Introduction
This article describes the functionality and architecture of the Citrix Cloud platform and the Citrix Workspace suite of services. These solutions are the central element and the basis for implementing Citrix's concept of digital workplaces.
In this article I tried to understand and formulate the causal relationships between cloud platforms, services and Citrix subscriptions, whose description in the company's public sources (citrix.com and docs.citrix.com) looks rather foggy in places. Cloud technology, apparently, and nothing else! It should be noted that the architecture and the technology themselves are described quite sanely. The difficulties arise in understanding the hierarchical relationship between services and platforms:
- Which platform is the primary one: Citrix Cloud or the Citrix Workspace Platform?
- Which of these platforms includes the numerous Citrix services needed to build a digital workplace infrastructure?
- How much does all this cost, and in what options can it be obtained?
- Is it possible to implement all the features of Citrix's digital workspace without using Citrix Cloud?
Answers to these questions, and an introduction to Citrix's digital workplace solutions, follow below.
Citrix Cloud
Citrix Cloud is a cloud platform that hosts all the services necessary for organizing digital workplaces. Citrix owns this cloud outright, maintains it itself and provides a stated SLA (service availability of at least 99.5% per month).
Citrix customers, depending on the selected subscription (service package), get access to a specific list of services under the SaaS model. For them, Citrix Cloud acts as the management console for the company's digital workplaces. Citrix Cloud has a multi-tenant architecture; customers and their infrastructures are isolated from each other.
Citrix Cloud acts as the control plane: it hosts numerous Citrix cloud services, including the service and management components of the digital workspace infrastructure. The data plane, including user applications, desktops and data, is outside Citrix Cloud. The only exception is the Secure Browser Service, which is fully cloud based. The data plane can be located in the customer's data center (on-premises), in a service provider's data center, or in the hyperscale public clouds (AWS, Azure, Google Cloud). Mixed and distributed solutions are possible, where customer data is located in several sites and clouds and their management is centralized in Citrix Cloud.
This approach has several obvious advantages for customers:
- freedom to choose the site where data is placed;
- the ability to build a hybrid, distributed infrastructure spanning multiple locations from different providers, in multiple clouds and on-premises;
- Citrix has no direct access to user data, since it resides outside Citrix Cloud;
- the ability to set the required level of performance, fault tolerance, reliability, confidentiality, integrity and availability of data independently, and then select the sites that fit;
- no need to host and maintain the many digital workplace management services, since all of them live in Citrix Cloud and are Citrix's headache; as a result, lower costs.
Citrix Workspace
Citrix Workspace is an all-embracing, fundamental and comprehensive concept. We will look at it in more detail, and it will become clear why.
Overall, Citrix Workspace represents Citrix's digital workplace concept. It is at once a solution, a service and a set of services for creating a unified, secure, convenient and manageable workplace.
Users get seamless SSO for quick access to applications / services, desktops and data from a single console on any device, so they can work productively. They can happily forget about the many accounts, passwords and the difficulty of finding applications (shortcuts, the Start menu, browsers, all in different places).
The IT department gets tools for centralized management of services and client devices, security, access control, monitoring, updates, network optimization and analytics.
Citrix Workspace provides unified access to the following resources:
- Citrix Virtual Apps and Desktops - virtualization of applications and desktops;
- Web applications;
- Cloud SaaS applications;
- Mobile applications;
- Files in various storage systems, including cloud storage.
Access to Citrix Workspace resources is through:
- a standard browser (Chrome, Safari, MS IE and Edge, and Firefox are supported);
- or the "native" client application, Citrix Workspace App.
Access is possible from all popular client devices:
- Fully-fledged computers running Windows, Linux, macOS and even Chrome OS;
- Mobile devices with iOS or Android.
The Citrix Workspace Platform is part of the many Citrix Cloud services for organizing digital workspaces. It is worth noting that Workspace includes most of the services present in Citrix Cloud; we will dwell on them later.
Thus, end users get digital workplace functionality on their favourite client devices through the Workspace App or its browser substitute (Workspace App for HTML5). To deliver this functionality, Citrix offers the Workspace Platform as a set of cloud services that the company's admins manage through Citrix Cloud.
Citrix Workspace is available in three packages: Standard, Premium and Premium Plus. They differ in the number of services included in the package. Some services can also be bought separately, outside a package. For example, the fundamental Virtual Apps and Desktops service is included only in the Premium Plus package, and bought separately it costs more than the Standard package and almost as much as Premium.
It turns out that Workspace is at once the client application (the Workspace App), the cloud platform or part of it (the Workspace Platform), the name of a range of service packages, and Citrix's digital workplace concept as a whole. Quite a many-sided entity.
Architecture and system requirements
Conventionally, the structure of Citrix digital workplaces has three areas:
- Many client devices with the Workspace App or browser-based access to the digital workplaces.
- The Workspace Platform itself in the Citrix Cloud, which lives somewhere on the Internet in the cloud.com domain.
- Resource locations: own or leased sites, private or public clouds, which host the resources (applications, virtual desktops and customer data) published in Citrix Workspace. This is the data plane mentioned above; recall that one customer may have several resource locations.
Examples of resources are hypervisors, servers, network devices, AD domains and the other elements needed to deliver the digital workplace services to users.
A distributed infrastructure scenario may involve:
- several resource locations in the customer's own data centers,
- locations in public clouds,
- small locations at remote sites.
When planning locations, you should consider:
- proximity of users, data and applications;
- the ability to scale, including rapid growth and shrinkage of capacity;
- security and regulatory requirements.
Communication between Citrix Cloud and the customer's resource locations goes through components called Citrix Cloud Connectors. These components let the customer focus on maintaining the resources provided to users and forget about the service and management components, which are already deployed in the cloud and supported by Citrix.
For load balancing and fault tolerance, it is recommended to deploy at least two Cloud Connectors in each resource location. A Cloud Connector can be installed on a dedicated physical or virtual machine running Windows Server (2012 R2 or 2016). It is preferable to place them on the internal network of the resource location, not in the DMZ.
The Cloud Connector authenticates and encrypts traffic between Citrix Cloud and the resource location over HTTPS, by default on TCP port 443. Only outgoing sessions, from the Cloud Connector to the cloud, are allowed; incoming connections are prohibited.
Citrix Cloud requires Active Directory (AD) in the customer's infrastructure. AD acts as the main IdAM provider and is required to authorize user access to Workspace resources. Cloud Connectors must have access to AD. For fault tolerance, it is good practice to have a pair of domain controllers in each resource location with which the Cloud Connectors of that location interact.
Citrix Cloud Services
Now it is worth dwelling on the main Citrix Cloud services that underpin the Citrix Workspace platform and let customers deploy fully-fledged digital workplaces.
Let us consider the purpose and functionality of these services.
Virtual Apps and Desktops
This is the main Citrix digital workspace service; it provides terminal access to applications and full VDI. It supports virtualization of Windows and Linux applications and desktops.
As a Citrix Cloud service, Virtual Apps and Desktops has the same components as the traditional (non-cloud) Virtual Apps and Desktops, as shown in the figure below. The difference is that, for the service, all control components are located in Citrix Cloud. The customer no longer needs to deploy and maintain these components or allocate computing power for them; Citrix does this.
On its side, the customer must deploy the following components in resource locations:
- Cloud Connectors
- AD domain controllers
- Virtual Delivery Agents (VDAs);
- Hypervisors: as a rule there are some, but there are situations where one can get by with physical machines;
- Optional components: Citrix Gateway and StoreFront.
All of these components except the Cloud Connectors are maintained by the customer alone. This is logical, since the data plane is located here, above all on the physical nodes and hypervisors with VDAs, where user applications and desktops actually reside.
Cloud Connectors only need to be installed by the customer; this is a very simple procedure performed from the Citrix Cloud console. Their further support is automatic.
Access Control
This service provides the following features:
- SSO (single sign-on) to a large list of popular SaaS applications;
- filtering of access to Internet resources;
- monitoring of user activity on the Internet.
SSO of clients to SaaS services through Citrix Workspace is a more convenient and secure alternative to regular browser access. The list of supported SaaS applications is quite large and constantly growing.
Internet access filtering can be configured on the basis of manually created white or black lists of sites. In addition, classification of access by site category is supported, based on extensive, regularly updated commercial URL lists. Users can be restricted from accessing categories such as social networks, shopping, adult content, malware, torrents, proxies, etc.
Besides allowing direct access to sites / SaaS or blocking it, clients can be redirected to Secure Browser. That is, to reduce risk, access to selected categories / lists of Internet resources is possible only through Secure Browser.
The service also provides detailed analytics for monitoring user activity on the Internet: visited sites and applications, dangerous resources and attacks, blocked access attempts, and volumes of uploaded / downloaded data.
Secure Browser
Allows you to publish an Internet browser (Google Chrome) to Citrix Workspace users as a virtual application. Secure Browser is a SaaS service managed and maintained by Citrix. It is hosted entirely in Citrix Cloud (including the data plane); the customer does not need to deploy or maintain anything in its own resource locations.
Citrix is responsible for allocating resources in its cloud for the VDAs that host the browsers published for customers, and for the security and updating of the OS and of the browsers themselves.
Client access to Secure Browser is through the Workspace App or a client browser. The session is encrypted with TLS. To use the service, the client does not need to download or install anything.
Sites and web applications launched through Secure Browser run in the cloud; the client receives only the picture of the terminal session, and nothing is executed on the endpoint device. This can significantly improve security and protect against browser attacks.
The service is connected and managed through the customer's Citrix Cloud console. Connecting takes a couple of clicks.
Management is also quite simple; it comes down to setting the policy and the whitelists.
The policy allows you to adjust the following settings:
- Clipboard: enables copy-paste in the browser session;
- Printing: the ability to save web pages on the client device as PDF;
- Non-kiosk: enabled by default, allows full use of the browser (multiple tabs, address bar);
- Region failover: the ability to restart the browser in another Citrix Cloud region when the primary region goes down;
- Client drive mapping: the ability to mount a client device drive for uploading or downloading files in the browser session.
Whitelists allow you to specify the list of sites that clients may access. Access to resources outside this list is denied.
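The two policy layers described in the Access Control and Secure Browser sections above, as an added worked example (this is not Citrix code): the Access Control decision for a requested URL (allow it directly, block it, or redirect it into Secure Browser, driven by manual white/black lists and a category feed), followed by the Secure Browser whitelist that applies inside the hosted browser session. The precedence order (explicit block, explicit allow, category rule, default), the category mapping that stands in for the commercial URL lists, and every host name are assumptions constructed for this example.

```python
"""Added example of an Access Control decision plus a Secure Browser whitelist.
Not Citrix code; precedence order, category feed and host names are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Action(Enum):
    ALLOW = "allow"                    # open directly on the client device
    BLOCK = "block"                    # access denied
    SECURE_BROWSER = "secure_browser"  # redirect into the hosted Secure Browser


def host_of(url: str) -> str:
    """Normalised host name of a URL ('https://WWW.Example.com/x' -> 'www.example.com')."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def host_matches(host: str, pattern: str) -> bool:
    """A list entry matches the host itself and any of its subdomains."""
    pattern = pattern.lower()
    return host == pattern or host.endswith("." + pattern)


@dataclass
class AccessControlPolicy:
    blocklist: list = field(default_factory=list)          # manually created black list
    allowlist: list = field(default_factory=list)          # manually created white list
    category_of: dict = field(default_factory=dict)        # host -> category (stand-in for the URL feed)
    category_actions: dict = field(default_factory=dict)   # category -> Action
    default: Action = Action.ALLOW

    def lookup_category(self, host: str):
        """Walk from the full host up to its parent domains, so a subdomain inherits its parent's category."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.category_of:
                return self.category_of[candidate]
        return None

    def decide(self, url: str) -> Action:
        host = host_of(url)
        # Assumed precedence: explicit block, then explicit allow, then category rule, then default.
        if any(host_matches(host, p) for p in self.blocklist):
            return Action.BLOCK
        if any(host_matches(host, p) for p in self.allowlist):
            return Action.ALLOW
        return self.category_actions.get(self.lookup_category(host), self.default)


@dataclass
class SecureBrowserPolicy:
    whitelist: list = field(default_factory=list)   # the only sites reachable inside the hosted browser
    clipboard: bool = False                         # policy switches named in the section above
    printing: bool = False
    non_kiosk: bool = True
    region_failover: bool = True
    client_drive_mapping: bool = False

    def is_allowed(self, url: str) -> bool:
        host = host_of(url)
        return any(host_matches(host, p) for p in self.whitelist)


def route(access: AccessControlPolicy, secure: SecureBrowserPolicy, url: str) -> Action:
    """Final outcome for one request: a redirect into Secure Browser for a site that is
    not on the Secure Browser whitelist is denied there as well."""
    action = access.decide(url)
    if action is Action.SECURE_BROWSER and not secure.is_allowed(url):
        return Action.BLOCK
    return action


# Constructed sample policies (all hosts are made up for this example).
ACCESS = AccessControlPolicy(
    blocklist=["leaks.example"],
    allowlist=["corp.example"],
    category_of={
        "socialsite.example": "social networks",
        "badstuff.example": "malware",
        "freeproxy.example": "proxies",
        "shop.example": "purchases",
    },
    category_actions={
        "social networks": Action.BLOCK,
        "malware": Action.BLOCK,
        "proxies": Action.SECURE_BROWSER,
        "purchases": Action.SECURE_BROWSER,
    },
)
SECURE = SecureBrowserPolicy(whitelist=["shop.example"])

if __name__ == "__main__":
    for url in ["https://wiki.corp.example/page", "https://leaks.example/",
                "https://www.socialsite.example/feed", "https://shop.example/cart",
                "http://freeproxy.example/", "https://unknown.example/"]:
        print(f"{url:40} -> {route(ACCESS, SECURE, url).value}")
```

The interesting case is the last step in route(): a category that is only permitted through Secure Browser still ends in a denial unless the site is also on the Secure Browser whitelist, so the two lists have to be maintained together.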
Content Collaboration
This service gives Workspace users shared access to files and documents hosted on the customer's internal resources (on-premises) and in supported public cloud services. These may be users' personal folders, corporate network shares, SharePoint documents, or cloud storage such as OneDrive, Dropbox or Google Drive.
The service provides SSO for accessing data on all types of storage resource. Citrix Workspace users get secure access to work files from their devices, not only in the office but also remotely, without any additional hassle.
Content Collaboration provides the following features for working with data:
- file exchange between Workspace resources and the client device (upload and download),
- synchronization of user files on all devices,
- file sharing and synchronization for multiple Workspace users,
- setting access rights to files and folders for other Workspace users,
- requesting access to files, and generating links for secure file upload.
In addition, extra protection mechanisms are provided:
- access to files with one-time passwords,
- file encryption,
- watermarked file sharing.
Endpoint Management
This service provides the functionality a digital workplace needs to manage mobile devices (Mobile Device Management, MDM) and applications (Mobile Application Management, MAM). Citrix positions it as a SaaS EMM solution: Enterprise Mobility Management as a service.
MDM functionality allows you to:
- distribute applications, device policies and certificates for connecting to the customer's resources,
- track devices,
- lock devices and perform a full or partial wipe.
MAM functionality allows you to:
- secure apps and data on mobile devices,
- deliver corporate mobile apps.
In its architecture and in how the service is delivered to the customer, Endpoint Management is very similar to the cloud version of Virtual Apps and Desktops described above. The control plane and the services that form it are located in Citrix Cloud, and Citrix is responsible for their maintenance, which allows this service to be considered SaaS.
The data plane in the customer's resource locations includes:
- Cloud Connectors, required to interact with Citrix Cloud,
- Citrix Gateway, providing secure remote access for users to the customer's internal resources (applications, data) and micro-VPN functionality,
- Active Directory and PKI,
- Exchange, file shares, virtual applications and desktops.
Gateway
Citrix Gateway provides the following functionality:
- a remote access gateway: a secure connection to corporate resources for mobile and remote users outside the secure perimeter,
- an IdAM (Identity and Access Management) provider delivering SSO to corporate resources.
In this context, corporate resources means not only virtual applications and desktops but also many SaaS applications.
To optimize network traffic and get micro-VPN functionality, Citrix Gateway must be deployed in each resource location, usually in the DMZ. In this case, allocating the necessary capacity and supporting it falls on the customer's shoulders.
An alternative is to use Citrix Gateway as a Citrix Cloud service; in this case the customer does not need to deploy or maintain anything, since Citrix does this in its cloud.
Analytics
This is the Citrix Cloud analytics service, integrated with all of the cloud services described above. It is designed to collect and analyze the data generated by Citrix services using built-in machine learning mechanisms. It takes into account metrics related to users, applications, files, devices and the network.
As a result, reports on security, performance and user operations are generated.
In addition to generating statistical reports, Citrix Analytics can act proactively. This consists of building profiles of normal user behaviour and identifying anomalies. If a user starts to use an application in a non-standard way or actively shovels data around, the user and their device can be blocked automatically. The same happens when dangerous Internet resources are accessed.
Attention is paid not only to security but also to performance. Analytics lets you monitor and quickly resolve problems associated with long user logons and network delays.
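The behavioural-baseline idea described above, as an added worked example (this is not Citrix Analytics code and says nothing about its actual models): a profile of each user's normal daily download volume is built from a baseline window, and a day is flagged when the volume exceeds mean + k * standard deviation or when a site flagged as dangerous was accessed, after which the automatic block the article mentions would follow. The event schema, the sample events, the baseline window and the threshold rule are assumptions constructed for this example.

```python
"""Added example of per-user behaviour baselines with anomaly flags.
Not Citrix Analytics code; events, window and threshold rule are assumptions."""
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample events: (day, user, MB downloaded, site flagged as dangerous).
EVENTS = [
    ("2020-01-01", "alice", 100, False), ("2020-01-02", "alice", 120, False),
    ("2020-01-03", "alice", 110, False), ("2020-01-04", "alice", 130, False),
    ("2020-01-05", "alice", 140, False), ("2020-01-06", "alice", 900, False),
    ("2020-01-01", "bob", 50, False), ("2020-01-02", "bob", 60, False),
    ("2020-01-03", "bob", 55, False), ("2020-01-04", "bob", 45, False),
    ("2020-01-05", "bob", 40, False), ("2020-01-06", "bob", 52, False),
    ("2020-01-01", "carol", 200, False), ("2020-01-02", "carol", 210, False),
    ("2020-01-03", "carol", 190, False), ("2020-01-04", "carol", 205, False),
    ("2020-01-05", "carol", 195, False), ("2020-01-06", "carol", 205, True),
]
BASELINE_DAYS = ["2020-01-01", "2020-01-02", "2020-01-03", "2020-01-04", "2020-01-05"]


def daily_totals(events):
    """user -> {day: total MB downloaded on that day}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, mb, _ in events:
        totals[user][day] += mb
    return totals


def build_profiles(events, baseline_days):
    """Normal-behaviour profile per user: (mean, stdev) of daily download volume over
    the baseline window. Users with fewer than two baseline days get no profile."""
    profiles = {}
    for user, per_day in daily_totals(events).items():
        samples = [per_day[d] for d in baseline_days if d in per_day]
        if len(samples) >= 2:
            profiles[user] = (mean(samples), stdev(samples))
    return profiles


def threshold(profile, k=3.0):
    """Volume above which a day counts as anomalous; the spread is floored at 1 MB so a
    perfectly steady user is not flagged by tiny noise."""
    m, s = profile
    return m + k * max(s, 1.0)


def detect(events, baseline_days, day, k=3.0):
    """Users with anomalies on `day` -> list of reason codes."""
    profiles = build_profiles(events, baseline_days)
    findings = {}
    for user, per_day in daily_totals(events).items():
        if day not in per_day:
            continue
        reasons = []
        if user in profiles and per_day[day] > threshold(profiles[user], k):
            reasons.append("download_volume")
        if any(u == user and d == day and risky for d, u, _, risky in events):
            reasons.append("dangerous_resource")
        if reasons:
            findings[user] = reasons
    return findings


def recommended_action(reasons):
    """Automatic response in the spirit of the section above: block user and device on any anomaly."""
    return "block user and device" if reasons else "no action"


if __name__ == "__main__":
    for user, reasons in detect(EVENTS, BASELINE_DAYS, "2020-01-06").items():
        print(user, reasons, "->", recommended_action(reasons))
```

With the sample data, alice is flagged on 2020-01-06 because 900 MB is far above her threshold of about 167 MB, carol is flagged only because of the dangerous site, and bob stays within his profile.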
Conclusion
We have become acquainted with the architecture of Citrix Cloud, the Workspace platform and its basic services needed to build a digital workplace infrastructure. Note that we did not consider all the services of Citrix Cloud; we limited ourselves to the basic set for organizing a digital workspace.
The full list of Citrix cloud services also includes networking tools and additional features for working with applications and workstations.
It must also be said that the basic functionality of digital workplaces can be deployed without Citrix Cloud, exclusively on-premises. The basic product Virtual Apps and Desktops is still available in the classic version, where not only the VDAs but all the management services are deployed and maintained by the customer on their own site; no Cloud Connectors are needed in this case. The same applies to Endpoint Management: its on-premises ancestor is called XenMobile Server, although the cloud version is somewhat more functional. The customer can also implement some of the capabilities of Access Control on their own site. Secure Browser functionality can be implemented on-premises, and the choice of browser is then up to the customer.
The desire to deploy everything on your own site is good in terms of security, control and sanction-driven distrust of the bourgeois clouds. However, without Citrix Cloud the functionality of Content Collaboration and Analytics is completely unavailable. The functionality of the other on-premises Citrix solutions, as noted above, may be inferior to their cloud implementations. And most importantly, you will have to keep the control plane yourself and administer it yourself.
Useful links:
Citrix Product Datasheets, including Citrix Cloud
Citrix Tech Zone - technical videos, articles and diagrams
Citrix Workspace Resource Library