When discussing the Citrix Cloud Virtual Apps and Desktops Service with customers, the elephant in the room was always the question, “What happens if there is an issue on the backend in Citrix Cloud?” Up until now, the only response to that was to use the Local Host Cache feature of the Citrix Cloud Connectors. This meant in effect that customers had to keep running their on-premises Citrix ADC Gateway and Citrix StoreFront, and were not able to fully transition to using the Citrix Gateway Service instead. What have Citrix done to address this? Enter Service Continuity.
Service Continuity is currently in tech preview and, once it goes GA, will be a big leap forward in the resiliency of Citrix Cloud. The goal is to ensure that if there is an issue with the backend services in Citrix Cloud, the user can still connect to their resources so long as they have a network connection available to that resource location.
When a user signs into their Citrix Workspace App and Service Continuity is enabled, a connection lease token will be generated and saved on the user’s device to AppData\Local\Citrix\SelfService\ConnectionLeases. A token is generated for all resources that a user has access to, not just the ones that they have launched. This is because the tokens are generated on sign-on and not on resource launch.
The tokens are encrypted with AES-256 and will only work on that device. If you copy them to a different device, they will not work. Token validity can be set from 1 to 30 days, and there are PowerShell cmdlets available to revoke tokens should a device be lost or stolen, or a user account compromised. In this example, connections are blocked for the user for 30 days, the maximum lease time period:
Set-BrokerConnectionLeaseRevocationDate -Name domain/username -LeaseRevocationDays 30
When an outage occurs, users will still be able to launch available resources as they normally would. The one thing to note here though is that they will be prompted for AD credentials in order to access the VDA. However, if domain pass-through is configured on the Citrix Workspace App or Session Sharing is enabled, they should be able to access resources without having to provide AD credentials. If for any other reason a resource is not available, that icon will be dimmed out and inaccessible.
Users will be able to continue to access resources throughout an outage, even if they reboot their device, as long as they don’t sign out of the Citrix Workspace App. Once they sign out, any tokens are deleted. This can be changed via PowerShell, though, so that tokens are retained when the Citrix Workspace App is signed out of:
Set-BrokerSite -DeleteResourceLeasesOnLogOff $false
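To check what is actually sitting on an endpoint, the following added example (not Citrix's code, and not from the original post) inventories the lease directory named above for every profile on a device. It assumes the default C:\Users profile layout, an elevated session so that other profiles are readable, and that a file's last-write time approximates when the lease was issued; the function and parameter names are hypothetical.

```powershell
# Added example: inventory Service Continuity lease files per user profile.
# Only file metadata is read; nothing is assumed about the lease file format.
function Get-ConnectionLeaseInventory {
    [CmdletBinding()]
    param(
        # Root of the user profiles (assumption: default Windows layout).
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users'),
        # Lease validity configured for the site; the post gives 1 to 30 days.
        [ValidateRange(1, 30)]
        [int]$LeaseDays = 30
    )

    # Relative path as given in the post.
    $relative = 'AppData\Local\Citrix\SelfService\ConnectionLeases'
    $cutoff   = (Get-Date).AddDays(-$LeaseDays)

    foreach ($userProfile in Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue) {
        $leaseDir = Join-Path $userProfile.FullName $relative
        if (-not (Test-Path -LiteralPath $leaseDir -PathType Container)) { continue }

        $files  = @(Get-ChildItem -LiteralPath $leaseDir -File -Recurse -Force -ErrorAction SilentlyContinue)
        $stale  = @($files | Where-Object { $_.LastWriteTime -lt $cutoff })
        $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1

        [pscustomobject]@{
            Profile     = $userProfile.Name
            LeaseFiles  = $files.Count
            OldestWrite = if ($oldest) { $oldest.LastWriteTime } else { $null }
            # Older than the validity window: leftovers worth cleaning up,
            # if last-write time tracks issuance (assumption).
            StaleFiles  = $stale.Count
        }
    }
}

# The feature is limited to one user and one device, so lease files under
# more than one profile on the same machine are worth a closer look.
$inventory = @(Get-ConnectionLeaseInventory)
$inventory | Format-Table -AutoSize
if (@($inventory | Where-Object LeaseFiles -gt 0).Count -gt 1) {
    Write-Warning 'Multiple profiles on this device hold connection lease files.'
}
```

With the default sign-out behaviour described above, a profile whose user has signed out of the Citrix Workspace App should report zero lease files.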
There are of course some limitations right now. Key among them are:
- Only one user and one device, so this will not work in any desk sharing scenarios.
- Azure AD joined VDAs are not supported.
- Citrix Federated Authentication Services (FAS) and SSO to the VDA are not supported.
- Only works for the native Citrix Workspace App, no support for web.
The supported workload types are:
- Hosted shared apps and desktops
- Random non-persistent desktops (pooled VDI desktop) with power management
- Static non-persistent desktops
- Static persistent desktops, including Remote PC Access
So while it is not yet the finished product, this is going to be a vast improvement on the current situation. I’m in the process of testing this out and will post about my results here then.