Citrix Virtual Apps and Desktops Service on Azure (Part 1) — Understanding the Control Plane and Planning the Access Layer

Rabindranath Tagore, the first non-European to win the Nobel Prize in Literature, said in his book Stray Birds: “Clouds come floating into my life, no longer to carry rain or usher storm, but to add color to my sunset sky.” While this great writer has little relationship to “The Cloud,” as we know it, I could not find his quote more appealing. Probably because I am a geek and I love everything around cloud technologies. And, as you probably know by now, public cloud utilization is becoming increasingly common. In Citrix Cloud Success, we see many customers wanting to deploy their Citrix Virtual Apps and Desktop Service in combination with Microsoft Azure. In order to “add color to our sunset sky,” I’d like to share with you some lessons learned in the field while helping customers implement their environments – and hopefully make your life a little easier when deploying your own!

In part one of this three-part blog series, I will talk about the Citrix Cloud Control Plane, Resource Locations, and Access Layer considerations.

The Citrix Cloud Control Plane

In order to understand and properly plan which components you need to deploy in Microsoft Azure, you want to make sure you understand which components Citrix manages for you as part of the Apps and Desktops Service. As opposed to traditional on-premises environments, where you need to manage ALL of the components, we will manage the following components for you:

  • Citrix Delivery Controller
  • Citrix Studio & Director
  • Citrix Licensing Server
  • Citrix Databases
  • And optionally: Citrix Workspace Experience (aka StoreFront) and Citrix Gateway Service

As you may have already figured, we will deploy, manage, update, and support the above components for you – taking away all of the management complexities so you can concentrate on what really matters: deploying your applications and desktops to your users.

Something you may have also noticed is that Citrix Workspace Experience and Citrix Gateway Service (aka the Access Layer) are also managed by Citrix as part of the Apps and Desktops Service. With this said, these components are optional since you also have the choice to deploy them as part of your resource location in Azure and have full control over them. This is one of the main things you want to think about when planning your deployment and we will go deeper into these decisions in the upcoming sections.

Your Resource Location

Resource locations contain the resources required to deliver services to your subscribers. As you may have already guessed, these are the components that you will manage inside your Azure subscription, including:

  • Citrix Cloud Connector
  • Master Images
  • Citrix VDAs
  • Citrix UPM Profiles Server

The Citrix Cloud Connector is a Citrix component that serves as a channel for communication between Citrix Cloud and your resource locations, enabling cloud management without requiring any complex networking or infrastructure configuration. As such, Cloud Connectors are mandatory for your Azure environment to communicate with the Citrix Cloud Control Plane.

Planning the Access Layer

As I mentioned in our first section, one of the main things you want to think about when planning your deployment is where you want to place your StoreFront and Citrix Gateway. Do you want to manage them yourself, or do you want Citrix to manage them for you as part of the Apps and Desktops service?

The first component to consider is the Citrix Workspace Experience, previously known as the Citrix Hosted StoreFront. This is a Citrix-managed solution that enables IT to securely deliver access to apps from any device, which, by the way, may also look different from what your subscribers are used to working with today.

As part of the Citrix Workspace Experience, you can customize the following:

  • Your own (Citrix managed) cloud.com URL
  • Service integrations
  • Branding and appearance
  • Authentication methods (regular AD or Azure AD Federated Authentication)
  • Your own Citrix Gateway for ICA Proxy

Another extremely cool new feature of Workspace Experience is the Site Aggregation functionality (tech preview). With this option, you can aggregate resources from an existing XenApp 6.5 or XenApp & XenDesktop 7.x site on-premises so that users will be able to launch their on-premises Citrix apps and desktops through Workspace. This functionality is particularly useful for those customers looking to migrate their current environments to the Apps and Desktop service. Learn more about Site Aggregation!

The second component to consider is the Citrix Gateway Service, which is completely managed by Citrix and is fully integrated with your Apps and Desktops service to handle the ICA Proxy functionality. In addition to this, you have the option to utilize your own on-premises Citrix Gateway to handle the ICA proxy functionality for Workspace Experience. What this means is that you have 3 options when planning the StoreFront and Citrix Gateway placement:

  • You can let Citrix manage them for you, by leveraging both the Workspace Experience and Citrix Gateway Service
  • You can combine the Workspace Experience with your on-premises Citrix Gateway
  • You can use both StoreFront and Citrix Gateway on-premises to ensure you can fully manage them. If you use an on-premises StoreFront, you must use an on-premises Citrix Gateway.

To learn more about the Citrix Gateway Service, please check out this link.

Something important to keep in mind is that when you use the Citrix Workspace Experience with the Citrix Gateway Service (or your on-premises Citrix Gateway), there is no such thing as external or internal connections. Since the service does not have beacon check, all connections will be treated as external and will, therefore, be processed through NetScaler Gateway. In this case, the ICA files generated by Workspace Experience will contain the STA ticket information and not the internal private IP of the VDA. On the other hand, you also have the option to configure “internal only” access. In this case, the connection will not be “proxied” through a Citrix Gateway, and the ICA files generated by Workspace Experience will contain the internal private IP address of the VDA. This means these connections will only work from a computer on the internal network (that computer will still need internet access in order to reach the Workspace Experience URL). For more information on how to configure the Citrix Workspace Experience, make sure to check out this link.
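To check which of the two behaviors a launch actually produced, you can inspect the ICA file itself. The following is an added example, not Citrix code and not part of the original post: it assumes the commonly seen ICA layout (an [ApplicationServers] section, an Address key that begins with ";" when it carries an STA ticket, and an SSLProxyHost key naming the gateway), and both sample files are constructed.

```python
import configparser
import ipaddress

# Constructed samples, not captured from a real deployment.
PROXIED_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA0000000000000001;CONSTRUCTEDTICKET0001
SSLEnable=On
SSLProxyHost=gateway.example.com:443
"""

DIRECT_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=10.20.30.40:1494
"""

def classify_ica(text):
    """Return {app: (mode, detail)} for every app listed in the ICA text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # ICA keys are mixed case; keep them as written
    cp.read_string(text)
    results = {}
    if not cp.has_section("ApplicationServers"):
        return results
    for app in cp["ApplicationServers"]:
        section = cp[app] if cp.has_section(app) else {}
        address = section.get("Address", "").strip()
        if not address:
            results[app] = ("unknown", "")
        elif address.startswith(";"):
            # Assumed ticket form: the VDA address is replaced by an STA reference.
            proxy = section.get("SSLProxyHost", "").strip()
            results[app] = ("gateway", proxy or "no SSLProxyHost set")
        else:
            host = address.rsplit(":", 1)[0]
            try:
                ip = ipaddress.ip_address(host)
                mode = "direct-private" if ip.is_private else "direct-public"
                results[app] = (mode, str(ip))
            except ValueError:
                results[app] = ("direct-hostname", host)
    return results
```

A "direct-private" result for a user who is supposed to come through the gateway means the file exposes the VDA's internal address and the session will only connect from the internal network.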

After all this, you are probably wondering what the trend is and what drives our customers toward one way (Citrix-hosted) or the other (customer-hosted). Here are some questions that can help you make this decision:

  • Are you ok with using a cloud.com URL for your users to access? If the answer is yes, that is a good first sign to go with Workspace Experience. If you need your own custom URL, on-premises StoreFront and Citrix Gateway will be required.
  • Do you want to avoid having to manage and maintain your own StoreFront and Citrix Gateway on-premises? Again, if the answer is yes, the Workspace Experience is a good option for you.
  • Do you need to use two-factor authentication? If the answer is yes, then you have two options:
    • If you use Azure AD with two-factor authentication, you can enable Azure AD federated authentication on the Citrix Workspace Experience.
    • If you use another service for your two-factor authentication, on-premises StoreFront and Citrix Gateway will be required.

Takeaways:

  • Make sure to properly understand which components will be located in the Citrix Cloud control plane, which will be in your Resource Location, and which of them are optional.
  • The Citrix Cloud Connector will always be required to connect your Resource Location to Citrix Cloud, whether it is a public cloud or an on-premises datacenter.
  • For StoreFront and Citrix Gateway, you have 3 deployment options:
    • You can let Citrix manage them for you, by leveraging both the Workspace Experience and Citrix Gateway Service
    • You can use the Workspace Experience with your on-premises Citrix Gateway
    • You can use both StoreFront and Citrix Gateway on-premises to ensure you can fully manage them. If you use an on-premises StoreFront, you must use an on-premises Citrix Gateway.
  • Make sure to ask yourself the appropriate questions (see above!) when deciding where to place your StoreFront and Citrix Gateway.

And as our friend Rabindranath Tagore said at the conclusion of many of his books (and this is a mere assumption): The End! Make sure to stay tuned for upcoming Cloud Guideposts to read parts 2 and 3 of this series on Citrix Apps and Desktops Service on Azure. Next up I will cover considerations when planning your resource location on Azure.

JP Alfaro 
Cloud Success Engineer