Five or six years ago, when Citrix first announced the Citrix Access Gateway appliance, I remember scratching my head and thinking, “Wait a minute, Citrix is in the software business. Why in the world do they want to start selling hardware, with all of the warranty, repair, and support issues that come along with being a hardware manufacturer?” The answer, of course, was that in order to build out the complete Application Delivery solution they envisioned, they needed components that, at the time, couldn’t be delivered using software alone.

But the world turns, and time moves on, and today Citrix has a world-class virtualization platform that runs on off-the-shelf server hardware that is itself mind-bogglingly powerful compared to what was available five or six years ago. So it makes all the sense in the world for Citrix to turn all of those hardware devices into virtual appliances as quickly as they can.

Yesterday, they formally announced virtualized versions of both the Access Gateway and the Branch Repeater. We’ll get to the virtual Branch Repeater in another post, because we’ll have our hands full in this one just covering the things you need to know about the Access Gateway VPX.

First, you need to know that the Access Gateway VPX is fundamentally a virtualized version of the 2010 CAG Appliance – with some exceptions that we’ll get into in a moment. You can download it and use XenCenter to import it directly into your XenServer environment. The cost is only $995 (compared to $3,500 for the 2010 hardware appliance), with an ongoing Subscription Advantage cost of $129/year. Here’s where it gets cool:

• It was difficult to come up with a good solution for redundancy and automatic failover with the 2010 appliance. Unless you wanted to put a load-balancer in front of it (and if you’re going to do that, you may as well just buy a NetScaler in the first place), redundancy depended on putting primary and secondary appliance URLs or IP addresses into the CAG client. And that did you no good at all if you were trying to run it in “CSG-replacement mode” just to provide secure Web access to a XenApp farm. But the VPX virtual appliance fully supports Live Motion, XenServer HA, and NIC bonding. So the VPX doesn’t have to be redundant, because the underlying XenServer infrastructure can provide the resilience you need.
• If you were using a 2010 appliance, and wanted to use “SmartAccess,” you had to stand up a separate “Advanced Access Control” Web server in your protected network. Obviously, that added to the cost and complexity of the solution. The VPX appliance, on the other hand, supports SmartAccess policies directly.

  Edit July 27, 2010: Not sure now where I originally picked up this information, but it is incorrect. An Advanced Access Control Web server is still required to enable SmartAccess policies with the Access Gateway VPX.

NOTE: SmartAccess, in case you’re not familiar with the term, allows you to control, at a very granular level, what applications and information a user can access, and what they can do with that information, based on the access scenario. The same user, presenting the same authentication credentials, might get a totally different level of access depending on whether s/he is connecting from inside the corporate network, from outside the network using a company-owned laptop, from home using a personal PC, or from a hotel business center using a totally untrusted device. For more information on how SmartAccess works and why it’s cool, check out this video from Citrix TV:

• The VPX appliance fully supports the latest generation of the Citrix Receiver, and works with Dazzle and the Merchandising Server.
• You no longer need to buy VPN client licenses to run it in “CSG replacement” mode. This is a biggie. Citrix made it clear some time ago that they would not be putting any more development time and effort into enhancing the software “Citrix Secure Gateway.” But the CSG just wouldn’t die, for one simple reason: it’s free. If you own XenApp or XenDesktop licenses with current Subscription Advantage, you’ve got the rights to use the CSG software, and your only cost is a server to run it on…and that’s pretty low in today’s virtual world. Yes, it could be argued that the CAG appliance was somewhat more secure, since it ran on a hardened Linux-derived kernel. But it cost $3,500 plus roughly $100 per concurrent user. Hmmm… CSG, free, CAG appliance, several thousand dollars. That was an easy decision for a lot of users.

  Co-incident with the release of the VPX appliance, Citrix is announcing that they’re eliminating the Access Gateway Standard User Licenses. They will no longer be sold as of June 30. Instead, when you buy an Access Gateway (physical or virtual), you get a “platform license” that entitles you to use it to secure access to a XenApp or XenDesktop farm (i.e., what’s generally referred to as “CSG Replacement Mode”) at no additional charge. So now the equation is: CSG, free, but I’ve got to put it on a server, and if it’s a Windows Server, the OS is going to cost me $700 – $800 or so. CAG VPX, $995, but I import it directly into my XenServer infrastructure and don’t have to pay for anything else unless I want the advanced access functionality. Suddenly the value proposition looks a lot more attractive.

• Speaking of the advanced access functionality, Citrix has made some licensing changes there as well. The Access Gateway Universal licensing model has been reduced from three tiers to two, and the prices have been lowered. So now, if you didn’t purchase the XenApp or XenDesktop Platinum Editions (which include Access Gateway Universal licenses), you can purchase the Access Gateway Universal licenses separately for $100/concurrent user in quantities up to 2,500, and $50/concurrent user for 2,500+ users.

What’s the down side? Well, I’m not sure there is one. The VPX appliance isn’t going to work well as a general-purpose SSL/VPN for thousands of concurrent users, but then neither did the 2010 hardware appliance. So if that’s what you need, or if you need the high-end enterprise features like Global Server Load Balancing to enable transparent failover to a Disaster Recovery site, then we need to have a conversation about NetScalers. But for basic CSG-like functionality, or a SmartAccess deployment for a few hundred concurrent users, the virtual appliance looks pretty darned attractive to me.

For more information on the Access Gateway VPX, including a demo of just how easy it is to import it into your XenServer environment and get it running, check out the following video from Citrix TV:

Today, I’m not going to focus on pressing business issues, Microsoft licensing, or the latest news from Citrix. Instead, I want to share a couple of software utilities that have made my computing world more pleasant. Both have free versions as well as “Pro” versions that cost a modest amount of money and give you more functionality. Both are Windows 7 compatible.

Managing Desktop Icons
First, I’m one of those users who puts a lot of icons on the desktop. I want my most frequently used programs (and even some of the less frequently used) right there where I can double-click them without having to navigate through the Start menu tree. (Yeah, I probably never entirely outgrew Windows for Workgroups v3.11 in that respect.) But the desktop can get, um, rather cluttered. Sometimes the icons don’t want to stay where I put them. I can use the “auto arrange” feature, but I don’t always like the way they get arranged.

I was delighted to discover “Fences” by Stardock. All you have to do is hold down the right mouse button and drag on your desktop to define an area, and a little context menu will pop up that says, “Create New Fence Here.” Click on that, and you’ve just created a defined area on your desktop that you can name, resize, drag to whatever position you want, and then fill with desktop icons just by dragging them inside the “fence” (see below – click to view larger picture):

"Fences" Screen Capture

Multiple Monitors
Second, I have become highly dependent on multiple monitors. My primary business computer is a Motion Computing LE1700 Tablet. I have docking stations in both my work office and my home office. When I dock it, my desktop is automatically spread across a large external monitor as well as the screen of the tablet itself. My multi-media studio PC at home has two widescreen monitors that are essential when I’m doing multi-track hard disk recording. My personal desktop PC has multiple monitors simply because I reached the point where I found a single monitor to be annoyingly limiting. But I was always annoyed by not having an easy way to have different desktop images on the different monitors.

The answer for me was “DisplayFusion” from Binary Fortress Software. DisplayFusion can do a number of cool things, including random “slide show” changes of your wallpaper, and multiple taskbars on your multiple monitors. But the key thing for me was that I finally had an easy way to put a different picture on each of my monitors.

DisplayFusion Example

And in case you’re curious, yes, I took both of those pictures. Both were taken last summer in the Mountain Loop Highway area of Washington State. The one on the left was one of many incredible views on the way from Barlow Summit to the old, abandoned mining town of Monte Cristo. The one on the right is of Perry Creek just above Perry Creek Falls – about 2 miles in and 3300 feet up on the Perry Creek – Mount Forgotten trail. Yes, I’m lucky to live in such an awesome part of the country.

But I’m sure you have some awesome pictures of your own, and now you know how to put them to use with multiple monitors and how to manage that desktop icon clutter.

So, grasshopper, you have decided to take the plunge and virtualize your server infrastructure. Someone (perhaps us) explained the business benefits of virtualization, you decided that it made sense, and that it’s time to make the move. But do you know how virtualization will affect your Windows Server licensing model?

The first thing you need to know is that Windows Server licenses are assigned to physical hardware, not to server workloads. When you purchase a license, you must “assign” that license to a physical server. How do you do that? Well, in today’s world, there is no formal process for doing that, although if it makes you feel better, you can write it down somewhere.

You may assign more than one license to a physical server, but you may not assign the same license to more than one physical server. You may reassign a license from one physical server to another, but not more frequently than every 90 days, unless the server it was assigned to is being retired due to “permanent hardware failure.”

Sound reasonable so far? Of course it does. Right up until the license model runs head-on into one of the coolest features of virtualization: live motion. Most virtualization platforms, including Microsoft’s Hyper-V R2, allow you to easily move a virtual server from one physical host to another. Great feature, right? But if you do it, you may have just violated your Windows license agreement.

I say “may” because different versions of Windows Server come with different virtualization rights. For example, a Windows Server Standard license can be used to run one physical instance of Windows (and by “physical instance,” I mean Windows is installed directly on the hardware) or one virtual instance of Windows, but not both – unless the physical instance is being used solely to manage the virtual environment.

Let me say that another way: If you buy a single license for Windows Server Standard Edition with Hyper-V, you can install it directly on the hardware without bothering with the Hyper-V role. Or you can install the Hyper-V role, have one virtual Windows Server running on top of Hyper-V, and use the physical instance exclusively to manage the virtual instance. Of course, you haven’t really gained anything by doing that…but you can purchase additional copies of Windows Server Standard, assign them to the same physical host, and run more virtual servers on Hyper-V.

Thinking this scenario through, then, if you currently have a bunch of physical Windows Servers – each licensed with Windows Standard Edition – and you want to virtualize them all, that’s no problem. You can reassign your server licenses to your virtual hosts and be perfectly legal. As long as you don’t move a server from one host to another. But if all you own are Standard Edition licenses, and you move a server from one host to another, you’ve just violated the license agreement – unless you own a “spare” server license that you have “assigned” to the target server (the host you’re moving it to) but that is not being used.

Now, in the scenario I just described, it’s possible that the most cost-effective thing you could do is to just buy a few additional licenses as “spares” rather than re-licensing your entire environment. But let’s move ahead – once we’ve covered the other Windows editions that are available to you, you’ll be better able to decide what makes financial sense for your project.

Windows Server Enterprise Edition comes with expanded virtualization rights. Each Enterprise Edition license gives you the rights to run one physical instance and up to four virtual instances on the physical host to which it is assigned. Once again, if you want to run all four virtual instances, then the physical instance may only be used to manage the virtual environment. If you want to run other services on the physical instance – and that’s actually fairly common in a Hyper-V deployment – then you only get to run three virtual instances. And you may not split the license across multiple physical hosts.

The “estimated retail price” (just the license, no Software Assurance, assuming Open Business pricing) for Windows Enterprise is $2,358, vs. $726 for Windows Standard. So Enterprise is less expensive than four copies of Standard. Therefore, if you need to buy new licenses (perhaps you’re upgrading from Server 2003 to Server 2008 as part of your virtualization project), it may make sense in a small environment to buy a copy of Enterprise Edition for each virtual host, and perhaps supplement it with a few spare copies of Standard Edition. Here’s an example:

Let’s say you have a total of nine physical servers today, and you want to virtualize them on three dual-processor virtualization hosts. (You could probably run them on two hosts, but if one failed, it might be a stretch to run all nine on one host. If you start with three hosts, and one fails, you still have two to carry the load.) You could buy nine new copies of Windows Standard Edition for $6,534, but you’d have no flexibility to use live motion to move things around. On the other hand, you could buy three copies of Enterprise Edition for your three hosts for $7,074, and effectively have one “spare” instance on each host that’s available for moving a virtual machine from one host to another.

Of course, that may not be quite enough if you want to completely unload one of your servers (perhaps to take it off-line for maintenance), because unless you’re prepared to shut down one VM completely, you’re going to need to run five VMs on one of your remaining servers. Since you may not know in advance which server needs to assume the extra VM workload, you could just buy three additional copies of Standard Edition, and assign one to each host. That would push your total license acquisition cost to $9,252, but you would then be licensed for five VMs on each of your hosts.

The ultimate in flexibility is Windows Server Datacenter Edition. Datacenter Edition is licensed per processor socket rather than per physical host, but includes unlimited virtualization rights. You can run as many VMs on your hosts as they’re capable of running, and move them around to your heart’s content. If you just don’t want to worry about what’s running where or whether or not it’s technically legal to move a given VM around, this is the license model to use.

Of course, this is also the most expensive edition of Windows. The estimated retail price for Datacenter Edition is $2,405 per processor socket (regardless of the number of cores per processor). So it would cost $14,430 to license three dual-processor servers with Datacenter Edition. This probably isn’t cost effective if you’re only virtualizing nine servers. However, if you have lots of servers, and many of them are fairly lightly loaded (in terms of processor utilization), the picture could change. If your average consolidation ratio is greater than or equal to four servers per physical processor then Datacenter Edition becomes the most cost-effective license.

In fact, if you’re even close to that 4:1 ratio, you should strongly consider Datacenter Edition, for two reasons:

1. Windows environments inevitably grow. However many servers you have today, you’re probably going to have more of them a year from now. With Datacenter Edition, you can continue to fire up new servers to the limits of your hardware without having to buy more server licenses.
2. AMD already has six-core processors. You know the “arms race” between Intel and AMD will continue. So the number of servers per processor that you can reasonably expect to support will continue to increase as the processors themselves become more powerful and contain more cores, and as this happens, Datacenter Edition will look better and better.

Note that everything we’ve discussed holds true if you’re virtualizing on XenServer or VMware rather than on Hyper-V. The only difference is that you won’t be using any of the allowed physical instances of Windows.

If you want to delve deeper into this issue, you can download a copy of the Microsoft Product Use Rights document from their Web site. Happy virtualizing!

“VSS,” or Microsoft’s “Volume Shadow Copy Service,” provides a means of requesting a “snapshot” of a data volume. In very basic terms, a snapshot captures an image of the data volume at a particular point in time. This can be useful, for example, in allowing backup software to back up a volume even though it is still in use and data may be changing while the backup operation is under way. It can also be used to facilitate a roll-back of the data volume to the point in time when the snapshot was taken.

You typically don’t want your snapshot to consist of a complete copy of your data volume, though. That would be a waste of disk space, and could take a long time to complete – and I/O operations on the data volume have to be suspended for the length of time required to take the snapshot, so we want that time to be as short as possible. Therefore, most products that use snapshots, including VSS, use a “copy on write” approach. Here’s how it works:

First, a table is created that initially contains nothing but pointers back to the physical data blocks in the original volume. This can be done very quickly, will take up very little space, and can immediately be used as though it was a complete copy of the data volume. As long as nothing has actually changed in the original volume, any read request that’s made to the snapshot for a specific block of data will simply be redirected back to the original volume.

When a write operation takes place on a block of data in the original volume, the existing data is first copied to a “recovery area,” and the pointer for that block in our snapshot table is changed so it points to the recovery area instead of to the original volume. The snapshot can continue to be accessed as though it was a complete copy of the original volume, because the point in time at which the snapshot was taken can be reconstructed by merging the unchanged blocks of data in the original volume with the blocks that were copied to the recovery area before changes were made.

As time goes by, and more and more changes are made to the original volume, the storage space consumed by the snapshot will continue to grow as more and more data is copied to the recovery area. Eventually, it will approach the size of the original volume. For this reason, snapshots are generally not retained forever – they’re kept until the purpose for which they were created has been fulfilled, e.g., until the backup operation has been completed, and then purged to release storage space.

That, in a nutshell, is what a “snapshot” is all about. For more information, check out the “Volume Shadow Copy Service Technical Reference” on Microsoft Technet.

As all IT professionals are aware, most hardware and software companies offer some type of support/maintenance renewal, WatchGuard Technologies is no different.

They offer a variety of subscription services with their WatchGuard XTM or Firebox X appliances. These services are either sold separately or as a bundle of services for one, two, or three year terms. Services available include:

• SpamBlocker – with virus outbreak detection
• WebBlocker – with HTTP and HTTPS inspection
• Gateway AntiVirus – for signature-based protection from known threats
• Intrusion Prevention Service – with comprehensive attack and spyware protection
• LiveSecurity® Service – hardware replacement warranty, free software updates, 24/7 telephone support

For more information about what each service is please contact us here at info@manage-ops.com.

The main objective of this post is not about the services themselves but rather about the renewal process. Each WatchGuard system we sell comes bundled with LiveSecurity Service for the first year. Since customers who own multiple WatchGuard systems have often bought them at different times, and since it is possible to renew LiveSecurity for multiple years, it is often the case that a customer can have different WatchGuard units whose coverage expires at different times of the year. Some companies prefer to keep these renewals separate to spread out their renewal costs over the year while others prefer to have a single renewal date for all of their WatchGuard units.

When renewing a WatchGuard subscription, ManageOps will place an order with WatchGuard and typically within 48 hours an email is sent to us as well as to the customer contact who was in charge of the renewal. That email will contain a license key for each renewal. The customer is responsible for logging in to their WatchGuard account and entering those license keys. This will result in the display of a feature key. At this point the customer needs to copy and paste that feature key into the actual WatchGuard unit, only then is the renewal complete – and the services the company has paid for will become available.

(Note that if you don’t have the time or skills to perform these tasks when you renew, ManageOps will be happy to do it for you. Yes, we will bill you for our time – although if you are a MooseGuard^TM Gold or Platinum customer, that work effort would be covered by your plan.)

Now there is a twist to this. If we change the date of the renewal (e.g., in order to synchronize renewal dates for multiple units) that change is implemented directly by WatchGuard, and NO LICENSE KEY WILL BE SENT TO YOU. Since no new license key is made available to the end user, no email is sent to remind you that you need to log into the WatchGuard online portal and retrieve the feature key to be copied and pasted on the physical unit.

So the important lessons of the day are:

1. If you chose to synchronize your WatchGuard renewal dates it will take a little longer to get the renewal done (usually 4-5 business days) since someone at WatchGuard has to manually update your renewal dates, and
2. It is important to mark your calendar so that you log in to your account after 4-5 days and see if the feature key is available.

If we’re handling the process for you (either because you’re a MooseGuard customer or because you’ve asked us to) it’s not an issue, because we know what the process is. But if you’re handling the renewal yourself…don’t just sit back and think that you’re done just because you’ve placed the renewal order. If the new feature key doesn’t get entered in your unit, the features you’re subscribing to are going to stop working – and that would be what we call, in technical terms, a “bad thing.”