Digital Workspace Architecture on the Citrix Cloud Platform

Introduction

This article describes the capabilities and architectural features of the Citrix Cloud platform and the Citrix Workspace set of services. These solutions are the central element and the foundation for implementing Citrix's concept of digital workspaces.

In this article, I tried to understand and spell out the relationships between Citrix's cloud platforms, services and subscriptions, whose description in the company's public sources (citrix.com and docs.citrix.com) is vague in places. Cloud technologies, apparently there is no other way! It is worth noting that the architecture and technologies themselves are, on the whole, described sensibly. The difficulty lies in understanding the hierarchical relationship between services and platforms:

  • which platform is primary: Citrix Cloud or Citrix Workspace Platform?
  • which of these platforms includes the many Citrix services needed to build a digital workspace infrastructure?
  • how much does all this cost, and in what options can it be purchased?
  • is it possible to implement all the features of Citrix digital workspace without using Citrix Cloud?

The answers to these questions and an introduction to Citrix digital workspace solutions are under the cut.

Citrix Cloud

Citrix Cloud is a cloud platform that hosts all the services needed to organize digital workspaces. Citrix owns this cloud itself, maintains it, and provides the stated SLA (service availability of at least 99.5% per month).

Customers (clients) of Citrix, depending on the selected subscription (service package), get access to a specific list of services on the SaaS model. For them, Citrix Cloud acts as a cloud-based control panel for the company's digital workspaces. Citrix Cloud has a multi-tenant architecture; customers and their infrastructures are isolated from each other.

Citrix Cloud acts as the control plane, hosting numerous Citrix cloud services, including the utility and management services of the digital workspace infrastructure. The data plane, which includes user applications, desktops and data, resides outside Citrix Cloud. The only exception is the Secure Browser service, which is provided entirely on a cloud model. The data plane can be hosted in the customer's data center (on-premises), a service provider's data center, or the hyperscale public clouds (AWS, Azure, Google Cloud). Mixed and distributed solutions are possible, where customer data is spread across several sites and clouds while management is carried out centrally from Citrix Cloud.

This approach has a number of obvious advantages for customers:

  • freedom to choose a platform for data placement;
  • the ability to build a hybrid, distributed infrastructure spanning many placements from different providers, in several clouds and on-premises;
  • Citrix has no direct access to user data, since it lies outside Citrix Cloud;
  • the ability to independently set the required levels of performance, fault tolerance, reliability, confidentiality, data integrity and availability, and then select appropriate sites for placement;
  • no need to host and maintain the many digital workspace services, since they all live in Citrix Cloud and are Citrix's headache; as a result, lower costs.

Citrix Workspace

Citrix Workspace is a transcendent, fundamental and all-encompassing concept. Let's look at it in more detail, and it will become clear why.

In general, Citrix Workspace embodies Citrix's concept of digital workspaces. It is at once a solution, a service, and a set of services for creating a connected, secure, convenient and manageable workspace.

Users get seamless SSO with quick access to applications/services, desktops and data from a single console on any device. They can happily forget about the multitude of accounts and passwords and the difficulty of finding applications (shortcuts, the Start menu, browsers, all in different places).

The IT department receives tools for centralized management of services and client devices, security, access control, monitoring, updates, network optimization and analytics.

Citrix Workspace allows you to provide consolidated access to the following resources:

  • Citrix Virtual Apps and Desktops: virtualized applications and desktops;
  • web applications;
  • cloud SaaS applications;
  • mobile applications;
  • files in various storage systems, including cloud storage.

Citrix Workspace resources are accessed through:

  • a standard browser (Chrome, Safari, MS IE and Edge, and Firefox are supported);
  • or the "native" client application, Citrix Workspace App.

Access is possible from all popular client devices:

  • desktop and laptop computers running Windows, Linux, macOS and even Chrome OS;
  • mobile devices running iOS or Android.

The Citrix Workspace Platform is part of the Citrix Cloud suite of cloud services for digital workspaces. Note that Workspace includes most of the services present in Citrix Cloud; we will look at them in more detail later.

Thus, end users get digital workspace functionality on their favorite client devices through the Workspace App or its browser-based replacement (Workspace App for HTML5). To provide this functionality, Citrix offers the Workspace Platform, a set of cloud services that the company's admins manage through Citrix Cloud.

Citrix Workspace is available in three packages: Standard, Premium and Premium Plus. They differ in the number of services included. Some services can also be bought separately, outside a package. For example, the core Virtual Apps and Desktops service is only included in the Premium Plus package, and its standalone price is higher than the Standard package and almost equal to Premium.

It turns out that Workspace is at once a client application (Workspace App), a cloud platform or part of one (Workspace Platform), the name of the service package tiers, and Citrix's concept of digital workspaces as a whole. Such a multifaceted entity.

Architecture and system requirements

Conventionally, three areas can be distinguished in the structure of Citrix's Digital Workspace:

  • many client devices with the Workspace App or browser-based access to digital workspaces;
  • the Workspace Platform itself in Citrix Cloud, which lives somewhere on the Internet in the cloud.com domain;
  • resource locations: the customer's own or rented sites, private or public clouds, hosting the resources with applications, virtual desktops and customer data published in Citrix Workspace. This is the data plane mentioned above; recall that one customer can have several resource locations.

Examples of resources include hypervisors, servers, network devices, AD domains, and other elements required to provide appropriate digital workspace services to users.

A distributed infrastructure scenario may involve:

  • several resource locations in the customer's own data centers,
  • locations in public clouds,
  • small locations in remote branches.

When planning locations, consider:

  • proximity of users, data and applications;
  • scalability, including the ability to quickly build up and scale down capacity;
  • security and regulatory requirements.

Communication between Citrix Cloud and customer resource locations goes through components called Citrix Cloud Connectors. They allow the customer to focus on maintaining the resources provided to users and forget about fiddling with the utility and management services, which are already deployed in the cloud and maintained by Citrix.

For load balancing and failover, we recommend deploying at least two Cloud Connectors in each resource location. A Cloud Connector can be installed on a dedicated physical or virtual machine running Windows Server (2012 R2 or 2016). It is preferable to place them in the internal network of the resource location, not in the DMZ.

The Cloud Connector authenticates and encrypts traffic between Citrix Cloud and the resource location over HTTPS on the standard TCP port 443. Only outbound sessions are allowed, from the Cloud Connector to the cloud; inbound connections are prohibited.

Citrix Cloud requires an Active Directory (AD) service in the customer's infrastructure. AD acts as the primary IdAM provider and is required to authorize user access to Workspace resources. Cloud Connectors must have access to AD. For fault tolerance, it is good practice to have a pair of domain controllers in each resource location to serve the Cloud Connectors of that location.
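The requirements above (at least two Cloud Connectors per resource location, connectors on the internal network rather than in the DMZ, a pair of domain controllers they can reach, and only outbound TCP 443 from the connectors with no inbound rules) lend themselves to a pre-deployment check. The script below is an added example written for this article, not Citrix code; the plan structure, the firewall rule format and all addresses in it are constructed for the example. Because the text does not list the AD ports, any outbound rule whose destination is a domain controller is accepted.

```python
"""Pre-deployment check for a Citrix Cloud resource location plan (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    direction: str      # "out" or "in", relative to the connector host
    proto: str          # "tcp" or "udp"
    port: int
    src: str            # IP address or CIDR (assumed rule format)
    dst: str
    action: str         # "allow" or "deny"


@dataclass
class ResourceLocation:
    name: str
    internal_nets: list[str]
    dmz_nets: list[str]
    connectors: list[str]          # Cloud Connector host IPs
    domain_controllers: list[str]  # AD domain controller IPs
    rules: list[Rule] = field(default_factory=list)


def _in_any(ip: str, nets: list[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)


def check_location(loc: ResourceLocation) -> list[str]:
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    if len(loc.connectors) < 2:
        findings.append(f"{loc.name}: fewer than two Cloud Connectors")
    if len(loc.domain_controllers) < 2:
        findings.append(f"{loc.name}: fewer than two domain controllers")
    for c in loc.connectors:
        if _in_any(c, loc.dmz_nets):
            findings.append(f"{loc.name}: connector {c} is placed in the DMZ")
        elif not _in_any(c, loc.internal_nets):
            findings.append(f"{loc.name}: connector {c} is not on an internal network")
    for r in loc.rules:
        if r.action != "allow":
            continue
        if r.direction == "in" and r.dst in loc.connectors:
            findings.append(f"{loc.name}: inbound allow rule to connector {r.dst} "
                            f"({r.proto}/{r.port}) is not needed and should be removed")
        if r.direction == "out" and r.src in loc.connectors:
            # Outbound from a connector: HTTPS to the cloud, or AD traffic to a DC.
            to_dc = r.dst in loc.domain_controllers
            if not to_dc and not (r.proto == "tcp" and r.port == 443):
                findings.append(f"{loc.name}: connector {r.src} allowed outbound "
                                f"{r.proto}/{r.port} to {r.dst}; only tcp/443 to the cloud expected")
    return findings


# Constructed sample plans; the addresses belong to no real deployment.
SAMPLE_GOOD = ResourceLocation(
    name="dc-main",
    internal_nets=["10.10.0.0/16"],
    dmz_nets=["192.0.2.0/24"],
    connectors=["10.10.1.10", "10.10.1.11"],
    domain_controllers=["10.10.2.10", "10.10.2.11"],
    rules=[
        Rule("out", "tcp", 443, "10.10.1.10", "0.0.0.0/0", "allow"),
        Rule("out", "tcp", 443, "10.10.1.11", "0.0.0.0/0", "allow"),
        Rule("out", "tcp", 389, "10.10.1.10", "10.10.2.10", "allow"),
        Rule("in", "tcp", 443, "0.0.0.0/0", "10.10.1.10", "deny"),
    ],
)

SAMPLE_BAD = ResourceLocation(
    name="branch-1",
    internal_nets=["10.20.0.0/16"],
    dmz_nets=["192.0.2.0/24"],
    connectors=["192.0.2.5"],
    domain_controllers=["10.20.2.10"],
    rules=[
        Rule("in", "tcp", 443, "0.0.0.0/0", "192.0.2.5", "allow"),
        Rule("out", "tcp", 80, "192.0.2.5", "0.0.0.0/0", "allow"),
    ],
)

if __name__ == "__main__":
    for loc in (SAMPLE_GOOD, SAMPLE_BAD):
        for line in check_location(loc) or [f"{loc.name}: OK"]:
            print(line)
```

Run as a script it prints "dc-main: OK" and five findings for the branch plan (one connector, one domain controller, connector in the DMZ, an inbound allow rule, and an outbound rule on a port other than 443).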

Citrix Cloud Services

Now it's worth dwelling on the main Citrix Cloud services that underlie the Citrix Workspace platform and allow customers to deploy full-fledged digital workspaces.


Consider the purpose and functionality of these services.

Virtual Apps and Desktops

This is the main Citrix Digital Workspace service; it provides session-based (terminal) access to applications and full-fledged VDI. It supports virtualization of Windows and Linux applications and desktops.

As a Citrix Cloud service, Virtual Apps and Desktops has the same components as the traditional (non-cloud) Virtual Apps and Desktops product, as shown in the figure below. The difference is that all control components (the control plane) of the service are hosted in Citrix Cloud. The customer no longer needs to deploy and maintain these components or allocate computing capacity for them; Citrix does this.

[Figure: components of the Virtual Apps and Desktops service]

On its side, the customer must deploy the following components in resource locations:

  • Cloud Connectors;
  • AD domain controllers;
  • Virtual Delivery Agents (VDAs);
  • hypervisors: usually present, although there are situations where physical machines suffice;
  • optional components: Citrix Gateway and StoreFront.

All of the listed components except the Cloud Connectors are maintained by the customer independently. This is logical, since the data plane lives here, especially on the physical hosts and hypervisors with VDAs, where user applications and desktops actually run.

The customer only needs to install the Cloud Connectors, a very simple procedure performed from the Citrix Cloud console. Their further maintenance is automatic.

Access Control

This service provides the following features:

  • SSO (single sign-on) to a large list of popular SaaS applications;
  • Filtering access to Internet resources;
  • Monitoring of user activity on the Internet.

SSO to SaaS services through Citrix Workspace is a more convenient and secure alternative to ordinary browser access. The list of supported SaaS applications is quite large and constantly growing.

Internet access filtering can be configured based on manually created whitelists or blacklists of sites. In addition, it supports access control by site category, based on extensive, regularly updated commercial URL lists. Users can be denied access to categories such as social networks, shopping, adult content, malware, torrents, proxies, etc.

Besides allowing direct access to sites/SaaS or blocking them, it is possible to redirect clients to Secure Browser; that is, to reduce risk, access to selected categories/lists of Internet resources is allowed only through Secure Browser.

The service also provides detailed analytics for monitoring user activity on the Internet: visited sites and applications, dangerous resources and attacks, blocked access attempts, and volumes of uploaded/downloaded data.

Secure Browser

Allows you to publish a web browser (Google Chrome) as a virtual application to Citrix Workspace users. Secure Browser is a SaaS service managed and maintained by Citrix. It is hosted entirely in Citrix Cloud (including the data plane); the customer does not need to deploy or maintain anything in their own resource locations.

Citrix is responsible for allocating VDA resources in its cloud to host the browsers published to customers, and keeps the OS and browsers secure and up to date.

Clients access Secure Browser through the Workspace App or a client browser. The session is encrypted with TLS. The client does not need to download or install anything to use the service.

Websites and web applications launched through Secure Browser run in the cloud; the client only receives the picture of the terminal session, and nothing is executed on the end device. This significantly raises the level of security and protects against browser attacks.

The service is enabled and managed through the Citrix Cloud customer console. Enabling it takes a couple of clicks.

Management is also quite simple; it comes down to setting a policy and whitelists.

The policy allows you to adjust the following settings:

  • Clipboard: allows copy and paste in the browser session;
  • Printing: the ability to save web pages to the client device as PDF;
  • Non-kiosk: enabled by default, allows full use of the browser (several tabs, address bar);
  • Region failover: the ability to restart the browser in another Citrix Cloud region if the main region fails;
  • Client drive mapping: the ability to mount a client device drive to download or upload files from the browser session.

Whitelists let you specify the list of sites clients may access. Access to resources outside this list is denied.
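The filtering logic described in the Access Control section (whitelist, blacklist, category rules, and the allow/block/redirect-to-Secure-Browser outcome) together with the Secure Browser whitelist can be modelled as a small policy evaluator. The code below is an added example for this article, not Citrix code: the rule precedence (explicit blacklist, then whitelist, then category, then default), the wildcard syntax, and the host names and categories are all assumptions constructed for the example; the category table stands in for the commercial URL feed.

```python
"""Access Control / Secure Browser decision logic (added example, not Citrix code)."""
from urllib.parse import urlsplit

ALLOW, BLOCK, SECURE_BROWSER = "allow", "block", "secure_browser"


def _host(url: str) -> str:
    host = urlsplit(url if "://" in url else "https://" + url).hostname
    return (host or "").lower()


def _matches(host: str, patterns) -> bool:
    """Match a host against exact names or '*.example.com' style patterns (assumed syntax)."""
    for p in patterns:
        p = p.lower()
        if p.startswith("*."):
            if host == p[2:] or host.endswith(p[1:]):
                return True
        elif host == p:
            return True
    return False


class AccessPolicy:
    def __init__(self, whitelist, blacklist, categories, category_actions, default=ALLOW):
        self.whitelist = whitelist                  # host patterns always allowed directly
        self.blacklist = blacklist                  # host patterns always blocked
        self.categories = categories                # {host_pattern: category}, stands in for the URL feed
        self.category_actions = category_actions    # {category: ALLOW | BLOCK | SECURE_BROWSER}
        self.default = default

    def category_of(self, host: str):
        for pattern, cat in self.categories.items():
            if _matches(host, [pattern]):
                return cat
        return None

    def decide(self, url: str) -> str:
        host = _host(url)
        if _matches(host, self.blacklist):          # explicit deny wins
            return BLOCK
        if _matches(host, self.whitelist):          # explicit allow next
            return ALLOW
        cat = self.category_of(host)
        if cat is not None:                         # then the category rule
            return self.category_actions.get(cat, self.default)
        return self.default


class SecureBrowserPolicy:
    """Whitelist applied inside the hosted browser session; anything else is denied."""
    def __init__(self, whitelist):
        self.whitelist = whitelist

    def permits(self, url: str) -> bool:
        return _matches(_host(url), self.whitelist)


def evaluate(url: str, access: AccessPolicy, secure: SecureBrowserPolicy) -> str:
    """Combined outcome: a redirected site must still pass the Secure Browser whitelist."""
    decision = access.decide(url)
    if decision == SECURE_BROWSER and not secure.permits(url):
        return BLOCK
    return decision


# Constructed sample configuration; hosts and categories are invented for the example.
ACCESS = AccessPolicy(
    whitelist=["intranet.example.com", "*.trusted-saas.example"],
    blacklist=["bad.example.net"],
    categories={"*.social.example": "social", "shop.example": "shopping",
                "evil.example": "malware", "bad.example.net": "malware"},
    category_actions={"social": SECURE_BROWSER, "shopping": SECURE_BROWSER, "malware": BLOCK},
)
SECURE = SecureBrowserPolicy(whitelist=["*.social.example"])

if __name__ == "__main__":
    for u in ["https://intranet.example.com/portal", "https://feed.social.example",
              "https://shop.example/cart", "https://evil.example", "https://news.example"]:
        print(f"{u:40} -> {evaluate(u, ACCESS, SECURE)}")
```

The shopping site shows the interaction the text describes: Access Control redirects it to Secure Browser, but because it is absent from the Secure Browser whitelist the session is denied there, so the combined outcome is a block.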

Content Collaboration

This service gives Workspace users combined access to files and documents hosted on the customer's internal (on-premises) resources and on supported public cloud services. These can be users' personal folders, corporate network shares, SharePoint documents, or cloud storage such as OneDrive, Dropbox or Google Drive.

The service provides SSO for accessing data on all types of storage. Citrix Workspace users get secure access to work files from their devices not only in the office but also remotely, without any additional complexity.

Content Collaboration provides the following data manipulation capabilities:

  • file exchange between Workspace resources and the client device (download and upload),
  • synchronization of a user's files across all their devices,
  • file sharing and synchronization between multiple Workspace users,
  • setting file and folder permissions for other Workspace users,
  • requesting access to files, and generating links for secure download (upload) of files.

In addition, extra protection mechanisms are provided:

  • access to files with one-time passwords,
  • file encryption,
  • watermarking of shared files.

Endpoint Management

This service provides the mobile device management (MDM) and mobile application management (MAM) functionality needed for digital workspaces. Citrix positions it as a SaaS EMM solution: Enterprise Mobility Management as a Service.

MDM functionality allows you to:

  • distribute applications, device policies and certificates for connecting to customer resources,
  • track devices,
  • lock devices and perform a full or selective wipe.

MAM functionality allows you to:

  • ensure the security of applications and data on mobile devices,
  • deliver enterprise mobile applications.

In architecture and in the way the service is delivered to the customer, Endpoint Management is very similar to the cloud version of Virtual Apps and Desktops described above. The control plane and its constituent services are located in Citrix Cloud and maintained by Citrix, which lets us consider this service SaaS.

The data plane in customer resource locations includes:

  • Cloud Connectors, required to interact with the Citrix cloud,
  • Citrix Gateways, providing secure remote user access to the customer's internal resources (applications, data) and micro-VPN functionality,
  • Active Directory and PKI,
  • Exchange, file shares, virtual applications and desktops.

Gateway

Citrix Gateway provides the following functionality:

  • a remote access gateway: a secure connection to corporate resources for mobile and remote users outside the secure perimeter,
  • an IdAM (Identity and Access Management) provider, providing SSO to corporate resources.

Corporate resources in this context should be understood not only as virtual applications and desktops, but also as numerous SaaS applications.

To optimize network traffic and obtain micro-VPN functionality, you must deploy Citrix Gateway in each resource location, typically in the DMZ. In this case, allocating the necessary capacity and supporting it falls on the customer's shoulders.

An alternative is to use Citrix Gateway as a Citrix Cloud service; in this case the customer does not need to deploy or maintain anything at home, Citrix does it in its own cloud.

Analytics

This is the Citrix Cloud analytics service, integrated with all the cloud services described above. It collects the data generated by Citrix services and analyzes it using built-in machine learning engines, taking into account metrics related to users, applications, files, devices and the network.

As a result, reports are generated regarding security, performance and user operations.

Beyond generating statistical reports, Citrix Analytics can act proactively: it builds profiles of normal user behavior and detects anomalies. If a user starts using an application in an unusual way or actively shares data, the user and their device may be blocked automatically. The same happens when dangerous Internet resources are accessed.

Attention is paid not only to security but also to performance. Analytics lets you monitor and quickly resolve problems associated with long user logons and network delays.
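To make the "profile of normal behavior, then detect the anomaly" idea concrete, here is a minimal baseline check added for this article; it is not Citrix Analytics code and says nothing about the models Citrix actually uses. The metric (files shared per user per day), the threshold rule (baseline mean plus three standard deviations, with a floor so that low-activity users are not flagged over a handful of extra shares), the minimum history length, and the event log are all assumptions constructed for the example.

```python
"""Per-user behavior baseline and anomaly flagging (added example, not Citrix code)."""
from collections import defaultdict
from statistics import mean, pstdev

MIN_HISTORY_DAYS = 7     # do not judge a user with too little history (assumed)
MIN_ABS_INCREASE = 5     # floor above the mean, so tiny absolute changes are ignored (assumed)


def daily_counts(events):
    """events: iterable of (user, day, action); counts 'share' actions per user per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, action in events:
        if action == "share":
            counts[user][day] += 1
    return counts


def baseline(history):
    """history: {day: count} for past days; returns (mean, population stddev)."""
    values = list(history.values())
    return mean(values), pstdev(values)


def is_anomalous(history, today_count):
    """True when today's count exceeds the user's own baseline by the assumed margin."""
    if len(history) < MIN_HISTORY_DAYS:
        return False
    mu, sigma = baseline(history)
    threshold = max(mu + 3 * sigma, mu + MIN_ABS_INCREASE)
    return today_count > threshold


def flag_users(events, today):
    """Return users whose share count on `today` is anomalous versus their earlier days."""
    flagged = []
    for user, per_day in daily_counts(events).items():
        history = {d: c for d, c in per_day.items() if d < today}
        if is_anomalous(history, per_day.get(today, 0)):
            flagged.append(user)
    return sorted(flagged)


def _make_events():
    """Constructed sample log: eight days, the last one being 'today'."""
    days = [f"2020-03-{d:02d}" for d in range(1, 9)]
    alice_hist = [2, 3, 2, 1, 3, 2, 2]      # alice normally shares a couple of files a day
    bob_hist = [3, 4, 3, 3, 2, 4, 3]        # bob a few more
    ev = []
    for day, a, b in zip(days[:7], alice_hist, bob_hist):
        ev += [("alice", day, "share")] * a + [("bob", day, "share")] * b
        ev += [("alice", day, "download")] * 5          # non-share actions are ignored
    ev += [("alice", days[7], "share")] * 40             # spike on the last day
    ev += [("bob", days[7], "share")] * 4                # within bob's normal range
    ev += [("carol", days[5], "share")] * 1              # carol: one day of history only,
    ev += [("carol", days[7], "share")] * 50             # so her spike is not judged yet
    return ev


SAMPLE_EVENTS = _make_events()
TODAY = "2020-03-08"

if __name__ == "__main__":
    print("flagged:", flag_users(SAMPLE_EVENTS, TODAY))
```

Only alice is flagged: her spike is far above her own baseline, bob's day is within his usual range, and carol has too little history to have a profile at all, which is the case a real system must handle rather than blocking every new user on day one.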

Conclusion

We have become acquainted with the architecture of Citrix Cloud, the Workspace platform, and its main services needed to build a digital workspace infrastructure. Note that we have covered far from all Citrix Cloud services, limiting ourselves to the basic set for building a digital workspace. The full list of Citrix cloud services also includes networking tools and additional features for working with applications and workspaces.

It should also be said that the core digital workspace functionality can be deployed without Citrix Cloud, exclusively on-premises. The base product, Virtual Apps and Desktops, is still available in the classic version, in which not only the VDAs but also all management services are deployed and maintained by the customer on their own site; no Cloud Connectors are needed in this case. The same applies to Endpoint Management: its on-premises predecessor is called XenMobile Server, although the cloud version is somewhat more functional. The customer can also implement some of the Access Control capabilities on site. The functionality of Secure Browser can be implemented on-premises, and the choice of browser is up to the customer.

The desire to deploy everything on your own site is good from the standpoint of security, control, and sanctions-driven distrust of bourgeois clouds. However, without Citrix Cloud, the Content Collaboration and Analytics functionality is completely unavailable. The functionality of the other Citrix on-premises solutions, as noted above, may be inferior to their cloud implementations. And most importantly, you will have to host the control plane and administer it yourself.

Useful links:

Technical documentation for Citrix products, incl. Citrix Cloud
Citrix Tech Zone – technical videos, articles and diagrams
Citrix Workspace Resource Library

Source: habr.com
