lightweight universal client, XenDesktop users can access their desktop and corporate applications from the latest tablets, smartphones, PCs, Macs, or thin clients. This enables virtual workstyles, business continuity and user mobility.
XenDesktop 5 includes new Citrix Receivers for all the latest tablets, smartphones, Macs and thin clients.
Investment model
VPN generally relies on leased lines or existing lines, so first there is a considerable monthly fee to the telecom provider, and second it may consume bandwidth the organization already has.
Citrix is a one-time investment with unlimited use; it consumes very little bandwidth and pays off over the long term.
Virtualization technology solves the traditional IT difficulties that VPN struggles to overcome
Summary
Virtual private network (VPN) solutions have clear limitations. Although they establish a secure delivery path using encrypted tunnels, the scope of access they provide is usually far too broad: the user (and any malware that may be present on the system) can generally reach the entire network. Likewise, a VPN exercises almost no control over the delivery of enterprise data to authorized users and endpoints.
By contrast, a mobile office solution based on Citrix® XenApp™ helps an enterprise quickly and securely give users in any location, on any device, fine-grained access to applications and desktops, while keeping tight, centralized control over how sensitive data is used and distributed.
Citrix products and VPN are not competing products. Citrix products address the performance of remote applications, whereas a VPN is purely a physical connection. A Citrix environment can be deployed very well within a VPN environment: because Citrix uses little network bandwidth and applications run fast, it can actually greatly improve the access speed and performance experienced by users on a VPN network, with particularly outstanding results for C/S (client/server) applications.
How Citrix XenApp relates to Microsoft RDS
Clarifying the relationship
- Citrix and Microsoft have a long-standing partnership in this area
- Microsoft's 2008 R2 RDS provides an application virtualization platform suited to publishing applications in simple scenarios
- Citrix XenApp provides complete functionality and an enterprise-grade solution
Advantages of Citrix XenApp
Citrix Datastore can be hosted on either SQL, a local MS Access database or Oracle. All configs are stored centrally, and each Citrix server contacts the Citrix datastore individually to receive updates. Citrix administrators can administer the environment via the datastore. The datastore can easily be backed up and restored when needed, which introduced a level of disaster recovery that was totally unavailable at the time. The datastore meant there was no single point of failure in any Citrix environment, and it offers a single point of management.
All the configuration is local to each Terminal Server; there is no centralised model for administration. To publish applications on Terminal Services 2008 an administrator would connect to the server directly using the new Server Manager utility and run a tool called 'TS RemoteApp Manager'. This allows a user to make an application available for connection, but it does not allow you to publish that application across any other Terminal Servers you may have on your network, so you would have to repeat the process for each server.
With Terminal Services 2008, you would need to create a server farm for every application silo that you have (remember, though, that a farm is not a point of management like it is with Citrix). This would be horrible, complex and a total nightmare to manage, which is why Microsoft state this is an entry level solution for non-complex environments where you have maybe 1-5 applications hosted identically on 1-5 servers.
2. TS Session Broker
The cost of making this environment redundant would pay for the extra Citrix licences and then some. Suppose a customer has redundancy with 5 Terminal Servers and asks: "what happens if the TS Session Broker, which may have 3 different farms enabled, actually fails or goes offline?" The answer to that is a very expensive one: Windows Clustering and shared storage on a SAN or iSCSI device is needed to cluster the TS Session Broker.
3. Available Load Balancing Algorithms
The algorithm that the TS Session Broker uses is based on distributed user load, not the overall real-time performance of the servers in question. For example, in a Citrix environment a server can report itself as heavily loaded when memory/CPU usage is at 70% (configurable) even though the user count is low; with the TS Session Broker, however, the server would still accept incoming sessions, resulting in a poor experience for the user and a possible crash of the host.
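The two brokering rules described above, as an added illustration (this is not Citrix or Microsoft code): one broker picks purely by session count, the other refuses any server whose CPU or memory has reached a configurable threshold (70% by default) and ranks the rest by a load index. The server names, utilisation figures and the index scale are constructed sample values; the 70% threshold comes from the text.

```python
"""Compare a session-count broker with a resource-threshold broker.

count_based_pick()      - routes on distributed user (session) count only,
                          as the text describes for the TS Session Broker.
threshold_based_pick()  - a server reports full load once CPU or memory
                          reaches the threshold (default 70%), whatever its
                          session count, as the text describes for Citrix.
Server names and metrics below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Server:
    name: str
    sessions: int
    cpu_pct: float   # current CPU utilisation, 0-100
    mem_pct: float   # current memory utilisation, 0-100


def count_based_pick(servers: List[Server]) -> Optional[Server]:
    """Fewest sessions wins; resource usage is never consulted."""
    if not servers:
        return None
    return min(servers, key=lambda s: (s.sessions, s.name))


def load_index(s: Server, threshold: float = 70.0) -> Optional[int]:
    """0..10000 load index, or None when the server reports full load.
    Full load is declared as soon as either CPU or memory hits the
    threshold, regardless of how few users are logged on."""
    if s.cpu_pct >= threshold or s.mem_pct >= threshold:
        return None
    return int(max(s.cpu_pct, s.mem_pct) / threshold * 10000)


def threshold_based_pick(servers: List[Server],
                         threshold: float = 70.0) -> Optional[Server]:
    """Lowest load index among servers below the threshold; ties broken
    by session count.  Returns None when the whole farm is saturated,
    so the new session is refused rather than pushed onto a host that
    might crash."""
    candidates = []
    for s in servers:
        idx = load_index(s, threshold)
        if idx is not None:
            candidates.append((idx, s))
    if not candidates:
        return None
    return min(candidates, key=lambda t: (t[0], t[1].sessions, t[1].name))[1]


def route_session(servers: List[Server],
                  broker: Callable[[List[Server]], Optional[Server]]) -> Optional[Server]:
    """Assign one new session with the given broker and record it."""
    target = broker(servers)
    if target is not None:
        target.sessions += 1
    return target


def make_farm() -> List[Server]:
    # Constructed: TS01 hosts a memory-hungry application, so it is nearly
    # exhausted with only three users logged on.
    return [
        Server("TS01", sessions=3, cpu_pct=85.0, mem_pct=90.0),
        Server("TS02", sessions=20, cpu_pct=40.0, mem_pct=55.0),
        Server("TS03", sessions=12, cpu_pct=30.0, mem_pct=35.0),
    ]


if __name__ == "__main__":
    farm = make_farm()
    print("session-count broker picks:", count_based_pick(farm).name)
    print("threshold broker picks:   ", threshold_based_pick(farm).name)
```

Run as-is, the session-count broker sends the next user to TS01, the server that is already at 90% memory, while the threshold broker skips it and chooses TS03; raising the threshold shows how the configurable value changes which hosts remain eligible.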
4. Distributed Architecture
The TS Session Broker does not allow for load balancing across sites. If you have geographically distributed Terminal Servers, you would need to create, manage and maintain multiple TS Session Brokers and multiple farms. If you needed fault tolerance on each of these implementations, Windows Clustering and shared storage would need to be deployed.
5. Multiple Platforms
Terminal Server 2008 is the minimum requirement for load balancing with the TS Session Broker; you cannot load balance across multiple platforms, which means all your applications will need to be certified and may or may not work, which could be expensive and time consuming.
All the above limitations are addressed by the entry level Citrix Presentation Server solution.
What happens when your Terminal Server farm is now at around 20 servers and the business wants expansion across multiple sites and more application coverage? I believe you then have 2 choices: you either spend a considerable amount of money on Windows Clustering and shared storage to make your TS Session Brokers fault tolerant, or you spend the money on rebuilding the environment on Citrix Presentation Server.
6. Scalability
For all the reasons mentioned above, and by Microsoft's own admission, it is not scalable above 5 servers with an identical configuration. I would never advise a customer to use it and then, a year down the line, advise them to install Windows Clustering to support a more resilient environment.
7. Monitoring & Reporting
Citrix Presentation Server offers many reporting capabilities, either real-time or historical data covering performance, configuration changes, application usage, utilisation, uptime, etc. All the information is stored in a summary database and can be reported on at any time and formatted for an executive summary.
Microsoft Terminal Services 2008 has no real reporting capabilities; however, real-time basic performance monitoring is available, as it was in Terminal Services 2003.
8. User Experience through RDP
Let's take a look at this from the client side. Many have compared RDP to ICA over the years in terms of bandwidth; it's about the same these days, thus nobody mentions it anymore, so don't forget what technology Citrix incorporates into the ICA client to ensure the user experience is a positive one:
- Flash optimisation
- Progressive SpeedScreen display
- SpeedScreen Flash acceleration
- SpeedScreen multimedia acceleration
- SpeedScreen image acceleration
None of the above is included in RDP, and it can make a huge difference to the user experience, especially when using the Internet.
9. Seamless Application Publishing
One of the key benefits that Citrix Presentation Server added to Terminal Server in the past was 'Seamless Application Publishing'. Microsoft Terminal Services 2008 now introduces a similar solution called 'RemoteApp Manager'.
RemoteApp Manager allows users to connect to native Terminal Servers and run applications as if they were local; previously Terminal Services could only offer remote desktop access. So how does it compare to Citrix application publishing? Again the name suggests something similar; however, RemoteApp Manager is a very basic tool which is used to create and distribute 'RDP' files to internal users.
To use RemoteApp Manager, you connect directly to the Terminal Server that the application is on and launch it (there is no central management console). There are a few very basic options in terms of where the application is located (nothing about who is authorised to use it) before you finish publishing your application. Once it is finished, you can distribute it as an RDP file to your clients using technologies such as SMS, or you can choose to publish it in 'TS Web Access' (more on that later).
One of the distinct options that is lacking here is the ability to publish the application to a specific group of users. Out of the box, RemoteApp Manager assumes that the user is allowed access to the server and is a member of the local server's Remote Desktop Users group; other than that there is no granularity of user access or of which servers the application should run on. The only other option is whether or not to allow the application to appear in TS Web Access (TS Web Access has no authentication).
RemoteApp Manager allows application publishing on a server-by-server basis and not on a user-by-user basis: if a user has access to the server via the Remote Desktop Users group, then they get to see and use all the published applications on that server.
10. TS Web Access (Web Interface for us)
Citrix comes with Web Interface; in many cases it is the primary platform used for accessing a Citrix environment. It is robust and supports dynamic client deployment for Windows, PDAs, Macs and other operating systems. It supports workspace control, multiple servers, multiple domains and multiple Citrix server farms. Basically it is a well developed, resilient front end access point which will enumerate and display published applications from different Citrix servers which may be all over the place and belong to totally different domains.
(Figure: typical example of a Web Interface deployment.)
TS Web Access is a similar type of platform for Terminal Services 2008. It is also free, but can only support Microsoft clients with RDP client version 6 and upwards, so no access from a Mac or PDA. The setup and configuration is very basic: it is installed, then you give it the name of one Terminal Server, and that's the configuration over. It does not enumerate applications across different domains, different Terminal Servers or different Terminal Server farms by default. TS Web Access is a very basic web front end to a single Terminal Server.
(Figure: typical example of a TS Web Access deployment using Terminal Services as a data source.)
There is a method to configure TS Web Access to enumerate applications from more than one Terminal Server, or indeed more than one Terminal Server farm, but again it is complex and clunky. It involves exporting the individual applications from TS RemoteApp into a file share and then configuring access using Microsoft Active Directory Group Policies, which over-complicates the environment somewhat.
(Figure: typical example of a TS Web Access deployment using Active Directory as a data source.)
11. TS Gateway (CAG or Citrix Secure Gateway)
One of the big advantages of the Citrix Access Gateway appliance was the fact that it was not Windows based; on numerous occasions this would be brought up when selling Citrix Secure Gateway as a DMZ-based public facing service.
Citrix Secure Gateway was easy to set up and worked well with Citrix Presentation Server. TS Gateway from Microsoft is pretty much the same as Citrix Secure Gateway: it allows access to your internal Terminal Servers from external non-trusted devices out on the Internet through SSL, but nothing else.
The technology is old hat; Citrix Secure Gateway has evolved into the Citrix Access Gateway solutions. TS Gateway is very basic and only supports the full Microsoft RDP and above for client access on Vista and XP SP3, whereas obviously the Java client has been supported with Citrix from the beginning, allowing external access from a much broader range of devices. Also, Citrix have always provided a small ICA 'web' client that can be deployed to a client in no time.
There is absolutely no comparison between the two technologies today. Citrix Access Gateway out of the box provides more secure access to Citrix Presentation Servers and full VPN access from the same hardened Linux appliance; it can be clustered and used in the Citrix Access Gateway solutions for delivery of many other internal resources without the nee
Detailed comparison
Measured comparison of Citrix and RDS
The test data above come from performance testing by Citrix and Microsoft consultants on a core banking project at a joint-stock commercial bank.
The test user script was:
1. Open the IE browser and visit the Bancslink web page
2. Press F5 to refresh the page
3. Enter the username, password, teller number and other information
4. Submit
5. Repeat steps 2-4
After adopting Citrix XenApp and ICA, the number of concurrent users that terminal services can support increased to a certain degree, and network bandwidth improved significantly. Comparing TS mode with Citrix mode: because Citrix consumes less memory per user, it can support a higher number of users on the same server platform; at the same time a Citrix session uses far less bandwidth, which avoids the WAN bandwidth bottleneck found in real environments and so further raises the data center's capacity for concurrent users.
Memory consumption per user varies by platform: on the Windows 2003 platform each Citrix user consumes about 50 MB, and on the 2008 platform each Citrix user consumes about 70 MB. (Because memory consumption per user on the 2003 platform is lower than on 2008, for memory-intensive applications Citrix can support more concurrent users on 2003 than on 2008.)
Citrix XenApp vs. Sangfor (深信服)
- Founded at the end of 2000 in Shenzhen; close to 1,100 employees, 42 branch offices worldwide, and an R&D team of about 400 people
- Mainly provides application-layer network security and network optimization products
- Sangfor's products currently fall into two lines:
  - Network security product line: SSL VPN, IPSEC VPN, Internet behavior management (AC), next-generation application firewall (NGAF), and second-generation Internet behavior management: the secure desktop
  - Network optimization product line: Internet optimization gateway (SG), bandwidth management (BM), application delivery (AD), WAN optimization (WOC), and application performance management (APM)
Know yourself and know your opponent: Sangfor
According to a 2008 survey report by the international authority FROST & SULLIVAN, Sangfor SSL VPN took first place with a [figure missing]% market share, overtaking numerous domestic and foreign vendors. In 2009 this share rose to [figure missing]%, further extending Sangfor's lead as the number one SSL VPN brand. In 2010 Sangfor's SSL VPN market share reached [figure missing]%, increasing its share yet again.
In 2009, according to IDC survey data, Sangfor's Internet behavior management product, on the strength of its technical advantages and high-quality customer service, won unanimous recognition from customers across industries and reached a [figure missing]% share of the Chinese content security management market, ranking first and exceeding the second and third places combined.
Sangfor's application virtualization? Desktop virtualization?
Sangfor's application virtualization technology is called Sangfor EasyConnect.
- EasyConnect is not a product name; it is a software module included in Sangfor's SSL VPN appliances that has to be activated separately with a license
- Every Sangfor SSL VPN appliance, from low end to high end, has this function; any Sangfor SSL VPN appliance plus an EasyConnect license is all that is needed
- It can publish desktops, but the desktop it publishes is the Microsoft RDP desktop, which works on the same principle as the shared desktop published by XenApp
Sangfor's application virtualization? Desktop virtualization?
Sangfor's desktop virtualization product is called the Sangfor VSP (Virtualization Security Platform).
- This is a separate Sangfor hardware product derived from the SSL VPN
- The appliance was developed on the sandbox principle; it is actually a local virtual desktop and does not use the server-based computing principle
- Sangfor regards Citrix XenDesktop as VSP's competitor, but in fact the two are not at all the same category of product
- For a detailed comparison, please contact Citrix
How Sangfor EasyConnect works
Sangfor EasyConnect = SSL VPN + the RemoteApp function of Windows Server RDS
The essence of the protocol
Does XenApp really need to go head-to-head with EasyConnect?
Since EasyConnect uses Microsoft's RDP protocol and publishes applications through RDS RemoteApp:
- The product is not Sangfor's own intellectual property. Can Sangfor provide Microsoft's usage license? If it cannot, have you considered the subsequent trouble that purchasing such a pirated product would bring?
- When the product has a problem, can Sangfor troubleshoot and fix the bug itself? How long is the resolution cycle? Is the initiative for solving problems in your own hands?
- Microsoft itself has not developed native RDP clients for Android and iOS (Sangfor presumably lacks the capability to develop one too, so it most likely OEMs a third-party RDP client). When a new OS or a new device appears, how will the new system or device be supported quickly, and how are product upgrades guaranteed?
- Do you plan to publish other forms of desktops in the future, for example dedicated desktops for VIPs, Mac OS, or the desktop PCs in the office? How would Sangfor help you?
- One RDS server supports only a few dozen users. If your future deployment is hundreds or even thousands of mobile users, how have you thought about the back-end infrastructure: scalability, built-in load balancing, unified management and cross-region deployment? Can Sangfor meet your requirements?
Comparison with developing applications directly on smartphones and tablets