Direct Workload Connection

I don’t know of anyone who likes road construction, especially road construction that sends you on a multi-mile detour you around the construction. Detours are not as efficient as the direct route. They take more time for you to get to your destination.

We will usually get the best experience if we can take the most direct route.

Let’s turn our attention to cloud and Citrix Virtual Apps and Desktops Service.

I’ve often highlighted the benefits of using the Gateway cloud service. You might have seen me use this diagram before where I highlight the value the service provides:

Using the Gateway Service greatly simplifies our deployment. But there is one thing that always bugged me with the model… the internal user.

When a user (internal or external) establishes a connection to an internal virtual desktop/app, they must go through the Gateway Service, as shown in the following diagram.

Although this does work, my biggest concern is that we are creating a detour for the user. Although there are numerous Points of Presence (PoPs) for the Gateway Service to try and minimize the latency, the overall connection is not the most optimized because we are sending an internal user to an external cloud service to reach an internal virtual desktop/app.

This adds latency.

Latency is the path to the unhappy users. Latency leads to frustration. Frustration leads to anger. Anger leads to suffering.

A better approach is the direct approach as shown:

Internal users make direct connections to the virtual desktop/app instead of being forced to go external and route through the Gateway Service.

So how does Workspace know that you are an internal user? By the user’s public IP address.

I said public IP address and NOT end point IP address. This is extremely important.

If direct connection decisions were based on the end point IP address we would quickly run into trouble. How many of us use a internal-only IP address scheme (,, and If my home internal IP address scheme is the same as the organization’s internal network address scheme, Workspace would think I’m internal and bypass the Gateway Service, resulting in failed connections.

But instead, the direct connection decisions are based on the public IP address.

When identifying which locations can use the direct route, it might be obvious but it still needs stating; users within those locations MUST be able to make a direct connection to the VM.

To set this up in your Citrix cloud environment, you can use the Citrix article: Optimize connectivity to workspaces with Direct Workload Connection.

Daniel (Twitter: @djfeller)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.