Optimize connectivity to workspaces with Direct Workload Connection

With Direct Workload Connection in Citrix Cloud, you can optimize internal traffic to the apps and desktops in workspaces to make HDX sessions faster. Ordinarily, users on both internal and external networks connect to VDAs through an external gateway. This gateway might be on-premises in your organization or provided as a service from Citrix and added to the resource location within Citrix Cloud. Direct Workload Connection allows internal users to bypass the gateway and connect to the VDAs directly, reducing latency for internal network traffic.

To set up Direct Workload Connection, you need network locations that correspond to where clients launch apps and desktops in your environment. Add a public address for each office location where these clients reside using the Network Location Service (NLS). You have two options for configuring network locations:

  • Using the Network Locations menu option in Citrix Cloud.
  • Using a PowerShell module that Citrix provides.

Network locations correspond to the public IP ranges of the networks that your internal users connect from, such as your office or branch locations. Citrix Cloud uses public IP addresses to determine whether networks from which virtual apps or desktops are launched are internal or external to the company network. If a subscriber connects from the internal network, Citrix Cloud routes the connection directly to the VDA, bypassing Citrix Gateway. If a subscriber connects externally, Citrix Cloud routes them through Citrix Gateway, then directs the session traffic through the Citrix Cloud Connector to the VDA in the internal network. If Citrix Gateway service is used and the Rendezvous protocol is enabled, Citrix Cloud routes external users through the Gateway service to the VDA in the internal network. Roaming clients such as laptops might use either of these network routes, depending on whether the client is inside or outside the corporate network when the launch occurs.

Important:

If your environment includes Citrix DaaS Standard for Azure alongside on-premises VDAs, configuring Direct Workload Connection causes launches from the internal network to fail.

Remote Browser Isolation, Citrix Virtual Apps Essentials, and Citrix Virtual Desktops Essentials resource launches always route through the gateway. These launches don’t gain performance improvements from configuring Direct Workload Connection.

Requirements

Network requirements

  • Corporate network and guest Wi-Fi networks must have separate public IP addresses. If your corporate and guest networks share public IP addresses, users on the guest network can’t launch DaaS sessions.
  • Use the public IP address ranges of the networks that your internal users connect from. Internal users on these networks must have a direct connection to the VDAs. Otherwise, launches of virtual resources will fail as Workspace tries to route internal users directly to the VDA, which isn’t possible.
  • Although VDAs are typically located within your on-premises network, you can also use VDAs hosted within a public cloud such as Microsoft Azure. Client launches must have a network route to contact the VDAs without being blocked by a firewall. This requires a VPN tunnel from your on-premises network to a virtual network where the VDAs reside.
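
A preflight check for the network requirements above, as an added example that is not part of the Citrix documentation or the nls.psm1 module: it flags planned ranges that are private rather than public, or that overlap a guest Wi-Fi range. The function names and all sample ranges are constructed.

```powershell
# Added example (not Citrix code). Function names and all ranges are constructed;
# the sample uses RFC 5737 documentation ranges as stand-ins for real public IPs.
function ConvertTo-Ipv4Range {
    param([Parameter(Mandatory)][string]$Cidr)
    $addr, $prefix = $Cidr -split '/'
    $ip = [System.Net.IPAddress]::Parse($addr)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "Not an IPv4 range: $Cidr" }
    $bits = if ($null -eq $prefix) { 32 } else { [int]$prefix }
    if ($bits -lt 0 -or $bits -gt 32) { throw "Bad prefix length: $Cidr" }
    [uint64]$value = 0
    foreach ($b in $ip.GetAddressBytes()) { $value = $value * 256 + $b }
    [uint64]$size  = [math]::Pow(2, 32 - $bits)
    [uint64]$start = $value - ($value % $size)      # align to the network address
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-RangeOverlap { param($A, $B) $A.Start -le $B.End -and $B.Start -le $A.End }

function Test-NetworkLocationPlan {
    param([System.Collections.IDictionary]$Corporate, [string[]]$Guest)
    # RFC 1918 space is never a public address, so it cannot identify a site.
    $private = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16' |
        ForEach-Object { ConvertTo-Ipv4Range $_ }
    $guestRanges = $Guest | ForEach-Object { ConvertTo-Ipv4Range $_ }
    foreach ($site in $Corporate.Keys) {
        foreach ($cidr in $Corporate[$site]) {
            $r = ConvertTo-Ipv4Range $cidr
            $issues = @()
            if ($private | Where-Object { Test-RangeOverlap $r $_ }) {
                $issues += 'private (RFC 1918) range, not a public address'
            }
            foreach ($g in $guestRanges) {
                if (Test-RangeOverlap $r $g) { $issues += "shared with guest range $($g.Cidr)" }
            }
            [pscustomobject]@{ Site = $site; Range = $cidr
                               Ok = ($issues.Count -eq 0); Issues = $issues -join '; ' }
        }
    }
}

# Constructed plan: two of the four entries should be flagged.
$corporate = [ordered]@{
    'HQ'       = @('203.0.113.0/28')
    'Branch-A' = @('198.51.100.16/29', '192.168.10.0/24')   # internal range entered by mistake
    'Branch-B' = @('192.0.2.64/26')                         # egress shared with guest Wi-Fi
}
Test-NetworkLocationPlan -Corporate $corporate -Guest @('192.0.2.0/24') | Format-Table -AutoSize
```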

TLS requirements

TLS 1.2 must be enabled in PowerShell when configuring your network locations. To force PowerShell to use TLS 1.2, use the following command before using the PowerShell module:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Workspace requirements

  • You have a workspace configured in Citrix Cloud.
  • Citrix DaaS is enabled in Workspace Configuration > Service Integrations.

Enable TLS for Workspace app for HTML5 connections

If your subscribers use Citrix Workspace app for HTML5 to launch apps and desktops, Citrix recommends that you have TLS configured on the VDAs in your internal network. Configuring your VDAs to use TLS connections ensures direct launches to VDAs are possible. If VDAs don’t have TLS enabled, app and desktop launches must be routed through a gateway when subscribers use Citrix Workspace app for HTML5. Launches using the Desktop Viewer aren’t affected. For more information about securing direct VDA connections with TLS, see CTX134123 in the Citrix Support Knowledge Center.

Citrix Cloud network location configuration

Direct Workload Connection configuration through Citrix Cloud involves creating network locations using the public IP address ranges of each branch location that your internal users connect from.

Create a network location

  1. In the Citrix Cloud console, navigate to Network Locations from the main menu.
  2. Select the Add network location button in the top right-hand corner.
  3. Enter a network location name, public IP address range for the location, and location tags.
  4. Repeat these steps for each new network location you want to add.

Modify or remove network locations

  1. In the Citrix Cloud console, navigate to Network Locations from the main menu.
  2. Select the ellipses next to the network location that you want to modify or remove and then either:
    • Select Edit to modify a network location and then Save your changes to see them in the network locations page; or
    • Select Delete to remove a network location. You’re asked to confirm this decision before the network location is deleted. You can’t undo this action.

PowerShell network location configuration

Instead of using the Citrix Cloud management console interface, you can use a PowerShell script to configure Direct Workload Connection. Direct Workload Connection configuration with PowerShell involves the following tasks:

  1. Determine the public IP address ranges of each branch location that your internal users connect from.
  2. Download the PowerShell module.
  3. Create a secure API client in Citrix Cloud and make a note of the Client ID and secret.
  4. Import the PowerShell module and connect to the Network Location Service (NLS) with your API client details.
  5. Create NLS sites for each of your branch locations with the public IP address ranges that you previously determined. Direct Workload Connection is automatically enabled for any launches that come from the internal network locations you’ve specified.
  6. Launch an app or desktop from a device on your internal network and verify that the connection goes directly to the VDA, bypassing the Gateway. For more information, see ICA file logging in this article.

Download the PowerShell module

Before you set up your network locations, download the Citrix-provided PowerShell module (nls.psm1) from the Citrix GitHub repository. Using this module, you can set up as many network locations as needed for your VDAs.

  1. In a web browser, go to https://github.com/citrix/sample-scripts/blob/master/workspace/nls.psm1.
  2. Press ALT while clicking the Raw button.
  3. Select a location on your computer and click Save.

Required configuration details

To set up your network locations, you need the following required information:

  • Citrix Cloud secure client customer ID, client ID, and client secret. To obtain these values, see Create a secure client in this article.
  • Public IP address ranges for the networks where your internal users will be connecting from. For more information about these public IP address ranges, see Requirements in this article.

Create a secure client

  1. Sign in to Citrix Cloud at https://citrix.cloud.com.
  2. From the Citrix Cloud menu, select Identity and Access Management and then select API Access.
  3. On the Secure Clients tab, note your customer ID.
  4. Enter a name for the client and then select Create Client.
  5. Copy the client ID and client secret.

Configure network locations

  1. Open a PowerShell command window and navigate to the same directory where you saved the PowerShell module.
  2. Import the module: Import-Module .\nls.psm1 -Force
  3. Set the required variables with your secure client information from Create a secure client:
    • $clientId = "YourSecureClientID"
    • $customer = "YourCustomerID"
    • $clientSecret = "YourSecureClientSecret"
  4. Connect to the Network Location Service with your secure client credentials:

    Connect-NLS -clientId $clientId -clientSecret $clientSecret -customer $customer
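
Steps 1 to 4 as one script, as an added example rather than Citrix code: it enforces TLS 1.2, imports nls.psm1 only if it matches the hash of the copy you reviewed, and prompts for the client secret instead of storing it in the script. `$expectedSha256` is a placeholder you must fill in, and `$modulePath`, `$expectedSha256`, `$actual` and `$secure` are names assumed for this example.

```powershell
# Added example (not Citrix code). Run from the directory holding nls.psm1.
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$modulePath     = '.\nls.psm1'
# Placeholder: replace with the SHA-256 of the nls.psm1 copy you downloaded and reviewed.
$expectedSha256 = '<SHA-256 of the nls.psm1 copy you reviewed>'

# Refuse to import a module that differs from the reviewed copy.
$actual = (Get-FileHash -Path $modulePath -Algorithm SHA256).Hash
if ($actual -ne $expectedSha256) {
    throw "nls.psm1 hash $actual does not match the reviewed copy; not importing."
}
Import-Module $modulePath -Force

# Prompt for the secure client details so the secret never sits in a script file
# or in the console history.
$customer = Read-Host -Prompt 'Customer ID'
$clientId = Read-Host -Prompt 'Secure client ID'
$secure   = Read-Host -Prompt 'Secure client secret' -AsSecureString

# Connect-NLS is shown on this page taking the secret as a plain string,
# so convert only at the point of use.
$clientSecret = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    Connect-NLS -clientId $clientId -clientSecret $clientSecret -customer $customer
}
finally {
    # Drop the plaintext variable from the session once the call returns.
    Remove-Variable clientSecret, secure -ErrorAction SilentlyContinue
}
```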
    
