Citrix Cloud has been on the market for over five years. It has evolved from cloud-based management for existing Citrix infrastructure into services that reduce the complexity of any Citrix Virtual Apps and Desktops environment.
Many organizations and IT shops consider a cloud-based workspace because it provides a higher level of flexibility, ease of management and scale compared with existing VDI. Moving to a Citrix Cloud-based Citrix Workspace also means a big change in the current architecture.
IT administrators need to learn the main steps and considerations for adopting a Citrix Cloud-based workspace.
Understanding the components of Citrix Cloud
Before IT administrators embark on this type of migration, it's imperative that they learn the core components of the Citrix Cloud offering. Simply put, Citrix Cloud provides traditional Citrix components as a service.
Citrix Workspace
This is the replacement for Citrix Storefront, which provides the end-user web portal that enumerates users' applications and desktops (Figure 1). Citrix provides this via software as a service from Citrix Cloud. As of the time that this article was published, there has been no further development on Citrix Storefront.
Citrix Gateway Service
This is the replacement for Citrix NetScaler Gateway -- or access gateway -- which provides remote access for the end user. When a user launches a virtual application or a desktop, the Gateway Service will tunnel the traffic from the end user to the desktop or application (Figure 2). This service is optional, and organizations can still use regular Citrix Gateway ADC combined with the other Citrix Cloud services.
Citrix Cloud Connector
This is a replacement for the desktop delivery controller, which acts as a proxy for communication between the virtual delivery agent (VDA) and the Citrix Cloud control plane. The Cloud Connector also acts as a proxy for the end-user traffic coming from the Gateway Service.
This applies only when the Rendezvous protocol is not active. If IT enables the Rendezvous protocol, the Gateway Service traffic will bypass the Cloud Connector and go straight to the VDA.
Citrix Virtual Apps and Desktops management plane
Because the Cloud Connector only acts as a proxy, the Citrix management plane is what ties all the components together. It also provides the licensing mechanism and a web interface for management.
Building a Citrix Cloud-based architecture
Once an organization's IT admins and executives get a sense of the components of Citrix Cloud, they should collaborate to design a new architecture with these components in mind. If an organization is interested in moving to a public cloud, such as Microsoft Azure, to host future workloads, it can aim for an architecture that resembles the one shown in Figure 3.
Organizations can use the built-in services from Citrix for capabilities such as the UI and the app and desktop publishing that end users will access, while the actual traffic flow goes through the Gateway Service. IT can configure authentication against Azure Active Directory (AD), one of the supported identity providers.
IT admins can also integrate directly with Azure to support image creation and provisioning of virtual machines. Because the control plane runs in the cloud, Citrix stores all configurations, user assignments, policies and more.
With the built-in capabilities from Citrix Virtual Apps and Desktops, IT admins can provision machine catalogs, which then connect to the Citrix control plane through the Cloud Connectors. This design is one option, but there are other supported topologies that depend on each organization's requirements.
What to know before migrating to Citrix Cloud
Before an organization begins the process of migrating from an existing on-premises Citrix Virtual Apps and Desktops environment, it should consider what Citrix Cloud capabilities to use and support.
Here are some current unsupported features and other limitations that virtual desktop administrators should be aware of:
- Citrix Gateway with VPN capabilities. Organizations that use the VPN capability built into the Gateway product should know that this is not available as part of the cloud-based gateway service.
- RADIUS-based authentication on Citrix Gateway. RADIUS-based authentication services such as Duo for multifactor authentication are also not supported as part of the Citrix Cloud Workspace as of this article's publication. However, the focus is moving to more cloud-native authentication capabilities such as Azure AD.
- Proximity to Gateway Points of Presence (PoPs). With Citrix Cloud, the distance to the different Citrix Gateway Service PoPs might add so much latency that it hinders the end-user experience, depending on where VDI sessions and Cloud Connectors are located. While Citrix is constantly adding new PoPs, it is still something for IT to consider.
- AD-based single sign-on (SSO) authentication to Citrix Workspace. With Storefront today, organizations have the option to employ full SSO-based authentication using AD-based integration. Because Citrix Workspace is a cloud-based service, it does not support a full SSO experience from Active Directory. IT admins can only achieve this via Citrix federated authentication service (FAS) and Azure AD.
However, with Citrix Cloud, IT admins have the option to continue using Citrix Gateway and Storefront if they have at least one of the capabilities listed above, and they can just use Citrix Cloud for provisioning.
How to migrate to Citrix Cloud from existing Citrix infrastructure
With a full understanding of the components of Citrix Cloud and a fleshed out infrastructure plan, it's time for IT admins to begin the migration process.
The existing environment and prerequisites
Organizations that want to migrate from an existing CVAD environment to Citrix Cloud should migrate the following components of their existing environment:
- The golden image. This depends on whether an organization plans to move to a new hosting platform such as Azure. However, if the plan is to reuse the existing hypervisor or virtualization platform, the golden image doesn't need any changes.
- Configuration. This includes the configurations for delivery groups, published applications and custom parameters.
- Policies. Of course, this only pertains to Citrix policies.
- Desktop Delivery Controllers (DDCs). Cloud Connectors replace these roles. Organizations with a static environment with persistent VDI desktops or RemotePC usage, for example, would need to re-register the VDAs to the Cloud Connectors.
IT also needs the following prerequisites in place and tasks completed before performing the migration.
- The organization should have a valid CVAD subscription.
- It should have fully installed Cloud Connectors that are domain-joined into the existing environment. IT should verify connectivity, health and access to the existing Active Directory using the Citrix Cloud management portal.
- It should have certificates fully installed on the Cloud Connectors that allow access to the secure ticket authority (STA) service to run on HTTPS, if that was a part of the existing infrastructure.
Running the migration to Citrix Cloud
As an example, this article will outline how to migrate an existing on-premises Citrix Virtual Apps and Desktops environment to the Citrix Cloud Virtual Apps and Desktops service. Citrix has an Automated Configuration tool to help with migration projects; it uses the Citrix PowerShell cmdlets to export configurations from the on-premises environment to Citrix Cloud.
Citrix administrators must work through the following steps to successfully complete this migration.
1. If organizations use Citrix Provisioning Service, they need to configure PVS to work against Citrix Cloud Connectors. This does not change the provided DDCs in the image before copying the configuration.
2. Install and run the Automated Configuration tool to export configurations and import them into Citrix Cloud. The tool exports the existing configuration into YAML files, which are necessary to import configurations into Citrix Cloud (Figure 4).
After IT admins complete steps 1 and 2, they should perform the next steps during maintenance hours because they will affect end users' access.
3. Configure machines running VDAs to register to the Cloud Connectors. IT admins can accomplish this by updating the ListOfDDCs registry key on the golden image or using Group Policy.
4. Update the configurations on existing Storefront and Citrix Gateway ADC to point to the new DDCs. Apply them to the STA configuration, the Session Policy on the Gateway, and the DDC configuration on the Storefront site.
End users can now access the same site as they did before, but now their authentication is against the Citrix Cloud Connectors.
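Step 3 as an added example (not from the original article or from Citrix): a PowerShell check, run on a VDA, that compares the controllers in ListOfDDCs with the Cloud Connectors you expect and, with -Fix, rewrites the local value. The connector FQDNs are placeholders, and the registry paths and the BrokerAgent service name are assumptions about a standard VDA installation.

```powershell
# Added example: audit (and optionally correct) the controllers a VDA registers with.
param(
    # Placeholder FQDNs (assumption): replace with your own Cloud Connectors.
    [string[]]$ExpectedConnectors = @('cc01.corp.example', 'cc02.corp.example'),
    [switch]$Fix   # without -Fix the script only reports
)

# Group Policy location and local (golden image) location of ListOfDDCs.
# Assumption: controller auto-update is not overriding these values.
$policyKey = 'HKLM:\SOFTWARE\Policies\Citrix\VirtualDesktopAgent'
$localKey  = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'

function Get-ListOfDDCs([string]$Key) {
    $raw = (Get-ItemProperty -Path $Key -Name ListOfDDCs -ErrorAction SilentlyContinue).ListOfDDCs
    if (-not $raw) { return }
    # The value is a space-separated list of controller FQDNs.
    $raw -split '\s+' | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
}

$expected = @($ExpectedConnectors | ForEach-Object { $_.ToLowerInvariant() })
$policy   = @(Get-ListOfDDCs $policyKey)
$local    = @(Get-ListOfDDCs $localKey)

# A policy value, when present, is the one this script treats as active.
$source = if ($policy.Count) { 'GroupPolicy' } else { 'LocalRegistry' }
$active = if ($policy.Count) { $policy } else { $local }

# Unexpected = leftover on-premises DDC or an unapproved controller.
$unexpected = @($active   | Where-Object { $_ -notin $expected })
$missing    = @($expected | Where-Object { $_ -notin $active })

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Source     = $source
    Active     = $active -join ' '
    Unexpected = $unexpected -join ' '
    Missing    = $missing -join ' '
    Compliant  = (-not $unexpected.Count) -and (-not $missing.Count)
}

if ($Fix -and ($unexpected.Count -or $missing.Count)) {
    if ($source -eq 'GroupPolicy') {
        Write-Warning 'ListOfDDCs is set by Group Policy; correct the GPO, not the local key.'
    } else {
        Set-ItemProperty -Path $localKey -Name ListOfDDCs -Value ($expected -join ' ') -Type String
        # BrokerAgent is the Citrix Desktop Service; restarting it triggers re-registration.
        Restart-Service -Name BrokerAgent
    }
}
```

Run in report-only mode across the VDA fleet after the maintenance window: any machine that still lists an old DDC or an unrecognized host in the Unexpected column is registering somewhere other than the intended Cloud Connectors.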
Limits of the Citrix Configuration Tool for migrations
The Citrix Configuration Tool has some limitations in what kinds of objects it can export or import. To name a few, the tool can't support the following scenarios:
- Machine catalogs provisioned through Citrix's Machine Creation Services or their corresponding delivery groups. This means that if IT admins want to export application publishing or policies, they will need to re-create Machine Catalogs and Delivery Groups with the exact same name as the on-premises environment.
- Citrix does not apply icons to machines or desktops.
- IT must manually add Access Control using the Remote POSH SDK.
- IT also needs to configure delegated administration directly in the Citrix Cloud Management Console because it uses another identity catalogue as a source.
After this, IT admins can also move to Citrix Workspace and Citrix Gateway Service to simplify traffic flow and authentication.