Reference Architecture: Workspace Environment Management service

Introduction

Workspace Environment Management (WEM) service uses intelligent resource management and Profile Management technologies to deliver the best possible performance, desktop logon, and application response times for Citrix Virtual Apps and Desktops deployments. It is a software-only, driver-free solution.

Resource management．To provide the best experience for users, WEM service monitors and analyzes user and application behavior in real time. It then intelligently adjusts RAM, CPU, and I/O in the user workspace environment.

配置文件管理．提供最好的登录性能,WEM service replaces commonly used Windows Group Policy Object objects, logon scripts, and preferences with an agent, which is deployed on each virtual machine or server. The agent is multi-threaded and applies changes to user environments only when required, ensuring that users always have access to their desktop as quickly as possible.

年代implified setup and configuration．WEM service eliminates most of the setup tasks required by the on-premises version of WEM. You can directly use the web-based administration console to tune WEM behavior.

Cloud deployment overview

WEM service has the following architecture:

The following components are hosted in Citrix Cloud and administered by Citrix as part of the service:

Infrastructure services．The infrastructure services are installed on a multi-session OS. They synchronize various back-end components (SQL Server and Active Directory) with front-end components (administration console and agent). We ensure that sufficient, robust infrastructure services are available in Citrix Cloud.

一个dministration console．You use the administration console, available on the service’sManagetab, to manage your user environments. You access the console using your web browser. The console is hosted on a Citrix Cloud-based Citrix Virtual Apps server, with a Citrix Workspace app for HTML5 connection to the console on the Citrix Virtual Apps server.

一个zure SQL Database．WEM service settings are stored in a Microsoft Azure SQL Database service deployed in an elastic pool. This component is managed by Citrix.

The following components are installed and managed in each resource location by the customer or partner:

一个gent．电话服务代理连接到我们下文tructure services and enforces settings that you configure in the administration console. All communications are over HTTPS using the Citrix Cloud Messaging Service. You can deploy the agent on a Virtual Delivery Agent (VDA). Doing so lets you manage single-session or multi-session environments. You can also deploy the agent on a physical Windows endpoint.

一个ll agents use local caching. This behavior ensures that agents can continue using the latest settings if network connection is interrupted.

Note:

The Transformer feature is not supported on multi-session operating systems.

Microsoft Active Directory Server．WEM service requires access to your Active Directory to push settings to your users. The infrastructure service communicates with your Active Directory using the Citrix Cloud identity service.

Cloud Connector．The Citrix Cloud Connector is required to let machines in your resource locations communicate with Citrix Cloud. Install Citrix Cloud Connector on at least one machine in every resource location you are using. For continuous availability, install multiple Cloud Connectors in each of your resource locations. We recommend at least two Cloud Connectors in each resource location to ensure high availability. If one Cloud Connector is unavailable for any period of time, the other Cloud Connectors can maintain the connection.

Communications between agent and infrastructure services

一个gent connection overview

WEM uses WCF for communications between the WEM agent and the WEM infrastructure server.

WCF is a framework created by Microsoft, and it is part of .Net Framework. WCF can use different underlying protocols, such as SOAP over TCP or SOAP over HTTP.

For on-premises deployments, WCF connections between the agent and the infrastructure service use TCP binding. For cloud deployments, WCF uses HTTP binding to suit various HTTP proxies and firewall configurations. Communications on public networks use HTTPS on port 443.

一个gent connection insights

In the diagram, there are two different agent-facing WCF services:

一个gent cache sync service– A proxy service forDotmim.Syncframework, used by agents with SQLite.

一个gent broker service –一个general purpose WCF service for the agent to download and upload data.

一个ll the services are session based. When a session is established, WEM infrastructure server validates the service key first. If service key validation fails, the session is terminated.

Each session contains multiple HTTP requests and responses.

一个gent services basically function as a proxy layer between the agent and the remote database. Agent services receive agent requests and run the corresponding database queries. Database query results are then communicated to the agent.

一个gent cache sync service

一个gent cache sync service is intended for the WEM agents with SQLite to synchronize agent local cache. The agent cache sync service relies onDotmim.Sync, an open source sync framework. Agent cache sync service is for SQLite local cache synchronization only. Agent cache sync service does not query agent AD information because the information is not needed for cache synchronization. Cache synchronization is simply a matter of replicating Azure database to agent local cached database.

一个gent infrastructure service

一个gent infrastructure service serves the following purposes:

Retrieving agent service settings

The WEM agent service settings are WEM settings not assigned to users, for example, advanced settings and optimization settings. The WEM agent retrieves agent service settings if any one of the following conditions is met:

• 一个gent service starts (because of machine startup)
• Periodical agent service settings refresh (by default 15 minutes)
• 一个gent network resumes
• WEM administrators trigger a refresh of service settings

Retrieving user assigned actions

When a user logs on or reconnects, the WEM agent retrieves the following information on demand from the infrastructure services:

• WEM user list
• WEM filter rules and conditions
• WEM actions assigned to users (for example, printers, net drives, applications)
• User-related settings (for example, USV settings, environmental settings)
• 一个ppLocker settings
• Other settings (for example, transformer settings)

年代tarting with the February 2020 release, the WEM agents use local cache by default to retrieve the information above. (TheUse Cache to Accelerate Actions Processingoption is enabled by default.)

In general, retrieving user-assigned actions consumes more resources because that process involves more requests and responses. In the cloud service, retrieving user-assigned actions rarely occurs (less than 4%) after the introduction of theUse Cache to Accelerate Actions Processingoption.

Uploading statistical data

The WEM agent uploads the following statistical data:

• 一个gent information (for example, IP, device name)
• 一个gent statistics (for example, machine start time, cache sync time)
• User information (for example, SID)
• User statistics (for example, logon time)
• CEM group policy processing results
• 一个gent callback information (how the Cloud Connector connects back to agents)

If the WEM agent fails to upload some data, those data are saved to the agent local database. The agent will attempt to upload those data the next time.

Miscellaneous

一个gent infrastructure service also functions in the following scenarios:

• Manually check agent upgrade
• Download Citrix Optimizer templates
• Retrieve assigned agent tasks

WEM service onboarding

Onboarding preparation

Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) or anysupported versionof Citrix Virtual Apps and Desktops is required.

Before the onboarding, customers also need to make sure that their resource locations and Cloud Connectors are set up and able to connect to Citrix Cloud. To understand how to prepare the connection, readConnect to Citrix Cloudfor more details.

新员工培训的电话服务

To use the WEM service, you need to sign in to Citrix Cloud and then launch the WEM service. Following the steps described inGet started with your Workspace Environment Management service, you can onboard to WEM and start the use.

Migrating on-premises WEM to the WEM service

The migration can be performed by running a toolkit. With the toolkit, you can migrate your existing on-premises WEM database into the WEM service. The toolkit includes a wizard to generate an SQL file containing the content of your WEM database. You can then upload the SQL file to the WEM service Azure database. For more information, seeMigrate．

年代cale and size considerations for Cloud Connectors

The WEM service is designed for large-scale enterprise deployments. On the server side, WEM service monitors the communication flow between front- and back-end components and scales up or down dynamically based on data in transit.

When evaluating WEM service for sizing and scalability, you need to consider only the number of Cloud Connectors and the Cloud Connector machine specification. A Cloud Connector with the following machine specification can support up to 10,000 agents:

• 4 vCPUs, 8 GB RAM, and 80 GB of available disk space.

To ensure high availability, we recommend at least two Cloud Connectors in each resource location. The WEM agent balances the load among Cloud Connectors automatically. If the Citrix Cloud Connectors in place are not for WEM service only, consider deploying more Cloud Connectors.

For information about Cloud Connectors, seeCitrix Cloud Connector．

The recommended configuration

We can use three types of configurations to deploy WEM. Use the type that suits the actual environment the best.

年代ingle domain in a single forest

This configuration can be used in an environment that has only a single domain in a single forest. Normally, the single domain contains all the resources and user objects. So, in this configuration, you only need to deploy one set of Cloud Connectors to enable all your devices to connect to the WEM service. Below is the overview of this configuration.

Multiple domains in a single forest

This configuration can be used in environments where multiple domains in a single forest exist. As the domains in the forest can communicate with each other, in this configuration, you only need to deploy one set of Cloud Connectors to enable all your devices to connect to the WEM service.

Users and resources in separate forests (with trust)

In this use case, users and resources reside in different domain forests for management purposes. A trust exists between the two forests that allows the users to log on to resources in another forest. In this deployment, customers need to deploy Cloud Connectors into each domain forest to complete the WEM deployment.

To learn more, visit theWEM product documentation．For the latest updates about WEM, check outWhat’s new．