Citrix Cloud has a service level goal (note: goal - not agreement) of 99.9% uptime in a calendar month. Sounds good, but that equates as 43 minutes of downtime a month. We’re further constrained by the cloud conundrum which goes as follows: Before cloud: Move it all to the cloud. Citrix ADC in AWS Marketplace offers a unified application delivery solution designed to meet the needs of cloud adopters with hybrid, multi-cloud environments, and support them in scaling and evolving with future trends. Key benefits and features: Citrix Safeguard application uptime and ensure consistent performance 12. Citrix Cloud Engineering teams are actively investing in architectural and operational items focused on high availability and service resiliency. This continues to be our top priority to customers. As a reminder, status.cloud.com is where all outages and impacts to Citrix Cloud are communicated broadly to.

Citrix User Experience – A Key for Business Success

Citrix technology is used to provide remote users with access to key business applications. If Citrix access is not available or slow, users will be less productive and the business will suffer. To ensure Citrix success, administrators need to be sure that the Citrix user experience is always optimal.

There are many facets to the Citrix user experience. Key aspects include: logon time when the user connects to the service, application launch time when the user first accesses an application or a desktop, screen refresh latency when the user performs interactive tasks, and available bandwidth when a user performs actions in the application.

Challenges

Citrix is one of the most performance-sensitive applications in enterprise networks. A performance issue anywhere in the infrastructure can lead to users reporting that Citrix is slow or not working well.

To ensure great user experience, Citrix administrators must be able to monitor all the different aspects of Citrix user experience proactively. And when a user experience issue is detected, they must be able to quickly detect and resolve issues to minimize downtime.

eG Enterprise: All-in-One in One Solution for Citrix User Experience Monitoring

eG Enterprise is a purpose-built Citrix Ready certified solution to monitor, diagnose and report on Citrix user experience. With eG Enterprise, administrators can:

• Simulate Citrix logons to detect times when the Citrix farm is either not available or slow to logon users
• Simulate entire Citrix sessions to detect slowness during application access
• Monitor actual user logon times and diagnose why the logon process is slow
• Track application launch times and report slowness
• Monitor Citrix virtual channels to detect bandwidth or slow response issues

Features

• Identify Citrix Logon Issues Proactively with Simulated Logon Monitoring

  eG Enterprise Logon Simulator for Citrix XenApp and XenDesktop, a built-in tool available with eG Enterprise, simulates exactly the exact same steps that users perform when they logon to Citrix XenApp or XenDesktop and captures the time taken for the logon process. Using the results of the simulation, administrators can:

  • Easily identify what affects user logon experience: credential authentication, application enumeration, application launch, etc.
  • Establish baselines and compare user experience across multiple locations

• Diagnose the Root Cause of Logon Slowness with One Click

  • eG Enterprise monitors in real time the actual logon times seen by each and every user accessing the Citrix farm
  • Logon metrics are tracked from the Citrix Delivery Controller as well as from the Citrix XenApp servers and XenDesktop VMs
  • With just one click, administrators can see why logon is slow: whether it is being caused by GPO processing, logon script execution, profile loading, user authentication, or other factors
  • Additional diagnosis reveals why a user’s profile is large, or which group policies are causing logon slowdowns

• Proactively Detect Application Slowness with Full Session Emulation

  eG Enterprise records and replays an entire user session, all the way:

  • From logging in to launching an application or desktop (e.g., open the SAP portal)
  • Performing tasks in the application (e.g., access HR information, approve/revoke HR requests, etc.)
  • And then logging out of the application

  Admins can use the recorded script to simulate a full Citrix session—24x7—and report availability and performance at each step of the user interaction and from different locations.

• Report Launch Times for All Published Applications

  • Track who launched what application and at what time
  • Be alerted when application launch takes too long
  • Determine if slowness is specific to some applications only
  • Compare performance across applications and across servers to identify performance anomalies
  • Correlate application slowness with infrastructure usage and performance, to identify the real cause of slowness

• Correlate End-User Latency with Network Latency

  Citrix administrators frequently report that slow performance is caused by network connection issues between user terminals and the Citrix farm. Using eG Enterprise, administrators can track

  • The screen refresh latency in real time for every single user session
  • The network latency between the user terminals and the Citrix farm (without any additional instrumentation on the user terminals)

  Comparison of network latency with the screen refresh latency reveals the cause of slowness. For example, if the network latency is high, then an increased screen refresh latency is attributable to network slowness. Using this information, Citrix administrators can easily identify if slow performance is due to the Citrix servers or because of a user’s connection to the Citrix farm.

• Monitor All the Citrix Virtual Channels

  Monitoring of virtual channel usage for each Citrix session provides great insights into factors that can affect the Citrix user experience. eG Enterprise tracks the line speed at which the user is connecting to the farm, the overall bandwidth usage and details of the bandwidth used on each of the virtual channels. Using this information, administrators can determine if the user is performing any unusual activity that could be causing higher latency (for example, printing a large file in the background, watching a bandwidth-consuming video).

• Track Session Disconnects

  Abrupt disconnects from the Citrix farm cause users to lose work from their session. When disconnects happen, they also leave behind user processes on the Citrix server/desktop. This results in wasteful usage of resources on the Citrix server/desktop.

  eG Enterprise helps identify unusual session connection losses when they occur. By auto-correlating session performance with other activities on the Citrix servers/desktops, eG Enterprise helps identify the reasons for such disconnects—such as a bad printer driver causing sessions to be disconnected.

• Reduce Mean Time to Repair and Enhance Service Uptime

  When performance problems happen, if it takes hours or days to resolve the problem, users will be frustrated. To ensure user productivity and satisfaction, Citrix administrators must be able to quickly identify and resolve the cause of performance problems.

  With eG Enterprise, administrators can not only monitor every component of the Citrix Stack (XenApp, XenDesktop, XenMobile, XenServer, StoreFront, NetScaler, Provisioning Services, License Server, etc.) but also the supporting infrastructure tiers (Active Directory, virtualization, storage, network, applications, etc.)—all from a single, intuitive web console.

  • Discover topology maps showing how the Citrix infrastructure is setup and highlight inter-dependencies between the different tiers
  • Correlate Citrix user experience with the performance of each of the supporting tiers and help identify the root cause of a problem
  • Integration with service management tools like ServiceNow, JIRA, and more, to automatically creates trouble tickets

Who does Citrix use to monitor Citrix? eG Innovations.
Since mid-2014, eG Enterprise has been the exclusive performance monitoring solution for the on-site infrastructure running Citrix’s major user and partner events, Citrix Summit and Citrix Synergy.

Benefits of Citrix User Experience Monitoring

• Quantify the performance that users see when they access the Citrix farm
• Monitor all aspects of Citrix user experience—from logon times to application launch times
• Proactively detect times when Citrix users are seeing slowness
• Troubleshoot the cause of slowness in one click using eG Enterprise’s automated root cause diagnosis technology

Why eG? One Monitor to Manage All of IT.

• eG Enterprise is the only single pane-of-glass, virtualization-aware, auto-diagnostic IT infrastructure performance monitor
• Gain actionable answers to performance issues, wherever they originate, from application code to bare metal
• Understand the impact of infrastructure issues on application performance and user experience
• Unify IT performance monitoring, alerting, diagnosing, reporting, and capacity planning in a single console
• Ensure a great user experience and dramatically improve IT efficiency
• Benefit from flexible deployment options (on-premises and SaaS) and IT monitoring approaches (agentless and agent-based)

The access layer of your deployment relates to your StoreFront infrastructure, and NetScaler Gateway for Internal and Remote access respectively. These components facilitate access to Citrix resources in your environment.

When we look at a Cloud deployment – in this instance Citrix Cloud, there are many ways of hosting the access layer components, but these can largely be simplified down to Citrix Managed (Cloud Storefront/WorkSpace Service and NetScaler Gateway Service) or Customer Managed (BYO Storefront and NetScaler).

In order to make an informed choice of how to deploy your access layer, you need to understand the benefits and drawbacks of the different scenarios and how they can impact on your overall solution.

Citrix Cloud StoreFront/Workspace Service

One of the main strengths of Citrix Cloud is in its simplicity and Storefront is a strong example of this. As soon as your service is enabled, StoreFront in the cloud just works. You have a few configuration options – such as basic branding, enabling NetScaler Gateway Service, but it’s effectively already configured for internal users and only needs an option toggling on to enable.

Simple is good, but it can also have some drawbacks, as with Cloud hosted storefront.

Branding is still a bone of contention – more than a few customers would expect to be able to customise the look and feel of StoreFront beyond what is currently available. There are controls available to modify basic colours and add logos, however if your requirements exceed this then unfortunately you’re stuck. There’s currently no capability to modify the CSS beyond what’s exposed in the control panel, and there’s certainly no ability to add custom JavaScript (which is entirely understandable!).

Many customers leverage the ability to inject custom JavaScript to add functionality to storefront that does not exist today – for example a pre or post-login EULA, or perhaps for maintenance notifications. If some of these capabilities are available in the cloud hosted storefront, then perhaps it would reduce the amount of customisation needed? Or perhaps we always like to tinker?

Today, Cloud Storefront will only present resources from Citrix Cloud, however using the Citrix Workspace Service you will have the option to integrate non-cloud deployments into the Citrix Cloud world. This is a nice touch and has the potential to help organisations making use of their Hybrid rights while migrating to the cloud to present a consistent access point for all users.

Authentication

When you use Cloud Storefront your users authenticate through your Citrix Cloud storefront site – typically https://companyname.xendesktop.net. This authentication request is passed through your Cloud Connectors and validated against your Active Directory using the machine account of your Cloud Connector OS’es. All very simple, and works quite nicely, however there’s a couple of challenges you may face with this.

The Security Team – In larger organisations this may be a team, or it may be just a conversation with the nominated security guy, however in terms of security considerations, where authentication happens can change the conversation completely. If the organisation is Cloud-Happy and has adopted other Cloud solutions, this may be easier, but fundamentally when you are effectively delegating the authentication process to a Cloud Service this moves your security perimeter to the cloud service. Functionally this is fine, but it can be a harder pitch and receive more pointed questions.

Just using the XenApp and XenDesktop service is not a difficult sell to security teams. Data resides where it always has, you’re just moving the brokering process to the cloud. Limited PII (personally identifiable information) is stored, and the encryption policies are acceptable to most. There’s even a page dedicated to security information here: https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/secure.html. Interestingly, the security page only references Credential handling in the context of using a customer managed StoreFront instance.

In-fact there’s no real security statement on how they handle user credentials when using Cloud StoreFront. Perhaps if you’ve had to look it up, then the answer is use customer managed?

Multi-factor Authentication – this was a major customer request in the early days of Citrix Cloud, but it has recently been solved! Sort of. Customers using the new Workspace Service in Citrix Cloud (currently new customers and XenApp/Desktop Essentials) have the ability to use Azure AD to handle user authentication. This has been available for Administrative access for a while and broadly speaking the selection of Azure AD to integrate with is sound as this extends the opportunity to use any one of the many identity providers that integrate with Azure AD, so you can effectively choose your authentication poison.

This only takes you so far though. Azure AD will authenticate you and pass a SAML assertion back to Workspace Service. So, at this point, Citrix Cloud has a SAML assertion to prove your identity – and this is enough to enumerate your workspace entitlements. Then you launch something. Unfortunately, today, Windows doesn’t use SAML as a credential type, so you get another logon prompt – this time from the resource you’re connecting to. Double logons make for unhappy users.

In an on-premises world, this is where you would look to implement Federated Authentication Services (FAS) as it allows you to Authenticate using a SAML identity provider (IDP) and then FAS does the translation into a Windows Identity through the clever use of virtual smart cards.

Why can’t we do this with Citrix Cloud? FAS needs to integrate with StoreFront today. The smart money would suggest that at some stage this integration may appear in Citrix Cloud as a tick box option, allowing the integration with an on-premises FAS solution through the cloud connectors, however today that doesn’t exist. So if you require multi-factor authentication, you will have a double logon.

Remote Access (NetScaler Gateway Service)

NetScaler Gateway Service (NGS) is a fantastic concept at the moment, it allows you to enable remote access your resources through Citrix Cloud with a simple ON/OFF option. How simple is that? Now to support this we’ll accept my previous points and assume you’re happy using the Cloud Workspace Service/StoreFront. We must really as it’s not possible to use with on-premises StoreFront!

For it’s pure simplicity and reach NGS deserves some consideration. There are numerous PoP’s (Point of Presence) globally, meaning that even for smaller organisations, you have truly global reach.

However with simplicity comes compromise, and there are some limitations:

• Can’t mix and match – you either host your own NetScaler Gateway’s or use NGS. Or have split deployments.
• Limited Auditing – for most remote access solutions it’s a requirement to maintain logs of who has accessed remotely, what they accessed and how long for. Today that information is not exposed.
• No integration with On-Premises NetScaler MAS – if you use MAS to manage/monitor an internal/self-managed NetScaler deployment then you won’t get Gateway Insight or HDX Insight. Note: this is likely to be available as part of the Citrix Cloud MAS Service though.
• No Optimal Gateway Routing – User’s will get directed to a nearby PoP, but which one is not controllable.
• Just ICA Proxy – If you’re a tinkerer and like getting your NetScaler Session Policies “just right” this isn’t for you.
• No Endpoint Analysis – Internet café? Come on in!
• Global On/Off – remote access is enabled on a global level, so there’s no control today of who can access resources remotely as well as in the office.

Resiliency

Citrix Cloud has a Service Level Goal (Note: Goal not Agreement) of 99.9% uptime in a Calendar month. Sounds good, but that equates as 43 minutes of downtime a month. We’re further constrained by the cloud conundrum which goes as follows:

• Before Cloud: Move it all to the cloud then we won’t have to manage it!
• After Cloud: It’s broken! Why can’t we just reboot it?

To be clear, this isn’t specific to Citrix Cloud by any means, but with any cloud service lack of control over planned or unplanned downtime is a serious consideration.

So what can we do about this? This subject has been one of my longstanding reasons for keeping the access layer on premises. As of mid-late last year, your Citrix Cloud connectors have had Local Host Cache (LHC) in place. If you’re not familiar with LHC which has been available in the on-premises version for several releases now, LHC is where your Delivery Controller’s or in this case Cloud Connectors have a cache of the data required to run your site. This means that if Citrix Cloud becomes unavailable – or you lose internet connectivity to the Cloud Service, if you host your access layer on-premises then using the LHC on the Cloud Connectors, user’s can continue launching resources.

Let’s look at two scenarios:

Scenario	Operational State
	Cloud Access Layer	On-Premises Access Layer
XenApp/XenDesktop Service Down	Not Operational	Operational
No Internet and On-Premises Resources	Not Operational	Operational

Of course, we should all be using NetScaler SD-WAN and have abundant resiliency for our Internet Connectivity, so the second scenario should not happen, but these are common stumbling points when moving customers to a Cloud Service – “What happens if it goes down?”. With an on-premises access layer – in theory, nothing.

Summary

Overall, I’ve highlighted some of the limitations of the Cloud Services, but this is by no means saying don’t consider them. There are customers where the simplicity and fast time to value will offset some of the compromises, or others may not see them as issues at all. The purpose of this is to capture some of the considerations that need to be made when deciding what is best. Cloud is a delivery method, and not the only option available, making the correct decision based on individual requirements will make sure everyone has the best user experience.

Citrix Cloud Management

There is a lot of effort going into the development of both Workspace Service and NetScaler Gateway Service, so it is very much a decision that needs to be revisited as capabilities mature and new functionalities become available.

Citrix Cloud Portal

Service	Pro’s	Con’s
Cloud StoreFront/ WorkSpace Service	· Fast time to value · Low configuration effort · No SSL Certificates to manage	· Limited Customisation available · Single factor Authentication Only (Or double logon with MFA) · No Filtering of Resources · No Zone Preference Configuration · No FAS integration · No Vanity URL’s (Company.com instead of Xendesktop.net) · Single Store Only
NetScaler Gateway Service	· Fast time to value · Low configuration effort · No SSL Certificates to manage · Global Presence	· Can’t mix NGS and On-Premises NetScaler · No Integration with On-Premises MAS · Limited Auditing · ICA Proxy Only · No EPA Scans · Enabled for everyone or no-one. · Unauthenticated ICA Proxy
On-Premises StoreFront	· Enhanced Resiliency with LHC · Full Customisation · FAS Support · Filtering Possible · Zone Preference Configuration Possible · Optimal Gateway Routing possible · Multiple authentication options	· Additional Infrastructure · Requirement to Install/Configure/Maintain/Upgrade
On-Premises NetScaler Gateway	· Portal themes support · EPA Scan Support · Multiple Authentication options (LDAP/RADIUS/SAML) · Built-In OTP Solution (Enterprise Edition) · Authenticated ICA Proxy · Option to Provide VPN or Clientless Access (With Universal Licenses) · Integration with on-premises MAS for HDX Insight and Gateway Insight · Full Auditing capabilities	· Typically fewer PoP’s than NGS · Additional Resources to host · Requirement to Manage/Maintain/Operate