Citrix Cloud Azure Ad

Citrix Cloud Azure Ad Conditional Access
Citrix Cloud On Azure
Citrix Cloud Azure Administrator
Citrix Cloud Mfa

Back to PostsPrevious Post

As of recent, there has been much discussion around about working remotely due to the Covid-19 outbreak that is causing an unprecedented amount of cloud usage. Most of us are working from home at the moment, and there are organisations still struggling to get around the grips of working remotely, due to their;

ICT Strategy
ICT Staff
Technological constraints
Business Continuity Plans that aren’t developed for a situation where staff cannot be physically onsite
Funding

Every so often a few of your favourite technologies intersect to create something magical and your passion for IT is renewed. That happened for me this week when configured Citrix NetScaler to authenticate to Azure Active Directory via SAML and enforce access to XenApp via Azure Multi-factor Authentication and Azure AD Conditional Access policies.
Citrix released Public Tech Preview for the new Active Directory + One Time Password based Multi-Factor Authentication solution in Citrix Workspace on Friday, March 22, 2019. For those of you who read my “A closer look at Citrix Workspace and Gateway Service in Citrix Cloud for companies moving off of on-premises StoreFront and NetScaler Gateway”,.

Whilst the above could only be a few reasons why some organisations struggle, I will try to outline them all in this post as best I can.

Windows Virtual Desktop w/ Multi-User Windows 10. What is it?

Microsoft has developed an extraordinary method that allows multiple-user desktop sessions on its cloud-based managed desktop and application virtualization service called Windows Virtual Desktop (WVD). The Remote Desktop Session Host is capable of permitting several parallel sessions on a single virtual machine, a capability that was previously restricted to Windows Server. The Azure-based Windows Virtual Desktop combines the benefits of Windows Server with the Windows 10 Enterprise Operating System.

Citrix leverages Microsoft investments in Azure and Remote Desktop Services to enable Citrix Cloud, the fastest and most flexible approach to deploying Citrix technology. Citrix Cloud simplifies how customers deploy VDI, virtual apps, desktops, and complete Citrix workspaces on one or more Azure-based resource locations. Azure Active Directory is your identity provider in the cloud and users authenticate against this provider to get access to the Windows Virtual Desktop service; When launching published Desktops and Applications – Windows still requires Active Directory authentication. Azure AD Connect is the tool that will provision accounts from AD to AAD.

Users have more power at their disposal on the familiar Windows 10 environment along with the Office 365 suite while minimizing the resource consumption. Most importantly, WVD can be remotely accessed from any device without compromising on the security of the applications.

Where is this WVD hosted?

This is an Azure PaaS Service, hosted in Microsoft Azure. Microsoft look after all the management interfaces for you, leaving you only looking after the Windows 10 image and . Its free (The service, not compute) So what are the other benefits?

Near unlimited scalability
- Scale to support 50 users to 5000 users in minutes
Unified management from the Azure portal
A productive, secure virtual desktop experience on Azure with Microsoft 365
Free and extended Windows security for Windows 7
Everything is centralized!

“So you’re telling me, I don’t need to build an RDSH?

Yes, that is correct – Check out this high level overview of WVD.

You don’t need to go through all the pain of setting up RDS, although there are some services that are required.
From a high level you will require the following items before you can deploy Windows Virtual Desktop.

An Azure Active Directory
An Active Directory
Azure Active Directory Connect
An Azure Virtual Network (Connected back to your DC’s)
An Azure subscription
A Windows Virtual Desktop tenant

Why do you need all of these?

Azure Active Directory is your identity provider in the cloud and users authenticate against this provider to get access to the Windows Virtual Desktop service
When launching published Desktops and Applications – Windows still requires Active Directory authentication.
Azure AD Connect is the tool that will provision accounts from AD to AAD to enable 1. above.
The Virtual Machines all need to be located on a Virtual Network. That vNet needs access to Active Directory, that can either be located in Azure or on-premises as long as there is connectivity. When Azure deploys new VM’s it will join these VM’s to your Active Directory domain and as such the VM’s need to locate the Domain Controller via DNS, without this DNS server setting being set the VM’s have no name resolution for the local AD, and hence won’t be able to join the domain. If your AD Domain Controllers are on-prem then you will need some connectivity back to on-prem to access those DC’s, either VPN or ExpressRoute.
It all runs in an Azure Subscription
A tenant is required inside the WVD management service

Management and Autoscaling

WVD management, if I’m completely honest, is probably the weakest aspect of the service right now. Currently there is no out-of-the-box, native portal so everything is managed from PowerShell. There are some great community tools (Microsoft Approved) that allow you to manage WVD Windows 10 Images, applications, which also include the management of scale-sets (autoscaling) in Azure! What more do you want 🙂

Without the community made management tools, or paid tools like Nerdio autoscaling needs to be configured through an Azure Automation account. Once this is configured, you should be on your way.

Benefits of autoscale

When your application demand increases, the load on the VM instances in your scale set increases. If this increased load is consistat during business hours you can configure autoscale rules to increase the number of VM instances in the scale set.

“But wait, what if I’m only a 9-5 business, and I only want them active during those hours?”

You can use the scaling tool to:

Schedule VMs to start and stop based on Peak and Off-Peak business hours.
Scale out VMs based on number of sessions per CPU core.
Scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running.

When these VM instances are created and your applications are deployed, the scale set starts to distribute traffic to them through the load balancer. You control what metrics to monitor, such as CPU or memory, how long the application load must meet a given threshold, and how many VM instances to add to the scale set.

On an evening or weekend, your application demand may decrease. If this decreased load is consistent over a period of time, you can configure autoscale rules to decrease the number of VM instances in the scale set. This scale-in action reduces the cost to run your scale set as you only run the number of instances required to meet the current demand.

SHOW ME THE MONEY! So you’re telling me, I can turn off a VM if no-one is using it?

Yes – Actually, this will automatically be done for you (if configured right, see above where I spoke about an Azure Automation Account).

So lets work this out together.

Scenario 1

Light to Medium use of applications
Business hours 9×5
15-20 users
VM Instance 2X D4s v3 (4vCpu 16GB Ram) with a 128GB Disk
VM’s turned off after hours
All staff working from home

The total amount of hours per month these VM instances will be on, is 160 hours, based on a 40 hour week.

Total cost per month: $163.96
Total cost per year: $1,967.52

Scenaro 2

Medium to Heavy use of applications
Business hours 24×7
350 Users
MAX VM Instance 25X D4s v3 (4vCpu 16GB Ram) with a 128GB Disk during Peak
MAX VM Instance 5X D4s v3 (4vCpu 16GB Ram) with a 128GB Disk
VM’s autoscaling during peak-offpeak hours
All staff working from home
Peak staff = 350 Users
Off-Peak staff = 35 Users

Total cost per month: $2,802.70
Total cost per year: $33,632.4‬

(This is also cheaper by $200 per month if you purchase 5 Azure RI)

WHAT! $8.00 PER User, Per month? To run a desktop? Yes. And I don’t need to worry about hardware? Nope. Warranty? Nope.
No problem, have a lovely day, boom. Anytime.

What do I need to worry about?

Citrix Cloud Azure Ad Conditional Access

There are a couple of things you need to be overlooking here. The first thing i’ll get started with is .

Licensing!

You are eligible to access Windows 10 and Windows 7 with Windows Virtual Desktop if you have one of the following licences*:

Microsoft 365 E3/E5
Microsoft 365 A3/A5/Student use benefits
Microsoft 365 F1
Microsoft 365 Business
Windows 10 Enterprise E3/E5
Windows 10 Education A3/A5
Windows 10 VDA per user

*Customers can access Windows Virtual Desktop from their non-Windows Pro endpoints if they have a Microsoft 365 E3/E5/F1/Business/A3/A5/Student use benefits or Windows 10 VDA per user licence.
https://azure.microsoft.com/en-au/pricing/details/virtual-desktop/

I cannot stress, how important this is to get right. Utilizing the WVD in Azure is very important, and a configuration could be a nightmare for you, and a big bill for the organisation. $2800 Per month could turn into $15,000 per month, if it has been misconfigured. Even if you are licensed, misconfiguration during the licensing process will come back to bite you.

Citrix Cloud On Azure

Windows 10 Enterprise multi-session can’t run in on-premises production environments because it’s optimized for the Windows Virtual Desktop service for Azure. It’s against the licensing agreement to run Windows 10 Enterprise multi-session outside of Azure for production purposes. Windows 10 Enterprise multi-session won’t activate against on-premises Key Management Services (KMS).

Don’t believe people who say cloud is expensive

It’s not, its because people misconfigure it. And they want your money.

Back to the worries >

Autoscaling!

Seriously! Why do you want a VM turned on 24/7 and its not being used? You’re essentially throwing money in the bin, where it could be going to other essential services services in the organisation (or creating really cool Azure Bots). Please refer to my statement above. CONFIGURE IT RIGHT!

Citrix Cloud

So I’ve gone on about WVD and Win 10 Multi User Desktop. Lets get into the mix with Citrix Cloud here.

Citrix Cloud and Microsoft Azure have common control plane integrations that establish identity, governance, and security for global operations. This is where Citrix Cloud and its control plane are a winner winner here.

Citrix Cloud . Why

Why? There is no server to setup. No more provisioning of

Delivery Controllers
Citrix Studio
Storefront
SQL Databases

Backups? What backups, no need for them. All taken care of for you.

The Citrix Virtual Apps and Desktops Service, which is a Citrix Cloud only Service, has many management features that allows you to seamlessly manage your Windows 10 Multi User Desktop session.

Autoscale is a feature exclusive to Citrix Virtual Apps and Desktops service that provides a consistent, high-performance solution to proactively power manage your machines. It aims to balance costs and user experience.

With the Citrix Cloud control plane, rather than the manually creating many host pools in Azure, Citrix Cloud allows you to seamlessly provision multiple delivery groups for different teams / departments based on usage, compute size etc without much effort. This is where Citrix Cloud has it over Azure, other than provisioning the initial image in Azure, you have a single management control interface that will prevent you from logging into Azure again… (Unless its been misconfigured!)

With Citrix Cloud, Azure becomes just another resource location. The different between the on-prem Citrix control plane and cloud control plane is its true cloud support. The on-premise control plane only supports 1:1 sessions. 1 desktop, 1 user. The Citrix Cloud control plane will support Windows 10 Multi User Desktop. 10 users, 1 desktop.
https://www.citrix.com/en-au/products/citrix-virtual-apps-and-desktops/release-feature-matrix.html

Licensing for Citrix Cloud

So here is where it gets very interesting. You are licensed for Citrix on-premise, but Citrix Cloud does come at a cost. This is where WVD has it over Citrix Cloud for licensing.

To get true Windows 10 Multi-user Session, in addition to the Microsoft Licensing you’re paying for, you also need to purchase Citrix Cloud licensing. But what is your end game here?

Decommissioning Citrix On-Prem
Citrix Cloud hosted Service
Complete provider hosted support
Windows 10 Multi-User

Sign me up!

Depending on your needs within your organisation, application support is what is determined. You will have 3rd party applications that don’t integrate with Citrix Cloud, but are fully supported on-premise and vice-versa.

The choices are endless …

Your choice between both will come down to what are your end goals with Cloud.

You can easily train ITS staff about both services. Since you don’t need to build every Citrix service on-premise, patch and monitor, its quite seamless to manage. The articles and tools that we are currently exposed to allow us to quickly develop the knowledge to maintain and manage the service. Having less to manage on-premise is always a bonus, the quicker you can remove that infrastructure, the more time staff can focus on more important tasks.

If you are already heavily invested into Citrix, then moving to a hybrid model with Citrix Cloud will benefit you long term, as transitioning your users becomes a much easier process.

So what about BCP? Having a fast proactive BCP for desktop infrastructure is critical. Windows Virtual Desktop has its benefits, due to it being free to setup the PaaS service and to quickly get a desktop up and running.

Citrix Cloud control plane is still far ahead in terms of user interface and features, and Citrix has much more experience in desktop virtualization than anyone else. But let’s face it, some customers do not need advanced features, and Windows Virtual Desktop could be a great fit for them.

Submit a Comment