Saturday, 17 November 2018

Who should use this guide?

This reviewer’s guide is designed to help you quickly install and configure XenApp® 7.8 for a trial evaluation. It guides you through a XenApp deployment scenario to help you better understand how the application delivery capabilities work with the FlexCast® Management Architecture (FMA). The instructions provide an evaluation method for the most common use cases for XenApp: hosted shared apps and hosted shared desktops.

Starting with release 7.0, XenApp and XenDesktop® use an identical code base and are delivered using the same software download. The difference is in how they are licensed and bought, which gives you the flexibility to pick the feature set and price point to suit different budgets and needs. While Citrix offers two separate guides to evaluate XenApp and XenDesktop, most concepts in this guide apply to both products. The trial license of XenDesktop, for example, allows you to try all features of XenApp using the single pane of glass for administering both XenApp and XenDesktop.

This guide was written using certain assumptions. The target reviewer will:
  1. Have prior knowledge of virtual machine (VM) management and Windows server infrastructure
  2. Possess experience in a system administration or technical reviewer role
  3. Be familiar, at least on a conceptual level, with previous versions of XenApp or XenDesktop
In the process of following this guide, the reviewer will use XenApp for the core datacenter infrastructure, Citrix StoreFront for access to the enterprise app store, and Citrix Receiver™ as the end user client software. An Active Directory infrastructure with DHCP and DNS services must be available as a prerequisite; setting it up is outside the scope of this guide.

The guide highlights the following key features in XenApp 7.8:
  1. FlexCast Management Architecture
  2. Friendly configuration wizards, inline validation
  3. Enhanced app publishing in Studio
  4. New user-interface of Citrix StoreFront 3.5 enterprise app store
  5. Citrix Director helpdesk, monitoring, and proactive notification
  6. Geographically distributed zones
  7. HDX enhancements: display graphics, input devices, and audio-video communications

For an in-depth evaluation and more details on the release, please see the Product Documentation.

What are the components of XenApp?

Here’s an overview of the unified infrastructure components:


The components numbered in Figure 1 are described below. The two white boxes on the far right of the graphic represent the physical hardware; the colored boxes represent the applications and resources that will be delivered from that hardware.
  1. Citrix Receiver™. This endpoint component provides users with self-service access to resources published on XenApp servers. Citrix Receiver is easy to deploy and use, and offers quick, secure access to hosted applications, desktops and data. Users can run it on a wide variety of devices, including low-cost thin-clients, tablets and mobiles, kiosks, and devices based on Linux, Mac, Windows, and Chrome OS.
  2. Citrix StoreFront. StoreFront enables you to create enterprise app stores that aggregate resources from XenApp 7.x, XenApp 6.x, XenDesktop, XenMobile, and cloud services.
  3. Citrix Studio. Studio is the primary console to configure and manage XenApp and XenDesktop deployments. Studio provides various wizards to guide you through the process of setting up your environment, creating desktops and assigning desktops to users.
  4. Citrix Director. This web-based console enables IT support and helpdesk teams to monitor XenApp and XenDesktop environments, troubleshoot issues before they become system critical and perform support tasks for end users.
  5. Delivery Controller. The delivery controller is responsible for distributing applications and desktops, managing user access and optimizing connections to applications. The delivery controller runs the broker services, which establish the HDX connection between end user devices and the resource. One or more delivery controllers make up a site.
  6. Server OS machines. These virtual or physical machines based on Windows server operating systems are used for delivering XenApp-based applications and XenApp-based desktops to users.
  7. Desktop OS machines. These virtual or physical machines based on Windows desktop operating systems are used for delivering the full XenDesktop VDI (virtual desktop infrastructure) to users. This concept is covered in the XenDesktop reviewer’s guide.
  8. Virtual Delivery Agent. The agent, which is installed on the virtual or physical machines hosting applications to be delivered to users, enables these machines to register with the delivery controllers. It also manages the HDX connection between the hosted applications and Citrix Receiver.
  9. Citrix NetScaler Gateway™. NetScaler Gateway terminates a virtual private network (VPN) for remote users coming over the Internet and communicates with StoreFront to deliver apps and desktops to authorized users. The optional security component does not fall under the scope of this paper, which considers only local users who access StoreFront directly.

Licensing
XenApp is designed for organizations interested in delivering applications today, but also gives them the flexibility to expand to the other FlexCast models, such as full desktops, at a later time. Unlike previous versions, such as XenApp 6.5, unified architecture in XenApp 7.8 has a single delivery infrastructure and the same consoles for delivering server-based applications (XenApp) and virtual desktops (XenDesktop).

XenApp 7.8 can be purchased either as a standalone license or bundled in one of the XenDesktop 7.8 editions. Since the code base for the two remains the same, upgrading from XenApp to XenDesktop is as easy as replacing the license key. There is no requirement for building a separate infrastructure and no new management consoles.

Important information for customers upgrading from XenApp 6.5

Until XenApp 6.5, the product used a different architecture known as Independent Management Architecture (IMA). All current releases of XenApp and XenDesktop use the FlexCast Management Architecture (FMA). If you are upgrading from XenApp 6.5, please review this documentation:
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-8/technical-overview/concepts.html

A significant enhancement in this release, compared to XenApp 6.5, is the concept of separating XenApp management from the Windows Server machines that host virtual apps or server-based desktops. XenApp 7.8 enables you to publish apps and server-based desktops from multiple platforms such as Windows Server 2008, 2012 and 2012 R2 – all from one instance of the product. Future upgrades are also simpler as a result, because it is not directly associated with a specific version of Windows Server.

Citrix NetScaler ADC Overview

The Citrix® NetScaler® ADC product line optimizes delivery of applications over the Internet and private networks. NetScaler is an application delivery controller (ADC) that accelerates application performance, enhances application availability with advanced L4-7 load balancing, secures mission-critical apps from attacks and lowers server expenses by offloading computationally intensive tasks. All these capabilities are combined into a single, integrated appliance for increased productivity, with lower overall total cost of ownership.

NetScaler is deployed in front of web, application and database servers. It combines high-speed L4-7 load balancing and content switching with application acceleration, data compression, static and dynamic content caching, SSL acceleration, network optimization, application performance monitoring, application visibility and robust application security via an application firewall.

NetScaler appliances are installed in the data center and route all connections to back-end servers. The NetScaler features that are enabled and the policies that are configured are then applied to incoming and outgoing traffic. NetScaler requires no additional client or server side software, and can be configured using the NetScaler web-based GUI, RESTful API (“Nitro”) and CLI configuration utilities.

NetScaler is available as a high-performance network appliance and a virtual appliance for maximum deployment flexibility. The hardware-based MPX appliances with multi-core processor designs are available in a wide range of models, from sub-gigabit throughput to 50 Gbps. Each leverages a fully hardened and secure operating system.

NetScaler appliances provide multi-dimensional scalability for a superior ROI. Pay-As-You-Grow and Burst Pack upgrade licenses enable specific models to be upgraded to higher-end models within a particular platform via a software license. NetScaler SDX models allow up to 40 fully independently managed NetScaler instances to run on a single platform. NetScaler with Citrix TriScale clustering allows up to 32 NetScaler appliances (of the same platform, model and edition) to be aggregated into a single group to increase aggregate app delivery capacity.

NetScaler solutions are available in three software editions: Standard, Enterprise, and Platinum. These editions offer the following feature sets:

Standard Edition
NetScaler Standard Edition provides comprehensive layer 4-7 load balancing and content switching, SSL acceleration and server offload capabilities.

Enterprise Edition
NetScaler Enterprise Edition is a highly integrated application delivery solution. It includes all Standard Edition capabilities, plus dynamic routing support, data compression (AppCompress), global server load balancing (GSLB), surge protection, priority queuing, L7 DoS protection, AAA for traffic management and cache redirection. Enterprise Edition also includes Citrix Command Center software.

Platinum Edition
NetScaler Platinum Edition is the most integrated and feature-rich NetScaler offering. It includes all Enterprise Edition capabilities, plus content caching (AppCache), web application firewall, NetScaler Cloud Bridge and EdgeSight for NetScaler application performance monitoring. It also includes Citrix Command Center software and NetScaler Cloud Bridge.

Note: NetScaler clustering license upgrades are available on all NetScaler MPX and VPX models and software editions.

Software Options
The following options are available for NetScaler MPX appliances.
  • Global Server Load Balancing (GSLB) - Directs user requests to the data center best able to handle it. Requests can be redirected based on dynamic changes in global network performance, site connectivity and availability. Server location, load and many other factors determine the optimal server to use.
  • NetScaler AppCompress™ - Improves end-user performance and reduces bandwidth consumption by compressing HTML/text content before transmission to clients. AppCompress supports both encrypted and unencrypted data.
  • AppCache™ – Citrix NetScaler AppCache improves application performance by storing cacheable content, both static and dynamic, directly on the NetScaler platform. Multiple techniques ensure content freshness.
  • NetScaler Application Firewall™ – NetScaler Application Firewall ensures security at the application layer. It is an ICSA-certified web application firewall that automatically blocks malicious web traffic.
  • Citrix EdgeSight™ for NetScaler – EdgeSight for NetScaler is a transparent tool to measure end-user performance, and does not require a client-based agent. EdgeSight for NetScaler helps evaluate performance issues and monitor trends to anticipate future unacceptable performance levels allowing proactive network changes. Numerous application performance parameters, such as time to download a page and round trip response times, are stored and displayed in a variety of formats.
Network Topology

Where Does a NetScaler Fit in the Network?

NetScaler resides in front of web and application servers, so that client requests and server responses pass through it. In a typical installation, virtual servers (vservers) configured on the NetScaler provide connection/termination points that clients use to access the applications delivered by NetScaler. In this case, the NetScaler owns public IP addresses that are associated with its vservers, while the real servers are isolated in a private network. It is also possible to operate the NetScaler in a transparent mode as an L2 bridge or L3 router, or even to combine aspects of these and other modes.

Physical Deployment Modes

NetScaler can be deployed in either of two physical modes: inline and one-arm. In inline mode, multiple network interfaces are connected to different Ethernet segments, and the NetScaler is placed between the clients and the servers. The NetScaler has a separate network interface to each client network and a separate network interface to each server network. The NetScaler and the servers can exist on different subnets in this configuration. It is possible for the servers to be in a public network and the clients to directly access the servers through the NetScaler, with the NetScaler transparently applying the L4-L7 features. Usually, vservers are configured to provide an abstraction of the real servers.

The following figure shows a typical inline deployment.


In one-arm mode, only one network interface of the NetScaler is connected to an Ethernet segment. The NetScaler in this case does not isolate the client and server sides of the network, but provides access to applications through configured vservers. One-arm mode can simplify network changes needed for NetScaler installation in some environments.


Citrix NetScaler as an L2 Device

A NetScaler functioning as an L2 device is said to operate in L2 mode. In L2 mode, the NetScaler forwards packets between network interfaces when all of the following conditions are met:
  • The packets are destined to another device’s media access control (MAC) address.
  • The destination MAC address is on a different network interface.
  • The network interface is a member of the same virtual LAN (VLAN).
By default, all network interfaces are members of a pre-defined VLAN, VLAN 1. Address Resolution Protocol (ARP) requests and responses are forwarded to all network interfaces that are members of the same VLAN. To avoid bridging loops, L2 mode must be disabled if another L2 device is working in parallel with the NetScaler.

Citrix NetScaler as a Packet Forwarding Device

A NetScaler can function as a packet forwarding device, and this mode of operation is called L3 mode. With L3 mode enabled, the NetScaler forwards any received unicast packets that are destined for an IP address that it does not have internally configured, if there is a route to the destination. A NetScaler can also route packets between VLANs.

In both modes of operation, L2 and L3, a NetScaler generally drops packets that are in:
  • Multicast frames
  • Unknown protocol frames destined for a NetScaler’s MAC address (non-IP and non-ARP)
  • Spanning Tree protocol (unless BridgeBPDUs is ON)

XenMobile Deployment Prerequisites

Topics:
  • Gathering Information Before You Deploy XenMobile Components
  • Opening Ports for the XenMobile Solution
  • Gathering Network Information
  • Obtaining and Installing Certificates
Before you deploy the XenMobile solution and install the components, make sure you have the right prerequisites and system requirements. This effort will prepare you to configure the network settings, open ports in your firewall, install certificates and licenses, and configure authentication. This section details the deployment information you need to gather and includes the XenMobile Solution Pre-Installation Checklist to guide you through the recommended settings.

Gathering Information Before You Deploy XenMobile Components

Before you install XenMobile components in your network, you need the right prerequisites. These prerequisites include:
  • Network settings. These settings include IP addresses, ports, DNS, Network Time Protocol (NTP) and SMTP servers, and the IP address or fully qualified domain name (FQDN) of a load balancer.
  • Hardware and sizing requirements. These include Windows Servers, hypervisors, and NetScaler Gateway requirements. The NetScaler Gateway appliance you select (VPX, MPX, or SDX) determines the maximum number of user connections to your XenMobile deployment.
  • Certificates. These include server, root, intermediate, Apple Push Notification Service (APNS), and certificates for wrapping mobile apps with the MDX Toolkit.
  • Licenses. Licenses are required for XenMobile MDM Edition and NetScaler Gateway.
  • Active Directory settings. These settings are required for XenMobile MDM Edition and for XenMobile App Edition.
  • Authentication method. Before deploying XenMobile components, it's important to decide on an authentication method. For example, you should decide if you are implementing the Worx PIN that you configure in App Controller. The Worx PIN caches Active Directory credentials and works with client certificate authentication. Authentication settings can enable LDAP, RADIUS, one-time passwords, client certificate authentication, and two-factor authentication. If users connect to internal web sites, you need to configure authentication for NetScaler Gateway and SharePoint to allow single sign-on (SSO) to work.
Note: If you implement an authentication method for users and then change the method after users enroll, users will need to enroll again.
  • Load balancers. Load balancers manage connections to your XenMobile deployment. You might also need to plan for packet inspection appliances to monitor network traffic entering your internal network.
  • Email server and data synchronization settings. These settings include Exchange Server and ActiveSync configurations for XenMobile MDM Edition and WorxMail.
  • Databases. These databases include either Microsoft SQL Server or Postgres for XenMobile MDM Edition. The Postgres database comes with XenMobile MDM Edition and installs when you install Device Manager.
Note: Citrix recommends that you use Microsoft SQL Server. You should only use PostgreSQL in test deployments.

Opening Ports for the XenMobile Solution

To allow devices and apps to communicate with each XenMobile component, you need to open ports in your firewall. The following tables define the ports you need to open.

Opening Ports for NetScaler Gateway and App Controller

You need to open the following ports to allow user connections from Worx Home, Receiver, or the NetScaler Gateway Plug-in through NetScaler Gateway to App Controller, StoreFront, XenDesktop and to other internal network resources, such as intranet web pages.
  • If NetScaler Gateway can reach the authentication server through a system IP (NSIP) subnet, the appliance uses the NSIP as the source IP. If the authentication server is not on a local subnet to the NSIP, the source IP is the subnet IP (SNIP). You should configure the firewall rules accordingly.
  • For the sake of this guide, the listed ports are the default settings for the associated protocols. You may need to adjust the port configuration if your environment uses custom ports for any of the associated services. The list is also not exhaustive; advanced features not covered in this guide may use additional ports.
Gathering Network Information

You need to identify the following network settings and configure appropriate server settings before you install the XenMobile components in your network:
  • IP addresses for each XenMobile component. For example, for NetScaler Gateway, you need the system IP (NSIP) and the subnet IP (SNIP) addresses.
  • Opening the appropriate ports in your firewall to allow network traffic to communicate with each component.
  • Domain Name Servers (DNS) for name resolution with users inside your network and users who connect from remote locations. You might need different IP addresses for each DNS server.
  • Network Time Protocol (NTP) server. The NTP server synchronizes the time between all of your network components. Citrix recommends that you use an NTP server for your XenMobile deployment.
  • SMTP server for email. When you configure an SMTP server, you need the fully qualified domain name (FQDN) of the email server, such as mail.mycompany.com. You also need to identify the port, the email addresses used for the send function, and user email addresses and passwords.
The XenMobile Pre-Installation checklist includes a section where you can write down all of your network settings. You might need to coordinate with other team members to configure the ports and servers you need for the XenMobile deployment.

Obtaining and Installing Certificates

Certificates are used to create secure connections and authenticate users.

XenMobile MDM requires a certificate from the Apple Push Notification Service (APNS). XenMobile MDM also uses its own PKI service or obtains certificates from the Microsoft Certificate Authority (CA) for client certificates.

All Citrix products support wildcard and SAN certificates. For most deployments, you only need two wildcard or SAN certificates. You can use the following formats:
  • External - *.mycompany.com
  • Internal - *.myinternaldomain.net
For NetScaler Gateway and App Controller, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the NetScaler Gateway configuration utility or the App Controller management console. After you create the CSR, submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on NetScaler Gateway or App Controller.
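
As an added example (not part of the original guide), the Python sketch below checks which planned host names the two wildcard formats above would cover, using the common RFC 6125 matching rule in which `*` stands for exactly one leftmost label. The host names in `PLANNED_HOSTS` are constructed for illustration.

```python
"""Check which planned host names a set of wildcard/SAN certificate names covers."""


def _labels(name):
    # DNS names compare case-insensitively; a trailing root dot is ignored.
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name, host):
    """Return True if cert_name (exact or wildcard) covers host.

    Follows the common RFC 6125 reading: '*' must be the whole leftmost
    label and stands for exactly one label.
    """
    pattern, target = _labels(cert_name), _labels(host)
    if len(pattern) != len(target) or "" in target:
        return False
    if any("*" in label for label in pattern[1:]):
        return False  # wildcard anywhere but the leftmost label
    if pattern[0] == "*":
        # Require two labels after the wildcard so '*.com' never matches.
        return len(pattern) >= 3 and pattern[1:] == target[1:]
    if "*" in pattern[0]:
        return False  # partial wildcards such as 'gw*' are not honoured
    return pattern == target


def coverage(cert_names, hosts):
    """Map each host to the first certificate name covering it, else None."""
    return {
        host: next((n for n in cert_names if name_matches(n, host)), None)
        for host in hosts
    }


# The two wildcard formats from the text above.
CERT_NAMES = ["*.mycompany.com", "*.myinternaldomain.net"]

# Constructed host names, for illustration only.
PLANNED_HOSTS = [
    "gateway.mycompany.com",      # one label under the wildcard: covered
    "mycompany.com",              # the bare domain is not covered
    "mdm.emea.mycompany.com",     # two labels deep: not covered
    "appc.myinternaldomain.net",  # covered by the internal wildcard
]

if __name__ == "__main__":
    for host, name in coverage(CERT_NAMES, PLANNED_HOSTS).items():
        print(f"{host:28} {name or 'NOT COVERED: needs its own SAN entry'}")
```

Any host reported as not covered needs an explicit SAN entry or a separate certificate before users are pointed at it.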

For more information about installing certificates, see the following topics in Citrix eDocs:
  • NetScaler Gateway: Installing and Managing Certificates
  • App Controller: Configuring Certificates in App Controller
  • Device Manager: Requesting an APNS Certificate
Configuring Client Certificates for Authentication

NetScaler Gateway supports the use of client certificates for authentication. Users logging on to a NetScaler Gateway virtual server can also be authenticated based on the attributes of the client certificate that is presented to the virtual server. Client certificate authentication can also be used with another authentication type, such as LDAP or RADIUS, to provide two-factor authentication.

To authenticate users based on the client-side certificate attributes, client authentication should be enabled on the virtual server and the client certificate should be requested. You must bind a root certificate to the virtual server on NetScaler Gateway.

When users log on to the NetScaler Gateway virtual server, after authentication, the user name information is extracted from the specified field of the certificate. Typically, this field is Subject:CN. If the user name is extracted successfully, the user is then authenticated. If the user does not provide a valid certificate during the Secure Sockets Layer (SSL) handshake or if the user name extraction fails, authentication fails.

You can authenticate users based on the client certificate by setting the default authentication type to use the client certificate. You can also create a certificate action that defines what is to be done during the authentication based on a client SSL certificate.
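
The decision flow described above, as an added Python example that is not Citrix code: a certificate that fails validation, or whose configured field (here `Subject:CN`) cannot be extracted unambiguously, results in failed authentication. The `chain_valid` flag, the sample subjects and the choice to reject repeated or padded CN values are assumptions of this sketch; the page does not describe how the appliance handles those cases.

```python
"""Fail-closed user name extraction from a client certificate subject."""
import string


class CertAuthError(Exception):
    """Raised whenever certificate authentication must fail."""


def _split_unescaped(text, sep):
    # Split on sep, but not where sep is protected by a backslash escape.
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape; decoded later
            i += 2
        elif text[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    # RFC 4514: backslash + two hex digits is a byte, backslash + char is literal.
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")  # invalid byte sequences raise ValueError


def parse_dn(dn):
    """Parse an RFC 4514 DN string into a list of (TYPE, value) pairs."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):  # multi-valued RDN
            key, eq, value = ava.partition("=")
            if not eq or not key.strip():
                raise ValueError(f"malformed DN component: {ava!r}")
            pairs.append((key.strip().upper(), _unescape(value)))
    return pairs


def user_from_certificate(cert, field="Subject:CN"):
    """Return the user name from the configured field, or raise CertAuthError."""
    if not cert or not cert.get("chain_valid"):
        raise CertAuthError("no valid client certificate presented")
    section, _, attr = field.partition(":")
    dn = cert.get(section.lower())
    if not dn or not attr:
        raise CertAuthError(f"field {field} is not available")
    try:
        values = [v for k, v in parse_dn(dn) if k == attr.upper()]
    except ValueError as exc:
        raise CertAuthError(f"cannot parse {section}: {exc}") from exc
    if len(values) != 1:
        # Assumption: an absent or repeated attribute is ambiguous, so reject.
        raise CertAuthError(f"expected exactly one {attr}, found {len(values)}")
    name = values[0]
    if not name or name != name.strip() or any(ord(c) < 32 for c in name):
        raise CertAuthError("extracted user name is empty or malformed")
    return name


def try_login(cert, field="Subject:CN"):
    """Return (user, None) on success or (None, reason) on failure."""
    try:
        return user_from_certificate(cert, field), None
    except CertAuthError as exc:
        return None, str(exc)


# Constructed handshake results, for illustration only.
SAMPLES = {
    "plain": {"chain_valid": True, "subject": "CN=jsmith,OU=Sales,O=My Company"},
    "escaped_comma": {"chain_valid": True, "subject": "CN=Smith\\, John,OU=Sales"},
    "two_cn": {"chain_valid": True, "subject": "CN=admin,CN=jsmith,O=My Company"},
    "no_cn": {"chain_valid": True, "subject": "OU=Sales,O=My Company"},
    "untrusted": {"chain_valid": False, "subject": "CN=jsmith,O=Elsewhere"},
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        print(label, try_login(cert))
```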

Building Your XenMobile Solution

Topics:

  • Deploying XenMobile Components
  • Deploying NetScaler Gateway with App Controller and StoreFront
  • Deploying Device Manager
  • Deploying the MDX Toolkit
  • Deploying the Entire XenMobile Solution

The XenMobile components you deploy are based on the device or app management requirements of your organization. The components of XenMobile are modular and build on each other. For example, suppose you want to give users in your organization remote access to mobile apps and you need to track the device types with which users connect. In this scenario, you would deploy NetScaler Gateway, XenMobile Device Manager, and App Controller.

This section discusses this and additional scenarios for deploying the XenMobile components in your network, as well as for the NetScaler appliance. The topics include architectural diagrams, information about the Citrix products you can integrate into your deployment, a recommended order in which to deploy the components, and the ways users connect depending on the deployment scenario you implement.

Deploying XenMobile Components

You can deploy XenMobile components to enable users to connect to resources in your internal network in the following ways:
  • Connections to the internal network. If your users are remote, they can connect by using a VPN or Micro VPN connection through NetScaler Gateway to access apps and desktops in the internal network.
  • Device enrollment in Device Manager. Users can enroll mobile devices in Device Manager so you can manage the devices that connect to network resources.
  • Web, SaaS, and mobile apps from App Controller. Users can access their web, SaaS, and mobile apps from App Controller by using Worx Home or Receiver.
  • Windows-based apps and virtual desktops. Users can connect with Citrix Receiver or a web browser to access Windows-based apps and virtual desktops from StoreFront or the Web Interface.
To achieve some or all of these capabilities, Citrix recommends deploying XenMobile components in the following order:
  • NetScaler Gateway. You can configure settings in NetScaler Gateway to enable communication with App Controller, StoreFront, or the Web Interface by using the Quick Configuration wizard. You must install App Controller, StoreFront, or the Web Interface before using the Quick Configuration wizard in NetScaler Gateway.
  • Device Manager. After you install Device Manager, you can configure policies and settings that allow users to enroll their mobile devices.
  • App Controller. After you install App Controller, you can configure mobile, web, and SaaS apps. Mobile apps can include apps from the Apple App Store or Google Play. Users can also connect to mobile apps you wrap with the MDX Toolkit and upload to App Controller.
  • MDX Toolkit. You can wrap .ipa or .apk apps and Worx apps with the MDX Toolkit. After you wrap the apps, you can upload the apps to App Controller.
  • StoreFront (optional). You can provide access to Windows-based apps and virtual desktops from StoreFront through connections with Receiver.
  • ShareFile Enterprise (optional). If you deploy ShareFile, you enable enterprise directory integration through App Controller or Security Assertion Markup Language (SAML). For more information about ShareFile, see ShareFile Enterprise in Citrix eDocs.
If you install all of the XenMobile components in your network, the deployment may look like the following figure:


The topics in this section detail the possible deployment scenarios in your network for the XenMobile components, as well as for the NetScaler appliance. The topics include architectural diagrams, information about the Citrix products you can integrate into your deployment, and the ways users connect depending on the deployment scenario you implement.

Deploying NetScaler Gateway with App Controller and StoreFront

You can deploy NetScaler Gateway at the perimeter of your organization's internal network (or intranet) to provide a secure single point of access to the servers, applications, and other network resources that reside in the internal network. In this deployment, all remote users must connect to NetScaler Gateway before they can access any resources in the internal network.

You can deploy NetScaler Gateway with the following Citrix products:
  • XenMobile App Edition
  • StoreFront
  • XenApp
  • XenDesktop
  • Web Interface
Users can connect to resources in your internal network by using the following methods:
  • Worx Home for users who connect with mobile devices and need access to MDX mobile apps. Users must connect with Worx Home on the mobile device to access MDX apps.
  • Receiver so users can access Windows-based applications and desktops hosted by XenApp or XenDesktop. To allow users access to their Windows-based apps, you must deploy StoreFront or the Web Interface. If users connect with Receiver on a Windows or Mac computer, MDX apps are not available to users.
  • Optionally, users can also connect with the NetScaler Gateway Plug-in for full VPN access to the internal network. Users can access email servers, file shares, and web servers with the NetScaler Gateway Plug-in for Windows or the NetScaler Gateway Plug-in for Mac.
The way you deploy App Controller in your internal network depends on how users connect: with Worx Home or with Receiver. In either scenario, you install NetScaler Gateway in the DMZ.

You can deploy the App Controller virtual machine (VM) on XenServer, VMware ESXi, or Microsoft Hyper-V located in your internal network. Users can connect to App Controller from an external connection (the Internet) or from the internal network. If users connect from the Internet or a remote location, the connection must route through NetScaler Gateway. App Controller resides in the internal network behind the firewall.

Allowing Access to MDX Apps Through NetScaler Gateway

If users connect with Worx Home and you have MDX mobile apps installed on App Controller, you place StoreFront behind App Controller in your internal network. Users can connect to App Controller through NetScaler Gateway in the DMZ to obtain their web, SaaS, Android and iOS mobile apps, along with documents from ShareFile. StoreFront resides behind App Controller to deliver Windows-based apps and virtual desktops as shown in the following figure:


Deploying Device Manager

In order to get your users' devices under management, users need to enroll their devices into Device Manager. To get started, you install Device Manager in your network. Next, you connect to Active Directory to import users by using the LDAP wizard. Then, you configure the following settings in Device Manager:
  • Enrollment
  • Policies
  • Apps

When you finish configuring Device Manager, you can send enrollment invitations to your users. The invitation contains a link that allows users to download Worx Enroll, which then allows users to enroll their devices in Device Manager. When users log on, Device Manager authenticates the user's identity and enrolls the device.

Citrix recommends that you deploy NetScaler or NetScaler Gateway for security. You deploy NetScaler or NetScaler Gateway in the DMZ with Device Manager, as shown in the following figure. When you deploy NetScaler or NetScaler Gateway, you can use the XenMobile NetScaler Connector (XNC) to control access to email, calendar, and contacts from mobile devices. In this deployment, after enrollment, user devices connect to NetScaler or NetScaler Gateway to access resources.

If users enroll their iOS devices, the devices and Device Manager must communicate with the Apple Push Notification Service (APNS).


The preceding figure also shows the ports you need to open to enable the connections. You must open all of the ports behind the firewall for each identified service. For details about the ports, see Opening Ports for the XenMobile Solution. For details about the APNS server, also shown in the preceding figure, see Requesting an APNS Certificate in the Device Manager documentation in Citrix eDocs.

Deploying the MDX Toolkit

Mobile app management allows you to securely manage and deliver mobile apps to users. With the Citrix MDX Toolkit, you can wrap iOS and Android apps to secure access and enforce policies. After you wrap the app, you can upload the app to XenMobile App Edition and configure MDX policies. Users can then download and install the app from Citrix Receiver. They can subsequently open and work with the app from an icon on the home screen, on the mobile device, or from the Receiver home page.

For more information about MDX policies for Android and iOS mobile apps in App Controller 2.8, see the following topics in Citrix eDocs:
  • Configuring MDX Policies for Android Apps in App Controller
  • Configuring MDX Policies for iOS Apps in App Controller

Deploying the Entire XenMobile Solution

If you deploy all of the components of the XenMobile solution, you have successfully completed the following tasks:
  • Opened the required ports for communication between each component.
  • Installed each component in your network.
  • Successfully tested connections from user devices.
The next section discusses the deployment prerequisites and includes a checklist for you to use to get ready for your deployment. The subsequent sections contain component installation steps, and configuration tests you can carry out.

The following figure shows the complete solution:

First Impressions of the Plant

When I sat down to collect my thoughts, I realized that my impressions were even worse than I had consciously realized. Without the threat of George knocking me on my butt, the truth of what I saw came out pretty freely—and the truth was ugly. The word “ugly” stuck in my mind.

I remembered that when I got started in consulting, a friend in the business told me, “You never want to tell the customer he has an ugly baby.” That was his not-so-charming way of saying that you don’t badmouth the customers’ processes or initiatives—especially when they’ve attempted to instill a positive improvement.

I tried to keep that in mind as I prepared my notes, but it wasn’t easy. Sid had an ugly baby.

At exactly 4:30 p.m., I walked out of the conference room and headed toward Sid’s office. About 20 feet from the door, George called from behind, “Hey, Sam, wait up.” He jogged the few steps to catch up with me and said, “Hope you don’t mind, but Sid asked me to join you.”

Sid was waiting and looked eager, so I began talking as soon as we had exchanged pleasantries. Now, sensitive I’m not. If I were, I would have noticed the look on both their faces as I waded deeper into my impressions of the facility. When I was finished running down my laundry list of things that were wrong, I looked up at them and was genuinely amazed by the shocked look in their eyes.

I immediately looked down at the scribbled notes in my lap to see what I had said that would have been so devastating to the two men:

  • The plant is filthy.
  • There’s no control of parts that don’t meet specifications.
  • There’s no semblance of lot control for work in process or finished goods inventory.
  • Operators are performing their work sloppily and to no particular standard.
  • There’s no apparent flow to the processes.
  • There’s so much inventory that no one knows what they have and what they don’t have.
  • There are excess and broken tooling and fixtures scattered everywhere in the plant.
  • The lighting is very poor and work conditions are unsafe.
  • All raw inventory is contaminated and there is no sure method of controlling inventory. Raw material is stored alongside the production lines and appears to have been there for years.
  • Material handlers are running all over the plant with nothing on their forklifts, wasting gas and endangering each other and the process operators.
  • Hazardous material is not stored properly.
  • There are years of inventory on trailers out back. (This is what I was afraid of when I parked earlier in the day.)
  • The few control charts scattered about the plant are outdated by months—but no one is even looking at them anyway, thank goodness!
  • The processes are producing in batches because the setup times are so long.
  • The last processes before final inspection are being starved for part assemblies for hours because of the batch and queue methods.
  • People are standing all over the plant waiting for something to do.

Uh-oh, maybe I’d gone a little overboard! Sometimes I have a tendency to forget that I’m talking about someone’s business when I give my impressions.

From the looks on their faces, I may have just stepped over the line. I slowly moved my chair a little closer to the door. As an afterthought, I finished my onslaught with “Look at it this way: knowing there’s a problem is half the battle.”

Sometimes only people on the outside will make honest, candid assessments of a process or business.

Sid took a minute before he responded. I’m sure he was clenching and unclenching his fists under the desk.

“Sam, I’m not sure you remember why I asked you here.” He cleared his throat and continued. “I’m not looking for your opinion of the state of my company.” More throat clearing. “I just wanted to know which machine I should purchase to make sure I meet my upcoming customer demands.”

My response to this comment made my earlier litany look like child’s play. I looked directly at him and spoke once more without my “fit for human interaction filter” in the “on” position.

“Look, Sid, if you keep up the way you’re going out there today, you won’t have any problems meeting your customer demands—because you won’t have any customers.”

Before Sid could get in his next comment, I decided to finish my thoughts.

I don’t know exactly the words I used, but they were something to the extent that SG’s quality had to be below one sigma with all the things they were doing wrong and that their inventory turns were a joke.

They looked puzzled. After I paused to let it sink in, I made my point. “One sigma,” I explained, “means your yield is only 31%. Most companies operate at between three and four sigma, which means yields around 93% to 99%.”

Then I pointed out that if they wanted to compete in today’s market, they were going to have to learn to be more efficient and focus on eliminating waste from all their processes, because if their manufacturing processes were bad, I had to assume that their transactional processes were in even worse shape. Of course we couldn’t be sure because everything was in such disarray that we couldn’t even tell how bad things were. On top of all that, the employees were so pissed off that they wouldn’t tell you if the building was burning down.

George finally shook himself out of shock and said there was no way I could tell all those things from a brief 45-minute walk through the plant. He also mumbled under his breath that he should have known I’d try to dig in and get paid my daily rate forever….

Ignoring the last comment, I conceded that George might be right about my quick assessment. So I asked some basic questions:

  • What are your inventory turns?
  • What is your overall quality level?
  • Do you measure quality as a percentage or as parts per million?
  • Do you final-inspect every product you build?
  • How do you determine your inventory levels?
  • What does your preventive maintenance schedule look like?
  • What is your operator interface? How does an operator know the state of the process?
  • Are your margins on some products negative?
  • Do your employees understand the concept of waste?
  • When was the last employee suggestion for improvement made?
  • How often do you conduct a physical inventory?
  • What is the rate of over/under you typically see in inventory?

As George responded to each of my questions (usually failing to provide an answer other than “I don’t know”), a look of caution began to form on Sid’s face.

By the time the questions were through, Sid looked at me and said, “I’ve heard about that sigma stuff and inventory turns, but I don’t really know much about any of it. So what should I do?”

The answer I gave really surprised Sid—and I think it pissed him off as well.

“We need to get organized out there.

“Just give me a week and I’ll work with one of your teams and we’ll start a program of Five S in your facility. I’ll teach them what Five S means and how it applies, then work with them to establish the principles in their work area. After that, we can select some of your more dedicated people and have them teach the technique across the organization.”

Establish metrics that are meaningful for the health of your business. Metrics—measures against which current procedures and finished products can be compared—will be different for each organization. These metrics will be the goals that the company should always be working to achieve. If it matters, it will be measured.

At this George started forming a smile that grew until finally he was grinning from ear to ear.

“Yeah,” he said, “I’m gonna love seeing you try to get these guys to clean up their work area. There’s no way in hell they’ll ever do it. We can’t even get them to walk to the trash can at lunch time. They just leave everything laying all over the snack bar for someone else to clean up.”

George went on to explain how SG had to hire a cleanup crew to go behind every shift and pick up after the employees in order to keep the health inspector off their case.

I gave George my “I understand” nod and said, “Just give me the week and tell me where you want to start. If I fail, you pay for one week and I’ll be gone. If I succeed, you may find that we can increase your capacity and margins considerably without any capital expense—and that would be a good thing.”

George started to argue, but Sid held up his hand and said, “You’ve got a deal. Tell us which day you want to start; we’ll have the training room set up and the people there for you. You have one week to make this Five S thing work. Then we’ll meet with the team you’re training and discuss the results.”

George just shook his head and looked at the floor.

After giving Celia the date I wanted to have the first session and shaking hands with Sid and George, I walked out to the car to drive home. It was already dark outside and I had a lot of planning and thinking to do.

Key Points

  • To compete in today’s market, companies must learn to be more efficient and focus on eliminating waste from all their processes.
  • A good way to begin a Lean Six Sigma initiative is with a program of Five S.

Friday, 16 November 2018

A Powerful Strategy for Sustained Success

THE MOST CHALLENGING question confronting business leaders and managers in the new millennium is not “How do we succeed?” It’s: “How do we stay successful?”

Business today offers the spectacle of a succession of companies, leaders, products, and even industries getting their “15 minutes of fame” and then fading away. Even corporate powerhouses—the IBMs, Fords, Apples, Kodaks, and many others—go through dramatic cycles of near-death and rebirth. It’s like riding the wheel of fortune as consumer tastes, technologies, financial conditions, and competitive playing fields change ever-more-quickly. In this high-risk environment, the clamor for ideas on how to get the edge, stop the wheel (while on top, of course), or anticipate the next change gets louder and louder. Hot new answers are almost as common as hot new companies.

Six Sigma can seem like another “hot new answer.” But looking closer, you’ll find there is a significant difference: Six Sigma is not a business fad tied to a single method or strategy, but rather a flexible system for improved business leadership and performance. It builds on many of the most important management ideas and best practices of the past century, creating a new formula for 21st-century business success. It’s not about theory, it’s about action. Evidence of the power of the Six Sigma Way is already visible in the huge gains tallied by some very high-profile companies and some not-so-high-profile ones, which we’ll examine in a moment. Just as important, though, is the role Six Sigma plays in building new structures and practices to support sustained success.

The goal of The Six Sigma Way is to enable you to understand what Six Sigma is (both a simple and a complex question), why it’s probably the best answer to improved business performance in years, and how to put it to work in the unique environment of your organization. In our mission to demystify Six Sigma for the executive and professional, we hope to show you that it’s just as much about a passion for serving customers and a drive for great new ideas as it is about statistics and number-crunching; that the value of Six Sigma applies just as much to marketing, service, human resources, finance, and sales as it does to manufacturing and engineering. In the end we hope to give you a clearer picture of how Six Sigma—the system—can dramatically raise your odds for staying successful, even as you watch other companies ride one wave of good times only to wipe out on the next. (Our first and last surfing analogy!)

Some Six Sigma Success Stories

Seeing the impact that Six Sigma is having on some leading companies sets the stage for understanding how it can impact your business. As we relate some of these results, we’ll also be reviewing the history that has brought Six Sigma to the forefront.

General Electric

“Six Sigma has forever changed GE. Everyone—from the Six Sigma zealots emerging from their Black Belt tours, to the engineers, the auditors, and the scientists, to the senior leadership that will take this Company into the new millennium—is a true believer in Six Sigma, the way this Company now works.” —GE Chairman John F. Welch1

When a high-profile corporate leader* starts using words like “unbalanced” or “lunatics” in connection with the future of the company—you might expect a plunge in the company’s share price. At General Electric, however, that passion and drive behind Six Sigma have produced some very positive results.

* Since launching GE’s effort in 1995, Jack Welch has urged his top lieutenants to become “passionate lunatics” about Six Sigma. He has described GE’s commitment to Six Sigma as “unbalanced.”

The hard numbers behind GE’s Six Sigma initiative tell just part of the story. From an initial year or so of break-even efforts, the payoff has accelerated: $750 million by the end of 1998, a forecasted $1.5 billion by the end of 1999, and expectations of more billions down the road. Some Wall Street analysts have predicted $5 billion in gains from the effort, early in the decade. GE’s operating margins—for decades in the 10 percent range—continue to hit new records quarter after quarter. The numbers are now consistently above 15 percent, and even higher in some periods. GE leaders cite this margin expansion as the most visible evidence of the financial contribution made by Six Sigma.

Improvements from Services to Manufacturing

The financial “big picture,” though, is just a reflection of the many individual successes GE has achieved through its Six Sigma initiative. For example:

  • A Six Sigma team at GE’s Lighting unit repaired problems in its billing to one of its top customers—Wal-Mart—cutting invoice defects and disputes by 98 percent, speeding payment, and creating better productivity for both companies.
  • A group led by a staff attorney—a Six Sigma team leader—at one of GE Capital’s service businesses streamlined the contract review process, leading to faster completion of deals—in other words, more responsive service to customers—and annual savings of $1 million.
  • GE’s Power Systems group addressed a major irritant with its utility company customers, simply by developing a better understanding of their requirements and improving the documentation provided along with new power equipment. The result: Utilities can respond more effectively to their regulatory agencies, and both the utilities and GE have saved hundreds of thousands of dollars a year.
  • The Medical Systems business—GEMS—used Six Sigma design techniques to create a breakthrough in medical scanning technology. Patients can now get a full-body scan in half a minute, versus three minutes or more with previous technology. Hospitals can increase their usage of the equipment and achieve a lower cost per scan, as well.
  • GE Capital Mortgage analyzed the processes at one of its top performing branches and—expanding these “best practices” across its other 42 branches—improved the rate of a caller reaching a “live” GE person from 76 to 99 percent. Beyond the much greater convenience and responsiveness to customers, the improved process is translating into millions of dollars in new business.

The Actions behind the Results

GE’s successes are the result of a “passionate” commitment and effort. Notes Welch: “In nearly four decades with GE I have never seen a Company initiative move so willingly and so rapidly in pursuit of a big idea.”2 Tens of thousands of GE managers and associates have been trained in Six Sigma methods—a hefty investment in time and money (which is appropriately deducted from the gains cited earlier). The training has gone well beyond “Black Belts” and teams to include every manager and professional at GE—and many front-line people as well. They’ve instilled a new vocabulary revolving around customers, processes, and measurement.

While dollars and statistical tools seem to get the most publicity, the emphasis on customers is probably the most remarkable element of Six Sigma at GE. As Jack Welch explains it:


The best Six Sigma projects begin not inside the business but outside it, focused on answering the question—how can we make the customer more competitive? What is critical to the customer’s success? . . . One thing we have discovered with certainty is that anything we do that makes the customer more successful inevitably results in a financial return for us.

Thursday, 15 December 2016

Lean: Listening to the Process

George was surprised when he walked into the conference room the next morning. I was already making notes on the whiteboard and all the members of Michelle’s work team were sitting around the large conference table.

I had written in large bold letters at the top of the board:

Balancing Work Flow
As George took his seat, the chatter in the room died down and we began the meeting. I started off by explaining that the crow’s-nest view made it evident that Michelle’s process was still the bottleneck.
Despite the obvious issues surrounding CNC machine #14 that George and I had looked at on our tour of the plant, we had to prioritize projects. Michelle and her team were already involved in the Six Sigma implementation and training and the problems they had on the main line were more important than the single CNC machine. We had to find a way to eliminate the capacity issue and free up some extra time so that Michelle’s team could run in sync with the rest of the plant.

I was starting to facilitate a brainstorming session when Michelle stood up and suggested that we move to the factory floor. Everyone thought that was an excellent idea, so we picked up our flipchart and walked out to the process. The night shift had agreed to stay over an hour to continue the process while we conducted the meeting and they were hard at work when we walked up to the line.

The Five S and Visual Factory work completed earlier by the team made it very easy to see the flow of the process. Material and quality issues were readily apparent just by watching the process in action. When the team members began brainstorming, the ideas came faster than I could add them to the list.

“Whoa!” I shouted. “I can’t keep up with you guys! Slow down! Or, better yet, who wants to take over as scribe for this session?”

George didn’t really volunteer; he just took the pen from me and started writing. While relieving my hand cramp, I had the opportunity to watch the process for a while. I turned to George and said, “Add ‘rework’ to the list.”

George started to write down rework, but Michelle stopped him. In fact, all of the members turned around and looked at me like I was crazy.
Bob, one of the newer employees on the line, spoke up.

“What are you talking about? We don’t have any rework on this line. Our first-time yield on this process is over 98%.” 
I held my hands up to stop Bob from going on.

“Wait, wait, wait! I’m not trying to insinuate that you guys are doing a poor job. I just want to make sure we capture all the opportunities available to us.”
Michelle spoke up next.

“Well, what are you talking about then, Sam? We don’t see any defects on the line, the scrap bins are empty, and there’s nothing piling up for quality inspection.”

I couldn’t argue. The team had done a great job of setting up a visual workplace. A casual observation would not reveal any problems.

I walked toward one of the workstations and addressed all of the team members.
“Well, let’s talk about the tools you’re using to complete the tasks at this process.”

I turned toward George and said, “George, flip the page on the chart and let’s list all the tools we are using for each station.”

Watching the process will allow you to see waste in the system. You cannot find the problems from a computer terminal or an office. Look for things that are not required for the value added activities of the tasks being performed.

George began writing as we dictated a complete list of all of the tools being used in the process:
1. impact wrenches
2. rubber mallet
3. square
4. drill for reaming
5. tap
6. hoist

As we finished the list, the class turned back to me and Bob asked again, “OK Sam, where is the rework?”
I started to explain, but then one of the operators gasped.
“It’s the reamer,” she said. “We are using the reamer on every unit!”
Michelle shook her head.
“It can’t be the reamer. We can’t build parts without it, so the reamer is not rework—it’s part of the job.”

I prompted Michelle for more information about the process and, in particular, exactly what caused them to ream every unit of production. As I spoke, I started timing the reaming process. Michelle spent the next several minutes explaining the process to me.

“I’ve been working on this line for more than 20 years, Sam, and we’ve always reamed these holes. You can’t expect to join three pieces of metal together in multiple locations without reaming the holes so that bolts can fit through them.”
She smiled patiently and went on to explain.

“If we don’t ream the holes, the unit won’t be square and the components down the line won’t fit properly. So,” she concluded with a smile, “reaming isn’t rework; it’s just part of the process.”

“Well, Michelle,” I explained, “while you were talking just now, I timed three cycles of production. Reaming multiple holes adds over five minutes to the total cycle time for your process.”

I didn’t want to push too hard, but I needed to make sure that she understood where I was trying to lead her.

“What if the holes lined up perfectly when the parts were stamped? Would you still have to ream them?”
While Michelle thought about my question, Bob spoke up.

“Of course you wouldn’t have to ream anything. But if you think you could ever stamp those holes that perfectly, well, you’re nuts!”

His coworkers paused a second and then let out a loud laugh.
I knew it was important to pursue the point while they were still laughing.

“OK, OK,” I smiled, “but if we could stamp the parts perfectly, that would eliminate the reaming process, right?”
They all continued to snicker, but Michelle nodded. I pressed on.

Often, improvement opportunities are pushed aside as being impossible before they are fully investigated because the historic knowledge of the organization will not accept the possibility.

“So if we could eliminate the reaming process, would our cycle time balance out better with the main line?”

George had been pretty quiet up to this point, but he finally spoke up.

“If we could drop the reaming process, we would be able to eliminate all the overtime from this process and still work slightly faster than the main line.”
He paused a second.

“But I have to agree with the team on this one, Sam. I don’t think it can be done.”

He went on to explain that they had looked at the stamping process a couple of times. The equipment was in good shape and the engineering group couldn’t find any problems with the program.

We didn’t notice, but Sid had walked up behind us and was listening to the discussion. After George finished explaining why the reaming process couldn’t be eliminated, I asked him to have the engineer and the press operator paged to the stamping building so we could have a look at the process.

George looked skeptical, but he had the two men paged as I’d requested. Michelle said I was crazy and started rounding up her team members so they could get back on their process. As I walked over to the stamping building, I was wondering if I had lost my mind, as everybody seemed to believe.

At 11 that evening, I walked out of the plant and shook the hands of the two men who had stayed with me to look at the process for more than 14 hours. I was just about to get into my car when I heard someone call my name from across the parking lot.

“Sam! Hey, Sam, wait up!”
I turned to see George and Sid running toward me.

“We couldn’t leave while you were working out there all night,” George said, “but we didn’t want to interrupt.”

“I stopped by a couple of times to see how things were going,” Sid said, “but you three were huddled so tightly that I figured I’d just let you go at it.”

I was surprised to see the two of them hanging around there that late, but I was happy that they were interested enough to wait to see what we’d found out.

“Well, I didn’t figure it out. We looked at everything—the program, the specification, the equipment. Everything was within the tolerance limits defined by the design engineers and we couldn’t find a reason for the misalignment. We were frustrated.”

I paused as George and Sid nodded knowingly. Then I continued.

Brian, the engineer, looked at the program for most of the night but couldn’t find any fault in the logic. Jason, the press operator, showed me the dies and the setup tools he used and we couldn’t find anything wrong there either.

Then, around 9 p.m., we all sat down for some coffee. I asked Jason to tell me what had been done on the process over the past 20 years.

Jason explained that he’d been running the process since it was started. He reached into his back pocket and pulled out a small notebook. What a surprise! He had kept process notes on everything that had been done since the beginning.

I asked if I could take a quick look at his notes. They were particularly well laid out and very complete. I didn’t see anything that would lead me to believe that the process had been disrupted in any way.

I picked up my cup and finished my coffee. A strange look came over Jason’s face.

“You know,” he started slowly, “there was one thing. It’s probably not really important, but when we were setting up the process, we couldn’t be sure which side of the die was supposed to be facing up. The process supervisor came out with the engineering team and measured the die and all the locator pins and they decided that the die was symmetric. The engineers said that since the die was equal on all sides it didn’t really matter which side faced up. We marked the die so we could be sure we always do it exactly the same way—and that’s how we’ve been doing it each time we set up the machine.”

I looked at Jason and he read my mind. We ran back to set up the machine and run parts, not wanting to wait until the next day to check our theory.

After turning the die over and setting up on the opposite side of standard, we stamped enough parts for one unit of production in the assembly process and had the parts moved to the main line for a trial run.

Michelle’s team—the morning shift—was long gone, of course, but the third shift team was more than happy to help. We threaded in the unit we had just stamped and, as they laid the parts on the fixture, Jason, Brian, and I held our breath.

One of the operators—a nice guy named Marty—came over with the reamer, but I stepped up just as he was moving into position.

“Could you try bolting it up without reaming?” I asked.
He looked at me and shrugged.

“Sure, but I’ve been doing this for over five years and I’ve never seen a frame go together without reaming. I don’t see why it would start working right now.”

Marty was kind enough to humor me. He handed his coworkers the bolts for the frame. They positioned the frame on the fixture—and the bolts slipped easily into the holes. Their mouths dropped open and all eyes shifted to me.

If employees are not trained to identify waste, they will adopt non-value-added activities, such as rework, as part of the process—even going so far as to write the steps of rework into their standard process documents.

Sid and George reacted the same way as I got to this point in my story. I recognized it in their puzzled expressions.

“Sam,” George started slowly, “I thought you said you didn’t figure out what was wrong with the process.”
I smiled.

“Not I. It wasn’t I who figured it out. It was Jason, when he remembered the problem and when it had started. His notes and his memory allowed us to fix the problem.”

I opened my car door and turned to Sid.

“You have a lot of great people in this company, Sid. Make sure you take advantage of their willingness to offer suggestions for improvement.”

I said good night and drove away. It had been a long day. But I couldn’t help smiling . . . because I love this job!

Key Points

  • Examining the entire operation from the “crow’s nest” will allow you to find the problems in the system. 
  • Oftentimes, the problems have become so imbedded in the process that they aren’t even realized as waste. If an organization is to achieve six sigma, employees must be trained to look for waste in every aspect of their jobs.