The Defense Logistics Agency and Citrix implemented a strong foundation for an on-premises VDI to Microsoft Azure Government transition
The scope of the U.S. Defense Logistics Agency (DLA) is massive. Imagine empowering the personnel who manage a global supply chain that handles everything from raw materials to end users to disposition. Factor in substantial internal customers, including the Army, Marine Corps, Navy, Air Force, Space Force, Coast Guard, 11 combatant commands, other federal agencies, and partner and allied nations. Then envision support for first responders and emergency personnel that manage natural disasters such as wildfires, hurricanes, and earthquakes. It takes a strong technology backbone to empower this widespread logistics team with access to applications and data from anywhere at any time. That’s exactly what the heavily used internal and external remote access Enterprise VDI environment does.
Initially, the DLA’s infrastructure of datacenters was as massive as its mission. The agency had eight or nine disparate datacenter locations. DLA quickly realized that this design would not provide a smooth migration to the cloud, which was DLA’s ultimate goal. In view of this, the team consolidated to two datacenter locations, creating a single enterprise VDI service.
This new enterprise VDI service would set the stage for meeting DoD’s (Department of Defense) direction of cloud adoption. Migrating to the cloud would enable economies of scale, ensure that each member of the DLA team was empowered with the technology needed to fulfill the agency’s mission, and provide the flexibility for a digital infrastructure that could be tapped into from any device, any network, and any location. The cloud also would give the IT team a solid foundation designed not only for government entities, but also for changing business conditions. Today, DLA continues to be a leader with DoD in cloud adoption.
In order to understand the value of some of the initiatives undertaken by the DLA in its journey, it helps to review goals that have been underscored in recent years:
Five initiatives on the path to cloud
Along with the overarching priority of moving to the cloud, the agency’s long-term strategy provided an ambitious set of goals for the DLA J6 (IT team) that would enable DLA’s path to get there. To assist with these monumental tasks, as a first step, DLA entered into a partnership with Citrix, leveraging several Citrix Consulting Services (CCS) FTEs (full time employee residents). Together the DLA J6 and CCS began to tackle each of the projects:
Before the COVID-19 pandemic significantly impacted every organization’s IT operations, DLA had only completed the first three of these projects. However, due to the success of those projects, DLA was able to continue moving full steam ahead, completing both the Citrix ADC SDX migration and Microsoft Azure Government PoC while implementing a full work from home (WFH) mandate.
Long before COVID-19, multiple Citrix solutions were in use throughout the DLA. The first foundational initiative DLA embarked upon was to take central control of all IT operations. This would allow DLA HQ to start the digital transformation into an enterprise IT environment, streamlining management and controlling costs. DLA and Citrix CCS consolidated the agency’s many CONUS datacenters into two active-active datacenters. The Citrix Virtual Apps and Desktops design in the CONUS datacenters then became the model for modernizing both the Pacific and European datacenters.
These actions opened up new capabilities for the DLA and its employees. One example is Workspace hoteling – a different model than less formal “hot desking”. Hoteling works much like an actual hotel, in which a guest pre-books a room. The employee must check in with the central booking system – either a person or a self-directed software app. The entire population of users follows the same procedure and the booking system maintains a record of each desk assignment. For the DLA, this system ensures that physical workspace needs are met in the event that an individual must travel to an office for work.
The Citrix implementation and enterprise data consolidation project also enabled the DLA to realize economies of scale in shutting down some of its smaller offices. This meant a better allocation of resources and more cost-effective operations by moving some groups of users to full-time WFH.
Another significant change that resulted from the consolidation project was the expansion of the bring your own device (BYOD) model to the entire DLA population, instead of just allowing employees to take advantage of the original home telework program. DLA employees simply need a smart card-enabled (CAC) device with the Citrix client to access the Enterprise VDI environment. The smart card access alleviates any risk of leaving data at rest (DAR) on the BYOD device. It also opens the door to the testing of iOS devices leveraging Purebred (derived credentials) and Samsung devices leveraging CAC authentication.
Contractors and government employees typically are issued government-furnished devices or GFEs. GFEs bring the added headache of management. The Citrix design helps alleviate that by allowing a large portion of these GFEs to be converted to user-managed laptops, part of the BYOD model. As user managed devices, with no possibility of downloading sensitive and confidential data, they no longer need to be maintained by the DLA IT team.
DLA contractors also are given devices to access the environment. However, it is not required to have a government-furnished device to be able to gain access. Citrix enables the BYOD model to be viable because information is stored in the datacenter and not on the device itself, thus mitigating the risk of lost data.
Citrix espouses a Zero Trust security model, a strategy based on the idea that organizations should not automatically trust anything inside or outside agency perimeters. Zero Trust relies on contextual awareness to adaptively grant access to authorized users. This security strategy capitalizes on patterns based on identity, time, and device posture. This tightens the reins on access.
In a VDI environment, zero clients are supported. Zero clients – small, powerful, endpoint devices, can enable an organization – especially one of substantial size – to significantly cut costs. Savings can be realized in procuring devices and in power consumption. Hardware footprint can be decreased, noise from larger devices alleviated, and many security issues that arise from non-VDI devices on which data is stored can be eliminated.
To create an enterprise VDI service that could be migrated to the cloud, DLA decided to consolidate its multiple regional datacenters into two main datacenters, with either being able to host all users in the event of a failover. These datacenters operate in an active/active design, with each housing roughly half of the DLA CONUS user population. Citrix ADC provides Global Server Load Balancing (GSLB) which can fail one datacenter over to the other in case of an emergency or large outage. The entire supporting infrastructure – such as networking and storage – was designed to regularly replicate vital user and application data. In addition to this failover capability, each datacenter’s Citrix environment was designed with a modular architecture, allowing maintenance and updating with no interruption to the user population.
Citrix ADC (formerly known as Citrix NetScaler) is the tunneling, or proxy, and GSLB solution. This provides FIPS (Federal Information Processing Standards) 140-2 Level 2 compliant data-in-transit (DIT), and seamless integration with the Citrix client. It is supported by the onsite Citrix consulting staff. Over time, new cipher requirements were mandated, and DLA wanted to reduce the amount of hardware in the DMZ.
While the original Citrix ADC solution required that the proxy and GSLB roles be separated onto different physical devices, when it was time to refresh, the DLA implemented the Citrix ADC SDX platform to reduce hardware footprint. The ADC SDX is a multi-tenant solution that runs multiple FIPS-compliant isolated ADC instances on one hardware box. The ADC SDX platform also contained a newer hardware security module (HSM) capable of meeting future DoD mandates.
These mandates are vital in helping DoD organizations ensure that sensitive and confidential information is not compromised in transit. The SDX multi-tenant platform enabled the DLA to run both proxy and GSLB instances on the same hardware while maintaining isolation. It will also allow the DLA to move additional workloads to the SDX platform in the future.
Citrix ADC virtual appliances (VPXs) will be part of the upcoming cloud-based solution, leveraging Azure Government Key Vault to achieve FIPS 140-2 Level 2 compliance. Use of a virtual ADC inside Azure Government also allows for flexibility in design and optimal routing. The result will be a reduction in user latency to the Azure Government based VDI deployment.
One of the hardest things for enterprise leaders is amassing metrics that equate to success or failure of a project. For IT teams, it is triaging an issue so it can be routed to the correct team and quickly resolved. Citrix is one of the solutions that helps solve these needs. Citrix Virtual Apps and Desktops includes Citrix Director, a web-based Tier 1 helpdesk tool. This tool provides a mechanism for the enterprise helpdesk to triage issues. Basic tasks, such as resetting a profile, ending a misbehaving app, or logging off a user, can be performed directly from Director. Metrics on external users that proxy into the environment via Citrix ADC can also be presented, identifying if latency issues are internal or external to the environment. More complicated issues can be routed to the correct team based on information discovered within Director. This leads to a more efficient helpdesk service and less user frustration.
While Director is an excellent tool for the helpdesk and Citrix administrators, its information does not provide great visibility at the leadership level. To overcome this, specific metrics can be derived from Director for integration into a higher-level enterprise dashboard. This capability allows DLA’s Enterprise VDI team to provide factual success metrics to DLA leadership.
The enterprise dashboard gave the DLA leadership greater visibility into the entire environment; Citrix Director facilitated helpdesk triage efforts.
The COVID-19 pandemic impacted employees and IT projects
Finishing the foundation project and managing the Azure Government POC was temporarily impacted by the COVID-19 pandemic. In March, DoD and DLA issued a full-time telework mandate that only those employees who were considered ‘mission essential’ could remain onsite in office locations. When COVID-19 hit, the organization was well-prepared because DLA was already a telework-centric organization. Between 6,000 and 7,800 remote users already accessed the Citrix platform every day, while most others used Citrix internally. Every day 16,000 DLA employees and contractors started remotely accessing Citrix, with as many as 20,000 unique sessions every month. Citrix is the most heavily used of the virtual remote solutions in place within the DLA.
The COVID-19 pandemic hit just as DLA was getting into the SDX migration. In a traditional environment, this work would have been highly impacted by lack of site access to manage the devices. However, the DLA already had built a solid foundation with its WFH initiatives. Both DLA IT staff and Citrix consultants continued the SDX migration, completing it even though the COVID-19 pandemic had shut down some traditional organizations.
When the telework mandate was enforced, not much changed for the workforce. It was business as usual, just from a different locale.
Many other organizations only have VPN capabilities for external users, requiring a scramble to increase capacity and bandwidth when COVID-19 hit. Because of the infrastructure it had implemented, DLA was able to provide a secure workspace to external users. The VDI solution enabled just about everybody in the agency to continue to do their normal jobs without interruption.
The foundation of Citrix will enable the DLA to quickly transition workers back to the office when the time is right. Citrix Virtual Apps and Desktops enables home-based employees and contractors to securely share information, collaborate, easily access files, and carry out tasks in much the same way that was possible in the office. The same technology will enable DLA to immediately make another transition to whatever the ‘new normal’ work style becomes. At the same time, IT has visibility and management control over the environment.
For the return to office, DLA has implemented a staged plan in three reconstitution phases. Every site, based on its locality, will operate differently based on local COVID-19 statistics and on whether the employee fits into a high-risk category due to health or family concerns. Many different hybrid work styles can be supported.
The cloud on the horizon is Azure Government
By creating an Enterprise VDI service with Citrix, DLA set the foundation for meeting the current DoD direction of migrating all workloads to the cloud. Already an Office 365 consumer, DLA engaged Microsoft and Citrix to plan and test moving the Citrix solution into Azure Government. After a successful proof-of-concept, DLA moved forward with creating a production design. The agency has now entered the build out phase.
New cloud technology and capabilities continue to become available during the cloud projects. The agility DLA has created with its solution allows them to evolve the design on the fly, bringing in capabilities such as Teams optimization using Citrix, smart card enhancements, and improved access to Office 365. DLA anticipates migrating the entire VDI service to Azure Government over a 14-month period that successfully kicked off during the COVID-19 pandemic.
The DLA, a combat support agency in the United States Department of Defense (DoD), must adhere to established cloud computing security requirements known as Impact Levels. All DoD Cloud Service Providers (CSPs) support these requirements, which are upheld by the Defense Information Systems Agency (DISA).
Azure Government is no different.
Impact Levels (ILs) are defined by the sensitivity level of the information in the cloud environment, the potential impact caused by a breach, and more. The current Cloud Security Model defines four Impact Levels: IL2, IL4, IL5, and IL6 – with IL2 being the lowest impact level and being comprised of data that is cleared for public release. IL6 includes classified national security information that is upheld as secret.
The DLA meets IL4/IL5 requirements with Microsoft’s mission-critical Azure Government DOD regions – a dedicated instance only accessible by US federal, state, local, and tribal governments. Operations are controlled by screened US citizens. Citrix capabilities, such as dedicated host support and encrypted disks, will allow DLA the option of expanding out into standard Azure Government regions, helping put organization resources even closer to end users.
A model for the DoD to follow for the future
Over the past years, the DLA has created a highly available, Enterprise VDI service in preparation to move to the cloud. This has provided greater flexibility, eased administration, and allowed for greater teleworking. While on this journey, the fact that there were no business interruptions, garnered praise from DLA leadership. Being able to maintain a high SLA during the COVID-19 pandemic, and a seamless transition to work from home, made DLA a shining example of proper pandemic response plan.
As DLA continues its transition into the cloud, it leads the way in how to further increase SLAs, reduce administrative overhead, and meet DoD guidance. Their experience has created a model that can be repeated by other DoD organizations moving forward.
Citrix (NASDAQ:CTXS) is powering a better way to work with unified workspace, networking, and analytics solutions that help organizations unlock innovation, engage customers, and boost productivity, without sacrificing security. With Citrix, users get a seamless work experience and IT has a unified platform to secure, manage, and monitor diverse technologies in complex cloud environments. Citrix solutions are in use by more than 400,000 organizations including 99 percent of the Fortune 100 and 98 percent of the Fortune 500.
Copyright © 2021 Citrix Systems, Inc. All rights reserved. Citrix, XenApp and XenDesktop are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.