Service continuity
Service continuity removes or minimizes dependence on the availability of components involved in the connection process. Users can launch their Citrix DaaS apps and desktops regardless of the cloud services health status.
Service continuity allows users to connect to their DaaS apps and desktops during outages, as long as the user device maintains a network connection to a resource location. Users can connect to DaaS apps and desktops during outages in Citrix Cloud components or in public and private clouds. Users can connect directly to the resource location or through the Citrix Gateway Service.
Service continuity improves the visual representation of published resources during outages by using Progressive Web Apps service worker technology to cache resources in the user interface.
Service continuity uses Workspace connection leases to allow users to access apps and desktops during outages. Workspace connection leases are long-lived authorization tokens. Workspace connection lease files are securely cached on the user device. When a user signs in to Citrix Workspace, Workspace connection lease files are saved to the user profile for each resource published to the user. Service continuity lets users access apps and desktops during an outage even if the user has never launched an app or desktop before. Workspace connection lease files are signed and encrypted and are associated with the user and the user device. When service continuity is enabled, a Workspace connection lease allows users to access apps and desktops for seven days by default. You can configure Workspace connection leases to allow access for up to 30 days.
When users exit Citrix Workspace app, Citrix Workspace app closes but the Workspace connection leases are retained. Users exit the Citrix Workspace app by right-clicking its icon in the system tray or by restarting the user device. You can configure service continuity to delete or retain Workspace connection leases when users sign out of Citrix Workspace during an outage. By default, Workspace connection leases are deleted from user devices when users sign out during an outage.
Service continuity is supported for double hop scenarios when Citrix Workspace app is installed on a virtual desktop.
For an in-depth technical article about Citrix Cloud resiliency features, including service continuity, see Citrix Cloud Resiliency.
Note:
The deprecated Citrix DaaS feature called “connection leasing” resembles Workspace connection leases in that it improved connection resiliency during outages. Otherwise, that deprecated feature is unrelated to service continuity.
User device setup
To access resources during an outage, users must sign in to Citrix Workspace before the outage occurs. When you enable service continuity, users must perform the following steps on their devices:
- Download and install a supported version of Citrix Workspace app.
- Add the Workspace URL for your organization to Citrix Workspace app (for example, https://example.cloud.com).
- Sign in to Citrix Workspace.
When a user signs into Citrix Workspace for the first time, service continuity downloads Workspace connection leases to the user device.
Downloading Workspace connection leases might take up to 15 minutes for first-time sign-in.
User experience during an outage
When service continuity is enabled, the user experience during an outage varies depending on:
- The type of outage
- Whether the Citrix Workspace app is configured with domain pass-through authentication
- Whether session sharing is enabled for the app or desktop the user connects to
For some outages, users continue accessing their DaaS with no change to their user experience. For other outages, users might see a change in how Workspace appears or be prompted to take some action.
This table summarizes how service continuity helps users access apps and desktops during different types of outages.
| Where the outage occurs | How service continuity maintains user access | User experience during outage |
|---|---|---|
| Citrix Workspace service | Citrix Workspace app enumerates apps and desktops based on local cache on the user device. | Icons for unavailable apps and desktops appear dimmed. Users can still access apps and desktops that have undimmed icons. After clicking an undimmed icon, users might be prompted to reenter their credentials at the VDA. To regain access to all their apps and desktops, users can try to establish their connection to Workspace by clicking the “Reconnect to Workspace” link. |
| Identity provider | Citrix Workspace app enumerates apps and desktops based on local cache on the user device. | Users might be unable to sign in to Workspace. Users click the “Use Workspace offline” link to access some apps and desktops in an experience identical to a Workspace service outage. |
| Citrix Cloud Broker Service | The High Availability Service in the Cloud Connector takes over brokering. All VDAs that were registered with the Cloud Broker Service register with the High Availability Service. | Some users might be unable to access virtual resources while VDAs register with the High Availability Service. Existing sessions aren’t affected. No user action needed. |
| Secure Ticket Authority | Workspace connection leases provide access to virtual resources when ICA files can’t. | Session launches might take a few seconds longer. No user action needed. |
| Citrix Gateway service | Network traffic fails over to the closest healthy Citrix Gateway service point of presence (POP). | Existing sessions might take a few seconds to reconnect. No user action needed. |
| Internet connection on the LAN | Citrix Workspace app enumerates apps and desktops based on local cache on the user device. If a user has a direct network connection to the resource location, Citrix Workspace app bypasses the Citrix Gateway service when the user clicks undimmed icons. Citrix Workspace app contacts the Cloud Connector over TCP 2598 and contacts VDAs over TCP 2598 or UDP 2598. | Icons for unavailable apps and desktops appear dimmed. Users can still access apps and desktops that have undimmed icons. After clicking an undimmed icon, users might be prompted to reenter their credentials at the VDA. To regain access to all their apps and desktops, users can try to establish their connection to Workspace by clicking the “Reconnect to Workspace” link. |
During a Citrix Workspace outage, users see this message at the top of the Citrix Workspace home page: “Unable to connect to some of your resources. Some virtual apps and desktop may still be available.” Users see apps and desktops that they can connect to during the outage. If the app or desktop isn’t available, the icon appears dimmed.
To access available resources during an outage, users select a resource icon that isn’t dimmed. If prompted, the user then reenters their AD credentials at the VDA before accessing resources.
During an outage in the identity provider for workspace authentication, users might be unable to sign in to Citrix Workspace through the Workspace sign-in page. After 40 seconds, this message appears at the top of the Citrix Workspace home page.
Afterward, the Citrix Workspace home page appears. Users then access resources as they would during a Citrix Workspace outage.
Regardless of the type of outage, users can continue to access resources if they exit and relaunch Citrix Workspace app. Users can restart their user devices without losing access to resources.
In the default configuration of service continuity, users lose access to their resources if they sign out of Citrix Workspace. If you want users to retain access to their resources after signing out, specify that Workspace connection leases are kept when users sign out. See Configure service continuity.
Depending on how Citrix Workspace app and VDAs are configured, during an outage the VDA might prompt users to enter their credentials into the Windows Logon user interface. If this prompt occurs, users enter their Active Directory (AD) credentials or smart card PIN to access the app or desktop. This step is required when user credentials aren’t passed through during outages. Before accessing an app or desktop, users must reauthenticate to the VDA.
Users can access resources without entering their AD credentials if:
- Citrix Workspace is configured for single sign-on during installation by selecting the single sign-on box.
- Citrix Workspace app is configured with domain pass-through authentication. Users can access any available resource during a Citrix Workspace outage without entering their credentials. For information about configuring domain pass-through authentication for Citrix Workspace app for Windows, see Configure single sign-on using the graphical user interface, found in the Authenticate documentation.
Note:
StoreFront isn’t needed to allow single sign-on to your VDA during an outage.
- Session sharing is enabled. Users can access apps or desktops hosted on the same VDA after they provide their credentials for one resource on that VDA. Session sharing is configured for the application group containing the resource on the VDA. For information about configuring application groups, see Create application groups.
In all other configurations, users are prompted to reenter their AD credentials at the VDA before accessing resources.
Requirements and limitations
Site requirements
- Supported in all editions of Citrix DaaS and Citrix DaaS Standard for Azure, when using Workspace Experience.
- Not supported for Citrix Workspace with site aggregation to on-premises Virtual Apps and Desktops.
- Not supported when on-premises Citrix Gateway is used as an ICA Proxy. (Using Citrix Gateway as a Workspace authentication method is supported.)
User device requirements
Minimum supported Citrix Workspace app versions:
- Citrix Workspace app 2106 for Windows
- Citrix Workspace app for Android 22.2.0
- Citrix Workspace app 2106 for Mac
- Citrix Workspace app for iOS 22.4.5
- Citrix Workspace app 2106 for Linux
Note:
For information on installing Citrix Workspace app for Linux, including information about installing the app for use with service continuity, see Citrix Workspace app for Linux.
- For users who access their apps and desktops using browsers:
  - Google Chrome or Microsoft Edge.
  - Citrix Workspace app 2109 for Windows at a minimum. Supported with Google Chrome and Microsoft Edge.
  - Citrix Workspace app for Mac version 2112 at a minimum for use with Google Chrome.
  - Citrix Workspace app for Mac version 2206 at a minimum for use with Safari browser.
- Only one user per device is supported. Kiosk or “hot desk” user devices aren’t supported.
Supported workspace authentication methods
- Active Directory
- Active Directory plus token
- Azure Active Directory
- Okta
- Citrix Gateway (primary user claim must be from AD)
- SAML 2.0
Authentication limitations
- Single sign-on with Citrix Federated Authentication Service (FAS) isn’t supported. Users enter their AD credentials into the Windows Logon user interface on the VDA.
- Single sign-on to VDA isn’t supported.
- Local mapped accounts aren’t supported.
- VDAs joined to Azure AD aren’t supported. All VDAs must be joined to an AD domain.
Citrix Cloud Connector scale and size
- 4 vCPU or more
- 4 GB memory or more
Citrix Cloud Connector connectivity
Citrix Cloud Connector must be able to reach https://rootoftrust.apps.cloud.com. Configure your firewall to allow this connection. For information about the Cloud Connector firewall, see Cloud Connector Proxy and Firewall Configuration.
Workspace app network connectivity
If you configure connections to your resource location from outside your LAN, the Workspace app on user devices must be able to reach the Citrix Gateway Service FQDN, https://*.g.nssvc.net. Ensure that your firewall is configured to allow outgoing traffic to https://global-s.g.nssvc.net:433, so that user devices can connect to the Citrix Gateway Service at all times.
Connectivity optimization limitations
- Advanced Endpoint Analysis (EPA) isn’t supported.
- Enlightened Data Transport (EDT) isn’t supported during outages.
VDA requirements and limitations
- VDA 7.15 LTSR, or any Current Release that hasn’t reached end of life, is supported.
- VDAs joined to Azure AD aren’t supported. All VDAs must be joined to an AD domain.
- VDAs must be online for users to access VDA resources during an outage. VDA resources aren’t available when the VDA is affected by outages in:
  - AWS
  - Azure
  - Cloud Delivery Controller, unless Autoscale is enabled for the delivery group delivering the resource
Note:
If you’re using Citrix Hypervisor or vSphere with Autoscale, then power management is available even during Cloud Delivery Controller outages.
- VDA workloads supported during outages:
  - Hosted shared apps and desktops
  - Random non-persistent desktops (pooled VDI desktop) with power management
  - Static non-persistent desktops
  - Static persistent desktops, including Remote PC Access
Note:
Assign on first use isn’t supported during outages.
For more information about available VDA functions during outages, see VDA management during outages.
App protection limitations
If app protection policies are enabled for an app or desktop, the icon for that app or desktop doesn’t appear in the Citrix Workspace home page during outages. Users can’t access these resources during outages.
For more information about app protection policies, see App protection.
Local keyboard mapping requirements and limitations
The Windows Logon user interface that prompts users to reauthenticate on the VDA does not support local keyboard language mapping. To allow users to reauthenticate during an outage if they have local keyboard language mapping on their devices, preload the keyboard layouts these users require.
Warning:
Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix can’t guarantee that problems resulting from the incorrect use of the Registry Editor can be solved. Use the Registry Editor at your own risk. Be sure to back up the registry before you edit it.
Edit this registry key in the VDA image:
HKEY_USERS\.DEFAULT\Keyboard Layout\Preload
The corresponding language pack in the virtual desktop image must be installed.
For a list of keyboard identifiers associated with keyboard languages, see Keyboard Identifiers and Input Method Editors for Windows.
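The following PowerShell script is an added example, not part of the Citrix documentation: it backs up the Preload key as the warning above advises, then adds the required keyboard layout identifiers to the key in the VDA image, skipping any that are already present. The identifiers 00000407 (German) and 0000040c (French) are sample values; substitute the identifiers your users need.

```powershell
# Added example: preload keyboard layouts in the VDA image so the Windows Logon UI
# can offer them when users reauthenticate at the VDA during an outage.
# Run elevated inside the VDA image before sealing it. The identifiers below are
# constructed sample values: 00000407 = German, 0000040c = French.
$PreloadKey      = 'Registry::HKEY_USERS\.DEFAULT\Keyboard Layout\Preload'
$RequiredLayouts = @('00000407', '0000040c')

function Backup-PreloadKey {
    # Export the key first so the edit can be reverted if something goes wrong.
    $backup = Join-Path $env:TEMP 'DefaultKeyboardPreload.reg'
    reg.exe export 'HKEY_USERS\.DEFAULT\Keyboard Layout\Preload' $backup /y | Out-Null
    return $backup
}

function Get-PreloadEntries {
    # Preload values are named 1, 2, 3, ... and each holds one keyboard layout identifier.
    $item = Get-ItemProperty -Path $PreloadKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { [pscustomobject]@{ Index = [int]$_.Name; Klid = [string]$_.Value } }
}

function Add-PreloadLayouts {
    param([Parameter(Mandatory)][string[]]$Klids)
    $entries = @(Get-PreloadEntries)
    # Next free index: one past the highest existing value name, or 1 if the key is empty
    $next = if ($entries.Count -gt 0) {
        ($entries | Measure-Object -Property Index -Maximum).Maximum + 1
    } else { 1 }
    foreach ($klid in $Klids) {
        if ($entries.Klid -contains $klid) {
            Write-Host "Layout $klid is already preloaded"
            continue
        }
        # REG_SZ value: name is the next free index, data is the layout identifier
        New-ItemProperty -Path $PreloadKey -Name "$next" -Value $klid -PropertyType String -Force | Out-Null
        Write-Host "Added layout $klid as Preload entry $next"
        $next++
    }
}

$backupFile = Backup-PreloadKey
Write-Host "Registry backup written to $backupFile"
Add-PreloadLayouts -Klids $RequiredLayouts
Get-PreloadEntries | Format-Table -AutoSize
```

The script only edits the Preload key; the matching language pack still has to be installed in the image separately.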
Configure resource location network connectivity for service continuity
You can configure your resource location to accept connections from inside your LAN, outside your LAN, or both.
Configure for connections inside your LAN
- From the Citrix Cloud menu, go to Workspace Configuration > Access.
- Select Configure Connectivity.
- Select Internal Only as your connectivity type.
- Click Save.
Configure your Citrix Cloud Connector and VDA firewalls to accept connections over Common Gateway Protocol (CGP) TCP port 2598. This configuration is the default setting.
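As an added example (not Citrix's own code), the PowerShell below creates the inbound CGP rules on a Cloud Connector or VDA only if they don't already exist, and gives user devices a quick check that TCP 2598 is actually reachable. It assumes Windows Defender Firewall on the Connector and VDA; the host names in the check are constructed placeholders.

```powershell
# Added example: open Common Gateway Protocol (CGP) port 2598 inbound on a Cloud Connector
# or VDA, then verify reachability from a user device on the LAN.
# Assumes Windows Defender Firewall; host names used in the check are constructed placeholders.

function Add-CgpFirewallRule {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Protocol
    )
    # Idempotent: create the rule only if one with this display name is not already present
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$DisplayName' already exists"
        return
    }
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound -Protocol $Protocol `
        -LocalPort 2598 -Action Allow | Out-Null
    Write-Host "Created rule '$DisplayName' ($Protocol 2598 inbound)"
}

# On a Cloud Connector: Workspace app contacts the Connector over TCP 2598
# Add-CgpFirewallRule -DisplayName 'Citrix CGP (Connector) TCP 2598' -Protocol TCP

# On a VDA: Workspace app contacts VDAs over TCP 2598 or UDP 2598
# Add-CgpFirewallRule -DisplayName 'Citrix CGP (VDA) TCP 2598' -Protocol TCP
# Add-CgpFirewallRule -DisplayName 'Citrix CGP (VDA) UDP 2598' -Protocol UDP

function Test-CgpReachability {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # Run from a user device on the LAN; reports whether TCP 2598 answers on each host
    foreach ($name in $ComputerName) {
        $result = Test-NetConnection -ComputerName $name -Port 2598 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $name
            TcpPort   = 2598
            Reachable = $result.TcpTestSucceeded
        }
    }
}

# Placeholder host names; replace with your Connector and VDA names
# Test-CgpReachability -ComputerName 'connector01.example.local', 'vda01.example.local' | Format-Table
```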
Configure for connections from outside your LAN
- From the Citrix Cloud menu, go to Workspace Configuration > Access.
- Select Configure Connectivity.
- Select Gateway Service as your connectivity type.
- Click Save.
Configure for connections both from outside and inside your LAN
Run this PowerShell command:
Set-ConfigZone -InputObject (Get-ConfigZone -ExternalUid <resourceLocationGUID>) -EnableHybridConnectivityForResourceLeases $true
Replace <resourceLocationGUID> with the globally unique identifier of the resource location.
This command allows direct connections to the Citrix Cloud Connector FQDN over TCP 2598 during outages. If that connection fails, Gateway Service is used as a fallback. Allowing internal users to bypass the gateway and connect directly to the resource location reduces latency for internal network traffic.
Note:
This PowerShell command is similar to Direct Workload Connection in that it optimizes connectivity to workspaces by allowing internal users to bypass the gateway and connect to VDAs directly. When service continuity is enabled, Direct Workload Connection is not available during outages.
Configure service continuity
To enable service continuity for your site:
- From the Citrix Cloud menu, go to Workspace Configuration > Service continuity.
- Set Connection leasing for the Workspace to Enable.
- Set Connection lease period to the number of days a Workspace connection lease can be used to maintain a connection. The Workspace connection lease period applies to all Workspace connection leases through your site. The Workspace connection lease period starts the first time a user signs in to the Citrix Cloud Workspace store. Workspace connection leases are refreshed each time the user signs in, up to once a day. The Workspace connection lease period can be from one day to 30 days. The default is seven days.
- Click Save.
When you enable service continuity, it is enabled for all delivery groups in your site. To disable service continuity for a delivery group, use the following PowerShell command:
Set-BrokerDesktopGroup -Name <deliverygroup> -ResourceLeasingEnabled $false
Replace <deliverygroup> with the name of the delivery group.
By default, Workspace connection leases are deleted from the user device if the user signs out of Citrix Workspace during an outage. If you want Workspace connection leases to remain on user devices after users sign out, use the following PowerShell command:
Set-BrokerSite -DeleteResourceLeasesOnLogOff $false
Note:
Workspace connection leases can’t be set to remain on user devices after users sign out for users connecting with Citrix Workspace app for Mac. Citrix Workspace app for Mac is unable to read the value of the DeleteResourceLeasesOnLogOff property.
How service continuity works
If there’s no outage, users access virtual apps and desktops using ICA files. Citrix Workspace generates a unique ICA file each time a user selects a virtual app or desktop icon. Each ICA file contains a Secure Ticket Authority (STA) ticket and a logon ticket that can be redeemed only once to gain authorized access to virtual resources. The tickets in each ICA file expire after about 90 seconds. After the ticket in an ICA file is used or expires, the user needs another ICA file from Citrix Workspace to access resources. When service continuity isn’t enabled, outages can prevent users from accessing resources if Citrix Workspace can’t generate an ICA file.
Citrix Workspace generates ICA files when users launch virtual apps and desktops regardless of whether service continuity is enabled. When service continuity is enabled, Citrix Workspace also generates the unique set of files that make up a Workspace connection lease. Unlike ICA files, Workspace connection lease files are generated when the user signs into Citrix Workspace, not when the user launches the resource. When a user signs in to Citrix Workspace, connection lease files are generated for every resource published to that user. Workspace connection leases contain information that gives the user access to virtual resources. If an outage prevents a user from signing in to Citrix Workspace or accessing resources using an ICA file, the connection lease provides authorized access to the resource.
How sessions launch during outages
When users click an icon for an app or desktop during an outage, the Citrix Workspace app finds the corresponding Workspace connection lease on the user device. Citrix Workspace app then opens a connection. If connectivity to the resource location that hosts the app or desktop is configured to accept connections from outside your LAN, a connection opens to Citrix Gateway Service. If you configure connectivity to the resource location that hosts the app or desktop to accept connections from inside your LAN only, a connection opens to the Cloud Connector.
When the Citrix Cloud broker is online, the Cloud Connector uses the Citrix Cloud broker to resolve which VDA is available. When the Citrix Cloud broker is offline, the secondary broker for the Cloud Connector (also known as the High Availability service) listens for and processes connection requests.
Users who are connected when an outage occurs can continue working uninterrupted. Reconnections and new connections experience minimal connection delays. This functionality is similar to Local Host Cache, but does not require an on-premises StoreFront.
When a user launches a session during an outage, this window appears indicating that Workspace connection leases were used for the session launch:
After the user has finished signing into the session, these properties appear in the Workspace Connection Center:
The launch mode property provides information about the Workspace connection leases used to launch the session.
On devices running Citrix Workspace app for Mac, Citrix Viewer displays information showing that Workspace connection leases were used for the session launch:
What makes it secure
All sensitive information in the Workspace connection lease files is encrypted with the AES-256 cipher. Workspace connection leases are bound to a public/private key pair uniquely associated with the specific client device and can’t be used on a different device. A built-in cryptographic mechanism enforces use of the unique key pair on each device.
Workspace connection leases are stored on the user device in AppData\Local\Citrix\SelfService\ConnectionLeases.
The security architecture of service continuity is built on public-key cryptography, similarly to a public key infrastructure (PKI), but without certificate chains and certificate authorities. Instead, all the components establish transitive trust by relying on a new Citrix Cloud service called the root of trust that acts like a certificate authority.
Block connection leases
If a user device is lost or stolen, or a user account is closed or compromised, you can block Workspace connection leases. When you block Workspace connection leases associated with a user, the user can’t connect to resources. Citrix Cloud no longer generates or synchronizes Workspace connection leases for the user.
When you block Workspace connection leases associated with a user account, you block connections to that account on all devices associated with it. You can block Workspace connection leases for a user or for all users in a user group.
To revoke Workspace connection leases for a single user or user group, use this PowerShell command:
Set-BrokerConnectionLeaseRevocationDate -Name <username> -LeaseRevocationDays <Days>
Replace <username> with the user associated with the account you want to block from connecting, or with a user group to block connections from all accounts in the user group. Replace <Days> with the number of days connections are blocked.
For example, to block connections for xd.local/user1 for the next 7 days, type:
Set-BrokerConnectionLeaseRevocationDate -Name xd.local/user1 -LeaseRevocationDays 7