The views expressed here are my own and do not necessarily reflect the views of Citrix.
Citrix DaaS – HDX (3D Pro) Protocol
Infographic
What BCP Availability Strategy for Citrix DaaS? Service Continuity (SC) or Local Host Cache (LHC)
Consider this an evergreen article with *pro-active adds/moves/changes inclusive of errors/mistakes until I remove this statement.
Architectural Doodle
The diagram below provides a high-level view of the architectural difference between Local Host Cache (LHC) and Service Continuity (SC), and how you can weaponise Citrix Analytics for Performance to enable pro-active management of your workloads in a single hyperscaler cloud or multi-cloud hyperscaler strategy.
Visualising the Value of Change using a Force Field Analysis (FFA)
A FFA is a business methodology that helps to visualise, through a meaningful contextual analysis, why a business and/or technology decision for “change” is the right and relevant direction of travel. It helps by amplifying the understanding of “what the change is, the how, the what if and the why change” towards a new future desired state, e.g. buying a music title per song vs. a music subscription to rent the music over a period of time.
The example analysis below is a technology change decision shifting from Local Host Cache (LHC) as the current state to Service Continuity (SC) as the future state – improving IT’s operational resiliency capability and capacity considering today’s current climate and threat of digital warfare, aligned to internal business priorities and/or executive KPIs ranging from strict security compliance & governance and hybrid multi-cloud failover (between cloud hyperscalers) to becoming cloud first/native, adopting aaS tooling where right and relevant, e.g. I/PaaS, to help IT accelerate DEX at the required pace and execution agility.
This example analysis is representative of my personal field technologist landscape experience and backed by a robust and diverse pool of customers ranging in size and verticalisation. Remember you do not have to agree with my field experience; the concept is to weaponise this business tool as a force for good change in organisations wanting change that is well meaningful, and/or to back and better understand cost v value driven business strategies during forces of change.
Score | Hindering Forces (against SC) | Driving Forces (for SC) | Score |
---|---|---|---|
3 | Traditional method doesn’t rely on cloud services | Modern method to reduce and derisk operational outage | 5 |
5 | Strict Governance & Compliance requirements for on-premises workloads only – High security organisations e.g. UK Gov entities e.g. MoD/M6 | Better employee affordance during outages with SC | 5 |
5 | Security requirement for on-premises remote access Gateway POP’s controlled by IT/Security to reduce attack surfaces by adversaries including derisking operational outages | Cloud first Turn-Key Global v Regional POP Gateway as a Service Strategy | 5 |
2 | No support for Citrix Workspace Site Aggregation to On-Premises CVAD environment | No technical implementation debt | 5 |
2 | ▓ Limitations of Service Continuity for Internet Browsers – use case 3rd parties VPN-Less access without installing CWa on supported endpoints | No technical waste and debt – LHC management & monitoring | 5 |
3 | Citrix Receiver not supported – use case support for outdated thin clients | Citrix Workspace app (CWa) aligned to employee affordance (EX strategy) – Business KPI | 5 |
 | | Alignment to Cloud first Time to Value strategy – Business KPI | 5 |
 | | No LHC BCP testing program to validate solution and verify sizing & scaling annualised changes | 5 |
20 | Total | Total | 40 |
▓ Updated 07/03/2022 – Several SC limitations, e.g. Internet Browsers as a barrier to adoption, have now been addressed; learn more at – https://www.citrix.com/blogs/2022/03/01/service-continuity-in-citrix-cloud-a-recipe-for-resiliency/.
The outcome of this analysis reveals that while a number of key inner or outer loop stakeholders may be opposed to the technology change strategy, the FFA outcome is well clear that the driving forces for change are in favour of Service Continuity (SC). You should make every attempt to remediate against the identified hindering forces for change, which could be the simple result of:
1. The decision maker(s) perception through experience wasn’t positive.
2. Company culture is averse to agile change.
3. IT Operations is required to retain more “control” when consuming cloud based I/PaaS services to better derisk outages.
4. Cloud security policies and frameworks have not been approved to enable new types of technologies like SC to be on-boarded and accepted by Enterprise/Cloud/Security Architects.
5. Accept the current business risks as they are and re-evaluate at a future time, as the current value outweighs the micro hindering forces.
Understanding Service Continuity (SC)
This is a modern way to reduce and derisk availability of access to (virtual) applications and desktops during an outage, provided the employee’s endpoint has the capability to access Citrix workloads within your hybrid and/or hybrid multi-cloud resource location(s).
Cost v Value Driven Strategies
The following are generic but meaningful examples of the cost and value driven strategies why adopting Service Continuity (SC) to underpin your BCP/DR strategy is the right strategy.
- Modern field leading practice or method to reduce and derisk PaaS outages.
- Time to value is immediate – it’s a turn-key out of the box SaaS style experience with no configuration nor IT skills required, and no technical nor technology debt incurred.
- Leverages Citrix Cloud global turn-key Gateway Service fabric – its service availability uptime is healthy as it operates between two hyperscaler public cloud providers; details are accessible using the “Cloud Assurance” micro site on the Citrix Trust Centre at – https://www.citrix.com/about/trust-center/cloud-assurance.html then filtering to the Gateway service + Gateway POPs.
- No requirement for bi-annual v annual stress testing and compliance checks for BCP/DR testing. Typically this would involve up to 2-3 days (or more) for enterprise organisations to stress test each site/resource location, excluding a further 5 full business days of planning activities, virtual meetings, whiteboards, approvals etc. with multiple stakeholders prior to testing – it’s an expensive exercise.
- No pro-active requirement to manage and monitor a StoreFront pair/cluster configuration, SSL/TLS certificate management and LHC cache integrity at each site/resource location, which significantly reduces the overhead of monitoring and associated OS licensing and VM operating costs.
- The employee affordance (experience) is far superior vs Local Host Cache as a strategy – icons are greyed out, amplifying to the employee that his/her (virtual) application or desktop is unavailable, while anything coloured is still accessible and available. This design thinking affordance feature is often overlooked by IT Professionals, but evaluating through the lens of an employee, e.g. a PA, amplifies what is and what is not available.
- Supports modern authentication, however there are limitations that will occur when SC is invoked, see – https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#requirements-and-limitations.
Service Continuity Support Matrix
Platform/Feature/Service | Learn More | Supported | Notes |
---|---|---|---|
Citrix Workspace for Web (Chrome/Edge) | https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#service-continuity-in-browser | ✓* | 1. *Requires CWa for Mac 2112 or Windows 2109. 2. Kiosk usage is not supported e.g. Hotdesking. 3. Supports internet browsers Google Chrome and Microsoft Edge with plug-ins installed. |
Mac | https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/whats-new.html#2112 | ✓ CWa 2106+ | |
Windows | https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/about.html#21121 | ✓ CWa 2106+ | |
Android | https://docs.citrix.com/en-us/citrix-workspace-app-for-android/whats-new.html#whats-new-in-2220 | ✓ CWa 22.2.0 | |
Linux | https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/whats-new.html#2109 | ✓ CWa 2106 (GA 2109) | |
iOS | https://docs.citrix.com/en-us/citrix-workspace-app-for-ios/whats-new.html#whats-new-in-2225 | ✓ CWa 22.2.5 | Tech Preview 03/2022 |
Security & Connectivity | | | Limitations: EPA Scans; Enlightened Data Transport (EDT) – During outages |
Citrix Workspace IdP (Authentication) | https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#requirements-and-limitations | SAML 2.0; AD; AD plus Token; Azure AD; OKTA; Citrix Gateway (primary user claim must be from AD) | Authentication limitations: SSO for FAS; SSO to VDA; Local mapped accounts; Only AD Domain joined VDAs are supported as of 03/2022 |
Technical Deep Dive
One of my fellow Citrix Technology Advocates (CTA) and current fellow Citrite, Gavin Connolly – https://citrixie.wordpress.com/author/technologistgav/, has written a brilliant in-depth blog post on how it works, how to configure + test it and the employee experience “Affordance” – https://citrixie.wordpress.com/2020/12/22/service-continuity-for-virtual-apps-and-desktop-service/ – Service Continuity for Virtual Apps and Desktop Service.
Understanding Local Host Cache (LHC)
This is the traditional method; while equally robust, it requires a fair bit of feeding and watering to ensure cache accuracy and resiliency at scale when required to derisk a PaaS or hyperscaler region outage.
Cost v Value Driven Strategies
The following are generic but meaningful examples of the cost and value driven strategies why retaining your current strategy of using Local Host Cache (LHC) which underpins your BCP/DR strategy is the right strategy under the current strict compliance and or risk requirements.
- Strict regulatory compliance to maintain some form of “control” when using cloud services.
- Industry Specific by Certification and or Government regulation requirements that prohibit cloud based services from being consumed and where an on-premises IT strategy is the only viable option on the table.
- Greater control through a co-shared IT responsible operating model e.g. brokering workloads using the vendor’s PaaS but owning the outage risk.
- Profound value based platform reliability and stability for bad app farms delivering mission critical line of business virtual apps that can’t be moved to modern OSes and which, if they become unavailable, may cause significant financial harm e.g. Utilities.
- Long term service release strategy alignment objectives
Understanding Citrix Analytics Service (CAS) for Performance
Coming…
Accelerate migrations to the Gateway Service
In a recent article, “Accelerate migrations to the CVAD Service” – http://axendatacentre.com/blog/2021/09/30/accelerate-migrations-to-the-cvad-service/, I explored and shared how to accelerate and migrate an on-premises Citrix Virtual Apps & Desktops (CVAD) environment to the CVAD Service from a field perspective working with customers in the City of Greater London – England. Often another prominent and common question rears its head: how do I migrate to your Gateway Service, and how does the Gateway Service differ from a traditional Gateway physical or virtual appliance deployment strategy?
Accelerate and Automate your Migration Strategy to @Citrix CVAD Service with less effort + friction while reducing technical debit + financial costs by adopting the Gateway Service – https://t.co/PE4DIuTPjY for CVAD workloads. Don’t forget to pause & reflect for fleet mgmt v/a’s pic.twitter.com/MECOHQcRdA
— Lyndon-Jon (L-J) Martin 👨🏻‍💻 📲 (@lyndonjonmartin) October 18, 2021
There are a handful of migration strategies for moving to the Gateway Service from an on-premises Gateway V/A environment:
Start A-Fresh
If you have an IT team that is battling with the economics of time, has restricted financial budget(s) for projects, or doesn’t have the required Citrix ADC networking skill sets due to M&A activities or people movements etc., then reset and restart by standardising and unlocking the IT and Employee affordance of the Citrix Gateway Service, which is a turn-key service in the Citrix Cloud Platform and enabled by default for any “New” Citrix Cloud RL’s out of the box.
Evaluate & Pivot
There are a handful of very important technology and business reasons why you would want to pause before executing this strategy and adopting the Gateway Service for the CVAD Service.
- Your existing Citrix ADC utilises the Unified Gateway capabilities, e.g. it supports SSO with modern authentication e.g. Google OAuth, OKTA or ADD SAML to Web, SaaS, Intranet web apps and Clientless apps through a universal portal delivered through the Citrix ADC. This strategy is likely the most complex to evaluate before you pivot to the Gateway Service and typically requires a workshop to understand how the ADC is being used, what if it wasn’t there, and what other ADC functions and features are being utilised, e.g. EPA scanning – http://axendatacentre.com/blog/2016/11/14/setup-pre-authentication-endpoint-analysis-epa-policy-with-an-azure-netscaler-unified-gateway-11-x-n/, or whether you’re performing advanced load-balancing of internal web vs. app servers to employees e.g. Finance systems.
- Another reasonable or sensible reason to pause and evaluate is if you are running a fleet of Citrix ADC V/A’s managed by a Citrix Application Delivery Management (ADM) V/A on-premises which is regularly fed and watered. Migrating this ADM configuration to the ADM Service in the Citrix Cloud platform aids in reducing the IT administrative and technical debt of managing an on-premises control plane for Citrix ADC Networking, while retaining the status quo of remaining as is but enabling smarter and not harder administration.
- The final potential reason to pause could be that you deploy and run your own Regional e.g. Northern Europe vs. GEO e.g. EMEA vs. Global Point of Presence (POP), in which you deploy and manage your own Private DIY style Gateway POP fabric globally using different cloud providers for economical costs, employee experience to reduce latency or Hybrid Multi-Cloud resiliency for Disaster Recovery (DR) and Business Continuity. In these scenarios, understand whether you could shift purely the Gateway (ICA Proxy) functionality for secure remote access for CVAD workloads to the Gateway Service and leave the existing ADC + ADM deployment to load-balance, accelerate and protect web, app servers and SQL databases.
Automate & Migrate
Your existing Citrix ADC virtual appliances (V/A) are only utilising the Gateway functionality for ICA Proxy, enabling secure remote access to apps and data anytime, anywhere on any device. This strategy considerably reduces CAPEX and OPEX expenditures over a contract term, reducing the costs of licensing the V/A; Premium Hypervisor (Optional); VM Instance costs – (v)CPU, RAM and HDD (IaaS vs. Other Cloud); and complexity of IT logical costs e.g. Identity and Access Management (IAM), IP traffic routing etc. This strategy significantly reduces the IT administrative and technical debt through a simple and single “Toggle” per Citrix Cloud Resource Location (RL) – https://docs.citrix.com/en-us/citrix-gateway-service/support-for-citrix-virtual-apps-and-desktops.html#enable-the-citrix-gateway-service; by default the Gateway Service is now enabled for all “New” Citrix Cloud RL’s out of the box.
Accelerate migrations to the CVAD Service
A question I’m often asked in the field is how do I get to the Citrix Virtual Apps and Desktops (CVAD) Service at pace or more importantly on my own terms?
The answer can be simple and complex at the same time; the previous consultant in me now says “well it depends”. The challenge with the tag line of “well it depends” is that it often leads to assumptions, like migrating from an on-premises CVAD environment to the CVAD Service being a long and lengthy process that’s cumbersome; however, today that couldn’t be further from the truth.
I have worked with many a customer that rotated to the CVAD Service in less than a month to keep either business operations continuing at a time when a crisis hit or a number of impending mergers were occurring and they needed an agile and flexible IT delivery strategy, which Citrix Cloud platform is well placed to facilitate and orchestrate, bringing together many different workload types in any cloud type – private, public, hybrid and most importantly hybrid multi-cloud environments.
How did these customers achieve this feat? Before I get there, remember there is a lot more that needs to be considered with a traditional CVAD deployment (install, upgrade etc.), requiring multiple teams to be engaged simultaneously as one (a huge feat in itself which rarely works as a well oiled machine), from IT to InfoSec, Network and Security teams etc. When you pivot to the Citrix Cloud platform you’re moving to a combination of SaaS (Gateway Service) and PaaS (CVAD Service) and equally removing a fair amount of unnecessary technical and culture debt + resistance. The lost time and productivity due to culture resistance to changing operating models and moving to the CVAD Service cannot be measured but is by far the biggest barrier in my personal field perspective.
So how can you narrow the economics of time of getting to the CVAD Service? Citrix built and released an incredibly powerful tool called the “Automated Configuration Tool”, or ACT for short, which allows for the exfiltration of your CVAD operational business logic, which can be exported, then evaluated and imported into your CVAD Service tenant in the Citrix Cloud by your chosen region e.g. https://eu.cloud.com/. Light Bulb moment!
I previously wrote this article in http://axendatacentre.com/blog/2020/11/07/citrix-virtual-apps-desktops-or-cvad-service-migration-strategies/ – “Citrix Virtual Apps & Desktops or CVAD Service Migration Strategies” and the above and below expands upon this brief article from 2020, due to personal circumstances I stepped away largely from many communities and activities.
There are three migration strategies for moving to the CVAD Service from an on-premises CVAD environment:
Accelerate and Automate your Migration Strategy to @Citrix CVAD Service with less effort and friction using the Automated Configuration Tool https://t.co/rKmyOaBvRA & Site Aggregation – https://t.co/BHX55VtFf8 pic.twitter.com/5sP8besBDS
— Lyndon-Jon (L-J) Martin 👨🏻‍💻 📲(@lyndonjonmartin) September 30, 2021
Start A-Fresh
A complete re-evaluation of policies – employee experience vs. security, provisioning strategy. This strategy is wise if you’re well unfamiliar with new enhancements in a multi-dimensional way and are being honest with yourself that your CVAD on-premises environment has not been well looked after e.g. fed and watered.
Evaluate & Pivot
Migrate only key business operational IT logic requirements e.g. policies – employee experience vs. security – and rebuild Machine Catalogs based upon your net new provisioning strategy e.g. MCS from PVS to support hybrid multi-cloud portable workloads. This strategy implies that you keep your on-premises CVAD environment fed and watered often and updated at minimum once every 12 months.
Automate & Migrate
Ingest the entire business operational IT logic from Machine Catalogs, Delivery Groups, Policies and Zones into the CVAD Service from your on-premises e.g. CVAD 1912 Long Term Service Release (LTSR) environment or preferred Current Release (CR), provided that this environment has been well looked after proactively. You will still require a brief evaluate phase during the migration as part of good leading practice and hygiene.
To get started with how to use and get the ACT tool, check out this useful Citrix TechZone PoC guide/article – https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/citrix-automated-configuration.html.
Finally, the simplest and most powerful strategy is to not move any business operational IT logic at all to the CVAD Service initially, but to leverage the power of “Affordance”, or the appearance of providing the employee with the Citrix Workspace experience vs. StoreFront, while technically nothing has changed; all that you are doing is changing the access lens/portal to be Citrix Workspace. This strategy is fundamentally critical in enabling IT to pivot to the CVAD Service on their own terms, as once the employee culture or shock has worn off with this new looking interface, IT can in the background begin to use things like the ACT to migrate to the CVAD Service on their own terms and then equally shift their existing ICA proxy configurations to a turn-key SaaS operating model by unlocking the Gateway Service in the Citrix Cloud for the CVAD Service and many other Citrix Cloud Services e.g. Secure Workspace Access. The Gateway Service in the Citrix Cloud platform is the default way to access CVAD workloads, but if you still prefer an on-premises Citrix (ADC) Gateway V/A it’s a case of toggling off the Gateway Service. Customers choose to keep their Citrix ADC V/A for many different reasons and still highly relevant use cases and business or security and governance requirements.
To learn more about “Site Aggregation” check out – https://docs.citrix.com/en-us/citrix-workspace/add-on-premises-site.html to get started and to begin your pivot to the CVAD Service on your own terms.
The power of Affordance + Citriẋ for the Future of Work
What is “Affordance”? It’s Design Thinking terminology summarised as follows – you can look at a product or service and visualise in your mind how it works. A great example of this is the play ▶️ and stop 🛑 buttons: you can use these to interact with a product or service to start or stop the action, interactivity or stream.
Another example is the volume control on a car radio: it’s usually a round knob, and to turn the volume up you turn the round knob clockwise, and the reverse to lower the volume.
Now that you have a simple understanding of what I mean by affordance let’s get started.
We live in an age of a complex technology spectrum that is supposed to remove friction and barriers for employees to achieve more, but it’s actually in many instances making it worse, while in some cases, through people cultures at companies, it’s driving productivity trends in the wrong direction inclusive of negative effects on employee (human) well-being. A recent “The Economist” article puts the remote workforce working up to 30% more during the pandemic, yet there are productivity inefficiencies; the link to the article is available at – https://www.economist.com/business/2021/06/10/remote-workers-work-longer-not-more-efficiently.
How does Citrix aim to solve some of that complexity in the technology spectrum? It embraces the power of Affordance, enabling employees (humans) to work on their own terms to achieve more in meaningful ways through flexible work-styles. Today many talk about a hybrid workforce; it’s a staple founding principle upon which Citrix was built and it’s in its DNA, with over 30 years of tenure enabling the hybrid operating model between the physical workplace, at home or somewhere in between, with different marketing lines, my favourite being – Work is not a place.
I now invite you to watch the following 3 minute demonstration where I’ll take a vanilla Windows endpoint and enable Single Sign-On (SSO) to Software-as-a-Service (SaaS) web apps; in my example I’ll SSO to Salesforce in several ways to demonstrate the Affordance of Citrix enabling employees (humans) to work on their own terms on any endpoint.
Demonstration of the Employee Affordance powered by Citrix
In the video you see a Windows endpoint that doesn’t have access to Salesforce; that’s because it’s a SaaS web app and you typically access those types of apps using your web browser, not via the Start Menu on a Windows endpoint or the Dock on Mac OS X.
Once the employee completes a sign-in to Citrix Workspace, much like the Netflix app on your smart TV provides you with recommendations and access to stream either movies, TV series or documentaries, Citrix Workspace app allows access to stream different web, SaaS and micro apps with SSO enabled so it’s seamless.
The difference between the Netflix and Citrix Workspace apps is that the Citrix Workspace app (CWa) supports different affordances in how an employee (human) may want to work vs. how IT and security teams determine “how” employees (humans) consume these apps – local, sandboxed, traffic reflection or a combination, inclusive of security in depth by enforcing session watermarking, restrictions on cut, copy, paste and printing etc.
I now invite you to study the hand-drawn diagram below, to make the experience hopefully more personal. The diagram depicts the entire demonstration above, how the flow of traffic and data is controlled, and how contextual security access can be applied to different web, SaaS and micro apps using cloud native turn-key Citrix Cloud Platform services.
Time line of the Demo
Time 0 min 0 seconds
The Citrix apps have already been installed onto the employee (human) endpoint; this could be achieved by using Citrix’s own Endpoint management service vs. another, or alternatively by some other legacy/traditional means e.g. a Domain joined endpoint using a full device VPN.
Time 0 min 13 seconds
On-board employee (human) + endpoint with Citrix Workspace for modern secure data, web & SaaS app delivery with SSO.
Time 0 min 29 seconds
Citrix Workspace app (CWa) is signed in and is beginning to retrieve and layer in the right and relevant SaaS, Web, (Virtual Apps & Virtual Desktops – optional) apps with Windows Start Menu or Mac OS X Dock integration, by entitlement by job role vs. Business function. You will notice that while CWa is initializing there is NO Salesforce in the Windows Start Menu.
Time 0 min 55 seconds
Citrix Workspace app (CWa) enables an effortless Single Sign-On (SSO) experience using a magic token to SSO the Citrix Files app to gain access to the employee’s (human’s) Cloud “My Docs” managed by Citrix, or allows access to OneDrive for Business, Google Drive, Box, Dropbox etc. – Note the employee will need to sign in only once to any of these Enterprise File Sync and Share (EFSS) platforms to then allow CWa to SSO the employee (human) to any of these EFSS platforms which IT can control and allow access to.
Time 1 min 26 seconds
CWa has layered in all the employee’s (human’s) web and SaaS apps into the Windows Start Menu, which the human can now search for and launch with just in time security and SSO after the click on the icon.
There are two versions in this demo, Salesforce and Salesforce Secure; this is to show the different types of contextual security that can be enforced or ON vs. OFF at app vs. network latitudes.
Citrix Workspace affordance enables frictionless access including SSO to SaaS e.g. Salesforce via Windows Start Menu integration, launching the preferred native local endpoint browser with the browser traffic protected by Citrix Secure Internet Access (SIA) Service, and the SSO to Salesforce is handled by the Citrix Gateway Service configured by IT for SSO e.g. SAML.
When accessing Salesforce, even though IT has turned OFF all app security enforcement policies at the OS and presentation layer (e.g. what the human sees and interacts with, such as the Start Menu and Chrome Browser) so it’s a native experience, the Citrix SIA Service is capturing and redirecting all the network traffic prior to it traversing the endpoint’s network interfaces and forcing the traffic to a centralised Citrix SIA service tenant in the Citrix Cloud Platform. This allows IT and Security teams to enforce just in time cloud network security policy adds/moves/changes in near real-time, all without impacting employee affordance, by avoiding pushing down any type of update/patch/upgrade software package.
Time 1 min 48 seconds
Citrix Workspace app inclusive of the web browser portal version allows employees to use the Citrix Universal Search to search for web, SaaS apps and content from within the portal if this is how they choose to work and then access the same Salesforce SaaS app with the same SSO and network security enforced when using the CWa.
Time 1 min 57 seconds
In this example I search for and start the Salesforce Secure SaaS app, and here IT has turned ON all the app security enforcement policies at the OS and presentation layers to add further depth and breadth, avoiding any IP, PII exfiltration and more.
When app security policies for web and SaaS apps are configured, then depending upon how the employee (human) intends to access his/her web and SaaS apps e.g. Salesforce Secure, it will make a decision based upon the individual employee’s (human’s) preferred Affordance access method how to securely deliver Salesforce Secure, e.g. at 2 min 29 seconds you’ll see that it’s open, SSOed, and running in a local sandboxed browser that is session watermarked with cut/copy/paste and printing denied or disabled between the sandbox and endpoint.
Time 2 min 44 seconds
What if the employee (human) decides “actually I am going to bypass all of Citrix’s security policies and governance”? Well, guess what: the just in time protection at a network level by the Citrix SIA Service will intercept and enforce app security policies. In the example I open a new tab, navigate to Salesforce, type in my tenant and attempt to sign in outside of Citrix Workspace app and bypass all that security; the Citrix SIA Service intercepts the request between endpoint (source) and destination (https://<tenant>.my.salesforce.com) and recognises that this method requires a remote browser isolation session to avoid and de-risk IP, PII exfiltration and lateral movements. IT can choose to enforce or allow cut/copy/paste and printing from these remote browser isolation services that are intercepted by the Citrix SIA Service.
DT Architecture Diagram
What services were used to achieve this experience?
Secure Internet Access – https://www.citrix.com/products/citrix-secure-internet-access/
Secure Private Access (formerly Access Control and Secure Workspace Access) – https://www.citrix.com/products/citrix-secure-private-access/
Secure Browsing Service – https://www.citrix.com/products/citrix-secure-browser/
Citrix Analytics for Security – https://www.citrix.com/products/citrix-analytics-security/
All of these services are turn-key S/PaaS in nature, powered by the Citrix Cloud Platform – https://citrix.cloud.com/, and have good IT Affordance, meaning they aren’t difficult to set up, configure and manage; you’re talking about a handful of minutes or a few hours to get a Minimal Viable Product or Prototype (MVP) into your employees’ (humans’) hands to test and provide you with insights and feedback to refine your MVP.
Citrix Virtual Apps & Desktops 7 2012 Unlocking Potential with What’s New
The following article describes feature capabilities and changes to the Citrix Virtual Apps & Desktops (CVAD) 2012 Current Release (CR), either used on-premises or via the CVAD Service in Citrix Cloud platform – http://citrix.cloud.com/. The current documentation is officially accessible under the current release node within Citrix eDocs at What’s New* accessible at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/whats-new.html.
Suggested Upgrade Guidance to CVAD 7 2012
Citrix have published the following micro site “Citrix Upgrade Guide” – https://docs.citrix.com/en-us/upgrade. It is worth mentioning that when using this web tool to understand the source vs. target release strategies, you’ll need to factor in the name change from e.g. XenApp to Citrix Virtual Apps.
It is advisable, prior to embarking on any potential upgrades, as a good leading and practical practice, to perform a due diligence review of the connected endpoint ecosystem, thus avoiding any potential blockers. Every Citrix Administrator (Admin) should bookmark the following online PDF document entitled – “Citrix Workspace app Feature Matrix” https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-workspace-app-feature-matrix.pdf.
Alternatively, if you are finding it a challenge to successfully prepare a plan to upgrade your CVAD environment from its current release cycle to the current 2012 release, then perhaps you should be evaluating a shift towards consuming your on-premises Access and Control Layers as a Service operating model from the Citrix Cloud CVAD Service. There is a detailed online document available at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/migrate.html and if you require a reminder of who manages what, then be sure to read the following technical security overview for the CVAD Service available at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/secure.html#security-overview, which covers off the high level architecture, credential handling and the flow of data and isolation.
Overview of What’s New and Changes to CVAD 7 2012 Current Release (CR)
IT Administration
1. While this is NOT new, please be mindful that hosting connections to public clouds e.g. CloudPlatform, AWS EC2, Azure and of course GCP are not supported with CVAD current releases (CR) – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/upgrade-migrate/upgrade.html#remove-pvd-appdisks-and-unsupported-hosts. If you require this capability you’ll need to adopt a Citrix Virtual Apps & Desktops (CVAD) Service operating model from the Citrix Cloud or standardise on the last Long Term Service Release (LTSR), which is 1912 – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr.
2. The Citrix Workspace Environment Management (WEM) 2012 agent is now bundled into the Virtual Delivery Agent (VDA) installer, both for the GUI – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/install-vdas.html#step-7-wem-agent and for automation purposes – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/install-command.html#command-line-options-for-installing-a-vda, which allows you to configure the WEM ACL f/w; agent port/cache location/data sync port; connectors vs. WEM server. The agent now includes new cache utility options (-RefreshSettings or -S; -Reinitialize or -I); an optimised startup workflow which has been resolved, including a new Citrix Cloud connector behavioural awareness strategy; and the WEM agent is retiring the associated legacy agent cache sync service in line with the End of Life (EoL) of Microsoft Sync Framework 2.1. See – https://docs.citrix.com/en-us/workspace-environment-management/current-release/whats-new.html for more details and remediation readiness.
3. Support for transparent and non-transparent proxies for “Rendezvous”, check out – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/hdx/rendezvous-protocol.html#proxy-configuration. To validate the configuration, launch “ctxsession.exe -v” in a console and evaluate the output, referencing – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/hdx/rendezvous-protocol.html#rendezvous-validation. If you are using a data/network redirection agent to forward your network traffic to the cloud, like Zscaler Private Access (ZPA), be mindful of the current leading recommendations – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/hdx/rendezvous-protocol.html#additional-considerations. If you are not familiar with the what and why of “Rendezvous”, then learn and understand how it works, which includes a detailed connection flow diagram – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/hdx/rendezvous-protocol.html#how-rendezvous-works.
4. The 2012 Linux VDA supports Machine Creation Services (MCS) on Google Cloud Platform (GCP), which you can learn to set up and configure at – https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/installation-overview/use-mcs-to-create-linux-vms.html#use-mcs-to-create-linux-vms-on-gcp; continuing the efforts to remote physical standard vs. high-end workstations sat in the Workplace, the Wake on Local Area Network (LAN) capability is now available for Linux endpoints; finally, there is support for the new Linux distro releases Ubuntu 20.04 and RHEL 7.9 and 8.3. You can learn more about what else is new at – https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/whats-new.html.
5. Citrix Provisioning Service (PVS) 2012 includes a wealth of fixed issues – https://docs.citrix.com/en-us/provisioning/current-release/fixed-issues.html.
Employee Experience
1. Drag and Drop to copy files between your local endpoint and the delivered Citrix virtual app and or desktop. To learn more check out “CTXDND” under “Multi-Stream virtual channel assignment setting” at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/multistream-connections-policy-settings.html#multi-stream-virtual-channel-assignment-settings, and also be mindful of the current known limitations in the What’s New for Citrix Virtual Apps and Desktops (CVAD) 2012*.
2. Web Camera redirection issues resolved for Microsoft Surface Pro 4 endpoints*.
3. Support for the Windows Image Acquisition (WIA) API framework allows scanning/imaging Citrix virtual apps to access the features and functions of the scanning endpoints themselves.* You can learn more at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/devices/twain-devices.html.
4. The Linux Virtual Delivery Agent (VDA) 2012 release introduced a macro amount of meaningful experience features, like automatic MTU discovery to avoid performance degradation and session connection failures of CVAD ICA/HDX sessions, and support for the “Rendezvous protocol” allowing Linux ICA/HDX to bypass the Citrix Cloud Connector when using the Citrix Gateway Service with CVAD Services.
5. Drag and then drop files between a Citrix ICA/HDX session and the employee’s local endpoint*; this feature requires Windows CWA 2002 for Windows.
Security
1. Familiarise yourself with the Deprecation announcements – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/whats-new/removed-features.html.
2. *While the drag and drop files feature in CVAD 2012 offers a brilliant and frictionless employee experience, you should consider the security risks prior to implementation. For example, do all employees require this feature? Evaluate who would actually benefit from the capability, and do they have a managed endpoint which IT controls? I would also ask you to assess the risk by the employee’s role and function within the organisation e.g. key revenue generating employees?
3. CTXS licensing server build 33000 now includes updated versions of Apache 2.4.46 and OpenSSL 1.1.1g and new conf options for usage telemetry, which cover off Personally Identifiable Information (PII) options and associated descriptions. Learn more at – https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager/settings.html#configure-usage-telemetry.
4. Federated Authentication Service (FAS) 2012 fixes a disconnect-on-lock feature, ref [AUTH-787]. If you are experiencing this issue you can find more detail at – https://docs.citrix.com/en-us/federated-authentication-service/whats-new/fixed-issues.html.
5. Session Recording (SR) 2012 adds a wealth of good new features and continues to keep employees working from home compliant in regulated industries, or it can be used for internal training. Some of the new features include support for blocking of sensitive information – https://docs.citrix.com/en-us/session-recording/current-release/log-events.html#sensitive-information-blocking;
I’m Always Minded of Public Cloud but Please Respect it.
Respect how #publicclouds are designed to be run and operate, with all the services they run, they can be comparable to an operating system e.g. iOS which has services and background services that make your touch screen + FaceID work seamlessly with your mobile apps, but you must always regularly check your mobile app settings e.g. turn off options/features so you get the better performance and value-led cost optimisation, for example turning off “background app refresh” meaning reducing energy waste or “mobile data” so your cellular data plan isn’t blown without you realising watching all those videos and movies that autoplay – Lyndon-Jon Martin Nov 2020.
Originally posted on LinkedIn – https://www.linkedin.com/posts/lyndonjonmartin_publicclouds-activity-6734944687586729984-iHRZ.
Citrix Virtual Apps & Desktops or CVAD Service Migration Strategies
The path to operating Citrix Virtual Apps and Desktops from the Citrix Cloud Platform can often appear like you need to climb to the summit of K2. This is purely because IT foresees it as another key, yet rapid, IT Transformation project to solve a multitude of business and business IT challenges (it’s different organisation by organisation). I’ve therefore put together a simple blended digital doodle on this very topic highlighting some key learnings, leading practices from the field and my own thoughts and thinking.
If you want to go deep or even get started on your own migration project today, then I strongly recommend that you read and review the “Proof of Concept: Automated Configuration Tool” available at – https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/citrix-automated-configuration.html, which covers off a step by step guide from installation to migration of on-premises CVAD configurations to the CVAD Service operated and run in the Citrix Cloud Platform – https://citrix.cloud.com. The series of TechZone articles listed at – https://docs.citrix.com/en-us/tech-zone.html#citrix-virtual-apps-and-desktops will also add value in your pivot to the CVAD Service.
If you have the right subscription access at https://training.citrix.com, then you can also complete the following on-demand eLearning course “eCWS-2014 | Automated Configuration Tool for Virtual Apps and Desktops” – https://training.citrix.com/elearning/coursequests/1/quest/184, which took me around 45 minutes to complete.
Dyslexia Thinking + Thoughts on the power of Citrix Workspace + Citrix Modern Networking captured in a Blended Doodle
A Workspace technology that enabled Flexible Working styles 30+ years with a continuous Vision focused on the Current vs. Future of Work Acumen
I decided to put together my second blended doodle to better explain Citrix Workspace + Citrix Modern Networking and how it works, in a visual illustration format, to have more meaningful conversations and discussions. A picture can tell a thousand micro stories, and the big picture here depicts a simple story which tells you the IT + Business value of unlocking your organisation’s potential using Citrix on Citrix, including the why and why now. A Citrix Workspace supports legacy, traditional and very forward thinking ways of working that, prior to the COVID-19 worldwide pandemic, would take a while to get going. Today, however, organisations can leap at pace within their Transformation journeys by unlocking ready to consume Citrix as a Service operating models, inclusive of BUT also well beyond virtualisation, to a world where you can swipe left or right vs. enter in up to 3-5 fields and tap submit/approve to achieve business and human outcomes within seconds.
The stark truth is that a Citrix Workspace for Citrites is “AWESOME” and the productivity time I get back routinely using our own technologies inspires me more with each day, it allows me to accelerate ‘economics of time I get back’ or take a well deserved break when I need it on my own terms.
Understanding Citrix Workspace + Citrix Modern Networking “Best Together”
The links below will help you better understand the different Citrix service offering capabilities, terminology, strategy and business + technical acumen (>).
- Leading the world to net zero carbon emissions – https://www.citrix.com/products/citrix-workspace/resources/sustainability-infographic.html
- Citrix—part of the solution – https://www.citrix.com/about/sustainability.html Decreasing our carbon footprint
- Zero Trust Architecture – https://docs.citrix.com/en-us/tech-zone/learn/tech-briefs/zero-trust.html
- Citrix Trust Center – https://www.citrix.com/about/trust-center/privacy-compliance.html
- Citrix Cloud – https://docs.citrix.com/en-us/citrix-cloud
- Citrix Cloud Connector – https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector.html
- Citrix Workspace – https://www.citrix.com/products/citrix-workspace/
- Take an interactive tour (Employee) – https://www.citrix.com/products/citrix-workspace/resources/interactive-product-tour.html
- Take the admin tour now – https://www.citrix.com/products/citrix-workspace/resources/interactive-product-tour-2.html
- Citrix Secure Internet Access – https://www.citrix.com/products/citrix-secure-internet-access/
- Citrix Secure Workspace Access – https://www.citrix.com/products/citrix-secure-workspace-access/
- Citrix Analytics for Security – https://www.citrix.com/products/citrix-analytics-security/ > https://docs.citrix.com/en-us/security-analytics.html
- Create microapps with ease – https://www.citrix.com/digital-workspace/microapps.html > https://docs.citrix.com/en-us/citrix-microapps
- Citrix Content Collaboration – https://www.citrix.com/products/citrix-content-collaboration/ > https://docs.citrix.com/en-us/citrix-content-collaboration
- Citrix Endpoint Management – https://www.citrix.com/products/citrix-endpoint-management/ > https://docs.citrix.com/en-us/citrix-endpoint-management