
Tricerat Simplify Suite V5

Introduction

One of the latest trends in the IT infrastructure arena is the search for a central management tool that covers all of the different platform choices out there, such as Terminal Services, workstations, laptops and VDI. Besides central management from the IT perspective, there is a big user demand to have the same configuration regardless of the platform the user is connected to. For example, the user would like to have the same settings in his Word application as configured on his fat client while working at home on the SBC infrastructure. For Terminal Services such management tools have been available for some years, and these products are nowadays appearing for other platforms such as VDI and workstations. I always call such products Desktop Management Products, because they mainly manage the desktop user environment. The products in this category are all comparable with each other, but each has its own unique features and characteristics. The Tricerat Simplify Suite is a good example of such a product, and really stands out with features that are pretty unique for this category.

According to triCerat, their uniqueness lies in how they determine their feature set. triCerat is first and foremost in close touch with their primary users: the System Administrators and end users who work with the various application delivery strategies. By listening and paying attention to their clients, they have learned there was a need for products that not only prevent known system limitations but also maintain and improve the end user's experience. By targeting everyday problems that exist within any application delivery strategy, triCerat has been able to develop software that eradicates these problems. Now in its fifth version, triCerat calls this software the Simplify Suite V5.




This new version has the following new features:

  • Windows 2008 support
  • Workstation/VDI support
  • Concurrent Licensing
  • Add Files and Folders Support to Simplify Profiles
  • New File Operation object
  • Online license activation from License Manager
  • Folder Redirection Enhancements
  • More robustness, stability and scalability

Installation

The installation of the Tricerat Simplify Suite consists of one executable which actually holds an MSI file. The suite needs to be installed on each Terminal Server and/or workstation on which you would like to use the software. This software component uses the configuration and settings specified in a central database. So the tool does not have a traditional client/server model, but only a combined client/server part on every system the software is installed on. Tricerat supports Microsoft SQL Server only. For small or test environments SQL 2005 Express can be used, but it is advisable to use a dedicated MS SQL Server 2000 or 2005. The database can be created before the installation is started (for example by the database administrator) or during the installation of the first server.

The installation wizard starts with the license agreement and the location where the software needs to be installed, followed by a warning for those who upgrade from Tricerat Simplify Suite 4 that they should update all servers at the same time, because the database upgrades are incompatible with the earlier versions. You can also decide which components you would like to install, based on the main components of the suite.

Figure 1: Choosing database server for the Tricerat Product

As mentioned, the installation will ask you to provide the SQL server and the logon ID. If this is the first server, the database will be created automatically (provided the specified user has enough rights). When a database already exists, the server will be added to the configuration. Because of this behavior the database must be named exactly as the software product expects, so there is no possibility to use your own database naming convention. The software also cannot be installed from a network drive, so the installation file should be located locally on the machine itself. For fault tolerance and multi-site setups Tricerat supports a SQL clustered environment (the product needs a connection with the database to function).

The console of the product is installed together with the other software parts, but you can also install the console separately on a specific management workstation or server.

The MSI file installation supports an unattended installation using MSIEXEC parameters when using the full SQL product (unattended installation with SQL Express is not supported). This is definitely a plus point for the product. After the installation no reboot is required for the Terminal Servers; a reboot is only required when you upgrade the product. Workstation operating systems do need to be restarted after the installation.

Tricerat Simplify Console

Especially for a Desktop Management product it is difficult to create a console which is easy to understand and administer. TriCerat has taken a different approach with their console than most other manufacturers. When you see the Simplify Management Console for the first time you really need to get used to it. The console consists of several panes, three of which are visible at most times. Together, these three panes are used to configure the user environment. The rightmost pane is called Objects, and consists of "objects" which represent components (applications, printers, etc.) in your environment. You create and configure objects, which are then applied to your infrastructure and users. Your infrastructure is represented by an Owners pane, which, by default, appears as the leftmost pane in the console. Entries in the Owners pane consist of items in your Active Directory environment, local users and groups for the server, and optional custom computers which can be created through the use of IP addresses and IP address ranges. The application (or "assignment") of objects to users, groups, computers, OUs, etc. is accomplished by selecting a row (i.e. an owner) in the Owners pane, and then dragging objects into a third pane, the Assignments pane, which typically appears between the Owners and Objects panes. The Assignments pane is used to display and/or change the set of objects which have been applied (or "assigned") to the owner currently selected in the Owners pane. As mentioned previously, this approach is somewhat different from other Desktop Management products, but you will soon grasp the nature of the configuration process.

Figure 2: Simplify Console

Configuration

When Tricerat started, they first released several different products, which are nowadays combined into the Tricerat Management Suite. This can be seen in the naming of the components, which reflect the names of the previous separate products. This partitioning into components cannot be found in the console, but for this review I follow this component structure to explain all the possibilities.

Simplify Profile

The first component is called Simplify Profile. This is Tricerat's solution for the profile challenges found in many infrastructures: a hybrid profile solution that lets users keep their settings while normally giving a quicker logon and logoff process and making profile corruption issues a thing of the past.

Tricerat uses the default methodology of specifying which registry keys should be saved and restored. In the object pane you can browse through the registry of the machine and your user account to specify which keys and values you would like to be included in the hybrid profile of the users. If the key does not exist, you can create one yourself. You can create an object and connect more save/restore actions to this object. Normally only user profile settings (HKCU) are saved and restored using a hybrid profile, but Tricerat also has the possibility to do the same for HKLM settings. After asking Tricerat it appears that this functionality is built for some specific customer wishes, but can be used for the local machine registry. Of course this should be done with care, because those settings apply to all users on that system.

Figure 3: Setting Registry Settings for the hybrid profile.

Besides saving and restoring settings, this part of the software can also be used to delete keys and set values in the registry. The set value option sets the value every time the user logs on; if you would like to set a setting once, you can define it as the starting value within the save/restore option. The users' settings are all stored in and loaded from the Tricerat database. The tool trireg is included with the product. With this tool the registry settings available in the database for every user can be viewed, removed and changed if necessary.

The second part of the hybrid profile solution is the user profile folders. These folders also contain personalized settings. Tricerat chooses to use folder redirection to a network share to store the settings. This is set up in the Windows Policies - Folder Redirection component. Within this part you can select which user profile folders you would like to redirect to which locations.

Actually this is the normal operation of a hybrid profile solution, but Tricerat mentions several other functionalities within this component. I personally would categorize those with Simplify Desktop, but for consistency I will mention them here.

Most of these configuration options are also available within the Windows Policies part. Besides the folder redirection you can set here:

  • drive mappings: in basic environments you would configure these using a login script via Active Directory. The configuration is simple and easy: specify a drive letter and a UNC path;
  • drive restrictions: here you can easily configure which drive letters should be hidden and/or should not be accessed by the end user;
  • explorer: with this option the functionality of the explorer can be customized/restricted with settings which can also be configured with group policy objects.

Figure 4: Drive Restrictions

New with Simplify Suite version 5, and closely connected to the functionalities described above, is the File Operations feature. This feature allows files and folders to be copied or moved from one location to another, or renamed. These actions can be performed at logon or at logoff. If specified at logon, there is also an option to write the file or folder back to its original location at logoff. You can specify any location you like, and Tricerat provides some standard variables for the most used locations. Personally I think this is a great new option that adds value to the product.

Simplify Printing

The second component is one of the unique selling points of the Tricerat Management Suite. This is the only desktop management product that also includes a Universal Printer Driver product. The Simplify Printing product supports both client printers and printing via print servers. For client printing a client installation is required, because Tricerat's solution reads the printer driver properties from the client and maps those to the mapped printer within the session. Tricerat guarantees that the driver is 100% compatible with the options of the manufacturer driver located locally on the client. The suite also offers the possibility to use the universal driver for print server connections (this is only supported by special third party printer products). The ScrewDrivers solution also compresses the print job.

To accomplish that, the ScrewDrivers Print Server agents need to be installed on the print server. This is a simple MSI with a very straightforward installation process. When that part is available, the print server needs to be queried from the console to search for available printer queues. These printers will be displayed within the object created on v4 Print Server Printers. These printers can be assigned to the users within the middle pane. Tricerat offers three options here for the assignment of those printers, which I really like. Printers can be assigned as:

  • Admin Assigned: These printers will be connected to the user within the session and the user cannot remove them. Printers assigned this way will always be shown in the user's session.
  • User Allowed: These printers will not be connected within the session, but the users can select these printers from the User Assigned Printers (UAP) application to connect them in the session.
  • User Assigned: These printers will be available in the session when the user logs on, just like the admin assigned printers. The difference from admin assigned is that user assigned printers can be removed from the session by the user if necessary, using the UAP tool.

Figure 5: Assigning Printers

Simplify Printing also supports saving documents to a PDF or BMP file, so there is no need for an additional PDF writer product. This feature can also push that file to the client machine: sort of a short term solution to print to a Mac or Linux client.

Simplify Desktop

By default Windows uses explorer.exe to provide the user with a shell. Within this shell the users have lots of options to access resources you would not like to provide to end users on a Terminal Server. Of course you can use policies to lock down the Windows desktop, but you can also use an alternative shell provided by some of the Desktop Management software. Such a shell offers a very secure environment and most of the time offers specific functionality for the end user to control the workspace. However, there are some applications that require the explorer shell to be available, so such an alternative shell is not suitable for all environments and applications. When it is possible to use the shell, I would definitely recommend it. Tricerat is one of those products that offer an alternative shell, and calls their shell triShell. The type of shell is the only setting (as far as I know) that is configured directly in the middle pane, at the shell option. You can inherit the setting from a higher level or choose triShell, explorer or no shell for each user. This last option means that this specific owner cannot log on to the environment. Below this you can configure the shortcuts for the desktop, quick launch, startup and Start Menu. The application shortcuts are defined in the object pane, which I will cover a bit later in this paragraph.

Figure 6: Configuring Shell Configuration

First I want to continue with the configuration of the shell settings. This part is again configured in the right pane and offers the possibility to configure the appearance and available options for the desktop, start menu and the taskbar. The desktop tab offers general options to configure the colors, wallpaper, display of desktop icons and arrangement of the icons. But this tab also offers some very cool options which are on every system administrator's wish list. Good examples are the options to allow or disallow users to rearrange the icons on the desktop and the possibility to specify what a user can or cannot store on the desktop, such as document shortcuts, documents or executables (one additional option to specify the maximum size of the file and this option is perfect). Besides the desktop, several settings are also available for configuring the start menu and taskbar. The most commonly configured options, which should be available in desktop management software, are available for configuration. It is a pity that there is no option to load ADM templates to configure more similar options. I prefer to set this kind of setting in one place, preferably in the Desktop Management product, so all the configuration is done from one console.

I already touched on the option to assign application shortcuts to users through the shell configuration, via the start menu, quick launch, startup or desktop folders. For that, the application shortcuts need to be created in the objects pane. For each object an executable can be specified with all the necessary and logical configuration settings. With the sorting rank the application's location in the list can be configured. Some limits can also be configured for the number of times the application can be started (per session or per machine). Besides this part, the application object has three more tabs. The signatures and trust list tabs will be described in the paragraph Simplify Lockdown, while more information about the stability tab can be found in Simplify Resources. It is a pity that there is no direct connection between the configured registry settings and the application shortcut configuration. Technically this is not an issue, but from a central viewpoint it would be nice if all corresponding information could be viewed at one central location.

Figure 7: Configuring Applications

Simplify Lockdown

One of the most important tasks is to guarantee a stable Terminal Server, because multiple users are working together on the same servers. If one user causes a problem, other users can also notice this problem, and in a worst case scenario one user can cause a server crash and all users on the same server will lose their work. Therefore in Terminal Server infrastructures there is a big need to control which applications are started and can be started. Tricerat offers such functionality within the component Simplify Lockdown.

The lockdown has several working modes, which, just like the shell configuration, are set directly within the middle pane. The available options are:

  • Inherited Lock down mode: The settings for the simplify lockdown are inherited from a higher level.
  • Use Trust List: The applications and/or executables (and the optional specified Child Trust List) in the Trusted list are allowed to start within the user session. Applications not specified are not allowed to start.
  • Use Banned List: All executables can be started except the ones that are specified in the banned list.
  • Learn Mode: No applications or executables are blocked using this option, but all started applications are compared with the banned or trusted list, and any conflict with a started executable is logged. The logged applications can be imported into the tool using Import Learn Apps from the Tools menu. The applications/executables will appear in the Objects pane below applications. From there the executables and/or applications can be assigned to the banned or trusted list of the selected owner in the middle pane.
  • Don't use Lockdown: Pretty obvious what this option does. The specific owner does not have a locked down desktop and can start all applications (if other rights permit, of course).

Figure 8: Configuration of Simplify Lockdown

As already described, the allowed or banned applications are selected from the objects pane, where they can be created manually or imported from the learned application log. Specifying only an executable leaves room to trick the system, by replacing the executable with another application or by renaming an application to an allowed executable name in another directory. To prevent this kind of trick the lockdown component has the Signatures tab. On this tab the path can be included (so starting the same application name from another directory is not possible) and a hash of the file can be used (so the application cannot be replaced by another application). On the Trust List tab you can specify whether the application is allowed to start other executables and, if so, whether all trusted applications are allowed or just a couple.
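
The effect of the signature settings described above, as an added example (not Tricerat's code and not part of the original review): a trust-list check that compares an entry pinned by name only, by name and path, and by name, path and hash against a renamed copy and an in-place replacement, plus learn mode. The Signature class, the mode strings, the sample file names and SHA-256 as the hash are assumptions; the review does not say which hash the product uses.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    """Hypothetical list entry: executable name, optionally pinned by path and hash."""
    name: str
    path: Optional[str] = None    # full path the executable must be started from
    sha256: Optional[str] = None  # content hash (SHA-256 is an assumption)


def file_sha256(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def canonical(path: str) -> str:
    # Resolve links and relative parts; fold case on case-insensitive systems.
    return os.path.normcase(os.path.realpath(path))


def matches(sig: Signature, candidate: str) -> bool:
    """True only if every attribute pinned in the entry matches the candidate file."""
    if os.path.basename(candidate).lower() != sig.name.lower():
        return False
    if sig.path is not None and canonical(candidate) != canonical(sig.path):
        return False
    if sig.sha256 is not None and file_sha256(candidate) != sig.sha256:
        return False
    return True


def may_start(mode: str, entries: List[Signature], candidate: str,
              learn_log: Optional[List[str]] = None) -> bool:
    """Apply one lockdown mode; learn mode never blocks, it only records misses."""
    listed = any(matches(sig, candidate) for sig in entries)
    if mode == "trust":
        return listed
    if mode == "banned":
        return not listed
    if mode == "learn":
        if not listed and learn_log is not None:
            learn_log.append(candidate)
        return True
    raise ValueError(f"unknown lockdown mode: {mode}")


def run_scenarios() -> Dict[object, object]:
    """Build constructed sample files and evaluate each entry strength against them."""
    results: Dict[object, object] = {}
    with tempfile.TemporaryDirectory() as root:
        approved = os.path.join(root, "approved", "editor.exe")
        renamed = os.path.join(root, "userdata", "editor.exe")
        for path, content in ((approved, b"constructed approved binary"),
                              (renamed, b"constructed other program")):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as handle:
                handle.write(content)

        entries = {
            "name": Signature("editor.exe"),
            "name+path": Signature("editor.exe", path=approved),
            "name+path+hash": Signature("editor.exe", path=approved,
                                        sha256=file_sha256(approved)),
        }
        for label, sig in entries.items():
            results[("approved", label)] = may_start("trust", [sig], approved)
            results[("renamed copy", label)] = may_start("trust", [sig], renamed)

        # Replace the approved file in place; only the hash-pinned entry notices.
        with open(approved, "wb") as handle:
            handle.write(b"constructed swapped-in program")
        for label, sig in entries.items():
            results[("replaced", label)] = may_start("trust", [sig], approved)

        learn_log: List[str] = []
        strict = [entries["name+path+hash"]]
        results["learn allows"] = may_start("learn", strict, renamed, learn_log)
        results["learn log"] = [os.path.basename(os.path.dirname(p)) for p in learn_log]
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(scenario, "->", outcome)
```

A hash-pinned entry has to be refreshed whenever the approved executable is patched, otherwise the updated file is blocked in trust mode.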

There is also a possibility to change the messages displayed when a user tries to launch a blocked application using the Customize Lockdown Messages within the Tools menu.

Simplify Resources / Stability 

The last component within the Tricerat Simplify Suite is the Simplify Resources or Stability component. With this component the CPU and Memory resources can be controlled. First take a look at the CPU possibilities. There are several ways to control the CPU resources, but three methodologies are the most used:

  • Fair Sharing: This technique divides the CPU resources equally between the processes. It does not prevent the CPU from being used at 100%, but takes care that no single process can claim all CPU resources.
  • Lower Priority Level: This technique lowers the priority level of the process that is causing the extensive CPU usage, so it will have less access to the CPU resources.
  • Clamping: This technique puts a hard limit on the CPU usage if the process is using more CPU resources than configured. In other words, the process cannot use more CPU resources at that time than configured in the clamping configuration.

Most Desktop Management products have one of these three methodologies embedded in their product, but Tricerat uses two of those techniques in their product, which is pretty unique. There are also some additional advanced resource management options available in the product. Within the stability part in the objects pane you can configure the default settings which should be applied. On the first tab, General, the component itself is configured, such as the time to wait before the service starts monitoring resources (so startup processes are not interrupted by the stability services) and the times at which the product checks for changes. The next tab covers the CPU management configuration. The Default Priority Management is the suite's implementation of the lower priority mechanism. The settings which can be configured are the threshold (CPU level and interval) at which the lower priority rule should be applied and the threshold at which the process gets its default priority level back.

The clamping technique is called System Stability CPU monitoring. Again you can configure the threshold (CPU level and interval) at which clamping starts and the same settings for when clamping releases the process. A supermax limit can also be configured. When this limit is reached, the processes clamped by the stability option are clamped even a bit more, so the total CPU usage is lowered below the configured threshold.

On the Memory Management tab a maximum level of memory usage can be defined which can be used by the application. If the threshold is reached the following options are available:

  • Send Alert: a log event will be created about the memory usage
  • Terminate Application: the application will be closed and if it is a service the service will be restarted

Figure 9: CPU configuration

The stability tab is also available per defined application executable. On this tab you can set different settings for the application. The same settings are available for the CPU configuration, but there is an additional option to define a maximum and minimum priority level for the application. The CPU Limit Override and maximum memory usage can also be defined on a per-application basis on this tab. In addition you can limit the CPU of the application so you can investigate the memory usage of the application. If you enable specific settings per application via the stability tab, you need to assign the application to a specific owner in the assignment pane, under the option application resources. If the application is not added to the start menu, desktop or quick launch options, you need to assign the application to application resources to enable the stability options configured per application.

To summarize: by giving Users a triShell instead of the Explorer shell, the Administrator has complete control over the configuration and programs (Objects) that a User may access, resulting in a very secure Desktop and Session. By configuring and using the Simplify Lockdown product, the Administrator can ensure that only the programs assigned to the User can be executed and close any "back doors" that clever Users may find. By configuring and using the Simplify Resources product, the Administrator has control over the CPU and memory resources of the Server and can ensure that no single program can consume all available resources.

Delegation of Control

Tricerat also offers the possibility to delegate control within the console. To accomplish this, security should be enabled in the options menu of the console by specifying an XML file which holds the configured security roles. After enabling this option, the roles can be assigned within an additional MMC. This works by creating a role based on task definitions. When the role is created, it can be assigned to a group within Active Directory. As displayed in the figure below, the tasks are pretty detailed, so you can configure pretty specific roles.

Figure 10: Delegation of Control

Management

Within the console there are several options available to manage the environment. Most of these options are available within the Tools menu. For example, there are the so-called external tools to see the differences between registry changes (RegDiff) and to easily migrate the current roaming profiles to Simplify Profile (Simplify Migration Utility). RegDiff can also be used to view the registry settings that are saved for the user in the database. If needed, the settings of the user can also be changed via this utility (a very good feature).

From the same Tools menu there are also options to display:
- the users running in Learning mode;
- the applications which are denied to start (log of applications, which are disallowed to start by end users).

The last very useful option within the Tools menu is the option to find available applications (Find Apps to Import). The tool searches the specified location and displays all available executables. After the search, multiple applications can be selected and added to the objects pane with a single mouse click.

Also, when delegation of control is configured within the console, the audit option is available to show which configuration changes were made by whom at a specified time.

The product shows in the second column of the assignment pane that a setting is inherited from a higher level and from which assignment this setting is inherited. For a more detailed overview you can use the reporting option available at the owner pane. The reporting function requires Crystal Reports files (which are freely available and included in the product).

Tricerat has another unique feature in progress called Simplify Visibility. With Simplify Visibility it is possible to monitor hardware resources. It is a pity that this option is not available right now in this release, but according to Tricerat it will be available in the first half of 2009.

For troubleshooting purposes you can enable extensive logging for several components.

The Suite in action

Of course all these configuration and management tasks serve one final goal: to provide the users with a consistent and secure user environment. In the figure displayed below you can see an example desktop from the end user perspective. The configured start menu, desktop icons and start menu are displayed. It would be nice if there was an option for the end user to add icons to the quick launch, for example in the same way as the printer assignment. The printer utility for the end user is displayed and I think this is the way to assign printers to the end user. Finally, I also displayed the (default) Simplify Lockdown message shown when starting an application which is not allowed to start.

Figure 11: The Simplify Suite in action

Conclusion

It is striking that every Desktop Management product has its own characteristics. Tricerat is no exception to this "rule", with their Simplify Printing solution with excellent management options, extensive CPU management and their very own console. In my opinion Tricerat made the correct move in also supporting workstations within their suite, because those systems are growing closer to each other (especially with the VDI products). The improvements and new features made in this version are really an added value. Tricerat also offers very usable functionalities which are not available within other products; the best example is the ScrewDrivers functionality (which is also implemented very well). Other well implemented features are the extensive CPU management options, deleting or editing profile settings per application per user from the console (avoiding deleting entire user profiles), assigning settings based on IP addresses (ranges), auditing possibilities and additional utilities included to integrate the solution, like learn mode, the migration utility and RegDiff.

Of course there are also some improvements possible. Personally I would like to see the possibility to add ADM templates, so the complete user configuration can be done in one place, and I would love to give the user some more options so they have the feeling they can adjust the desktop to their needs. I'm also looking forward to the Simplify Visibility part, because it will be (as far as I know) pretty unique to have a monitoring component available in the desktop management environment.

Advantages:

  • Most extensive options for CPU management (both clamping and priority methodologies);
  • Product is definitely more stable than previous versions;
  • Very strong Printing implementation with all options available.

Disadvantages:

  • User Experience can be improved by allowing the end user to change the desktop a bit more;
  • User Management cannot be done completely within the Simplify console (user based GPOs are still necessary);
  • Product relies completely on the availability of the database.

About the Author

Wilco van Bragt is an independent consultant and author based in the Netherlands. He is the owner of the Server Based Computing and Virtualization website called VanBragt.Net Virtualization, where he publishes several articles related to Terminal Services and Virtualization topics as well as product reviews. In addition, Wilco van Bragt presents at several independent conferences and writes articles for several other websites. Wilco van Bragt is self-employed (VanBragt.Net Consultancy), providing consultancy services in the Netherlands and Belgium. Wilco van Bragt is an MVP on Terminal Server, a RES Valuable Professional, a Provision Networks VIP and a Citrix Technology Professional.

About Tricerat

triCerat is a Citrix Ready Technology Partner, a Certified Microsoft Partner, and VMWare Technology Alliance Partner. These critical industry alliances ensure not only the benefits of today's technology, but the compatibility for longstanding service in the future. Along the way, triCerat has created partnerships with 350 value-added resellers, consultants, and systems integrators as well as with 7,000 licensed customers worldwide. After ten years in the business, triCerat has experienced rapid growth yet maintained the privately owned and operated atmosphere of a company that is determined to stay on top with true staying power.
