Category Archives: Private Cloud

Citrix Virtual Apps & Desktops or CVAD Service Migration Strategies

The path to operating from the Citrix Cloud Platform for Citrix Virtual Apps and Desktops often can appear like your need to climb to the summit of K2, this is purely because for IT its foreseen as another key yet, rapid IT Transformation project to solve a multitude of business and business IT challenges (its different organisation by organisation). I’ve therefore put together a simple blended digital doodle on this very topic highlighting some key learnings, leading practises from the field and my own thoughts and thinking on this very topic.

If you want to go deep or even get started on your own migration project today, then i strongly recommend that you read and review the “Proof of Concept: Automated Configuration Tool” available at – https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/citrix-automated-configuration.html, which covers off a step by step guide from installation to migration of on-premises CVAD configurations to the CVAD Service operating and run in the Citrix Cloud Platform – https://citrix.cloud.com. The following series of TechZone articles list at – https://docs.citrix.com/en-us/tech-zone.html#citrix-virtual-apps-and-desktops will also add value in your pivot to the CVAD Service.

If you have the right subscription access at https://training.citrix.com, then you can also complete the following on-demand eLearning course “eCWS-2014 | Automated Configuration Tool for Virtual Apps and Desktops” – https://training.citrix.com/elearning/coursequests/1/quest/184, which took me around 45 minutes to complete.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Building an IT Employee Experience Scorecard

Consider this an evergreen post as of 22/09/2020

Introduction
I smile consistently these days hearing how organisations are keeping the UK economic moving forward, pivoting day 1 of the UK COVID-19 lockdown to full-time frictionless secure remote flexible working styles with minimal IT effort + friction powered by Citrix technologies.

I hear many unconsidered benefits from my customers, examples include keeping businesses operating helping their customers and supporting them during the height of the lock down to leap frogging competitors gaining significant market share through to winning new business because operationally they where available and ready with a Citrix powered securely centralised hybrid multi-cloud delivery strategy, when backed with a robust and annually tested Business Continuity Plan (BCP) set them up for instance successful shifting from day one of the UK COVID-19 lockdown to full-time work from home without any major hiccups.

For organisations that weren’t fully Citrix and had a hybrid strategy achieved full work from home swiftly swell using one or more of the following strategies:

1. Many existing hybrid Citrix customers scaled up licensing and re-framed physical workstations sat in the office through Citrix Workspace app to employees now sat at home using a browser on a personal device at home. To the employee everything is where it should be within there virtual desktop, for many this has now fundamentally changed perceptions of why they need to sat in an office for 5 working days in a post COVID-19 non-lockdown world.
2. Scaling up CVAD usage by optimising existing workloads or unlocking dark capacity turned off and deallocated ready within the data centre wherever they choose that to be.
3. The most popular one was to extend into one or multiple public clouds (AWS, Azure) to supporting elastic Citrix Virtual Apps & Desktops (CVAD) workloads whilst remaining in control of public cloud cost economics utilising Citrix AutoScale – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/autoscale.html which is part of the CVAD Service.

Finally organisations shifted to focusing on strengthening security within 1-2 weeks, implementing contextual device security powered by Citrix Smart Control and Smart Access technologies beyond IT non-managed devices, as not every employee could take a device home, they didn’t have a device they could use or they just didn’t have the physical space for it at home as you just don’t know your employees WFH requirements, needs and including @home personal circumstances behind closed doors.

In these many organisations hearing all these great stories I noticed a common theme reoccurring in lock down months 1-2. I have a percentage of employees and its all abeit random across the entire organisation encountering good vs. fair vs. poor experiences. Due to the random nature pin pointing the issue was a huge challenge as by the time IT investigated the problem it was largely self-resolved if by magic? My response have you heard about and or deployed and are running Citrix Application Delivery Management (ADM)? A resounding NO 95% of the time. The below diagram 1 visualises the traffic flow of where I am vs. where my delivered Citrix Virtual Desktop is run out of, it likewise can visualise to IT the overhaul traffic, load demand, security & infrastructure health status ref diagram 2.

Diagram 1

Not visualising the employees “Workspace” traffic flow, is where the value of Citrix and ANY Workspace solution is LOST in IT Service delivery. Citrix Application Delivery Management (ADM) is a key enabler in helping remediate employee experience issues, whilst providing a crucial IT Employee Experience Scorecard.” Lyndon-Jon Martin June 2020

The Business IT Value of Citrix ADM
A modern flexible platform with two unique halves much like our human brains with left vs. right hemispheres connected by a nervous system, however in this case ADM has analytical vs. management hemispheres providing fleet management with different roles vs. function; employee, security & infrastructure insights supported by a hybrid multi-cloud architectural strategy enabling less IT Ops friction and complexity on a daily basis. ADM’s centralised management + sense architecture provide simple and or advanced operational experience scorecards for auditors (PCI/DSS/ISO27001 with RBAC for read-only access), security + network teams, IT and Citrix System Administrators alike from a single framed lens who’s nervous system is connected to a hybrid multi-cloud fabric providing unconsidered insights and visibility into capacity, strengthened security posture through monitoring change control and config drifts incl automated fleet management which can be executed across multiple instances in ANY cloud simultaneously or on your own terms. ADM gives IT back the right level of “Control” enabling the less friction shifting workloads with true licensing flexibility + agility to the most commercially attractive vs. the most innovate cloud platform which suites IT and their business demands.

Diagram 2

Having had the privilege of working with world class engineers in the past helping a single customer to process a Β£1 million pounds per minute through a payment gateway beyond typical web, app traffic of a front door of there website. I learnt that you always require something that you as the MSP or your customer can “Control” in an ANY Cloud + Services architecture for Business Continuity Planning (BCP) and sound IT Operational excellence so you can make better decisions at pace from more accurate data insights visualised. Placing your “Eggs” aka IT Business platform into a single supplier framework even the most trusted IaaS provider and enforcing that your preferred IaaS region is properly fault tolerant and highly-available is equally expensive in cost and complexity much like on-premises, do not be fooled. The IT Complexity Index increases significantly when consuming for example IaaS native site recovery services to enable near to real-time failover in another region when your primary region experience’s an (planned) outage or degraded performance, these services help to keep-a-live those existing “Sticky” connections which will eventually complete a transaction of some kind e.g credit card donation.

I’m all for public cloud in fact two operating styles “Native” vs. “Managed” Public Clouds strategies. I’ve ran my personal lab in AWS EC2 since 2016, easily amortised Β£1000 over these past 4 years with plenty of cashflow free. Really? How? Having a strong background + experience in the MSP world on the edge of the City of London and working with “Managed” Public Clouds platform I began to respect + understand how all IaaS providers operate inclusive of the full lifecycle management of workloads + the data centre platform itself which is to not leave everything on like you do at home or in a traditional managed colocation data centre. In a native vs. managed IaaS world you’ll turn off and deallocate capacity if you don’t require it and scale it up as you equally require it with little to no friction. I’ve digressed enough back to the IT Employees Experience Scorecard.

A number of my customers have overcome that randomness or pockets of employees complaining about a poor experience post deploying Citrix ADM as the issue can now be identified and remediated pretty efficiently. The solution is simple, deploy and run Citrix ADM for up to a week continuing as is, no changes and then run a report similar to the above and in parallel visualise all those support cases from your service desk platform and marry up employee names and you’ll quickly notice a pattern forming between employees with poor experiences vs. support cases + the number of them.

I suggested to organisations survey those employees and ask them a few simple questions the best ones “Who is your home broadband provider?” and the second “How many devices are connected in the house to the internet and number of people?”. The first question revealed what I expected its the employees consumer ISP and the suggested remediation could well be provide them a “stipend” exclusively for mobile data onto personal contracts or ship them a 4G mobile hub/dongle to use instead and the problem vanishes over night almost every time and video conferencing platforms perform better as a net result equating to happier employees with a better experience.

The second question is about understanding what is happening within the home and as a result tweak or deploy a new HDX policy which again almost every time the employee experience was significantly improved. An example is switching out “Thinwire” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/graphics/thinwire.html for “EDT” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview/hdx/adaptive-transport.html or visa versa. You can Optimise the “EDT” HDX protocol bandwidth over high latency connections – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview/hdx/bandwidth-connections.html as its roots are entrenched from the “Framehawk” protocol which was originally engineered from the ground up to deliver a better experience with macro rising increases of spectral interference and multipath propagation, you can learn more about that by reading this article – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/graphics/framehawk.html. An important note you should be actively using the “EDT” protocol with or beyond 1912 LTSR if you want something like “Framehawk“.

Getting Started with Citrix Application Delivery Management (ADM)
It can be consumed as a Citrix Cloud Service – https://docs.citrix.com/en-us/citrix-application-delivery-management-service.html or you can deploy a customer owned and operated platform – https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13.html.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Azure AD SAML Sign-in with Virtual Smartcard to Citrix Virtual Apps & Desktops

Consider this an evergreen post as of 10/06/2020

Introduction
The purpose of this blog post to aim for a consistent modern authentication experience for employees when consuming Citrix Virtual Apps & Desktops (CVAD) + CVAD Service regardless of where the (CVAD) workloads are running, either in *Azure, *AWS, *GCP or *On-Premises. The primary priority is that the employees identity is owned and managed by a cloud identity platform e.g Azure Active Directory (AAD) and the employees identity within each resource location* for CVAD usage maps to AD shadow accounts. These AD shadow accounts represent the employee as a UPN e.g human.name@domain, with a RANDOM long complex password that the employee doesn’t need to ever know and all IT is required to do beyond creating a AD shadow account is then assign the right vs. relevant security privileges and access to CVAD including Policies meeting local, geo of industry compliance and governance while maintaining a great employee experience.

The second priority is that the employees device can frictionlessly access CVAD resources using either a Forward Proxy, SD-WAN Overlay Network or ICA Proxy. I do recognise that many organisations are still required to make use of a VPN style strategy at the current moment and therefore this solution can also work for those devices as well repurposing the existing Citrix Gateway to also support a Full VPN beyond ICA Proxy or you can use other well established and trusted VPN solution providers.

Leveraging a Bring Your Own “either Enterprise vs. Personal” Identity (ByoI) is a concept I ponded way back in 2017 and now feels like the right time to pick that up concept again during the current Workplace transformation happening all around the world due to world wide COVID-19 pandemic. Using a ByoI strategy as high level vision you can efficiently deploy CVAD to any *Azure, *AWS, *GCP region or *On-Premises with less friction and you don’t need to be worry about “Password Syncing” just replicate the employee’s UPN + AD Security Privileges + CVAD Access & Policies where its required. It has the added benefit if you want do mix and match public cloud workloads to avoid lock-in amongst other topics, you’ll be providing a common and consistent login interface + experience irrespective of where the workload is sat.

It another brilliant benefit is the on-boarding of 3rd Parties (3P’s) using ByoI concept with a business check at the edge, the 3P brings there owned Identity and in the current world we live in I don’t think that is bad thing it could even strength that employees individual security as there identity will be bound to a smartphone which knows more about your individuals habits and you that you know yourself. If we can unlock a co-shared responsibility identity model between the individual + organisation we can truly aim for a passwordless workspace that only uses virtual smartcards or tokens.

Finally the on-boarding of M&A employees can be faster as you can generate them a few days after commercial signing with a new brand identity that resides in Azure AD (or Google, OKTA e.t.c) whilst they continue accessing existing workplace apps + data with current AD credentials, IT + HR + Business can choose when to layer in the “NEW” Workspace Platform for Work from group perspective into the existing Workspace with less friction and complexity. Yes this final topic is complex when we think about merging different Business IT and IT Systems together, a CVAD strategy with FAS bridges the GAP reducing friction and complexity for IT to sun rise a new Workspace stack for that newly acquired organisation while sunsetting the exciting Workspace stack and those new M&A employees get to on-board beyond the Workspace into there new organisations people, its culture, vision and values and avoids the IP drain that often can easily happen.

The Employee Experience

High Level Architecture
The scenario below depicts accessing a StoreFront server on any device type from within the Workplace fabric in any office locally or world wide or from a IT managed device that makes use of a Full VPN, Forward Proxy technology; WFH Citrix SD-WAN appliance where traffic passes over an SD-WAN overlay network; Citrix Endpoint Management enrolled smart device with per-app mVPN configured and finally irrespective of the devices management status you can use ICA Proxy* to access CVAD resources anywhere over the internet inclusive of any home via a Citrix ADC (formerly NetScaler) using the Gateway functionality which is “VPN-Less*”.

Systems Requirements & Pre-requisites
1. A UAT or Test CVAD 1912 LTSR Site that already setup. My personal one runs in AWS EC2 as it retains hosting connections or public clouds to preform MCS provisioning of machines from customer own and managed control plane. You can also use the Citrix Virtual Apps & Desktops (CVAD) Service or sign-up at https://citrix.cloud.com/ and engage your local Citrix representatives to get a trial setup for the CVAD Service.
2. Deploy a new VM which will run the following Citrix 1912 LTRS StoreFront and Federated Authentication Service (FAS) roles to create a new “Store” on StoreFront called “AAD” which will be configured to accept the Azure AD SAML token which will then convert the AAD SAML tokens into a Citrix virtual smartcard to SSO the employee onto CVAD resources.
3. Install StoreFront – https://docs.citrix.com/en-us/storefront/1912-ltsr/install-standard.html after reading the system requirements – https://docs.citrix.com/en-us/storefront/1912-ltsr/system-requirements.html.
4. Setup and Configure FAS Role on your StoreFront Server – https://docs.citrix.com/en-us/federated-authentication-service/1912/install-configure.html after reading the system requirements carefully – https://docs.citrix.com/en-us/federated-authentication-service/1912/system-requirements.html, this part shouldn’t be a problem e.g leaning on on Security teams whom control the Enterprise CA Admins as you’ll hopefully be using a proper UAT or Test CVAD environment with all the Microsoft management servers and roles including an Enterprise CA which FAS requires and access to AD introduce new GPO’s.
5. An Azure AD “personal or business test” tenant.

Deployment Guide

Azure AD Setup & Configuration – Personal Home Lab Edition
If you have a separate Azure AD tenant in Azure you can proceed to the next section, however if you are an IT Pro that wants to test out how to convert Azure AD SAML logins to Citrix virtual smartcards for CVAD the following the below guidance below for setting up a personal ADD tenant with a personal Azure account for your home lab. WARNING I am not an Azure AD nor on-premises AD expert, therefor follow the leading practises found in Microsofts documentation for Azure AD.

1. Navigate toΒ https://portal.azure.comΒ and sign-in with your live vs. personal Microsoft account. Select β€œCreate a resource”.
2. Select β€œIdentity” then select β€œAzure Active Directory”.
3. Enter in an β€œOrganisation Name, Initial domain name and select your Country or region”.
4. The wizard will begin creating your AAD tenantΒ .
5. Once it completes click the hyperlink within β€œClick here to manage your new directory”.
6. At the Overview page of your new AAD tenant select β€œUsers” under β€œManage” section.
7. Select β€œ+ New user” under the β€œAll Users (Preview)” Overview you’ll notice your personal email addr.
8. You’ll notice when creating a new employee account for your AAD tenant that you can only append domain.onmicrosoft.com to the username, I’ll explain how-to convert that to user@domain and remove the UPN requirement of user@doamin.onmicrosoft.com in the next few steps. For now fill the following fields β€œUser name”; β€œName”; β€œFirst name”; β€œLast name”; β€œPassword” (choose or auto-generate) and the select β€œCreate” keeping the defaults as they are.
9. Your new AAD employee is successful created, you can assign roles. NOTE for my personal testing purposes I didn’t configure anything as I’ll delete that test employee AAD account after my testing.
10. At this point I’m not going to deploy nor setup the β€œAzure AD Connect” in my Citrix Cloud Resource Location as I want the employees primary identity to always reside in Azure AD as the single source of truth, and then bring that identity to my Citrix Cloud Resource Location e.g Bring your own Identity (ByoI) and after a successful AAD SAML login map that to a hardened AD Shadow account with long complex password that the employee will never know and all I need to do it assign the AD security privilege and access for CVAD resources. This approachΒ means that employee will NEVER enter in a AD password within a Citrix Cloud Resource Location that is configured for AAD (or Google, OKTA e.t.c) when using CVAD 1912 LTSR StoreFront and the Federated Authentication Service (FAS) in a Resource Location(s). For complex environments yes you’ll likely deploy the β€œAzure AD Connect” software as a role somewhere to replicate the employees but you don’t need to replicate there passwd or you can provision the employee twice once in AAD as in the example above and then again manually in AD in the Resource Location as there corresponding AD shadow account which matches the UPN from AAD when authenticating using SAML to StoreFront, the choice is yours but I found for testing purposes a manual in each is far less frictionless.

On-Premises Active Directory (AD) within your Resource Location
1.Create a new AD “Shadow” account that matches the “User Principal Name (UPN)” in AAD e.g user@domain, generate a random long complex password which they don’t need know and then assign or inherit the right vs. relevant AD security groups, GPOs that you would usually assign to a CVAD consumer.
2. On-board your domain into Azure AD which required verifying it with a MX record to avoid using user@domain.onmicrosoft.com so that you can use user@domain keeping it simple and less complex.

Installation and Configuring the Federated Authentication Service (FAS)
1. On the new VM that you just installed 1912 LTSR StoreFront role onto from the existing mounted ISO run the autorun splash screen and select β€œFederated Authentication Service”.
2.Read the EULA which you’ll need to β€œAccept the Licenses Agreement” to continue.
3. Accept the defaults and select β€œNext” on the “Core Components” page.
4. Accept the defaults and select β€œNext” on the “Firewall” page.
5. Once the installer is finished select β€œFinish” to close.
6. Open a PowerShell window in Admin mode then copy & paste the following code below, which will enable a trust between the CVAD Controller and the StoreFront server, minimise this window you’ll require it later.

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

7. Navigate to the following path β€œC:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions\” on the current StoreFront server that you installed FAS role onto, copy the following two files β€œCitrixFederatedAuthenticationService.admx” and β€œCitrixBase.admx” the entire folder β€œen-US” to a network share which will need to be accessible from your Windows Domain Controller or WDC.
8. Connect to your Windows Domain Controller (WDC) via RDS from the current StoreFront + FAS server and copy the two *.admx FAS files including folder β€œen-US” from your network share to the following path on the β€œC:\Windows\PolicyDefinitions” on your WDC.
9. Open an β€œMMC” console and load the β€œGroup Policy Management Editor” snap-in, at the prompt for a Group Policy Object, select β€œBrowse” and then select ”Default Domain Policy”.
10. In the MMC console navigate to β€œDefault Domain Policy [server name] > Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication” and you should see the following three policies available β€œFederated Authentication Service”, β€œStoreFront FAS Rule” and β€œIn-session Certificates”.
11. Select and open the β€œFederated Authentication Service” policy, next select to β€œEnable” it followed by selecting the β€œShow” button parallel to β€œDNS Addresses” label and enter in the FQDN e.g. β€œserver.domain” of your StoreFront + FAS server and then select β€œOK” and then select β€œOK” to save the policy configuration and enabling FAS.
12. Next select and open β€œIn-session Certificates” and select β€œEnabled” and in the β€œConsent timeout (seconds):” field type in a value of “30” which is the default.
13. Next close the MMC console and open up the existing PowerShell (Admin mode) and copy and paste the following code to force a Group Policy Update. 

gpupdate /force

14. Minimise the RDS connection from your WDC so that you are back on your StoreFront + FAS server. Search and open up Citrix FAS in Admin mode, if you don’t you will be notified in the UI and then select β€œrun this program as administrator” which will reload the FAS UI in Admin mode.
15. Select to β€œDeploy” for β€œDeploy certificate templates”.
16. Select β€œOk” on the pop-up window that appears.
17. You’ve now successfully deployed the certificate templates, now select β€œPublish” for β€œSet up a certificate authority”.
18. Select the right Enterprise Certificate Authority (CA) from the available list and select β€œOk”.
19. You’ve now deployed the certificate templates successfully to your Enterprise CA, now select β€œAuthorize” for β€œAuthorize this service”.
20. Select the right Enterprise Certificate Authority (CA) from the available list (same as above) and select β€œOk”.
21. The FAS UI will display a spinning icon as the authorisation request is pending on the Enterprise CA server. 
22. Connect to your Enterprise CA via RDS and the β€œMicrosoft Certification Authority” MMC Console and navigate to β€œCA > CA Server > Pending Requests” you’ll see pending certificate right click it select β€œAll Tasks > Issue” and the certificate will be issued. 
23. Verify the issues certificates are issued by selecting β€œIssued Certificates” and verify you can see two issues certificated that begin with β€œCitrix_RegistrationAu…”.
24. Minimise your RDS session to your Enterprise CA and return to the StoreFront + FAS server, you now notice the β€œAuthorize this service” says β€œReauthorize” which is correct as the FAS service is now authorised with the Enterprise CA. Next select β€œCreate” for β€œCreate a rule”, which launch a new window.
25. Accept the default β€œCreate the default rule (recommended)” and select β€œNext”.
26. Accept the default β€œCitrix_SmartcardLogon (recommended)” and select β€œNext”.
27. Select the previously selected and configured Enterprise CA you Authorised and select β€œNext”.
28. Select β€œAllow in-session use” and select β€œNext” if you enabled the following policy β€œIn-session Certificates” earlier.
29. Select β€œManage StoreFront access permissions (access is currently denied)” in red text which will open a new window.
30. Remove β€œDomain Computers” and add the β€œServer” running the StoreFront + FAS roles and under β€œPermissions” to β€œAllow” then select β€œApply” and β€œOk”.
31. The screen will update with β€œManage StoreFront access permissions” to now be in blue text, now select β€œNext”.
32. Select β€œManage user access permissions (all users are currently allowed)” in red text which will open a new window.
33. You can change to default β€œDomain Users” to your own test AD security group, then under β€œPermissions” to β€œAllow” then select β€œApply” and β€œOk”.
34. The screen will update with β€œManage user permissions (all users are currently allowed)” to now be blue text, now select β€œManage VDA permissions (all VDAs are currently allowed)” which is in red text.
35. You can change to default β€œDomain Computers” to your own test AD security group that your Citrix Virtual Delivery Agents (VDA) are found within, then under β€œPermissions” to β€œAllow” then select β€œApply” and β€œOk”.
36. The screen will update with β€œManage VDA permissions (all VDAs are currently allowed)” to now in blue text, now select β€œNext”.
37. Now select β€œCreate” and a “Default” FAS rule.
38. You have now successfully setup and configured Citrix FAS, you still need to enable FAS Claims for your “AAD” store on StoreFront which is covered later in this blog post.

Creating a new Store call “AAD” for Azure AD SAML Authentication in StoreFront
1. Open Studio and select “StoreFront” then select β€œStores” and the on the β€œActions tab” select β€œCreate Store”.
2. On the splash screen select “Next“.
3. Type in β€œAAD” for the β€œStore Name” field and click β€œNext”.
4. Select β€œAdd” list a CVAD controller, a new window will appear where you need provide the following information a β€œDisplay Name” e.g Citrix Cloud Connectors vs. CVAD 1912 LTSR, for the “Type” select β€œCitrix Virtual Apps and Desktops” and under β€œServers” list select β€œAdd” and type in the Citrix Cloud Connector or CVAD 1912 LTSR addresses and choose β€œTransport type” either HTTP 80 or HTTPS 443 (Preferred) and click “OK”.
5. You are now returned to the “Delivery Controller” page with a list of either Citrix Cloud Connectors or CVAD Controllers 1912 LTSR, click “Next“.
6. Now on the “Configure Authentication Methods” page select β€œSAML Authentication” and leave β€œUser name and password” checked as YES, then click β€œNext”.
7. Ignore “Remote Access” configuration and click “Next“. NOTE: I will update this blog post at a later date with the Remote Access via Citrix Gateway formerly NetScaler Gateway.
8. Accept the default’s on the “Configure XenApp Services URL” and click “Create”.
9. StoreFront will begin creating your new “AAD” Store on your StoreFront server, once the wizard completes select “Test Site” to verify you can see a webpage that displays Citrix Receiver or you can navigate to β€œhttps://FQDN/Citrix/AADWeb/” replacing the FQDN with your own to verify the webpage is available.

Generating AAD SAML Configuration for StoreFront
1. In the Azure AD UI in the Azure Portal select β€œEnterprise applications” node.
2. When the UI updates in the centre select “Select β€œNew application”.
3. You are taken to the “Add an Application” wizard and presented with three options select “Non-gallery application“.
4. Next provide a name for your own application e.g AAD-SAML-CVAD1912LTSR and then click “Add” at the bottom.
5. The AAD wizard completes and you are taken to the “Overview” page for “AAD-SAML-CVAD1912LTSR“, now select “Users and groups” from within this view.
6. Add an native AAD user(s). Note do not add any employee that does not have a AD shadow account setup and configured in the Citrix Cloud Resource Location (RL).
7. Now from the same “Overview” page for “AAD-SAML-CVAD1912LTSR” select “Single Sign-on” and on the “Select a single sign-on method” wizard select “SAML” and will start the AAS SAML wizard.
8. Select the pencil icon for “Basic SAML Configuration” to configure the following fields as follows below and select “Add“.

Identifier (Entity ID): https://FQDN/Citrix/AADAuth
Reply URL (Assertion Consumer Service URL):https://FQDN/Citrix/AADAuth/SamlForms/AssertionConsumerService
Sign on URL: https://FQDN/Citrix/AADWeb

9. Check under “User Attributes & Claims” portion that the “Name” field is configured to β€œuser.userprincipalname”.
10. Scroll to “SAML Signing Certificate” and click to download the β€œFederation Metadata XML” e.g. AAD-SAML-CVAD1912LTSR.xml, now save or transfer it to your StoreFront server at C:\Temp.

Create and Configure a Azure AD SAML Trust in StoreFront
1. If you have transferred the *.xml file e.g “AAD-SAML-CVAD1912LTSR.xml“, then on your StoreFront server create a folder called β€œTemp” on β€œC:\” and transfer the downloaded *.xml file.
2.Open PowerShell in admin mode or launch it from Studio 1912 LTSR. Copy & paste the following code below, however if opening the PowerShell with Admin privileges without Studio 1912 LTSR then copy & paste this cmdlet first before proceeding with the configuration & “$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1“. You will notice the virtual path for the Store is already set here to AAD so you can copy and paste it as is. This code sets up and configures SAML for the ADD Store.

$storeVirtualPath = “/Citrix/AAD” 
$auth = Get-STFAuthenticationService -Store (Get-STFStoreService -VirtualPath $storeVirtualPath) 
$spId = $auth.AuthenticationSettings[“samlForms”].SamlSettings.ServiceProvider.Uri.AbsoluteUri 
$acs = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlForms/AssertionConsumerService”) 
$md = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlForms/ServiceProvider/Metadata”) 
$samlTest = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlTest”) 
Write-Host “SAML Service Provider information: 
Service Provider ID: $spId 
Assertion Consumer Service: $acs 
Metadata: $md 
Test Page: $samlTest “
 

3. Next copy and paste the following code which will ingest SAML configuration from the Azure AD *.xml that you downloaded earlier and copied to C:\Temp on the StoreFront server.

Get-Module “Citrix.StoreFront*” -ListAvailable | Import-Module
# Remember to change this with the virtual path of your Store.
$StoreVirtualPath = “/Citrix/AAD”
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Update-STFSamlIdPFromMetadata -AuthenticationService $auth -FilePath “C:\Temp\AAD-SAML-CVAD1912LTSR.xml”


4. Validate there are not error(s) on screen that need resolving.
5. Minimise your PowerShell window you’ll need it again shortly, now open up Studio or StoreFront MMC console and navigate to the “Stores” and select “AAD” and select “Manage Authentication Methods“.
6. Select the cog icon parallel to β€œSAML Authentication” and then select β€œIdentity Provider” you should see that your AAD SAML configuration is setup and configured, leave it as is DO NOT TOUCH it!
7. Close all windows including Studio or StoreFront.

Enabling FAS for Converting Azure AD SAML Tokens to Virtual Smartcards
1.Open up your existing PowerShell window and copy and paste the following code below, which will ENABLE FAS for your ADD Store to convert AAD SAML tokens received into virtual smartcard that will be used to SSO the employee onto his/her Citrix virtual app and or desktop. You’ll notice the code is configured for the “AAD” Store so you can copy and paste as is.

Get-Module “Citrix.StoreFront.*” -ListAvailable | Import-Module
$StoreVirtualPath = “/Citrix/AAD”
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName “FASClaimsFactory”
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider “FASLogonDataProvider”


2. Validate there are not error(s) on screen that need resolving, if there are none you can nose close the PowerShell window.

Testing your Azure AD SAML to Virtual Smartcard Login
1. Navigate to https://FQDN/Citrix/AADWeb which will redirect you to a AAD login.
2. Enter in your UPN e.g user@domain and then complete the required 2FA vs. MFA requirements setup by your organisation as requirement onscreen.
3. You will be returned to https://FQDN/Citrix/AADWeb and SSOed onto UI, depending on your setting your desktop will either auto launch of you’ll have to manually launch it yourself. The initial login will take slightly longer than usual as its generating you that initial virtual smartcard between StoreFront, FAS, AD and your Enterprise CA.
4. Your Citrix vDesktop or vApp should launch successfully and SSO the on without prompting for any credentials.

Troubleshooting
1.If you receive ANY error once returned to https://FQDN/Citrix/AADWeb post the AAD SAML login open a new browser tab in the same session and copy and paste the following URL https://FQDN/Citrix/StoreAuth/SamlTest to see if you have any oblivious errors e.g user@domain.onmicrosoft.com from Azure AD which doesn’t map to the AD Shadow account that is user@domain so its a UPN mismatch and the sign-on will continue to fail.
2. If the employee can sign on to https://FQDN/Citrix/AADWeb and the Citrix vApp or vDesktop launches but they see a credential prompt with “Other User” check and see that you configured FAS for the correct Store with SAML Authentication setup and configured if not using my example of “AAD” as the Store setup and configured on StoreFront.

ICA Proxy Remote Access with Azure AD SAML
Coming…

ConceptΒ on Bring your own Identity (ByoI) Strengthening Security through Co-SharedΒ Responsibility owned by IT with different operating models
Its a simple concept which I like and yes it adds in complexity but it times today its far better to harden against unwanted 3rd party access whilst making it harder to achieve lateral movements. If the employee’s account is compromised by a 3rd party, they would need to compromise the employees identity in the cloud directory e.g AAD and in Active Directory (AD) on-premises as both passwords are completely different with different types of multi-factor authentication methods bound including access privileges.

The views expressed here are my own and do not necessarily reflect the views of Citrix.


What’s New in XenApp & XenDesktop 7.13

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops powered by XenApp & XenDesktop 7.13 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
SECURITY ASSERTION MARKUP LANGUAGE – saml
LOCAL HOST CACHE – lhc
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
WINDOWS – win
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
VIRTUAL DESKTOP – vd
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
VIRTUAL APPS – va
DATA TRANSPORT LAYER – edt
FIREWALL – f/w
ACCESS CONTROL LISTS – acl
ADVANCED MICRO DEVICE – amd

What’s New
A full and complete list of what’s new is avaiable at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/whats-new.html. I’ll start with one of my Citrix passions which is any and everything surrounding HDX technologies.

1. HDX Adaptive Transport is disabled by default in XAD 7.13* also referred to as EDT is a new HDX graphics mode that utilises both the UDP and TCP protocols with a fallback to TCP where UDP isn’t available. The HDX engineering team have engineered this new Citrix protocol called Enlightened Data Transport (EDT) which utilises the existing Citrix ports 1494 (ICA/HDX) and 2598 (Session Reliability) for both TCP and now new UDP so f/w ACL changes are near enough straight forward. To test this new graphics mode internally:

– Configure the ACL between your test end-point and through your internal network (over a VPN) VM running the 7.13 VDA to allow UDP and TCP for 1494, 2598
– Your test VM instance could be running in Azure (connected on-prem via a VPN) or on XenServer 7.1 and remember must be running the latest desktop or server VDA
– Your test end-point must be running the following min Citrix Receiver versions for Windows 4.7, Mac 12.4 and for iOS 7.2
– *In Studio create a machine catalogue, delivery group or use an existing one with your VDA upgraded from e.g 7.12 to 7.13 and then create a new HDX policy e.g HDX-TestofEDT and select the following HDX policy entitled “” and choose “Preferred“.

2. AMD Multiuser GPU (MxGPU e.g GPU Virtualization works with vSphere only) on the AMD FirePro S-series server cards for HDX 3D Pro workloads only e.g Desktop OSes ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/hdx/gpu-acceleration-desktop.html+ with support for up to 6 monitors, custom blanking & resolution, high frame rate and only GPU Pass-through is supported on the following hypervisors XenServer and Hyper-V. For further details please ref to the AMD website at – http://www.amd.com/en-us/solutions/professional/virtualization.

3. Intel Iris Pro (5-6th Gen Intel Xeon Processor E3) graphics processors supports H.264 h/w encoding for virtual apps & desktops, HDX 3D Pro support for up to 3x monitors (Ref to install options+), custom blanking & resolution, high frame rate. For further details and compatible Intel processors ref to – http://www.intel.com/content/www/us/en/servers/data-center-graphics.html

4. Other HDX enhancements include:

– Bidirectional content redirection – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/policies/reference/ica-policy-settings/bidirectional-content-redirection.html
– Wacom tablets improvements & connection methods – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/hdx/usb.html and also see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/policies/reference/ica-policy-settings/usb-devices-policy-settings.html
– File copying performance enhancements for client drive mapping

5. StoreFront 3.9 support for the following below and for a closer look check out the following CTX blog article – https://www.citrix.com/blogs/2017/02/24/whats-new-in-storefront-3-9/

– HDX Adaptive Display
– CEIP automatic enrollment by default. To disable please ref to http://docs.citrix.com/en-us/storefront/3-9/install-standard.html#par_anchortitle_8ea6
– Importing of NUG configurations (ZIP file or via PowerShell) into StoreFront to setup through the XAD Wizard using the latest NetScaler UG 11.1.51.21+ ref – http://docs.citrix.com/en-us/storefront/3-9/integrate-with-netscaler-and-netscaler-gateway/import-netscaler-gateway.html to reduce and avoid misconfigurations.
– Not new but if you’re looking to security harden your StoreFront standalone or cluster ref to – http://docs.citrix.com/en-us/storefront/3-9/secure.html
– SAML auth through against your preferred Store with NetScaler Unified Gateway configured as your IdP – http://docs.citrix.com/en-us/storefront/3-9/configure-authentication-and-delegation/configure-authentication-service.html#par_anchortitle_d712

5. The Connection Quality Indicator is not part of the XAD 7.13 release but an invaluable Citrix tool for Citrix SysAdmins check out its capabilities at – https://www.citrix.com/blogs/2017/02/22/citrix-connection-is-slow-not-really/ and you can download it from – https://support.citrix.com/article/CTX220774 and it also inclues group policies for better SysAdmin controls to enable or disable the tool which is supported from XAD 7.6 LTSR and upwards ref the CTX220774 article. The below image is taken from a Window 10 virtual desktop powered by XenDesktop 7.x.

6. Linux Seamless published applications from a Linux supported OS using the 7.13 VDA – http://docs.citrix.com/en-us/linux-virtual-delivery-agent/7-13/whats-new.html and also please read the publishing apps for Linux at – http://docs.citrix.com/en-us/linux-virtual-delivery-agent/1-4/suse/configuring/publish-apps.html for advanced tips and guidance on seamless mode vs. window manger configuration.
7. LHC in 7.13 introduces a new support feature for brokering operations for Citrix Cloud when the internet connection between the Citrix Cloud Connector and the Citrix Cloud control plane at – https://citrix.cloud.com/ is in a failed state or unavailable due to an ISP outage. You can also force an outage following the documentation available at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/manage-deployment/local-host-cache.html++ by creating and manually modifying the following registry entry “HKLM\Software\Citrix\DesktopServer\LHC with entry of OutageModeForced” set to the value in the documentation++ to force an outage for testing and or evaluation purposes prior to implmenting Local Host Cache. I’ve embedded below a simple architectural recap of LHC introdcued in XAD 7.12 and you can read in more depth detail about Local Host Cache from a previous blog post available at – http://axendatacentre.com/blog/2016/12/13/whats-new-in-xenapp-xendesktop-7-12/.

Finally LHC still provides support for brokering operations for traditional XAD Controller Site Database on-prem ref ++. I’d also recommend that you watch this TechTalks To Go covering LHC in XAD 7.12 release.

8. Provisioning Services 7.13 now supports Linux streaming and a brand new caching technique only available and supported on XenServer 7.1 called PVS-Accelerator. Check the following YouTube video from Citrix entitled “Introducing PVS-Accelerator, only available with XenServer!” via https://twitter.com/juancitrix/status/835202277317148672.

9. HDX Thinwire enhancements in 7.13 have resulted in up to 60% bandwidth savings. Take a look at the following CTX blog post at – https://www.citrix.com/blogs/2017/01/11/hdx-next-cuts-bandwidth-by-up-to-60-yes-sixty-percent/ which has some great high level LoginVSI 4.1.6 graphics comparing Thinwire in 7.12 vs. 7.13 on Windows Server 2012 R2 and 2016.
10. AppDNA what’s new ref – http://docs.citrix.com/en-us/dna/7-13/whats-new.html now includes support for Windows 10 Anniversary Update (AU) and now defaultor analysis and reporting, Secure Web reports and finally improved importing to process to analysis OSes and apps. There are a few more to be sure to check out the whats news!

Deploying XenApp 7.13 for Evaluation & Testing Purposes
The fastest way to deploy and test the latest new features from Citrix XA 7.13 release with little to no effort is to deploy the “Citrix XenApp 7.13 Trial” from Microsoft Azure available and accessiable at – https://azuremarketplace.microsoft.com/en-us/marketplace/apps/citrix.citrix-xa?tab=Overview.

Removed from XenApp and XenDesktop 7.13
Please be sure to read and review the complete removed features and future removal features within XAD 7.x platform topics on Azure Classic, AppDisks, Desktop OS support and supported HDX Graphics Modes e.t.c –
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/whats-new/removed-features.html.

Viso Stencils from Citrix’s Ask the Architect – https://twitter.com/djfeller for XenApp and XenDesktop 7.13.


Image credit: https://twitter.com/djfeller/status/836557405173477376

https://virtualfeller.com/2017/02/28/visioxenappxendesktop713/

Understanding the Citrix Cloud, its Services, Architecture & Connectors (Draft)

The following content is a brief and unofficial prerequisites guide to better understand Citrix Cloud, Connector technology and the overall architecture required to setup, configure and test delivering virtual apps and desktops powered by XenApp & XenDesktop Service prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
HIGH-AVAILABILITY – h/a
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
CITRIX CLOUD – cc
INFRASTRUCTURE AS A SERVICE – iaas
CITRIX CLOUD CONNECTOR – connector

The Three Primary Cloud Types (Draft Section)
Firstly i’d like to provide my definition of public, private vs. hybrid cloud and in my personal view things like SaaS, PaaS have naturally been spin out or off from IaaS e.g Public Cloud.

Public Cloud is whereby a ISP provides you with SPLA licensing (OS, Application, Service), compute, storage and network capabilities which in turn enables you to create your very own VM instances running in a virtual datacentre on the ISP’s h/w and example providers may include AWS, Azure, Google Cloud Platform e.t.c

Private Cloud is where you the organisation owns there own OS, Application or Service licenses as well as the physical hardware that allows you to create your own VM instances within your virtual datacentre. In this scenario the h/w is could (a) be purely Colocatied (Colocation) at ISP with or without managed services over and above the Colocation and example providers could include Rackspace, Qubems, Peer1 or (b) your h/w is hosted within your own custom and purpose built data centres facility or comms room dependant upon the organisations size and IT/Technology requirements.

Hybrid Cloud is when public and private clouds are connected securely over a IPSec R/A, L2L or SSL VPN connection.

What is and how Citrix Cloud works
Citrix Cloud is an evergreen, managed control plane from Citrix that provides the traditional Citrix management technologies to delivery e.g Virtual Apps & Desktops as Services thereby reducing overhaul management updates & upgrades. This means that Citrix is responsible for the availability of your Citrix management infrastructure in there Control Plane including ensuring that it is on the latest up to day and production version of e.g XAD to deliver DaaS and or virtual apps. Citrix customers and partners are responsible for what is known as a resource location which is where your apps, network and data resides and can exist in a public, private or hybrid cloud deployment scenario and each resource location is securely connected to the control plane using the Citrix Cloud Connector which initiates an outbound HTTPS connection so your completely in control of your apps, network & data within your resource location(s) at all times.

If I have not technically explained what is and how Citrix Cloud works successfully then please feel free to watch the below embedded YouTUBE video.

Please note that Citrix Workspace Cloud is now know as Citrix Cloud

Citrix Cloud Services as of Jan 2017
The following is my own technical spin/view of each of the Citrix services you can review the Citrix official view of each service at – https://www.citrix.com/products/citrix-cloud/services.html.

XenApp and XenDesktop Service – HDX virtual app & desktop delivery from any supported resource location running server/workstation VDA(s) while all the XenApp/XenDesktop mgmt infrastructure (Studio/Director) resides in your tenant/account at https://citrix.cloud.com.

XenMobile Service – Deploy Secure Apps (MAM), MDM to control your organisation devices with no need to deploy the XenMobile v/a even at your resource location all you need is either an IPSeC VPN tunnel or the Connector to enumerate users in AD to be assigned to delivery groups.

ShareFile Service – Follow-me data now controlled within one WebUI.

NetScaler Gateway Service – Provides a simple and easy deployment method to gain external remote access to virtual apps & desktops from your resource location(s) via the Citrix Cloud Connector.

Smart Tools Service previously Lifecycle Management – Design, build, automate, auto check & update your resource locations with Citrix validated blue prints.

Secure Browser Service – Provides a secure remote virtual browser(s) to access web (internal vs. external), SaaS apps from the Citrix Cloud with zero configuration, with only a link to access your published web apps via the HTML5 Receiver.

Citrix Cloud Labs – My personal favourite as this area of Citrix Cloud allows you get to test out some of the latest Citrix Innovations from our Labs team as services e.g AppDNA Express; Citrix Provisioning for Microsoft Office 365; IoT Automation; Citrix Launch for Microsoft Access; XenMobile MDX Service and Session Manager

Connector Architecture & Security
The following diagram depicts the H/A deployment of Citrix Cloud Connector for use with the XenApp and XenDesktop Service from Citrix Cloud. Please note that this is a simple architectural diagram that does not include a NetScaler in resource location so the assumption is that you users will connect to their virtual apps and desktops either from within the actual Resource Location or via the NetScaler Gateway service hosted and managed by Citrix Cloud. My personal preference is to leverage a NetScaler physical or virtual appliance within your resource location as the benefits of a NetScaler far exceed and go above and beyond that of a simple ICA Proxy gateway for XenApp/XenDesktop. Perhaps a follow-up blog article why I presume NetScaler in the resource location from my personal view point only or I may decide to update this blog article.

To better understand how to best secure or harden your Cirix Cloud implmentation and its services please refer to – http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/secure-deployment-guide-for-the-citrix-cloud-platform.html for leading best practises, process & procedures and configuration requirements.

Citrix Cloud Connector
The following is deep dive overview of Citrix Cloud connector technology for all the services with the exception of the Smart Tools service which leverages its own connector which is used to check your Citrix workloads, scale up/down and or even build or tear down workloads in resource location(s) via blueprints.

Installation & Troubleshooting
You must download and only install the Citrix Cloud Connector for your resource location from “Identity and Access Management” that matched your domain forest, don’t mix and match these! The installation is fairly straight forward and simple as descriobed and outlined at http://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector/installation.html, once the installation completes wait for the connectvity test to pop-up and complete successfully prior to navigating back to Citrix Cloud to validate that the Connector has scuessfully registered with Citrix Cloud+.

You can also perform automated installation leveraging the following command line arguments when installing the Connector “CWCConnector.exe /q /Customer:Customer /ClientId:ClientId /ClientSecret:ClientSecret /ResourceLocationId:ResourceLocationId /AcceptTermsOfService:true.

Although the Connector communicates outbound on HTTPS 443 it make also require one or more of the following ports outbound only as described at – http://docs.citrix.com/en-us/citrix-cloud/overview/get-started/secure-deployment-guide-for-the-citrix-cloud-platform.html for one or more of the Citrix Cloud Services so please consultant the documenation for each Service carefuly for high security enviroments to ensure that the organisations firewall ACL’s for the PoC are correctly configured.

You can install hypervisor tools, anti-virus software (Tested as of 26/10/2016++ McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.8) on your VM instances that have the Citrix Cloud Connector technology installed however it is not recommended to install any other software or unnecessary system services nor should you allow any domain users access unless they are a Domain or System administrator of the Citrix environment. In summary treat these Connectors as you would your XAD Controller(Broker).

The installation logs are available at “%LOCALAPPDATA%\Temp\CitrixLogs\CloudServicesSetup” and post the installation its consolidated to the following location “%ProgramData%\Citrix\WorkspaceCloud\InstallLogs“.

Understanding Credential Handling
Coming…http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html

Monitoring your Citrix Cloud Services
1. http://status.cloud.com/ is your friend and will provide you with vital up to date information about the Citrix Cloud platform (control plane or SaaS tier) and each of its Services e.g XenApp and XenDesktop Service or Smart Tools.
2. Monitor the following Connector services described below ++
3. The leading best practises is for the Citrix Cloud Connectors to not be offline longer than two weeks as the connectors are regularly updated from Citrix Cloud with the latest updates (Evergreen) which is why each resource location requires at a bare min 2x or a pair of Connectors.

Connectivity & High-Availability
The Citrix Cloud Connector firstly should always be implemented in pairs at a minimum within any resource location and installed onto either Windows Server 2012 R2 or 2016 AD joined VM instances. The connectors are stateless and brokering requests are load-balanced via Citrix Cloud to the connectors within your resource location(s) and if a connector does not respond the queued tasks are redistributed to the remaining connector(s). As the connectors are stateless this also means that they do store any mgmt configuration for Citrix Workloads at the resource location as this is held within the Citrix Cloud by the Service that you are utilising e.g XenApp and XenDesktop Service.

+If you setup a PoC with a single Connector it will probably display as amber for a period of time prior to turning green as you have only configured 1x Connector for your resource location. You can check your Connector status for your resource locations by navigating from https://citrix.cloud.com/ to https://citrix.cloud.com/identity and under “Domains” select your domain forest(s) and expand it and you can review your Connectors name e.g servername.dommain e.g connector1.x1co.eu and its status (red, amber or green).

The leading best practise for h/a at your resource location is for your Citrix Cloud Connectors to be implemented as N+1 for redundancy – – https://en.wikipedia.org/wiki/N%2B1_redundancy.

Logs & Services++ of the Connector
The Connector logs are stored at “C:\ProgramData\Citrix\WorkspaceCloud\Logs or use %ProgramData%\Citrix\WorkspaceCloud\Logs” for verifying ongoing communication and helping with troubleshooting. Once the log(s) size exceeds a certain threshold its deleted BUT Administrators are able to control the log retention size by adjusting the following entry in the Windows registry “HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CloudServices\AgentAdministration\MaximumLogSpaceMegabytes” to meet your organisations logging/auditing requirements.

The core four primary functions/roles of the Connector are Authentication, Proxy, Provisioning and Identity which are powered by the following Citrix Cloud services listed below (as of Jan 2017). You can view a detailed architecture technical diagram of the Connector under the XenApp and XenDesktop Service online documentation at – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html.

Connector Functions/Roles
For a more accurate diagram please check out – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html

Authentication Proxy Provisioning Identity
↕
NetScaler
Unified Gateway
StoreFront
(Optional)

↕
Hypervisor 
Server VDA
 Server 2012 R2, 2016
Desktop VDA
Windows 10
↕

Active Directory, DNS

I’ll update this section with what each of the Connector services actually does

Citrix Cloud AD Provider
Citrix Cloud Agent Logger
Citrix Cloud System
Citrix Cloud WatchDog
Citrix Cloud Credential Provider
Citrix Cloud WebRelay Provider
Citrix Cloud Config Synchronizer Service
Citrix Cloud High Availability Service
Citrix Cloud NetScaler Cloud Gateway
Citrix Cloud Remote Broker Provider
Citrix Cloud Remote HCL Server
Citrix Cloud Session Manager Proxy

Citrix Cloud PoC Guide for the XenApp and XenDesktop Service
I have writen a fairly detailed blog article describing how-to deploy the XenApp and XenDesktop Service here.

Front XenApp 7.11+ in Azure with NetScaler (Unified) Gateway 11.x.n

The following content is a brief and unofficial overview of how-to front your virtual apps & desktops powered by XenApp 7.11 with NetScaler 11.x.n using Microsoft Azure (ARM). The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions, best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENAPP – xa
XENSERVER – xs
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
INDEPENDENT COMPUTING ARCHITECTURE – ica
NETSCALER – ns
NETSCALER UNIFIED GATEWAY – nsug
AZURE RESOURCE MANAGER – arm
IDENTITY ACCESS & MANAGEMENT – iam
MULTI-FACTOR AUTHENTICATION – mfa
SECURITY ASSERTION MARKUP LANGUAGE – saml

Why this Blog Article?
I’ve had a lot of cloud 1st strategy conversations with IT Pro’s, Citrix SysAdmins & organisations alike recently so I thought everyone whom is searching for how-to front XenApp with an Azure NetScaler could benefit from this blog post :-). This blog post covers a how-to even with NetScaler in single IP mode to achieving https://FQDN (Image 2) for the gateway vs. https://FQDN:8443 (Image 1) when deploying NetScaler in Azure (ARM).

Deploying NetScaler 11.x.n using Azure Resource Manager (ARM)
1. Login to https://portal.azure.com
2. I presume that you have setup a your network, IAM if not refer to https://azure.microsoft.com/en-gb/get-started/ for getting started how-to from Microsoft.
3. Click on + New in the top left of the ARM web ui and type in NetScaler and select NetScaler VPX Bring Your Own License or for a quick review check out – https://azure.microsoft.com/en-gb/marketplace/partners/citrix/netscalervpx110-6531/.
4. Click Create
5. Enter in a name for your NS virtual appliance e.g ne1nug01 and select the VM disk type
5. Enter in a username and choose auth to be either SSH public key or Password I choose password to access the NS Admin WebUI for simplicity of all readers of this blog.
6. Select your chosen of default Subscription if you have more than one and then select your existing Resource Group where you XenApp 7.11+ environment and XenApp 7.11+ VDA Workers and your mgmt. VM running AD/DNS server resides. Remember I am keeping this simple as it’s intended for PoC’s only!
7. Continue to select your chosen Azure instance for NetScaler I choose DS2_V2 Standard which consists of 2 Cores, 7GB of RAM.
8. Select your storage account, virtual network & subnet e.t.c and high availability set then click Select to continue.
9. Review your purchase of NetScaler and then click Ok to purchase and Azure will begin building your NetScaler VPX in your Azure chosen subscription which will take no more typically than 10 minutes.

Setting up & Licensing your NetScaler on Azure
Firstly be aware that when deploying a NetScaler instance on Azure for virtual apps & desktops you’ll be setting up NetScaler to run in single IP mode (YES!) which means that you’re connecting to internal TRU resources on the NetScalers IP addr (NSIP) but you connect using different ports e.g ICA Proxy on 8443 so lets begin with the setup.

1. Login into your NetScaler using the NS Admin Web UI do not provide a SubnetIP Addr (SNIP) just select Do It Later and proceed with the initial setup as per normal.
2. Now that you have setup your NetScaler you need to license it so remain logged into and open a new tab in your browser of choice and Google β€œCitrix Eval Store” or save this link – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700
3. Select under Networking -> NetScaler ADC
4. Next select the following model “VPX” select variation e.g “Platinum 1000” select duration e.g “90 Days”.
5. Complete the onscreen process note that you will require a .Citrix.com account or you need to create an account.
6. Once you receive an e-mail with your key/code head over to at https://www.citrix.com/account/toolbox/manage-licenses/allocate.html or goto and select find and allocate your licenses or look for the licensing button (link) and select it.
7. If your key/code it not visible select β€œDon’t see your product?” in text in/around the top right-hand side. A pop-up appears now enter in the code provided on e-mail from the Citrix Eval Store e.g β€œCTX34-XXXXX-XXXXX-XXXXX-XXXXX” and continue.
8. You will need to enter in the Host Id of your NetScaler it can be found once logged in using the NS Admin Web UI “NetScaler -> System -> System Information” then look under the heading “Hardware Information” and you find “Host Id” copy and paste it into the required field and then download the license file.
9. In the NS Admin Web UI click the cog icon top right then select licensing and upload the license and select to reboot the NS to apply the license.
10. Log back in and enable the features that you require e.g right click on the “NetScaler Gateway” and select “enable” e.t.c

Setup Type Choice 8443 Default without an Azure L/B for XenApp using the XenApp/XenDesktop Wizard
Now that you have setup NetScaler within your Azure subscription in your chosen region you’re ready to begin setting up NetScaler to front virtual apps & desktops (Server OS 2012 R2 or 2016) powered by XenApp 7.11+.

Sample Text Based Diagram

User Azure NetScaler StoreFront XenApp
https://FQDN:8443/ ↔ Accepts requests from Azure to NSIP on https://8443 (Single IP Mode) Accepts requests on the Gateway & Call-back FQDN on https://FQDN:8443 Accepts & launches user’s virtual app(s) & desktop(s) as requested

1. Login to your NetScaler VPX click “Settings -> Licensing” now check that License type is Platinum and Model ID 1000
2. Select the XenApp/XenDesktop wizard and review the prerequisites carefully prior to continuing BUT in summary you’ll need an SSL Cert, LDAP service account + details, XenApp 7.11+ environment with StoreFront.
3. Enter in the static IP addr assigned by Azure or OTHER METHOD of your NetScaler VPX YES that’s right!
4. IMPORTANT STEP: Change the default port of 443 to 8443 on the Gateway IP addr
5. Set Up the rest of the XAD wizard as normal
6. IMPORTANT STEP: Setup StoreFront to allow remote access however the configured default gateway and Call-back FQDN addresses MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu
7. Setup external DNS entries e.g go.x1co.eu to point to your NetScalers static IP addr found in the Azure ARM Web UI and once you have verified it is functioning correctly using a shell (IPCONFIG /FLUSH after settin-up the DNS entries waiting 10-15 min depednant upon your ISP) the open up an internet browser and type in e.g https://go.x1co.eu:8443 and dont forget the :8443 at the end of the FQDN.
8. Attempt to login either using sAMAccountName e.g username or userPrincipalname e.g username@x1co.eu and then you should be able to successfully login and launch your virtual apps & desktop as per the below image.

Image 1


Setup Type 443 for XenApp using an Azure Load-Balancer & the NetScaler XenApp/XenDesktop Wizard

Sample Text Based Diagram

User Azure Azure Load-Balancer NetScaler StoreFront XenApp
https://FQDN/ https received request and forwarded to NetScaler on https://FQDN:8443

Accepts requests from Azure L/B on https://FQDN fwd to NSIP on https://8443 (Single IP Mode) Accepts requests on the Gateway from HTTPS://FQDN but the Call-back FQDN is on https://FQDN:8443 Accepts & launches user’s virtual app(s) & desktop(s) as requested
↔ https://FQDN ↔ AzureL/B β†” NetScaler:8443 NetScaler https://FQDN:8443 β†”https://FQDN StoreFront StoreFront Call-back https://FQDN:8443
StoreFront configured NetScaler Gateway https://FQDN

1. If you are choosing this option as your preferred lets hope then complete steps 1-5 and also step 7 to save you time!
2. IMPORTANT STEP: Setup StoreFront to allow remote access however the configured default gateway MUST BE e.g https://go.x1co.eu NOTICE NO :8433 YES not :8443 here. Now on the call-back FQDN addresses YOU MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu otherwise fronting NS with an Azure L/B to acheive HTTPS://FQDN for the XAD Gateway (ICA Proxy) will NOT WORK!!!!
3. Now switch to the Azure ARM Web UI. You should probably read the following useful resources – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-overview/ and for PowerShell creation check out – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-get-started-internet-arm-ps/ for any Citrix consultants out there.
4. Azure Load-balancer and click on the “+” at the top and provide a “Name” and for the type choose “Pubic” and select your Azure “Subscription” “Existing Resource Group” and its location (Same as NetScaler deployed instance) then click “Create”
5. Now it will list the available public IP addr just select the “+”
6. Enter in a name and choose your assignment choice “Dynamic” vs. “Static” and click OK.
7. Azure will then provision your Azure L/B (Wait….Maybe coffee or tea break?)
8. Once created select your Azure L/B
9. Select “Backend Pools” enter in a name then choose your availability set and then your VM’s or VM e.g NetScaler. Azure will then provision your Azure L/B with a backend pool (Wait….)
10. Select “Frontend IP Pool” click “+” enter in a name then choose your IP addr e.g NetScaler VM and then enter in a name (all names should differ makes identification easier so a good naming convention helps πŸ™‚ now) and choose your assignment choice “Dynamic” vs. “Static” and click OK (Updating….)
11. IMPORTANT STEP: Select “Inbound NAT Rules” select the resource from your Frontend IP Pool list from the previous point (10). Select the service “HTTPS” and port to be 443 then select the target “NetScaler VM” and then vErY iMpOrtAnt select under “Port Mapping -> Custom” and in the “Target Port enter in 8443” and click save. (Wait…)
12: Now navigate to https://FQDN and attempt to login either using either sAMAccountName e.g username or userPrincipalname e.g username@x1co.eu and thereafter you should be able to successfully launch your virtual apps & desktop published by XenApp 7.11+. The below image represents the end goal when fronting an Azure NetScaler in Single IP Mode with an Azure Load-Balancer as per the below image.

NetScaler VPX in Azure Deployment Guide
http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/NetScaler-VPX-in-AZURE-Deployment-Guide.pdf

Advanced Setup & Configuration
The following how-to’s are from a 2016 Citrix Technology Advocates (CTA) – https://www.citrix.com/blogs/2016/05/23/expanding-recognition-for-community-contributors-citrix-technology-advocates/ Dave Bretty – http://bretty.me.uk/ which covers off how-to setup and configure FAS, NetScaler SAML/ADFS Proxy, Azure MFA and much more, so follow the links in order listed below.

1. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-1/
2. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-2/
3. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-3/
4. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-4/
5. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-5/
6. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-6/