Category Archives: AWS

Azure AD SAML Sign-in with Virtual Smartcard to Citrix Virtual Apps & Desktops

Consider this an evergreen post as of 10/06/2020

Introduction
The purpose of this blog post to aim for a consistent modern authentication experience for employees when consuming Citrix Virtual Apps & Desktops (CVAD) + CVAD Service regardless of where the (CVAD) workloads are running, either in *Azure, *AWS, *GCP or *On-Premises. The primary priority is that the employees identity is owned and managed by a cloud identity platform e.g Azure Active Directory (AAD) and the employees identity within each resource location* for CVAD usage maps to AD shadow accounts. These AD shadow accounts represent the employee as a UPN e.g human.name@domain, with a RANDOM long complex password that the employee doesn’t need to ever know and all IT is required to do beyond creating a AD shadow account is then assign the right vs. relevant security privileges and access to CVAD including Policies meeting local, geo of industry compliance and governance while maintaining a great employee experience.

The second priority is that the employees device can frictionlessly access CVAD resources using either a Forward Proxy, SD-WAN Overlay Network or ICA Proxy. I do recognise that many organisations are still required to make use of a VPN style strategy at the current moment and therefore this solution can also work for those devices as well repurposing the existing Citrix Gateway to also support a Full VPN beyond ICA Proxy or you can use other well established and trusted VPN solution providers.

Leveraging a Bring Your Own “either Enterprise vs. Personal” Identity (ByoI) is a concept I ponded way back in 2017 and now feels like the right time to pick that up concept again during the current Workplace transformation happening all around the world due to world wide COVID-19 pandemic. Using a ByoI strategy as high level vision you can efficiently deploy CVAD to any *Azure, *AWS, *GCP region or *On-Premises with less friction and you don’t need to be worry about “Password Syncing” just replicate the employee’s UPN + AD Security Privileges + CVAD Access & Policies where its required. It has the added benefit if you want do mix and match public cloud workloads to avoid lock-in amongst other topics, you’ll be providing a common and consistent login interface + experience irrespective of where the workload is sat.

It another brilliant benefit is the on-boarding of 3rd Parties (3P’s) using ByoI concept with a business check at the edge, the 3P brings there owned Identity and in the current world we live in I don’t think that is bad thing it could even strength that employees individual security as there identity will be bound to a smartphone which knows more about your individuals habits and you that you know yourself. If we can unlock a co-shared responsibility identity model between the individual + organisation we can truly aim for a passwordless workspace that only uses virtual smartcards or tokens.

Finally the on-boarding of M&A employees can be faster as you can generate them a few days after commercial signing with a new brand identity that resides in Azure AD (or Google, OKTA e.t.c) whilst they continue accessing existing workplace apps + data with current AD credentials, IT + HR + Business can choose when to layer in the “NEW” Workspace Platform for Work from group perspective into the existing Workspace with less friction and complexity. Yes this final topic is complex when we think about merging different Business IT and IT Systems together, a CVAD strategy with FAS bridges the GAP reducing friction and complexity for IT to sun rise a new Workspace stack for that newly acquired organisation while sunsetting the exciting Workspace stack and those new M&A employees get to on-board beyond the Workspace into there new organisations people, its culture, vision and values and avoids the IP drain that often can easily happen.

The Employee Experience

High Level Architecture
The scenario below depicts accessing a StoreFront server on any device type from within the Workplace fabric in any office locally or world wide or from a IT managed device that makes use of a Full VPN, Forward Proxy technology; WFH Citrix SD-WAN appliance where traffic passes over an SD-WAN overlay network; Citrix Endpoint Management enrolled smart device with per-app mVPN configured and finally irrespective of the devices management status you can use ICA Proxy* to access CVAD resources anywhere over the internet inclusive of any home via a Citrix ADC (formerly NetScaler) using the Gateway functionality which is “VPN-Less*”.

Systems Requirements & Pre-requisites
1. A UAT or Test CVAD 1912 LTSR Site that already setup. My personal one runs in AWS EC2 as it retains hosting connections or public clouds to preform MCS provisioning of machines from customer own and managed control plane. You can also use the Citrix Virtual Apps & Desktops (CVAD) Service or sign-up at https://citrix.cloud.com/ and engage your local Citrix representatives to get a trial setup for the CVAD Service.
2. Deploy a new VM which will run the following Citrix 1912 LTRS StoreFront and Federated Authentication Service (FAS) roles to create a new “Store” on StoreFront called “AAD” which will be configured to accept the Azure AD SAML token which will then convert the AAD SAML tokens into a Citrix virtual smartcard to SSO the employee onto CVAD resources.
3. Install StoreFront – https://docs.citrix.com/en-us/storefront/1912-ltsr/install-standard.html after reading the system requirements – https://docs.citrix.com/en-us/storefront/1912-ltsr/system-requirements.html.
4. Setup and Configure FAS Role on your StoreFront Server – https://docs.citrix.com/en-us/federated-authentication-service/1912/install-configure.html after reading the system requirements carefully – https://docs.citrix.com/en-us/federated-authentication-service/1912/system-requirements.html, this part shouldn’t be a problem e.g leaning on on Security teams whom control the Enterprise CA Admins as you’ll hopefully be using a proper UAT or Test CVAD environment with all the Microsoft management servers and roles including an Enterprise CA which FAS requires and access to AD introduce new GPO’s.
5. An Azure AD “personal or business test” tenant.

Deployment Guide

Azure AD Setup & Configuration – Personal Home Lab Edition
If you have a separate Azure AD tenant in Azure you can proceed to the next section, however if you are an IT Pro that wants to test out how to convert Azure AD SAML logins to Citrix virtual smartcards for CVAD the following the below guidance below for setting up a personal ADD tenant with a personal Azure account for your home lab. WARNING I am not an Azure AD nor on-premises AD expert, therefor follow the leading practises found in Microsofts documentation for Azure AD.

1. Navigate to https://portal.azure.com and sign-in with your live vs. personal Microsoft account. Select “Create a resource”.
2. Select “Identity” then select “Azure Active Directory”.
3. Enter in an “Organisation Name, Initial domain name and select your Country or region”.
4. The wizard will begin creating your AAD tenant .
5. Once it completes click the hyperlink within “Click here to manage your new directory”.
6. At the Overview page of your new AAD tenant select “Users” under “Manage” section.
7. Select “+ New user” under the “All Users (Preview)” Overview you’ll notice your personal email addr.
8. You’ll notice when creating a new employee account for your AAD tenant that you can only append domain.onmicrosoft.com to the username, I’ll explain how-to convert that to user@domain and remove the UPN requirement of user@doamin.onmicrosoft.com in the next few steps. For now fill the following fields “User name”; “Name”; “First name”; “Last name”; “Password” (choose or auto-generate) and the select “Create” keeping the defaults as they are.
9. Your new AAD employee is successful created, you can assign roles. NOTE for my personal testing purposes I didn’t configure anything as I’ll delete that test employee AAD account after my testing.
10. At this point I’m not going to deploy nor setup the “Azure AD Connect” in my Citrix Cloud Resource Location as I want the employees primary identity to always reside in Azure AD as the single source of truth, and then bring that identity to my Citrix Cloud Resource Location e.g Bring your own Identity (ByoI) and after a successful AAD SAML login map that to a hardened AD Shadow account with long complex password that the employee will never know and all I need to do it assign the AD security privilege and access for CVAD resources. This approach means that employee will NEVER enter in a AD password within a Citrix Cloud Resource Location that is configured for AAD (or Google, OKTA e.t.c) when using CVAD 1912 LTSR StoreFront and the Federated Authentication Service (FAS) in a Resource Location(s). For complex environments yes you’ll likely deploy the “Azure AD Connect” software as a role somewhere to replicate the employees but you don’t need to replicate there passwd or you can provision the employee twice once in AAD as in the example above and then again manually in AD in the Resource Location as there corresponding AD shadow account which matches the UPN from AAD when authenticating using SAML to StoreFront, the choice is yours but I found for testing purposes a manual in each is far less frictionless.

On-Premises Active Directory (AD) within your Resource Location
1.Create a new AD “Shadow” account that matches the “User Principal Name (UPN)” in AAD e.g user@domain, generate a random long complex password which they don’t need know and then assign or inherit the right vs. relevant AD security groups, GPOs that you would usually assign to a CVAD consumer.
2. On-board your domain into Azure AD which required verifying it with a MX record to avoid using user@domain.onmicrosoft.com so that you can use user@domain keeping it simple and less complex.

Installation and Configuring the Federated Authentication Service (FAS)
1. On the new VM that you just installed 1912 LTSR StoreFront role onto from the existing mounted ISO run the autorun splash screen and select “Federated Authentication Service”.
2.Read the EULA which you’ll need to “Accept the Licenses Agreement” to continue.
3. Accept the defaults and select “Next” on the “Core Components” page.
4. Accept the defaults and select “Next” on the “Firewall” page.
5. Once the installer is finished select “Finish” to close.
6. Open a PowerShell window in Admin mode then copy & paste the following code below, which will enable a trust between the CVAD Controller and the StoreFront server, minimise this window you’ll require it later.

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

7. Navigate to the following path “C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions\” on the current StoreFront server that you installed FAS role onto, copy the following two files “CitrixFederatedAuthenticationService.admx” and “CitrixBase.admx” the entire folder “en-US” to a network share which will need to be accessible from your Windows Domain Controller or WDC.
8. Connect to your Windows Domain Controller (WDC) via RDS from the current StoreFront + FAS server and copy the two *.admx FAS files including folder “en-US” from your network share to the following path on the “C:\Windows\PolicyDefinitions” on your WDC.
9. Open an “MMC” console and load the “Group Policy Management Editor” snap-in, at the prompt for a Group Policy Object, select “Browse and then select ”Default Domain Policy”.
10. In the MMC console navigate to “Default Domain Policy [server name] > Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication” and you should see the following three policies available “Federated Authentication Service”, “StoreFront FAS Rule” and “In-session Certificates”.
11. Select and open the “Federated Authentication Service” policy, next select to “Enable” it followed by selecting the “Show” button parallel to “DNS Addresses” label and enter in the FQDN e.g. “server.domain” of your StoreFront + FAS server and then select “OK” and then select “OK” to save the policy configuration and enabling FAS.
12. Next select and open “In-session Certificates” and select “Enabled” and in the “Consent timeout (seconds):” field type in a value of “30” which is the default.
13. Next close the MMC console and open up the existing PowerShell (Admin mode) and copy and paste the following code to force a Group Policy Update. 

gpupdate /force

14. Minimise the RDS connection from your WDC so that you are back on your StoreFront + FAS server. Search and open up Citrix FAS in Admin mode, if you don’t you will be notified in the UI and then select “run this program as administrator” which will reload the FAS UI in Admin mode.
15. Select to “Deploy” for “Deploy certificate templates”.
16. Select “Ok” on the pop-up window that appears.
17. You’ve now successfully deployed the certificate templates, now select “Publish” for “Set up a certificate authority”.
18. Select the right Enterprise Certificate Authority (CA) from the available list and select “Ok”.
19. You’ve now deployed the certificate templates successfully to your Enterprise CA, now select “Authorize” for “Authorize this service”.
20. Select the right Enterprise Certificate Authority (CA) from the available list (same as above) and select “Ok”.
21. The FAS UI will display a spinning icon as the authorisation request is pending on the Enterprise CA server. 
22. Connect to your Enterprise CA via RDS and the “Microsoft Certification Authority” MMC Console and navigate to “CA > CA Server > Pending Requests” you’ll see pending certificate right click it select “All Tasks > Issue” and the certificate will be issued. 
23. Verify the issues certificates are issued by selecting “Issued Certificates” and verify you can see two issues certificated that begin with “Citrix_RegistrationAu…”.
24. Minimise your RDS session to your Enterprise CA and return to the StoreFront + FAS server, you now notice the “Authorize this service” says “Reauthorize” which is correct as the FAS service is now authorised with the Enterprise CA. Next select “Create” for “Create a rule”, which launch a new window.
25. Accept the default “Create the default rule (recommended)” and select “Next”.
26. Accept the default “Citrix_SmartcardLogon (recommended)” and select “Next”.
27. Select the previously selected and configured Enterprise CA you Authorised and select “Next”.
28. Select “Allow in-session use” and select “Next” if you enabled the following policy “In-session Certificates” earlier.
29. Select “Manage StoreFront access permissions (access is currently denied)” in red text which will open a new window.
30. Remove “Domain Computers” and add the “Server” running the StoreFront + FAS roles and under “Permissions” to “Allow” then select “Apply” and “Ok”.
31. The screen will update with “Manage StoreFront access permissions” to now be in blue text, now select “Next”.
32. Select “Manage user access permissions (all users are currently allowed)” in red text which will open a new window.
33. You can change to default “Domain Users” to your own test AD security group, then under “Permissions” to “Allow” then select “Apply” and “Ok”.
34. The screen will update with “Manage user permissions (all users are currently allowed)” to now be blue text, now select “Manage VDA permissions (all VDAs are currently allowed)” which is in red text.
35. You can change to default “Domain Computers” to your own test AD security group that your Citrix Virtual Delivery Agents (VDA) are found within, then under “Permissions” to “Allow” then select “Apply” and “Ok”.
36. The screen will update with “Manage VDA permissions (all VDAs are currently allowed)” to now in blue text, now select “Next”.
37. Now select “Create” and a “Default” FAS rule.
38. You have now successfully setup and configured Citrix FAS, you still need to enable FAS Claims for your “AAD” store on StoreFront which is covered later in this blog post.

Creating a new Store call “AAD” for Azure AD SAML Authentication in StoreFront
1. Open Studio and select “StoreFront” then select “Stores” and the on the “Actions tab” select “Create Store”.
2. On the splash screen select “Next“.
3. Type in “AAD” for the “Store Name” field and click “Next”.
4. Select “Add” list a CVAD controller, a new window will appear where you need provide the following information a “Display Name” e.g Citrix Cloud Connectors vs. CVAD 1912 LTSR, for the “Type” select “Citrix Virtual Apps and Desktops” and under “Servers” list select “Add” and type in the Citrix Cloud Connector or CVAD 1912 LTSR addresses and choose “Transport type” either HTTP 80 or HTTPS 443 (Preferred) and click “OK”.
5. You are now returned to the “Delivery Controller” page with a list of either Citrix Cloud Connectors or CVAD Controllers 1912 LTSR, click “Next“.
6. Now on the “Configure Authentication Methods” page select “SAML Authentication” and leave “User name and password” checked as YES, then click “Next”.
7. Ignore “Remote Access” configuration and click “Next“. NOTE: I will update this blog post at a later date with the Remote Access via Citrix Gateway formerly NetScaler Gateway.
8. Accept the default’s on the “Configure XenApp Services URL” and click “Create”.
9. StoreFront will begin creating your new “AAD” Store on your StoreFront server, once the wizard completes select “Test Site” to verify you can see a webpage that displays Citrix Receiver or you can navigate to “https://FQDN/Citrix/AADWeb/” replacing the FQDN with your own to verify the webpage is available.

Generating AAD SAML Configuration for StoreFront
1. In the Azure AD UI in the Azure Portal select “Enterprise applications” node.
2. When the UI updates in the centre select “Select “New application”.
3. You are taken to the “Add an Application” wizard and presented with three options select “Non-gallery application“.
4. Next provide a name for your own application e.g AAD-SAML-CVAD1912LTSR and then click “Add” at the bottom.
5. The AAD wizard completes and you are taken to the “Overview” page for “AAD-SAML-CVAD1912LTSR“, now select “Users and groups” from within this view.
6. Add an native AAD user(s). Note do not add any employee that does not have a AD shadow account setup and configured in the Citrix Cloud Resource Location (RL).
7. Now from the same “Overview” page for “AAD-SAML-CVAD1912LTSR” select “Single Sign-on” and on the “Select a single sign-on method” wizard select “SAML” and will start the AAS SAML wizard.
8. Select the pencil icon for “Basic SAML Configuration” to configure the following fields as follows below and select “Add“.

Identifier (Entity ID): https://FQDN/Citrix/AADAuth
Reply URL (Assertion Consumer Service URL):https://FQDN/Citrix/AADAuth/SamlForms/AssertionConsumerService
Sign on URL: https://FQDN/Citrix/AADWeb

9. Check under “User Attributes & Claims” portion that the “Name” field is configured to “user.userprincipalname”.
10. Scroll to “SAML Signing Certificate” and click to download the “Federation Metadata XML” e.g. AAD-SAML-CVAD1912LTSR.xml, now save or transfer it to your StoreFront server at C:\Temp.

Create and Configure a Azure AD SAML Trust in StoreFront
1. If you have transferred the *.xml file e.g “AAD-SAML-CVAD1912LTSR.xml“, then on your StoreFront server create a folder called “Temp” on “C:\” and transfer the downloaded *.xml file.
2.Open PowerShell in admin mode or launch it from Studio 1912 LTSR. Copy & paste the following code below, however if opening the PowerShell with Admin privileges without Studio 1912 LTSR then copy & paste this cmdlet first before proceeding with the configuration & “$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1“. You will notice the virtual path for the Store is already set here to AAD so you can copy and paste it as is. This code sets up and configures SAML for the ADD Store.

$storeVirtualPath = “/Citrix/AAD” 
$auth = Get-STFAuthenticationService -Store (Get-STFStoreService -VirtualPath $storeVirtualPath) 
$spId = $auth.AuthenticationSettings[“samlForms”].SamlSettings.ServiceProvider.Uri.AbsoluteUri 
$acs = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlForms/AssertionConsumerService”) 
$md = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlForms/ServiceProvider/Metadata”) 
$samlTest = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlTest”) 
Write-Host “SAML Service Provider information: 
Service Provider ID: $spId 
Assertion Consumer Service: $acs 
Metadata: $md 
Test Page: $samlTest “
 

3. Next copy and paste the following code which will ingest SAML configuration from the Azure AD *.xml that you downloaded earlier and copied to C:\Temp on the StoreFront server.

Get-Module “Citrix.StoreFront*” -ListAvailable | Import-Module
# Remember to change this with the virtual path of your Store.
$StoreVirtualPath = “/Citrix/AAD”
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Update-STFSamlIdPFromMetadata -AuthenticationService $auth -FilePath “C:\Temp\AAD-SAML-CVAD1912LTSR.xml”


4. Validate there are not error(s) on screen that need resolving.
5. Minimise your PowerShell window you’ll need it again shortly, now open up Studio or StoreFront MMC console and navigate to the “Stores” and select “AAD” and select “Manage Authentication Methods“.
6. Select the cog icon parallel to “SAML Authentication” and then select “Identity Provider” you should see that your AAD SAML configuration is setup and configured, leave it as is DO NOT TOUCH it!
7. Close all windows including Studio or StoreFront.

Enabling FAS for Converting Azure AD SAML Tokens to Virtual Smartcards
1.Open up your existing PowerShell window and copy and paste the following code below, which will ENABLE FAS for your ADD Store to convert AAD SAML tokens received into virtual smartcard that will be used to SSO the employee onto his/her Citrix virtual app and or desktop. You’ll notice the code is configured for the “AAD” Store so you can copy and paste as is.

Get-Module “Citrix.StoreFront.*” -ListAvailable | Import-Module
$StoreVirtualPath = “/Citrix/AAD”
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName “FASClaimsFactory”
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider “FASLogonDataProvider”


2. Validate there are not error(s) on screen that need resolving, if there are none you can nose close the PowerShell window.

Testing your Azure AD SAML to Virtual Smartcard Login
1. Navigate to https://FQDN/Citrix/AADWeb which will redirect you to a AAD login.
2. Enter in your UPN e.g user@domain and then complete the required 2FA vs. MFA requirements setup by your organisation as requirement onscreen.
3. You will be returned to https://FQDN/Citrix/AADWeb and SSOed onto UI, depending on your setting your desktop will either auto launch of you’ll have to manually launch it yourself. The initial login will take slightly longer than usual as its generating you that initial virtual smartcard between StoreFront, FAS, AD and your Enterprise CA.
4. Your Citrix vDesktop or vApp should launch successfully and SSO the on without prompting for any credentials.

Troubleshooting
1.If you receive ANY error once returned to https://FQDN/Citrix/AADWeb post the AAD SAML login open a new browser tab in the same session and copy and paste the following URL https://FQDN/Citrix/StoreAuth/SamlTest to see if you have any oblivious errors e.g user@domain.onmicrosoft.com from Azure AD which doesn’t map to the AD Shadow account that is user@domain so its a UPN mismatch and the sign-on will continue to fail.
2. If the employee can sign on to https://FQDN/Citrix/AADWeb and the Citrix vApp or vDesktop launches but they see a credential prompt with “Other User” check and see that you configured FAS for the correct Store with SAML Authentication setup and configured if not using my example of “AAD” as the Store setup and configured on StoreFront.

ICA Proxy Remote Access with Azure AD SAML
Coming…

Final Thoughts on Bring your own Identity (ByoI) Strengthening Security through Co-Shared Responsibility
Coming…

The views expressed here are my own and do not necessarily reflect the views of Citrix.


Get Smart with Citrix AutoScale & Power Capacity Management during COVID-19

I’ve noticed a number of folks asking what do as my existing Citrix AutoScale + Power and Capacity Management policies aren’t powering on my public cloud workloads any more, especially when they need it most!? What is happening? Firstly “this is not a Citrix issue” it’s a public cloud capacity issue in all the major players by selective “POPULAR” instance types for commonly used workloads like delivering virtual apps & desktops and its affecting by indvidiual regions e.g UK and not the whole public cloud providers capacity world wide to be clear and transparent.

If you make use of Citrix AutoScale and Power Capacity Management for mission critical CVAD workloads for better P&L management vs. capacity peaks then please DISABLE IT for those Delivery Groups (DG) within the CVAD Service temporarily to maintain business operations and internal SLA’s for service delivery of CVAD workloads to employees WFH during CVOD-19. Disabling AutoScale is strategically very important during these current times, it enforces that identified mission critical workloads by Delivery Group are always on-demand 24/7 to meet operational business demands. Its important to highlight this applies to any vendors and even in-house vs. community built power and capacity management tooling platforms should also be DISABLED for all business mission critical workloads so that daily business operations are not impacted.

Why do organisations use Citrix AutoScale and Power Capacity Management?
Its for a couple of scenarios, usecases which I will collectively sum up as follows below:

1. Save money not running VM instances in public clouds 24/7 when they aren’t required, therefore saving you a substantial amount of money when looking to better manage your P&L.
2. Your employees typically work 21 business days within a month (30 days) the rest is made up of time off e.g weekends, so why keep all that capacity powered on and consuming more money unnecessarily including carbon emissions. On that note how many of you leave your data centres fully powered on or even home labs when you they aren’t required? Our world needs us to make smarter and better decisions to lets act and save our world for our future unborn grand children.
3. Support spikes/peaks in virtual app & desktop consumption with a capacity buffer.

You can learn more about Citrix AutoScale at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/autoscale.html#three-types-of-autoscale-user-interfaces included the supported CVAD use cases “Autoscale user interface for Multi-User OS e.g CVA Delivery Groups“, “Single-User OS e.g CVD pooled vs. static VDI Delivery Groups“. 31/03/2020 I noticed that Citrix TechZone published a technical document on the same date as this article and I think you’ll find if very useful and insightful as its very technical eDocument – https://docs.citrix.com/en-us/tech-zone/learn/tech-briefs/autoscale.html.

Why your should DISABLE it!
COVID-19 is a world wide pandemic and hopefully a once in life time vs. century event. The number of employees now Working from Home (WFH) world wide is incredible, it’s placed a macro burden on many consumer services where some are in a degraded state or have intentionally degraded themselves to free up more bandwidth capacity over the internet in Europe for example Netflix – https://www.bbc.co.uk/news/technology-51968302. Its equally true for IT business services e.g virtual meetings and of course public cloud providers whom have run out of capacity for popular VM instance types in Europe, and this is why you want to disable AutoScale so that your mission critical workloads are not stopped + deallocated and then returned the public cloud provider pool where they will be consumed by someone else and keep up 24/7, other organisation’s may have paid upfront to reverse a number of instance types for a period of 30/60/90 days and this is achieved by holding back any/all returned capacity and finally likely redistributed to critical government agencies and department for example in the UK the National Health Service (NHS) to keep health workers productive managing COVID-19 and supporting patients.

Act & Think of Others
Please be responsible and make sustainable choices and only keep mission critical workloads on-demand 24/7 that are essential to daily business operations. Finally a personal ask if you are an IT Professional who’s home lab partially runs in a public cloud as its extended from on-premises please be respectful, mindful and aware that if your region is experiencing capacity issues PLEASE turn off and deallocate those VM instances types so that capacity can be returned to the public cloud pool during working days of the week to support businesses whom need it vs. government agencies and or health departments supporting people in-need of help and support medical and or otherwise.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Deploy XenApp 7.x in AWS EC2 with PoC Leading Best Practises (Draft)

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops from AWS EC2 – https://aws.amazon.com powered by XenApp & XenDesktop 7.13+ & 7.15 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Minor updates include links 7.15 LTSR and not just 7.13 as of 30/12/2018

Shortened Names
LOCAL HOST CACHE – lhc
XENAPP – xa
WINDOWS – win
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hex
VIRTUAL APPS – va
VIRTUAL DESKTOP – vd
SERVER – srv
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
DATA TRANSPORT LAYER – eat
FIREWALL – f/w
ACCESS CONTROL LISTS – all
INFRASTRUCTURE AS A SERVICE – iaas
IDENTITY & ACCESS MANAGEMENT – aim

Reader Notice: This blog post is NOT completely finished and some parts are in draft format! I will continue to update it through-out April/May 2017!

Sample Virtual Desktop from AWS powered by XenApp 7.x
In this example my VPC is in N.Virgina, USA hosting my Citrix XenApp 7.x workloads which are been delivered to me transatlantic to London, England thanks to the HDX.


Link to my original Tweet from 29/04/2016 at – https://twitter.com/lyndonjonmartin/status/726122016621891584 close to the delivery of a UKI Citrix partner enablement workshop on delivering XenApp 7.x PoC from AWS.

What is AWS EC2?
It’s a division with-in Amazon that sells IaaS to customers for consumption. AWS is incredibly simple in my personal view BUT equally at the very same time it’s also an exceptionally powerful Public (IaaS) Cloud platform! IT departments within organisations of all shapes and sizes have an equal capability with AWS’s elastic virtual data centre capacity to rapidly design and implement a VPC to setup, configure and deploy workspace workloads of their choice within a few hours or days dependant upon there IT’s dept’s delivery & execution skillsets. Typing into Google.co.uk “AWS first year” reveals AWS’s first year was 2006 thats now over a decade’s worth of experience, maturity and continued on-going development and innovation. Check out – https://en.wikipedia.org/wiki/Amazon_Web_Services#History or brief history lesson.

Concepts of AWS
Most of what I’ve described below is available on the AWS “Getting Started” web page at – http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/GetStarted.html so be sure to read through-it.

Virtual Private Cloud (VPC)
Think of this as a virtual datacentre that created onto of AWS IaaS which allows you to create virtual networks (IP addr ranges, subnets e.t.c), deploy VM instances of different sizes for your required workloads and storage accounts to facility your organisations needs and requirements to potential optimise workload delivery, experience or DR scenario’s.

VM Instances Types
AWS provides traditional VM’s that you’d typically assign compute, storage type to on-prem as pre-defined instance types that vary in size and capacity to meet virtually most organisations workspace requirements in AWS. For an up to date list please check out –
https://aws.amazon.com/ec2/instance-types/.

Security Groups
Think of these as your traditional or virtual f/w’s ACL’s BUT now assigned against VM instance(s) within your VPC either individually or in a group, to control what traffic type e.g ports vs. protocol are allowed in/outbound. Check out – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group which also covers the standard “Default Security Groups” within your VPC that you can utilise and modify for your PoC.

*Availability Zones
A logical representation of one or more data centres facilities in a city, state/province/county or even country.

*Regions
Simply put its a Geo area and they are isolated form other regions for H/A. In a Citrix world a simple example could be to think of multiple sites (London, Paris, Oslo all built to N+1) managed using FMA 7.7+ Zones (Primary and Satellite) for H/A for geo area.

* http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

Identity & Access Management (IAM)
This one is quiet important to understand if you want to deploy your PoC with MCS provisioned XA VDA workloads in AWS from a master VM instance like you would traditionally on-prem with XenServer, Hyper-V, Acropolis or vSphere. Setting up IAM enables/allows Studio to communicate with the AWS EC2 cloud hypervisor to provision your VM instances –
http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html from your master VM instance in your VPC(s). If your not interested in deploying MCS workloads then skip learning IAM for now BUT please come back to it as it’s equally important as Security Groups for Pilot, UAT and PROD workloads in AWS with(out) Citrix workloads.

Suggested PoC Architecture
I tweeted the image at – https://twitter.com/lyndonjonmartin/status/854809306629361669 (its not intended to be accurate!) if you want a high resolution copy. Its intended to provide a high level only PoC deployment overview of delivering virtual apps & desktops (server) from AWS EC2 using Citrix XenApp 7.15 fronted by NetScaler Unified Gateway and or you can utilise Citrix Smart Tools – https://www.citrix.com/products/citrix-cloud/services.html to deploy blueprint to stand up a XenApp PoC in AWS.

AWS & Citrix Pre-requisites, System Requirements
The following provides an brief and selective overview of standing up the bare min requirements to delivery Citrix secure workspace workloads from AWS.

0. Amazon Web Services (AWS) (cloud) hypervisor support – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/system-requirements.html#par_anchortitle_8a90 &  https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/system-requirements.html#hosts–virtualization-resources.
1. Sign-up for a AWS EC2 account at – https://console.aws.amazon.com it will redirect you to the default AWS login and sign-up web page. You will need a valid credit card that you own and be sure to read through AWS terms & conditions, UAP e.t.c.
2. Once your have signed-up select a EC2 region i typically utilise N.Virgina as I expense this myself and it also makes for good tests locations of my Citrix workloads when testing out legacy vs. current vs. the latest HDX (3D Pro) technologies & innovations transatlantic from the US too the London, England :-).
3. Now that you’ve chosen or decided upon your region you’ll need to deploy your VPC – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html you can make use of the default AWS VPC configurations which you can easily modify as required to meet the needs of your PoC.
4. Now create a e.g Citrix VAD “Security Group” which acts as a firewall ACL controlling which ports/protocols and traffic by *.* or IP range(s)* e.t.c are permitted in/out bound of your VPC to your VM instance(s) associated to this security group so that the delivery of virtual apps & desktops is possible from VM instances running the Server VDA’s.

Suggested example Traffic flow from the Internet to a Virtual App & Desktop delivered by an EC2 Instance

– Untrusted network or public raw internet
– DMZ or edge of a network, network/vnet or (network) security group depending on your network deployment choice
– Trusted network or private secure network

WWW Internet Gateway Router VPC Availability Zone Security Group Network EC2 Instances

Suggested (Security Group – Mgmt. VM) Port Configuration for RDS access to your mgmt. VM running AD, DNS e.t.c

For this particular security group I’d strongly recommended that when you setup the security group you limit the access to a single IP addr or range that you know and trust RDS access to come from to your mgmt. VM sat in your VPC.

Protocol Port Inbound Outbound Internal VPC
TCP: SSH PuTTY (NS Mgmt. only) 22
TCP: HTTP (Internal Communication) 80
TCP: RDP/RDS 3389 * *

Suggested (Security Group – Citrix VAD) Port Configuration for Citrix Workloads to the World

The following table is actually more about the required TCP/UD Ports and dependant upon your deployment approach e.g with(out) a L2L IPSec VPN tunnel vs. NetScaler Unified Gateway i’ve decided for this section most of it available with the exception of a few which are a no no for external inbound access.

Warning once again caution this table ONLY represents primary PORTS typically required in a PoC and does not imply that you should use this as your ACL for your AWS security groups as you requirements for your particular PoC use case may differ from organisation to organisation! For a complete list of the ports and what they do please ref to http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/technical-overview/default-network-ports.html & https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/technical-overview/default-network-ports.html  .

Protocol Port Inbound Outbound Internal VPC
TCP: HTTPS (TLS) 443 * *
UDP: HTTPS (TLS) 443 * *
TCP: ICA/HDX Thinwire 1494 * *
UDP: ICA/HDX EDT or Framehawk 1494 * *
TCP: Session Reliability 2598 * *
UDP: Session Reliability for EDT only 2598 * *
UDP: HDX RealTime e.g Skype for Business 16500-16509 * *

5. Lunch an NEW single instance from the EC2 dashboard under “Create Instance” this will be your mgmt. VM “wdc01” for the PoC and AWS will guide you through the deployment process (wizard).
6. Select your VM instance type to be deployed in your default or custom VPC and a suggested example instance type to utilise could be a AWS “t2.medium” instance type. You can find a complete list available at – https://aws.amazon.com/ec2/instance-types/.
6. Assign the default storage or increase and you can add another HDD later.
7. Assign the RDS mgmt. security group ensuring that RDS is enabled to connect to your mgmt VM.
8. Allow the VM to provision typically up to 5 minutes (depends on time of day, location of your VPC) then decrypt the passwd
9. Login and utilise this as your mgmt. VM and install the following suggested roles e.g AD, DNS and CA (Optional) as a bare minimum once you’ve assigned it an internal private static IP addr prior to installing and configuring.
10. Check a folder called e.g “Share” on C:\ and enable file sharing to this folder for your domain admin account.
11. Navigate to https://www.citrix.com/downloads/xenapp-and-xendesktop/ and download the latest XenApp/XenDesktop version available which is as of 12/04/2017 7.13 and copy it to the C:\Share to be used later to install XenApp 7.13+ onto your XA worker.
12. Now repeat steps 5 through 9 to deploy another single VM instance which will be your XenApp PoC VM e.g “xad01poc” and assign the following suggested instance type “t2.large’ with the exception of step 7 where you’d assigned the default VPC security group and login via RDS to this VM from your mgmt. VM e.g “wdc01”.
12. Once its ready login to your mgmt. VM “wdc01” and RDS to “xad01poc” provide it with a custom or use the default hostname and AD domain join it.
13. After successfully domain joining it login and create a folder on the C:\ drive called “Temp” on “xad01poc” and copy the *.iso from \\wdc01\Share to it.
14. Right click on the *.iso and “Mount” the media and the autorun should display the splash screen and select “XenApp”.
15. Select to install the “Delivery Controller” checking all the features e.g Studio, Director, Controller, MS SQL Express, StoreFront, License server and all the required ports.
16. You have now setup a mgmt. VM and a XenApp mgmt. VM.
17. Install and bound SSL certificate on “xad01poc” to be able to utilise https to protect username and passed credential handling when accessing RfW.

Understanding Machine Creation Services requirements for AWS
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/manage-deployment/connections.html.

PoC Deployment of Virtual Apps & Desktops
Deployment Option 1 – NO MCS nor NetScaler UG & NOT SUGGESTED!!!
This option to be very clear is typically used to demonstrate the power of HDX from a public cloud e.g AWS and DOES IT WORK? Yes of course! I would strongly recommend that you don’t deploy your PoC with this approach but front it with a NetScaler UG but i’ve included it as I have covered this topic once before and sometime Citrix SysAdmins just want to test to see is it actually at all possible with little to know effort at all before actually deploying a PoC so I hope that this clears up this PoC deployment approach/path is messy and NOT SUPPORTED!!!!

1. Now also assign the Citrix VAD “Security Group” to “xad01poc” VM.
2. Re-mount the *.iso media if required and on the installation splash screen select to install the Server VDA choosing to enable existing connections selecting “Enable Remote PC Access” the VM will restart a few times which will take circa up to 5 minutes while the VDA installs.
3. Once the VDA is installed successfully launch “Studio” and complete creating a Site, machine catalog and delivery group based upon “xad01poc” VM.
4. Modify the SFS default.ica file for your default Store to include a line to utilise your external dynamic static IP addr and check that your Windows f/w rules are correctly configured to allow in/out bound access based upon the Citrix VAD “Security Group” or you can open the downloaded file you receive post login and modify the internal private static IP addr to the “xad01poc” VM’s dynamic public IP addr assigned by AWS and you should be able to launch your virtual app or desktop. Note: You’ll need to do it for each app or virtual desktop and if you modified the default.ica file with dynamic IP each time you stop and deallocate the VM you’ll need to modify the file again unless you utilise a AWS static public IP addr which is chargeable cost per month!
5. Navigate to https://xad01poc-dynamic-public-ip-addr/Citrix/StoreWeb/ with Citrix Receiver install on your Windows, Mac or Linux end-points and login as a domain admin or user and launch a virtual app or desktop that you’ve published.
6. Test the vitual app and our desktops performance by playing YouTube movie trailers here is fav one of mine – https://www.youtube.com/watch?v=sGbxmsDFVnE or download Google Chrome and publish it and access https://p3d.in. You’ll notice I have not mentioned what HDX graphics mode why? It should provide a good UX out of the box with 7.13+.
7. Shutdown and turn off your VM’s within your AWS VPC when finished to save costs. You will be billed for storage on-going e.g GB that you’ve consumed but I have to say its a very low cost per GB.

Deployment Option 2 – No MCS but fronted by NetScaler UG
Coming…

Deployment Option 3 – With MCS Workloads fronted by NetScaler UG
Coming…

Deployment Option 4 – Powered by Citrix Smart Tools (Notice some offers have been deprecated in 2018)
0. What is Smart Tools? Watch https://www.youtube.com/watch?v=RUTL1X_nBSg. I won’t expand on this topic more than what I have below for this particular blog post otherwise its going to get quiet length but I have to say you should explore Smart Tools post testing/deploying an AWS XenApp PoC.
1. Sign-up to Smart Tools Service at https://citrix.cloud.com/.
2. Create an AWS EC2 resource location with the Smart Tools Connector (formerly CLM our Lifecycle Management Connector) – https://manage-docs.citrix.com/hc/en-us/articles/212713903 and also please read – https://manage-docs.citrix.com/hc/en-us/articles/212713923 & https://manage-docs.citrix.com/hc/en-us/articles/212713963-Add-an-Amazon-Web-Services-resource-location.

3. Read the Blueprint available which explains deploying a blueprint to deploy workloads on AWS at – https://manage-docs.citrix.com/hc/en-us/articles/212714483-Deploy-a-blueprint-to-an-Amazon-Web-Services-resource-location which should give you a decent overview.
4. Download or read online the following getting started PoC guide for XenApp on AWS powered by Smart Tools Service (Smart Build using as Blueprint) available at the following URL with step by step instructions and images – https://docs.citrix.com/content/dam/docs/en-us/lifecycle-management/downloads/get-started-lifecycle-management-aws.pdf.

Leading Best Practises
1. Review the content available at – https://www.citrix.com/global-partners/amazon-web-services/xendesktop-on-aws.html
2. The number one AWS resource to check first and foremost is the AWS Well-Architected microsite at AWS EC2 at – https://aws.amazon.com/architecture/well-architected/ to help you get started. You should also understand how IAM in AWS works so be sure to check out –https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html.

Notes from the field
1. The number one leading best practise is “Shutdown and turn off your VM’s within your AWS VPC when finished” to save your own personal costs incurred and or your organisations costs that maybe incurred.
2. You do need a suggusted intermediate knowledge level of AWS EC2 and Citrix in order to deploy virtual apps & desktops CORRECTLY I personally believe to ensure that those testing on your behalf actually are getting the correct HD or balanced experience to ensure a successful PoC. I’ve many misconfigurations in a variety of areas since 2015.
3. Take a look at using Citrix Smart Tools as an enabler to help you with XenApp environment(s) on AWS – https://manage-docs.citrix.com/hc/en-us/articles/213723663-Create-a-XenApp-and-XenDesktop-production-deployment-on-AWS.

Deploying a PoC with the Citrix Workspace Cloud (CWC) Apps & Desktop Service now Citrix Cloud XenApp and XenDesktop Service (Draft)

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops powered by Citrix Workspace Cloud (CWC) – App’s & Desktop Service with a AWS EC2 resource location prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
AMAZON WEB SERVICES – aws
SECURITY GROUPS – sg
ELASTIC COMPUTE CLOUD – ec2
HYBRID CLOUD PROVISIONING – hcp
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
INDEPENDENT COMPUTING ARCHITECTURE – ica
CITRIX WORKSPACE CLOUD CONNECTOR – cwc connector/agent
EXPERIENCE 1st – x1
VIRTUAL DESKTOP – vd
VIRTUAL APPS – va
INFRASTRUCTURE AS A SERVICE – iaas
CITRIX WORKSPACE CLOUD – cwc
CITRIX LIFECYCLE MANAGE

Video Citrix Workspace Cloud: How It Works

PoC Introduction & Overview (This is a Public Draft Blog Article & May Contain Some Errors)
In this particular instance I will be deploying a Citrix Workspace Cloud (CWC) PoC using the Apps & Desktop service which is Citrix online service and is essentially made up of five compoments in my personal view these are people (Users, Consultants & SysAdmins), the Control Plane which is hosted by Citrix and is high available and accessible at – https://workspace.cloud.com/, Resource Locations which could be private, public (IaaS) or hybrid clouds which host and run your actual CItrix workloads e.g servers or desktops OSes with the VDA’s installed and optionally StoreFront and or NetScaler Unified Gateway, Receiver for access to your published virtual apps & desktops and finally the CWC connector which makes everything just work safe & securely.

Please note that I will update this blog post with a how-to re deploying NS for remote access from AWS EC2.

Datasheet for Citrix Workspace Cloud
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/explore-workspace-cloud-take-a-test-drive-or-trial.pdf

What you need
For this PoC I may refer to AWS and XenServer concepts as my home lab is deployed in a Hybrid Cloud model e.g some of my Citrix workloads are in hosted in AWS EC2 (N.Virgina) while others are running on a XenServer 6.5 SP1+ host at my house in London. You don’t have to use AWS like I am for your PoC you could use any IaaS provider e.g Azure, Rackspace, Peer1 or even on-prem with your own host(s) running XenServer, Hyper-V and of course vSphere :-).

1 – CWC trial account entitling you to the CWC Apps & Desktop Service and Identity & Access Management e.g for adding users from your domain and to download the CWC Connector.
2 – Your resource location of choice mine is AWS from here on in through-out this blog article.
3 – 1x Windows Server 2012 R2 I’ll call this VM WDC01 running AD, DNS at a minimum and the Citrix Receiver (http://receiver.citrix.com), CWC Connector downloaded on the desktop (explained later).
4 – 1x Windows Server 2012 R2 domain joined and I’ll call this VM CXA01 with the latest XA 7.8+ Server VDA (https://www.citrix.com/downloads.html which requires a valid Citrix.com customer/partner account with access details ) downloaded.
5 – AWS security groups (on-prem f/w ACL) to allow outbound traffic on TCP 443 (HTTPS) to the Internet, allow HTTPS/ICA/HDX/RDS traffic including HDX RealTime ports for audio and video between all VM’s within your chosen network.
6 – Some suggested test application examples could be Microsoft’s Office 2016 or OpenOffice, Notepad ++, The Gimp, Autodesk Viewer. WaRnInG!!! Disclaimer – Please refer to the ISV’s EULA for terms of usage prior to downloading, installing, configuring and publishing virtual apps to test and play with!.
7 – *Create friendly DNS entries to be used later for WDC01 e.g DNS entry of cwccontroller.axendatacentre.com or your could stick with host name.domainname format it’s your choice. Note: Be sure to setup and configure not just fwd. but also reverse DNS within resolution/look-up!

Setting up your Resource Location
1 – Login as the Domain Admin on WDC01 and navigate to https://workspace.cloud.com and sign in with your trial access details provided by Citrix.
2 – Select from the list on the very TOP left-hand corner Identity & Access Management next click the plus/+ sign and follow the onscreen prompts to download the CWC Connector/agent.
3 – Before installing the CWC Connector/Agent please be sure to read the following documenation – http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud/what-is-a-workspace-cloud-connector-/workspace-cloud-connector-technical-details.html. Once downloaded double click on the CWC Connector/agent and when prompted enter in your CWC trial access details and the installation will complete successfully if the access details provided are correct and if 443 HTTPS is enable outbound to the Internet from WDC01 to https://workspace.cloud.com.
4 – Take a short 1-3 min comfort break then refresh your web page for https://workspace.cloud.com and navigate back to Identity & Access Management and you should see your domain appear within the list, then you may proceed. If you don’t check your firewall ACL’s locally on the Windows server or virtual f/w at the edge of your VPC network and also check your AWS Security Groups are setup correctly to allow in/outbound access on HTTPS/443.

Note: If you turn off WDC01 you’ll receive and error at this page and manage & monitor tabs within the Apps & Desktop Service are NOT accessible until access is restored! Likewise if you only have 1x CWC Connector/agent then you may see an amber warning under domain within Identity & Access Management as you only have 1x CWC Connector/agent and it suggested even for a PoC to install 2x instead of 1x.

5 – Login as a Domain Admin on CXA01 and mount the XA 7.8+ VDA media by right clicking and left clicking on Mount then navigate to Windows Explorer and double click on D drive that has recently mounted with the XA 7.8 installation media and then proceed to select to install the Server VDA from the splash screen or if your downloaded the Server VDA *.exe (suggested & recommended) from Citrix.com then double click to install the VDA. In each case you’ll require 2x reboots as per normal like on-prem installations however now on CXA01 there is one exception at the controller step type in cwccontroller.axendatacente.com* or the hostname.domainname for WDC01 (Point to the CWC Connector/agent that you previously installed) and then continue with installation and once the installation is completed on CXA01, then verify that the VDA has registered and is communicating with WDC01 e.g cwccontroller.axendatacentre.com by reviewing CWC service or the event logs within Computer Management. Tip: Install to enabling remote connections initially to get your head around how the CWC Apps & Desktop Service actually works.
6 – You’ve now successfully completed setting up your XenApp worker for your chosen resource location in my case it’s an AWS EC2 located out of N.Virginia. If your curious about the CWC connector there is a tech overview avaiable at – http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud/what-is-a-workspace-cloud-connector-/workspace-cloud-connector-technical-details.html be sure to review it.
7 – Now we need to continue with creating a machine catalog, delivery group in the hosted Studio and obviously publishing your virtual apps & desktop (server based).

Create a Machine Catalogue and Delivery Groups to publish Virtual apps & desktops
1 – Now go back to the homepage at https://workspace.cloud.com and to the right of the Apps & Desktop Service click “Manage” to launch the management interface which provides you with an Overview page (Scroll to the bottom to find out your cloud hosted StoreFront address. Tip: If you get an red bar with an error message check that your CWC Connector/agent at your resource location is up and available and showing as green for your domain at the Identity & Access Management tab!.
2 – Scroll to bottom of the overview web page to find out exactly what your cloud hosted StoreFront addr is. It should follow the following format https://{TENANT NAME}.xendesktop.net/Citrix/StoreWeb/. Right click on it to open a new tab and to remain at https://apps.cloud.com/. You should be able to login using your test AD security group. Tip: You won’t see any published virtual apps or desktops currently as you have not created a machine catalogue or delivery group.
3 – Go back to the Manage Apps & Desktops Service web page and click Manage or Monitor this will embed a custom, hardened published app version of Studio or Director using the HTML5 Receiver so please ensure that you are utilising an HTML5 compliant internet browser that supports the HTML5 Receiver.
4 – Assuming you’ve clicked on Manage firstly navigate to Hosting Connections create a connection to your chosen resource location either on-prem or cloud (Private or Public) details for setting up hosting connections are available at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-8/manage-deployment/connections.html. Once setup wait 1-2 min before proceeding you don’t have to by the way! I do.
5 – Click Machine Catalogue and create as per normal for detailed on how-to please refer to – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-8/install-configure/machine-catalogs-create.html. Tip: I’d suggest as its your first time using the CWC Apps and Desktop service create your machine catalogue with a single VM with the VDA installed to allow remote connections as described earlier to allow you to get around how the CWC Apps and Desktops Service actually works. You don’t have to either it’s your choice.
6 – Click Delivery Groups and create as per normal aswell and please refer to – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-8/install-configure/delivery-groups-create.html for guidance delivering virtual apps (Skype for Business 2015 also implment the HDX Optimisation Pack 2.0 check out – https://www.citrix.com/blogs/2016/01/12/citrix-and-microsoft-unveil-v2-solution-for-skype-for-business/ for more information) & desktops (Windows Server 2012 R2). TIP: The name you provide your Delivery Group filters through to the Workspaces at – https://workspace.cloud.com/workspaces and becomes the default name of your published virtual & desktops services that you will assign to your subscribers (users) workspace.
7 – You’ve now successfully setup a Machine Catalog and Delivery Group using the CWC Apps & Desktop Service to published a virtual apps & desktop, however prior to accessing your virtual apps & desktops you’ll need to create a Workspace and add subscribers (users) including which published resources your subscribers (users) are able to access otherwise they wont be able to login nor access any published resources.

You should have the Server VDA and CWC Connector now installed see the below example image below.

Create a Workspace to Delivery published virtual apps & desktops
1 – A workspace consists of a collection of services from CWC e.g Secure Documents (ShareFile), Apps & Desktop Service (XenApp/XenDesktop) and so forth that SysAdmins can combine together to form e.g a Pre-Sales workspace that may consist of a virtual apps e.g Skype for Business 2015 that is also offloaded with the HDX Optimisation Pack 2.0 – https://docs.citrix.com/en-us/hdx-optimization/2-0/hdx-realtime-optimization-pack-about.html and a virtual desktop e.g a dedicated Windows 10 or 2012 R2 desktop. A workspace also consists of subscribers (users) who access the workspace which contains published resources created by Citrix SysAdmins. Please ref to http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud/get-started/creating-and-publishing-a-workspace.html which explains how-to create a workspace, define subscribers and published resources.
2 – Once you have created a Workspace and assigned subscribers, resources then users can login at https://{TENANT}.xendesktop.net/Citrix/StoreWeb/ from there resource location and gain access to there virtual apps & desktops.
3 – Managing your newly created Workspace is easy following this useful online document from eDocs – http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud/get-started/manage-a-workspace.html.

Example of my virtual desktop (Server based) delivered by CWC using the XenApp 7.8 VDA. I also use the same theme for my complete XenApp 7.8 deployment in AWS yes I have both deployed and configured 🙂

A first for me
This is the first time I’ve written a blog post (primarily) completed in the air traveling from somewhere between London – England, Oslo – Norway and Stockholm – Sweden.

Disclaimer
This blog article should be considered to be a draft still and therefore may contain errors and I will be updating and adjusting it time permitting and adding in how-to front this CWC Apps & Desktop service deployment in my AWS EC2 resource location with NetScaler Unified Gateway – https://www.youtube.com/watch?v=qT739UoR8d0.

Deploying XenApp 7.x in AWS EC2

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops powered by XenApp 7.8 in AWS EC2 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
AMAZON WEB SERVICES – aws
SECRUITY GROUPS – sg
ELASTIC COMPUTE CLOUD – ec2
HYBRID CLOUD PROVISIONING – hcp
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
INDEPENDENT COMPUTING ARCHITECTURE – ica
FEATURE PACK – fp
EXPERIENCE 1st – x1
VIRTUAL DESKTOP – vd
VIRTUAL APPS – va
INFRASTRUCTURE AS A SERVICE – iaas
CITRIX WORKSPACE CLOUD – cwc
CITRIX LIFECYCLE MANAGEMENT – clm
THINWIRE COMPATIBLE MODE – tcm also known as ecm

Experience Deploying My 1st Virtual Desktop & Apps in AWS
The following screenshot is of a virtual desktop (Windows Server 2012 R2 powered by XenApp 7.8) hosted in AWS EC2 located in N.Virginia, US delivered Windows 8.1 (Yes I know I need to get to Win 10 :-)) laptop running Citrix Receiver Windows 4.4 in London, England with the HDX Thinwire Compatible Mode graphics mode configured with a Preferred Color Depth set to 16-Bit and the performance is very good considering what Ive configured I then adjusted my HDX policies to then switch to HDX SuperCodec (H.264) the UX gets even better providing an even closer HD local like experience in my personal view only so give it ago for yourself.

The HDX policies overview is documented below so for now back to my experience deploying XenApp 7.8 on AWS.

It was substantially easier than I anticipated or even expected as the AWS documentation is easy to understand I believe however that maybe due to the fact I used to previously work for a Managed Services ISP in City of London so many concepts related to Managed Hosting, IaaS, Private and Hybrid Cloud come quiet naturally to me.

Thinwire+ (Thinwire Compatible Mode) 16-Bit Preferred Graphics

Supercodec (H.264)

Introduction to Provisioning XenApp Workloads on AWS EC2
Citrix has had the capability to deploy virtual applications and desktops powered by XenApp 6-7.x.n for quiet sometime utilising the traditional Manual CTX SysAdmin approach then Citrix introduced a concept entitled Hybrid Cloud Provisioning (HCP) under the unified FMA architecture for XAD some time ago which allows CTX SysAdmins the capability to expand there existing Citrix workloads e.g virtual apps and desktops (server based only) to IaaS providers e.g AWS or often generically referred to as the Cloud by adding in a secure new hosting connection within Studio for AWS the requirements include providing the Connection URL, API key and Secret key from your AWS EC2 account ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-connections.html. You can utilise this exact same concept to provision XenApp based workloads from within a AWS EC2 XenApp 7.x FMA Site as described in detail in the following deployment guide entitled “Deploy XenApp 7.5 and 7.6 and XenDesktop 7.5 and 7.6 with Amazon VPC” available at – http://support.citrix.com/article/CTX140427. Finally if I have not explained well enough what hybrid cloud provisioning actually is powered by XenApp 7.x then this short and simple YouTube video from Citrix below should hopefully re-enforce your understanding of HCP.

You can still utilise hybrid cloud provisioning within XenApp 7.8 today and Citrix continues to evolve with its next generation cloud 1st approach of provisioning of Citrix workloads within IaaS, Private and Hybrid clouds with Citrix Workspace Cloud (CWC) its now known as Citrix Cloud. How does it work? Once more there is a fantastic YouTube video which demonstrates setting up, configuring, publishing and delivering a Windows virtual application utilising CWC by one of Citrix’s CTO its well worth watching!

Finally you can utilise Citrix Lifecycle Management (CLM) to automate the deployment and auto scaling of your Citrix workloads on AWS EC2, however this topic is currently not in scope for this blog article however I may update this blog article in the future to include provisioning XenApp on AWS EC2 powered by Citrix Lifecycle Management (CLM).

Pre-requisites & System Requirements for Deploying a XA 7.8 PoC in AWS EC2 (Draft + The Basic’s Only)
0. Check that your XAD license entitlement is correct at – https://www.citrix.com/go/products/xendesktop/feature-matrix.html to provision XenApp workloads on AWS EC2. As of writing and publishing this blog article you require XenApp or XenDesktop Enterprise or above licensing in order to provision workloads on AWS and also Azure.
1. You need an AWS account, Credit card
2. Choose your EC2 region e.g N.Virgina
3. Create your “Security Groups” which acts as a virtual firewall for ICA 1494, 2598 Session Reliability, HTTPS 443, RDS 3389 (SysAdmin access)
4. Lunch an single instance from the EC2 dashboard under “Create Instance” this will be your mgmt. VM
5. Decrypt the passwd & login your mgmt. VM install your require roles e.g AD, DNS as a min requirement for XA 7.x
6. Lunch another single instance from the EC2 dashboard under “Create Instance” this will be your XA PoC VM
7. Download the media from Citrix.com and any FP’s and install all the components onto your XA PoC VM (Studio, Director, Controller, MS SQL Express, StoreFront, License server)
7. Install the latest VDA (existing connections) once ready launch Studio and create your Site, configure your machine catalogue and delivery groups.
8. Modify SFS default.ica file to include your external static IP and check your Windows f/w rules to ensure 1494 is correctly configured to allow traversing NAT’s
9. Navigate to https://AWS-XA-PoC-VM/Citrix/StoreWeb/ and login as a domain admin or user and launch a virtual app and or desktop.
10. Shutdown and turn off your VM’s within your AWS VPC when you are finished with your tests to ensure that your cost(s) are kept to a minimum.

Tuning Your AWS EC2 Virtual Apps & Desktop’s
1. Configuring TCM or ECM is very well documented at the following web links at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-8/hdx/thinwire-compatibility-mode.html, https://www.citrix.com/blogs/2015/10/23/thinwire-compatibility-tuning-lowering-your-bandwidth-even-further/ however I have also listed in table format below what polices you need to select and then apply to your test domain users or group (preferred).

Begin with the following HDX policies listed below to enable TCM/ECM/Thinwire+/Thinwire Compatible Mode and be sure to check out CTX202687 described below in-line with the Very High Definition Experience HDX Policy template.

Policy Name Default Value Comment
Preferred color depth for simple graphics 24 bits per pixel Legacy Mode
Target frame rate 30 fps Legacy Mode
Use video codec for compression Do not use Video codec Force ECM on explicitly by turning H.264 off (Testing)

2. Configuring the super codec (H.264) is actually very easy select the Very High Definition Experience form the HDX templates in Studio and create a policy from it applying again to your test security group (preferred) or domain users it’s your choice. Please note that this policy will enable H.264 however it will default to TCM if you connect from a device that does not support H.264.
3. Finally for all those advanced CTX consultants and SysAdmins out there check the following CTX article – http://support.citrix.com/article/CTX202687 entitled “HDX Graphics Modes – Which Policies Apply to DCR/Thinwire/H.264 – An Overview for XenDesktop/XenApp 7.6 FP3” which documents each policy for each HDX encoding or graphics mode supporter by XAD 7.8