The path to operating from the Citrix Cloud Platform for Citrix Virtual Apps and Desktops often can appear like your need to climb to the summit of K2, this is purely because for IT its foreseen as another key yet, rapid IT Transformation project to solve a multitude of business and business IT challenges (its different organisation by organisation). I’ve therefore put together a simple blended digital doodle on this very topic highlighting some key learnings, leading practises from the field and my own thoughts and thinking on this very topic.
Introduction I smile consistently these days hearing how organisations are keeping the UK economic moving forward, pivoting day 1 of the UK COVID-19 lockdown to full-time frictionless secure remote flexible working styles with minimal IT effort + friction powered by Citrix technologies.
I hear many unconsidered benefits from my customers, examples include keeping businesses operating helping their customers and supporting them during the height of the lock down to leap frogging competitors gaining significant market share through to winning new business because operationally they where available and ready with a Citrix powered securely centralised hybrid multi-cloud delivery strategy, when backed with a robust and annually tested Business Continuity Plan (BCP) set them up for instance successful shifting from day one of the UK COVID-19 lockdown to full-time work from home without any major hiccups.
For organisations that weren’t fully Citrix and had a hybrid strategy achieved full work from home swiftly swell using one or more of the following strategies:
1. Many existing hybrid Citrix customers scaled up licensing and re-framed physical workstations sat in the office through Citrix Workspace app to employees now sat at home using a browser on a personal device at home. To the employee everything is where it should be within there virtual desktop, for many this has now fundamentally changed perceptions of why they need to sat in an office for 5 working days in a post COVID-19 non-lockdown world. 2. Scaling up CVAD usage by optimising existing workloads or unlocking dark capacity turned off and deallocated ready within the data centre wherever they choose that to be. 3. The most popular one was to extend into one or multiple public clouds (AWS, Azure) to supporting elastic Citrix Virtual Apps & Desktops (CVAD) workloads whilst remaining in control of public cloud cost economics utilising Citrix AutoScale – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/autoscale.html which is part of the CVAD Service.
Finally organisations shifted to focusing on strengthening security within 1-2 weeks, implementing contextual device security powered by Citrix Smart Control and Smart Access technologies beyond IT non-managed devices, as not every employee could take a device home, they didn’t have a device they could use or they just didn’t have the physical space for it at home as you just don’t know your employees WFH requirements, needs and including @home personal circumstances behind closed doors.
In these many organisations hearing all these great stories I noticed a common theme reoccurring in lock down months 1-2. I have a percentage of employees and its all abeit random across the entire organisation encountering good vs. fair vs. poor experiences. Due to the random nature pin pointing the issue was a huge challenge as by the time IT investigated the problem it was largely self-resolved if by magic? My response have you heard about and or deployed and are running Citrix Application Delivery Management (ADM)? A resounding NO 95% of the time. The below diagram 1 visualises the traffic flow of where I am vs. where my delivered Citrix Virtual Desktop is run out of, it likewise can visualise to IT the overhaul traffic, load demand, security & infrastructure health status ref diagram 2.
“Not visualising the employees “Workspace” traffic flow, is where the value of Citrix and ANY Workspace solution is LOST in IT Service delivery. Citrix Application Delivery Management (ADM) is a key enabler in helping remediate employee experience issues, whilst providing a crucial IT Employee Experience Scorecard.” Lyndon-Jon Martin June 2020
The Business IT Value of Citrix ADM A modern flexible platform with two unique halves much like our human brains with left vs. right hemispheres connected by a nervous system, however in this case ADM has analytical vs. management hemispheres providing fleet management with different roles vs. function; employee, security & infrastructure insights supported by a hybrid multi-cloud architectural strategy enabling less IT Ops friction and complexity on a daily basis. ADM’s centralised management + sense architecture provide simple and or advanced operational experience scorecards for auditors (PCI/DSS/ISO27001 with RBAC for read-only access), security + network teams, IT and Citrix System Administrators alike from a single framed lens who’s nervous system is connected to a hybrid multi-cloud fabric providing unconsidered insights and visibility into capacity, strengthened security posture through monitoring change control and config drifts incl automated fleet management which can be executed across multiple instances in ANY cloud simultaneously or on your own terms. ADM gives IT back the right level of “Control” enabling the less friction shifting workloads with true licensing flexibility + agility to the most commercially attractive vs. the most innovate cloud platform which suites IT and their business demands.
Having had the privilege of working with world class engineers in the past helping a single customer to process a £1 million pounds per minute through a payment gateway beyond typical web, app traffic of a front door of there website. I learnt that you always require something that you as the MSP or your customer can “Control” in an ANY Cloud + Services architecture for Business Continuity Planning (BCP) and sound IT Operational excellence so you can make better decisions at pace from more accurate data insights visualised. Placing your “Eggs” aka IT Business platform into a single supplier framework even the most trusted IaaS provider and enforcing that your preferred IaaS region is properly fault tolerant and highly-available is equally expensive in cost and complexity much like on-premises, do not be fooled. The IT Complexity Index increases significantly when consuming for example IaaS native site recovery services to enable near to real-time failover in another region when your primary region experience’s an (planned) outage or degraded performance, these services help to keep-a-live those existing “Sticky” connections which will eventually complete a transaction of some kind e.g credit card donation.
I’m all for public cloud in fact two operating styles “Native” vs. “Managed” Public Clouds strategies. I’ve ran my personal lab in AWS EC2 since 2016, easily amortised £1000 over these past 4 years with plenty of cashflow free. Really? How? Having a strong background + experience in the MSP world on the edge of the City of London and working with “Managed” Public Clouds platform I began to respect + understand how all IaaS providers operate inclusive of the full lifecycle management of workloads + the data centre platform itself which is to not leave everything on like you do at home or in a traditional managed colocation data centre. In a native vs. managed IaaS world you’ll turn off and deallocate capacity if you don’t require it and scale it up as you equally require it with little to no friction. I’ve digressed enough back to the IT Employees Experience Scorecard.
A number of my customers have overcome that randomness or pockets of employees complaining about a poor experience post deploying Citrix ADM as the issue can now be identified and remediated pretty efficiently. The solution is simple, deploy and run Citrix ADM for up to a week continuing as is, no changes and then run a report similar to the above and in parallel visualise all those support cases from your service desk platform and marry up employee names and you’ll quickly notice a pattern forming between employees with poor experiences vs. support cases + the number of them.
I suggested to organisations survey those employees and ask them a few simple questions the best ones “Who is your home broadband provider?” and the second “How many devices are connected in the house to the internet and number of people?”. The first question revealed what I expected its the employees consumer ISP and the suggested remediation could well be provide them a “stipend” exclusively for mobile data onto personal contracts or ship them a 4G mobile hub/dongle to use instead and the problem vanishes over night almost every time and video conferencing platforms perform better as a net result equating to happier employees with a better experience.
Introduction The purpose of this blog post to aim for a consistent modern authentication experience for employees when consuming Citrix Virtual Apps & Desktops (CVAD) + CVAD Service regardless of where the (CVAD) workloads are running, either in *Azure, *AWS, *GCP or *On-Premises. The primary priority is that the employees identity is owned and managed by a cloud identity platform e.g Azure Active Directory (AAD) and the employees identity within each resource location* for CVAD usage maps to AD shadow accounts. These AD shadow accounts represent the employee as a UPN e.g human.name@domain, with a RANDOM long complex password that the employee doesn’t need to ever know and all IT is required to do beyond creating a AD shadow account is then assign the right vs. relevant security privileges and access to CVAD including Policies meeting local, geo of industry compliance and governance while maintaining a great employee experience.
The second priority is that the employees device can frictionlessly access CVAD resources using either a Forward Proxy, SD-WAN Overlay Network or ICA Proxy. I do recognise that many organisations are still required to make use of a VPN style strategy at the current moment and therefore this solution can also work for those devices as well repurposing the existing Citrix Gateway to also support a Full VPN beyond ICA Proxy or you can use other well established and trusted VPN solution providers.
Leveraging a Bring Your Own “either Enterprise vs. Personal” Identity (ByoI) is a concept I ponded way back in 2017 and now feels like the right time to pick that up concept again during the current Workplace transformation happening all around the world due to world wide COVID-19 pandemic. Using a ByoI strategy as high level vision you can efficiently deploy CVAD to any *Azure, *AWS, *GCP region or *On-Premises with less friction and you don’t need to be worry about “Password Syncing” just replicate the employee’s UPN + AD Security Privileges + CVAD Access & Policies where its required. It has the added benefit if you want do mix and match public cloud workloads to avoid lock-in amongst other topics, you’ll be providing a common and consistent login interface + experience irrespective of where the workload is sat.
It another brilliant benefit is the on-boarding of 3rd Parties (3P’s) using ByoI concept with a business check at the edge, the 3P brings there owned Identity and in the current world we live in I don’t think that is bad thing it could even strength that employees individual security as there identity will be bound to a smartphone which knows more about your individuals habits and you that you know yourself. If we can unlock a co-shared responsibility identity model between the individual + organisation we can truly aim for a passwordless workspace that only uses virtual smartcards or tokens.
Finally the on-boarding of M&A employees can be faster as you can generate them a few days after commercial signing with a new brand identity that resides in Azure AD (or Google, OKTA e.t.c) whilst they continue accessing existing workplace apps + data with current AD credentials, IT + HR + Business can choose when to layer in the “NEW” Workspace Platform for Work from group perspective into the existing Workspace with less friction and complexity. Yes this final topic is complex when we think about merging different Business IT and IT Systems together, a CVAD strategy with FAS bridges the GAP reducing friction and complexity for IT to sun rise a new Workspace stack for that newly acquired organisation while sunsetting the exciting Workspace stack and those new M&A employees get to on-board beyond the Workspace into there new organisations people, its culture, vision and values and avoids the IP drain that often can easily happen.
High Level Architecture The scenario below depicts accessing a StoreFront server on any device type from within the Workplace fabric in any office locally or world wide or from a IT managed device that makes use of a Full VPN, Forward Proxy technology; WFH Citrix SD-WAN appliance where traffic passes over an SD-WAN overlay network; Citrix Endpoint Management enrolled smart device with per-app mVPN configured and finally irrespective of the devices management status you can use ICA Proxy* to access CVAD resources anywhere over the internet inclusive of any home via a Citrix ADC (formerly NetScaler) using the Gateway functionality which is “VPN-Less*”.
Azure AD Setup & Configuration – Personal Home Lab Edition If you have a separate Azure AD tenant in Azure you can proceed to the next section, however if you are an IT Pro that wants to test out how to convert Azure AD SAML logins to Citrix virtual smartcards for CVAD the following the below guidance below for setting up a personal ADD tenant with a personal Azure account for your home lab. WARNING I am not an Azure AD nor on-premises AD expert, therefor follow the leading practises found in Microsofts documentation for Azure AD.
1. Navigate to https://portal.azure.com and sign-in with your live vs. personal Microsoft account. Select “Create a resource”. 2. Select “Identity” then select “Azure Active Directory”. 3. Enter in an “Organisation Name, Initial domain name and select your Country or region”. 4. The wizard will begin creating your AAD tenant . 5. Once it completes click the hyperlink within “Click here to manage your new directory”. 6. At the Overview page of your new AAD tenant select “Users” under “Manage” section. 7. Select “+ New user” under the “All Users (Preview)” Overview you’ll notice your personal email addr. 8. You’ll notice when creating a new employee account for your AAD tenant that you can only append domain.onmicrosoft.com to the username, I’ll explain how-to convert that to user@domain and remove the UPN requirement of firstname.lastname@example.org in the next few steps. For now fill the following fields “User name”; “Name”; “First name”; “Last name”; “Password” (choose or auto-generate) and the select “Create” keeping the defaults as they are. 9. Your new AAD employee is successful created, you can assign roles. NOTE for my personal testing purposes I didn’t configure anything as I’ll delete that test employee AAD account after my testing. 10. At this point I’m not going to deploy nor setup the “Azure AD Connect” in my Citrix Cloud Resource Location as I want the employees primary identity to always reside in Azure AD as the single source of truth, and then bring that identity to my Citrix Cloud Resource Location e.g Bring your own Identity (ByoI) and after a successful AAD SAML login map that to a hardened AD Shadow account with long complex password that the employee will never know and all I need to do it assign the AD security privilege and access for CVAD resources. This approach means that employee will NEVER enter in a AD password within a Citrix Cloud Resource Location that is configured for AAD (or Google, OKTA e.t.c) when using CVAD 1912 LTSR StoreFront and the Federated Authentication Service (FAS) in a Resource Location(s). For complex environments yes you’ll likely deploy the “Azure AD Connect” software as a role somewhere to replicate the employees but you don’t need to replicate there passwd or you can provision the employee twice once in AAD as in the example above and then again manually in AD in the Resource Location as there corresponding AD shadow account which matches the UPN from AAD when authenticating using SAML to StoreFront, the choice is yours but I found for testing purposes a manual in each is far less frictionless.
On-Premises Active Directory (AD) within your Resource Location 1.Create a new AD “Shadow” account that matches the “User Principal Name (UPN)” in AAD e.g user@domain, generate a random long complex password which they don’t need know and then assign or inherit the right vs. relevant AD security groups, GPOs that you would usually assign to a CVAD consumer. 2. On-board your domain into Azure AD which required verifying it with a MX record to avoid using email@example.com so that you can use user@domain keeping it simple and less complex.
Installation and Configuring the Federated Authentication Service (FAS) 1. On the new VM that you just installed 1912 LTSR StoreFront role onto from the existing mounted ISO run the autorun splash screen and select “Federated Authentication Service”. 2.Read the EULA which you’ll need to “Accept the Licenses Agreement” to continue. 3. Accept the defaults and select “Next” on the “Core Components” page. 4. Accept the defaults and select “Next” on the “Firewall” page. 5. Once the installer is finished select “Finish” to close. 6. Open a PowerShell window in Admin mode then copy & paste the following code below, which will enable a trust between the CVAD Controller and the StoreFront server, minimise this window you’ll require it later.
7. Navigate to the following path “C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions\” on the current StoreFront server that you installed FAS role onto, copy the following two files “CitrixFederatedAuthenticationService.admx” and “CitrixBase.admx” the entire folder “en-US” to a network share which will need to be accessible from your Windows Domain Controller or WDC. 8. Connect to your Windows Domain Controller (WDC) via RDS from the current StoreFront + FAS server and copy the two *.admx FAS files including folder “en-US” from your network share to the following path on the “C:\Windows\PolicyDefinitions” on your WDC. 9. Open an “MMC” console and load the “Group Policy Management Editor” snap-in, at the prompt for a Group Policy Object, select “Browse” and then select ”Default Domain Policy”. 10. In the MMC console navigate to “Default Domain Policy [server name] > Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication” and you should see the following three policies available “Federated Authentication Service”, “StoreFront FAS Rule” and “In-session Certificates”. 11. Select and open the “Federated Authentication Service” policy, next select to “Enable” it followed by selecting the “Show” button parallel to “DNS Addresses” label and enter in the FQDN e.g. “server.domain” of your StoreFront + FAS server and then select “OK” and then select “OK” to save the policy configuration and enabling FAS. 12. Next select and open “In-session Certificates” and select “Enabled” and in the “Consent timeout (seconds):” field type in a value of “30” which is the default. 13. Next close the MMC console and open up the existing PowerShell (Admin mode) and copy and paste the following code to force a Group Policy Update.
14. Minimise the RDS connection from your WDC so that you are back on your StoreFront + FAS server. Search and open up Citrix FAS in Admin mode, if you don’t you will be notified in the UI and then select “run this program as administrator” which will reload the FAS UI in Admin mode. 15. Select to “Deploy” for “Deploy certificate templates”. 16. Select “Ok” on the pop-up window that appears. 17. You’ve now successfully deployed the certificate templates, now select “Publish” for “Set up a certificate authority”. 18. Select the right Enterprise Certificate Authority (CA) from the available list and select “Ok”. 19. You’ve now deployed the certificate templates successfully to your Enterprise CA, now select “Authorize” for “Authorize this service”. 20. Select the right Enterprise Certificate Authority (CA) from the available list (same as above) and select “Ok”. 21. The FAS UI will display a spinning icon as the authorisation request is pending on the Enterprise CA server. 22. Connect to your Enterprise CA via RDS and the “Microsoft Certification Authority” MMC Console and navigate to “CA > CA Server > Pending Requests” you’ll see pending certificate right click it select “All Tasks > Issue” and the certificate will be issued. 23. Verify the issues certificates are issued by selecting “Issued Certificates” and verify you can see two issues certificated that begin with “Citrix_RegistrationAu…”. 24. Minimise your RDS session to your Enterprise CA and return to the StoreFront + FAS server, you now notice the “Authorize this service” says “Reauthorize” which is correct as the FAS service is now authorised with the Enterprise CA. Next select “Create” for “Create a rule”, which launch a new window. 25. Accept the default “Create the default rule (recommended)” and select “Next”. 26. Accept the default “Citrix_SmartcardLogon (recommended)” and select “Next”. 27. Select the previously selected and configured Enterprise CA you Authorised and select “Next”. 28. Select “Allow in-session use” and select “Next” if you enabled the following policy “In-session Certificates” earlier. 29. Select “Manage StoreFront access permissions (access is currently denied)” in red text which will open a new window. 30. Remove “Domain Computers” and add the “Server” running the StoreFront + FAS roles and under “Permissions” to “Allow” then select “Apply” and “Ok”. 31. The screen will update with “Manage StoreFront access permissions” to now be in blue text, now select “Next”. 32. Select “Manage user access permissions (all users are currently allowed)” in red text which will open a new window. 33. You can change to default “Domain Users” to your own test AD security group, then under “Permissions” to “Allow” then select “Apply” and “Ok”. 34. The screen will update with “Manage user permissions (all users are currently allowed)” to now be blue text, now select “Manage VDA permissions (all VDAs are currently allowed)” which is in red text. 35. You can change to default “Domain Computers” to your own test AD security group that your Citrix Virtual Delivery Agents (VDA) are found within, then under “Permissions” to “Allow” then select “Apply” and “Ok”. 36. The screen will update with “Manage VDA permissions (all VDAs are currently allowed)” to now in blue text, now select “Next”. 37. Now select “Create” and a “Default” FAS rule. 38. You have now successfully setup and configured Citrix FAS, you still need to enable FAS Claims for your “AAD” store on StoreFront which is covered later in this blog post.
Creating a new Store call “AAD” for Azure AD SAML Authentication in StoreFront 1. Open Studio and select “StoreFront” then select “Stores” and the on the “Actions tab” select “Create Store”. 2. On the splash screen select “Next“. 3. Type in “AAD” for the “Store Name” field and click “Next”. 4. Select “Add” list a CVAD controller, a new window will appear where you need provide the following information a “Display Name” e.g Citrix Cloud Connectors vs. CVAD 1912 LTSR, for the “Type” select “Citrix Virtual Apps and Desktops” and under “Servers” list select “Add” and type in the Citrix Cloud Connector or CVAD 1912 LTSR addresses and choose “Transport type” either HTTP 80 or HTTPS 443 (Preferred) and click “OK”. 5. You are now returned to the “Delivery Controller” page with a list of either Citrix Cloud Connectors or CVAD Controllers 1912 LTSR, click “Next“. 6. Now on the “Configure Authentication Methods” page select “SAML Authentication” and leave “User name and password” checked as YES, then click “Next”. 7. Ignore “Remote Access” configuration and click “Next“. NOTE: I will update this blog post at a later date with the Remote Access via Citrix Gateway formerly NetScaler Gateway. 8. Accept the default’s on the “Configure XenApp Services URL” and click “Create”. 9. StoreFront will begin creating your new “AAD” Store on your StoreFront server, once the wizard completes select “Test Site” to verify you can see a webpage that displays Citrix Receiver or you can navigate to “https://FQDN/Citrix/AADWeb/” replacing the FQDN with your own to verify the webpage is available.
Generating AAD SAML Configuration for StoreFront 1. In the Azure AD UI in the Azure Portal select “Enterprise applications” node. 2. When the UI updates in the centre select “Select “New application”. 3. You are taken to the “Add an Application” wizard and presented with three options select “Non-gallery application“. 4. Next provide a name for your own application e.g AAD-SAML-CVAD1912LTSR and then click “Add” at the bottom. 5. The AAD wizard completes and you are taken to the “Overview” page for “AAD-SAML-CVAD1912LTSR“, now select “Users and groups” from within this view. 6. Add an native AAD user(s). Note do not add any employee that does not have a AD shadow account setup and configured in the Citrix Cloud Resource Location (RL). 7. Now from the same “Overview” page for “AAD-SAML-CVAD1912LTSR” select “SingleSign-on” and on the “Select a single sign-on method” wizard select “SAML” and will start the AAS SAML wizard. 8. Select the pencil icon for “Basic SAML Configuration” to configure the following fields as follows below and select “Add“.
Identifier (Entity ID): https://FQDN/Citrix/AADAuth Reply URL (Assertion Consumer Service URL):https://FQDN/Citrix/AADAuth/SamlForms/AssertionConsumerService Sign on URL: https://FQDN/Citrix/AADWeb
9. Check under “User Attributes & Claims” portion that the “Name” field is configured to “user.userprincipalname”. 10. Scroll to “SAML Signing Certificate” and click to download the “Federation Metadata XML” e.g. AAD-SAML-CVAD1912LTSR.xml, now save or transfer it to your StoreFront server at C:\Temp.
Create and Configure a Azure AD SAML Trust in StoreFront 1. If you have transferred the *.xml file e.g “AAD-SAML-CVAD1912LTSR.xml“, then on your StoreFront server create a folder called “Temp” on “C:\” and transfer the downloaded *.xml file. 2.Open PowerShell in admin mode or launch it from Studio 1912 LTSR. Copy & paste the following code below, however if opening the PowerShell with Admin privileges without Studio 1912 LTSR then copy & paste this cmdlet first before proceeding with the configuration & “$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1“. You will notice the virtual path for the Store is already set here to AAD so you can copy and paste it as is. This code sets up and configures SAML for the ADD Store.
3. Next copy and paste the following code which will ingest SAML configuration from the Azure AD *.xml that you downloaded earlier and copied to C:\Temp on the StoreFront server.
Get-Module “Citrix.StoreFront*” -ListAvailable | Import-Module # Remember to change this with the virtual path of your Store. $StoreVirtualPath = “/Citrix/AAD” $store = Get-STFStoreService -VirtualPath $StoreVirtualPath $auth = Get-STFAuthenticationService -StoreService $store Update-STFSamlIdPFromMetadata -AuthenticationService $auth -FilePath “C:\Temp\AAD-SAML-CVAD1912LTSR.xml”
4. Validate there are not error(s) on screen that need resolving. 5. Minimise your PowerShell window you’ll need it again shortly, now open up Studio or StoreFront MMC console and navigate to the “Stores” and select “AAD” and select “Manage Authentication Methods“. 6. Select the cog icon parallel to “SAML Authentication” and then select “Identity Provider” you should see that your AAD SAML configuration is setup and configured, leave it as is DO NOT TOUCH it! 7. Close all windows including Studio or StoreFront.
Enabling FAS for Converting Azure AD SAML Tokens to Virtual Smartcards 1.Open up your existing PowerShell window and copy and paste the following code below, which will ENABLE FAS for your ADD Store to convert AAD SAML tokens received into virtual smartcard that will be used to SSO the employee onto his/her Citrix virtual app and or desktop. You’ll notice the code is configured for the “AAD” Store so you can copy and paste as is.
2. Validate there are not error(s) on screen that need resolving, if there are none you can nose close the PowerShell window.
Testing your Azure AD SAML to Virtual Smartcard Login 1. Navigate to https://FQDN/Citrix/AADWeb which will redirect you to a AAD login. 2. Enter in your UPN e.g user@domain and then complete the required 2FA vs. MFA requirements setup by your organisation as requirement onscreen. 3. You will be returned to https://FQDN/Citrix/AADWeb and SSOed onto UI, depending on your setting your desktop will either auto launch of you’ll have to manually launch it yourself. The initial login will take slightly longer than usual as its generating you that initial virtual smartcard between StoreFront, FAS, AD and your Enterprise CA. 4. Your Citrix vDesktop or vApp should launch successfully and SSO the on without prompting for any credentials.
Troubleshooting 1.If you receive ANY error once returned to https://FQDN/Citrix/AADWeb post the AAD SAML login open a new browser tab in the same session and copy and paste the following URL https://FQDN/Citrix/StoreAuth/SamlTest to see if you have any oblivious errors firstname.lastname@example.org from Azure AD which doesn’t map to the AD Shadow account that is user@domain so its a UPN mismatch and the sign-on will continue to fail. 2. If the employee can sign on to https://FQDN/Citrix/AADWeb and the Citrix vApp or vDesktop launches but they see a credential prompt with “Other User” check and see that you configured FAS for the correct Store with SAML Authentication setup and configured if not using my example of “AAD” as the Store setup and configured on StoreFront.
ICA Proxy Remote Access with Azure AD SAML Coming…
Concept on Bring your own Identity (ByoI) Strengthening Security through Co-Shared Responsibility owned by IT with different operating models Its a simple concept which I like and yes it adds in complexity but it times today its far better to harden against unwanted 3rd party access whilst making it harder to achieve lateral movements. If the employee’s account is compromised by a 3rd party, they would need to compromise the employees identity in the cloud directory e.g AAD and in Active Directory (AD) on-premises as both passwords are completely different with different types of multi-factor authentication methods bound including access privileges.
Conceptual Bring your own Identity (ByoI)- Strengthening #Security through Co-Shared Responsibility owned by IT with different operating models WITHOUT PASSWORD SYNCING. pic.twitter.com/8XLt0wM19U
I’ve noticed a number of folks asking what do as my existing Citrix AutoScale + Power and Capacity Management policies aren’t powering on my public cloud workloads any more, especially when they need it most!? What is happening? Firstly “this is not a Citrix issue” it’s a public cloud capacity issue in all the major players by selective “POPULAR” instance types for commonly used workloads like delivering virtual apps & desktops and its affecting by indvidiual regions e.g UK and not the whole public cloud providers capacity world wide to be clear and transparent.
If you make use of Citrix AutoScale and Power Capacity Management for mission critical CVAD workloads for better P&L management vs. capacity peaks then please DISABLE IT for those Delivery Groups (DG) within the CVAD Service temporarily to maintain business operations and internal SLA’s for service delivery of CVAD workloads to employees WFH during CVOD-19. Disabling AutoScale is strategically very important during these current times, it enforces that identified mission critical workloads by Delivery Group are always on-demand 24/7 to meet operational business demands. Its important to highlight this applies to any vendors and even in-house vs. community built power and capacity management tooling platforms should also be DISABLED for all business mission critical workloads so that daily business operations are not impacted.
Why do organisations use Citrix AutoScale and Power Capacity Management? Its for a couple of scenarios, usecases which I will collectively sum up as follows below:
1. Save money not running VM instances in public clouds 24/7 when they aren’t required, therefore saving you a substantial amount of money when looking to better manage your P&L. 2. Your employees typically work 21 business days within a month (30 days) the rest is made up of time off e.g weekends, so why keep all that capacity powered on and consuming more money unnecessarily including carbon emissions. On that note how many of you leave your data centres fully powered on or even home labs when you they aren’t required? Our world needs us to make smarter and better decisions to lets act and save our world for our future unborn grand children. 3. Support spikes/peaks in virtual app & desktop consumption with a capacity buffer.
Why your should DISABLE it! COVID-19 is a world wide pandemic and hopefully a once in life time vs. century event. The number of employees now Working from Home (WFH) world wide is incredible, it’s placed a macro burden on many consumer services where some are in a degraded state or have intentionally degraded themselves to free up more bandwidth capacity over the internet in Europe for example Netflix – https://www.bbc.co.uk/news/technology-51968302. Its equally true for IT business services e.g virtual meetings and of course public cloud providers whom have run out of capacity for popular VM instance types in Europe, and this is why you want to disable AutoScale so that your mission critical workloads are not stopped + deallocated and then returned the public cloud provider pool where they will be consumed by someone else and keep up 24/7, other organisation’s may have paid upfront to reverse a number of instance types for a period of 30/60/90 days and this is achieved by holding back any/all returned capacity and finally likely redistributed to critical government agencies and department for example in the UK the National Health Service (NHS) to keep health workers productive managing COVID-19 and supporting patients.
Act & Think of Others Please be responsible and make sustainable choices and only keep mission critical workloads on-demand 24/7 that are essential to daily business operations. Finally a personal ask if you are an IT Professional who’s home lab partially runs in a public cloud as its extended from on-premises please be respectful, mindful and aware that if your region is experiencing capacity issues PLEASE turn off and deallocate those VM instances types so that capacity can be returned to the public cloud pool during working days of the week to support businesses whom need it vs. government agencies and or health departments supporting people in-need of help and support medical and or otherwise.
The views expressed here are my own and do not necessarily reflect the views of Citrix.
The views expressed here are my own and do not necessarily reflect the views of Citrix.
CITRIX USER GROUP COMMUNITY – cugc
HYPER CONVERGED INFRASTRUCTURE – hci
Its my 5th #CitrixSynergy and this is def one of the best Synergy’s I have ever had the privilege of watching virtually from London, England. Why not in person? I prefer to watch virtually as I am to consume more content faster and translate that into content to update Citrix partners/customers in a timely manner at high level and tech deep dive where required in particular areas or topics. Finally this blog post will most likely change over the next 2-3 weeks as I consume all of the Synergy 2017 content as when/how I can.
My Highlights of the Key Notes Vision Keynote
– 4:45 Citrix User Group Community – https://www.mycugc.org THANK YOU! Join the community today its powered by some of the most passionate Citrix and Technology advocates from around the global!
– 11:00 Red Bull Racing I’m not going to say anything you need to watch it!
– 21:45 Cloud powers the world
– 27:00 Digital Frontier Companies
– 39:00 Citrix Secure Digital Workspace with a software-defined preimeter
– 40:57 Citrix Workspace Services and a brief demonstration by Citrix’s CEO
– 42:25 SD-WAN / Gateway / WebApp Firewall / DDoS (NS 12+) as a Service
– 47:35 Citrix Analytics Service
– 1:01:00 “Better Together” and video message from Microsoft CEO Satya Nadella
– 1:12:25 Citrix + Google Chromebook (Skype for Business, Office365 and much more…)
– 1:18:00 Healthcare customer story “Partners Healthcare”
– 22:00 Unified Workspace (its Adaptive and Contextual by device/location and it changes the users published resources and its access type!) which brings together some of the most crucial aspects of todays modern apps, desktops, data & your location in a single view with casting capabilities but not demoed as instead instead*
– 29:00 *Workspace IoT (SmartSpaces) demonstration with a users own mobile phone enables an auto login to a Win 10 VD at guest location including welcoming the user based upon his/her smart phone used as there identity. Security people feel free or you will be going nuts right now!
– 32:30 Its all about layering you guessed it Citrix App Layer enabling IT to say YES! Note demo was demoed using a Samsung DEX check it out – https://www.citrix.com/blogs/2017/03/29/instant-desktop-computing-from-the-new-samsung-galaxy-s8-smartphone/
– 39:40 Workspace Appliance Program e.g HCI
– 42:35 Protect against Zero day attacks with XenServer and BitDefender which is available but is something which Citrix announced on 21/06/2016 yes thats right 2016 entitled “A Revolutionary Approach to Advanced Malware Protection” – https://www.citrix.com/blogs/2016/06/21/a-revolutionary-approach-to-advanced-malware-protection/ 21/06/2016 yes 2016!
– 47:00 Brad Anderson Corporate Vice President of the Enterprise Client & Mobility @Microsoft discusses shortly and then prefers to demonstrates our joint Citrix + Microsoft “Better Together” capabilities in Mobility, Virtualisation delivery from Azure and more.
– 1:01:38 Digital Jungle discussion its def worth your time if you about security and managing the experiences of your users workspace!
– 1:47:25 Vision of how the Digital Workspace is going to evolve
Citrix Synergy TV Breakout Sessions
The following are my current top sessions to watch in no particular order that I believe you’ll gain a lot of value out of watching BUT note that this may change as I continue to consume more of the on-demand content from Synergy 2017.
Innovation Super Session
Awaiting for the on-demand video publication but for now I will leave you with the following Tweet as a thought or rather a reminder to make sure that you watch it if you missed it!
The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops from AWS EC2 – https://aws.amazon.com powered by XenApp & XenDesktop 7.13+ & 7.15 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.
Minor updates include links 7.15 LTSR and not just 7.13 as of 30/12/2018
LOCAL HOST CACHE – lhc
XENAPP – xa
WINDOWS – win
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hex
VIRTUAL APPS – va
VIRTUAL DESKTOP – vd
SERVER – srv
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
DATA TRANSPORT LAYER – eat
FIREWALL – f/w
ACCESS CONTROL LISTS – all
INFRASTRUCTURE AS A SERVICE – iaas
IDENTITY & ACCESS MANAGEMENT – aim
Reader Notice: This blog post is NOT completely finished and some parts are in draft format! I will continue to update it through-out April/May 2017!
Sample Virtual Desktop from AWS powered by XenApp 7.x
In this example my VPC is in N.Virgina, USA hosting my Citrix XenApp 7.x workloads which are been delivered to me transatlantic to London, England thanks to the HDX.
What is AWS EC2?
It’s a division with-in Amazon that sells IaaS to customers for consumption. AWS is incredibly simple in my personal view BUT equally at the very same time it’s also an exceptionally powerful Public (IaaS) Cloud platform! IT departments within organisations of all shapes and sizes have an equal capability with AWS’s elastic virtual data centre capacity to rapidly design and implement a VPC to setup, configure and deploy workspace workloads of their choice within a few hours or days dependant upon there IT’s dept’s delivery & execution skillsets. Typing into Google.co.uk “AWS first year” reveals AWS’s first year was 2006 thats now over a decade’s worth of experience, maturity and continued on-going development and innovation. Check out – https://en.wikipedia.org/wiki/Amazon_Web_Services#History or brief history lesson.
Virtual Private Cloud (VPC)
Think of this as a virtual datacentre that created onto of AWS IaaS which allows you to create virtual networks (IP addr ranges, subnets e.t.c), deploy VM instances of different sizes for your required workloads and storage accounts to facility your organisations needs and requirements to potential optimise workload delivery, experience or DR scenario’s.
VM Instances Types
AWS provides traditional VM’s that you’d typically assign compute, storage type to on-prem as pre-defined instance types that vary in size and capacity to meet virtually most organisations workspace requirements in AWS. For an up to date list please check out – https://aws.amazon.com/ec2/instance-types/.
A logical representation of one or more data centres facilities in a city, state/province/county or even country.
Simply put its a Geo area and they are isolated form other regions for H/A. In a Citrix world a simple example could be to think of multiple sites (London, Paris, Oslo all built to N+1) managed using FMA 7.7+ Zones (Primary and Satellite) for H/A for geo area.
Identity & Access Management (IAM)
This one is quiet important to understand if you want to deploy your PoC with MCS provisioned XA VDA workloads in AWS from a master VM instance like you would traditionally on-prem with XenServer, Hyper-V, Acropolis or vSphere. Setting up IAM enables/allows Studio to communicate with the AWS EC2 cloud hypervisor to provision your VM instances – http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html from your master VM instance in your VPC(s). If your not interested in deploying MCS workloads then skip learning IAM for now BUT please come back to it as it’s equally important as Security Groups for Pilot, UAT and PROD workloads in AWS with(out) Citrix workloads.
Suggested example Traffic flow from the Internet to a Virtual App & Desktop delivered by an EC2 Instance
◉ – Untrusted network or public raw internet ◉ – DMZ or edge of a network, network/vnet or (network) security group depending on your network deployment choice ◉ – Trusted network or private secure network
Suggested (Security Group – Mgmt. VM) Port Configuration for RDS access to your mgmt. VM running AD, DNS e.t.c
For this particular security group I’d strongly recommended that when you setup the security group you limit the access to a single IP addr or range that you know and trust RDS access to come from to your mgmt. VM sat in your VPC.
TCP: SSH PuTTY (NS Mgmt. only)
TCP: HTTP (Internal Communication)
Suggested (Security Group – Citrix VAD) Port Configuration for Citrix Workloads to the World
The following table is actually more about the required TCP/UD Ports and dependant upon your deployment approach e.g with(out) a L2L IPSec VPN tunnel vs. NetScaler Unified Gateway i’ve decided for this section most of it available with the exception of a few which are a no no for external inbound access.
5. Lunch an NEW single instance from the EC2 dashboard under “Create Instance” this will be your mgmt. VM “wdc01” for the PoC and AWS will guide you through the deployment process (wizard).
6. Select your VM instance type to be deployed in your default or custom VPC and a suggested example instance type to utilise could be a AWS “t2.medium” instance type. You can find a complete list available at – https://aws.amazon.com/ec2/instance-types/.
6. Assign the default storage or increase and you can add another HDD later.
7. Assign the RDS mgmt. security group ensuring that RDS is enabled to connect to your mgmt VM.
8. Allow the VM to provision typically up to 5 minutes (depends on time of day, location of your VPC) then decrypt the passwd
9. Login and utilise this as your mgmt. VM and install the following suggested roles e.g AD, DNS and CA (Optional) as a bare minimum once you’ve assigned it an internal private static IP addr prior to installing and configuring.
10. Check a folder called e.g “Share” on C:\ and enable file sharing to this folder for your domain admin account.
11. Navigate to https://www.citrix.com/downloads/xenapp-and-xendesktop/ and download the latest XenApp/XenDesktop version available which is as of 12/04/2017 7.13 and copy it to the C:\Share to be used later to install XenApp 7.13+ onto your XA worker.
12. Now repeat steps 5 through 9 to deploy another single VM instance which will be your XenApp PoC VM e.g “xad01poc” and assign the following suggested instance type “t2.large’ with the exception of step 7 where you’d assigned the default VPC security group and login via RDS to this VM from your mgmt. VM e.g “wdc01”.
12. Once its ready login to your mgmt. VM “wdc01” and RDS to “xad01poc” provide it with a custom or use the default hostname and AD domain join it.
13. After successfully domain joining it login and create a folder on the C:\ drive called “Temp” on “xad01poc” and copy the *.iso from \\wdc01\Share to it.
14. Right click on the *.iso and “Mount” the media and the autorun should display the splash screen and select “XenApp”.
15. Select to install the “Delivery Controller” checking all the features e.g Studio, Director, Controller, MS SQL Express, StoreFront, License server and all the required ports.
16. You have now setup a mgmt. VM and a XenApp mgmt. VM.
17. Install and bound SSL certificate on “xad01poc” to be able to utilise https to protect username and passed credential handling when accessing RfW.
PoC Deployment of Virtual Apps & Desktops Deployment Option 1 – NO MCS nor NetScaler UG & NOT SUGGESTED!!!
This option to be very clear is typically used to demonstrate the power of HDX from a public cloud e.g AWS and DOES IT WORK? Yes of course! I would strongly recommend that you don’t deploy your PoC with this approach but front it with a NetScaler UG but i’ve included it as I have covered this topic once before and sometime Citrix SysAdmins just want to test to see is it actually at all possible with little to know effort at all before actually deploying a PoC so I hope that this clears up this PoC deployment approach/path is messy and NOT SUPPORTED!!!!
1. Now also assign the Citrix VAD “Security Group” to “xad01poc” VM.
2. Re-mount the *.iso media if required and on the installation splash screen select to install the Server VDA choosing to enable existing connections selecting “Enable Remote PC Access” the VM will restart a few times which will take circa up to 5 minutes while the VDA installs.
3. Once the VDA is installed successfully launch “Studio” and complete creating a Site, machine catalog and delivery group based upon “xad01poc” VM.
4. Modify the SFS default.ica file for your default Store to include a line to utilise your external dynamic static IP addr and check that your Windows f/w rules are correctly configured to allow in/out bound access based upon the Citrix VAD “Security Group” or you can open the downloaded file you receive post login and modify the internal private static IP addr to the “xad01poc” VM’s dynamic public IP addr assigned by AWS and you should be able to launch your virtual app or desktop. Note: You’ll need to do it for each app or virtual desktop and if you modified the default.ica file with dynamic IP each time you stop and deallocate the VM you’ll need to modify the file again unless you utilise a AWS static public IP addr which is chargeable cost per month!
5. Navigate to https://xad01poc-dynamic-public-ip-addr/Citrix/StoreWeb/ with Citrix Receiver install on your Windows, Mac or Linux end-points and login as a domain admin or user and launch a virtual app or desktop that you’ve published.
6. Test the vitual app and our desktops performance by playing YouTube movie trailers here is fav one of mine – https://www.youtube.com/watch?v=sGbxmsDFVnE or download Google Chrome and publish it and access https://p3d.in. You’ll notice I have not mentioned what HDX graphics mode why? It should provide a good UX out of the box with 7.13+.
7. Shutdown and turn off your VM’s within your AWS VPC when finished to save costs. You will be billed for storage on-going e.g GB that you’ve consumed but I have to say its a very low cost per GB.
Deployment Option 2 – No MCS but fronted by NetScaler UG
Deployment Option 3 – With MCS Workloads fronted by NetScaler UG Coming…
Notes from the field
1. The number one leading best practise is “Shutdown and turn off your VM’s within your AWS VPC when finished” to save your own personal costs incurred and or your organisations costs that maybe incurred.
2. You do need a suggusted intermediate knowledge level of AWS EC2 and Citrix in order to deploy virtual apps & desktops CORRECTLY I personally believe to ensure that those testing on your behalf actually are getting the correct HD or balanced experience to ensure a successful PoC. I’ve many misconfigurations in a variety of areas since 2015.
3. Take a look at using Citrix Smart Tools as an enabler to help you with XenApp environment(s) on AWS – https://manage-docs.citrix.com/hc/en-us/articles/213723663-Create-a-XenApp-and-XenDesktop-production-deployment-on-AWS.
The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps from the Microsoft Azure Marketplace powered by the Citrix Cloud XenApp Essentials Service prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
MACHINE CREATION SERVICES – mcs
AZURE REMOTEAPP – ara
XENAPP ESSENTIALS SERVICE – xes
HIGH DEFINITION EXPERIENCE – hdx
REMOTE DESKTOP SERVICES – rds
What is it?
It is a replacement for the deprecated Microsoft Azure RemoteApp (ARA) – https://blogs.technet.microsoft.com/enterprisemobility/2016/08/12/application-remoting-and-the-cloud/ (“…Support existing Azure RemoteApp customers on the service through August 31st, 2017..“) which provides simplicitic beauty of Microsoft Azure RemoteApp now with the “Secure by Design” enterprise security methodology, platform scalability with FMA in 7.x and HDX virtual app delivery protocol capabilities & power of Citrix XenApp.
ARA brought Remote Desktop Services (RDS) capabiltiies from a multi private cloud deployments on Windows Server to Azure with non-persistent RDS/RDP sessions delivered from the Microsoft Azure Cloud only! The XA Essentials Service is only available from Microsoft Azure Marketplace hosted on Azure and only supports the delivery of Windows apps delivery from Windows Server 2012 R2, 2016 prepared Templates or Bring Your Own Templates (BYOT) uploaded. Citrix has prepared a full FAQ available at – https://www.citrix.com/global-partners/microsoft/resources/xenapp-essentials-faq.html
Overviews & Demonstrations
Introducing XenApp Essentials Service is a demonstration of the Service by Citrix.
Extend the Microsoft RDS platform in Azure through Citrix solutions was a presentation at Microsoft Ignite 2016.
High Level Getting Started, System Requirements & Pre-requistes
1. You’ll need an Azure subscription with a resource group defined with a virtual network.
2. Define your preferred Azure region which you can ref from – https://azure.microsoft.com/en-gb/regions/.
3. Decide on your AD stratergy which can be Active Directory sat in the Azure resource location using a min A3 Standard VM instance for AD or you can utilise “Azure Active Directory Domain Services” and eDocs suggested that you review – https://docs.microsoft.com/en-us/azure/active-directory-domain-services/#main prior to implementing AAD for the XA Essentials Services vs. traditional AD.
4. Define your preferred OS strategy for the service which currently supports server OSes for Windows Server 2012 R2 or 2016 and you’ll need to define master image stratergy e.g BYO image or a Citrix prepared image for the service! Notes: “(a)BYO with your own Server OS template including apps + licenses for those apps or choose Citrix prepared templates with Apps. (b)RDS CALS w/SA to Azure or purchase RDS SALs.”
5. Customer owned Azure Subscription as is responsible for per monthly IaaS consumption costs e.g compute, network, bandwidth & storage
6. Only MCS based provisioning is support for public (Iaas) clouds and for this Service hosted by Microsoft Azure.
7. Subscribe to XenApp Essentials Service through Azure Marketplace at – https://azuremarketplace.microsoft.com/en-us/marketplace/apps/Citrix.XenAppEssentials?tab=Overview.
8. Connect your Azure subscription to Control Plane operated by Citrix Cloud. Citrix Cloud controls customer Azure subscription via Citrix Cloud Connectors to provide capabilities to manage, provision and monitor your XenApp servers which will deliver your HDX virtual apps
1. Before you begin you will requires a subscription to XenApp Essentials Service from
2. Azure Marketplace + Server Images + RDS CALS w/SA
3. Create app collection similar to ARA
4. Create a name
5. Domain Joined (Popular) or Non-Domain Joined (TBC)
6. Link Azure subscription to XAE and select Resource Group, Virtual Networks & Subnet
7. Enter in Domain details which include Domain name, OU, Srv acct + passed
8. Select template image Citrix provided or your OWN
9. Select capacity and mange costs by selecting instance type and power settings scheme (saver logoff after 10min; standard after 1hr; performance after 4hrs or always on i.e do not perform any power mgmt
10. Enter in # of users concurrent and you’ll receive an estimate cost calculator prior to provisioning to understand the costs based on 40hr usage per month
Summary and the deploy
11. Time access is short as CC will provision your instances in your subscription
12. Select app collection click Apps tab then select apps to publish
13. Select users tab and search domain by user or group
14. Return to Manage home and you’ll see that your app collection is now ready with a green tick
15. Select app collection and you’ll see the StoreFront URL to send to users
16. Users login with domain\user + passed
17. Users are now able to launch there HDX virtual apps secured by there organisations Cloud-hosted StoreFront FQDN which provides secure remote access via the NetScaler Gateway Service also review caveats re bandwidth through-puts below.
1. Live.com accounts cannot be used for authenticaiton
2. Users cannot launch and app if an existing RDS session is present on the XA VDA worker.
3. Machine catalogue failures may occur if deploying a VM instance size in a region that does not support that instance type any more.
4. A premium storage account is not supported see “Prepare Your Azure Subscription”
5. Each end-user is limited to 1-GB outbound data transfer per month but you can increase the limit via by acquiring a 25 GB add-on via the Azure Marketplace see “StoreFront and NetScaler Gateway in XenApp Essentials Service”
6. See eDocs for more…
The following content is a brief and unofficial prerequisites guide to better understand Citrix Cloud, Connector technology and the overall architecture required to setup, configure and test delivering virtual apps and desktops powered by XenApp & XenDesktop Service prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.
HIGH-AVAILABILITY – h/a
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
CITRIX CLOUD – cc
INFRASTRUCTURE AS A SERVICE – iaas
CITRIX CLOUD CONNECTOR – connector
The Three Primary Cloud Types (Draft Section)
Firstly i’d like to provide my definition of public, private vs. hybrid cloud and in my personal view things like SaaS, PaaS have naturally been spin out or off from IaaS e.g Public Cloud.
Public Cloud is whereby a ISP provides you with SPLA licensing (OS, Application, Service), compute, storage and network capabilities which in turn enables you to create your very own VM instances running in a virtual datacentre on the ISP’s h/w and example providers may include AWS, Azure, Google Cloud Platform e.t.c
Private Cloud is where you the organisation owns there own OS, Application or Service licenses as well as the physical hardware that allows you to create your own VM instances within your virtual datacentre. In this scenario the h/w is could (a) be purely Colocatied (Colocation) at ISP with or without managed services over and above the Colocation and example providers could include Rackspace, Qubems, Peer1 or (b) your h/w is hosted within your own custom and purpose built data centres facility or comms room dependant upon the organisations size and IT/Technology requirements.
Hybrid Cloud is when public and private clouds are connected securely over a IPSec R/A, L2L or SSL VPN connection.
What is and how Citrix Cloud works
Citrix Cloud is an evergreen, managed control plane from Citrix that provides the traditional Citrix management technologies to delivery e.g Virtual Apps & Desktops as Services thereby reducing overhaul management updates & upgrades. This means that Citrix is responsible for the availability of your Citrix management infrastructure in there Control Plane including ensuring that it is on the latest up to day and production version of e.g XAD to deliver DaaS and or virtual apps. Citrix customers and partners are responsible for what is known as a resource location which is where your apps, network and data resides and can exist in a public, private or hybrid cloud deployment scenario and each resource location is securely connected to the control plane using the Citrix Cloud Connector which initiates an outbound HTTPS connection so your completely in control of your apps, network & data within your resource location(s) at all times.
If I have not technically explained what is and how Citrix Cloud works successfully then please feel free to watch the below embedded YouTUBE video.
Please note that Citrix Workspace Cloud is now know as Citrix Cloud
XenApp and XenDesktop Service – HDX virtual app & desktop delivery from any supported resource location running server/workstation VDA(s) while all the XenApp/XenDesktop mgmt infrastructure (Studio/Director) resides in your tenant/account at https://citrix.cloud.com.
XenMobile Service – Deploy Secure Apps (MAM), MDM to control your organisation devices with no need to deploy the XenMobile v/a even at your resource location all you need is either an IPSeC VPN tunnel or the Connector to enumerate users in AD to be assigned to delivery groups.
ShareFile Service – Follow-me data now controlled within one WebUI.
NetScaler Gateway Service – Provides a simple and easy deployment method to gain external remote access to virtual apps & desktops from your resource location(s) via the Citrix Cloud Connector.
Smart Tools Service previously Lifecycle Management – Design, build, automate, auto check & update your resource locations with Citrix validated blue prints.
Secure Browser Service – Provides a secure remote virtual browser(s) to access web (internal vs. external), SaaS apps from the Citrix Cloud with zero configuration, with only a link to access your published web apps via the HTML5 Receiver.
Citrix Cloud Labs – My personal favourite as this area of Citrix Cloud allows you get to test out some of the latest Citrix Innovations from our Labs team as services e.g AppDNA Express; Citrix Provisioning for Microsoft Office 365; IoT Automation; Citrix Launch for Microsoft Access; XenMobile MDX Service and Session Manager
Connector Architecture & Security
The following diagram depicts the H/A deployment of Citrix Cloud Connector for use with the XenApp and XenDesktop Service from Citrix Cloud. Please note that this is a simple architectural diagram that does not include a NetScaler in resource location so the assumption is that you users will connect to their virtual apps and desktops either from within the actual Resource Location or via the NetScaler Gateway service hosted and managed by Citrix Cloud. My personal preference is to leverage a NetScaler physical or virtual appliance within your resource location as the benefits of a NetScaler far exceed and go above and beyond that of a simple ICA Proxy gateway for XenApp/XenDesktop. Perhaps a follow-up blog article why I presume NetScaler in the resource location from my personal view point only or I may decide to update this blog article.
Citrix Cloud Connector
The following is deep dive overview of Citrix Cloud connector technology for all the services with the exception of the Smart Tools service which leverages its own connector which is used to check your Citrix workloads, scale up/down and or even build or tear down workloads in resource location(s) via blueprints.
Installation & Troubleshooting
You must download and only install the Citrix Cloud Connector for your resource location from “Identity and Access Management” that matched your domain forest, don’t mix and match these! The installation is fairly straight forward and simple as descriobed and outlined at http://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector/installation.html, once the installation completes wait for the connectvity test to pop-up and complete successfully prior to navigating back to Citrix Cloud to validate that the Connector has scuessfully registered with Citrix Cloud+.
You can also perform automated installation leveraging the following command line arguments when installing the Connector “CWCConnector.exe” /q /Customer:Customer /ClientId:ClientId /ClientSecret:ClientSecret /ResourceLocationId:ResourceLocationId /AcceptTermsOfService:true.
You can install hypervisor tools, anti-virus software (Tested as of 26/10/2016++ McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.8) on your VM instances that have the Citrix Cloud Connector technology installed however it is not recommended to install any other software or unnecessary system services nor should you allow any domain users access unless they are a Domain or System administrator of the Citrix environment. In summary treat these Connectors as you would your XAD Controller(Broker).
The installation logs are available at “%LOCALAPPDATA%\Temp\CitrixLogs\CloudServicesSetup” and post the installation its consolidated to the following location “%ProgramData%\Citrix\WorkspaceCloud\InstallLogs“.
Monitoring your Citrix Cloud Services
1. http://status.cloud.com/ is your friend and will provide you with vital up to date information about the Citrix Cloud platform (control plane or SaaS tier) and each of its Services e.g XenApp and XenDesktop Service or Smart Tools.
2. Monitor the following Connector services described below ++
3. The leading best practises is for the Citrix Cloud Connectors to not be offline longer than two weeks as the connectors are regularly updated from Citrix Cloud with the latest updates (Evergreen) which is why each resource location requires at a bare min 2x or a pair of Connectors.
Connectivity & High-Availability
The Citrix Cloud Connector firstly should always be implemented in pairs at a minimum within any resource location and installed onto either Windows Server 2012 R2 or 2016 AD joined VM instances. The connectors are stateless and brokering requests are load-balanced via Citrix Cloud to the connectors within your resource location(s) and if a connector does not respond the queued tasks are redistributed to the remaining connector(s). As the connectors are stateless this also means that they do store any mgmt configuration for Citrix Workloads at the resource location as this is held within the Citrix Cloud by the Service that you are utilising e.g XenApp and XenDesktop Service.
+If you setup a PoC with a single Connector it will probably display as amber for a period of time prior to turning green as you have only configured 1x Connector for your resource location. You can check your Connector status for your resource locations by navigating from https://citrix.cloud.com/ to https://citrix.cloud.com/identity and under “Domains” select your domain forest(s) and expand it and you can review your Connectors name e.g servername.dommain e.g connector1.x1co.eu and its status (red, amber or green).
Logs & Services++ of the Connector
The Connector logs are stored at “C:\ProgramData\Citrix\WorkspaceCloud\Logs or use %ProgramData%\Citrix\WorkspaceCloud\Logs” for verifying ongoing communication and helping with troubleshooting. Once the log(s) size exceeds a certain threshold its deleted BUT Administrators are able to control the log retention size by adjusting the following entry in the Windows registry “HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CloudServices\AgentAdministration\MaximumLogSpaceMegabytes” to meet your organisations logging/auditing requirements.
The following content is a brief and unofficial overview of how-to front your virtual apps & desktops powered by XenApp 7.11 with NetScaler 11.x.n using Microsoft Azure (ARM). The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions, best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.
Why this Blog Article?
I’ve had a lot of cloud 1st strategy conversations with IT Pro’s, Citrix SysAdmins & organisations alike recently so I thought everyone whom is searching for how-to front XenApp with an Azure NetScaler could benefit from this blog post :-). This blog post covers a how-to even with NetScaler in single IP mode to achieving https://FQDN (Image 2) for the gateway vs. https://FQDN:8443 (Image 1) when deploying NetScaler in Azure (ARM).
Deploying NetScaler 11.x.n using Azure Resource Manager (ARM)
1. Login to https://portal.azure.com
2. I presume that you have setup a your network, IAM if not refer to https://azure.microsoft.com/en-gb/get-started/ for getting started how-to from Microsoft.
3. Click on + New in the top left of the ARM web ui and type in NetScaler and select NetScaler VPX Bring Your Own License or for a quick review check out – https://azure.microsoft.com/en-gb/marketplace/partners/citrix/netscalervpx110-6531/.
4. Click Create
5. Enter in a name for your NS virtual appliance e.g ne1nug01 and select the VM disk type
5. Enter in a username and choose auth to be either SSH public key or Password I choose password to access the NS Admin WebUI for simplicity of all readers of this blog.
6. Select your chosen of default Subscription if you have more than one and then select your existing Resource Group where you XenApp 7.11+ environment and XenApp 7.11+ VDA Workers and your mgmt. VM running AD/DNS server resides. Remember I am keeping this simple as it’s intended for PoC’s only!
7. Continue to select your chosen Azure instance for NetScaler I choose DS2_V2 Standard which consists of 2 Cores, 7GB of RAM.
8. Select your storage account, virtual network & subnet e.t.c and high availability set then click Select to continue.
9. Review your purchase of NetScaler and then click Ok to purchase and Azure will begin building your NetScaler VPX in your Azure chosen subscription which will take no more typically than 10 minutes.
Setting up & Licensing your NetScaler on Azure
Firstly be aware that when deploying a NetScaler instance on Azure for virtual apps & desktops you’ll be setting up NetScaler to run in single IP mode (YES!) which means that you’re connecting to internal TRU resources on the NetScalers IP addr (NSIP) but you connect using different ports e.g ICA Proxy on 8443 so lets begin with the setup.
1. Login into your NetScaler using the NS Admin Web UI do not provide a SubnetIP Addr (SNIP) just selectDo It Later and proceed with the initial setup as per normal.
2. Now that you have setup your NetScaler you need to license it so remain logged into and open a new tab in your browser of choice and Google “Citrix Eval Store” or save this link – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700
3. Select under Networking -> NetScaler ADC
4. Next select the following model “VPX” select variation e.g “Platinum 1000” select duration e.g “90 Days”.
5. Complete the onscreen process note that you will require a .Citrix.com account or you need to create an account.
6. Once you receive an e-mail with your key/code head over to at https://www.citrix.com/account/toolbox/manage-licenses/allocate.html or goto and select find and allocate your licenses or look for the licensing button (link) and select it.
7. If your key/code it not visible select “Don’t see your product?” in text in/around the top right-hand side. A pop-up appears now enter in the code provided on e-mail from the Citrix Eval Store e.g “CTX34-XXXXX-XXXXX-XXXXX-XXXXX” and continue.
8. You will need to enter in the Host Id of your NetScaler it can be found once logged in using the NS Admin Web UI “NetScaler -> System -> System Information” then look under the heading “Hardware Information” and you find “Host Id” copy and paste it into the required field and then download the license file.
9. In the NS Admin Web UI click the cog icon top right then select licensing and upload the license and select to reboot the NS to apply the license.
10. Log back in and enable the features that you require e.g right click on the “NetScaler Gateway” and select “enable” e.t.c
Setup Type Choice 8443 Default without an Azure L/B for XenApp using the XenApp/XenDesktop Wizard
Now that you have setup NetScaler within your Azure subscription in your chosen region you’re ready to begin setting up NetScaler to front virtual apps & desktops (Server OS 2012 R2 or 2016) powered by XenApp 7.11+.
Sample Text Based Diagram
Accepts requests from Azure to NSIP on https://8443 (Single IP Mode)
Accepts requests on the Gateway & Call-back FQDN on https://FQDN:8443
Accepts & launches user’s virtual app(s) & desktop(s) as requested
1. Login to your NetScaler VPX click “Settings -> Licensing” now check that License type is Platinum and Model ID 1000
2. Select the XenApp/XenDesktop wizard and review the prerequisites carefully prior to continuing BUT in summary you’ll need an SSL Cert, LDAP service account + details, XenApp 7.11+ environment with StoreFront.
3. Enter in the static IP addr assigned by Azure or OTHER METHOD of your NetScaler VPX YES that’s right!
4. IMPORTANT STEP: Change the default port of 443 to 8443 on the Gateway IP addr
5. Set Up the rest of the XAD wizard as normal
6. IMPORTANT STEP: Setup StoreFront to allow remote access however the configured default gateway and Call-back FQDN addresses MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu
7. Setup external DNS entries e.g go.x1co.eu to point to your NetScalers static IP addr found in the Azure ARM Web UI and once you have verified it is functioning correctly using a shell (IPCONFIG /FLUSH after settin-up the DNS entries waiting 10-15 min depednant upon your ISP) the open up an internet browser and type in e.g https://go.x1co.eu:8443 and dont forget the :8443 at the end of the FQDN.
8. Attempt to login either using sAMAccountName e.g username or userPrincipalname e.g email@example.com and then you should be able to successfully login and launch your virtual apps & desktop as per the below image.
Setup Type 443 for XenApp using an Azure Load-Balancer & the NetScaler XenApp/XenDesktop Wizard
Sample Text Based Diagram
https received request and forwarded to NetScaler on https://FQDN:8443
Accepts requests from Azure L/B on https://FQDN fwd to NSIP on https://8443 (Single IP Mode)
Accepts requests on the Gateway from HTTPS://FQDN but the Call-back FQDN is on https://FQDN:8443
Accepts & launches user’s virtual app(s) & desktop(s) as requested
1. If you are choosing this option as your preferred lets hope then complete steps 1-5 and also step 7 to save you time!
2. IMPORTANT STEP: Setup StoreFront to allow remote access however the configured default gateway MUST BE e.g https://go.x1co.eu NOTICE NO :8433 YES not :8443 here. Now on the call-back FQDN addresses YOU MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu otherwise fronting NS with an Azure L/B to acheive HTTPS://FQDN for the XAD Gateway (ICA Proxy) will NOT WORK!!!!
3. Now switch to the Azure ARM Web UI. You should probably read the following useful resources – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-overview/ and for PowerShell creation check out – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-get-started-internet-arm-ps/ for any Citrix consultants out there.
4. Azure Load-balancer and click on the “+” at the top and provide a “Name” and for the type choose “Pubic” and select your Azure “Subscription” “Existing Resource Group” and its location (Same as NetScaler deployed instance) then click “Create”
5. Now it will list the available public IP addr just select the “+”
6. Enter in a name and choose your assignment choice “Dynamic” vs. “Static” and click OK.
7. Azure will then provision your Azure L/B (Wait….Maybe coffee or tea break?)
8. Once created select your Azure L/B
9. Select “Backend Pools” enter in a name then choose your availability set and then your VM’s or VM e.g NetScaler. Azure will then provision your Azure L/B with a backend pool (Wait….)
10. Select “Frontend IP Pool” click “+” enter in a name then choose your IP addr e.g NetScaler VM and then enter in a name (all names should differ makes identification easier so a good naming convention helps 🙂 now) and choose your assignment choice “Dynamic” vs. “Static” and click OK (Updating….)
11. IMPORTANT STEP: Select “Inbound NAT Rules” select the resource from your Frontend IP Pool list from the previous point (10). Select the service “HTTPS” and port to be 443 then select the target “NetScaler VM” and then vErY iMpOrtAnt select under “Port Mapping -> Custom” and in the “Target Port enter in 8443” and click save. (Wait…)
12: Now navigate to https://FQDN and attempt to login either using either sAMAccountName e.g username or userPrincipalname e.g firstname.lastname@example.org and thereafter you should be able to successfully launch your virtual apps & desktop published by XenApp 7.11+. The below image represents the end goal when fronting an Azure NetScaler in Single IP Mode with an Azure Load-Balancer as per the below image.