Fast Rollout of Remote Office Operations with MS Azure and Citrix - Derive Notes From the Field Series

"Fast Rollout of Remote Office Operations with MS Azure and Citrix" is another in Derive Technologies’ “Notes from the Field” blog series, written by our Professional Services team, providing insights about a variety of technology solutions from an engineering perspective. Look out for further entries over the coming weeks.





Over the last few months, organizations of all sizes have been adopting new ways of doing business at unprecedented speed. From workforces learning how to function effectively from home, to massive scale-ups of IT infrastructure to accommodate remote workers, businesses are embracing change as never before.

One of the challenges I’ve worked on recently involved a client that, prior to the COVID-19 outbreak, never allowed their employees to have remote access. Normally, only certain IT members had secured laptops with a VPN to allow emergency access; all employees had to work on-site.

The virus lockdown upended that situation.

Some time ago we completed a replacement of this client’s legacy Citrix XenApp infrastructure, updating to a Citrix Virtual Apps and Desktops platform that includes VDI capabilities for select employees. Even so, remote access was not in the picture for this organization, as the Citrix platforms were deployed for application delivery to internal workstations. Over the years, a great benefit was realized from being able to securely deliver applications to users without having to visit endpoints associated with the small teams managing the desktop infrastructure.


Fast forward to 2020… One morning in late February, I received a call to discuss viable options if things “went south” in the coming weeks. The client wanted something that would be easy to explain to users, secure, and quick for Derive to stand up. Normally I would simply recommend a Citrix ADC Gateway, but this customer has strict security regulations.

Any solution that would sit in the datacenter would have to be thoroughly vetted by multiple teams: not just the appliance itself, but also anything that could potentially exploit it or be exploited by it. Even under the best of circumstances, approval can take weeks. And while we are confident in our ability to deploy hardened Citrix ADC appliances, we simply didn’t have the luxury of time for a full impact study.

What About Azure?

It turns out the client had been dabbling in Microsoft Azure and already had an ExpressRoute setup between the Azure cloud and their datacenter—though that infrastructure had not really been in production use yet.

Normally, you want as much of your application infrastructure grouped as closely as possible to ensure best performance. Separating these components risks introducing additional performance impact points with the solution.

Questions like “Will the latency be too high?”, “Will the applications load quickly enough?”, and “Will the backend database support this?” are all considerations under normal circumstances. But these weren’t normal circumstances. Rollout speed was of the essence.


One of the key things that Microsoft’s Azure cloud brings to the table is the ability to easily segregate an application in a cloud-based datacenter that already had strict controls, and to completely separate the Citrix ADC VPX from any other systems.

Leveraging Azure Network Security Groups, we were able to present a secure logon page, ensure any traffic that flowed through the Citrix ADC passed through multiple firewalls along the way to connect to resources back in the Citrix Virtual Apps and Desktops farm, and enable all traffic to be closely monitored.


Performance was quite good. We found that the latency between Azure and the datacenter wasn’t noticeable within user sessions, thus providing a high-quality user experience.

I’m not sure what made the client happier: the ability to get their workers operational faster than anticipated, passing the third-party penetration test with flying colors...

…or the fact that they could start working in their pajamas every day.


Mike Ilich is a Senior Systems Engineer and Practice Lead for Virtualization and End-User Computing at Derive Technologies. For the last 18 years, Mike has helped organizations of all sizes streamline their application delivery initiatives. His specialties include VDI, Application Virtualization, Citrix ADC, and Microsoft Solutions.


