Category Archives: NetScaler Gateway Service

Accelerate migrations to the Gateway Service

In recent article “Accelerate migrations to the CVAD Service” – http://axendatacentre.com/blog/2021/09/30/accelerate-migrations-to-the-cvad-service/ I explored and shared how to accelerate and migrate an on-premises Citrix Virtual Apps & Desktops (CVAD) environment to the CVAD Service from a field perspective working with customers in the City of Greater London – England. Often another prominent and common question rears its head how do I migrate to your Gateway Service, how does the Gateway Service differ from the a traditional Gateway physical or virtual appliance deployment strategy?

There are handful of migration strategy’s to moving to the Gateway Service from an on-premises Gateway V/A environment:

Start A-Fresh
If you have a IT team that is battling with the economics of time, restricted financial budget(s) for projects, doesn’t have the required Citrix ADC networking skill sets due to M&A activities or people movements e.t.c then reset and restart by standardising and unlocking the IT and Employee affordance of the Citrix Gateway Service which is a turn-key service in the Citrix Cloud Platform and enabled by default for any “New” Citrix Cloud RL’s out of the box.

Evaluate & Pivot
There are a handful of very important technology and business reasons why you would want to pause before exciting this strategy, before adopting the Gateway Service for the CVAD Service.

  1. Your existing Citrix ADC utilises the Unified Gateway capabilities e.g it supports SSO with modern authentication e.g Google OAuth, OKTA or ADD SAML to Web, SaaS, Intranet web apps, Clientless apps through a universal portal and delivered through the Citrix ADC. This strategy is likely the most complex to evaluate before you pivot to the Gateway Service and typically requires a workshop to understand how the ADC is been used, what if it wasn’t there and what other ADC functions and features are been utilised e.g EPA scanning – http://axendatacentre.com/blog/2016/11/14/setup-pre-authentication-endpoint-analysis-epa-policy-with-an-azure-netscaler-unified-gateway-11-x-n/ or your performing advanced load-balancing of internal web vs. apps servers to employees e.g Finance systems.
  2. Another is reasonable or sensible reason to pause and evaluate is if you are running a fleet of Citrix ADC V/A’s managed by Citrix Application Delivery Management (ADM) V/A on-premises BUT which is regularly feed and watered then migrating this ADM configuration to the ADM Service in the Citrix Cloud platform aides in reducing the IT administrative and technical debit of managing an on-premises control plane for Citrix ADC Networking while retaining the status quo of remaining as is but enabling smart and not harder administration.
  3. The final potential reason to pause could be that you deploy and run you’re own Regional e.g Northern Europe vs. GEO e.g EMEA vs. Global Point of Presence (POP) in which you deploy and manage your own Private DIY style Gateway POP fabric globally using different clouds providers for economical costs, employee experience to reduce latency or Hybrid Mulit-Cloud resiliency for Disaster Recovery (DR) and Business Continuity. In these scenarios understand could you shift the purely the Gateway (ICA Proxy) only functionality for secure remote access for CVAD workloads to the Gateway Service and leave the existing ADC + ADM deployment to load-balance, accelerate and protect web, app servers and SQL databases.

Automate & Migrate
Current existing Citrix ADC virtual appliances (V/A) are only utilising the Gateway functionality for ICA Proxy enabling secure remote access to apps and data anytime, anywhere on any device. This strategy considerably reduces CAPEX and OPEX expenditures over a contract term reducing costs licensing the V/A; Premium Hypervisor (Optional); VM Instance costs – (v)CPU, RAM and HDD (IaaS vs. Other Cloud); Complexity of IT logical costs e.g Identity and Access Management (IAM), IP traffic routing e.t.c. This strategy significantly reduces the IT administrative and technical debit through a smile and single “Toogle” per Citrix Cloud Resource Location (RL) – https://docs.citrix.com/en-us/citrix-gateway-service/support-for-citrix-virtual-apps-and-desktops.html#enable-the-citrix-gateway-service, by default now the Gateway Service is enabled for all “New” Citrix Cloud RL’s out of the box.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Accelerate migrations to the CVAD Service

A question I’m often asked in the field is how do I get to the Citrix Virtual Apps and Desktops (CVAD) Service at pace or more importantly on my own terms?

The answer can be simple and complex at the same time the previously consultant in me says now says “well it depends”. The challenge with the tag line of “well it depends” often can lead to assumptions like migrating from an on-premises CVAD environment to the CVAD Service is a long and lengthy process that’s cumbersome, however today it couldn’t be further from the truth.

I have worked with many a customer that rotated to the CVAD Service in less than a month to keep either business operations continuing at a time when a crisis hit or a number of impending mergers where occurring and they needed an agile and flexible IT delivery strategy which Citrix Cloud platform is well placed to facilitate and orchestrate bringing together many different workload types in any cloud type – private, public, hybrid and most importantly hybrid multi-cloud environments.

How did these customers achieve this feat? Before I get there remember there is a lot more that needs to be consider with a traditional CVAD deployment (install, upgrade etc), requiring multiple teams to be engaged simultaneously as one (a huge feat in itself which rarely works well as a well oiled machine) from IT to InfoSec, Network and Security teams e.t.c, when you pivot to the Citrix Cloud platform you’re moving to a combination of SaaS (Gateway Service) and PaaS (CVAD Service) and equally removing a fair amount of unnecessary technical and culture debit + resistance. The lost time and productivity due to culture resistance to changing operating models and moving to the CVAD Service cannot be measured but is by far the biggest barrier in my personal field perspective. 

So how can you narrow the economic’s of time of getting to the CVAD Service? Citrix built and released an incredibly powerful tool called the “Automated Configuration Tool” or ACT for short, which allows for the exfiltration of your CVAD operational business logic which can be exported then evaluated and imported into your CVAD Service tenant in the Citrix Cloud by your chosen region e.g https://eu.cloud.com/. Light Bulb moment!

I previously wrote this article in http://axendatacentre.com/blog/2020/11/07/citrix-virtual-apps-desktops-or-cvad-service-migration-strategies/ – “Citrix Virtual Apps & Desktops or CVAD Service Migration Strategies” and the above and below expands upon this brief article from 2020, due to personal circumstances I stepped away largely from many communities and activities.

There are three migration strategy’s to moving to the CVAD Service from an on-premises CVAD environment:

Start A-Fresh
A complete re-evaluation of policies – employee experience vs. security, provisioning strategy. This strategy is wise if you’re well unfamiliar with new enhancements in a multi-dimensional way and been honest with that yourself your CVAD on-premises environment has not been well looked after e.g feed and watered. 

Evaluate & Pivot
Migrate only key business operational IT logic requirements e.g. policies – employee experience vs. security and rebuild Machine Catalogs based upon you’re net new provisioning strategy e.g. MCS from PVS to support hybrid multi-cloud portable workloads. This strategy implies that you keep your on-premises CVAD environment feed and watered often and updated at minimum once every 12 months.

Automate & Migrate
Ingest the entire business operational IT logic from Machine Catalogs, Delivery Groups, Policies and Zones into the CVAD Service from your on-premises e.g. CVAD 1912 Long Term Service Release (LTSR) environment or preferred Current Release (CR) provided that this environment has been well looked after proactively. You will still require a brief evaluate phase during the migration as part of good leading practise and hygiene. 

To get started with how-to use and get the ACT tool checkout this useful Citrix TechZone PoC guide/article – https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/citrix-automated-configuration.html.

Finally the simplest and most powerful strategy is to not move any business operational IT logic at all to the CVAD Service initially but you leverage the power of “Affordance” or the appearance of providing the employee with the Citrix Workspace experience vs. StoreFront but technically nothing has changed, all that you are doing is changing the access the lens/portal to be Citrix Workspace. This strategy is fundamentally critical in enabling IT to pivot to the CVAD Service on there own terms as once the employee culture or shock has worn off with this new looking interface IT can in the background begin to use things like the ACT to migrate to the CVAD Service on there own terms and then equally shift there existing ICA proxy configurations to a turn-key SaaS operating model by unlocking the Gateway Service in the Citrix Cloud for the CVAD Service and many others Citrix Cloud Services e.g Secure Workspace Access, the Gateway Service in the Citrix Cloud platform is the default how-to access CVAD workloads, but if you still prefer an on-premises Citrix (ADC) Gateway V/A it’s a case of toggling off the Gateway Service. Customers choose to keep there Citrix ADC V/A for many different reasons and still highly relevant use cases and business or security and governance requirements.

To learn more about the “Site Aggregation” check out – https://docs.citrix.com/en-us/citrix-workspace/add-on-premises-site.html to get stated and to begin your pivot to CVAD Service on your own terms.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Citrix Workspace app is released Hello World

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Introduction
What is Citrix Workspace app? It brings together all your LOB tools which in todays modern world consists of (virtual/micro/installed/mobile) apps, SaaS, desktops & content. I’ve embedded a sample of what this actually looks like below.

Overview
The new Citrix Workspace app way more than purely an upgrade of Citrix Receiver e.g grey to blue icon and a skin change, this NEW Citrix client app release is simply extraordinary, working for Citrix I can be considered bias however once you actually begin to consume the Citrix Workspace app you’ll understand exactly what I mean. Citrix Workspace app is for me all about an experience, and that experience is extraordinarily AWESOME! As I begin consuming my LOB (Line of Business) tools wherever I am + want and in a setting/context that suites me (home, Paddington vs. partner offices, trains, taxi e.t.c) the chosen LOB tool delivered context can change dependant upon criteria (I won’t be covering this today) or how IT (say YES!) has chosen to deliver the LOB tool through Citrix Access Control Service – https://docs.citrix.com/en-us/citrix-cloud/access-control/get-started.html.

I now have all my content available all in the same AWESOME app thank you Citrix Content & Collaboration aka ShareFile. I can upload, download and even favourite particular content e.g “L-J’s H1/2 Citrix Partner Tech Super Deck” which is then available directly from the home view/tab. In the below example I am uploading the LeasePlan Citrix SD-WAN case study – https://www.citrix.co.uk/customers/leaseplan-en.html and the actual video is available at – https://www.youtube.com/watch?v=4Hq-yryxfS0 take a look and remember to listen to the outcomes Citrix SD-WAN provides LeasePlan.

How do I get started today?
Firstly I will do a more detail blog post on getting it all up and running with use cases time dependant of course.

1.Start by navigating to https://docs.citrix.com/en-us/citrix-workspace-app.html and then goto Citrix.com and login with your access details, next navigate to https://www.citrix.com/downloads/workspace-app/ and download Citrix Workspace app for your chosen end-point. If you are running a TP of Citrix Workspace app code base please UNINSTALL it prior to installing the GA production code base as a few community individuals I know had issues upgrading from TP code base. I would like to state for the record I upgraded from PRODUCTION Citrix Receiver to the Citrix Workspace app for Mac 1808 on my Mac without ANY issues see below tweet.

2. Please carefully read the System Requirements for your chosen platform here is the link for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/system-requirements.html and Windows https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/system-requirements.html.

3. Review the installation guidance for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/install-configure.html and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/install.html.

4. Please carefully read the configuration of Workspace app for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/configure.html
and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/install.html e.t.c. for other platform and if you are looking for multi-monitor support or Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/improve-user-experience.html#using-multiple-monitors for Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/improve.html#multi-monitor-support, and securing communications between Workspace app and your StoreFront for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/secure-communications.html and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/secure-communication.html (Pay attention to deprecated cipher suites node) and finally if your are you a Smart Card user pay attention to the recitations at the bottom of both docs for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/requirements-for-smartcard-authentication.html and for Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/authentication/config-smart-card.html and for WIF 5.4 (yes I know really however some of you still may need it while your upgrading to XAD 7.x platform) https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/secure-communication/config-smart-card–for-web-interface.html.

5. Sign-up vs. Login to Citrix Cloud today and trial vs. acquire a Citrix Cloud service e.g ShareFile Service or the XAD Service and if you want to aggregate on-premises LOB apps into the new Citrix Workspace experience then setup “Site Aggregation” today. To learn how please read this CTXS blog post and watch the embedded YouTUBE video which provides a how-to overview at – https://www.citrix.com/blogs/2018/08/03/site-aggregation-for-citrix-workspace-is-now-ga/.

Thats all folks for now on the technical overview its brief I know so I will follow-up in future with more detailed overview + how-to e.t.c either here or on the https://www.mycugc.org website in the experts area.

Upgrading to Citrix Workspace from Citrix Receiver for smart devices

In Closing
I work for Citrix, I have been a Citrix + IaaS advocate for well over a decade (now SD-WAN swell) so I am mostly likely bias you’ll think however Citrix Workspace app is truly AWESOME and way more than what you see at a glance, I encourage you all to begin consuming it today to see for yourself just what I am talking about and why I personally say its “AWESOME“.

Session Watermarking for App & Desktop Security by Citrix XenApp & XenDesktop 7.17 or #CitrixCloud

The following content is a brief and unofficial prerequisites guide to setup, configure and deploy Session Watermark policy feature with the XenApp & XenDesktop Service (April 2018) or XenApp & XenDesktop 7.17 on-premises prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
SECURITY – sec
NETSCALER – ns
NETSCALER GATEWAY SERVICE – nsg service
WINDOWS – win
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad

Introduction to “Session Watermark”
The latest release of the XenApp & XenDesktop Service powered by Citrix Cloud or if you are performing a private cloud (on-premises) upgrade or net new installation of XenApp & XenDesktop 7.17 has some NEW features (another post brewing) and one that I have been waiting on for quiet sometime now has not finally arrived (WAHOO!) and its VERY VERY simple to configure and aids in improving your security posture (I believe) for delivery of apps & desktops powered by Citrix against e.g IP theft. In the below tweet can you see it?

The above is from my initial tests using a Windows Server 2016 VM hosted in Azure Northern Europe region running the 7.17 VDA configured to my Citrite #CitrixCloud XenApp & XenDesktop Service so I did not need to upgrade anything to get this new SHINY cool feature yes I said it SHINY. All I was required to do was deploy a new Windows Server 2016 VM from the Azure marketplace, domain join it, install the VDA and connect it to my Cloud Connector and I was ready in less than 25 minutes from initially deploying the VM from the marketplace.

Finally on a personal note for me Citrix SysAdmins enabling the “Session Watermark” feature obviously initally tested in a safe environment e.g UAT with a few users from a couple of departments and then rolling it out into production (as when/how your ready) will be making IT the modern “App & Desktop Security Heroes“. IT can apply and configure these new policies to be the most right vs. relevant for your organisations security needs while not hindering the end-users Rich HD eXperience.

Session Watermark Policies
You have 8 watermarking policies to apply with the 9th one enabling this security capability or feature set with the following list of quirks, suggested policy configuration and more available at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/policies/reference/ica-policy-settings/session-watermark-policy-setting.html.

Before we get started it is worth mentioning that this feature does add an overhead to the compute on the backend (VDA side) and therefore it is suggested to enable up to two water marking features or items. In my overview of this feature I will wont cover off the cost of implementing this security policy as there are multiple variables to consider e.g HDX Graphics Mode and associated policies to provide the right vs. relevant end-user experience vs. how many watermark items do I apply? I have begun testing so bare with me and I’ll publish my findings either on my personal blog here or on https://www.mycugc.org under the “Expert Insights” area.

Enable session watermark
By default this feature is DISABLED as the default behaviour which I believe is the right approach considering its Citrix’s initial release of this #security feature (in my personal view) and secondly online documentation at eDocs suggested recommendations it to enable NOT more than two watermark text items. Finally * indicates that this policy is DISABLED by default when Session Watermark is enabled.

Include client IP address
* This is the IP addr of the device connecting to the virtual app & desktop.

Include connection time
* Utilises the following format yyyy/mm/dd hh:mm to display the users initial connection time to there virtual app or desktop.

Include logon user name
ENABLED by default when you enable Session Watermark as a policy and uses the following format USERNAME@DOMAINNAME is most optimise for 20 characters or less otherwise truncation might occur of the users logon username.

Include VDA host name
ENABLED by default when you enable Session Watermark as a policy and provides the VDA hostname e.g ne1vad01

Include VDA IP address
* Provides the internal IP addr that corresponding the VDA’s hostname e.g ne1vad01 = 10.1.0.7

Session watermark style
ENABLED by default using “Multiple e.g displays five watermark labels” when you enable Session Watermark as a policy or you can configure “Single e.g displays a single watermark label in the centre of the session“. TIP switching to SINGLE and sticking to two watermark text items for me in my initial tests is a good starting policy however time will tell as I continue to test out this new feature and its capabilities with different HDX Graphics Modes and associated tweaks.

Watermark custom text
* A unicode maximum of 25 characters is supported if you exceed this limit it will be truncated.

Watermark transparency
ENABLED by default set to “17 out of 100” when you enable Session Watermark as a policy, personally I think setting it to just 1 is fine in my initial tests as you want it to be not so in your face to the end-users to be bluntly honest.

2017 UKI #CitrixPartnerLove Challenge #6 Traffic Flows

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at https://lnkd.in/dN74-97 to print.

Deploying & Understanding the NetScaler Gateway Service from Citrix Cloud

The following content is a brief and unofficial prerequisites guide to better understand NetScaler Gateway Service from Citrix Cloud test delivering virtual apps and desktops powered by XenApp & XenDesktop Service prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
NETSCALER GATEWAY SERVICE – nsg service or ngs
CITRIX CLOUD CONNECTOR – connector
NETSCALER – ns
HIGH-AVAILABILITY – h/a
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
CITRIX CLOUD – cc
INFRASTRUCTURE AS A SERVICE – iaas
VIRTUAL APPLIANCE – vpx
USER EXPERIENCE – ux
ICA PROXY – hdx proxy

Introduction & Overview
The NetScaler Gateway Service is a simple, clean. effortless and but most importantly a powerful way to demonstrate the power of Citrix Cloud by providing secure remote access to your HDX virtual apps and desktops from your resources location over the internet (https) securely. While this service is very very powerful & simple to implement and use, you should under the keep in-mind that NS VPX/MPX/SDX is fully featured vs. the NSG Service which is focused on delivery of HDX virtual apps & desktops! So in summary when implementing service undering what is right vs. relevant for the customer needs and requirements is very important. Finally you can read more about the service and its benefits at https://www.citrix.com/products/citrix-cloud/services.html.

+Enabling the NetScaler Gateway Service
1. Login to https://citrix.cloud.com
2. Select to Manage your XAD Service which will take you to https://xenapp.cloud.com/.
3. Select from the drop down menu “Service Delivery” which is beneath the top menu item displayed “Service Creation
4. Now Select to toggle “ON” and choose to use the NSG service (preferred for blog article only) or your own NetScaler (Unified) Gateway at your resource location and if you enable to the NSG Service you can choose to check the session reliability (2598) checkbox.

The UX
Users connect to https://.xendesktop.net and then login using there AD UPN domain credentials e.g lyndon-jon@x1co.eu and the user’s credentials are encrypted through-out the login process. User’s can equally choose between using a full Citrix Receiver (HDX Optimisation Pack 2.x.n for offloading Skype for Business 2015-2016) vs. HTML5 Receiver (HTML5 compliant internet browser) experience by selecting their username in the top right hand corner and selecting to “Change Receiver” to their preferred choice of Receiver. It also important to set the correct +HDX Policy to get the best UX that is good and balanced (backend vs. network vs. client connected device) so I’d suggest that you implement HDX Adaptive Display v2 by selecting the following policy entitled “Use video codec for compression” and select the following option “For actively changing regions” and thereafter tweak the frame rate and adjust the Thinwire color depth support as described at http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/whats-new.html#par_anchortitle_59c9 and you can also read more about benefits and a YouTUBE demostration on HDX Adaptive Display v2 at the following blog article I wrote in 2016 at – http://axendatacentre.com/blog/2016/10/01/foractivelychangingregions/.

HDX Traffic flow of the NSG Service
Please note that traffic flow is based upon the diagram avaiable at – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/netscaler-gateway-as-a-service.html as of Jan 2017.

1. User MUST login into cloud hosted StoreFront e.g https://.xendesktop.net. There credentials are securely handled please refer to – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html to understand the traffic follow.
2. Once the user has authenticated successfully he/she can select to launch a virtual app or desktop.
3. User connects to the NSG Service powered by Citrix Cloud
4. Traffic is securely brokered to the Connector in your resource location that is severing up the user’s selected virtual app or desktop or both from the server or desktop VDA.

Tech Overview of the NSG Service
1. The Citrix Cloud NetScaler Cloud Gateway service on your Connector allows and provides the secure remote access feature of the NSG Service from your chosen resource location. I have written a blog article about the Connector services and leading best practises which you can read at – http://axendatacentre.com/blog/2017/01/27/understanding-the-citrix-cloud-its-services-architecture-connectors/.
2. To ensure high availability you should always deploy at a min a pair of Connectors within your resource location and increase the compute capacity of your Connectors as user demand increases initially and thereafter deploy another Connector based upon usage of service.
3. *To use the NSG Service you MUST configure to use the cloud-hosted StoreFront provided by Citrix Cloud under “Service Delivery” tab at https://xenapp.cloud.com/delivery.
4. The NSG Service only supports HDX Traffic only and the service is currently only available on Eastern, Western coasts within the USA and in Europe so for those users accessing virtual apps and desktops via the NSG Service outside of these geos or not in close proximity to an entry point will experience higher latency so tweak your HDX policy(s)+ accordingly or deploy a NS VPX in your resource location.
5. ICA files are STA signed the below example is a small snippet from my own PoC and testing*. I have also intentionally scrammed some of the unreliable text to :-).

Sample ICA file
My Azure vDesktop $S19-38]
Address=;40;CWSSTA;9D09CE5552BDE4581E888CD87EEEEFC
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPSecurityTicket=On
ClearPassword=5FFE184444B0A0
ClientAudio=On
ConnectionBar=1
DesiredColor=8
DesiredHRES=4294967295
DesiredVRES=4294967295
DesktopRestartAllowed=1
Domain=\78034E8888586B61

The NSG Service currently does not support and or is limited as of writing this blog article in Jan 2017 and based upon the embedded Twitter image – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/netscaler-gateway-as-a-service.html. Finally please remember that Citrix Cloud is consistently been updated and upgraded with new feature so please please refer to the online documentation and the service overview of Citrix Cloud even a day after posting the blog article as it may become out of date! You’ve been warned!

6. No support for Unified experiences (e.g Branding with your logo, colour scheme).
7. No support for Two Factor Authentication.
8. No support for authentication via outbound proxies for access outside of the resource location over the internet.

Citrix Cloud – NetScaler Gateway Service (NGS) Offering
You can find out more about the NGS subscription options which is avaiable at – https://www.citrix.com/products/citrix-cloud/subscriptions.html#tab-41499 and the service overview at – https://www.citrix.com/products/citrix-cloud/services.html#tab-23235

Understanding the Citrix Cloud, its Services, Architecture & Connectors (Draft)

The following content is a brief and unofficial prerequisites guide to better understand Citrix Cloud, Connector technology and the overall architecture required to setup, configure and test delivering virtual apps and desktops powered by XenApp & XenDesktop Service prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
HIGH-AVAILABILITY – h/a
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
CITRIX CLOUD – cc
INFRASTRUCTURE AS A SERVICE – iaas
CITRIX CLOUD CONNECTOR – connector

The Three Primary Cloud Types (Draft Section)
Firstly i’d like to provide my definition of public, private vs. hybrid cloud and in my personal view things like SaaS, PaaS have naturally been spin out or off from IaaS e.g Public Cloud.

Public Cloud is whereby a ISP provides you with SPLA licensing (OS, Application, Service), compute, storage and network capabilities which in turn enables you to create your very own VM instances running in a virtual datacentre on the ISP’s h/w and example providers may include AWS, Azure, Google Cloud Platform e.t.c

Private Cloud is where you the organisation owns there own OS, Application or Service licenses as well as the physical hardware that allows you to create your own VM instances within your virtual datacentre. In this scenario the h/w is could (a) be purely Colocatied (Colocation) at ISP with or without managed services over and above the Colocation and example providers could include Rackspace, Qubems, Peer1 or (b) your h/w is hosted within your own custom and purpose built data centres facility or comms room dependant upon the organisations size and IT/Technology requirements.

Hybrid Cloud is when public and private clouds are connected securely over a IPSec R/A, L2L or SSL VPN connection.

What is and how Citrix Cloud works
Citrix Cloud is an evergreen, managed control plane from Citrix that provides the traditional Citrix management technologies to delivery e.g Virtual Apps & Desktops as Services thereby reducing overhaul management updates & upgrades. This means that Citrix is responsible for the availability of your Citrix management infrastructure in there Control Plane including ensuring that it is on the latest up to day and production version of e.g XAD to deliver DaaS and or virtual apps. Citrix customers and partners are responsible for what is known as a resource location which is where your apps, network and data resides and can exist in a public, private or hybrid cloud deployment scenario and each resource location is securely connected to the control plane using the Citrix Cloud Connector which initiates an outbound HTTPS connection so your completely in control of your apps, network & data within your resource location(s) at all times.

If I have not technically explained what is and how Citrix Cloud works successfully then please feel free to watch the below embedded YouTUBE video.

Please note that Citrix Workspace Cloud is now know as Citrix Cloud

Citrix Cloud Services as of Jan 2017
The following is my own technical spin/view of each of the Citrix services you can review the Citrix official view of each service at – https://www.citrix.com/products/citrix-cloud/services.html.

XenApp and XenDesktop Service – HDX virtual app & desktop delivery from any supported resource location running server/workstation VDA(s) while all the XenApp/XenDesktop mgmt infrastructure (Studio/Director) resides in your tenant/account at https://citrix.cloud.com.

XenMobile Service – Deploy Secure Apps (MAM), MDM to control your organisation devices with no need to deploy the XenMobile v/a even at your resource location all you need is either an IPSeC VPN tunnel or the Connector to enumerate users in AD to be assigned to delivery groups.

ShareFile Service – Follow-me data now controlled within one WebUI.

NetScaler Gateway Service – Provides a simple and easy deployment method to gain external remote access to virtual apps & desktops from your resource location(s) via the Citrix Cloud Connector.

Smart Tools Service previously Lifecycle Management – Design, build, automate, auto check & update your resource locations with Citrix validated blue prints.

Secure Browser Service – Provides a secure remote virtual browser(s) to access web (internal vs. external), SaaS apps from the Citrix Cloud with zero configuration, with only a link to access your published web apps via the HTML5 Receiver.

Citrix Cloud Labs – My personal favourite as this area of Citrix Cloud allows you get to test out some of the latest Citrix Innovations from our Labs team as services e.g AppDNA Express; Citrix Provisioning for Microsoft Office 365; IoT Automation; Citrix Launch for Microsoft Access; XenMobile MDX Service and Session Manager

Connector Architecture & Security
The following diagram depicts the H/A deployment of Citrix Cloud Connector for use with the XenApp and XenDesktop Service from Citrix Cloud. Please note that this is a simple architectural diagram that does not include a NetScaler in resource location so the assumption is that you users will connect to their virtual apps and desktops either from within the actual Resource Location or via the NetScaler Gateway service hosted and managed by Citrix Cloud. My personal preference is to leverage a NetScaler physical or virtual appliance within your resource location as the benefits of a NetScaler far exceed and go above and beyond that of a simple ICA Proxy gateway for XenApp/XenDesktop. Perhaps a follow-up blog article why I presume NetScaler in the resource location from my personal view point only or I may decide to update this blog article.

To better understand how to best secure or harden your Cirix Cloud implmentation and its services please refer to – http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/secure-deployment-guide-for-the-citrix-cloud-platform.html for leading best practises, process & procedures and configuration requirements.

Citrix Cloud Connector
The following is deep dive overview of Citrix Cloud connector technology for all the services with the exception of the Smart Tools service which leverages its own connector which is used to check your Citrix workloads, scale up/down and or even build or tear down workloads in resource location(s) via blueprints.

Installation & Troubleshooting
You must download and only install the Citrix Cloud Connector for your resource location from “Identity and Access Management” that matched your domain forest, don’t mix and match these! The installation is fairly straight forward and simple as descriobed and outlined at http://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector/installation.html, once the installation completes wait for the connectvity test to pop-up and complete successfully prior to navigating back to Citrix Cloud to validate that the Connector has scuessfully registered with Citrix Cloud+.

You can also perform automated installation leveraging the following command line arguments when installing the Connector “CWCConnector.exe /q /Customer:Customer /ClientId:ClientId /ClientSecret:ClientSecret /ResourceLocationId:ResourceLocationId /AcceptTermsOfService:true.

Although the Connector communicates outbound on HTTPS 443 it make also require one or more of the following ports outbound only as described at – http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/secure-deployment-guide-for-the-citrix-cloud-platform.html for one or more of the Citrix Cloud Services so please consultant the documenation for each Service carefuly for high security enviroments to ensure that the organisations firewall ACL’s for the PoC are correctly configured.

You can install hypervisor tools, anti-virus software (Tested as of 26/10/2016++ McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.8) on your VM instances that have the Citrix Cloud Connector technology installed however it is not recommended to install any other software or unnecessary system services nor should you allow any domain users access unless they are a Domain or System administrator of the Citrix environment. In summary treat these Connectors as you would your XAD Controller(Broker).

The installation logs are available at “%LOCALAPPDATA%\Temp\CitrixLogs\CloudServicesSetup” and post the installation its consolidated to the following location “%ProgramData%\Citrix\WorkspaceCloud\InstallLogs“.

Understanding Credential Handling
Coming…http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html

Monitoring your Citrix Cloud Services
1. http://status.cloud.com/ is your friend and will provide you with vital up to date information about the Citrix Cloud platform (control plane or SaaS tier) and each of its Services e.g XenApp and XenDesktop Service or Smart Tools.
2. Monitor the following Connector services described below ++
3. The leading best practises is for the Citrix Cloud Connectors to not be offline longer than two weeks as the connectors are regularly updated from Citrix Cloud with the latest updates (Evergreen) which is why each resource location requires at a bare min 2x or a pair of Connectors.

Connectivity & High-Availability
The Citrix Cloud Connector firstly should always be implemented in pairs at a minimum within any resource location and installed onto either Windows Server 2012 R2 or 2016 AD joined VM instances. The connectors are stateless and brokering requests are load-balanced via Citrix Cloud to the connectors within your resource location(s) and if a connector does not respond the queued tasks are redistributed to the remaining connector(s). As the connectors are stateless this also means that they do store any mgmt configuration for Citrix Workloads at the resource location as this is held within the Citrix Cloud by the Service that you are utilising e.g XenApp and XenDesktop Service.

+If you setup a PoC with a single Connector it will probably display as amber for a period of time prior to turning green as you have only configured 1x Connector for your resource location. You can check your Connector status for your resource locations by navigating from https://citrix.cloud.com/ to https://citrix.cloud.com/identity and under “Domains” select your domain forest(s) and expand it and you can review your Connectors name e.g servername.dommain e.g connector1.x1co.eu and its status (red, amber or green).

The leading best practise for h/a at your resource location is for your Citrix Cloud Connectors to be implemented as N+1 for redundancy – – https://en.wikipedia.org/wiki/N%2B1_redundancy.

Logs & Services++ of the Connector
The Connector logs are stored at “C:\ProgramData\Citrix\WorkspaceCloud\Logs or use %ProgramData%\Citrix\WorkspaceCloud\Logs” for verifying ongoing communication and helping with troubleshooting. Once the log(s) size exceeds a certain threshold its deleted BUT Administrators are able to control the log retention size by adjusting the following entry in the Windows registry “HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CloudServices\AgentAdministration\MaximumLogSpaceMegabytes” to meet your organisations logging/auditing requirements.

The core four primary functions/roles of the Connector are Authentication, Proxy, Provisioning and Identity which are powered by the following Citrix Cloud services listed below (as of Jan 2017). You can view a detailed architecture technical diagram of the Connector under the XenApp and XenDesktop Service online documentation at – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html.

Connector Functions/Roles
For a more accurate diagram please check out – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html

Authentication Proxy Provisioning Identity
NetScaler
Unified Gateway
StoreFront
(Optional)

Hypervisor 
Server VDA
 Server 2012 R2, 2016
Desktop VDA
Windows 10

Active Directory, DNS

I’ll update this section with what each of the Connector services actually does

Citrix Cloud AD Provider
Citrix Cloud Agent Logger
Citrix Cloud System
Citrix Cloud WatchDog
Citrix Cloud Credential Provider
Citrix Cloud WebRelay Provider
Citrix Cloud Config Synchronizer Service
Citrix Cloud High Availability Service
Citrix Cloud NetScaler Cloud Gateway
Citrix Cloud Remote Broker Provider
Citrix Cloud Remote HCL Server
Citrix Cloud Session Manager Proxy

Citrix Cloud PoC Guide for the XenApp and XenDesktop Service
I have writen a fairly detailed blog article describing how-to deploy the XenApp and XenDesktop Service here.

Deploying a Citrix Cloud – XenApp and XenDesktop Service PoC

The following content is a brief and unofficial overview of how-to front your virtual apps & desktops powered by Citrix Cloud XenApp & XenDesktop Service and the NetScaler Gateway Service using an Azure (IaaS) resource location. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions, best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
VIRTUAL DESKTOP – vd
THINWIRE COMPATIBLE MODE – tcm also known as ecm or thinwire+
SELF-SERVICE PASSWORD RESET – sspr
VIRTUAL GPU – vgpu
PROOF OF CONCEPT – poc
XENAPP AND XENDESKTOP SERVICE – xad service
CITRIX CLOUD CONNECTOR – CC Connector
ACCESS CONTROL LISTS – acl
FIREWALL – f/w

What is Citrix Cloud?
Firstly this blog post will be updated through-out Nov, Dec 2016 as I still have a few minor additions and adjustments to make but in principle this blog post should help you stand up a Citrix Cloud – XAD Service PoC successfully with your chosen resource location.

Citrix Cloud provides a control plane that includes Citrix technologies as services e.g XenApp and XenDesktop Service that allows Citrix SysAdmin’s to setup, configure and deliver virtual apps & desktops to users on any device, anytime and from any location from your chosen resource location which could be hosts runnings in a data centre running XenServer, Hyper-V, Acropolis*, vSphere vs. hyper-converged appliances (Nutanix*, Atlantis) or it could running in an IaaS or public cloud providers e.g Azure or AWS e.t.c

Your resource location of choice is connected to the Citrix Cloud control plane through something called the Citrix Cloud Connector which is installed onto a supported Windows server OSes that is domain-joined in pairs which runs a services that communicates to the control plane outbound on HTTPS/443 which also has the added benefit of NOT requiring any type of VPN (SSL, R/A or IPSec GRE Tunnel)!

Adopting Citrix Cloud introduces an evergreen or SaaS-style update(s) approach to the Citrix infrastructure components as an example within the XenApp and XenDesktop Service e.g the controller, licensing server, storefront are hosted and managed by Citrix and auto updated (evergreen) thus reducing infrastructure updates, upgrades so IT can focus on other workspace projects e.g implementing Skype for Business – http://axendatacentre.com/blog/2016/04/25/deploying-skype4b-2015-offloaded-from-a-citrix-hdx-virtual-app-or-desktop/ or daily tasks, activities thus reducing System Administration time which equates to cost savings or shifting more IT time onto providing the very best near to local like delivery and user experience as they have more time.

The Goal of this PoC
In this blog post I will describe how-to setup and deploy the “Citrix Cloud – XenApp and XenDesktop Service” using Microsoft Azure as my resource location of choice for this PoC to deliver virtual apps & desktops (Server based) including enabling remote access in its simplest form using the NetScaler Gateway Service which enables secure, remote access to virtual apps & desktops from anywhere with an internet connection using the Citrix Receiver or the HTML5 Receiver all without having to deploy a NetScaler in your resource location – https://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/netscaler-gateway-as-a-service.html and accesing a published Skype for Business 2015 HDX optimised virtual app powered by the HDX Optimisation Pack 2.x.n – http://docs.citrix.com/en-us/hdx-optimization/2-1.html published from a Windows Server 2012 R2 OS server to virtual desktop powered by Windows Server 2016.

Traffic Flows, Metadata & Credential Handling
The following provides insight into the traffic flows when/how users connect to there virtual apps & desktop when using the Citrix Cloud – XenApp and XenDesktop Service.

NetScaler Gateway Service
http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/netscaler-gateway-as-a-service.html

XAD Service
http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html

Comparing services and pricing is available at – https://www.citrix.com/products/citrix-cloud/subscriptions.html

Pre-requisites & System Requirements
0. Trial Checklist – http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/apps-desktops-trial-checklist.pdf which via the XAD Service eDoc root at – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service.html.
1. An Azure subscription with sufficient credits and compute resources for your own personal requirements for your own PoC. You’ll also need to understand the concepts of Azure so I’d suggest you begin with reviewing the online documentation available at – https://azure.microsoft.com/ or visit VMFocus blog at https://vmfocus.com/2016/11/07/70-533-implementing-microsoft-azure-infrastructure-solutions-prep-exam-experience/ and scroll to the prepartion text in bold.
2. A Citrix Cloud account with access to the XAD Service check out – https://www.citrix.com/products/citrix-cloud/ for details and information about a trial.
3. Citrix Cloud Connector downloaded from your XAD Service to your Azure resource location onto a shared folder e.g network share on your Windows domain controller or file server. For the basic’s of how-to download and install check out the installation overview at – http://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector/installation.html.
4. Download the VDA’s from https://apps.cloud.com/downloads which is only accessiable once your have sucessfully authenticated at https://citrix.cloud.com/.
5. A Windows Server 2012 R2 VM running at a min “Active Directory”, “DNS” and the “Citrix Cloud Connector” and one more VM optional only if you want to keep costs down but preferred to match a real-work scenario would be to have a second Windows Server 2012 R2 VM running the “Citrix Cloud Connector” so that you have a pair of connectors talking to Citrix Cloud.
6. A pair of Windows Server 2012 R2 one to be used for or as a +hosted shared server virtual desktop and the other to deliver virtual apps e.g Skype for Business 2015-16 HDX Optimised Doc’s – http://docs.citrix.com/en-us/hdx-optimization/2-1/hdx-realtime-optimization-pack-overview.html, video overview at – https://www.youtube.com/watch?v=IpOSi_FkA7c.
7. A Windows Server 2016 VM to be your second +hosted shared server virtual desktop (Preferred choice for me :-)) so you can demonstrate publishing virtual apps into both +virtual desktops and demonstrate Windows Server 2016 as a DaaS VD or just a show and tell back to your organisations management to begin thinking moving to Windows Server 2016 from 2008 R2 or 2012 R2.

Deploying your Citrix Cloud Connectors
1. Prior to starting your installation please be sure to switch “Enhanced Security Configuration (ESC)” off during the installation.
2. Right-click on the CC Connector and run as Administrator.
3. Enter in your Citrix Cloud Administrator access details and you’ll receive a list of available customer accounts in your case you should only have one so select it and continue.
4. The installation will install the required software components and prior to finishing it will perform “connectivity test” this will take up to 60 seconds.
5. Make some coffee or tea if you’re British or a British South African born while the Citrix Cloud Connector communicates with the Citrix CLoud control plane successfully registers.
6. Navigate to Citrix Cloud select from the menu bar in the top left-hand corner “Identity & Access Management” on the “Domains” tab you should now see your domain with a status of “Ready ” if you see amber anywhere this is because one of your connectors is not in a ready state or you only have 1x connector in your choosen resource location.
7. Don’t proceed until your connector(s) are in a Ready state in Citrix Cloud, this is very important!

Deploy your Virtual Apps & Desktops
1. At https://citrix.cloud.com/ select under “Services List” parallel to the “XenApp and XenDesktop Service” click on “Manage” blue button. Note that you can also get to mgmt consoles by clicking the menu icon top left-hand corner and from the list select the service that you wish to administer e.g XAD Service.
2. You’ll now be redirected to https://apps.cloud.com/ and scroll to the bottom of the webpage to identify what your cloud hosted StoreFront server address is e.g https://tttemea10.xendesktop.net/Citrix/StoreWeb/, right click and say open in a new tab.
3. Now click on the downwards arrow on “Manage” and you’ll see two options e.g “Service Creation” and “Service Delivery”. Please click on Service Delivery which should take you to https://apps.cloud.com/delivery and you’ll see the below available options. Simply toggle to select your preferred delivery options for delivery of your virtual apps & desktops choosing in this case to utilise the Citrix Cloud – XAD Service cloud hosted StoreFront and or NetScaler Gateway Service. I will follow-up with another blog post in the future covering off deploying this PoC BUT using StoreFront and NetScaler (Unified) Gateway in your chosen “resource location” BUT for now I am keeping it clean and simple. Please verify that your toggle’s match what you see in the below image prior to proceeding (Also see the 3rd tip!!!). If want to use StoreFront – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/setting-up-storefront.html and NetScaler – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/getting-started.html#par_anchortitle_1403 in your resource location the read the provided links above.


TIP/HINT 1: You can choose to toggle off “Session Reliability”.
TIP/HINT 2: Where you configure the XAD Controller point this to the Citrix Cloud Connector.
TIP/HINT 3: The NetScaler Gateway Service is sold separately from the XAD Service as of 2017 Q1 ref – https://www.citrix.com/products/citrix-cloud/subscriptions.html

4. Now click on the downwards arrow on “Manage” and now please click on Service Creation which should take you to https://apps.cloud.com/manage you’ll notice a spinning icon in the middle of your screen for a few seconds and then your securely hardened Studio console will be avaiable to you published using the latest HTML5 Receiver which includes auto screen resizing dynamically (change the browser window size :-)), copy and paste.
5. Create your “Machine Catalog(s)” as per normal if your unsure then follow the steps as outlined at http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/install-configure/machine-catalogs-create.html then return back to Citrix Cloud published Studio. Create three machine catalog’s if following the blog post 1x machine catalog for virtual apps powered by Win Srv 2012 R2, 2x virtual desktops one powered by Win Server 2012 R2 and one by 2016. Once you have created your machine catalog’s then check that the VM within each “Machine Catalog(s)” have a successful Registered State if the VM(s) in your each catalog(s) don’t register then review my quick troubleshooting guidance below at the end of this blog article.
6. Next create a “Delivery Group” almost like normal once agian if your are unsure the how-to is avaiable at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/install-configure/delivery-groups-create.html remeber agin if following this blog post 1x delivery group for virtual apps powered by Win Srv 2012 R2 and 2x delivery groups for virtual desktops powered by Win Server 2012 R2 and 2016 BUT there is one very important exception which is that once you select the machines and you get to the user section be very sure to select “⚹Leave user management to Citrix Cloud. This makes the Delivery Group available as an offering when configuring your Citrix Cloud Workspaces.”http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/creating-and-publishing-a-workspace.html.



6. Now that you have created a Machine Catalog, Delivery Group you need to assign users to these resources so click the menu icon in the top left-hand corner and select “Workspaces“. You’ll see “My First Workspace” just ignore it for now and select the “+ Workspaces” icon it’s large you just cannot miss it! Note that workspaces are now referred service offerings which you assign to users from your Library – http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/assigning-users-to-offerings-using-library.html.
7. Enter in a name for your workspace e.g PoC Workspace.
8. Select “✎ Manage” under your Workspace name and now from the available “Citrix Cloud Services” list select the “XenApp and XenDesktop Service” and you’ll see your delivery group(s) dependant if you completely followed this blog post on the right-hand side so simply select your virtual apps and virtual desktops that you wish to publish to this workspace, it’s your choice but in this PoC we’ll be selecting all avaiable delivery groups to delivery virtual apps & desktops. Once selected click on “Update Workspace” blue button above.
9. Your workspace now contains virtual apps & desktops that can be consumed by subscribers e.g users.
10. Now that you have created your first Workspace e.g PoC Workspace in Citrix Cloud using the XenApp & XenDesktop Service all that is left to do is to add users BUT in a Citrix Cloud world they are known as “subscribers“!
11. Select your e.g PoC Workspace once more and click on “Subscribers” tab and you’ll see a domain list below on your left-hand side so select your “domain” and to your right you’ll see an input field type in your subscriber’s username e.g lynd which will then query your AD via the Citrix Cloud connector securely and it will find and return your user(s) e.g lyndon-jon@x1co.eu and once it is listed select the user(s) from your query and they will be added to the list below, now repeat the process to add all other test/poc subscribers or AD test/poc security groups to your e.g PoC Workspace and then click on the “Update Workspace” blue button above to save the subscribers to this workspace.


TIP/HINT: You can also select AD Security Groups not just AD users.

Initial Test
Your users/subscribers should now be able to login to the Cloud hosted StoreFront available at e.g https://YOURCUSTOMERNAME.xendesktop.net using an HTML5 internet browser or Citrix Receiver.

HDX Policies
Please assign your policies as you prefer to users, delivery groups e.t.c. You’ll also notice that I have not applied a FPS limit to every policy only the ones that are balanced as most often these need to adjusted to be fit for purpose for standard office workers to enable user density gains on the backend and bandwidth savings while maintaining a decent and good UX. My personal preference is “HDX Adaptive Display v2“.

HDX Adaptive Display v2 HDX Adaptive Display v2 (Balanced) Thinwire Compatible Mode Thinwire Compatible Mode (Balanced) H.264
1.”Use video codec for compression” then select the option to be “For actively changing regions 1.”Use video codec for compression” then select  “For actively changing regions
2. “Preferred color depth for simple graphics” then select “16 bits per pixel” and also try 24.
1.”Use video codec for compression” then select the option to be “Do not use video codec 1.”Use video codec for compression” then select the option to be “Do not use video codec
2. “Preferred color depth for simple graphics” then select “16 bits per pixel” and also try 24.
3. “Frames Per Second” then enter in a value of “25-30“.
1.”Use video codec for compression” then select the option to be “For the entire screen
2. “Frames Per Second” then enter in a value of “30” (Optional)
My personal preferred choice My 2nd personal preferred choice

Advanced Remote Access using a NetScaler in your Resource Location with(out) StoreFront
The following has been tested using the latest NS firmware 11.1 available in the Azure marketplace as of 05/03/2017.

1. Login to NetScaler admin WebUI using the following firmware 11.1.x.n
2. Check that your appliance is correctly licensed.
3. Select the “Unified Gateway” wizard.
4. Enter in your assigned VIP (private IP addr or in Azure NSIP:8443) and enter in a vServer friendly name e.g myUG
5. Select to “Install Cert” a valid public CA signed cert either *.pfx vs. *.pem.
6. Configure LDAP either use an exciting or add a new server for LDAP auth and choose the “Server Logon Name Attribute” as userPrincipalName .
7. Select “Portal Theme” and select “RfWebUI”
8. Now under the under “Applications” select and add “XenApp/XenDesktop” and now enter in your resource location or Cloud-Hosted StoreFront “FQDN” and select “Test Connection” which should retrieve and auto configure the required settings and thereafter a green bar will appear if successful if not then manually configured based upon the following guidance below.

– Enter in “Site Path” e.g /Citrix/StoreWeb/
– Enter in your Sign Sign-on Domain e.g x1co.eu
– Enter in “Store Name” e.g Store
– Enter in “Secure Ticket Authority (STA) Server” which will be the Citrix Cloud Connector IP addr
– StoreFront server IP Addr:

Option 1 – If using the cloud-hosted StoreFront FQDN e.g https://*.xendesktop.net then please use the IP addr of the Citrix Cloud Connector in your resource location.
Option 2 – If using a StoreFront server in the resource location please use its IP addr.

9. Do not configure a “Xen Farm” please just select and “Continue” and complete steps to finish the Wizard.
10. The dashboard overview of “Unified Gateway” should indicate all up and green.

Remote PowerShell SDK for the XenApp and XenDesktop Service
Coming but have a read of – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/remote-powershell-sdk.html in the intermin.

Troubleshooting Guidance
VDA Registration Issue
1. Make sure that forward and reverse DNS is setup correctly for the VDA’s and the CC Connectors.
2. Check that the following Citrix Cloud services “Citrix Remote Broker Provider” and “Citrix Cloud Agent System, Logger & WatchDog“are successfully started on your Citrix Cloud Connector(s) VM instances.
3. Ensure that HTTPS/443 is NOT disabled outbound on any of your CC Connectors either via the Windows Firewall or your hardware or virtual f/w ACL’s.