Citrix Cloud Uptime

Posted on  by admin
  1. Citrix Cloud Diagram
  2. Citrix Cloud Downtime

The access layer of your deployment relates to your StoreFront infrastructure, and NetScaler Gateway for Internal and Remote access respectively. These components facilitate access to Citrix resources in your environment.

When we look at a Cloud deployment – in this instance Citrix Cloud, there are many ways of hosting the access layer components, but these can largely be simplified down to Citrix Managed (Cloud Storefront/WorkSpace Service and NetScaler Gateway Service) or Customer Managed (BYO Storefront and NetScaler).

  • Citrix ADC in AWS Marketplace offers a unified application delivery solution designed to meet the needs of cloud adopters with hybrid, multi-cloud environments, and support them in scaling and evolving with future trends. Key benefits and features: Citrix Safeguard application uptime.
  • Citrix maintains a 99.9% uptime SLA, so your workforce stays connected. We also offload upgrades and operational management tasks, reducing IT time spent on operations. Choose the plan that’s right for your business Whatever your needs are, our pricing options have you covered.

JetNEXUS is the best one for enterprises that want advanced traffic load management features. Other load balancer apps that are suitable for medium and big enterprises include Total Uptime Cloud Load Balancer, Citrix ADC, Nginx, and Avi Vantage Software Load Balancer. Citrix technology is used to provide remote users with access to key business applications. If Citrix access is not available or slow, users will be less productive and the business will suffer. To ensure Citrix success, administrators need to be sure that the Citrix user experience is always optimal. Citrix is making this custom reporting tool available for experimental evaluation and it is ideal for trial in a non-production environment. The experimental versions of this tool including this one will not be supported by Citrix. Note: Custom Report is now built into Director 7.12 and available to Platinum Edition customers.

In order to make an informed choice of how to deploy your access layer, you need to understand the benefits and drawbacks of the different scenarios and how they can impact on your overall solution.

Citrix Cloud StoreFront/Workspace Service

One of the main strengths of Citrix Cloud is in its simplicity and Storefront is a strong example of this. As soon as your service is enabled, StoreFront in the cloud just works. You have a few configuration options – such as basic branding, enabling NetScaler Gateway Service, but it’s effectively already configured for internal users and only needs an option toggling on to enable.

Simple is good, but it can also have some drawbacks, as with Cloud hosted storefront.

Branding is still a bone of contention – more than a few customers would expect to be able to customise the look and feel of StoreFront beyond what is currently available. There are controls available to modify basic colours and add logos, however if your requirements exceed this then unfortunately you’re stuck. There’s currently no capability to modify the CSS beyond what’s exposed in the control panel, and there’s certainly no ability to add custom JavaScript (which is entirely understandable!).

Many customers leverage the ability to inject custom JavaScript to add functionality to storefront that does not exist today – for example a pre or post-login EULA, or perhaps for maintenance notifications. If some of these capabilities are available in the cloud hosted storefront, then perhaps it would reduce the amount of customisation needed? Or perhaps we always like to tinker?

Today, Cloud Storefront will only present resources from Citrix Cloud, however using the Citrix Workspace Service you will have the option to integrate non-cloud deployments into the Citrix Cloud world. This is a nice touch and has the potential to help organisations making use of their Hybrid rights while migrating to the cloud to present a consistent access point for all users.

Authentication

When you use Cloud Storefront your users authenticate through your Citrix Cloud storefront site – typically https://companyname.xendesktop.net. This authentication request is passed through your Cloud Connectors and validated against your Active Directory using the machine account of your Cloud Connector OS’es. All very simple, and works quite nicely, however there’s a couple of challenges you may face with this.

The Security Team – In larger organisations this may be a team, or it may be just a conversation with the nominated security guy, however in terms of security considerations, where authentication happens can change the conversation completely. If the organisation is Cloud-Happy and has adopted other Cloud solutions, this may be easier, but fundamentally when you are effectively delegating the authentication process to a Cloud Service this moves your security perimeter to the cloud service. Functionally this is fine, but it can be a harder pitch and receive more pointed questions.

Citrix Cloud Diagram

Just using the XenApp and XenDesktop service is not a difficult sell to security teams. Data resides where it always has, you’re just moving the brokering process to the cloud. Limited PII (personally identifiable information) is stored, and the encryption policies are acceptable to most. There’s even a page dedicated to security information here: https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/secure.html. Interestingly, the security page only references Credential handling in the context of using a customer managed StoreFront instance.

In-fact there’s no real security statement on how they handle user credentials when using Cloud StoreFront. Perhaps if you’ve had to look it up, then the answer is use customer managed?

Multi-factor Authentication – this was a major customer request in the early days of Citrix Cloud, but it has recently been solved! Sort of. Customers using the new Workspace Service in Citrix Cloud (currently new customers and XenApp/Desktop Essentials) have the ability to use Azure AD to handle user authentication. This has been available for Administrative access for a while and broadly speaking the selection of Azure AD to integrate with is sound as this extends the opportunity to use any one of the many identity providers that integrate with Azure AD, so you can effectively choose your authentication poison.

This only takes you so far though. Azure AD will authenticate you and pass a SAML assertion back to Workspace Service. So, at this point, Citrix Cloud has a SAML assertion to prove your identity – and this is enough to enumerate your workspace entitlements. Then you launch something. Unfortunately, today, Windows doesn’t use SAML as a credential type, so you get another logon prompt – this time from the resource you’re connecting to. Double logons make for unhappy users.

Citrix Cloud Downtime

In an on-premises world, this is where you would look to implement Federated Authentication Services (FAS) as it allows you to Authenticate using a SAML identity provider (IDP) and then FAS does the translation into a Windows Identity through the clever use of virtual smart cards.

Why can’t we do this with Citrix Cloud? FAS needs to integrate with StoreFront today. The smart money would suggest that at some stage this integration may appear in Citrix Cloud as a tick box option, allowing the integration with an on-premises FAS solution through the cloud connectors, however today that doesn’t exist. So if you require multi-factor authentication, you will have a double logon.

Remote Access (NetScaler Gateway Service)

NetScaler Gateway Service (NGS) is a fantastic concept at the moment, it allows you to enable remote access your resources through Citrix Cloud with a simple ON/OFF option. How simple is that? Now to support this we’ll accept my previous points and assume you’re happy using the Cloud Workspace Service/StoreFront. We must really as it’s not possible to use with on-premises StoreFront!

For it’s pure simplicity and reach NGS deserves some consideration. There are numerous PoP’s (Point of Presence) globally, meaning that even for smaller organisations, you have truly global reach.

However with simplicity comes compromise, and there are some limitations:

  • Can’t mix and match – you either host your own NetScaler Gateway’s or use NGS. Or have split deployments.
  • Limited Auditing – for most remote access solutions it’s a requirement to maintain logs of who has accessed remotely, what they accessed and how long for. Today that information is not exposed.
  • No integration with On-Premises NetScaler MAS – if you use MAS to manage/monitor an internal/self-managed NetScaler deployment then you won’t get Gateway Insight or HDX Insight. Note: this is likely to be available as part of the Citrix Cloud MAS Service though.
  • No Optimal Gateway Routing – User’s will get directed to a nearby PoP, but which one is not controllable.
  • Just ICA Proxy – If you’re a tinkerer and like getting your NetScaler Session Policies “just right” this isn’t for you.
  • No Endpoint Analysis – Internet café? Come on in!
  • Global On/Off – remote access is enabled on a global level, so there’s no control today of who can access resources remotely as well as in the office.

Resiliency

Citrix Cloud has a Service Level Goal (Note: Goal not Agreement) of 99.9% uptime in a Calendar month. Sounds good, but that equates as 43 minutes of downtime a month. We’re further constrained by the cloud conundrum which goes as follows:

  • Before Cloud: Move it all to the cloud then we won’t have to manage it!
  • After Cloud: It’s broken! Why can’t we just reboot it?

To be clear, this isn’t specific to Citrix Cloud by any means, but with any cloud service lack of control over planned or unplanned downtime is a serious consideration.

So what can we do about this? This subject has been one of my longstanding reasons for keeping the access layer on premises. As of mid-late last year, your Citrix Cloud connectors have had Local Host Cache (LHC) in place. If you’re not familiar with LHC which has been available in the on-premises version for several releases now, LHC is where your Delivery Controller’s or in this case Cloud Connectors have a cache of the data required to run your site. This means that if Citrix Cloud becomes unavailable – or you lose internet connectivity to the Cloud Service, if you host your access layer on-premises then using the LHC on the Cloud Connectors, user’s can continue launching resources.

Let’s look at two scenarios:

Scenario

Operational State

Cloud Access LayerOn-Premises Access Layer
XenApp/XenDesktop Service Down

Not Operational

Operational

No Internet and On-Premises Resources

Not Operational

Operational

Of course, we should all be using NetScaler SD-WAN and have abundant resiliency for our Internet Connectivity, so the second scenario should not happen, but these are common stumbling points when moving customers to a Cloud Service – “What happens if it goes down?”. With an on-premises access layer – in theory, nothing.

Summary

Overall, I’ve highlighted some of the limitations of the Cloud Services, but this is by no means saying don’t consider them. There are customers where the simplicity and fast time to value will offset some of the compromises, or others may not see them as issues at all. The purpose of this is to capture some of the considerations that need to be made when deciding what is best. Cloud is a delivery method, and not the only option available, making the correct decision based on individual requirements will make sure everyone has the best user experience.

There is a lot of effort going into the development of both Workspace Service and NetScaler Gateway Service, so it is very much a decision that needs to be revisited as capabilities mature and new functionalities become available.

ServicePro’s

Con’s

Cloud StoreFront/ WorkSpace Service· Fast time to value

· Low configuration effort

· No SSL Certificates to manage

· Limited Customisation available

· Single factor Authentication Only (Or double logon with MFA)

· No Filtering of Resources

· No Zone Preference Configuration

· No FAS integration

· No Vanity URL’s (Company.com instead of Xendesktop.net)

· Single Store Only

NetScaler Gateway Service· Fast time to value

· Low configuration effort

· No SSL Certificates to manage

· Global Presence

· Can’t mix NGS and On-Premises NetScaler

· No Integration with On-Premises MAS

· Limited Auditing

· ICA Proxy Only

· No EPA Scans

· Enabled for everyone or no-one.

· Unauthenticated ICA Proxy

On-Premises StoreFront· Enhanced Resiliency with LHC

· Full Customisation

· FAS Support

· Filtering Possible

· Zone Preference Configuration Possible

· Optimal Gateway Routing possible

· Multiple authentication options

· Additional Infrastructure

· Requirement to Install/Configure/Maintain/Upgrade

On-Premises NetScaler Gateway· Portal themes support

· EPA Scan Support

· Multiple Authentication options (LDAP/RADIUS/SAML)

· Built-In OTP Solution (Enterprise Edition)

· Authenticated ICA Proxy

· Option to Provide VPN or Clientless Access (With Universal Licenses)

· Integration with on-premises MAS for HDX Insight and Gateway Insight

· Full Auditing capabilities

· Typically fewer PoP’s than NGS

· Additional Resources to host

· Requirement to Manage/Maintain/Operate

downloadWhy can't I download this file?

Select the type of report you want to generate. if you want application based report select Application. If you want to generate report based on Desktop session usage, select Desktop.

For our example, we will select the Type as Application.

Report Name

This field is used to name the report. The Exported report will be saved with the same file name.

For our example, we will change the report name to “OutLook Application”.

Conditions

These are the conditions or filters you want to apply on the report. This is a drop down with all available fields that can be used as filter.

For our example the condition should be like “PublishedName contains outlook”.

Citrix Cloud Uptime

Output Columns

These are the columns that appears in the report.
For our Example, we have to select Name, Username, ClientName.

OData Query

This field is specially designed to help director admins generate the odata query. The field dynamically gets updated as an when there is modification on Conditions and Output Columns. This query can be copied and used on other tools to generate the same report.

The final report UI looks like this:

Now Clicking on Export will export the required report In CSV format.

Refer to the image below of an Exported report.