Tag Archives: BCP

What BCP Availability Strategy for Citrix DaaS? Service Continuity (SC) or Local Host Cache (LHC)

Consider this an evergreen article with *pro-active adds/moves/changes inclusive of errors/mistakes until I remove this statement.

Architectural Doodle
The diagram below shows the high-level architectural difference between Local Host Cache (LHC) v Service Continuity (SC) and how you can weaponise Citrix Analytics for Performance to enable pro-active management of your workloads in a single hyperscaler cloud or multi-cloud hyperscaler strategy.

Visualising the Value of Change using a Force Field Analysis (FFA)
A FFA is a business methodology that helps to visualise, through a meaningful contextual analysis, why a business and/or technology decision for “change” is the right and relevant direction of travel. It helps by amplifying the understanding of “what the change is, the how, the what if and the why change” towards a new future desired state, e.g. buying a music title per song vs. a music subscription to rent the music over a period of time.

The example analysis below is a technology change decision shifting from the current state, Local Host Cache (LHC), to the future state, Service Continuity (SC). The change improves IT’s operational resiliency capability and capacity, considering today’s climate and the threat of digital warfare, and is aligned to internal business priorities and/or executive KPIs. These range from strict security compliance & governance and hybrid multi-cloud failover (between cloud hyperscalers) to becoming cloud first/native by adopting aaS tooling where right and relevant, e.g. I/PaaS, to help IT accelerate DEX at the required pace and execution agility.

This example analysis is representative of my personal field technologist landscape experience and backed by a robust and diverse pool of customers ranging in size and verticalisation. Remember, you do not have to agree with my field experience; the concept is to weaponise this business tool as a force for good change in organisations wanting change that is meaningful, and/or to back and better understand cost v value driven business strategies during forces of change.

Service Continuity (SC)

| Score | Hindering Forces | Driving Forces | Score |
|---|---|---|---|
| 3 | Traditional method doesn’t rely on cloud services | Modern method to reduce and derisk operational outage | 5 |
| 5 | Strict Governance & Compliance requirements for on-premises workloads only – High security organisations e.g. UK Gov entities e.g. MoD/M6 | Better employee affordance during outages with SC | 5 |
| 5 | Security requirement for on-premises remote access Gateway POPs controlled by IT/Security to reduce attack surfaces by adversaries including derisking operational outages | Cloud first Turn-Key Global v Regional POP Gateway as a Service Strategy | 5 |
| 2 | No support for Citrix Workspace Site Aggregation to On-Premises CVAD environment | No technical implementation debt | 5 |
| 2 | ▓ Limitations of Service Continuity for Internet Browsers – use case 3rd parties VPN-Less access without installing CWa on supported endpoints | No technical waste and debt – LHC management & monitoring | 5 |
| 3 | Citrix Receiver not supported – use case support for outdated thin clients | Citrix Workspace app (CWa) aligned to employee affordance (EX strategy) – Business KPI | 5 |
| | | Alignment to Cloud first Time to Value strategy – Business KPI | 5 |
| | | No LHC BCP testing program to validate the solution and verify sizing & scaling annualised changes | 5 |
| 20 | Total | Total | 40 |

▓ Updated 07/03/2022 – Several SC limitations, e.g. Internet Browsers as a barrier to adoption, have now been addressed; learn more at – https://www.citrix.com/blogs/2022/03/01/service-continuity-in-citrix-cloud-a-recipe-for-resiliency/.

The outcome of this analysis reveals that while a number of key inner or outer loop stakeholders may be opposed to the technology change strategy, the FFA outcome is clear that the driving forces for change are in favour of Service Continuity (SC). You should make every attempt to remediate the identified hindering forces for change, which could be the simple result of:

1. The decision maker(s) perception through experience wasn’t positive.
2. Company culture is averse to agile change.
3. IT Operations is required to retain more “control” when consuming cloud based I/PaaS services to better derisk outages.
4. Cloud security policies and frameworks have not been approved to enable new types of technologies like SC to be on-boarded and accepted by Enterprise/Cloud/Security Architects.
5. Accept the current business risks as they are and re-evaluate at a future time, as the current value outweighs the micro hindering forces.

Understanding Service Continuity (SC)
This is a modern way to reduce and derisk access availability to (virtual) applications and desktops during an outage, provided the employee’s endpoint has the capability to access Citrix workloads within your hybrid and/or hybrid multi-cloud resource location(s).

Cost v Value Driven Strategies
The following are generic but meaningful examples of the cost and value driven strategies why adopting Service Continuity (SC) to underpin your BCP/DR strategy is the right strategy.

  1. Modern field leading practice or method to reduce and derisk PaaS outages.
  2. Time to value is immediate – it’s a turn-key out of the box SaaS style experience with no configuration nor IT skills required, and no technical nor technology debt incurred.
  3. Leverages the Citrix Cloud global turn-key Gateway Service fabric – its service availability uptime is healthy as it operates between two hyperscaler public cloud providers. Details are accessible using the “Cloud Assurance” micro site on the Citrix Trust Centre at – https://www.citrix.com/about/trust-center/cloud-assurance.html then filtering to the Gateway service + Gateway POPs.
  4. No requirement for bi-annual v annual stress testing and compliance checks for BCP/DR testing. Typically this would involve up to 2-3 days (or more) for enterprise organisations to stress test each site/resource location, excluding a further 5 full business days of planning activities, virtual meetings, whiteboards, approvals etc. with multiple stakeholders prior to testing – it’s an expensive exercise.
  5. No pro-active requirement to manage and monitor a StoreFront pair/cluster configuration, SSL/TLS certificate management and LHC cache integrity at each site/resource location, which significantly reduces the overhead of monitoring and the associated OS licensing and VM operating costs.
  6. The employee affordance (experience) is far superior vs Local Host Cache as a strategy – icons are greyed out, amplifying to the employee that his/her (virtual) application or desktop is unavailable, while anything coloured is still accessible and available. This design thinking affordance feature is often overlooked by IT Professionals, but evaluating it through the lens of an employee, e.g. a PA, amplifies what is and what is not available.
  7. Supports modern authentication, however there are limitations that will occur when SC is invoked, see – https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#requirements-and-limitations.

Service Continuity Support Matrix

| Platform/Feature/Service | Learn More | Supported | Notes |
|---|---|---|---|
| Citrix Workspace for Web (Chrome/Edge) | https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#service-continuity-in-browser | ✓* | 1. *Requires CWa for Mac 2112 or Windows 2109. 2. Kiosk usage is not supported e.g. Hotdesking. 3. Supported internet browsers: Google Chrome and Microsoft Edge with plug-ins installed. |
| Mac | https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/whats-new.html#2112 | ✓ | CWa 2106+ |
| Windows | https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/about.html#21121 | ✓ | CWa 2106+ |
| Android | https://docs.citrix.com/en-us/citrix-workspace-app-for-android/whats-new.html#whats-new-in-2220 | ✓ | CWa 22.2.0 |
| Linux | https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/whats-new.html#2109 | ✓ | CWa 2106 (GA 2109) |
| iOS | https://docs.citrix.com/en-us/citrix-workspace-app-for-ios/whats-new.html#whats-new-in-2225 | ✓ | CWa 22.2.5 Tech Preview 03/2022. Security & Connectivity Limitations: EPA Scans; Enlightened Data Transport (EDT) – During outages |
| Citrix Workspace IdP (Authentication) | https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#requirements-and-limitations | SAML 2.0; AD; AD plus Token; Azure AD; OKTA; Citrix Gateway (primary user claim must be from AD) | Authentication limitations: SSO for FAS; SSO to VDA; Local mapped accounts. Only AD Domain joined VDAs are supported as of 03/2022 |

Technical Deep Dive
One of my fellow Citrix Technology Advocates (CTA) and current fellow Citrite, Gavin Connolly – https://citrixie.wordpress.com/author/technologistgav/ – has written a brilliant in-depth blog post on how it works, how to configure + test it and the employee experience “Affordance” – https://citrixie.wordpress.com/2020/12/22/service-continuity-for-virtual-apps-and-desktop-service/ – Service Continuity for Virtual Apps and Desktop Service.

Understanding Local Host Cache (LHC)
This is the traditional method. While equally robust, it requires a fair bit of feeding and watering to ensure cache accuracy and resiliency at scale when required to derisk a PaaS or hyperscaler region outage.

Cost v Value Driven Strategies
The following are generic but meaningful examples of the cost and value driven strategies why retaining your current strategy of using Local Host Cache (LHC) which underpins your BCP/DR strategy is the right strategy under the current strict compliance and or risk requirements.

  1. Strict regulatory compliance to maintain some form of “control” when using cloud services.
  2. Industry Specific by Certification and or Government regulation requirements that prohibit cloud based services from being consumed and where an on-premises IT strategy is the only viable option on the table.
  3. Greater control through a co-shared IT responsible operating model e.g brokering workloads using the vendors PaaS but owning the outage risk.
  4. Profound value based platform reliability and stability for bad app farms delivering mission critical line of business virtual apps that can’t be moved to modern OSes and, if they become unavailable, may cause significant financial harm e.g. Utilities
  5. Long term service release strategy alignment objectives

Understanding Citrix Analytics Service (CAS) for Performance
Coming…

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Optimising & Maximising Citrix ADC + Virtual Apps & Desktops during Extended Business Continuity Situations *** Draft

This is a LiVE evergreen post that contains spelling and grammar mistakes at the moment BUT I wanted to get this out today 28/02/2020 as it’s important to be prepared.

The post is based upon my experience in, but more so outside of, Citrix during my time at a Managed Service Provider (MSP) in the City of London, so the thinking is in line with working with a world-class engineering team helping my customers then maintain and manage hyper-scale web applications (web apps) that processed substantial £’s transactions per second in revenue. However, that is just one part of a multi-tiered web app; in this case the transaction of payments through a payment gateway is one part of many complex parts. In order to maintain that payment hyper-scale you need to keep your website (front door), e.g. www.company.name, running consistently and reliably fast, with little to no difference in page loading times and no degraded interactivity with dynamic + interactive content, otherwise people will lose focus and navigate away from your website, and this ultimately equates to reduced £’s transactions being completed, incurring lost revenue as a net result.

The world this and last year is facing a WHO outbreak – https://www.who.int/emergencies/diseases/novel-coronavirus-2019 which appears to have forced numerous organisations to review current business continuity (BP) plans and, to a higher degree than I expected myself, they have found macro red readiness flags that need to be addressed immediately to be ready if their BP plans are triggered by executive leaders, which I for one am hopeful does NOT HAPPEN in the UK, being a lifelong Londoner! Truth be told, a number of customers appear conflicted on how to manage Citrix workloads that they simply didn’t prepare for beyond 1-3 snow day(s). The same applies to customers that use Citrix for remote working outside of the office that don’t have a flexible working style framework in place yet, or where regulator governance & compliance prohibits this capability by industry. Finally, a few customers have found hidden micro flaws that were dismissed but now pose a very real threat on the horizon that is fast approaching to operationally keeping businesses online and moving forwards, such that security + networking teams are breaking down silos and working closer than ever with IT systems teams to be ready to keep employees safe and productive at home, irrespective of a Citrix lens or not. If I were a Citrix customer, the topics below would be top of mind for operationally keeping my business online with a continued or near-to level of experience and service delivery when my BP plans are triggered by executives. These are in no particular order, just as they came to me in a conversation replying to a fellow Citrite (aka Citrix employee) and in numerous customer conversations over the past 2-3 weeks, more so this week ending 28/02/2020.

1. If you are deploying Citrix Virtual Apps & Desktops (CVAD), inclusive of the service from Citrix Cloud, and you make use of on-premises Citrix ADCs using the Gateway function, then you should download, set up and configure Citrix Application Delivery Management (ADM) – https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/overview.html or the service – https://docs.citrix.com/en-us/citrix-application-delivery-management-service.html in Citrix Cloud. The key function that you want to consume is HDX Insight – https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/analytics/hdx-insight.html#identifying-the-root-cause-of-slow-performance-issues which is a feature/function of Citrix ADM that will help you better understand end-to-end visibility for HDX traffic, or in simpler terms begin running simple load tests by employee personas. Please be 100% sure to read the licensing feature matrix to understand what you get with Citrix ADC Advanced vs. Premium licensing – https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/licensing.html and finally you can download it today at – with a valid Citrix.com MyAccount and get started by reading the system requirements at – https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/system-requirements.html and the getting started guide at – https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/get-started.html. If you want to learn more about ADM beyond HDX Insight watch the embedded YouTube video below by the Citrix Network Masterclass Team.

2. Consider what you have configured within the HDX policy and what you can change. Are any of the settings even relevant for today’s 2020 site deployment? I have seen “screenshots” of customers’ master HDX policy configurations that need to be overhauled by a Citrix SysAdmin, a Citrix Partner or our own Citrix Consulting Services (CCS). Evaluating them at least twice a year if you are on a CR -2 stream or CVAD Service is a good leading practice in my view, and at least annually if you’re on an LTSR, as making a micro change can have a macro effect and ultimately will determine bandwidth throughput and processing load on the Citrix ADC (Universal Gateway function), resulting in continued performance during macro peaks of sustained periods of macro Citrix usage beyond the average daily vs. weekly usage.

3. Do you have more than one HDX policy for different personas? I would at the very least have an internal (office based) vs. external (field people) HDX policy in place, but experience tells me you need an HDX policy by persona exception and requirement, classed as HD experiences being low, medium and high. For example, a call centre worker doesn’t need more than 8-16Bit colour depth for looking up and inserting text into a Line of Business (LOB) app when answering and dealing with customer support calls, nor do they need H.264 or EDT for watching HD videos, right? An office worker living in Word documents and the company’s CRM also doesn’t need H.264 or EDT; they could be configured with HDX Adaptive Display v2 with a colour depth of 24Bit and a lower Frames Per Second (FPS) target of 23 from the default of 30. You getting the picture yet? Having at least 3 HDX policies for low, medium and high expectations of HD experiences means that you can modify one or more to maintain the bulk of employees in medium, or allow continued HD experiences at the highest level for those employees whose work results in completion of projects that affects revenue.

4. Always have general purpose low-bandwidth and emergency HDX policies configured and in place for BP that have been tested and validated by multiple parts of the business through active role-play simulation. An example of a low-bandwidth HDX policy could be constructed as follows, which I wrote about in 2017 at – https://www.mycugc.org/blogs/cugc-blogs/2017/09/15/hdx-leading-best-practices-for-your-modern-secure entitled “HDX Adaptive Display v2 (Balanced)”. The core principles remain largely unchanged for me; it consists of the following HDX policy configuration settings:

1. “Use video codec for compression” then select “For actively changing regions”.
2. “Preferred color depth for simple graphics” then select “16 bits per pixel” and also try 24.
3. Select “Frames Per Second” and set the target FPS to circa 25 from the default which is 30.

An example of an emergency HDX policy configuration entitled “Thinwire Compatible Mode (Balanced)” could consist of the following HDX policy configuration settings:

1. “Use video codec for compression” then select the option “Do not use video codec”.
2. “Preferred color depth for simple graphics” then select “8 bits per pixel” and also try 16 or 24.
3. Select “Frames Per Second” and set the target FPS to circa 25 from the default which is 30.

The idea I am aiming to instil here is to create at the very least an HDX policy configuration for business continuity purposes. It’s critical now more than ever, as numerous LOB apps consume services on-premises and in public clouds and consume a rather large volume of bandwidth, and when BP is triggered, if you take a Citrix lens out of the equation, can you actually support all those modern apps and (hybrid) cloud based services where apps + content reside? Finally, HDX Policy readiness means that you could get that extra 1x employee per multi-user OS x how many VMs in your estate?
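A readiness check that ties items 2 to 4 together, added here as an example and not taken from the original post or from Citrix: it audits a policy inventory for the two business-continuity policies and their settings, for a policy per persona tier, and for the review cadence. The inventory layout, the reading of “circa 25” as 23-27 FPS and the day limits for the cadence are assumptions.

```python
from datetime import date

CODEC = "Use video codec for compression"
DEPTH = "Preferred color depth for simple graphics"
FPS = "Frames Per Second"

# Acceptable values per business-continuity policy, transcribed from the two
# settings lists above (including the "also try" colour depths).
# Assumption: "circa 25" FPS is read here as 23-27.
BASELINES = {
    "HDX Adaptive Display v2 (Balanced)": {
        CODEC: {"For actively changing regions"},
        DEPTH: {16, 24},
        FPS: set(range(23, 28)),
    },
    "Thinwire Compatible Mode (Balanced)": {
        CODEC: {"Do not use video codec"},
        DEPTH: {8, 16, 24},
        FPS: set(range(23, 28)),
    },
}
# Review cadence from item 2: twice a year on CR / CVAD Service, annually on LTSR.
# Assumption: expressed as a maximum age in days.
REVIEW_DAYS = {"CR": 183, "CVAD Service": 183, "LTSR": 365}
TIERS = ("low", "medium", "high")  # persona tiers from item 3


def audit(policies, stream, today):
    """Return readiness findings for a (hypothetical) HDX policy inventory."""
    findings = []
    by_name = {p["name"]: p for p in policies}
    # 1. Both business-continuity policies must exist and match the baseline.
    for name, expected in BASELINES.items():
        policy = by_name.get(name)
        if policy is None:
            findings.append(f"MISSING business-continuity policy: {name}")
            continue
        for setting, allowed in expected.items():
            actual = policy["settings"].get(setting)
            if actual not in allowed:
                findings.append(
                    f"DRIFT {name}: {setting} = {actual!r}, "
                    f"expected one of {sorted(allowed)}")
    # 2. Every persona tier needs at least one policy.
    covered = {p["tier"] for p in policies}
    for tier in TIERS:
        if tier not in covered:
            findings.append(f"NO POLICY for persona tier: {tier}")
    # 3. Every policy must have been reviewed within the cadence for the stream.
    for p in policies:
        age = (today - p["last_reviewed"]).days
        if age > REVIEW_DAYS[stream]:
            findings.append(
                f"REVIEW OVERDUE {p['name']}: {age} days (limit {REVIEW_DAYS[stream]})")
    return findings


# Constructed inventory; the dict layout is hypothetical, not a Citrix export format.
SAMPLE_TODAY = date(2020, 2, 28)
SAMPLE = [
    {"name": "Call centre", "tier": "low", "last_reviewed": date(2020, 1, 10),
     "settings": {CODEC: "Do not use video codec", DEPTH: 16, FPS: 23}},
    {"name": "Office workers", "tier": "medium", "last_reviewed": date(2019, 3, 1),
     "settings": {CODEC: "For actively changing regions", DEPTH: 24, FPS: 23}},
    {"name": "HDX Adaptive Display v2 (Balanced)", "tier": None,
     "last_reviewed": date(2020, 2, 1),
     "settings": {CODEC: "For actively changing regions", DEPTH: 16, FPS: 30}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "CR", SAMPLE_TODAY):
        print(finding)
```

On the constructed inventory the audit reports the default 30 FPS left on the low-bandwidth policy, the absent emergency policy, the uncovered high tier and one overdue review.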

5. When evaluating HDX policies be mindful of what you’re offloading to an endpoint and the offload path from the VDA to the endpoint through the Citrix ADC, as that will mean more bandwidth + load on the Citrix ADC. The exception is HDX offloading of UC platforms: Zoom provides VDI optimisation, check out – https://support.zoom.us/hc/en-us/articles/360031441671 for more information, and obviously Skype for Business and Teams when utilising the HDX Optimisation Pack – https://docs.citrix.com/en-us/hdx-optimization, provided that the solution doesn’t revert to fallback mode due to a mismatch between the CWa client, HDX optimisation pack, VDA and Skype for Business or Teams package. Finally, another consideration is Browser Content Redirection (BCR): be mindful of what is configured and of the traffic path and fallback – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/browser-content-redirection.html.

6. Something to consider, BUT I have not tested this theory: expect an abnormal potential spike on the Citrix ADC and StoreFront (if on-premises) if a high volume of employees access LOB apps using the HTML5 Receiver, as it effectively downloads the app into the employee’s HTML5 enabled browser to then launch CVAD resources. I look at this purely from the concept that a web server (StoreFront) is holding a file I need to download; while it’s lightweight, it’s extra overhead vs. a device with Citrix Receiver or CWa already installed that is also plumbed through the Citrix ADC.

7. Review your on-premises StoreFront landing and logged-in pages and consider: if BP were triggered and you received a high volume of login requests, could your StoreFront cluster support the load? What if you implemented low bandwidth imagery, reducing the colour depth and pixels by a factor of 50% for your logos and background image? How does that affect your loading time? Consider also placing the images on an alternative web server so that all StoreFront is processing is the core app and style sheets. It doesn’t seem obvious, but at hyper scale this makes a huge difference. For example, open a Twitter handle in a browser and view the source: you’ll notice that the core web app itself comes primarily from *.twitter.com but all the content (images, videos) comes from different image or content farms. This ensures that the web app, in this case on *.twitter.com, can rapidly process and output Tweets in your timeline while images render later, especially in bandwidth constrained locations or where there is macro spectrum interference resulting in poor interactivity and loading times. Finally, even if you reduce the imagery size and the load is still high, it’s often better, from past experience, to scale up existing StoreFront servers in a cluster than to scale out by adding a net new StoreFront server into the cluster.

8. I reached out to a pool of Citrix Technology Advocates or CTAs* to provide input into this blog, and Bas Stapelbroek (follow him at – https://twitter.com/hapster84/) initially suggested at a glance converting existing physical PCs into remote enabled Citrix Virtual Desktops, thus allowing employees to work from home quickly, as all you need to do is deploy the Desktop VDA and configure the machine for RemotePC access. To learn more about this feature and to set up and configure it for an on-premises CVAD fabric check out – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/remote-pc-access.html and for CVAD Service customers – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/install-configure.html#install-vdas, however be sure that you are correctly licensed for this feature by referring to the CVAD feature matrix at – https://www.citrix.com/products/citrix-virtual-apps-and-desktops/feature-matrix.html.

9. If you have spare capacity on your Citrix ADC (NetScaler) appliances and you need to connect external devices to your network fabric safely and securely beyond CVAD, you can also deploy a VPN on the same appliance with pre-authentication scanning policies that check a device’s eligibility requirements from supported endpoints running Windows and Mac using the Citrix ADC’s EndPoint Analysis (EPA) scanning feature. The EPA agent is installed onto the endpoint (prompted at the login URL, or you can push it from however you manage your Windows and Mac fleet) and runs a scan of the endpoint based upon the policies you assign to check the device’s eligibility readiness prior to allowing it access to your network fabric. I wrote a blog post at http://axendatacentre.com/blog/2016/11/14/setup-pre-authentication-endpoint-analysis-epa-policy-with-an-azure-netscaler-unified-gateway-11-x-n/ on how to set this up and enable a few basic checks for EndPoint Analysis (EPA) scanning. For official documentation on how to configure EPA scans check out – https://docs.citrix.com/en-us/citrix-gateway/13/vpn-user-config/endpoint-policies/ng-endpoint-preauthentication-config-tsk.html and on the 13.x.n firmware you can set up EPA scans for Ubuntu but the scans are limited, see – https://docs.citrix.com/en-us/citrix-gateway/13/vpn-user-config/epa-scans-for-ubuntu.html for more information.

10. CVAD supports multi-type licensing within a single CVAD Site. This allows you to consume different licensing models, e.g. per user/device vs. concurrent, within the same CVAD Site provided the assigned licensing edition is of the same product or on-premises subscription type, e.g. Advanced edition, which is configured for the whole CVAD Site. You cannot mix and match different product or on-premises subscription editions, e.g. Advanced concurrent vs. Premium concurrent. The following Citrix eDocs article – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/licensing/multi-type-licensing.html provides a visual diagram demonstrating what is vs. isn’t possible.

In closing, this post is about helping you achieve Business Continuity (BP) GREEN readiness flags by being smarter through optimising your current Citrix fabric to support the abnormal peaks/spikes on the horizon and to sustain more load than expected for longer periods of time. You need to recognise that optimisation can only go so far when supporting extended BP plans.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

* CTA’s – https://www.citrix.com/en-gb/community/cta/awardees.html