Category Archives: Citrix Cloud

What BCP Availability Strategy for Citrix DaaS? Service Continuity (SC) or Local Host Cache (LHC)

Consider this an evergreen article with *pro-active adds/moves/changes inclusive of errors/mistakes until I remove this statement.

Architectural Doodle
The diagram below provides a high-level view of the architectural difference between Local Host Cache (LHC) and Service Continuity (SC), and how you can weaponise Citrix Analytics for Performance to enable pro-active management of your workloads in a single hyperscaler cloud or multi-cloud hyperscaler strategy.

Visualising the Value of Change using a Force Field Analysis (FFA)
An FFA is a business methodology that helps to visualise, through a meaningful contextual analysis, why a business and or e.g technology decision for “change” is the right and relevant direction of travel. It helps by amplifying the understanding of “what the change is, the how, the what if and the why change” towards a new future desired state e.g buying a music title per song vs. a music subscription to rent the music over a period of time.

The example analysis below is a technology change decision shifting from Local Host Cache (LHC) as the current state to Service Continuity (SC) as the future state – improving IT’s operational resiliency capability and capacity considering today’s climate and threat of digital warfare, aligned to internal business priorities and or executive KPIs ranging from strict security compliance & governance and hybrid multi-cloud failover (between cloud hyperscalers) to becoming cloud first/native, adopting aaS tooling where right and relevant e.g I/PaaS to help IT accelerate DEX at the required pace and execution agility.

This example analysis is representative of my personal field technologist landscape experience and backed by a robust and diverse pool of customers ranging in size and verticalisation. Remember you do not have to agree with my field experience; the concept is to weaponise this business tool as a force for good change in organisations wanting change that is meaningful, and or to back and better understand cost v value driven business strategies during forces of change.

Change under analysis: Service Continuity (SC)

| Score | Hindering Forces | Driving Forces | Score |
|---|---|---|---|
| 3 | Traditional method doesn’t rely on cloud services | Modern method to reduce and derisk operational outage | 5 |
| 5 | Strict Governance & Compliance requirements for on-premises workloads only – High security organisations e.g UK Gov entities e.g MoD/M6 | Better employee affordance during outages with SC | 5 |
| 5 | Security requirement for on-premises remote access Gateway POP’s controlled by IT/Security to reduce attack surfaces by adversaries including derisking operational outages | Cloud first Turn-Key Global v Regional POP Gateway as a Service Strategy | 5 |
| 2 | No support for Citrix Workspace Site Aggregation to On-Premises CVAD environment | No technical implementation debt | 5 |
| 2 | ▓ Limitations of Service Continuity for Internet Browsers – use case 3rd parties VPN-Less access without installing CWa on supported endpoints | No technical waste and debt – LHC management & monitoring | 5 |
| 3 | Citrix Receiver not supported – use case support for outdated thin clients | Citrix Workspace app (CWa) aligned to employee affordance (EX strategy) – Business KPI | 5 |
| | | Alignment to Cloud first Time to Value strategy – Business KPI | 5 |
| | | No LHC BCP testing program to validate the solution and verify sizing & scaling annualised changes | 5 |
| 20 | Total | Total | 40 |

▓ Updated 07/03/2022 – Several SC limitations, e.g Internet Browsers as a barrier to adoption, have now been addressed; learn more at – https://www.citrix.com/blogs/2022/03/01/service-continuity-in-citrix-cloud-a-recipe-for-resiliency/.

The outcome of this analysis reveals that while a number of key inner or outer loop stakeholders may be opposed to the technology change strategy, the FFA outcome is clear that the driving forces for change are in favour of Service Continuity (SC). You should make every attempt to remediate against the identified hindering forces for change, which could be the simple result of:

1. The decision maker(s) perception through experience wasn’t positive.
2. Company culture is averse to agile change.
3. IT Operations is required to retain more “control” when consuming cloud based I/PaaS services to better derisk outages.
4. Cloud security policies and frameworks have not been approved to enable new types of technologies like SC to be on-boarded and accepted by Enterprise/Cloud/Security Architects.
5. Accept the current business risks as they are and re-evaluate at a future time, as the current value outweighs the micro hindering forces.

Understanding Service Continuity (SC)
This is a modern way to reduce and derisk availability of access to (virtual) applications and desktops during an outage, provided the employee’s endpoint has the capability to access Citrix workloads within your hybrid and or hybrid multi-cloud resource location(s).

Cost v Value Driven Strategies
The following are generic but meaningful examples of the cost and value driven strategies that show why adopting Service Continuity (SC) to underpin your BCP/DR strategy is the right strategy.

  1. Modern field leading practice or method to reduce and derisk PaaS outages.
  2. Time to value is immediate – it’s a turn-key out of the box SaaS style experience with no configuration nor IT skills required, and no technical nor technology debt incurred.
  3. Leverages the Citrix Cloud global turn-key Gateway Service fabric – its service availability uptime is healthy as it operates between two hyperscaler public cloud providers; details are accessible using the “Cloud Assurance” micro site on the Citrix Trust Centre at – https://www.citrix.com/about/trust-center/cloud-assurance.html then filtering to the Gateway service + Gateway POPs.
  4. No requirement for bi-annual v annual stress testing and compliance checks for BCP/DR testing. Typically this would involve up to 2-3 days (or more) for enterprise organisations to stress test each site/resource location, excluding a further 5 full business days of planning activities, virtual meetings, whiteboards, approvals etc. with multiple stakeholders prior to testing – it’s an expensive exercise.
  5. No pro-active requirement to manage and monitor a StoreFront pair/cluster configuration, SSL/TLS certificate management or LHC cache integrity at each site/resource location, which significantly reduces the overhead of monitoring and the associated OS licensing and VM operating costs.
  6. The employee affordance (experience) is far superior vs Local Host Cache as a strategy – icons are greyed out, amplifying to the employee that his/her (virtual) application or desktop is unavailable, while anything coloured is still accessible and available – this design thinking affordance feature is often overlooked by IT Professionals, but evaluation through the lens of an employee e.g a PA amplifies what is and what is not available.
  7. Supports modern authentication, however there are limitations that will occur when SC is invoked; see – https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#requirements-and-limitations.

Service Continuity Support Matrix

| Platform/Feature/Service | Learn More | Supported | Notes |
|---|---|---|---|
| Citrix Workspace for Web (Chrome/Edge) | https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#service-continuity-in-browser | ✓* | 1. *Requires CWa for Mac 2112 or Windows 2109; 2. Kiosk usage is not supported e.g Hotdesking; 3. Supported internet browsers are Google Chrome and Microsoft Edge with plug-ins installed. |
| Mac | https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/whats-new.html#2112 | ✓ | CWa 2106+ |
| Windows | https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/about.html#21121 | ✓ | CWa 2106+ |
| Android | https://docs.citrix.com/en-us/citrix-workspace-app-for-android/whats-new.html#whats-new-in-2220 | ✓ | CWa 22.2.0 |
| Linux | https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/whats-new.html#2109 | ✓ | CWa 2106 (GA 2109) |
| iOS | https://docs.citrix.com/en-us/citrix-workspace-app-for-ios/whats-new.html#whats-new-in-2225 | ✓ | CWa 22.2.5 Tech Preview 03/2022 |
| | | | Security & Connectivity Limitations: EPA Scans; Enlightened Data Transport (EDT) – During outages |
| Citrix Workspace IdP (Authentication) | https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#requirements-and-limitations | SAML 2.0; AD; AD plus Token; Azure AD; OKTA; Citrix Gateway (primary user claim must be from AD) | Authentication limitations: SSO for FAS; SSO to VDA; Local mapped accounts. Only AD Domain joined VDAs are supported as of 03/2022 |

Technical Deep Dive
One of my fellow Citrix Technology Advocates (CTA) and current fellow Citrite, Gavin Connolly – https://citrixie.wordpress.com/author/technologistgav/, has written a brilliant in-depth blog post on how it works, how to configure + test it and the employee experience “Affordance” – https://citrixie.wordpress.com/2020/12/22/service-continuity-for-virtual-apps-and-desktop-service/ – Service Continuity for Virtual Apps and Desktop Service.

Understanding Local Host Cache (LHC)
This is the traditional method. While equally robust, it requires a fair bit of feeding and watering to ensure cache accuracy and resiliency at scale when required to derisk a PaaS or hyperscaler region outage.

Cost v Value Driven Strategies
The following are generic but meaningful examples of the cost and value driven strategies that show why retaining your current strategy of using Local Host Cache (LHC) to underpin your BCP/DR strategy is the right strategy under the current strict compliance and or risk requirements.

  1. Strict regulatory compliance to maintain some form of “control” when using cloud services.
  2. Industry Specific by Certification and or Government regulation requirements that prohibit cloud based services from being consumed and where an on-premises IT strategy is the only viable option on the table.
  3. Greater control through a co-shared IT responsible operating model e.g brokering workloads using the vendors PaaS but owning the outage risk.
  4. Profound value based platform reliability and stability for bad app farms delivering mission critical line of business virtual apps that can’t be moved to modern OSes and which, if they become unavailable, may cause significant financial harm e.g Utilities.
  5. Long term service release strategy alignment objectives

Understanding Citrix Analytics Service (CAS) for Performance
Coming…

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Accelerate migrations to the Gateway Service

In a recent article, “Accelerate migrations to the CVAD Service” – http://axendatacentre.com/blog/2021/09/30/accelerate-migrations-to-the-cvad-service/, I explored and shared how to accelerate and migrate an on-premises Citrix Virtual Apps & Desktops (CVAD) environment to the CVAD Service from a field perspective working with customers in the City of Greater London – England. Often another prominent and common question rears its head: how do I migrate to your Gateway Service, and how does the Gateway Service differ from a traditional Gateway physical or virtual appliance deployment strategy?

There are a handful of migration strategies for moving to the Gateway Service from an on-premises Gateway V/A environment:

Start A-Fresh
If you have an IT team that is battling with the economics of time or restricted financial budget(s) for projects, or that doesn’t have the required Citrix ADC networking skill sets due to M&A activities or people movements etc., then reset and restart by standardising and unlocking the IT and Employee affordance of the Citrix Gateway Service, which is a turn-key service in the Citrix Cloud Platform and enabled by default for any “New” Citrix Cloud RL’s out of the box.

Evaluate & Pivot
There are a handful of very important technology and business reasons why you would want to pause before executing this strategy and adopting the Gateway Service for the CVAD Service.

  1. Your existing Citrix ADC utilises the Unified Gateway capabilities e.g it supports SSO with modern authentication e.g Google OAuth, OKTA or ADD SAML to Web, SaaS, Intranet web apps and Clientless apps through a universal portal delivered through the Citrix ADC. This strategy is likely the most complex to evaluate before you pivot to the Gateway Service and typically requires a workshop to understand how the ADC is being used, what if it wasn’t there, and what other ADC functions and features are being utilised e.g EPA scanning – http://axendatacentre.com/blog/2016/11/14/setup-pre-authentication-endpoint-analysis-epa-policy-with-an-azure-netscaler-unified-gateway-11-x-n/ or you’re performing advanced load-balancing of internal web vs. app servers to employees e.g Finance systems.
  2. Another reasonable or sensible reason to pause and evaluate is if you are running a fleet of Citrix ADC V/A’s managed by a Citrix Application Delivery Management (ADM) V/A on-premises which is regularly fed and watered. Migrating this ADM configuration to the ADM Service in the Citrix Cloud platform then aids in reducing the IT administrative and technical debt of managing an on-premises control plane for Citrix ADC Networking, while retaining the status quo of remaining as is but enabling smart and not harder administration.
  3. The final potential reason to pause could be that you deploy and run your own Regional e.g Northern Europe vs. GEO e.g EMEA vs. Global Point of Presence (POP), in which you deploy and manage your own Private DIY style Gateway POP fabric globally using different cloud providers for economical costs, employee experience to reduce latency, or Hybrid Multi-Cloud resiliency for Disaster Recovery (DR) and Business Continuity. In these scenarios, understand whether you could shift purely the Gateway (ICA Proxy) functionality for secure remote access for CVAD workloads to the Gateway Service and leave the existing ADC + ADM deployment to load-balance, accelerate and protect web, app servers and SQL databases.

Automate & Migrate
Current existing Citrix ADC virtual appliances (V/A) are only utilising the Gateway functionality for ICA Proxy, enabling secure remote access to apps and data anytime, anywhere on any device. This strategy considerably reduces CAPEX and OPEX expenditures over a contract term by reducing the costs of licensing the V/A; Premium Hypervisor (Optional); VM Instance costs – (v)CPU, RAM and HDD (IaaS vs. Other Cloud); and the complexity of IT logical costs e.g Identity and Access Management (IAM), IP traffic routing etc. This strategy significantly reduces the IT administrative and technical debt through a simple and single “Toggle” per Citrix Cloud Resource Location (RL) – https://docs.citrix.com/en-us/citrix-gateway-service/support-for-citrix-virtual-apps-and-desktops.html#enable-the-citrix-gateway-service; by default the Gateway Service is now enabled for all “New” Citrix Cloud RL’s out of the box.

Accelerate migrations to the CVAD Service

A question I’m often asked in the field is how do I get to the Citrix Virtual Apps and Desktops (CVAD) Service at pace or more importantly on my own terms?

The answer can be simple and complex at the same time; the previous consultant in me now says “well it depends”. The challenge with the tag line of “well it depends” is that it can often lead to assumptions like migrating from an on-premises CVAD environment to the CVAD Service being a long and lengthy process that’s cumbersome, however today it couldn’t be further from the truth.

I have worked with many a customer that rotated to the CVAD Service in less than a month, either to keep business operations continuing at a time when a crisis hit or because a number of impending mergers were occurring and they needed an agile and flexible IT delivery strategy, which the Citrix Cloud platform is well placed to facilitate and orchestrate, bringing together many different workload types in any cloud type – private, public, hybrid and most importantly hybrid multi-cloud environments.

How did these customers achieve this feat? Before I get there, remember there is a lot more that needs to be considered with a traditional CVAD deployment (install, upgrade etc), requiring multiple teams to be engaged simultaneously as one (a huge feat in itself which rarely works as a well oiled machine), from IT to InfoSec, Network and Security teams etc. When you pivot to the Citrix Cloud platform you’re moving to a combination of SaaS (Gateway Service) and PaaS (CVAD Service) and equally removing a fair amount of unnecessary technical and culture debt + resistance. The lost time and productivity due to culture resistance to changing operating models and moving to the CVAD Service cannot be measured, but is by far the biggest barrier in my personal field perspective.

So how can you narrow the economics of time of getting to the CVAD Service? Citrix built and released an incredibly powerful tool called the “Automated Configuration Tool”, or ACT for short, which allows for the exfiltration of your CVAD operational business logic, which can be exported, then evaluated and imported into your CVAD Service tenant in the Citrix Cloud by your chosen region e.g https://eu.cloud.com/. Light Bulb moment!

I previously wrote this article – http://axendatacentre.com/blog/2020/11/07/citrix-virtual-apps-desktops-or-cvad-service-migration-strategies/ – “Citrix Virtual Apps & Desktops or CVAD Service Migration Strategies”, and the above and below expands upon this brief article from 2020; due to personal circumstances I stepped away largely from many communities and activities.

There are three migration strategies for moving to the CVAD Service from an on-premises CVAD environment:

Start A-Fresh
A complete re-evaluation of policies – employee experience vs. security, provisioning strategy. This strategy is wise if you’re unfamiliar with new enhancements in a multi-dimensional way and, being honest with yourself, your CVAD on-premises environment has not been well looked after e.g fed and watered.

Evaluate & Pivot
Migrate only key business operational IT logic requirements e.g. policies – employee experience vs. security, and rebuild Machine Catalogs based upon your net new provisioning strategy e.g. MCS from PVS to support hybrid multi-cloud portable workloads. This strategy implies that you keep your on-premises CVAD environment fed and watered often and updated at minimum once every 12 months.

Automate & Migrate
Ingest the entire business operational IT logic from Machine Catalogs, Delivery Groups, Policies and Zones into the CVAD Service from your on-premises e.g. CVAD 1912 Long Term Service Release (LTSR) environment or preferred Current Release (CR), provided that this environment has been well looked after proactively. You will still require a brief evaluate phase during the migration as part of good leading practice and hygiene.

To get started with how to get and use the ACT tool, check out this useful Citrix TechZone PoC guide/article – https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/citrix-automated-configuration.html.

Finally, the simplest and most powerful strategy is to not move any business operational IT logic at all to the CVAD Service initially, but to leverage the power of “Affordance”, or the appearance of providing the employee with the Citrix Workspace experience vs. StoreFront while technically nothing has changed; all that you are doing is changing the access lens/portal to be Citrix Workspace. This strategy is fundamentally critical in enabling IT to pivot to the CVAD Service on their own terms: once the employee culture or shock has worn off with this new looking interface, IT can in the background begin to use things like the ACT to migrate to the CVAD Service on their own terms, and then equally shift their existing ICA proxy configurations to a turn-key SaaS operating model by unlocking the Gateway Service in the Citrix Cloud for the CVAD Service and many other Citrix Cloud Services e.g Secure Workspace Access. The Gateway Service in the Citrix Cloud platform is the default way to access CVAD workloads, but if you still prefer an on-premises Citrix (ADC) Gateway V/A it’s a case of toggling off the Gateway Service. Customers choose to keep their Citrix ADC V/A for many different reasons and still highly relevant use cases and business or security and governance requirements.

To learn more about “Site Aggregation” check out – https://docs.citrix.com/en-us/citrix-workspace/add-on-premises-site.html to get started and to begin your pivot to the CVAD Service on your own terms.

The power of Affordance + Citriẋ for the Future of Work

What is “Affordance”? It’s Design Thinking terminology summarised as follows – you can look at a product or service and visualise in your mind how it works. A great example of this is the play ▶️ and stop 🛑 buttons: you can use these to interact with a product or service to start or stop the action, interactivity or stream.

Another example is the volume control on a car radio: it’s usually a round knob, and to turn the volume up you turn the round knob clockwise and the reverse to lower the volume.

Now that you have a simple understanding of what I mean by affordance let’s get started.

We live in an age of a complex technology spectrum that is supposed to remove friction and barriers for employees so they can achieve more, but in many instances it’s actually making it worse, while in some cases through people cultures at companies it’s driving productivity trends in the wrong direction, inclusive of negative effects on employee (human) well-being. A recent “The Economist” article puts the remote workforce working up to 30% more during the pandemic, yet there are productivity inefficiencies; the link to the article is available at – https://www.economist.com/business/2021/06/10/remote-workers-work-longer-not-more-efficiently.

How does Citrix aim to solve some of that complexity in the technology spectrum? It embraces the power of Affordance, enabling employees (humans) to work on their own terms to achieve more in meaningful ways through flexible work-styles. Today many talk about a hybrid workforce; it’s a staple founding principle upon which Citrix was built and it’s in its DNA, with over 30 years of tenure enabling the hybrid operating model between the physical workplace, at home or somewhere in between, with different marketing lines, my favourite being – Work is not a place.

I now invite you to watch the following 3 minute demonstration where I’ll take a vanilla Windows endpoint and enable Single Sign-On (SSO) to Software-as-a-Service (SaaS) web apps; in my example I’ll SSO to Salesforce in several ways to demonstrate the Affordance of Citrix enabling employees (humans) to work on their own terms on any endpoint.

Demonstration of the Employee Affordance powered by Citrix

In the video you see a Windows endpoint that doesn’t have access to Salesforce; that’s because it’s a SaaS web app and you typically access those types of apps using your web browser, not via the Start Menu on a Windows endpoint or the Dock on Mac OS X.

Once the employee completes a sign-in to Citrix Workspace, much like the Netflix app on your smart TV provides you with recommendations and access to stream movies, TV series or documentaries, the Citrix Workspace app allows access to stream different web, SaaS and micro apps with SSO enabled so it’s seamless.

The difference between the Netflix and Citrix Workspace apps is that the Citrix Workspace app (CWa) supports different affordance in how an employee (human) may want to work vs. how IT and security teams determine the “How” employees (humans) consume these apps – local, sandboxed, traffic reflection or a combination, inclusive of security in depth by enforcing session watermarking, restrictions on cut, copy, paste and printing etc.

I now invite you to study the hand drawn diagram below, which hopefully makes the experience more personal. The diagram depicts the entire demonstration above, how the flow of traffic and data is controlled, and how contextual security access can be applied to different web, SaaS and micro apps using cloud native turn-key Citrix Cloud Platform services.

Time line of the Demo

Time 0 min 0 seconds
The Citrix apps have already been installed onto the employee (human) endpoint; this could be achieved by using Citrix’s own Endpoint management service vs. another, or alternatively by some other legacy/traditional means e.g Domain joined endpoint using a full device VPN.

Time 0 min 13 seconds
On-board employee (human) + endpoint with Citrix Workspace for modern secure data, web & SaaS app delivery with SSO.

Time 0 min 29 seconds
Citrix Workspace app (CWa) is signed in and is beginning to retrieve and layer in the right and relevant SaaS, Web, (Virtual Apps & Virtual Desktops – optional) apps with Windows Start Menu or Mac OS X Dock integration, by entitlement by job role vs. Business function. You will notice that while CWa is initializing there is NO Salesforce in the Windows Start Menu.

Time 0 min 55 seconds

Citrix Workspace app (CWa) enables an effortless Single Sign-On (SSO) experience using a magic token to SSO the Citrix Files app to gain access to the employee’s (human’s) Cloud “My Docs” managed by Citrix, or allows access to OneDrive for Business, Google Drive, Box, Dropbox etc. – Note the employee will need to sign in only once to any of these Enterprise File Sync and Share (EFSS) platforms to then allow CWa to SSO the employee (human) to any of these EFSS platforms which IT can control and allow access to.

Time 1 min 26 seconds

CWa has layered all the employee’s (human’s) web and SaaS apps into the Windows Start Menu, which the human can now search for and launch with just in time security and SSO after the click on the icon.

There are two versions in this demo, Salesforce and Salesforce Secure; this is to show the different types of contextual security that can be enforced or set ON vs. OFF at app vs. network latitudes.

Citrix Workspace affordance enables frictionless access including SSO to SaaS e.g. Salesforce via Windows Start Menu integration, launching the preferred native local endpoint browser with the browser traffic protected by the Citrix Secure Internet Access (SIA) Service, and the SSO to Salesforce is handled by the Citrix Gateway Service configured by IT for SSO e.g SAML.

When accessing Salesforce, even though IT has turned OFF all app security enforcement policies at the OS and presentation layer e.g what the human sees and interacts with e.g Start Menu and Chrome Browser so it’s a native experience, the Citrix SIA Service is capturing and redirecting all the network traffic prior to traversing the endpoint’s network interfaces and forcing the traffic to a centralised Citrix SIA service tenant in the Citrix Cloud Platform. That allows IT and Security teams to enforce just in time cloud network security policy adds/moves/changes in near to real-time, all without impacting employee affordance, by avoiding pushing down any type of update/patch/upgrade software package.

Time 1 min 48 seconds

Citrix Workspace app, inclusive of the web browser portal version, allows employees to use the Citrix Universal Search to search for web and SaaS apps and content from within the portal if this is how they choose to work, and then access the same Salesforce SaaS app with the same SSO and network security enforced as when using the CWa.

Time 1 min 57 seconds

In this example I search for and start the Salesforce Secure SaaS app, and here IT has turned ON all the app security enforcement policies at the OS and presentation layers to add further depth and breadth, avoiding any IP, PII exfiltration and more.

When app security policies for web and SaaS apps are configured, then depending upon how the employee (human) intends to access his/her web and SaaS apps e.g Salesforce Secure, it will make a decision, based upon the individual employee’s (human’s) preferred Affordance access method, on how to securely deliver Salesforce Secure e.g at 2 min 29 seconds you’ll see that it’s open, SSOed and running in a local sandboxed browser that is session watermarked with cut/copy/paste and printing denied or disabled between the sandbox and endpoint.

Time 2 min 44 seconds

What if the employee (human) decides, actually I am going to bypass all of Citrix’s security policies and governance? Well, guess what: the just in time security at a network level provided by the Citrix SIA Service will intercept and enforce app security policies. In the example I open a new tab, navigate to Salesforce, type in my tenant and attempt to sign in outside of Citrix Workspace app and bypass all that security; the Citrix SIA Service intercepts the request between endpoint (source) and destination (https://<tenant>.my.salesforce.com) and recognises that this method requires a remote browser isolation session to avoid and de-risk IP, PII exfiltration and lateral movements. IT can choose to enforce or allow cut/copy/paste and printing from these remote browser isolation services that are intercepted by the Citrix SIA Service.

DT Architecture Diagram

What services were used to achieve this experience?
Secure Internet Access – https://www.citrix.com/products/citrix-secure-internet-access/
Secure Private Access (formerly Access Control and Secure Workspace Access) – https://www.citrix.com/products/citrix-secure-private-access/
Secure Browsing Service – https://www.citrix.com/products/citrix-secure-browser/
Citrix Analytics for Security – https://www.citrix.com/products/citrix-analytics-security/

All of these services are turn-key S/PaaS in nature, powered by the Citrix Cloud Platform – https://citrix.cloud.com/, and have good IT Affordance, meaning they aren’t difficult to set up, configure and manage; you’re talking about a handful of minutes or a few hours to get a Minimal Viable Product or Prototype (MVP) into your employees’ (humans’) hands to test and provide you with insights and feedback to refine your MVP.

Citrix Virtual Apps & Desktops 7 2012 Unlocking Potential with What’s New

The following article describes feature capabilities and changes to the Citrix Virtual Apps & Desktops (CVAD) 2012 Current Release (CR), either used on-premises or via the CVAD Service in the Citrix Cloud platform – http://citrix.cloud.com/. The current documentation is officially accessible under the current release node within Citrix eDocs at What’s New*, accessible at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/whats-new.html.

Suggested Upgrade Guidance to CVAD 7 2012
Citrix have published the following micro site, “Citrix Upgrade Guide” – https://docs.citrix.com/en-us/upgrade. It is worth mentioning that when using this web tool to understand the source vs. target release strategies, you’ll need to factor in the name change from e.g XenApp to Citrix Virtual Apps.

It is advisable, prior to embarking on any potential upgrades and as good leading practice, to perform a due diligence review of the connected endpoint ecosystem, thus avoiding any potential blockers. Every Citrix Administrator (Admin) should bookmark the following online PDF document entitled – “Citrix Workspace app Feature Matrix” https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-workspace-app-feature-matrix.pdf.

Alternatively, if you are finding it a challenge to successfully prepare a plan to upgrade your CVAD environment from its current release cycle to the current 2012 release, then perhaps you should be evaluating a shift towards consuming your on-premises Access and Control Layers in an as a Service operating model from the Citrix Cloud CVAD Service. There is a detailed online document available at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/migrate.html and if you require a reminder of who manages what, then be sure to read the following technical security overview for the CVAD Service available at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/secure.html#security-overview which covers off the high level architecture, credential handling and the flow of data and isolation.

Overview of What’s New and Changes to CVAD 7 2012 Current Release (CR)

IT Administration
1. While this is NOT new, please be mindful that hosting connections to public clouds, e.g. CloudPlatform, AWS EC2, Azure and of course GCP, are not supported with CVAD current releases (CR) – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/upgrade-migrate/upgrade.html#remove-pvd-appdisks-and-unsupported-hosts. If you require this capability you’ll need to adopt a Citrix Virtual Apps & Desktops (CVAD) Service operating model from the Citrix Cloud or standardise on the last Long Term Service Release (LTSR), which is 1912 – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr.
2. The Citrix Workspace Environment Management (WEM) 2012 agent is now bundled into the Virtual Delivery Agent (VDA) installer for the GUI – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/install-vdas.html#step-7-wem-agent and for automation purposes – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/install-command.html#command-line-options-for-installing-a-vda, which allows you to configure WEM ACL f/w; agent port/cache location/data sync port; connectors vs. WEM server. The agent now includes new cache utility options (-RefreshSettings or -S; -Reinitialize or -I); an optimised startup workflow which has been resolved, including a new Citrix Cloud Connector behavioural awareness strategy; and the WEM agent is retiring the associated legacy agent cache sync service in line with the End of Life (EoL) of Microsoft Sync Framework 2.1. See https://docs.citrix.com/en-us/workspace-environment-management/current-release/whats-new.html for more details and remediation readiness.
3. Support for transparent and non-transparent proxies for “Rendezvous”, check out – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/hdx/rendezvous-protocol.html#proxy-configuration. To validate the configuration, launch “ctxsession.exe -v” in a console and evaluate the output, referencing – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/hdx/rendezvous-protocol.html#rendezvous-validation. If you are using a data/network redirection agent to forward your network traffic to the cloud, like ZScaler Private Access (ZPA), be mindful of the current leading recommendations – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/hdx/rendezvous-protocol.html#additional-considerations. If you are not familiar with the what and why of “Rendezvous”, then learn and understand how it works, which includes a detailed connection flow diagram – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/hdx/rendezvous-protocol.html#how-rendezvous-works.
4. The 2012 Linux VDA supports Machine Creation Services (MCS) on Google Cloud Platform (GCP), which you can learn to set up and configure at – https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/installation-overview/use-mcs-to-create-linux-vms.html#use-mcs-to-create-linux-vms-on-gcp; continuing efforts to remote physical standard vs. high-end workstations sat in the Workplace, the Wake on Local Area Network (LAN) capability is now available for Linux endpoints; finally, there is support for the new Linux distro releases Ubuntu 20.04 and RHEL 7.9 and 8.3. You can learn more about what else is new at – https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/whats-new.html.
5. Citrix Provisioning Service (PVS) 2012 includes a wealth of fixed issues – https://docs.citrix.com/en-us/provisioning/current-release/fixed-issues.html.

Employee Experience
1. Drag and Drop to copy files between your local endpoint and the delivered Citrix virtual app and or desktop. To learn more check out “CTXDND” under “Multi-Stream virtual channel assignment setting” at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/multistream-connections-policy-settings.html#multi-stream-virtual-channel-assignment-settings, and also be mindful of the current known limitations in the What’s New for Citrix Virtual Apps and Desktops (CVAD) 2012*.
2. Web Camera redirection issues resolved for Microsoft Surface Pro 4 endpoints*.
3. Support for the Windows Image Acquisition (WIA) API framework allows scanning/imaging Citrix virtual apps to access features and functions on the scanning endpoints themselves.* You can learn more at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/devices/twain-devices.html.
4. The Linux Virtual Delivery Agent (VDA) 2012 release introduced a macro amount of meaningful experience features, like automatic MTU discovery to avoid performance degradation and session connection failures of CVAD ICA/HDX sessions, and support for the “Rendezvous protocol”, allowing Linux ICA/HDX to bypass the Citrix Cloud Connector when using the Citrix Gateway Service with CVAD Services.
5. Drag and then drop files between a Citrix ICA/HDX session and the employee’s local endpoint*. This feature requires Citrix Workspace app (CWA) 2002 for Windows.

Security
1. Familiarise yourself with the Deprecation announcements – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/whats-new/removed-features.html.
2. *While the drag and drop files feature in CVAD 2012 offers a brilliant and frictionless employee experience, you should consider the security risks prior to implementation. For example, do all employees require this feature? Evaluate who would actually benefit from the capability, and do they have a managed endpoint which IT controls? I would also ask you to assess the risk by the employee’s role and function within the organisation, e.g. key revenue generating employees?
3. CTXS licensing server build 33000 now includes updated versions of Apache 2.4.46 and OpenSSL 1.1.1g and new conf options for usage telemetry, which cover off Personally Identifiable Information (PII) options and associated descriptions. Learn more at – https://docs.citrix.com/en-us/licensing/current-release/citrix-licensing-manager/settings.html#configure-usage-telemetry.
4. Federated Authentication Service (FAS) 2012 fixes a disconnect-on-lock feature, ref [AUTH-787]. If you are experiencing this issue you can find more detail at – https://docs.citrix.com/en-us/federated-authentication-service/whats-new/fixed-issues.html.
5. Session Recording (SR) 2012 adds a wealth of good new features and continues to keep employees working from home compliant in regulated industries, or it can be used for internal training. Some of the new features include support for blocking of sensitive information – https://docs.citrix.com/en-us/session-recording/current-release/log-events.html#sensitive-information-blocking;

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Citrix Virtual Apps & Desktops or CVAD Service Migration Strategies

The path to operating from the Citrix Cloud Platform for Citrix Virtual Apps and Desktops can often appear as if you need to climb to the summit of K2. This is purely because IT sees it as another key, yet rapid, IT Transformation project to solve a multitude of business and business IT challenges (it’s different organisation by organisation). I’ve therefore put together a simple blended digital doodle on this very topic, highlighting some key learnings, leading practices from the field and my own thoughts and thinking.

If you want to go deep or even get started on your own migration project today, then I strongly recommend that you read and review the “Proof of Concept: Automated Configuration Tool” available at – https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/citrix-automated-configuration.html, which covers off a step by step guide from installation to migration of on-premises CVAD configurations to the CVAD Service operated and run in the Citrix Cloud Platform – https://citrix.cloud.com. The series of TechZone articles listed at – https://docs.citrix.com/en-us/tech-zone.html#citrix-virtual-apps-and-desktops will also add value in your pivot to the CVAD Service.

If you have the right subscription access at https://training.citrix.com, then you can also complete the following on-demand eLearning course “eCWS-2014 | Automated Configuration Tool for Virtual Apps and Desktops” – https://training.citrix.com/elearning/coursequests/1/quest/184, which took me around 45 minutes to complete.

Dyslexia Thinking + Thoughts on the power of Citrix Workspace + Citrix Modern Networking captured in a Blended Doodle

A Workspace technology that enabled Flexible Working styles 30+ years with a continuous Vision focused on the Current vs. Future of Work Acumen
I decided to put together my second blended doodle to better explain Citrix Workspace + Citrix Modern Networking and how it works in a visual illustration format, to have more meaningful conversations and discussions. A picture can tell a thousand micro stories, and the big picture here depicts a simple story which tells you the IT + Business value of unlocking your organisation’s potential using Citrix on Citrix, including the why and why now. A Citrix Workspace supports legacy, traditional and very forward thinking ways of working that, prior to the COVID-19 worldwide pandemic, would take a while to get going. Today, however, organisations can leap at pace within their Transformation journeys by unlocking ready to consume Citrix as a Service operating models, inclusive of BUT also well beyond virtualisation, to a world where you can swipe left or right vs. enter in up to 3-5 fields and tap submit/approve to achieve business and human outcomes within seconds.

The stark truth is that a Citrix Workspace for Citrites is “AWESOME” and the productivity time I get back routinely using our own technologies inspires me more with each day, it allows me to accelerate ‘economics of time I get back’ or take a well deserved break when I need it on my own terms.

L-J’s (My) #Dyslexia thinking + thoughts on the power of #CitrixWorkspace + #Citrix Modern Networking “Best Together” captured in this blended #doodle talking about modernising IT services, multi-dimensional sustainable IT thinking, zero trust architecture, flexible working styles, diversity and inclusion, the modern vs. traditional device spectrum, agile working powered by a smart phone, SIA + SASE + SD-WAN and so much more. #citrixCTA #employeeexperience Blended Doodle is hand drawn with pencil ✏️ + paper, with final editing using Apple iPages on my #iPhone 7📱 The views expressed here are my own and do not necessarily reflect the views of Citrix.

A post shared by Lyndon-Jon Martin 👨🏻‍💻📲 (@lyndon_jon_martin) on

Understanding Citrix Workspace + Citrix Modern Networking “Best Together”
The links below will help you better understand the different Citrix service offering capabilities, terminology, strategy and business + technical acumen (>).

Dyslexia Thinking + Thoughts on the power of Citrix SDWAN captured in a Blended Doodle

SD-WAN is a Complex Subject, I’ll Simplify It
I decided to put together this blended doodle to better explain Citrix SD-WAN and how it works in a visual illustration, to have more meaningful conversations and discussions. A picture can tell a thousand micro stories, and the big picture here depicts a simple story which tells you the IT + Business value of SD-WAN, including the why. It also tells an important industry story often never told, which is that implementing ANY SD-WAN is NOT frictionless with an out of the box experience. It takes effort, but once that effort is done and done right, Citrix SD-WAN’s Zero Touch strategy will take over and make it frictionless from IT to the branch to key workers at home. Another top of mind reason to consider, as a real world field example, is that 99.5% of the time you simply cannot do a (Citrix) SD-WAN PoC to evaluate it. Wait, what? Why? It’s always going to be a pilot, and the why is simple: you are taking over co-control of an organisation’s underlay network to create an SD-WAN overlay network, while inserting (Citrix) SD-WAN packets into the organisation’s network fabric. This is a fact of every SD-WAN vendor in the marketplace.

L-J’s (My) #Dyslexia thinking + thoughts on the power of #Citrix #SDWAN captured in a blended #doodle talking about Citrix Workspace services in/on/over Citrix Networking, DPI engine to identify apps/protocols + align QoS priorities, IT experience scorecard with a new meaningful way to measure SLA’s, the honesty MSP/ISP IT visualiser scorecard, zero touch provisioning for any office workplace, hybrid multi-cloud use cases and of course #workfromhome appliances for key identified workers by role/function and leaders. #citrixCTA Blended Doodle is hand drawn with pencil ✏️ + paper, with final editing using Apple iPages on my #iPhone 7📱 The views expressed here are my own and do not necessarily reflect the views of Citrix.

Technically Understanding Citrix SD-WAN
The links below will help you better understand Citrix SD-WAN’s terminology, strategy and technical acumen and thinking when deploying, managing and monitoring an SD-WAN overlay network that bonds two or more underlay networks, e.g. business broadband and 4/5G LTE internet circuits, together into a single seamless internet pipe, while giving IT back control over its WAN. This includes allowing IT to meaningfully measure the performance of your MSP/ISP internet circuit providers, including complete vs. brown outages, while visualising seamless failover due to packet loss in a single direction on any internet circuit.

Building an IT Employee Experience Scorecard

Consider this an evergreen post as of 22/09/2020

Introduction
I smile consistently these days hearing how organisations are keeping the UK economy moving forward, pivoting on day 1 of the UK COVID-19 lockdown to full-time, frictionless, secure remote flexible working styles with minimal IT effort + friction, powered by Citrix technologies.

I hear many unconsidered benefits from my customers. Examples range from keeping businesses operating, helping their customers and supporting them during the height of the lockdown, to leapfrogging competitors and gaining significant market share, through to winning new business because operationally they were available and ready with a Citrix powered, securely centralised hybrid multi-cloud delivery strategy. Backed with a robust and annually tested Business Continuity Plan (BCP), this set them up for instant success, shifting from day one of the UK COVID-19 lockdown to full-time work from home without any major hiccups.

Organisations that weren’t fully Citrix and had a hybrid strategy achieved full work from home swiftly as well, using one or more of the following strategies:

1. Many existing hybrid Citrix customers scaled up licensing and re-framed physical workstations sat in the office through Citrix Workspace app to employees now sat at home using a browser on a personal device. To the employee everything is where it should be within their virtual desktop; for many this has now fundamentally changed perceptions of why they need to sit in an office for 5 working days in a post COVID-19 non-lockdown world.
2. Scaling up CVAD usage by optimising existing workloads or unlocking dark capacity, turned off and deallocated, ready within the data centre wherever they choose that to be.
3. The most popular one was to extend into one or multiple public clouds (AWS, Azure) to support elastic Citrix Virtual Apps & Desktops (CVAD) workloads whilst remaining in control of public cloud cost economics utilising Citrix AutoScale – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/autoscale.html, which is part of the CVAD Service.

Finally, organisations shifted to focusing on strengthening security within 1-2 weeks, implementing contextual device security powered by Citrix Smart Control and Smart Access technologies beyond IT non-managed devices. Not every employee could take a device home: they didn’t have a device they could use, or they just didn’t have the physical space for it at home, as you just don’t know your employees’ WFH requirements and needs, including @home personal circumstances behind closed doors.

Hearing all these great stories across these many organisations, I noticed a common theme recurring in lockdown months 1-2: “I have a percentage of employees, and it’s all albeit random across the entire organisation, encountering good vs. fair vs. poor experiences.” Due to the random nature, pinpointing the issue was a huge challenge, as by the time IT investigated the problem it was largely self-resolved, as if by magic. My response: have you heard about, and or deployed and are running, Citrix Application Delivery Management (ADM)? A resounding NO 95% of the time. Diagram 1 below visualises the traffic flow of where I am vs. where my delivered Citrix Virtual Desktop is run out of; it can likewise visualise to IT the overall traffic, load demand, security & infrastructure health status, ref diagram 2.

Diagram 1

“Not visualising the employees “Workspace” traffic flow, is where the value of Citrix and ANY Workspace solution is LOST in IT Service delivery. Citrix Application Delivery Management (ADM) is a key enabler in helping remediate employee experience issues, whilst providing a crucial IT Employee Experience Scorecard.” Lyndon-Jon Martin, June 2020

The Business IT Value of Citrix ADM
A modern flexible platform with two unique halves, much like our human brains with left vs. right hemispheres connected by a nervous system. In this case, however, ADM has analytical vs. management hemispheres providing fleet management with different roles vs. function, and employee, security & infrastructure insights, supported by a hybrid multi-cloud architectural strategy enabling less IT Ops friction and complexity on a daily basis. ADM’s centralised management + sense architecture provides simple and or advanced operational experience scorecards for auditors (PCI/DSS/ISO27001 with RBAC for read-only access), security + network teams, IT and Citrix System Administrators alike, from a single framed lens whose nervous system is connected to a hybrid multi-cloud fabric. It provides unconsidered insights and visibility into capacity, and a strengthened security posture through monitoring change control and config drifts, including automated fleet management which can be executed across multiple instances in ANY cloud simultaneously or on your own terms. ADM gives IT back the right level of “Control”, enabling less friction when shifting workloads, with true licensing flexibility + agility, to the most commercially attractive vs. the most innovative cloud platform which suits IT and their business demands.

Diagram 2

In the past I had the privilege of working with world class engineers, helping a single customer to process £1 million per minute through a payment gateway, beyond the typical web and app traffic at the front door of their website. I learnt that you always require something that you as the MSP or your customer can “Control” in an ANY Cloud + Services architecture for Business Continuity Planning (BCP) and sound IT Operational excellence, so you can make better decisions at pace from more accurate data insights visualised. Placing your “Eggs”, aka IT Business platform, into a single supplier framework, even the most trusted IaaS provider, and enforcing that your preferred IaaS region is properly fault tolerant and highly-available is equally expensive in cost and complexity, much like on-premises, so do not be fooled. The IT Complexity Index increases significantly when consuming, for example, IaaS native site recovery services to enable near to real-time failover in another region when your primary region experiences a (planned) outage or degraded performance. These services help to keep alive those existing “Sticky” connections which will eventually complete a transaction of some kind, e.g. a credit card donation.

I’m all for public cloud, in fact for two operating styles: “Native” vs. “Managed” Public Cloud strategies. I’ve run my personal lab in AWS EC2 since 2016, easily amortised £1000 over these past 4 years with plenty of cashflow free. Really? How? Having a strong background + experience in the MSP world on the edge of the City of London and working with “Managed” Public Cloud platforms, I began to respect + understand how all IaaS providers operate, inclusive of the full lifecycle management of workloads + the data centre platform itself, which is to not leave everything on like you do at home or in a traditional managed colocation data centre. In a native vs. managed IaaS world you’ll turn off and deallocate capacity if you don’t require it, and scale it up as you require it, with little to no friction. I’ve digressed enough, so back to the IT Employee Experience Scorecard.

A number of my customers have overcome that randomness, or pockets of employees complaining about a poor experience, after deploying Citrix ADM, as the issue can now be identified and remediated pretty efficiently. The solution is simple: deploy and run Citrix ADM for up to a week, continuing as is with no changes, and then run a report similar to the above. In parallel, visualise all those support cases from your service desk platform and marry up employee names, and you’ll quickly notice a pattern forming between employees with poor experiences vs. support cases + the number of them.

I suggested that organisations survey those employees and ask them a few simple questions, the best ones being “Who is your home broadband provider?” and “How many devices are connected in the house to the internet and number of people?”. The first question revealed what I expected: it’s the employee’s consumer ISP. The suggested remediation could well be to provide them a “stipend” exclusively for mobile data onto personal contracts, or to ship them a 4G mobile hub/dongle to use instead. The problem vanishes overnight almost every time, and video conferencing platforms perform better as a net result, equating to happier employees with a better experience.

The second question is about understanding what is happening within the home and, as a result, tweaking or deploying a new HDX policy, which again almost every time significantly improved the employee experience. An example is switching out “Thinwire” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/graphics/thinwire.html for “EDT” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview/hdx/adaptive-transport.html or vice versa. You can optimise the “EDT” HDX protocol bandwidth over high latency connections – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview/hdx/bandwidth-connections.html, as its roots are in the “Framehawk” protocol, which was originally engineered from the ground up to deliver a better experience with macro rising increases of spectral interference and multipath propagation; you can learn more about that by reading this article – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/graphics/framehawk.html. An important note: you should be actively using the “EDT” protocol with or beyond 1912 LTSR if you want something like “Framehawk”.

Getting Started with Citrix Application Delivery Management (ADM)
It can be consumed as a Citrix Cloud Service – https://docs.citrix.com/en-us/citrix-application-delivery-management-service.html or you can deploy a customer owned and operated platform – https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13.html.
