I recently received an interesting request for my “expertise” (their word, not mine). The ask itself was straightforward: help organizations with employees in Ukraine get back online after reaching safety. I feel very fortunate to even be in a place to offer any help or assistance.

The ask wasn’t that simple, though. “Employees” in this case also included contractors. (Ukraine is a large supplier of contract labor.) And “online” really meant providing secure, remote access to corporate apps and data. After thinking about all the other variables the situation introduced, I realized this wasn’t going to be a typical solutioning exercise.

Of course, I jumped at the chance to help. I couldn’t sleep for two days as I ran scenarios and brainstormed potential solutions. There was only one other time in my 18-year career at Citrix where I felt the same way I do right now — when the pandemic hit. I was asked in early 2020 about the best way to get several million new WFH users productive on Citrix overnight. One customer asked if we could deploy Citrix to a large field hospital over a weekend. This request was similar in nature but, at the same time, very different — speed and simplicity were going to be key, but the solutions ended up being pretty different.

I wanted to share a few of the solutions I came up with for our customers with Ukraine-based workers. Before I share them, it’s important to cover key requirements or conditions:

  • Some end users are employees, and some are contractors. That means both managed and unmanaged devices.
  • Quite a few end users are developers, which means horsepower and Linux are required.
  • The end users are in Ukraine (often in a different city from their “home base”) or are now in a different country, such as Poland.
  • There are varying degrees of network connectivity. Some people have solid internet in larger cities in Western Ukraine (or outside the country, in cities like Warsaw, for example) and others have intermittent connectivity in Ukraine (some have even started experimenting with Starlink).
  • Some organizations have existing Citrix footprints and some don’t. Likewise, some organizations have existing public cloud footprints and landing zones and some don’t. For the purposes of this post, I’ll be talking about Azure and using their nomenclature.
  • Time is of the essence and simplicity is key. Cost is secondary.

With these things in mind, here are three solutions I recommended, in this order:

  • Existing Remote Connectivity and Persistent VDI via Public Cloud: This is really the first option due to its immediate availability and ease of implementation. It essentially involves leveraging the existing VPN (or Azure ExpressRoute, etc.) and spinning up Linux or Windows-based VMs in the closest region. In the case of Azure or AWS, this meant leveraging regions in Germany (Google Cloud has a great option available in Poland). With pay-as-you-go and being able to access critical data from a file sharing solution like OneDrive, users can get quick, secure access to the resources they need. A couple notes about this option — the solution involves no Citrix technology or components. And I delivered a presentation about five years ago saying persistent desktops are a terrible idea. You can check out that presentation here if you want some context, but the gist was that persistent VDI can become a bit of a nightmare to manage long-term and true HA is almost impossible. But given the circumstances, it’s absolutely the easiest and quickest way to get up and running in a matter of hours. An elegant non-persistent VDI solution can take a year or longer to deploy.
  • Citrix Virtual Apps and Desktops Standard for Azure: This is the next solution I kept circling in my notebook, and it’s essentially Citrix’s DaaS offering on Azure. Why does it make sense in this case? It’s easy to purchase through the Azure Marketplace and you can buy different bundles with consolidated billing at a low monthly price (e.g., 200 desktops for $13/month/user). It’s also flexible in that you can use your existing Azure subscription or Citrix can provide it and manage it for you (and then we can leverage Azure virtual network peering for connectivity back to the corporate network). With this solution (and this is the main reason I considered it over Windows 365 Cloud PC), you can also provision Windows and Linux desktops to cover both contractors and employees with different requirements. And while this solution might be slightly more expensive than the first option, it has its benefits. We make Citrix clients for almost any device, including mobile phones, tablets, and Chromebooks, and our ICA protocol really shines when you have high-latency network connections (which comes in handy when you might only have Starlink or your people are in a more remote area). We also have pre-built images that can save precious cycles in terms of provisioning.
  • Citrix Gateway and Remote PC Access: This was our go-to solution when the pandemic hit, and while the circumstances are certainly different, there were a couple scenarios where employees left work devices somewhere and they fortunately still had connectivity. But this solution entails installing our Remote PC Access agent on the connected device, which enables it to become the VDI machine itself. You can use an existing VPN or our cloud-hosted Citrix Gateway service with about 25 PoPs to authenticate and connect to your VDI machine remotely and securely. This is how many of our customers were able to work from home almost overnight when the pandemic hit. They left their devices in the office, we installed Remote PC Access agents on all of them via automated tools, and then we told employees to hit a URL and connect to their work computers. All their apps and data are available and they can again use any device they have handy (tablet, Chromebook, etc.). Please note, if an organization has an existing Citrix ADC footprint and needs more scalability, you can leverage a multi-tiered VPX architecture. We did this a lot when the pandemic hit to provide almost instant scale-out capacity.

Before you get started down any of these paths, you need to get corporate data off local devices and transfer critical data to a public cloud via any means possible. But this exercise made me realize you really must keep the requirements at the forefront when designing a solution. While many solutions we have in our toolkit are more scalable than the three I covered above, they require more time than most organizations have to deploy or require more infrastructure and complexity than necessary. This is also one of those situations where perfect is the enemy of good — we all agreed that speed and simplicity were the driving factors, so this is where we landed.

Finally, time is such a luxury, and we’re often too rigid as architects. Most of the projects in my career have been around advising very large global organizations with often idealistic, long-term goals in mind. And we do most projects “by the book,” using a formal methodology, and time is rarely a constraint.

The COVID-19 pandemic or the situation in Ukraine can really remind us to be a little more flexible and to always remember that “there are best practices and then there’s reality” (as I’ve said in the past, even correcting my own “best practices” time and time again). To put this in perspective, before the pandemic hit, I had only deployed Remote PC Access for one customer in 15 years. We deployed it about 100 times in a two-month window in early 2020. Before this crisis in Ukraine, I would not have recommended persistent VDI to a customer. Never. And in total transparency, this was the first time I’ve designed or deployed Citrix Virtual Apps and Desktops Standard for Azure. That might come as a surprise to some, but it just reinforces that it’s important to remember your requirements, remain flexible, and not be afraid to take the road less traveled.