Friday, December 21, 2012

issues with disaster recovery choices


Recently, I was involved in delivering a disaster recovery / business continuity solution for a world-renowned arts and entertainment organisation.

Some time ago, I adopted an IT decision philosophy diagram which goes like this:

Fig.1 The IT Decision Triangle

Actual business needs ought to reign supreme.  However, these are sometimes unclear and CV-driven or boy-toy technology decisions often over-rule.  Next, political muscles flex to leave a mark, which is sometimes a scar.  And ultimately, everything decided has a budget constraint, which often comes left-field. 

As we proceeded through the DR/BCP project, we faced a number of trade-off decision-points, which epitomised these ideas and effects.  

My first task was to create a detailed service catalog, relating IT services to the IT infrastructure which underpinned those services.  This step helped me to get an overview of what we needed to protect and is a step I strongly recommend to anyone taking on DR/BCP. 

My next technical task was to investigate and compare as many DR/BCP solutions as I could discover, knowing what I did of the technology at stake.  A future post will analyze the options I considered and how I was able to compare an apple with a pear with a pineapple.

Simultaneously, we undertook a detailed analysis of what the business actually expected. When I say detailed, I really mean exhaustive and exhausting.  Via a questionnaire and a series of meetings, we approached each and every business unit and asked the Unit Leaders (Managers) to detail their IT requirements and business continuity wants. 

RTO's and RPO's
In any DR project, the question of what RTO or RPO you hope to achieve kicks off your discussions.  The technology team we had at our disposal had some definite ideas and proposed that we offer the world to the business.  However, it soon became apparent from the business analysis, that the business didn't really need or desire the speed of recovery or range of recovery initially suggested by the technology team.

And here is an important point: with any DR/BCP project, don't over-promise or even over-deliver.  Find out what the business really expects!   Short RTO's (seconds) and RPO's (seconds) will cause you grief and cost you an arm.    

Even the tier 1 money earning application (as far as the business was concerned) was at the outset of the project tolerating a 1 day RPO and a similar RTO for the most serious DR events, involving total corruption of database or loss of site.    I realised that we could make strong gains by offering 60 minute RPO's and similar RTO's for the most critical applications and reduce our budget requirement dramatically from one which offered  RTO's/RPO's in seconds.

The business analysis had also thrown up the fact that a large swathe of business applications and IT services would tolerate a much greater RTO/RPO combination, like a day.  Once we identified these, we could plan our different tiers of service accordingly and save money.

We put this information into the IT service catalog, of course, and circulated it for comment.  No one important read it, naturally .... yet.


NEXT ...... How I chose a solution .....

Wednesday, March 14, 2012

Can Appsense Application Manager replace antivirus?

I think it depends.

Advising a client recently who is maxing out the CPU cycles available in the virtualized XenApp environment, I looked at whether Appsense Application Manager could do the job of the antivirus. The client uses AM mainly for software licence management. CPU is at such a premium in the virtual environment that the client is considering deprecating use of AM to save CPU cycles.

I examined whether the client could in preference deprecate their use of AV real-time scanning in this scenario, as AM can potentially do a good job of preventing unauthorised executables from running.

I came across the following Appsense whitepaper, AppSense_WhitePaper-Eliminating_Malware_on_the_desktop.pdf, which seems to indicate that AM could be used to prevent viruses from running, but makes clear at the same time that AM is not a virus removal tool. And of course it is not. But it can stop anything not installed by a Trusted Owner from running. The whitepaper comments on how AM's self-healing feature can actually protect the antivirus program from stealth attacks, so this appears to suggest that best practice still dictates running AV on the protected VMs.
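The Trusted Owner idea described above can be audited without the product. The PowerShell below is an added example, not code from this post or from AppSense: it lists executable and script files under user-writable folders whose NTFS owner is not in an assumed trusted list (SYSTEM, local Administrators, TrustedInstaller). The function names and scan roots are illustrative.

```powershell
# Added example: report executable/script files whose NTFS owner is not trusted.
# The trusted list is an assumption for illustration; it is not read from
# Application Manager's configuration.
$TrustedOwnerSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$ExecutableExtensions = '.exe', '.dll', '.msi', '.bat', '.cmd', '.ps1', '.vbs', '.js'

function Get-FileOwnerSid {
    param([Parameter(Mandatory)][string]$Path)
    # Compare SIDs, not names, so the check survives localized account names.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
}

function Find-UntrustedExecutable {
    param(
        [Parameter(Mandatory)][string[]]$Root,
        [string[]]$TrustedSid = $TrustedOwnerSids
    )
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ExecutableExtensions -contains $_.Extension } |
        ForEach-Object {
            $file = $_
            try {
                $sid = Get-FileOwnerSid -Path $file.FullName
            } catch {
                $sid = $null   # unreadable ACL: report the file rather than skip it
            }
            if ($TrustedSid -notcontains $sid) {
                [pscustomobject]@{
                    Path     = $file.FullName
                    OwnerSid = $sid
                    Modified = $file.LastWriteTime
                }
            }
        }
}

# Hypothetical scan roots: locations an ordinary user can write to.
Find-UntrustedExecutable -Root $env:USERPROFILE, $env:ProgramData |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

On a PVS image that reverts to gold on restart, anything this reports has arrived since the last reboot, which makes the output a short list for the overnight scan to look at.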

My own view is that the PVS-based images revert to the gold image on a weekly restart, and that at most overnight virus scanning (to remove viruses) can complement AM's application control, but that real-time antivirus scans are not actually necessary.

A useful discussion blog trail appears on Dan Feller's blog at http://virtualfeller.com/2011/07/22/virus/

gray

Tuesday, August 30, 2011

Receiver or Deceiver?

I’m impressed with the Receiver on the Mac & iPad. Trying out the new Deceiver 3 on a Win7 client (available from mycitrix.com from 24 August 2011) however, left me cold last week. I was evidently missing something, as I appeared to lose a way to start apps.


Another examination yesterday revealed that what Citrix has done is remove the access to Published Apps & Desktops, which you could previously do by right-clicking on the Online Plug-in tray icon.


You now appear to have to put these in Start Menu or on the user’s desktop. Disadvantage? Not really. That’s where they are supposed to be for users to access them. As an admin, though, in the past I found it useful to access via the tray icon, while things were in POC or UAT.


Receiver 3 gets rid of Dazzle nonsense and unifies the client approach. Management options increase: the updated icaclient.adm has quite a few settings for managing clients via group policy, and there is the new Receiver Infrastructure which does … something.


Was my initial repulsion premature? I believe further testing is required, as the client was released a week ago and onsite at my client, it has not been tested at all in their POC. I've instructed that it be added to the Production build with a proviso that if it does not work, it can be replaced with the tried & tested Online plug-in 12.1.x. Ultimately, the Online Plug-in will probably face deprecation from Citrix. Citrix has a history of quietly disowning their old clients, while everyone is distracted by name changes or new tech at Synergy.


Receiver on the Server?

I'll also be deploying the Receiver to one of my client's POC servers to check if it solves an ongoing “online plug-in stopped working” issue which sometimes happens when running the Online Plug-in within a Published Desktop.


When XenApp 6 got released the Online Plug-in began to be deployed on a XenApp build by default. In the old days, I remember that it was considered by many to be poor practice to put the pnAgent on a Presentation server. This seems to have "changed" and Citrix put it in by default, but I have seen quite a few "app crashed" issues occurring on otherwise working Published Desktops, due to attempting this way of doing ICA within ICA jumps.


Maybe the Receiver will become a panacea for this too?


GrayBlogga

Monday, August 24, 2009

vmware's little hypervisor kicks MS-bloated butt

The blogosphere's started to fill with references to the ongoing "who's smaller" hypervisor footprint-spat going on between MS & VMware. I've listed some relevant url's below, and made a (very) few comments:

MICROSOFT
http://blogs.technet.com/virtualization/archive/2009/08/12/hypervisor-footprint-debate-part-1-microsoft-hyper-v-server-2008-vmware-esxi-3-5.aspx

and part2 and part3.

Comments: YUK! Shame on an MS program manager for scoring a big own-goal with some wish-they-were-reasonable arguments. Fact: there are arguments for both sides. For example, should I use little slip-stream patches vs total image patches? After reading the reader comments on the MS blog & the VMware response below, I'm persuaded that VMware have the edge in both the argument and the methodology.

Interested parties owe it to themselves to review both sides of the argument before making up their minds.

VMWARE
http://blogs.vmware.com/virtualreality/2009/08/our-position-on-hypervisor-footprints-patching-vulnerabilities-and-whatever-else-microsoft-wants-to-throw-into-a-blog-post.html


And to think: I'm actually a Hyper-V fan!!! I just hate to see propaganda-rant filling up my RSS feeds.

cheers,
gray

Wednesday, July 22, 2009

Citrix chief architect puts the kibosh on Microsoft detractors (Briforum '09)

I'm @ Briforum 2009, the preferred conference for SBC-computing techies, held this year at the Hilton Chicago, IL.

Sitting in on Brad Pedersen's overview interview about the history of Citrix technology advances, I was surprised to hear his take on reasons why MS shook Citrix's tree back in 1997.

While some may point the finger at MS strong-arm tactics & potential-revenue hunting, Brad commented that MS may have had a higher priority. He made the point that NT was at that time "getting successful" (I would say, "taking off like a rocket in the enterprise"). His observation was that MS was primarily concerned with potential future fragmentation of the NT kernel, and had drawn a lesson from what had happened with UNIX-flavor vendoring, which had hurt individual UNIX vendors.

I'm not going to go into the ins & outs of what Citrix was doing with the NT kernel at the time, and why this could be an issue. A great article on this subject & the crisis, published by USA Today and written at the time by Kevin Maney, can be found here at

From my point of view though, in 1997 I was doing my MCSE on NT3.51. My dad was a UNIX-man, so I had an earful of various flavors available.

So Brad's comment sounded pretty valid, considering too that he's the chief architect at Citrix and has been with the company since 1989.

Good to see MS not always getting bad press for business strategies & takeover practices.

Monday, April 27, 2009

Attending BriForum 2009

I squeezed in my early-bird booking for Briforum 2009 late last week. I'll be a Briforum noob in Chicago later this year, but I have to admit to looking forward a good deal to hob-nobbing with the SBC gurus. ya ya.

Registration is still possible at http://briforum.com/html/register.html, but the price has gone up to $1495.

Recently, I was extremely impressed with Gabe's speedy response when I knocked over an email about some of the links not working on the ol' www.briforum.com/videos site. I picked this up before my snowboarding holiday about a month ago, but only flagged it up to brianmadden.com when I got back to work last week. Gabe fixed the links within about a day!

Obviously, no-one else noticed or acted in the interim, which leads me to wonder how many people actually look at the vids & documents on that site regularly. It would be interesting to see some briforum/videos download stats at some point.

I can attest to the recorded sessions having revolutionised my understanding of SBC computing, notwithstanding the fact that I've been "fiddling" with most versions of Citrix since the Winview-assic period.

Wednesday, April 22, 2009

Citrix Xenapp Feature Comparison doc

After a number of requests to compare the feature-set of the various Xenapp versions & licensing levels, I re-located the feature-set comparison document. This sales document has been updated with Xenapp 5. The link is below:

http://www.citrix.com/site/resources/dynamic/salesdocs/CitrixPresentationServer_ComparativeMatrix.pdf