Citrix

There are countless advantages to using Citrix, including:

• Most Advanced Virtualization Capabilities. Known for laying the groundwork and optimizing Microsoft Windows since 1997, Citrix is a pioneer in remote access infrastructure. This ongoing innovation in management, security, analytics, and performance has made Citrix the most advanced digital workspace platform, adaptable for diverse use cases across all major industries.
  
  
• Most Optimized User Experience. For over 30 years, Citrix’s ICA protocol has evolved to adeptly handle network constraints, diverse workloads like multimedia and 3D design, and varying client-server capabilities. It optimizes performance, ensuring applications run seamlessly, akin to local endpoint execution, while minimizing bandwidth. Despite improved network and Internet capabilities, network quality and latency issues persist in various scenarios. Built on ICA, Citrix’s HDX technology remains a market differentiator, outperforming competitors in most conditions. It’s highly adaptable, supports all endpoint devices, and delivers quality user experiences regardless of device or network conditions. Our comparative tests against other technologies, especially in challenging scenarios, consistently show Citrix providing a superior, usable user experience where others fall short.
• Strongest Security Features. Citrix is often recognized as the “original” zero-trust access solution, with security being a fundamental aspect of its architecture since inception. Continuously innovating in this field, Citrix not only enhances secure architectures and coding practices but also introduces vital security and auditing features. These developments are particularly crucial for sensitive sectors like Government, Healthcare, Finance, and Insurance. Citrix stands out for its extensive security capabilities, offering features like contextual and conditional access controls, session recording, anti-keylogging, screen scraping prevention, Zero Trust Network Access (ZTNA), end-to-end encryption, secure remote access, and remote browser isolation. This comprehensive security suite makes Citrix a leader in the digital workspace security domain.
  
  
• Highest Flexibility and Scalability. Citrix is highly flexible, not only in terms of what devices it can deliver to, but resources it can deliver (OS) and underlying platform. Citrix has the broadest support for public clouds and hypervisors in the industry, driving on-premises, hybrid cloud, and multi cloud flexibility based on organizational needs. Citrix’s control and access plane is available both as a suite of cloud services or a fully on-prem solution to best align with organizational objectives, and is the most proven platform at scale, with deployed scales reaching hundreds of thousands of users within an environment.
  
  
• Broadest Ecosystem. Citrix’s industry recognition, customer adoption, and long-standing tenure in the market created an entire ecosystem over the last several decades. Solutions that optimize, secure, or extend its native capabilities have ranged from use case specific peripherals and printer virtualization to advanced monitoring, user environment management, and app containerization. The Citrix Ready program includes hundreds of software and hardware products certified to work with Citrix solutions. The ICA protocol virtual channel architecture allows software and hardware vendors to extend their capabilities from the endpoint to the digital workspace, allowing high levels of integration.
  
  
• Comprehensive Digital Workspace Platform. Although Citrix’s virtual apps and desktops platforms are its hallmark product, Citrix also offers advanced security and performance analytics, ZTNA, endpoint management, and enterprise browser add-ons in its product suite.
  
  
• Industry Recognition. Citrix consistently receives high marks in industry and analyst reports reflecting its market position and trust earned from customer base. As the industry’s gold standard, Citrix is the preferred choice of the Fortune 1000 and software companies for delivering Windows, Linux, and soon MacOS apps and desktops. Developed over decades, Citrix consistently evolves to meet customer demands, enabling companies to surpass technological limitations.

Although login times are a challenge with all digital workspace platforms, Citrix and its ecosystem of technology partners have excellent tools like ControlUp for monitoring login times and pinpointing the best ways to speed them up. Ferroque is also an expert at analyzing and reducing login times, improving the digital employee experience and saving customers tens to hundreds of thousands of dollars annually in lost productivity.

Contributing factors vary but may include:

• GPO design and structure
• Improper use and presence of login scripts
• Applications and user environment
• User profile and drive design
• System resources
• AD topology, design, and configuration

Citrix has an install base supporting roughly 100 million users across diverse industries and organizations, pushing Citrix to consistently lead the field in security innovations.

Some of Citrix’s security and compliance features include:

• Conditional and contextual access controls via SmartAccess, SmartControl, and device posture scans to create customizable decision-based access logic to grant or block access to specific Citrix resources, and to grand or block access to certain client redirection capabilities such as printing, drive redirection, clipboard redirection, and more.
• Device posture scans via Endpoint Analysis (EPA) or the Adaptive Authentication service to grant or block access to SPA, Citrix or to certain Citrix resources, or redirection controls via SmartAccess or SmartControl policies.
• Session recording technology to record on-screen activities within Citrix sessions hosted on Windows operating systems for later playback to meet corporate or regulatory compliance.
• Citrix Security Analytics for Security to monitor and correlate data points for automated assessment of risky users and logins and take action to mitigate impacts.
• Session watermarking to display a text-based watermark on app or desktop sessions to deter and track data theft.
• Anti-keylogging and screen scraping via App Protection to safeguard corporate data against these attack vectors by scrambling keystrokes and saving screenshots as blank images.
• Multi-factor authentication support, supporting a wide range of authentication solutions including RSA, OAuth, SAML, LDAPS, Smart Cards, FIDO2, and more.
• Enterprise Browser and Remote Browser Isolation to apply stringent security policies to sensitive web apps, or to isolate potentially malicious websites from running directly on endpoint devices.
• Secure ICA proxy via Citrix Gateway service or customer-managed Citrix Gateways to securely proxy and encrypt Citrix sessions to endpoint devices.

Microsoft tends to say a lot of things in our experience. And the suitability of AVD on its own largely depends on the use case and willingness to settle for limited management, observability, security, availability, and performance capabilities.

In our experience, many organizations overestimate the capabilities of native AVD or underestimate the power of Citrix. Together, AVD and Citrix are a powerful combination that extends the benefits of AVD and amplifies its value proposition including cost optimization and a swath of features enterprises have come to depend on. 

Also noteworthy, AVD as of April 2024 still lacks financially-backed SLAs for the access and brokering services, unlike Citrix DaaS.

We believe the answer is yes for a number of reasons:

• Citrix has evolved to offer one unified workspace with a mix of solutions. Plus, users enjoy the added benefits of applying security and monitoring controls not otherwise available.
• The transition to web and SaaS apps does not solve for security and compliance requirements. While multi-factor and conditional access controls can assist with some elements such as device posture checks, risky logins, and IP filtering, they do not address the full gamut of security controls to mitigate data leakage and enhanced auditing amongst other capabilities.
• While the prevalence of published applications may be decreasing, the adoption of virtual desktops, VDIs, and Cloud PCs has increased.

Citrix DaaS (desktop-as-a-service) is one of several cloud-hosted solutions available from Citrix in their Citrix Cloud access and control plane. Citrix DaaS is:

• A platform-as-a-service (PaaS) offering which allows customers to build their own DaaS offerings to their organization.
• Citrix DaaS uplifts many of the components historically deployed by customers on-premises into a cloud tenant Citrix manages for the customer. This eliminates several elements of the Citrix infrastructure footprint in terms of the control (management) and access tier components (optional) to assist customers reduce their overhead. The workloads (OS instances running the Virtual Delivery Agent, or VDA software), are still the responsibility to be deployed and managed by the customer, on whatever platform they wish including major public clouds and hypervisors, to physical machines.
• Requires outbound Internet connectivity for certain components over HTTPS.
• Has cloud control planes in the United States, European Union, Asia Pacific South, and for U.S. Government. There are also several regions available for Google specifically, to align with requirements for Citrix procurement through Google Marketplace.

Citrix Virtual Apps and Desktops (CVAD) is:

• The original on-premises solution.
• Has no dependency on Internet access for the platform to function.
• While Citrix DaaS in recent years has been the focus of much feature innovation not available in CVAD, Citrix has been working hard to render the two products feature parity and providing customers choice without compromise for whichever control plane suits their business objectives or constraints. Please refer to the feature matrix for the latest information.

The answer depends on your objectives and constraints. It is possible to mix capabilities from both platforms in one holistic solution. For example, using CVAD can be used with WEM service from Citrix Cloud. Some even use a mix of both Citrix DaaS and CVAD to accommodate use cases with different security or compliance mandates. Others frequently use Citrix DaaS’s control plane but opt to retain the use of customer-managed access tier components such as StoreFront and NetScaler. Some considerations for a cloud-hosted access tier are found here.

Use Citrix DaaS if:

• You wish to access the latest features and capabilities as per feature matrix and Citrix Cloud Updates
• Your organization wishes to leverage cloud services wherever possible, to lessen maintenance burden and environment footprint.
• Cloud control plane regions align to your organization’s data residency compliance requirements if applicable.
• The Service Level Agreement (SLA) of 99.9% of monthly uptime (as of April 2024) is within the tolerance levels of the most critical workload you will be hosting on Citrix.

Use CVAD if:

• Your use case is network air-gapped or has stringent Internet access restrictions (i.e. outbound Internet access to Citrix Cloud endpoints would be problematic).
• Your use cases require data residency compliance and the present geographic locations of the Citrix Cloud control plane would impact compliance.
• The SLA of Citrix Cloud’s services such as Citrix DaaS or its access tier components are insufficient.

Yes. Ferroque has deep experience with all Citrix core and add-on features with a track record of designing and implementing them for diverse customers in industry and scale.

This includes but is not limited to:

• Provisioning (PVS)
• App Layering
• HDX 3D Pro
• Global App Configuration service
• Service Continuity
• User Profile Management (UPM/CPM)
• Autoscale
• Workspace Environment Management (WEM)
• Session Recording
• Workspace + Gateway service
• Federated Authentication Service (FAS)
• Secure Private Access
• Performance Analytics
• Security Analytics
• Deploying non-domain joined VDAs
• Universal Printing
• Image Portability service
• Adaptive Authentication
• App Protection, and more.

Ferroque also has extensive experience integrating Citrix with major public clouds including Azure, AWS, and GCP having completed dozens of projects on cloud platforms. We assist customers with the right instance sizing and scaling strategy to optimize costs for a given use case, balanced with availability. This includes unique considerations for disaster recovery planning and optimizing spend with mixtures of reserved capacity and on-demand provisioning. In addition, Ferroque has unique expertise developing cost modelling and chargeback frameworks for enterprise customers.

Ferroque has extensive experience in designing for use cases with a broad range of requirements affecting the delivery model and technologies used.

These include but not limited to:

• Factors affecting user data persistency
• Peripherals
• User location
• Compliance requirements
• Resource intensive apps
• Endpoints and Citrix client software
• Designing for elastic scalability
• High user turnover
• Minimizing technical debt
• Automation
• Balancing requirements with ease of management

If a use case exists, chances are we have tried-and-true solutions ready to go.

Check out the key differences here and discover Citrix’s two-prong release strategy for most of their software to balance the needs of different customer priorities.

To summarize, it depends if you want to capitalize on the latest innovations or if you’re satisfied with a core set of features and prefer a longer support cycle and minimal upgrade burden.

Typically, enterprise customers tend to prefer LTSR while smaller or more nimbler customers prefer CR. CR has a shorter support cycle of about 18 months (meaning continual upgrades are required to remain supported, even with an active support contract), while LTSR has five years of mainstream support which can be extended another five years for a total of 10 years of support.

However, some products like App Layering and WEM do not have LTSR versions and should be kept current. In addition, when using Citrix Cloud services such as DaaS, the control plane is always kept up to date on the latest release. Customers can choose whether or not they wish to align their VDAs to an LTSR or CR version, and can do so on a per-use case basis for the best of both worlds.

Indeed. Ferroque conducted some of the first professional services engagements related to this feature. Citrix Secure Private Access (SPA) is Citrix’s zero-trust network access (ZTNA) solution which includes Enterprise Browser and Remote Browser Isolation (RBI) capabilities. Combining next-generation VPN technology with a multitude of access controls, customers can provide secure access to internal resources of various kinds without the administrative and security burden of a full VPN client. It also provides isolation of web apps and Internet access to mitigate malware and ransomware risks from touching endpoints.

While in the same category as the likes of Palo Alto Prisma, CATO, ZScaler, and others, SPA is integrated into the Citrix control and access planes for a unified experience for both administrators and users. Furthermore, SPA is the only product on the market at present that comes in both a cloud and on-premises version. It provides customers with flexibility and choice for how they implement a ZTNA solution, enabling air-gapped and data-residency restricted environments to benefit from ZTNA technology.

These use cases often rely on VoIP or other collaboration and communications platforms. We have experience designing and tuning endpoint and Citrix parameters to optimize audio delivered over the Citrix HDX stack. Plus, we have solutions that leverage their own technologies (via plug-ins) to direct voice and video outside the Citrix channels for optimized delivery. Both scenarios have dependencies and caveats depending on the mix of endpoints and technologies in play.

Yes. The delivery model we recommend depends on the particulars of the use case, so get in touch with one of our experts today.

Persistent and non-persistent app or desktop delivery have their own pros and cons. Emerging technologies such as User Layers can bridge many of these gaps, allowing administrators to reap the management simplicity and lower cost benefits of non-persistent desktops while still allowing users to install their own apps and roam them between desktops. The use of provisioning models like Machine Creation Services (MCS), Provisioning (PVS), or third-party tools (for persistent workloads) depend on factors like the workload, the importance of rollout and rollback speed of images, and tolerance for additional infrastructure. We work with our customers to explore all facets of the use cases and advise on the most appropriate model that balances user experience and requirements with ease of administration.

Yes. Profile strategy is an ever-evolving topic in the digital workspaces field, spurred on not just by technological innovation and prevalence of non-persistent use cases, but by new customer requirements for user experience roaming, backup, and recovery. The Ferroque team have extensive experience designing and deploying profile solutions that align to use case and corporate mandates. Since profile strategy is not a one-size-fits-all paradigm, it is often best to use different strategies for different workloads to reduce costs and management overhead. Furthermore, ongoing management of profiles is important to avoid technical debt and wasteful storage sprawl. Ferroque also has extensive experience designing profile solutions for environments with recovery requirements and in public cloud environments which have their own storage platform limitations to consider when designing for thousands of users. From traditional profiles to profile containerization and layers, Ferroque remains at the forefront of profile strategy innovation and thought leadership.

This is another niche area of expertise for Ferroque. We have designed dozens of environments with disaster recovery (DR) in mind in architectural variations of on-premises, cloud-to-cloud, and hybrid cloud and aligned to different scales of users and different recovery technology capabilities driven by SLAs. We have designed and deployed such platforms for industries including but not limited to finance, telecom, transportation, government, insurance,  and healthcare. The Ferroque team also authored and maintains Citrix’s official DR planning guidance available here.

Absolutely. Our Citrix Managed Services benefit from the technological acumen of our consulting team and align to the ITIL framework. It’s overseen by the former director and architect of Citrix’s own managed services practice. Our service offering is available in a co-managed model and a fully managed model packed with benefits and value uncommon in our industry. Please reach out to learn more.

Yes. We understand that customers face technical and operational constraints that force legacy platforms to remain in operation as their business value far outweighs the risks associated with their continued operation. With our team members whose experiences go back to the days of Citrix WinFrame, we assure you we have the capacity to consult on and support your legacy end-of-life Citrix environments.