Citrix Cloud – The missing elements

Citrix

Let me start by saying that this blog will centre around the XenApp and XenDesktop service within Citrix Cloud. XenApp and XenDesktop service allows you move parts or all of your Citrix control tier infrastructure into the Cloud. So you can utilise StoreFront, NetScaler Gateway and Citrix Studio and Director and remove the requirements to have delivery controllers, StoreFront servers and SQL infrastructure. This is a very attractive option for many customers and provides flexibility while minimising the on-premises infrastructure requirements. All that is required for a customer on-premises is a supported hypervisor, a base image and 3 cloud connector servers per region to provide high availability. The cloud connectors are installed on standard server operating systems and all that the customer needs to manage is the operating system updates. Citrix will auto update the agent software making management a breeze.

This unfortunately also comes with a few con’s at the moment while Citrix are developing the platform which may cause some quite important difficulties for customers. For starters if you want to use PVS on-premises then you’ll still need a licence server and SQL backend but that’s to be expected.

Browser dependant – It appears that the only reliable way to get the Cloud HTML5 consoles to work is through Chrome. IE, Edge et-al appear to work sporadically or not at all.

 

Citrix Studio

Configuration logging – That’s currently not available within Citrix Cloud.

Administrators – Configuration of granular permissions for helpdesk/admins users and groups is not available at all within Citrix Studio. There is an option to configure some permissions at the cloud level when you add administrators but the granularity is just not there yet. You only have the option of full administrator or helpdesk.

 

Citrix Director

There is no granularity of access at all to Director at present, whether you are configured at the cloud level as a helpdesk or full administrator then you get the full administrator level of access to Director.

 

So there’s a bit of a problem that whilst at first glance may not seem too bad if you scale up suddenly becomes a rather large problem. If you imagine you are a global company who have purchased Citrix Cloud XenApp and XenDesktop service. Once you have configured your regions and zones and begun deploying applications and desktops globally you also add administrative users to the cloud plane. You would typically have a number of full administrators and then a whole raft of staff that would get the helpdesk role customised to lock them down to the zone that they are responsible for. On-Premises this is not a problem however using Citrix Cloud where if you remember a helpdesk user gets administrators access to director and you cannot limit it by regional machine catalogs, a helpdesk user suddenly has an awful log of power for not just their geographical region but all of the deployed resources within Citrix Cloud.

So example if you had a helpdesk user in Country A there is currently nothing to stop them putting a whole delivery group into maintenance mode anywhere around the world. Also they can shadow sessions for any user or reboot any SBC or VDI instance anywhere. So anyone with any level of access to the Cloud.com plane anywhere in the would can cause a huge headache for someone the other side of the world.

It does unfortunately also get worse as if you need to grant administrators studio console access then the same rules apply. adding in the fact that there is no configuration logging currently available you will have no record of who actually changed anything. I understand that the majority of this is caused by the fact that when you log into Cloud.com and launch either Studio or Director your HTML5 session is actually logged in as an anonymous user.

That’s not to say that Citrix Cloud is a bad service but as security and compliance is rightly constantly being improved and tightened then these omissions at present may be a bit of a problem. Again as it’s a cloud service it is evolving all the time hopefully this post will become irrelevant very soon and the missing elements that are present in the on-premises version of XenApp and XenDesktop are readded and enhanced further.

 

 

 

Leave a Reply