At a start-up of a project often the requirements and wishes of the organization are sky-high. Everything should be possible and included. Sometimes it just looks like they are ordering a dish at restaurant and ask to add all ingredients that are possible (Everything on Top). Logically when the project is actually starting and/or evolving those requirements and wishes are reflected to the available budget and the current infrastructure/environment, so the goals and targets are adjusted. However sometime everything should actually on top and I participated in such a project. In this article series I will describe the experiences during this project. Instead of using the standard approach I will discuss the biggest discussion points during the project and how those discussions ended. But first I will start with a short description of the current infrastructures and the requirements of the project.

Current Infrastructure


The project was initiated as a merge of two current Citrix infrastructures both used for the same business goals. Both infrastructures are a stepping stone for the employees of the company to perform maintenance and administration tasks to systems of their customers. Those tasks are performed on the same platform (Citrix servers) for several customers. Logically it should not be possible that an employee working for Customer A, should be able to access systems of Customer B. Because the teams are relatively small it is pretty expensive to build a silo for each customer and arrange the access using Firewall (layer 3 level). To fulfill that employees can only access the customer systems they are working for both infrastructures are using a filtering mechanism on layer 7. The first environment used RES Workspace manager, while the second infrastructure is using Microsoft ISA to accomplish the requirement. It’s important to know that the proof that the employees can only the systems they are authorized for is on this platform.

Both infrastructures has similarities as they are both based on Citrix Presentation Server 4.5 (or XenApp 5 for Windows 2003 if you like that name better), the infrastructure is running in their own data center and the infrastructures are offering access from both workspaces within the company as external workspace (home users, external office and so on). Both supporting IT teams are not responsible for the client the user is accessing the environment. The FYOD (Find Your Own Device) is being used; the users are using several clients in several domains with lots of different versions of Citrix Clients (more about that later on).

Beside similarities there are also several differences:

-          Access to the environment: The first environment is using Citrix Access Gateway (Advanced) for all connections (both internal as external). External includes two factor authentication based on SMS Passcode. The second environment is using Web Interface for internal access and Citrix Secure Gateway for the external access with standard authentication.

-          Servers: The first environment is based on virtualized Citrix Presentation Server Virtual Machines, while the second environment is using physical boxes for deploying CPS.

-          Installation: In the first environment the installation is performed using vCenter templates and scripted installations (for a semi-unattended installation). The second environment almost all steps are executed manually. Also in the second environment all applications are installed manually and physically, while the first environment is using App-V and applications required locally are installed using scripts.

As both platforms are offering the same functionality and more important the second environment is experiencing several issues to the end-users the management demanded to build a new steppingstone platform, which will combine both platforms. For this platform they created a big list of requirements (everything on top).


-          Use the standard service data center (IaaS/Paas)

The company exists of several divisions and one of those divisions is maintaining two fully connected data centers. We were required to build our infrastructure based on the layers they are offering. In the upcoming articles based of the discussions will be on this part, so prepared.

-          Re-Use current techniques where possible

Where possible we should re-use techniques which are already in place in one of the current platforms. As both platforms used several different techniques a decision should be made which of those will be used in the upcoming environment.

-          Alway available (no downtime)

The environment should be available 24 Hours a day, 7 days a week and 365 days a year. Logically there are moment that there is lower capacity requirements, but a connection should always be possible.

-          Different requirement/wishes per divions should be possible

As stated earlier several divisions are using the systems which have their own requirements and restrictions. The platform should be configured in such way that those different requirements and restrictions should be possible.

-          Security (and Reporting over the security) is key

The platform is responsible for the access to the customer networks and need to arrange that only the assigned persons can access the customer infrastructure. The platform should also prove that only those users can access those infrastructures and is some cases it is also required that platform can provide information when and how late employees have access the customer networks.

-          Use standard services available within the company if applicable

Beside re-using currently used techniques, there should also take into account when additional techniques are required the first step is to look if there standard service within the company are available.

-          Department is architectural, maintenance should be carried out by other division

Besides setting-up a new environment also the tasks of the team were shifting. The team should have a more architectural role and the actual daily administration should be performed by another team.

-          Design and deployment should be re-usable for other infrastructures

In the most optimal solution the design and building structure should be set-up variable and transparent, so the whole concept can also be implemented at other divisions/companies with minimal effort.


In this first part I described the current situation where two separate platforms are available both based on the same basis functionality (Citrix Presentation Server) and performing the same kind of role (access to customer network for administrating several systems). On the other hand the environments differ on several points both on architectural level as used techniques. The second part started with shortly describing the reason why a new platform was required, followed by the requirements the company made for this new platform. In following article(s) I will describe how the project evolved and how this infrastructure is finally built. I will do this based on the biggest discussion points, starting with the discussion point High Availability/Disaster Recovery.