After spending a couple of days now with the best Citrix User Group in the world! (cugtech.no) I wanted to publish this blog post which was based on one of my sessions, which was about Citrix Cloud Gotchas. I got some personal feedback after the session because they felt like I delivered my honest feedback about the product in general and the current limitations, what works and what I feel that Citrix needs to improve on the product itself moving forward which I want to the blogs to focus about. Now the focus of this blog post is on the XenApp and XenDesktop offerings on Citrix Cloud, have another one on Analytics coming a bit later. Now some interesting fun facts about the backend architecture.
Backend:
Communication between the Control Plane and On-premises is done trough Cloud Connectors. The Cloud Connectors are just Windows Servers installed with that specific component. Most of the backend services are running on Microsoft Azure and using a combination of App Service, Service Bus, Storage Blog and Virtual Infrastructure. The Control Plane is now available either in the US, EMEA or Asia Pacific, and the NGaaS Service is available in 12 regions worldwide and uses a form of GSLB with proximity to route users to the closest region. Because of the Service Bus architecture the cloud connector acts as a Service Bus Subscriber and listens for jobs from the control plane, therefore the Cloud Connector doesn’t need any public IP since traffic is never initiated from the Citrix Cloud down to the Cloud Connectors. Also with Citrix Cloud, the Cloud Connectors replace the DDC role and acts as the control point for the VDA’s but the Cloud Connector is stateless, unlike the DDC.
- Note: If you are like me and an early adopter of Citrix Cloud you might be placed in the US plane, and as of now there are not any migration offerings to move one tenant from one location to another. In most cases, you would need to rebuild your environment.
Citrix has a goal is to maintain at least 99.9% SLA which is equal to 45 minutes downtime each month.
Offerings: Now Citrix Cloud with XenApp and XenDesktop comes in many different flavors. I’m not going into detail on each of these offerings because the differences between them are listed here –> https://www.citrix.com/content/dam/citrix/en_us/documents/reference-material/xa-xd-deployment-options-feat-comp-matrix.pdf the biggest challenge I have with these offerings right now are two things.
1: No capability to mix between different options. Which means that we cannot have for instance 10 users on XenApp Essentials and 20 users on XenDesktop essentials.
2: No ability to use concurrent licensing, only user/device.
3: No unified UI across the offerings, right now some are still using Citrix Studio while Citrix is also making a new web UI offering.
Now as part of Citrix Cloud, there are two components which are optional which are NGaaS and Citrix Workspace, both services can be enabled through the Control Plane.
NetScaler Gateway as a Service: This service which runs as a managed cloud service which replaces regular NetScaler ICA-Proxy to a Citrix environment, since the traffic is going through the Cloud Connector to the VDA. As mentioned there will always be traffic through the Cloud Connector through a Windows Service which is responsible for the traffic. When an end-user connects through a NetScaler (GaaS) it will be routed to one of the 12 closest endpoints worldwide.
Pros:
Runs as a Managed Service
Doesn’t require any dedicated public IP or certificate since the service is running on top of the Cloud Connector
Highly available worldwide (on 12 different Points of presence)
Cons:
Only ICA-proxy service
No options for advanced features such as Smart Access, HDX Insight (AppFlow) Some additional latency
No support for EDT (UDP based transport)
Citrix Workspace: Which is the new name for the cloud-based storefront, which is now available for all customers on Citrix Cloud after December 2017. (NB: Not yet available for the customer which subscribed to Citrix Cloud before yet, will be migrated soon) and like NGaaS is a fully managed service which now can aggregate all Citrix applications and has a feature in Tech Preview to provide SSO to 3.party based applications.
Pros:
Runs as a Managed Service
Doesn’t require any dedicated public IP or certificate
Cons:
No options for advanced features such as Optimal Gateway Routing
No options for advanced UI changes (Some features such as Logo changes and such are now possible)
No options for regular on-premises MFA providers can only be done trough Azure MFA.
Availability:
Now, most Citrix Cloud services are US based, but Citrix also announced that the control plane is also now available in EMEA as well, which makes management and selling a bit easier since it has quite lower latency to make management a bit easier. However you should be aware of that not all services are not available in EMEA yet, such as Applayering feature still requires to connect to the US endpoint.
Security:
When it comes to Security, all traffic is encrypted between the different components, and credentials such as Active Directory is not stored and needs to be entered each time we update a machine catalog or make some changes to an existing one. Credentials to the hypervisor and/or cloud are stored in the connection. Now since Citrix is managing the infrastructure we have no access to the underlying infrastructure and also we don’t have the administrative logging capabilities on Citrix Cloud, so if we want to get out logs on what has happened we would need to contact Citrix Cloud Support (within 30 days to get that information) Note that Citrix Cloud login can also be setup using Azure AD credentials, ensure that if you are using this, setup Azure AD setup with Azure MFA (Because if someone managed to gain access to your Azure AD account they can actually delete an entire machine catalog)
Other components:
Other components also support Citrix Cloud, such as PVS can support Citrix Cloud but this requires version 7.7 and download of a specific Citrix Cloud PowerShell SDK, but you would still need to set up an on-prem licensing server and SQL to store the information (https://docs.citrix.com/en-us/provisioning/cloud-connector.html) Applayering is available in Citrix Cloud but only the management plane you will still to have the on-prem appliance (ELM) to handle the actual layering jobs. WEM is not there but was recently announced that it will be available in Citrix Cloud soon. https://www.citrix.com/blogs/2018/04/30/workspace-environment-management-service-coming-soon-to-citrix-cloud/
Other things missing:
As part of the other missing capabilities, there are also some other features which as missing such as lack of App-V integration and also lacking monitoring support. Since we now are moving the DDC role away, not all monitoring vendors which many might use don’t support Citrix Cloud yet, and also some of the management packs which was part of the Comtrade deal, will no longer work since they are dependant on some of the services that the DDC is using. Also if we move NetScaler and Storefront as well they are no longer under our control and therefore we need to handle monitoring in some other way such as load testing tools. Also, one thing that caught my eye is the ability to run PowerShell commands natively which you can read more about here –> http://citrixtips.com/disabling-rearm-of-os-and-office-on-mcs-in-citrix-cloud/
Monitoring and troubleshooting:
When it comes to troubleshooting and monitoring Citrix Cloud we only have a few options, first of is the view if there are any issues on Citrix Cloud using the Citrix Cloud status board –> https://status.cloud.com (this allows us to subscribe to alerts using SMS, Phone or WebHook to forward to Microsoft Teams or Slack) The Cloud Connector itself doesn’t have a dedicated event log but provides events into the Application log on the server it is installed on. If you are looking for errors, sort after these event sources on the Cloud Connector Server.
Logs are also placed within C:\ProgramData\Citrix\WorkspaceCloud\Logs (In case you are using some log gathering tool such as Log Analytics) also we can view session information using the OData API against Director –> https://www.citrix.com/blogs/2018/03/23/monitor-data-for-xenapp-and-xendesktop-in-citrix-cloud-now-available-through-odata/
Best-practices for Cloud Connector:
Don’t install anything else on the Cloud Connector server (it is self-managed)
Setup AV exceptions and Proxy exceptions for the Cloud Connector traffic –> https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html and AV exceptions for Cloud Connector –> https://www.citrix.com/blogs/2016/12/02/citrix-recommended-antivirus-exclusions/
Setup Cloud Connector with Server Core –> https://xenappblog.com/2018/citrix-windows-server-core/ (allows for better throughput and higher security) but this kills the troubleshooting Citrix.
Setup Cloud Connector on Windows Server with Cubic Congestion algorithm –> netsh int tcp set supplemental template=internet congestionprovider=cubic
You need to have Cloud Connector for each AD Domain
You need to have at least two Cloud Connectors for redundancy
You should have a stable internet connection.
End-architecture:
Using most of the cloud-based components with Cloud Connectors with an hypervisor such as Nutanix or Cloud-based deployment you don’t need that much of infrastructure, but as of now if you want to leverage some of the advanced capabilities such as HDX Insight, Optimal Gateway Routing and using PVS and WEM you are still going to be needing some servers to host these different components, such as licensing, SQL and management servers.
High-availability:
For High-availability for the plain architecture you just need to have multiple cloud connectors installed, they are stateless, unlike the regular Cloud Connector. However the Cloud Connectors have Local Host Cache enabled by default, so all CC have a SQL Express installed to handle that. If internet drops out more then 20 seconds the LHC cache will kick-in to ensure existing users will be able to reconnect. Note that this doesn’t work with VDI sessions and it requires that we have a local Storefront server.
Conclusion: Still most of the management in Citrix Cloud is done trough Receiver for Web against Citrix Studio which is a still an MMC console which for me personally is not an elegant solution if we want to deliver the cloud message across. Citrix needs to make it more native web-based management combined with modern automation solutions to allow us to make it easy to script and automate. Also, Citrix needs to ensure that they remove the overhead with a Citrix deployment. Looking at Microsoft RDMI which is more PaaS services, Citrix should look at creating their services as a container instead of individual servers with roles. This could also reduce their own overhead on their infrastructure as well with more container-based deployments so we aren’t stuck with the 25 users limit. Also having more role based access control inside the platform itself combined with administrative configuration control is also something that should be implemented to ensure that companies with high level of security can adopt the solution. Also, they should have an easier way to do migration from on-prem to Cloud, at the end of the day a setup is just a bunch of configuration (luckily someone in the community fixed that for us –> http://citrixtips.com/citrix-cloud-migration-tool/)
Nextly ill follow up on Citrix Analytics and capabilities.