Suggestions on ditching Citrix

I need to ask all of you enterprise guys a question. First off, a small story for all interested:

Summary

The company I’m working for (“We”) recently fell victim to the latest Citrix Vulnerability.
Why: We are a small IT team in charge of everything so we weren’t able to check proactively for issues. Citrix failed to inform in advance (Their response later on was: “Didn’t we? We thought you were on the list…”)

We don’t have issues with mistakes. They are human. They are everywhere. Everybody makes them. But what we have issues with, is how it was handled afterwards: False promises, recommended procedures that didn’t work (Again answers like: “it didn’t? Well, it should… We’ll get back to you” - 10 days silence).

So we all agreed - which is rare: IT and management agreeing - that it’s time for a change.

What we are currently planning is ditching Citrix altogether. We have some things solved already:

  • Sharefile we’ll replace with Nextcloud Hub and an Outlook plugin.
  • Reverse proxy & Forward proxy will be done by our FW using squid.
  • Netscalers for Remote Access… well, there’s the problem.

What we need:

  • We need different desktops for different groups. Currently we use 5 different profiles.
  • We’d like to have a solution as easy as it is now for our employees: Login to Webportal -> Virtual desktop opens -> done.
  • We’d like to have some technology change between login and Desktops, hence no direct RDP (Desktops are Windows only… not my idea)
  • We’d prefer it to be Open Source. Not free necessarily, but Open Source.
  • We need it to be performant and reliable.
  • We’d like to be able to publish applications like we can now, but could live without.
  • 2FA is a must

Any ideas? Is there anything you guys are using that you might recommend? We’re only talking about 60 concurrent users/connections. And I’d appreciate @wendell and team and @lawrencesystems inputs as well, if you guys like and can. I figure you may have way more experience in that regard than we have.

We looked at some different offers but there is surprisingly little information and real world experience on the web. At least easily found.

EDIT: Added 2FA as a must.

Proxmox comes to mind

1 Like

I’m not too familiar with Proxmox but isn’t it basically a Hypervisor on Steroids? We are covered in that regard by XEN, soon to be xcp-ng. Sorry, didn’t mention that.

I don’t have a done solution in mind, but I’m thinking it should be possible to perhaps have:

  1. thinly provisioned VMs pre spun up and running (how many different types of VMs do you have? just have a python script run in a loop that ensures a few virgin VMs are always available)
  2. web app that you build yourself and tailor to your needs that allows the user to reserve a VM (no longer a virgin VM), connect to it, do their work, once logged out, destroys the thinly provisioned VM.

but I don’t understand - why not RDP?

1 Like
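The pool-of-spare-VMs idea in the post above, written out as a small reconciliation loop. This is an added example, not code from the thread or from any of the products mentioned: the `Hypervisor` class is an assumed, minimal interface backed by an in-memory fake so it runs offline; against xcp-ng the three calls would map onto clone-from-template, start and destroy, which is not shown here. The point it demonstrates is the lifecycle rule from the post: a VM that has been handed to a user is never returned to the spare list, it is destroyed on logout and replaced by a fresh clone, so one session can never inherit another's state.

```python
"""Spare-VM pool with a reconcile loop (added example, hypothetical hypervisor API)."""
from __future__ import annotations

import itertools
import time
from dataclasses import dataclass, field


class Hypervisor:
    """Assumed interface (in-memory fake): clone a template into a new VM, destroy a VM."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.vms: dict[str, str] = {}        # vm_id -> template it was cloned from
        self.destroyed: list[str] = []       # audit trail of destroyed VM ids

    def clone_from_template(self, template: str) -> str:
        vm_id = f"vm-{next(self._ids)}"
        self.vms[vm_id] = template
        return vm_id

    def destroy(self, vm_id: str) -> None:
        del self.vms[vm_id]
        self.destroyed.append(vm_id)


@dataclass
class VmPool:
    hv: Hypervisor
    targets: dict[str, int]                                   # template -> spare VMs to keep warm
    spare: dict[str, list[str]] = field(default_factory=dict)  # template -> never-used VM ids
    in_use: dict[str, tuple[str, str]] = field(default_factory=dict)  # vm_id -> (template, user)

    def reconcile(self) -> int:
        """Top each template's spare list up to its target. Returns number of VMs created."""
        created = 0
        for template, target in self.targets.items():
            lst = self.spare.setdefault(template, [])
            while len(lst) < target:
                lst.append(self.hv.clone_from_template(template))
                created += 1
        return created

    def reserve(self, template: str, user: str) -> str:
        """Hand a never-used VM to `user`. It leaves the spare list for good."""
        lst = self.spare.get(template, [])
        if not lst:
            raise RuntimeError(f"no spare VM for {template!r}; retry after the next reconcile")
        vm_id = lst.pop(0)
        self.in_use[vm_id] = (template, user)
        return vm_id

    def release(self, vm_id: str) -> None:
        """On logout: destroy the VM (never recycle it) and refill the pool."""
        self.in_use.pop(vm_id)          # KeyError if this id was never handed out
        self.hv.destroy(vm_id)
        self.reconcile()

    def run_loop(self, interval_s: float = 30.0, iterations: int | None = None) -> None:
        """The 'script in a loop' from the post: reconcile forever (or `iterations` times)."""
        n = 0
        while iterations is None or n < iterations:
            self.reconcile()
            n += 1
            if iterations is None or n < iterations:
                time.sleep(interval_s)


if __name__ == "__main__":
    hv = Hypervisor()
    pool = VmPool(hv, {"finance": 2, "sales": 1})   # constructed sizing
    pool.run_loop(interval_s=0, iterations=1)
    vm = pool.reserve("finance", "alice")
    pool.release(vm)
    print("spare:", pool.spare, "destroyed:", hv.destroyed)
```

The reservation step is where a web portal would plug in: authenticate the user first, then call `reserve()` for the profile that user belongs to, and call `release()` from the logout hook so the destroy-and-replace rule is enforced by the pool and not by the user.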

Proxmox lets a user log in to a server on an account made for them and lets them run any OS.

Since you have Xen I guess that's not an issue.

1 Like

Apache Guacamole? and have it connect to VMs on xcp-ng?

1 Like

Good plan. Only: 3 IT guys, ~ 140 servers (including the “desktops”), all the network, security, projects, hand-holding our BI and explaining SQL to their “Infrastructure Architects”, coordinating different countries and Micro-ITs and… well… users. Not to sound unthankful but building our own is out of the question.

“We” is always difficult. Since I try to summarize all of the wishes and opinions. We aren’t against RDP. Citrix builds on it or wraps it. We just want to have technology-changes so to speak in our connections. Right now it is (from outside the company) FW -> Netscaler -> “Citrix” RDP. We’d like to keep an abstraction in between as to make hopping less likely.

Could you elaborate on that? So the accounts have to be created using Proxmox or can regular AD-Profiles be used for the users?

That actually could work. Having stuff full screen would be nice since the machines used to login are only thin clients and or users are… users. They like it easy and looking like it’s local. But I will add it to the ones to check out. Thanks!

EDIT: typo

I only used it in a class so IDK about AD management or anything like that.

But yeah, there's a web UI you log into and you go from there.

1 Like

Do you issue and manage client side certs today?

I don’t know enough about RDP to know if it’s possible to steer the TLS connection to the right endpoint based on some kind of SNI. That kind of proxying would be trivial to implement in a few hundred lines in Go. … but then again, build vs. buy.

There’s a URI scheme for RDP that may make it easy for your users to connect to the right endpoint. Not sure if that can help with provisioning of these.
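What "steering on SNI" actually involves, as an added example (not the poster's Go sketch and not part of any product named in the thread): the proxy reads the first TLS record of a connection, parses the ClientHello far enough to find the `server_name` extension, and looks the name up in an allow-list of backends. Nothing is decrypted; the hostname is in the clear by design. `build_client_hello` only constructs a sample record so the parser can be exercised offline; the route table and addresses are constructed placeholders. Unknown or absent names are refused rather than sent to a default backend, which is the part that keeps such a proxy from becoming a hop into the desktop network.

```python
"""Extract SNI from a TLS ClientHello and route on an allow-list (added example)."""
from __future__ import annotations

import struct

# Constructed route table: SNI hostname -> RDP backend. Anything not listed is refused.
ROUTES: dict[str, tuple[str, int]] = {
    "desktop-finance.example.internal": ("10.0.1.10", 3389),
    "desktop-sales.example.internal": ("10.0.1.11", 3389),
}


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: minimal TLS record carrying a ClientHello with one SNI entry."""
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0
    other_ext = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"             # ec_point_formats, to be skipped
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03" + bytes(32)                       # client_version, 32-byte random (zeros here)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
        + b"\x01\x00"                                 # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> str | None:
    """Return the host_name from the ClientHello, or None if absent/malformed/incomplete."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack_from("!H", record, 3)[0]
    if len(record) < 5 + rec_len:                     # partial record: caller must read more
        return None
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                      # skip client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression_methods
    if len(body) < pos + 2:                           # no extensions block at all
        return None
    ext_total = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    end = pos + ext_total
    if len(body) < end:
        return None
    while pos + 4 <= end:                             # walk extensions, bounds-checked
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        ext = body[pos:pos + ext_len]
        pos += ext_len
        if len(ext) < ext_len:
            return None
        if ext_type == 0x0000:
            return _parse_server_name(ext)
    return None


def _parse_server_name(ext: bytes) -> str | None:
    if len(ext) < 2:
        return None
    end = min(2 + struct.unpack_from("!H", ext, 0)[0], len(ext))
    pos = 2
    while pos + 3 <= end:
        name_type = ext[pos]
        name_len = struct.unpack_from("!H", ext, pos + 1)[0]
        pos += 3
        name = ext[pos:pos + name_len]
        pos += name_len
        if name_type == 0 and len(name) == name_len:
            try:
                return name.decode("ascii")           # SNI carries ASCII (IDNA A-label) names
            except UnicodeDecodeError:
                return None
    return None


def select_backend(first_record: bytes, routes: dict[str, tuple[str, int]]) -> tuple[str, int] | None:
    """Allow-list routing: only a known SNI gets a backend; no default target."""
    name = extract_sni(first_record)
    return None if name is None else routes.get(name.lower())
```

In a real proxy the record is peeked from the accepted socket before any bytes are forwarded, and the client certificate check the poster asks about would happen in the TLS termination in front of this, not in the SNI sniffer, which never sees past the first message.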

Proxmox can use PAM for the web authentication, so using AD LDAP is probably the way to go there. That being said, I don’t think Proxmox would be the cleanest integration for end users without some custom stuff to make sure they don’t get lost or confused. As much as I like Proxmox, Guacamole looks cleaner.

1 Like

Ok, I’ll have to check out Proxmox then. Maybe some others in here are already using it. Might make a new post once we’ve narrowed it down. Thanks!

Yes, both tickets and certs. Tickets are handled by AD, Certs are handled by Internal Root-CA.

Our issue exactly. None of us are programmers. We’re “Script Kiddies” at best in that regard. Yes, we all have some coding experience and are fine with scripting to a degree but well… And home brew (no pun intended) solutions are a PIA to administer, troubleshoot and expand in a professional environment.

Thanks for chiming in. Yes, it seems Proxmox would be way more hassle than we can handle. Especially in the long run.

Thanks to all of you guys. Not exactly what I was hoping for but still good pointers. I guess we’ll have to keep on looking and evaluate what you proposed. And maybe do a user acceptance test regarding the HTML5 only clients…

Oh dude, there’s a new Proxmox thread every week, just keep an eye out.

I know! But there is soooo much to brush up on and learn all the time. The days simply do not have enough hours. :wink:

Also, don’t forget to check user passwords against the HIBP API so that they won’t be using weak passwords.

1 Like
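The HIBP check suggested above, written out as an added example (not from the thread, not HIBP's own client code). It uses the Pwned Passwords range endpoint's k-anonymity model: only the first five hex characters of the password's SHA-1 leave the host, and the matching suffix is looked up locally in the returned list. `fake_fetch_range` is a constructed stand-in for the HTTP call so the block runs offline, and its breach count is a placeholder, not a real figure; `fetch_range_https` is the live variant and sends the `Add-Padding: true` header the service supports so response sizes do not reveal which prefix was queried.

```python
"""Password breach check against the HIBP range API with k-anonymity (added example)."""
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF). Padded entries have count 0 and drop out on lookup."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the breach corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    body = fetch_range(prefix)             # only the 5-char prefix is sent anywhere
    return parse_range_response(body).get(suffix, 0)


def password_allowed(password: str, fetch_range: Callable[[str], str],
                     min_length: int = 12) -> tuple[bool, str]:
    """Policy: length floor first (no network needed), then the breach lookup."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = pwned_count(password, fetch_range)
    if n > 0:
        return False, f"seen {n} times in known breaches"
    return True, "ok"


def fetch_range_https(prefix: str) -> str:
    """Live lookup. Add-Padding makes every response a similar size."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fake_fetch_range(prefix: str) -> str:
    """Constructed offline stand-in. 5BAA6 is the prefix of SHA-1("password");
    the count 12345 is a placeholder, not HIBP's real number."""
    canned = {
        "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
                 "0018A45C4D1DEF81644B54AB7F969B88D65:0\r\n",   # second line: padding-style entry
    }
    return canned.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", password_allowed(candidate, fake_fetch_range))
```

Wire `password_allowed` into the account-creation and password-change path of whatever portal ends up in front of the desktops, with `fetch_range_https` as the fetcher; if the lookup fails (timeout, outage), decide explicitly whether to fail open or closed rather than letting an exception skip the check.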