Deploy XenApp 7.x in AWS EC2 with PoC Leading Best Practises (Draft)

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops from AWS EC2 – https://aws.amazon.com powered by XenApp & XenDesktop 7.13+ & 7.15 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Minor updates include links 7.15 LTSR and not just 7.13 as of 30/12/2018

Shortened Names
LOCAL HOST CACHE – lhc
XENAPP – xa
WINDOWS – win
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hex
VIRTUAL APPS – va
VIRTUAL DESKTOP – vd
SERVER – srv
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
DATA TRANSPORT LAYER – eat
FIREWALL – f/w
ACCESS CONTROL LISTS – all
INFRASTRUCTURE AS A SERVICE – iaas
IDENTITY & ACCESS MANAGEMENT – aim

Reader Notice: This blog post is NOT completely finished and some parts are in draft format! I will continue to update it through-out April/May 2017!

Sample Virtual Desktop from AWS powered by XenApp 7.x
In this example my VPC is in N.Virgina, USA hosting my Citrix XenApp 7.x workloads which are been delivered to me transatlantic to London, England thanks to the HDX.


Link to my original Tweet from 29/04/2016 at – https://twitter.com/lyndonjonmartin/status/726122016621891584 close to the delivery of a UKI Citrix partner enablement workshop on delivering XenApp 7.x PoC from AWS.

What is AWS EC2?
It’s a division with-in Amazon that sells IaaS to customers for consumption. AWS is incredibly simple in my personal view BUT equally at the very same time it’s also an exceptionally powerful Public (IaaS) Cloud platform! IT departments within organisations of all shapes and sizes have an equal capability with AWS’s elastic virtual data centre capacity to rapidly design and implement a VPC to setup, configure and deploy workspace workloads of their choice within a few hours or days dependant upon there IT’s dept’s delivery & execution skillsets. Typing into Google.co.uk “AWS first year” reveals AWS’s first year was 2006 thats now over a decade’s worth of experience, maturity and continued on-going development and innovation. Check out – https://en.wikipedia.org/wiki/Amazon_Web_Services#History or brief history lesson.

Concepts of AWS
Most of what I’ve described below is available on the AWS “Getting Started” web page at – http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/GetStarted.html so be sure to read through-it.

Virtual Private Cloud (VPC)
Think of this as a virtual datacentre that created onto of AWS IaaS which allows you to create virtual networks (IP addr ranges, subnets e.t.c), deploy VM instances of different sizes for your required workloads and storage accounts to facility your organisations needs and requirements to potential optimise workload delivery, experience or DR scenario’s.

VM Instances Types
AWS provides traditional VM’s that you’d typically assign compute, storage type to on-prem as pre-defined instance types that vary in size and capacity to meet virtually most organisations workspace requirements in AWS. For an up to date list please check out –
https://aws.amazon.com/ec2/instance-types/.

Security Groups
Think of these as your traditional or virtual f/w’s ACL’s BUT now assigned against VM instance(s) within your VPC either individually or in a group, to control what traffic type e.g ports vs. protocol are allowed in/outbound. Check out – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group which also covers the standard “Default Security Groups” within your VPC that you can utilise and modify for your PoC.

*Availability Zones
A logical representation of one or more data centres facilities in a city, state/province/county or even country.

*Regions
Simply put its a Geo area and they are isolated form other regions for H/A. In a Citrix world a simple example could be to think of multiple sites (London, Paris, Oslo all built to N+1) managed using FMA 7.7+ Zones (Primary and Satellite) for H/A for geo area.

* http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

Identity & Access Management (IAM)
This one is quiet important to understand if you want to deploy your PoC with MCS provisioned XA VDA workloads in AWS from a master VM instance like you would traditionally on-prem with XenServer, Hyper-V, Acropolis or vSphere. Setting up IAM enables/allows Studio to communicate with the AWS EC2 cloud hypervisor to provision your VM instances –
http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html from your master VM instance in your VPC(s). If your not interested in deploying MCS workloads then skip learning IAM for now BUT please come back to it as it’s equally important as Security Groups for Pilot, UAT and PROD workloads in AWS with(out) Citrix workloads.

Suggested PoC Architecture
I tweeted the image at – https://twitter.com/lyndonjonmartin/status/854809306629361669 (its not intended to be accurate!) if you want a high resolution copy. Its intended to provide a high level only PoC deployment overview of delivering virtual apps & desktops (server) from AWS EC2 using Citrix XenApp 7.15 fronted by NetScaler Unified Gateway and or you can utilise Citrix Smart Tools – https://www.citrix.com/products/citrix-cloud/services.html to deploy blueprint to stand up a XenApp PoC in AWS.

AWS & Citrix Pre-requisites, System Requirements
The following provides an brief and selective overview of standing up the bare min requirements to delivery Citrix secure workspace workloads from AWS.

0. Amazon Web Services (AWS) (cloud) hypervisor support – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/system-requirements.html#par_anchortitle_8a90 &  https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/system-requirements.html#hosts–virtualization-resources.
1. Sign-up for a AWS EC2 account at – https://console.aws.amazon.com it will redirect you to the default AWS login and sign-up web page. You will need a valid credit card that you own and be sure to read through AWS terms & conditions, UAP e.t.c.
2. Once your have signed-up select a EC2 region i typically utilise N.Virgina as I expense this myself and it also makes for good tests locations of my Citrix workloads when testing out legacy vs. current vs. the latest HDX (3D Pro) technologies & innovations transatlantic from the US too the London, England :-).
3. Now that you’ve chosen or decided upon your region you’ll need to deploy your VPC – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html you can make use of the default AWS VPC configurations which you can easily modify as required to meet the needs of your PoC.
4. Now create a e.g Citrix VAD “Security Group” which acts as a firewall ACL controlling which ports/protocols and traffic by *.* or IP range(s)* e.t.c are permitted in/out bound of your VPC to your VM instance(s) associated to this security group so that the delivery of virtual apps & desktops is possible from VM instances running the Server VDA’s.

Suggested example Traffic flow from the Internet to a Virtual App & Desktop delivered by an EC2 Instance

– Untrusted network or public raw internet
– DMZ or edge of a network, network/vnet or (network) security group depending on your network deployment choice
– Trusted network or private secure network

WWW Internet Gateway Router VPC Availability Zone Security Group Network EC2 Instances

Suggested (Security Group – Mgmt. VM) Port Configuration for RDS access to your mgmt. VM running AD, DNS e.t.c

For this particular security group I’d strongly recommended that when you setup the security group you limit the access to a single IP addr or range that you know and trust RDS access to come from to your mgmt. VM sat in your VPC.

Protocol Port Inbound Outbound Internal VPC
TCP: SSH PuTTY (NS Mgmt. only) 22
TCP: HTTP (Internal Communication) 80
TCP: RDP/RDS 3389 * *

Suggested (Security Group – Citrix VAD) Port Configuration for Citrix Workloads to the World

The following table is actually more about the required TCP/UD Ports and dependant upon your deployment approach e.g with(out) a L2L IPSec VPN tunnel vs. NetScaler Unified Gateway i’ve decided for this section most of it available with the exception of a few which are a no no for external inbound access.

Warning once again caution this table ONLY represents primary PORTS typically required in a PoC and does not imply that you should use this as your ACL for your AWS security groups as you requirements for your particular PoC use case may differ from organisation to organisation! For a complete list of the ports and what they do please ref to http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/technical-overview/default-network-ports.html & https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/technical-overview/default-network-ports.html  .

Protocol Port Inbound Outbound Internal VPC
TCP: HTTPS (TLS) 443 * *
UDP: HTTPS (TLS) 443 * *
TCP: ICA/HDX Thinwire 1494 * *
UDP: ICA/HDX EDT or Framehawk 1494 * *
TCP: Session Reliability 2598 * *
UDP: Session Reliability for EDT only 2598 * *
UDP: HDX RealTime e.g Skype for Business 16500-16509 * *

5. Lunch an NEW single instance from the EC2 dashboard under “Create Instance” this will be your mgmt. VM “wdc01” for the PoC and AWS will guide you through the deployment process (wizard).
6. Select your VM instance type to be deployed in your default or custom VPC and a suggested example instance type to utilise could be a AWS “t2.medium” instance type. You can find a complete list available at – https://aws.amazon.com/ec2/instance-types/.
6. Assign the default storage or increase and you can add another HDD later.
7. Assign the RDS mgmt. security group ensuring that RDS is enabled to connect to your mgmt VM.
8. Allow the VM to provision typically up to 5 minutes (depends on time of day, location of your VPC) then decrypt the passwd
9. Login and utilise this as your mgmt. VM and install the following suggested roles e.g AD, DNS and CA (Optional) as a bare minimum once you’ve assigned it an internal private static IP addr prior to installing and configuring.
10. Check a folder called e.g “Share” on C:\ and enable file sharing to this folder for your domain admin account.
11. Navigate to https://www.citrix.com/downloads/xenapp-and-xendesktop/ and download the latest XenApp/XenDesktop version available which is as of 12/04/2017 7.13 and copy it to the C:\Share to be used later to install XenApp 7.13+ onto your XA worker.
12. Now repeat steps 5 through 9 to deploy another single VM instance which will be your XenApp PoC VM e.g “xad01poc” and assign the following suggested instance type “t2.large’ with the exception of step 7 where you’d assigned the default VPC security group and login via RDS to this VM from your mgmt. VM e.g “wdc01”.
12. Once its ready login to your mgmt. VM “wdc01” and RDS to “xad01poc” provide it with a custom or use the default hostname and AD domain join it.
13. After successfully domain joining it login and create a folder on the C:\ drive called “Temp” on “xad01poc” and copy the *.iso from \\wdc01\Share to it.
14. Right click on the *.iso and “Mount” the media and the autorun should display the splash screen and select “XenApp”.
15. Select to install the “Delivery Controller” checking all the features e.g Studio, Director, Controller, MS SQL Express, StoreFront, License server and all the required ports.
16. You have now setup a mgmt. VM and a XenApp mgmt. VM.
17. Install and bound SSL certificate on “xad01poc” to be able to utilise https to protect username and passed credential handling when accessing RfW.

Understanding Machine Creation Services requirements for AWS
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/manage-deployment/connections.html.

PoC Deployment of Virtual Apps & Desktops
Deployment Option 1 – NO MCS nor NetScaler UG & NOT SUGGESTED!!!
This option to be very clear is typically used to demonstrate the power of HDX from a public cloud e.g AWS and DOES IT WORK? Yes of course! I would strongly recommend that you don’t deploy your PoC with this approach but front it with a NetScaler UG but i’ve included it as I have covered this topic once before and sometime Citrix SysAdmins just want to test to see is it actually at all possible with little to know effort at all before actually deploying a PoC so I hope that this clears up this PoC deployment approach/path is messy and NOT SUPPORTED!!!!

1. Now also assign the Citrix VAD “Security Group” to “xad01poc” VM.
2. Re-mount the *.iso media if required and on the installation splash screen select to install the Server VDA choosing to enable existing connections selecting “Enable Remote PC Access” the VM will restart a few times which will take circa up to 5 minutes while the VDA installs.
3. Once the VDA is installed successfully launch “Studio” and complete creating a Site, machine catalog and delivery group based upon “xad01poc” VM.
4. Modify the SFS default.ica file for your default Store to include a line to utilise your external dynamic static IP addr and check that your Windows f/w rules are correctly configured to allow in/out bound access based upon the Citrix VAD “Security Group” or you can open the downloaded file you receive post login and modify the internal private static IP addr to the “xad01poc” VM’s dynamic public IP addr assigned by AWS and you should be able to launch your virtual app or desktop. Note: You’ll need to do it for each app or virtual desktop and if you modified the default.ica file with dynamic IP each time you stop and deallocate the VM you’ll need to modify the file again unless you utilise a AWS static public IP addr which is chargeable cost per month!
5. Navigate to https://xad01poc-dynamic-public-ip-addr/Citrix/StoreWeb/ with Citrix Receiver install on your Windows, Mac or Linux end-points and login as a domain admin or user and launch a virtual app or desktop that you’ve published.
6. Test the vitual app and our desktops performance by playing YouTube movie trailers here is fav one of mine – https://www.youtube.com/watch?v=sGbxmsDFVnE or download Google Chrome and publish it and access https://p3d.in. You’ll notice I have not mentioned what HDX graphics mode why? It should provide a good UX out of the box with 7.13+.
7. Shutdown and turn off your VM’s within your AWS VPC when finished to save costs. You will be billed for storage on-going e.g GB that you’ve consumed but I have to say its a very low cost per GB.

Deployment Option 2 – No MCS but fronted by NetScaler UG
Coming…

Deployment Option 3 – With MCS Workloads fronted by NetScaler UG
Coming…

Deployment Option 4 – Powered by Citrix Smart Tools (Notice some offers have been deprecated in 2018)
0. What is Smart Tools? Watch https://www.youtube.com/watch?v=RUTL1X_nBSg. I won’t expand on this topic more than what I have below for this particular blog post otherwise its going to get quiet length but I have to say you should explore Smart Tools post testing/deploying an AWS XenApp PoC.
1. Sign-up to Smart Tools Service at https://citrix.cloud.com/.
2. Create an AWS EC2 resource location with the Smart Tools Connector (formerly CLM our Lifecycle Management Connector) – https://manage-docs.citrix.com/hc/en-us/articles/212713903 and also please read – https://manage-docs.citrix.com/hc/en-us/articles/212713923 & https://manage-docs.citrix.com/hc/en-us/articles/212713963-Add-an-Amazon-Web-Services-resource-location.

3. Read the Blueprint available which explains deploying a blueprint to deploy workloads on AWS at – https://manage-docs.citrix.com/hc/en-us/articles/212714483-Deploy-a-blueprint-to-an-Amazon-Web-Services-resource-location which should give you a decent overview.
4. Download or read online the following getting started PoC guide for XenApp on AWS powered by Smart Tools Service (Smart Build using as Blueprint) available at the following URL with step by step instructions and images – https://docs.citrix.com/content/dam/docs/en-us/lifecycle-management/downloads/get-started-lifecycle-management-aws.pdf.

Leading Best Practises
1. Review the content available at – https://www.citrix.com/global-partners/amazon-web-services/xendesktop-on-aws.html
2. The number one AWS resource to check first and foremost is the AWS Well-Architected microsite at AWS EC2 at – https://aws.amazon.com/architecture/well-architected/ to help you get started. You should also understand how IAM in AWS works so be sure to check out –https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html.

Notes from the field
1. The number one leading best practise is “Shutdown and turn off your VM’s within your AWS VPC when finished” to save your own personal costs incurred and or your organisations costs that maybe incurred.
2. You do need a suggusted intermediate knowledge level of AWS EC2 and Citrix in order to deploy virtual apps & desktops CORRECTLY I personally believe to ensure that those testing on your behalf actually are getting the correct HD or balanced experience to ensure a successful PoC. I’ve many misconfigurations in a variety of areas since 2015.
3. Take a look at using Citrix Smart Tools as an enabler to help you with XenApp environment(s) on AWS – https://manage-docs.citrix.com/hc/en-us/articles/213723663-Create-a-XenApp-and-XenDesktop-production-deployment-on-AWS.