Category Archives: Data Centre

Azure AD SAML Sign-in with Virtual Smartcard to Citrix Virtual Apps & Desktops

Consider this an evergreen post as of 10/06/2020

Introduction
The purpose of this blog post to aim for a consistent modern authentication experience for employees when consuming Citrix Virtual Apps & Desktops (CVAD) + CVAD Service regardless of where the (CVAD) workloads are running, either in *Azure, *AWS, *GCP or *On-Premises. The primary priority is that the employees identity is owned and managed by a cloud identity platform e.g Azure Active Directory (AAD) and the employees identity within each resource location* for CVAD usage maps to AD shadow accounts. These AD shadow accounts represent the employee as a UPN e.g human.name@domain, with a RANDOM long complex password that the employee doesn’t need to ever know and all IT is required to do beyond creating a AD shadow account is then assign the right vs. relevant security privileges and access to CVAD including Policies meeting local, geo of industry compliance and governance while maintaining a great employee experience.

The second priority is that the employees device can frictionlessly access CVAD resources using either a Forward Proxy, SD-WAN Overlay Network or ICA Proxy. I do recognise that many organisations are still required to make use of a VPN style strategy at the current moment and therefore this solution can also work for those devices as well repurposing the existing Citrix Gateway to also support a Full VPN beyond ICA Proxy or you can use other well established and trusted VPN solution providers.

Leveraging a Bring Your Own “either Enterprise vs. Personal” Identity (ByoI) is a concept I ponded way back in 2017 and now feels like the right time to pick that up concept again during the current Workplace transformation happening all around the world due to world wide COVID-19 pandemic. Using a ByoI strategy as high level vision you can efficiently deploy CVAD to any *Azure, *AWS, *GCP region or *On-Premises with less friction and you don’t need to be worry about “Password Syncing” just replicate the employee’s UPN + AD Security Privileges + CVAD Access & Policies where its required. It has the added benefit if you want do mix and match public cloud workloads to avoid lock-in amongst other topics, you’ll be providing a common and consistent login interface + experience irrespective of where the workload is sat.

It another brilliant benefit is the on-boarding of 3rd Parties (3P’s) using ByoI concept with a business check at the edge, the 3P brings there owned Identity and in the current world we live in I don’t think that is bad thing it could even strength that employees individual security as there identity will be bound to a smartphone which knows more about your individuals habits and you that you know yourself. If we can unlock a co-shared responsibility identity model between the individual + organisation we can truly aim for a passwordless workspace that only uses virtual smartcards or tokens.

Finally the on-boarding of M&A employees can be faster as you can generate them a few days after commercial signing with a new brand identity that resides in Azure AD (or Google, OKTA e.t.c) whilst they continue accessing existing workplace apps + data with current AD credentials, IT + HR + Business can choose when to layer in the “NEW” Workspace Platform for Work from group perspective into the existing Workspace with less friction and complexity. Yes this final topic is complex when we think about merging different Business IT and IT Systems together, a CVAD strategy with FAS bridges the GAP reducing friction and complexity for IT to sun rise a new Workspace stack for that newly acquired organisation while sunsetting the exciting Workspace stack and those new M&A employees get to on-board beyond the Workspace into there new organisations people, its culture, vision and values and avoids the IP drain that often can easily happen.

The Employee Experience

High Level Architecture
The scenario below depicts accessing a StoreFront server on any device type from within the Workplace fabric in any office locally or world wide or from a IT managed device that makes use of a Full VPN, Forward Proxy technology; WFH Citrix SD-WAN appliance where traffic passes over an SD-WAN overlay network; Citrix Endpoint Management enrolled smart device with per-app mVPN configured and finally irrespective of the devices management status you can use ICA Proxy* to access CVAD resources anywhere over the internet inclusive of any home via a Citrix ADC (formerly NetScaler) using the Gateway functionality which is “VPN-Less*”.

Systems Requirements & Pre-requisites
1. A UAT or Test CVAD 1912 LTSR Site that already setup. My personal one runs in AWS EC2 as it retains hosting connections or public clouds to preform MCS provisioning of machines from customer own and managed control plane. You can also use the Citrix Virtual Apps & Desktops (CVAD) Service or sign-up at https://citrix.cloud.com/ and engage your local Citrix representatives to get a trial setup for the CVAD Service.
2. Deploy a new VM which will run the following Citrix 1912 LTRS StoreFront and Federated Authentication Service (FAS) roles to create a new “Store” on StoreFront called “AAD” which will be configured to accept the Azure AD SAML token which will then convert the AAD SAML tokens into a Citrix virtual smartcard to SSO the employee onto CVAD resources.
3. Install StoreFront – https://docs.citrix.com/en-us/storefront/1912-ltsr/install-standard.html after reading the system requirements – https://docs.citrix.com/en-us/storefront/1912-ltsr/system-requirements.html.
4. Setup and Configure FAS Role on your StoreFront Server – https://docs.citrix.com/en-us/federated-authentication-service/1912/install-configure.html after reading the system requirements carefully – https://docs.citrix.com/en-us/federated-authentication-service/1912/system-requirements.html, this part shouldn’t be a problem e.g leaning on on Security teams whom control the Enterprise CA Admins as you’ll hopefully be using a proper UAT or Test CVAD environment with all the Microsoft management servers and roles including an Enterprise CA which FAS requires and access to AD introduce new GPO’s.
5. An Azure AD “personal or business test” tenant.

Deployment Guide

Azure AD Setup & Configuration – Personal Home Lab Edition
If you have a separate Azure AD tenant in Azure you can proceed to the next section, however if you are an IT Pro that wants to test out how to convert Azure AD SAML logins to Citrix virtual smartcards for CVAD the following the below guidance below for setting up a personal ADD tenant with a personal Azure account for your home lab. WARNING I am not an Azure AD nor on-premises AD expert, therefor follow the leading practises found in Microsofts documentation for Azure AD.

1. Navigate to https://portal.azure.com and sign-in with your live vs. personal Microsoft account. Select β€œCreate a resource”.
2. Select β€œIdentity” then select β€œAzure Active Directory”.
3. Enter in an β€œOrganisation Name, Initial domain name and select your Country or region”.
4. The wizard will begin creating your AAD tenant .
5. Once it completes click the hyperlink within β€œClick here to manage your new directory”.
6. At the Overview page of your new AAD tenant select β€œUsers” under β€œManage” section.
7. Select β€œ+ New user” under the β€œAll Users (Preview)” Overview you’ll notice your personal email addr.
8. You’ll notice when creating a new employee account for your AAD tenant that you can only append domain.onmicrosoft.com to the username, I’ll explain how-to convert that to user@domain and remove the UPN requirement of user@doamin.onmicrosoft.com in the next few steps. For now fill the following fields β€œUser name”; β€œName”; β€œFirst name”; β€œLast name”; β€œPassword” (choose or auto-generate) and the select β€œCreate” keeping the defaults as they are.
9. Your new AAD employee is successful created, you can assign roles. NOTE for my personal testing purposes I didn’t configure anything as I’ll delete that test employee AAD account after my testing.
10. At this point I’m not going to deploy nor setup the β€œAzure AD Connect” in my Citrix Cloud Resource Location as I want the employees primary identity to always reside in Azure AD as the single source of truth, and then bring that identity to my Citrix Cloud Resource Location e.g Bring your own Identity (ByoI) and after a successful AAD SAML login map that to a hardened AD Shadow account with long complex password that the employee will never know and all I need to do it assign the AD security privilege and access for CVAD resources. This approach means that employee will NEVER enter in a AD password within a Citrix Cloud Resource Location that is configured for AAD (or Google, OKTA e.t.c) when using CVAD 1912 LTSR StoreFront and the Federated Authentication Service (FAS) in a Resource Location(s). For complex environments yes you’ll likely deploy the β€œAzure AD Connect” software as a role somewhere to replicate the employees but you don’t need to replicate there passwd or you can provision the employee twice once in AAD as in the example above and then again manually in AD in the Resource Location as there corresponding AD shadow account which matches the UPN from AAD when authenticating using SAML to StoreFront, the choice is yours but I found for testing purposes a manual in each is far less frictionless.

On-Premises Active Directory (AD) within your Resource Location
1.Create a new AD “Shadow” account that matches the “User Principal Name (UPN)” in AAD e.g user@domain, generate a random long complex password which they don’t need know and then assign or inherit the right vs. relevant AD security groups, GPOs that you would usually assign to a CVAD consumer.
2. On-board your domain into Azure AD which required verifying it with a MX record to avoid using user@domain.onmicrosoft.com so that you can use user@domain keeping it simple and less complex.

Installation and Configuring the Federated Authentication Service (FAS)
1. On the new VM that you just installed 1912 LTSR StoreFront role onto from the existing mounted ISO run the autorun splash screen and select β€œFederated Authentication Service”.
2.Read the EULA which you’ll need to β€œAccept the Licenses Agreement” to continue.
3. Accept the defaults and select β€œNext” on the “Core Components” page.
4. Accept the defaults and select β€œNext” on the “Firewall” page.
5. Once the installer is finished select β€œFinish” to close.
6. Open a PowerShell window in Admin mode then copy & paste the following code below, which will enable a trust between the CVAD Controller and the StoreFront server, minimise this window you’ll require it later.

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

7. Navigate to the following path β€œC:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions\” on the current StoreFront server that you installed FAS role onto, copy the following two files β€œCitrixFederatedAuthenticationService.admx” and β€œCitrixBase.admx” the entire folder β€œen-US” to a network share which will need to be accessible from your Windows Domain Controller or WDC.
8. Connect to your Windows Domain Controller (WDC) via RDS from the current StoreFront + FAS server and copy the two *.admx FAS files including folder β€œen-US” from your network share to the following path on the β€œC:\Windows\PolicyDefinitions” on your WDC.
9. Open an β€œMMC” console and load the β€œGroup Policy Management Editor” snap-in, at the prompt for a Group Policy Object, select β€œBrowse” and then select ”Default Domain Policy”.
10. In the MMC console navigate to β€œDefault Domain Policy [server name] > Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication” and you should see the following three policies available β€œFederated Authentication Service”, β€œStoreFront FAS Rule” and β€œIn-session Certificates”.
11. Select and open the β€œFederated Authentication Service” policy, next select to β€œEnable” it followed by selecting the β€œShow” button parallel to β€œDNS Addresses” label and enter in the FQDN e.g. β€œserver.domain” of your StoreFront + FAS server and then select β€œOK” and then select β€œOK” to save the policy configuration and enabling FAS.
12. Next select and open β€œIn-session Certificates” and select β€œEnabled” and in the β€œConsent timeout (seconds):” field type in a value of “30” which is the default.
13. Next close the MMC console and open up the existing PowerShell (Admin mode) and copy and paste the following code to force a Group Policy Update. 

gpupdate /force

14. Minimise the RDS connection from your WDC so that you are back on your StoreFront + FAS server. Search and open up Citrix FAS in Admin mode, if you don’t you will be notified in the UI and then select β€œrun this program as administrator” which will reload the FAS UI in Admin mode.
15. Select to β€œDeploy” for β€œDeploy certificate templates”.
16. Select β€œOk” on the pop-up window that appears.
17. You’ve now successfully deployed the certificate templates, now select β€œPublish” for β€œSet up a certificate authority”.
18. Select the right Enterprise Certificate Authority (CA) from the available list and select β€œOk”.
19. You’ve now deployed the certificate templates successfully to your Enterprise CA, now select β€œAuthorize” for β€œAuthorize this service”.
20. Select the right Enterprise Certificate Authority (CA) from the available list (same as above) and select β€œOk”.
21. The FAS UI will display a spinning icon as the authorisation request is pending on the Enterprise CA server. 
22. Connect to your Enterprise CA via RDS and the β€œMicrosoft Certification Authority” MMC Console and navigate to β€œCA > CA Server > Pending Requests” you’ll see pending certificate right click it select β€œAll Tasks > Issue” and the certificate will be issued. 
23. Verify the issues certificates are issued by selecting β€œIssued Certificates” and verify you can see two issues certificated that begin with β€œCitrix_RegistrationAu…”.
24. Minimise your RDS session to your Enterprise CA and return to the StoreFront + FAS server, you now notice the β€œAuthorize this service” says β€œReauthorize” which is correct as the FAS service is now authorised with the Enterprise CA. Next select β€œCreate” for β€œCreate a rule”, which launch a new window.
25. Accept the default β€œCreate the default rule (recommended)” and select β€œNext”.
26. Accept the default β€œCitrix_SmartcardLogon (recommended)” and select β€œNext”.
27. Select the previously selected and configured Enterprise CA you Authorised and select β€œNext”.
28. Select β€œAllow in-session use” and select β€œNext” if you enabled the following policy β€œIn-session Certificates” earlier.
29. Select β€œManage StoreFront access permissions (access is currently denied)” in red text which will open a new window.
30. Remove β€œDomain Computers” and add the β€œServer” running the StoreFront + FAS roles and under β€œPermissions” to β€œAllow” then select β€œApply” and β€œOk”.
31. The screen will update with β€œManage StoreFront access permissions” to now be in blue text, now select β€œNext”.
32. Select β€œManage user access permissions (all users are currently allowed)” in red text which will open a new window.
33. You can change to default β€œDomain Users” to your own test AD security group, then under β€œPermissions” to β€œAllow” then select β€œApply” and β€œOk”.
34. The screen will update with β€œManage user permissions (all users are currently allowed)” to now be blue text, now select β€œManage VDA permissions (all VDAs are currently allowed)” which is in red text.
35. You can change to default β€œDomain Computers” to your own test AD security group that your Citrix Virtual Delivery Agents (VDA) are found within, then under β€œPermissions” to β€œAllow” then select β€œApply” and β€œOk”.
36. The screen will update with β€œManage VDA permissions (all VDAs are currently allowed)” to now in blue text, now select β€œNext”.
37. Now select β€œCreate” and a “Default” FAS rule.
38. You have now successfully setup and configured Citrix FAS, you still need to enable FAS Claims for your “AAD” store on StoreFront which is covered later in this blog post.

Creating a new Store call “AAD” for Azure AD SAML Authentication in StoreFront
1. Open Studio and select “StoreFront” then select β€œStores” and the on the β€œActions tab” select β€œCreate Store”.
2. On the splash screen select “Next“.
3. Type in β€œAAD” for the β€œStore Name” field and click β€œNext”.
4. Select β€œAdd” list a CVAD controller, a new window will appear where you need provide the following information a β€œDisplay Name” e.g Citrix Cloud Connectors vs. CVAD 1912 LTSR, for the “Type” select β€œCitrix Virtual Apps and Desktops” and under β€œServers” list select β€œAdd” and type in the Citrix Cloud Connector or CVAD 1912 LTSR addresses and choose β€œTransport type” either HTTP 80 or HTTPS 443 (Preferred) and click “OK”.
5. You are now returned to the “Delivery Controller” page with a list of either Citrix Cloud Connectors or CVAD Controllers 1912 LTSR, click “Next“.
6. Now on the “Configure Authentication Methods” page select β€œSAML Authentication” and leave β€œUser name and password” checked as YES, then click β€œNext”.
7. Ignore “Remote Access” configuration and click “Next“. NOTE: I will update this blog post at a later date with the Remote Access via Citrix Gateway formerly NetScaler Gateway.
8. Accept the default’s on the “Configure XenApp Services URL” and click “Create”.
9. StoreFront will begin creating your new “AAD” Store on your StoreFront server, once the wizard completes select “Test Site” to verify you can see a webpage that displays Citrix Receiver or you can navigate to β€œhttps://FQDN/Citrix/AADWeb/” replacing the FQDN with your own to verify the webpage is available.

Generating AAD SAML Configuration for StoreFront
1. In the Azure AD UI in the Azure Portal select β€œEnterprise applications” node.
2. When the UI updates in the centre select “Select β€œNew application”.
3. You are taken to the “Add an Application” wizard and presented with three options select “Non-gallery application“.
4. Next provide a name for your own application e.g AAD-SAML-CVAD1912LTSR and then click “Add” at the bottom.
5. The AAD wizard completes and you are taken to the “Overview” page for “AAD-SAML-CVAD1912LTSR“, now select “Users and groups” from within this view.
6. Add an native AAD user(s). Note do not add any employee that does not have a AD shadow account setup and configured in the Citrix Cloud Resource Location (RL).
7. Now from the same “Overview” page for “AAD-SAML-CVAD1912LTSR” select “Single Sign-on” and on the “Select a single sign-on method” wizard select “SAML” and will start the AAS SAML wizard.
8. Select the pencil icon for “Basic SAML Configuration” to configure the following fields as follows below and select “Add“.

Identifier (Entity ID): https://FQDN/Citrix/AADAuth
Reply URL (Assertion Consumer Service URL):https://FQDN/Citrix/AADAuth/SamlForms/AssertionConsumerService
Sign on URL: https://FQDN/Citrix/AADWeb

9. Check under “User Attributes & Claims” portion that the “Name” field is configured to β€œuser.userprincipalname”.
10. Scroll to “SAML Signing Certificate” and click to download the β€œFederation Metadata XML” e.g. AAD-SAML-CVAD1912LTSR.xml, now save or transfer it to your StoreFront server at C:\Temp.

Create and Configure a Azure AD SAML Trust in StoreFront
1. If you have transferred the *.xml file e.g “AAD-SAML-CVAD1912LTSR.xml“, then on your StoreFront server create a folder called β€œTemp” on β€œC:\” and transfer the downloaded *.xml file.
2.Open PowerShell in admin mode or launch it from Studio 1912 LTSR. Copy & paste the following code below, however if opening the PowerShell with Admin privileges without Studio 1912 LTSR then copy & paste this cmdlet first before proceeding with the configuration & “$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1“. You will notice the virtual path for the Store is already set here to AAD so you can copy and paste it as is. This code sets up and configures SAML for the ADD Store.

$storeVirtualPath = “/Citrix/AAD” 
$auth = Get-STFAuthenticationService -Store (Get-STFStoreService -VirtualPath $storeVirtualPath) 
$spId = $auth.AuthenticationSettings[“samlForms”].SamlSettings.ServiceProvider.Uri.AbsoluteUri 
$acs = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlForms/AssertionConsumerService”) 
$md = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlForms/ServiceProvider/Metadata”) 
$samlTest = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlTest”) 
Write-Host “SAML Service Provider information: 
Service Provider ID: $spId 
Assertion Consumer Service: $acs 
Metadata: $md 
Test Page: $samlTest “
 

3. Next copy and paste the following code which will ingest SAML configuration from the Azure AD *.xml that you downloaded earlier and copied to C:\Temp on the StoreFront server.

Get-Module “Citrix.StoreFront*” -ListAvailable | Import-Module
# Remember to change this with the virtual path of your Store.
$StoreVirtualPath = “/Citrix/AAD”
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Update-STFSamlIdPFromMetadata -AuthenticationService $auth -FilePath “C:\Temp\AAD-SAML-CVAD1912LTSR.xml”


4. Validate there are not error(s) on screen that need resolving.
5. Minimise your PowerShell window you’ll need it again shortly, now open up Studio or StoreFront MMC console and navigate to the “Stores” and select “AAD” and select “Manage Authentication Methods“.
6. Select the cog icon parallel to β€œSAML Authentication” and then select β€œIdentity Provider” you should see that your AAD SAML configuration is setup and configured, leave it as is DO NOT TOUCH it!
7. Close all windows including Studio or StoreFront.

Enabling FAS for Converting Azure AD SAML Tokens to Virtual Smartcards
1.Open up your existing PowerShell window and copy and paste the following code below, which will ENABLE FAS for your ADD Store to convert AAD SAML tokens received into virtual smartcard that will be used to SSO the employee onto his/her Citrix virtual app and or desktop. You’ll notice the code is configured for the “AAD” Store so you can copy and paste as is.

Get-Module “Citrix.StoreFront.*” -ListAvailable | Import-Module
$StoreVirtualPath = “/Citrix/AAD”
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName “FASClaimsFactory”
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider “FASLogonDataProvider”


2. Validate there are not error(s) on screen that need resolving, if there are none you can nose close the PowerShell window.

Testing your Azure AD SAML to Virtual Smartcard Login
1. Navigate to https://FQDN/Citrix/AADWeb which will redirect you to a AAD login.
2. Enter in your UPN e.g user@domain and then complete the required 2FA vs. MFA requirements setup by your organisation as requirement onscreen.
3. You will be returned to https://FQDN/Citrix/AADWeb and SSOed onto UI, depending on your setting your desktop will either auto launch of you’ll have to manually launch it yourself. The initial login will take slightly longer than usual as its generating you that initial virtual smartcard between StoreFront, FAS, AD and your Enterprise CA.
4. Your Citrix vDesktop or vApp should launch successfully and SSO the on without prompting for any credentials.

Troubleshooting
1.If you receive ANY error once returned to https://FQDN/Citrix/AADWeb post the AAD SAML login open a new browser tab in the same session and copy and paste the following URL https://FQDN/Citrix/StoreAuth/SamlTest to see if you have any oblivious errors e.g user@domain.onmicrosoft.com from Azure AD which doesn’t map to the AD Shadow account that is user@domain so its a UPN mismatch and the sign-on will continue to fail.
2. If the employee can sign on to https://FQDN/Citrix/AADWeb and the Citrix vApp or vDesktop launches but they see a credential prompt with “Other User” check and see that you configured FAS for the correct Store with SAML Authentication setup and configured if not using my example of “AAD” as the Store setup and configured on StoreFront.

ICA Proxy Remote Access with Azure AD SAML
Coming…

Final Thoughts on Bring your own Identity (ByoI) Strengthening Security through Co-Shared Responsibility
Coming…

The views expressed here are my own and do not necessarily reflect the views of Citrix.


Get Smart with Citrix AutoScale & Power Capacity Management during COVID-19

I’ve noticed a number of folks asking what do as my existing Citrix AutoScale + Power and Capacity Management policies aren’t powering on my public cloud workloads any more, especially when they need it most!? What is happening? Firstly “this is not a Citrix issue” it’s a public cloud capacity issue in all the major players by selective “POPULAR” instance types for commonly used workloads like delivering virtual apps & desktops and its affecting by indvidiual regions e.g UK and not the whole public cloud providers capacity world wide to be clear and transparent.

If you make use of Citrix AutoScale and Power Capacity Management for mission critical CVAD workloads for better P&L management vs. capacity peaks then please DISABLE IT for those Delivery Groups (DG) within the CVAD Service temporarily to maintain business operations and internal SLA’s for service delivery of CVAD workloads to employees WFH during CVOD-19. Disabling AutoScale is strategically very important during these current times, it enforces that identified mission critical workloads by Delivery Group are always on-demand 24/7 to meet operational business demands. Its important to highlight this applies to any vendors and even in-house vs. community built power and capacity management tooling platforms should also be DISABLED for all business mission critical workloads so that daily business operations are not impacted.

Why do organisations use Citrix AutoScale and Power Capacity Management?
Its for a couple of scenarios, usecases which I will collectively sum up as follows below:

1. Save money not running VM instances in public clouds 24/7 when they aren’t required, therefore saving you a substantial amount of money when looking to better manage your P&L.
2. Your employees typically work 21 business days within a month (30 days) the rest is made up of time off e.g weekends, so why keep all that capacity powered on and consuming more money unnecessarily including carbon emissions. On that note how many of you leave your data centres fully powered on or even home labs when you they aren’t required? Our world needs us to make smarter and better decisions to lets act and save our world for our future unborn grand children.
3. Support spikes/peaks in virtual app & desktop consumption with a capacity buffer.

You can learn more about Citrix AutoScale at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/autoscale.html#three-types-of-autoscale-user-interfaces included the supported CVAD use cases “Autoscale user interface for Multi-User OS e.g CVA Delivery Groups“, “Single-User OS e.g CVD pooled vs. static VDI Delivery Groups“. 31/03/2020 I noticed that Citrix TechZone published a technical document on the same date as this article and I think you’ll find if very useful and insightful as its very technical eDocument – https://docs.citrix.com/en-us/tech-zone/learn/tech-briefs/autoscale.html.

Why your should DISABLE it!
COVID-19 is a world wide pandemic and hopefully a once in life time vs. century event. The number of employees now Working from Home (WFH) world wide is incredible, it’s placed a macro burden on many consumer services where some are in a degraded state or have intentionally degraded themselves to free up more bandwidth capacity over the internet in Europe for example Netflix – https://www.bbc.co.uk/news/technology-51968302. Its equally true for IT business services e.g virtual meetings and of course public cloud providers whom have run out of capacity for popular VM instance types in Europe, and this is why you want to disable AutoScale so that your mission critical workloads are not stopped + deallocated and then returned the public cloud provider pool where they will be consumed by someone else and keep up 24/7, other organisation’s may have paid upfront to reverse a number of instance types for a period of 30/60/90 days and this is achieved by holding back any/all returned capacity and finally likely redistributed to critical government agencies and department for example in the UK the National Health Service (NHS) to keep health workers productive managing COVID-19 and supporting patients.

Act & Think of Others
Please be responsible and make sustainable choices and only keep mission critical workloads on-demand 24/7 that are essential to daily business operations. Finally a personal ask if you are an IT Professional who’s home lab partially runs in a public cloud as its extended from on-premises please be respectful, mindful and aware that if your region is experiencing capacity issues PLEASE turn off and deallocate those VM instances types so that capacity can be returned to the public cloud pool during working days of the week to support businesses whom need it vs. government agencies and or health departments supporting people in-need of help and support medical and or otherwise.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Citrix Workspace app is released Hello World

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Introduction
What is Citrix Workspace app? It brings together all your LOB tools which in todays modern world consists of (virtual/micro/installed/mobile) apps, SaaS, desktops & content. I’ve embedded a sample of what this actually looks like below.

Overview
The new Citrix Workspace app way more than purely an upgrade of Citrix Receiver e.g grey to blue icon and a skin change, this NEW Citrix client app release is simply extraordinary, working for Citrix I can be considered bias however once you actually begin to consume the Citrix Workspace app you’ll understand exactly what I mean. Citrix Workspace app is for me all about an experience, and that experience is extraordinarily AWESOME! As I begin consuming my LOB (Line of Business) tools wherever I am + want and in a setting/context that suites me (home, Paddington vs. partner offices, trains, taxi e.t.c) the chosen LOB tool delivered context can change dependant upon criteria (I won’t be covering this today) or how IT (say YES!) has chosen to deliver the LOB tool through Citrix Access Control Service – https://docs.citrix.com/en-us/citrix-cloud/access-control/get-started.html.

I now have all my content available all in the same AWESOME app thank you Citrix Content & Collaboration aka ShareFile. I can upload, download and even favourite particular content e.g “L-J’s H1/2 Citrix Partner Tech Super Deck” which is then available directly from the home view/tab. In the below example I am uploading the LeasePlan Citrix SD-WAN case study – https://www.citrix.co.uk/customers/leaseplan-en.html and the actual video is available at – https://www.youtube.com/watch?v=4Hq-yryxfS0 take a look and remember to listen to the outcomes Citrix SD-WAN provides LeasePlan.

How do I get started today?
Firstly I will do a more detail blog post on getting it all up and running with use cases time dependant of course.

1.Start by navigating to https://docs.citrix.com/en-us/citrix-workspace-app.html and then goto Citrix.com and login with your access details, next navigate to https://www.citrix.com/downloads/workspace-app/ and download Citrix Workspace app for your chosen end-point. If you are running a TP of Citrix Workspace app code base please UNINSTALL it prior to installing the GA production code base as a few community individuals I know had issues upgrading from TP code base. I would like to state for the record I upgraded from PRODUCTION Citrix Receiver to the Citrix Workspace app for Mac 1808 on my Mac without ANY issues see below tweet.

2. Please carefully read the System Requirements for your chosen platform here is the link for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/system-requirements.html and Windows https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/system-requirements.html.

3. Review the installation guidance for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/install-configure.html and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/install.html.

4. Please carefully read the configuration of Workspace app for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/configure.html
and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/install.html e.t.c. for other platform and if you are looking for multi-monitor support or Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/improve-user-experience.html#using-multiple-monitors for Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/improve.html#multi-monitor-support, and securing communications between Workspace app and your StoreFront for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/secure-communications.html and Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/secure-communication.html (Pay attention to deprecated cipher suites node) and finally if your are you a Smart Card user pay attention to the recitations at the bottom of both docs for Mac – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/requirements-for-smartcard-authentication.html and for Windows – https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/authentication/config-smart-card.html and for WIF 5.4 (yes I know really however some of you still may need it while your upgrading to XAD 7.x platform) https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/secure-communication/config-smart-card–for-web-interface.html.

5. Sign-up vs. Login to Citrix Cloud today and trial vs. acquire a Citrix Cloud service e.g ShareFile Service or the XAD Service and if you want to aggregate on-premises LOB apps into the new Citrix Workspace experience then setup “Site Aggregation” today. To learn how please read this CTXS blog post and watch the embedded YouTUBE video which provides a how-to overview at – https://www.citrix.com/blogs/2018/08/03/site-aggregation-for-citrix-workspace-is-now-ga/.

Thats all folks for now on the technical overview its brief I know so I will follow-up in future with more detailed overview + how-to e.t.c either here or on the https://www.mycugc.org website in the experts area.

Upgrading to Citrix Workspace from Citrix Receiver for smart devices

In Closing
I work for Citrix, I have been a Citrix + IaaS advocate for well over a decade (now SD-WAN swell) so I am mostly likely bias you’ll think however Citrix Workspace app is truly AWESOME and way more than what you see at a glance, I encourage you all to begin consuming it today to see for yourself just what I am talking about and why I personally say its “AWESOME“.

How-to Deploy Citrix XenMobile Server 10.7

The following content is a brief and unofficial prerequisites guide to setup, configure and deploy Citrix XenMobile Server (XMS) 10.7 on-premises prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
NETSCALER – ns
XENMOBILE DEVICE MANAGER – xdm
XENMOBILR APPCONTROLLER – xac
XENMOBILE NETSCALER CONNECTOR – xnc
XENMOBILE MAIL MANAGER – xmm
WINDOWS – win
MOBILE DEVICE EXPERIENCE – mdx
REAL-TIME – r-t
MICRO VIRTUAL PRIVATE NETWORK – mvpn
FIREWALL – f/w
ACCESS CONTROL LISTS – acl
APPLE PUSH NOTIFICATION SERVICE – apns
UNIFIED ENDPOINT MANAGEMEMNT – uem
MOBILE DEVICE MANAGEMENT – mdm
MOBILE APPLICATION MANAGEMENT – mam
MOBILE CONTENT MANAGEMENT – mcm
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
ACTIVE DIRECTORY – ad
TRUSTED NETWORK – tru
FIRST TIME USER EXPERIENCE – FTU

Author Note
Please be aware that I published this article today 19/02/2018 but it should be considered evergreen until I remove this section thank you.

Introduction
This is going to be one of the longest posts that I am about to write so come back from the moment its published over Feb/March/April 2018 as I will most likely be making adds/moves/changes. This blog post serves to provide the most right vs. relevant information to help you better understand how-to deploy the current Citrix XenMobile on-premises server which is 10.7.x.n as of February 2018. I will be writing a follow-up blog post on deploying the XenMobile Service powered by Citrix Cloud – https://citrix.cloud.com/ in due course.

What is XenMobile?
XenMobile is a complete UEM or MEM via https://twitter.com/JJVLebon (mobility) solution for managing apps, data, and devices from a single unified platform with MDM & MAM (mobile apps cut, copy & paste) policies, automated actions for enrolled (supported platforms) devices that will keep employees safe, secure and productive on vs. offline enabling them to work on there own terms.

Preparation & Initial Guidance
I was one of the first set of individuals to pass the very first Citrix Certified Professional – Mobility (CCP-M) exam for XenMobile 9.x.n while at Citrix Summit in Jan 2014. Now that was one very tough exam as you needed to know Citrix NetScaler, XenMobile NetScaler Connector, (ZenPrise) XenMobile Device Manager, StoreFront, Citrix Mail Manager, Citrix AppController, ShareFile Control Plane and of course StorageZones. Its Fen 2018 and its still equally a tough exam to pass even though the XDM + XAC where merged into a virtual appliance now called the XenMobile Server (XMS).

If you have not deployed a mobility solution in the past or your an expert you’ll agree most likely that mobility or UEM/MEM is complex and is consistency changing with new devices, OS upgrades along with new vs. deprecated vs. behavioural changes to MDM APIs, app updates, push API’s vs. MDM platform + vendor signing of certificates and finally oh yes all those MDM ports that you need configured correctly through-out your organisations Wi-Fi network and so the list continues on and on….

In principle when preparing to deploy any mobility solution regardless of vendor, preparation is of paramount important to be successfully. The below is list of how I personally prepare for a mobility PoC for XenMobile on-premises (yes we at Citrix are cloud first and I live IaaS so I’ll be writing another post on deploy a XenMobile Service PoC in the future):

– Start by reading the XenMobile Security Whitepaper – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security-understanding-the-technology-used-by-xenmobile.pdf. This will provide a great insight into our XenMobile, FIPS compliance, how SSL VPN or mVPN for MDX enabled apps behaviour and so much more, that is definitely worth your time!
Configure the XMS with a public routable FQDN and NOT an IP addr if you intend to manage devices externally via the internet vs. internally over corporate Wi-Fi and if your enabling the self-help portal for personal management.
– Utilise the PostgreSQL database option for a PoC’s (up to 100 devices) however this will mean that you need to redeploy the XMS using a remote SQL database for PROD environments as you’ll most likely want to have your XMS v/a in a cluster for high-avaiability. NOTE: Do not pre-create a MS SQL database allow the XMS v/a to create your MS SQL database against the SQL server during the initial setup process when performing the initial FTU within the XMS CLI.
– Utilise local v6 licensing on the XMS v/a for a PoC’s but again for PROD utilise a remote Citrix licensing server which is 100% required to support a XMS Cluster as the XMS v/a are stateless with all the configuration held within the remote Microsoft SQL database.

TIP: You’ll need to active your XenMobile licenses from the available list when configuring the remote v6 license server prior to continuing!

– Create separate mobility admin mailboxes to then be used to create accounts with Apple, Google & Microsoft so that everyone has access to create, sign and revoke MDM push certificates vs. push API’s like FireBase.
– Deciding where to generate all of CSRs for all of your mobility + XMS + NS certs is quiet important not just for the initial PoC but thinking 12 months out when the cert begin to expire where did I generate those certs from now to begin the re-signing process hmmm….??? I prefer in my home lab to generate and renew all my certs on WDC but many SE’s I know will use NetScaler for this and the point I am making is that it does not matter BUT centralise and document the process, passwords e.t.c
– Setup a calendar invite vs. trigger in your choosen support platform to notify the mobility admin mailbox to alert you every 11 months to renew all your certs otherwise you’ll break your MDM deployment e.g no devices under mgmt anymore this applies to ANY MDM vendor to be 100% clear!
– Dont assume that one individual should be deploying the XenMobile (any mobility) PoC themselves as in my experience unless your 100% comfortable with networking, ACLs, SQL DBs, gateways. To be honest most often its 3 people from within the IT team for high security organisation its double I find. Typically the 3 people are the Citrix Admin whom will require help & support from a networking (f/w dude:-)) or netscaler admin and then the SQL guru.
– I typically advise partners and customers to focus and agree on 2x mobile devices and a defined list of UEM policies to configure for testing in the PoC against there use case(s).
– Ensure that all your required ports are opened up correctly in vs. outbound (internet <-> edge <-> dmx <-> tru).
– DO NOT USE A PROD NetScaler deploy a new and fresh NetScaler VPX for your XenMobile (Service) PoC on-premsies vs. your chosen resource location.
If you are intending to MDX wrap or enlighten your iOS – https://developer.apple.com/programs/enterprise/ and Android mobile apps then I’d suggest that you sign-up for the required developer accounts well in advance as some customers & partners have experienced delays up to 1-8 weeks. You have been warned and also ensure that you understand the rules around these dev accounts!
– Disable the ability to perform a Full Wipe of the enrolled devices (in particular for BYO scenarios you don’t want a lawsuit!) or if your not bothered and you would like to test this capability then I’d suggest that you only use new mobile devices that contain no corporate vs. personal content + data during the PoC. Finally my own personal leading best practise is to setup RBAC for mobility admins and remove the full wipe capability completely! πŸ™‚
– Screen record the PoC deployment e.g GoToMeeting so if you make a mistake you can review the recording to understand what you misconfigured and most importantly where on the NetScaler vs. XMS e.t.c is was that the mistake occurred.
– If your not going to utilise a public CA signed certificates (Strongly Preferred) as your deploying the XMS v/a in your home lab only, then when exporting your cert from your Enterprise CA export using the Base64 format and then export as a full chained PFX format cert.
– Deploy the XMS v/a first and attempt to enrol your chosen mobile device(s) and remember those MDM ports you’ll need to make sure they are available over your corporate wifi including the over air enrolment port especially for Apple iOS devices otherwise your MDM enrolment will fail so you’ll be defaulted to only been able to enrol your device for MAM only e.g Secure MDX enlighten mobile apps
– The XMS mgmt. Web UI for administration is restricted from the internet as the mgmt. web UI is only accessible over https://XMS:4443 which is not part of the XM 10 wizard as of e.g NSG 10.5-55.8+ for security harden purposes (double check eDocs to be safe!). This often leads to Mobility/Citrix Admins thinking that they have misconfigured the wizard on the NetScaler when in fact it most likely is your connecting connection on https://XMS-vip:4443 via the VIP owned by the NetScaler but if you connect directly to the XMS’s configured IP addr via https://XMS-direct:4443 you’ll be able to access the XMS Admin Web UI.
– SuGgEsTeD personal tip utilise Mozilla Firefox for configuring and managing your XMS v/a for me it works the best!
– Ensure that all users/admins have first, last name & e-mail addr fields populated in AD prior to any enrolment otherwise they will receive an error e.g β€œInvalid user for SSO” when users attempt to sign-on.

Pre-requisites & System Requirements
The currently available XMS v/a as of writing this blog article is 10.7.x.n which is where these system requirements have been obtained from dated Feb 2018 – https://docs.citrix.com/en-us/xenmobile/server/system-requirements.html.

Trial Licensing for On-Premsies Only
Citrix Customer Evaluation licenses can be obtained at – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700 if you are having trouble please contact your local Citrix representative vs. partner for assistance and guidance.

Supported Devices
https://docs.citrix.com/en-us/xenmobile/server/system-requirements/supported-device-platforms.html

Certificates
– APNs see below
– SSL Listener used for HTTPS traffic communication e.g like securing your web server with https

AD/LDAP
– Open up 389 between the XMS v/a(s) and your AD server in your trusted network, you can optionally configure secure AD/LDAP on 636 but you will required extra certs for this configuration and its well documented in Citrix eDocs vs. obviously I believe.
– Windows service account for XMS v/a(s) to query AD/LDAP

NetScaler (Unified) Gateway
– Versions 10.5.x.n, 11.0.x.n, 11.1.x.n and 12.x.n (My current preferred firmware release now)
– 2vGPU, 4GB of RAM and 20GB available storage for HDD
– On-premises Hypervisors include XenServer 6.5 or 7.x.n; VMware ESXi 4.1, ESXi 5.1, ESXi 5.5, ESXi 6.0; Hyper-V Windows Server 2008 R2/2012/2012 R2
– Cloud Hypervisors include Azure (ARM is preferred); AWS EC2 not supported for XenMobile.
– NetScaler service account I’d advise against the default which is nsroot:nsroot slightly obvious but I see this time and again can you believe it!!!!
– AD/LDAP service account that is utilised to check validate and authenticate users against your organisations AD/LDAP.
– IP addressing (Please please please pay attention)

1x private static IP addr that is used for the NetScalers IP Addr (NSIP)

1x private static routable IP addr between your DMZ <-> TRU which is referred to a the NetScalers Subnet IP Addr (SNIP)

1x private static IP addr that is used for the XMS

1x public internet routable FQDN e.g uem.axendatacentre.com with 1x public static internet routable IP addr that resolves to 1x private static IP addr in your DMZ that are owned by the NetScaler.

1x public internet routable FQDN e.g mam.axendatacentre.com with 1x public static internet routable IP addr that resolves to 2x private static IP addrs in your DMZ that are owned by the NetScaler one for direct NAT and the other one is for *L/B of the MAM traffic.

Internet DMZ – NetScaler + XMS TRU
nug01 (NetScaler V/A) <-> NSIP 10.1.0.5
SNIP 10.1.0.100
uem.axendatacentre.com <-> 81.x.x.1 10.1.0.20 <-> UEM Listener on XMS
mam.axendatacentre.com <-> 81.x.x.2 10.1.0.21 + *10.1.0.22 <-> MAM Listener on XMS
uem.axendatacentre.com (XMS V/A) <-> 10.1.0.99

SUMMARY
Total private IP addrs required are 6x.
Total public static internet routable IP addrs required are 2x.
Total public internet routable FQDNs 2x.

MDM Certificates for Apple and Firebase Cloud Messaging (FGM) with Android for Mobile Notification Service Capabilities

Apple
Apple’s APNs Certificates portal is accessible at – https://identity.apple.com/pushcert, if you like a technical overview of how APNs works check out Apples developer documentation on the subject at – https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1 its quiet extensive and in-depth.

1. Create an organisation Apple ID at – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId
2. Generate your a CSR on NetScaler – https://support.citrix.com/article/CTX211887 or on a Windows Server e.g WDC using e.g IIS NOTE: Please use 2048 cipher encryption for the cert.
3. Navigate to https://xenmobiletools.citrix.com/ and sign in where prompted with your Citrix.com partner access details.
4. Follow the onscreen process for signing your XenMobile APNS CSR which will return a *.plist file.
5. Login to and upload your CSR to the APNS portal at – https://identity.apple.com/pushcert/ by following the onscreen process.
6. Download the generated *.pem file from the APNS portal to the Windows server that you initially created the CSR on.
7. Import the *.pem file into IIS using the complete a CSR response and specfic a friendly name. NOTE: Optional Import Apples Certificates (*.cer, *.crl) from – http://www.apple.com/certificateauthority/ also see http://support.apple.com/kb/ht5012
8. Export the imported certifcate as a *.pfx and specifiying a password. Note: DO NOT FORGET the password.
9. When prompted during the XMS configuration of the WebUI rememeber to enter the your chosen password and import it’s a keystore -> pfx format and select aPNS as the cert type.

Citrix provides a more detailed how-to and overview at – https://docs.citrix.com/en-us/xenmobile/server/authentication/apns.html.

Firebase Cloud Messaging (FCM)
Google or FireBase Cloud Messaging (GCM or FCM) enables push capabilities for Android vs. implement during enrolment an “Active poll period policy” for the Android handset to check back into the XMS to receive new policies, apps, check compliance e.t.c. Finally note that if you do any research FCM https://firebase.google.com/docs/cloud-messaging/ is the natural evolution of GCM platform, so think FireBase first for Android :-).

1. Create a organisation Google Developer account at – https://console.firebase.google.com/?pli=1, if your keen to understand how it works visit the XenMobile eDocs web page for Firebase at – https://docs.citrix.com/en-us/xenmobile/server/provision-devices/google-cloud-messaging.html.
2. The process to create the push capabilities is in my personal view way easier than APNs as all you need to do is generate an “API Key” and “Sender ID” which is then stored on the XMS at “Settings – > Google Cloud Messaging“. Visit the above URL to learn how to implement Firebase.
3. Please pay attention to the Firebase XenMobile diagram in the above eDocs link which includes the following Firebase ports 5228, 5229 and 5230 between the enrolled XenMobile handset and the GCM platform. Why is this important well these ports will beed to made available from the corporate network outbound like APNs to enable enrolment from within the corporate enterprise or high security environments otherwise you will need to enrol over 3/4G or via home/guest Wi-Fi.

Deploying the XMS v/a
Before you even attempt to begin I’d strongly advise you to read and or print out the following webpage via Citrix eDocs – *https://docs.citrix.com/en-us/xenmobile/server/install-configure.html which contains a Preinstallation checklist and deployment flowchart. My goal in this section to provide some context with some of the deployment options during the initial configuration of the XMS v/a, you can refer to * for full installation instructions.

1. Download the current XMS 10.7.x.n+ v/a from – https://www.citrix.com/downloads/.
2. Unzip the v/a and upload it to e.g Citrix XenServer 7.1 LTSR via XenCenter or you could use any other Citrix supported on-premises hypervisor. Once successfully uploaded check that your v/a has the minimum required computed requirements 2-4vCPU and 4-8GB of RAM assigned (increase to MAX if 10 or more users in the PoC as its all about the experience but for home lab purposes I utilise 2vCPU and 4GB of RAM as I only have 3 devices connected.
3. Start the XMS v/a via XenCenter it will take longer to boot-up if you have assigned the bare min compute resources and if your underlying storage is (shared) HDD based.
4. Once the XMS v/a has started decide if you are intending to create a XMS h/a cluster this is so that you select the correct options during there FTU, otherwise you will need to redeploy the XMS v/a and start all over. Notes:

4.1 – The CLI uses admin while the Admin account used for the Web UI uses administrator, also be aware they are LOWER CASE!
4.2 – Nothing appears when typing in select inputs.

5. Enter in a strong suitable passwd
6. Next you are promoted for network settings the IP addr will be e.g 10.1.0.99 as per my text diagram above.
7. Next your asked about an “Encrypting Phrase” most people select “y” to randomise it however you’ll never know what it is, nor can you obtain file to read it! If you are considering deploying a cluster of XMS v/a for H/A then most individuals will select “n” and create there own “encryption passphrase“.
8. I currently at the moment will not provide any context on FIPS so I will differ to https://docs.citrix.com/en-us/xenmobile/server/install-configure/fips.html#par_anchortitle_8dcb for configuration options otherwise this blog will get out of hand. I will do a follow-up or adjustment to this post in the future to cover FIPS in greater detail.
9. Next your asked about configuring a database for the v/a to store configuration information. The “l – Local” option will enable PostgreSQL which is now only supported for customer PoC’s while historically prior to Citrix acquiring ZenPrise is was a supported configuration but that was 5+ years ago under XDM, so be 100% clear PostgreSQL is for PoCs ONLY with a XMS v/a! It is also NOT supported with XMS clusters as the v/a’s are stateless relying on the SQL database for configuration information e.g users, policies, delivery groups e.t.c so you require a “r – Remote” SQL database.

TIP:

9.1 – Let the first XMS v/a that you configure as part of the your XMS cluster create the required XM database itself DO NOT pre-populate a database name on your MS SQL database cluster vs. server!
9.2 – If you select to enable XMS clustering you will need to enable port 80 within the XMS f/w ACL and do this BEFORE performing a clone to create your XMS cluster. Also in high security environments remember to include in your submitted ACL to allow the XMS v/a’s to communicate over TCP port 80 to enable R-T comms between all v/a members within the cluster.
9.3 – Finally Citrix does NOT support DB migration e.g PoC to UAT-PROD environments.

10. The most important step that I often see vs. hear vs. receive requests about is what do I type in for the “XenMobile hostname”? Please type in the fully qualified and internet routable FQDN e.g uem.axendatacentre.com, what does this mean? It means that if your where to type in uem.axendatacentre.com on your device that you reading this blog post inside the corporate file or at home it is reachable. Please do not type in e.g xms01 and then internal vs. external DNS entries are entered in for uem.axendatacentre.com to xms01 this will NOT work properly and devices will NOT enrolling you have been warned! If you do this you will beed to START all over with a fresh XMS v/a!
11. For the XMS comm port requirements i.e the v/a communicates with the users (SHP) and devices (UEM or MDM/MAM) it is perfecting fine to accept the defaults ports here unless you a high security organisation + e.g Bank, Government agency e.t.c and want to further harden yourself however remember the most complexity you add e.g changing ports here will mean that you will need to adjust the auto defined ports on the NetScaler if you do the XenMobile Wizard on the NetScaler v/a.
12. Skip the upgrading from a previous XMS version as its a PoC
13. Next we get to the Public Key Infrastructure (PKI) which I’d prefer to configure configure all the certs with the same passwd or pass phrase or you can define a different passwd or pass phrase for each of the four certs (root, intermediate for device enrolment, intermediate for SSL cert and finally an SSL for your connectors +. Finally you’ll require the eXaCt passwd(s) for an XMS v/a within your h/a cluster.
14. Finally now create a passwd for the default “administrator” account. I would personally as my own leading best practise make the CLI admin vs. Web UI administrator passwords different for security purposes as one member of the team maybe the hypervisor admin whom does all the CLI stuff aswell while the Mobility admin handles all the logical configuration via the Web UI administrator account.

TIP:

14.1 – Make both admin, administrator passwords random and securely store them BUT separately from one another. Setup and assign AD domain admins security group as FULL Administrators of the XMS v/a via RBAC – https://docs.citrix.com/en-us/xenmobile/server/users/rbac-roles-and-permissions.html.

15. Once you select “Return” to above set the initial configuration is stored and you are prompted to upgrade from a previous release please select “n” which is also the default! The XMS v/a will stop and start the app and once its completed the you see a FQDN e.g https://10.1.0.99:4443/ this now indicates that you can complete the Web UI part of the XMS v/a setup and configuration. Note this can take up to 5-7 mins dependant upon how much vCPU, RAM that you assigned to the v/a and if your on SSD vs. HDD storage this will speed up the process naturally.
16. The biggest mistake Mobility/Citrix Admins makes with XenMobile is that when they attempt to access and configure the Web UI part of the setup they will typically access it via the NetScaler owned VIP for uem.axendatacentre.com <-> 81.x.x.1 <-> 10.1.0.20 when they should be accessing the direct IP addr of the XMS v/a <-> 10.1.0.99. Most individual do this to test there NetScaler setup, please DO NOT setup the NetScaler do it after you have setup the XMS v/a. Finally the reason you can’t connect to the Web Admin UI via the NS VIP e.g https://uem.axendatacentre.com:4443 either internally or externally is that the NS disables 4443 via the VIP to harden and protect the Web Admin UI from the Internet so you’ll need to connect to the direct XMS v/a <-> 10.1.0.99 IP addr on https://10.1.0.9:4443. Once your at the login prompt of the Web UI type username “administrator” and your chosen passwd and “Sign-in” and the “Get Started page” appears only once to complete the Admin Web UI part of the XMS v/a setup and configuration.
17. The first web page provides an overview of the available licensing configuration options, for a PoC or if its your first time using XenMobile then I’d suggest that you utilise the built-in 30 day evaluation license to give you time better understand how to configure XenMobile so that you can enforce the required UEM policies against devices vs. (MDX) apps. If you intend to deploy a XMS h/a cluster then like the XMS database you’ll need to setup or make use of your existing remote v6 Citrix licensing server however IMPORTANT make sure that this lic server version meets the minimum release requirements of 11.12 for 10.7.x.n XMS firmware/release version. If you choose to use the 30 day trial LOCAL license servers on XMS and now wish to use a REMOTE lic server then please refer to https://docs.citrix.com/en-us/xenmobile/server/system-requirements/licensing.html. I would also suggest to test from each XMS v/a(s) within your cluster that you can successful connect to the remote v6 lic server which is available under the Wrench icon -> Licensing.
18. Next its cert mgmt. and a word of caution as this catches everyone out is that after uploading any certs reboot the XMS v/a(s) is required in order for the new certs to bound to the SSL listener interfaces and the existing ones to be unbind! You’ll need at this point your APNs and SSL certs for e.g uem.axendatacentre.com to upload the XMS v/a when importing your certs follow:

SSL Listener
Import: Keystore
Keystore Type: PKCS#12
Use as: APNs and or SSL Listener
Keystore file: Password: *********
Description: Date uploaded and what is it? APNs vs. SSL listener?

For in-depth information on Cert types and how-to’s for XenMobile check out – https://docs.citrix.com/en-us/xenmobile/server/authentication/client-certificate.html which includes guides on configuring PKI Entities, certificate-based authentication for SecureMai and finally NS cert delivery in XenMobile.
19. NUG

Wrench icon -> NetScaler Gateway
Authentication: ON (default)
Deliver user certificate for authentication: OFF (default)
Credential Provider: (default)

Select “Add”

Name: NUG
Alias: (default)
External URL: https://mam.axendatacentre.com
Logon Type: Domain only (default)
Password Required: OFF (default)
Export Configuration Script: Allows you to download conf bundle to upload to NUG to configure XenMobile. I prefer to do this manually myself.

Select “Save”

Next add the following to your NetScaler Gateway configuration on the XMS.

^Callback URL: FQDN to verify that the request originated from NetScaler Gateway BUT make sure the callback URL resolves to an IP addr that is reachable by the XMS v/a(s)
^Virtual IP: 10.1.0.21 (See text diagram above in HTML table format)

^ These settings are optional.

20. Next your promoted to setup your AD binding I always prefer using an FQDN vs. IP Addr here as IP addr’s can change however FQDN’s typically don’t otherwise a lot of things in your environment will break.

AD Binding
FQDN: ldap.axendatacentre.com
Port: 389 (Leave defaults unless changed within high security environments)
Domain name: axendatacentre.com
User Base DN: ou=Users,dc=axendatacentre,dc=com (I am just using the AD default location of the Users OU here when you would have setup AD so configure to meet your organisations default OU location of Users)
Group Base DN: cn=Users,dc=axendatacentre,dc=com
User ID: XMS AD service account used to query your AD e.g xms@axendatacentre.com
Password: *****
Domain Alias: axendatacentre.com (yours maybe different)
XenMobile Lockout Limit: 0 (default)
XenMobile Lockout Time: 1 (default)
Global Catalog TCP Port: 3268 (default)
Global Catalog Root Context: (default)
User search by: userPrincipalName (preferred for the modern world)
Use secure connection: (default)

21. Final configuration you’ll need to do is to setup XMS notifications – https://docs.citrix.com/en-us/xenmobile/server/users/notifications.html which is required for things like bulk enrolment (users e-mail addr must be in AD field), communicating with users when automated actions are configured and users have violated your organisations UEM strategy.
22. Now please logout of the Web Admin UI and log back into the XMS CLI via your chosen hypervisor and follow the below instructions to reboot your XMS v/a

Reboot XMS v/a
– Select “[2] System”
– Select “[10] Restart server”
– Select “Y”

Your XMS v/a will begin to restart and once it is successfully rebooted navigate to the XMS v/a direct FQDN https://uem.axendatacentre.com or IP addr and check that the HTTPS cert status in your internet browser to ensure that it is no longer self-assigned by the XMS v/a but matches your uploaded SSL cert bound the SSL Listener.

Fronting your XMS with a NetScaler v/a

1. Coming… but in the interim start with https://docs.citrix.com/en-us/xenmobile/server/authentication/netscaler-gateway-and-xenmobile.html.

Troubleshooting & Leading Best Practises
1. Citrix provides a XenMobile tools platform available at – https://xenmobiletools.citrix.com and also be sure to please refer to XenMobile compatibility documentation – https://docs.citrix.com/en-us/xenmobile/server/system-requirements/compatibility.html for compatibility of devices vs. MDX apps + release versions.
2. Users receive Profile Installation Failed The server certificate for β€œhttps://XM-FQDN:8443” is invalid when enrolling a device against XenMobile when using iOS devices. I have personally have not seen this issue occur again for quiet some time but I thought its worth including encase it reappears in the future. So what causes this issue? It is to do with the private key of your *.p12 or *.pfx full chained SSL/TLS cert and appears to only occur when exporting your cert from a new CSR on a Windows OS. To resolve the issue I’d suggest that you download, extract and run the DigiCert Certificate Utility available at – https://www.digicert.com/util/ on the originating windows server that you generated your CSR on for tier XMS v/a for your SSL Listener cert e.g HTTPS. Next follow the guide available from Digicert at – https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm to help you find and export your XMS v/a HTTPS cert correctly (advise to use TEST feature button before export) and re-upload it to the XMS v/a and remember to REBOOT the XMS v/a(s) when you change any certs on the XMS v/a(s)!!! You should now be able to begin re-enrolling your devices BUT I would strongly advise to remove any MDM certs via Settings in iOS and then delete SecureHub and re-download it and now the enrolment error messages should no longer appear to your users while enrolling there iOS devices.

2017 UKI #CitrixPartnerLove Challenge #7 Stop the Difference

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at https://t.co/nqooPlWElw to print.

2017 UKI #CitrixPartnerLove Challenge #6 Traffic Flows

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at https://lnkd.in/dN74-97 to print.

My Best of #CitrixSynergy 2017

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
CITRIX USER GROUP COMMUNITY – cugc
HYPER CONVERGED INFRASTRUCTURE – hci

Introduction
Its my 5th #CitrixSynergy and this is def one of the best Synergy’s I have ever had the privilege of watching virtually from London, England. Why not in person? I prefer to watch virtually as I am to consume more content faster and translate that into content to update Citrix partners/customers in a timely manner at high level and tech deep dive where required in particular areas or topics. Finally this blog post will most likely change over the next 2-3 weeks as I consume all of the Synergy 2017 content as when/how I can.

My Highlights of the Key Notes
Vision Keynote

– 4:45 Citrix User Group Community – https://www.mycugc.org THANK YOU! Join the community today its powered by some of the most passionate Citrix and Technology advocates from around the global!
– 11:00 Red Bull Racing I’m not going to say anything you need to watch it!
– 21:45 Cloud powers the world
– 27:00 Digital Frontier Companies
– 39:00 Citrix Secure Digital Workspace with a software-defined preimeter
– 40:57 Citrix Workspace Services and a brief demonstration by Citrix’s CEO
– 42:25 SD-WAN / Gateway / WebApp Firewall / DDoS (NS 12+) as a Service
– 47:35 Citrix Analytics Service
– 1:01:00 “Better Together” and video message from Microsoft CEO Satya Nadella
– 1:12:25 Citrix + Google Chromebook (Skype for Business, Office365 and much more…)
– 1:18:00 Healthcare customer story “Partners Healthcare”

Technology Keynote

– 22:00 Unified Workspace (its Adaptive and Contextual by device/location and it changes the users published resources and its access type!) which brings together some of the most crucial aspects of todays modern apps, desktops, data & your location in a single view with casting capabilities but not demoed as instead instead*
– 29:00 *Workspace IoT (SmartSpaces) demonstration with a users own mobile phone enables an auto login to a Win 10 VD at guest location including welcoming the user based upon his/her smart phone used as there identity. Security people feel free or you will be going nuts right now!
– 32:30 Its all about layering you guessed it Citrix App Layer enabling IT to say YES! Note demo was demoed using a Samsung DEX check it out – https://www.citrix.com/blogs/2017/03/29/instant-desktop-computing-from-the-new-samsung-galaxy-s8-smartphone/
– 39:40 Workspace Appliance Program e.g HCI
– 42:35 Protect against Zero day attacks with XenServer and BitDefender which is available but is something which Citrix announced on 21/06/2016 yes thats right 2016 entitled “A Revolutionary Approach to Advanced Malware Protection” – https://www.citrix.com/blogs/2016/06/21/a-revolutionary-approach-to-advanced-malware-protection/ 21/06/2016 yes 2016!
– 47:00 Brad Anderson Corporate Vice President of the Enterprise Client & Mobility @Microsoft discusses shortly and then prefers to demonstrates our joint Citrix + Microsoft “Better Together” capabilities in Mobility, Virtualisation delivery from Azure and more.
– 1:01:38 Digital Jungle discussion its def worth your time if you about security and managing the experiences of your users workspace!
– 1:47:25 Vision of how the Digital Workspace is going to evolve

Citrix Synergy TV Breakout Sessions
The following are my current top sessions to watch in no particular order that I believe you’ll gain a lot of value out of watching BUT note that this may change as I continue to consume more of the on-demand content from Synergy 2017.

– SYN318 A to Z: best practices for delivering XenApp, XenDesktop – https://www.youtube.com/watch?v=jnnZTKBy18c&feature=youtu.be

– SYN111 – What’s new with Citrix Cloud and what’s to come – https://www.youtube.com/watch?v=C-UunHGKqLY

– SYN120 – NetScaler SD-WAN updates – https://www.youtube.com/watch?v=CdqIkCb86uU

– SYN103 – Citrix App Layering – https://www.youtube.com/watch?v=KBYoVeAYnSA

– SYN118 – What’s new with NetScaler ADC – https://www.youtube.com/watch?v=uMefjGwRMeU

– SYN121 – What’s new with NetScaler Unified Gateway – https://www.youtube.com/watch?v=-ovb4TIb5JY&t=28s

– SYN115 – Why should I use ShareFile if I already have Office 365? – https://www.youtube.com/watch?v=kESgKT7_mJw

Innovation Super Session
Awaiting for the on-demand video publication but for now I will leave you with the following Tweet as a thought or rather a reminder to make sure that you watch it if you missed it!

Synergy 2017 Advocates Blog Posts
Citrix Synergy 2017 – It’s a Wrap – See all the most important announcements listed here! By Christiaan Brinkhoff. – https://blog.infrashare.net/2017/05/29/citrix-synergy-2017-its-a-wrap-see-all-the-most-important-announcements-listed-here/

Deploy XenApp 7.x in AWS EC2 with PoC Leading Best Practises (Draft)

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops from AWS EC2 – https://aws.amazon.com powered by XenApp & XenDesktop 7.13+ & 7.15 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Minor updates include links 7.15 LTSR and not just 7.13 as of 30/12/2018

Shortened Names
LOCAL HOST CACHE – lhc
XENAPP – xa
WINDOWS – win
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hex
VIRTUAL APPS – va
VIRTUAL DESKTOP – vd
SERVER – srv
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
DATA TRANSPORT LAYER – eat
FIREWALL – f/w
ACCESS CONTROL LISTS – all
INFRASTRUCTURE AS A SERVICE – iaas
IDENTITY & ACCESS MANAGEMENT – aim

Reader Notice: This blog post is NOT completely finished and some parts are in draft format! I will continue to update it through-out April/May 2017!

Sample Virtual Desktop from AWS powered by XenApp 7.x
In this example my VPC is in N.Virgina, USA hosting my Citrix XenApp 7.x workloads which are been delivered to me transatlantic to London, England thanks to the HDX.


Link to my original Tweet from 29/04/2016 at – https://twitter.com/lyndonjonmartin/status/726122016621891584 close to the delivery of a UKI Citrix partner enablement workshop on delivering XenApp 7.x PoC from AWS.

What is AWS EC2?
It’s a division with-in Amazon that sells IaaS to customers for consumption. AWS is incredibly simple in my personal view BUT equally at the very same time it’s also an exceptionally powerful Public (IaaS) Cloud platform! IT departments within organisations of all shapes and sizes have an equal capability with AWS’s elastic virtual data centre capacity to rapidly design and implement a VPC to setup, configure and deploy workspace workloads of their choice within a few hours or days dependant upon there IT’s dept’s delivery & execution skillsets. Typing into Google.co.uk “AWS first year” reveals AWS’s first year was 2006 thats now over a decade’s worth of experience, maturity and continued on-going development and innovation. Check out – https://en.wikipedia.org/wiki/Amazon_Web_Services#History or brief history lesson.

Concepts of AWS
Most of what I’ve described below is available on the AWS “Getting Started” web page at – http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/GetStarted.html so be sure to read through-it.

Virtual Private Cloud (VPC)
Think of this as a virtual datacentre that created onto of AWS IaaS which allows you to create virtual networks (IP addr ranges, subnets e.t.c), deploy VM instances of different sizes for your required workloads and storage accounts to facility your organisations needs and requirements to potential optimise workload delivery, experience or DR scenario’s.

VM Instances Types
AWS provides traditional VM’s that you’d typically assign compute, storage type to on-prem as pre-defined instance types that vary in size and capacity to meet virtually most organisations workspace requirements in AWS. For an up to date list please check out –
https://aws.amazon.com/ec2/instance-types/.

Security Groups
Think of these as your traditional or virtual f/w’s ACL’s BUT now assigned against VM instance(s) within your VPC either individually or in a group, to control what traffic type e.g ports vs. protocol are allowed in/outbound. Check out – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group which also covers the standard “Default Security Groups” within your VPC that you can utilise and modify for your PoC.

*Availability Zones
A logical representation of one or more data centres facilities in a city, state/province/county or even country.

*Regions
Simply put its a Geo area and they are isolated form other regions for H/A. In a Citrix world a simple example could be to think of multiple sites (London, Paris, Oslo all built to N+1) managed using FMA 7.7+ Zones (Primary and Satellite) for H/A for geo area.

* http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

Identity & Access Management (IAM)
This one is quiet important to understand if you want to deploy your PoC with MCS provisioned XA VDA workloads in AWS from a master VM instance like you would traditionally on-prem with XenServer, Hyper-V, Acropolis or vSphere. Setting up IAM enables/allows Studio to communicate with the AWS EC2 cloud hypervisor to provision your VM instances –
http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html from your master VM instance in your VPC(s). If your not interested in deploying MCS workloads then skip learning IAM for now BUT please come back to it as it’s equally important as Security Groups for Pilot, UAT and PROD workloads in AWS with(out) Citrix workloads.

Suggested PoC Architecture
I tweeted the image at – https://twitter.com/lyndonjonmartin/status/854809306629361669 (its not intended to be accurate!) if you want a high resolution copy. Its intended to provide a high level only PoC deployment overview of delivering virtual apps & desktops (server) from AWS EC2 using Citrix XenApp 7.15 fronted by NetScaler Unified Gateway and or you can utilise Citrix Smart Tools – https://www.citrix.com/products/citrix-cloud/services.html to deploy blueprint to stand up a XenApp PoC in AWS.

AWS & Citrix Pre-requisites, System Requirements
The following provides an brief and selective overview of standing up the bare min requirements to delivery Citrix secure workspace workloads from AWS.

0. Amazon Web Services (AWS) (cloud) hypervisor support – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/system-requirements.html#par_anchortitle_8a90Β & Β https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/system-requirements.html#hosts–virtualization-resources.
1. Sign-up for a AWS EC2 account at – https://console.aws.amazon.com it will redirect you to the default AWS login and sign-up web page. You will need a valid credit card that you own and be sure to read through AWS terms & conditions, UAP e.t.c.
2. Once your have signed-up select a EC2 region i typically utilise N.Virgina as I expense this myself and it also makes for good tests locations of my Citrix workloads when testing out legacy vs. current vs. the latest HDX (3D Pro) technologies & innovations transatlantic from the US too the London, England :-).
3. Now that you’ve chosen or decided upon your region you’ll need to deploy your VPC – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html you can make use of the default AWS VPC configurations which you can easily modify as required to meet the needs of your PoC.
4. Now create a e.g Citrix VAD β€œSecurity Group” which acts as a firewall ACL controlling which ports/protocols and traffic by *.* or IP range(s)* e.t.c are permitted in/out bound of your VPC to your VM instance(s) associated to this security group so that the delivery of virtual apps & desktops is possible from VM instances running the Server VDA’s.

Suggested example Traffic flow from the Internet to a Virtual App & Desktop delivered by an EC2 Instance

β—‰ – Untrusted network or public raw internet
β—‰ – DMZ or edge of a network, network/vnet or (network) security group depending on your network deployment choice
β—‰ – Trusted network or private secure network

WWW Internet Gateway Router VPC Availability Zone Security Group Network EC2 Instances
β—‰ β—‰ β—‰ β—‰ β—‰ β—‰ β—‰ β—‰

Suggested (Security Group – Mgmt. VM) Port Configuration for RDS access to your mgmt. VM running AD, DNS e.t.c

For this particular security group I’d strongly recommended that when you setup the security group you limit the access to a single IP addr or range that you know and trust RDS access to come from to your mgmt. VM sat in your VPC.

Protocol Port Inbound Outbound Internal VPC
TCP: SSH PuTTY (NS Mgmt. only) 22 βœ– βœ– βœ“
TCP: HTTP (Internal Communication) 80 βœ– βœ– βœ“
TCP: RDP/RDS 3389 * * βœ“

Suggested (Security Group – Citrix VAD) Port Configuration for Citrix Workloads to the World

The following table is actually more about the required TCP/UD Ports and dependant upon your deployment approach e.g with(out) a L2L IPSec VPN tunnel vs. NetScaler Unified Gateway i’ve decided for this section most of it available with the exception of a few which are a no no for external inbound access.

Warning once again caution this table ONLY represents primary PORTS typically required in a PoC and does not imply that you should use this as your ACL for your AWS security groups as you requirements for your particular PoC use case may differ from organisation to organisation! For a complete list of the ports and what they do please ref to http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/technical-overview/default-network-ports.htmlΒ & https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/technical-overview/default-network-ports.htmlΒ  .

Protocol Port Inbound Outbound Internal VPC
TCP: HTTPS (TLS) 443 * * βœ“
UDP: HTTPS (TLS) 443 * * βœ“
TCP: ICA/HDX Thinwire 1494 * * βœ“
UDP: ICA/HDX EDT or Framehawk 1494 * * βœ“
TCP: Session Reliability 2598 * * βœ“
UDP: Session Reliability for EDT only 2598 * * βœ“
UDP: HDX RealTime e.g Skype for Business 16500-16509 * * βœ“

5. Lunch an NEW single instance from the EC2 dashboard under β€œCreate Instance” this will be your mgmt. VM “wdc01” for the PoC and AWS will guide you through the deployment process (wizard).
6. Select your VM instance type to be deployed in your default or custom VPC and a suggested example instance type to utilise could be a AWS “t2.medium” instance type. You can find a complete list available at – https://aws.amazon.com/ec2/instance-types/.
6. Assign the default storage or increase and you can add another HDD later.
7. Assign the RDS mgmt. security group ensuring that RDS is enabled to connect to your mgmt VM.
8. Allow the VM to provision typically up to 5 minutes (depends on time of day, location of your VPC) then decrypt the passwd
9. Login and utilise this as your mgmt. VM and install the following suggested roles e.g AD, DNS and CA (Optional) as a bare minimum once you’ve assigned it an internal private static IP addr prior to installing and configuring.
10. Check a folder called e.g “Share” on C:\ and enable file sharing to this folder for your domain admin account.
11. Navigate to https://www.citrix.com/downloads/xenapp-and-xendesktop/ and download the latest XenApp/XenDesktop version available which is as of 12/04/2017 7.13 and copy it to the C:\Share to be used later to install XenApp 7.13+ onto your XA worker.
12. Now repeat steps 5 through 9 to deploy another single VM instance which will be your XenApp PoC VM e.g “xad01poc” and assign the following suggested instance type “t2.large’ with the exception of step 7 where you’d assigned the default VPC security group and login via RDS to this VM from your mgmt. VM e.g “wdc01”.
12. Once its ready login to your mgmt. VM “wdc01” and RDS to “xad01poc” provide it with a custom or use the default hostname and AD domain join it.
13. After successfully domain joining it login and create a folder on the C:\ drive called “Temp” on “xad01poc” and copy the *.iso from \\wdc01\Share to it.
14. Right click on the *.iso and “Mount” the media and the autorun should display the splash screen and select “XenApp”.
15. Select to install the “Delivery Controller” checking all the features e.g Studio, Director, Controller, MS SQL Express, StoreFront, License server and all the required ports.
16. You have now setup a mgmt. VM and a XenApp mgmt. VM.
17. Install and bound SSL certificate on “xad01poc” to be able to utilise https to protect username and passed credential handling when accessing RfW.

Understanding Machine Creation Services requirements for AWS
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/manage-deployment/connections.html.

PoC Deployment of Virtual Apps & Desktops
Deployment Option 1 – NO MCS nor NetScaler UG & NOT SUGGESTED!!!
This option to be very clear is typically used to demonstrate the power of HDX from a public cloud e.g AWS and DOES IT WORK? Yes of course! I would strongly recommend that you don’t deploy your PoC with this approach but front it with a NetScaler UG but i’ve included it as I have covered this topic once before and sometime Citrix SysAdmins just want to test to see is it actually at all possible with little to know effort at all before actually deploying a PoC so I hope that this clears up this PoC deployment approach/path is messy and NOT SUPPORTED!!!!

1. Now also assign the Citrix VAD β€œSecurity Group” to “xad01poc” VM.
2. Re-mount the *.iso media if required and on the installation splash screen select to install the Server VDA choosing to enable existing connections selecting “Enable Remote PC Access” the VM will restart a few times which will take circa up to 5 minutes while the VDA installs.
3. Once the VDA is installed successfully launch “Studio” and complete creating a Site, machine catalog and delivery group based upon “xad01poc” VM.
4. Modify the SFS default.ica file for your default Store to include a line to utilise your external dynamic static IP addr and check that your Windows f/w rules are correctly configured to allow in/out bound access based upon the Citrix VAD β€œSecurity Group” or you can open the downloaded file you receive post login and modify the internal private static IP addr to the “xad01poc” VM’s dynamic public IP addr assigned by AWS and you should be able to launch your virtual app or desktop. Note: You’ll need to do it for each app or virtual desktop and if you modified the default.ica file with dynamic IP each time you stop and deallocate the VM you’ll need to modify the file again unless you utilise a AWS static public IP addr which is chargeable cost per month!
5. Navigate to https://xad01poc-dynamic-public-ip-addr/Citrix/StoreWeb/ with Citrix Receiver install on your Windows, Mac or Linux end-points and login as a domain admin or user and launch a virtual app or desktop that you’ve published.
6. Test the vitual app and our desktops performance by playing YouTube movie trailers here is fav one of mine – https://www.youtube.com/watch?v=sGbxmsDFVnE or download Google Chrome and publish it and access https://p3d.in. You’ll notice I have not mentioned what HDX graphics mode why? It should provide a good UX out of the box with 7.13+.
7. Shutdown and turn off your VM’s within your AWS VPC when finished to save costs. You will be billed for storage on-going e.g GB that you’ve consumed but I have to say its a very low cost per GB.

Deployment Option 2 – No MCS but fronted by NetScaler UG
Coming…

Deployment Option 3 – With MCS Workloads fronted by NetScaler UG
Coming…

Deployment Option 4 – Powered by Citrix Smart Tools (Notice some offers have beenΒ deprecated in 2018)
0. What is Smart Tools? Watch https://www.youtube.com/watch?v=RUTL1X_nBSg. I won’t expand on this topic more than what I have below for this particular blog post otherwise its going to get quiet length but I have to say you should explore Smart Tools post testing/deploying an AWS XenApp PoC.
1. Sign-up to Smart Tools Service at https://citrix.cloud.com/.
2. Create an AWS EC2 resource location with the Smart Tools Connector (formerly CLM our Lifecycle Management Connector) – https://manage-docs.citrix.com/hc/en-us/articles/212713903 and also please read – https://manage-docs.citrix.com/hc/en-us/articles/212713923 & https://manage-docs.citrix.com/hc/en-us/articles/212713963-Add-an-Amazon-Web-Services-resource-location.

3. Read the Blueprint available which explains deploying a blueprint to deploy workloads on AWS at – https://manage-docs.citrix.com/hc/en-us/articles/212714483-Deploy-a-blueprint-to-an-Amazon-Web-Services-resource-location which should give you a decent overview.
4. Download or read online the following getting started PoC guide for XenApp on AWS powered by Smart Tools Service (Smart Build using as Blueprint) available at the following URL with step by step instructions and images – https://docs.citrix.com/content/dam/docs/en-us/lifecycle-management/downloads/get-started-lifecycle-management-aws.pdf.

Leading Best Practises
1. Review the content available at – https://www.citrix.com/global-partners/amazon-web-services/xendesktop-on-aws.html
2.Β The number one AWS resource to check first and foremost is theΒ AWS Well-Architected microsite at AWS EC2 at –Β https://aws.amazon.com/architecture/well-architected/Β to help you get started. You should also understand how IAM in AWS works so be sure to check out –https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html.

Notes from the field
1. The number one leading best practise is “Shutdown and turn off your VM’s within your AWS VPC when finished” to save your own personal costs incurred and or your organisations costs that maybe incurred.
2. You do need a suggusted intermediate knowledge level of AWS EC2 and Citrix in order to deploy virtual apps & desktops CORRECTLY I personally believe to ensure that those testing on your behalf actually are getting the correct HD or balanced experience to ensure a successful PoC. I’ve many misconfigurations in a variety of areas since 2015.
3. Take a look at using Citrix Smart Tools as an enabler to help you with XenApp environment(s) on AWS – https://manage-docs.citrix.com/hc/en-us/articles/213723663-Create-a-XenApp-and-XenDesktop-production-deployment-on-AWS.

XenApp Essentials Services Understood powered by Citrix Cloud

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps from the Microsoft Azure Marketplace powered by the Citrix Cloud XenApp Essentials Service prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
MACHINE CREATION SERVICES – mcs
AZURE REMOTEAPP – ara
XENAPP ESSENTIALS SERVICE – xes
HIGH DEFINITION EXPERIENCE – hdx
REMOTE DESKTOP SERVICES – rds

What is it?
It is a replacement for the deprecated Microsoft Azure RemoteApp (ARA) – https://blogs.technet.microsoft.com/enterprisemobility/2016/08/12/application-remoting-and-the-cloud/ (“…Support existing Azure RemoteApp customers on the service through August 31st, 2017..“) which provides simplicitic beauty of Microsoft Azure RemoteApp now with the “Secure by Design” enterprise security methodology, platform scalability with FMA in 7.x and HDX virtual app delivery protocol capabilities & power of Citrix XenApp.

ARA brought Remote Desktop Services (RDS) capabiltiies from a multi private cloud deployments on Windows Server to Azure with non-persistent RDS/RDP sessions delivered from the Microsoft Azure Cloud only! The XA Essentials Service is only available from Microsoft Azure Marketplace hosted on Azure and only supports the delivery of Windows apps delivery from Windows Server 2012 R2, 2016 prepared Templates or Bring Your Own Templates (BYOT) uploaded. Citrix has prepared a full FAQ available at – https://www.citrix.com/global-partners/microsoft/resources/xenapp-essentials-faq.html

Overviews & Demonstrations
Introducing XenApp Essentials Service is a demonstration of the Service by Citrix.

Extend the Microsoft RDS platform in Azure through Citrix solutions was a presentation at Microsoft Ignite 2016.

What Feature’s Are Available?
The following feature matrix compares XenApp, XenDesktop Platinum vs. XenApp & XenDesktop Service vs. Azure Marketplace XenApp Essentials vs. Azure Marketplace XenDesktop Essentials
https://www.citrix.com/content/dam/citrix/en_us/documents/reference-material/xa-xd-deployment-options-feat-comp-matrix.pdf.

High Level Getting Started, System Requirements & Pre-requistes
1. You’ll need an Azure subscription with a resource group defined with a virtual network.
2. Define your preferred Azure region which you can ref from – https://azure.microsoft.com/en-gb/regions/.
3. Decide on your AD stratergy which can be Active Directory sat in the Azure resource location using a min A3 Standard VM instance for AD or you can utilise “Azure Active Directory Domain Services” and eDocs suggested that you review – https://docs.microsoft.com/en-us/azure/active-directory-domain-services/#main prior to implementing AAD for the XA Essentials Services vs. traditional AD.
4. Define your preferred OS strategy for the service which currently supports server OSes for Windows Server 2012 R2 or 2016 and you’ll need to define master image stratergy e.g BYO image or a Citrix prepared image for the service! Notes: “(a)BYO with your own Server OS template including apps + licenses for those apps or choose Citrix prepared templates with Apps. (b)RDS CALS w/SA to Azure or purchase RDS SALs.
5. Customer owned Azure Subscription as is responsible for per monthly IaaS consumption costs e.g compute, network, bandwidth & storage
6. Only MCS based provisioning is support for public (Iaas) clouds and for this Service hosted by Microsoft Azure.
7. Subscribe to XenApp Essentials Service through Azure Marketplace at – https://azuremarketplace.microsoft.com/en-us/marketplace/apps/Citrix.XenAppEssentials?tab=Overview.
8. Connect your Azure subscription to Control Plane operated by Citrix Cloud. Citrix Cloud controls customer Azure subscription via Citrix Cloud Connectors to provide capabilities to manage, provision and monitor your XenApp servers which will deliver your HDX virtual apps

Deploying your Virtual Apps (Draft!!!)

The above is an graphic from the official XA Essentials Service documentation from Citrix eDocs at – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/xenapp-essentials.html and the below is my personal text based step by step summary explaining how to get started with the XA Essential Service powered by Citrix Cloud and Microsoft Azure based upon the Ignite session at – https://www.youtube.com/embed/Ck0mtVXqOuM. Please note that these steps can change as the service is delivered from Citrix Cloud which is a secure SaaS style evergreen control plane – http://docs.citrix.com/en-us/citrix-cloud/overview/about.html.

1. Before you begin you will requires a subscription to XenApp Essentials Service from
2. Azure Marketplace + Server Images + RDS CALS w/SA
3. Create app collection similar to ARA
4. Create a name
5. Domain Joined (Popular) or Non-Domain Joined (TBC)
6. Link Azure subscription to XAE and select Resource Group, Virtual Networks & Subnet
7. Enter in Domain details which include Domain name, OU, Srv acct + passed
8. Select template image Citrix provided or your OWN
9. Select capacity and mange costsΒ  by selecting instance type and power settings scheme (saver logoff after 10min; standard after 1hr; performance after 4hrs or always on i.e do not perform any power mgmt
10. Enter in # of users concurrent and you’ll receive an estimate cost calculator prior to provisioning to understand the costs based on 40hr usage per month
Summary and the deploy
11. Time access is short as CC will provision your instances in your subscription
12. Select app collection click Apps tab then select apps to publish
13. Select users tab and search domain by user or groupΒ 
14. Return to Manage home and you’ll see that your app collection is now ready with a green tick
15. Select app collection and you’ll see the StoreFront URL to send to users
16. Users login with domain\user + passed
17. Users are now able to launch there HDX virtual apps secured by there organisations Cloud-hosted StoreFront FQDN which provides secure remote access via the NetScaler Gateway Service also review caveats re bandwidth through-puts below.

Caveats, Current Known Issues with the Service
The list of current know issues one are my ones to pay attention to most as of 04/04/2017 and a full list is available at http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/xenapp-essentials.html so please check and read them all!

1. Live.com accounts cannot be used for authenticaiton
2. Users cannot launch and app if an existing RDS session is present on the XA VDA worker.
3. Machine catalogue failures may occur if deploying a VM instance size in a region that does not support that instance type any more.
4. A premium storage account is not supported see “Prepare Your Azure Subscription
5. Each end-user is limited to 1-GB outbound data transfer per month but you can increase the limit via by acquiring a 25 GB add-on via the Azure Marketplace see “StoreFront and NetScaler Gateway in XenApp Essentials Service
6. See eDocs for more…

What’s New in XenApp & XenDesktop 7.13

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops powered by XenApp & XenDesktop 7.13 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
SECURITY ASSERTION MARKUP LANGUAGE – saml
LOCAL HOST CACHE – lhc
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
WINDOWS – win
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
VIRTUAL DESKTOP – vd
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
VIRTUAL APPS – va
DATA TRANSPORT LAYER – edt
FIREWALL – f/w
ACCESS CONTROL LISTS – acl
ADVANCED MICRO DEVICE – amd

What’s New
A full and complete list of what’s new is avaiable at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/whats-new.html. I’ll start with one of my Citrix passions which is any and everything surrounding HDX technologies.

1. HDX Adaptive Transport is disabled by default in XAD 7.13* also referred to as EDT is a new HDX graphics mode that utilises both the UDP and TCP protocols with a fallback to TCP where UDP isn’t available. The HDX engineering team have engineered this new Citrix protocol called Enlightened Data Transport (EDT) which utilises the existing Citrix ports 1494 (ICA/HDX) and 2598 (Session Reliability) for both TCP and now new UDP so f/w ACL changes are near enough straight forward. To test this new graphics mode internally:

– Configure the ACL between your test end-point and through your internal network (over a VPN) VM running the 7.13 VDA to allow UDP and TCP for 1494, 2598
– Your test VM instance could be running in Azure (connected on-prem via a VPN) or on XenServer 7.1 and remember must be running the latest desktop or server VDA
– Your test end-point must be running the following min Citrix Receiver versions for Windows 4.7, Mac 12.4 and for iOS 7.2
– *In Studio create a machine catalogue, delivery group or use an existing one with your VDA upgraded from e.g 7.12 to 7.13 and then create a new HDX policy e.g HDX-TestofEDT and select the following HDX policy entitled “” and choose “Preferred“.

2. AMD Multiuser GPU (MxGPU e.g GPU Virtualization works with vSphere only) on the AMD FirePro S-series server cards for HDX 3D Pro workloads only e.g Desktop OSes ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/hdx/gpu-acceleration-desktop.html+ with support for up to 6 monitors, custom blanking & resolution, high frame rate and only GPU Pass-through is supported on the following hypervisors XenServer and Hyper-V. For further details please ref to the AMD website at – http://www.amd.com/en-us/solutions/professional/virtualization.

3. Intel Iris Pro (5-6th Gen Intel Xeon Processor E3) graphics processors supports H.264 h/w encoding for virtual apps & desktops, HDX 3D Pro support for up to 3x monitors (Ref to install options+), custom blanking & resolution, high frame rate. For further details and compatible Intel processors ref to – http://www.intel.com/content/www/us/en/servers/data-center-graphics.html

4. Other HDX enhancements include:

– Bidirectional content redirection – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/policies/reference/ica-policy-settings/bidirectional-content-redirection.html
– Wacom tablets improvements & connection methods – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/hdx/usb.html and also see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/policies/reference/ica-policy-settings/usb-devices-policy-settings.html
– File copying performance enhancements for client drive mapping

5. StoreFront 3.9 support for the following below and for a closer look check out the following CTX blog article – https://www.citrix.com/blogs/2017/02/24/whats-new-in-storefront-3-9/

– HDX Adaptive Display
– CEIP automatic enrollment by default. To disable please ref to http://docs.citrix.com/en-us/storefront/3-9/install-standard.html#par_anchortitle_8ea6
– Importing of NUG configurations (ZIP file or via PowerShell) into StoreFront to setup through the XAD Wizard using the latest NetScaler UG 11.1.51.21+ ref – http://docs.citrix.com/en-us/storefront/3-9/integrate-with-netscaler-and-netscaler-gateway/import-netscaler-gateway.html to reduce and avoid misconfigurations.
– Not new but if you’re looking to security harden your StoreFront standalone or cluster ref to – http://docs.citrix.com/en-us/storefront/3-9/secure.html
– SAML auth through against your preferred Store with NetScaler Unified Gateway configured as your IdP – http://docs.citrix.com/en-us/storefront/3-9/configure-authentication-and-delegation/configure-authentication-service.html#par_anchortitle_d712

5. The Connection Quality Indicator is not part of the XAD 7.13 release but an invaluable Citrix tool for Citrix SysAdmins check out its capabilities at – https://www.citrix.com/blogs/2017/02/22/citrix-connection-is-slow-not-really/ and you can download it from – https://support.citrix.com/article/CTX220774 and it also inclues group policies for better SysAdmin controls to enable or disable the tool which is supported from XAD 7.6 LTSR and upwards ref the CTX220774 article. The below image is taken from a Window 10 virtual desktop powered by XenDesktop 7.x.

6. Linux Seamless published applications from a Linux supported OS using the 7.13 VDA – http://docs.citrix.com/en-us/linux-virtual-delivery-agent/7-13/whats-new.html and also please read the publishing apps for Linux at – http://docs.citrix.com/en-us/linux-virtual-delivery-agent/1-4/suse/configuring/publish-apps.html for advanced tips and guidance on seamless mode vs. window manger configuration.
7. LHC in 7.13 introduces a new support feature for brokering operations for Citrix Cloud when the internet connection between the Citrix Cloud Connector and the Citrix Cloud control plane at – https://citrix.cloud.com/ is in a failed state or unavailable due to an ISP outage. You can also force an outage following the documentation available at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/manage-deployment/local-host-cache.html++ by creating and manually modifying the following registry entry “HKLM\Software\Citrix\DesktopServer\LHC with entry of OutageModeForced” set to the value in the documentation++ to force an outage for testing and or evaluation purposes prior to implmenting Local Host Cache. I’ve embedded below a simple architectural recap of LHC introdcued in XAD 7.12 and you can read in more depth detail about Local Host Cache from a previous blog post available at – http://axendatacentre.com/blog/2016/12/13/whats-new-in-xenapp-xendesktop-7-12/.

Finally LHC still provides support for brokering operations for traditional XAD Controller Site Database on-prem ref ++. I’d also recommend that you watch this TechTalks To Go covering LHC in XAD 7.12 release.

8. Provisioning Services 7.13 now supports Linux streaming and a brand new caching technique only available and supported on XenServer 7.1 called PVS-Accelerator. Check the following YouTube video from Citrix entitled “Introducing PVS-Accelerator, only available with XenServer!” via https://twitter.com/juancitrix/status/835202277317148672.

9. HDX Thinwire enhancements in 7.13 have resulted in up to 60% bandwidth savings. Take a look at the following CTX blog post at – https://www.citrix.com/blogs/2017/01/11/hdx-next-cuts-bandwidth-by-up-to-60-yes-sixty-percent/ which has some great high level LoginVSI 4.1.6 graphics comparing Thinwire in 7.12 vs. 7.13 on Windows Server 2012 R2 and 2016.
10. AppDNA what’s new ref – http://docs.citrix.com/en-us/dna/7-13/whats-new.html now includes support for Windows 10 Anniversary Update (AU) and now defaultor analysis and reporting, Secure Web reports and finally improved importing to process to analysis OSes and apps. There are a few more to be sure to check out the whats news!

Deploying XenApp 7.13 for Evaluation & Testing Purposes
The fastest way to deploy and test the latest new features from Citrix XA 7.13 release with little to no effort is to deploy the “Citrix XenApp 7.13 Trial” from Microsoft Azure available and accessiable at – https://azuremarketplace.microsoft.com/en-us/marketplace/apps/citrix.citrix-xa?tab=Overview.

Removed from XenApp and XenDesktop 7.13
Please be sure to read and review the complete removed features and future removal features within XAD 7.x platform topics on Azure Classic, AppDisks, Desktop OS support and supported HDX Graphics Modes e.t.c –
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/whats-new/removed-features.html.

Viso Stencils from Citrix’s Ask the Architect – https://twitter.com/djfeller for XenApp and XenDesktop 7.13.


Image credit: https://twitter.com/djfeller/status/836557405173477376

https://virtualfeller.com/2017/02/28/visioxenappxendesktop713/