Service continuity (Technical Preview)

Note:

This feature is currently in Technical Preview. Citrix recommends using this feature only in non-production environments. Sign up using this Podio form: Sign up: Service Continuity Tech Preview for Citrix Workspace.

Service continuity removes or minimizes dependence on the availability of components involved in the connection process. Users can launch their virtual apps and desktops regardless of the cloud services health status.

Service continuity allows users to connect to their virtual apps and desktops during outages, as long as the user device maintains a network connection to a resource location. Users can connect to virtual apps and desktops during outages in Citrix Cloud components or in public and private clouds. Users can connect directly to the resource location or through the Citrix Gateway service.

Service continuity improves the visual representation of published resources during outages by using Progressive Web Apps service worker technology to cache resources in the user interface.

Service continuity uses Workspace connection leases to allow users to access apps and desktops during outages. Workspace connection leases are long-lived authorization tokens. Workspace connection lease files are securely cached on the user device. When a user signs in to Citrix Workspace, Workspace connection lease files are saved to the user profile for each resource published to the user. Service continuity lets users access apps and desktops during an outage even if the user has never launched an app or desktop before. Workspace connection lease files are signed and encrypted and are associated with the user and the user device. When service continuity is enabled, a Workspace connection lease allows users to access apps and desktops for seven days by default. You can configure Workspace connection leases to allow access for up to 30 days.

When users exit Citrix Workspace app, Citrix Workspace app closes but the Workspace connection leases are retained. Users exit the Citrix Workspace app by right-clicking its icon in the system tray or by restarting the user device. You can configure service continuity to delete or retain Workspace connection leases when users sign out of Citrix Workspace during an outage. By default, Workspace connection leases are deleted from user devices when users sign out during an outage.

Service continuity is supported only in the native Citrix Workspace app (Windows, Mac, and Linux, at the minimum versions listed under User requirements). It is not supported for Citrix Workspace app for Web or any other browser-based access to Citrix Workspace.

For an in-depth technical article about Citrix Cloud resiliency features, including service continuity, see Citrix Cloud Resiliency.

Note:

The deprecated Citrix Virtual Apps and Desktops feature called “connection leasing” resembles Workspace connection leases in that it improved connection resiliency during outages. Otherwise, that deprecated feature is unrelated to service continuity.

User device setup

To access resources during an outage, users must sign in to Citrix Workspace before the outage occurs. When you enable service continuity, users must perform the following steps on their devices:

  1. Download and install Citrix Workspace app 2012 for Windows, Citrix Workspace app 2102 for Mac, or Citrix Workspace app 2104 for Linux.

  2. Add the Workspace URL for your organization to Citrix Workspace app (for example, https://example.cloud.com).

  3. Sign in to Citrix Workspace.

User experience during an outage

When service continuity is enabled, the user experience during an outage varies depending on:

  • The type of outage.
  • Whether the Citrix Workspace app is configured with domain pass-through authentication.
  • Whether session sharing is enabled for the desktop or app the user connects to.

For some outages, users continue accessing their virtual apps and desktops with no change to their user experience.

Depending on how Citrix Workspace app and the VDAs are configured, during an outage the VDA might prompt users to enter their credentials into the Windows Logon user interface. If this prompt occurs, users enter their Active Directory (AD) credentials or smart card PIN to access the app or desktop. The prompt appears when user credentials are not passed through to the VDA during the outage; in that case, users must reauthenticate to the VDA before the app or desktop opens.

Users can access resources without entering their AD credentials if:

  • Citrix Workspace app is configured with domain pass-through authentication. Users can access any available resource during a Citrix Workspace outage without entering their credentials. For information about configuring domain pass-through authentication for Citrix Workspace app for Windows, see Authenticate.
  • Session sharing is enabled. Users can access apps or desktops hosted on the same VDA after they provide their credentials for one resource on that VDA. Session sharing is configured for the application group containing the resource on the VDA. For information about configuring application groups, see Create application groups.

In all other configurations, users are prompted to reenter their AD credentials before accessing resources.

During an outage in the Citrix-managed broker, users experience no changes to the Citrix Workspace app user interface. During this type of outage, users might be momentarily unable to launch apps and desktops until VDA re-registrations to the Citrix Cloud Connector are complete. Depending on your configuration, the VDA might prompt users to reenter their credentials.

During a Citrix Workspace outage, users see this message at the top of the Citrix Workspace home page: “Unable to connect to some of your resources. Some virtual apps and desktop may still be available.” Users see apps and desktops that they can connect to during the outage. If the app or desktop is not available, the icon appears dimmed.

To access resources that are available during an outage, users select a resource icon that is not dimmed. If prompted, the user then reenters their AD credentials before accessing resources.

During an outage with the identity provider for workspace authentication, users might not be able to sign in to Citrix Workspace through the Workspace sign-in page. If this happens, users must close the Workspace sign-in page by clicking the X in the upper-left corner. Afterward, the Citrix Workspace home page appears. Users then access resources as they would during a Citrix Workspace outage.

Regardless of the type of outage, users can continue to access resources if they exit and relaunch Citrix Workspace app. Users can restart their user devices without losing access to resources. Users lose access to their resources if they sign out of Citrix Workspace, unless you specify that Workspace connection leases are retained when users sign out.

Requirements and limitations

Site requirements

  • Supported for Citrix Virtual Apps and Desktops service with Workspace Experience.

  • Not supported for Citrix Workspace with site aggregation to on-premises Virtual Apps and Desktops.

  • Not supported for on-premises Citrix Gateway.

  • For this technical preview, a test org ID is recommended.

User requirements

  • Citrix Workspace app 2012 for Windows, Citrix Workspace app 2102 for Mac, or Citrix Workspace app 2104 for Linux at a minimum.

  • Supported for the Citrix Workspace app in native app only. Not supported for Citrix Workspace app for Web.

  • Only one user per device is supported. Kiosk or “hot desk” user devices are not supported.

Supported workspace authentication methods

  • Active Directory
  • Active Directory plus token
  • Citrix Gateway (primary user claim must be from AD)

Authentication limitations

  • Citrix Federated Authentication Service (FAS) is not supported.
  • Local mapped accounts are not supported.
  • Single sign-on to VDA is not supported.
  • VDAs joined to Azure AD are not supported. All VDAs must be joined to an AD domain.

Citrix Cloud Connector scale and size

  • 4 vCPU or more
  • 4 GB memory or more

Citrix Cloud Connector connectivity

Citrix Cloud Connector must be able to reach https://rootoftrust.apps.cloud.com, the Citrix Cloud root of trust service that service continuity relies on (see What makes it secure). Configure your firewall to allow this connection. For information about the Cloud Connector firewall, see Cloud Connector Proxy and Firewall Configuration.

VDA requirement and limitations

  • VDA 7.15 LTSR or any current release that has not reached end of life.
  • VDAs joined to Azure AD are not supported. All VDAs must be joined to an AD domain.
  • VDAs must be online for users to access VDA resources during an outage. VDA resources are not available when the VDA is affected by outages in:
    • Amazon Web Services (AWS).
    • Azure.
    • Cloud Delivery Controller, unless Autoscale is enabled for the delivery group delivering the resource.

Note:

If you are using Citrix Hypervisor or vSphere with Autoscale, then power management is available even during Cloud Delivery Controller outages.

  • VDA workloads supported during outages:
    • Hosted shared apps and desktops
    • Static non-persistent desktops
    • Random non-persistent desktops (pooled VDI desktop) with power management
    • Static persistent desktops, including Remote PC Access

    Note:

    Assign on first use is not supported during outages.

For more information about available VDA functions during outages, see VDA management during outages.

Configure resource location network connectivity for service continuity

You can configure your resource location to accept connections from outside or inside your LAN.

To configure for connections from outside your LAN:

  1. From the Citrix Cloud menu, go to Workspace Configuration > Access.
  2. Select Configure Connectivity.
  3. Select Gateway Service as your connectivity type.
  4. Click Save.

To configure for connections inside your LAN:

  1. From the Citrix Cloud menu, go to Workspace Configuration > Access.
  2. Select Configure Connectivity.
  3. Select Internal Only as your connectivity type.
  4. Click Save.

Configure your Citrix Cloud Connector and VDA firewalls to accept connections over Common Gateway Protocol (CGP) TCP port 2598. This configuration is the default setting.
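The following pre-flight check is an added example written for this page, not Citrix-supplied code. Run it on each Citrix Cloud Connector to confirm the two network paths the text above requires: outbound reachability of the root of trust service and CGP (TCP 2598) between the Connector and the VDAs. It uses only cmdlets that ship with Windows Server (Test-NetConnection, Get-NetFirewallRule, Get-NetFirewallPortFilter). Assumptions: the root of trust endpoint is reached over HTTPS on TCP 443, and the VDA names you pass in (the example names are constructed) are machines users will reach over CGP during an outage.

```powershell
# Added example for this page, not Citrix-supplied code. Run on a Citrix Cloud Connector.
# Assumptions: rootoftrust.apps.cloud.com is reached over TCP 443; VDA names are yours.
function Test-ServiceContinuityConnectivity {
    [CmdletBinding()]
    param(
        # VDA hostnames or IPs in this resource location to probe over CGP (TCP 2598).
        [Parameter(Mandatory = $true)]
        [string[]] $Vda,

        [string] $RootOfTrustHost = 'rootoftrust.apps.cloud.com',
        [int]    $CgpPort = 2598
    )

    $checks = New-Object System.Collections.Generic.List[object]

    # 1. Outbound: the Connector must reach the root of trust service that lease trust depends on.
    $rot = Test-NetConnection -ComputerName $RootOfTrustHost -Port 443 -WarningAction SilentlyContinue
    $checks.Add([pscustomobject]@{
        Check  = "Outbound TCP 443 to $RootOfTrustHost"
        Ok     = [bool]$rot.TcpTestSucceeded
        Detail = "$($rot.RemoteAddress)"
    })

    # 2. Inbound: an enabled Allow rule for TCP $CgpPort on this Connector (the default on a fresh
    #    install). A rule whose LocalPort is 'Any' also qualifies; port ranges are not parsed here.
    $cgpRules = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ((@($pf.LocalPort) -contains "$CgpPort") -or (@($pf.LocalPort) -contains 'Any'))
        })
    $checks.Add([pscustomobject]@{
        Check  = "Inbound firewall rule allowing TCP $CgpPort (CGP)"
        Ok     = ($cgpRules.Count -gt 0)
        Detail = (($cgpRules | ForEach-Object { $_.DisplayName }) -join '; ')
    })

    # 3. Outbound: each VDA must answer on CGP, which also exercises the VDA's own firewall.
    foreach ($v in $Vda) {
        $t = Test-NetConnection -ComputerName $v -Port $CgpPort -WarningAction SilentlyContinue
        $checks.Add([pscustomobject]@{
            Check  = "TCP $CgpPort to VDA $v"
            Ok     = [bool]$t.TcpTestSucceeded
            Detail = "$($t.RemoteAddress)"
        })
    }

    $checks
}

# Usage (constructed VDA names):
# Test-ServiceContinuityConnectivity -Vda 'vda01.example.local', 'vda02.example.local' | Format-Table -AutoSize
```

Any row with Ok = False points at the firewall or proxy hop to fix before enabling service continuity; a VDA that fails check 3 will not be reachable through a lease during an outage even though it is registered.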

Configure service continuity

To enable service continuity for your site:

  1. From the Citrix Cloud menu, go to Workspace Configuration > Service continuity.
  2. Set Connection leasing for the Workspace to Enable.
  3. Set Connection lease period to the number of days a Workspace connection lease can be used to maintain a connection. The Workspace connection lease period applies to all Workspace connection leases issued by your site. The Workspace connection lease period starts the first time a user signs in to the Citrix Cloud Workspace store. Workspace connection leases are refreshed each time the user signs in, up to once a day. The Workspace connection lease period can be from one day to 30 days. The default is seven days.
  4. Click Save.

By default, Workspace connection leases are deleted from the user device if the user signs out of Citrix Workspace during an outage. If you want Workspace connection leases to remain on user devices after users sign out, use the following PowerShell command:

Set-BrokerSite -DeleteResourceLeasesOnLogOff $false

How service continuity works

If there is no outage, users access virtual apps and desktops using ICA files. Citrix Workspace generates a unique ICA file each time a user selects a virtual app or desktop icon. Each ICA file contains a Secure Ticket Authority (STA) ticket and a logon ticket that can be redeemed only once to gain authorized access to virtual resources. The tickets in each ICA file expire after about 90 seconds. After the ticket in an ICA file is used or expires, the user needs another ICA file from Citrix Workspace to access resources. When service continuity is not enabled, outages can prevent users from accessing resources if Citrix Workspace can’t generate an ICA file.

Citrix Workspace generates ICA files when users launch virtual apps and desktops regardless of whether service continuity is enabled. When service continuity is enabled, Citrix Workspace also generates the unique set of files that make up a Workspace connection lease. Unlike ICA files, Workspace connection lease files are generated when the user signs into Citrix Workspace, not when the user launches the resource. When a user signs in to Citrix Workspace, connection lease files are generated for every resource published to that user. Workspace connection leases contain information that gives the user access to virtual resources. If an outage prevents a user from signing in to Citrix Workspace or accessing resources using an ICA file, the Workspace connection lease gives the user authorized access to the resource.

What makes it secure

All sensitive information in the Workspace connection lease files is encrypted with the AES-256 cipher. Workspace connection leases are bound to a public/private key pair uniquely associated with the specific client device and cannot be used on a different device. A built-in cryptographic mechanism enforces use of the unique key pair on each device.

Workspace connection leases are stored on the user device in AppData\Local\Citrix\SelfService\ConnectionLeases.

The security architecture of service continuity is built on public-key cryptography, similarly to a public key infrastructure (PKI), but without certificate chains and certificate authorities. Instead, all the components establish transitive trust by relying on a new Citrix Cloud service called the root of trust that acts like a certificate authority.

Revoke connection leases

If a user device is lost or stolen, or a user account is closed or compromised, you can revoke Workspace connection leases and block the devices from connecting to resources. You can revoke Workspace connection leases for a user or for all users in a user group. When you block connections to a user account, you block connection to that account on all devices associated with that account.

To revoke Workspace connection leases for a single user or user group, use this PowerShell command:

Set-BrokerConnectionLeaseRevocationDate -Name username -LeaseRevocationDays Days

Replace username with the user associated with the account you want to block from connecting. Replace username with a user group to block connection from all accounts in the user group. Replace Days with the number of days connections are blocked.

For example, to block connections for xd.local/user1 for the next 7 days, type:

Set-BrokerConnectionLeaseRevocationDate -Name xd.local/user1 -LeaseRevocationDays 7

To view the time period for which Workspace connection leases are revoked, use this PowerShell command:

Get-BrokerConnectionLeaseRevocationDate -Name username

Replace username with the user or user group you want to view the time period for.

For example, to view the time period for which Workspace connection leases are revoked for xd.local/user2, type:

Get-BrokerConnectionLeaseRevocationDate -Name xd.local/user2

This information appears:

FullName                        :
Name                            : XD\user2
UPN                             :
Sid                             : S-1-5-21-nnnnnn
LeaseRevocationDays             : 2
LeaseRevocationDateTimeInUtc    : 2020-12-17T17:34:25Z
LastUpdateDateTimeInUtc         : 2020-12-19T17:34:25Z

From this output you can see that user xd.local/user2 has Workspace connection leases revoked for two days, from December 17, 2020, through December 19, 2020, at 17:34:25 UTC on each day.

To allow a user account that has Workspace connection leases revoked to connect again, remove the block using this PowerShell command:

Remove-BrokerConnectionLeaseRevocationDate -Name username

Replace username with the blocked user or user group you want to allow to connect again. To remove the block from all blocked user accounts, omit the Name option.
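The helper below is an added example for this page, not Citrix-supplied code. It wraps the three revocation cmdlets above into a lost-device or compromised-account runbook step: it applies the block, reads it back so the incident record shows what the broker stored, and lets you lift the block later. Assumptions: the Citrix Remote PowerShell SDK is installed and you have already authenticated to your Citrix Cloud customer in this session; the LeasePeriodDays parameter is something you set to match the Connection lease period configured for your site (default 7 days), because this page gives no cmdlet that returns it. The user names in the usage lines are constructed.

```powershell
# Added example for this page, not Citrix-supplied code. Requires the Citrix Remote
# PowerShell SDK and an authenticated Citrix Cloud session. LeasePeriodDays is assumed
# to match the site's configured Connection lease period.
function Block-WorkspaceConnectionLeases {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # User or group names in the form the broker accepts, for example 'xd.local/user1'.
        [Parameter(Mandatory = $true)]
        [string[]] $Name,

        # Days the block stays in force.
        [Parameter(Mandatory = $true)]
        [ValidateScript({ $_ -ge 1 })]
        [int] $Days,

        # Your site's configured Workspace connection lease period (1-30 days).
        [ValidateRange(1, 30)]
        [int] $LeasePeriodDays = 7
    )

    # A lease already cached on a lost device remains valid for the rest of its lease period,
    # so a block shorter than that period may lapse while the lease is still usable.
    if ($Days -lt $LeasePeriodDays) {
        Write-Warning "Block of $Days day(s) is shorter than the $LeasePeriodDays-day lease period; using $LeasePeriodDays."
        $Days = $LeasePeriodDays
    }

    foreach ($n in $Name) {
        if (-not $PSCmdlet.ShouldProcess($n, "Revoke Workspace connection leases for $Days day(s)")) { continue }

        # Revocation is per account: every device holding a lease for this user is blocked.
        Set-BrokerConnectionLeaseRevocationDate -Name $n -LeaseRevocationDays $Days

        # Read the block back so the incident record reflects what the broker actually stored.
        $r = Get-BrokerConnectionLeaseRevocationDate -Name $n
        [pscustomobject]@{
            Name           = $r.Name
            Sid            = $r.Sid
            BlockedDays    = $r.LeaseRevocationDays
            RevokedFromUtc = $r.LeaseRevocationDateTimeInUtc
            LastUpdateUtc  = $r.LastUpdateDateTimeInUtc
        }
    }
}

function Unblock-WorkspaceConnectionLeases {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Name
    )

    foreach ($n in $Name) {
        if ($PSCmdlet.ShouldProcess($n, 'Remove Workspace connection lease block')) {
            Remove-BrokerConnectionLeaseRevocationDate -Name $n
        }
    }
}

# Usage (constructed names):
# Block-WorkspaceConnectionLeases -Name 'xd.local/user1' -Days 7 -WhatIf
# Block-WorkspaceConnectionLeases -Name 'xd.local/user1' -Days 30 -LeasePeriodDays 30
# Unblock-WorkspaceConnectionLeases -Name 'xd.local/user1'
```

Because the block is keyed to the account and not to a device, the user's other devices lose lease-based access for the same window; combine the block with a credential reset where the account itself is suspected compromised.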

VDA management during outages

Service continuity uses the Local Host Cache function within the Citrix Cloud Connector. Local Host Cache allows connection brokering to continue on a site when the connection between the Cloud Delivery Controller and the Cloud Connector fails. Because service continuity relies on Local Host Cache, it shares some limitations with Local Host Cache.

Note:

Although service continuity uses Local Host Cache within the Cloud Connector, unlike Local Host Cache, service continuity is not supported with on-premises StoreFront.

Power management of VDAs during outages

If your site uses Citrix Hypervisor or vSphere, Citrix Host Service can provide hypervisor credentials to the Cloud Connector. If your site uses any other hypervisor or cloud platform, such as VMs hosted in Azure, Citrix Host Service can’t provide hypervisor credentials to the Cloud Connector. This means:

  • If your site uses Citrix Hypervisor or vSphere: The Cloud Connector can perform power management operations, including the Pooled VDI case, during an outage.
  • If your site uses any other hypervisor: During an outage, all machines are in the unknown power state and no power operations can be issued. However, VMs on the host that are powered-on can be used for connection requests.

By default, power-managed desktop VDAs in pooled delivery groups that have the ShutdownDesktopsAfterUse property enabled are placed into maintenance mode when an outage in the Citrix-managed broker occurs. You can change this setting to allow those desktops to be used during an outage. However, power management is only available during an outage if you are using Autoscale with Citrix Hypervisor or vSphere. If those desktops are used during an outage, they might contain data from the previous user because they have not been restarted, so changing this setting trades user isolation for availability.

Power management resumes when normal operations resume after an outage.

Machine assignment and automatic enrollment

An assigned machine can be used only if the assignment occurred during normal operations. New assignments cannot be made during an outage.

Automatic enrollment and configuration of Remote PC Access machines is not possible. However, machines that were enrolled and configured during normal operation are usable.

VDA resources in different zones

Users of server-hosted applications and desktops might exceed their configured session limits if the resources are published in different zones.

Unlike Local Host Cache, service continuity can launch applications and desktops from registered VDAs in different zones, as long as the resource is published in more than one zone. Citrix Workspace app might take longer to find a healthy zone as it cycles sequentially through all the zones in the Workspace connection lease.

Monitoring and troubleshooting

Service continuity performs two main actions:

  • Download Workspace connection leases to the user device. Workspace connection leases are generated and synced with the Citrix Workspace app.
  • Launch Workspace connection leases. Virtual desktops and apps are launched using Workspace connection leases.

Troubleshooting downloading Workspace connection leases

You can view Workspace connection leases at this location on the user device:

%localappdata%\Citrix\SelfService\ConnectionLeases\Store\User\leases

Store is the name of your store and User is the user name.

Workspace connection leases are generated when the Citrix Workspace app connects to the Workspace store. View registry key values on the user device to determine whether the Citrix Workspace app has successfully contacted the Workspace connection lease service in Citrix Cloud.

Open regedit on the user device and view the subkey for your store under this key. The subkey name has the form store-<id> and differs per store; store-5c0ec3f7 is used here as an example:

HKCU\Software\Citrix\Dazzle\Sites\store-5c0ec3f7

If these values appear in the registry key, the Citrix Workspace app contacted or attempted to contact the Workspace connection lease service:

  • leaseLastCallHomeTime
  • leaseLastSyncStatus

If the Citrix Workspace app tried unsuccessfully to contact the Workspace connection lease service, leaseLastCallHomeTime shows an error with an invalid time stamp:

leaseLastCallHomeTime REG_SZ 1/1/0001 12:00:00 AM

If leaseLastCallHomeTime is uninitialized, the Citrix Workspace app never attempted to contact the Workspace connection lease service.
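The script below is an added example for this page, not Citrix-supplied code. It turns the manual registry and folder inspection described above into a single check you can run in the affected user's own session (the values live under HKCU). The Sites key, the two value names, the 1/1/0001 failure marker and the ConnectionLeases folder layout are taken from this page; the format of leaseLastSyncStatus is not documented here, so it is reported verbatim. The LeasePeriodDays parameter is assumed to match your site's configured lease period (default 7), and the file-age test is a heuristic: leases are refreshed at sign-in (at most once a day), so a lease folder whose newest file is older than the lease period is a likely cause of error 3006.

```powershell
# Added example for this page, not Citrix-supplied code. Run as the affected user on
# their Windows device. LeasePeriodDays is assumed to match the site's lease period.
function Get-WorkspaceLeaseStatus {
    [CmdletBinding()]
    param(
        # Your site's configured Workspace connection lease period (1-30 days).
        [ValidateRange(1, 30)]
        [int] $LeasePeriodDays = 7
    )

    $sitesKey  = 'HKCU:\Software\Citrix\Dazzle\Sites'
    $leaseRoot = Join-Path $env:LOCALAPPDATA 'Citrix\SelfService\ConnectionLeases'

    # 1. Did Citrix Workspace app ever reach the lease service? One record per store-<id> subkey.
    foreach ($site in @(Get-ChildItem -Path $sitesKey -ErrorAction SilentlyContinue)) {
        $callHome = $site.GetValue('leaseLastCallHomeTime')
        if ($null -eq $callHome) {
            $state = 'never-attempted'           # value absent: the app never called home
        } else {
            $parsed = [datetime]::MinValue
            $ok = [datetime]::TryParse([string]$callHome, [ref]$parsed) -or
                  [datetime]::TryParse([string]$callHome, [cultureinfo]::InvariantCulture,
                                       [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
            if (-not $ok) {
                $state = "unparseable ($callHome)"
            } elseif ($parsed -eq [datetime]::MinValue) {
                $state = 'last-attempt-failed'   # "1/1/0001 12:00:00 AM" is DateTime.MinValue
            } else {
                $state = 'contacted'
            }
        }
        [pscustomobject]@{
            Item   = "registry $($site.PSChildName)"
            State  = $state
            Detail = "leaseLastCallHomeTime=$callHome; leaseLastSyncStatus=$($site.GetValue('leaseLastSyncStatus'))"
        }
    }

    # 2. Are lease files present, and is the newest one younger than the lease period?
    #    Folder layout from this page: ...\ConnectionLeases\<Store>\<User>\leases
    foreach ($dir in @(Get-ChildItem -Path $leaseRoot -Directory -Recurse -Filter leases -ErrorAction SilentlyContinue)) {
        $files = @(Get-ChildItem -Path $dir.FullName -File -Recurse -ErrorAction SilentlyContinue)
        if ($files.Count -eq 0) {
            $state = 'no-lease-files'            # compare error code 3000
        } else {
            $newest = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
            if (((Get-Date) - $newest) -gt [timespan]::FromDays($LeasePeriodDays)) {
                $state = 'possibly-expired'      # compare error code 3006: sign in again to refresh
            } else {
                $state = 'present'
            }
        }
        [pscustomobject]@{
            Item   = "leases $($dir.FullName.Substring($leaseRoot.Length))"
            State  = $state
            Detail = "$($files.Count) file(s)"
        }
    }
}

# Usage:
# Get-WorkspaceLeaseStatus -LeasePeriodDays 7 | Format-Table -AutoSize
```

A device that shows 'contacted' in the registry but 'no-lease-files' on disk has reached the lease service without receiving leases, which is where to look next; 'never-attempted' means service continuity was not enabled for the store, or the user has not signed in since it was enabled.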

Citrix Workspace app error codes for Workspace connection leases

When a service continuity error occurs on the user device, an error code appears in the error message. Common errors include:

Error code   Description
3000         No connection lease files present
3002         Connection lease cannot be read
3003         No resource location found
3004         Connection details missing in the leases
3005         ICA file is empty
3006         Connection lease expired. Log back into Workspace.
3007         Connection lease is invalid
3008         Connection lease validation result: empty
3009         Connection lease validation result: invalid
3010         Parameter missing
3020         Connection lease validation failed
3021         No resource location found where the app is published
3022         Connection lease validation result: deny
3023         Citrix Workspace app timed out

Known issues in this Technical Preview

Warning:

Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of the Registry Editor can be solved. Use the Registry Editor at your own risk. Be sure to back up the registry before you edit it.

The Windows Logon user interface that prompts users to reauthenticate on the VDA does not support local keyboard language mapping. To allow users to reauthenticate during an outage if they have local keyboard language mapping on their devices, preload the keyboard layouts these users require. Edit this registry key in the VDA image:

HKEY_USERS\.DEFAULT\Keyboard Layout\Preload

The corresponding language pack in the virtual desktop image must be installed.

For a list of keyboard identifiers associated with keyboard languages, refer to Keyboard Identifiers and Input Method Editors for Windows.