
Why the Citrix Cloud is not ready for all (Enterprises) yet

As a consultant I’m mostly engaged at larger companies (large for the Dutch market), so the Citrix Cloud had not come along my path a lot. Logically I followed the progress and enhancements made to the services. Recently I got involved at a smaller customer which currently did not have a Citrix environment yet (the party they acquired is using Citrix, so that’s why Citrix came into play). A perfect fit for Citrix Cloud, as the environment is pretty small and the IT organization is not really familiar with Citrix. As size does not matter, the organization had to comply with specific regulations that are similar to those of Enterprise organizations. However, during the design phase and Proof of Concept phase we found out that there are still gaps between the on-premises and the cloud offering, which could mean that the Citrix Cloud solution is not ready yet for all/your organization(s).

First of all I think Citrix is doing a great job with their Citrix Cloud infrastructure and the enhancements they are providing lately. The vision is clear. This article is definitely not meant to bash the Citrix Cloud, but to warn you which parts/components are not (fully) available if you are already working with Citrix on-premises. Of course it depends a lot on the wishes and requirements of your organization, and you should consider whether the current challenges are issues for your organization.

But first…

Before continuing the article: Citrix is in the middle of renaming all its products. Therefore you will currently find two names for each product on the sites and in the documentation. I will use the “old” names, as I think most people will know them and it makes the article more readable currently. Logically, where you read the old name it can be replaced with the new name. For your convenience we start with a table where the old and new names are next to each other (for this article).

Old Name                                          New Name
Citrix XenApp and XenDesktop Service              Citrix Virtual Apps and Desktops
Citrix XenApp and XenDesktop                      Citrix Virtual Apps and Desktops
Citrix Receiver                                   Citrix Workspace App
StoreFront                                        StoreFront
NetScaler Gateway (as a) Service                  Citrix Gateway
NetScaler Management and Analytics Service (MAS)  Citrix Application Delivery Management
NetScaler VPX                                     NetScaler ADC VPX
NetScaler Access Gateway                          Citrix Gateway

Citrix Cloud

A good starting point is discussing the reasons why the Citrix Cloud should be considered in comparison with the on-premises infrastructure from a XenDesktop/XenApp perspective. Probably the most used reason is to lower the number of systems and corresponding maintenance tasks (including updates) in the Control Plane stack. With the Citrix Cloud the Delivery Controllers, StoreFront Servers, Director Servers, SQL database and License Server are included in the XenApp and XenDesktop Service. Citrix also maintains this functionality, including adding new enhancements to the Cloud infrastructure first. Since the beginning of August 2018 the Citrix Workspace Environment Management (WEM) product is also available as a Citrix Cloud service (included in the XenDesktop and XenApp service offering), so if you use that product there is no need anymore for WEM brokers and corresponding SQL databases. With the NetScaler Gateway as a Service no NetScalers are required anymore either, as this is provided by Citrix. Although I think the service is pretty expensive for many companies, this is a big plus, as the NetScaler is still a difficult device for many IT organizations.

Besides requiring fewer systems, with the new Citrix Workspace Citrix is aiming to offer a unified workspace for Citrix based applications as well as SaaS applications and (when in use) ShareFile files. Also, more services are available that are only offered from the Citrix Cloud. Logically these are good reasons to take a look at the Citrix Cloud as well. For this article I will only focus on the XenDesktop and XenApp service (together with the NetScaler Gateway as a Service).

With the XenDesktop and XenApp service the VDAs can be hosted either at a Cloud Provider (for example Azure) or on-premises. Within the Cloud, authentication can be based on the on-premises Active Directory or Azure Active Directory. To connect the VDAs with the Citrix Cloud Services a Citrix Cloud Connector is added to the stack. The Cloud Connector is the man in the middle for the communication and requires port 443 available to the Internet.

During one of my projects the Citrix XenApp and XenDesktop Service and NetScaler Gateway Service came into play, as the organization did not have Citrix yet (they needed it for an acquisition they made) and the environment was not that large. A perfect candidate was my first response, as they also would like to minimize the amount of infrastructure they need to manage. However, the organization is under strict regulations, so we needed to take a good look. Therefore we did a deep-dive into the Cloud offering, and that showed that there are still some challenges for Enterprises or companies under strict regulations. I will go through the challenges that I currently see, in random order.

Citrix Cloud Connector

Ten years ago it was almost worse than swearing to connect a Windows machine directly to the Internet or place it in the DMZ. Nowadays lots of companies still don’t want to have Windows in their DMZ, although it seems it is not as strict anymore as in the past. As already mentioned, a Citrix Cloud Connector is required as the man in the middle between the Citrix Cloud services and the VDAs. This Citrix Cloud Connector runs on Windows Server, and the server needs to be domain joined (for authentication). The Citrix Cloud Connector needs to have port 443 open to the Internet. In some documentation Citrix states that the Cloud Connector should preferably be in the same network as the VDAs, but this is not a hard requirement. It will work when placed in the DMZ, for example (as long as the components can communicate with each other). I can imagine that there are security officers who won’t agree on such requirements within their network, especially on the domain-joined requirement (https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/technical-details.html).

Limited Delegation of Control --> Missing the option to create custom roles

Within Citrix XenDesktop, Delegation of Control is available at a really granular level. Besides the default available roles, custom roles can be created with lots of detail and assigned to different users and/or groups. Within the XenApp and XenDesktop service a more simplistic Delegation of Control is available. When writing the document for the actual XenDesktop and XenApp part, only a helpdesk role and a full administrator role were available. However, almost together with the publishing of the document, Citrix added more roles on this part. Actually the same roles are now available as within the on-premises product. You can also assign the roles to specific parts of the infrastructure. The only thing that is missing is the possibility to create a custom role when the default roles do not fit. On the Cloud plane you can assign four different roles. For most organizations this will probably fit, but for a large Enterprise there is a chance that they would like to have the same capabilities as the on-premises variant offers.

No Configuration Logging

More and more organizations require that all actions of the system administrators are logged. Citrix XenDesktop has configuration logging available for this, so each action is written to the database. In the latest releases this option is enabled by default. Within the XenApp and XenDesktop service this option is currently not available. Citrix states that it is on the roadmap, but no dates are provided for when it will become available. If auditing of system administrators is a requirement, the Citrix XenApp and XenDesktop service cannot fulfill that requirement in the product. Logically, as most regulations are high-level, you can work around this with a process where system administrators note their actions in some other way (but logically much more error-prone).

Configuration Logging was added on 13 September 2018 to the Cloud services, so this point is not valid anymore (see figure below).

FAS Support

With the rise of SaaS applications and the unified workspace that Citrix is also offering with the Citrix Workspace (App), the wish/requirement for Single Sign On (SSO) for all resources is becoming more and more relevant. To achieve SSO for all such resources, SAML/OAuth is needed. Citrix supports SAML for XenDesktop via Citrix FAS (Federated Authentication Service). For Citrix FAS to work, StoreFront and NetScaler need to be configured to use/support SAML. Currently this is only possible with on-premises StoreFront and NetScaler Gateway, as neither the XenApp and XenDesktop service nor the NetScaler Gateway as a Service supports that (https://support.citrix.com/article/CTX221712). Logically, in this case you don’t need the NetScaler Gateway Service. In this case you are not using the full XenApp and XenDesktop service (“only” the Delivery Controller, SQL database and license service), as StoreFront is located on-premises, and the question can be raised whether you would not rather have all components on-premises.

Less Customization Options

Within the NetScaler Gateway and StoreFront the look and feel can nowadays be customized at a detailed level via CSS files. Within the Citrix Cloud this is currently not available; the customization is “limited” to the options that are available within the StoreFront GUI as well, so you can adjust the logos and colors. If you are using lots of customization on this part, Citrix Cloud is not that far at this moment, but probably most companies are satisfied with what is currently offered.

Logging of the Citrix Cloud (Gateway as a Service)

In several organizations there are requirements from a security standpoint that log files should be collected and added to a SIEM product (Security Information & Event Management). For the Citrix Cloud offerings this is not (directly) possible for all services. For example, for the Gateway service this is not available; you need to enable/purchase the MAS service as well. Next to the additional costs, this service can also be a bit too much for an organization that only requires the Gateway Service (ICA SSL tunneling).
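The auditing requirement from the Configuration Logging section and the SIEM requirement above both come down to getting administrator actions out of Citrix and into a central log store. The following added example (my own illustration for this article, not code from Citrix) uses the Citrix PowerShell SDK cmdlet Get-LogHighLevelOperation to export recent configuration logging records as newline-delimited JSON for a SIEM file collector; the snap-in name, the record properties used and the output path are assumptions about the SDK and your environment.

```powershell
# Added example (not from the article): export Citrix configuration logging records
# as newline-delimited JSON so a SIEM file collector can ingest administrator actions.
# Assumes the Citrix PowerShell SDK (on-premises) or the Remote PowerShell SDK for
# Citrix Cloud is installed; for Citrix Cloud, run Get-XdAuthentication first.
param(
    [int]$Days = 1,                                        # look-back window in days
    [string]$OutFile = "C:\SIEM\citrix-config-log.jsonl"   # placeholder path, adjust
)

# Configuration logging cmdlets live in this snap-in (name assumed from the SDK).
Add-PSSnapin Citrix.ConfigurationLogging.Admin.V1 -ErrorAction Stop

$since = (Get-Date).AddDays(-$Days)

# One high-level operation per administrative action (what Studio shows under Logging).
$ops = Get-LogHighLevelOperation -MaxRecordCount 5000 |
    Where-Object { $_.StartTime -ge $since } |
    Sort-Object StartTime

$lines = foreach ($op in $ops) {
    # EndTime is empty for an operation that is still running.
    $end = if ($op.EndTime) { $op.EndTime.ToUniversalTime().ToString("o") } else { $null }
    [pscustomobject]@{
        id      = [string]$op.Id
        start   = $op.StartTime.ToUniversalTime().ToString("o")
        end     = $end
        user    = $op.User            # DOMAIN\admin who made the change
        source  = $op.Source          # e.g. Studio or PowerShell
        success = $op.IsSuccessful
        text    = $op.Text            # human-readable description of the change
    } | ConvertTo-Json -Compress
}

# Append one JSON object per line so a collector tailing the file picks up new records.
if ($lines) {
    $lines | Add-Content -Path $OutFile -Encoding UTF8
}
Write-Host ("Exported {0} configuration logging records to {1}" -f @($lines).Count, $OutFile)
```

Run it from a scheduled task on an administration server and point the SIEM agent at the output file; because the file is appended rather than rewritten, re-runs with an overlapping window will produce duplicate lines, so deduplicate on the id field in the SIEM.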

Unclearness/lack of info on Citrix Cloud

During my project I did not get the answers to all my questions about the Citrix Cloud services. I found out that the publicly available information is really high level and not technical. Finding the correct answers is pretty difficult. Even within the Citrix organization not everyone is up to speed/up to date on features, limitations and so on. I even understand it, as the development is going quickly and the portfolio is growing quickly. But from a customer perspective it can look like the organization itself is not ready for supporting the service.

No App-V integration

A good suggestion made by David Wilkonson, as an update on the original article, is that App-V integration is currently not available in the Citrix Cloud. App-V Integration is a nice feature for companies for simplifying the publishing process for applications that are virtualized with App-V in the Citrix XenDesktop infrastructure. As this is not available at all in the cloud, companies who rely a lot on this feature need to use the on-premises version for the moment.

License model/costs

Last but not least, the license model of the Citrix Cloud service is only available for named users, while the on-premises product also has concurrent licenses. Many customers are using the concurrent license model for their current infrastructure, as it is the most cost-effective, especially when using the XenApp functionality. When such customers need to switch to named users (especially 24x7 companies) the license costs can be much higher than they are used to. Logically, other factors need to be taken into account as well, like fewer VMs required and less maintenance, and maybe no need for SQL Enterprise. However, in large companies, where a few VMs less hardly matter and SQL Enterprise is there already, it can become a tough calculation to turn on-premises components into Citrix Cloud services.

Summarization

As already stated, I think the Citrix Cloud services are evolving quickly and definitely deserve a place in the market. When updating/migrating to the latest Citrix version, the Citrix Cloud offering should in my opinion be taken into account (especially the Gateway Service) in each design phase. With this article I’m just warning that some options that are available in the on-premises product are not (fully) available in the Cloud service, and that can mean that the Cloud is not the best choice for each organization (yet).