Citrix Cloud – Cloud Connector in-depth review.

To give an overview of where the Cloud Connector sits in the context of the overall Citrix Cloud solution, the following lists the components involved in both Citrix Cloud and the resource location:-

Components in Citrix Cloud:-

Citrix installs and manages the following components in Citrix Cloud.

  • Delivery Controller
  • Citrix license management
  • Citrix Studio
  • Citrix Director
  • Citrix StoreFront*
  • NetScaler Gateway*

*You can also optionally install NetScaler Gateway/StoreFront in resource locations to allow for more flexibility/customisation

Components located in resource locations:-

The client/customer must manage the following components in each resource location:-

  • Cloud Connector
  • VDAs
  • Active Directory
  • Hypervisor/Cloud Services

[Image: CC_Connector5]

Cloud Connector 

Citrix Cloud Connector performs on-premises operations on behalf of all the cloud services and proxies the information to Citrix Cloud.

What functions does the Cloud Connector provide?

  • Active Directory (AD): Enables AD management, allowing the use of AD forests and domains within your Resource Locations. It removes the need for adding any additional AD trusts.
  • XenApp and XenDesktop publishing: Enables publishing from resources in your Resource Locations.
  • XenMobile: Enables a XenMobile enterprise mobility management (EMM) environment for managing apps and devices as well as users or groups of users.
  • Machine Catalog provisioning: Enables provisioning of machines directly into your Resource Locations.

The following is an overview of placement of the Cloud Connector within Citrix Cloud.

[Image: CC_Connector3 – placement of the Cloud Connector within Citrix Cloud]

Cloud Connector Requirements:-

  • Must be installed on a domain-joined Windows Server 2012 R2 or Windows Server 2016 machine
  • Connectivity to the internet from the data centre only requires outbound TCP port 443
  • 40 GB disk space and 6.2 GB memory = 4 GB (standard) + 1.2 GB (LocalDB) + 1 GB (High Availability Service during an extended outage; see the Local Host Cache considerations below)
  • The Cloud Connector's AD computer account requires read permission on containers and read/write permission on user and computer objects
  • The clock on the server has the correct UTC time
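The following is an added pre-flight script, not code from the original post or from Citrix, that checks the host requirements listed above before the connector is installed. The disk and memory thresholds are taken from the list; the clock tolerance of 60 seconds and the use of the logon domain controller as the time reference are assumptions. Network egress is covered separately under the security considerations.

```powershell
# Added example, not from the original post or from Citrix: pre-flight check of
# the Cloud Connector host requirements. Run elevated on the candidate server.
function Test-CloudConnectorHost {
    [CmdletBinding()]
    param(
        [int]$MinDiskFreeGB = 40,        # from the post
        [double]$MinMemoryGB = 6.2,      # 4 GB base + 1.2 GB LocalDB + 1 GB HA service (from the post)
        [double]$MaxClockOffsetSec = 60  # assumed tolerance; not stated in the post
    )
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check($name, $pass, $detail) {
        $checks.Add([pscustomobject]@{ Check = $name; Pass = [bool]$pass; Detail = "$detail" })
    }

    # Supported OS: Windows Server 2012 R2 or 2016, matched on the product name.
    Add-Check 'OS' ($os.Caption -match 'Windows Server 2012 R2|Windows Server 2016') $os.Caption

    # Domain joined: the connector needs a domain computer account.
    Add-Check 'DomainJoined' $cs.PartOfDomain $cs.Domain

    # Free space on the system drive.
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    Add-Check 'DiskFreeGB' ($freeGB -ge $MinDiskFreeGB) "$freeGB GB free"

    # Physical memory, sized for Local Host Cache during an extended outage.
    $memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    Add-Check 'MemoryGB' ($memGB -ge $MinMemoryGB) "$memGB GB installed"

    # Clock: W32Time must be running and the offset from the domain controller small.
    $w32 = Get-Service W32Time
    Add-Check 'W32TimeRunning' ($w32.Status -eq 'Running') $w32.Status
    $dc = if ($env:LOGONSERVER) { $env:LOGONSERVER.TrimStart('\') } else { $cs.Domain }
    $sample = & w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1 | Select-Object -Last 1
    if ($sample -match ',\s*([+-]?\d+\.\d+)s') {
        $offset = [math]::Abs([double]$Matches[1])
        Add-Check 'ClockOffsetSec' ($offset -le $MaxClockOffsetSec) "$offset s from $dc"
    } else {
        Add-Check 'ClockOffsetSec' $false "could not sample $dc : $sample"
    }
    return $checks
}

$report = Test-CloudConnectorHost
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) {
    Write-Warning 'Host does not meet the Cloud Connector requirements.'
    exit 1
}
```

The non-zero exit code lets the script sit in a build pipeline or a configuration management run; a failed `ClockOffsetSec` check is worth fixing before installation, as the connector's authentication to Citrix Cloud depends on correct UTC time.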

Cloud Connector Architecture

The Cloud Connector provides a variety of services to connect your resources to Citrix Cloud. The following gives an overview of some of the services:-

[Image: CC_Connector9]

Cloud Connector Services

*Services can be added by updates to the Cloud Connector

  • Citrix Cloud AD Provider
  • Citrix Cloud Agent Logger
  • Citrix Cloud Agent System
  • Citrix Cloud Agent Watchdog
  • Citrix Cloud Credentials Provider
  • Citrix Cloud WebRelay Provider
  • Citrix Config Synchronizer Service
  • Citrix High Availability Service
  • Citrix NetScaler Cloud Gateway
  • Citrix Remote Broker Provider
  • Citrix Remote HCL Server
  • Citrix Session Manager Proxy

Added Aug 18 (ServiceNow ITSM & WEM Cloud Service):

  • Citrix ITSM Adapter Provider
  • Citrix WEM Cloud Authentication Service
  • Citrix WEM Cloud Messaging Service

These services should be added to SCOM for monitoring, as there is no Management Pack available for the Citrix Cloud Connector.

Citrix Cloud AD Provider

  • This provides connectivity into Active Directory, as used by Identity and Access Management.
  • The Citrix Cloud AD Provider enables Citrix Cloud to manage resources associated with the Active Directory domain the connector is installed into.

Citrix Cloud Agent Logger

  • The Citrix Cloud Agent Logger provides a support logging framework for the Citrix Cloud providers, enabling diagnostic support for the resource location both locally and within Citrix Cloud. This service picks up local logs, adds metadata to them, and uploads them to Citrix Cloud, where they are then pushed into SumoLogic.

Citrix Cloud Agent System

  • This is the one and only process that runs as Local System, which it must do in order to perform software installations. This service handles the system calls necessary for the on-premises agents.

Citrix Cloud Agent Watchdog

  • Monitors and upgrades the on-premises agents.
  • This service provides the evergreen functionality and can also upgrade itself. It also maintains the connector ID and access keys; the other Windows services, which run as Network Service, can obtain these as needed.

Citrix Cloud Credentials Provider

  • The Citrix Cloud Credential Provider

Citrix Cloud WebRelay Provider

  • The Citrix Cloud WebRelay Provider enables HTTP Requests received from WebRelayCloud service to be forwarded to On-Premises Web Servers.

Citrix Config Synchronizer Service

  • Copies brokering configuration locally for high availability mode

Citrix High Availability Service

  • The Citrix High Availability Service provides continuity of service during an outage of the central site.

Citrix NetScaler Cloud Gateway

  • Citrix NetScaler Cloud Gateway provides Internet connectivity to on-premises desktops and applications without the need to open in-bound firewall rules or deploying components in the DMZ.

Citrix Remote Broker Provider

  • Enables communication to a remote Broker service from local VDAs and StoreFront servers.

Citrix Remote HCL Server

  • The Remote HCL Server proxies communications between the Delivery Controller and the Hypervisor(s).

Citrix Session Manager Proxy

  • Manages anonymous prelaunched sessions, and uploads session count information to the cloud based Session Manager service

Citrix ITSM Adapter Provider

  • Automates provisioning and management of virtual apps and desktops through ServiceNow

Citrix WEM Cloud Authentication Service

  • Provides authentication service for Citrix WEM agents to connect to cloud infrastructure servers

Citrix WEM Cloud Messaging Service

  • Provides service for Citrix WEM cloud service to receive messages from cloud infrastructure servers.
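Because there is no Management Pack, the service list above has to be watched by a script. The following is an added example, not from the original post or from Citrix, that checks each connector service is present and running and reports the account it runs as. The account expectations are taken from the descriptions above (Citrix Cloud Agent System is the only service running as Local System; the others run as Network Service) and are reported as notes rather than failures, so confirm them against your own build. The service display names are the ones listed on the page; the ITSM and WEM services are treated as optional.

```powershell
# Added example, not from the original post or from Citrix: Cloud Connector
# service health check for a scheduled task or a monitoring agent.
$CoreServices = @(
    'Citrix Cloud AD Provider', 'Citrix Cloud Agent Logger', 'Citrix Cloud Agent System',
    'Citrix Cloud Agent Watchdog', 'Citrix Cloud Credentials Provider', 'Citrix Cloud WebRelay Provider',
    'Citrix Config Synchronizer Service', 'Citrix High Availability Service', 'Citrix NetScaler Cloud Gateway',
    'Citrix Remote Broker Provider', 'Citrix Remote HCL Server', 'Citrix Session Manager Proxy'
)
# Present only when the ServiceNow ITSM or WEM cloud services are in use.
$OptionalServices = @(
    'Citrix ITSM Adapter Provider', 'Citrix WEM Cloud Authentication Service', 'Citrix WEM Cloud Messaging Service'
)

function Get-CloudConnectorServiceHealth {
    $installed = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like 'Citrix*' }
    $known = $CoreServices + $OptionalServices
    foreach ($name in $known) {
        $svc = $installed | Where-Object { $_.DisplayName -eq $name }
        $optional = $OptionalServices -contains $name
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; State = 'Missing'; StartMode = $null; Account = $null
                               Healthy = $optional
                               Note = $(if ($optional) { 'optional, not installed' } else { 'core service missing' }) }
            continue
        }
        # Account expectation from the post: Agent System is Local System, the rest Network Service.
        $expectedAccount = if ($name -eq 'Citrix Cloud Agent System') { 'LocalSystem' } else { 'NT AUTHORITY\NetworkService' }
        $notes = @()
        if ($svc.State -ne 'Running')              { $notes += "not running ($($svc.State))" }
        if ($svc.StartMode -ne 'Auto')             { $notes += "start mode $($svc.StartMode)" }
        if ($svc.StartName -ne $expectedAccount)   { $notes += "runs as $($svc.StartName), expected $expectedAccount" }
        [pscustomobject]@{ Service = $name; State = $svc.State; StartMode = $svc.StartMode; Account = $svc.StartName
                           Healthy = ($svc.State -eq 'Running'); Note = ($notes -join '; ') }
    }
    # Services a connector update added that the monitor does not know about yet.
    foreach ($svc in ($installed | Where-Object { $known -notcontains $_.DisplayName })) {
        [pscustomobject]@{ Service = $svc.DisplayName; State = $svc.State; StartMode = $svc.StartMode; Account = $svc.StartName
                           Healthy = $true; Note = 'not in the expected list; add to monitoring' }
    }
}

$health = Get-CloudConnectorServiceHealth
$health | Format-Table -AutoSize
if ($health.Healthy -contains $false) { exit 1 }
```

Only a stopped or missing core service makes the check fail; the start mode and account columns are there so an unexpected change (for example a service that has started running as a different account) shows up in the monitoring output without the script having to assume more than the page states.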

Cloud Connector Logs file location:

Cloud Connector Install log files are located in the following location:-

%ProgramData%\Citrix\WorkspaceCloud\InstallLogs

Cloud Connector log files are located in the following location:-

%ProgramData%\Citrix\WorkspaceCloud\Logs

What happens if Cloud Connectors are unavailable?

Without Local Host Cache (up until Dec 17)

Using Citrix Cloud provided Gateway Service & Storefront

  • Brokering and power management will not work.
  • The Gateway Service will not work, as it is unable to reach a Cloud Connector to proxy the connection to the VDAs.

[Image: CC_Connector2]

Using Customer Managed NetScaler Gateway & StoreFront

  • Brokering and power management will not work.
  • The customer-managed NetScaler Gateway will continue to function, but new requests will fail.
  • Existing connections within the resource location will continue, but new requests will fail.

[Image: CC_Connector7]

Local Host Cache (Added Aug 18)

NOTE: I can't confirm if this has been rolled out to all existing and new customers, as my Citrix Cloud account does not have LHC enabled and the key does not work. Also, the documentation on Citrix eDocs does not confirm this.

With some recent changes, a Local Host Cache is now maintained on the Cloud Connector containing the configuration of the XenApp and XenDesktop Service. This is now enabled by default on the XenApp and XenDesktop Service.

Using Citrix Cloud provided Gateway Service & Storefront

  • All brokering will be provided by the Local Host Cache on the Cloud Connector using the High Availability Service.
  • The cloud-hosted Gateway Service will not work, as no Cloud Connector is available to proxy the connection to the VDAs.

[Image: CC_Connector6]

Using Customer Managed NetScaler Gateway & StoreFront

  • All brokering will be provided by the Local Host Cache on the Cloud Connector using the High Availability Service.
  • The customer-managed NetScaler Gateway will continue to function, and new requests will be serviced.
  • Existing connections within the resource location will continue, and new requests will be processed as normal.

[Image: CC_Connector8]


The following should be taken into consideration:-

  • The LocalDB service can use approximately 1.2 GB of RAM, and the High Availability Service can use up to 1 GB of RAM if an outage lasts for an extended interval.
  • Studio and the Remote SDK cannot be used during an outage.
  • No monitoring activity is captured during the outage period, so a gap will appear where the outage occurred.
  • Pooled VDIs have been enhanced with Local Host Cache. Run the following to ensure VMs are not shut down during an outage and are re-used:

    Set-BrokerSite -ReuseMachinesWithoutShutdownInOutageAllowed $true
    Set-BrokerDesktopGroup -Name "name" -ReuseMachinesWithoutShutdownInOutage $true

  • During an outage one Cloud Connector handles all brokering, even if multiple Cloud Connectors are available. The elected connector can change during the outage, therefore all Cloud Connectors should be specified to handle the additional load an outage entails.
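The two cmdlets above set the site switch and one named delivery group. The following is an added example, not from the original post or from Citrix, that generalises this to every pooled (DesktopKind Shared) delivery group and checks the current values first so it can be re-run safely. It assumes the Citrix Remote PowerShell SDK is installed; `Get-XdAuthentication` is the Citrix Cloud sign-in and is not needed against an on-premises site.

```powershell
# Added example, not from the original post or from Citrix: enable machine
# re-use without shutdown during a Local Host Cache outage, site-wide and for
# every pooled delivery group.
Add-PSSnapin Citrix.* -ErrorAction Stop
Get-XdAuthentication    # Citrix Cloud only; prompts for the Citrix Cloud account

$site = Get-BrokerSite
if (-not $site.LocalHostCacheEnabled) {
    Write-Warning 'Local Host Cache is not enabled on this site; outage brokering will not be available.'
}
if (-not $site.ReuseMachinesWithoutShutdownInOutageAllowed) {
    # Site-wide switch; the per-group setting has no effect until this is on.
    Set-BrokerSite -ReuseMachinesWithoutShutdownInOutageAllowed $true
}

# Pooled (random) delivery groups are DesktopKind Shared; assumed scope for "pooled VDIs".
$pooled = Get-BrokerDesktopGroup -DesktopKind Shared
foreach ($dg in $pooled) {
    if ($dg.ReuseMachinesWithoutShutdownInOutage) { continue }   # already set
    Set-BrokerDesktopGroup -Name $dg.Name -ReuseMachinesWithoutShutdownInOutage $true
    "Enabled re-use without shutdown during outage for '$($dg.Name)'"
}

# Verify: every pooled group should now show True.
Get-BrokerDesktopGroup -DesktopKind Shared |
    Select-Object Name, DesktopKind, ReuseMachinesWithoutShutdownInOutage |
    Format-Table -AutoSize
```

Run this before an outage, not during one, since the Remote SDK is unavailable while the connectors cannot reach Citrix Cloud.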

Cloud Connector Updates process

[Image: CC_Connector1]

  • At least 2 Cloud Connectors should exist per Resource Location, and N+1 should be adopted, as automatic updates can reboot a connector without notice.
  • If a Cloud Connector misses two updates in a row, it may lose connectivity with Citrix Cloud.
  • Cloud Connector updates may reboot the server after installation; do not install the Cloud Connector on critical servers (file, DB, etc.), and it is recommended that the server hosts only this function.
  • If only a single Cloud Connector is installed, automatic updates will not be enabled.

Scaling the Cloud Connector

  • Two Cloud Connectors can support 5k VDAs and 20k sessions (based on the recommended 2 vCPU / 4 GB RAM VM). This sizing is for brokering only.
  • Cloud Connectors balance load automatically; there is no need to load balance them through a NetScaler.
  • HDX proxy connections through the Cloud Connector are not included in the sizing above and need to be factored into the number and specification of servers.
  • Deploy Citrix Cloud Connector on Server Core, as documented by Phil Wiffen – https://kabri.uk/2018/09/22/install-citrix-cloud-connector-on-server-core-2016/

Cloud Connector Security Considerations

How Secure is the data between Citrix Cloud & Cloud Connector?

  • All communication between Citrix Cloud and the Resource Location is proxied via the Cloud Connector over TCP port 443 with TLS, so it is encrypted in transit.
  • All traffic is outbound, therefore no inbound rules are required.
  • If using URL filtering on a web proxy for whitelisting, add the following to allow Citrix Cloud to Cloud Connector connectivity:
    • https://*.citrixworkspacesapi.net
    • https://*.cloud.com
    • https://*.servicebus.windows.net
  • The Cloud Connector cannot traverse domain-level trusts, therefore additional Cloud Connectors should be installed per user domain.
  • See Configuring the Connector to Support a Web Proxy – https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/proxy-firewall-configuration.html
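The whitelist above is only useful if the proxy actually lets the connector's TLS sessions through untouched. The following is an added example, not from the original post or from Citrix, that tests outbound 443 for a representative host under each whitelisted domain, either directly or through an explicit web proxy using an HTTP CONNECT tunnel, completes a TLS handshake and reports the certificate issuer. The host names `trust.citrixworkspacesapi.net` and `citrix.cloud.com` and the proxy `proxy.corp.local:8080` are assumptions for illustration, not taken from the post.

```powershell
# Added example, not from the original post or from Citrix: outbound TLS check
# for the whitelisted Citrix Cloud domains, direct or via an explicit proxy.
function Test-CloudConnectorEgress {
    param(
        [string[]]$Hosts = @('trust.citrixworkspacesapi.net', 'citrix.cloud.com'),  # assumed representatives
        [string]$ProxyHost,          # e.g. 'proxy.corp.local'; leave empty for a direct connection
        [int]$ProxyPort = 8080
    )
    foreach ($h in $Hosts) {
        $r = [ordered]@{ Host = $h; Via = $(if ($ProxyHost) { "$ProxyHost`:$ProxyPort" } else { 'direct' })
                         TcpOk = $false; TunnelOk = $null; TlsOk = $false; Protocol = $null; Issuer = $null; Error = $null }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            if ($ProxyHost) { $client.Connect($ProxyHost, $ProxyPort) } else { $client.Connect($h, 443) }
            $r.TcpOk = $true
            $stream = $client.GetStream()
            if ($ProxyHost) {
                # Ask the proxy for a tunnel; a proxy that does not whitelist the name answers non-200 here.
                $req = [System.Text.Encoding]::ASCII.GetBytes("CONNECT ${h}:443 HTTP/1.1`r`nHost: ${h}:443`r`n`r`n")
                $stream.Write($req, 0, $req.Length)
                $buf = New-Object byte[] 4096
                $n = $stream.Read($buf, 0, $buf.Length)
                $statusLine = ([System.Text.Encoding]::ASCII.GetString($buf, 0, $n) -split "`r`n")[0]
                $r.TunnelOk = $statusLine -match '^HTTP/1\.[01] 200'
                if (-not $r.TunnelOk) { throw "proxy refused CONNECT: $statusLine" }
            }
            # SslStream validates the chain against the machine trust store and throws if it fails.
            $ssl = New-Object System.Net.Security.SslStream($stream, $false)
            $ssl.AuthenticateAsClient($h)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $r.TlsOk = $true
            $r.Protocol = $ssl.SslProtocol
            $r.Issuer = $cert.Issuer
            $ssl.Dispose()
        } catch {
            $r.Error = $_.Exception.Message
        } finally {
            $client.Close()
        }
        [pscustomobject]$r
    }
}

# Direct first, then via the explicit proxy the connector will be configured to use.
Test-CloudConnectorEgress | Format-Table -AutoSize
Test-CloudConnectorEgress -ProxyHost 'proxy.corp.local' -ProxyPort 8080 | Format-Table -AutoSize
```

Read the `Issuer` column with care: if it names your internal CA rather than a public one, the proxy is terminating and re-signing the TLS session, so the connection the connector sees is to the proxy and not end-to-end to Citrix Cloud; exclude the whitelisted domains from SSL inspection. A `TunnelOk` of False with a 403 or 407 status line is the proxy's whitelist or authentication rejecting the name, which is the case the Citrix proxy configuration article linked above addresses.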

What data is stored in Citrix Cloud?

Citrix Cloud only stores metadata, such as:

  • Usernames
  • Application Names
  • Icons

All data is encrypted with TLS while in transit.

This is the first in a series of blogs reviewing each component of Citrix Cloud. Further articles will be published when I can get the time.

5 comments

  1. I think there is a mistake in the first Cloud Connector unavailability scenario – "Existing connections within the resource location will continue but new requests will fail." – how is that possible? So if there is no connectivity between the NetScaler GW Service and the Cloud Connector, how could existing sessions exist?

    1. Thanks Giedrius, yes it was a typo/copy and paste, as I initially had 2 instead of 4 scenarios. Thanks for your review and spotting it so quickly. It has now been corrected.

  2. What about authentication, how is this implemented? Does the Cloud Connector do any LDAP query to AD domain controllers for user authentication?
