Citrix Cloud – Virtual Apps & Desktops
Citrix Workspace – Track Virtual Apps & Desktops
Claudio Mascaro, Senior Systems Engineer / Trainer / Consultant, BCD-SINTRAG AG
13 November 2018
Workspace App
Diagram: a user on tablet, laptop and phone reaches the Workspace through the Workspace App.
Workspace App: Overview
Citrix Workspace App engines: Embedded Browser, HDX, Networking, Analytics, Management, Content Collaboration
• Native access to SaaS apps with enhanced security
• Remote access to virtual desktops, apps and browsers
• Secure and optimized connectivity to backend resources
• Integrated access to all cloud and on-prem storage repositories
• Seamless auto-update and centralized management
• User and device behavior monitoring and risk analysis
Endpoints shown: personal phone/tablet, public kiosk
Workspace App: Overview
Diagram: the user reaches the Workspace through Workspace App (Desktop), Workspace App (Mobile) or Workspace App (Web) on a corporate device. The Workspace resource feed is assembled from Citrix Cloud Services (XenApp & XenDesktop, Endpoint Management, Gateway, Access Control, Content Collaboration, Secure Browser); the XenApp & XenDesktop Cloud Connector is IT managed.
• Engines: deployed as needed
• Platforms: Windows, Linux, Mac, iOS, Android, HTML5
Workspace App: Design Considerations
Diagram: the Citrix Workspace App engines (Embedded Browser, HDX, Networking, Analytics, Management, Content Collaboration) map to the services the user consumes: Secure Browser Service for browser apps, Workspace Virtual Apps/Desktops Service for virtual apps and desktops, Content Collaboration Service for storage apps, Access Control Service for SaaS and web apps, and Endpoint Management Service for local apps.
BYO Identity
BYO Identity: Why
Diagram: today the user carries one identity per application: Box identity, SalesForce identity, Workday identity, SAP identity, Office 365 identity.
BYO Identity: Overview
Diagram: User → Workspace → Identity µ-service, backed by Windows Active Directory or Azure Active Directory; a Single Sign-on µ-service handles sign-on to the resources.
BYO Identity: Configuration
• Set Identity and Access Management authentication
• Set Workspace authentication
• Azure AD with Virtual Apps and Desktops: because Workspace then holds no Windows password for the user, either users are prompted for a Windows AD account at launch, or Federated Authentication Service (FAS) is set up so the VDA logon is performed with a certificate issued for the user instead of a password.
BYO Identity: Design Considerations
Citrix Cloud Services: Overview of Available Services
Citrix Workspace bundle:
• Citrix Virtual Apps and Desktops Service
• Citrix Endpoint Management Premium Service
• Citrix Content Collaboration Advanced Service
• Citrix Gateway* Service
Virtual Apps & Desktops: Virtual Apps and Desktops Service, Virtual Apps Service, Virtual Desktop Service, Secure Browser Service, Virtual Apps Essentials Service, Virtual Desktops Essentials Service
Endpoint Management: Citrix Endpoint Management Standard Service, Advanced Service, Premium Service
Content Collaboration: Citrix Content Collaboration
Networking: Citrix Gateway Standard Service, Citrix Web App Firewall Service, Citrix Application Delivery Management Service, SD-WAN Cloud-Managed Service
Analytics: Citrix Analytics
For Service Providers: License Usage Insights Service
*Only ICA Proxy included. Full NetScaler Service features are available as a separate purchase.
Citrix Virtual Apps and Desktops: Entitlements and Licensing
Services included (minimum purchase 25 subscribers or devices), compared for the Virtual Desktop Service Subscription and the Virtual Apps and Virtual Desktops Subscription:
• Citrix Virtual Apps and Desktops: Desktop Delivery; App Delivery; Multiple resource locations (the last two are marked "o" in the deck's feature matrix)
• Smart Tools: Smart Build, Smart Migrate, Smart Scale, Smart Check
• Add-on service: Citrix Gateway ICA/HDX Proxy, 1 GB of data per user per month (both subscriptions)
Citrix Workspace: Entitlements and Licensing
Services included in the Citrix Workspace Subscription (minimum purchase 25 subscribers or devices):
• Citrix Virtual Apps and Desktops: Desktop Delivery, App Delivery, Multiple resource locations
• Citrix Endpoint Management Premium Service: Mobile Device Management, Mobile App Management, Mobile Productivity Apps
• Citrix Content Collaboration: Storage Zone Connectors, Bring-your-own storage, 1 GB file sharing data per user
• Citrix Gateway: 1 GB of data per user per month
Citrix Secure Browser Service: Entitlements and Licensing
Services included in the Secure Browser Subscription (minimum purchase 50 subscribers or devices):
• Secure Browser Service: isolated, cloud-hosted browser; includes the cloud IaaS for the browser; StoreFront integration
• 5000 hours of secure browsing per organization
• Add-on available: 1000 hour add-on pack
Enabling New Services
Easily add and configure hosted services.
Citrix Cloud Architecture & Operations
Traditional Deployment (On-Premises or Cloud, Customer/Partner-Managed)
• User Layer: Internal Users, External Users
• Access Layer: StoreFront, Citrix Gateway, Firewall
• Control Layer: Delivery Controller, Domain Controller, SQL, License Server
• Resource Layer: Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC, Firewall
• Hardware Layer: Storage, Wifi, Network, Processor, Graphics, Memory, Hypervisor
Citrix Virtual Apps and Desktops Cloud Service Details
Citrix Cloud (Citrix-Managed): License Server, Delivery Controller, Site Database, StoreFront, NetScaler Gateway (StoreFront and Gateway are optional: on-premises or Citrix Cloud managed)
Resource Location, On-Premise or Cloud (Customer/Partner-Managed):
• User Layer: Internal Users, External Users
• Access Layer: StoreFront, Citrix Gateway, Firewall
• Control Layer: Domain Controller, Cloud Connector (two shown)
• Resource Layer: Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC, Firewall
• Hardware Layer: Storage, Wifi, Network, Processor, Graphics, Memory, Hypervisor
Service Levels: 99.9%
• Citrix's goal is that in any 30 calendar day period, 99.9% of the time users can access their app or desktop session through the Service.
• Limitation examples (excluded from the service level):
–Customer failure to follow configuration requirements for the service.
–Customer-controlled physical and virtual machines.
–Customer-installed and maintained operating systems.
–Customer-installed and controlled networking equipment or other hardware.
–Customer-defined and controlled security settings, group policies and other configuration policies.
–Public cloud provider failures, Internet Service Provider failures or other failures external to Citrix's control.
–Service disruption due to reasons beyond Citrix's control, including natural disaster, war or acts of terrorism, government action.
Citrix Cloud Locations
• Choose a region when signing in for the first time.
• US and EMEA available now.
• The region cannot be changed later.
• Only one region is supported per subscription.
Diagram: Customer A, Customer B and Customer C each have their own metadata behind Citrix Cloud Access Control (used by the Admin), and their own Application Data / Resources reached through a Connector.
Security: every customer's metadata is secured in separate containers. Application data remains on-premise.
• Security Development Lifecycle
–Regular security training for the entire team
–Threat modeling before any code is written
–Both static and human code analysis for vulnerabilities
–Quarterly independent penetration tests
–Ongoing security reviews and auditing
• 24/7 Monitoring & Alerting for Security and Availability
Security: Compliance and Handling of Data
• Data at Rest:
–Citrix Cloud only stores metadata, such as usernames, application names and icons
–Sensitive data remains in the resource location, under the customer's control: machine images, user and application data
• Data in Transit:
–All data is encrypted with TLS while in transit
–HDX data (pixels, keystrokes, etc.) transits the Citrix Gateway
–User credentials transit Citrix Workspace, but are not persisted
–Alternatively, StoreFront may be deployed by the customer to encrypt credentials before they leave the customer's premises, so that user passwords are handled on-premises rather than by Citrix Workspace.
Security: Encryption
Diagram: the user's password enters through Citrix Gateway and StoreFront, passes through the Cloud Connectors to the VDA; labels on the flow: Encryption Key / ICA Ticket, AES Encrypted Password, Password Single Sign-On for Windows Logon.
Citrix Cloud Administration
• Cloud Administration Console
• Cloud Studio
• Cloud Director
• Cloud Updates
Consoles
Consoles: Checking on a Resource Location
Identity and Access Management
There are two sets of identities for Citrix Cloud:
• Administrators:
–Administrators use their identity to access Citrix Cloud, perform management activities and deploy the Citrix Cloud Connector.
–By default, Citrix Cloud uses the Citrix Identity provider to manage the identity information for administrators in Citrix Cloud. Alternatively, Azure Active Directory can be used instead.
• Subscribers:
–Subscriber identity defines which subscribers (users) have access to services through Citrix Cloud. These identities come from Active Directory domain accounts provided from the domains within the resource location.
–Citrix Cloud administrators can control which domains can be used to provide these identities from the Domains tab in the Identity and Access Management pages in Citrix Cloud.
–Subscribers can also be Azure Active Directory users and can benefit from multifactor authentication provided by Azure AD.
Citrix Cloud Connector Architecture
• All traffic is secured over HTTPS (port 443)
• Works behind NATs and HTTP proxies: every connection is initiated outbound by the connector, so no inbound firewall port has to be opened
• Inbound (cloud to connector):
–Messages sent to the connector(s) rendezvous in the cloud at a special cloud service and are then delivered over a WebSocket that the connector established outbound
–These messages are load balanced across connectors
• Outbound (connector to cloud): standard HTTPS web requests
Cloud Connector: Communication Flow
Diagram: XenApp and XenDesktop Service with NetScaler Gateway Service in Citrix Cloud; in the resource location the Cloud Connector fronts the Hypervisors, AD, Server VDAs and Desktop VDAs. Traffic between the service and the connector: HTTPS / API calls and binary-encoded message passing.
Cloud Connector: Architecture
• Provides a variety of services to connect resources to the cloud
• Supports the same protocols as Delivery Controllers in XenApp and XenDesktop, allowing the cloud service to share the same VDAs and Gateway.
Diagram: XenApp and XenDesktop Service ↔ Cloud Connector over HTTPS (port 443); connector roles: Identity, Authentication, Provisioning, Proxy; resource-location components: Active Directory, NetScaler Gateway, Hypervisors, Server VDAs, Desktop VDAs.
Cloud Connector: Functions
• Active Directory (AD): Enables AD management, allowing the use of AD forests and domains within your resource locations. It removes the need for adding any additional AD trusts.
• Virtual Apps & Desktops: Enables publishing from resources in your resource locations.
• Endpoint Management: Enables an Endpoint Management enterprise mobility management (EMM) environment for managing apps and devices as well as users or groups of users.
• Machine Catalog provisioning: Enables provisioning of machines directly into your resource locations.
Cloud Connector: Scaling and Recommendations
• Always deploy on dedicated Windows Servers.
–Citrix may reboot the machine during updates or as part of active maintenance.
• Two Cloud Connectors can support 5k VDAs and 20k sessions.
–4 vCPU and 4 GB RAM recommended.
• Cloud Connectors are stateless and will balance load automatically.
• Keep Cloud Connectors online.
–If a Cloud Connector misses two updates in a row, it may lose connectivity with Citrix Cloud.
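As an added example (not from the deck and not Citrix's own tooling), the PowerShell script below turns the connector requirements from the architecture slide and the scaling slide into a pre-flight check to run on a candidate host before installing the connector: domain membership, not a domain controller, the 4 vCPU / 4 GB sizing, no VDA on the same box (the host must be dedicated because Citrix may reboot it), the WinHTTP proxy the outbound HTTPS will traverse, and outbound TCP/443 reachability. The hostnames in the endpoint list and the use of the BrokerAgent service name to detect a co-installed VDA are assumptions made here; take the authoritative endpoint list from Citrix's published connectivity requirements for Citrix Cloud. Test-NetConnection needs Windows Server 2012 / PowerShell 3.0 or later.

```powershell
# Added example: pre-flight checks for a candidate Cloud Connector host.
# Assumptions: the hostnames in $CloudEndpoints are illustrative placeholders;
# 'BrokerAgent' is the Citrix VDA service name, used here to detect a non-dedicated host.
#Requires -Version 3.0

$MinLogicalCpus = 4      # 4 vCPU recommended per the deck
$MinRamGB       = 4      # 4 GB RAM recommended per the deck
$CloudEndpoints = @(     # assumed list; replace with Citrix's published endpoint list
    'citrix.cloud.com',
    'cloud.com'
)

function Test-ConnectorHost {
    [CmdletBinding()]
    param([string[]]$Endpoints = $CloudEndpoints)

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r  = [ordered]@{}

    # Must be a domain member; a domain controller is not a dedicated server.
    $r.Domain             = $cs.Domain
    $r.DomainJoined       = [bool]$cs.PartOfDomain
    $r.IsDomainController = $cs.DomainRole -ge 4          # 4 = backup DC, 5 = primary DC

    # Sizing against the 4 vCPU / 4 GB recommendation.
    $r.LogicalCpus = $cs.NumberOfLogicalProcessors
    $r.RamGB       = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $r.SizingOk    = ($r.LogicalCpus -ge $MinLogicalCpus) -and ($r.RamGB -ge $MinRamGB)

    # Dedicated server: a VDA on the same box would be taken down by connector maintenance reboots.
    $r.VdaInstalled = [bool](Get-Service -Name 'BrokerAgent' -ErrorAction SilentlyContinue)

    # The connector's outbound HTTPS has to traverse whatever system proxy is configured.
    $r.WinHttpProxy = ((netsh winhttp show proxy) | Where-Object { $_ -match 'Proxy' }) -join ' '

    # Outbound TCP/443 to each endpoint; nothing inbound is required.
    $r.Connectivity = foreach ($h in $Endpoints) {
        $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Endpoint = $h; Tcp443 = [bool]$t.TcpTestSucceeded }
    }
    $r.ConnectivityOk = -not ($r.Connectivity | Where-Object { -not $_.Tcp443 })

    $r.Ready = $r.DomainJoined -and -not $r.IsDomainController -and $r.SizingOk `
               -and -not $r.VdaInstalled -and $r.ConnectivityOk
    [pscustomobject]$r
}

$report = Test-ConnectorHost
$report | Format-List
if (-not $report.Ready) { Write-Warning 'Host does not meet the Cloud Connector requirements.' }
```

Run it as an administrator on the prospective connector; a failed Tcp443 result with a populated WinHttpProxy line usually means the proxy needs an allow rule for the Citrix Cloud endpoints, since the connector makes no direct inbound connections that a firewall rule could fix.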
Citrix Virtual Apps & Desktops Deployment Models
Traditional On-premises (Customer Location)
• User Layer: Internal Users, External Users
• Access Layer: StoreFront, NetScaler Gateway, Firewall
• Control Layer: Delivery Controller, Domain Controller, SQL, License Server
• Resource Layer: Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC, Firewall
• Hardware Layer: Storage, Wifi, Network, Processor, Graphics, Memory, Hypervisor
Citrix Virtual Apps and Desktops Service with Public Cloud (forklift model)
• All components hosted by the partner or by the customer in the public cloud.
• Also known as the forklift model.
Public Cloud:
• User Layer: Internal Users, External Users
• Access Layer: StoreFront, NetScaler Gateway, Firewall
• Control Layer: Delivery Controller, Domain Controller, SQL, License Server
• Resource Layer: Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC, Firewall
• Hardware Layer: Storage, Wifi, Network, Processor, Graphics, Memory, Hypervisor
Citrix Virtual Apps and Desktops Service with On-premises Resources
Citrix Cloud (operated by Citrix): Studio, Director, Citrix Gateway Service, Workspace, License Server, Delivery Controller, Site Database
On-premises, customer or partner-managed:
• User Layer: Internal Users, External Users
• Access Layer: Citrix Gateway, StoreFront, Firewall
• Control Layer: Active Directory Server, Cloud Connector
• Resource Layer: Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC
• Compute Layer: Storage, Wifi, Network, Processor, Graphics, Memory, Hypervisor
(Firewalls shown at the edge of the on-premises site and between the access and control/resource layers.)
Citrix Virtual Apps and Desktops Service with Public Cloud
Citrix Cloud (operated by Citrix): Studio, Director, Citrix Gateway Service, Workspace, License Server, Delivery Controller, Site Database
Public cloud, customer or partner-managed:
• User Layer: Internal Users, External Users
• Access Layer: Citrix Gateway, StoreFront, Firewall
• Control Layer: Active Directory Server, Cloud Connector
• Resource Layer: Server OS, Assigned Desktop OS, Random Desktop OS, Remote PC
• Compute Layer: Storage, Wifi, Network, Processor, Graphics, Memory, Hypervisor
(Firewalls shown at the edge of the public cloud tenant and between the access and control/resource layers.)
Citrix Virtual Apps and Desktops Service with Hybrid Cloud
Citrix Cloud (operated by Citrix): Studio, Director, Citrix Gateway Service, Workspace, License Server, Delivery Controller, Site Database
Customer or partner-managed, public-hosted and on-premises; each location has its own stack:
• User Layer: Internal Users, External Users
• Access Layer (per location): Citrix Gateway, StoreFront, Firewall
• Control Layer (per location): Active Directory Server, Cloud Connector
• Resource Layer: on-premises Server OS, Assigned Desktop OS, Random Desktop OS; public cloud Server OS
Design and Deployment: Differences from traditional deployments
• High Availability built into the platform: only the VDAs remain the customer's concern
• GSLB built into the platform
• Single Site per subscription: zones / resource locations are used to define where VDAs are hosted
• Zones contain Cloud Connectors instead of Delivery Controllers
• Site Database: hosted by Citrix; no high speed network link required between zones
• Delegated Administration: less flexible than on-premises
Citrix Virtual Apps & Desktops with Nutanix InstantOn
Citrix Virtual Apps & Desktops Remote PowerShell SDK
An Overview: XenApp and XenDesktop Remote PowerShell SDK
• SDKs help automate complex and repetitive tasks.
• The PowerShell SDKs installed with on-premises XenApp and XenDesktop cannot cross the boundary between the resource location and the control plane.
• The Remote PowerShell SDK can access the control plane the same way an on-premises Delivery Controller can be administered using PowerShell.
Diagram: admin workstation (local drive) running the Remote PowerShell SDK.
Prerequisites and Installation
Prerequisites:
• The Remote SDK should be installed on a domain-joined machine within a resource location.
• The Remote SDK machine should have PowerShell 3.0 installed.
• Citrix recommends not running the PowerShell SDK from Cloud Connector servers.
Installation:
• The download package contains both x86 and x64 implementations.
• Installation is supported from the GUI and from the command line.
• Location of install logs: %TEMP%\CitrixLogs\CitrixPoshSdk
Secure client details as shown on the slide (the Remote-SDK client for customer BCDSINTRAGAG):
Customer ID: BCDSINTRAGAG
Name: Remote-SDK
Client ID: 5e8666be-2772-42b9-8245-75082d256bbe
Secret: J3nmzl_poofQ8ohRetLGVg==
Resource Location ID: eea574e1-2936-42e4-aa95-6b9b9f42ff50
# Create credential profile for Citrix Cloud
asnp citrix*
Set-XDCredentials -CustomerId "BCDSINTRAGAG" -SecureClientFile "C:\users\Administrator.software-onine\Downloads\secureclient.csv" -ProfileType CloudApi -StoreAs "CloudAdmin"
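An added example (not from the deck) that builds on the credential profile above: the script first refuses to use a secure client CSV that broad groups can read, because that file carries the API secret in clear text, then authenticates through the Remote PowerShell SDK, takes a read-only inventory of machine registration state and sessions, and clears the cached profile afterwards. The file path, the profile name and the list of broad groups are assumptions; the cmdlets used (Set-XDCredentials, Get-XDAuthentication, Clear-XDCredentials, Get-BrokerMachine, Get-BrokerSession) are the SDK's own. A secret that has been shown on a slide, as above, has to be treated as compromised and the secure client deleted in Citrix Cloud.

```powershell
# Added example: Remote PowerShell SDK session against Citrix Cloud.
# Assumptions: file path, profile name and the broad-group list are illustrative;
# the customer ID is the one on the slide.
Add-PSSnapin Citrix*                                   # same as the slide's 'asnp citrix*'

$CustomerId       = 'BCDSINTRAGAG'
$SecureClientFile = 'C:\secure\secureclient.csv'       # assumed location
$ProfileName      = 'CloudAdmin'

# The secure client CSV holds the API secret in clear text. Refuse it if broad groups
# can read it; only the admin account that runs the SDK should have access.
function Assert-SecretFileAcl {
    param([Parameter(Mandatory)][string]$Path)
    $broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $exposed = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broadGroups -contains $_.IdentityReference.Value
    }
    if ($exposed) {
        $who = ($exposed.IdentityReference.Value | Select-Object -Unique) -join ', '
        throw "Refusing to use '$Path': readable by $who"
    }
}

Assert-SecretFileAcl -Path $SecureClientFile

# Store the profile and authenticate (the slide's call, with variables instead of literals).
Set-XDCredentials -CustomerId $CustomerId -SecureClientFile $SecureClientFile `
                  -ProfileType CloudApi -StoreAs $ProfileName
Get-XDAuthentication -ProfileName $ProfileName

# Read-only inventory: registration health and sessions per delivery group.
$machines = Get-BrokerMachine -MaxRecordCount 100000
$machines | Group-Object RegistrationState | Select-Object Name, Count | Format-Table -AutoSize

# Powered-on VDAs that are not registered cannot broker sessions: the first thing to chase.
$machines | Where-Object { $_.PowerState -eq 'On' -and $_.RegistrationState -ne 'Registered' } |
    Select-Object MachineName, RegistrationState, LastDeregistrationReason | Format-Table -AutoSize

Get-BrokerSession -MaxRecordCount 100000 | Group-Object DesktopGroupName |
    Select-Object Name, Count | Format-Table -AutoSize

# Remove the cached profile once the admin session is over.
Clear-XDCredentials -ProfileName $ProfileName
```

Because the SDK authenticates with the secure client rather than the administrator's own login, the same ACL discipline applies to any script or scheduled task that embeds the path: whoever can read the CSV holds the full rights of the administrator who created it.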
# Silent Connector InstallC:\CWCConnector.exe /q /Customer:"Account Name" /ClientId:"Unique" /clientSecret:"Unique" /ResourceLocationId:"Unique" /AcceptTermsOfService:true
C:\CWCConnector.exe /q /Customer:"BCDSINTRAGAG" /ClientId:"5e8666be-2772-42b9-8245-75082d256bbe" /clientSecret:"J3nmzl_poofQ8ohRetLGVg==" /ResourceLocationId:"eea574e1-2936-42e4-aa95-6b9b9f42ff50" /AcceptTermsOfService:true
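An added example (not from the deck and not a Citrix-supplied script) wrapping the silent install above. The command line on the slide embeds the secure client secret as a literal; the wrapper verifies the installer's Authenticode signature before running it, reads the secret from a DPAPI-protected file written once with Export-Clixml, passes it to the installer, checks the exit code and confirms the connector services are running. The secret still appears on the installer's command line, so on hosts with process-creation auditing and command-line logging enabled (event ID 4688) it lands in the Security event log; treat the secure client as single-use and delete it in Citrix Cloud once the connectors are installed. Paths, the service display-name pattern, the 60-second wait and the signer check on the string "Citrix" are assumptions; customer, client and resource location IDs are those on the slide.

```powershell
# Added example: hardened wrapper for the silent Cloud Connector install.
# Assumptions: $SecretStore was created once, by the same user on this host, with
#   Read-Host -AsSecureString 'Client secret' | Export-Clixml $SecretStore
# (DPAPI, current-user scope); the service display-name pattern is an assumption.
$Installer   = 'C:\CWCConnector.exe'                 # path used on the slide
$SecretStore = 'C:\secure\connector-secret.xml'      # assumed location
$CustomerId  = 'BCDSINTRAGAG'                        # values from the slide
$ClientId    = '5e8666be-2772-42b9-8245-75082d256bbe'
$ResLocId    = 'eea574e1-2936-42e4-aa95-6b9b9f42ff50'

# 1. Only run an installer that carries a valid signature from the expected publisher.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Citrix') {
    throw "Refusing to run $Installer (status: $($sig.Status); signer: $($sig.SignerCertificate.Subject))"
}

# 2. Recover the secret from the DPAPI-protected store only for the duration of the install.
$secure = Import-Clixml -Path $SecretStore
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 3. Same switches as the slide; the installer accepts the secret only as an argument.
$installArgs = @(
    '/q',
    "/Customer:`"$CustomerId`"",
    "/ClientId:`"$ClientId`"",
    "/clientSecret:`"$secret`"",
    "/ResourceLocationId:`"$ResLocId`"",
    '/AcceptTermsOfService:true'
)
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru -NoNewWindow
Remove-Variable -Name secret, installArgs
if ($proc.ExitCode -ne 0) { throw "Connector install failed, exit code $($proc.ExitCode)" }

# 4. Confirm the connector services exist and are running (display-name pattern assumed).
Start-Sleep -Seconds 60
$svc = Get-Service | Where-Object { $_.DisplayName -like 'Citrix Cloud Services*' }
if (-not $svc) { throw 'No Citrix Cloud Services found after the install' }
$svc | Select-Object DisplayName, Status | Format-Table -AutoSize
$stopped = $svc | Where-Object { $_.Status -ne 'Running' }
if ($stopped) { Write-Warning "Not running: $($stopped.DisplayName -join ', ')" }
```

Export-Clixml protects a SecureString with DPAPI bound to the user and machine, so the store must be written on the connector host by the account that runs the install; copying the XML to another host or running it as a different user yields an unreadable secret, which is the intended failure mode.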
Using PVS with Virtual Apps & Desktops
PVS Architecture
• On-premises PVS Servers
• Citrix License Server
• SQL Database
• Service Account
Diagram (on-premises datacenter and Citrix Cloud):
Citrix Cloud: NetScaler Gateway Service, Workspace, License Server, Delivery Controller, Site Database
On-premises datacenter:
• User Layer: Internal Users, External Users
• Access Layer: NetScaler Gateway, StoreFront, Firewall
• Control Layer: Active Directory, Cloud Connector, PVS Server, PVS Console with Cloud SDK, Databases, License Server
• Resource Layer: Random Desktop OS, Server OS
• Compute Layer: Network, Storage, Memory, Graphics, Processor, Hypervisor
Screenshots: replacing the SDK on the PVS console: uninstall the existing PowerShell SDK program on the Provisioning Server, install the Remote PowerShell SDK for the Provisioning Server, then validate the remaining program.
PVS Considerations
• PVS environment on-premises only
• Authentication to Citrix Cloud required when using XenDesktop Setup Wizard
• On-premises Citrix License Server
• On-premises SQL Database for PVS
• PVS minimum version 7.7
• Replace SDK on PVS Console
• Personal vDisk is not supported
• AppDisk is not supported