The Hybrid Design Pattern


The Hybrid design pattern builds upon the Cloud Forward design pattern. It introduces customer-managed access layer components from Citrix (➊) to flexibly meet the needs of specific customer demographics and use cases. These customer-managed components include the following:

  • Citrix ADC/Gateway(❷): deployed as virtual appliances on GCP, this component is often used for use cases requiring one or more of the following:
    • Advanced authentication scenarios, such as SAML/OAUTH 2/OpenID federation, RADIUS, smart card, and conditional access requirements.
    • Highly optimized and flexible session access for end user devices on public networks.
    • Advanced networking services such as content switching, web app firewall, integrated web caching, attack mitigation, application load balancing, and SSL offload.
    • Ability to direct specific users/devices to specific ‘stores’ based on advanced, highly flexible, and contextually aware policies. Policy decisions can be based on user profile attributes, location, device type, device health, authentication results, and more.
  • Citrix StoreFront(❸): The predecessor of the Citrix Workspace service, StoreFront is Citrix’s ‘classic’ provider of UI services. Installed on customer-managed Windows Server instances, StoreFront is often used for use cases requiring one or more of the following:
    • Extreme high availability, capable of surviving a broader range of failure scenarios, particularly when deployed in a highly available configuration.
    • Flexible session routing, with the ability to route internal user session traffic directly to VDAs while sending external users through Citrix Gateways.
    • Single sign-on from customer-managed, on-premises devices.
    • The need to provide multiple ‘stores’ with different configuration properties to support diverse use cases on the same system.
    • The need for highly customized or branded, HTML based user interfaces.


With the Hybrid design pattern, Citrix access layer components are deployed in the customer’s Google Cloud environment (➊). The components are typically deployed in pairs spread across multiple zones for high availability.

This pattern uses Citrix’s ADC/Gateway VPX (virtual) appliances to securely proxy HDX sessions into the VDAs in the customer’s environment (❷). Citrix ADC/Gateway appliances can be used with the Citrix Workspace service for simple session proxy services or complex authentication scenarios, or both (UI option A). It can also be paired with Citrix StoreFront (UI option B).

This pattern optionally uses Citrix StoreFront (❸) for UI services, allowing the system to meet the requirements for more complex use cases as outlined above. It pairs with Citrix ADC/Gateway, which handles authentication in addition to UI and HDX session proxy services.

To put the hybrid design pattern into the context of the five components of a Citrix virtualization system:

Virtualization system function: Provided by:
Session brokering and administration Citrix Virtual App and Desktop Service (CVADS) (cloud service)
User interface (UI) services Citrix Workspace service (cloud service) OR Citrix StoreFront (customer managed)
Authentication Many combinations available to Citrix Workspace service (cloud service) OR Citrix StoreFront by introducing Citrix ADC/Gateway (customer managed)
HDX session proxy Citrix Gateway Service (cloud service) OR Citrix ADC/Gateway (customer managed)
Analytics Citrix Analytics Service (cloud service)

There are many other functional items you may also find important to consider before choosing between the cloud service or customer managed components. We provide you with a deeper dive into Citrix ADC/Gateway and Citrix StoreFront on GCP in later sections. You can use different combinations of technologies at each layer to achieve specific outcomes or meet specific needs - at the expense of simplicity.

For example: Citrix ADC/Gateway VPX appliances can be added to a system and used for Authentication or HDX proxy functionality while using Citrix Workspace for UI services. This gives the system the ability to support almost any identity and authentication strategy (including federation scenarios), plus the ability to use HDX’s Enlightened Data Transport for the best session performance over suboptimal networks.

You can also introduce Citrix StoreFront to use for UI services, in parallel to or instead of Citrix Workspace. StoreFront requires Citrix ADC/Gateway for most use cases, but this combination would serve use cases with extreme high availability requirements, heavy UI customization requirements, and the ability to create multiple different ‘stores’, with different properties, for different groups of users, device properties, physical locations, and so on.

The Hybrid Design Pattern