Jump to content
Updated Privacy Statement

Reference Architecture: DaaS for Contact Centers Reference Architectures

  • Contributed By: Citrix Technical Marketing


Contact Centers are vital when it comes to customer interaction and satisfaction. Often customer service agents are the “face” of a company and represent the only interface between a company and its customers. Contact centers during the pandemic saw average handle, queue, and hold times increasing which made it frustrating for customers. Meanwhile, contact centers face high employee turn-over. Employee turn-over causes an increase in cost as each new agent needs to be set up and trained before being able to work productively. Contact centers need to redefine the agent experience to retain existing employees while attracting new talent. Therefore, the entire contact center environment, including call quality and application performance, can play an important role for the agent in providing the best customer experience and satisfaction.

CompanyA is a contact center company. As COVID-19 occurred, CompanyA became even more vital to its customers. CompanyA knew it had to rethink its IT strategy going forward to reduce operational expenses, reduce the risk of outages and downtime, increase security, and build an environment focused on customer and agent experience that would lead to revenue growth. During COVID-19 over 75% of CompanyA's agents had to work from home. CompanyA wants to continue allowing agents to work from home in some capacity even after restrictions are lifted. They decided this because according to Harvard Business Review, at-home agents can answer 13.5% more calls than their office-bound peers. Also, a flexible WFH strategy allows them to expand their talent pool and retain existing talent, while reducing their overall cost. CompanyA decided to migrate to Citrix Cloud services and standardize on Google Chromebooks to have a reliable, flexible, and secure environment.

This reference architecture explains how CompanyA is planning their environment that allows them to maintain a WFH strategy, scale quickly and easily, and reduce costs.

Success Criteria

Company A has defined a list of success criteria that formed the basis for the overarching design.

User Experience

Success Criteria Description Solution
Seamless experience To reduce user disruption, end users have a similar look and feel Citrix Workspace
Easy onboarding New agents must be able to onboard quickly and efficiently without requiring third party assistance Citrix Workspace + Google Chromebooks
Flexibility of remote work Work from anywhere, anytime, and on any device Citrix Workspace + Citrix Enterprise Browser
Single sign-on Secure access to all apps (Windows, SaaS, and Web apps) without reauthentication Citrix DaaS
Contact Center apps, peripherals, and endpoints supported Support for the needed contact center applications, endpoints, and peripherals Chromebooks
Optimized end-user experience Equal or better user experience on virtual apps than they do on local apps HDX

Admin Experience

Success Criteria Description Solution
Expense reduction Standardize on company-owned devices that can be sent to agents at a low cost Google Chromebooks
Protect from internet-based threats Increase security to protect their IP Citrix Secure Private Access
Reduce on-premises footprint Reduce on-going costs to maintain on-prem environments Citrix Cloud services
Zero Trust Network Access Remove VPN dependencies to allow agents to work remotely Citrix DaaS + Citix Secure Private Access
Protect from insider threats Protect customers information from zero-day attacks and malicious insiders Citrix Analytics for Security
Surge protection Scale quickly and efficiently when surges occur Citrix Autoscale
Managed endpoints Be able to manage the endpoints given to the agents Citrix Endpoint Management

Conceptual Architecture

Based on the preceding requirements, CompanyA created the following high-level, conceptual architecture. This architecture meets all of the preceding requirements while giving CompanyA the foundation to expand to other use cases in the future.


The architecture framework is divided into multiple layers. The framework provides a foundation for understanding the technical architecture for the mergers and acquisitions scenario. All layers flow together to create a complete, end-to-end solution.

At a high-level:

User Layer: The user layer describes the end-user environment and endpoint devices that are used to connect to resources.

  • Regardless of device, users access resources from Workspace app, resulting in an experience that is identical across every form factor and device platform.
  • CompanyA provides their agents with Google Chromebooks for a fast and easy onboarding experience. The Chromebooks are shipped directly to the agents and automatically configured on first logon.
  • End users are able to use peripherals such as headsets and webcams.
  • CompanyA wants to ensure that no data is stored on the device and can be removed in case the endpoint gets lost, stolen, or the agent leaves the company.

Access Layer: The access layer describes details surrounding how users authenticate to their Workspace and secondary resources.

  • Citrix Workspace provides the primary authentication broker for all subsequent resources. CompanyA requires multifactor authentication to improve authentication security.
  • Many of the authorized resources within the environment use a different set of credentials than the ones used for the primary Workspace identity. CompanyA uses the single sign-on capabilities of each service to better protect these secondary identities. For SaaS apps, the applications only allow SAML-based authentication, which prevents users from accessing the SaaS apps directly and bypassing the security policies.
  • Citrix Device Posture service enforces certain requirements that the end devices must meet to gain access to Citrix DaaS or Citrix Secure Private Access resources. CompanyA requires the ability to establish device trust.

Resource Layer: The resource layer authorizes specific SaaS, web, and virtual resources for defined users and groups while defining the security policies associated with the resource.

  • User has access to apps and desktops that are pertinent to their role.
  • CompanyA provides the necessary contact center applications through Citrix Workspace to their agents.
  • To better protect data, CompanyA requires policies that disable the ability to print, download, and copy/paste content from the managed resource to and from the endpoint. Additionally, a watermark should be embedded to protect from screenshotting and sharing with others.
  • CompanyA requires zero trust network access to resources with the use of managed Enterprise Browsers, isolated browsers, or virtualized sessions on managed or BYO devices.
  • HDX technology allows agents to have optimal user experience critical for voice and video communication.

Control Layer: The control layer defines how the underlying solution adjusts based on the underlying activities of the user.

  • Even within a protected Workspace resource, users can interact with untrusted Internet resources. CompanyA uses Secure Internet Access to protect the user from external threats from SaaS apps, web apps, virtual apps, and apps on endpoint devices.
  • With all of the policies in place to protect the users when working in a flexible environment, there are still risks. CompanyA uses the Security Analytics service to identified compromised users and automatically take actions to maintain a secure environment.
  • Citrix DaaS manages the authorization and brokering of the virtual apps and desktops.
  • Citrix Endpoint Management ensures that the administrators can manage the Chromebooks that are sent to the agents.

The subsequent sections provide greater detail into specific design decisions for CompanyA's contact center reference architecture.

User Layer

User Endpoints and Peripherals

CompanyA has decided to provision Google Chromebooks to their agents. This allows agents to standardize on one device. CompanyA uses Citrix Endpoint Management to manage the Chromebooks and to push the latest version of Citrix Workspace app for Chrome OS onto the Chromebooks.

Users only have to enroll the device on initial set-up. During enrollment, the appropriate applications and security policies are automatically applied and maintained. After that, agents access all their applications and desktops through Citrix Workspace.

A demo on how the agents enroll the devices can be found here.

End-users use approved Citrix Ready peripherals. CompanyA provides Sennheiser and Poly headsets to their agents.

Microsoft Teams Optimization

With a distributed workforce, CompanyA uses a Contact Center application that relies heavily on virtual conferencing using Microsoft Teams integration. By optimizing the way Microsoft Teams voice and video communication packets cross the wire, Citrix DaaS delivers a virtual meeting experience identical to that of a traditional PC. To learn more about Microsoft Teams integration and optimization, review the following:

Resource Layer

Contact Center Applications

When determining which contact center application they should standardize on, CompanyA wanted to ensure that the application was tested and validated for use with the Citrix and Google solution. The Citrix Ready Program provides technical support and resources to help 3rd-party partners complete their integration and earn the Citrix Ready validation designation. Below is a list of partners that have completed the validation process, along with some of those that we plan to compete testing soon.

The above is not a comprehensive list of contact center applications that work with Citrix.

Access Layer


Due to security concerns, CompanyA requires a strong authentication policy. CompanyA uses a 2-staged approach. Stage 1 is focused on securing the user's primary identity into Citrix Workspace with a contextual, multi-factor approach.


The authentication policy denies access if the device does not pass an endpoint security scan. The scan verifies that the device is managed and secured with corporate security policies. Once the scan succeeds, the user is able to use their Active Directory credentials and a TOTP token to authenticate. The stage 2 authentication scheme focuses on the secondary resources (SaaS apps, web apps, virtual apps and desktops). Almost every secondary resource requires authentication. Some use the same identity provider as the user's primary identity, while others use an independent identity provider, most common with SaaS apps.

  • SaaS Apps: For SaaS applications, CompanyA uses SAML-based authentication with Citrix Workspace acting as an identity broker for Active Directory. Once configured, the SaaS applications only allow SAML-based authentication. Any attempt to log on with a username/password specific to the SaaS app fails. This policy allows CompanyA to improve the strength of the authentication while making it easier to disable access due to a compromised user account.
  • Web Apps: The inventory of web applications in CompanyA all use the user's Active Directory credentials. For web applications, CompanyA uses a combination of forms, Kerberos, and SAML-based authentication to provide single sign-on. The choice between the options is based on the unique aspects of each Web application.
  • Virtual Apps/Desktops: For the virtual apps and desktops, CompanyA uses pass-through authentication from Citrix Workspace, eliminating the secondary authentication challenge.

The Workspace Single Sign-On Tech Brief contains additional information regarding single sign-on for SaaS, web, virtual apps, virtual desktops, and IdP chaining options.

Resource Access

CompanyA needs to consider how agents can access internal resources. Internal, corporate resources must be protected from untrusted and unsecured locations. To help prevent malware intrusion, devices are not allowed direct access to the internal network. To provide access to internal resources like private web apps, virtual apps, and virtual desktops, CompanyA plans to use Citrix DaaS and Citrix Secure Private Access. These two services use a zero-trust network access approach, which is a more secure alternative to traditional VPNs.

Citrix DaaS use the outbound control channel connections established in the data center deployed connectors. Those connections allow the user to remotely access internal resources. However, those connections are

  • Limited in scope so that only the defined resource is accessible
  • Based on the user's primary, secured identity
  • Only for specific protocols, which disallow network traversal

Control Layer

Citrix DaaS

CompanyA has chosen to use Citrix DaaS because it gives them the flexibility, they need to deploy resources from multiple resource locations from a unified management console. It also reduces the administrative overhead to deploy and manage their virtual apps and desktop environment. It allows them to minimize hardware costs and deploy DaaS resources. With Citrix DaaS, the Delivery Controllers, SQL Database, Studio, Director, and Licensing are the core components in the Control layer. These components are provisioned on Citrix Cloud by Citrix during the activation of the Virtual Apps and Desktop service. Citrix handles the redundancy, the updates, and the installation of these components.

More in-depth information on Citrix DaaS can be found here.

Service Continuity

It is important for CompanyA that their users don't experience lost productivity due to outages or cloud issues. Therefore, they have turned on service continuity within Citrix Cloud. Service continuity allows users to connect to resources that are reachable during outages or when Citrix Cloud components are unreachable. This functionality has given CompanyA peace of mind to ensure that even in the rare occasion of a cloud outage, their users are still productive. Service continuity improves the visual representation of published resources during outages by using Progressive Web Apps service worker technology to cache resources in the user interface. Service continuity indicates which resources are available during an outage.

Service continuity uses Workspace connection leases to allow users to access apps and desktops during outages. Workspace connection leases are long-lived authorization tokens.

More information on how Service continuity works can be found here.


CompanyA chose to deploy Autoscale to optimize cloud costs. Autoscale allows you to intelligently use, allocate, and deallocate resources.

CompanyA initially uses the following schedule based Autoscale parameters based on the typical workday:

Day Peak Times Off-Peak Times Machines Active
Weekdays 7am-5pm 5pm-7am Peak: 50% Off-Peak: 10%
Weekends 9am-6pm 6pm-9am Peak: 50% Off-Peak: 10%

To accommodate more users, CompanyA also enabled load-based scaling with the following parameters:

Day Capacity Buffer (Peak) Capacity Buffer (Off-peak)
Weekdays 20% 5%
Weekend 20% 5%

More information about Autoscale can be found here.

Secure Private Access

As users interact with SaaS, web, virtual, local, and mobile apps, they are often accessing public internet sites. Although CompanyA has an Internet Security Compliance class all agents must complete on a yearly basis, it has not completely prevented attacks, most often originating through phishing scams.

To help protect the agents and the organization, CompanyA incorporates Secure Private Access service and Security Analytics into their architecture.


Secure Private Access enables end users to safely browse the internet with a centrally managed and secured enterprise browser on managed and BYO devices. When an end user launches a SaaS or private web app, several decisions are dynamically made to decide how best to serve this application.


Citrix Endpoint Management


CompanyA uses Citrix Endpoint Management to manage the Chromebooks that are sent to the agents. CompanyA pushes Citrix Workspace to the Chromebooks which is the primary way that agents access their apps. The Secure Internet Access agent is also be pushed via Citrix Endpoint Management.

CompanyA also uses Citrix Endpoint Management to push the following device policies:

  • App Restrictions Policy: CompanyA uses this to restrict any applications that they don't want to allow on the company-owned Chromebooks
  • Control OS updates: CompanyA uses this to ensure that all endpoints are on a specific OS version. They use this to delay updates if needed.
  • Content device policy: CompanyA uses this policy to set their browser's home page
  • Restrictions policy: CompanyA uses this policy to set the following restrictions:
    • Disable printing-on
    • Disable proceeding from the safe browsing warning page-on
    • Safe browsing mode-on
    • External storage accessibility- Disabled

Security Analytics

CompanyA uses Security Analytics to mitigate and stop threats.

To help protect the environment, CompanyA uses Citrix Security Analytics to identity insider threats, and compromised users. Often, a single instance of a threat does not warrant drastic action, but a series of threats can indicate a security breach.

CompanyA developed the following initial security policies:

Name Conditions Action Reason
Unusual Access Log on from suspicious IP and access from an unusual location Lock user If a user logs in from an unusual location and a suspicious IP, there is a strong indication the user was compromised.
Unusual app behavior Unusual time of app usage and access from unusual location Request user response If a user accesses a virtual app at a strange time and location, there is the potential the user is compromised. Security analytics notifies the user to confirm if the user identifies the activity.
Potential credential exploits Excessive authentication failures and access from an unusual location Add to watchlist If a user has many authentication failures from an unusual location, it can indicate that someone is trying to break into the system. However, the attacker has yet to succeed. Only need to add the user to the watchlist.

User Feedback

There are no comments to display.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...