Category Archives: Mobile Workspaces

HDX Offloading for Microsoft Teams within a Citrix Virtual Desktop

Consider this an evergreen article with *pro-active adds/moves/changes inclusive of errors/mistakes until I remove this statement.

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering Microsoft teams within a Citrix virtual desktop powered by Citrix Virtual Apps & Desktops (CVAD) Service – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service.html in Citrix Cloud prior to deploying in a PoC, Pilot or Production environment. The views, opinions and concepts expressed here are those by the author only and do not necessarily conform to industry descriptions nor leading practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
SKYPE FOR BUSINESS – skype4b
CITRIX VIRTUAL DESKTOP – cvd
CITRIX VIRTUAL APP & DESKTOP – cvad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
VIRTUAL DESKTOP – vd
VIRTUAL APPS – va
REALTIME MEDIA ENGINE – rtme
CITRIX WORKSPACE APP – cwa
MICROSOFT TEAMS – teams
CURRENT RELEASE – cr
LONG TERM SERVICE RELEASE – ltsr

Very Importantly Notice*
This feature depends on a future Microsoft Teams release. We will update this description as information about the version and release date become available.” referenced directly from – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#system-requirements.

Introduction
In May 2016 I published the following blog post entitled “Deploying Skype for Business 2015-16 (Offloaded) from a Citrix HDX Optimised Virtual App or Desktop” available at – https://axendatacentre.com/blog/2016/04/25/deploying-skype4b-2015-offloaded-from-a-citrix-hdx-virtual-app-or-desktop/. Suggested before you continue reading this post please read the “Optimization for Microsoft Teams” documentation on Citrix eDoc’s at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html or study if you are pressed for time the below architecture diagram for ease of use, of the joint Citrix + Microsoft solution to offload the audio/video processing of Teams from a Citrix Virtual Desktop to the employees local endpoint that is required to run a supported OS + Citrix Workspace app + Real-Time Media Engine (RTME). I still encourage you to please read the documentation in full prior to continuing reading.

It is also worth understanding Microsofts basic architecture overview of the solution which is available at – https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi#teams-on-vdi-with-calling-and-meetings.

The Employee Experiences with Teams HDX Offloaded

Windows

Linux (x64 Linux distributions only)

Understanding a HDX Optimised vs. Non-Optimised CVAD Deployment
The following HTML diagram depicts the differences between (un)optimised, I’ve also included a few suggested considerations as well.

Non-Optimised  Optimised for HDX Teams Offloading

Windows OS
VDA YYMM
Teams app 1.2.00.31357
Internet
End-point + Citrix Workspace app (CWa)

Windows OS
VDA YYMM

ICA/HDX Virtual Channel* 

 ↓
Teams app 1.2.00.31357
HDX Teams Services
Internet  ↑
 ↓

End-point + Citrix Workspace app (CWa) – Windows 1911*
A/V Traffic to other End-Point ←
HDX Embedded Media Engine

1. It’s very important to recognise that employees will find themselves in a situation where the connected end-point is unoptimised during work from home scenario e.g COVID-19 and therefore you should plan for these scenarios by implementing the right vs. relevant HDX policy strategy “Balanced” vs. “Preferred” see below guidance.
2. Educate employees when using a non corporate device e.g personal device at home during to COVID-19 they will likely be consuming an un-optimised version of Teams in CVAD, its important to set a exception to avoid unnecessary help desk tickets/calls.
3. Any and all exchanged IM’s and documents live within the CVAD lens meaning that your IP + Pii in any documents lives within the employees CVAD resource e.g Virtual Desktops when they exported it from a IM’s vs. channel(s) in Teams. It is also important to recognise that those same IMs’ vs. channel(s) originate and are available in Microsoft Teams on any device as the source, so if employees re-frame teams outside of your Citrix virtual desktop your IP + Pii in documents could be exfiltrated if the employee device(s) are not properly managed by IT e.g MEM, UEM, MAM, Secure SaaS check out – https://www.mycugc.org/blogs/lyndon-jon-martin/2020/03/27/secure-saas-on-zero-trusted-vs-earned-trusted-devi for more information.

LTSR vs. CR Strategy for HDX Offloading of Microsoft Teams?
It’s worth understanding that if your CVAD deployment strategy is to use the Long Term Service Release (LTSR) then you will not receive any new features only bug fixes this thinking keeps inline with the current CVAD strategy between CR vs. LTSR (stability and long-term – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr.html) release cycles. Consuming a CR branch means that you can unlock new features as they become available by upgrading your CVAD on-premises of upgrade the CVAD Service components within your Resource Locations (RL).

Release Strategy New Features Bug Fixes Documentation
CVAD Service
On-premises Current Release (CR)
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html
Long Term Service Release (LTSR)
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/multimedia/opt-ms-teams.html

Pre-requisites & System Requirements Key Highlights Only
The full and complete list is available at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html*, there is also a Citrix TechZone article published at – https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/optimizing-unified-communications-solutions.html. The below are the key highlights that should be focused on to be successful.

1. You will require the following MSFT teams version “1.2.00.31357” in order to be able to take advantage off the HDX Offloading capabilities within a supported CVAD environment. The following Citrix Workspace app (CWa) versions are the suggested vs. minimal versions that will be required to HDX offload Teams A/V traffic onto the employees endpoint:

Windows
Minimum Version: Citrix Workspace app 1911 for Windows
Download (1911): https://www.citrix.com/en-gb/downloads/workspace-app/legacy-workspace-app-for-windows/workspace-app-for-windows-1911.html
PDF Documentation (1911): https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/1911/citrix-workspace-app-for-windows-1911.pdf

Linux
Minimum Version: Citrix Workspace app 2006 for Linux running on x64 Linux distributions.
Download (2006): https://www.citrix.com/en-gb/downloads/workspace-app/linux/workspace-app-for-linux-latest.html
PDF Documentation (CR): https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/citrix-workspace-app-for-linux.pdf

Mac – Technology Preview
Technology Preview Version: Citrix Workspace app 2009 for Mac OSX running on 10.15.
Download (2009): https://www.citrix.com/en-in/downloads/workspace-app/betas-and-tech-previews/workspace-app-tp-for-mac.html
Provide Feedback https://podio.com/webforms/22969502/1632225


2. Avoid using the .exe installer for Teams – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#microsoft-teams-installation.
3.The Citrix HDX Teams policy “Microsoft Teams redirection” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/multimedia-policy-settings.html#microsoft-teams-redirection, is ON by default as per https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#microsoft-teams-installation.
4.CTXMTOP is a Citrix HDX virtual channel used for command and control purposes and no media is therefore exchanged between the CWa running on the end-point and the VDA running in the resource location (data centre).
5. In terms of network connectivity requirements PLEASE NOTE that MSFT Teams utilises Media Processor servers in Office 365 for meetings which affects the behaviour of two peers in point-to-point call scenarios, you can learn more at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#network-requirements, you should be thinking about near to local breakout from end-points to ensure IP transmits to Office365 over the most efficient and faster available route to avoid any/all employee experience degradation this will also directly apply to any MSFT teams clients on native devices that aren’t HDX Offloaded so take note! If you are a Citrix SD-WAN customer take a look at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#citrix-sd-wan-optimized-network-connectivity-for-microsoft-teams likewise if you are not a Citrix SD-WAN customer please take the opportunity to understand why you need to be thinking about an SD-WAN solution for your modern workplace.
6. You will need to update your Windows Firewall ACL on Windows endpoints to avoid the offloading failing by allowing “HdxTeams.exe (HDX Overlay Teams)“, you learn more at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#firewall-considerations.
7. Understanding Screen sharing – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#screen-sharing-in-microsoft-teams.

Deploying HDX Offloading (HDX Optimisation Pack ) for Microsoft Teams in a Citrix Virtual App vs. Virtual Desktop
1.The minimum on-premises control plane required is 1906 running the 1906.2 VDA reference – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#system-requirements and
2.You need to enable the following policy in Studio for 1906 see page at 668 – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/downloads/citrix-virtual-apps-and-desktops-1906.pdf to enable “Microsoft Teams redirection” which is also documented at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#system-requirements.
3.Endpoints should be running Citrix Workspace app for Windows 1907 but the recommended version is 1909 and be sure to configure the Windows ACL for Windows Defender Firewall to allow the “HDX Overlay Teams” app to traverse the right vs. relevant networks for more information please check out – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#firewall-considerations.
4. The Citrix TechZone micro-site includes few detailed Proof of Concept web document at – https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/microsoft-teams-optimizations.html#policy-settings entitled “Proof of Concept guide for Microsoft Teams optimization in Citrix Virtual Apps and Desktops environments” to help you setup, configure and deploy Microsoft Teams through a CVAD session or lens. It is a must read and therefore I have chosen to not repeat of any of the authors great work expect what was in my original post 06/08/2019. A fellow Citrix colleague Wendy Gay, published a simple guided step by step overview at – https://citrixie.com/2020/04/14/installing-teams-optimization-pack/ which is worth reading.

Microsoft Teams Leading Deployment Practises for Teams in Citrix VDI
1. Migrate Teams on VDI with chat and collaboration to Citrix with calling and meetings – https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi#migrate-teams-on-vdi-with-chat-and-collaboration-to-citrix-with-calling-and-meetings.
2. Teams on VDI performance considerations – https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi#teams-on-vdi-performance-considerations.
3. Known issues and limitations – https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi#known-issues-and-limitations

CWa Endpoint Update Release Strategy
It is important to recognise that you will need to manage the versions of supported CWa out in the field to avoid the HDX Offloading of Teams breaking and causing a degraded employee experience reverting to fallback of A/V. Please note that each supported OS platform has a different management strategy. You should also please take into account Microsofts recommendations – https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi#install-or-update-the-teams-desktop-app-on-vdi.

Platform Manual Automatic IT Controlled Link
Windows
https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/update.html#advanced-configuration-for-automatic-updates-citrix-workspace-updates
Linux
https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/install.html#update

Tech Insight – Microsoft Teams Optimization with Citrix
This video provides a detailed guided overview of the joint architecture, employee experience, optimisations inclusive of using Citrix SD-WAN, teams call routing and more. Originally posted to the Citrix TechZone at – https://docs.citrix.com/en-us/tech-zone/learn/tech-insights/microsoft-teams-optimization.html.

Suggested HDX Broadcast (Remote Graphics Mode) Policy for 7.15 Long Term Service Release (LTSR)
*Please be aware that Citrix eDocs is very clear when it states that Citrix does NOT support Teams HDX Offloading Optimisation for 7.15 Long Term Service Release (LTSR) as it is NOT listed as a supported CVAD platform, you still may wish however to test Microsoft Teams operationally e.g test out its impact on compute, I/O, user profile e.t.c and then purely for fallback failures aka NO HDX Offloading Optimisation BUT you will not be able to test the employee experience of HDX Offloading the audio/video traffic as it is NOT supported remember*). You’ll make use of your UAT 7.15 LTSR environment to be ready for a 2020-21 deployment on a supported CVAD release that supports HDX Offloading for Microsoft Teams, therefore use the built-in default HDX policy “Use video codec for compression” selecting  “Use video codec when preferred” which means the following “This is the default setting. No additional configuration is required. Keeping this setting as the default ensures that Thinwire is selected for all Citrix connections, and is optimized for scalability, bandwidth, and superior image quality for typical desktop workloads.” reference the 7.15 LTSR documentation at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/graphics/thinwire.html which will probably be ok for testing under the current release that you are consuming. Final Remember: CVAD formerly XAD 7.15 LTSR platform is NOT supported for Teams Optimisation. TIP: Definitions can change between CR vs. LTSR within the HDX stack which is consistently improving and being updated to offer better employee experiences all the time e.g introduction of net new H.264 standards so always be sure to check the differences between CR vs. LTSR and CR vs. CR versions.

Transitioning from Skype for Business to Teams
A number of few folks have asked the question can I mix and match Skype for Business and the Teams Optimisation Packs together? Its actually a complex answer but the immediate answer as of 03/08/2019 is below, BUT always be sure to circle back and review Citrix’s documentation for the latest supporting statements and interoperability at – https://docs.citrix.com around Teams Optimisation and when searching use “Teams Optimization”. Tip use American spelling for better results.

The response is complex and is as follows, answers received vary dependant upon your role Citrix vs. Skpye4B/Teams SysAdmin or Consultant. As I work at Citrix today (Aug 2019) lets focus on a Citrix based role to Teams response:

1. Complete LOB app readiness of Teams including new HDX services/API’s to enable HDX Offloading within a the master image but hidden + unavailable using techniques like disabling the services for each (whatever you prefer), Citrix app layering, MSFT app masking e.t.c. TIP: Pay attention to understand the compute utilisation differences between Teams vs. Skype4B there is a difference.

2. I still need to push out the required RTME to all employee end-points so I don’t want to break the employee experience while we transition to Teams. It is expected to have backwards compatible within Citrix Workspace app for older Virtual Delivery Agent (VDA) versions check eDocs for the backwards compatibility.

3. I only want to transition employees by AD or Citrix Delivery group (department, trusted test groups e.t.c) to Teams based upon point 2 and perform a staggered canary rollout like Citrix Cloud does for each of its services.

4. The person(s) within the Skype for Business/Teams based role(s) need to setup/conf and then test the audio/video codecs prior to enabling Teams at a company wide scale, for me personally this point is actually the most critical because as you offloading the audio/video to the end-point when using HDX Offloading the back-end compute + network resources low aka aren’t taken any much of a real hit HOWEVER if the HDX Offloading fails then you really, really need to understand the impact of processing of the A/V within the Citrix session and what affect it will have on the employees experience so when he/she is completed there final tests, you should prior to a final rollout perform a test side by side two identical end-points one optimised and the other un-optimised and be sure to capture the compute + network requirements client and server side, including the network traffic and score the experience out of 10 for voice and video, the test should be done with wired (where possible today), wireless (Wi-Fi) and 4G internet connectivity in two separate locations an Office (think QoS) and at home (no QoS).

5. Once you have the results from point 4 you may want to re-evaluate your existing HDX Broadcast policies (remote graphics mode e.t.c) and take into account a fall-back scenario if HDX Offloading fails whatever the reason, you may also prefer to leave it as is, however I would strongly suggest creating an emergency fallback HDX Broadcast policy stack but it should be DISABLED and only manually pushed out only if required. The fallback HDX Broadcast policy stack is to preserve the employee experience as best you can if something goes wrong and when I mean something goes wrong I mean a non-Citrix update breaks the optimisation somehow as in reality the Citrix components e.g VDA, HDX Services/API, RTME and Citrix Workspace app are less likely to change within a 12 month period.

6. Citrix’s CR documentation for CVAD is updated to include a digram and overview of “Microsoft Teams and Skype for Business Coexistance” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#microsoft-teams-and-skype-for-business-coexistance.

Managing Employee Experience when Teams HDX Offloading is NOT available
Most folks are not aware that you can control what happens when Microsoft Teams is NOT been HDX offloaded also referred to as Optimised in a Citrix Virtual Apps & Desktops session. You can achieve or rather control the following when “Fallback Mode” occurs either when a the employees connects from an unsupported endpoint + CWa version e.g CWa for HTML5 or they switch from a IT managed endpoint to a BYO endpoint with the incorrect CWa installed (older and unsupported) or IT has not updated the VDA stack within the master image within the Citrix Cloud Resource Location or preferred cloud data centre type.

You can when the optimisation is unavailable enforce no fallback or audio only (suggested and preferred), if you don’t set either of these options the default is to fallback to allowing the Citrix ICA/HDX protocol to do what it does best optimises the remoted session, you can learn more at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#peripherals-in-microsoft-teams.

Suggested “Balanced” HDX Broadcast (Remote Graphics Mode) Policy for Fallback
In 2016 I proposed the following HDX policy for remote graphics “Use video codec for compression” to be set to “For actively changing regions” to preserve the employee experience in a fallback scenario, its now 2019 and my Suggested HDX policy remains unchanged as long as the key goal is to preserve the employee experience to meet that HD experience and it will come at a back-end compute + network traffic spike, including increased network traffic between server and client to process the video H.264/H.265 streams.

Once upon a time I was a SysAdmin and still am at my core so I’ll have an emergency HDX policy in place BUT disabled I call it “HDX Adaptive Display v2 (Balanced)” you configure it as follows selecting the following HDX policies in Studio:

1.”Use video codec for compression” then select  “For actively changing regions
2. “Preferred color depth for simple graphics” then select “16 bits per pixel” and also try 24.
3. Select “Frames Per Second” and select the target FPS to circa 25 from the default which is 30.

NEW 11/10/2019 you could look to utilise “Progressive Mode” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/graphics/thinwire.html#progressive-mode, I have not tested this myself yet however it may work for your organisation if you already have it in-place actively.

I wrote a myCUGC article entitled “HDX Leading Best Practices for your Modern Secure Workspace” at – https://www.mycugc.org/blogs/cugc-blogs/2017/09/15/hdx-leading-best-practices-for-your-modern-secure which has some interesting thoughts and insights from nearly 2 years ago which you may find useful and yes I will write an updated article this year time permitting to complete my testing which requires extensive field testing with different devices I don’t just use a lab + network at home, I base 95% of all my article suggestions of what/how to configure settings vs. practises from my personal lab hosted in AWS EC2 in N.Virginia to delivered to end-points in the City of and Greater London, England so its not definitely poppy cop its real world + life scenarios and use cases that I test.

Suggested “Preferred” HDX Broadcast/RealTime/MediaStream (Remote Graphics Mode, Audio and Video) Policy inclusive of Fallback
YES I am contradicting the above suggested HDX Broadcast fallback policy, which I have now renamed to “Balanced” from my initial post and why it still remains is that it will support organisations of any size vs. scale vs. deployment rollout vs. connected devices supporting a balance between video, audio and the remoted display so when an outage occurs and neither I nor will you know what its going to be impacted for example it could be 1x MPLS circuit failure (tip check out Citrix SD-WAN link bonding demo from Jan 2016 vs. case study vs. product page) vs. degradation of all internet circuits due to bad BGP route injections, you get the idea. I’m cautious being an ex-SysAdmin/Consultant and therefore I will summary the key differentiators from my own perspectives as follows in order:

1. How important is the employee experience? For me personally this is always #1 as today’s 2019 reality, employees want an HD 4K experience consistently therefore my personal advise is utilise the built-in default HDX policies within the Current Release (CR) typically minus 2/3 of current CVAD release with your desired HDX employee experience policy tweaks.
2. Once you understand how the humans (employees) within your organisation work using Skype for Business vs. Teams you will have better context as to the WHAT should be in your fallback policy for DR, business continuity or just individual employee devices going into fallback mode. For example understanding your employees is key lets take a look at a practical example by industry vertical, a call centre employee is more interested in better audio quality with customers vs. a clinician on a video call discussing a patients surgical/recovery plan looking at patient records.
3. Re-evaluate once every 3-4 months by asking, polling quick surveys and looking at the metrics made available in both Skype for Business vs. Teams as lets be honest its not a light switch its a journey from one to the other.

Now that you understand your humans (employees) keeping point 3 in mind and begin building out your HDX employee experience policy which most likely be the using the defaults in the 19XN releases as the HDX product management team have done an brilliant job working with engineering decreasing the amount of toggles and dials to tweak the HDX protocol and its now these days automatically adapting and adjusting to maintain the human (employee) experience.

1.”Use video codec for compression” then select  “Use video codec when preferred
2. Select “Frames Per Second” use the default which is 30 or increase up to a maximum of 60.
3. Select “Visual quality” set to “High” going beyond this will incur high network bandwidth utilisation, but going beyond this is ok but remember if you are having continual networking performance issues unrelated to Citrix or the HDX offloading capability and employee experience has decreased overall think about a micro change for the current window and then revert. An example of using “Always lossless” is the clinician use case described above.

Tech Insight – Microsoft Teams Optimisation with Citrix

What Supported Hardware Can I Use With Microsoft Teams?
Strongly suggested to only use Microsoft Teams certified headsets, speaker phones, conference phones, cameras e.t.c are listed and available at – https://products.office.com/en-us/microsoft-teams/across-devices/devices. Are my existing Citrix Ready thin clients, headsets, cameras e.t.c using with Skype for Business using Citrix’s HDX Offloading capability compatible? You will need to check with your vendor for there support status with the new optimisation pack for Teams and Microsoft Teams as there have been changes made from both Citrix + Microsoft.

Collection of Suggested Troubleshooting for Microsoft Teams HDX Offloading in CVAD
Understand what Audio & Video (A/V) can be re-direction e.g web camera from supported Operating System (OS) vs. Citrix Workspace app (CWa) – https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-workspace-app-feature-matrix.pdf – Citrix Workspace App (Earlier known as Citrix Receiver) Feature Matrix.

1. The Citrix Support site has a detailed article – https://support.citrix.com/article/CTX253754 which covers off multiple topics for troubleshooting failed HDX optimisations in a CVAD session.
2. How do I know if Teams is Optimised? https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#enable-optimization-of-microsoft-teams.
3. Troubleshoot MSFT Teams – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#troubleshoot.
4. Chromebook – Teams webcam audio problem – https://discussions.citrix.com/topic/408319-chromebook-teams-webcam-audio-problem/#comment-2063142.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Did you know that Slack is interoperable with Citrix #SecureMail?

This is paramount to my productivity as I can get context externally from Citrix customers/partners and internally switch an email thread to a slack conversation(s) that are far more memorable and collaborative and if I or the other person is miss understood in anyway we can switch to a #SlackCall at the tap or click of a button and if necessary I can share my local vs. #virtualdesktop screen or view theres to get 360 degree feedback on a presentation, proposal e.t.c Check out – https://slack.com/apps/AAGN5FH9C-citrix-secure-mail to learn more today.

This micro blog post was originally posted at – https://www.linkedin.com/feed/update/urn:li:activity:6543957667881205762.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

How vs. where I worked from in 2018

I’m often asked why Citrix? The answer can be a simple vs. complex one, therefore I choose to demonstrate why Citrix through proactive evangelism by recording myself using my Citrix Workspace actively through-out the year, which initially began in 2016 and lead to the original How vs. where I worked from in 2017 video available at – https://twitter.com/lyndonjonmartin/status/949316537021812736.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Citrix Innovation Award Finalists for #CitrixSynergy 2018

Its that time of the year where you Citrix customers, partners can vote for your favourite Citrix Innovation Award Finalist.

This year see’s a great mixture of customers in different markets all leveraging Citrix technologies as the enabler for transformation within there organisations to embrace a new way of working or #ThisIsHowTheFutureWorks powered by Citrix Networking, Workspace and Security & Platform Analytics from https://www.cloud.com/.

I would encourage you to watch all three videos describing there journey before casting your vote as there is some really great innovation happening within these Citrix customers and if you want to get started visit https://www.citrix.com or https://www.cloud.com/ today.

Beazley from the UK – Insurance

Quote “A new mindset to work wherever I am, because I have the tools that Citrix provides and Beazley…” – @dalesteggles

Health Choice Network, US – Healthcare

WAGO, Germany – Engineering

All the very best to this years Finalists.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

How-to Deploy Citrix XenMobile Server 10.7

The following content is a brief and unofficial prerequisites guide to setup, configure and deploy Citrix XenMobile Server (XMS) 10.7 on-premises prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
NETSCALER – ns
XENMOBILE DEVICE MANAGER – xdm
XENMOBILR APPCONTROLLER – xac
XENMOBILE NETSCALER CONNECTOR – xnc
XENMOBILE MAIL MANAGER – xmm
WINDOWS – win
MOBILE DEVICE EXPERIENCE – mdx
REAL-TIME – r-t
MICRO VIRTUAL PRIVATE NETWORK – mvpn
FIREWALL – f/w
ACCESS CONTROL LISTS – acl
APPLE PUSH NOTIFICATION SERVICE – apns
UNIFIED ENDPOINT MANAGEMEMNT – uem
MOBILE DEVICE MANAGEMENT – mdm
MOBILE APPLICATION MANAGEMENT – mam
MOBILE CONTENT MANAGEMENT – mcm
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
ACTIVE DIRECTORY – ad
TRUSTED NETWORK – tru
FIRST TIME USER EXPERIENCE – FTU

Author Note
Please be aware that I published this article today 19/02/2018 but it should be considered evergreen until I remove this section thank you.

Introduction
This is going to be one of the longest posts that I am about to write so come back from the moment its published over Feb/March/April 2018 as I will most likely be making adds/moves/changes. This blog post serves to provide the most right vs. relevant information to help you better understand how-to deploy the current Citrix XenMobile on-premises server which is 10.7.x.n as of February 2018. I will be writing a follow-up blog post on deploying the XenMobile Service powered by Citrix Cloud – https://citrix.cloud.com/ in due course.

What is XenMobile?
XenMobile is a complete UEM or MEM via https://twitter.com/JJVLebon (mobility) solution for managing apps, data, and devices from a single unified platform with MDM & MAM (mobile apps cut, copy & paste) policies, automated actions for enrolled (supported platforms) devices that will keep employees safe, secure and productive on vs. offline enabling them to work on there own terms.

Preparation & Initial Guidance
I was one of the first set of individuals to pass the very first Citrix Certified Professional – Mobility (CCP-M) exam for XenMobile 9.x.n while at Citrix Summit in Jan 2014. Now that was one very tough exam as you needed to know Citrix NetScaler, XenMobile NetScaler Connector, (ZenPrise) XenMobile Device Manager, StoreFront, Citrix Mail Manager, Citrix AppController, ShareFile Control Plane and of course StorageZones. Its Fen 2018 and its still equally a tough exam to pass even though the XDM + XAC where merged into a virtual appliance now called the XenMobile Server (XMS).

If you have not deployed a mobility solution in the past or your an expert you’ll agree most likely that mobility or UEM/MEM is complex and is consistency changing with new devices, OS upgrades along with new vs. deprecated vs. behavioural changes to MDM APIs, app updates, push API’s vs. MDM platform + vendor signing of certificates and finally oh yes all those MDM ports that you need configured correctly through-out your organisations Wi-Fi network and so the list continues on and on….

In principle when preparing to deploy any mobility solution regardless of vendor, preparation is of paramount important to be successfully. The below is list of how I personally prepare for a mobility PoC for XenMobile on-premises (yes we at Citrix are cloud first and I live IaaS so I’ll be writing another post on deploy a XenMobile Service PoC in the future):

– Start by reading the XenMobile Security Whitepaper – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security-understanding-the-technology-used-by-xenmobile.pdf. This will provide a great insight into our XenMobile, FIPS compliance, how SSL VPN or mVPN for MDX enabled apps behaviour and so much more, that is definitely worth your time!
Configure the XMS with a public routable FQDN and NOT an IP addr if you intend to manage devices externally via the internet vs. internally over corporate Wi-Fi and if your enabling the self-help portal for personal management.
– Utilise the PostgreSQL database option for a PoC’s (up to 100 devices) however this will mean that you need to redeploy the XMS using a remote SQL database for PROD environments as you’ll most likely want to have your XMS v/a in a cluster for high-avaiability. NOTE: Do not pre-create a MS SQL database allow the XMS v/a to create your MS SQL database against the SQL server during the initial setup process when performing the initial FTU within the XMS CLI.
– Utilise local v6 licensing on the XMS v/a for a PoC’s but again for PROD utilise a remote Citrix licensing server which is 100% required to support a XMS Cluster as the XMS v/a are stateless with all the configuration held within the remote Microsoft SQL database.

TIP: You’ll need to active your XenMobile licenses from the available list when configuring the remote v6 license server prior to continuing!

– Create separate mobility admin mailboxes to then be used to create accounts with Apple, Google & Microsoft so that everyone has access to create, sign and revoke MDM push certificates vs. push API’s like FireBase.
– Deciding where to generate all of CSRs for all of your mobility + XMS + NS certs is quiet important not just for the initial PoC but thinking 12 months out when the cert begin to expire where did I generate those certs from now to begin the re-signing process hmmm….??? I prefer in my home lab to generate and renew all my certs on WDC but many SE’s I know will use NetScaler for this and the point I am making is that it does not matter BUT centralise and document the process, passwords e.t.c
– Setup a calendar invite vs. trigger in your choosen support platform to notify the mobility admin mailbox to alert you every 11 months to renew all your certs otherwise you’ll break your MDM deployment e.g no devices under mgmt anymore this applies to ANY MDM vendor to be 100% clear!
– Dont assume that one individual should be deploying the XenMobile (any mobility) PoC themselves as in my experience unless your 100% comfortable with networking, ACLs, SQL DBs, gateways. To be honest most often its 3 people from within the IT team for high security organisation its double I find. Typically the 3 people are the Citrix Admin whom will require help & support from a networking (f/w dude:-)) or netscaler admin and then the SQL guru.
– I typically advise partners and customers to focus and agree on 2x mobile devices and a defined list of UEM policies to configure for testing in the PoC against there use case(s).
– Ensure that all your required ports are opened up correctly in vs. outbound (internet <-> edge <-> dmx <-> tru).
– DO NOT USE A PROD NetScaler deploy a new and fresh NetScaler VPX for your XenMobile (Service) PoC on-premsies vs. your chosen resource location.
If you are intending to MDX wrap or enlighten your iOS – https://developer.apple.com/programs/enterprise/ and Android mobile apps then I’d suggest that you sign-up for the required developer accounts well in advance as some customers & partners have experienced delays up to 1-8 weeks. You have been warned and also ensure that you understand the rules around these dev accounts!
– Disable the ability to perform a Full Wipe of the enrolled devices (in particular for BYO scenarios you don’t want a lawsuit!) or if your not bothered and you would like to test this capability then I’d suggest that you only use new mobile devices that contain no corporate vs. personal content + data during the PoC. Finally my own personal leading best practise is to setup RBAC for mobility admins and remove the full wipe capability completely! 🙂
– Screen record the PoC deployment e.g GoToMeeting so if you make a mistake you can review the recording to understand what you misconfigured and most importantly where on the NetScaler vs. XMS e.t.c is was that the mistake occurred.
– If your not going to utilise a public CA signed certificates (Strongly Preferred) as your deploying the XMS v/a in your home lab only, then when exporting your cert from your Enterprise CA export using the Base64 format and then export as a full chained PFX format cert.
– Deploy the XMS v/a first and attempt to enrol your chosen mobile device(s) and remember those MDM ports you’ll need to make sure they are available over your corporate wifi including the over air enrolment port especially for Apple iOS devices otherwise your MDM enrolment will fail so you’ll be defaulted to only been able to enrol your device for MAM only e.g Secure MDX enlighten mobile apps
– The XMS mgmt. Web UI for administration is restricted from the internet as the mgmt. web UI is only accessible over https://XMS:4443 which is not part of the XM 10 wizard as of e.g NSG 10.5-55.8+ for security harden purposes (double check eDocs to be safe!). This often leads to Mobility/Citrix Admins thinking that they have misconfigured the wizard on the NetScaler when in fact it most likely is your connecting connection on https://XMS-vip:4443 via the VIP owned by the NetScaler but if you connect directly to the XMS’s configured IP addr via https://XMS-direct:4443 you’ll be able to access the XMS Admin Web UI.
– SuGgEsTeD personal tip utilise Mozilla Firefox for configuring and managing your XMS v/a for me it works the best!
– Ensure that all users/admins have first, last name & e-mail addr fields populated in AD prior to any enrolment otherwise they will receive an error e.g “Invalid user for SSO” when users attempt to sign-on.

Pre-requisites & System Requirements
The currently available XMS v/a as of writing this blog article is 10.7.x.n which is where these system requirements have been obtained from dated Feb 2018 – https://docs.citrix.com/en-us/xenmobile/server/system-requirements.html.

Trial Licensing for On-Premsies Only
Citrix Customer Evaluation licenses can be obtained at – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700 if you are having trouble please contact your local Citrix representative vs. partner for assistance and guidance.

Supported Devices
https://docs.citrix.com/en-us/xenmobile/server/system-requirements/supported-device-platforms.html

Certificates
– APNs see below
– SSL Listener used for HTTPS traffic communication e.g like securing your web server with https

AD/LDAP
– Open up 389 between the XMS v/a(s) and your AD server in your trusted network, you can optionally configure secure AD/LDAP on 636 but you will required extra certs for this configuration and its well documented in Citrix eDocs vs. obviously I believe.
– Windows service account for XMS v/a(s) to query AD/LDAP

NetScaler (Unified) Gateway
– Versions 10.5.x.n, 11.0.x.n, 11.1.x.n and 12.x.n (My current preferred firmware release now)
– 2vGPU, 4GB of RAM and 20GB available storage for HDD
– On-premises Hypervisors include XenServer 6.5 or 7.x.n; VMware ESXi 4.1, ESXi 5.1, ESXi 5.5, ESXi 6.0; Hyper-V Windows Server 2008 R2/2012/2012 R2
– Cloud Hypervisors include Azure (ARM is preferred); AWS EC2 not supported for XenMobile.
– NetScaler service account I’d advise against the default which is nsroot:nsroot slightly obvious but I see this time and again can you believe it!!!!
– AD/LDAP service account that is utilised to check validate and authenticate users against your organisations AD/LDAP.
– IP addressing (Please please please pay attention)

1x private static IP addr that is used for the NetScalers IP Addr (NSIP)

1x private static routable IP addr between your DMZ <-> TRU which is referred to a the NetScalers Subnet IP Addr (SNIP)

1x private static IP addr that is used for the XMS

1x public internet routable FQDN e.g uem.axendatacentre.com with 1x public static internet routable IP addr that resolves to 1x private static IP addr in your DMZ that are owned by the NetScaler.

1x public internet routable FQDN e.g mam.axendatacentre.com with 1x public static internet routable IP addr that resolves to 2x private static IP addrs in your DMZ that are owned by the NetScaler one for direct NAT and the other one is for *L/B of the MAM traffic.

Internet DMZ – NetScaler + XMS TRU
nug01 (NetScaler V/A) <-> NSIP 10.1.0.5
SNIP 10.1.0.100
uem.axendatacentre.com <-> 81.x.x.1 10.1.0.20 <-> UEM Listener on XMS
mam.axendatacentre.com <-> 81.x.x.2 10.1.0.21 + *10.1.0.22 <-> MAM Listener on XMS
uem.axendatacentre.com (XMS V/A) <-> 10.1.0.99

SUMMARY
Total private IP addrs required are 6x.
Total public static internet routable IP addrs required are 2x.
Total public internet routable FQDNs 2x.

MDM Certificates for Apple and Firebase Cloud Messaging (FGM) with Android for Mobile Notification Service Capabilities

Apple
Apple’s APNs Certificates portal is accessible at – https://identity.apple.com/pushcert, if you like a technical overview of how APNs works check out Apples developer documentation on the subject at – https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1 its quiet extensive and in-depth.

1. Create an organisation Apple ID at – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId
2. Generate your a CSR on NetScaler – https://support.citrix.com/article/CTX211887 or on a Windows Server e.g WDC using e.g IIS NOTE: Please use 2048 cipher encryption for the cert.
3. Navigate to https://xenmobiletools.citrix.com/ and sign in where prompted with your Citrix.com partner access details.
4. Follow the onscreen process for signing your XenMobile APNS CSR which will return a *.plist file.
5. Login to and upload your CSR to the APNS portal at – https://identity.apple.com/pushcert/ by following the onscreen process.
6. Download the generated *.pem file from the APNS portal to the Windows server that you initially created the CSR on.
7. Import the *.pem file into IIS using the complete a CSR response and specfic a friendly name. NOTE: Optional Import Apples Certificates (*.cer, *.crl) from – http://www.apple.com/certificateauthority/ also see http://support.apple.com/kb/ht5012
8. Export the imported certifcate as a *.pfx and specifiying a password. Note: DO NOT FORGET the password.
9. When prompted during the XMS configuration of the WebUI rememeber to enter the your chosen password and import it’s a keystore -> pfx format and select aPNS as the cert type.

Citrix provides a more detailed how-to and overview at – https://docs.citrix.com/en-us/xenmobile/server/authentication/apns.html.

Firebase Cloud Messaging (FCM)
Google or FireBase Cloud Messaging (GCM or FCM) enables push capabilities for Android vs. implement during enrolment an “Active poll period policy” for the Android handset to check back into the XMS to receive new policies, apps, check compliance e.t.c. Finally note that if you do any research FCM https://firebase.google.com/docs/cloud-messaging/ is the natural evolution of GCM platform, so think FireBase first for Android :-).

1. Create a organisation Google Developer account at – https://console.firebase.google.com/?pli=1, if your keen to understand how it works visit the XenMobile eDocs web page for Firebase at – https://docs.citrix.com/en-us/xenmobile/server/provision-devices/google-cloud-messaging.html.
2. The process to create the push capabilities is in my personal view way easier than APNs as all you need to do is generate an “API Key” and “Sender ID” which is then stored on the XMS at “Settings – > Google Cloud Messaging“. Visit the above URL to learn how to implement Firebase.
3. Please pay attention to the Firebase XenMobile diagram in the above eDocs link which includes the following Firebase ports 5228, 5229 and 5230 between the enrolled XenMobile handset and the GCM platform. Why is this important well these ports will beed to made available from the corporate network outbound like APNs to enable enrolment from within the corporate enterprise or high security environments otherwise you will need to enrol over 3/4G or via home/guest Wi-Fi.

Deploying the XMS v/a
Before you even attempt to begin I’d strongly advise you to read and or print out the following webpage via Citrix eDocs – *https://docs.citrix.com/en-us/xenmobile/server/install-configure.html which contains a Preinstallation checklist and deployment flowchart. My goal in this section to provide some context with some of the deployment options during the initial configuration of the XMS v/a, you can refer to * for full installation instructions.

1. Download the current XMS 10.7.x.n+ v/a from – https://www.citrix.com/downloads/.
2. Unzip the v/a and upload it to e.g Citrix XenServer 7.1 LTSR via XenCenter or you could use any other Citrix supported on-premises hypervisor. Once successfully uploaded check that your v/a has the minimum required computed requirements 2-4vCPU and 4-8GB of RAM assigned (increase to MAX if 10 or more users in the PoC as its all about the experience but for home lab purposes I utilise 2vCPU and 4GB of RAM as I only have 3 devices connected.
3. Start the XMS v/a via XenCenter it will take longer to boot-up if you have assigned the bare min compute resources and if your underlying storage is (shared) HDD based.
4. Once the XMS v/a has started decide if you are intending to create a XMS h/a cluster this is so that you select the correct options during there FTU, otherwise you will need to redeploy the XMS v/a and start all over. Notes:

4.1 – The CLI uses admin while the Admin account used for the Web UI uses administrator, also be aware they are LOWER CASE!
4.2 – Nothing appears when typing in select inputs.

5. Enter in a strong suitable passwd
6. Next you are promoted for network settings the IP addr will be e.g 10.1.0.99 as per my text diagram above.
7. Next your asked about an “Encrypting Phrase” most people select “y” to randomise it however you’ll never know what it is, nor can you obtain file to read it! If you are considering deploying a cluster of XMS v/a for H/A then most individuals will select “n” and create there own “encryption passphrase“.
8. I currently at the moment will not provide any context on FIPS so I will differ to https://docs.citrix.com/en-us/xenmobile/server/install-configure/fips.html#par_anchortitle_8dcb for configuration options otherwise this blog will get out of hand. I will do a follow-up or adjustment to this post in the future to cover FIPS in greater detail.
9. Next your asked about configuring a database for the v/a to store configuration information. The “l – Local” option will enable PostgreSQL which is now only supported for customer PoC’s while historically prior to Citrix acquiring ZenPrise is was a supported configuration but that was 5+ years ago under XDM, so be 100% clear PostgreSQL is for PoCs ONLY with a XMS v/a! It is also NOT supported with XMS clusters as the v/a’s are stateless relying on the SQL database for configuration information e.g users, policies, delivery groups e.t.c so you require a “r – Remote” SQL database.

TIP:

9.1 – Let the first XMS v/a that you configure as part of the your XMS cluster create the required XM database itself DO NOT pre-populate a database name on your MS SQL database cluster vs. server!
9.2 – If you select to enable XMS clustering you will need to enable port 80 within the XMS f/w ACL and do this BEFORE performing a clone to create your XMS cluster. Also in high security environments remember to include in your submitted ACL to allow the XMS v/a’s to communicate over TCP port 80 to enable R-T comms between all v/a members within the cluster.
9.3 – Finally Citrix does NOT support DB migration e.g PoC to UAT-PROD environments.

10. The most important step that I often see vs. hear vs. receive requests about is what do I type in for the “XenMobile hostname”? Please type in the fully qualified and internet routable FQDN e.g uem.axendatacentre.com, what does this mean? It means that if your where to type in uem.axendatacentre.com on your device that you reading this blog post inside the corporate file or at home it is reachable. Please do not type in e.g xms01 and then internal vs. external DNS entries are entered in for uem.axendatacentre.com to xms01 this will NOT work properly and devices will NOT enrolling you have been warned! If you do this you will beed to START all over with a fresh XMS v/a!
11. For the XMS comm port requirements i.e the v/a communicates with the users (SHP) and devices (UEM or MDM/MAM) it is perfecting fine to accept the defaults ports here unless you a high security organisation + e.g Bank, Government agency e.t.c and want to further harden yourself however remember the most complexity you add e.g changing ports here will mean that you will need to adjust the auto defined ports on the NetScaler if you do the XenMobile Wizard on the NetScaler v/a.
12. Skip the upgrading from a previous XMS version as its a PoC
13. Next we get to the Public Key Infrastructure (PKI) which I’d prefer to configure configure all the certs with the same passwd or pass phrase or you can define a different passwd or pass phrase for each of the four certs (root, intermediate for device enrolment, intermediate for SSL cert and finally an SSL for your connectors +. Finally you’ll require the eXaCt passwd(s) for an XMS v/a within your h/a cluster.
14. Finally now create a passwd for the default “administrator” account. I would personally as my own leading best practise make the CLI admin vs. Web UI administrator passwords different for security purposes as one member of the team maybe the hypervisor admin whom does all the CLI stuff aswell while the Mobility admin handles all the logical configuration via the Web UI administrator account.

TIP:

14.1 – Make both admin, administrator passwords random and securely store them BUT separately from one another. Setup and assign AD domain admins security group as FULL Administrators of the XMS v/a via RBAC – https://docs.citrix.com/en-us/xenmobile/server/users/rbac-roles-and-permissions.html.

15. Once you select “Return” to above set the initial configuration is stored and you are prompted to upgrade from a previous release please select “n” which is also the default! The XMS v/a will stop and start the app and once its completed the you see a FQDN e.g https://10.1.0.99:4443/ this now indicates that you can complete the Web UI part of the XMS v/a setup and configuration. Note this can take up to 5-7 mins dependant upon how much vCPU, RAM that you assigned to the v/a and if your on SSD vs. HDD storage this will speed up the process naturally.
16. The biggest mistake Mobility/Citrix Admins makes with XenMobile is that when they attempt to access and configure the Web UI part of the setup they will typically access it via the NetScaler owned VIP for uem.axendatacentre.com <-> 81.x.x.1 <-> 10.1.0.20 when they should be accessing the direct IP addr of the XMS v/a <-> 10.1.0.99. Most individual do this to test there NetScaler setup, please DO NOT setup the NetScaler do it after you have setup the XMS v/a. Finally the reason you can’t connect to the Web Admin UI via the NS VIP e.g https://uem.axendatacentre.com:4443 either internally or externally is that the NS disables 4443 via the VIP to harden and protect the Web Admin UI from the Internet so you’ll need to connect to the direct XMS v/a <-> 10.1.0.99 IP addr on https://10.1.0.9:4443. Once your at the login prompt of the Web UI type username “administrator” and your chosen passwd and “Sign-in” and the “Get Started page” appears only once to complete the Admin Web UI part of the XMS v/a setup and configuration.
17. The first web page provides an overview of the available licensing configuration options, for a PoC or if its your first time using XenMobile then I’d suggest that you utilise the built-in 30 day evaluation license to give you time better understand how to configure XenMobile so that you can enforce the required UEM policies against devices vs. (MDX) apps. If you intend to deploy a XMS h/a cluster then like the XMS database you’ll need to setup or make use of your existing remote v6 Citrix licensing server however IMPORTANT make sure that this lic server version meets the minimum release requirements of 11.12 for 10.7.x.n XMS firmware/release version. If you choose to use the 30 day trial LOCAL license servers on XMS and now wish to use a REMOTE lic server then please refer to https://docs.citrix.com/en-us/xenmobile/server/system-requirements/licensing.html. I would also suggest to test from each XMS v/a(s) within your cluster that you can successful connect to the remote v6 lic server which is available under the Wrench icon -> Licensing.
18. Next its cert mgmt. and a word of caution as this catches everyone out is that after uploading any certs reboot the XMS v/a(s) is required in order for the new certs to bound to the SSL listener interfaces and the existing ones to be unbind! You’ll need at this point your APNs and SSL certs for e.g uem.axendatacentre.com to upload the XMS v/a when importing your certs follow:

SSL Listener
Import: Keystore
Keystore Type: PKCS#12
Use as: APNs and or SSL Listener
Keystore file: Password: *********
Description: Date uploaded and what is it? APNs vs. SSL listener?

For in-depth information on Cert types and how-to’s for XenMobile check out – https://docs.citrix.com/en-us/xenmobile/server/authentication/client-certificate.html which includes guides on configuring PKI Entities, certificate-based authentication for SecureMai and finally NS cert delivery in XenMobile.
19. NUG

Wrench icon -> NetScaler Gateway
Authentication: ON (default)
Deliver user certificate for authentication: OFF (default)
Credential Provider: (default)

Select “Add”

Name: NUG
Alias: (default)
External URL: https://mam.axendatacentre.com
Logon Type: Domain only (default)
Password Required: OFF (default)
Export Configuration Script: Allows you to download conf bundle to upload to NUG to configure XenMobile. I prefer to do this manually myself.

Select “Save”

Next add the following to your NetScaler Gateway configuration on the XMS.

^Callback URL: FQDN to verify that the request originated from NetScaler Gateway BUT make sure the callback URL resolves to an IP addr that is reachable by the XMS v/a(s)
^Virtual IP: 10.1.0.21 (See text diagram above in HTML table format)

^ These settings are optional.

20. Next your promoted to setup your AD binding I always prefer using an FQDN vs. IP Addr here as IP addr’s can change however FQDN’s typically don’t otherwise a lot of things in your environment will break.

AD Binding
FQDN: ldap.axendatacentre.com
Port: 389 (Leave defaults unless changed within high security environments)
Domain name: axendatacentre.com
User Base DN: ou=Users,dc=axendatacentre,dc=com (I am just using the AD default location of the Users OU here when you would have setup AD so configure to meet your organisations default OU location of Users)
Group Base DN: cn=Users,dc=axendatacentre,dc=com
User ID: XMS AD service account used to query your AD e.g xms@axendatacentre.com
Password: *****
Domain Alias: axendatacentre.com (yours maybe different)
XenMobile Lockout Limit: 0 (default)
XenMobile Lockout Time: 1 (default)
Global Catalog TCP Port: 3268 (default)
Global Catalog Root Context: (default)
User search by: userPrincipalName (preferred for the modern world)
Use secure connection: (default)

21. Final configuration you’ll need to do is to setup XMS notifications – https://docs.citrix.com/en-us/xenmobile/server/users/notifications.html which is required for things like bulk enrolment (users e-mail addr must be in AD field), communicating with users when automated actions are configured and users have violated your organisations UEM strategy.
22. Now please logout of the Web Admin UI and log back into the XMS CLI via your chosen hypervisor and follow the below instructions to reboot your XMS v/a

Reboot XMS v/a
– Select “[2] System”
– Select “[10] Restart server”
– Select “Y”

Your XMS v/a will begin to restart and once it is successfully rebooted navigate to the XMS v/a direct FQDN https://uem.axendatacentre.com or IP addr and check that the HTTPS cert status in your internet browser to ensure that it is no longer self-assigned by the XMS v/a but matches your uploaded SSL cert bound the SSL Listener.

Fronting your XMS with a NetScaler v/a

1. Coming… but in the interim start with https://docs.citrix.com/en-us/xenmobile/server/authentication/netscaler-gateway-and-xenmobile.html.

Troubleshooting & Leading Best Practises
1. Citrix provides a XenMobile tools platform available at – https://xenmobiletools.citrix.com and also be sure to please refer to XenMobile compatibility documentation – https://docs.citrix.com/en-us/xenmobile/server/system-requirements/compatibility.html for compatibility of devices vs. MDX apps + release versions.
2. Users receive Profile Installation Failed The server certificate for “https://XM-FQDN:8443” is invalid when enrolling a device against XenMobile when using iOS devices. I have personally have not seen this issue occur again for quiet some time but I thought its worth including encase it reappears in the future. So what causes this issue? It is to do with the private key of your *.p12 or *.pfx full chained SSL/TLS cert and appears to only occur when exporting your cert from a new CSR on a Windows OS. To resolve the issue I’d suggest that you download, extract and run the DigiCert Certificate Utility available at – https://www.digicert.com/util/ on the originating windows server that you generated your CSR on for tier XMS v/a for your SSL Listener cert e.g HTTPS. Next follow the guide available from Digicert at – https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm to help you find and export your XMS v/a HTTPS cert correctly (advise to use TEST feature button before export) and re-upload it to the XMS v/a and remember to REBOOT the XMS v/a(s) when you change any certs on the XMS v/a(s)!!! You should now be able to begin re-enrolling your devices BUT I would strongly advise to remove any MDM certs via Settings in iOS and then delete SecureHub and re-download it and now the enrolment error messages should no longer appear to your users while enrolling there iOS devices.

2017 UKI #CitrixPartnerLove Challenge #8 Find My Location

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at https://t.co/TutUZ9taVS to print.

My New Secure Workspace Ready in less than 15 min the #CitrixLife

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Overview
Today I received my new Mac, yes I’ve decided to move from a PC to a Mac for various reasons (those whom know me are probably going really!?) but I still have a Windows 10 tablet PC which I use regually at home, but most importantly my Windows 10 Citrix issued virtual desktop powered by XenDesktop (Citrix on Citrix) follows me anywhere with Citrix Receiver or the HTML5 Citrix Receiver!

I didn’t even turn on my old PC I just started working within less than 15 min from my new MacBook connected to my Win10 VD via Receiver and i’ll just sort out what I need locally like Reflector, NAMP e.t.c over the weekend as its a busy week post our local partner event Citrix Partner Accelerator.

What Did I Do?
1. Unboxed my new Macbook
2. Plugged in the power and pushed the power button its been a while since I’ve heard that CHIME 🙂
3. Completed Apples on-boarding process including setting up iCloud including connecting to the Citrix employee Wi-Fi from our London, Paddington offices check it out at – https://twitter.com/CitrixUK/status/834742107055259650
4. Next I opened Safari and navigated to http://receiver.citrix.com and it auto detected for me that I am connecting from a Mac and presented me with a download link to Receiver for Mac 12.4.
5. Once downloaded I installed it simple!
6. Opened Citrix Receiver and i entered in my addr which then prompted me for my Citrix employee username, passwd and 2FA Token
7. BOOM Receiver synced all my virtual apps & desktops that I had previously selected on other device(s) within a few moments of signing in
8. I clicked on my Windows 10 Virtual Desktop powered by XenDesktop and my new mobile #SecureWorkspace is ready to go within less than 15 minutes!

Understanding XenApp & XenDesktop 7.12 and What’s New

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops powered by XenApp & XenDesktop 7.12 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
LOCAL HOST CACHE – lhc
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
FLEXCAST MANAGEMENT ARCHITECTURE – fma
EXPERIENCE 1st – x1
INTERNAL – int
VIRTUAL DESKTOP – vd
VIRTUAL APPS – va
DATA TRANSPORT LAYER – edt

What’s New XenApp/XenDesktop 7.12
1. Yes it’s now avaiable & back “Local Host Cache” or LHC as it was most commonly reffered to previously and its back now within XAD 7.x Flexcast Mangagment Architecture (FMA) platform and everything you need to know is avaiable at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/local-host-cache.html* & https://www.citrix.com/blogs/2016/12/07/local-host-cache-for-fma/ but a few note worth points to mention below followed by an overview of LHC vs. Connection Leasing by a Citrix XenApp & XenDesktop PM Craig. I have also embedded a how-to enable below along with a basic and brief architectural overview of LHC in XAD 7.12 which is powered by FMA and not IMA which is for anything XA 6.5 and below.

N.B LHC is disabled by default to enable it open up PowerShell in Admin mode or launching a PowerShell session using Studio and enter in the following “Set-BrokerSite -LocalHostCacheEnabled $true -ConnectionLeasingEnabled $false” once the command completes execute the following cmdlet “Get-BrokerSite” and check that the following value of “LocalHostCacheEnabled” is set to “True“. Note that CL is now also disabled and both CL and LHC should not be running simultaneously together as this is not supported.
– VDAs re-register with the elected XAD controller (broker)
– Support for up to 5K VDA’s
– LHC services “High Availability Service” performs shadow copy of the control info that the XAD Controller requires and the “Configuration Sync Service” will sync control info/data.
– Adequately size your XAD controllers correctly to account for the compute load required during an outage, please ref to the “RAM size” and “CPU core and socket configuration” sections under “Design considerations and requirements” at LHC documentation at – *.
– LHC utilises Microsoft SQL Server Express LocalDB and is auto installed when you install the XAD 7.12 controller and is installed regardless of weather LHC it enabled or not.
– Local Host Cache is enabled if connection leasing was disabled before the upgrade vs. Local Host Cache is disabled if connection leasing was enabled before the upgrade.
– To force an outage to test LHC in your home lab or organisations test/uat environment on the XAD controller open regedit as a Admin navigate to HKLM\Software\Citrix\DesktopServer\LHC” thereafter create a registry key “OutageModeForced” and set the value to 1 to force an outage mode once you have completed your tests then revert the value to 0. I would suggest prior to attempting to perform this test place a load with a few test by active users for Server VDA based workloads (XenApp) to best understand how LHC works in a failure scenario.

2. Thinwire Compatible Mode 8-bit color depth support (7.12 VDA only otherwise fallback to 24-bit by default) which is configured by select the following HDX policies.

– “ Use video codec for compression” and ref to http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/ica-policy-settings/graphics-policy-settings.html#par_richtext_bc19 for a list of avaiable configurations please note that if configured for the entire screen then 8-bit is NOT SUPPORTED!
– “Preferred color depth for simple graphics” and select the “8-bit” value

3. HTML5 video redirection is now available for INT web sites (disabled by default) and can be enabled by configuring the “Windows Media Redirection” by referring to http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/ica-policy-settings/multimedia-policy-settings.html#par_richtext_5 and you also need require to add the following “JavaScript files are located in %Program Files%/Citrix/ICA Service/HTML5 Video of the VDA installer to your website” a sample external test web page can be found at the “HDX HTML5 video redirection test page at – https://www.citrix.com/virtualization/hdx/html5-redirect.html
4. Azure Hybrid Use Benefits support e.g enable or disable support for the Azure Hybrid Use Benefits (HUB).
5. Record sessions based on client IP addr or range, TLS 1.2 encryption during data transfer and finally highlight idle periods in Player
6. NetScaler UG now supports H/A of HDX Framehawk – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/hdx/framehawk.html with supported NS firmware builds for Framehawk which include 11.0.62 & 11.0.64.34 (+ preffered).
7. HDX Enlightened Data Transport (for evaluation only) or “EDT” – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/ica-policy-settings.html.

Very High Level Overview*

Adaptive Display
EDT
(Evaluation Only)
TCP
UDP
High Defintion eXperience (HDX 

– Only VDA’s configured with IPv4 addressing is supported
– Requirements XAD +VDA 7.12, StoreFront 3.8
UDP setup on 1494 and 2598 on the VDA remember this is typically TCP but now must also be for UDP
– Enable policy setting “HDX Enlightened Data Transport“. Remember its DISABLED by default and you can setup 3x values “Preferred” UDP data transport is used where possible with a fallback to TCP, “Diagnostic mode” forces a UDP data transports with a fallback to TCP & “Off meaning TCP is used & does’nt affect HDX RealTime”
– If you are evaluating this then please refer to the “Tech Preview of New Adaptive Transport in 7.12” forum at – http://discussions.citrix.com/forum/1663-tech-preview-of-new-adaptive-transport-in-712/
– Note when testing directly from eDoc’s “the new data transport layer (“EDT”) is allowed by default in Citrix Receiver for Windows, however, by default, it will only attempt to use EDT if the setting in the ICA file for HDXoverUDP is Preferred or On” also please ref to the notes relating to Receiver on Mac’s

You can learn more about this evaluation by reading the following blog posts – https://www.citrix.com/blogs/2016/12/14/overcoming-latency-to-serve-a-global-user-population/* and https://www.citrix.com/blogs/2016/12/08/take-a-look-under-the-hood-of-next-generation-hdx/ by Citrix’s HDX PM Derek.

8. You can very easily setup and try XenApp 7.12 in Microsoft Azure today via Azure Marketplace by searching for “XenApp 7.12” or click the following link – https://azure.microsoft.com/en-gb/marketplace/partners/citrix/citrix-xacitrix-xa-trial/ after signing into the Azure Portal at – https://portal.azure.com/.
9. Tagging with “App Groups” now provides the ability to a tag a VM(s) so that when published virtual apps in Application Group or virtual desktops in a Delivery Group are restricted to launch from VM(s) that have been tagged.

10. Advanced Reboot Schedules

11. In StoreFront 3.8 you can create multiple IIS sites and thereafter use the following PoSH cmdlet below to create a StoreFront deployment within your own IIS sites – http://docs.citrix.com/en-us/storefront/3-8/plan.html. What does this actually mean? You can host multiple RfW sites (stores) with each having its own domain name. In order to create your custom websites in IIS for your Stores and ReceiverforWeb firstly open up PowerShell using Studio (Simple way) then close Studio. Next you MUST ensure that NO other StoreFront MMC snap-in consoles are open within your StoreFront cluster and also on the individual Windows server (minimised) that you are setting up IIS sites. StoreFront will disable the mgmt console and displays a message. TIP: To learn how-to setup IIS sites/website please visit – https://support.microsoft.com/en-gb/kb/323972

– From your open PowerShell window enter in the following which will create a custom IIS site/website for virtual apps and one for virtual desktops
– Type “Add-STFDeployment -SiteID 1 -HostBaseURL “https://www.storefront.app.com”” (Virtual apps)
– Type “Add-STFDeployment -SiteID 2 -HostBaseURL “https://www.storefront.desktop.com”” (Virtual desktops)
– Type exit and close the Powershell window prior to opening up Studio or a StoreFront MMC snap-in on any server in the StoreFront cluster

12. Although this one is not strictly new to StoreFront 3.8 and XenApp/XenDesktop 7.12 its often an overlooked feature (For CTX SysAdmins) which is the ability to securely export and then re-import your entire StoreFront configuration including using PoSH credentials for (de)encryption of the backup configuration. To learn more please check out – http://docs.citrix.com/en-us/storefront/3-8/export-import-storefront-config.html and use the feature prior to any StoreFront upgrades or migrations.

Deprecation Forecast
I would strongly recommend that you review and understand the Deprecation forecast announcements made during the XenApp/XenDesktop 7.12 release which is avaiable at – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/whats-new.html#par_anchortitle_5da8.

Front XenApp 7.11+ in Azure with NetScaler (Unified) Gateway 11.x.n

The following content is a brief and unofficial overview of how-to front your virtual apps & desktops powered by XenApp 7.11 with NetScaler 11.x.n using Microsoft Azure (ARM). The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions, best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENAPP – xa
XENSERVER – xs
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
INDEPENDENT COMPUTING ARCHITECTURE – ica
NETSCALER – ns
NETSCALER UNIFIED GATEWAY – nsug
AZURE RESOURCE MANAGER – arm
IDENTITY ACCESS & MANAGEMENT – iam
MULTI-FACTOR AUTHENTICATION – mfa
SECURITY ASSERTION MARKUP LANGUAGE – saml

Why this Blog Article?
I’ve had a lot of cloud 1st strategy conversations with IT Pro’s, Citrix SysAdmins & organisations alike recently so I thought everyone whom is searching for how-to front XenApp with an Azure NetScaler could benefit from this blog post :-). This blog post covers a how-to even with NetScaler in single IP mode to achieving https://FQDN (Image 2) for the gateway vs. https://FQDN:8443 (Image 1) when deploying NetScaler in Azure (ARM).

Deploying NetScaler 11.x.n using Azure Resource Manager (ARM)
1. Login to https://portal.azure.com
2. I presume that you have setup a your network, IAM if not refer to https://azure.microsoft.com/en-gb/get-started/ for getting started how-to from Microsoft.
3. Click on + New in the top left of the ARM web ui and type in NetScaler and select NetScaler VPX Bring Your Own License or for a quick review check out – https://azure.microsoft.com/en-gb/marketplace/partners/citrix/netscalervpx110-6531/.
4. Click Create
5. Enter in a name for your NS virtual appliance e.g ne1nug01 and select the VM disk type
5. Enter in a username and choose auth to be either SSH public key or Password I choose password to access the NS Admin WebUI for simplicity of all readers of this blog.
6. Select your chosen of default Subscription if you have more than one and then select your existing Resource Group where you XenApp 7.11+ environment and XenApp 7.11+ VDA Workers and your mgmt. VM running AD/DNS server resides. Remember I am keeping this simple as it’s intended for PoC’s only!
7. Continue to select your chosen Azure instance for NetScaler I choose DS2_V2 Standard which consists of 2 Cores, 7GB of RAM.
8. Select your storage account, virtual network & subnet e.t.c and high availability set then click Select to continue.
9. Review your purchase of NetScaler and then click Ok to purchase and Azure will begin building your NetScaler VPX in your Azure chosen subscription which will take no more typically than 10 minutes.

Setting up & Licensing your NetScaler on Azure
Firstly be aware that when deploying a NetScaler instance on Azure for virtual apps & desktops you’ll be setting up NetScaler to run in single IP mode (YES!) which means that you’re connecting to internal TRU resources on the NetScalers IP addr (NSIP) but you connect using different ports e.g ICA Proxy on 8443 so lets begin with the setup.

1. Login into your NetScaler using the NS Admin Web UI do not provide a SubnetIP Addr (SNIP) just select Do It Later and proceed with the initial setup as per normal.
2. Now that you have setup your NetScaler you need to license it so remain logged into and open a new tab in your browser of choice and Google “Citrix Eval Store” or save this link – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700
3. Select under Networking -> NetScaler ADC
4. Next select the following model “VPX” select variation e.g “Platinum 1000” select duration e.g “90 Days”.
5. Complete the onscreen process note that you will require a .Citrix.com account or you need to create an account.
6. Once you receive an e-mail with your key/code head over to at https://www.citrix.com/account/toolbox/manage-licenses/allocate.html or goto and select find and allocate your licenses or look for the licensing button (link) and select it.
7. If your key/code it not visible select “Don’t see your product?” in text in/around the top right-hand side. A pop-up appears now enter in the code provided on e-mail from the Citrix Eval Store e.g “CTX34-XXXXX-XXXXX-XXXXX-XXXXX” and continue.
8. You will need to enter in the Host Id of your NetScaler it can be found once logged in using the NS Admin Web UI “NetScaler -> System -> System Information” then look under the heading “Hardware Information” and you find “Host Id” copy and paste it into the required field and then download the license file.
9. In the NS Admin Web UI click the cog icon top right then select licensing and upload the license and select to reboot the NS to apply the license.
10. Log back in and enable the features that you require e.g right click on the “NetScaler Gateway” and select “enable” e.t.c

Setup Type Choice 8443 Default without an Azure L/B for XenApp using the XenApp/XenDesktop Wizard
Now that you have setup NetScaler within your Azure subscription in your chosen region you’re ready to begin setting up NetScaler to front virtual apps & desktops (Server OS 2012 R2 or 2016) powered by XenApp 7.11+.

Sample Text Based Diagram

User Azure NetScaler StoreFront XenApp
https://FQDN:8443/ Accepts requests from Azure to NSIP on https://8443 (Single IP Mode) Accepts requests on the Gateway & Call-back FQDN on https://FQDN:8443 Accepts & launches user’s virtual app(s) & desktop(s) as requested

1. Login to your NetScaler VPX click “Settings -> Licensing” now check that License type is Platinum and Model ID 1000
2. Select the XenApp/XenDesktop wizard and review the prerequisites carefully prior to continuing BUT in summary you’ll need an SSL Cert, LDAP service account + details, XenApp 7.11+ environment with StoreFront.
3. Enter in the static IP addr assigned by Azure or OTHER METHOD of your NetScaler VPX YES that’s right!
4. IMPORTANT STEP: Change the default port of 443 to 8443 on the Gateway IP addr
5. Set Up the rest of the XAD wizard as normal
6. IMPORTANT STEP: Setup StoreFront to allow remote access however the configured default gateway and Call-back FQDN addresses MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu
7. Setup external DNS entries e.g go.x1co.eu to point to your NetScalers static IP addr found in the Azure ARM Web UI and once you have verified it is functioning correctly using a shell (IPCONFIG /FLUSH after settin-up the DNS entries waiting 10-15 min depednant upon your ISP) the open up an internet browser and type in e.g https://go.x1co.eu:8443 and dont forget the :8443 at the end of the FQDN.
8. Attempt to login either using sAMAccountName e.g username or userPrincipalname e.g username@x1co.eu and then you should be able to successfully login and launch your virtual apps & desktop as per the below image.

Image 1


Setup Type 443 for XenApp using an Azure Load-Balancer & the NetScaler XenApp/XenDesktop Wizard

Sample Text Based Diagram

User Azure Azure Load-Balancer NetScaler StoreFront XenApp
https://FQDN/ https received request and forwarded to NetScaler on https://FQDN:8443

Accepts requests from Azure L/B on https://FQDN fwd to NSIP on https://8443 (Single IP Mode) Accepts requests on the Gateway from HTTPS://FQDN but the Call-back FQDN is on https://FQDN:8443 Accepts & launches user’s virtual app(s) & desktop(s) as requested
https://FQDN ↔ AzureL/B ↔ NetScaler:8443 NetScaler https://FQDN:8443 ↔https://FQDN StoreFront StoreFront Call-back https://FQDN:8443
StoreFront configured NetScaler Gateway https://FQDN

1. If you are choosing this option as your preferred lets hope then complete steps 1-5 and also step 7 to save you time!
2. IMPORTANT STEP: Setup StoreFront to allow remote access however the configured default gateway MUST BE e.g https://go.x1co.eu NOTICE NO :8433 YES not :8443 here. Now on the call-back FQDN addresses YOU MUST include 8443 e.g https://go.x1co.eu:8443 instead of just https://go.x1co.eu otherwise fronting NS with an Azure L/B to acheive HTTPS://FQDN for the XAD Gateway (ICA Proxy) will NOT WORK!!!!
3. Now switch to the Azure ARM Web UI. You should probably read the following useful resources – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-overview/ and for PowerShell creation check out – https://azure.microsoft.com/en-gb/documentation/articles/load-balancer-get-started-internet-arm-ps/ for any Citrix consultants out there.
4. Azure Load-balancer and click on the “+” at the top and provide a “Name” and for the type choose “Pubic” and select your Azure “Subscription” “Existing Resource Group” and its location (Same as NetScaler deployed instance) then click “Create”
5. Now it will list the available public IP addr just select the “+”
6. Enter in a name and choose your assignment choice “Dynamic” vs. “Static” and click OK.
7. Azure will then provision your Azure L/B (Wait….Maybe coffee or tea break?)
8. Once created select your Azure L/B
9. Select “Backend Pools” enter in a name then choose your availability set and then your VM’s or VM e.g NetScaler. Azure will then provision your Azure L/B with a backend pool (Wait….)
10. Select “Frontend IP Pool” click “+” enter in a name then choose your IP addr e.g NetScaler VM and then enter in a name (all names should differ makes identification easier so a good naming convention helps 🙂 now) and choose your assignment choice “Dynamic” vs. “Static” and click OK (Updating….)
11. IMPORTANT STEP: Select “Inbound NAT Rules” select the resource from your Frontend IP Pool list from the previous point (10). Select the service “HTTPS” and port to be 443 then select the target “NetScaler VM” and then vErY iMpOrtAnt select under “Port Mapping -> Custom” and in the “Target Port enter in 8443” and click save. (Wait…)
12: Now navigate to https://FQDN and attempt to login either using either sAMAccountName e.g username or userPrincipalname e.g username@x1co.eu and thereafter you should be able to successfully launch your virtual apps & desktop published by XenApp 7.11+. The below image represents the end goal when fronting an Azure NetScaler in Single IP Mode with an Azure Load-Balancer as per the below image.

NetScaler VPX in Azure Deployment Guide
http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/NetScaler-VPX-in-AZURE-Deployment-Guide.pdf

Advanced Setup & Configuration
The following how-to’s are from a 2016 Citrix Technology Advocates (CTA) – https://www.citrix.com/blogs/2016/05/23/expanding-recognition-for-community-contributors-citrix-technology-advocates/ Dave Bretty – http://bretty.me.uk/ which covers off how-to setup and configure FAS, NetScaler SAML/ADFS Proxy, Azure MFA and much more, so follow the links in order listed below.

1. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-1/
2. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-2/
3. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-3/
4. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-4/
5. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-5/
6. http://bretty.me.uk/putting-it-all-together-citrix-xendesktop-adfs-azure-mfa-netscaler-unified-gateway-and-citrix-fas-part-6/

Think Workspaces not 1995?

The views expressed here are my own and do not necessarily reflect the views of Citrix

Why
We now live in a world or era that is always on, digitally connected and contextual.

Users demand the same if not a BETTER user experience (UX) in there workplace or workspace environment as there UX at home with on-demand content, fibre broadband e.t.c is simple, fast, efficient, rich with an HD experience.

Deploying a next generation workplace strategy today in 2016 and beyond is fundamentally as critical as e-mail, unified communications e.g Skype4B vs. deploying your IT infrastructure for business continuity purposes in the unlikely event that disaster strikes.

Comparing The Same Holiday 21yrs Apart
So you maybe thinking well I don’t really gain anything from deploying a next generation or workspace in 2016 right?

Here is one of my own personal comparisons or one of the many ways I describe my workspace which for me is a mobile workspace.

It’s 1995 your on holiday with friends and family at the seaside and you want to watch a video at your seaside holiday home so you goto the video store and browse the movies by genres, select a few and perhaps buy some popcorn (fav your choice of course) and then rent a TV along with the VHS player. You take it home plug it in and watch the first movie happy times! It’s time for a quick comfort break select another bag of popcorn before starting the second movie and sure enough your off in 10-15 min more happy times!

It’s now 2016 this time it’s you on holiday at the seaside with your own children and there friends but there is NO video store anymore or you just don’t care to go out so instead your checking for 3/4G or Wi-Fi connectivity and how good it is, which you sort out some how 🙂 and now your browse then stream a few movies from the movie store on your tablets in some app (kids vs. you) and within a few min the kids are quiet and your off to the kitchen to microwave some of their favourite popcorn which your previously bought on the way at the supermarket to your holiday destination which now also equals happy times!

Outcome
Ultimately both holidays provided that feel good feeling with different but Rich & also HD experiences for there respective times but in today’s world we need to allow users to be agile, dynamic in the way that they want to work but still provide that UX that meets the old workplace or holiday experience along with today’s new digital rich & HD experiences.

What am I saying here?*

You need to bridge the divide or gap so to speak between those comming into the workforce today vs. those exsiting by implmenting a *software-defined workplace to enable workspaces that blend the best of 1995 and 2016 experiences together but working together smarter e.g use secure electronic form apps powered by EMM with workflows on a tablet vs. paper based static print outs (http://thinkbeforeprinting.org/) with comments on the side of the paper or the back which is then scanned to be sent via e-mail at the office.

Now you can fill-in the electronic form over a cup of coffee with your customer along with other employees at their premises discussing how much faster this process now is vs. the paper based approach over the telephone while you were back in the office and then coming to visit them once they downloaded the e-mail and scanned attachment on dial-up the previous day!

You could also undercover new business while building a better and stronger customer relationship. Finally if my holiday comparison between 1995 vs. 2016 to embrace a workspace doesn’t make sense to you then I’d encourage you to watch the embedded video below.

Citrix Helps You Say Yes