Service continuity

Service continuity removes or minimizes dependence on the availability of components involved in the connection process. Users can launch their Citrix DaaS apps and desktops regardless of the cloud services health status.

Service continuity allows users to connect to their DaaS apps and desktops during outages, as long as the user device maintains a network connection to a resource location. Users can connect to DaaS apps and desktops during outages in Citrix Cloud components or in public and private clouds. Users can connect directly to the resource location or through the Citrix Gateway Service.

Service continuity improves the visual representation of published resources during outages by using Progressive Web Apps service worker technology to cache resources in the user interface.

Service continuity uses Workspace connection leases to allow users to access apps and desktops during outages. Workspace connection leases are long-lived authorization tokens. Workspace connection lease files are securely cached on the user device. When a user signs in to Citrix Workspace, Workspace connection lease files are saved to the user profile for each resource published to the user. Service continuity lets users access apps and desktops during an outage even if the user has never launched an app or desktop before. Workspace connection lease files are signed and encrypted and are associated with the user and the user device. When service continuity is enabled, a Workspace connection lease allows users to access apps and desktops for seven days by default. You can configure Workspace connection leases to allow access for up to 30 days.

When users exit Citrix Workspace app, Citrix Workspace app closes but the Workspace connection leases are retained. Users exit the Citrix Workspace app by right-clicking its icon in the system tray or by restarting the user device. You can configure service continuity to delete or retain Workspace connection leases when users sign out of Citrix Workspace during an outage. By default, Workspace connection leases are deleted from user devices when users sign out during an outage.

Service continuity is supported for double hop scenarios when Citrix Workspace app is installed on a virtual desktop.

For an in-depth technical article about Citrix Cloud resiliency features, including service continuity, see Citrix Cloud Resiliency.

Note:

The deprecated Citrix DaaS feature called “connection leasing” resembles Workspace connection leases in that it improved connection resiliency during outages. Otherwise, that deprecated feature is unrelated to service continuity.

User device setup

To access resources during an outage, users must sign in to Citrix Workspace before the outage occurs. When you enable service continuity, users must perform the following steps on their devices:

1. Download and install a supported version of Citrix Workspace app.

2. Add the Workspace URL for your organization to Citrix Workspace app (for example, https://example.cloud.com).

3. Sign in to Citrix Workspace.

When a user signs into Citrix Workspace for the first time, service continuity downloads Workspace connection leases to the user device.

Downloading Workspace connection leases might take up to 15 minutes for first-time sign-in.

User experience during an outage

When service continuity is enabled, the user experience during an outage varies depending on:

• The type of outage
• Whether the Citrix Workspace app is configured with domain pass-through authentication
• Whether session sharing is enabled for the app or desktop the user connects to

For some outages, users continue accessing their DaaS with no change to their user experience. For other outages, user might see a change in how Workspace appears or be prompted to take some action.

This table summarizes how service continuity helps users access apps and desktops during different types of outages.

During a Citrix Workspace outage, users see this message at the top of the Citrix Workspace home page: “Unable to connect to some of your resources. Some virtual apps and desktop may still be available.” Users see apps and desktops that they can connect to during the outage. If the app or desktop isn’t available, the icon appears dimmed.

To access available resources during an outage, users select a resource icon that isn’t dimmed. If prompted, the user then reenters their AD credentials at the VDA before accessing resources.

During an outage in the identity provider for workspace authentication, users might be unable to sign in to Citrix Workspace through the Workspace sign-in page. After 40 seconds, this message appears at the top of the Citrix Workspace home page.

Afterward, the Citrix Workspace home page appears. Users then access resources as they would during a Citrix Workspace outage.

Regardless of the type of outage, users can continue to access resources if they exit and relaunch Citrix Workspace app. Users can restart their user devices without losing access to resources.

In the default configuration of service continuity, users lose access to their resources if they sign out of Citrix Workspace. If you want users to retain access to their resources after signing out, specify that Workspace connection leases are kept when users sign out. See Configure service continuity.

Depending on how Citrix Workspace app and VDAs are configured, during an outage the VDA might prompt users to enter their credentials into the Windows Logon user interface. If this prompt occurs, users enter their Active Directory (AD) credentials or smart card PIN to access the app or desktop. This step is required when user credentials aren’t passed through during outages. Before accessing an app or desktop, users must reauthenticate to the VDA.

Users can access resources without entering their AD credentials if:

• Citrix Workspace is configured for single sign-on during installation by selecting the single sign-on box.

  

• Citrix Workspace app is configured with domain pass-through authentication. Users can access any available resource during a Citrix Workspace outage without entering their credentials. For information about configuring domain pass-through authentication for Citrix Workspace app for Windows, see Configure single sign-on using the graphical user interface, found in the Authenticate documentation.

  Note

  StoreFront isn’t needed to allow single sign-on to your VDA during an outage.

• Session sharing is enabled. Users can access apps or desktops hosted on the same VDA after they provide their credentials for one resource on that VDA. Session sharing is configured for the application group containing the resource on the VDA. For information about configuring application groups, see Create application groups.

In all other configurations, users are prompted to reenter their AD credentials at the VDA before accessing resources.

Requirements and limitations

Site requirements

• Supported in all editions of Citrix DaaS and Citrix DaaS Standard for Azure, when using Workspace Experience.

• Not supported for Citrix Workspace with site aggregation to on-premises Virtual Apps and Desktops.

• Not supported when on-premises Citrix Gateway is used as an ICA Proxy. (Using Citrix Gateway as a Workspace authentication method is supported.)

User device requirements

Minimum supported Citrix Workspace app versions:

• Citrix Workspace app 2106 for Windows
• Citrix Workspace app for Android 22.2.0
• Citrix Workspace app 2106 for Mac
• Citrix Workspace app for iOS 22.4.5
• Citrix Workspace app 2106 for Linux

Note:

For information on installing Citrix Workspace app for Linux, including information about installing the app for use with service continuity, see Citrix Workspace app for Linux.

• For users who access their apps and desktops using browsers:
  • Google Chrome or Microsoft Edge.
  • Citrix Workspace app 2109 for Windows at a minimum. Supported with Google Chrome and Microsoft Edge.
  • Citrix Workspace app for Mac version 2112 at a minimum for use with Google Chrome.
  • Citrix Workspace app for Mac version 2206 at a minimum for use with Safari browser.

  See Service continuity in browser.

• Only one user per device is supported. Kiosk or “hot desk” user devices aren’t supported.

Supported workspace authentication methods

• Active Directory
• Active Directory plus token
• Azure Active Directory
• Okta
• Citrix Gateway (primary user claim must be from AD)
• SAML 2.0

Authentication limitations

• Single sign-on with Citrix Federated Authentication Service (FAS) isn’t supported. Users enter their AD credentials into the Windows Logon user interface on the VDA.
• Single sign-on to VDA isn’t supported.
• Local mapped accounts aren’t supported.
• VDAs joined to Azure AD aren’t supported. All VDAs must be joined to an AD domain.

Citrix Cloud Connector scale and size

• 4 vCPU or more
• 4 GB memory or more

Citrix Cloud Connector connectivity

Citrix Cloud Connector must be able to reach https://rootoftrust.apps.cloud.com. Configure your firewall to allow this connection. For information about the Cloud Connector firewall, see Cloud Connector Proxy and Firewall Configuration.

Workspace app network connectivity

If you configure connection to your resource location from outside your LAN, the Workspace app on user devices must be able to reach the Citrix Gateway Service FQDN, https://*.g.nssvc.net. Ensure that your firewall is configured to allow outgoing traffic to https://global-s.g.nssvc.net:433, so that user devices can connect to the Citrix Gateway Service at all times.

Connectivity optimization limitations

Advanced Endpoint Analysis (EPA) isn’t supported.

Enlightened Data Transport (EDT) isn’t supported during outages.

VDA requirements and limitations

• VDA 7.15 LTSR or any current release that hasn’t reached end of life are supported.
• VDAs joined to Azure AD aren’t supported. All VDAs must be joined to an AD domain.
• VDAs must be online for users to access VDA resources during an outage. VDA resources aren’t available when the VDA is affected by outages in:
  • AWS
  • Azure
  • Cloud Delivery Controller, unless Autoscale is enabled for the delivery group delivering the resource

Note:

If you’re using Citrix Hypervisor or vSphere with Autoscale, then power management is available even during Cloud Delivery Controller outages.

• VDA workloads supported during outages:
  • Hosted shared apps and desktops
  • Random non-persistent desktops (pooled VDI desktop) with power management
  • Static non-persistent desktops
  • Static persistent desktops, including Remote PC Access

  Note:

  Assign on first use isn’t support during outages.

For more information about available VDA functions during outages, see VDA management during outages.

App protection limitations

If app protection policies are enabled for an app or desktop, the icon for that app or desktop doesn’t appear in the Citrix Workspace home page during outages. Users can’t access these resources during outages.

For more information about app protection policies, see App protection.

Local keyboard mapping requirements and limitations

The Windows Logon user interface that prompts users to reauthenticate on the VDA does not support local keyboard language mapping. To allow users to reauthenticate during an outage if they have local keyboard language mapping on their devices, preload the keyboard layouts these users require.

Warning:

Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix can’t guarantee that problems resulting from the incorrect use of the Registry Editor can be solved. Use the Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Edit this registry key in the VDA image:

HKEY_USERS\.DEFAULT\Keyboard Layout\Preload

The corresponding language pack in the virtual desktop image must be installed.

For a list of keyboard identifiers associated with keyboard languages, see Keyboard Identifiers and Input Method Editors for Windows.

Configure resource location network connectivity for service continuity

You can configure your resource location to accept connections from inside your LAN, outside your LAN, or both.

Configure for connections inside your LAN

1. From the Citrix Cloud menu, go to Workspace Configuration > Access.
2. Select Configure Connectivity.
3. Select Internal Only as your connectivity type.
4. Click Save.

Configure your Citrix Cloud Connector and VDA firewalls to accept connections over Common Gateway Protocol (CGP) TCP port 2598. This configuration is the default setting.

Configure for connections from outside your LAN

1. From the Citrix Cloud menu, go to Workspace Configuration > Access.
2. Select Configure Connectivity.
3. Select Gateway Service as your connectivity type.
4. Click Save.

Configure for connections both from outside and inside your LAN

Run this PowerShell command:

Set-ConfigZone -InputObject (get-configzone -ExternalUid resourceLocation GUID ) -EnableHybridConnectivityForResourceLeases $true

Replace resourceLocation GUID with the global unique identifier of the resource location.

This command allows direct connections to the Citrix Cloud Connector FQDN over TCP 2598 during outages. If that connection fails Gateway Service is used as fallback. Allow internal users to bypass the gateway and connect directly to the resource location reduces latency internal network traffic.

Note:

This PowerShell command is similar to Direct Workload Connection in that it optimizes connectivity to workspaces by allowing internal users to bypass the gateway and connect to VDAs directly. When service continuity is enabled, Direct Workload Connection is not available during outages.

Configure service continuity

To enable service continuity for your site:

1. From the Citrix Cloud menu, go to Workspace Configuration > Service continutity.
2. Set Connection leasing for the Workspace to Enable.
3. Set Connection lease period to the number of days a Workspace connection lease can be used to maintain a connection. The Workspace connection lease period applies to all Workspace connection leases through your site. The Workspace connection lease period starts the first time a user signs in to the Citrix Cloud Workspace store. Workspace connection leases are refreshed each time the user signs in, up to once a day. The Workspace connection lease period can be from one day to 30 days. The default is seven days.
4. Click Save.

When you enable service continuity, it is enabled for all delivery groups in your site. To disable service continuity for a delivery group, use the following PowerShell command:

Set-BrokerDesktopGroup -name <deliverygroup> -ResourceLeasingEnabled $false

Replace deliverygroup with the name of the delivery group.

By default, Workspace connection leases are deleted from the user device if the user signs out of Citrix Workspace during an outage. If you want Workspace connection leases to remain on user devices after users sign out, use the following PowerShell command:

Set-BrokerSite -DeleteResourceLeasesOnLogOff $false

Note:

Workspace connection leases can’t be set to remain on user devices after users sign out for users connecting with Citrix Workspace app for Mac. Citrix Workspace for Mac is unable to read the value of the DeleteResourceLeaseOnLogOff property.

How service continuity works

If there’s no outage, users access virtual apps and desktops using ICA files. Citrix Workspace generates a unique ICA file each time a user selects a virtual app or desktop icon. Each ICA file contains a Secure Ticket Authority (STA) ticket and a logon ticket that can be redeemed only once to gain authorized access to virtual resources. The tickets in each ICA file expire after about 90 seconds. After the ticket in an ICA file is used or expires, the user needs another ICA file from Citrix Workspace to access resources. When service continuity isn’t enabled, outages can prevent users from accessing resources if Citrix Workspace can’t generate an ICA file.

Citrix Workspace generates ICA files when users launch virtual apps and desktops regardless of whether service continuity is enabled. When service continuity is enabled, Citrix Workspace also generates the unique set of files that make up a Workspace connection lease. Unlike ICA files, Workspace connection lease files are generated when the user signs into Citrix Workspace, not when the user launches the resource. When a user signs in to Citrix Workspace, connection lease files are generated for every resource published to that user. Workspace connection leases contain information that gives the user access to virtual resources. If an outage prevents a user from signing in to Citrix Workspace or accessing resources using an ICA file, the connection lease provides authorized access to the resource.

How sessions launch during outages

When users click an icon for an app or desktop during an outage, the Citrix Workspace app finds the corresponding Workspace connection lease on the user device. Citrix Workspace app then opens a connection. If connectivity to the resource location that hosts the app or desktop is configured to accept connections from outside your LAN, a connection opens to Citrix Gateway Service. If you configure connectivity to the resource location that hosts the app or desktop to accept connections from inside your LAN only, a connection opens to the Cloud Connector.

When the Citrix Cloud broker is online, the Cloud Connector uses the Citrix Cloud broker to resolve which VDA is available. When the Citrix Cloud broker is offline, the secondary broker for the Cloud Connector (also known as the High Availability service) listens for and processes connection requests.

Users who are connected when an outage occurs can continue working uninterrupted. Reconnections and new connections experience minimal connection delays. This functionality is similar to Local Host Cache, but does not require an on-premises StoreFront.

When a user launches a session during an outage, this window appears indicating that Workspace connection leases were used for the session launch:

After the user has finished signing into the session, these properties appear in the Workspace Connection Center:

The launch mode property provides information about the Workspace connection leases used to launch the session.

On devices running Citrix Workspace app for Mac, Citrix Viewer displays information showing that Workspace connection leases were used for the session launch:

What makes it secure

All sensitive information in the Workspace connection lease files is encrypted with the AES-256 cipher. Workspace connection leases are bound to a public/private key pair uniquely associated with the specific client device and can’t be used on a different device. A built-in cryptographic mechanism enforces use of the unique key pair on each device.

Workspace connection leases are stored on the user device in AppData\Local\Citrix\SelfService\ConnectionLeases.

The security architecture of service continuity is built on public-key cryptography, similarly to a public key infrastructure (PKI), but without certificate chains and certificate authorities. Instead, all the components establish transitive trust by relying on a new Citrix Cloud service called the root of trust that acts like a certificate authority.

Block connection leases

If a user device is lost or stolen, or a user account is closed or compromised, you can block Workspace connection leases. When you block Workspace connection leases associated with a user, the user can’t connect to resources. Citrix Cloud no longer generates or synchronizes Workspace connection leases for the user.

When you block Workspace connection leases associated with a user account, you block connections to that account on all devices associated with it. You can block Workspace connection leases for a user or for all users in a user group.

To revoke Workspace connection leases for a single user or user group, use this PowerShell command:

Set-BrokerConnectionLeaseRevocationDate -Name username -LeaseRevocationDays Days

Replace username with the user associated with the account you want to block from connecting. Replace username with a user group to block connection from all accounts in the user group. Replace Days with the number of days connections are blocked.

For example, to block connections for xd.local/user1 for the next 7 days, type:

Set-BrokerConnectionLeaseRevocationDate -Name xd.local/user1 -LeaseRevocationDays 7