The Nine Tiers of Desktop Hell

I started playing Minecraft again recently and I frankly love the complexity of building a new home with multiple levels, different types of foundations, wall types, flooring from different woods, torches and all manner of other decorations. There’s a tonne of work involved building something big and elegant but it only takes one of those bloody creeper monster things to walk over, blow it up and I’m off building it again. Very annoying. You know what I’ve found out? I had too many floors. I faff around putting together a house with so many levels only to realise I just need a small and simple base with some chests to keep my stuff in and a bed. And a sword or two in case those monsters come knocking again.

Tiers suck. Complexity sucks.

I’ve banged on about the problems I’ve encountered with 3-tier architectures on here and at but allow me a moment to wind you back a few years to where my career started because today dear reader – one day there may be two of you – we’re going to talk about End User Computing, Virtual Workspaces, Desktop Virtualisation, Application Mobility or as you may also know it “VEE to the DEE to the EYE.”

Whatever you call the practice of centralising apps, desktops and data the job is the same; broadcast them to any device over any network to any location and get my apps and data to end users quickly and without friction. This will increase employee mobility, security and in turn make businesses and people more productive. That’s generally page one of the requirements and outcomes report but a beautiful vision can quickly become a mirage as the technology selection comes into focus.

Back at Citrix I have to admit that I didn’t take too much notice of what our software sat on. If it was HP servers on top of a NetApp Filer with some Atlantis in the middle well that was just “other stuff” – out of sight and, for better or for worse, out of my mind. I was viewing the projects from a very narrow angle and it was only when customers uttered the words “my Citrix is slow” did I start disproving my software wasn’t at fault – and it never was, by the way.

Now, while working from underneath Citrix at the Nutanix layer, I have a more rounded appreciation for the complexity that sits behind the end user’s screen and let me tell you it’s a world of problems navigated in part by best judgement and in many ways masked by luck.

The Traditional Stack

This picture represents the layers of a virtual desktop and application stack. If you’re not familiar with these let’s break them down into what they do and a give few examples of what vendors you’ll see in each layer.

Delivery Protocol

A delivery protocol is what connects the virtual desktop to an end user device like a thin client or laptop over a network. Smart protocols will also allow things like local printers, USB passthrough and make the desktop look, sound and perform nice and snappy – just like a local desktop. Citrix ICA, Microsoft RDP and Teradici PCoIP are popular examples of protocols in use today.

Secure Remote Access

Secure Remote Access is how users access their desktops and apps from outside of the company network. Typically, this is a virtual or physical network appliance from someone like Juniper, F5, Cisco or Citrix although disruptors like zScaler have come up in recent years. It’s a network security device that will grant or deny access but also enforce various policies along the way so end users access what they need with an extra blanket of security around them. It’s critical this works in a ‘sense and respond manner’ with the next layer otherwise end users might have to choose which VPN to launch or application to use based on where they are. Choices they simply shouldn’t care about.

Desktop & App Delivery

Desktop & App delivery represents connection brokering and desktop image management. These decide what desktops and apps a user can launch or in some cases what they can see upon logon. It also deals with the management of desktop creation, updates and enforcing or working with policies dictated by the Secure Remote Access solution and the Delivery Protocol. Citrix, VMware, Microsoft, Workspot and a host of smaller players flood this market. Nutanix recently bought Frame which is a Desktops as a Service product. Again this part has to work with all the above but also relies heavily on integration with the next layer so let’s move on.

Profile Management

Next up we get into the world of personalising the experience for the end user with Profile Management. This is a centrally managed service that gives all those desktops and applications user-specific settings depending on who logs in. It could be simple things like a desktop background or more complex application settings such as dictionaries in Office. Essentially this is all the personal settings a user will change (and expect to be there!) when they start using their desktop and applications. Pre-VDI this was all saved locally on a laptop or desktop but now we need to ensure a user’s ‘personality’ gets applied to any desktop or app they log on to. Out in the wild you might have come across tools from Ivanti (Appsense and RES in their pre-acquisition lives) to do such a task. We also need to think about what storage platform the user profiles sit on. NetApp tends to be the one I see the most but all storage vendors have a separate NAS platform to offer. It’s no good putting it on a cheap array of disks because user profiles are key to logon times, application performance and application stability.


Virtualisation means the hypervisor. The broker mentioned above has to talk to a hypervisor to instruct it to create and update the virtual machines. This is the engine that runs the desktops and apps so it’s important that it’s able to drive required performance from the hardware and complete tasks such as evenly balancing load across all servers, move VMs between hosts using live migration, restoring VMs to service, make efficient use of compute resources and generally keep the valuable services running and available to the end users. This market is split between VMware, Microsoft, Citrix, Nutanix and several open source hypervisors like KVM and Xen.


Servers provide the hardware compute components. The CPUs and memory are allocated into neat virtual chunks by the hypervisor. This is considered a commodity by most, you can strongly argue the hypervisor is too, but it’s critical that it’s designed and validated with the hypervisor otherwise all sorts of problems will surface causing downtime, excessive patching and finger pointing between vendors. There are dozens of server manufacturers out there from HP, DellEMC, Cisco, Lenovo, Fujitsu etc. The internals are similar Intel CPUs but validating solutions for each one and testing components correctly is still a mammoth task and they all do it very well.


The Storage layer is the enterprise shared storage that gives the hypervisor and thus the virtual machines their ability to move between physical servers – called live migration – but also features such as snapshotting to save the state of VMs or as part of DR. There are probably hundreds of companies out there do this but the main ones would be HP, DellEMC, NetApp and Pure. Sizing this accordingly for a VDI environment is critical as it’s generally the first part of the stack to show up bottlenecks. For 3-tier architectures it has to also be sized for the maximum number of desktops up-front to avoid scalability issues further down the line.

Data Protection

Data Protection refers to backup, rollback or disaster recovery of a VM. If a desktop becomes corrupted or gets deleted by mistake businesses need a quick way to restore it back to service. In architectures that require two or more data centres for availability disaster recovery scenarios also fall under the Data Protection layer. Think of this as disaster recovery from VM to site level. VEEAM and Commvault are common examples of tools that can provide this advanced functionality over and above any native snapshot tools in the storage layer


Networking is a huge area. At this layer in the EUC stack we’re referring to visualising, segregating and securing network traffic between subnets or networks, including the internet, and the virtual desktop and application servers. Most organisations will do this using firewalls running from within the VMs like Windows Firewall or on the outside of the datacentre using purpose build firewall appliances from the likes of Palo Alto Networks. The issue here is VM can be compromised from the OS, especially Windows, and a perimeter firewall will only operate as the doorman checking names at the door. It won’t keep checking what’s coming into or out of each VM. This is where tools such as VMware NSX have used Microsegmentation to provide VM level firewalling.

There are obviously a load of other bits within the desktop image itself to consider but I’m going to put that to one side as that’s a science by itself and your attention span is already being challenged by my awful writing style. To be honest I’ve named so many different vendors up there I hope you can see where the cost and complexity can quickly come into play. Imagining all the combinations of layers and vendors and deciding which ones will play nicely with each other – while giving that expectant user the best desktop possible – is a very daunting task indeed.

Sadly it’s a common headache.

I’ve worked with many customers where all 9 layers are from different vendors each with their own management, support contract and in some unfortunate cases their own agendas. Getting the technologies to line up for the benefit the end user was an everlasting experience many would prefer to avoid. Even when some tiers were consolidated on things like vBlocks the stars would still lose their alignment due to patches at one tier having to wait for validation at another. The goalposts were always moving and just when one part was completed another would need attention. It actually looks and behaves like a game of Jenga and is no less frustrating to play at times but then again I’m crap at Jenga.

When I saw Nutanix for the first time back in early 2014 the first thing that struck me was what a good fit it was for Citrix customers and over the last few years both companies have worked together to make end user computing an easier and more predictable workload to deploy.

The Nutanix+Citrix Stack

Let’s take a look at what those 9 tiers look like when only Nutanix and Citrix are involved.

Before we get into the guts it’s important to say that neither of us are removing the need for any of those layers but now but they are delivered together, by just two vendors, without complexity and friction.

In short the top bit is designed and engineered to work with the bottom bit which is a huge step forward vs the home-brew method you saw earlier.

No more guesswork and certainly no more finger pointing between vendors or, worse still, internal teams.

Citrix takes care of the delivery protocol through to the user profile management and Nutanix the virtualisation down to the VM network security. Each part shaking hands with the next.

Let’s look at the layers again and see what Citrix and Nutanix bring to this now unified stack.

Delivery Protocol

ICA is widely accepted to be the pinnacle of Delivery Protocols. End user experience is what separates Cirtix from all others in their space. Over the years they’ve lead innovations for low latency networks, virtualising highly graphical applications and offering this on a multitude of client devices. All the features and functionality of ICA were branded HDX but to the hardcore, like me, it’ll always be ICA. First reader to comment on what ICA stands for wins some stickers.

Secure Remote Access

Citrix ADC or, as the T-shirt I have from 2005 says, NetScaler was a massive and positive acquisition by Citrix to move into the networking market. This is a physical or virtual appliance that provides secure policy based access to networks, desktops and applications. It works so seamlessly with the rest of the Citrix suite it’s effectively a set and forget. Did you know Sunil Potti, Nutanix Chief Product & Development officer, used to run the NetScaler engineering teams for Citrix?

Desktop and App Delivery

Citrix Desktops and Citrix Apps used to be called XenDesktop and XenApp and before that Presentation Server, Metaframe (when I started), WinFrame, WinView, Multi-win, Citrix Multiuser… They’ve been doing end user computing since 1993 and have considerable pedigree to say the least. As with ICA, this is the best platform for managing and deploying a wide variety of desktops and applications to end users. The same design-first thinking the end users benefit from is felt by the administrators on the backend as the platform is easy to use even with minimal training.

Profile Management

Citrix integrates their own Profile Management tool as part of Citrix Apps and Desktops. This is cunningly called Citrix Profile Management. It has a utilitarian name because it’s frankly a great utilitarian product with little fuss to be seen. Profiles are managed and maintained centrally with a simple policy ran from with the Citrix broker and applied to Desktops an Apps. These are also called upon via Citrix ADC to enforce or adapt settings depending on user location.

Another component of the Nutanix piece is the introduction of Nutanix Files. Don’t confuse this with the recently re-named Citrix Files (formerly ShareFile) although they can work together. This is a distributed virtual filer for user profiles and home directories to sit on the Nutanix cluster. No more separate NAS to support and manage. One benefit customers might see is faster logon times simply because the user profile aren’t coming from a constrained NAS and over time the data will be localised meaning files are read at bus speed rather than over the network.

Again, Citrix deals with the actual user profile management between desktops – critical for the success of any EUC project – and Nutanix provides the scalable and highly available distributed file system to host them.


The Nutanix underpinnings for our EUC stack begin with the Virtualisation layer. AHV (Acropolis Hypervisor) is unique to Nutanix with its roots in open source KVM. Back in 2015 Nutanix took the engine and important guts of KVM and layered on a fully distributed control plane to simplify the management of a previously tricky, but highly stable and robust hypervisor. Joint support for all Citrix EUC applications means every Citrix component we’ve discussed is fully supported and backed up with best practice guides. Admins benefit from the simplicity of AHV while also using it as the single management portal for all Nutanix software. I like to think of AHV as being the way virtualisation would be done today if we had to start again. Modern, lightweight and purpose build for all workloads.


Hardware platforms haven’t changed that much from the 3-tier example we looked at earlier with the exception that Nutanix personally certifies each platform and the components used. The big architectural difference is we use the locally attached disks to form the shared storage rather than just using them for compute. Nutanix ships their own hardware with various Intel and commodity components inside them. Customers can also chose servers from OEM partners DellEMC and Lenovo or certified platforms from HPE and Cisco. The insides of all hardware platforms are subject to our own stringent testing so the experience for the end customer is the same as is the software and choice here is only a positive.


Storage is the easiest conversation we’ll have in this blog because Nutanix storage management is as close to hands-off as possible. Nutanix brings all the benefits of enterprise shared storage into what’s called a hyperconverged appliance – virtualisation, compute and storage together. All the disks in each server form one large storage cluster which is then presented to the hypervisor as shared storage. All administrators need do is turn on efficiency policies for compression and dedupe. That’s it. For customers this means storage administration is reduced to mere minutes, if at all, and they retain everything they had before such as live migration, dedupe, compression, thin provisioning and snapshots. The Nutanix software takes care of all the typically manual or intensive tasks in the background so virtual desktop and apps are fast, efficient and always available. Needless to say this supports provisioning technologies such as MCS (and PVS if you’re so inclined).

All workloads benefit from predictable performance and linear scale because the Nutanix architecture but this is especially useful in EUC because end users will detect the slightest change in performance long before you do. All worries should be put to bed and it’s thanks to the unique and patented beauty of Data Locality. This simple concept of keeping the hot data on the same node as the VM requesting it means that we can confidently state how many desktops per node, what their performance will be and then no matter how many desktops we add to the cluster over time the user experience will remain consistent. I can’t stress how unique and important this is. It makes it very easy to predict cost per user as well of course!

It’s pretty cool that Nutanix designed a platform with this feature at its core. Nearly 9 years later it’s still the biggest advantage we bring to our customers.

Data Protection

Data Protection on Nutanix covers both data availability within the local cluster to withstand hardware and software failures and also how the data is replicated between clusters for disaster recovery purposes. For persistent desktops these can be replicated between geographical clusters by adding them to protection domains. These are groups of VMs treated to a scheduled snapshot and replication policy. For non-persistent desktops the master image can be snapshot’d (is that a word yet?) and replicated to another site. This can be used to maintain a single gold image in an active active scenario. Nutanix can also replicate many to many so for customers with several datacenters a DR plan can be in place to match business requirements. To simplify DR further, Nutanix have demonstrated an up-coming runbook feature that will automate failover and DR between sites. Using Citrix ADC to front the remote connections users can get load balanced to the right location for reasons of availability or proximity. Smart, huh?


We can’t discuss any form of EUC without touching on security. One of the biggest reasons to centralise desktops and data are to give organisations more control over who can access certain resources. However simply moving desktops into your datacentre doesn’t mean there isn’t more to do.

Nutanix released a product called Flow earlier in 2018. This is network micro-segmentation tool native to AHV and adds a layer of security that’s quickly becoming the norm. Remember that the vast majority of malware and attacks come from within the network and if a customer is planning to centralise thousands of desktops back into the datacentre it’s even more important to take a long hard look at what VMs can talk to what services. The last thing you want to centralise is a trojan horse. End users aren’t stupid but everyone can get tricked with a dodgy link or open a file they shouldn’t.

Flow is a simple, transparent VM based firewall that will gracefully lock down and secure communications to and from any VM running on the cluster. Set once via a policy and you’re done. Admins can also use this to view network communication down to the port level so if a VM does get infected or some other rouge element on the network tries to do unsavoury things it’s easy to spot. Note this all works on a whitelist so you only open the doors you want your users to walk through.

But there’s more…!

Let’s take a closer look at some of the other integration on the Citrix side starting with Citrix Director. This is where the majority of Citrix troubleshooting and performance information is kept. How is ICA performing, what about the logon times and their breakdown? What processes are hurting that formerly perfect desktop deployment? Nutanix adds VM IOps, storage bandwidth and storage latency into Director so desktop admins have a detailed view of the stack from top to bottom. We don’t expect to be the source of the problem but it’s good to see where the problem is not, right?

In Citrix Studio, where desktop groups are created and assigned, you’ll find Nutanix as a new host connection where we become a new platform to connect to – this is to support AHV. Simply install the Nutanix plug-in onto all the Controllers and you’ll then be able to select Nutanix AHV and connect to the cluster VIP before starting to provision desktops and apps. As you can see in the pic below we’re using the Provisioning SDK that in turn talks to our Rest API. Very simple and invisible to the customer.

One of the latest innovations from Citrix is being able to remove the need for any on-prem Citrix management components. As an option, customers can chose to use Citrix Cloud to host Studio, Director and StoreFront and all the other sub components like SQL. The pains of managing and maintaining that infrastructure are offloaded and delivered back as a service and we’re seeing a lot of take up for this on our side.

If customers chose Citrix Cloud rather than building the management servers themselves deploying desktops to the on-prem Nutanix Cluster is exclusively done using Machine Creation Services. If you believe the rumours MCS has all sorts of scalability issues but this simply isn’t accurate. It didn’t scale when using a SAN because, being storage based, it could only perform well while the SAN wasn’t under stress or heaven forbid serving more desktops that it was designed to – ya know, unpredictable scalability…

The really swish part comes when customers want to spin up more VMs for things like seasonal events such as Black Friday that require more desktops but maybe for a short period of time. I’ll be the first person to tell you that buying more Nutanix nodes for a temporary requirement is a waste of money so why not use a public cloud for those elastic workloads? Citrix Studio connects to Azure and deploys desktops and applications just as easily as they do to an on-prem Nutanix cluster. That hybrid cloud story you’ve been hearing about is already here.

Here are a couple of pictures to illustrate what I’m talking about:

So what are we really doing here?

I’ve spent a lot of time talking about two technology companies but EUC, or whatever we settle on calling it, is about people. Get a desktop experience wrong and your project will fail. End users will push back and ask for the big clunky physical desktop again. Users don’t want to be exposed to technology unnecessarily they simply want to embrace the outcome of a well managed and well presented end user experience.

To me, this is the most impressive achievement Citrix and Nutanix have built together. To ensure user experience is fast and consistent for users and to allow organisations to build smarter, work smarter and keep the wizard’s curtain closed.

Cheers all – and by all I mean just you.



“This blog was proof read and approved by K.Baggerman :D”

1 Comment

  1. Chris Marks

    Great blog Dave, really enjoyed reading it. Focus on the user is fundamental. Simplifying the stack to make that easier is essential -you’ve hit the nail on the head there.

    ICA=Independant Computing Architecture BTW 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2021 Nutanix Noob

Theme by Anders NorenUp ↑