“Do we have a place where we can go through these questions and answers after this call?”
You asked, and we delivered!
We recently hosted our very first ACE (Ask the Cloud Experts) meetup. This monthly series is designed to provide a channel to connect with Citrix experts to help answer your Citrix Cloud questions. In our first-ever session, we covered Cloud Connectors.
As promised, we have gathered all the questions you asked (and their corresponding answers), in case you missed the event or just an answer. There were a lot of questions, so we’re posting half today and half tomorrow (check out Part 2 here).
How many Cloud Connectors do we need in our environment?
The number of Cloud Connectors is similar to the number of on-premises Delivery Controllers. For redundancy purposes, you want to have at least two per resource location. And especially if you want to take advantage of Local Host Cache (LHC), you want to make sure that you have them sized appropriately. It is also important to know that although there’s a minimum number, there is no limit on the number of Cloud Connectors you can have. So if you have 15-20 resource locations, having two or three Cloud Connectors per location is fine.
Does the Microsoft Active Directory Analytics integration require Cloud Connectors?
Yes. You need a communication channel between your environment and Citrix Cloud. The Cloud Connector components will function as such and enable Citrix Analytics to gather the data pertaining to your Active Directory users.
Can the PowerShell SDK be installed on a Cloud Connector?
There are two places where you never want to install the PowerShell SDK: your Cloud Connectors and your on-premises Delivery Controllers. If you do this, in both scenarios, PowerShell will no longer work as expected and will keep prompting you for Cloud credentials. You will have to recreate the machine to fix this.
How should we size a Cloud Connector?
We size Cloud Connectors the same way we size Delivery Controllers. We generally start with four vCPUs and 8 GB of RAM. We have noticed this seems to be an optimal starting point for sizing your Cloud Connectors. If you have on-premises hypervisors, you want to make sure you specify single socket, four-core to take advantage of Local Host Cache (LHC), because this only uses a single socket.
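The following is an added example, not Citrix code: a PowerShell check, run locally on a Cloud Connector VM, that compares the machine with the starting size given in the answer above. The function name `Test-ConnectorSizing`, its parameters, and the 0.5 GB memory tolerance are assumptions made for this illustration.

```powershell
# Added example: compares this machine with the starting size quoted above
# (four vCPUs, 8 GB of RAM, a single socket with four cores).
function Test-ConnectorSizing {
    param(
        [int]$MinLogicalProcessors = 4,   # "four vCPUs" from the answer above
        [int]$MinMemoryGB = 8,            # "8 GB of RAM" from the answer above
        [int]$ExpectedSockets = 1         # "single socket, four-core"
    )

    # Win32_Processor returns one instance per CPU socket presented to the guest.
    $cpus    = @(Get-CimInstance -ClassName Win32_Processor)
    $sockets = $cpus.Count
    $cores   = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
    $logical = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum

    # TotalPhysicalMemory is reported in bytes.
    $system   = Get-CimInstance -ClassName Win32_ComputerSystem
    $memoryGB = [math]::Round($system.TotalPhysicalMemory / 1GB, 1)

    $findings = @()
    if ($logical -lt $MinLogicalProcessors) {
        $findings += "Only $logical logical processors; starting size is $MinLogicalProcessors."
    }
    # Assumption: allow 0.5 GB of slack, since guests often see slightly less
    # memory than the amount assigned by the hypervisor.
    if ($memoryGB -lt ($MinMemoryGB - 0.5)) {
        $findings += "Only $memoryGB GB of RAM; starting size is $MinMemoryGB GB."
    }
    if ($sockets -ne $ExpectedSockets) {
        $findings += "$sockets sockets presented; LHC uses a single socket, so present the cores on one socket."
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Sockets           = $sockets
        Cores             = $cores
        LogicalProcessors = $logical
        MemoryGB          = $memoryGB
        MeetsStartingSize = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

Test-ConnectorSizing | Format-List
```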
Are cross-forest logons supported here? For example, I am a member of a group in forest2.local but I log into forest1.local.
That functionality is not supported today. What we can do in a limited fashion involves having a cross-forest trust in place. If the forests are completely independent, this is not supported.
Please explain the communication flow and where the Cloud Connectors take part in that flow.
The Cloud Connectors are the communication liaison between the Citrix Cloud control plane hosted by Citrix and your resource location, whether this is a public-cloud provider or an on-premises hypervisor. The Cloud Connector is the middleman between these two locations. This communication is secured over SSL, and it is outbound.
When installing Cloud Connectors, there is a prompt to input your username and password. Will I lose Cloud Connector connectivity if that account password changes later?
The Cloud Connector will not stop working if the logon changes. These credentials are not stored but are exchanged for a hash/token that continues to be used on that connector and across its services.
One of our Cloud Connectors shows as down in the Cloud portal after maintenance. We realized we didn’t have the antivirus exclusions on this machine and have since fixed that, but it still shows as down. How do we make it go online again?
You need to uninstall the Cloud Connector software, remove the faulty Cloud Connector machine from the resource location, and then reinstall the Cloud Connector. It should go back online after that.
We have an on-premises hypervisor and Microsoft Azure. We also have a VPN that connects the MS Azure environment to the on-premises environment. Per the recommendations, two Cloud Connectors were added on the hypervisor on-premises and two in Azure, and now there are four Cloud Connectors. However, under the cloud portal, when we go to the resource locations, all of the connectors seem to be contained within there. Why did this happen, and would it affect anything if I keep it this way?
When your environment is interconnected like that, it’s expected to see everything under the same resource location. However, we want to have separate locations for each hypervisor or public-cloud provider to be able to leverage zone-related features such as users or application assignment to specific zones. Also, for MCS purposes, you want to have connectors in each geographical zone that contains VDAs.
To fix this, you can remove the two Cloud Connectors that don’t belong in there, create a new resource location (you can name it after your hosting method to avoid confusion), then reinstall the Cloud Connector software on these machines to add them to the new resource location.
For Citrix Access Control, why is there a need for a Gateway connector if we already have Cloud Connectors? What’s the difference between these connectors?
Both connector types have their own purposes. The Gateway connector is in tech preview right now. It is a different type of appliance and is required to deliver web applications through Citrix Access Control for domain-based single sign-on to web applications. You can think of this Gateway connector as a simplified version of a Citrix ADC. The Cloud Connectors, on the other hand, are required to establish a communication channel between your on-premises environment and Citrix Cloud, regardless of whether you use Access Control.
Is EDT support coming in the near future for Citrix Cloud or is it on Citrix’s radar?
EDT is supported with on-premises ADC on your resource locations. There are plans to support this with the cloud-hosted services, but we don’t have a timeline for this.
For the session-launch scalability in the presentation, was the gateway service utilized?
There were actually a couple of tests run. One of them did have an on-premises StoreFront, which requires the Citrix ADC to be in the test environment, as well. We did have a session launch with the Workspace service, too, although I don’t think this was published in the actual presentation.
Can you explain how the access for internal users with Citrix VAVD Services works (specifically speaking through the Cloud Connectors)?
It really depends on whether your StoreFront is in your own resource location or you’re using the Citrix Workspace service. If you’re using StoreFront on premises and if your users are accessing your store via the Base URL, those will be treated as internal. If you’re using the Citrix Workspace service, the connection will be treated as external.
Is there any way to force an update window (i.e. only update Cloud Connectors between a certain time of the day)?
This feature is not yet available, but it’s on the roadmap. There’s a tech preview going on for this feature at the moment, so this will be coming out once it’s been tested.
Is there a plan to support the Cloud Connector on Windows Core or is there any date when this might be supported?
We currently don’t have any plans to support it on Core. However, we’re currently testing to support it on 2019.
Is there a matrix that displays when you should be using Citrix ADC/StoreFront on-premises instead of Gateway service/Workspace?
We are developing a reference architecture portal for customers with lots of recommendations around Citrix Cloud in general. This matrix does not exist today, but we’ll add this as one of the items we can include in this portal. From a general perspective, the reasons we recommend on-premises vs. cloud are constantly changing because of all of the advancements we make to the services. But an updated matrix that can help and guide customers through making this decision process simpler is a great idea. In the meantime, please leverage your Customer Success Manager and/or Citrix Consulting Services if you require guidance on specific design decisions.
Is there a plan to make the Cloud Connectors more robust and have them be truly an active/active HA pair?
Please be on the lookout around Citrix Synergy time for new announcements in terms of new features and other important items. From a general roadmap perspective, it’s safe to say that Citrix Cloud is always evolving.
Remember that as part of your Cloud subscription, you will be assigned a dedicated Customer Success Manager. Make sure to leverage them if you need any additional information, want to join a tech-preview, or have specific or follow-up questions. Don’t forget to join our ACE meetups the second Tuesday of each month at 9 a.m. ET for a new cloud topic.
Thanks for reading, and check out Part 2 of our Q&A tomorrow!