Category Archives: Hybrid Cloud

2017 UKI #CitrixPartnerLove Challenge #7 Stop the Difference

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at https://t.co/nqooPlWElw to print.

My Best of #CitrixSynergy 2017

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
CITRIX USER GROUP COMMUNITY – cugc
HYPER CONVERGED INFRASTRUCTURE – hci

Introduction
Its my 5th #CitrixSynergy and this is def one of the best Synergy’s I have ever had the privilege of watching virtually from London, England. Why not in person? I prefer to watch virtually as I am to consume more content faster and translate that into content to update Citrix partners/customers in a timely manner at high level and tech deep dive where required in particular areas or topics. Finally this blog post will most likely change over the next 2-3 weeks as I consume all of the Synergy 2017 content as when/how I can.

My Highlights of the Key Notes
Vision Keynote

– 4:45 Citrix User Group Community – https://www.mycugc.org THANK YOU! Join the community today its powered by some of the most passionate Citrix and Technology advocates from around the global!
– 11:00 Red Bull Racing I’m not going to say anything you need to watch it!
– 21:45 Cloud powers the world
– 27:00 Digital Frontier Companies
– 39:00 Citrix Secure Digital Workspace with a software-defined preimeter
– 40:57 Citrix Workspace Services and a brief demonstration by Citrix’s CEO
– 42:25 SD-WAN / Gateway / WebApp Firewall / DDoS (NS 12+) as a Service
– 47:35 Citrix Analytics Service
– 1:01:00 “Better Together” and video message from Microsoft CEO Satya Nadella
– 1:12:25 Citrix + Google Chromebook (Skype for Business, Office365 and much more…)
– 1:18:00 Healthcare customer story “Partners Healthcare”

Technology Keynote

– 22:00 Unified Workspace (its Adaptive and Contextual by device/location and it changes the users published resources and its access type!) which brings together some of the most crucial aspects of todays modern apps, desktops, data & your location in a single view with casting capabilities but not demoed as instead instead*
– 29:00 *Workspace IoT (SmartSpaces) demonstration with a users own mobile phone enables an auto login to a Win 10 VD at guest location including welcoming the user based upon his/her smart phone used as there identity. Security people feel free or you will be going nuts right now!
– 32:30 Its all about layering you guessed it Citrix App Layer enabling IT to say YES! Note demo was demoed using a Samsung DEX check it out – https://www.citrix.com/blogs/2017/03/29/instant-desktop-computing-from-the-new-samsung-galaxy-s8-smartphone/
– 39:40 Workspace Appliance Program e.g HCI
– 42:35 Protect against Zero day attacks with XenServer and BitDefender which is available but is something which Citrix announced on 21/06/2016 yes thats right 2016 entitled “A Revolutionary Approach to Advanced Malware Protection” – https://www.citrix.com/blogs/2016/06/21/a-revolutionary-approach-to-advanced-malware-protection/ 21/06/2016 yes 2016!
– 47:00 Brad Anderson Corporate Vice President of the Enterprise Client & Mobility @Microsoft discusses shortly and then prefers to demonstrates our joint Citrix + Microsoft “Better Together” capabilities in Mobility, Virtualisation delivery from Azure and more.
– 1:01:38 Digital Jungle discussion its def worth your time if you about security and managing the experiences of your users workspace!
– 1:47:25 Vision of how the Digital Workspace is going to evolve

Citrix Synergy TV Breakout Sessions
The following are my current top sessions to watch in no particular order that I believe you’ll gain a lot of value out of watching BUT note that this may change as I continue to consume more of the on-demand content from Synergy 2017.

– SYN318 A to Z: best practices for delivering XenApp, XenDesktop – https://www.youtube.com/watch?v=jnnZTKBy18c&feature=youtu.be

– SYN111 – What’s new with Citrix Cloud and what’s to come – https://www.youtube.com/watch?v=C-UunHGKqLY

– SYN120 – NetScaler SD-WAN updates – https://www.youtube.com/watch?v=CdqIkCb86uU

– SYN103 – Citrix App Layering – https://www.youtube.com/watch?v=KBYoVeAYnSA

– SYN118 – What’s new with NetScaler ADC – https://www.youtube.com/watch?v=uMefjGwRMeU

– SYN121 – What’s new with NetScaler Unified Gateway – https://www.youtube.com/watch?v=-ovb4TIb5JY&t=28s

– SYN115 – Why should I use ShareFile if I already have Office 365? – https://www.youtube.com/watch?v=kESgKT7_mJw

Innovation Super Session
Awaiting for the on-demand video publication but for now I will leave you with the following Tweet as a thought or rather a reminder to make sure that you watch it if you missed it!

Synergy 2017 Advocates Blog Posts
Citrix Synergy 2017 – It’s a Wrap – See all the most important announcements listed here! By Christiaan Brinkhoff. – https://blog.infrashare.net/2017/05/29/citrix-synergy-2017-its-a-wrap-see-all-the-most-important-announcements-listed-here/

Deploy XenApp 7.x in AWS EC2 with PoC Leading Best Practises (Draft)

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops from AWS EC2 – https://aws.amazon.com powered by XenApp & XenDesktop 7.13+ prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
LOCAL HOST CACHE – lhc
XENAPP – xa
WINDOWS – win
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hex
VIRTUAL APPS – va
VIRTUAL DESKTOP – vd
SERVER – srv
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
DATA TRANSPORT LAYER – eat
FIREWALL – f/w
ACCESS CONTROL LISTS – all
INFRASTRUCTURE AS A SERVICE – iaas
IDENTITY & ACCESS MANAGEMENT – aim

Reader Notice: This blog post is NOT completely finished and some parts are in draft format! I will continue to update it through-out April/May 2017!

Sample Virtual Desktop from AWS powered by XenApp 7.x
In this example my VPC is in N.Virgina, USA hosting my Citrix XenApp 7.x workloads which are been delivered to me transatlantic to London, England thanks to the HDX.


Link to my original Tweet from 29/04/2016 at – https://twitter.com/lyndonjonmartin/status/726122016621891584 close to the delivery of a UKI Citrix partner enablement workshop on delivering XenApp 7.x PoC from AWS.

What is AWS EC2?
It’s a division with-in Amazon that sells IaaS to customers for consumption. AWS is incredibly simple in my personal view BUT equally at the very same time it’s also an exceptionally powerful Public (IaaS) Cloud platform! IT departments within organisations of all shapes and sizes have an equal capability with AWS’s elastic virtual data centre capacity to rapidly design and implement a VPC to setup, configure and deploy workspace workloads of their choice within a few hours or days dependant upon there IT’s dept’s delivery & execution skillsets. Typing into Google.co.uk “AWS first year” reveals AWS’s first year was 2006 thats now over a decade’s worth of experience, maturity and continued on-going development and innovation. Check out – https://en.wikipedia.org/wiki/Amazon_Web_Services#History or brief history lesson.

Concepts of AWS
Most of what I’ve described below is available on the AWS “Getting Started” web page at – http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/GetStarted.html so be sure to read through-it.

Virtual Private Cloud (VPC)
Think of this as a virtual datacentre that created onto of AWS IaaS which allows you to create virtual networks (IP addr ranges, subnets e.t.c), deploy VM instances of different sizes for your required workloads and storage accounts to facility your organisations needs and requirements to potential optimise workload delivery, experience or DR scenario’s.

VM Instances Types
AWS provides traditional VM’s that you’d typically assign compute, storage type to on-prem as pre-defined instance types that vary in size and capacity to meet virtually most organisations workspace requirements in AWS. For an up to date list please check out –
https://aws.amazon.com/ec2/instance-types/.

Security Groups
Think of these as your traditional or virtual f/w’s ACL’s BUT now assigned against VM instance(s) within your VPC either individually or in a group, to control what traffic type e.g ports vs. protocol are allowed in/outbound. Check out – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group which also covers the standard “Default Security Groups” within your VPC that you can utilise and modify for your PoC.

*Availability Zones
A logical representation of one or more data centres facilities in a city, state/province/county or even country.

*Regions
Simply put its a Geo area and they are isolated form other regions for H/A. In a Citrix world a simple example could be to think of multiple sites (London, Paris, Oslo all built to N+1) managed using FMA 7.7+ Zones (Primary and Satellite) for H/A for geo area.

* http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

Identity & Access Management (IAM)
This one is quiet important to understand if you want to deploy your PoC with MCS provisioned XA VDA workloads in AWS from a master VM instance like you would traditionally on-prem with XenServer, Hyper-V, Acropolis or vSphere. Setting up IAM enables/allows Studio to communicate with the AWS EC2 cloud hypervisor to provision your VM instances –
http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html from your master VM instance in your VPC(s). If your not interested in deploying MCS workloads then skip learning IAM for now BUT please come back to it as it’s equally important as Security Groups for Pilot, UAT and PROD workloads in AWS with(out) Citrix workloads.

Suggested PoC Architecture
I tweeted the image at – https://twitter.com/lyndonjonmartin/status/854809306629361669 (its not intended to be accurate!) if you want a high resolution copy. Its intended to provide a high level only PoC deployment overview of delivering virtual apps & desktops (server) from AWS EC2 using Citrix XenApp 7.13+ fronted by NetScaler Unified Gateway and or you can utilise Citrix Smart Tools – https://www.citrix.com/products/citrix-cloud/services.html to deploy blueprint to stand up a XenApp PoC in AWS.

AWS & Citrix Pre-requisites, System Requirements
The following provides an brief and selective overview of standing up the bare min requirements to delivery Citrix secure workspace workloads from AWS.

0. Amazon Web Services (AWS) (cloud) hypervisor support – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/system-requirements.html#par_anchortitle_8a90
1. Sign-up for a AWS EC2 account at – https://console.aws.amazon.com it will redirect you to the default AWS login and sign-up web page. You will need a valid credit card that you own and be sure to read through AWS terms & conditions, UAP e.t.c.
2. Once your have signed-up select a EC2 region i typically utilise N.Virgina as I expense this myself and it also makes for good tests locations of my Citrix workloads when testing out legacy vs. current vs. the latest HDX (3D Pro) technologies & innovations transatlantic from the US too the London, England :-).
3. Now that you’ve chosen or decided upon your region you’ll need to deploy your VPC – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html you can make use of the default AWS VPC configurations which you can easily modify as required to meet the needs of your PoC.
4. Now create a e.g Citrix VAD “Security Group” which acts as a firewall ACL controlling which ports/protocols and traffic by *.* or IP range(s)* e.t.c are permitted in/out bound of your VPC to your VM instance(s) associated to this security group so that the delivery of virtual apps & desktops is possible from VM instances running the Server VDA’s.

Suggested example Traffic flow from the Internet to a Virtual App & Desktop delivered by an EC2 Instance

– Untrusted network or public raw internet
– DMZ or edge of a network, network/vnet or (network) security group depending on your network deployment choice
– Trusted network or private secure network

WWW Internet Gateway Router VPC Availability Zone Security Group Network EC2 Instances

Suggested (Security Group – Mgmt. VM) Port Configuration for RDS access to your mgmt. VM running AD, DNS e.t.c

For this particular security group I’d strongly recommended that when you setup the security group you limit the access to a single IP addr or range that you know and trust RDS access to come from to your mgmt. VM sat in your VPC.

Protocol Port Inbound Outbound Internal VPC
TCP: SSH PuTTY (NS Mgmt. only) 22
TCP: HTTP (Internal Communication) 80
TCP: RDP/RDS 3389 * *

Suggested (Security Group – Citrix VAD) Port Configuration for Citrix Workloads to the World

The following table is actually more about the required TCP/UD Ports and dependant upon your deployment approach e.g with(out) a L2L IPSec VPN tunnel vs. NetScaler Unified Gateway i’ve decided for this section most of it available with the exception of a few which are a no no for external inbound access.

Warning once again caution this table ONLY represents primary PORTS typically required in a PoC and does not imply that you should use this as your ACL for your AWS security groups as you requirements for your particular PoC use case may differ from organisation to organisation! For a complete list of the ports and what they do please ref to http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/technical-overview/default-network-ports.html.

Protocol Port Inbound Outbound Internal VPC
TCP: HTTPS (TLS) 443 * *
UDP: HTTPS (TLS) 443 * *
TCP: ICA/HDX Thinwire 1494 * *
UDP: ICA/HDX EDT or Framehawk 1494 * *
TCP: Session Reliability 2598 * *
UDP: Session Reliability for EDT only 2598 * *
UDP: HDX RealTime e.g Skype for Business 16500-16509 * *

5. Lunch an NEW single instance from the EC2 dashboard under “Create Instance” this will be your mgmt. VM “wdc01” for the PoC and AWS will guide you through the deployment process (wizard).
6. Select your VM instance type to be deployed in your default or custom VPC and a suggested example instance type to utilise could be a AWS “t2.medium” instance type. You can find a complete list available at – https://aws.amazon.com/ec2/instance-types/.
6. Assign the default storage or increase and you can add another HDD later.
7. Assign the RDS mgmt. security group ensuring that RDS is enabled to connect to your mgmt VM.
8. Allow the VM to provision typically up to 5 minutes (depends on time of day, location of your VPC) then decrypt the passwd
9. Login and utilise this as your mgmt. VM and install the following suggested roles e.g AD, DNS and CA (Optional) as a bare minimum once you’ve assigned it an internal private static IP addr prior to installing and configuring.
10. Check a folder called e.g “Share” on C:\ and enable file sharing to this folder for your domain admin account.
11. Navigate to https://www.citrix.com/downloads/xenapp-and-xendesktop/ and download the latest XenApp/XenDesktop version available which is as of 12/04/2017 7.13 and copy it to the C:\Share to be used later to install XenApp 7.13+ onto your XA worker.
12. Now repeat steps 5 through 9 to deploy another single VM instance which will be your XenApp PoC VM e.g “xad01poc” and assign the following suggested instance type “t2.large’ with the exception of step 7 where you’d assigned the default VPC security group and login via RDS to this VM from your mgmt. VM e.g “wdc01”.
12. Once its ready login to your mgmt. VM “wdc01” and RDS to “xad01poc” provide it with a custom or use the default hostname and AD domain join it.
13. After successfully domain joining it login and create a folder on the C:\ drive called “Temp” on “xad01poc” and copy the *.iso from \\wdc01\Share to it.
14. Right click on the *.iso and “Mount” the media and the autorun should display the splash screen and select “XenApp”.
15. Select to install the “Delivery Controller” checking all the features e.g Studio, Director, Controller, MS SQL Express, StoreFront, License server and all the required ports.
16. You have now setup a mgmt. VM and a XenApp mgmt. VM.
17. Install and bound SSL certificate on “xad01poc” to be able to utilise https to protect username and passed credential handling when accessing RfW.

PoC Deployment of Virtual Apps & Desktops
Deployment Option 1 – NO MCS nor NetScaler UG & NOT SUGGESTED!!!
This option to be very clear is typically used to demonstrate the power of HDX from a public cloud e.g AWS and DOES IT WORK? Yes of course! I would strongly recommend that you don’t deploy your PoC with this approach but front it with a NetScaler UG but i’ve included it as I have covered this topic once before and sometime Citrix SysAdmins just want to test to see is it actually at all possible with little to know effort at all before actually deploying a PoC so I hope that this clears up this PoC deployment approach/path is messy and NOT SUPPORTED!!!!

1. Now also assign the Citrix VAD “Security Group” to “xad01poc” VM.
2. Re-mount the *.iso media if required and on the installation splash screen select to install the Server VDA choosing to enable existing connections selecting “Enable Remote PC Access” the VM will restart a few times which will take circa up to 5 minutes while the VDA installs.
3. Once the VDA is installed successfully launch “Studio” and complete creating a Site, machine catalog and delivery group based upon “xad01poc” VM.
4. Modify the SFS default.ica file for your default Store to include a line to utilise your external dynamic static IP addr and check that your Windows f/w rules are correctly configured to allow in/out bound access based upon the Citrix VAD “Security Group” or you can open the downloaded file you receive post login and modify the internal private static IP addr to the “xad01poc” VM’s dynamic public IP addr assigned by AWS and you should be able to launch your virtual app or desktop. Note: You’ll need to do it for each app or virtual desktop and if you modified the default.ica file with dynamic IP each time you stop and deallocate the VM you’ll need to modify the file again unless you utilise a AWS static public IP addr which is chargeable cost per month!
5. Navigate to https://xad01poc-dynamic-public-ip-addr/Citrix/StoreWeb/ with Citrix Receiver install on your Windows, Mac or Linux end-points and login as a domain admin or user and launch a virtual app or desktop that you’ve published.
6. Test the vitual app and our desktops performance by playing YouTube movie trailers here is fav one of mine – https://www.youtube.com/watch?v=sGbxmsDFVnE or download Google Chrome and publish it and access https://p3d.in. You’ll notice I have not mentioned what HDX graphics mode why? It should provide a good UX out of the box with 7.13+.
12. Shutdown and turn off your VM’s within your AWS VPC when finished to save costs. You will be billed for storage on-going e.g GB that you’ve consumed but I have to say its a very low cost per GB.

Deployment Option 2 – No MCS but fronted by NetScaler UG
Coming…

Deployment Option 3 – With MCS Workloads fronted by NetScaler UG
Coming…

Deployment Option 4 – Powered by Citrix Smart Tools
0. What is Smart Tools? Watch https://www.youtube.com/watch?v=RUTL1X_nBSg. I won’t expand on this topic more than what I have below for this particular blog post otherwise its going to get quiet length but I have to say you should explore Smart Tools post testing/deploying an AWS XenApp PoC.
1. Sign-up to Smart Tools Service at https://citrix.cloud.com/.
2. Create an AWS EC2 resource location with the Smart Tools Connector (formerly CLM our Lifecycle Management Connector) – https://manage-docs.citrix.com/hc/en-us/articles/212713903 and also please read – https://manage-docs.citrix.com/hc/en-us/articles/212713923 & https://manage-docs.citrix.com/hc/en-us/articles/212713963-Add-an-Amazon-Web-Services-resource-location.

3. Read the Blueprint available which explains deploying a blueprint to deploy workloads on AWS at – https://manage-docs.citrix.com/hc/en-us/articles/212714483-Deploy-a-blueprint-to-an-Amazon-Web-Services-resource-location which should give you a decent overview.
4. Download or read online the following getting started PoC guide for XenApp on AWS powered by Smart Tools Service (Smart Build using as Blueprint) available at the following URL with step by step instructions and images – https://docs.citrix.com/content/dam/docs/en-us/lifecycle-management/downloads/get-started-lifecycle-management-aws.pdf.

Leading Best Practises
1. Review the content available at – https://www.citrix.com/global-partners/amazon-web-services/xendesktop-on-aws.html
2. More coming…

Notes from the field
1. The number one leading best practise is “Shutdown and turn off your VM’s within your AWS VPC when finished” to save your own personal costs incurred and or your organisations costs that maybe incurred.
2. You do need a suggusted intermediate knowledge level of AWS EC2 and Citrix in order to deploy virtual apps & desktops CORRECTLY I personally believe to ensure that those testing on your behalf actually are getting the correct HD or balanced experience to ensure a successful PoC. I’ve many misconfigurations in a variety of areas since 2015.
3. Take a look at using Citrix Smart Tools as an enabler to help you with XenApp environment(s) on AWS – https://manage-docs.citrix.com/hc/en-us/articles/213723663-Create-a-XenApp-and-XenDesktop-production-deployment-on-AWS.

What’s New in XenApp & XenDesktop 7.13

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops powered by XenApp & XenDesktop 7.13 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
SECURITY ASSERTION MARKUP LANGUAGE – saml
LOCAL HOST CACHE – lhc
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
WINDOWS – win
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
VIRTUAL DESKTOP – vd
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
VIRTUAL APPS – va
DATA TRANSPORT LAYER – edt
FIREWALL – f/w
ACCESS CONTROL LISTS – acl
ADVANCED MICRO DEVICE – amd

What’s New
A full and complete list of what’s new is avaiable at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/whats-new.html. I’ll start with one of my Citrix passions which is any and everything surrounding HDX technologies.

1. HDX Adaptive Transport is disabled by default in XAD 7.13* also referred to as EDT is a new HDX graphics mode that utilises both the UDP and TCP protocols with a fallback to TCP where UDP isn’t available. The HDX engineering team have engineered this new Citrix protocol called Enlightened Data Transport (EDT) which utilises the existing Citrix ports 1494 (ICA/HDX) and 2598 (Session Reliability) for both TCP and now new UDP so f/w ACL changes are near enough straight forward. To test this new graphics mode internally:

– Configure the ACL between your test end-point and through your internal network (over a VPN) VM running the 7.13 VDA to allow UDP and TCP for 1494, 2598
– Your test VM instance could be running in Azure (connected on-prem via a VPN) or on XenServer 7.1 and remember must be running the latest desktop or server VDA
– Your test end-point must be running the following min Citrix Receiver versions for Windows 4.7, Mac 12.4 and for iOS 7.2
– *In Studio create a machine catalogue, delivery group or use an existing one with your VDA upgraded from e.g 7.12 to 7.13 and then create a new HDX policy e.g HDX-TestofEDT and select the following HDX policy entitled “” and choose “Preferred“.

2. AMD Multiuser GPU (MxGPU e.g GPU Virtualization works with vSphere only) on the AMD FirePro S-series server cards for HDX 3D Pro workloads only e.g Desktop OSes ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/hdx/gpu-acceleration-desktop.html+ with support for up to 6 monitors, custom blanking & resolution, high frame rate and only GPU Pass-through is supported on the following hypervisors XenServer and Hyper-V. For further details please ref to the AMD website at – http://www.amd.com/en-us/solutions/professional/virtualization.

3. Intel Iris Pro (5-6th Gen Intel Xeon Processor E3) graphics processors supports H.264 h/w encoding for virtual apps & desktops, HDX 3D Pro support for up to 3x monitors (Ref to install options+), custom blanking & resolution, high frame rate. For further details and compatible Intel processors ref to – http://www.intel.com/content/www/us/en/servers/data-center-graphics.html

4. Other HDX enhancements include:

– Bidirectional content redirection – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/policies/reference/ica-policy-settings/bidirectional-content-redirection.html
– Wacom tablets improvements & connection methods – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/hdx/usb.html and also see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/policies/reference/ica-policy-settings/usb-devices-policy-settings.html
– File copying performance enhancements for client drive mapping

5. StoreFront 3.9 support for the following below and for a closer look check out the following CTX blog article – https://www.citrix.com/blogs/2017/02/24/whats-new-in-storefront-3-9/

– HDX Adaptive Display
– CEIP automatic enrollment by default. To disable please ref to http://docs.citrix.com/en-us/storefront/3-9/install-standard.html#par_anchortitle_8ea6
– Importing of NUG configurations (ZIP file or via PowerShell) into StoreFront to setup through the XAD Wizard using the latest NetScaler UG 11.1.51.21+ ref – http://docs.citrix.com/en-us/storefront/3-9/integrate-with-netscaler-and-netscaler-gateway/import-netscaler-gateway.html to reduce and avoid misconfigurations.
– Not new but if you’re looking to security harden your StoreFront standalone or cluster ref to – http://docs.citrix.com/en-us/storefront/3-9/secure.html
– SAML auth through against your preferred Store with NetScaler Unified Gateway configured as your IdP – http://docs.citrix.com/en-us/storefront/3-9/configure-authentication-and-delegation/configure-authentication-service.html#par_anchortitle_d712

5. The Connection Quality Indicator is not part of the XAD 7.13 release but an invaluable Citrix tool for Citrix SysAdmins check out its capabilities at – https://www.citrix.com/blogs/2017/02/22/citrix-connection-is-slow-not-really/ and you can download it from – https://support.citrix.com/article/CTX220774 and it also inclues group policies for better SysAdmin controls to enable or disable the tool which is supported from XAD 7.6 LTSR and upwards ref the CTX220774 article. The below image is taken from a Window 10 virtual desktop powered by XenDesktop 7.x.

6. Linux Seamless published applications from a Linux supported OS using the 7.13 VDA – http://docs.citrix.com/en-us/linux-virtual-delivery-agent/7-13/whats-new.html and also please read the publishing apps for Linux at – http://docs.citrix.com/en-us/linux-virtual-delivery-agent/1-4/suse/configuring/publish-apps.html for advanced tips and guidance on seamless mode vs. window manger configuration.
7. LHC in 7.13 introduces a new support feature for brokering operations for Citrix Cloud when the internet connection between the Citrix Cloud Connector and the Citrix Cloud control plane at – https://citrix.cloud.com/ is in a failed state or unavailable due to an ISP outage. You can also force an outage following the documentation available at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/manage-deployment/local-host-cache.html++ by creating and manually modifying the following registry entry “HKLM\Software\Citrix\DesktopServer\LHC with entry of OutageModeForced” set to the value in the documentation++ to force an outage for testing and or evaluation purposes prior to implmenting Local Host Cache. I’ve embedded below a simple architectural recap of LHC introdcued in XAD 7.12 and you can read in more depth detail about Local Host Cache from a previous blog post available at – http://axendatacentre.com/blog/2016/12/13/whats-new-in-xenapp-xendesktop-7-12/.

Finally LHC still provides support for brokering operations for traditional XAD Controller Site Database on-prem ref ++. I’d also recommend that you watch this TechTalks To Go covering LHC in XAD 7.12 release.

8. Provisioning Services 7.13 now supports Linux streaming and a brand new caching technique only available and supported on XenServer 7.1 called PVS-Accelerator. Check the following YouTube video from Citrix entitled “Introducing PVS-Accelerator, only available with XenServer!” via https://twitter.com/juancitrix/status/835202277317148672.

9. HDX Thinwire enhancements in 7.13 have resulted in up to 60% bandwidth savings. Take a look at the following CTX blog post at – https://www.citrix.com/blogs/2017/01/11/hdx-next-cuts-bandwidth-by-up-to-60-yes-sixty-percent/ which has some great high level LoginVSI 4.1.6 graphics comparing Thinwire in 7.12 vs. 7.13 on Windows Server 2012 R2 and 2016.
10. AppDNA what’s new ref – http://docs.citrix.com/en-us/dna/7-13/whats-new.html now includes support for Windows 10 Anniversary Update (AU) and now defaultor analysis and reporting, Secure Web reports and finally improved importing to process to analysis OSes and apps. There are a few more to be sure to check out the whats news!

Deploying XenApp 7.13 for Evaluation & Testing Purposes
The fastest way to deploy and test the latest new features from Citrix XA 7.13 release with little to no effort is to deploy the “Citrix XenApp 7.13 Trial” from Microsoft Azure available and accessiable at – https://azuremarketplace.microsoft.com/en-us/marketplace/apps/citrix.citrix-xa?tab=Overview.

Removed from XenApp and XenDesktop 7.13
Please be sure to read and review the complete removed features and future removal features within XAD 7.x platform topics on Azure Classic, AppDisks, Desktop OS support and supported HDX Graphics Modes e.t.c –
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/whats-new/removed-features.html.

Viso Stencils from Citrix’s Ask the Architect – https://twitter.com/djfeller for XenApp and XenDesktop 7.13.


Image credit: https://twitter.com/djfeller/status/836557405173477376

https://virtualfeller.com/2017/02/28/visioxenappxendesktop713/

Understanding the Citrix Cloud, its Services, Architecture & Connectors (Draft)

The following content is a brief and unofficial prerequisites guide to better understand Citrix Cloud, Connector technology and the overall architecture required to setup, configure and test delivering virtual apps and desktops powered by XenApp & XenDesktop Service prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
HIGH-AVAILABILITY – h/a
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
CITRIX CLOUD – cc
INFRASTRUCTURE AS A SERVICE – iaas
CITRIX CLOUD CONNECTOR – connector

The Three Primary Cloud Types (Draft Section)
Firstly i’d like to provide my definition of public, private vs. hybrid cloud and in my personal view things like SaaS, PaaS have naturally been spin out or off from IaaS e.g Public Cloud.

Public Cloud is whereby a ISP provides you with SPLA licensing (OS, Application, Service), compute, storage and network capabilities which in turn enables you to create your very own VM instances running in a virtual datacentre on the ISP’s h/w and example providers may include AWS, Azure, Google Cloud Platform e.t.c

Private Cloud is where you the organisation owns there own OS, Application or Service licenses as well as the physical hardware that allows you to create your own VM instances within your virtual datacentre. In this scenario the h/w is could (a) be purely Colocatied (Colocation) at ISP with or without managed services over and above the Colocation and example providers could include Rackspace, Qubems, Peer1 or (b) your h/w is hosted within your own custom and purpose built data centres facility or comms room dependant upon the organisations size and IT/Technology requirements.

Hybrid Cloud is when public and private clouds are connected securely over a IPSec R/A, L2L or SSL VPN connection.

What is and how Citrix Cloud works
Citrix Cloud is an evergreen, managed control plane from Citrix that provides the traditional Citrix management technologies to delivery e.g Virtual Apps & Desktops as Services thereby reducing overhaul management updates & upgrades. This means that Citrix is responsible for the availability of your Citrix management infrastructure in there Control Plane including ensuring that it is on the latest up to day and production version of e.g XAD to deliver DaaS and or virtual apps. Citrix customers and partners are responsible for what is known as a resource location which is where your apps, network and data resides and can exist in a public, private or hybrid cloud deployment scenario and each resource location is securely connected to the control plane using the Citrix Cloud Connector which initiates an outbound HTTPS connection so your completely in control of your apps, network & data within your resource location(s) at all times.

If I have not technically explained what is and how Citrix Cloud works successfully then please feel free to watch the below embedded YouTUBE video.

Please note that Citrix Workspace Cloud is now know as Citrix Cloud

Citrix Cloud Services as of Jan 2017
The following is my own technical spin/view of each of the Citrix services you can review the Citrix official view of each service at – https://www.citrix.com/products/citrix-cloud/services.html.

XenApp and XenDesktop Service – HDX virtual app & desktop delivery from any supported resource location running server/workstation VDA(s) while all the XenApp/XenDesktop mgmt infrastructure (Studio/Director) resides in your tenant/account at https://citrix.cloud.com.

XenMobile Service – Deploy Secure Apps (MAM), MDM to control your organisation devices with no need to deploy the XenMobile v/a even at your resource location all you need is either an IPSeC VPN tunnel or the Connector to enumerate users in AD to be assigned to delivery groups.

ShareFile Service – Follow-me data now controlled within one WebUI.

NetScaler Gateway Service – Provides a simple and easy deployment method to gain external remote access to virtual apps & desktops from your resource location(s) via the Citrix Cloud Connector.

Smart Tools Service previously Lifecycle Management – Design, build, automate, auto check & update your resource locations with Citrix validated blue prints.

Secure Browser Service – Provides a secure remote virtual browser(s) to access web (internal vs. external), SaaS apps from the Citrix Cloud with zero configuration, with only a link to access your published web apps via the HTML5 Receiver.

Citrix Cloud Labs – My personal favourite as this area of Citrix Cloud allows you get to test out some of the latest Citrix Innovations from our Labs team as services e.g AppDNA Express; Citrix Provisioning for Microsoft Office 365; IoT Automation; Citrix Launch for Microsoft Access; XenMobile MDX Service and Session Manager

Connector Architecture & Security
The following diagram depicts the H/A deployment of Citrix Cloud Connector for use with the XenApp and XenDesktop Service from Citrix Cloud. Please note that this is a simple architectural diagram that does not include a NetScaler in resource location so the assumption is that you users will connect to their virtual apps and desktops either from within the actual Resource Location or via the NetScaler Gateway service hosted and managed by Citrix Cloud. My personal preference is to leverage a NetScaler physical or virtual appliance within your resource location as the benefits of a NetScaler far exceed and go above and beyond that of a simple ICA Proxy gateway for XenApp/XenDesktop. Perhaps a follow-up blog article why I presume NetScaler in the resource location from my personal view point only or I may decide to update this blog article.

To better understand how to best secure or harden your Cirix Cloud implmentation and its services please refer to – http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/secure-deployment-guide-for-the-citrix-cloud-platform.html for leading best practises, process & procedures and configuration requirements.

Citrix Cloud Connector
The following is deep dive overview of Citrix Cloud connector technology for all the services with the exception of the Smart Tools service which leverages its own connector which is used to check your Citrix workloads, scale up/down and or even build or tear down workloads in resource location(s) via blueprints.

Installation & Troubleshooting
You must download and only install the Citrix Cloud Connector for your resource location from “Identity and Access Management” that matched your domain forest, don’t mix and match these! The installation is fairly straight forward and simple as descriobed and outlined at http://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector/installation.html, once the installation completes wait for the connectvity test to pop-up and complete successfully prior to navigating back to Citrix Cloud to validate that the Connector has scuessfully registered with Citrix Cloud+.

You can also perform automated installation leveraging the following command line arguments when installing the Connector “CWCConnector.exe /q /Customer:Customer /ClientId:ClientId /ClientSecret:ClientSecret /ResourceLocationId:ResourceLocationId /AcceptTermsOfService:true.

Although the Connector communicates outbound on HTTPS 443 it make also require one or more of the following ports outbound only as described at – http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/secure-deployment-guide-for-the-citrix-cloud-platform.html for one or more of the Citrix Cloud Services so please consultant the documenation for each Service carefuly for high security enviroments to ensure that the organisations firewall ACL’s for the PoC are correctly configured.

You can install hypervisor tools, anti-virus software (Tested as of 26/10/2016++ McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.8) on your VM instances that have the Citrix Cloud Connector technology installed however it is not recommended to install any other software or unnecessary system services nor should you allow any domain users access unless they are a Domain or System administrator of the Citrix environment. In summary treat these Connectors as you would your XAD Controller(Broker).

The installation logs are available at “%LOCALAPPDATA%\Temp\CitrixLogs\CloudServicesSetup” and post the installation its consolidated to the following location “%ProgramData%\Citrix\WorkspaceCloud\InstallLogs“.

Understanding Credential Handling
Coming…http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html

Monitoring your Citrix Cloud Services
1. http://status.cloud.com/ is your friend and will provide you with vital up to date information about the Citrix Cloud platform (control plane or SaaS tier) and each of its Services e.g XenApp and XenDesktop Service or Smart Tools.
2. Monitor the following Connector services described below ++
3. The leading best practises is for the Citrix Cloud Connectors to not be offline longer than two weeks as the connectors are regularly updated from Citrix Cloud with the latest updates (Evergreen) which is why each resource location requires at a bare min 2x or a pair of Connectors.

Connectivity & High-Availability
The Citrix Cloud Connector firstly should always be implemented in pairs at a minimum within any resource location and installed onto either Windows Server 2012 R2 or 2016 AD joined VM instances. The connectors are stateless and brokering requests are load-balanced via Citrix Cloud to the connectors within your resource location(s) and if a connector does not respond the queued tasks are redistributed to the remaining connector(s). As the connectors are stateless this also means that they do store any mgmt configuration for Citrix Workloads at the resource location as this is held within the Citrix Cloud by the Service that you are utilising e.g XenApp and XenDesktop Service.

+If you setup a PoC with a single Connector it will probably display as amber for a period of time prior to turning green as you have only configured 1x Connector for your resource location. You can check your Connector status for your resource locations by navigating from https://citrix.cloud.com/ to https://citrix.cloud.com/identity and under “Domains” select your domain forest(s) and expand it and you can review your Connectors name e.g servername.dommain e.g connector1.x1co.eu and its status (red, amber or green).

The leading best practise for h/a at your resource location is for your Citrix Cloud Connectors to be implemented as N+1 for redundancy – – https://en.wikipedia.org/wiki/N%2B1_redundancy.

Logs & Services++ of the Connector
The Connector logs are stored at “C:\ProgramData\Citrix\WorkspaceCloud\Logs or use %ProgramData%\Citrix\WorkspaceCloud\Logs” for verifying ongoing communication and helping with troubleshooting. Once the log(s) size exceeds a certain threshold its deleted BUT Administrators are able to control the log retention size by adjusting the following entry in the Windows registry “HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CloudServices\AgentAdministration\MaximumLogSpaceMegabytes” to meet your organisations logging/auditing requirements.

The core four primary functions/roles of the Connector are Authentication, Proxy, Provisioning and Identity which are powered by the following Citrix Cloud services listed below (as of Jan 2017). You can view a detailed architecture technical diagram of the Connector under the XenApp and XenDesktop Service online documentation at – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html.

Connector Functions/Roles
For a more accurate diagram please check out – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html

Authentication Proxy Provisioning Identity
NetScaler
Unified Gateway
StoreFront
(Optional)

Hypervisor 
Server VDA
 Server 2012 R2, 2016
Desktop VDA
Windows 10

Active Directory, DNS

I’ll update this section with what each of the Connector services actually does

Citrix Cloud AD Provider
Citrix Cloud Agent Logger
Citrix Cloud System
Citrix Cloud WatchDog
Citrix Cloud Credential Provider
Citrix Cloud WebRelay Provider
Citrix Cloud Config Synchronizer Service
Citrix Cloud High Availability Service
Citrix Cloud NetScaler Cloud Gateway
Citrix Cloud Remote Broker Provider
Citrix Cloud Remote HCL Server
Citrix Cloud Session Manager Proxy

Citrix Cloud PoC Guide for the XenApp and XenDesktop Service
I have writen a fairly detailed blog article describing how-to deploy the XenApp and XenDesktop Service here.

Front XenApp 7.11+ in Azure with NetScaler (Unified) Gateway 11.x.n

The following content is a brief and unofficial overview of how-to front your virtual apps & desktops powered by XenApp 7.11 with NetScaler 11.x.n using Microsoft Azure (ARM). The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions, best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENAPP – xa
XENSERVER – xs
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
INDEPENDENT COMPUTING ARCHITECTURE – ica
NETSCALER – ns
NETSCALER UNIFIED GATEWAY – nsug
AZURE RESOURCE MANAGER – arm
IDENTITY ACCESS & MANAGEMENT – iam
MULTI-FACTOR AUTHENTICATION – mfa
SECURITY ASSERTION MARKUP LANGUAGE – saml

Why this Blog Article?
I’ve had a lot of cloud 1st strategy conversations with IT Pro’s, Citrix SysAdmins & organisations alike recently so I thought everyone whom is searching for how-to front XenApp with an Azure NetScaler could benefit from this blog post :-). This blog post covers a how-to even with NetScaler in single IP mode to achieving https://FQDN (Image 2) for the gateway vs. https://FQDN:8443 (Image 1) when deploying NetScaler in Azure (ARM).

Deploying NetScaler 11.x.n using Azure Resource Manager (ARM)
1. Login to https://portal.azure.com
2. I presume that you have setup a your network, IAM if not refer to https://azure.microsoft.com/en-gb/get-started/ for getting started how-to from Microsoft.
3. Click on + New in the top left of the ARM web ui and type in NetScaler and select NetScaler VPX Bring Your Own License or for a quick review check out – https://azure.microsoft.com/en-gb/marketplace/partners/citrix/netscalervpx110-6531/.
4. Click Create
5. Enter in a name for your NS virtual appliance e.g ne1nug01 and select the VM disk type
5. Enter in a username and choose auth to be either SSH public key or Password I choose password to access the NS Admin WebUI for simplicity of all readers of this blog.
6. Select your chosen of default Subscription if you have more than one and then select your existing Resource Group where you XenApp 7.11+ environment and XenApp 7.11+ VDA Workers and your mgmt. VM running AD/DNS server resides. Remember I am keeping this simple as it’s intended for PoC’s only!
7. Continue to select your chosen Azure instance for NetScaler I choose DS2_V2 Standard which consists of 2 Cores, 7GB of RAM.
8. Select your storage account, virtual network & subnet e.t.c and high availability set then click Select to continue.
9. Review your purchase of NetScaler and then click Ok to purchase and Azure will begin building your NetScaler VPX in your Azure chosen subscription which will take no more typically than 10 minutes.

Setting up & Licensing your NetScaler on Azure
Firstly be aware that when deploying a NetScaler instance on Azure for virtual apps & desktops you’ll be setting up NetScaler to run in single IP mode (YES!) which means that you’re connecting to internal TRU resources on the NetScalers IP addr (NSIP) but you connect using different ports e.g ICA Proxy on 8443 so lets begin with the setup.

1. Login into your NetScaler using the NS Admin Web UI do not provide a SubnetIP Addr (SNIP) just select Do It Later and proceed with the initial setup as per normal.
2. Now that you have setup your NetScaler you need to license it so remain logged into and open a new tab in your browser of choice and Google “Citrix Eval Store” or save this link – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700
3. Select under Networking -> NetScaler ADC
4. Next select the following model “VPX” select variation e.g “Platinum 1000” select duration e.g “90 Days”.
5. Complete the onscreen process note that you will require a .Citrix.com account or you need to create an account.
6. Once you receive an e-mail with your key/code head over to at https://www.citrix.com/account/toolbox/manage-licenses/allocate.html or goto and select find and allocate your licenses or look for the licensing button (link) and select it.
7. If your key/code it not visible select “Don’t see your product?” in text in/around the top right-hand side. A pop-up appears now enter in the code provided on e-mail from the Citrix Eval Store e.g “CTX34-XXXXX-XXXXX-XXXXX-XXXXX” and continue.
8. You will need to enter in the Host Id of your NetScaler it can be found once logged in using the NS Admin Web UI “NetScaler -> System -> System Information” then look under the heading “Hardware Information” and you find “Host Id” copy and paste it into the required field and then download the license file.
9. In the NS Admin Web UI click the cog icon top right then select licensing and upload the license and select to reboot the NS to apply the license.
10. Log back in and enable the features that you require e.g right click on the “NetScaler Gateway” and select “enable” e.t.c

Setup Type Choice 8443 Default without an Azure L/B for XenApp using the XenApp/XenDesktop Wizard
Now that you have setup NetScaler within your Azure subscription in your chosen region you’re ready to begin setting up NetScaler to front virtual apps & desktops (Server OS 2012 R2 or 2016) powered by XenApp 7.11+.

Sample Text Based Diagram

User Azure NetScaler StoreFront XenApp
https://FQDN:8443/ Accepts requests from Azure to NSIP on https://8443 (Single IP Mode) Accepts requests on the Gateway & Call-back FQDN on https://FQDN:8443 Accepts & launches user’s virtual app(s) & desktop(s) as requested

1. Login to your NetScaler VPX click “Settings -> Licensing” now check that License type is Platinum and Model ID 1000
2. Select the XenApp/XenDesktop wizard and review the prerequisites carefully prior to continuing BUT in summary you’ll need an SSL Cert, LDAP service account + details, XenApp 7.11+ environment with StoreFront.
3. Enter in the static IP addr assigned by Azure or OTHER METHOD of your NetScaler VPX YES that’s right!
4. IMPORTANT STEP: Change the default port of 443 to 8443 on the Gateway IP addr
5. Set Up the rest of the XAD wizard as normal
6. IMPORTANT STEP: Setup StoreFront to allow remote access however the configured default gateway and Call-back FQDN addresses MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu
7. Setup external DNS entries e.g go.x1co.eu to point to your NetScalers static IP addr found in the Azure ARM Web UI and once you have verified it is functioning correctly using a shell (IPCONFIG /FLUSH after settin-up the DNS entries waiting 10-15 min depednant upon your ISP) the open up an internet browser and type in e.g https://go.x1co.eu:8443 and dont forget the :8443 at the end of the FQDN.
8. Attempt to login either using sAMAccountName e.g username or userPrincipalname e.g username@x1co.eu and then you should be able to successfully login and launch your virtual apps & desktop as per the below image.

Image 1


Setup Type 443 for XenApp using an Azure Load-Balancer & the NetScaler XenApp/XenDesktop Wizard

Sample Text Based Diagram

User Azure Azure Load-Balancer NetScaler StoreFront XenApp
https://FQDN/ https received request and forwarded to NetScaler on https://FQDN:8443

Accepts requests from Azure L/B on https://FQDN fwd to NSIP on https://8443 (Single IP Mode) Accepts requests on the Gateway from HTTPS://FQDN but the Call-back FQDN is on https://FQDN:8443 Accepts & launches user’s virtual app(s) & desktop(s) as requested
https://FQDN ↔ AzureL/B ↔ NetScaler:8443 NetScaler https://FQDN:8443 ↔https://FQDN StoreFront StoreFront Call-back https://FQDN:8443
StoreFront configured NetScaler Gateway https://FQDN

1. If you are choosing this option as your preferred lets hope then complete steps 1-5 and also step 7 to save you time!
2. IMPORTANT STEP: Setup StoreFront to allow remote access however the configured default gateway MUST BE e.g https://go.x1co.eu NOTICE NO :8433 YES not :8443 here. Now on the call-back FQDN addresses YOU MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu otherwise fronting NS with an Azure L/B to acheive HTTPS://FQDN for the XAD Gateway (ICA Proxy) will NOT WORK!!!!
3. Now switch to the Azure ARM Web UI. You should probably read the following useful resources – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-overview/ and for PowerShell creation check out – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-get-started-internet-arm-ps/ for any Citrix consultants out there.
4. Azure Load-balancer and click on the “+” at the top and provide a “Name” and for the type choose “Pubic” and select your Azure “Subscription” “Existing Resource Group” and its location (Same as NetScaler deployed instance) then click “Create”
5. Now it will list the available public IP addr just select the “+”
6. Enter in a name and choose your assignment choice “Dynamic” vs. “Static” and click OK.
7. Azure will then provision your Azure L/B (Wait….Maybe coffee or tea break?)
8. Once created select your Azure L/B
9. Select “Backend Pools” enter in a name then choose your availability set and then your VM’s or VM e.g NetScaler. Azure will then provision your Azure L/B with a backend pool (Wait….)
10. Select “Frontend IP Pool” click “+” enter in a name then choose your IP addr e.g NetScaler VM and then enter in a name (all names should differ makes identification easier so a good naming convention helps 🙂 now) and choose your assignment choice “Dynamic” vs. “Static” and click OK (Updating….)
11. IMPORTANT STEP: Select “Inbound NAT Rules” select the resource from your Frontend IP Pool list from the previous point (10). Select the service “HTTPS” and port to be 443 then select the target “NetScaler VM” and then vErY iMpOrtAnt select under “Port Mapping -> Custom” and in the “Target Port enter in 8443” and click save. (Wait…)
12: Now navigate to https://FQDN and attempt to login either using either sAMAccountName e.g username or userPrincipalname e.g username@x1co.eu and thereafter you should be able to successfully launch your virtual apps & desktop published by XenApp 7.11+. The below image represents the end goal when fronting an Azure NetScaler in Single IP Mode with an Azure Load-Balancer as per the below image.

NetScaler VPX in Azure Deployment Guide
http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/NetScaler-VPX-in-AZURE-Deployment-Guide.pdf

Advanced Setup & Configuration
The following how-to’s are from a 2016 Citrix Technology Advocates (CTA) – https://www.citrix.com/blogs/2016/05/23/expanding-recognition-for-community-contributors-citrix-technology-advocates/ Dave Bretty – http://bretty.me.uk/ which covers off how-to setup and configure FAS, NetScaler SAML/ADFS Proxy, Azure MFA and much more, so follow the links in order listed below.

1. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-1/
2. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-2/
3. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-3/
4. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-4/
5. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-5/
6. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-6/