Review by Wilco van Bragt - October 18, 2005
Late last year, one of the top Citrix platinum resellers in the US called
Emergent Online (EOL) spun off their software division into a standalone
company called Provision Networks. Provision has developed several add-on
software modules for Terminal Server and Citrix servers.
These add-on modules can be purchased individually or in one of two complete
packages called the Provision Management Framework.
- The standard edition, which includes the base level product mix.
- The enterprise edition, which includes all standard modules plus application publishing, seamless windows, and a web interface.
In this article we’ll review the standard edition and take a look at how these
components add to or improve Terminal Server’s out-of-the-box capabilities.
(We’ll look at the Professional Edition of the Management Framework in a future
review.)
Installation of Provision Management Framework
There’s a storage service associated with the profile management product that
needs to be installed on a non-terminal server acting as a file server, and the
printing product might need some additional components installed on some print
servers depending on your configuration, but other than that everything you
need to install can be done on a terminal server.
The installation itself is pretty easy—you simply pick your installation path
and choose the components you want to install. Since this product is so
modular, you can install just the specific components you plan to use. Silent
installation of the terminal server components is possible using Orca to create
your own MST file with the options you want.

After installation you can fire up the Provision Management Console. On the
first run-through it will ask you to make a DSN file that points to your
database. (If this database does not yet exist then it will be created and
configured for the Management Framework.)
Configuration of Provision Management Framework
Apart from the initial installation, all configuration is done via the Provision
Management Console. Some of the individual components have their own options
tab and others share a tab. The first step in the configuration is to add your
servers (via the servers tab). Then you can configure the individual
components.

Let’s take a quick look at each of the modules included in the Standard Edition
of the Provision Management Framework.
Manage-IT
Manage-IT is used to manage a user’s environment (via the native Explorer
shell). This can be done based on a user, group, OU, IP address, client name,
or a combination thereof. Manage-IT manages several aspects of the user
environment, including:
- Assigning applications to the Start Menu, quick launch bar, or desktop
- Locking down the desktop. (Two lockdown templates are included out-of-the-box, and you can further customize your own.)
- Assigning background images and color settings
- Mapping network drives
- Connecting to shared printers
- Configuring logon and logoff scripts
- Management of Softricity Softgrid applications
Configuration takes a bit of getting used to. You basically configure all of the
particular settings that you want in the top part of the screen using the tabs.
Then, you “assign” these settings to a user by selecting a user (or group or
whatever) in the bottom part of the screen and then selecting the configuration
from the top to make the assignment.
Block-IT
Block-IT is a utility that allows you to control access to applications and
hosts. Its configuration is integrated with the Manage-IT configuration.
To control access to applications, you select the folder or files you want to
include in an application definition. Once selected, the hash of each file is
calculated. (Ordinarily Block-IT checks both hashes and full path, although
this behavior can be overridden if needed.) Once you’ve defined these
application objects then you can set permissions on them to allow or deny
access. Unfortunately you cannot change the default message users get when they
try to start a disallowed application.
The other major feature of the Block-IT module is that it can block or allow
access to intranet and Internet hosts. You can define a host via a hostname or
IP address and port number. You can then deny access to these hosts by user,
group, OU, or client device. One of the really great uses for Block-IT is to
block access to certain internal hosts from external workstations.
In both cases you can specify what the default settings for a server will be.
This means that you can, for example, configure it so that unmanaged
applications and hosts are denied by default.
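The application check described in this section, sketched as an added example (it is not Provision's code and not from the original review). It shows why matching both hash and full path is stricter than matching the hash alone, and how a deny-by-default server setting treats unmanaged files. Assumptions: SHA-256 as the hash, and the hypothetical names define_app and decide.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hash(path):
    """SHA-256 of the contents (assumed; the product's hash algorithm is not stated)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def define_app(name, files, allow=True):
    """Hypothetical application definition: a permission plus {full path: hash}."""
    return {"name": name, "allow": allow,
            "files": {str(Path(f).resolve()): file_hash(f) for f in files}}


def decide(path, definitions, check_path=True, default_allow=False):
    """Return (verdict, matching rule) for one launch attempt."""
    digest, full = file_hash(path), str(Path(path).resolve())
    for app in definitions:
        if check_path:
            hit = app["files"].get(full) == digest  # hash AND path must match
        else:
            hit = digest in app["files"].values()   # hash alone is enough
        if hit:
            return ("allow" if app["allow"] else "deny", app["name"])
    # Unmanaged application: fall back to the server-wide default.
    return ("allow" if default_allow else "deny", "default")


def demo():
    """Constructed scenario: approved file, a copy elsewhere, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        approved, copy = Path(tmp, "apps", "tool.exe"), Path(tmp, "profile", "tool.exe")
        for p in (approved, copy):
            p.parent.mkdir()
            p.write_bytes(b"constructed sample binary v1")
        rules = [define_app("Tool", [approved])]
        out = {"approved": decide(approved, rules),
               "copy, hash+path": decide(copy, rules),
               "copy, hash only": decide(copy, rules, check_path=False),
               "copy, default allow": decide(copy, rules, default_allow=True)}
        approved.write_bytes(b"constructed sample binary v1, patched")
        out["tampered"] = decide(approved, rules)  # same path, new contents
        return out


if __name__ == "__main__":
    print(demo())
```

With the path check overridden, an identical copy placed in a user-writable folder still matches the definition; with a permissive default, anything that matches no definition runs.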
Timezones-IT
Timezones-IT is a pretty simple little utility that’s integrated with the other
modules in the Management Framework. When you’re assigning the other options,
you can also specify which time zone the client should use when connecting.
Most people use this based on the client IP address.
Max-IT
Max-IT is the component within the Provision Framework that controls the
resource usage of the CPU and memory. Like some other vendors, Provision uses
a “fair sharing” algorithm. First of all they calculate the "target percent CPU
time" with the following formula:
(100 - Reserved CPU time[default 20%]) / (number of active processes).
This number is compared with the average percent CPU time per process. Processes
whose average is higher than the target percent CPU get their process priority
set to "below normal." Processes with an average below the target keep their
"normal" setting. Processes with an average of zero get an "above normal"
priority.
Max-IT also optimizes memory by rebasing DLLs. In many environments, lots of
DLLs use a hard-coded base address. Every time a DLL tries to load at this base
address, the Operating System needs to relocate the DLL which requires some
fix-up operations. Max-IT analyzes these colliding DLLs and permanently
relocates each DLL and performs the corresponding fix-up operations. Provision claims that
capacity can increase up to 30%.
Metaprofiles-IT
Metaprofiles-IT is a hybrid profile solution that combines the simplicity of
mandatory profiles with the ease-of-use of letting users save their own
settings. Metaprofiles can save and restore user registry keys and folders
within the user profiles. You simply specify which keys and/or folders need to
be saved and restored. You can specify which of these settings need to be
applied to all Terminal Servers or a sub-group of Terminal Servers (called an
Agent Server Group).
In addition to saving and restoring registry keys and folders, Metaprofiles also
lets users save certificates, passwords, and keyboard / mouse settings.
Metaprofiles works by saving settings for all users—there is no option to
specify user groups for specific keys or folders (although you can specify
which groups the Metaprofiles are applied to).
To get Metaprofiles-IT to work you need to configure at least one storage server
(the server where the user settings are stored) within the Metaprofiles-IT
options. (You can also configure multiple servers for load-balancing and
redundancy purposes.)
Redirect-IT
Redirect-IT is a software product that redirects certain registry keys, files,
and folders on a per-session basis for applications that insist on storing
personal settings in common areas. Configuration is simple; all you have to do
is specify the program, the original key, file, or folder, and the new location
(and if applicable whether it should first make a copy of the current folder or
file).

In some ways Redirect-IT is like the Application Isolation Environments in
Citrix Presentation Server 4, although Redirect-IT cannot be used for DLL
files, so it’s not meant for installing conflicting applications side-by-side
on the same Terminal Server.
USB-IT
USB-IT lets you synchronize Palm and Blackberry devices plugged into a client
with Microsoft Exchange or Lotus Domino via the Terminal Server session. USB-IT
requires a small client agent to be installed on the workstation, while the
main USB-IT software is installed on a Terminal Server. You can then add new
devices via the USB-IT Control Panel. (Unfortunately I do not have such a
device so I could not test this component.)
Print-IT
Print-IT is a PDF-based universal driver printing solution for terminal server
environments. Print-IT supports both autocreated client printers and network
printers. Like all of the third-party printing tools, using autocreated client
printers requires a small Print-IT client agent to be installed on the
workstations.

Print-IT can be configured at the workstation or at the server. Currently this
configuration must be done on a server-by-server basis, although Provision
claims that the new version will also allow farm-wide configuration.
Print-IT supports compression, bandwidth management, automatic upgrading of
client software, and custom naming conventions. It recognizes all options (like
trays, paper sizes, margins, double-sided, color, and more) on each printer and
connects these to the autocreated printer objects. Since this product is based
on PDF technology it has a wonderful option called the “PDF publisher.” This
allows you to print directly to a PDF file or to email a PDF of a printout file
to someone.
In addition to client printers, Print-IT also works with network print servers
(if you’re willing to install a small Print-IT agent on your print server). If
you choose to do this, you can use the Print Management tab in the management
console to create Print-IT printers that can then be assigned to users, groups,
OUs, or client devices.
Managing your Provision Farm
At the moment the only way to manage or troubleshoot the Provision software is
to specify a log file for each module on each server. These log files will
then contain debugging and logging information about each component.
Provision is working on a component called Monitor-IT that will collect server
performance and application usage statistics across the entire Terminal Server
farm for reporting, troubleshooting, server sizing, accounting, and
accountability purposes. This module is not yet available though.
Conclusion
Provision-IT delivers a large set of components that extend your standard
server-based computing software product (whether it is from Microsoft, Citrix,
or someone else). Most components are also available from other third party
vendors, so be sure to comparison shop if you’re looking for a specific module.
That being said, the framework also includes some clever components like
USB-IT, Redirect-IT and the host access option within Block-IT that comparable
products don't have. But the real strength of the Provision Management
Framework standard edition is the combining of all these components in one
suite.
It’s a pity that Monitor-IT is not currently available and there are no tools
for troubleshooting the environment. Provision also needs to make documentation
available for every component in the framework. It would also be nice if all
modules were available in the Management Console (which would make all settings
available on a farm-wide basis).
Advantages
- Only product I know of which combines all of these kinds of modules into one set
- All components deliver the most-used functionality to solve your challenges
- Some clever solutions within the framework that other products do not have
- Recently set-up VIP program with some well-known SBC specialists from around the world
Disadvantages
- No documentation for the configuration of the modules in the Framework
- Monitoring is not included yet in the product.
- Some settings (Print-IT and USB-IT) are set on a server-by-server basis instead of on the farm level
Provision Management Framework – Standard Edition
Complete Bundle is USD $59.00 per concurrent user
Individual modules licensed per server ranging from USD $495.00 to $995.00.