Citrix Cloud – Virtual Apps & Desktop · –Administrators use their identity to access Citrix...

Citrix Cloud – Virtual Apps & DesktopCitrix Workspace – Track Virtual Apps & Desktops

Claudio MascaroSenior Systems Engineer / Trainer / ConsultantBCD-SINTRAG AG13. NOVEMBER 2018

Workspace App

User

Tablet

Laptop

Phone

Workspace

User

Tablet

Laptop

Phone

Workspace AppOverview

Citrix Workspace App

Engines

Native access to SaaS apps with enhanced security

Remote access to virtual desktops, apps and browsers

Secure and optimized connectivity to backend resources

Integrated access to all cloud and on-prem storage repositories

Seamless auto-update and centralized management

User and device behavior monitoring and risk analysis

Embedded BrowserHDX

NetworkingAnalytics

Management

Content Collaboration

PersonalPhone/Tablet

Public Kiosk

Workspace AppOverview

Workspace

User

Workspace App(Desktop)

Workspace App(Mobile)

Workspace App(Web)

Corporate Device

XenApp & XenDesktop

Endpoint Management

Gateway

Access Control

XenApp & XenDesktopCloud Connector


Secure Browser

Resource Feed

Citr

ix C

loud

Se

rvic

esIT

M

anag

ed

• Engines – deployed as needed

• Platforms–Windows–Linux–Mac–iOS–Android–HTML5

Workspace AppDesign Considerations

Citrix Workspace App

EnginesEmbedded Browser

HDX

NetworkingAnalytics

Management


Secure BrowserService Browser Apps

Workspace Virtual Apps/DesktopsService

Endpoint ManagementService

User

Content CollaborationService

Access ControlService

Storage Apps

Virtual Apps and Desktops

SaaS and Web Apps

Local Apps

BYO Identity

BYO IdentityWhy

User Box Identity

SalesForce Identity

Workday Identity

SAP Identity

Office 365 Identity

BYO IdentityOverview

User

Workspace

Single Sign-on µ-service

WindowsActive Directory

Azure Active Directory

Identityµ-service

or

• Set Identity and Access Management authentication

BYO IdentityConfiguration

• Set Identity and Access Management authentication

• Set Workspace authentication

BYO IdentityConfiguration

• Azure AD with Virtual Apps and Desktops–Users prompted for a Windows AD account–Or setup Federated Authentication Services (FAS)

BYO IdentityDesign Considerations

Citrix Cloud Services

Citrix Workspace• Citrix Virtual Apps

and Desktops Service

• Citrix Endpoint Management Premium Service

• Citrix Content Collaboration Advanced Service

• Citrix Gateway* Service

Virtual Apps and Desktops Service

Virtual Apps Service

Virtual Desktop Service

Secure Browser Service

Virtual Apps EssentialsService

Virtual Desktops EssentialsService

Citrix Endpoint Management StandardService

Citrix Endpoint Management AdvancedService

Citrix Endpoint Management PremiumService

Citrix Content Collaboration

Citrix Gateway StandardService

Citrix Web App Firewall Service

Citrix Analytics

Citrix Application Delivery Management Service

License Usage Insights Service

SD-WAN Cloud-Managed Service

Overview of Available Services

VirtualApps &

Desktops

ContentCollaboration

Endpoint Management NetworkingWorkspaces Analytics For Service

Providers

*Only ICA Proxy included. Full NetScaler Service features available as as separate purchase.

Services Included Minimum purchase 25 subscribers or devices

Virtual Desktop Service Subscription

Virtual Apps and Virtual Desktops Subscription

Citrix Virtual Apps and Desktops

Desktop Delivery

App Delivery o

Multiple resource locations o

Smart Tools

Smart Build

Smart Migrate

Smart Scale

Smart Check

ADD-ON SERVICE

Citrix Gateway ICA/HDX Proxy 1 Gbps data per user per month 1 Gbps data per user per month

Citrix Virtual Apps and Desktops Entitlements and Licensing

Citrix WorkspaceEntitlements and Licensing

Services Included Minimum purchase 25 subscribers or devices

Citrix Workspace Subscription

Citrix Virtual Apps and Desktops

Desktop Delivery

App Delivery

Multiple resource locations

Citrix Endpoint Management Premium Service

Mobile Device Management

Mobile App Management

Mobile Productivity Apps

Citrix Content Collaboration

Storage Zone Connectors

Bring-your-own storage

1 GB file sharing data per user

Citrix Gateway 1 Gbps data per user per month

Services Included Minimum purchase 50 subscribers or devices Secure Browser Subscription

Secure Browser Service

Isolated, Cloud Hosted Browser

Includes Cloud IaaS for Browser

StoreFront Integration

5000 hours of secure browsing per organization

1000 hour add-on pack Add-on available

Citrix Secure Browser ServiceEntitlements and Licensing

Enabling New Services

Easily add and configure hosted services.

Citrix Cloud Architecture & Operations

Traditional Deployment

On-Premises or CloudCustomer/Partner-Managed

User Layer

Internal Users

External Users

Access Layer

StoreFront

Citrix Gateway

Firewall

Control Layer

Delivery Controller

Domain Controller

SQL

License Server

Resource Layer

Server OS Assigned Desktop OS

Random Desktop OS Remote PC

Firewall

Hardware Layer

StorageWifiNetwork Processor GraphicsMemory Hypervisor

Citrix Virtual Apps and Desktops Cloud Service Details

Resource LocationOn-Premise or Cloud(Customer/Partner-Managed)

Citrix Cloud (Citrix-Managed)

Optional on-premisesor Citrix Cloud managed.

License Server

Delivery Controller

Site Database

StoreFront

Net Scaler Gateway

User Layer

Internal Users

External Users

Access Layer

StoreFront

Citrix Gateway

Firewall

Control Layer Resource Layer



Firewall

Hardware Layer


Domain Controller

Cloud Connector

Cloud Connector

Service Levels

99.9%

• Citrix’s goal is that in any 30 calendar day period 99.9% of the time users can access their app or desktop session through the Service.

• Limitation examples:–Customer failure to follow configuration requirements for the service.–Customer controlled physical and virtual machines. –Customer installed and maintained operating systems.–Customer installed and controlled networking equipment or other

hardware. –Customer defined and controlled security settings, group policies and other

configuration policies. –Public cloud provider failures, Internet Service Provider failures or other

external to Citrix’s control.–Service disruption due to reasons beyond Citrix’s control, including natural

disaster, war or acts of terrorism, government action.

Citrix Cloud Locations

• Choose a region when signing in for the first time.

• US and EMEA available now.

• The region cannot be changed later.

• Only one region is supported per subscription.

Customer B Customer CCustomer A

Acce

ss C

ontr

ol

Customer A Metadata

Customer B Metadata

Customer C Metadata

Admin

Customer Application

DataResources

Connector


DataResources

Connector


DataResources

Connector

SecurityEvery customer’s metadata

is secured in separate containers.

Application data remains on-premise.

• Security Development Lifecycle–Regular security training for the entire team

–Threat modeling before any code is written–Both static and human code analysis for vulnerabilities

–Quarterly independent penetration tests

–Ongoing security reviews and auditing

• 24/7 Monitoring & Alerting for Security and Availability

Security

• Data at Rest:–Citrix Cloud only stores metadata, such as:

• Usernames• Application Names• Icons–Sensitive data remains in the resource location, under the

customer’s control:• Machine Images• User and Application Data

• Data in Transit:–All data is encrypted with TLS while in transit–HDX data (pixels, keystrokes, etc.) transit the Citrix Gateway–User credentials transit Citrix Workspace, but are not persisted

• Alternatively, StoreFront may be deployed by the customer to encrypt credentials before they leave the customer’s premises.

Compliance Handling of Data

SecurityEncryption

Password

Encryption Key / ICA Ticket

Password Single Sign-On for Windows Logon

AES Encrypted Password

Citrix Gateway

StoreFront

VDA

Cloud Connector

Cloud Connector

Citrix Cloud Administration

• Cloud Administration Console

• Cloud Studio

• Cloud Director

• Cloud Updates

Consoles

ConsolesChecking on a Resource

Location

Identity and Access

ManagementThere are 2 sets of

identities for Citrix Cloud

• Administrators:–Administrators use their identity to access Citrix Cloud, perform

management activities and deploy the Citrix Cloud Connector.–By default, Citrix Cloud uses the Citrix Identity provider to manage

the identity information for administrators in Citrix Cloud. Alternatively, Azure Active Directory can be used instead.

• Subscribers:–Subscriber identity defines which subscribers (users) have access to

services through Citrix Cloud. These identities come from Active Directory domain accounts provided from the domains within the resource location.–Citrix Cloud administrators can control which domains can be used

to provide these identities from the Domains tab in Identity and Access Management pages in Citrix Cloud.–Subscribers can also be Azure Active Directory users and can benefit

from multifactor authentication provided by Azure AD.

Citrix Cloud Connector Architecture

• All traffic is secured over HTTPS (port 443)

• Works behind NATs and HTTP proxies

• Inbound:–Messages sent to the connector(s)

rendezvous in the cloud at a special cloud service. Messages are then transferred via a Web Socket architecture–These messages are load balanced across

connectors

• Outbound:–Standard HTTPs Web requests

Cloud ConnectorCommunication Flow

XenApp and XenDesktop Service

with NetScaler Gateway Service

Hypervisors

AD

Server VDAs

Server VDAs

Server VDAs Server

VDAs

Server VDAs

Desktop VDAs

Cloud Connector

HTTPS / API Calls

Binary Encoded Message Passing

Cloud ConnectorArchitecture

Cloud Connector:• Provides a variety of services to

connect resources to the cloud• Supports the same protocols as a

Delivery Controllers in XenApp and XenDesktop, allowing the cloud service to share the same VDAs and Gateway.

XenApp and XenDesktop Service

Cloud ConnectorIdentityAuthentication

Active Directory

NetScalerGateway

ProvisioningProxy

HTTPS (port 443)

Hypervisors

Server VDAs

Server VDAs

Server VDAs Server

VDAs

Server VDAs

Desktop VDAs

Cloud ConnectorFunctions

• Active Directory (AD): Enables AD management, allowing the use of AD forests and domains within your resource locations. It removes the need for adding any additional AD trusts.

• Virtual Apps & Desktops: Enables publishing from resources in your resource locations.

• Endpoint Management: Enables a Endpoint Mgmt. enterprise mobility management (EMM) environment for managing apps and devices as well as users or groups of users.

• Machine Catalog provisioning: Enables provisioning of machines directly into your resource locations.

Cloud ConnectorScaling and

recommendations

• Always deploy on dedicated Windows Servers.–Citrix may reboot the machine during updates or as part of active

maintenance.

• Two Cloud Connectors can support 5k VDAs and 20k Sessions.–4 vCPU and 4 GB Ram recommended.

• Cloud Connectors are stateless and will balance load automatically.

• Keep Cloud Connectors online.–If a Cloud Connector misses two updates in a row, it may lose connectivity

with Citrix Cloud.

Citrix Virtual Apps & Desktops Deployment Models

Traditional On-premises

Customer Location

User Layer

Internal Users

External Users

Access Layer

StoreFront

NetScaler Gateway

Firewall

Control Layer

Delivery Controller

Domain Controller

SQL

License Server

Resource Layer



Firewall

Hardware Layer


Citrix Virtual Apps and

Desktops Service with Public Cloud• All components hosted

by Partner or on Customer.

• Also known as the forklift model.

Public Cloud

Public Cloud

User Layer

Internal Users

External Users

Access Layer

StoreFront

NetScaler Gateway

Firewall

Control Layer

Delivery Controller

Domain Controller

SQL

License Server

Resource Layer



Firewall

Hardware Layer


On-prem

ises

Citrix Cloud

Citrix Virtual Apps and Desktops Service with On-premises Resources

Citrix Cloud(operated by Citrix)

Customer or partner-managed,

on-premises hosted

Access LayerUser Layer

Firewall

Firewall

Resource LayerControl Layer

Compute Layer

Studio Director

Citrix Gateway Service

Workspace

License Server

Delivery Controller

Site Database

Active Directory Server

Cloud Connector

Citrix Gateway

StoreFrontInternal Users

External Users




Public Cloud

Citrix Cloud

Citrix Virtual Apps and Desktops Service with Public Cloud


Customer or partner managed,

public-hosted


Firewall


Compute Layer

Studio Director


Workspace

License Server

Delivery Controller

Site Database

Firewall


Citrix Gateway

StoreFront Cloud Connector




Internal Users

External Users

Citrix Virtual Apps and Desktops Service with Hybrid CloudCitrix Cloud

On Prem

isesPubl

ic C

loud

User Layer

Access Layer

Firewall

Resource LayerControl LayerAccess Layer

Firewall



Customer or partner managed,

public hostedand

on-Premises

Studio Director


Workspace

License Server

Delivery Controller

Site Database


Citrix Gateway



Citrix Gateway


Server OS

Assigned Desktop OSRandom Desktop OS

Server OS

Internal Users

External Users

Design and Deployment

Differences from traditional deployments

• High Availability built into the platform–Only worry about VDAs

• GSLB built into the platform

• Single Site per subscription–Zones / resource locations used to define where VDAs are hosted

• Zones –Contain Cloud Connectors instead of Delivery Controllers

• Site Database–Hosted by Citrix–No High Speed Network Link required between Zones

• Delegated Administration–Less flexible than on-premises

Citrix Virtual Apps & Desktops with Nutanix InstantOn

Citrix Virtual Apps & Desktops Remote PowerShell SDK

An Overview: XenApp and XenDesktop Remote PowerShell SDK• SDKs help automate complex and

repetitive tasks.

• PowerShell SDKs installed with on-premises XenApp and XenDesktop cannot cross the resource location to Control Plane boundary.

• Remote PowerShell SDK can access the Control Plane the same way an on-premises Delivery Controller can be administered using PowerShell.

Admin workstation

C:\

Prerequisites and Installation

Prerequisites: • Remote SDKs should be installed on domain joined machine within a resource location. • Remote SDK machine should have PoSH 3.0 installed.• Citrix recommends to not run PowerShell SDK from Cloud Connector servers.

Installation:• The download package contains both x86 and x64 implementations.• Installation is supported from GUI and Command line. • Location of install logs: %TEMP%\CitrixLogs\CitrixPoshSdk

Installation logs are located at %TEMP%\CitrixLogs\CitrixPoshSdk

Citrix Cloud BCDSINTRAGAG-------------------------------------Customer ID: BCDSINTRAGAGName: Remote-SDKClientID: 5e8666be-2772-42b9-8245-75082d256bbeSecret: J3nmzl_poofQ8ohRetLGVg==Resource Location ID: eea574e1-2936-42e4-aa95-6b9b9f42ff50

#Create credential profile for Citrix Cloudasnp citrix*Set-XDCredentials -CustomerId "BCDSINTRAGAG" -SecureClientFile "C:\users\Administrator.software-onine\Downloads\secureclient.csv" -ProfileType CloudApi -StoreAs "CloudAdmin“

# Silent Connector InstallC:\CWCConnector.exe /q /Customer:"Account Name" /ClientId:"Unique" /clientSecret:"Unique" /ResourceLocationId:"Unique" /AcceptTermsOfService:true

C:\CWCConnector.exe /q /Customer:"BCDSINTRAGAG" /ClientId:"5e8666be-2772-42b9-8245-75082d256bbe" /clientSecret:"J3nmzl_poofQ8ohRetLGVg==" /ResourceLocationId:"eea574e1-2936-42e4-aa95-6b9b9f42ff50" /AcceptTermsOfService:true

Using PVS with Virtual Apps & Desktops

PVS Architecture• On-premises PVS Servers

• Citrix License Server

• SQL Database

• Service Account

On-prem

ises Datacenter

Citrix Cloud


Internal Users

External Users Firewall

Firewall

Resource Layer

Random Desktop OS

Server OS

Control Layer

Network Storage Memory Graphics HypervisorProcessor

Compute Layer

Databases

PVS Console w Cloud SDK

PVS Server

NetScaler Gateway Service

Workspace

License Server

Delivery Controller

Site Database

Active Directory

Cloud Connector

NetScaler Gateway

StoreFront

License Server

Uninstall this program on Provisioning Server

Install PowerShell SDK for Provisioning Server

Validate Remaining Program

PVS Considerations

• PVS environment on-premises only

• Authentication to Citrix Cloud required when using XenDesktop Setup Wizard

• On-premises Citrix License Server

• On-premises SQL Database for PVS

• PVS minimum version 7.7

• Replace SDK on PVS Console

• Personal vDisk is not supported

• AppDisk is not supported

Citrix Cloud – Virtual Apps & Desktop · –Administrators use their identity to access Citrix...

Documents

Transcript of Citrix Cloud – Virtual Apps & Desktop · –Administrators use their identity to access Citrix...