Service Continuity for Virtual Apps and Desktop Service

As 2020 comes to a close, Citrix has announced a public tech preview of what is, in my opinion, a game-changing new feature. Service Continuity is a new feature set in Citrix Cloud that will ensure connectivity and continuity of Virtual Apps & Desktop Service sessions.

I have spent a lot of time exploring this new feature during the private tech preview and have been impressed with what I have seen. In this blog I want to explore this new feature, give some detail on how it works and outline what is needed to get it up and running.

Local Host Cache

Citrix Administrators will be familiar with the concept of local host cache. This is often used for resiliency in a Citrix environment today by storing static information within a locally cached database, thus allowing connections to be made when issues arise within the environment.

Local Host Cache Connections

To enable Local Host Cache within a Citrix Virtual Apps & Desktop Service environment, an administrator needs to deploy an on-prem StoreFront and Gateway. As a result, customers cannot use the Citrix Workspace Experience with all the latest and greatest features. When an environment has several Cloud Resource Locations, Local Host Cache adds a further layer of complexity: LHC is configured on a per-resource-location basis, resulting in complex StoreFront configurations.

Service Continuity adds resiliency to Citrix environments utilizing the Citrix Gateway Service and Citrix Workspace Experience (i.e. Cloud StoreFront). This eliminates the need for these on-prem components to achieve resiliency and continuity with the deployment.

What is Service Continuity?

Today when Citrix Workspace cannot reach the Citrix Cloud Control Plane during, for example, a branch office network outage – the end user is met with the following error page:

Workspace Error Page

Resources do not enumerate, which leads to a bad user experience. Enter Service Continuity.

In simple terms, Service Continuity uses a number of technologies and techniques to cache the resource list, the Workspace user interface and the connection details in order to facilitate connections during an outage.

To achieve this, Service Continuity leverages Connection Leases.

Connection Leases

Connection Leases are a new type of ICA file that is used as a fallback in times of outage. Service Continuity leverages these secure concatenated files stored within the user’s local app data. These secure, encrypted files contain the resource details needed in order to launch the session.

Each resource is correlated to three individual files. These Connection Leases are long-lived authorization tokens; they are NOT long-lived authentication tokens. They can be set to expire after a defined period of time ranging from 1 to 30 days. We will look at this in later sections.

Launching a session with Service Continuity

Let’s take a look at what happens when a user launches a session. The session attempts to connect using an ICA file. When this connection cannot be completed, we fall back to the Connection Lease. See the flow below:

  • Citrix Workspace app for Windows on the client machine calls home to the Citrix Control Plane.
  • Connection Leases are generated in the Control Plane and synced down to the local endpoint device.
  • Later, Workspace cannot reach the Citrix Cloud Control Plane.
  • Citrix Workspace utilizes the leases to establish a connection via the Gateway Service, the Cloud Connector or directly to the VDA, depending on configuration and connectivity.
  • The Cloud Connector talks to the Cloud Broker if network flow allows; otherwise it utilises Local Host Cache within the connector.
  • Finally, a session is prepared and launched via the VDA.

Connection Leases sync from Control Plane. If Control Plane cannot be reached, Endpoint can connect to Gateway Service or Cloud Connectors using Connection Leases

What do we need to get Service Continuity up and Running?

There are a number of prerequisites to get Service Continuity enabled within the account. Firstly, this is a cloud-based feature, which means the account needs to be utilizing the Citrix Virtual Apps & Desktop Service as well as the Workspace Experience (i.e. Cloud StoreFront). It is also designed to work with the Gateway Service or Direct Connection.

Virtual Delivery Agents (VDA) need to be version 7.15 or above. Citrix Workspace App for Windows needs to be a minimum of 2012.

Citrix Cloud Connector must be able to reach https://rootoftrust.apps.cloud.com. Configure your firewall to allow this connection. For information about the Cloud Connector firewall, see Cloud Connector Proxy and Firewall Configuration.

Up-to-date Citrix Cloud Connectors are also a requirement of Service Continuity. An interesting thing to note is that Service Continuity leverages the Local Host Cache service on the Citrix Cloud Connector. Citrix recommends that the Cloud Connectors are sized for Local Host Cache when utilizing Service Continuity, i.e. 4 GB of RAM and 4 vCPU. See the documentation below for more details:

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/install-configure/resource-location/local-host-scale-and-size.html

https://docs.citrix.com/en-us/advanced-concepts/implementation-guides/local-host-cache-sizing-scaling.html

We also need Layer 3 network connectivity between the endpoint running CWA and both the Connector and the VDA running the resource, either via:

  • Direct (LAN) (in this case, Connector and VDA must be reachable over TCP 2598)
  • Citrix Gateway Service (TCP 443)
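A pre-flight check for the network prerequisites above, as an added example that is not from Citrix or the original post. It uses the built-in Test-NetConnection cmdlet; the function name and the host names in the usage comments are hypothetical, and the Gateway Service path is left out because the article does not name its host.

```powershell
# Added example: reachability check for the Service Continuity prerequisites.
function Test-ServiceContinuityPath {
    [CmdletBinding()]
    param(
        # 'Connector' = run on a Cloud Connector; 'Endpoint' = run on a client with Workspace app
        [Parameter(Mandatory)][ValidateSet('Connector', 'Endpoint')][string]$Role,
        # Hypothetical names of the Cloud Connectors and VDAs used for direct (LAN) launches
        [string[]]$DirectHost = @()
    )

    $targets = @()
    if ($Role -eq 'Connector') {
        # From the article: the Cloud Connector must reach the root-of-trust URL over HTTPS
        $targets += [pscustomobject]@{ Name = 'rootoftrust.apps.cloud.com'; Port = 443; Why = 'Root of trust' }
    }
    else {
        # From the article: direct launches need TCP 2598 to both the Connector and the VDA
        foreach ($h in $DirectHost) {
            $targets += [pscustomobject]@{ Name = $h; Port = 2598; Why = 'Direct (LAN) session' }
        }
    }

    foreach ($t in $targets) {
        $r = Test-NetConnection -ComputerName $t.Name -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = $t.Name
            Port      = $t.Port
            Purpose   = $t.Why
            Reachable = [bool]$r.TcpTestSucceeded
        }
    }
}

# Constructed host names, replace with your own:
# Test-ServiceContinuityPath -Role Connector
# Test-ServiceContinuityPath -Role Endpoint -DirectHost 'connector01.example.local', 'vda01.example.local'
```

Test-NetConnection opens a direct TCP connection, so on a Cloud Connector that reaches the internet only through a proxy the root-of-trust row can show as unreachable even though the proxied path works.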

Enabling in the account

User Interface

You can find Service Continuity under the Workspace Configuration section of the Citrix Cloud account.

Service Continuity tab under Workspace Configuration

Here we see the option to enable Connection Leasing. It is important to note that this is a site-wide feature for your cloud environment.

Service Continuity also has the option to set a connection lease period ranging from 1-30 days. Leases expire after the set number of days. Workspace then needs to sync back with the control plane to bring renewed leases down to the client endpoint.

PowerShell

We can also leverage PowerShell to make some interesting tweaks to our connection leases.

One important point to note here is that interacting with Service Continuity through PowerShell requires the latest version of the Citrix PowerShell SDK. This can be found at the link below:

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/sdk-api.html

We can use a Set-BrokerSite command within PowerShell to set several parameters for Service Continuity.

PS C:\> Set-BrokerSite -ResourceLeasingEnabled $true -ResourceLeaseValidityPeriodInDays 7 -DeleteResourceLeasesOnLogOff $true -DnsResolutionEnabled $false

Let us break down the above:

ResourceLeasingEnabled – We need this set to true. This sets the feature as enabled for the site

ResourceLeaseValidityPeriodInDays – This can be set as 1-30 similar to the user interface.

DeleteResourceLeasesOnLogOff – This is enabled by default. When a user explicitly logs off from Workspace, leases are wiped from the device.

DnsResolutionEnabled – This must be set to false in order for Resource Leasing to work successfully.

Use PowerShell to Set Broker Site for Connection Leasing
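Because a connection lease is a long-lived authorization token cached on the endpoint, these four settings are worth reviewing together. The check below is an added example, not Citrix or author code: the function name and the 7-day ceiling are hypothetical, and it assumes the site object exposes properties named like the Set-BrokerSite parameters above, so it is run here against a constructed sample object.

```powershell
# Added example: review connection-lease settings against a local policy.
function Test-ConnectionLeasePolicy {
    param(
        # Object with the four properties discussed above (assumed property names)
        [Parameter(Mandatory)]$Site,
        # Assumed organisational ceiling for lease lifetime, not a Citrix default
        [ValidateRange(1, 30)][int]$MaxValidityDays = 7
    )

    $findings = @()

    if (-not $Site.ResourceLeasingEnabled) {
        $findings += 'ResourceLeasingEnabled is not true: Service Continuity is off for the site.'
    }

    $days = $Site.ResourceLeaseValidityPeriodInDays
    if ($days -lt 1 -or $days -gt 30) {
        $findings += "ResourceLeaseValidityPeriodInDays is $days, outside the supported 1-30 range."
    }
    elseif ($days -gt $MaxValidityDays) {
        $findings += "Leases stay valid for $days days, longer than the $MaxValidityDays-day policy."
    }

    if (-not $Site.DeleteResourceLeasesOnLogOff) {
        $findings += 'DeleteResourceLeasesOnLogOff is off: leases stay on the device after an explicit logoff.'
    }

    if ($Site.DnsResolutionEnabled) {
        $findings += 'DnsResolutionEnabled is true: the article states it must be false for leasing to work.'
    }

    $findings
}

# Constructed sample values, not taken from a real site
$sample = [pscustomobject]@{
    ResourceLeasingEnabled            = $true
    ResourceLeaseValidityPeriodInDays = 30
    DeleteResourceLeasesOnLogOff      = $false
    DnsResolutionEnabled              = $false
}
Test-ConnectionLeasePolicy -Site $sample   # reports the 30-day lifetime and the logoff setting
```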

We can also set the Resource Location Connectivity by using the following command:

PS C:\> Set-ConfigZone -InputObject (Get-ConfigZone -ExternalUid <resourceLocation guid>) -EnableHybridConnectivityForResourceLeases $true

The above command allows us to set the Workspace to try to connect to both the Gateway & Cloud Connector – by default connector first and then Gateway.

We also have the ability to revoke the lease from a given user or all users/leases.

Set-BrokerConnectionLeaseRevocationDate -Name Gavlab/user1 -LeaseRevocationDays 21

End User Experience

When a user launches Citrix Workspace and the Workspace cannot reach the control plane, a ribbon appears in the Workspace user interface.

Users are then able to continue to launch the virtualized resources, authenticate to a session and not be affected by any communication or connectivity issues.

Important Clarifications:

Some considerations to keep in mind if thinking about implementing Service Continuity:

  • Note that a user will need to authenticate when launching a chosen resource. Once authenticated to the resource, it will launch as normal and the user can continue with their task unaffected by any connectivity issues to the Control Plane. I.e. the user cannot connect to the resource with Single Sign-On.
  • The endpoint must be able to reach the VDA machine hosting the resource.
  • HDX sessions connecting via the Gateway Service or Direct Connections are supported in this tech preview. NO on-prem gateway support.
  • Connection Leases must be synced to the client device containing Citrix Workspace prior to any connectivity issues.
  • This tech preview includes continuity for Citrix Workspace App for Windows only. Citrix has talked about extending this to Linux, Mac and HTML5 Web in the future.

The official Citrix Documentation can be found at the link below:

https://docs.citrix.com/en-us/citrix-workspace/service-continuity.html

The official announcement blog can be found at:

https://docs.citrix.com/en-us/tech-zone/learn/tech-briefs/citrix-cloud-resiliency.html

I am very excited for what the future holds for Citrix Service Continuity. Virtualization is just the start for Service Continuity with more Cloud Services to come.

To sign up for the preview, Citrix has provided a Podio form, linked below:

https://podio.com/webforms/25148648/1854298

Merry Christmas and a happy New Year.

Gavin Connolly

Citrix Presales Specialist
