Reference Architecture: Workspace Environment Management service (2022)

May 4, 2021

Author: Jian Luo, Cheng Zhang, Jack Zhou


Workspace Environment Management (WEM) service uses intelligent resource management and Profile Management technologies to deliver the best possible performance, desktop logon, and application response times for Citrix Virtual Apps and Desktops deployments. It is a software-only, driver-free solution.

Resource management. To provide the best experience for users, WEM service monitors and analyzes user and application behavior in real time. It then intelligently adjusts RAM, CPU, and I/O in the user workspace environment.

Profile Management. To deliver the best possible logon performance, WEM service replaces commonly used Windows Group Policy Object objects, logon scripts, and preferences with an agent, which is deployed on each virtual machine or server. The agent is multi-threaded and applies changes to user environments only when required, ensuring that users always have access to their desktop as quickly as possible.

Simplified setup and configuration. WEM service eliminates most of the setup tasks required by the on-premises version of WEM. You can directly use the web-based administration console to tune WEM behavior.

Cloud deployment overview

WEM service has the following architecture:

Reference Architecture: Workspace Environment Management service (1)

(Video) Architecting Workspace ONE: The Official Reference Architecture

The following components are hosted in Citrix Cloud and administered by Citrix as part of the service:

Infrastructure services. The infrastructure services are installed on a multi-session OS. They synchronize various back-end components (SQL Server and Active Directory) with front-end components (administration console and agent). We ensure that sufficient, robust infrastructure services are available in Citrix Cloud.

Administration console. You use the administration console, available on the service’s Manage tab, to manage your user environments. You access the console using your web browser. The console is hosted on a Citrix Cloud-based Citrix Virtual Apps server, with a Citrix Workspace app for HTML5 connection to the console on the Citrix Virtual Apps server.

Azure SQL Database. WEM service settings are stored in a Microsoft Azure SQL Database service deployed in an elastic pool. This component is managed by Citrix.

The following components are installed and managed in each resource location by the customer or partner:

Agent. The WEM service agent connects to the WEM infrastructure services and enforces settings that you configure in the administration console. All communications are over HTTPS using the Citrix Cloud Messaging Service. You can deploy the agent on a Virtual Delivery Agent (VDA). Doing so lets you manage single-session or multi-session environments. You can also deploy the agent on a physical Windows endpoint.

All agents use local caching. This behavior ensures that agents can continue using the latest settings if network connection is interrupted.


The Transformer feature is not supported on multi-session operating systems.

Microsoft Active Directory Server. WEM service requires access to your Active Directory to push settings to your users. The infrastructure service communicates with your Active Directory using the Citrix Cloud identity service.

Cloud Connector. The Citrix Cloud Connector is required to let machines in your resource locations communicate with Citrix Cloud. Install Citrix Cloud Connector on at least one machine in every resource location you are using. For continuous availability, install multiple Cloud Connectors in each of your resource locations. We recommend at least two Cloud Connectors in each resource location to ensure high availability. If one Cloud Connector is unavailable for any period of time, the other Cloud Connectors can maintain the connection.

Communications between agent and infrastructure services

Agent connection overview

WEM uses WCF for communications between the WEM agent and the WEM infrastructure server.

(Video) Reference Architecture: Building a Successful Solution

WCF is a framework created by Microsoft, and it is part of .Net Framework. WCF can use different underlying protocols, such as SOAP over TCP or SOAP over HTTP.

For on-premises deployments, WCF connections between the agent and the infrastructure service use TCP binding. For cloud deployments, WCF uses HTTP binding to suit various HTTP proxies and firewall configurations. Communications on public networks use HTTPS on port 443.

Agent connection insights

Reference Architecture: Workspace Environment Management service (2)

In the diagram, there are two different agent-facing WCF services:

Agent cache sync service – A proxy service for Dotmim.Sync framework, used by agents with SQLite.

Agent broker service – A general purpose WCF service for the agent to download and upload data.

All the services are session based. When a session is established, WEM infrastructure server validates the service key first. If service key validation fails, the session is terminated.

Each session contains multiple HTTP requests and responses.

Agent services basically function as a proxy layer between the agent and the remote database. Agent services receive agent requests and run the corresponding database queries. Database query results are then communicated to the agent.

Agent cache sync service

Agent cache sync service is intended for the WEM agents with SQLite to synchronize agent local cache. The agent cache sync service relies on Dotmim.Sync, an open source sync framework. Agent cache sync service is for SQLite local cache synchronization only. Agent cache sync service does not query agent AD information because the information is not needed for cache synchronization. Cache synchronization is simply a matter of replicating Azure database to agent local cached database.

Agent infrastructure service

Agent infrastructure service serves the following purposes:

Retrieving agent service settings

The WEM agent service settings are WEM settings not assigned to users, for example, advanced settings and optimization settings. The WEM agent retrieves agent service settings if any one of the following conditions is met:

(Video) A Reference Architecture for Hybrid Integration

  • Agent service starts (because of machine startup)
  • Periodical agent service settings refresh (by default 15 minutes)
  • Agent network resumes
  • WEM administrators trigger a refresh of service settings

Retrieving user assigned actions

When a user logs on or reconnects, the WEM agent retrieves the following information on demand from the infrastructure services:

  • WEM user list
  • WEM filter rules and conditions
  • WEM actions assigned to users (for example, printers, net drives, applications)
  • User-related settings (for example, USV settings, environmental settings)
  • AppLocker settings
  • Other settings (for example, transformer settings)

Starting with the February 2020 release, the WEM agents use local cache by default to retrieve the information above. (The Use Cache to Accelerate Actions Processing option is enabled by default.)

In general, retrieving user-assigned actions consumes more resources because that process involves more requests and responses. In the cloud service, retrieving user-assigned actions rarely occurs (less than 4%) after the introduction of the Use Cache to Accelerate Actions Processing option.

Uploading statistical data

The WEM agent uploads the following statistical data:

  • Agent information (for example, IP, device name)
  • Agent statistics (for example, machine start time, cache sync time)
  • User information (for example, SID)
  • User statistics (for example, logon time)
  • CEM group policy processing results
  • Agent callback information (how the Cloud Connector connects back to agents)

If the WEM agent fails to upload some data, those data are saved to the agent local database. The agent will attempt to upload those data the next time.


Agent infrastructure service also functions in the following scenarios:

  • Manually check agent upgrade
  • Download Citrix Optimizer templates
  • Retrieve assigned agent tasks

WEM service onboarding

Onboarding preparation

Customers who have the following Citrix Cloud entitlements are able to use WEM as a service:

  • Citrix Virtual Apps and Desktops
  • Citrix Virtual Apps
  • Citrix Endpoint Management service
  • Citrix Workspace Premium
  • Citrix Workspace Premium Plus


Customers using the above-mentioned services as trials get the WEM service trial as well. WEM trial is available for Cloud use only. With the trial, customers get full access to WEM service functionalities.

Before the onboarding, customers also need to make sure that their resource locations and Cloud Connectors are set up and able to connect to Citrix Cloud. To understand how to prepare the connection, read Connect to Citrix Cloud for more details.

Onboarding to the WEM service

To use the WEM service, you need to sign in to Citrix Cloud and then launch the WEM service. Following the steps described in Get started with your Workspace Environment Management service, you can onboard to WEM and start the use.

Migrating on-premises WEM to the WEM service

The migration can be performed by running a toolkit. With the toolkit, you can migrate your existing on-premises WEM database into the WEM service. The toolkit includes a wizard to generate an SQL file containing the content of your WEM database. You can then upload the SQL file to the WEM service Azure database. For more information, seeMigrate.

(Video) Cloud Reference Architecture CRA - P1 Foundation

Scale and size considerations for Cloud Connectors

The WEM service is designed for large-scale enterprise deployments. On the server side, WEM service monitors the communication flow between front- and back-end components and scales up or down dynamically based on data in transit.

When evaluating WEM service for sizing and scalability, you need to consider only the number of Cloud Connectors and the Cloud Connector machine specification. A Cloud Connector with the following machine specification can support up to 10,000 agents:

  • 4 vCPUs, 8 GB RAM, and 80 GB of available disk space.

To ensure high availability, we recommend at least two Cloud Connectors in each resource location. The WEM agent balances the load among Cloud Connectors automatically. If the Citrix Cloud Connectors in place are not for WEM service only, consider deploying more Cloud Connectors.

For information about Cloud Connectors, see Citrix Cloud Connector.

The recommended configuration

We can use three types of configurations to deploy WEM. Use the type that suits the actual environment the best.

Single domain in a single forest

This configuration can be used in an environment that has only a single domain in a single forest. Normally, the single domain contains all the resources and user objects. So, in this configuration, you only need to deploy one set of Cloud Connectors to enable all your devices to connect to the WEM service. Below is the overview of this configuration.

Reference Architecture: Workspace Environment Management service (3)

Multiple domains in a single forest

This configuration can be used in environments where multiple domains in a single forest exist. As the domains in the forest can communicate with each other, in this configuration, you only need to deploy one set of Cloud Connectors to enable all your devices to connect to the WEM service.

Reference Architecture: Workspace Environment Management service (4)

Users and resources in separate forests (with trust)

In this use case, users and resources reside in different domain forests for management purposes. A trust exists between the two forests that allows the users to log on to resources in another forest. In this deployment, customers need to deploy Cloud Connectors into each domain forest to complete the WEM deployment.

Reference Architecture: Workspace Environment Management service (5)

To learn more, visit the WEM product documentation. For the latest updates about WEM, check out What’s new.

(Video) Azure Architecture Center Step by Step - Basic Web Application


What is workspace environment management? ›

Workspace Environment Management uses intelligent resource management and profile management technologies to deliver the best possible performance, desktop logon, and application response times for Citrix Virtual Apps and Desktops deployments. It is a software-only, driver-free solution.

What is Citrix WEM used for? ›

WEM enables administrators to configure Citrix Profile Management (CPM) settings with WEM instead of with Studio Policy or Group Policy. It is a common misconception that WEM is a profile management tool. WEM is only used to configure CPM (as an alternative to Studio or Group Policy).

How do I update my WEM? ›

From the Start menu, select Citrix>Workspace Environment Management > WEM Database Management Utility. Click Upgrade Database. In the database upgrade wizard, type the required information. Server and instance name.

How do I read Citrix workspace logs? ›

View logs in the Event Viewer > Applications and Services Logs > Norskale Broker Service pane. Citrix WEM Infrastructure Service Debug. log. The log that lets you troubleshoot issues with the Citrix WEM infrastructure service (Norskale Broker Service.exe).

What are the components of workspace? ›

​A workspace consists of panes, windows, and a work area that can be customized to suit a user's specific needs. Dialog boxes are presented on top of the workspace. WorkStation positions panes at the edges of the main window. You can lock, release, and move these components to another location.

What is workspace management software? ›

Workspace management is a process by which companies attempt to boost employee productivity and efficiency, while cutting costs and optimising business performance. The latest statistics from CBRE indicate that, on average, prioritising wellbeing increases productivity by 10%.

What is a WEM system? ›

Workforce engagement management (WEM) is a collection of contact center software applications designed to increase agent engagement throughout the employment life cycle. They do this by automating tasks associated with scheduling, performance management, quality management, and more.

What is new WEM service? ›

A new, web-based Workspace Environment Management (WEM) console is now available. We are in the process of migrating the full set of functionalities from the legacy console to the web console. The web console generally responds faster than the legacy console.

What is the difference between IMA and FMA in Citrix? ›

Architecture. The Independent Management Architecture (IMA) used by XenApp 6.5 and earlier versions is a mesh architecture. The Flexcast Management Architecture (FMA) used by XA/XD 7. x on the other hand consolidates all brokering functionalities to the Desktop Delivery Controller (DDC).

What can Citrix workspace see on your computer? ›

The only what can be monitored is your work within the Citrix/Terminal session. This is what you do at your work computer. But whatever you do outside of the session at your personal home computer or your laptop cannot be monitored.

How does Citrix monitor activity? ›

Citrix Secure Private Access service collates and presents information on the activities of users, such as, websites visited, and the bandwidth spent. It also reports bandwidth use and detected threats, such as malware and phishing sites.

What is Citrix workspace and why is it on my computer? ›

Citrix Workspace is a cloud-based enterprise app store that provides secure and unified access to apps, desktops, and content (resources) from anywhere, on any device. These resources can be Citrix DaaS, content apps, local and mobile apps, SaaS and Web apps, and browser apps.

What are the three types of workspace views? ›

The Workspace has five tabs: Normal, Outline, Notes, Slide Sorter, and Handout.

What are the five tabs of workspace? ›

Workspace. The Workspace has five tabs: Normal, Outline, Notes, Handout, and Slide Sorter. These five tabs are called View Buttons.

Which is the workspace service? ›

Workspace as a Service (WaaS)

WaaS is a form of virtualized desktop used by organizations to provide a virtual workspace for the employees. Employees are allowed to access the companies applications and data via this platform anywhere at any time using any device.

What is the function of workspace? ›

It provides a graphical representation of the whos display, and allows you to perform the equivalent of the clear , load , open , and save functions.

What are the benefits of workspace? ›

Take a look at six of the key benefits associated with collaborative workspaces.
  • Better space utilization. ...
  • Improved employee socialization. ...
  • Better business agility and flexibility. ...
  • Increased productivity and motivation. ...
  • Pooled talent and insight. ...
  • More emphasis on workplace culture.

What is CPU clamping? ›

CPU clamping prevents processes using more than a specified percentage of the CPU's processing power. WEM “throttles” (or “clamps”) that process when it reaches the specified CPU percentage you set. This lets you prevent processes from consuming large amounts of CPU.

Is WEM a Scrabble word? ›

Yes, wem is a valid Scrabble word. More definitions: (n.)

What is Citrix virtual delivery agent? ›

Citrix Virtual Delivery Agent (VDA) is installed on each machine that delivers applications and/or desktops to users in your Citrix-based virtual desktop infrastructure (VDI). With Citrix VDA, machines can register with the Citrix Delivery Controller, making their resources accessible to your users.

What is Citrix analytics service? ›

Citrix Analytics is a Cloud-based service that works across Citrix portfolio products and third-party products. The Analytics service receives data from these products (or data sources) and uses built-in Machine Learning (ML) algorithms to detect anomalous behavior of a user or any other entity.

What is Citrix support? ›

Citrix Workspace app is the easy-to-install client software that provides seamless secure access to everything you need to get work done. Resources.

What is Citrix FMA architecture? ›

FMA stands for Flex Management Architecture and of XenDesktop version 7, includes a Desktop as well as Server VDA. It is the next generation architecture for XenDesktop and XenApp VDI and /or RDSH based deployments. Over the years it has evolved from 6 services to 11 services in total.

What is the difference between PVS and MCS in Citrix? ›

MCS takes a snapshot of a virtual machine, copies it to a storage location and clones are made that read this copy. PVS is network-based while MCS is a hypervisor-based but they both ultimately end up with virtual machines for users to establish sessions onto. Needing to upgrade VMware, XenServer and HyperV tools.

What are the different types of Citrix licenses? ›

Product Line***EditionsPerpetual
Citrix ADC VPX, MPX, SDX, and CPXStandard, Advanced, Premium ExpressAvailable (excluding CPX and Pooled Capacity)
Citrix GatewayStandard Advanced and PremiumAvailable
Citrix Secure Web GatewayStandard, Advanced, PremiumAvailable
Citrix SD-WANStandard, WANOp, and PremiumAvailable

How can I tell if my computer is being monitored at work 2022? ›

How to Know If Your Computer is Being Monitored
  1. Open Windows Settings.
  2. Choose “Privacy and security.”
  3. Select “Camera” from the options on the left.
  4. Go through this list and see which programs last accessed your webcam or which one is currently accessing it.

Can employers spy through Citrix? ›

If you leave Citrix open in the background or minimized, your employer cannot see what you do on your local browser, Steam, apps, etc. If you launch a web browser in Citrix and use it to browse on the internet then yes, your employer can see your activities because you are remotely connected to their browser.

Can your employer spy on you at home? ›

Is it legal to monitor remote employees in California? In California, employers can face criminal penalties for eavesdropping or recording their employees' private communications via telephone or email unless all parties to the communication consent to the monitoring (California Penal Code § 631).

Can my employer see my screen? ›

Your boss can monitor your website browsing activity if you're using a work computer and if you're using a personal computer but on a company network.

Can my employer see where I am working from? ›

Yes, it is possible that your boss (or whomever) is watching you. Using your IP address (a series of numbers with dots), someone can easily trace your location while you're logging in from out of office. But… there are also ways of making this impossible.

Can my employer listen to me through my computer? ›

Your employer does not have the right to “bug" your home, eavesdrop, or spy on you through a work computer or work phone. You have federal rights to privacy through the Electronic Communications Privacy Act (ECPA), and your work must legally ask for your consent to monitor your work calls or computer use while working.

What is difference between Citrix Receiver and Citrix Workspace? ›

Citrix Workspace app is a new client from Citrix that works similar to Citrix Receiver and is fully backward-compatible with your organization's Citrix infrastructure. Citrix Workspace app provides the full capabilities of Citrix Receiver, and new capabilities based on your organization's Citrix deployment.

Can I remove Citrix from my computer? ›

You can uninstall Citrix Workspace app using the Windows Programs and Features utility (Add or Remove Programs). Note: During Citrix Workspace app installation, you get a prompt to uninstall the Citrix HDX RTME package. Click OK to continue the uninstallation.

Is Citrix Workspace a virtual desktop? ›

Citrix solutions for desktop virtualization

Citrix offers some of the industry's most comprehensive desktop virtualization solutions. With Citrix DaaS (formerly Citrix Virtual Apps and Desktops service), users get secure access to all the apps and data they need, from any device and location—all while simplifying IT.

What is workspace app used for? ›

Citrix Workspace App (formerly known as Citrix Receiver) enables users to access applications, services, and data from several desktop and mobile devices. By using this product, you can instantly access all your software as a Service (SaaS) and web applications, files, and mobile apps.

What is workspace app and do I need it? ›

About Citrix Workspace app

Citrix Workspace app is a single point of entry to all workspace services for users. Users get seamless and secure access to all the apps that they need to stay productive, including features such as embedded browsing and single sign-on.

What is meant by Citrix workspace? ›

Citrix Workspace is a digital workspace solution that delivers secure and unified access to apps, desktops, and content (resources) from anywhere, on any device. These resources can be Citrix DaaS, content apps, local and mobile apps, SaaS and Web apps, and browser apps.

What do you mean by your workspace? ›

(wɜːk ˈɛərɪə ) noun. the place where a person, or people work. someone who comes into your office or your work area and either hovers over you or sits on your desk.

Is workspace a VPN? ›

Citrix Workspace provides a cloud- based, VPN-less solution to access all intranet web, SaaS, mobile, and virtual applications—whether using managed, unmanaged, or bring-your-own devices (BYOD) over any network.

What is difference between workspace and my workspace? ›

Workspaces are created on capacities. Essentially, they are containers for dashboards, reports, workbooks, datasets, and dataflows in Power BI. There are two types of workspaces: My workspace and workspaces. My workspace is the personal workspace for any Power BI customer to work with your own content.

What is the difference between Google and Google Workspace? ›

The major difference between free Gmail and business Gmail (Google Workspace) is the design of the product. While free Gmail is designed for personal users, Google Workspace is specifically designed for business use, with business Gmail and team collaboration capabilities.

Is Google Workspace needed? ›

We primarily recommend Google Workspace for clients that are needing email hosting for their business. However, Google Workspace is much more than just email. It also includes a variety of apps and features that can come in quite handy. In fact, you're probably already using or are familiar with some of them.

Is Google Workspace safe? ›

Google Workspace customers' data is encrypted when it's on a disk, stored on backup media, moving over the Internet, or traveling between data centers. Encryption is an important piece of the Google Workspace security strategy, helping to protect your emails, chats, Google Drive files, and other data.

What are the benefits of Citrix Workspace? ›

Citrix digital workspace solutions

With Citrix, you can: Improve how people work by unifying content, apps, and data into a unified, personal experience—and increase productivity by automating tasks and streamlining workflows.

Is Citrix Workspace a virtual machine? ›

Citrix gives your organization the tools it needs to benefit from virtualization software. With Citrix Virtual Apps and Desktops, you can simplify your infrastructure while giving users the secure virtual workspaces they need to be productive from anywhere.

Why do I have Citrix Workspace on my computer? ›

The Citrix Workspace platform enables IT administrators to manage all their enterprise applications, desktops and data from a single pane, providing them various access controls to build a secure digital perimeter around the user when accessing enterprise content from any device, hosted on any cloud, and from any ...

What is the main workspace of computer? ›

The workspace is usually a file or directory. 2. In a graphical interface, a workspace is a grouping of application windows used by a window manager applications to help reduce clutter on the desktop screen. Workspaces are commonly found on Unix operating systems.

What is another word for workspace? ›

What is another word for workspace?
working areacomputer terminal
1 more row

What is a workspace in development? ›

Workspace refers to storage areas where developers can implement and test code in accordance with the project's adopted standards in relative isolation from other developers.


1. Modern Security Operations w/ Microsoft Reference Architecture
(Matt Soseman)
2. Middle Mile Advisory Committee Meeting November 18, 2022
3. AWS end to end Architecture for Web App, web services and database
(Cloud Academy - All in One)
4. European Interoperability Reference Architecture (EIRA)
(Interoperable Europe)
5. Chapter-6: Azure Reference Architecture Networking Design
6. Planning and Sustainability Commission 11-22-2022
(Portland BPS)

Top Articles

You might also like

Latest Posts

Article information

Author: Mrs. Angelic Larkin

Last Updated: 10/02/2022

Views: 6073

Rating: 4.7 / 5 (47 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Mrs. Angelic Larkin

Birthday: 1992-06-28

Address: Apt. 413 8275 Mueller Overpass, South Magnolia, IA 99527-6023

Phone: +6824704719725

Job: District Real-Estate Facilitator

Hobby: Letterboxing, Vacation, Poi, Homebrewing, Mountain biking, Slacklining, Cabaret

Introduction: My name is Mrs. Angelic Larkin, I am a cute, charming, funny, determined, inexpensive, joyous, cheerful person who loves writing and wants to share my knowledge and understanding with you.