by Uddave Jajoo, Indianapolis CUGC Leader, CTA
With enterprises moving toward the cloud, their first strategy is to deploy a solution that is highly available and resilient. During the recent outage, "Networking issues impacting Azure Services in the Central US Region," a subset of customers experienced issues with their services and intermittent connection issues.
To overcome this outage scenario and make your business operations highly resilient, Citrix offers two great features that let users access their resources from the cloud even if an outage is reported within the region. In my previous blog post, I talked about Local Host Cache. In this post, I will describe in detail how enabling Citrix Service Continuity can benefit customers in Citrix DaaS deployments.
Citrix Service Continuity enables users to connect to their DaaS apps and desktops during outages by using Workspace connection leases to allow users access. Workspace connection leases are long-lived authorization tokens that reside on the user’s local machine. Workspace connection lease files are securely cached on the user device.
Workspace connection lease files are signed and encrypted and are associated with the user and the user device. When service continuity is enabled, a workspace connection lease allows users to access apps and desktops for seven days by default. You can configure workspace connection leases to allow access for up to 30 days.
Requirements and Limitations
- Supported in all editions of Citrix DaaS and Citrix DaaS Standard for Azure, when using Workspace Experience.
- Not supported for Citrix Workspace with site aggregation to on-premises Virtual Apps and Desktops.
- Not supported when on-premises Citrix Gateway is used as an ICA Proxy. (Using Citrix Gateway as a Workspace authentication method is supported.)
- VDAs joined to Azure AD aren’t supported. All VDAs must be joined to an AD domain.
- VDAs must be online for users to access VDA resources during an outage. VDA resources aren’t available when the VDA is affected by outages in:
  - Cloud Delivery Controller, unless Autoscale is enabled for the delivery group delivering the resource
Configure Citrix Service Continuity
To enable service continuity for your site:
- From the Citrix Cloud menu, go to Workspace Configuration > Service Continuity.
- Set Connection leasing for the Workspace to Enable.
- Set connection lease period to the number of days a workspace connection lease can be used to maintain a connection.
- Click Save. When you enable service continuity, it is enabled for all delivery groups in your site.
To disable service continuity for a delivery group, use the following PowerShell command:
Set-BrokerDesktopGroup -name <deliverygroup> -ResourceLeasingEnabled $false
Replace deliverygroup with the name of the delivery group.
By default, Workspace connection leases are deleted from the user device if the user signs out of Citrix Workspace during an outage. If you want Workspace connection leases to remain on user devices after users sign out, use the following PowerShell command:
Set-BrokerSite -DeleteResourceLeasesOnLogOff $false
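Because a Workspace connection lease is a long-lived authorization token stored on the device, it helps to review which delivery groups issue leases and whether they persist after sign-out. The following is an added example, not from the original post or from Citrix; the function name Get-LeaseExposure and the sample data are hypothetical, and it assumes the objects returned by Get-BrokerSite and Get-BrokerDesktopGroup expose properties with the same names as the Set- parameters shown above.

```powershell
# Added example: summarise Workspace connection lease exposure per delivery group.
# Assumption: the site and delivery group objects carry properties named like the
# Set-BrokerSite / Set-BrokerDesktopGroup parameters used in this post.
function Get-LeaseExposure {
    param(
        [Parameter(Mandatory)] $Site,
        [Parameter(Mandatory)] [object[]] $DesktopGroup,
        # Lease period is set in Workspace Configuration (7 days by default, 30 max).
        [ValidateRange(1, 30)] [int] $LeasePeriodDays = 7
    )
    foreach ($dg in $DesktopGroup) {
        $notes = @()
        if ($dg.ResourceLeasingEnabled) {
            if (-not $Site.DeleteResourceLeasesOnLogOff) {
                $notes += 'leases stay on the device after sign-out'
            }
            if ($LeasePeriodDays -gt 7) {
                $notes += "lease period of $LeasePeriodDays days exceeds the 7-day default"
            }
        }
        [pscustomobject]@{
            DeliveryGroup  = $dg.Name
            LeasingEnabled = [bool]$dg.ResourceLeasingEnabled
            Notes          = $notes -join '; '
        }
    }
}

# Constructed sample data so the function can be exercised without a site.
$sampleSite   = [pscustomobject]@{ DeleteResourceLeasesOnLogOff = $false }
$sampleGroups = @(
    [pscustomobject]@{ Name = 'Finance-Desktops'; ResourceLeasingEnabled = $true }
    [pscustomobject]@{ Name = 'Kiosk-Apps';       ResourceLeasingEnabled = $false }
)
Get-LeaseExposure -Site $sampleSite -DesktopGroup $sampleGroups -LeasePeriodDays 30 |
    Format-Table -AutoSize

# Against a live site (SDK loaded and authenticated), pass the real objects:
# Get-LeaseExposure -Site (Get-BrokerSite) -DesktopGroup (Get-BrokerDesktopGroup)
```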
How service continuity works
- If there’s no outage, users access virtual apps and desktops using ICA files. Citrix Workspace generates a unique ICA file each time a user selects a virtual app or desktop icon.
- Each ICA file contains a Secure Ticket Authority (STA) ticket and a logon ticket that can be redeemed only once to gain authorized access to virtual resources.
- The tickets in each ICA file expire after about 90 seconds. After the ticket in an ICA file is used or expires, the user needs another ICA file from Citrix Workspace to access resources. When service continuity isn’t enabled, outages can prevent users from accessing resources if Citrix Workspace can’t generate an ICA file.
- When service continuity is enabled, Citrix Workspace also generates the unique set of files that make up a Workspace connection lease.
- When a user signs in to Citrix Workspace, connection lease files are generated for every resource published to that user.
- Workspace connection leases contain information that gives the user access to virtual resources. If an outage prevents a user from signing in to Citrix Workspace or accessing resources using an ICA file, the connection lease provides authorized access to the resource.
How sessions launch during outages
When users click an icon for an app or desktop during an outage, the Citrix Workspace app finds the corresponding Workspace connection lease on the user device.
When the Citrix Cloud broker is online, the Cloud Connector uses the Citrix Cloud broker to resolve which VDA is available. When the Citrix Cloud broker is offline, the secondary broker for the Cloud Connector (also known as the High Availability service) listens for and processes connection requests.
Users who are connected when an outage occurs can continue working uninterrupted. Reconnections and new connections experience minimal connection delays. This functionality is similar to Local Host Cache, but does not require an on-premises StoreFront.
The Workspace app would show the icons as below during an outage (the image is from the Citrix Docs, as I was not able to force an outage to verify Citrix Service Continuity).
Error Message: “Unable to connect to some of your resources. Some virtual apps and desktop may still be available.”
Users see apps and desktops that they can connect to during the outage. If the app or desktop isn’t available, the icon appears dimmed.
Depending on how Citrix Workspace app and VDAs are configured, during an outage the VDA might prompt users to enter their credentials into the Windows Logon user interface.
If this prompt occurs, users enter their Active Directory (AD) credentials or smart card PIN to access the app or desktop. This step is required when user credentials aren’t passed through during outages. Before accessing an app or desktop, users must reauthenticate to the VDA.
When a user launches a session during an outage, this window appears indicating that Workspace connection leases were used for the session launch:
After the session is launched, within the Citrix Workspace app, right-click and select Connection Center to view session details:
Service Continuity can allow users to launch resources during outages in double-hop scenarios, which are explained very well in the Citrix Docs section "Double Hop Scenarios - VDA Launch".
Service Continuity in Browser
Extensions for Google Chrome and Microsoft Edge make service continuity available to Windows users who access their apps and desktops using those browsers. The extensions are called Citrix Workspace Web Extension and are available at the Chrome web store and the Microsoft Edge Add-on website.
These browser extensions require a native Citrix Workspace app on the user device to support service continuity.
The native Workspace app communicates with the Citrix Workspace Web extension using the native messaging host protocol for browser extensions. Together, the native Workspace app and the Workspace Web extension use Workspace connection leases to give browser users access to their apps and desktops during outages.
To use service continuity in a browser, users must perform the following steps on their devices:
- Download and install a version of Citrix Workspace app that is supported for browser users.
- Download and install the Citrix Workspace Web extension for Chrome or Edge.
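Once both components are installed, the native messaging registration determines which extension IDs may talk to the native app. The following is an added example, not from the original post or from Citrix; it lists every native messaging host registered for Chrome and Edge on a Windows device using the standard registry locations and manifest fields, and the function name Get-NativeMessagingHost is hypothetical.

```powershell
# Added example: list native messaging hosts registered for Chrome and Edge
# and the extension origins each host accepts (allowed_origins in its manifest).
function Get-NativeMessagingHost {
    $roots = foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($vendor in 'Google\Chrome', 'Microsoft\Edge') {
            "$hive\Software\$vendor\NativeMessagingHosts"
        }
    }
    foreach ($root in $roots | Where-Object { Test-Path -Path $_ }) {
        foreach ($key in Get-ChildItem -Path $root) {
            # The key's default value holds the path to the host's JSON manifest.
            $manifestPath = $key.GetValue('')
            $manifest = $null
            if ($manifestPath -and (Test-Path -LiteralPath $manifestPath)) {
                try {
                    $manifest = Get-Content -LiteralPath $manifestPath -Raw |
                        ConvertFrom-Json
                } catch {
                    Write-Warning "Unreadable manifest: $manifestPath"
                }
            }
            [pscustomobject]@{
                HostName       = $key.PSChildName
                RegisteredIn   = $root
                Manifest       = $manifestPath
                Binary         = $manifest.path
                AllowedOrigins = @($manifest.allowed_origins) -join ', '
            }
        }
    }
}

# Review the output for hosts whose binary path or allowed extension origins
# are unexpected for the device.
Get-NativeMessagingHost | Format-List
```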