More details about Citrix XenClient internals

Posted by Staff   |   Wednesday, May 19th, 2010   | already reported about several aspects (features, GA availability and strategy) of the new Citrix client hypervisor launched two weeks ago at Synergy 2010 (see event coverage).

Now, while additional feedbacks about the release candidate are being published by early adopters, and while Citrix is busy answering VMware on the value of client hypervisors for BYOC models, we are able to share additional details about its internals.

During the conference in fact, Ian Pratt (Chairman of and Vice President of Advanced Virtualization Products at Citrix) and Tom James (Desktop Virtualization Manager of Business Client Platform Division at Intel) shared interesting details about the XenClient and Synchronizer internals.

About XenClient

The client hypervisor doesn’t just run the end-user virtual machines. It also run a lightweight additional one called Service VM, where all Citrix management components are installed. They include the interface to switch from one virtual desktop to another, the control panel, the Citrix Receiver and Synchronizer agents (if available).
XenClient can run more than one Service VM, and it’s probably here that Citrix looks for extensibility by third parties. Security vendors like McAfee, for example, may deploy their out of band security servers as Service VMs.

Besides the Service VM, there’s a Control Domain, which is responsible for direct access to physical hardware and chipset capabilities (like the Intel vPro features).
Part of physical components, like the GPU, can be exposed to the virtual desktops through Intel VT-d technology but there’s a severe limitation: only one virtual machine per time, the nominated VM, can have direct access to the GPU.
This means that while one virtual desktop will have near native graphic performance, the other (or the others) will have worse rendering, solely relying on para-virtualized graphic drivers.
Despite this direct GPU access for one virtual desktop, the Control Domain will still decide where and how pixels must be rendered on screen. This is done to prevent hacking attacks through the GPU, like screen scraping or pixel injection.

PortICA is being used to expose the applications of one virtual desktop on another through the seamless window technology.
As reported in a previous article, there’s no direct connection between virtual desktops and all traffic has to pass through the networking layer. Anyway PortICA traffic will not.
It’s not clear if Citrix is allowing its flow across an internal virtual switch that is not exposed to the physical network or in other ways.

XenClient features a so-called Secure Keyboard.
All keyboard activities are directed to the Control Domain which routes them only on the currently active virtual desktop. This is done to avoid keyboard attacks like key injection and keylogging from non-active VMs.

The Control Domain also owns the USB host controller.
All virtual desktops have a para-virtualized driver that emulates their own USB host controller, and the Once a new USB device is connected to the laptop, the Control Domain will check and apply security policyt to it, then it will forward the USB messages from its controller to the emulated ones.

XenClient will leverage Intel Trusted Execution Technology (TXT), which is part of Intel vPro, to verify its integrity and recognize any manipulation in its configuration states.
The configuration states are encrypted. The encryption key is sealed in the Trusted Computing Platform, and released only if the checksum matches.

About Synchronizer

Citrix Synchronizer comes as a virtual appliance for XenServer.
It listens to a single HTTPs port and features a web-based administration interface.
The authentication to this interface can be done using a local user database or a remote Microsoft Active Directory directory service.

Every time something changes in XenClient virtual desktops, a live snapshot is being taken in the background and sent back to the Synchronizer (it’s not clear with which frequency the whole thing happens).
Snapshots are taken leveraging block level differencing and compression to reduce the size as much as possible.
Synchronizer receives these snapshots from XenClient in the form of VHDs. Over time, multiple VHDs of the same virtual desktop are merged together in the background.

Labels: ,

blog comments powered by Disqus Newest articles
Release: VMware vRealize Log Insight 4.5

June 13th, 2017

Log Insight is a log aggregation, management and analysis tool, that VMware first introduced in 2013 and considered a competitor of Splunk.
Yesterday VMware announced the release of version 4.5, available for…

Release: VMware vRealize Automation 7.3

June 6th, 2017

Today VMware announced the latest release of its cloud management platform vRealize Automation, former vCloud Automation Center.
VMware vRealize Automation 7.3 release notes can be found at this link.


Paper: Introducing the NSX-T Platform

February 9th, 2017

“We see greater potential strategic opportunity in NSX over the next decade than our franchise product vSphere has had for the past decade.”
said VMware’s CEO Pat Gelsinger talking about…

Paper: VMware vSphere Virtual Machine Encryption Performance

November 22nd, 2016

Encryption of virtual machines is something that has been requested for years by the security community. VMware continued to postpone its implementation due to the negative operational impact that many…

Quest Software leaves Dell

November 1st, 2016

In September 2012 Dell announced to have completed the acquisition of Quest Software, a Californian company with an history in systems management, security, business intelligence and, falling back in our…

Citrix announces Q3 2016 results

October 21st, 2016

Citrix announced its financial results for third quarter 2016.
The revenues for the second quarter were $841 million for an increase of 3% compared to Q3 2015.
Net income was $132…

Release: VMware vSphere 6.5 & Virtual SAN 6.5

October 19th, 2016

2016 edition of VMworld US has been quite turbulent, on the other hand during VMworld Europe, happening these days in Barcelona, the company announced a few more products for the…

Release: VMware vRealize Log Insight 4.0

October 18th, 2016

Log Insight is a log aggregation, management and analisys tool, that VMware first introduced in 2013 and now is usually compared with Splunk.
Yesterday VMware announced Log Insight’s new major…

Release: Windows Server 2016 with support for Window Server & Hyper-V containers

October 13th, 2016

Yesterday Microsoft announced the general availability of Windows Server 2016 which the company defines as a cloud-ready OS.
Beside fancy definitions, one of the most relevant perks of this release…

Release: Oracle VM 3.4.2

September 22nd, 2016

During Oracle OpenWorld 2016 the company released version 3.4.2 of its enterprise virtualization solution.
Oracle VM is available for both x86 and SPARC based processor architectures and uses the Xen hypervisor…

VMworld US 2016 Wrap-up

September 1st, 2016

Today was the last day of VMware’s flagship conference VMworld in Las Vegas, an highly controversial edition which left a good chunk of the audience disoriented if not properly disappointed….

Gartner releases its Magic Quadrant for Cloud Infrastructure as a Service for 2016

August 11th, 2016

Last week Gartner updated its Magic Quadrant for Cloud Infrastructure as a Service (IaaS) for the year 2016. The Magic Quadrant for the year 2015 was released in May last year…

Release: Ansible Tower 3 by Red Hat

August 2nd, 2016

Ansible is one of the four main players in the automation market, younger then the well known Chef and Puppet, has been launched in 2013 in Durham, N.C. and acquired…

IBM announces earnings for Q2 2016

July 19th, 2016

Yesterday IBM announced its results for Q2 2016.

If we compare with the same quarter in 2015 earnings per share, from continuing operations, decreased 22%. Net income, from continuing operations,…

Monthly Archive