When to Design Multiple XenApp Farms
Citrix Presentation Server 3.0 and 4.0 have been designed and tested to support up to 1,000 servers in a single farm. This was mainly intended to meet the need to consolidate numerous servers and to centralize the administration and support into a single Presentation Server farm. In most organization's environments, the proposition will work as intended; however, there are specific situations where a single farm design is not a suitable solution and a multiple farm design is more appropriate. In this article, the design considerations for selecting a multiple farm design will be presented.
Designing a single farm - single zone or single farm - multiple zone in many cases is technically feasible and will meet most organizational needs. However, a single farm design does not mean it is always the right solution for the organization because the organization may have to contend with non-technical challenges such as organizational, operational, geographical, contractual, security, and/or regulatory constraints. If the wrong farm design is selected, over time, the farm may start exhibiting farm issues related to stability and performance, and it may become progressively more difficult to maintain.
When designing a Presentation Server farm, the Citrix Architect should carefully evaluate not only the technical merits of a single farm design but also the associated organizational and business implications. The list below provides a guide for when to consider a multiple farm design.
- Type of Organization. The type of organization will influence how the Presentation Server environment should be designed to meet the current and future needs of the enterprise.
- Service Providers or IT Infrastructure Outsourcing Companies. These organizations may need to mitigate the business and legal risks associated with supporting multiple customer environments. This can be done by isolating and dedicating a Presentation Server farm and associated IT infrastructure (network, directory services, etc.) for each customer.
- A Human Resources outsourcing company wanted to fully secure and contain the Human Resources applications and associated data for each customer. This company physically segmented (network, firewall, and back-end servers) its hosting infrastructure and built a Presentation Server farm for each client. This approach has mitigated the risk of any legal liability when someone mistakenly accesses the wrong data or when unauthorized access has compromised a client application or data. Additionally, the organization has to comply with each client's change management process and maintenance windows
- A healthcare application service provider that services multiple hospitals needed to support different application modules and configurations for each client, and some Presentation Servers may have to be located at the hospital's data center to keep it close to the back-end servers of the published applications. Dedicated Presentation Server farms were built for each customer to avoid any confusion and mistakes related to what Presentation Servers and applications are associated with a customer. Additionally, separate farms clearly define how much support should be given to the customer, which is usually based on service level agreements.
- High Security Environments. Institutions and government agencies with high security standards may need to segregate their IT infrastructure based on security level: low, medium, high, and/or top secret.
- The Office of the Secretary of Defense (OSD) and the Central Intelligence Field Agency (CIFA) required segregated Presentation Server farms and segregated network infrastructure to address security concerns. Additionally, this eliminated the possibility for IMA, XML and license traffic to pass between security boundaries.
- Geographical Distribution. If the existing IT infrastructure is regionally (global or nationwide) deployed, and the management of the infrastructure is decentralized (i.e., due to political and organizational boundaries), multiple farms may eliminate the complication of coordinating and scheduling changes to the farm, prevent the risk of a global outage or downtime, minimize the scope of troubleshooting farm-wide issues, and improve the overall performance of the farm.
- A global pharmaceutical company with multiple international data centers (US, Europe, and APAC) and satellite offices with existing Presentation Servers deployed at the data centers and satellite offices wanted a single global Presentation Server farm. Although the company wanted to centralize the management of the Presentation Servers, they cannot move all the Presentation Servers into a central location or even consolidate Presentation Servers into the regional data centers. Additionally, the data centers are managed by different IT outsourcing firms. By designing three regional farms, the company avoided a major disruption to existing support infrastructure and processes, and mitigated the risks of potential global farm-wide issues and downtime. It is important to note that the current support organization is not mature enough to manage a global farm so the regional farm approach is considered an interim solution until the organization has reached the appropriate maturity level (if it ever happens).
- Regulatory Compliance. Some types of organization may need to comply with government regulations such as FDA, HIPAA, Sarbanes/Oxley, etc. Each organization may interpret the government regulations differently and they end up building their IT infrastructure based on these interpretations.
- A global pharmaceutical company implemented a separate dedicated Presentation Server farm to host clinical applications to support drug research and test activities. The farm has been configured to comply with the FDA requirements and rigorous QA and change control process. A separate corporate farm was also built to host corporate and line-of-business applications.
- Network Infrastructure Limitations. Designing a single farm with multiple zones to support multiple sites typically assumes there is sufficient network bandwidth available to support IMA traffic and inter-zone communications. However, it is important to take into consideration the quality of the network connection. If the network connection exhibits very high latency and/or high error rate, a single farm design may not be appropriate. The network quality issue is a typical problem with satellite links and links to international sites.
- A sports broadcasting company has a Presentation Server farm that is located in its US data center. A zone comprised of two servers has been implemented in its Argentina office and connected via a WAN link to the US data center. The existing WAN link has been proven unstable on a daily basis and there are times the link is down for a day. Citrix recommended that the client build a separate Argentina farm to prevent the unstable WAN link from negatively impacting the US farm.
- Operational Readiness. A very large Presentation Server farm will require a mature support organization with well-defined operational procedures to effectively maintain it. Proposing a single large farm design may not be appropriate solution to start with unless the client overcomes existing organization and process issues in a very short timeframe. With smaller farms, a client can perform a phased implementation of changes, and if a mistake is committed that negatively impacted the whole, only a subset of the user community is affected.
- In the case study under the Geographical Distribution section, the global pharmaceutical company with multiple international data centers (US, Europe, and APAC) wanted a single global Presentation Server farm but the data centers are managed by different IT outsourcing firms. By designing three regional farms, the company avoided a major disruption to existing support infrastructure and processes, and mitigated the risks of potential global farm-wide issues and downtime. It is important to note that the current support organization is not mature enough to manage a global farm so the regional farm approach is considered an interim solution until the organization has reached the appropriate maturity level (if it ever happens).
- A financial institution built a single Presentation Server farm with up to 120 member servers that support approximately 200 applications. Over a period of several months, the farm started to become progressively unstable. They experienced daily emergencies related to servers going down and application accessibility failures. Their success rate of implementing a change successfully was very low. At one point, a major data store corruption occurred and without a usable data store backup, their only option was to rebuild the farm by moving the servers from the old farm to the newly created one. Upon further investigation, it was discovered the root causes of the problem as the lack of testing and change control processes, and an improperly trained Citrix Administrator. Once the process and Citrix skills issues have been resolved, the Presentation Server farm and daily emergencies were dramatically reduced.
- Contractual Obligations. Some organizations may be contractually obligated to provide separate farms for their clients and partners or may need to meet a specific service level agreement (e.g., 99.9% uptime) with a client.
- A communication and aviation electronics company is a government defense contractor and it is required to secure its IT infrastructure. However, it is essential for this company to work with its partners and subcontractors (in co-designing or co-manufacturing solutions) which may not have the appropriate security clearance. A separate locked down and secured farm was built in addition to their corporate farm to meet their needs.
- Risk Mitigation. An outage in a single large (or global) farm may impact all users while an outage in a regional farm will only affect users in a region. With multiple smaller (or regional) farms, the potential for a large scale outage is substantially minimized. During major farm upgrades or maintenance, multiple farms can be an effective mechanism for pursuing a phased implementation; the first farm can be used as a production pilot prior to wide-scale implementation.
- A healthcare provider organization started with a single large farm with 1000 + servers. The organization supports approximately 15,000 concurrent users across multiple regions in the United States with each region requiring different application configuration. This organization has experienced farm-wide outages, very slow implementation of infrastructure changes, and general instability. After dividing the Presentation Server farm into regional farms, the stated problems dramatically diminished.
The following are common pushback that the Citrix Architect will encounter when proposing a multiple farm design to the client:
- Multiple farms defeat the purpose of centralized administration. This is not exactly true. The Access Management Console released with Presentation Server 4.5 allows administering multiple farms from within one console. Additionally, access to published applications across multiple farms can be aggregated within a Web Interface solution. There may be specific tasks that may be considered as duplication of work such as deploying applications using Installation Manager, publishing the same application across multiple farms, etc. These administrative tasks can be easily automated using MFCOM scripts and customized to work with multiple farms. The benefits of multiple farms should far outweigh the duplication of work especially when the client would like to resolve prevailing scalability, stability, and performance issues related to their unique deployment scenario.
- Dividing a single large farm is major initiative. It is important to understand the current operational challenges of the client before proposing the division of a single farm and evaluate the benefits that a multiple farm design will bring. These challenges may include,
- Inherent risk. If the farm becomes unavailable all users are affected. Additionally, a farm impacting change (e.g., rollup packs) will always put the farm at risk unless it is rigorously tested and implemented in a phased approach. The Citrix Architect should review if this type of problem has occurred in the client's environment.
- Inefficient Maintenance. A single large farm will require careful coordination and sequential implementation of changes to avoid any conflicts or oversights. Multiple farms imply that parallel changes can be implemented without the risk of conflicts.
- Large Data Store. A large farm with large data store may experience slow IMA Service startups and sluggish Citrix Management Console responsiveness.
- The Citrix Administrator or Team likes or demands a single farm. Typically, the technicians prefer to pursue a single farm design without fully appreciating the business and organizational implications. The Citrix Architect should raise the case to business and project sponsors for a final resolution.