Reference Architecture: Citrix Service Provider DaaS

Audience

This document is intended for IT decision makers, consultants, solution integrators, cloud engineers, and CSP Partners seeking to deploy or migrate an existing multitenant Citrix Virtual Apps and Desktops environment to the multitenant Citrix Cloud.

Executive Summary

The Citrix Service Provider Reference Architecture on Citrix Cloud uses a next-generation cloud service delivery approach that guides deployment architectures that scale quickly while increasing user-centric mobility for an expanding customer base.

Citrix Cloud enables the delivery of Microsoft® Windows® and Linux® workspaces with people-centric secure applications and desktops, hosted in Service Provider managed environments ranging from on-premises data centers to private or public clouds. Citrix Service Providers can take advantage of the flexible licensing programs to deliver cost-effective services based on subscriber usage.

The reference architecture is easily adapted to meet specific provider and subscriber requirements. Service Providers can deliver a comprehensive set of workspace offerings and price points while simplifying management and scalability. The cloud-ready services model enables lower infrastructure and administrative costs, speed to market and scalability, greater customer satisfaction, and increased business success.

Introduction and Scope

This document provides architectural guidance for Citrix Service Providers (CSP) who use Citrix Cloud technologies to offer services to customers and subscribers. The Reference Architecture is intended to assist Service Providers scale from a small subscriber base to an extensive user base shared across multiple tenants and geographies.

The Citrix CSP Reference Architecture is flexible and can be used to implement hosting environments within an array of infrastructures during any implementation phase.

This document describes the design and implementation of the Citrix Cloud solution infrastructure in a vendor-agnostic way, using standard wording for the specific technology in use.

Multitenant resource locations managed by Citrix Service Providers are highly scalable and available, with outstanding performance and end-user experience, and they support the management and incorporation of additional services.

This version of the Reference Architecture focuses on Citrix DaaS for Citrix Service Providers. At the time of publication, not all Workspace Services support multitenancy. We will expand the scope of the reference architecture to cover the overall workspace services for CSPs in future versions.

Overview

Citrix Cloud

Citrix Cloud is a platform that hosts and administers Citrix services, such as Citrix Workspace and Citrix Virtual Apps and Desktops. It connects to hosted resources through the Citrix Cloud Connector on any cloud or infrastructure.

Citrix Cloud allows Citrix Service Providers to create multiple workspace-hosting environments as resource locations (for example, on-premises, public Cloud, private Cloud, or hybrid Cloud).

CSP-Image-001

More information on Citrix Cloud

Citrix Workspace

Citrix Workspace is a unified, secure cloud platform managed by Citrix. Hosting providers can securely deliver applications and data while maintaining end-user experience and productivity in an increasingly mobile work style.

More information on Citrix Workspace

Citrix DaaS

Around 80% of our Citrix Service Providers offer application and desktop solutions to their customers. Traditionally these offerings are hosted and managed on-premises. Citrix DaaS adds flexibility by hosting the Access and Control Layers in Citrix Cloud, allowing the Service Provider to focus on customer workloads hosted in their chosen public cloud or maintained on-premises.

More information on Citrix DaaS

Citrix Cloud Connectors

The Cloud Connector is a Citrix component that authenticates and encrypts all communications between Citrix Cloud and Service Provider managed resource locations. All communication between Citrix Cloud and the Resource Location environment is encrypted, negating the need for ingress firewall rules.

More information on Citrix Cloud Connectors

Architecture Models for Citrix Service Providers

Citrix Cloud for Citrix Service Providers (CSPs) is the platform for delivering and managing Citrix technologies, helping Service Providers extend existing hosting deployments or move their customers to a hosted cloud solution. CSPs can rapidly create and deploy secure digital workspaces using Citrix Cloud while maintaining the control of sensitive data and resources hosted on-prem or in a chosen cloud.

Citrix DaaS for CSP

For CSPs, the traditional deployment is hosting a Citrix Virtual Apps and Desktops environment on-premises, deployed in the Service Provider’s data center with highly available components. In the Citrix Cloud model for CSP, high availability is built into the management and control plane. The optional access layer lets the Citrix Service Provider focus on the customers’ application data and critical services. This model also allows the Service Provider to quickly add more services hosted by Citrix in the Cloud.

CSP-Image-002

Security and Isolation

The Citrix DaaS Architecture consists of layers that connect to create a complete end-to-end solution for Service Providers. For the general conceptual architecture and to understand how all layers flow together, refer to Citrix Tech Zone.

CSP-Image-003

External Access Security

A multitenant environment is isolated from the internet using a blended approach of complementary technologies such as firewalls, Application Delivery Controllers, packet filtering, intrusion detection and prevention systems, and so forth. Access to a multitenant network from Citrix Cloud is simplified by using the Citrix Cloud Connectors, or a Citrix Application Delivery Controller and Citrix StoreFront combination.

Management Separation

The core network services for a Service Provider are located in a separate partition that allows the hosting of shared services. Depending on the services offered, the components of this partition can include Active Directory Domain Controllers, Backup, Automation Services, DNS, and so forth.

Storage Security

Access to the file repositories of each tenant needs to be separated from other tenants. Isolation can be achieved by using dedicated shared servers that are protected using security partitions or permissions.

Tenant Isolation

Partitioning of the tenants is defined by the level of separation demanded by the customers. Citrix recommends that each tenant be placed into a segregated network using a Software-defined Network (SDN) for their dedicated workloads and complementary services, ensuring adequate security isolation boundaries with managed networks, IP management, and routing.

Multitenant Architecture Models

Citrix Cloud multitenant DaaS enables Service Providers to manage multiple customers from a single instance of Citrix DaaS, with shared multitenant Citrix Web Studio and Director consoles and Role Based Access Control under the partner cloud account. Citrix license management is also centralized for easy allocation.

Multitenancy capabilities provide economies of scale on a single shared infrastructure while providing the required isolation and data protection. Service Providers can make trade-offs about price and features to meet individual tenant requirements.

The tenant isolation in multitenant deployments needs to include appropriate nomenclature to clearly define the objects that are shared or dedicated within the management consoles and control planes. For example {Tenant}-{Location}-{Group}. Multitenant DaaS supports two architecture models:

  1. Shared Resource Location for multiple tenants.
  2. Dedicated resource location per tenant.

Shared Resource Location

CSP-Image-004

[Shared Resource Location, showing an overview of the components that can be shared between tenants under Citrix Service Provider’s cloud account]

In this multitenant architecture model, customers or tenants of the Service Provider share the partner’s Citrix DaaS deployment, the same resource location, and a hosted Active Directory. Each Customer has a dedicated Workspace experience allowing them to customize their workspace configurations, including authentication, branding, and Workspace URL, to align closely with the Customer’s business name and brand.

The advantage of this model is to provide the best economics for hosting a wide range of shared customers using shared infrastructure and management components. Service Providers can elastically scale quickly and incorporate small customers rapidly. Shared resource locations can be on-premises or hosted in a public or private cloud. This option won’t allow for hosting at a customer data center.

It is recommended that the Machine Catalogs managed in a shared resource location are dedicated per tenant and assigned to specific Customer scope. However, it is possible to share machine catalogs of some typical applications for small tenants based on the Service Provider’s discretion. Additional Workspace Authentication considerations must be factored in when sharing Machine Catalogs across tenants. These topics are covered in the Considerations when using a Shared Resource Location section below. The naming convention also extends to objects managed by the Service Provider within the infrastructure. When managing shared Resource Location Delivery Groups, it is highly recommended that they are dedicated per tenant—assigned with correspondingly named Active Directory Security groups via the managing subscribers page on the cloud control plane. Adding individual users to a delivery group is not recommended due to the high administrative overhead and low scalability.

In summary, under the shared resource location model, each Customer has a dedicated workspace experience and delivery groups, but shares:

  • Active Directory
  • Resource location and cloud connectors
  • Citrix DaaS

The advantages of this model are the best economics, easy and fast cloud transition for an existing on-prem multitenant AD environment, and good elasticity and scalability. However, it has limitations for integrating custom environments with complex applications and high compliance requirements.

Dedicated Resource Location

CSP-Image-005

[Dedicated Resource Location, showing the dedicated and shared components between tenants under Citrix Service Providers cloud account]

Compared with the shared resource location model, customers that need more isolation from their hosting provider can use the dedicated resource location model, sharing the Service Provider’s DaaS instance but maintaining their own isolated Active Directory, cloud connectors, and infrastructure resources.

The dedicated Active Directory and infrastructure resources ensure higher customer isolation and security. Sharing the cloud service instance maintains the ease of license allocation and centralized management via the partner control plane, Studio, and Monitor console. This model can be hosted in the Service Provider’s data center, in public or private cloud locations, or in a customer’s data center.

Citrix recommends that the nomenclature used in Citrix Studio conveys information about the workload of each machine catalog. Assign each catalog and delivery group to the specific tenant scope. Similarly named Active Directory Security groups are used, instead of individual users, as the subscribers assigned to the corresponding libraries on the partner cloud portal.

This naming convention is extended to all objects assigned to or managed for the tenant, including but not limited to hosting connections, Active Directory objects, network subnets, and so forth.
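The naming convention and scope assignments described above are only useful if they are actually enforced on the objects the Service Provider manages. The following audit script is an added example, not Citrix code and not part of this reference architecture: it models Studio objects (machine catalogs, delivery groups, hosting connections) together with the customer scopes they are assigned to, parses {Tenant}-{Location}-{Group} names, and flags any object whose name and scope disagree or whose name does not follow the convention. The tenant names, locations, object names, the "Shared" label for deliberately shared catalogs, and the `shared_catalog_allowed` policy switch are all assumptions of the example.

```python
"""Audit of the {Tenant}-{Location}-{Group} naming convention against scope assignments.

Added example, not Citrix code. Tenants, locations and object names are constructed.
"""
import re
from dataclasses import dataclass

# {Tenant}-{Location}-{Group}: three alphanumeric parts joined by single hyphens.
NAME_RE = re.compile(
    r"^(?P<tenant>[A-Za-z0-9]+)-(?P<location>[A-Za-z0-9]+)-(?P<group>[A-Za-z0-9]+)$"
)
# Reserved tenant label (an assumption of this example) for catalogs the Service
# Provider deliberately shares between small tenants.
SHARED_LABEL = "Shared"


@dataclass(frozen=True)
class ManagedObject:
    kind: str          # "catalog", "delivery_group" or "hosting_connection"
    name: str          # name as entered in Studio
    scopes: frozenset  # customer scopes assigned to the object in Studio


def parse_name(name):
    """Split a conforming name into (tenant, location, group); raise on anything else."""
    match = NAME_RE.match(name)
    if not match:
        raise ValueError(f"{name!r} does not follow Tenant-Location-Group")
    return match.group("tenant"), match.group("location"), match.group("group")


def audit(objects, shared_catalog_allowed=False):
    """Return a list of (object name, finding) pairs; an empty list means clean.

    Rules: every name must parse; a catalog named with the shared label is only
    accepted when policy allows shared catalogs; every other object must be
    scoped to exactly the tenant named in its first segment, so delivery groups
    are never shared between customer scopes.
    """
    findings = []
    for obj in objects:
        try:
            tenant, _location, _group = parse_name(obj.name)
        except ValueError as err:
            findings.append((obj.name, str(err)))
            continue
        if obj.kind == "catalog" and tenant == SHARED_LABEL:
            if not shared_catalog_allowed:
                findings.append((obj.name, "shared catalog not permitted by policy"))
            continue
        if obj.scopes != frozenset({tenant}):
            findings.append(
                (obj.name, f"scoped to {sorted(obj.scopes)} but named for tenant {tenant!r}")
            )
    return findings


# Constructed sample inventory: two tenants ("Acme", "Globex") in one shared
# resource location ("DC1").
SAMPLE_INVENTORY = [
    ManagedObject("catalog", "Acme-DC1-Win10", frozenset({"Acme"})),
    ManagedObject("delivery_group", "Acme-DC1-Office", frozenset({"Acme"})),
    ManagedObject("hosting_connection", "Globex-DC1-Hypervisor", frozenset({"Globex"})),
    # delivery group assigned to two customer scopes: never acceptable
    ManagedObject("delivery_group", "Globex-DC1-Office", frozenset({"Globex", "Acme"})),
    # deliberately shared catalog: acceptable only when policy says so
    ManagedObject("catalog", "Shared-DC1-Apps", frozenset({"Acme", "Globex"})),
    # name does not follow the convention at all
    ManagedObject("hosting_connection", "globex_dc1", frozenset({"Globex"})),
    # catalog named for Acme but scoped to Globex: a mis-assignment
    ManagedObject("catalog", "Acme-DC1-Finance", frozenset({"Globex"})),
]


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```

Run against an export of the real inventory, the same rules give a quick pre-onboarding check that no delivery group spans customer scopes and that every shared catalog was shared on purpose rather than by a mis-click in the Scope step.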

The dedicated resource location is typically focused on small to medium customer adoption. In summary, Customers share the CSP’s Citrix DaaS under the dedicated resource location model, but each Customer has dedicated:

  • Workspace experience, resource location, and Active Directory
  • Machine Catalogs and delivery groups
  • Most likely a dedicated subnet/vNet
  • Possibly a dedicated Hosting Connection and a different cloud location

For small customers, it is not the most economical model; however, this architecture model has many advantages:

  • Less administration cost when compared to complete private isolation
  • Centralized management and easy license allocation
  • Supports hybrid and multi-cloud adoption
  • Good flexibility and scalability
  • Balanced approach that suits most common use cases

Private Workspace (Non-Multitenant)

CSP-Image-006

[Private Workspace, showing that the tenant has a fully isolated Workspace and no service instance is shared from the Service Provider’s Cloud account]

Some large enterprise customers need a private Workspace managed by their Citrix Service Provider, for example for complex applications with strict security and compliance requirements. The private Workspace does not share any components with other customers of the same Service Provider. The Customer invites the Service Provider to manage the Cloud environment. This isolation allows flexibility and control for both the Customer and the Service Provider. From the Citrix Service Provider’s perspective, management and control are duplicated, with the complete service instance being dedicated to the Customer.

The design and deployment for this model are the same as for standalone enterprise accounts on Citrix Cloud, except that the Service Provider is invited to connect to and administer these accounts. This was the deployment model before multitenant support became available at the end of 2019. The detailed design, deployment, and best practices of the single tenant private workspace model can be found on Citrix Tech Zone.

Combination of Different Architecture Models

The different architecture models aren’t mutually exclusive. A Service Provider can apply each model or a hybrid architecture under their partner cloud account, or manage a separate Cloud Account for a large Customer. The Service Provider models are developed to be flexible to meet the needs of their customers, offering solutions that provide a return on investment on shared infrastructure or isolation to solve data sovereignty challenges.

CSP-Image-007

[Combined architecture models for customer use cases managed under a single Citrix Service Provider Account]

Workspace Experience and Authentication

Each Customer or tenant has its own Workspace; the authentication method used can vary from tenant to tenant if necessary. There are several identity providers available to the customers of a Citrix Service Provider.

Active Directory

Active Directory is the default identity provider for a CSP offering Citrix DaaS. Users authenticate using Kerberos to a shared or dedicated Active Directory, which allows multiple Customer domains using distinct UPN suffixes.

Customers under a multitenant setup with a dedicated resource location under the partner account can use Active Directory credentials to authenticate users for their Office 365 access once the AD credentials are synced to their Azure AD.

Time-Based One-Time Password

For either single-tenant or multitenant deployments, with or without a token, a secondary authentication factor is supported using the Time-Based One-Time Password standard, such as Citrix Single Sign On (SSO), Google Authenticator, or Microsoft Authenticator.

Azure Active Directory

For customers with private Workspace (Single Tenant), a CSP can connect the Customer’s Azure AD to its Citrix Cloud account and authenticate users to the Workspace.

Citrix Gateway

Citrix DaaS supports, per tenant, the use of an on-premises Citrix ADC Gateway and StoreFront, which enables multiple authentication and authorization functions.

OKTA

Using a Cloud-based identity provider such as OKTA allows CSPs to authenticate Customers by providing a standard sign-in procedure, simplifying the management of multiple authentication points for CSPs.

SAML

Citrix Cloud supports using SAML (Security Assertion Markup Language) as an identity provider to authenticate subscribers signing in to their workspaces. SAML 2.0 interfaces allow the CSP to bring a provider of their choice to connect to the on-premises Active Directory.

Considerations when using a Shared Resource Location

When using a Shared Resource Location between tenants, the tenants share a single Active Directory (AD) deployment. Suppose AD is used as the identity provider for Workspace. In that case, Citrix Cloud directly contacts this shared AD via the CSP’s Citrix Cloud Connector to validate the users’ credentials and establish the User’s identity. When Azure Active Directory (AAD), Citrix Gateway, Okta, or SAML is used as the identity provider, Citrix Cloud trusts the identity providers to validate the User’s credentials and establish the User’s identity.

When a federated identity provider is used, Citrix Cloud won’t allow it to assert an Identity for an AD domain to which the tenant does not have access. Because of this, even if the tenant owns the identity provider integration of the Workspace, it cannot assert the identity of another tenant. The Service Provider controls this by giving tenants access to particular domains, as shown in the Configure Federated Domain for the New Customer section below. Suppose the Service Provider wants to share an AD domain between tenants, for cost or ease of management purposes. In that case, these tenants cannot configure a Federated Identity Provider since the protection offered by Citrix Cloud is at the domain level. Suppose the Service Provider wants to use a Federated Identity Provider for these tenants. In that case, the identity provider must be fully managed by the Service Provider and not by any tenant. Failure to do so might allow a malicious tenant to assert the identity of a user in a different tenant.
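The domain-level protection in the previous two paragraphs is easier to reason about as a small model. The following is an added example, not Citrix code and not a description of how Citrix Cloud is implemented internally: it records which AD domains the Service Provider has granted to each tenant (the Manage Federated Domain step), who manages each tenant's identity provider, and then applies the two rules the text states: an identity asserted for a domain the asserting tenant has no access to is rejected, and a tenant-managed federated IdP is only acceptable when that tenant is the sole tenant on the domain. Tenant names, domains, UPNs and the `"tenant"`/`"csp"` manager labels are constructed for the example.

```python
"""Model of the domain-level check applied to federated identity providers.

Added example, not Citrix code. Tenants, domains and users are constructed samples.
"""


class FederatedDomainPolicy:
    """Tracks which tenants may use which AD domains and who manages each tenant's IdP."""

    def __init__(self):
        self._domain_tenants = {}  # domain (lower-case) -> set of tenant names
        self._idp_manager = {}     # tenant -> "tenant" or "csp"

    def grant_domain(self, tenant, domain):
        """Models the 'Manage Federated Domain' step: give a tenant access to a domain."""
        self._domain_tenants.setdefault(domain.lower(), set()).add(tenant)

    def register_idp(self, tenant, managed_by):
        """Record whether the tenant or the Service Provider manages the tenant's IdP."""
        if managed_by not in ("tenant", "csp"):
            raise ValueError("managed_by must be 'tenant' or 'csp'")
        self._idp_manager[tenant] = managed_by

    def tenants_on(self, domain):
        """All tenants granted access to a domain."""
        return frozenset(self._domain_tenants.get(domain.lower(), set()))

    def federated_idp_permitted(self, tenant, domain):
        """A tenant-managed IdP is only acceptable when the tenant is alone on the
        domain; a CSP-managed IdP may serve a domain shared between tenants."""
        sharers = self.tenants_on(domain)
        if tenant not in sharers:
            return False
        if self._idp_manager.get(tenant) == "tenant" and len(sharers) > 1:
            return False
        return True

    def check_assertion(self, asserting_tenant, upn):
        """Return (accepted, reason) for an identity asserted by a tenant's IdP.

        Credential validation is trusted to the IdP; the only check modelled here
        is that the asserted UPN's domain is one the asserting tenant has access to.
        """
        user, sep, domain = upn.rpartition("@")
        if not sep or not user or not domain:
            return False, "malformed UPN"
        if asserting_tenant not in self.tenants_on(domain):
            return False, f"tenant {asserting_tenant!r} has no access to domain {domain!r}"
        return True, f"{user}@{domain.lower()} accepted for tenant {asserting_tenant!r}"


def sample_policy():
    """Constructed setup: two dedicated domains plus one domain shared by two tenants."""
    policy = FederatedDomainPolicy()
    policy.grant_domain("Acme", "acme.example")
    policy.grant_domain("Globex", "globex.example")
    policy.grant_domain("Initech", "shared.example")
    policy.grant_domain("Umbrella", "shared.example")
    policy.register_idp("Acme", "tenant")      # dedicated domain, tenant-owned IdP: fine
    policy.register_idp("Initech", "tenant")   # shared domain, tenant-owned IdP: not permitted
    policy.register_idp("Umbrella", "csp")     # shared domain, CSP-owned IdP: permitted
    return policy


if __name__ == "__main__":
    policy = sample_policy()
    print(policy.check_assertion("Acme", "alice@acme.example"))
    print(policy.check_assertion("Acme", "bob@globex.example"))  # cross-tenant: rejected
    print(policy.federated_idp_permitted("Initech", "shared.example"))
    print(policy.federated_idp_permitted("Umbrella", "shared.example"))
```

The second rule is the one that matters operationally: because the protection is per domain, putting two tenants on one AD domain and letting either of them own the federated IdP leaves the other tenant's identities assertable, which is exactly the situation the text says to avoid by keeping the IdP Service Provider managed.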

Cloud Federated Authentication Service

The FAS service enables customers to connect their on-premises FAS deployment to the Service Provider account in Citrix Cloud. It allows end-users to achieve Single Sign On (SSO) to Citrix DaaS resources using a federated identity provider in Workspace such as Azure Active Directory or OKTA.

The Federated Authentication Service (FAS) is only currently supported on the Service Providers cloud account. Currently, it is not supported with the Federated Domain option for CSPs, which allows customers to use their workspace configuration.

Deployment Considerations

The Citrix Service Providers Cloud model allows for various deployment options suited to the needs of the Service Providers’ customers for a wide range of public clouds and hypervisors. Service Providers and their Customers can combine these deployment options to provide hybrid cloud migration or multi-cloud adoptions.

CSP-Image-008

[Combined deployment options for tenants managed under a single Citrix Service Provider Account]

When ordering Citrix DaaS from your chosen distributor, it is essential to consider the diverse customer base managed by the Service Provider via Citrix Cloud. If the Customer has an existing Citrix DaaS entitlement, they cannot be invited to participate as a tenant under the Citrix Service Provider’s service instance. However, they can be invited to connect and subsequently be managed by the CSP. Other customers without an existing service instance can be invited or added to the Citrix Service Provider’s instance in either a Shared or Dedicated Resource Location.

Concerning the architecture models, there are two SKUs available to CSPs:

Single Tenant SKU – The existing SKU that the Citrix Service Provider orders for their Customer; the entitlement and service instance are allocated on the Customer’s Cloud Account. This SKU maps to the single tenant private workspace model.

Multitenant SKU – The new SKU with entitlement is only delivered to the Citrix Service Provider Partner account, which allows managing and distributing licenses between multiple customers.

Data centers

Some Service Providers have invested in long-term infrastructure and compute to host services or meet stringent compliance requirements. To use these existing resources, the suitable option is to deploy the Resource Location in the Citrix Service Provider’s data center.

Citrix DaaS supports the leading hypervisors available, including integration with Machine Creation Services and Provisioning Services, automating the delivery and operation of the compute resources.

Service Providers typically offer a tiered storage option to their customers to ensure that there is distributed performance to allow for their current offering and future expansion.

Microsoft Azure

Many of our Citrix Service Providers are also Microsoft Cloud Solution Providers. Azure is a public cloud option from Microsoft for Service Providers looking to host workloads flexibly and elastically. Citrix DaaS has built-in support for Azure capabilities allowing for Machine Creation Services Integration. Citrix Autoscale proactively manages the workloads to balance the costs and service levels demanded by the Customer. Any unused workloads would be reduced during off-peak hours and increased before peak hours.

Service Providers host their customers in Azure Resource Groups, collections of assets (for example, virtual networks, Virtual Machines, and Storage accounts) in logical allocations for easy automatic provisioning, monitoring, and access control. Dedicated or shared resources are divided into separate Azure virtual networks; typically, access is controlled by the Cloud Connectors linking the Azure resources to Citrix Cloud. For more recommendations about Citrix DaaS on Azure, see:

Microsoft Azure

AWS

AWS is another public hosting option for Citrix Service Providers looking to host workloads in a flexible and controllable environment, using an operations cost model to grow their business according to customer demand. Citrix DaaS has built-in AWS capabilities allowing for Machine Creation Services integration for on-demand provisioning, with Citrix Autoscale proactively managing the workloads to balance the Customer’s cost and service levels. Any unused workloads would be reduced during off-peak hours and increased before peak hours.

An Availability Group is a collection of assets in the Amazon Elastic Compute Cloud (for example, virtual networks, Virtual Machines, and Storage accounts) in logical groups for easy or even automatic provisioning, monitoring, and access control. Resource Groups in EC2 are used for grouping related resources that belong to a Citrix Virtual Apps and Desktops deployment, as they share a unified resource.

The Virtual Machines used for Citrix Virtual Apps and Desktops workloads in EC2 are typically T-type machines. These Virtual Machines have the best balance of CPU and memory for Citrix Service Providers, scaling up and down by using Autoscale to accommodate customer requirements and control costs. Any unused workloads would be reduced during off-peak hours and increased before peak hours.

For more details regarding Citrix Virtual Apps and Desktops on AWS, see:

AWS

Google Cloud

The Google Public Cloud offering for Citrix DaaS allows Service Providers to provision and manage machines within a Project on the Google Cloud Platform (GCP), using Machine Creation Services (MCS) to provision workloads and enable lifecycle image management.

The automated provisioning for GCP works with Citrix Autoscale to scale these workloads up and down on demand. At least one Project is needed to run Citrix DaaS, with the Compute Engine API and the Cloud Resource Manager API enabled. Access is controlled via a GCP Service Account, which can be shared between multiple GCP Projects and is used by MCS to power manage the virtual machines.

For details on setting up a Citrix DaaS resource location on GCP, see:

Google Cloud

Deployment Steps

Onboard a Customer

Customer Dashboard

To add a new customer or invite an existing customer to be managed by the Citrix Service Provider, the onboarding process is the same for both multitenant and single-tenant customers.

To reduce account sprawl and centralize customer management, the CSP Team recommends that the Add Customer option is used within the Service Provider’s account using a service account. This option reduces the number of administrator accounts used when setting up separate customer cloud accounts, allowing for continual service management when administrators leave the CSP organization.

Add a new Customer

On the Citrix Cloud Dashboard page, select Customers.

CSP-Image-009

The Customer Dashboard displays a list of the Citrix Service Provider’s managed tenants. To add a new Customer, select Invite or Add:

CSP-Image-010

Select Add and Continue.

CSP-Image-011

Complete the onboarding information for the Customer; make sure the email address used here is unique and has not been used for any other Citrix Cloud accounts:

CSP-Image-012

This creates a new Customer with a unique Organization ID (Org ID).

Invite a Customer

To invite an existing Citrix Cloud Customer to be managed by the Citrix Service Provider, select the Invite option.

CSP-Image-013

Select Invite and Continue.

CSP-Image-014

Copy the Invite Link and email it to the Administrator of the Customer you would like to invite.

Enable Citrix DaaS to a New Customer

After a new customer is onboarded or an existing customer accepts the invite, the Citrix Service Provider can enable services to that Customer (tenant).

Enable Single Tenant (private) Citrix DaaS

A new customer in a private workspace receives a single tenant service; that is, the Customer has their own instance of Citrix DaaS. The CSP needs to make a $0 order via its distributor and “ship to” the Customer’s Citrix Cloud account.

Once the single tenant service instance is enabled for the Customer (stocking order fulfilled), the “Manage” option appears inside the Citrix DaaS tile. By selecting the “Manage” option, the Customer’s instance of Studio loads.

Enable Multitenant Citrix DaaS

Assuming the CSP partner already has the multitenant Citrix DaaS entitlement fulfilled (otherwise, it is enabled via a $0 stocking order from the distributor), follow these steps to add a new customer to be managed under the CSP’s multitenant service:

  1. In the Citrix Cloud Dashboard page, select Customers.
  2. On the Customer Dashboard, locate the Customer you want to add services to, select the three-dot button, and select Add Services.

CSP-Image-016

  3. Select “Continue” next to Citrix DaaS.

CSP-Image-017

Once the “add service” process is completed (it can take a few minutes), the “Manage” option appears inside the DaaS tile within the tenant’s cloud account. However, when selecting the “Manage” option, the “This instance of the Citrix DaaS is managed by your Citrix Service Provider” message is displayed.

CSP-Image-018

Configure Multitenant Citrix DaaS for the New Customer

This document focuses on the deployment configurations of multitenant architecture models. For single-tenant Citrix DaaS, refer to:

Citrix DaaS

The following multitenant deployment section uses a hybrid cloud solution as an example, running workloads in an on-premises data center.

Deploy a New Resource Location

The resource location and the Active Directory domain have a 1:1 relationship.

Dedicated Resource Location

When onboarding a new tenant, a new Active Directory, resource location, and a pair of cloud connectors need to be configured for the tenant.

Shared Resource Location

The resource location, Active Directory, and cloud connectors only need to be set up when the first tenant of the resource location is onboarded. Subsequent tenants share the setup except for the actual resources to be consumed (for example, AD OUs and VDAs). The Service Provider is responsible for partitioning each tenant’s Active Directory and resources with secure isolation.

Process

When connected to the Citrix Cloud console, select Resource Locations (Edit or Add New).

CSP-Image-019

Select Add Resource Location and name the resource location according to the multitenant nomenclature. To add the Cloud Connectors, download and install the Cloud Connector on at least two dedicated servers. For detailed steps, follow

How to install Citrix Cloud Connector

You can view the Active Directory Domain and Cloud Connectors after deployment.

CSP-Image-020

Define Hosting Connection

Since each resource location can be deployed in a different cloud infrastructure, for example Azure, GCP, AWS, or an on-premises hypervisor, a new Hosting Connection to the resources needs to be defined for the new resource location. Navigate to the hamburger menu at the top left of the page and choose Citrix Virtual Apps and Desktops.

CSP-Image-021

Select Manage Service; Citrix Studio loads. Select Hosting from the left-hand Studio menu.

CSP-Image-022

Select Add Connection or Resource from the Action pane. Select Create a new Connection, choose the Connection type, enter the credentials and address for the connection, and name the connection using the correct nomenclature.

CSP-Image-022

Select the storage location for the Resources.

Select the Network Associated with the new Customer.

CSP-Image-024

Select the Scope of the recently onboarded Customer, review the hosting connection, and choose Finish.

CSP-Image-025

Configure Machine Catalogs for the New Customer

On the CSP partner’s Citrix Cloud portal page, navigate to Citrix DaaS and select Manage Service.

From the Citrix Studio, select Machine Catalogs, and Create Machine Catalogs from the Action Pane.

In this example, we are using machines created with Machine Creation Services, hosted on a hypervisor in the data center that can control the power state. Select the appropriate Resource Location (Shared, Single, and so forth) for the corresponding Customer, assign the Machine Catalog, and select Next.

CSP-Image-026

Add the machines from the corresponding Active Directory and Zone for the Customer. Enter the name of the machine(s) and select OK. Confirm the Zone and the minimum functional level of the VDA installed on the machines to be added. Shown is a VDA from version 1811 or newer; select Next.

CSP-Image-027

Choose the Scope of the new Customer, and select Next.

CSP-Image-028

Since machine catalogs are created for specific customer scopes, a predefined naming convention is necessary for a multitenant deployment. The Machines appear in the Machine Catalog list.

CSP-Image-029

Use the View Machines Search option to confirm the registration status of the new Machine Catalog.

CSP-Image-030

CSP-Image-031

Create Delivery Groups for the New Customer

Select Delivery Group from the Citrix Studio, and Create Delivery Group from the Action Pane. Read the Getting Started information and select Next. Select a relevant Machine Catalog assigned with the Customer’s Scope, and select Next.

CSP-Image-032

The recommendation is to leave the management of Users to Citrix Cloud and select Next.

Select Add Applications from a source; usually this is the Start menu if the application appears on the corresponding VDA. All applications selected appear under the same delivery group and are available as Libraries to all subscribers later added via the Citrix Cloud portal. Separate delivery groups can be created for applications and user groups that need restricted access.

Under the multitenant deployment, delivery groups can contain applications with the same name for different tenants. To avoid confusion and clearly define the ownership of these applications, the recommendation is to update the application naming to be tenant-specific, as shown in the example below. The application name shown to the User can remain unchanged.

CSP-Image-033

CSP-Image-034

Assign the Scope of the Customer to the delivery group, and select Next.

CSP-Image-035

A delivery group is only assigned to a specific customer scope to isolate customers in a multitenant setup securely. Different customer scopes do not share delivery groups. The predefined naming convention for delivery groups is also necessary for a multitenant deployment.

Configure Federated Domain for the New Customer

Even though the nomenclature is similar, the CSP Domain Federation is not the same as the Federated Authentication Service (FAS).

This step is not required for large customers under the single tenant (private Workspace) architecture model. Domains and resource locations are configured directly within the Customer’s cloud account.

For a new customer to be managed under the partner's multitenant Citrix DaaS deployment while maintaining its own workspace experience, the Customer must be federated to the Domain configured under the partner account; this is what enables the Customer's Gateway URL. Within the partner's Citrix Cloud account, select the Customer's domain from the Domains tab of the Identity and Access Management page, and select Manage Federated Domain.

CSP-Image-036

Select one or more customers to be added to the Domain, allowing each tenant to use its own customized Workspace Configuration.

CSP-Image-037

Note: The Federated Domain for multitenant Citrix DaaS is for workspace configuration only. It is not integrated with ADFS or the Citrix Federated Authentication Service.

Subscribe Customer User Groups to Offerings

Under the Single Tenant architecture model, where each Customer has its own service instance, managing subscribers to libraries is done directly within the Customer's cloud account. For details, refer to the online document:

Assign users and groups to service offerings using Library

Under multitenant architecture models, subscribing user groups to libraries is done inside the CSP partner’s Citrix Cloud account. The preferred method is assigning well-named Active Directory groups to the library resources for easy administration and scalability.

Add users to a published application or desktop offering from either a Shared or a Dedicated resource location of the multitenant service. Locate the Library Offerings tile on the Citrix Cloud home page and select View Library. Search for or find the resource you want to add users to, open its three-dot menu and select Manage Subscribers, choose the Customer's domain from the list of managed domains, and then add the group.

CSP-Image-038

Configure Tenant Workspace

CSP multitenant Citrix DaaS allows each tenant to maintain its own Workspace Experience. To change the Workspace for a customer from the Citrix Cloud Dashboard page, select Customers and View Details. Select a customer and expand it using the arrow. Select View Customer Details.

CSP-Image-039

Select Access Customer Account (there is also an alternative way to access the Customer's account via Change Customer).

CSP-Image-040

Confirm that you are leaving the Citrix Service Provider’s Account to enter the Customer Account and select Continue.

After entering the tenant's Citrix Cloud account, navigate to the hamburger menu and choose Workspace Configuration:

CSP-Image-041

Access URL

Under the Access tab, the Customer's Gateway URL can be customized. Edit the URL and select Save.

CSP-Image-042

Authentication

In the Authentication tab, specify the Authentication method for the Customer:

CSP-Image-043

If Active Directory Authentication is used and the tenant is configured within a shared resource location (for example, the tenant's user accounts and groups reside within an OU of the hosted multitenant Active Directory), the users' UPN suffix, which is usually the Customer's domain, differs from the AD system domain: in the example below, the customer domain is selwfashion.nz while the hosting AD system domain is cms.azr. The users' UPN domain is recognized and authenticated through the custom Workspace URL, so the UPN suffix must be added to the hosting Active Directory at the root level.
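The root-level UPN suffix registration and the per-user UPN change described above, as an added example that is not part of the Citrix document. It uses the ActiveDirectory module on a domain controller of the hosting AD, takes the domain names from the text, and assumes a tenant OU path of `OU=SelwFashion,OU=Tenants,DC=cms,DC=azr` (an assumed layout).

```powershell
# Added example (not from the Citrix document): register a tenant's UPN suffix
# at the forest root of the hosting Active Directory, set it on the users in
# the tenant's OU, then audit that no enabled user in that OU still carries a
# different suffix. Assumes the ActiveDirectory module and sufficient rights.
# Domain names come from the document; the OU path is an assumed layout.
Import-Module ActiveDirectory

$TenantUpnSuffix = 'selwfashion.nz'                            # customer domain
$TenantOU        = 'OU=SelwFashion,OU=Tenants,DC=cms,DC=azr'   # assumed OU in cms.azr

# 1. Add the suffix at the forest (root) level if it is not already present.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $TenantUpnSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $TenantUpnSuffix }
}

# 2. Give every enabled user in the tenant OU a UPN of <sAMAccountName>@<suffix>,
#    leaving users that already carry the tenant suffix untouched.
Get-ADUser -SearchBase $TenantOU -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$TenantUpnSuffix" } |
    ForEach-Object {
        Set-ADUser -Identity $_ -UserPrincipalName "$($_.SamAccountName)@$TenantUpnSuffix"
    }

# 3. Audit: a user left on the system-domain suffix (cms.azr) would not be
#    recognized through the tenant's custom Workspace URL, so report any.
function Get-UpnSuffixMismatch {
    param([string]$SearchBase, [string]$ExpectedSuffix)
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName -notlike "*@$ExpectedSuffix" } |
        Select-Object SamAccountName, UserPrincipalName, DistinguishedName
}
$mismatches = Get-UpnSuffixMismatch -SearchBase $TenantOU -ExpectedSuffix $TenantUpnSuffix
if ($mismatches) { $mismatches | Format-Table -AutoSize }
else { "All enabled users in $TenantOU use @$TenantUpnSuffix" }
```

The audit function is the part worth scheduling: accounts created later in the tenant OU without the suffix are the usual cause of sign-in failures at the custom Workspace URL.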

CSP-Image-044

Appearance

Customized branding and appearance often help the end-user experience. From the Customize tab, configure the customer logo and preferences.

CSP-Image-045

User Login to Workspace

When a customer's users log in to the Workspace via the customized URL, for example https://selwfashion.cloud.com, they use the same UPN and password (for example, the email address and password that match their Office 365 accounts).

CSP-Image-046

After logging on, the User’s Workspace would look similar to the following:

CSP-Image-047

Performance and Monitoring

Citrix DaaS allows Citrix Service Providers to control and monitor the workloads centrally in the Cloud Console. Lowering management cost and administration effort enables the operations team to deliver greater uptime.

Director

Citrix Service Provider admins can manage their multitenant Shared and Dedicated Resource Location Customers using a single Monitoring console. The CSP admin can choose to view an overview of all resources or drill down to a specific Customer. The Service Provider can also set Role Based Access Control permissions to limit its team to managing a particular customer scope or performing a subset of functions.

CSP-Image-048

CSP-Image-049

For single tenants with a private Workspace and their own instance of Citrix DaaS, the Monitoring console is dedicated to that tenant. A Citrix Service Provider with administrator rights logs into the Customer's cloud account to access and manage through this console.

Citrix Analytics Service

The Analytics service included in the Citrix Service Provider's Workspace collects data across the hosting network, users, files, and endpoints. A Service Provider can centrally manage the insights to handle security threats, monitor service performance, and optimize and improve its offering.

CSP-Image-050

License Usage

Citrix Service Providers can gain insight into the number of User Licenses assigned against their total commitment amount within the "Licensing" page of Citrix Cloud.

When the Citrix Service Provider-specific entitlement is provisioned, the licensing rules on the page are aligned with the program rules. Service Providers can expect "Assigned" license counts to reset monthly and overage amounts to be highlighted separately from the committed amount. Refer to the numbered items in the image for the relevant detail about the experience.

  1. Provides the “Assigned” license count across all tenants and the total commitment amount. This “Assigned” resets every month.
  2. A graphical representation of the monthly assigned licenses across all tenants against the commitment amount.
  3. The ability to export the current month’s detailed list of users listed in item 4.
  4. The detailed list of users with an assigned license in the current month. This list makes up the total "Assigned" count. More insight is provided on the first time that a license is assigned.

CSP-Image-051

Sources

The goal of this reference architecture is to assist you with planning your implementation. To make this job easier, we would like to provide you with source diagrams that you can adapt to your detailed designs and implementation guides: Source Diagrams

References

Resource Location

Identity and Access Management

Library Offerings and User Assignment

Cloud Connector Internet Connectivity Requirements

Cloud Connector Secure Deployment

Citrix FAS

Citrix Gateway Service

Virtual Delivery Agent

Hosting Connections
