Both Infrastructure as a Service (IaaS) and Software as a Service (SaaS) are nothing new and have been around for a few years now. Just short of two months ago, Citrix, along with Microsoft, announced the availability of XenDesktop 7 on Windows Azure. Finally, full Remote Desktop Services (RDS) availability in the Cloud, or so it seemed. Although I was instantly interested, my (spare) time was scarce during that period so I had to postpone my ‘Cloud’ ambitions. About a week ago I came across a random article discussing RDS on Windows Azure, an interesting read. After that I decided to do some research and perhaps open up a temp Azure account so I could experience its look and feel for myself.
After reading various articles discussing the matter, I soon realized that implementing XenDesktop 7 on Windows Azure might just be a bit more complicated than most of us think. Especially when reading the Citrix XenDesktop 7 on Windows Azure | Design guide, an architectural reference document well spread throughout the community, it’s easy to get the wrong idea (I used this document as a reference throughout this blog post). Let me explain…
The XD7 Design guide
On page three, as part of the introduction, the design guide states, and I quote:
With the introduction of Azure support for Remote Desktop Services Subscriber Access Licenses (RDS SALs) a broad set of opportunities to leverage Azure for hosted Windows desktops and applications begin to unfold. As a platform Microsoft Azure provides a robust, state of the art infrastructure and global presence for enterprises and service providers.
Directly followed by:
Citrix customers wanting to leverage public cloud infrastructure as a service in order to expand their on premise datacenter capabilities, without investing in new capital resources, can now host virtual desktops based on XenDesktop 7 within Azure.
If we continue, we come across an example use case to help us set up the basics:
Let’s assume “World-wide Co, Inc.” (WWCo) plans to leverage Microsoft and Citrix products to deliver a hosted desktop solution for their accounting department. The solution will provide value to the department by enabling access to Windows desktops and applications from any device. The Citrix XenDesktop 7 solution hosted on Azure consisted of a small number of components: Citrix XenDesktop 7 Delivery controllers, Hosted Shared workers (Session Isolation), Server VDI Workers (VM/Server Isolation) and a few more. The remaining components were already in place in the World-wide Co. on premise corporate datacenter.
The rest of the document tells us how WWCo completed their assessment by using the Citrix Project Accelerator, assisting them with their Windows Azure environment design. In the sections that follow (in the document) each part of the design is discussed separately. It has been split up into the following sections: User Group, Access layer, Desktop layer, Hardware layer and finally the Control layer. I’m not going to discuss them here since they’re irrelevant in making my point.
There’s just one more thing I’d like to highlight before moving on and that’s the ‘Desktop layer’ as stated above. If we look closely at the visual representation recommended by the Citrix Project Accelerator (unfortunately the image quality isn’t of the highest standards so it’s a bit hard to see, I copied it in anyway), it shows us two different catalogs, the first one is based on the Windows 7 client OS (Content creators, Pooled VDI) and the second one is based on the Hosted Shared Desktop principle, made up out of Windows Server 2008 R2 (Task workers).
Although the above is a relatively short summary, given the circumstances, it does give us a good idea of what’s needed, assessed and finally implemented, or a recommendation at least. It involves Hosted Shared Desktops, a small VDI implementation based on a Windows 7 image, external access and a bunch of other components and technology needed to create our first cloud based XD7 Site.
Some terms and statements from the design guide:
- Hosted Windows desktops and applications
- for enterprises and service providers
- host virtual desktops based on XenDesktop 7 within Azure
- hosted desktop solution
- Windows desktops and applications from any device
- Hosted Shared workers (Session Isolation)
- Server VDI Workers (VM/Server Isolation)
- Windows 7 client OS
Reading through the above and according to the design guide, or at least the way I interpreted it, it should be possible to create a XD7 Site containing Hosted Shared Desktops made up out of the Windows Server 2008 R2 and 2012 OSs as well as a VDI deployment based on a Windows 7 image (or Windows 8 for that matter) as the visual recommendation shows us. It also shouldn’t matter if you’re an enterprise company or a (Microsoft) service provider providing hosted services. So far you’re still with me right? In the next section I’ll explain why this design isn’t possible.
There’s a link on page 14 which leads us to the Windows Azure online Documentation section. It explains how to create VMs within Azure based on a Server OS, and there is a reason behind this: it isn’t allowed to run client operating systems within Azure! But the design guide doesn’t tell us that; in fact, it talks about an environment partly based on Windows client operating systems (five VMs based on Windows 7). It also states: The following Citrix components are currently supported within Azure: Citrix XenDesktop 7 Delivery controllers, Hosted Shared Workers and Server VDI Workers, which isn’t true.
These ‘Server VDI Workers’ are associated with the creation / provisioning of the five Windows 7 based VDI machines under the section ‘Desktop layer’ as discussed earlier. That just doesn’t make any sense. Even if I’ve missed something (and if I did let me know) it’s clear that this document is confusing to say the least. Let’s continue.
It all comes down to licensing. This is what Microsoft has to say with regards to client operating systems on cloud hosting platforms: Multi-tenant hosting is restricted in the Product Use Rights of Windows Clients, such as Windows 7 or Windows 8. Windows Client Desktops are not available on either Windows Azure or on any other Service Provider such as Amazon or Rackspace. You can read more about the Microsoft Product Use Rights here. And there you have it.
Let’s dig a bit deeper
To start, let’s first have a look at what can be deployed, and as such is supported, on Azure. If you want to install or move one of your physical machines into Azure, or any other cloud service provider for that matter, you first need to make sure that the associated operating system (and applications if applicable) license includes something called license mobility. Next to that you also need to have a valid Software Assurance for all the software you own. All this is well documented in the Microsoft Product Use Rights (MPUR) document. This document also states: the Windows® client operating system, and desktop application products are not included in License Mobility through Software Assurance. Again highlighting the fact that it isn’t allowed to run client OSs in the cloud. Below you’ll find some of the more popular operating systems and applications available for use on Azure:
- Microsoft Windows Server™ 2008 R2 / 2012 Standard
- Microsoft Windows Server™ 2008 R2 / 2012 Datacenter
- Microsoft Exchange™ Server 2013 Enterprise
- Microsoft Exchange™ Server 2013 Standard
- Microsoft Forefront™ Identity Manager 2010 R2
- Microsoft Forefront™ Unified Access Gateway 2010
- Microsoft Lync™ Server 2013
- Microsoft SharePoint Server 2013
- Microsoft SQL Server™ 2012 Business Intelligence
- Microsoft BizTalk™ Server 2013 Enterprise
- Microsoft BizTalk™ Server 2013 Standard
- Microsoft SQL Server™ 2012 Enterprise
- Microsoft System Center™ Essentials 2010
- Microsoft System Center™ Essentials 2010 with SQL Server 2008 Technology
Be aware that there are more, have a look at the MPUR document mentioned above for more detailed information. But wait… it doesn’t end here.
Server operating systems
So far we’ve learned, or already knew, that Microsoft’s licensing only allows Hosted Shared Desktops based on Windows Server 2008 R2 or Windows Server 2012, no VDI based solutions where client OSs come into play are allowed. So yes, XenDesktop 7 can be implemented within Azure but with limited functionality.
Since I was focussing on the combination of Citrix XenDesktop 7 and, or on, Windows Azure, with the accompanying Design Guide in the back of my mind, I might have left out an important piece of information. Throughout my article I state, multiple times, that it isn’t possible to host client operating systems on a (multi tenant) cloud platform since Microsoft simply doesn’t allow it, see the Microsoft quote (it’s license related) on this mentioned earlier. Although this is true, I should have emphasized the multi tenant part! On a multi tenant platform (Azure, Amazon, Rackspace etc…) you’ll have to share all available infrastructural resources with other customers (tenants) on the same platform, this is because you have no control over the underlying hardware and / or hypervisor. One of the main reasons why client operating systems are not allowed.
But… if you are a Citrix Service Provider and you can offer an isolated virtual infrastructure including dedicated underlying hardware, per tenant (this is the important part), then you would be allowed to offer client operating systems from the cloud. Citrix calls this the Site isolation model; this, and the above, also applies to VDI-in-a-Box by the way. Again, none of the infrastructure components are shared and in most cases each Site will reside on a dedicated VLAN or physical network. I probably should have mentioned this earlier, I apologize, my bad.
To make use of the RDS functionality (limited to the Hosted Shared Desktop functionality) within Azure we would need the newly introduced RDS Subscriber Access Licenses (SALs) from Microsoft (assuming that license mobility and Software Assurance are covered). This is where it gets interesting, again. The RDS SALs are offered as part of Microsoft’s Services Provider Licensing Agreement (SPLA) licensing. This means, to obtain these licenses you’ll need to be a Microsoft Services Provider!
Uhm… but what about: ‘As a platform Microsoft Azure provides a robust, state of the art infrastructure and global presence for enterprises and service providers’ and… ‘Citrix customers wanting to leverage public cloud infrastructure as a service in order to expand their on premise datacenter capabilities, without investing in new capital resources, can now host virtual desktops based on XenDesktop 7 within Azure’?
This basically means that if your company wants to make use of Azure’s RDS functionality it needs to be a Microsoft service provider or it needs to contact one so it can do the hosting for them. Something to be aware of since the design guide doesn’t mention the licenses involved, license mobility or any other restrictions you might need to consider for that matter. According to the design guide, enterprises as well as service providers can make use of Azure to expand their existing on-premises data centers. Unfortunately it isn’t that simple.
Here’s a quote from Microsoft: RDS Client Access Licenses (CALs) purchased from Microsoft Volume Licensing programs such as Enterprise Agreements, do not get license mobility to shared cloud platforms, hence they cannot be used on Azure. Microsoft’s explained. So ‘just’ CALs aren’t enough anymore.
There might be a way around this: by obtaining SPLA licensing, your company automatically becomes seen as a service provider, at least by Microsoft. This way you can buy and use RDS SALs the way you see fit. But I’m not an expert in this field so don’t just take my word for it, have a look here. Again something to look into before entering the cloud, not making it any easier.
- The MPUR document lists what is allowed and supported on Azure
- You need license mobility and Software Assurance
- Client operating systems are not supported on Azure
- Server operating systems are supported on Azure, limited to Server 2008 R2 and 2012
- When XD 7 is implemented on Azure only Hosted Shared Desktops are possible
- To make use of the RDS functionality within Azure you’ll need RDS SALs
- RDS CALs are not valid for use in Windows Azure.
- To obtain RDS SALs you need to be a Microsoft service provider
- By default, not every enterprise can make use of RDS on the Azure platform
Another drawback: Citrix Provisioning Services as well as MCS are both not supported within Azure. The provisioning of VMs is done by hand. Larger scale environments can be provisioned using Azure PowerShell scripting. The appendix of the design guide contains multiple sample PowerShell scripts, you can find the cmdlets here. According to the design guide the primary information source on using these cmdlets comes from this blog.
There is talk of a ‘secret’ project Microsoft is working on called Mohoro which may offer true VDI scenarios enabling the use of client operating systems on cloud based, multi-tenant infrastructures. It’s speculated that we can expect to hear and see more around the second half of 2014. Here’s a nice article on Mohoro, it’s from redmondmag.com. Once it’s out I’ll definitely do a review on it.
This might not be new information for some, but you must admit (or not :-) that the way Citrix introduced XD7’s availability on Azure, including the accompanying design document, isn’t their best work to date. It’s confusing, at least that’s the way I see it. As far as the title goes, of course there’s nothing stopping you from implementing XD7 on Azure if you want. But if you do, be aware that you will have to make do with limited functionality. Personally I think it’s a waste of money. You buy XenDesktop 7, which we all know isn’t cheap, host it on Azure to find out that you can only use half of what you paid for. If it was me, I’d be patient and wait just a little while longer. Or instead, deploy XenApp for example, it offers some great use cases leveraging Azure. For now deploy your XD7 Sites on premises and make full use of all it has to offer. I’m sure Azure / Microsoft will support some, if not all, of the above in the near future. And if all else fails, we always have Mohoro to look forward to!
Bas van Kaam ©
Reference materials used: Windowsazure.com, Citrix.com, Support.Microsoft.com, Wikipedia.com, Redmondmag.com and Google.com