Much has already been written about the changes at VMware Horizon (now Omnissa) and the implications for their customers, resulting in many starting to evaluate alternatives, such as Citrix. In this blog, we would like to go a bit deeper and discuss the technical details that make Citrix DaaS or Citrix Virtual Apps and Desktops (CVAD) a better solution for app and desktop virtualization. 

Hybrid environments

While a cloud-centric approach, with all workloads hosted on a public cloud platform remains the preferred path forward for some organizations, many are starting to reconsider this strategy and we can read about cloud repatriation increasingly often. Citrix has always been the “Any, Any, Any” company promoting choice and meeting customers where they are. This also holds true for the platforms Citrix DaaS and CVAD support and integrate with. As outlined in the diagram below and discussed in detail on Tech Zone, Citrix solutions integrate with all major on-prem and cloud platforms.

Citrix solutions integrate with all major on-prem and cloud platforms graphic

It is also important to point out that Citrix customers can build an on-prem Citrix environment (CVAD) and connect it to a cloud platform, such as Microsoft Azure or Google Cloud, Nutanix NC2, or start with a Citrix DaaS environment and integrate it with an on-prem platform, such as VMware vSphere or Nutanix AHV. Whatever best meets the financial, regulatory, or performance requirements.

In addition, Citrix also enables customers to combine on-prem infrastructure and cloud services, with greater flexibility. For example, users can access resources hosted on on-prem CVAD environments via Citrix Workspace (service). At the same time, admins can leverage the Citrix Gateway Service in combination with an on-prem StoreFront infrastructure or assess the performance and security of a CVAD environment with our Analytics Services. Again, choice and flexibility are core tenets of the Citrix product strategy.

In contrast, VMware has traditionally been focused on driving the adoption of their vSphere platform and hence has limited choice considerably. At the moment, on-prem Horizon 8 only integrates with VMware vSphere. While it is supported to host virtual desktops on physical systems and on AWS WorkSpaces Core, Horizon does not integrate with the AWS platform, which means provisioning and image management are manual tasks, making it difficult to manage large environments.

On the other hand, Horizon Cloud Service only directly integrates with Microsoft Azure and Windows 365 Cloud PC (tech preview, which “must only be installed in test/non-production environments”), providing very limited choice. In order to deliver on-prem virtual desktops to users, admins need to deploy a full-scale on-prem Horizon infrastructure and connect it to Horizon Cloud, by means of the Horizon Edge Gateway, resulting in significant operational complexity. 

Simplicity

Ease of use is key for efficient operations and Citrix provides a broad range of functionalities that simplify day-to-day operations. In addition, we have made significant investments to modernize and simplify the admin interfaces to remove unnecessary complexities, improve the discoverability of features, and add more in-product guidance and wizards, such as Quick Deploy for Azure or AWS.

Another aspect that has a significant impact on ease of use is the number of moving parts in a solution stack. Especially for environments that are hybrid multi-cloud, or span across multiple locations, the infrastructure requirements can be enormous with competing solutions. But with Citrix the infrastructure requirements are minimal, even for such complex scenarios. 

Let’s use an example, where an organization needs to deploy their app and desktop virtualization solution to two different Azure regions and an on-prem data center. 

With Citrix DaaS the infrastructure required is handled with a pair of Cloud Connectors in each site and the obligatory Virtual Delivery Agent (VDA) installed on each virtual desktop. In addition, the customer has the choice to deploy NetScaler Gateway appliances if needed. In scenarios where non-domain or Entra ID – joined virtual desktops are used, even connectorless deployments are possible, reducing the footprint even further. 

Cloud Connectors graphic

Let’s contrast this with the requirements for a VMware Horizon / Horizon Cloud solution stack. As mentioned before, it is possible to connect on-prem Horizon and Horizon Cloud. While this enables a level of unified management across on-prem Horizon and Horizon Cloud, it comes with limitations related to troubleshooting or advanced configuration and management, where admins are required to use the local management consoles. In addition, a full-scale Horizon deployment is required for the on-prem site. But even for the Azure-based sites more infrastructure components are required, as Omnissa does not provide an equivalent to the Citrix Gateway Service. 

Horizon Client graphic

When considering a pure on-prem environment with multiple sites, the result is similar. 

With Citrix, customers can lean on a mature zone model, which reduces the number of infrastructure components to a minimum and provides a single point of management while enabling detailed control over load balancing and site preferences for users and applications

Workspace app graphic

When contrasting this with VMware/Omnissa Horizon, it becomes obvious that more infrastructure components are required, as each site is a stand-alone Horizon installation that needs to be managed separately. To provide users with a single point of access a Cloud Pod can be configured, which federates multiple Horizon sites. But this adds another layer of management for allocating resources to users, only making it more complex. 

Horizon Client Federation of Sites graphic

Context-aware security and Conditional Access

Security is of outmost importance for all of our customers. They want to ensure only authorized users have access to company resources. At the same time, they are also concerned about imposing too many security restrictions or authentication hurdles to their users, which would impact user experience and adoption of the solution. This balancing act is met by means of the Citrix context-aware security and conditional access. Hereby, context-aware security enables admins to control:

  • 100+ session policies, which allow detailed configuration of the user sessions, including client device mappings for example 
  • Application-specific activation of screenshot and keylogging protection as well as session watermarks
  • Dynamic recording of user sessions

These security restrictions can be assigned to users by means of a broad variety of filters, including the security posture of the endpoint, as depicted in the screenshot below. 

Create policy interface

At the same time, conditional access controls: 

  • Authentication flow for users, where users from trusted locations or devices will have a simpler authentication experience while for other users multiple factors of authentication are required
  • Geofencing to prevent access to resources in certain locations
  • Resource access based on the security posture of the endpoint, even if the device is not managed by the organization

In contrast, the security controls with VMware Horizon are considerably less mature. For example, the vast majority of Horizon policies are based on Active Directory Group Policies, which are statically assigned to users or groups. The only exception are Smart Policies in Omnissa’s Dynamic Environment Manager, which provides six settings, that are dynamically applied, not improving the situation much. 

To make application access or the authentication flow context-aware, Horizon customers need to implement Workspace ONE Access. This component enables admins to control the behavior based on client IP or device type, unless the endpoint is managed by Workspace ONE UEM, effectively ruling out this approach for 3rd party access or BYOD scenarios.

Security

In addition to the previously discussed security functionalities related to resource access and authentication, Citrix provides a more mature set of security features than Horizon. Here are a few examples:

  • While Horizon provides screenshot and keylogging protection, it is only available on Windows and Mac endpoints, but not on Linux (ruling out many thin clients), it does not work for local, web or SaaS apps, and it cannot be applied contextually. 
  • Horizon does include a simple session recording, but it does not perform in-session event detection (e.g. file transfers, clipboard activities, or web browsing activities), can be triggered based on these events (or other parameters), and does not integrate with the help desk console
  • In contrast to Citrix, Horizon’s digital watermark is not shown in all scenarios (e.g. when Search, Activities, or Show Applications desktop features are in use) and if an old client is used to connect, the watermark is not shown at all.
  • Unlike Citrix, Omnissa does not support non-domain joined virtual desktops, which are a powerful way to keep desktops isolated from the organization, useful when supporting (security) researchers or 3rd party users.

Flexibility

At the moment, most applications delivered by means of app and desktop virtualization are Windows-based, but the number of customers leveraging Linux and macOS for secure app delivery is increasing. Citrix DaaS and CVAD enable customers to deploy resources on Windows, Linux, and macOS enabling more flexibility than Omnissa Horizon, which is limited to Windows and Linux. But even when comparing the capabilities for Linux-based workloads, it becomes obvious that Citrix is a more mature solution. 

In contrast to Citrix, Omnissa customers are limited in the following ways:

Now, we could further continue this blog post, as we have not discussed differentiators, such as CPU/RAM Optimization, Service Continuity, uberAgent, Consistent APIs across cloud and on-prem, Terraform Provider, Global App Config Service, Image Portability Service, Automated Configuration Tool, Security and Performance Analytics, Cloud Cost Optimization and many other features and functionalities that make Citrix DaaS and CVAD the best solution for enterprise customers. 

Migrating to Citrix

Replacing Horizon or Horizon Cloud with Citrix technologies may be daunting and certainly requires thorough planning and execution. But the entire Citrix team and our channel partners are here to help you using proven methodologies and experiences from a broad range of successful migration projects. In addition, our current offers for for new and existing Citrix customers migrating from VMware Horizon, help shorten the ROI dramatically. 


Disclaimer: This publication may include references to the planned testing, release and/or availability of Cloud Software Group, Inc. products and services. The information provided in this publication is for informational purposes only, its contents are subject to change without notice, and it should not be relied on in making a purchasing decision. The information is not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for products remains at the sole discretion of Cloud Software Group, Inc.