I’ve definitely seen more interest in Citrix Cloud over the last 6 months but I wanted to ask a question — I thought there used to be an option to use an “on prem” NetScaler which could really be hosted in a public cloud for that matter in conjunction with the Workspace service (as opposed to on prem Storefront). Test an internal Citrix Session to the Citrix Cloud. Open the internal StoreFront Url and enter in the credentials. And yes, the Desktop and Apps from my XenApp and XenDesktop Service in Citrix Cloud are working! Test an external Citrix Session to the Citrix Cloud. Open the External NetScaler Url and enter in the credentials. StoreFront is free and available to use with XenDesktop and XenApp 5.5 or higher, and it also integrates with Citrix's XenMobile enterprise mobility management platform to provide self-service access to mobile apps. It's often cheaper for Citrix shops than using a third-party vendor such as Apperian, AppDirect, Embarcadero or Partnerpedia.
After attending Citrix Synergy this week, there is no denying that Citrix is quite serious about their cloud offerings and announced more offers that will be arriving later this year. This includes offerings like their Citrix Analytics Services and Workspace Service, but still it will take some time before these services will be available. Today Citrix Cloud consists of multiple services such as XenApp and XenDesktop Essentials, ShareFile, XenMobile and the “plain” XenDesktop deployments which are labeled Apps & Desktops.
So if you plan to start using Citrix Cloud today, what do you need to think about? It is important to know that Citrix Cloud is not a solution which manages your VDA agents (meaning where your applications and data are stored); it is a controlled management plane with additional services.
Brief overview of the architecture
This shows the architecture of Citrix Cloud with Apps and Desktop Service. You have an active subscription with Citrix Cloud and you set up an integration between your resources and Citrix Cloud using a Cloud Connector, which is the link between your resources and Citrix Cloud. These Cloud Connectors are stateless and
To ensure security compliance, the Connector will self-manage. So do not disable reboots or put other restrictions on the Connector virtual machines. These actions prevent the Connector from updating itself when there is a critical update.
Limitations
In Citrix Cloud, Citrix manages the XenDesktop infrastructure for you; this includes delivery controllers, the backend site database, the license server and such. You are also automatically updated every two weeks, which gives us access to new functionality directly. So what do we as customers need to maintain?
* VDA Agents (endpoints such as VDI or Session Hosts)
* NetScaler appliances (Unless using NetScaler Gateway as a Service)
* Storefront (Unless using Citrix Cloud Hosted Storefront)
* RDS Licenses and RDS License Server
* Active Directory (We need to bring our own)
So what else are we missing out on?
* Logging and Auditing (we do not have the option to check logs on who has been logged into Citrix Cloud from a management perspective). In case we need to figure out who has logged in, Citrix has extensive internal auditing information. If a customer has a concern, contact Citrix within 30 days. They will review the audit logs to determine which of the customer’s administrators performed an operation, on what date, from which IP address, etc.
* The Citrix Cloud control plane is only hosted in the United States, which might pose an issue for customers who want their resources to be in EMEA.
* The customer owns and manages the Resource Locations. It can be created in any data center, cloud, location, or geo desired. All critical business data (such as documents, spreadsheets, etc.) are in the Resource Locations and are under customer control.

Access from the end-users and management
In regular Citrix XenDesktop and XenApp environments we can give end-users access through multiple types of authentication mechanisms such as Smart Cards, SAML, OAuth, KDC Constrained Delegation and even regular LDAP. This allows us to utilize Azure AD or Google IAM to delegate authentication to them as identity providers. Citrix Cloud only supported regular Active Directory authentication for regular end-users. From a management perspective they support Azure AD, which allows us to specify which people are allowed to access the management plane.

Using Azure AD as identity provider allows us to get some more insight into who has authenticated into Citrix Cloud, but it does not give us any insight into who has done “what”.
Using Storefront in Cloud
You also have the option to have Storefront hosted from Citrix Cloud. When you set this up, end-users can access it from the https://<customername>.xendesktop.net/Citrix/StoreWeb/ address. This address cannot be changed. This service still has some limitations when it comes to UI customization options, and it lacks more advanced features such as Optimal Gateway Routing and other authentication options such as SAML. But again, it is a question of whether you want to manage your own Storefront servers or consume it as a service.
Using NetScaler Gateway as a Service
If you plan on using Citrix XenApp Essentials, NetScaler Gateway as a Service is the default option, since it does not require any configuration or deployment of virtual instances: it actually runs as a Windows Service on the Citrix Cloud Connector machine. This service is really “ICA-proxy” as a service; it does not provide any of the Smart Access features such as SSL VPN or Endpoint Analysis, nor support for the newer protocols such as Framehawk and EDT. Also, from an authentication perspective it does not provide any options other than regular pass-through from Storefront.
You can also use NetScaler Gateway as a Service for regular Citrix Cloud deployments. Be aware that since this is a cloud service running in Citrix Cloud, all traffic will be routed from your endpoint through Citrix Cloud to the Cloud Connectors and then to the VDA agents. This feature is natively supported in Citrix Receiver and Receiver for Web as well.
NGaaS is a multi-region, geo load balanced service which is available in different locations around the world, and will always try to route a user to the closest PoP. Note that if you do not have a PoP close to your location, you might suffer higher latency than with your own NetScaler virtual appliances. Also, NGaaS does not provide any AppFlow analytics, which means that we do not have the insight we might be used to in Insight Center or MAS; it will give information about ICA RTT and such within Citrix Director.
Here is a chart of where the closest PoPs are located:
Eight PoPs in Azure
Azure South Central US
Azure West Europe
Azure Australia East
Azure East US
Azure West US
Azure North Europe
Azure Japan East
Azure Brazil South
Three PoPs in Amazon
US-East
US-West
EU-Centra
Concurrent Users: No Limit
Data Transfer Limit per user: No Limit
Overall Bandwidth Up to 250 Mbps – Can be scaled up with setting up multiple Citrix Cloud Connectors wherever your resources are located.
Cloud health and SLA
Citrix has an SLA of 99.9 every 30 days for all their different cloud services. They also have their own status page for all cloud offerings here –> http://status.cloud.com/
They have also implemented a subscribe option which allows us to send notifications to Slack or other Webhooks directly to our Service Management tool –> http://status.cloud.com/subscribers/new
NOTE: The status page does not show if there is any planned maintenance.
Is Citrix Cloud an option for me?
After having a lot of good conversations and discussions with customers and partners at Citrix Synergy, I got a lot of good feedback which I want to share directly.
* I don’t wanna manage Citrix I just want to deliver my apps and desktops and make it easy for my end-users
* I like the OpEx model for Citrix but they need to make it easier to adjust licenses for our end-users directly.
* For large enterprises we require complete visibility and full role based access control based upon what kind of responsibility our IT-staff has, Citrix Cloud does not have that option yet.

Now I don’t think that Citrix Cloud is going to replace any large XenApp/XenDesktop Enterprise solutions anytime soon. I believe that Citrix Cloud will provide customers with an even broader range of deployment options to choose from, depending on what kind of setup they are looking for. If you are considering a Citrix Cloud setup, you can use a finished deployment guide from Citrix here –> http://tools.cloud.com/
I am currently working on a XenDesktop 7 project where the requirement is to have an Active Active dual design with NetScaler GSLB and StoreFront.
Below I have detailed how I have configured StoreFront for this setup.
In the example there are two XenDesktop Farms, FarmA in the UK and FarmB somewhere in the EU. Both will host common and also unique applications.
StoreFront High Availability and Aggregation
StoreFront High Availability and Aggregation (let's call it HAA from now on) can only be configured using the StoreFront XML config files and cannot be done through the GUI.
You start by configuring your StoreFront as normal to talk to the different XenDesktop farms. Without configuring StoreFront HAA, StoreFront would contact both farms when a user logs in and show them all the apps they have been permissioned with from both farms, even if some of the apps are exactly the same.
Once you have configured HAA properly, StoreFront will show only 1 icon for apps that have exactly the same names and when users click on that icon they will be directed to a particular farm based on the settings that you have specified.
This means that you can always direct users to one particular farm unless for whatever reason the application cannot be launched within that farm. This can then also be overridden on an application by application basis by using StoreFront KEYWORDS in the application description.
StoreFront 2.1 High Availability is discussed in this Citrix eDocs article with an example configuration found in this eDocs article.
So to summarise, this is what we want to achieve:
1. Local StoreFront deployments enumerate applications from both farms that are in geographically different locations.
2. Based on Active Directory groups the user launches HAA applications in their home farm first.
3. If an HAA application has the Primary keyword it should launch first regardless of rule number 2.
4. If an HAA application is unavailable in the Primary farm for whatever reason, the application should launch in the Backup farm.
5. Non HAA applications from both farms must also be enumerated.
StoreFront High Availability and Aggregation Flow
I created this diagram to explain how the logon process works when HAA is involved.
Keywords
Keywords can be used in the description of individual published Desktops or Applications to override the default behaviour configured in HAA.
This means if you have configured Farm A as Primary and Farm B as Backup and you published Word in both farms but in Farm A you set KEYWORDS:Secondary and in Farm B you set KEYWORDS:Primary in the application description, Word will always try to launch first in Farm B.
Note: You must set the KEYWORDS in the description of both applications. Only setting it in one farm and not the other does not work.
Session Sharing
Session sharing is only considered after the HAA rules and the KEYWORD rules have been evaluated and does not override any of them.
Example:
Farm A primary
Farm B secondary
Excel published in both farms
Word published in both farms
Word set to be Primary in Farm B
In this instance if a user were to launch both Excel and Word they launch on the separate farms rather than session sharing as would be the normal case.
Multiple Mapping Groups
If you have added a user to multiple AD groups that are specified in different userFarmMapping portions of web.config then you will get some inconsistent results. Application icons are still aggregated but the Primary and Backup rules are not followed.
Before you Start
Configure your StoreFront Store’s Farm and Delivery controller settings exactly how you want them.
Once you have made manual changes to web.config, Studio prevents you from making further changes via the GUI.
If you click on a Store and then click Manage Delivery Controllers you will see the message
To configure delivery controllers and servers for this store, use PowerShell scripts
Install Microsoft XML Notepad which is free and about 100 times easier than editing XML files in normal Notepad
Create four Active Directory groups, one domain global and one domain local for UK and one domain global and one domain local for EU (following the AGDLP rule we nest global into local).
From an Active Directory domain controller, load the Active Directory Module for Windows PowerShell and run the following command to get the domain local groups' SIDs
Get-ADGroup -Identity ADGroupName
Web.Config
All StoreFront store configurations can be found in the respective web.config file .\inetpub\wwwroot\Citrix\web.config.
This is where we add the configuration for StoreFront High Availability.
To make things simpler, I made a backup copy of each web.config file and then opened the web.config file via the admin share on the StoreFront server: \\<storefrontserver>\c$\inetpub\<storename>\web.config
As you will be making a lot of changes it is much simpler to edit the file direct on the server and not have to keep copying it back and forth to your machine each time.
I recommend you copy the example configuration from Citrix (link in previous section above)
Then in XML notepad, expand citrix.deliveryservices –> resourcesCommon and delete anything underneath resourcesCommon
Then right click citrix.deliveryservices and click paste.
Your web.config should now look like this

For this example we only have 2 farms so we only require 2 equivalentFarmSet nodes so we will delete one of the equivalentFarmSet nodes.
If you then expand out the configuration you will see this
In this example we have two farms so we only require 2 farm nodes for the primaryFarmRefs and 1 for backupFarmRefs for the first equivalentFarmSet and 1 farm for the primaryFarmRefs and no farms for the backupFarmRefs for the second equivalentFarmSet.
The reason we have 2 equivalentFarmSets (the second one with no backupFarmRefs) is that if we did not have the second one, StoreFront would only enumerate applications from FarmB if FarmA was not available, whereas we want StoreFront to also enumerate applications from FarmB so that we get the unique, non-HAA applications from FarmB at each logon.
After deleting the unrequired nodes in the XML files your config should now look like this
Now expand out the configuration and start filling in the details with the groups and SIDs that you got earlier and the farm names. Remember the farm names need to match what you have configured in your StoreFront configuration.
The name used in the aggregationGroup setting must be the same in each equivalentFarmSet; this is what ensures that duplicate published application icons are not displayed.
Now copy the userFarmMapping node you have just configured, paste it again at the same level as the other one and reverse the configuration so that DL_FarmBUsers primary farm is FarmB, backup is FarmA etc.
Save your web.config and make sure you make the same changes to all of your StoreFront servers in the deployment.
Testing
You can test your configuration by publishing 4 applications. 1 unique application on each farm and 1 with the same name on each farm.
Add yourself to one of the Global Groups you created (that are nested in the local groups).
When you log into Receiver it should aggregate the applications so you see an icon for each of the unique applications but only 1 icon for the application that is the same in both farms.
When you launch one of the HAA apps it should direct you to the primary farm relating to the AD group you are in.
If you then place the servers or delivery group in the Primary farm in maintenance mode you should then get directed to the Backup farm when you try to launch the application again (make sure it is fully closed down though, session reconnection will occur even if servers are in maintenance mode).
Cannot complete your request
If you get this error after logging onto StoreFront or NetScaler Gateway take a look in the event logs on your StoreFront servers.
If you find
Event ID 7 – Unhandled exception thrown for route “DazzleResources/List”
Take a look in the detail of the event and it will have the text
Missing farms for names: [FarmA]
This means that a farm name that you have configured in equivalentFarmSet in your web.config could not be found in the list of farms configured in the Manage Delivery Controllers section of the Store.
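A pre-deployment check for the two configuration mistakes described above (a farm name in an equivalentFarmSet that the store does not know, and aggregationGroup values that differ between sets), as an added example that is not part of the original post or of Citrix's tooling. The sample XML is constructed and trimmed to the elements named on this page (intermediate wrapper elements of a real web.config are left out); `lint_haa` and `store_farms` are hypothetical names, and the farm list is assumed to be copied by hand from Manage Delivery Controllers.

```python
import xml.etree.ElementTree as ET

# Constructed sample: farm names, group name and SID are placeholders,
# and only the elements discussed on this page are included.
SAMPLE = """<resourcesCommon>
 <userFarmMapping name="UK">
  <groups><group name="DL_FarmAUsers" sid="S-1-5-21-0-0-0-1001"/></groups>
  <equivalentFarmSets>
   <equivalentFarmSet name="HAA" aggregationGroup="AggGroup1">
    <primaryFarmRefs><farm name="FarmA"/></primaryFarmRefs>
    <backupFarmRefs><farm name="FarmB"/></backupFarmRefs>
   </equivalentFarmSet>
   <equivalentFarmSet name="UniqueB" aggregationGroup="AggGroup1">
    <primaryFarmRefs><farm name="FarmB"/></primaryFarmRefs>
    <backupFarmRefs/>
   </equivalentFarmSet>
  </equivalentFarmSets>
 </userFarmMapping>
</resourcesCommon>"""

def lint_haa(xml_text, store_farms):
    """Return a list of problems found in the HAA part of a web.config.

    store_farms: farm names configured for the store (assumed input).
    """
    root = ET.fromstring(xml_text)
    problems = []
    for mapping in root.iter("userFarmMapping"):
        mname = mapping.get("name", "?")
        agg_names = set()
        for fs in mapping.iter("equivalentFarmSet"):
            agg_names.add(fs.get("aggregationGroup"))
            # Farms under both primaryFarmRefs and backupFarmRefs.
            refs = {f.get("name") for f in fs.iter("farm")}
            missing = sorted(refs - set(store_farms))
            if missing:  # would surface as "Missing farms for names" at logon
                problems.append(f"{mname}/{fs.get('name')}: missing farms {missing}")
        if len(agg_names) > 1:  # duplicate icons would no longer be aggregated
            problems.append(f"{mname}: aggregationGroup differs across sets")
        for g in mapping.iter("group"):
            if not (g.get("sid") or "").startswith("S-1-"):
                problems.append(f"{mname}: group {g.get('name')} has no SID")
    return problems

if __name__ == "__main__":
    print(lint_haa(SAMPLE, {"FarmA", "FarmB"}) or "no problems found")
```

Run it against the web.config of every StoreFront server in the deployment, since the post requires the same manual changes on each one.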
