
Deploying & Understanding the NetScaler Gateway Service from Citrix Cloud

The following content is a brief and unofficial prerequisites guide to better understand the NetScaler Gateway Service from Citrix Cloud and to test delivering virtual apps and desktops powered by the XenApp & XenDesktop Service prior to deploying in a PoC, Pilot or Production environment. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
NETSCALER GATEWAY SERVICE – nsg service or ngs
CITRIX CLOUD CONNECTOR – connector
NETSCALER – ns
HIGH-AVAILABILITY – h/a
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
CITRIX CLOUD – cc
INFRASTRUCTURE AS A SERVICE – iaas
VIRTUAL APPLIANCE – vpx
USER EXPERIENCE – ux
ICA PROXY – hdx proxy

Introduction & Overview
The NetScaler Gateway Service is a simple, clean, effortless and, most importantly, powerful way to demonstrate the power of Citrix Cloud by providing secure remote access to your HDX virtual apps and desktops from your resource location over the internet (HTTPS). While this service is very powerful and simple to implement and use, you should keep in mind that NS VPX/MPX/SDX is fully featured vs. the NSG Service, which is focused on delivery of HDX virtual apps & desktops! So in summary, when implementing the service, understanding what is right vs. relevant for the customer's needs and requirements is very important. Finally, you can read more about the service and its benefits at https://www.citrix.com/products/citrix-cloud/services.html.

+Enabling the NetScaler Gateway Service
1. Login to https://citrix.cloud.com
2. Select to Manage your XAD Service which will take you to https://xenapp.cloud.com/.
3. Select from the drop down menu “Service Delivery”, which is beneath the top menu item displayed as “Service Creation”.
4. Now toggle “ON” and choose to use the NSG Service (preferred for this blog article only) or your own NetScaler (Unified) Gateway at your resource location. If you enable the NSG Service you can choose to check the session reliability (2598) checkbox.

The UX
Users connect to https://.xendesktop.net and then log in using their AD UPN domain credentials e.g lyndon-jon@x1co.eu, and the user’s credentials are encrypted throughout the login process. Users can equally choose between a full Citrix Receiver (HDX Optimisation Pack 2.x.n for offloading Skype for Business 2015-2016) vs. HTML5 Receiver (HTML5 compliant internet browser) experience by selecting their username in the top right-hand corner and selecting “Change Receiver” to switch to their preferred choice of Receiver. It is also important to set the correct +HDX Policy to get a UX that is good and balanced (backend vs. network vs. client connected device), so I’d suggest that you implement HDX Adaptive Display v2 by selecting the policy entitled “Use video codec for compression” with the option “For actively changing regions”, and thereafter tweak the frame rate and adjust the Thinwire color depth support as described at http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/whats-new.html#par_anchortitle_59c9. You can also read more about the benefits and watch a YouTube demonstration of HDX Adaptive Display v2 in the blog article I wrote in 2016 at – http://axendatacentre.com/blog/2016/10/01/foractivelychangingregions/.

HDX Traffic flow of the NSG Service
Please note that the traffic flow is based upon the diagram available at – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/netscaler-gateway-as-a-service.html as of Jan 2017.

1. User MUST log in to the cloud hosted StoreFront e.g https://.xendesktop.net. Their credentials are securely handled; please refer to – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html to understand the traffic flow.
2. Once the user has authenticated successfully he/she can select to launch a virtual app or desktop.
3. User connects to the NSG Service powered by Citrix Cloud.
4. Traffic is securely brokered to the Connector in your resource location that is serving up the user’s selected virtual app or desktop or both from the server or desktop VDA.

Tech Overview of the NSG Service
1. The Citrix Cloud NetScaler Cloud Gateway service on your Connector provides the secure remote access feature of the NSG Service from your chosen resource location. I have written a blog article about the Connector services and leading best practices which you can read at – http://axendatacentre.com/blog/2017/01/27/understanding-the-citrix-cloud-its-services-architecture-connectors/.
2. To ensure high availability you should always deploy at a minimum a pair of Connectors within your resource location, increase the compute capacity of your Connectors as user demand increases initially, and thereafter deploy another Connector based upon usage of the service.
3. *To use the NSG Service you MUST configure it to use the cloud-hosted StoreFront provided by Citrix Cloud under the “Service Delivery” tab at https://xenapp.cloud.com/delivery.
4. The NSG Service supports HDX traffic only, and the service is currently only available on the Eastern and Western coasts of the USA and in Europe, so users accessing virtual apps and desktops via the NSG Service from outside of these geos, or not in close proximity to an entry point, will experience higher latency; tweak your HDX policy(s)+ accordingly or deploy a NS VPX in your resource location.
5. ICA files are STA signed; the below example is a small snippet from my own PoC and testing*. I have also intentionally scrambled some of the text too :-).

Sample ICA file
[My Azure vDesktop $S19-38]
Address=;40;CWSSTA;9D09CE5552BDE4581E888CD87EEEEFC
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPSecurityTicket=On
ClearPassword=5FFE184444B0A0
ClientAudio=On
ConnectionBar=1
DesiredColor=8
DesiredHRES=4294967295
DesiredVRES=4294967295
DesktopRestartAllowed=1
Domain=\78034E8888586B61
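
A launch file issued for access through the gateway carries an STA ticket in its Address key, as in the snippet above, rather than a host and port. The following check is an added example, not code from the original post or from Citrix; it assumes the ticket layout `;version;STA id;ticket` seen in the snippet, and the two launch files embedded in it are constructed samples.

```python
import re

# Address layout seen in the snippet above: ";<version>;<STA id>;<ticket>".
# Treating that layout as the general ticket form is an assumption of this example.
STA_ADDRESS = re.compile(r"^;(?P<version>\d+);(?P<sta_id>[^;]+);(?P<ticket>[^;]+)$")

# Constructed launch files (not captured from a real deployment).
GATEWAY_ICA = """\
[ApplicationServers]
Demo Desktop=

[Demo Desktop]
Address=;40;CWSSTA;0123456789ABCDEF0123456789ABCDEF
CGPSecurityTicket=On
ClientAudio=On
"""

DIRECT_ICA = """\
[ApplicationServers]
Demo Desktop=

[Demo Desktop]
Address=10.0.0.25:1494
ClientAudio=On
"""


def parse_ica(text):
    """Parse INI-style ICA text into {section: {lower-cased key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            # Split on the first "=" only: ticket values start with ";".
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def classify_address(value):
    """Return (kind, sta_id): kind is 'sta-ticket', 'direct' or 'missing'."""
    value = (value or "").strip()
    if not value:
        return "missing", None
    match = STA_ADDRESS.match(value)
    if match:
        return "sta-ticket", match.group("sta_id")
    return "direct", None


def audit_launch_file(text):
    """Report every section that has an Address key and whether it is ticketed."""
    findings = []
    for name, keys in parse_ica(text).items():
        if "address" not in keys:
            continue  # e.g. [ApplicationServers] only lists the app names
        kind, sta_id = classify_address(keys["address"])
        findings.append({
            "section": name,
            "address_kind": kind,
            "sta_id": sta_id,
            "cgp_ticket": keys.get("cgpsecurityticket", "").lower() == "on",
            "ok": kind == "sta-ticket",
        })
    return findings


if __name__ == "__main__":
    for label, text in (("gateway", GATEWAY_ICA), ("direct", DIRECT_ICA)):
        for finding in audit_launch_file(text):
            print(label, finding)
```

A section reported as `direct` means the launch file addresses the session host itself instead of presenting a ticket.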

The NSG Service currently does not support, or is limited in, the following as of writing this blog article in Jan 2017, based upon the embedded Twitter image – http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/netscaler-gateway-as-a-service.html. Finally, please remember that Citrix Cloud is constantly being updated and upgraded with new features, so please refer to the online documentation and the service overview of Citrix Cloud, even a day after this blog article was posted, as it may become out of date! You’ve been warned!

6. No support for Unified experiences (e.g Branding with your logo, colour scheme).
7. No support for Two Factor Authentication.
8. No support for authentication via outbound proxies for access outside of the resource location over the internet.

Citrix Cloud – NetScaler Gateway Service (NGS) Offering
You can find out more about the NGS subscription options, which are available at – https://www.citrix.com/products/citrix-cloud/subscriptions.html#tab-41499 and the service overview at – https://www.citrix.com/products/citrix-cloud/services.html#tab-23235

Front XenApp 7.11+ in Azure with NetScaler (Unified) Gateway 11.x.n

The following content is a brief and unofficial overview of how to front your virtual apps & desktops powered by XenApp 7.11 with NetScaler 11.x.n using Microsoft Azure (ARM). The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENAPP – xa
XENSERVER – xs
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
INDEPENDENT COMPUTING ARCHITECTURE – ica
NETSCALER – ns
NETSCALER UNIFIED GATEWAY – nsug
AZURE RESOURCE MANAGER – arm
IDENTITY ACCESS & MANAGEMENT – iam
MULTI-FACTOR AUTHENTICATION – mfa
SECURITY ASSERTION MARKUP LANGUAGE – saml

Why this Blog Article?
I’ve had a lot of cloud 1st strategy conversations with IT Pros, Citrix SysAdmins & organisations alike recently, so I thought everyone who is searching for how to front XenApp with an Azure NetScaler could benefit from this blog post :-). This blog post covers a how-to, even with NetScaler in single IP mode, for achieving https://FQDN (Image 2) for the gateway vs. https://FQDN:8443 (Image 1) when deploying NetScaler in Azure (ARM).

Deploying NetScaler 11.x.n using Azure Resource Manager (ARM)
1. Login to https://portal.azure.com
2. I presume that you have set up your network and IAM; if not, refer to https://azure.microsoft.com/en-gb/get-started/ for a getting started how-to from Microsoft.
3. Click on + New in the top left of the ARM web ui and type in NetScaler and select NetScaler VPX Bring Your Own License or for a quick review check out – https://azure.microsoft.com/en-gb/marketplace/partners/citrix/netscalervpx110-6531/.
4. Click Create
5. Enter in a name for your NS virtual appliance e.g ne1nug01 and select the VM disk type
6. Enter in a username and choose auth to be either SSH public key or Password. I chose password to access the NS Admin WebUI for simplicity for all readers of this blog.
7. Select your chosen or default Subscription if you have more than one and then select your existing Resource Group where your XenApp 7.11+ environment, XenApp 7.11+ VDA Workers and your mgmt. VM running AD/DNS server reside. Remember I am keeping this simple as it’s intended for PoC’s only!
8. Continue to select your chosen Azure instance for NetScaler. I chose DS2_V2 Standard, which consists of 2 Cores, 7GB of RAM.
9. Select your storage account, virtual network & subnet etc. and high availability set, then click Select to continue.
10. Review your purchase of NetScaler and then click Ok to purchase, and Azure will begin building your NetScaler VPX in your chosen Azure subscription, which will typically take no more than 10 minutes.

Setting up & Licensing your NetScaler on Azure
Firstly, be aware that when deploying a NetScaler instance on Azure for virtual apps & desktops you’ll be setting up NetScaler to run in single IP mode (YES!), which means that you’re connecting to internal TRU resources on the NetScaler’s IP addr (NSIP) but you connect using different ports e.g ICA Proxy on 8443, so let’s begin with the setup.

1. Log in to your NetScaler using the NS Admin Web UI. Do not provide a SubnetIP Addr (SNIP), just select Do It Later and proceed with the initial setup as per normal.
2. Now that you have set up your NetScaler you need to license it, so remain logged in and open a new tab in your browser of choice and Google “Citrix Eval Store” or save this link – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700
3. Select under Networking -> NetScaler ADC
4. Next select the following model “VPX” select variation e.g “Platinum 1000” select duration e.g “90 Days”.
5. Complete the onscreen process; note that you will require a Citrix.com account or you need to create an account.
6. Once you receive an e-mail with your key/code head over to https://www.citrix.com/account/toolbox/manage-licenses/allocate.html or goto and select find and allocate your licenses or look for the licensing button (link) and select it.
7. If your key/code is not visible select the “Don’t see your product?” text in/around the top right-hand side. A pop-up appears; now enter in the code provided by e-mail from the Citrix Eval Store e.g “CTX34-XXXXX-XXXXX-XXXXX-XXXXX” and continue.
8. You will need to enter in the Host Id of your NetScaler. It can be found once logged in using the NS Admin Web UI under “NetScaler -> System -> System Information”; look under the heading “Hardware Information” and you will find “Host Id”. Copy and paste it into the required field and then download the license file.
9. In the NS Admin Web UI click the cog icon top right, then select licensing, upload the license and select to reboot the NS to apply the license.
10. Log back in and enable the features that you require e.g right click on the “NetScaler Gateway” and select “enable” etc.

Setup Type Choice 8443 Default without an Azure L/B for XenApp using the XenApp/XenDesktop Wizard
Now that you have setup NetScaler within your Azure subscription in your chosen region you’re ready to begin setting up NetScaler to front virtual apps & desktops (Server OS 2012 R2 or 2016) powered by XenApp 7.11+.

Sample Text Based Diagram

User → Azure → NetScaler → StoreFront → XenApp
User: https://FQDN:8443/
NetScaler: Accepts requests from Azure to NSIP on https://8443 (Single IP Mode)
StoreFront: Accepts requests on the Gateway & Call-back FQDN on https://FQDN:8443
XenApp: Accepts & launches user’s virtual app(s) & desktop(s) as requested

1. Login to your NetScaler VPX click “Settings -> Licensing” now check that License type is Platinum and Model ID 1000
2. Select the XenApp/XenDesktop wizard and review the prerequisites carefully prior to continuing BUT in summary you’ll need an SSL Cert, LDAP service account + details, XenApp 7.11+ environment with StoreFront.
3. Enter in the static IP addr of your NetScaler VPX, assigned by Azure or OTHER METHOD. YES that’s right!
4. IMPORTANT STEP: Change the default port of 443 to 8443 on the Gateway IP addr.
5. Set up the rest of the XAD wizard as normal.
6. IMPORTANT STEP: Set up StoreFront to allow remote access; however, the configured default gateway and Call-back FQDN addresses MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu
7. Set up external DNS entries e.g go.x1co.eu to point to your NetScaler’s static IP addr found in the Azure ARM Web UI. Once you have verified it is functioning correctly using a shell (IPCONFIG /FLUSHDNS after setting up the DNS entries and waiting 10-15 min, dependent upon your ISP), then open up an internet browser and type in e.g https://go.x1co.eu:8443, and don’t forget the :8443 at the end of the FQDN.
8. Attempt to log in using either sAMAccountName e.g username or userPrincipalname e.g username@x1co.eu, and then you should be able to successfully log in and launch your virtual apps & desktop as per the below image.

Image 1


Setup Type 443 for XenApp using an Azure Load-Balancer & the NetScaler XenApp/XenDesktop Wizard

Sample Text Based Diagram

User → Azure → Azure Load-Balancer → NetScaler → StoreFront → XenApp
User: https://FQDN/
Azure Load-Balancer: https received request and forwarded to NetScaler on https://FQDN:8443
NetScaler: Accepts requests from Azure L/B on https://FQDN fwd to NSIP on https://8443 (Single IP Mode)
StoreFront: Accepts requests on the Gateway from HTTPS://FQDN but the Call-back FQDN is on https://FQDN:8443
XenApp: Accepts & launches user’s virtual app(s) & desktop(s) as requested

https://FQDN ↔ Azure L/B ↔ NetScaler:8443
NetScaler https://FQDN:8443 ↔ https://FQDN StoreFront
StoreFront Call-back https://FQDN:8443
StoreFront configured NetScaler Gateway https://FQDN

1. If you are choosing this option as your preferred one (let’s hope so), then complete steps 1-5 and also step 7 above to save you time!
2. IMPORTANT STEP: Set up StoreFront to allow remote access; however, the configured default gateway MUST BE e.g https://go.x1co.eu. NOTICE NO :8443, YES, no :8443 here. Now on the call-back FQDN addresses YOU MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu, otherwise fronting NS with an Azure L/B to achieve HTTPS://FQDN for the XAD Gateway (ICA Proxy) will NOT WORK!!!!
3. Now switch to the Azure ARM Web UI. You should probably read the following useful resources – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-overview/ and for PowerShell creation check out – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-get-started-internet-arm-ps/ for any Citrix consultants out there.
4. Select Azure Load-balancer and click on the “+” at the top, provide a “Name”, for the type choose “Public”, select your Azure “Subscription”, “Existing Resource Group” and its location (same as the NetScaler deployed instance), then click “Create”.
5. Now it will list the available public IP addr just select the “+”
6. Enter in a name and choose your assignment choice “Dynamic” vs. “Static” and click OK.
7. Azure will then provision your Azure L/B (Wait….Maybe coffee or tea break?)
8. Once created select your Azure L/B
9. Select “Backend Pools” enter in a name then choose your availability set and then your VM’s or VM e.g NetScaler. Azure will then provision your Azure L/B with a backend pool (Wait….)
10. Select “Frontend IP Pool”, click “+”, enter in a name, then choose your IP addr e.g NetScaler VM and then enter in a name (all names should differ, which makes identification easier, so a good naming convention helps 🙂), choose your assignment choice “Dynamic” vs. “Static” and click OK (Updating….)
11. IMPORTANT STEP: Select “Inbound NAT Rules” and select the resource from your Frontend IP Pool list from the previous point (10). Select the service “HTTPS” and port to be 443, then select the target “NetScaler VM” and then, vErY iMpOrtAnt, select “Port Mapping -> Custom”, enter 8443 in the “Target Port” field and click save. (Wait…)
12. Now navigate to https://FQDN and attempt to log in using either sAMAccountName e.g username or userPrincipalname e.g username@x1co.eu, and thereafter you should be able to successfully launch your virtual apps & desktop published by XenApp 7.11+. The below image represents the end goal when fronting an Azure NetScaler in Single IP Mode with an Azure Load-Balancer.
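
Both setup types above depend on the same port chain: the StoreFront gateway URL must land on the 8443 gateway port on the NSIP (directly, or through the 443 to 8443 inbound NAT rule), and the call-back URL must always carry :8443. The following consistency check is an added example, not part of the original post or of any Citrix or Azure tooling; the function names and the tuple form used for NAT rules are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Gateway port on the NSIP in single IP mode, as used throughout the post.
VSERVER_PORT = 8443


def https_port(url):
    """Return the effective TCP port of an https URL (443 when none is given)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {url!r}")
    return parts.port or 443


def check_storefront_urls(gateway_url, callback_url, nat_rules=(),
                          vserver_port=VSERVER_PORT):
    """Check StoreFront's gateway and call-back URLs against the port chain.

    nat_rules holds (frontend_port, target_port) pairs for the Azure L/B
    inbound NAT rules; leave it empty for the setup without an Azure L/B.
    Returns a list of problems; an empty list means the URLs are consistent.
    """
    problems = []
    gw_port = https_port(gateway_url)
    cb_port = https_port(callback_url)

    if nat_rules:
        # With the L/B, users arrive on a frontend port that must be mapped
        # to the gateway port on the NetScaler.
        targets = [target for frontend, target in nat_rules if frontend == gw_port]
        if not targets:
            problems.append(
                f"gateway URL uses port {gw_port} but no inbound NAT rule listens on it")
        elif vserver_port not in targets:
            problems.append(
                f"NAT rule for port {gw_port} targets {targets}, not {vserver_port}")
    elif gw_port != vserver_port:
        # Without the L/B, users must hit the gateway port directly.
        problems.append(
            f"gateway URL uses port {gw_port}; without an L/B it must be {vserver_port}")

    if cb_port != vserver_port:
        problems.append(
            f"call-back URL uses port {cb_port}; it must be {vserver_port}")
    return problems


if __name__ == "__main__":
    # Constructed cases using the post's example FQDN.
    cases = [
        ("8443 only, correct", "https://go.x1co.eu:8443", "https://go.x1co.eu:8443", ()),
        ("8443 only, port left off", "https://go.x1co.eu", "https://go.x1co.eu:8443", ()),
        ("L/B, correct", "https://go.x1co.eu", "https://go.x1co.eu:8443", [(443, 8443)]),
        ("L/B, call-back typo", "https://go.x1co.eu", "https://go.x1co.eu:8433", [(443, 8443)]),
    ]
    for label, gateway, callback, rules in cases:
        print(label, "->", check_storefront_urls(gateway, callback, rules) or "OK")
```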

NetScaler VPX in Azure Deployment Guide
http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/NetScaler-VPX-in-AZURE-Deployment-Guide.pdf

Advanced Setup & Configuration
The following how-to’s are from a 2016 Citrix Technology Advocate (CTA) – https://www.citrix.com/blogs/2016/05/23/expanding-recognition-for-community-contributors-citrix-technology-advocates/ – Dave Bretty – http://bretty.me.uk/ – and cover how to set up and configure FAS, NetScaler SAML/ADFS Proxy, Azure MFA and much more, so follow the links in the order listed below.

1. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-1/
2. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-2/
3. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-3/
4. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-4/
5. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-5/
6. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-6/

Deploying a PoC with the Citrix Workspace Cloud (CWC) Apps & Desktop Service now Citrix Cloud XenApp and XenDesktop Service (Draft)

The following content is a brief and unofficial prerequisites guide to set up, configure and test delivering virtual apps and desktops powered by Citrix Workspace Cloud (CWC) – App’s & Desktop Service with an AWS EC2 resource location prior to deploying in a PoC, Pilot or Production environment. The views, opinions and concepts expressed are those of the author of this entry only and do not necessarily conform to industry descriptions or best practices. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
AMAZON WEB SERVICES – aws
SECURITY GROUPS – sg
ELASTIC COMPUTE CLOUD – ec2
HYBRID CLOUD PROVISIONING – hcp
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
INDEPENDENT COMPUTING ARCHITECTURE – ica
CITRIX WORKSPACE CLOUD CONNECTOR – cwc connector/agent
EXPERIENCE 1st – x1
VIRTUAL DESKTOP – vd
VIRTUAL APPS – va
INFRASTRUCTURE AS A SERVICE – iaas
CITRIX WORKSPACE CLOUD – cwc
CITRIX LIFECYCLE MANAGE

Video Citrix Workspace Cloud: How It Works

PoC Introduction & Overview (This is a Public Draft Blog Article & May Contain Some Errors)
In this particular instance I will be deploying a Citrix Workspace Cloud (CWC) PoC using the Apps & Desktop service, which is a Citrix online service and is essentially made up of five components in my personal view. These are: people (Users, Consultants & SysAdmins); the Control Plane, which is hosted by Citrix and is highly available and accessible at – https://workspace.cloud.com/; Resource Locations, which could be private, public (IaaS) or hybrid clouds which host and run your actual Citrix workloads e.g server or desktop OSes with the VDAs installed and optionally StoreFront and/or NetScaler Unified Gateway; Receiver, for access to your published virtual apps & desktops; and finally the CWC connector, which makes everything just work safely & securely.

Please note that I will update this blog post with a how-to re deploying NS for remote access from AWS EC2.

Datasheet for Citrix Workspace Cloud
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/explore-workspace-cloud-take-a-test-drive-or-trial.pdf

What you need
For this PoC I may refer to AWS and XenServer concepts as my home lab is deployed in a Hybrid Cloud model e.g some of my Citrix workloads are hosted in AWS EC2 (N.Virginia) while others are running on a XenServer 6.5 SP1+ host at my house in London. You don’t have to use AWS like I am for your PoC; you could use any IaaS provider e.g Azure, Rackspace, Peer1 or even on-prem with your own host(s) running XenServer, Hyper-V and of course vSphere :-).

1 – CWC trial account entitling you to the CWC Apps & Desktop Service and Identity & Access Management e.g for adding users from your domain and to download the CWC Connector.
2 – Your resource location of choice; mine is AWS from here on in throughout this blog article.
3 – 1x Windows Server 2012 R2, which I’ll call VM WDC01, running AD and DNS at a minimum, with the Citrix Receiver (http://receiver.citrix.com) and the CWC Connector downloaded on the desktop (explained later).
4 – 1x Windows Server 2012 R2, domain joined, which I’ll call VM CXA01, with the latest XA 7.8+ Server VDA (https://www.citrix.com/downloads.html, which requires a valid Citrix.com customer/partner account with access details) downloaded.
5 – AWS security groups (on-prem f/w ACL) to allow outbound traffic on TCP 443 (HTTPS) to the Internet, and to allow HTTPS/ICA/HDX/RDS traffic including HDX RealTime ports for audio and video between all VM’s within your chosen network.
6 – Some suggested test application examples could be Microsoft’s Office 2016 or OpenOffice, Notepad ++, The Gimp, Autodesk Viewer. WaRnInG!!! Disclaimer – Please refer to the ISV’s EULA for terms of usage prior to downloading, installing, configuring and publishing virtual apps to test and play with!
7 – *Create friendly DNS entries to be used later for WDC01 e.g a DNS entry of cwccontroller.axendatacentre.com, or you could stick with the host name.domainname format, it’s your choice. Note: Be sure to set up and configure not just fwd. but also reverse DNS resolution/look-up!

Setting up your Resource Location
1 – Login as the Domain Admin on WDC01 and navigate to https://workspace.cloud.com and sign in with your trial access details provided by Citrix.
2 – Select from the list on the very TOP left-hand corner Identity & Access Management next click the plus/+ sign and follow the onscreen prompts to download the CWC Connector/agent.
3 – Before installing the CWC Connector/Agent please be sure to read the following documentation – http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud/what-is-a-workspace-cloud-connector-/workspace-cloud-connector-technical-details.html. Once downloaded, double click on the CWC Connector/agent and when prompted enter in your CWC trial access details. The installation will complete successfully if the access details provided are correct and if 443 HTTPS is enabled outbound to the Internet from WDC01 to https://workspace.cloud.com.
4 – Take a short 1-3 min comfort break, then refresh your web page for https://workspace.cloud.com and navigate back to Identity & Access Management, and you should see your domain appear within the list; then you may proceed. If you don’t, check your firewall ACL’s locally on the Windows server or virtual f/w at the edge of your VPC network and also check that your AWS Security Groups are set up correctly to allow in/outbound access on HTTPS/443.

Note: If you turn off WDC01 you’ll receive an error at this page, and the manage & monitor tabs within the Apps & Desktop Service are NOT accessible until access is restored! Likewise, if you only have 1x CWC Connector/agent then you may see an amber warning under domain within Identity & Access Management, and it is suggested even for a PoC to install 2x instead of 1x.

5 – Log in as a Domain Admin on CXA01 and mount the XA 7.8+ VDA media by right clicking and left clicking on Mount, then navigate to Windows Explorer and double click on the D drive that has recently mounted with the XA 7.8 installation media and proceed to install the Server VDA from the splash screen; or, if you downloaded the Server VDA *.exe (suggested & recommended) from Citrix.com, double click it to install the VDA. In each case you’ll require 2x reboots as per normal, like on-prem installations. However, on CXA01 there is one exception: at the controller step type in cwccontroller.axendatacentre.com* or the hostname.domainname for WDC01 (point to the CWC Connector/agent that you previously installed) and then continue with the installation. Once the installation is completed on CXA01, verify that the VDA has registered and is communicating with WDC01 e.g cwccontroller.axendatacentre.com by reviewing the CWC service or the event logs within Computer Management. Tip: Install the VDA to allow remote connections initially to get your head around how the CWC Apps & Desktop Service actually works.
6 – You’ve now successfully completed setting up your XenApp worker for your chosen resource location; in my case it’s AWS EC2 located out of N.Virginia. If you’re curious about the CWC connector there is a tech overview available at – http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud/what-is-a-workspace-cloud-connector-/workspace-cloud-connector-technical-details.html, so be sure to review it.
7 – Now we need to continue with creating a machine catalog and delivery group in the hosted Studio and, obviously, publishing your virtual apps & desktop (server based).

Create a Machine Catalogue and Delivery Groups to publish Virtual apps & desktops
1 – Now go back to the homepage at https://workspace.cloud.com and to the right of the Apps & Desktop Service click “Manage” to launch the management interface, which provides you with an Overview page (scroll to the bottom to find out your cloud hosted StoreFront address). Tip: If you get a red bar with an error message, check that your CWC Connector/agent at your resource location is up and available and showing as green for your domain at the Identity & Access Management tab!
2 – Scroll to the bottom of the overview web page to find out exactly what your cloud hosted StoreFront addr is. It should follow the format https://{TENANT NAME}.xendesktop.net/Citrix/StoreWeb/. Right click on it to open a new tab and to remain at https://apps.cloud.com/. You should be able to log in using your test AD security group. Tip: You won’t see any published virtual apps or desktops currently as you have not created a machine catalogue or delivery group.
3 – Go back to the Manage Apps & Desktops Service web page and click Manage or Monitor. This will embed a custom, hardened published app version of Studio or Director using the HTML5 Receiver, so please ensure that you are utilising an HTML5 compliant internet browser that supports the HTML5 Receiver.
4 – Assuming you’ve clicked on Manage, firstly navigate to Hosting Connections and create a connection to your chosen resource location, either on-prem or cloud (Private or Public). Details for setting up hosting connections are available at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-8/manage-deployment/connections.html. Once set up, wait 1-2 min before proceeding. You don’t have to, by the way! I do.
5 – Click Machine Catalogue and create one as per normal; for details on how to do so please refer to – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-8/install-configure/machine-catalogs-create.html. Tip: As it’s your first time using the CWC Apps and Desktop service, I’d suggest you create your machine catalogue with a single VM with the VDA installed to allow remote connections, as described earlier, to allow you to get your head around how the CWC Apps and Desktops Service actually works. You don’t have to, it’s your choice.
6 – Click Delivery Groups and create one as per normal as well; please refer to – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-8/install-configure/delivery-groups-create.html for guidance on delivering virtual apps (for Skype for Business 2015 also implement the HDX Optimisation Pack 2.0, check out – https://www.citrix.com/blogs/2016/01/12/citrix-and-microsoft-unveil-v2-solution-for-skype-for-business/ for more information) & desktops (Windows Server 2012 R2). TIP: The name you give your Delivery Group filters through to the Workspaces at – https://workspace.cloud.com/workspaces and becomes the default name of your published virtual apps & desktops services that you will assign to your subscribers’ (users’) workspace.
7 – You’ve now successfully set up a Machine Catalog and Delivery Group using the CWC Apps & Desktop Service to publish virtual apps & a desktop. However, prior to accessing your virtual apps & desktops you’ll need to create a Workspace and add subscribers (users), including which published resources your subscribers (users) are able to access, otherwise they won’t be able to log in nor access any published resources.

You should now have the Server VDA and CWC Connector installed; see the example image below.

Create a Workspace to Deliver published virtual apps & desktops
1 – A workspace consists of a collection of services from CWC e.g Secure Documents (ShareFile), Apps & Desktop Service (XenApp/XenDesktop) and so forth that SysAdmins can combine together to form e.g a Pre-Sales workspace that may consist of a virtual app e.g Skype for Business 2015 that is also offloaded with the HDX Optimisation Pack 2.0 – https://docs.citrix.com/en-us/hdx-optimization/2-0/hdx-realtime-optimization-pack-about.html and a virtual desktop e.g a dedicated Windows 10 or 2012 R2 desktop. A workspace also consists of subscribers (users) who access the workspace, which contains published resources created by Citrix SysAdmins. Please refer to http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud/get-started/creating-and-publishing-a-workspace.html, which explains how to create a workspace and define subscribers and published resources.
2 – Once you have created a Workspace and assigned subscribers and resources, users can log in at https://{TENANT}.xendesktop.net/Citrix/StoreWeb/ from their resource location and gain access to their virtual apps & desktops.
3 – Managing your newly created Workspace is easy following this useful online document from eDocs – http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud/get-started/manage-a-workspace.html.

Example of my virtual desktop (Server based) delivered by CWC using the XenApp 7.8 VDA. I also use the same theme for my complete XenApp 7.8 deployment in AWS yes I have both deployed and configured 🙂

A first for me
This is the first time I’ve written a blog post (primarily) completed in the air traveling from somewhere between London – England, Oslo – Norway and Stockholm – Sweden.

Disclaimer
This blog article should still be considered a draft and may therefore contain errors. I will be updating and adjusting it, time permitting, and adding how to front this CWC Apps & Desktop service deployment in my AWS EC2 resource location with NetScaler Unified Gateway – https://www.youtube.com/watch?v=qT739UoR8d0.

What’s New in XenApp/XenDesktop 7.7

APPLICATION LIMITS – applimits
CONNECTION LEASING – cl
FLEXCAST MANAGEMENT ARCHITECTURE – fma
SKYPE FOR BUSINESS – skype4b

What’s New At A Glance
1: The re-introduction of Zones within the FMA architecture is a leading key NEW feature known as “Multi-geo Zone”.
2: Application Limits (AppLimits) allows you to limit the number of application instances launched, which is also shown in existing views/counts within Director.
3: MCS provisioning support in Microsoft Azure for XenApp workloads.
4: Proactive e-mail notifications, alerts and Integrated Windows Authentication for SSO for Director
5: Installation improvements allowing SysAdmins to choose the SQL database names and server(s) during Site creation.
6: New API support for provisioning VMs from hypervisor templates
7: HDX Optimization Pack 2.0 for offloading of Lync 2013, Skype for Business 2015 within a virtual ICA/HDX session.
8: API support for managing session roaming.
9: Windows 10 support for VDA’s and Studio.
10: HDX Ready has been overhauled for Citrix’s supported thin clients.

For a complete list of what’s new check out – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-7/what-is-new.html.

Database
You can now choose to deploy your XAD SQL databases on one or more SQL database server(s) during the creation of your Site, including defining the names for each DB instance.

Understanding Zones
It’s important to understand a few key things. The first is that FMA Zones are NOT IMA Zones. The second point to stress is that this is a re-introduction of the Zones feature within the Flexcast Management Architecture (FMA), which has powered the XAD platform since the 7.x.n release, and that this is a v1 (version 1) release. I would very strongly encourage anyone reading this blog post to watch the embedded YouTube video by Craig Hinchliffe, a PM within Citrix focused on XenApp & XenDesktop.

Some important notes prior to watching the video:

1. The official documentation for Zones is available at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-7/manage-deployment/zones.html
2. Zones support in-geo XAD 7.x FMA Sites over secure WANs, e.g. London, Paris, Munich, as there is a latency challenge, as described at – https://www.citrix.com/blogs/2016/01/12/deep-dive-xenapp-and-xendesktop-7-7-zones/.
3. There is ALWAYS a Primary Zone and then two types of Satellite Zones. The first type of Satellite Zone consists of VDAs and N1+ controllers and the second type of Satellite Zone consists of VDAs and only a single controller.
4. A Satellite Zone consisting of VDA’s ONLY is NOT Supported!
5. Zones can be managed by Studio or PoSH.
6. In the event of a connection failure over the secure WAN connecting a Primary & Satellite Zone, Connection Leasing (CL) is the default fallback until access to the Primary Zone is restored, enabling access to the SQL database(s), Controller(s) and StoreFront server(s) in the Primary Zone. The CL functionality is exactly the same as in XAD 7.6, so please be sure to read https://www.citrix.com/blogs/2014/11/11/xendesktop-7-6-connection-leasing-design-considerations/.
7. SuGgEsTeD: create a Secure WAN connection between two or more geographic locations to create your Zone utilising the CloudBridge Connector, a feature of the NetScaler that allows you to create secure L2L IPSec VPN tunnels between two separate data centres. This saves you from implementing additional virtual or physical appliances to create secure L2L IPSec VPNs during a PoC: simply re-use your NetScaler if the appliance is correctly licensed, so please refer to the NetScaler datasheets at https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-netscaler-vpx-data-sheet.pdf, https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-sheet.pdf.
8. VDAs will default to registering with Controller(s) within their own zone! A VDA in the Primary Zone will only ever attempt to register with controller(s) in the Primary Zone, and VDAs in the Satellite Zone will register with their local (or preferred) controller(s) by default. In the event of a controller failure the VDAs will register with the secondary controller in the Satellite Zone; if one doesn’t exist the VDAs will then register with the controller(s) in the Primary Zone.
9. The SuGgEsTeD number of Zones per Site is 10 https://www.citrix.com/blogs/2016/01/12/deep-dive-xenapp-and-xendesktop-7-7-zones/.

For a more detailed overview of Zones please refer to http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-7/manage-deployment/zones.html.

Please submit any comments at – https://www.citrix.com/blogs/2015/12/29/xenapp-xendesktop-7-7-intro-to-zones-within-fma/.

Missing or No Zones Feature Post Upgrade of XAD 7.6 FP3 to 7.7

After upgrading from XA/XD 7.6 FP3 to XA/XD 7.7, the MultiGeo Zones feature does NOT appear in Citrix Studio. To resolve this behavior, in an elevated-rights PoSH window, navigate to “C:\Program Files\Citrix\XenDesktopPoshSdk\Module\Citrix.XenDesktop.Admin.V1\Citrix.XenDesktop.Admin\StudioRoleConfig” and run “Import-AdminRoleConfiguration .\RoleConfigSigned.xml”. Now close both the PoSH window and Studio, then re-open Studio and you should notice that the Zones feature is now available under App-V Publishing. This PoSH cmdlet and two other known issues can be found at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-7/what-is-new/known-issues.html.

AppLimits or Application Limits
Once you have configured your application limits – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-7/install-configure/delivery-groups-manage/applications-manage.html per published XenApp app, begin your testing and you’ll notice that your users receive the following error message: Cannot start “APP NAME”. If you want to better understand why the user received this error message, open the Event Viewer on the XenApp worker and search for the following event IDs: 1117, which translates to “The Citrix Broker Service failed to broker a connection for user ‘DOMAIN\USER’ to application ‘APP NAME’. The maximum allowed instances of this application in the site are already running”, and 1118, “The Citrix Broker Service failed to broker a connection for user ‘DOMAIN\USER’ to application ‘APP NAME’. The user is already running the maximum number of instances of this application that they are allowed.”
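The two event IDs above separate a site-wide limit from a per-user limit, which tells you which setting to review. The following is an added example, not part of the original post and not Citrix code: it classifies exported event records by that distinction, assuming the events are available as (event ID, message) pairs; the sample records are constructed.

```python
import re

# Reason text per event ID, as quoted in the paragraph above.
LIMIT_EVENTS = {
    1117: ("site_limit", "The maximum allowed instances of this application "
                         "in the site are already running"),
    1118: ("user_limit", "The user is already running the maximum number of "
                         "instances of this application that they are allowed"),
}

_MESSAGE = re.compile(
    r"The Citrix Broker Service failed to broker a connection for user "
    r"'(?P<user>.+?)' to application '(?P<app>.+?)'\. (?P<reason>.+)"
)


def _normalise(text):
    """Fold typographic quotes to ASCII and collapse runs of whitespace."""
    for curly in "\u2018\u2019":
        text = text.replace(curly, "'")
    return " ".join(text.split())


def classify(event_id, message):
    """Return kind/user/app for an AppLimits denial, or None for anything else."""
    if event_id not in LIMIT_EVENTS:
        return None
    match = _MESSAGE.search(_normalise(message))
    if match is None:
        return None
    kind, reason = LIMIT_EVENTS[event_id]
    # The ID and the reason text must agree; a mismatch means the record was
    # damaged in export and should not be counted.
    if not match["reason"].startswith(reason):
        return None
    return {"kind": kind, "user": match["user"], "app": match["app"]}


def summarise(events):
    """Count denials per (application, kind) so the binding limit stands out."""
    counts = {}
    for event_id, message in events:
        hit = classify(event_id, message)
        if hit:
            key = (hit["app"], hit["kind"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample records (not real log data).
_T = ("The Citrix Broker Service failed to broker a connection for user "
      "'{u}' to application '{a}'. {r}.")
SAMPLE_EVENTS = [
    (1117, _T.format(u="LAB\\alice", a="Notepad", r=LIMIT_EVENTS[1117][1])),
    # Same message with typographic quotes, as copied from a web page or email.
    (1118, _T.format(u="LAB\\bob", a="Notepad",
                     r=LIMIT_EVENTS[1118][1]).replace("'", "\u2019")),
    (1118, _T.format(u="LAB\\bob", a="Calc", r=LIMIT_EVENTS[1118][1])),
    # Event ID and reason text disagree: ignored.
    (1117, _T.format(u="LAB\\carol", a="Calc", r=LIMIT_EVENTS[1118][1])),
    (9999, "Constructed unrelated event"),
]

if __name__ == "__main__":
    for (app, kind), n in sorted(summarise(SAMPLE_EVENTS).items()):
        print(f"{app}: {kind} x{n}")
```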

Managing Session Roaming
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-7/manage-deployment/sessions.html.

Find Your Citrix HDX Thin Client
The HDX Ready team have classified any/all Citrix thin clients into the following three categories HDX Ready – https://citrixready.citrix.com/category-results.html?category=c1-thin-clients&lang=en_us&filter=c1-thin-clients/g-hdx-level/f-hdx-ready&sortby=product-asc, HDX Premium – https://citrixready.citrix.com/category-results.html?category=c1-thin-clients&lang=en_us&filter=c1-thin-clients/g-hdx-level/f-hdx-premium&sortby=product-asc, HDX 3D Pro – https://citrixready.citrix.com/category-results.html?category=c1-thin-clients&lang=en_us&filter=c1-thin-clients/g-hdx-level/f-hdx-3d-pro&sortby=product-asc.
https://citrixready.citrix.com/info/thin-clients.html.

It’s strongly suggested that you read the following white paper from the HDX Ready team entitled “Find Your Thin Client” which can be viewed online or downloaded at – https://citrixready.citrix.com/content/dam/ready/assets/thin-clients/thin-clients-features.pdf

Delivering a Virtual Desktop with the Linux VDA 1.0-1

The following content is a brief and unofficial prerequisites guide to setup, configure and test Linux VDA 1.1 (NOTE: The HDX 3D Pro video is a preview only from the Citrix YouTube channel) with XAD 7.3 FP3+ prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
INDEPENDENT COMPUTING ARCHITECTURE – ica
FEATURE PACK – fp
EXPERIENCE 1st – x1
DISTRIBUTIONS – distro’s
VIRTUAL DESKTOP – vd

Preview of HDX 3D Pro with a Linux VDA
Please note that the following YouTube video represents a preview only of HDX 3D Pro with the Citrix Linux VDA.

An Introduction & Overview
Citrix released the Linux VDA 1.0, which enables the safe, secure delivery of Linux based virtual desktops that are controlled by Citrix Studio; however, VM provisioning and on-going image management are maintained by traditional Linux tools, which include but are by no means limited to Puppet or Chef.

Currently only the SuSE Linux and Red Hat Enterprise Linux distros are supported; however, numerous Citrix professionals around the globe have successfully set up and delivered a Linux VD utilising CentOS, following the steps in the “Installation Guide for Red Hat Enterprise Linux Version 1.1”, which is available at – http://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/xenapp-xendesktop-7-6/downloads/Linux%20Virtual%20Desktop%20Installation%20Guide%20for%20Redhat%20Enterprise%20Linux.pdf or for a CentOS focused approach check out – https://www.citrix.com/blogs/2015/08/25/installing-the-linux-vda-on-red-hat-or-centos-6/ written by Adrian Taylor – https://www.citrix.com/blogs/author/adriant2/.

As this is my first time writing about Citrix’s Linux support, it’s worth noting that Citrix provided a tech preview (TP), ref – https://www.citrix.com/news/announcements/aug-2014/citrix-offers-technology-preview-of-linux-virtual-apps-and-deskt.html, prior to the official GA launch of the Linux VDA 1.0, which in my view received very positive feedback and comments, in particular from within the UK/Ire Citrix partner community.

What’s New
1. Obviously my fav is “Support for Thinwire Compatible Mode” 🙂
2. The Linux VDA supports dual monitor out-of-the box with maximum resolution of 2560×1600 per monitor and can be configured to support up to 9 monitors.
3. Improved Active Directory and Centrify support*
4. Further extended OS support for Red Hat and SuSE Linux enterprise editions. Please read the following CTX blog article regarding support issues for other Linux OS distros at – https://www.citrix.com/blogs/2015/10/16/supporting-linux-distributions.
5. Linux XDPing, which is available at – http://support.citrix.com/article/CTX202015.
6. Support for Linux Dedicated VDI Desktops; the initial Linux VDA 1.0 release targeted a hosted shared VD approach, as Linux is a multi-user OS.
7. * For a comprehensive overview of all the features in the Linux VDA 1.1 please check out – https://www.citrix.com/blogs/2015/10/23/whats-new-in-linux-virtual-desktop-v1-1/.

Use Case(s)
It’s essentially about providing customers with the choice and flexibility to deliver either a VD that is based upon Windows OS with Microsoft Office 20xn and 3rd party apps OR a supported Linux OS with OpenOffice/LibreOffice and 3rd party apps.

Pre-requisites & System Requirements for Deploying the Linux VDA 1.1 (Draft + The Basic’s Only)
1: Download one or both Linux VDAs for Red Hat or SuSE, along with the script, which is available at the Linux VDA download area – http://www.citrix.com/downloads/xenapp/components/linux-virtual-desktop-11.html.
2: The following Citrix Receivers are currently supported: Windows Receiver version v4.2+, Linux Receiver version v13.0+, Mac OSX Receiver v12+, Android Receiver v3.4+, iOS Receiver 5.9.4+, HTML5 Receiver 1.6 (via Access Gateway).
3:…..

More coming….

Upgrading a NetScaler 10.5.x.n Virtual Appliance to NetScaler Unified Gateway 11.x.n

The following content is a brief and unofficial prerequisites guide to upgrade from NetScaler Gateway 10.5.x.n to NetScaler Unified Gateway 11.x.n prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names
VIRTUAL APPLIANCE – v/a
NETSCALER GATEWAY – nsg
NETSCALER UNIFIED GATEWAY – nug
VIRTUAL IP ADDRESS – vip

Deployment Preparation Overview (DRAFT & MAY CONTAIN ERROR(S))
The following is an upgrade process that I utilise within my own home lab. Please refer to http://docs.citrix.com/en-us/netscaler/11/license-upgrade-downgrade/upgrade-downgrade-the-system-software.html for an accurate and official upgrade process.

1: Download the firmware of your choice, if more than one is available, at – http://www.citrix.com/downloads/netscaler-adc.html. Please note that you will require a valid Citrix account to download the firmware.
2: Upload the *.tgz file you downloaded to the following location on your NS V/A: “/var/nsinstall”. Once you have confirmed it’s successfully uploaded, disconnect and close your (s)FTP application. I use WinSCP myself, which can be downloaded at – https://winscp.net/, as my (s)FTP client.
3: Open a Secure Shell (SSH) connection to the NS V/A and enter the username and password access details where prompted. Once you have successfully logged in, type “shell”, then type “cd /var/nsinstall” to change to the nsinstall directory, and then type “ls” to confirm the uploaded file is there.
4: Now unpack the tarball package by typing “tar -xvzf build_X_XX.tgz”, where build_X_XX.tgz (TIP: Enter B and press TAB to complete typing the name of the file) is the name of the NS firmware build that we will be upgrading to. Once the tarball is successfully unpacked, type “ls” to verify that you can see the extracted files from the tarball.
5: Now type “./installns” to begin the upgrade process and, where prompted, type “Y” to reboot the NS V/A.
6: Move to your hypervisor’s mgmt. console and watch the NS CLI reboot. Once you can see the NS login prompt within the CLI, navigate to the NS mgmt. IP addr, log in using your NS access details and verify that the NS V/A has been successfully upgraded to your firmware of choice by looking at the firmware version in the top right-hand corner of the WebUI.
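Step 4 unpacks the archive inside the appliance shell and step 5 runs a script from it, so it is worth inspecting the tarball on the admin workstation before uploading it. The following is an added example, not part of the original post and not Citrix code: it checks that the file is a readable .tgz, that no member path or link would land outside the extraction directory, and that the “installns” script is present. The function names, the in-memory sample archives and the availability of a published SHA-256 value to compare against are assumptions.

```python
import hashlib
import io
import posixpath
import tarfile
import zlib

INSTALLER = "installns"  # script the procedure above runs after unpacking


def sha256_hex(data):
    """Hex SHA-256 of the downloaded file's bytes."""
    return hashlib.sha256(data).hexdigest()


def _escapes(path):
    """True if an archive path is absolute or climbs above the extract dir."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def preflight_firmware(data, expected_sha256=None):
    """Return a list of findings for a firmware .tgz; an empty list is a pass."""
    findings = []
    if expected_sha256 is not None:
        digest = sha256_hex(data)
        if digest != expected_sha256.strip().lower():
            findings.append("sha256 mismatch: got " + digest)
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            members = tar.getmembers()
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        findings.append("not a readable .tgz: %s" % exc)
        return findings
    for m in members:
        if _escapes(m.name):
            findings.append("unsafe member path: " + m.name)
        if m.issym() or m.islnk():
            # Symlink targets resolve from the link's own directory,
            # hard-link targets from the archive root.
            base = posixpath.dirname(m.name) if m.issym() else ""
            if _escapes(posixpath.join(base, m.linkname)):
                findings.append("link escapes extract dir: %s -> %s"
                                % (m.name, m.linkname))
    if not any(m.isfile() and posixpath.normpath(m.name) == INSTALLER
               for m in members):
        findings.append("no top-level %s script in archive" % INSTALLER)
    return findings


def build_sample_tgz(entries):
    """Build a constructed .tgz in memory from (name, content, linkname) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_tgz([("./installns", b"#!/bin/sh\n", None)])
    print(preflight_firmware(sample, sha256_hex(sample)) or "preflight passed")
```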

Fronting XenMobile 10.x.n with NetScaler 10.5.x.n – 11.x.n

The following content is a brief and unofficial prerequisites guide to setup, configure and test a NetScaler Gateway 10.5.x.n or NetScaler Unified Gateway 11.x.n fronting a XenMobile 10.x.n XMS virtual appliance prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
FEDERAL INFORMATION PROCESSING STANDARDs – fips
NETSCALER GATEWAY – nsg
NETSCALER UNIFIED GATEWAY – nug
VIRTUAL IP ADDRESS – vip
MOBILE APPLICATION MANAGEMENT – mam
MOBILE DEVICE MANAGEMENT – mdm
CERTIFICATE AUTHORITY – ca

Deployment Preparation Overview (DRAFT & MAY CONTAIN ERROR(S))
0. This section also contains the prerequisites and system requirements for each virtual appliance (V/A), for NetScaler and the XenMobile Server (XMS).
1. Review the XenMobile compatibility matrix at – http://docs.citrix.com/en-us/xenmobile/10-1/xmob-system-requirements/xmob-10-understand-compatibilitymatrix-con.html to choose the correct NS build vs. XMS build.
2. Download the V/A’s for each at signing in with your Citrix partner access details.
3. You need an SSL certificate; a wildcard is recommended for simplicity, and it should use at minimum a 2048-bit key for the CSR that you submit to your CA. If you are experiencing the enrolment issue Profile Installation Failed “The server certificate for ‘https://’ is invalid”, then please review http://axendatacentre.com/blog/2015/03/29/xenmobile-10-0-poc-considerations/ to help resolve this issue.
4. Generate an APNS certificate following this process at http://docs.citrix.com/en-us/xenmobile/9/xmob-dm-config-requesting-apns-con.html and sign your APNS certificate with Citrix at – https://xenmobiletools.citrix.com/.
5. You need to be aware that the port communication between the different components has changed, and also the placement of the XMS V/A in XenMobile 10. A network diagram can be viewed at – http://docs.citrix.com/en-us/xenmobile/10-1/xmob-arch-overview-con.html. I would recommend that you refer to figure 4 (MDM and MAM modes) and also figure 5 (Cluster deployments).
6. XenMobile 10, as of writing this blog post, requires the following FQDN and IP ADDR reservations to be made available when fronting an XMS V/A with an NS appliance, either virtual or physical, on 10.5.x.n and 11.x.n. Please note that for simplicity I will refer to a NetScaler Virtual Appliance V/A from here on in.

a – 1x Public routable FQDN for MDM e.g enroll.axendatacentre.com
b – 1x Public routable static IP addr that resolves to the MDM FQDN
c – 1x Public routable FQDN for MAM e.g apps.axendatacentre.com as Secure/Worx’s apps utilise a mVPN via WorxHome now SecureHub
d – 1x Public routable static IP addr that resolves to the public FQDN MAM
e – 1x DMZ private static IP addr for Gateway for your mVPN traffic
f – 1x DMZ private static IP addr for Load-balancing the MAM traffic
g – 1x DMZ private static IP addr for MDM traffic e.g enrolling and on-going device mgmt.
h – 1x DMZ private static IP addr for the actual XMS V/A

Sample PoC Diagram
* refers to the “.axendatacentre.com” ending the FQDN.

MDM (b): enroll.* 81.xxx.nnn.100 | Firewall | MDM (a/g): enroll.* 192.168.2.30 | NetScaler | Installation FQDN (h): enroll.enroll.axendatacentre.com | XMS
MAM (d): apps.* 81.xxx.nnn.101 | MAM (c/e/f): apps.* 192.168.2.31, 192.168.2.33

7. NetScaler, as of writing this blog article, requires the following IP ADDR reservations to allow you to front Citrix workloads, e.g. “XenMobile”, ShareFile etc., and non-Citrix workloads, e.g. web services, exchange servers, application servers and much more.

– 1x DMZ private static NetScaler IP addr
– 1x DMZ private static NetScaler Mgmt IP addr for mgmt. of your NS virtual or physical appliance
– 1x DMZ private static Subnet IP addr for the NetScaler to access resources within your TRU network

8. Once you have successfully deployed your XMS, use the built-in 30 day licenses for the initial configuration, then allocate some eval licenses against the XMS hostname. You can allocate XM 10 licenses by choosing the “MDM/Enterprise 99 User” from – http://store.citrix.com/store/citrix/en_US/pd/productID.306222300/ThemeID.33753000. Once you have licensed the XMS V/A, proceed to deploy the NS V/A and log in to the NS V/A mgmt. interface, which will be the NS’s mgmt IP addr, to find the HostID, or utilise the following CTX article entitled “How to Allocate NetScaler VPX Licenses” – http://support.citrix.com/article/CTX133147; the HostID will be required to license your NS V/A. Once you have the HostID, visit the Citrix Evaluation Store at – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700 and allocate, as an eXaMpLe, a 3000 VPX at platinum for 90 days at – http://store.citrix.com/store/citrix/en_US/pd/productID.278306700/ThemeID.33753000 and also allocate a “Universal 99 Concurrent User Connection” from – http://store.citrix.com/store/citrix/en_US/pd/productID.282559700/ThemeID.33753000, once again for 90 days.
9. Reboot both the NS and XMS V/As and validate that they are back up and running and functioning as expected using the CLI and/or the Admin WebUIs of each V/A.
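A pre-deployment check of the reservations a to h from step 6 and the wildcard certificate from step 3, as an added example that is not part of the original post: it flags a DMZ address that is not private, a public address that is not routable, duplicate reservations, and FQDNs that the wildcard name does not cover. The dictionary layout, the function names, the public addresses (documentation-range placeholders, since the post masks the real ones) and the address used for h are assumptions.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FQDNS = ("a", "c")                # MDM and MAM FQDNs
PUBLIC_IPS = ("b", "d")           # public addresses for MDM and MAM
DMZ_IPS = ("e", "f", "g", "h")    # gateway, MAM LB, MDM LB, XMS V/A
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def _wildcard_covers(wildcard, fqdn):
    """A '*.example.com' name matches exactly one extra left-hand label."""
    if not wildcard.startswith("*."):
        return wildcard.lower() == fqdn.lower()
    head, _, parent = fqdn.partition(".")
    return bool(head) and parent.lower() == wildcard[2:].lower()


def check_plan(plan, wildcard=None):
    """Return a list of findings for an a-h reservation plan (empty = pass)."""
    missing = [k for k in "abcdefgh" if not plan.get(k)]
    if missing:
        return ["missing reservation(s): " + ", ".join(missing)]
    findings, ips = [], {}
    for key in PUBLIC_IPS + DMZ_IPS:
        try:
            ips[key] = ipaddress.ip_address(plan[key])
        except ValueError:
            findings.append(f"{key}: '{plan[key]}' is not an IP address")
    for key in PUBLIC_IPS:
        ip = ips.get(key)
        if ip is not None and (_is_rfc1918(ip) or ip.is_loopback
                               or ip.is_link_local or ip.is_multicast
                               or ip.is_unspecified):
            findings.append(f"{key}: {ip} is not publicly routable")
    for key in DMZ_IPS:
        ip = ips.get(key)
        if ip is not None and not _is_rfc1918(ip):
            findings.append(f"{key}: {ip} is not a private (RFC 1918) address")
    seen = {}
    for key, ip in ips.items():
        if ip in seen:
            findings.append(f"{key}: {ip} already reserved for {seen[ip]}")
        else:
            seen[ip] = key
    for key in FQDNS:
        labels = plan[key].split(".")
        if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
            findings.append(f"{key}: '{plan[key]}' is not a valid FQDN")
        elif wildcard and not _wildcard_covers(wildcard, plan[key]):
            findings.append(f"{key}: {plan[key]} is not covered by {wildcard}")
    if plan["a"].lower() == plan["c"].lower():
        findings.append("a and c must be different FQDNs")
    return findings


# FQDNs and the e/f/g addresses are the post's examples; b, d and h are
# constructed placeholders.
SAMPLE_PLAN = {
    "a": "enroll.axendatacentre.com", "b": "203.0.113.100",
    "c": "apps.axendatacentre.com", "d": "203.0.113.101",
    "e": "192.168.2.31", "f": "192.168.2.33",
    "g": "192.168.2.30", "h": "192.168.2.34",
}

if __name__ == "__main__":
    print(check_plan(SAMPLE_PLAN, "*.axendatacentre.com") or "plan is consistent")
```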

Let’s Deploy XMS fronted by a NS (DRAFT & MAY CONTAIN ERROR(S))
1. Log in to the NS Admin WebUI, navigate to the licensing tab and validate that you have all green ticks, and ensure that you have 99-104 Universal licenses; if not, please read step 8 above before proceeding.
2. In the bottom left-hand corner click on “XenMobile” and select “XenMobile 10” from the dropdown list on the XenMobile initial wizard welcome page.
3. Under the NetScaler for XenMobile section to the left-hand side select the following “Access through NetScaler Gateway” (MAM e.g Worx’s Apps) and “Load Balance XenMobile Servers” (MDM) and then click on Continue.
4. Enter in the IP addr e and leave the port as 443 and provide a Virtual Server Name then click Continue.
5. Select an existing wildcard certificate or upload a new wildcard certificate, then click Continue.
6. Select an existing LDAP binding or create a new LDAP binding and then click Continue. An example of a Base DN for the domain axendc.co.za, with domain users residing within the default Users folder within AD, would be e.g. “Cn=Users,dc=axendc,dc=co,dc=za”.
7. Under Load-Balancing FQDN for MAM enter a for the FQDN, and for the IP addr beneath it enter IP addr f, and then click Continue. Please leave the defaults as is for now, BUT please be aware that we will not be performing any SSL Offloading or split tunnelling.
8. Select the same SSL cert as per step 5 above unless it’s NOT a wildcard certificate, in which case please upload the SSL cert for the MDM FQDN before proceeding. Click Continue.
9. Click “Add Server” under the XenMobile Servers section, enter IP addr h and then click Continue. Note: Port for communication is 8443!
10. Click “Load Balance Device Manager/XenMobile Servers“.
11. Enter in the IP addr g and alter or leave the default name of the Virtual Server and click Continue. Note: Communication is HTTPS or SSL_Bridge as we choose not to perform HTTP or SSL Offloading in step 7 above.
12. You’ll notice that your XenMobile Servers IP addr’s are already automatically inserted under the XenMobile Servers section click Continue. Note: The Ports for communication are 443, 8443!
13. Click Done!
14. You have now successfully deployed a single XMS V/A fronted by a NS V/A. Once the wizard has completed you can click Edit under the “NetScaler Gateway” section on the top right-hand side, under the Test Connectivity button, to go back into the wizard and modify the split tunnelling options to meet your organisation’s needs and/or requirements.

HDX Realtime and Microsoft Lync 2013

The following content is a brief and unofficial prerequisites guide to setup, configure and test Lync 2013 with XAD 7.6 and the HDX RealTime Optimization Pack 1.7-8.x.n for Microsoft Lync prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
UNIFIED COMMUNICATIONS – uc
MICROSOFT – ms
NETSCALER GATEWAY – NS(G)
ACCESS GATEWAY – AG

Summarising your Lync 2010, 2013 Deployment Options on Citrix XenApp/XenDesktop 7.x
The following Lync deployment methods are supported by Citrix including utilising Lync Online and Office 365 ref – http://blogs.citrix.com/2015/04/03/deployment-guide-for-microsoft-lync-2013-in-vdi-environment/.

Generic HDX Realtime *
Pure ICA/HDX between two end-points and the infrastructure.

HDX RealTime Optimization Pack for Lync® *
Optimised softphone with offloading of the media engine by Citrix Receiver at end-points.

Microsoft® Lync® VDI Plug-in
Optimised softphone with offloading of the media engine by Microsoft however this approach does require Windows end-points.

Local App Access *
XAD policy applied to utilise (preferred) the locally installed Lync app over delivered Lync app.

* Please refer to eDocs or CTX200279 for the Lync Delivery Feature Matrix http://support.citrix.com/article/CTX200279. For HDX Realtime Licensing Q&A please check out – http://www.citrix.com/go/products/xendesktop/feature-matrix.html.

Deployment Guides
1: Delivering Microsoft Lync to XenApp and XenDesktop Users – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/delivering-microsoft-lync-to-xenapp-and-xendesktop-users.pdf
2: Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x – http://www.citrixandmicrosoft.com/Documents/Deployment%20Guide%20-%20Office%20365%20for%20XenApp%20and%20XenDesktop.pdf

HDX RealTime Optimization Pack 1.8
The latest released optimisation pack 1.8 supports the Lync Server 2013 Autodiscover Service and Microsoft Skype for Business client in Lync UI mode, the Microsoft Lync 2013 client, and the Microsoft Lync 2010 client (Call Park, Call Pick Up & Call forwarding and simultaneous ringing controls). There is also now support for Mac with support for the Microsoft Windows 10 technical preview, for more information check out the official documentation at – http://docs.citrix.com/en-us/hdx-optimization/1-8.html and what’s new in XAD FP2 – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-whats-new.html.

HDX RealTime Optimization Pack 1.7
HDX RealTime Optimization Pack consists of two components: the client (the media engine is integrated into Citrix Receiver) and the server (HDX Realtime connector). A technical overview of how the optimisation pack works and helps to improve the user’s overall experience with Lync 2013 can be found at – http://support.citrix.com/proddocs/topic/hdx-realtime-optimization-pack-17/hdx-realtime-optimization-pack-about-17.html, including a network diagram. Citrix have also recently released, at the time of writing this blog article, a great CTX article entitled “Remote Access with Citrix HDX RealTime Optimization Pack”, available at – http://support.citrix.com/article/CTX201116, explaining how and where to deploy NS(G) for Lync 2013.

The below is an embedded Citrix TV video entitled – Ask the Architect “Citrix Optimisation Pack for Microsoft Lync”:

Microsoft Lync 2013 VDI Plug-in
As stated at – http://support.citrix.com/proddocs/topic/hdx-realtime-optimization-pack-17/lync-realtime-optimization-pack-17.html Citrix recommends the Microsoft Lync 2013 VDI Plug-in for customers using Lync 2013 with Windows devices. For information about this solution, see http://technet.microsoft.com/en-us/library/jj204683.aspx and http://support.citrix.com/article/CTX138408.

XenMobile Device Manager 9.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Device Manager 9.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names
XENMOBILE APPCONTROLLER – xac
APPLE PUSH NOTIFICATION SERVICE – apns
ROLE BASED ACCESS CONTROL – rbac
LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL – ldap
ACTIVE DIRECTORY – ad
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
RECEIVER FOR WEB – rfw
CERTIFICATE AUTHORITY – ca
STOREFRONT SERVICES – sfs
PUBLIC KEY INFRASTRUCTURE – pki
NETSCALER GATEWAY – nsg
XENMOBILE DEVICE MANAGER – xdm
XENMOBILE NETSCALER CONNECTOR – xnc
SECURE TICKET AUTHORITY – sta
DOMAIN NAME SERVER – dns

Self-paced Online (SPO) XenMobile Device Manager Training
1: Course # CXM-200 entitled “Deploying Citrix XenMobile Device Manager Server” at – http://training.citrix.com/mod/ctxcatalog/course.php?id=834. Note at the time of writing this blog entry Thursday 17/07/2014 this SPO was freely available with a valid Citrix.com account.
2: Course # CXM-201 entitled “Administering and Managing Devices with Citrix XenMobile 9.0” at – http://training.citrix.com/mod/ctxcatalog/course.php?id=923. Login to view the price at http://training.citrix.com.

XenMobile APNS Signing Portal
This service requires valid Citrix.com partner access details to sign in and sign your APNS CSR – https://xenmobiletools.citrix.com/. Please review the documented APNS process for XenMobile Device Manager at – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-config-requesting-apns-con.html.

Handset Security
1: How do you know a handset is secure outside of MDM or EMM providers? Well, I typically search for a security whitepaper or security microsite that covers off the h/w and/or software security hardening of these mobile handsets, and I have listed a few below; enjoy. Note the resources are not listed in any particular order.

Samsung Knox – https://www.samsungknox.com/en/support/knox/white-paper

Windows Phone 8.1 Security Overview – http://download.microsoft.com/download/B/9/A/B9A00269-28D5-4ACA-9E8E-E2E722B35A7D/Windows-Phone-8-1-Security-Overview.pdf

iOS Security – http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf

Android Security Overview – https://source.android.com/devices/tech/security/

XenMobile AppController 9.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile AppController 9.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises.

Shortened Names
XENMOBILE APPCONTROLLER – xac
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
RECEIVER FOR WEB – rfw
CERTIFICATE AUTHORITY – ca
STOREFRONT SERVICES – sfs
PUBLIC KEY INFRASTRUCTURE – pki
NETSCALER GATEWAY – nsg
XENMOBILE DEVICE MANAGER – xdm
XENMOBILE NETSCALER CONNECTOR – xnc
SECURE TICKET AUTHORITY – sta
DOMAIN NAME SERVER – dns

New & Existing XenMobile AppController (XAC) Admin & User Consoles
1: The NEWEST console is a troubleshooting one which is accessible at https://XAC-FQDN:4443/ControlPoint/support which allows troubleshooting of NetScaler Gateway, XenMobile Device Manager
2: Control Point Admin console – https://XAC-FQDN:4443/ControlPoint/
3: Hidden Admin console – https://XAC-FQDN:4443/admin.
4: Receiver for Web (RfW) provides user access to SaaS and Web-links – https://XAC-FQDN:4443/Citrix/StoreWeb/ natively. You can integrate XAC with StoreFront to enumerate published Windows apps and Server and Desktop VDIs from XenApp, XenDesktop 7.x.

What’s New
0: XenMobile Security PDF document – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security.pdf and XenMobile security microsite is also available at – http://www.citrix.com/products/xenmobile/tech-info/mobile-security.html.
1: Support for Windows Phone 8.1 MDX policies for WorxMail and WorxWeb only – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-worx-about-wrapper.html. You can learn how to wrap Worx apps for Windows Phone 8.1 using this useful CTX article entitled “FAQ: Windows Phone 8.1 and XenMobile 9” – http://support.citrix.com/article/CTX200105 and also by watching the following video from Citrix TV.

2: New troubleshooting and support console that can download logs, perform connectivity tests and upload logs to http://taas.citrix.com. The console is available at – https://XAC-FQDN:4443/ControlPoint/support once you have successfully authenticated at https://XAC-FQDN:4443/ControlPoint/. You will need to know the admin access details for NSG, XAC and XDM in order to effectively use this console.

3: Wrapping iOS Worx Apps Video.

4: Wrapping Android Worx Apps, including how to sign multiple *.APK files using a BASH script. Refer to the XenMobile 9.0 MDX Toolkit Documentation – http://support.citrix.com/article/CTX140458 for more information once you have watched this video.

5: XenMobile 9.0 MDX Toolkit Documentation – http://support.citrix.com/article/CTX140458

Installing & Deploying XAC 9.0
1: Review and understand the systems & networking prerequisites of the XAC virtual appliance at – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-sysreqs-wrapper-con.html and http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-prepare-xenmobile-checklist-con.html.
2: Deploy the XAC virtual appliance on your chosen hypervisor, boot it and follow the onscreen instructions to apply the IP addr, DNS etc., and reboot. Upon completion connect to the Web Admin UI to complete the initialisation wizard; thereafter you can begin to set up and configure your XAC virtual appliance, upload your MDX signed Worx apps and configure the MDX policies as required per app per supported platform. Don’t forget to generate and sign a CSR for the XAC, optionally signing it with your Enterprise CA (PoC/Demo environments) or a Public CA (PROD environments), and apply your own SSL certificate(s) to the XAC; refer to – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-deploy-appc-cert-install-con.html or for a video demonstration watch – http://www.citrix.com/tv/#videos/9501.
3: Configuring MDX policies for Windows Phone 8.1 – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-wp81.html, iOS – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-ios-con-nike.html and Android – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-policies-andr-con-1.html. Finally, check out how to configure encryption policies – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-mobile-apps-encryption-con.html.
5: Once you have setup and configured your XAC appliance you can setup high-availability – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-appc-ha-wrapper-con.html.
6: If you are looking for the XenMobile Reference Architecture please refer to http://support.citrix.com/article/CTX140433.