Surrounding the user with digital

Remote work will stay with us for a long time, well beyond the pandemic raging today. 74% of the 317 companies surveyed by Gartner will continue to use telecommuting. IT tools for organizing it will be in active demand in the future. Introducing Citrix Workspace Environment Manager, an essential element for creating a digital workspace. In this article, we will consider the architecture and main features of the product.



Solution Architecture


Citrix WEM has a classic client/server architecture.


WEM agent - the client part of Citrix WEM software. It is installed on workstations (virtual or physical, single-user (VDI) or multi-user (terminal servers)) to control the user's environment.

WEM Infrastructure services - the server part that provides service to WEM agents.

MS SQL Server - the DBMS server necessary for servicing the WEM database where Citrix WEM configuration information is stored.

WEM administration console - WEM environment management console.

Let's make a small correction to the description of the WEM Infrastructure services component on the Citrix website (see screenshot):


The site mistakenly states that WEM Infrastructure services is installed on a terminal server. This is not true. On terminal servers, a WEM agent is installed to manage the user environment. In addition, it is not possible to install the WEM agent and the WEM server on the same server. The WEM server does not require the terminal services role. This component is part of the infrastructure and, like any service, should preferably be placed on a separate dedicated server. One WEM server with 4 vCPUs and 8 GB RAM is capable of serving up to 3000 users. To ensure fault tolerance, install at least two WEM servers in your environment.

Key features


One of the tasks of IT administrators is organizing the user workspace. The work tools used by employees must be at hand and set up appropriately. Administrators need to provide access to applications (place shortcuts on the desktop and the Start menu, configure file associations), provide access to information resources (connect network drives), connect network printers, make it possible to store user documents centrally, let users configure their own environment and, most importantly, ensure a comfortable user experience. On the other hand, administrators are responsible for data security, depending on the particular conditions in which the user works, and for compliance with the software licensing policy. Citrix WEM is designed to solve these problems.

So, the main features of Citrix WEM:

  • user environment management
  • computing resource management
  • application access restriction
  • physical workstation management

User workspace management


What capabilities does Citrix WEM provide for building the user's desktop? The figure below shows the Citrix Workspace Environment Manager management console. The Actions section lists the actions that an administrator can use to set up a work environment, namely: create application shortcuts on the desktop and in the Start menu (including for published applications through integration with Citrix StoreFront, with the ability to assign hot keys for quick launch of applications and coordinates that place shortcuts at a specific location on the screen); connect network printers and network drives; create virtual disks; manage registry keys; create environment variables; configure mapping of COM and LPT ports in a session; modify INI files; run programs \ scripts (during LogOn, LogOff, Reconnect operations); manage files and folders (create \ copy \ delete files and folders); create a User DSN to configure a database connection to an SQL server; configure file associations.


For ease of administration, the created "actions" can be combined into Action Groups.

To apply the created actions, they must be assigned to a security group or a domain user account on the Assignments tab. The figure below shows the Assignments section and the process of assigning the created “actions”. You can assign an Action Group with all its “actions” or add the necessary set of “actions” individually by dragging them from the left column, Available, to the right column, Assigned.


When assigning "actions", you need to select a filter; by evaluating it, the system determines whether particular "actions" should be applied. By default, the system creates one filter, Always True. When it is used, all assigned “actions” are always applied. For more flexible management, administrators create their own filters in the Filters section. A filter consists of two parts: “Conditions” and “Rules”. The figure shows two sections: on the left, the window for creating a condition, and on the right, a rule containing the conditions selected for applying the desired “action”.


A fairly large number of “conditions” are available in the console; only some of them are displayed in the figure. In addition to checks of site or Active Directory group membership and of individual AD attributes, there are conditions that check the PC name or IP addresses, match the OS version, check the date and time, the type of published resources, etc.
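The filter logic described above, modelled as an added example (it is not Citrix code and does not use the WEM API). The condition helpers, the AND combination of conditions inside a rule, and all group names, host names and addresses are assumptions constructed for illustration.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

@dataclass
class Session:  # constructed session facts the agent would evaluate at logon
    user: str
    groups: set
    computer: str
    client_ip: str

# Hypothetical condition builders, modelled on the condition types listed above.
def in_ad_group(group):
    return lambda s: group.lower() in {g.lower() for g in s.groups}

def computer_matches(pattern):
    return lambda s: fnmatch.fnmatch(s.computer.lower(), pattern.lower())

def client_ip_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda s: ipaddress.ip_address(s.client_ip) in net

ALWAYS_TRUE = []  # a rule without conditions always matches, like the default filter

def rule_matches(conditions, session):
    # Assumption: all conditions of a rule must hold (logical AND).
    return all(cond(session) for cond in conditions)

def resolve_actions(assignments, session):
    """Names of actions assigned to the user or one of their groups whose rule matches."""
    targets = {session.user.lower()} | {g.lower() for g in session.groups}
    return [name for name, target, rule in assignments
            if target.lower() in targets and rule_matches(rule, session)]

# Constructed assignments: (action, assigned group or user, filter rule).
HQ_FINANCE = [in_ad_group("Finance"), client_ip_in("10.20.0.0/16")]
VDI_ONLY = [computer_matches("VDI-*")]
ASSIGNMENTS = [
    ("Map drive F: (finance share)", "Finance", HQ_FINANCE),
    ("Shortcut: ERP client", "Domain Users", VDI_ONLY),
    ("Printer: HQ-2F", "Domain Users", ALWAYS_TRUE),
]

def demo():
    groups = {"Domain Users", "Finance"}
    office = Session("anna", groups, "VDI-0042", "10.20.5.17")
    remote = Session("anna", groups, "RDSH-01", "192.168.1.50")
    return resolve_actions(ASSIGNMENTS, office), resolve_actions(ASSIGNMENTS, remote)
```

The same user receives the finance drive only when connecting from the office address range, while the action bound to the Always True rule follows her everywhere.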

In addition to managing user environment settings through Actions, the Citrix WEM console has another large section, called Policies and Profiles. It provides additional settings and consists of three subsections: Environmental Settings, Microsoft USV Settings, and Citrix Profile Management Settings.

Environmental Settings includes a large number of settings, thematically grouped into several tabs. Their names speak for themselves. Let's see what options administrators have for shaping the user environment.

Start Menu Tab:


Desktop Tab:


Windows Explorer Tab:


Control Panel Tab:


SBC \ HVD Tuning Tab:


We will skip the settings from the Microsoft USV Settings section. In this block, the standard Microsoft components (Folder Redirection and Roaming Profiles) are set up in the same way as in group policies.


The last subsection is Citrix Profile Management Settings. It is responsible for setting up Citrix UPM for managing user profiles. There are more settings in this section than in the previous two combined. The settings are grouped into sections, organized as tabs, and correspond to the Citrix UPM settings in the Citrix Studio console. Below is a figure with the Main Citrix Profile Management Settings tab and a list of the available tabs, added to give a general idea.


Centralized management of the user's work environment settings is not the main thing that WEM offers. Much of the above functionality can be accomplished using standard group policies. The advantage of WEM is how these settings are applied. Standard policies are applied sequentially, one after another, when a user connects. Only after all the policies have been applied does the logon process end and the desktop become available to the user. The more settings are enabled through group policies, the more time is required to apply them. This greatly lengthens the login time. Unlike group policies, the WEM agent changes the processing order and applies the settings in several threads, in parallel and asynchronously. User login time is significantly reduced.

The advantage of applying settings through Citrix WEM over group policies is demonstrated in the video.


Compute Management


Consider another aspect of using Citrix WEM, namely the possibility of optimizing the system in terms of Resource Management. Settings are located in the System Optimization section and are divided into several blocks:

  • CPU Management
  • Memory management
  • I \ O Management
  • Fast logoff
  • Citrix Optimizer

CPU Management contains parameters for managing processor resources: limiting resource consumption in general, handling spikes in processor consumption and prioritizing resources at the application level. The main settings are located on the CPU Management Settings tab and are presented in the figure below.


In general, the purpose of the parameters is clear from their names. An interesting feature is a way of managing processor resources that Citrix calls smart optimization (Intelligent CPU optimization). The loud name hides simple but quite effective functionality. When an application starts, its process is assigned the maximum CPU priority. This makes the application launch quickly and raises the overall comfort of working with the system. All the “magic” is in the video.


The Memory Management and I \ O Management sections have few settings, and their essence is extremely simple: managing memory and disk input-output. Memory management is enabled by default and applies to all processes. When an application starts, its processes reserve part of the RAM for their work. As a rule, this reserve is larger than is needed at the moment: it is created “for growth” to keep the application fast. Memory optimization consists in freeing the memory of processes that have been in the idle state for a set time. This is achieved by moving unused memory pages to the page file. Disk optimization is achieved by prioritizing applications. The figure below shows the options available for use.


Consider the Fast Logoff section. When a work session ends in the usual way, the user watches the applications close, the profile being copied, and so on. With the Fast Logoff option, the WEM agent intercepts the call to end the work session (Log Off) and disconnects the user session, putting it in the Disconnect state. For the user, the session ends instantly, while the system completes all the work processes in the normal way in the background. The Fast Logoff option is enabled with a single checkbox, but exceptions can be assigned.


And finally, the Citrix Optimizer section. Citrix administrators are well aware of Citrix Optimizer, the tool for optimizing a golden image. This tool is integrated into Citrix WEM 2003. The following figure shows a list of available templates.


Administrators can edit the current templates, create new ones, and view the parameters set in the templates. The settings window is shown in the figure below.


Application Access Restriction


Citrix WEM can be used to restrict the launch / installation of applications, the running of scripts and the loading of DLL libraries. These settings are collected in the Security section. The figure below lists the rules that the system proposes to create by default for each of the subsections; by default, everything is allowed. Administrators can override these settings or create new ones. For each rule, one of two actions is available: Allow \ Deny. The number of rules created in a subsection is shown in brackets next to its name. The Application Security section does not have its own settings; it displays all the rules from its subsections. In addition to creating rules, administrators can import existing AppLocker rules, if they are used in the organization, and manage environment settings centrally from a single console.


In the Process Management section, you can create black and white lists to restrict the launch of applications by executable file name.


Physical Workstation Management


So far we have looked at the settings for managing resources and for building the users' working environment in the context of VDI and terminal servers. What does Citrix offer for managing the physical workstations from which users connect? The WEM capabilities described above can also be applied to physical workstations. In addition, the tool allows you to "turn" a PC into a "thin client". This conversion is done by blocking users' access to the desktop and to the built-in features of Windows in general. Instead of the desktop, the graphical shell of the WEM agent is launched (it uses the same WEM agent as on VDI \ RDSH), and its interface displays the published Citrix resources. Citrix also has the Citrix DesktopLock software, which likewise allows you to transform a PC into a "thin client", but the capabilities of Citrix WEM are broader. Below are images of the main parameters that can be used to control physical computers.




Below is a screenshot of how the workplace looks after being transformed into a “thin client”. The Options drop-down menu lists the elements with which users can customize the environment as they see fit. Some or all of these elements can be removed from the interface.


Administrators can centrally add links to the company’s web resources to the “Sites” section, and applications installed on the physical PC that users need to the “Tools” section. For example, it is useful to add a link to the user support portal to "Sites", where an employee can create a request if there are problems connecting to VDI.


Such a solution cannot be called a full-fledged “thin client”: its capabilities are limited in comparison with commercial versions of similar solutions. But it is enough to simplify and unify the interface for working with the system, limit user access to the PC's system settings and use an aging PC fleet as a temporary alternative to specialized solutions.

***

So, let us summarize the Citrix WEM review. The product can:

  • manage user environment settings
  • manage resources: processor, memory, disk
  • provide fast logon to / logoff from the system (LogOn \ LogOff) and fast application launch
  • restrict application use
  • transform PCs into thin clients

Of course, you can be skeptical about demos of WEM. As our experience shows, for most companies that do not use WEM, the average login time is 50-60 seconds, which is not much different from the time in the video. With WEM, logon times can be significantly reduced. Also, using simple rules for managing resources, you can increase the density of users on a server or provide a better quality of work with the system for current users.

Citrix WEM fits well with the concept of a "digital workplace" and is available to all users of Citrix Virtual Apps and Desktops starting with the Advanced edition, provided they have active Customer Success Services support.

Posted by Valery Novikov, Lead Design Engineer, Jet Infosystems
