Citrix Synergy TV - SYN230 - Citrix Cloud and Azure: real-world experiences...

Paul Stansel
Director, National EUC Practice at Presidio
Citrix Synergy Atlanta 2019
May 23, 2019, Atlanta, GA, United States

About speakers

Paul Stansel
Director, National EUC Practice at Presidio
Jason Samuel
Technical Solutions Management Security Architect at Alchemy Technology Group, LLC

Citrix Technology Professional (CTP) and VMware vExpert. Strong Architect skills focused on VDI and Virtual Servers with Citrix and VMWare with design and implementation from 20 users to 55,000. 25 years of technology experience with 22 of them working with Virtualization and EUC technologies in multiple Fortune 100 companies.


About the talk

In this session, we cover real-world experiences of several Fortune 500 customers from the field during the past year of deploying Citrix Cloud in Azure. What should your considerations be around identity and Azure resource limits? What is your strategy for networking and traffic management and workspace configuration? We’ll discuss common architectural challenges and how to solve them, as well as our personal tips and tricks for successful deployments of Citrix Workspace. Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.


Good morning, everybody. Thank you, those of you coming in. Hopefully you can get a seat where you can see the slide deck. I admit this room is a little awkwardly formatted here. This is Citrix Cloud and Azure: real-world experiences and tips for successful deployment. I am Paul Stansel. And my name is Jason Samuel. So who am I? I am a Citrix CTP, have been for the last five years. I've architected and implemented multiple Fortune 100 environments all the way up to 55,000 plus seats. I've got

22 years of working with Citrix WinFrame, Citrix products. So I go back to WinFrame and US Robotics modem banks and all that other fun stuff, right? I'm an author and editor and I own citrixtips.com, where we somewhat infrequently post content and free tools. So if you haven't seen it before, check it out. We've got some good stuff up there, and currently I am the director of Presidio's end-user compute practice nationally, so I own all pre- and post-sales resources for the end-user compute space for Presidio. And who am I? So I'm also a CTP, the architect of multiple

Fortune 500, Fortune 100 Citrix environments. I've got 20 plus years of working with Citrix products, and you may know me from jasonsamuel.com, and I'm the Technical Solutions Management Security Architect at Alchemy Technology Group, which was the 2017 commercial partner of the year. So if you feel inspired, and we hope you do, please tweet about this session today. It's SYN234, the hashtag, and personally I'm @PStansel and he is @_JasonSamuel; make sure you get that underscore. And post-presentation, all slides and recordings are going to be up obviously on

the Synergy website, and I will also put the deck up on citrixtips.com. So today what we're going to talk about is what should your considerations be around identity and Azure resource limits; those are both very important topics when you're looking to design a Citrix implementation on Azure. We're going to talk about your strategy for networking and traffic management and workspace configuration, with traffic management being a subject near and dear to my heart. We'll talk about common architectural challenges and how to solve those challenges. And then we've got some general advice, you know, things

that we see a lot of people miss when they first go to look at doing a Citrix implementation on Azure, whether it's Citrix Cloud or just Azure as a resource location. So first, what I'm going to do is I'm going to talk about common design types for Azure deployment. These are the things that, when we go into customers, these are the designs that we tend to be doing for the most part. The first one is greenfield on Azure. So this is everything built within your Azure resource locations. This is Azure as a pure Azure play. You were

taking your normal Citrix on-prem deployment model, you're extending it up to Azure and you're using it the exact same way you would use any on-prem deployment. Right? We do a ton of these. People for whatever reason want to dip a toe into Azure. They want to use Azure and test it and see what the performance is like, but they don't want to commit whole hog to Citrix Cloud or extend a current zone or anything. So they build this isolated environment. We've seen a lot of these turn from POC to production. Sometimes that's a good thing. Sometimes that's a bad thing. You didn't build it to

be production out of the gate. But the thing that you really want to remember when you're designing this is you want to use segmentation for availability sets so that you have full fault redundancy for your environment, and I'll talk a little more about availability sets later in the process. The other thing you need to remember is NetScalers on Azure: you do not have layer 2 access on Azure for NetScaler. So you can't just do a typical active-passive load balance like you would with your NetScaler. Sorry, I keep saying that. Citrix Gateway,

ADC. I'm going to get it one of these days, sometime in about 5 years. So your Citrix ADCs on Azure, you need to use Azure load balancers to front-end any VIP that you were trying to do traffic routing for when you have multiple NetScalers in Azure, and those Azure load balancers actually take traffic and apply the traffic routing policies and then send it to the correct NetScaler. You have to do that because, like I said, you don't have that layer 2, so you can't get the heartbeat between the HA pair of NetScalers for them to tell which one's

up, which one's down. There is a different method to do this, which Chris Rogers demonstrated two years ago, I think at Synergy. You can find it on YouTube, where you actually single-instance NetScalers and you GSLB them instead. So that is another way to do this. But typically what we're doing is deploying with Azure load balancers, both externally for your gateway traffic and internally for load balancing StoreFront or any other VIPs that you want to load balance. So you have to have a separate Azure load balancer for that. The next one we're doing a lot of is DR zones on Azure. So

if you have an on-prem installation and you want to just extend that to Azure as a DR resource location, it requires less infrastructure, obviously, because you're not having to put as much stuff up into Azure, but the reality is it's almost the same design as a greenfield at the end of the day; you're just eliminating certain components that you might otherwise have had to have. One thing I really want to stress is the importance of having an AD controller up in your Azure resource location. If you try and send your authentication traffic back

to on-prem, if you think, oh, I'm going to either save myself time, effort, or, you know, security-wise it's better not to have it in Azure, you're going to kill your logon performance. It is awful. And by the same token, if you're using any type of profile management solution, you need to have file servers in Azure that host the profile management, because if you're trying to send that back and forth across the backplane, again, that is an awful experience for you. I can just tell you from, unfortunately, many tries. So the third one that we're doing obviously is Citrix Cloud

with Azure ADCs. So because of some traffic limitation problems that we're going to talk about here in a little bit, we are still doing quite a bit of this, where we are deploying virtual ADCs in Azure still, even though we're using Citrix Cloud as the control plane. So we're not taking advantage of the Gateway service features and functionality of Citrix Cloud, for a few reasons we'll get into, but it's still built out entirely as a deployment. So you have your cloud and your resource locations; again, you're still going to want Active Directory, you're still going to

want file servers, all of that infrastructure that you normally would put next to your Citrix servers is still critically important. And then this is the last one, Azure Workspace. So this is the one that Citrix really wants you to go to, right? All this week, all we've heard is workspace, workspace, workspace. They really, really want you to use Workspace. Workspace is a cool product. It's got a lot of features to it. If you look at the Citrix Cloud components of Workspace, you can see, you know, we now have the Gateway point of presence, which we'll talk about in a minute. We've got web-based

Director up there, Studio, you have the Workspace console, you have SQL Server. So all of that infrastructure is now out of your data center to manage, or Azure to manage. SQL we're seeing as a definite win; people like that they no longer have to pay for that SQL license. They like that they don't have to directly manage that SQL Server. Caveat: if you're using PVS with an on-prem deployment, you still have to have SQL locally for that. So it doesn't take away all of your SQL requirements, but for a Citrix Cloud on Azure using MCS deployment, SQL isn't an issue for you

anymore. Let's talk a little bit now about resource limits. So I'm going to say this again: all Citrix infrastructure on Azure, I should say that, should use availability sets. If you have two StoreFront servers, you want to use an availability set. If you have two Cloud Connectors, you have to use an availability set. Not have to, must, should, really strongly recommend, right. The reason for that is availability sets determine uptime. So if you have two servers

and Microsoft decides that they want to roll a patch and they want to patch both of those servers and they want to reboot them at the same time, which they will do if you do not have an availability set, it'll just boot them whenever it wants to do them, and your NetScalers might go down, your domain controllers might go down if you have multiple domain controllers, your Cloud Connectors definitely will go down. It happens all the time because people don't define availability sets correctly for their Citrix infrastructure. So if you don't have Cloud Connectors up,

then you're in trouble, because you can't authenticate, you can't broker sessions at that point. They proxy all the authentication traffic that you're doing between Citrix Cloud and that resource location. So you need to make sure that you're using availability sets to protect your uptime of those cloud components. The other big point is, until 6-8 months ago, all of the traffic flowed through the Cloud Connector back to the control plane. Now Citrix has a release where that VDA traffic flows directly from the VDA back to the Citrix

Cloud control plane, right? Great. You don't have to scale your Cloud Connectors as large. There's lots of benefits to that. But if for some reason it can't make that direct connection, if you have traffic policies, routing, etcetera, that deny that direct connection, it still falls back to routing that to the Cloud Connector. So yeah, if your Cloud Connectors aren't up, you're in a whole lot of trouble. I'll pass it over to Jason. So let's get into identity disk costs. One of the things that most people don't think about is the cost of those identity disks. Cloudyn

is really your friend for this. When you log into Azure, on the left-hand side there's a section called Cost Management + Billing. When you click on that, it'll show you a little section called Cloudyn, and it's actually getting deprecated; it's currently a separate site. So it'll tell you a little message there, but then there's a little blue icon that says Go to Cloudyn. Then once you click on that, buried at the top of the resources section there's a section called Azure Resource Explorer. When you click on that, you set your date range, and then there's a little search field. In that search field, type in the

word identity disk, and this'll list all the identity disks that are being used in your Azure region. Now what you'll see is all your identity disks listed out, and they'll all be 1-gig identity disks, but it will say premium SSD managed disk next to it. Look for VMs that have been running for pretty much the whole month, which will be sooner than 30 hours, or just the ones that have only been running for a few hours, and you'll notice that the charge is the same for both of them. No matter what, if

MCS created any type of VM and it's just sitting there unpowered, it's still there, still going to charge you $4.80 for the identity disk. Now that $4.80 charge is actually a 32-gig minimum charge that Microsoft charges you, so regardless of the VM, you see that it's just showing as 1 gig, you will get charged $4.80. So what does this mean when it comes to scale up and scale down? If you wanted to spin up, let's say, 10,000 virtual desktops in Azure, regardless of MCS doing orchestration, tearing down those VMs, powering them up, you're still going to have to pay for that. So that's $4.80 x

10,000, which is $48,000 a month just for those identity disks. Now there are different lower tiers of disks that you can use, like the standard SSD or the standard HDD. These have a significant performance hit, but you can't actually use these disks with MCS because it's not supported. All you can do is that premium SSD, which is $48,000 per month. So I know what everybody's thinking, and I had to say don't panic, and I'll put that up there with three exclamation marks. When you look in Cloudyn, there's a list price and there's a cost price. There's

two fields, two rows going down. The list price is kind of the retail price. The cost is what your real cost is, and your Enterprise Agreement with Microsoft may give you some discounts. So look at the price per unit and look at that cost field to know what your total could be. So it might not be the $48,000, is what I'm saying. Now at the end of the day, MCS orchestration is going to save you a ton of money regardless, even with the cost of the identity disks factored in. The cost of doing DRaaS, like a

warm disaster-recovery-as-a-service option for your company, with MCS versus some other mechanism is usually a lot more expensive. For example, let's say that you were trying to just give 10,000 laptops out. That's going to be our scenario, which by the way is something I've seen out there in the enterprise world as their DR strategy. At that point, you're spending like $3,000 per laptop, which can be 30 million dollars. So, you know, that's a big price difference there. I'm not an accountant in your company, but I would say that 48,000 is slightly less than

$13. So, you know, just think about that when you're planning out your cost. Now getting into subscriptions. An Azure AD tenant is one thing; it's what you have at the top level, right? That's where Azure AD resides. From there you can have as many subscriptions as you want. And then from there you have as many resource groups as you want underneath the subscription. What we recommend for large enterprise deployments is to go multi-subscription. This is to alleviate a lot of the limits that Microsoft places at both the subscription

and the resource group level. The most important limit to remember is that you can only do 240 VMs per resource group with MCS and Azure managed disks. This is a limitation of how many disks you can have in a resource group, and then it's actually further cut down because MCS has multiple disks attached to each VM. So the limit for MCS in a resource group is going to be 240 VMs. Now the other limits to consider that we commonly see hit by large organizations: that first one there, the VM total per subscription. It's 24

per region. You can quickly hit that limit. The good news is you just call Microsoft support and they will raise that limit for you. The second limit we see is around the number of VMs per series, TV 2 and 1/2, which are two of the most common ones for Citrix workloads. They have 24 per region; again, you call Microsoft, they will lift this. The last one that I've seen before is VMs per subscription, 25,000 per region. This isn't very commonly hit, but I did see one organization where they were using a specific region as their DR location, just piling on VM after VM, so they're actually

approaching this. And then for a full list of limits that you need to be aware of, you can hit that link from Microsoft. The other big limit that we need to talk about is Azure Resource Manager throttling. There is ARM throttling of APIs, and MCS, all it does all day long is talk back to Azure using APIs. So MCS can really slow down to a halt or even just time out completely if you start hitting some of these limits, and those limits are 12,000 read requests per hour and 1,200 write requests per hour. The other thing I want to talk about is Azure tags.

MCS uses tags at resource groups, on VMs and storage accounts. And if you change or delete any of these tags, MCS stops working; it will cause all sorts of problems. So what I've seen in large organizations is that they have automation or reconciliation scripts in place, and they're going in and touching these tags, and then MCS stops working. So you just need to be mindful of that. Now, I want to point out that resource groups have about three tags right now. VMs have two tags on them. You can just go into each of these and click on Tags and you'll be able to see them, and

the last one is storage accounts, which have six different tags on them. At some point in the future Citrix might change that or add additional tags, but there is a commonality here: every single one of those tags starts with the word Citrix. So if you're writing scripts, just say, hey, if you see Citrix*, then you don't change that particular tag, and you should be all right. All right. So let's talk a little bit about my favorite subject, traffic routing. If you were in the session yesterday, or if you've ever looked at Jason's site, you might recognize this

map. This is the Gateway service points of presence. So Citrix has, around the world, points of presence for Gateway service. You might notice there are a couple very large gaps in this map. Certainly an entire continent would be a large gap, and we do hope that Citrix recognizes that there's Azure resource zones that are now there, so maybe they might want to put something down there. When you go out to the public and you hit your Gateway service URL, it routes you based on

its load balancing GSLB algorithms to what it considers your closest point of presence. So, you know, if you're in the US, you've got a bunch of choices; if you are in South Africa, you're probably going to Singapore or maybe West Europe, right? So it's just important when you're trying to understand traffic routing and where the heck your endpoint is actually going in terms of traffic. Now, this is really important when we start talking about Workspace. So Workspace: you have a user, you have a point of presence that they go

to, you have Workspace, which goes to your VM, which goes back to your point of presence, which goes back to your user. Now, I know you're thinking, good Lord, that's an awful drawing, and you're right. So luckily there's this chart here on his website. If you ever go and grab his Visio pack, or he's got PowerPoint icons as well, that lays out that whole process in a lot more detail and certainly a lot clearer than my little scribblings on the screen, right? But what you need to

understand is, and if you were in my session yesterday I apologize for repeating this, but it's really important: you need to understand that Workspace has no method of differentiating your internal traffic from your external traffic. If you are an external user, you hit the public internet, you go to the closest point of presence, that point of presence then sends you to Workspace, which sends you to your VDA, which sends you back to your point of presence, which sends you back to your endpoint device. If you are an internal user sitting next to the machine hosting your VM and

you want to use Workspace, and Workspace is configured for both internal and external users, then you're still going to go out to the public internet. You're still going to go to the point of presence, which hopefully is somewhere near you, you're still going to go to the Workspace service, to the VDA, and it's going to make that return loop. That is hairpin traffic routing. There is no way to use the Workspace environment today for both internal and external and use the Gateway service if you don't use that external routing path to the point of presence,

so you just have to keep that in mind when you're doing that. Now, for a lot of users that's not necessarily a problem, right? Especially if you're in the US or close to your point of presence, you're probably not going to see any significant changes by doing that, other than your network administrators are probably going to be like, why is our internet usage so much higher now that we put this Workspace product in? Well, now all your users are going out and back in rather than just straight across. Not great. There's other problems to it, right. There's no

Enlightened Data Transport on the Gateway service today. So if you are a high latency, low bandwidth customer and you're trying to do very high definition graphics, video, you can't use EDT with Gateway service, which means that your experience is probably going to suffer. So you just need to be aware of that. But one of the things that we do want to stress is what we found in deployment, is that the out-of-the-box template for user experience is wrong. Out of the box, they don't give you a great experience. We

recommend setting the very high definition user experience in your Citrix policies and starting with that as your baseline, and then if you need to, ratchet it back from there. But we've seen tremendous session improvement by using that, and yeah, you're going to use more bandwidth. I'm not going to sit here and tell you there's no cost to doing that, but it makes for an infinitely more usable session when you're using Workspace and Azure-based resources. The other option, which is the one we're still doing a ton of, like I said before when I showed you the designs, is to do StoreFront

plus ADC. It works. It works well. You still get all the benefits of EDT. There's no hairpin traffic because you're putting your ADCs right next to your resource locations for all of your VMs. You miss, though, all of the benefits of Workspace, which is clearly the direction that Citrix wants you to be going. So you can do it and it works great, and it's what we're probably doing still 85, 90% of the time, but it won't get you as future-thinking or future-proof as you look at what Citrix has coming down the pipe. We'll talk a little bit about ingress traffic. So

your HDX traffic needs to hit the internet directly. Like I said, you know, we've seen people try and do crazy things where they want to whitelist IP addresses for the Gateway service and then, you know, they wanted to do all that. Don't do that. Don't even try to do that; it's a nightmare for you. You're never going to get it right. UDP: like I said, HDX Enlightened Data Transport, EDT, is a UDP-based protocol, and today that doesn't work with the Workspace Gateway service. One of the things that we see

people get wrong is how they use ExpressRoute. So you want to limit the ExpressRoute traffic with your Citrix Azure infrastructure to just your backend traffic. You only want it to be doing the stuff where what's in Azure has to talk with what's on-prem. That's what you want that pipe for. If you start routing your other traffic across that, you're going to kill that pretty quickly and you're going to be spending a lot of money doing it. And this one's really important, and it goes back to the point of presence, right? You must split

tunnel your VPN users. If your VPN user is sitting in India as a developer and they VPN back to your US-based data center and you don't split tunnel them, think about it. They launch a Workspace session. They're not going India to US over VPN. They're going out to the public internet, they're going to the point of presence, they're going to the VDA, they're going back to the point of presence, they're going back to the VPN endpoint and going back to the end user. Right? That's no good. That would be so much better just using the public internet, riding it to

the closest point of presence and then getting to their Citrix infrastructure. We see a lot of people skip that and their experience is incredibly painful. So just make sure that you're allowing your VPN users to split tunnel like that. I know split tunnel's a bad word if you're a security guy, I get it, but it honestly will make their experience so much better. I'll talk a little bit about egress traffic now. So one thing that, as we broached Azure deployments with newer

customers, a lot of them didn't realize is that if you spin up a VM in Azure, by default it has got direct internet access, right? So we spun up a bunch of VDAs and they say, hey, how come they're not getting my policies? How come they're not going through my firewall? Because you didn't tell us you wanted to do that. You should always use next-generation firewalls or secure web gateways to secure that outbound traffic and provide your content filtering, because if you're not doing that, then they are wide open to the web, which may be okay, but for most places is probably a big no-no. Don't

route your Azure sessions back to the local egress point. That little snail will be your users and the turtle will be your bandwidth. You know, we've seen a lot of people think, hey, I don't want to put anything up in Azure for a firewall, so what I'm going to do is I'm just going to take them all across the backplane back to my local data center and route them out that way. That is a bad plan, and your users will hate you if they have to do anything that involves the internet. All right, my favorite topic. So we're getting into identity and access management considerations.

So today with Workspace and Gateway service, there's a few different options, actually, for authentication; still here on the right. The first option is going to be AD password only. How many people are currently using this? I guess it, really, you should not be using that if you really think about it. This is the stuff that has no multi-factor authentication whatsoever. And if you really think about it, Workspace offers virtual apps, virtual desktops and files presented at the perimeter, and the only thing that's

preventing the bad guy from all your data is one weak password. So do not use this option. What you should be using, if you don't have an existing MFA solution, is a new option called AD password plus token, and what that is, it's a TOTP code that you can use for your users. They just register on it very quickly; it's a very simple onboarding experience, and then immediately you have an MFA solution. This is probably good for enterprises that have no MFA solutions in place. And also I just want to point out that it is included with all flavors of Workspace. As

long as you have Workspace, all you need is your tenant and you've got Workspace, you get this option. So there's no reason not to use it. What we see most enterprises use actually is Azure AD. This was one of the first options that was included with Workspace. With this you get password plus Azure MFA. So you got the traditional password and you got a traditional, really strong multi-factor authentication solution. Additionally, you can do passwordless phone sign-in with Microsoft Authenticator, but currently with Windows, so it won't work; it'll actually prompt you for

a password. So it's not a full passwordless solution just yet. And then the third thing you can do is federation from Azure AD to whatever you like. The most common thing that we see is ADFS, but you can federate to other identity providers very easily. The last one I want to point out, and the one that's circled in red, is the AD plus Gateway AAA option. It's currently in private tech preview. It's going to become tech preview here shortly, but this is probably what most large enterprises with no Azure AD, that have an existing Citrix ADC, or some NetScaler on-prem,

and have existing MFA solutions, will use. It's very simple to set up; all it is is an OAuth IdP profile on the ADC, and after that it unlocks everything. Once you wire that up to your Workspace, it just unlocks everything on that ADC that you have configured. So we're talking about RADIUS authentication, SAML authentication and OpenID Connect. So what this means is that you can use Okta, PingFederate, Google, SecureAuth, ADFS, anything that you have on that ADC on-prem, with the Gateway service. The other option that a lot of people used to use

and are moving away from is the StoreFront + AD + ADC option. This is for both authentication and traffic. What this gives you is all the options I just covered on your on-prem ADC, and it also doesn't give you that traffic hairpin issue that Paul was talking about earlier. The con is that you lose all the Workspace benefits. So you don't get any of the new stuff that you've seen here at Synergy. This is kind of a legacy approach. So really start thinking about Workspace with Gateway service. Once the hairpin issue is

resolved, there's really no reason to be deploying this legacy method. Now FAS integration with Citrix Cloud is going to be tech preview very soon. It was actually announced just yesterday. I don't know if some of you got to see that session with Oscar and Rick, but they actually demonstrated this. It gives you the ability to stand up FAS servers and CAs in Azure, and you can use a cloud-native HSM if you need to do anything with the keys, but once you do this, you can actually wire that environment up to your Gateway service, and what that gives you is the ability to use any type of modern

authentication, passwordless, any new modern passwordless option, with your Gateway service. There's a number of different passwordless options out there, but since this is an Azure-focused session, most everybody in the room probably has Azure AD. So one of the things that you can do is this new feature in Azure AD that you can enable called passwordless phone sign-in with Microsoft Authenticator. Once a user types in their email address at the Azure AD login page, once they hit next, they're used to seeing a password field. But instead of that password field now, you're going to see the

screen where it says, hey, go look at Authenticator and look for this number. At the exact same moment in Authenticator, it's going to show you a little pop-up at the bottom, and it's going to show you three numbers, and you have to pick and match the number that it showed on your screen. What this does is it forces you to authenticate for that particular session, to really prove it's you; that's actually kind of Medicaid. So that's the first factor, no password. The second factor is a biometric, in this case Touch ID, but you can use Face ID, and you can even use a PIN if that's

what you do, if that's what you're using, one of those, but you enforce that; you have the capability to enforce it in Azure AD to do so. It is full passwordless authentication all the way through. With FAS now, once that gets integrated, once you launch a virtual app or virtual desktop, you'll no longer get a password prompt there. It'll do full SSO all the way on through for a full passwordless experience. Now another thing we want to talk about is the first-time login experience at Workspace. When a user first logs in to Workspace, Azure AD is going to pop up with this message

thing permissions requested and it's going to say something is permissions means that you allow this app to use your data specified in the terms of the Privacy statement. And then it says the publisher has not provided links to their terms for you to review the users have to blindly hit the accept button here. And if you have trained her uses very well, they'll think this is a fishing message. So hopefully they closed the browser window or otherwise, I'll just break down call the service desk. Either way. It's not the best option. So what you can do as an admin on behalf of users go look

at the sitter's cloud Enterprise application. I ain't as r a t and go cook on permissions and there's an auction in there to Grant consent for all the users in your company. Go ahead and click that button. Once you do that you're going to get this prom and it's going to say if you accept this apple get access to all the resources that it needs and no one else in your position will be prompted by the Message once you do that then when your users first log in the workspace, they're going to see the spinny Works workspace logo, and then immediately said see they were for last desktops in file.

So it's a much better first time user experience. So let's talk about power management a little bit when I power management is the only way that you will make an Azure based virtual desktop anywhere near the same price as a non from virtual desktop. If you are not controlling your machines by power management in the allocation, then the reality is you're going to spend probably infinitely more money than if you were just hosting a locally, right? So power management is key Citrix has had for a while a tool called called smart scale smart

scale is being deprecated as of May 31st. I believe it will no longer be available. So what the replacement for smart scale is is autoscale. Now here's gacha smart scale wasn't on Prime products. You could use it both on for a man. And Citrix cloud autoscale is Citrix Cloud only. So if you have not embraced the cloud you will not have the scaling capabilities. There are Community scripts out there that you can get that will Simulate some of the same functionality but to use Citrix is tools you must be on Citrix cloud is your control plant autoskillz pretty good. It's a

per delivery group setting so you will set this on each of your delivery groups. Now if you got a million delivery groups, I'm sorry because this is going to take you awhile, but you can create schedules you can create Windows that those schedules apply to you can create your capacity buffers Peak off-peak what those what those windows are. You can go in and say I want to pre-stage a bunch of machines. Right? So if you know your users typically come on at 8 and you want to start spitting up machines at 7, especially if you have a lot of machines and you're worried

about the eye the io buffers in the the limitations that Jason talked about earlier you can set that so you can start scaling those machines up ahead of time at specific times. You can apply that scheduled days of the week. So if you're up, you know Monday to Friday shop and then on the weekends, you can leave want to leave it all spun down you can do that. And then the last thing that it's got is this cool little machine cost. If you know your true machine cost or you just want to guess it's putting a number in there. I guess you can put that cost per hour in that window and what'll happen

is overtime. It will actually generate data which I do not have because I didn't do it. That you can then seeing director. So this is in the citrus cloud web-based director. There is a report that you can run that shows you your estimated savings based on a scale. So this will show you know a good report that you can give to management and say hey and I am being proactive and saving you all this money. So that's a good thing. We want to talk a little bit about just general advice. Right? So we've given you a bunch of specific technology

stuff, but there's things that we tend to see when we're rolling this out to customers that we just want to blow through pretty quickly here cuz we're actually running low on time. So as your service principles APNs, so sit that's what Citrix uses as its security credentials to communicate between the cloud control plane and your Azure resource locations. The easy default answer is you use a global admin account that has all rights and can create everything and Destroy Everything But most places have problems with that from a security

perspective. So if you can't get a global admin to help you create that connection originally, what you can do is use the sea TX to 24110 article, which gives you a lovely long script that you can use to create that can I Now we will tell you nobody gets it right the first time. I don't know what it is. The script is is very complete but I've never seen a single customer actually get it right the first so don't be worried. If it doesn't go right the first time you're in good company. The other thing I will say is you

should not modify that script that we've had customers that thought. They were smarter than Citrix and said, I'm going to rewrite the script or I'm going to cut this part out cuz Shirley Citrix doesn't need this and they don't tell us that they do that and we spend a week on the phone between Citrix and Microsoft trying to figure out why MCS won't provision correctly. Guess what they modify the script so that script is available for you. If you don't just want to use a global admin. So one of those misconceptions that we see is that Office 365 in Azure are treated the same in reality

and Azure are two different things. Are there actually two separate clouds if I was a bunch of microservices, right? So you can be hitting all sorts of things OneDrive for business goes this way teams goes that way and if you actually take map of all the other C5 front doors and overlay it over an ashram at 54 Regent you'll see that the dots don't align exactly why should he was a lot more roaches to buy front doors. So what that means is when you have virtual ass or virtual desktops and add your eyes they may not be steered to the proper notice by front door. Microsoft has an excellent

guide hear that talks about all these issues and they also have a tool that you can run in your virtual apps and your virtual desktops where you can see if traffic is being steered correctly. If it's not they give you some guidance on how to fix this and what most organizations end up doing if they use an SD wheel and Technology to help steer this go through C5 traffic. The other thing that we want to talk about us antivirus and endpoint security exclusions. Most people don't realize that text don't actually has an anti-virus best practices out there and

for the cloud connector specifically there's a list of things that you need to whitelist specifically the process xdxd Cloud proxy. Exe is so important because I put frosting on your traffic through the next thing of course is the va's those have a several things as well that we need to whitelist. The next thing you want to talk about is proxy and firewall, exclusions large organizations tend to have many appliances in cervix service services that are touching the the date of scream and you need identify all those things that touch your HDX traffic anything that you could pass

through many times it in an Enterprise. We are Citrus Engineers. We don't know what's being used. We have to go to the network team and actually asked him so I encourage everybody to go and ask questions your network team figure out what's happening cuz that it's not going to be readily in front of you you have to actually have conversations with people about this things to look for is IPS IDs Deepak inspection SSL decryption content filtering and a light and there's a bunch of you are out there that you need a white listen to work with your network team on. The last thing I want to say is

around. Cloud connectors and Windows updates when you put all your Cloud connectors in the same SCCM update policy if they all reboot at the same time, your HDX traffic will just drop out on him. So what citrus recommends is you'll go ahead and do your Windows updates, but set it to where it doesn't do the auto reboot Citrix Cloud will actually see that there's a Windows update that needs a reboot and it will actually reboot the servers one at a time for you. So it doesn't impact your user traffic. The last thing I want to talk about is stability Citrix has a

published uptime of 99.5% monthly as a metric for Citrix Cloud. That's a great metric. But you need to be aware that that metric does not include any of the other components that actually get you to Citrix cloud like your internet like Azure like anything that's in between you and citrus cloud. So when they say 99.5% and they hit that that is specific only to the Citrix Cloud components. If Asher has an outage they do not include that in their uptime park at numbers. So for organizations that have a very high requirement,

you know, 3959 is whatever you need to be aware that you probably will not meet that with Citrix Cloud. Once you include all of the other components into that process, so they have they do a very good job and it's not like they control Azure, right? But the reality is that plays a big part in their availability. So that's what we got today before you leave. We did want to recommend this afternoon syn2 31 architect into work space for high security looks like it should be really great session conference surveys. Obviously you all get those through your

app or three male. So do those like I said, the sessions are going to be available and rape the session through the mobile app use the game. Thank you for coming and do you have any question if you do there's a microphone right here.
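The Cloud Connector Windows Update advice above, as an added check that is not part of the talk or any Citrix script: it reads the Windows Update policy on each connector and flags any that Windows could restart on its own, so the reboot stays with Citrix Cloud's one-at-a-time restart. The connector hostnames are constructed placeholders; if SCCM delivers the updates, the SCCM deployment's own server-restart suppression must also be set, which this script does not touch.

```powershell
# Added example: audit (and optionally fix) the Windows Update auto-reboot policy
# on Citrix Cloud Connectors. Hostnames are constructed placeholders.
$Connectors = @('cc-azure-01.corp.example', 'cc-azure-02.corp.example')
$AuPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$RebootFlag = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

$results = Invoke-Command -ComputerName $Connectors -ScriptBlock {
    $p = Get-ItemProperty -Path $using:AuPolicy -ErrorAction SilentlyContinue
    # AUOptions: 3 = auto download, notify to install (no unattended install or reboot)
    #            4 = auto download and schedule install (Windows may reboot by itself)
    $auOptions = if ($p -and $p.PSObject.Properties['AUOptions']) { $p.AUOptions } else { $null }
    $noReboot  = if ($p -and $p.PSObject.Properties['NoAutoRebootWithLoggedOnUsers']) {
                     $p.NoAutoRebootWithLoggedOnUsers } else { 0 }
    [pscustomobject]@{
        AUOptions      = $auOptions
        NoAutoReboot   = $noReboot
        # Pending reboot that Citrix Cloud will pick up and perform one connector at a time
        PendingReboot  = Test-Path $using:RebootFlag
        # Scheduled install without reboot suppression: Windows itself may restart this connector
        AutoRebootRisk = ($auOptions -eq 4 -and $noReboot -ne 1)
    }
}
$results | Select-Object PSComputerName, AUOptions, NoAutoReboot, PendingReboot, AutoRebootRisk |
    Format-Table -AutoSize

# Remediation for flagged connectors: keep downloading updates, but stop Windows from
# installing and restarting unattended. NoAutoRebootWithLoggedOnUsers only holds the
# reboot while someone is logged on, so AUOptions=3 is the conservative setting for a
# connector that normally has no interactive session.
foreach ($r in ($results | Where-Object AutoRebootRisk)) {
    Invoke-Command -ComputerName $r.PSComputerName -ScriptBlock {
        New-Item -Path $using:AuPolicy -Force | Out-Null
        Set-ItemProperty -Path $using:AuPolicy -Name AUOptions -Value 3 -Type DWord
        Set-ItemProperty -Path $using:AuPolicy -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
    }
    Write-Host "Auto-reboot suppressed on $($r.PSComputerName); Citrix Cloud will schedule the restart."
}
```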
