Design Decision: User Data and Profile considerations

Profile management solutions are designed to make a user’s local profile portable so that it can be accessed from any session or device. Both Citrix User Profile Management (UPM) and Microsoft FSLogix improve on the traditional roaming profile model used in data centers. Both solutions improve the response time for users and store the user profile using Azure Files. The benefits of each solution are outlined below.

  • Citrix User Profile Management
    • Integrates with the following products:
      • Citrix Virtual Apps and Desktops (Citrix DaaS)
      • Citrix Workspace Environment Management (WEM) service
      • Azure Files
      • Microsoft FSLogix
    • Virtualizes user profiles so the user settings can be applied to the user desktop or application
    • Streams profile data so that it is not downloaded until needed
      • Offers large file handling, which allows large files to be redirected individually, providing a native (local) file experience
    • Supports profile exclusions to reduce bloat
    • Supports multiple concurrent file accesses for multi-session users
    • Supports profile containerization
    • Improves logon speed
  • Microsoft FSLogix
      • Implements containerization by redirecting user profiles to a virtual hard disk
      • Supports profile containers and Microsoft Office containers
      • Maintains user data for non-persistent environments, such as Citrix sessions or Azure Virtual Desktop
    • Reduces logon times by mounting a VHD instead of copying user profile data across the network
    • Supports profile exclusions to reduce bloat
    • Provides a native (local) profile experience for users
    • Integrates with OneDrive and Azure Files

Some applications are not designed with roaming users in mind and rely on local file caches and indexes that do not roam between sessions. Microsoft Outlook is one of the more popular applications with this behavior. Both Citrix User Profile Management and Microsoft FSLogix can provide an improved user experience with these types of applications. Other design considerations include:

  • Users accessing their data from multiple sessions simultaneously require solutions that support that level of file access.
  • Keep user data as close as possible to the user’s session. When users are accessing from both on-premises and cloud-based sessions, choose the cloud when possible.
  • With both profile management solutions, permissions for profile stores must be configured manually. Support for multi-session simultaneous access requires extra configuration.
    • Always combine profile management with folder redirection to reduce the amount of data copied locally
    • Always configure profile folder exclusions to reduce bloat, since they are not configured by default
    • Always enable large file handling for Citrix User Profile Management so that large files, such as PSTs or OSTs, are not copied down
  • Antivirus exclusions are required for both FSLogix and Citrix User Profile Management because both implement system-level drivers for redirection.
  • When using Microsoft FSLogix, exclude the VHD(X) containers from AV scanning when they are hosted internally on traditional file shares.
  • Azure File Sync can replicate containers quickly and easily for staged deployments.
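The AV exclusion points above are easy to get wrong on a session host, so here is an added example (my own, not code from this article or from Citrix or Microsoft): a PowerShell script that audits the Microsoft Defender exclusions FSLogix containers and drivers need and, with -Apply, adds the missing ones. It assumes a placeholder fallback share path, the standard FSLogix install location under %ProgramFiles%\FSLogix\Apps, and the driver and process file names listed in the script.

```powershell
# Added example (not from the Citrix article): audit the Defender exclusions that FSLogix
# profile containers need on a session host and add the missing ones when -Apply is given.
# Assumptions (not from the page): the fallback share path is a placeholder, and the driver
# and process names are those installed under %ProgramFiles%\FSLogix\Apps.
param(
    [string]$FallbackShare = '\\fileserver.example.internal\FSLogixProfiles',  # placeholder
    [switch]$Apply
)

# Prefer the container location(s) the FSLogix agent is actually configured to use.
# VHDLocations may be REG_SZ or REG_MULTI_SZ, so normalise it to an array.
$reg    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
$shares = @($reg.VHDLocations | Where-Object { $_ })
if (-not $shares) { $shares = @($FallbackShare) }

$fsxApps = Join-Path $env:ProgramFiles 'FSLogix\Apps'

# Keep exclusions narrow: only the container files on the share, never the whole share,
# plus the FSLogix redirection drivers that Defender would otherwise inspect on every I/O.
$wantedPaths = @()
foreach ($share in $shares) {
    $wantedPaths += (Join-Path $share '*.VHD'), (Join-Path $share '*.VHDX')
}
$drivers = 'frxdrv.sys', 'frxdrvvt.sys', 'frxccd.sys' | ForEach-Object { Join-Path $fsxApps $_ }
$wantedPaths += $drivers

# The FSLogix service and container-management processes.
$wantedProcs = 'frxsvc.exe', 'frxccd.exe', 'frxccds.exe' | ForEach-Object { Join-Path $fsxApps $_ }

# Compare against what Defender has configured right now (comparison is case-insensitive).
$pref = Get-MpPreference
$missingPaths = @($wantedPaths | Where-Object { $pref.ExclusionPath    -notcontains $_ })
$missingProcs = @($wantedProcs | Where-Object { $pref.ExclusionProcess -notcontains $_ })

if ($missingPaths.Count -eq 0 -and $missingProcs.Count -eq 0) {
    Write-Output 'All expected FSLogix exclusions are present.'
    return
}
$missingPaths | ForEach-Object { Write-Output "Missing path exclusion:    $_" }
$missingProcs | ForEach-Object { Write-Output "Missing process exclusion: $_" }

if ($Apply) {
    # Add-MpPreference appends to the existing lists rather than replacing them.
    if ($missingPaths.Count) { Add-MpPreference -ExclusionPath    $missingPaths }
    if ($missingProcs.Count) { Add-MpPreference -ExclusionProcess $missingProcs }
    Write-Output 'Exclusions added; re-run without -Apply to confirm.'
}
```

Run it without -Apply first from an elevated session to see what is missing; if your deployment manages Defender through Group Policy or Intune, add the same entries there instead so they are not overwritten.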

One of the biggest challenges with migrating to Azure is how to manage user profiles and access to personal and department data. Users require their data to perform their job, and they need to access it from any device they are using. This section provides guidance for the challenges associated with user data and the considerations that influence the design.

The goals for user data are:

  • provide access to the data securely
  • provide access to it always from any location
  • provide access with the lowest latency possible

Meeting these goals is a challenge with a hybrid environment where some Citrix workloads are in the cloud and some remain on-premises. The user’s data cannot be in both places at once without creating data collision opportunities. Selecting a single location introduces security, latency, or access concerns. This dilemma is true for both the user data and the shared department data.

Windows still relies on the concept of profiles to store user data. The loading of those profiles can significantly impact a user’s logon experience, especially when the user’s desktop contains a large amount of data. The logon experience is made worse when the user’s session has a significant amount of latency between the profile store and the session host. Several technologies, such as Citrix Profile Manager and Microsoft FSLogix, have been developed to help remove these pain points. The information below helps you select which technology is best for your users.

When should I use the traditional file server technologies for hosting user data?

The traditional file server technologies are the file sharing solutions used in data centers today. Often these technologies use Distributed File System Replication (DFS-R) or Distributed File System Namespaces (DFS-N) to make file shares highly available across multiple locations. Accessing these file shares from an on-premises location typically introduces high latency because of routing and protocol latency. The different file server technologies, along with their benefits and drawbacks, are provided below.

  • Standalone File Servers: Windows Server configured as a file server
    • Requires management and maintenance
    • Has potential cost advantages when hosted in the cloud compared to other server-based technologies
    • Compatible with familiar backup/restore products
    • The standalone server is a single point of failure, since it has downtime during updates that force the server to reboot
  • Storage Replica: Windows Server technology that enables synchronous replication of volumes between servers or clusters
    • Requires management and maintenance
    • Supports block-level replication (synchronous or asynchronous)
    • Supports the SMB 3.0 protocol, which includes security enhancements such as encryption
    • Has only minimal downtime during manual failover between replicas
  • Storage Spaces: Windows Server technology that allows drive pooling in a RAID-type configuration and can be clustered across multiple server nodes for high availability
    • Requires management and maintenance
    • Supports SMB 3.1, which includes transparent failover mechanisms
    • Has a multi-node topology that can scale up/out as necessary
    • Has transparent failover
    • Uses 3 times more disk space than a traditional file server
    • Not always supported by third-party backup/restore products
  • Traditional file servers work best in a data center where the Citrix workloads have direct access to the file share.
  • Traditional file servers support the installation of governance and security software, such as:
    • Data loss prevention (DLP)
    • Antivirus (AV)
    • Backup
    • Encryption software
    • Host-based Intrusion Prevention System (HIPS)
    • Host-based Security System (HBSS)
  • Some traditional file server deployment configurations result in lower overall costs compared to the PaaS shares.
  • Use traditional file servers when your organization needs complete control over the data. With a traditional file server, governance and legal ownership are easy to maintain and data classification is easier to implement.
  • Traditional file server technologies are used when applications need the data nearby for compute or when an extensive amount of reads/writes is expected on the data.
  • Traditional file server technologies represent less durable data storage when compared to cloud-based alternatives such as Azure Files.
  • Consider the scalability path for meeting demand: scale out, or scale up with current hardware.

When should the PaaS file shares be used?

These cloud-based file services were built specifically as a service instead of an application and optimized to operate over the internet.

  • Azure Files: File shares as a service backed by Azure storage
    • Platform as a Service (PaaS)
    • Supports SMB 3.1/NFS 4.1 protocols
    • No server maintenance; Microsoft handles all maintenance
    • Mountable in Azure VMs and on Windows Server 2012 and later
    • Can be mounted from on-premises hosts
    • Supports different performance tiers: hot, cold, and high performance
    • Supports NTFS permissions and ACLs
    • Costs vary based on storage performance requirements
  • Azure NetApp Files: NetApp Filers as a service backed by Azure Files
    • Platform as a Service (PaaS) using NetApp Filers
    • No server maintenance; Microsoft handles all maintenance
    • Mountable in Azure VMs and on Windows Server 2012 and later
    • Can be mounted from on-premises hosts
    • Includes an Extreme Performance option compared to the Azure Files options
    • Supports NTFS permissions and ACLs
    • Increased cost compared to Azure Files
  • PaaS file shares have unlimited, highly durable data storage.
  • PaaS file shares have limits on performance, throughput, and protocol support.
  • PaaS file shares are more complex to set up with Active Directory NTFS permissions.
  • PaaS file shares can be mounted from most operating systems.
  • PaaS file shares integrate with other cloud-based services such as logging and metrics.
  • PaaS file shares are best when the user workloads are also in Azure. Using PaaS file shares reduces the egress data charges and saves on monthly charges.
  • PaaS file shares work best for sharing data internally across departments when user workloads are in Azure.
  • PaaS file shares do not work as well for sharing files externally because permissions are tied to the Azure AD users.
  • When using PaaS file shares, verify that users accessing their data shares from on-premises are receiving acceptable response times.
  • Select the lowest performance tier that meets the user’s expectations.
  • Governance and legal requirements are imposed based on the region hosting the data.
  • Cloud-based file services do not support the installation of third-party software such as DLP, AV, or encryption software.
  • Backups can be easily configured using Azure Backup.

When should I use Azure NetApp Files vs Azure Files?

This decision is based on what your users consider acceptable. Generally speaking, when you have fewer than 100 users accessing the file share simultaneously, the Azure Files Transactional performance level works best. With workloads of between 100 and 2000 users, depending on the frequency of the file updates, consider the Azure Files Premium performance level. With workloads over 2000 users, consider using Azure NetApp Files. To reduce the traffic on the file share, consider using Citrix User Profile Management with profile streaming and large file handling enabled. You can also reduce traffic on the file share by using Microsoft FSLogix containers.

When should the File Sharing Collaboration solutions be used?

File sharing and collaboration services are designed to make shared files accessible over the internet using the HTTPS protocol. These services allow not only individuals to store and retrieve files from the service, but also support collaboration between departments and even outside entities. They have security built in and provide a single point of access. These solutions are best for securely storing data that must be shared both internally and externally. Though they have been adapted to work as personal storage locations for users, they don’t always work well for storing user profiles.

  • ShareFile: Secure file-sharing cloud-based service hosted by Citrix
    • File sharing repository accessible over HTTPS/CIFS
    • Light management required around user security
    • Limited maintenance of local StorageZone controllers; Citrix maintains the rest of the infrastructure
    • Data owners can easily grant permissions to internal and external entities
    • Integrates with Active Directory
    • Citrix-managed StorageZones are protected by durable cloud storage (in Azure)
    • Customer-managed StorageZones allow use of local customer data centers
    • Citrix handles all the backup, antivirus, and indexing operations
    • All files are stored encrypted with AES-256
    • Integrates with SharePoint and OneDrive
    • Supports mobile access to network shares
    • ShareFile Sync client can synchronize local user data with ShareFile storage
    • Includes document management, workflow management, content collaboration, and e-signing capabilities
    • Costs vary depending on functionality selected
  • SharePoint in Microsoft 365: Cloud-based SharePoint service hosted by Microsoft
    • Limited management of user security and access
    • Microsoft maintains all servers
    • File-sharing repository accessible over HTTPS/CIFS
    • Lightweight version of SharePoint Server
    • Data owners can easily grant permissions to internal and external entities
    • Integrates with Active Directory
    • Supports mobile access to network shares
    • Includes document management, workflow management, and content collaboration capabilities
    • Costs vary depending on functionality selected
    • Integrates with OneDrive to synchronize content
  • OneDrive: OneDrive provides synchronization of user data between a local Windows workstation and a back-end data storage location
    • Local agent client installed and configured to synchronize user data with SharePoint or ShareFile
    • Can be configured to automatically back up the Documents, Desktop, and Pictures folders to OneDrive in Microsoft 365
    • Included with Microsoft 365 licenses

Cloud storage technologies have changed the landscape of personal data storage expectations. Fortunately, most users now treat the extra latency as an acceptable tradeoff for being able to access their data securely from anywhere. Other design considerations when using these collaborative file shares include:

  • Cloud-based file sharing and collaboration services have unlimited data storage.
  • With collaborative file sharing services, highly durable data storage is used and backups are included in the cost of the service.
  • Cloud-based file sharing and collaboration services do not support the installation of third-party data protection software. You rely on the vendor to provide the protection against data loss, viruses, and loss of confidentiality.
    • These technologies are preferred when a need exists to share the files externally, such as with other businesses or third parties.
    • Using the ShareFile Sync agent with ShareFile, or OneDrive with SharePoint, provides an excellent backup solution for the files users keep on their local device.
    • Collaborative file shares are excellent for remote users that keep a large number of documents locally on their assigned device.
    • When collaborative file shares are used from non-persistent sessions, use the Session Linger setting so data can be synchronized before the session terminates.
  • When using SharePoint:
    • Keep the top-level parent portals to a minimum to improve security, usability, navigation, and adoption.
    • Avoid using deep hierarchies with unique permissions, to improve performance.
    • Do not bury content or keep stale content, as it impacts usability and deters users from using the site.
    • Use standard groups first (Members, Visitors, Owners), followed by AD groups or SharePoint groups next, and direct user access last.
    • Take advantage of permission inheritance.
  • OneDrive clients interoperate with GPOs and support folder redirection.
  • OneDrive clients integrate with profile management solutions.

What if my users are accessing their data from both on-premises and in the Azure cloud?

  • Collaborative file services work for sharing data internally and externally, and also function as user data file repositories.
  • PaaS file services can be integrated directly with Windows, since they can be mounted and accessed like internal file shares.
  • Augment PaaS file services with profile management solutions that virtualize the file system. This approach reduces the amount of data on the wire and reduces the monthly charges from outbound Azure Files data.
  • Using PaaS file services prepares the way for complete cloud adoption while providing an improved experience for users accessing their data from the cloud.

What data methods work best together?

  • Different methods are acceptable for different user groups based on their data access requirements.
  • To reduce costs, avoid combinations that store the same data in multiple locations; for instance, do not use Citrix ShareFile Sync together with Citrix User Profile Management on Azure Files.
  • For cloud-based Citrix workloads, combining a profile management solution with a cloud-based file service has proven to be a good combination:
    • Citrix User Profile Management with large file handling enabled on an Azure Files share
    • Microsoft FSLogix with Azure Files
    • Citrix ShareFile Sync backed by Citrix ShareFile, with Microsoft FSLogix
  • For on-premises Citrix workloads, combine a profile management solution with the traditional file server technologies:
    • Citrix User Profile Management with large file handling enabled on a traditional file server share
    • Microsoft FSLogix with a traditional file server share
