Zoom in Citrix VDI (Part 2) HDX Offloading, Architecture and Zoom.us Security + Privacy

Introduction
In my first blog post http://axendatacentre.com/blog/2020/04/22/zoom-hdx-offloading-for-citrix-virtual-desktops-part-1/ I explored how frictionless it was to set up and deploy Zoom in a Citrix Virtual Desktop. This post builds upon my initial post, looking at a wider device spectrum, fallback scenarios and further testing using iGel thin clients.

Overview of Optimised vs. Un-Optimised Zoom Meetings in Citrix VDI (DaaS)
The below image represents both an optimised and an un-optimised Zoom meeting running within a Citrix virtual desktop. If an employee accesses his/her Citrix virtual desktop from an endpoint, e.g. a BYO device, that doesn’t have the “Zoom Media Plugin” installed as it was on their CORP device, then the once “Optimised” HDX offloaded A/V traffic for their Zoom meeting is effectively now “Un-Optimised”. The A/V processing that was shifted onto the employee’s endpoint will now be processed within the Citrix virtual desktop in the resource location (data centre), causing a degraded experience and a macro uplift in the computing and networking resources needed to process the A/V for the Zoom meeting, since the A/V traffic is sent to and received from the employee’s endpoint and then sent out via the Zoom client within the Citrix virtual desktop.

UPDATED Zoom Pre-requisites & System Requirements
Follow my original guidance at – http://axendatacentre.com/blog/2020/04/22/zoom-hdx-offloading-for-citrix-virtual-desktops-part-1/. My initial test focused on the viability of using Zoom meetings in a Citrix virtual desktop when HDX Offloading was enabled to “Optimise” Zoom meetings and improve the employee experience by shifting the A/V processing to the employee’s endpoint. The initial results were hugely promising with minimal effort.

I found some time to continue with further tests but I hit a wall: the “Zoom Client for VDI” was displaying a “Grey blank screen” during the meeting, and when checking the video settings within the “Zoom Client for VDI” app in the system tray you get the same result, a “Grey blank screen”, even though Citrix Workspace app is doing its job of automatically connecting “Microphones and Webcams”. I tested a GoToMeeting without any issues, so I knew there were no policy conflicts or issues. I googled the problem briefly and found nothing useful. I then decided to revisit Zoom’s on-line documentation and found this important notification, published within the last 6 days of this blog post, stating that Zoom now requires both the “Zoom Media Plugin” + “Zoom Client for VDI” to match exactly from version 2.1.5, documented at – https://support.zoom.us/hc/en-us/articles/360031768011-New-Updates-for-Virtual-Desktop-Infrastructure-VDI-. For anything prior to the pending date 30/05/2020, you can configure the MinPluginVersion via registry settings – https://support.zoom.us/hc/en-us/articles/360032343371 to be able to use older versions for backwards compatibility – https://support.zoom.us/hc/en-us/articles/360041602711.

Zoom Meeting Test & Citrix Lab Overview
1. CVAD 1912 LTSR running in my personal AWS EC2 in N. Virginia, USA, delivering a Citrix virtual desktop to me in London, England. The virtual desktop is running Windows Server 2019; it’s a “t2.medium” instance type running the 1912 LTSR Virtual Delivery Agent (VDA). Also installed was the “Zoom Client for VDI” product version 4.6.15322 used during my original testing – https://twitter.com/lyndonjonmartin/status/1253036938992529408?s=20. To resolve the “Grey blank screen”, download and install the latest product version; I was running 4.6.15630.
2. Personal iPhone 7S running Zoom app setup with my account to start/stop Zoom meetings.
3. Zoom doesn’t support HDX Offloading on MacBooks, therefore I used my wife’s Windows 10 laptop in these tests, which is running Citrix Workspace app 1912, and I installed the Zoom Plugin for Citrix Receiver product version 4.6.15630. You’ll notice that the product versions between the Citrix virtual desktop running the “Zoom Client for VDI” – https://zoom.us/download/vdi/ZoomInstallerVDI.msi and the Zoom Plugin “Zoom Media Plugin” – https://zoom.us/download/vdi/ZoomCitrixHDXMediaPlugin.msi on the endpoint are an exact match.
4. Zoom have published a VDI Backward Compatibility Matrix which is available at – https://support.zoom.us/hc/en-us/articles/360041602711.

Zoom VDI Optimisation Management
I think it’s important to recognise that when rolling out the Citrix + Zoom “Optimisation” capability you need to include both the “Zoom Client for VDI” + “Zoom Media Plugin” as part of your internal and external software deployment strategy. It is also worth noting the differences between Zoom meetings within “Citrix” VDI and on other platforms; Zoom has put together a comparison feature matrix at – https://support.zoom.us/hc/en-us/articles/360031441671-VDI-Client-Features-Comparison?zcid=1231#h_fceae51c-f385-4a20-bd54-c7c50f186c15. You should also be mindful of the native features by platform, which are available at – https://support.zoom.us/hc/en-us/articles/360027397692.

Internal Strategy
Manage the “Zoom Client for VDI” using a Citrix App Layering “App Layer” – https://docs.citrix.com/en-us/citrix-app-layering/4/layer/create-app-layer.html in conjunction with, or separately from, your existing preferred Citrix provisioning technology, e.g. Machine Creation Services (MCS) or Provisioning Services (PVS).

External Strategy
Management of the “Zoom Media Plugin” is better controlled, for security and to avoid breaking the employee experience on supported endpoints – https://support.zoom.us/hc/en-us/articles/360031096531-Getting-Started-with-VDI, by enrolling the endpoints into Citrix Endpoint Management (CEM). For Windows endpoints use the *.MSI installer with the “Windows Agent” – https://docs.citrix.com/en-us/citrix-endpoint-management/policies/windows-agent-policy.html to deploy a script to update the “Zoom Media Plugin”, and for iOS and Android you could send a push notification to employees to update to the latest Zoom app available in the public app store, so that you have consistent app versioning across the device spectrum for feature + security parity across the organisation.
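An added example, not from the original post or from Citrix or Zoom: a PowerShell endpoint script of the kind the External Strategy describes, which checks the installed plugin against the required version and only installs a staged MSI after its Authenticode signature validates. Assumptions: the Uninstall DisplayName contains the product name given in this post, the MSI staging path is hypothetical, and the publisher subject pattern must be confirmed against a known-good installer.

```powershell
param(
    [version]$RequiredVersion = '4.6.15630',                      # version quoted in this post
    [string]$ProductName     = 'Zoom Plugin for Citrix Receiver', # product name quoted in this post
    [string]$MsiPath         = 'C:\Staging\ZoomCitrixHDXMediaPlugin.msi', # hypothetical staging path
    [string]$ExpectedSigner  = '*Zoom Video Communications*'      # assumption: confirm before use
)

# Compare Major.Minor.Build only, so 4.6.15630 and 4.6.15630.0 count as equal
function Test-SameBuild([version]$a, [version]$b) {
    $a.Major -eq $b.Major -and $a.Minor -eq $b.Minor -and $a.Build -eq $b.Build
}

# Standard Uninstall keys for 64-bit and 32-bit installs
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

$installed = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$ProductName*" } |
    Select-Object -First 1

# Tolerate a missing or oddly formatted DisplayVersion
$current = $null
if ($installed) {
    [void][version]::TryParse([string]$installed.DisplayVersion, [ref]$current)
}

if ($current -and (Test-SameBuild $current $RequiredVersion)) {
    Write-Output "Compliant: $ProductName $current"
    exit 0
}

# Refuse to install anything not validly signed by the expected publisher
$sig = Get-AuthenticodeSignature -FilePath $MsiPath -ErrorAction SilentlyContinue
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike $ExpectedSigner) {
    Write-Error "Signature check failed for $MsiPath (status: $($sig.Status))"
    exit 2
}

# Silent install; 3010 means success with a reboot pending
$proc = Start-Process msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn /norestart" -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    Write-Error "msiexec failed with exit code $($proc.ExitCode)"
    exit 3
}
Write-Output "Installed $ProductName from $MsiPath (previous version: $current)"
```

The non-zero exit codes let the management tool report which endpoints are still on a mismatched plugin and would fall back to the un-optimised path.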

LTSR vs. CR vs. Citrix Cloud Strategy for HDX Offloading of Zoom?
Zoom is not embedded into the Citrix stack like Teams is, therefore you can choose to deploy your own Zoom + Citrix HDX Offloading in line with your preferred CVAD release strategy, BUT you must align to Zoom’s leading practices for “Citrix” VDI and Citrix’s for release strategy type. The reason this is possible is because you need to manually install, or automate the installation of, the “Zoom Media Plugin” + “Zoom Client for VDI” software on both the client and server/workstation sides outside of the Citrix stack, remembering that the Teams HDX offloading components are part of the VDA (server/workstation) and the CWA (client) – http://axendatacentre.com/blog/2019/08/06/hdx-offloading-for-microsoft-teams-within-a-citrix-virtual-desktop/.

Zoom 90 Day Security Plan Facts & Personal Opinions
Zoom recently published an updated communication on their 90 Day Security & Privacy Plan for June, available to read at – https://blog.zoom.us/wordpress/2020/06/03/90-day-security-plan-progress-report-june-3/*. Since the beginning of this journey I will continue to update the security & privacy portion of this blog post below. Zoom is so committed to this that its CEO and “leader” Eric Yuan holds LiVE sessions entitled “Ask Eric Anything“. If you wish to join these sessions LiVE, register at – https://zoom.us/webinar/register/WN_9jdr63uuRuSRBX-yEJ2zVQ?id=3IWjZb4JTJm0II3A4lkBOg&zcid=1231 and if you want to ask a question email answers@zoom.us as per the blog post*. If you have doubts, or you heard a “Chinese Whisper” surrounding Zoom’s security or privacy, then you should watch the below, and be sure to submit that question to Zoom’s leader and his leadership team to reply on “Ask Eric Anything“.

I’ve yet to see a leader openly committed to and inclusive of customer, business, community and peer feedback to drive CHANGE and INNOVATION. Upon reflection I’m actually not surprised: he’s an “Entrepreneur Leader” and therefore both change and innovation are built into his DNA, likewise to learn from failure fast and then act to achieve continued success. These two values for me are missed while driving (Digital) Transformation in any organisation from paper to paperless vs. manual to co-hybrid automation.

Security & Privacy
Zoom is continuing to take security and privacy seriously and they continue to communicate that publicly on the company blog. As of releasing this blog post they have published the following blog articles – https://blog.zoom.us/wordpress/2020/05/04/navigating-a-new-chapter-for-zoom/, https://blog.zoom.us/wordpress/2020/05/05/use-zoom-to-securely-host-virtual-board-meeting/ and https://blog.zoom.us/wordpress/2020/05/05/zoom-disable-pmi-security-updates-for-basic-accounts-may-9/. The collective sum of these posts indicates that Zoom is giving IT more security controls for Zoom meetings in an enterprise. The following list is just a high level summary of what can be found in the above blog posts on https://blog.zoom.us/.

- Zoom Encryption whitepaper published April 2020 – https://zoom.us/docs/doc/Zoom%20Encryption%20Whitepaper.pdf discussing the use of TLS 1.2, AES, AES-256 and SRTP or Secure Real-time Transport Protocol for Zoom to Zoom communication. The whitepaper looks at clients, browsers and 3rd party devices/services.
- Zoom client connection process whitepaper published April 2020 – https://zoom.us/docs/doc/Zoom_Client_Connection%20Process_Whitepaper.pdf
- Leading practices when using Zoom Personal Meeting IDs (PMI)
- Zoom 5.0 supports AES 256-bit GCM encryption*
- Scheduled security changes to come to FREE Zoom accounts
- Zoom watermarks in two flavours
- Industry certifications e.g. SOC2 Type II, Privacy Shield Certified, GDPR etc. – https://zoom.us/docs/ent/privacy-and-security.html
- Lock meetings and require authentication – https://support.zoom.us/hc/en-us/articles/360041848151-In-meeting-security-options?mobile_site=true

Final Thoughts
Zoom continue to step up on the security and privacy frontier, and the second round of tests continues to demonstrate a real WOW moment for me in how frictionless the experience has been as an IT Professional and as a consumer of Zoom meetings personally within my lab. I will, time permitting, continue with my full tests in the future, expanding the device spectrum and being inclusive of employee experience optimisation strategies.

The views expressed here are my own and do not necessarily reflect the views of Citrix.