Unless you are completely new to working with XenDesktop and/or XenApp products, you must have heard a thing or two about the Citrix Workspace Cloud (CWC) by now. Since it also heavily relies on the FlexCast Management Architecture, I couldn’t write this book without at least mentioning it. In fact, as soon as Citrix introduces a new feature or functionality that touches the FMA, CWC will have it first. Being a cloud platform / service, it has the added advantage of getting new code out to customers relatively quickly. For this they apply a so-called phased ‘bucket’ approach, which, unfortunately, is still under NDA at this time.
Since CWC is still a relatively new offering / product, and evolving as we speak, I wouldn’t be surprised if the current subscription model, the services involved and perhaps even its name will change before the end of 2016.
Citrix Workspace Cloud is actually more of a managed or management platform than anything else. It offers us several different services: Apps and Desktops (XenDesktop and XenApp), Mobility Management (XenMobile), Secure Documents (ShareFile) and Life Cycle Management, which is relatively new. For the purpose of this book I will focus on the Apps and Desktops and Life Cycle Management services.
The CWC control centre, or control plane, is at the top of the stack: it’s where all the magic happens, so to speak, and what you as an administrator would use, or interact with, to manage and configure your CWC-based deployments. Below that are the Resource Locations: that is where the XenDesktop / XenApp VDAs, data and applications reside, which are managed, controlled and owned by you, the customer, or a partner in between – a CSP, for example. These Resource Locations can be located on-premises, within a datacentre or on a public or privately owned cloud: it doesn’t really matter, as you are in control. They are connected to the Workspace Cloud services platform through Cloud Connectors.
So how does all this work? Let me walk you through it. Simply put, you take a ‘normal’ XenDesktop / XenApp deployment and then ‘cloudify’ the infrastructural or management pieces and components.
Or better said, Citrix has already taken care of that for you. Your Delivery Controllers, SQL database, License Server, Studio, Director and/or StoreFront servers will all live up in the Citrix Workspace Cloud as part of the Apps and Desktops service.
You tell Citrix what you need and they will set it up and configure it for you. From there on they will also take care of any ongoing management and maintenance tasks. Now all you will be left with are your VDAs and NetScaler, from a Citrix infrastructure point of view, that is, and you can host them wherever you like (Resource Location). It is the ultimate hybrid cloud model and the way forward according to most, me included. And if you have a look at the accompanying E-docs page you will find that there currently is an AppDisks Tech Preview for CWC as well!
FMA fact: Because of Microsoft’s licensing restriction with regard to desktop Operating Systems, it is very hard to come up with a true DaaS solution based on an actual desktop OS while keeping costs acceptable. With CWC you can host all of your infrastructural components up in the cloud and leverage your own on-premises VDAs, which can be VDI and 100% desktop OS-based deployments. While not exactly the same, it comes close to a desktop OS-based DaaS (private cloud) offering.
You may have noticed that I used ‘and/or’ when mentioning StoreFront: this is because with StoreFront you can choose where to actually host it. This has a lot to do with the ability to customise your own domain names and URLs. Your options are:
- A cloud-hosted StoreFront: The applications and desktops service in Workspace Cloud hosts a StoreFront site for each customer. The benefit of the cloud-hosted StoreFront is that there is zero effort to deploy, and it is kept evergreen by Citrix. Cloud-hosted is recommended for all new customers, previews, and proofs-of-concept (PoCs).
- An on-premises StoreFront: Customers may also use an existing StoreFront to aggregate applications and desktops in Workspace Cloud. This offers greater security, including support for two-factor authentication and prevents users from entering their password into the cloud service. It also allows customers to customise their domain names and URLs. This is recommended for any existing XenApp and XenDesktop customers that already have StoreFront deployed.
- A combination of on-premises StoreFront and cloud-hosted
Citrix E-docs website
The Cloud Connector is the component that connects your VDA resources to, in this case, the Apps and Desktops Workspace Cloud service. The Cloud Connector is made up of several providers or services, which in turn take care of things like registering VDAs and the ability to connect into your on-premises Hypervisor or public cloud platform of choice.
FMA fact: The Cloud Connector is what your VDAs will point to and use as a broker, instead of a Delivery Controller when compared to an on-premises deployment.
The Cloud Connector is installed on a domain-joined Windows Server 2012 R2 machine within your own Resource Location. Although installed on-premises, or at least within one of your own Resource Locations, which can be cloud-based as well, as a component it is fully managed from and by CWC.
The installation is fairly light-touch, and since the Connector is managed from CWC it will always be up to date with the latest patches and so on. It communicates outbound only, over port 443, and if needed or desired it can be placed behind NAT and Web proxy services as well.
FMA fact: You will need to set up at least two Cloud Connectors per Resource Location to achieve HA. You won’t have to configure load balancing in any way for these two Cloud Connectors. CWC will send requests and data to one of the two Connectors, and if it gets too busy or stops responding, the data will be sent over to the idle Connector, or the load will be spread amongst the two.
Authentication and credential handling
Security is top of mind when discussing cloud-based solutions, and it is no different with the CWC offering. Here are some security facts to hopefully give you some peace of mind.
- When an Administrator authenticates to CWC, he or she will do so using the sign-on system from Citrix online. During the authentication process a one-time signed JSON Web Token will be generated, which will give the Administrator access to the apps and desktop service within CWC.
- All user credentials will be encrypted by the Cloud Connector component using AES-256 encryption combined with a random one-time key, which will be generated for each launch. This key will be forwarded to the Citrix Receiver (it doesn’t go into the cloud, ever) from where it will be passed over to the VDA so it will be able to decrypt the user password when a session is launched, creating a single sign-on experience.
- When Machine Creation Services creates machine accounts in the customer’s AD through the Cloud Connector, the Administrator will be prompted for each operation that will need to take place. This is because the machine account of the Cloud Connector only has read permissions within the Active Directory.
- Hypervisor passwords needed for authentication will be generated by the Administrator, encrypted and stored in the cloud-based SQL database.
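The second point above describes a per-launch one-time key that the cloud never holds. The following is an added example, not Citrix code, that models that flow: ConnectorEncrypt stands in for the Cloud Connector, the LaunchTicket is all the control plane ever sees, and VDADecrypt only succeeds with the key that travelled via Receiver. The function names and the choice of AES-256-GCM are assumptions; the page only states AES-256 with a random one-time key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// LaunchTicket is all the cloud control plane ever sees: nonce and ciphertext, no key (constructed model).
type LaunchTicket struct{ Nonce, Ciphertext []byte }

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// ConnectorEncrypt plays the Cloud Connector: a fresh AES-256 key per launch; the key is
// returned separately to model the out-of-band path to Receiver, it is never put in the ticket.
func ConnectorEncrypt(password []byte) (LaunchTicket, []byte) {
	key := make([]byte, 32) // 256-bit one-time key, generated for every launch
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aead := newGCM(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return LaunchTicket{nonce, aead.Seal(nil, nonce, password, nil)}, key
}

// VDADecrypt plays the VDA: ticket from the brokered launch, key from Receiver; ok is false for a wrong key.
func VDADecrypt(t LaunchTicket, key []byte) (password []byte, ok bool) {
	pw, err := newGCM(key).Open(nil, t.Nonce, t.Ciphertext, nil)
	return pw, err == nil
}

func main() {
	ticket, key := ConnectorEncrypt([]byte("constructed-sample-password"))
	_, cloudOK := VDADecrypt(ticket, make([]byte, 32)) // cloud side: no one-time key
	pw, vdaOK := VDADecrypt(ticket, key)
	fmt.Println(cloudOK, vdaOK, string(pw))
}
```

Because GCM authenticates the ciphertext, a copy of the ticket held in the cloud cannot be opened with any key other than the one handed to Receiver, which is the property the bullet relies on.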
Life Cycle Management Services
Citrix Lifecycle Management is a cloud-based CWC service used to accelerate, automate and simplify the design, deployment and ongoing management of Citrix workloads, including Enterprise applications. Using predefined and Citrix-certified blueprints, customers can roll out complete Citrix-based environments, fully automated, onto their Hypervisor or cloud platform of choice, which are also referred to as Resource Locations, as highlighted earlier.
Depending on your Life Cycle package subscription / license (Deploy, Design and Deploy, Design, Deploy and Manage) you will be able to design your own blueprints and edit existing ones, and of course you will have access to the Citrix library holding all Citrix-certified and predefined blueprints, made by either Citrix or third-party partners.
Next to that you have several options with regard to alerting, monitoring, disaster recovery, a fully automated upgrade from XenApp 6.5 (including application and policy configurations) and a bunch more. All you have to do is select your deployment of choice and configure the size and scale; Citrix, or rather CWC, will take care of the rest!
FMA fact: Citrix offers out-of-the-box blueprints for XenDesktop, XenApp, XenMobile, NetScaler and the Workspace Suite.
Ongoing management is something that will still take some work from your side. But by leveraging the robust and automated monitoring capabilities, together with the ability to specify recovery of specific service components or entire services, including multiple recovery destinations, it will make your life a whole lot easier.
Finally, the Cloud Connector highlighted earlier is used to connect to your on-premises or cloud-based Resource Location, including Active Directory. The provisioning and configuration of the blueprint-based machines will also leverage the Connector.
- CWC offers customers the ultimate hybrid model and an easy way to get used to and migrate to the cloud.
- All the latest and greatest FMA features will first be made available to CWC before being built into the on-premises XenApp and XenDesktop products. The same applies to ShareFile and XenMobile.
- They use a unique, but very simple updating and testing mechanism for this, which unfortunately is still under NDA at the time of writing.
- Even when using the Life Cycle Management service, you will still need to maintain and manage your VDAs, StoreFront and NetScalers to some extent, but it will make life a lot easier. Take it for a test-drive.
- Resource Locations include: on-premises / your own datacentres, Azure, AWS and/or the Citrix CloudPlatform, and more will follow I’m sure.
- Ongoing management and monitoring are done from the CWC consoles; they have the exact same look and feel as the on-premises Studio and Director consoles.