I recently received an interesting request for my “expertise” (their word, not mine). The ask itself was straightforward: help organizations with employees in Ukraine get back online after reaching safety. I’ll start by saying everything I’m going to talk about here is absolutely secondary to what is transpiring in Ukraine right now – I feel very fortunate to be in a place to even offer any help or assistance.
The ask wasn’t that simple, though. “Employees” in this case also included contractors. (Ukraine is a large supplier of contract labor.) And “online” really meant providing secure, remote access to corporate apps and data. After thinking about all the other variables the situation introduced, I realized this wasn’t going to be a typical solutioning exercise. My first call with a CEO of a large enterprise asking for immediate help confirmed this.
Of course, I jumped at the chance to help. I couldn’t sleep for two days as I ran scenarios and brainstormed potential solutions. There was only one other time in my 18-year career at Citrix where I felt the same way as I did earlier this month — when the pandemic hit. I was asked in early 2020 about the best way to get several million new WFH users productive on Citrix overnight. One customer asked if we could deploy Citrix to a large field hospital over a weekend (something that would usually take a month or more). This request was similar in nature but, at the same time, very different — speed and simplicity were going to be key, but the solutions ended up being pretty different.
I wanted to share a few of the solutions I came up with for our customers with Ukraine-based workers. Before I share them, it’s important to cover key assumptions, requirements and/or conditions:
- Some end users are employees, and some are contractors. That means both managed and unmanaged devices.
- Quite a few end users are developers, which meant horsepower and Linux were required.
- The end users are in Ukraine (often in a different city from their “home base”) or are now in a different country, such as Poland.
- There are varying degrees of network connectivity. Some people have solid internet in larger cities in Western Ukraine (or outside the country, in cities like Warsaw, for example) and others have intermittent connectivity in Ukraine (some have even started experimenting with Starlink).
- Some organizations have existing Citrix footprints and some don’t. Likewise, some organizations have existing public cloud footprints and landing zones and some don’t.
- I spent a lot of time with each customer doing discovery. More specifically, we focused on where corporate backend data was located and which apps & data were truly mission-critical. And then we devised plans to get corporate data off local devices and transfer critical data to a public cloud or alternate network location via any means possible. After all, a desktop in the cloud without key apps & data (or connectivity to backend development systems in this case) isn't very useful.
- Time is of the essence and simplicity is key. Cost is secondary.
With these things in mind, here are three solutions I recommended, in this order:
- Existing Remote Connectivity and Persistent VDI via Public Cloud: This is really the first option due to its immediate availability and ease of implementation. It essentially involves leveraging an existing VPN (or Azure ExpressRoute, etc.) and spinning up Linux or Windows-based VMs in the closest region. In the case of Azure or AWS, this meant leveraging regions in Germany (Google Cloud has a great option available in Poland). With pay-as-you-go and being able to access critical data from a file sharing solution like OneDrive, users can get quick, secure access to the resources they need. A couple of notes about this option — the solution involves no Citrix technology or components. And I delivered a presentation about five years ago saying persistent desktops are a terrible idea. You can check out that presentation here if you want some context, but the gist was that persistent VDI can become a bit of a nightmare to manage long-term and true HA is almost impossible. But given the circumstances, it’s absolutely the easiest and quickest way to get up and running in a matter of hours. An elegant non-persistent VDI solution can take a year or longer to deploy.
- Citrix Virtual Apps and Desktops Standard for Azure: This is the next solution I kept circling in my notebook, and it’s essentially Citrix’s DaaS offering on Azure. Why does it make sense in this case? It’s easy to purchase through the Azure Marketplace and you can buy different bundles with consolidated billing at a low monthly price (e.g., 200 desktops for $13/month/user). It’s also flexible in that you can use your existing Azure subscription or Citrix can provide it and manage it for you (and then we can leverage Azure virtual network peering for connectivity back to the corporate network). With this solution (and the main reason I considered it over Windows 365 Cloud PC) you can also provision Windows and Linux desktops to cover both employees and contractors with different requirements. And while this solution might be slightly more expensive than the first option, it has its benefits. We make Citrix clients for almost any device, including mobile phones, tablets, and Chromebooks, and our ICA protocol really shines when you have highly latent network connections (which comes in handy when you might only have Starlink or your users are in more remote areas). We also have pre-built images that can save precious cycles in terms of provisioning.
- Citrix Gateway and Remote PC Access: This was our go-to solution when the pandemic hit, and while the circumstances are certainly different, there were a couple of scenarios where employees left work devices somewhere and they fortunately still had connectivity. But this solution entails installing our Remote PC Access agent on the connected device, which enables it to become the VDI machine itself. You can use an existing VPN or our cloud-hosted Citrix Gateway service with about 25 PoPs to authenticate and connect to your VDI machine remotely and securely. This is how many of our customers were able to work from home almost overnight when the pandemic hit. They left their devices in the office, we installed Remote PC Access agents on all of them via automated tools, and then we told employees to hit a URL and connect to their work computers. All their apps and data are available and they can again use any device they have handy (tablet, Chromebook, etc.). Please note, if an organization has an existing Citrix ADC footprint and needs more scalability, you can leverage a multi-tiered VPX architecture. We did this trick a lot when the pandemic hit to provide almost instant scale-out capacity.
Of course we have plenty of other solutions that might’ve fit the bill here and I believe I considered all of them (SD-WAN, Secure Browser Service, Linux VDA, SIA, SPA, etc.). But this exercise made me realize you really must keep the requirements at the forefront when designing a solution. While many solutions we have in our toolkit are more scalable than the three I covered above, they require more time than most organizations have to deploy or require more infrastructure and complexity than necessary. This is also one of those situations where perfect is the enemy of good — we all agreed that speed and simplicity were the driving factors, so this is where we landed.
One final thought: time is such a luxury, and we’re often too rigid as Architects. Most of the projects in my career have been around advising very large global organizations with often idealistic, long-term goals in mind. And we do most projects “by the book,” using a formal methodology, and time is rarely a constraint. The COVID-19 pandemic or the Ukraine conflict can really remind us to be a little more flexible and to always remember that “there are best practices and then there’s reality” (as I’ve said in the past, even correcting my own “best practices” time and time again). To put this in perspective, before the pandemic hit, I had only deployed Remote PC Access for one customer in 15 years. We deployed it about 100 times in a two-month window in early 2020. Before this situation in Ukraine, I would not have recommended persistent VDI to a customer. Never. And in total transparency, this was the first time I’ve designed or deployed Citrix Virtual Apps and Desktops Standard for Azure. That might come as a surprise to some, but it just reinforces that it’s important to remember your requirements, remain flexible, and don’t be afraid to take the road less traveled.
Solutions Architect at Amazon Web Services (AWS) | EUC Specialist | Enterprise Architecture | Product Management
2 years
Great read. Makes me miss my days in consulting.
Nice job, Nick. “I couldn’t sleep for two days as I ran scenarios and brainstormed potential solutions.” In the feels.
Security Product Manager
2 years
Good stuff, Nick.
Great stuff, Nick!! Thank you!!
Cyber Security Strategist | Cloud and Virtualization Architect | Program Manager | Educator | Smart Home Designer | Sommelier
2 years
Really good read, Nick. I enjoyed it!