Apr 08

So this is an interesting development where the technique of creating a Mashup of different information sources helps create a stark and frightening visual perspective of just how deep this Credit Crisis has hit?

As you can see in the images below it’s almost scary how it shows that foreclosures are starting to bite at almost every level?   

Foreclosures Shown On Scary, Encroaching Heat Maps

Erick Schonfeld at TechCrunch

If you want to see in stark colors exactly how the mortgage credit crisis is spreading across the country, go to real estate search site HotPads and look at the foreclosure heat maps in your area. These are map mashups that take foreclosure data from RealtyTrac and overlay them on a color-coded map. Red indicates a high rate of property foreclosures per capita, and blue indicates a low level. Since foreclosures are now hitting record rates, there is a lot of red on these maps. In Silicon Valley, for instance, only a few pockets like Palo Alto and Sunnyvale remain in the blue.
A view of New York City shows the foreclosures beginning to close in on Manhattan from the outer boroughs.

In addition to the 500,000 foreclosures you can find on HotPads, the site also lists 1.2 million homes for sale and 130,000 active rentals (which co-founder Douglas Pope claims is the second-largest rental listings after Craigslist). These are culled from real estate broker sites and submitted directly by property owners.


Foreclosures Shown On Scary, Encroaching Heat Maps

written by dcaddick

Nov 27

Well, hang on a minute and let’s not get too carried away? It doesn’t "run" 45 times faster - what is explained here is a simple file copy, a large file copy sure, but essentially the basic File and Print server stuff that Novell used to own some 10 or 15 years back?

Don’t get me wrong, I’m glad that someone at Redmond has finally found the Turbo button, and what I would be curious about is "exactly how" that copy instruction was carried out, and how they took their measurements - they haven’t indicated whether this is on a 1G or 10G LAN for instance?

I’m sure it was done in a like for like manner, however the reason I ask is that there is a world of difference if for instance the new Server 2008 has been perhaps optimised for 10G? Was this carried out on a Server 2008 "Core"? Was the copy initiated from Robocopy, command line, Ctrl+C/Ctrl+V, mouse - even these actions can tend to have an impact (especially over slower WAN links).

I have no doubt that Server 2008 will be faster, but I’ll wait to see exactly how much faster? ;-) 

Microsoft Developers: Windows Server 2008 Runs 45 Times Faster Than ‘03

It’s not unheard of for some of the earliest adopters of Microsoft’s Vista this year to compare the experience to swimming in wet cement — slow and not very pretty.

But word is filtering out of the Redmond, Wash.-based software giant that indicates its new server could be considerably better. Ward Ralston at the Windows Server Division Weblog reports that "our MSN group who is dogfooding Windows Server 200 RC0" has achieved the kind of testing results that might prompt a double-take. In a side-by-side between Windows Server 2003 and Windows Server 2008, the group set out to transfer 10.8 GB of "VirtualEarth Stitch files" from one server to another, and back again.

On Windows Server 2003, the data took five hours, 40 minutes and 30 seconds to transfer once, and more than six hours to transfer back again.

On Windows Server 2008, the same data took seven minutes and 45 seconds to transfer one way, and eight minutes and 10 seconds to transfer back. The Microsoft people spare you the task of doing all that math: "The improvement observed was ~45 times faster over windows 2003."

If the numbers are consistent and no other glitches come up (this software has been in beta for a few years now), it could prove compelling when it is launched - - an event now slated for the first quarter of next year.

Microsoft Developers: Windows Server 2008 Runs 45 Times Faster Than ‘03 - The Chart - IT Channel News And Views by CRN and VARBusiness

written by dcaddick

Nov 18

Judging by my limited experiences with Vista the "security" sounds like it might be a case of how much security you need to turn off until your Server actually communicates with the other devices and runs the Applications correctly?

Other than that I’m looking forward to seeing just how much can be accomplished with Power Shell, it’s certainly got my Brother excited ;-)

10 things to consider when making a Windows Server 2008 upgrade decision

Windows Server 2008 is expected to officially launch in February of next year, but many companies are already preparing for the next generation of Windows server software and trying to decide whether, and when, to upgrade. Release candidate evaluations are available from the Microsoft Web site and many IT departments are already trying it out in their testbed labs. Exciting-sounding new features and promised improvements on the old ones make the upgrade tempting.

In this article, we’ll look at 10 things you should consider in making the upgrade decision, including eight good reasons to upgrade as soon as possible and two equally good reasons you might just want to hold off for a while.


Reasons to upgrade

First, let’s take a look at some reasons to upgrade your network infrastructure and/or individual servers to Windows Server 2008.

Reason #1 to upgrade: Security, security, security

The most compelling reason to upgrade to Windows 2008 sooner rather than later is really at least half a dozen reasons, but they all add up to one thing: improved security. And just as the most important factor in buying real estate is location, in today’s interconnected IT world, the most important factor for most of us in selecting an operating system is security.

Here are some of Windows Server 2008’s new or improved security mechanisms:

  • Network Access Protection (NAP) provides a way for administrators to exert more control over which computers connect to the network by checking for compliance with security policies and isolating those that don’t have the proper service packs and updates installed, antivirus and firewall software installed and enabled, proper configuration settings, and so forth.
  • Read-only Domain Controller gives you a way to restrict the replication of the complete Active Directory database when deploying AD. This is useful when you need to run additional applications on a DC or it’s in a place that’s not physically secure, because changes can’t be made to the AD database through it.
  • Federated Rights Management Services allows for better protection of sensitive data by integrating RMS with AD FS so companies with federated relationships can exchange protected files.
  • BitLocker full disk encryption (also supported by Vista Enterprise and Ultimate editions) enables you to prevent unauthorized persons from booting into the server even if they have physical access.
  • Secure Sockets Tunneling Protocol (SSTP) remote access VPN allows you to create an SSL VPN with strong authentication and transport-level security that will pass through firewalls that block PPTP and L2TP traffic.
  • Improved certificate services offer enhancements such as support for enrolling routers and other network devices for certificates, health monitoring of CAs with PKIView, support for Online Certificate Status Protocol for better management of revocation information, and improvements to Web enrollment.

These are only a few of the specific security mechanisms in Server 2008, which also includes the new Windows firewall first introduced in Vista, Windows Defender, service hardening, User Account Control (UAC), and more.

Reason #2 to upgrade: Virtualization

Virtualization is all the rage for businesses from enterprises down to small businesses. Running servers in virtual machines (VMs) allows you to have the logical separation you need so that your Exchange mail server, your Web server(s), your file server(s), etc., have the security benefits of running on separate operating systems. But you also get the cost savings of running all those separate computers on a single physical machine.

Server consolidation is one of the biggest uses for virtualization technology, but it’s not the only one. VMs also make it much easier to test new operating systems or applications or to run multiple operating systems (such as XP and Vista) simultaneously.

Microsoft’s hypervisor virtualization technology has been in the works for quite some time. Code named “Viridian,” it has been announced as Hyper-V and will be available both as an add-on for Server 2008 and a stand-alone server product. Hyper-V can run a variety of operating systems in virtual machines, including 32- and 64-bit Windows and Linux.

Reason #3 to upgrade: Performance

Server 2008 includes numerous enhancements to increase server and networking performance. The “next generation” TCP/IP stack in Server 2008 (and Vista) includes TCP receive window auto-tuning and compound TCP (CTCP), which maximizes the throughput on connections with large receive windows. Wireless networking performance has also been greatly increased.

Windows System Resource Manager (WSRM) is integrated in Server 2008 and can enhance performance by allocating resources according to your needs. With increased performance for Storage Area Networks (SAN) and Direct Attached Storage (DAS) in clustering, better virtualization performance with Hyper-V, performance enhancements to IIS, better PKI performance in checking for revoked certificates, better performance for remote terminal services users with TS Gateway and other performance enhancements, better performance is a good reason to upgrade to Server 2008.

Reason #4 to upgrade: Server Core

Server 2008 gives you two installation options: You can install the full operating system with the familiar graphical interface and built-in applications, such as Internet Explorer, or you can install just the Server Core, a more minimalist environment for command-line administration. Server Core includes the important subsystems — networking, file system, security subsystem, RDP, WMI, etc. — but doesn’t include the desktop shell, most applications (IE, mail, WordPad, etc.) or the .NET framework. You do get a few GUI utilities, such as Task Manager, Regedit, and Notepad (for editing scripts, viewing log files, etc.). Server Core provides a more secure environment (fewer applications and services to exploit), easier management, and better performance.

Reason #5 to upgrade: Server Manager

Server Manager is a new administrative tool in Server 2008 that’s like a much more sophisticated version of the familiar Computer Manager MMC. You can use it to assign roles to the server (Web server, file server, etc.), configure settings, and so forth. It provides a centralized place for managing most aspects of your server. Server Manager is exclusive to Windows Server 2008 and won’t run on previous versions of Windows, not even Vista. For those who prefer to work in the “dark place,” there’s a command-line version of Server Manager, ServerManagerCmd.exe. It’s especially useful for automating the deployment of multiple servers that are configured alike.

Reason #6 to upgrade: IIS 7.0

The latest version of Internet Information Services (IIS) provides many improvements over its predecessor. This application is now modular, and you can install only the components you need. That makes it more secure, increases performance, and makes it easier to manage. For example, if you don’t need FTP services, don’t install them.

IIS has been designed to be as secure as possible out of the box. That is, most components are not installed unless you explicitly choose to install them. ASP, ASP.NET, and similar services are not installed by default. Other security enhancements include built-in URL filtering, a new and more secure account for anonymous users, automatic sandboxing (isolation) of applications on the server, and more.

The IIS management tool has gotten a makeover, too. It’s more intuitive and more task-oriented. And a new command-line tool, AppCmd.exe, replaces numerous administration scripts that were used in IIS 6. IIS 7 can also be managed with Windows PowerShell. PowerShell is the command-line interface and scripting language that was code named Monad, and it provides a more UNIX-like environment for IT pros who are comfortable with the command line. Many tasks can be performed more quickly at the command line, and can be automated through scripting.

PowerShell can be downloaded from the Microsoft Web site and run on Windows XP SP2, Server 2003 SP 1, Server 2003 R2, and Vista, as well as Server 2008, but it is especially designed to administer Server 2008 roles, such as Terminal Services and IIS 7.

Reason #7 to upgrade: Terminal Services enhancements

If your business relies on a thin client model based on Windows Terminal Services, you’ll find plenty of improvements in Server 2008. It starts with version 6.0 of the Remote Desktop Connection (RDC) client software, which is included in both Vista and Server 2008. This client lets you use network-level authentication (NLA), which authenticates clients before the user logs on. This provides better security by eliminating the window of opportunity during which attackers might intercept credentials or do other dirty deeds. Another security enhancement is server authentication, which prevents clients from connecting to a malicious terminal server that’s spoofing the real one.

There are also improvements to the user experience. Higher resolution (up to 4096 x 2048) is supported and you can configure customized widescreen aspects such as 16:10. A welcome improvement is the ability to spread the terminal session display across multiple monitors (so long as they all have the same resolution settings). 32-bit color depth is also supported, and you can now use ClearType font smoothing in terminal sessions. Things are looking good.

Other improvements to Terminal Services include Display Data Prioritization (which provides better network utilization) and the ability to use desktop themes and even the Aero interface in terminal sessions. Printing is easier, too.

Server 2008 Terminal Services users with domain accounts can log on once (single sign-on) if they’re using Windows Vista as the client OS. And there are many other under-the-hood improvements that make Terminal Services better for both users and administrators.

Reason #8 to upgrade: Active Directory enhancements

With Server 2008, Microsoft has consolidated services that were separate in previous versions of the operating system. Active Directory is now integrated with the following:

  • Certificate Services (which is now called Active Directory Certificate Services, or AD CS, and offers many improvements)
  • Active Directory Rights Management Services (AD RMS), which provides control over what recipients of documents and e-mail messages can do with those files
  • Active Directory Federation Services (AD FS), which provides for identity management across a federation

Improvements to Active Directory itself include enhancements to the auditing service, granular password and account lockout policies, and the ability to restart the directory services without rebooting the domain controller in Restore mode. Last but not least, Server 2008 gives us the Read Only Domain Controller (RODC), which can be deployed in locations without the best physical security.

Reasons to wait

All of the above are reasons you may be chomping at the bit to roll out Server 2008. On the other hand, there are also a few good reasons you might want to wait before upgrading.

Reason #1 to wait: Compatibility issues

As with Vista, because of the new security architecture in Server 2008 there are likely to be some applications that won’t run on it. These include many antivirus and other security applications that access the kernel, backup programs, and applications that check the operating system version prior to installation. Programs that interact with IIS may also have problems, since it has so many changes.

You’ll want to check out all your mission-critical applications in a testbed environment before making the decision to deploy Server 2008. Don’t just test whether they’ll install; some apps may appear to install with no problem but then have problems working properly. If your important business applications won’t run stably on Server 2008, you’ll have to wait until the application vendor makes upgrades or patches available or switch to different applications before you can make the operating system upgrade.

Reason #2 to wait: Cost factors

If you have many servers, the licensing cost of upgrading to Server 2008 could be significant. You’ll want to take an inventory and determine just what that cost will be and whether the benefits are worth it, given your specific needs. And don’t forget that the cost of the software isn’t the only consideration here.

Let’s face it: There’s a price for increased functionality with every new operating system, and part of that price almost always comes in increased hardware requirements. Just as Windows Vista requires more powerful computers than XP to run properly, Server 2008 makes greater hardware demands than Server 2003. Microsoft specifies a minimum 1GHz processor (1.4 GHz for the 64-bit version) and recommends a 2GHz or better machine. For Itanium, an Itanium 2 processor is required. Although 512 MB of RAM is specified as the minimum, a more realistic recommendation is 2 GB or more, and you’ll need from 10 to 40 GB of available disk space.

Many servers currently running Server 2003 don’t meet those criteria, so you may have to factor in the cost of buying new server systems or performing hardware upgrades to your existing servers to run Server 2008.

» 10 things to consider when making a Windows Server 2008 upgrade decision | 10 Things | TechRepublic.com

written by dcaddick

Jun 28

Technical Design Considerations for AG and AAC for 10,000 Users 
The two following pages detail the caveats and considerations that need to be addressed when designing an AG and AAC Implementation for up to 10,000 Users

· It should be kept in mind that these details were documented as of January 2006 and as such there have been some changes since then.

· It was anticipated that Citrix would be making reasonable efforts to improve the number of *Tunnels* available to the AG; however, as they now have the Netscaler line of products, it would seem unlikely that this will be improved on. However, Citrix typically likes to announce new products and/or improvements to existing products at their US-based iForum, scheduled later this year, and it’s no secret that Citrix is highly likely to be releasing a version 4.5 of something? So perhaps we might see some improvements?

· The AG Enterprise Edition **may** possibly be referring to the new Netscaler VPN Hardware Appliances of the 7000 and 9000 models as these units are capable of supplying up to 2,500 and 5,000 VPN Connections – HOWEVER – these are NOT COMPATIBLE with the AAC and end point analysis functionality, as such they will be considered as not in scope for the purposes of this document.

· It is also somewhat remote that the AAC Functionality will ever be aligned with the Netscaler products due to fundamental differences in both the Architecture and the underlying OS. It seems I might have been off the mark on this – but as to when this might be achieved might be derived directly from the market? I would suggest that the more people who want to install large installations and want/demand this sort of functionality, the more Citrix will focus on getting it out?

Please let me know if this is incorrect, but my current understanding is that the AG is based on Linux? and the Netscaler is based on BSD?

· It is probably also worth pointing out that this design document/brief has already been used as the basis of a Pilot project nearing its rollout phase for a customer in North America – more details available on request, just drop me a note?

Technical Details of the Citrix Access Gateway (CAG):

·   2000 is the number of tunnels that a CAG can handle at any one time

·   A tunnel is a connection between a client application and a server application provided by the CAG

·   2000 is a hard limit (imposed by the choice of Architecture, HW and underlying OS), each tunnel takes a little memory and at 2000 tunnels the appliance runs out of memory

·   An ICA session should only use 1 tunnel (assuming session sharing is working) so you can get 2000 users on a gateway
*NOTE regarding Sessions* Be aware that in the unlikely event that a user is initiating multiple sessions from PNAgent, PNClient, Web Interface or ICA files, then each will "consume" a separate session, as session sharing is not possible between different clients – this is by design!

·   In VPN mode each user is likely to use a lot more tunnels than 1. For example, a test system is using 3 connections to the Exchange server from Outlook, so this is 3 tunnels consumed; if your users are just using email, you have already brought the number of concurrent users on the appliance down to around 650. As well as this, my system also has 3 other tunnels open to various servers on the corporate network, and I am doing nothing other than email

·   You can see how many tunnels your system has open to various servers by using the netstat command

·   The appliance scalability will go down considerably (possibly dramatically??) if they start using kiosk mode; this is running a session on the appliance, so you see the same issues that you do with a terminal server. I have been told that you should not expect more than around 25 users on an appliance if they are all using kiosk mode (PS. I believe that Kiosk mode is being phased out?) – however, I have not seen any official figures.

So to accurately estimate how many appliances you are going to need, you will first have to find out what the full VPN users are doing from remote locations and make an estimate of how many tunnels they are going to use. You will also have to see how they are using ICA, e.g. do they have applications silo’d on servers (please see note above re: sessions – same catch22 – just different way of being caught?); if so, then the ICA sessions may end up using more than one tunnel as they may not be able to session share. Ideally you would run some sort of pilot to get typical user use cases so that you can make an educated estimate on the number of appliances.

Some example numbers would be:

Example 1:
10000 users
90% ICA, 10% full VPN
ICA = 1 tunnel
Full VPN = 10 tunnels (assuming outlook and a couple of other client server apps)
Tunnels = (9000 x 1) + (1000 x 10) = 19000
Assuming 50% concurrency, tunnels = 9500

So 5 appliances per site would just cover it, it would be safer to go with 6 to give a little more flexibility

Example 2:
10000 users
90% ICA, 10% full VPN
ICA = 2 tunnels (due to silo’d apps)
Full VPN = 10 tunnels (assuming outlook and a couple of other client server apps)
Tunnels = (9000 x 2) + (1000 x 10) = 28000
Assuming 50% concurrency, tunnels = 14000
So 7 appliances per site would just cover it, it would be safer to go with 8 to give a little more flexibility

Example 3:
10000 users
80% ICA, 20% full VPN
ICA = 1 tunnel
Full VPN = 10 tunnels (assuming outlook and a couple of other client server apps)
Tunnels = (8000 x 1) + (2000 x 10) = 28000

Assuming 50% concurrency, tunnels = 14000

So 7 appliances per site would just cover it, it would be safer to go with 8 to give a little more flexibility

Example 4:
10000 users
80% ICA, 20% full VPN
ICA = 2 tunnels (due to silo’d apps)
Full VPN = 10 tunnels (assuming outlook and a couple of other client server apps)
Tunnels = (8000 x 2) + (2000 x 10) = 36000

Assuming 50% concurrency, tunnels = 18000

So 9 appliances per site would just cover it, it would be safer to go with 10 to give a little more flexibility
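
The sizing method above, from measuring tunnels with netstat through to the appliance count, as an added Python example that is not part of the original post. The netstat sample, its addresses and the 10.20.0.0/16 corporate prefix are constructed, and counting only ESTABLISHED TCP connections to corporate addresses as tunnels is an assumption of this sketch.

```python
import ipaddress
import math
from collections import Counter

CAG_TUNNEL_LIMIT = 2000  # per-appliance hard limit quoted in the post

# Constructed sample of Windows `netstat -an` output from a full-VPN client.
# All addresses are made up; 10.20.0.0/16 stands in for the corporate network.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1290         127.0.0.1:1291         ESTABLISHED
  TCP    10.99.0.7:1301         10.20.0.10:135         ESTABLISHED
  TCP    10.99.0.7:1302         10.20.0.10:1026        ESTABLISHED
  TCP    10.99.0.7:1303         10.20.0.10:1026        ESTABLISHED
  TCP    10.99.0.7:1310         10.20.0.21:445         ESTABLISHED
  TCP    10.99.0.7:1311         10.20.0.30:80          ESTABLISHED
  TCP    10.99.0.7:1312         10.20.0.31:1433        ESTABLISHED
  TCP    10.99.0.7:1320         198.51.100.8:80        TIME_WAIT
  TCP    192.168.1.50:1330      203.0.113.5:443        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""


def tunnels_by_server(netstat_text, corporate_prefixes):
    """Count ESTABLISHED TCP connections per corporate server.

    Assumption: each such connection consumes one gateway tunnel, and
    traffic to non-corporate addresses does not go through the gateway.
    """
    nets = [ipaddress.ip_network(p) for p in corporate_prefixes]
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        # Header, UDP and non-established rows are skipped here.
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        # Foreign address is "ip:port" or "[ipv6%scope]:port".
        host = parts[2].rsplit(":", 1)[0].strip("[]").split("%")[0]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue
        if any(addr in net for net in nets):
            counts[str(addr)] += 1
    return counts


def users_per_appliance(tunnels_per_user):
    """Concurrent users one appliance can carry at the hard tunnel limit."""
    return CAG_TUNNEL_LIMIT // tunnels_per_user


def appliances_needed(users, vpn_pct, ica_tunnels, vpn_tunnels,
                      concurrency_pct=50, spare=0):
    """Return (concurrent tunnels, appliances per site) for a user mix."""
    vpn_users = users * vpn_pct // 100
    ica_users = users - vpn_users
    total = ica_users * ica_tunnels + vpn_users * vpn_tunnels
    concurrent = math.ceil(total * concurrency_pct / 100)
    return concurrent, math.ceil(concurrent / CAG_TUNNEL_LIMIT) + spare


if __name__ == "__main__":
    per_server = tunnels_by_server(SAMPLE_NETSTAT, ["10.20.0.0/16"])
    measured = sum(per_server.values())
    print("tunnels per server:", dict(per_server))
    print("measured tunnels for this user:", measured)
    print("users per appliance at that rate:", users_per_appliance(measured))
    # The four examples from the post: (VPN %, ICA tunnels per user).
    for vpn_pct, ica_tunnels in [(10, 1), (10, 2), (20, 1), (20, 2)]:
        tunnels, minimum = appliances_needed(10000, vpn_pct, ica_tunnels, 10)
        print(f"{vpn_pct}% VPN, ICA={ica_tunnels}: {tunnels} tunnels, "
              f"{minimum} appliances minimum, {minimum + 1} with one spare")
```

Running netstat on a handful of pilot users and feeding the measured per-user tunnel counts into appliances_needed replaces the assumed "10 tunnels per VPN user" with observed figures.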

posted on Wednesday, June 28, 2006 12:26 PM


Feedback

# re: Citrix Access Gateway Scalability - Technical Design Considerations for AG and AAC for 10,000 Users 7/3/2006 10:40 AM Shaun Attwood

This is a good starting point for scaling the CAGs. Have you got a similar document for the Advanced Access Control servers?
Have you got more details of the customer in North America regarding scalability / sizing ?
Thanks
Shaun

# re: Citrix Access Gateway Scalability - Technical Design Considerations for AG and AAC for 10,000 Users 7/3/2006 12:01 PM Dave Caddick

Hi Shaun,
I’ve sent an email your way, if I’ve got the right address?
The main point that causes the issue with sizing is a limitation within the CAG/Net6 Appliance (based as it is on the SuperMicro HW) in that its underlying O/S is derived from FreeBSD. (It’s either that or BeOS, I can’t remember which - but as far as I am aware the AG uses one and the Netscaler uses the other)
OK, clear as mud so far? ;-))
My understanding is that this limitation is essentially down to the memory side of things trying to keep track of the various "tunnels". As such my thinking is that the AAC Servers shouldn’t be too hard pressed as they would appear to only come in to play during the initial creation of the sessions, although this would obviously depend on how much Administrators/Security want to call or use the "watch for a bad process/executable"?
I hope that makes some kind of sense? ;-)

# re: Citrix Access Gateway Scalability - Technical Design Considerations for AG and AAC for 10,000 Users and above (Hint - use Netscaler? ;-) 7/16/2006 3:17 AM Leo

Hi,
The AG uses Linux Redhat 8 and the NetScaler is based on FreeBSD in conjunction with a proprietary kernel that does the Request Switching.
Newer models of the AG will be using FreeBSD and (I think model 5000) also run off the NetScaler hardware platform.
Clearly having same hardware and OS will mean that the products will merge in some sort of form.
Same story goes for the Terros application firewall that will first move to the FreeBSD/NetScaler HW platform and then be integrated into the NetScaler and available as a license option.
Leo.

written by dcaddick

Jun 07

I had a client ring in with an issue today. Although they are still testing, they wanted to be sure that the Speed Screen Latency was enabled for the users testing from Johannesburg, Sth Africa. They pointed out that they had already checked CTX103204 and CTX344154.
I had a quick check of these and then rang him back and we initiated a GoToAssist Session. I explained the background of the template.ica file as it has been used in the older NFuse Implementations and how it is now based on the default.ica file in ver.4. I also pointed out that there is also the three other "templates" for the ica file depending on the bandwidth available (high, medium and low), and how these can be set by the user under "Advanced Settings" prior to login.
Interestingly, the details in CTX344154 actually appear to be incorrect: although it states in CTX344154 that these ZL States can be set under the [NFuse_IcaWindow] section, the default.ica file actually states in the preamble at the start of the file that all NFuse_XXX settings are ignored. When we examined the default.ica file for Low Bandwidth, the details for the ZL States are just set under the general [Application Settings](?)
After I discussed this with the client he decided that for the moment the default.ica file has been modified to add
ZLKeyboardMode=1
ZLMouseMode=1
so that all users will have this setting enforced. I also pointed out to the client that he really should then check this is the case with further testing to ensure that this is the case. We were unable to test this reliably from his PC at the time due to the fact that he had been running PNAgent on it also and this had appeared to cause some instability on his PC but not others.
I also pointed out that if he wanted to seriously stress test this component/function then he might check out something like www.shunra.com who do have trial copies of their product available that can mimic high latency connections to validate their checks.
+++++++++++++++CTX344154 Details+++++++++++++++++++++++++++++++
To enable SpeedScreen Latency Reduction for NFuse / Web Interface applications, modify the Template.ica (default.ica in Web Interface 4.x) file with the following entries under the [NFuse_IcaWindow] section.

[NFuse_IcaWindow]
ZLKeyboardMode=1
ZLMouseMode=1

Now when you open ICA Connection Center, you will see SpeedScreen Latency Reduction = ON.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hopefully this is of some help to others? and I’ll chase up the typo(?) with Citrix tomorrow

written by dcaddick