myCUGC announces Citrix Technology Advocates (CTA) class of 2017

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Today Citrix community leader Stephanie Roper – https://twitter.com/Roperjs announced the class of “Community Champions: Citrix Technology Advocates (CTA) for 2017” at – https://www.mycugc.org/blog/community-champions-cta which I have been honoured and humbled to become part of with a few other fellow Citrites whom consistently like our fellow CTA’s and CTP’s for that matter advocate and more often than not eat, sleep and breathe Citrix technologies daily. Finally thank you to, Stephanie Roper for leading the CTA programme, the #myCUGC team https://www.mycugc.org/ and of course the great company that I work for which is of course https://www.citrix.com.

2017 UKI #CitrixPartnerLove Challenge #8 Find My Location

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at https://t.co/TutUZ9taVS to print.

2017 UKI #CitrixPartnerLove Challenge #7 Stop the Difference

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at https://t.co/nqooPlWElw to print.

SAML Sign-in to Virtual Smartcard for Virtual Apps & Desktops

The following content is a brief and unofficial prerequisites guide to setup, configure and test accessing virtual apps and desktops authenticated via SAML IdP (Google OAuth) powered by XenApp & XenDesktop 7.14.1+ and NetScaler Unified Gateway 11.1 prior to deploying a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
FEDERATED AUTHENTICATION SERVICE – fas
SECURITY ASSERTION MARKUP LANGUAGE – saml
IDENTITY PROVIDER – idp
SERVICE PROVIDER – sp
USER AGENT – ug
NETSCALER UNIFIED GATEWAY – nug or netscaler ug
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
STOREFRONT – sf

What is OAuth?
Wikipedia definition – https://en.wikipedia.org/wiki/OAuth and Google’s definiton – https://developers.google.com/identity/protocols/OAuth2.

What is SAML?
Wikipedia definition – https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language.

Why this blog article?
For me as organisations begin shifting to a Cloud native or Cloud First (i prefer hybrid cloud) stratergy they begin too embrace PaaS e.g Citrix Cloud, Office 365 BUT a common major problem is where does the users identity live and do I need replicate it (read-only, passwd hashes e.t.c) and secondly mobilising of data repositories is another major requirement vs. problem. ShareFile can help in solving your data mobilisation problems which I will follow up in a separate blog article in the future to expand upon this, but for now back to SAML and Identity.

Utilising the Federation Authentication Service or FAS for short which is part of XenApp and XenDesktop (see feature matrix – https://www.citrix.co.uk/products/xenapp-xendesktop/feature-matrix.html) in-line with NetScaler UG enables organisations to solve numerous problems about identity (where is lives vs. its synced to data centres A through C e.t.c) enabling access to any type of app fronted by NetScaler Unified Gateway working inline with FAS.

NetScaler for me is your organisations front door (knock knock) e.g https://go.axendec.com or if you know me #10 Downing Street from on any device and it controls how the users authenticates requirements e.g AD, AAD, SAML vs. OAuth 2.0, Biometrics (e.g VeridiumID watch – https://www.veridiumid.com/video-citrix-ready-partnerspeak-veridium/ which is Citrix Ready and be sure to check out https://www.veridiumid.com/biometric-authentication-technology/biometric-connectors/), however in this scenario i’ll focus on access from devices that support a modern web browser (HTML5) to keep it simple. The below table depicts a user that has successfully loaded onto NUG with SMAL vs. OAuth 2.0 credentials and they can go left towards SaaS web apps or right towards virtual apps & desktops where FAS + StoreFront + Int Windows CA will generate a virtual smart card from the SAML token passed from NetScaler to SSO onto the required resource e.g Windows Server 2016 virtual desktop.

SaaS NetScaler Unified Gateway Virtual Apps & Desktops
User logins with SAML credentials e.g AAD, Google OAuth 2.0
← SAML or OAuth 2.0 Token →
Office365 XenApp & XenDesktop,
StoreFront, FAS & Internal Windows CA

PoC SuGgEsTeD Architecture Diagram – BASIC
I have gone for a very simple diagram approach here to help those will little to no knowledge on SAML, OAuth 2.0, AD Shadow accts, virtual smart cards get up to speed.

User Login Flow (Not Step by Step its High Level)
1. The user navigates to the SAML IdP logon webpage setup, configured and hosted by NetScaler UG.
2. The user is automatically redirect to the Google auth login web page to authenticate.
3. Once the user is successfully authenticated at Google they are re-directed back to the NetScaler UG and auto signed in and auto redirected (Responder Policy) to the configured Unified Gateway (my use case here) or ICA Proxy vServer.
4. The user can then select from a choice of Full vs. Clientless VPN or Virtual Apps & Desktops (Selected). Note that in the username will be user@domain while still on the NetScaler UG.
5. The user is SSO onto ReceiverforWeb hosted + powered by StoreFront and the user selects to launch an there choosen HDX virtual app and or desktop(s), you’ll now notice that the username is now first, last name.
6. StoreFront initiates and generates a ICA/HDX file for the user while communicating with FAS + internal Windows CA to generate a virtual smart card for the user that will be used to SSO the user onto there requested resource(s) e.g a Virtual Desktop.
7. The user receives the ICA/HDX file and Receiver automatically launches his/her virtual app and or desktop.

Demonstration WhoamI?

PoC SuGgEsTeD Architecture Diagram – ADVANCED

The Actual Login Flow
Coming…*

Pre-requistes & System Requirements – Google OAuth 2.0
1. Navigate to https://console.developers.google.com/projectselector/apis/credentials and sign-in with your Google credentials.
2. Select “Credentials” under API Manager then select to “Create” a Project
3. Enter in a new “Project Name” and read and review Googles EULA and notification service about updates etc.
4. Google will create your Project
5. Select “Create credentials” and from the drop down select “OAuth client ID”
6. Configure “OAuth consent screen” the bare minimum is to select “Product name shown to users” e.g MYProJectName and then select “Save” you can return later and complete …
7. Now you need to create a client ID select the application type to be “Web Application”
Enter in a friendly name:
– For “Authorized JavaScript origins” enter in “:4443”
– https://YOUR-FQDN:4443
– For “Authorized redirect URIs” enter in “:4443”
– https://YOUR-FQDN:4443/oauth/login
– Select “Create” twice
Google will now create your OAuth credentials and a popup screen will appear with your “Client ID” e.g xnxnxnxnxnxnxnxnxnxnx.apps.googleusercontent.com and “Client Secret” e.g 123456789xnxnxn
8. Now store of copy of these for later in a safe please as you’ll need it for the NetScaler configuration later.

Pre-requistes & System Requirements – Citrix
NetScaler
1. Review the deploying NetScaler guide for your chosen resource location at – http://docs.citrix.com/en-us/netscaler/12/deploying-vpx.html. If your wondering what a Resource Location click this link – http://docs.citrix.com/en-us/citrix-cloud/overview/about/what-are-resource-locations.html.
2. Download vs. deploy your NetScaler virtual appliance on your own terms e.g upload and boot on a hypervisor vs. deployed via a IaaS market place.

– Traditional hypervisors configurations for PoC vs. Home purposes only 2vCPU 2-4GB of RAM
– Cloud hypervisors e.g Azure, AWS for PoC vs. Home purposes only 2vCPU 3.5GB or RAM

3. Licensing Your NetScaler
3.1 You’ll need to license the appliance so obtain trial of e.g VPX 1000 and or 3000 from http://store.citrix.com/store/citrix/en_US/pd/productID.278306700/ThemeID.33753000 or search for Citrix Eval Store at Google.com.
3.2 The above link should redirect your to the NetScaler ADC part of the Eval Store
3.4 Select model type of “VPX” then select variation e.g “1000 vs. 3000 Platinum” and for duration select “30, 60 or 90 Days“.
3.5 Complete the onscreen steps and please note that you will require a valid Citrix.com account or you need to create an account in order to complete the trial request to obtain the eval license.
3.6 Once you’ve received your eval license via email navigate to at https://www.citrix.com/account/toolbox/manage-licenses/allocate.html and select find and allocate your licenses or look for the licensing button (link) and select it.
3.7 If your eval license it not visible e.g created by a Citrix rep or one of our partners –https://www.citrix.com/buy/partnerlocator/ select “Don’t see your product?” top right-hand side (small text!). A pop-up appears now enter in the eval lic provided in the format of “NNNN-XXXXX-XXXXX-XXXXX-XXXXX” and select to continue.
3.8 You will need to enter in the Host Id of your NetScaler it can be found once logged in using the NS Admin Web UI “NetScaler -> System -> System Information” then look under the heading “Hardware Information” and you find “Host Id” copy and paste it into the required field and then download the license file.
3.9 In the NS Admin Web UI click the cog icon top right then select licensing and upload the license and select to reboot the NS to apply the license.
3.10 Your NetScaler is now licensed now simple enable the required features that you need vs. require by right clicking a feature e.g NetScaler Gateway select “enable” e.t.c

4. If your in a Public Cloud setup your (Network) Security Groups to allow you external traffic to your NetScaler and i’d suggest that your disable SSH on port 22 from the world and only enable https 443 and use a Windows server + PuTTY within your Azure RG vs. EC2 VPC to interact with your NetScaler. Note: I am keeping it simple here re DMZ/Edge vs. TRU vs. Mgmt networks. Traditional rules apply for Private Cloud setups or WWW vs. DMZ vs. TRU vs. Mgmt networks.

Federated Authentication Service (FAS)
1. Download FAS Software is part of the XAD 7.9+ ISO – https://www.citrix.co.uk/downloads/xenapp-and-xendesktop/ and select 7.15 LTSR
2.
System Requirements – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html
3. Deploy GPO Policies – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html#par_anchortitle_6ba9/
– List + Enable XAD Broker/Controller
– Enable in-session certificate support
4. Certificate Authority – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html#par_anchortitle_27dd. You may require or choose an Internal Microsoft Windows CA 2012 R2 or 2016 (Test with in this PoC)
Active Directory Certificate Services – https://technet.microsoft.com/en-us/library/hh831740.aspx
– Configuring Windows for Certificate Logon – http://support.citrix.com/article/CTX206156
– Setup Certificate Authority – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html#par_anchortitle_8dfa
5. VERY IMPORTSANT When Configuring User Rules for FAS list all the required StoreFront Servers, VDA’s and User(s) either by individual object or group e.g. AD Security group PoC SAML Users – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html#par_anchortitle_6ba3
6. Enable FAS for the default or custom Store on StoreFront – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/federated-authentication-service.html#par_anchortitle_32e2
7. A full AD Admin account for all components will help and save time during the PoC

Deploying @gmail login to NetScaler using OAuth 2.0 / SAML
Coming….

Recommended Reading
Credit to Citrix *CTP Dave Brett – http://bretty.me.uk/citrix-xendesktop-7-9-google-accounts-and-fas-for-xendesktop/ and I’d strongly recommend your read his blog post! His approach vs. requirements differs slightly from that of my own requirements. He saved me a lot of time and in testing + reading through eDocs so @dbretty thank you!


#CitrixPartnerLove
However in the *interim if your a Citrix Partner and you want to learn more and how to deploy this today! You can access the following on-demand entitled “SAML to Virtual Smartcard Sign-in for Virtual Apps & Desktops” at – http://enablement.citrix.com/library/items/1261 BUT you will require a valid Citrix partner login.

2017 UKI #CitrixPartnerLove Challenge #6 Traffic Flows

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at https://lnkd.in/dN74-97 to print.

Why You’ll Love ShareFiles Workflows and eSignature Features

The following content is a brief and unofficial guide to testing and using ShareFile Workflows prior to implmenting it for a PoC. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
SHAREFILE – sf
WORKFLOWS – wf
CITRIX – ctx

Understanding what is ShareFile?
Its a cloud-based file sharing service that enables users to easily and securely exchange documents from any cloud to any device or location around the global securely (HTTPS) with auditing, eSignature, document workflow, check in/out, multi-factor auth capabilties and so much more! For a good overview visit https://www.sharefile.com/features.

I love this why ShareFile video its simply brilliant! A good 2 minutes well spent that leaves you felling happy and understanding why ShareFile?

What are ShareFile Workflows?
It’s about wrapping a collaborative workflow around the actual document to acheive an outcome more efficently at a faster pace that before as all invited parties are able to collobrate on the same document by annotating with comments in any area and start a conversational thread with the ability to finally mark the annotated comment(s) as “Resolved” and the initiator of the Workflow can “Agree” to comment(s) using a simple thumbs up. Finally the invited party(s) have the ability to approve the workflow.

Approving the Workflow disables any further collaborating capabilities and therefore allows the initiator and most likely the document author to begin making necessary changes to the documents via a traditional installed, web or virtual Office app.

You can read more about – https://support.citrix.com/article/CTX213782

A Sample Workflow Explained


High resolutions image available at – https://pbs.twimg.com/media/DBZ5PcWXYAAgHfW.png:large

1. Login into https://*.sharefile.eu or .com from your favourite internet browser.
2. Once logged into select to Upload a sample Word or PowerPoint document with a screenshot of your organisations website and some text from a different webpage beneath it. If you’re already using ShareFile Drive Mapper drop it into a folder within your “Personal Folder” and if you have no idea what I am talking about you should def 100% STOP download it now from – https://www.citrix.co.uk/downloads/sharefile/clients-and-plug-ins/sharefile-drive-mapper.html and then read this CTX article before continuing to read further – https://support.citrix.com/article/CTX207791.
3.Once you’ve upload or synced the sample document refresh your internet browser and under “Recent Files” select the file and your see a preview (powered by MS Office365 Preview) of the document on the left and some actions on the right hand side look for “Initiate Approval” and select it which will open up a new browser tab with the following URL e.g https://citrixworkflows.sharefile.com/workflows/new?sharefileStreamId=xxxxxxxx where xxxxxxxx represents the ID of this workflow.
4. You’ll see a preview of your document on the right hand-side and on the left hand side your see a three workflow types (a) Get Approval (b) Collect Feedback (c) Create Request List
5. For this sample workflow we’ll going with option (a) Get Approval so select it
6. Select a due date e.g the next days date or a date within 7 days from the date of initiating the workflow so your approvers have time to respond if you aren’t able to view there calendar(s) so they can provide annotate and provide feedback on the sample document.
7. Add Approver(s) (Add people who are required to approve this document) E-mail address and Name (optional but preferred) and you can require that they have to login and I love this check box feature “Every approver must re-approve newly uploaded versions”!
8. My next favourite feature “CC’s” allows you to include any individual(s) whom can access the workflow workspace and comment, BUT they cannot approve the document workflow 🙂 !
9. You can also add message that the recipients will receive when you start the workflow.
10. Review your approvers, CC’s and message and then select to “Start Workflow”.
11. You can begin to annotate the document in your chosen area(s) including starting a conversation with all participant(s), while ShareFile e-mails them.
12. Approvers and CC’s receive an e-mail notification with a secure link too join the ShareFile workflow workspace that you have already started to work on.
13. You’ll receive notifications that participant(s) are commenting on your annotations, replying to your activity thread.
14. The Approver in this case has now agreed to all my annotations and has chosen to “Approve” the document approval workflow as he/she agrees with the suggested document changes, which the author can now begin to edit the way he/she would like to e.g online directly from ShareFile provided that you have the correct Office 365 subscription for more info check out “CTX208340 ShareFile Office Online Editing” – https://support.citrix.com/article/CTX208340.
15. You’ll also receive an e-mail notifying you that the workflow has been approved!.

There is also a simple overview of the Feedback and Approvals Workflow by Citrix ShareFile available at – https://www.youtube.com/watch?v=ASEUqcaOt7k or watch the embedded video below.

In summary ShareFile Workflows helps you and your organisation collaborate on documents more efficiently to acheive outcomes at pace with better results!

Workflow API’s
Quiet often I’m asked are there any available APIs for ShareFile Workflows? Yes! Its accessible at the following URL at – http://api.sharefile.com/rest/docs/resource.aspx?name=Workflows.

eSignature ShareFile RightSignature
The eSignature capabilities within Citrix ShareFile is powered by the acquisition of RightSignature with more details available at https://www.sharefile.com/resources/rightsignature and https://rightsignature.com.

I’ll be providing a tour of eSignatures in due course…

My Best of #CitrixSynergy 2017

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
CITRIX USER GROUP COMMUNITY – cugc
HYPER CONVERGED INFRASTRUCTURE – hci

Introduction
Its my 5th #CitrixSynergy and this is def one of the best Synergy’s I have ever had the privilege of watching virtually from London, England. Why not in person? I prefer to watch virtually as I am to consume more content faster and translate that into content to update Citrix partners/customers in a timely manner at high level and tech deep dive where required in particular areas or topics. Finally this blog post will most likely change over the next 2-3 weeks as I consume all of the Synergy 2017 content as when/how I can.

My Highlights of the Key Notes
Vision Keynote

– 4:45 Citrix User Group Community – https://www.mycugc.org THANK YOU! Join the community today its powered by some of the most passionate Citrix and Technology advocates from around the global!
– 11:00 Red Bull Racing I’m not going to say anything you need to watch it!
– 21:45 Cloud powers the world
– 27:00 Digital Frontier Companies
– 39:00 Citrix Secure Digital Workspace with a software-defined preimeter
– 40:57 Citrix Workspace Services and a brief demonstration by Citrix’s CEO
– 42:25 SD-WAN / Gateway / WebApp Firewall / DDoS (NS 12+) as a Service
– 47:35 Citrix Analytics Service
– 1:01:00 “Better Together” and video message from Microsoft CEO Satya Nadella
– 1:12:25 Citrix + Google Chromebook (Skype for Business, Office365 and much more…)
– 1:18:00 Healthcare customer story “Partners Healthcare”

Technology Keynote

– 22:00 Unified Workspace (its Adaptive and Contextual by device/location and it changes the users published resources and its access type!) which brings together some of the most crucial aspects of todays modern apps, desktops, data & your location in a single view with casting capabilities but not demoed as instead instead*
– 29:00 *Workspace IoT (SmartSpaces) demonstration with a users own mobile phone enables an auto login to a Win 10 VD at guest location including welcoming the user based upon his/her smart phone used as there identity. Security people feel free or you will be going nuts right now!
– 32:30 Its all about layering you guessed it Citrix App Layer enabling IT to say YES! Note demo was demoed using a Samsung DEX check it out – https://www.citrix.com/blogs/2017/03/29/instant-desktop-computing-from-the-new-samsung-galaxy-s8-smartphone/
– 39:40 Workspace Appliance Program e.g HCI
– 42:35 Protect against Zero day attacks with XenServer and BitDefender which is available but is something which Citrix announced on 21/06/2016 yes thats right 2016 entitled “A Revolutionary Approach to Advanced Malware Protection” – https://www.citrix.com/blogs/2016/06/21/a-revolutionary-approach-to-advanced-malware-protection/ 21/06/2016 yes 2016!
– 47:00 Brad Anderson Corporate Vice President of the Enterprise Client & Mobility @Microsoft discusses shortly and then prefers to demonstrates our joint Citrix + Microsoft “Better Together” capabilities in Mobility, Virtualisation delivery from Azure and more.
– 1:01:38 Digital Jungle discussion its def worth your time if you about security and managing the experiences of your users workspace!
– 1:47:25 Vision of how the Digital Workspace is going to evolve

Citrix Synergy TV Breakout Sessions
The following are my current top sessions to watch in no particular order that I believe you’ll gain a lot of value out of watching BUT note that this may change as I continue to consume more of the on-demand content from Synergy 2017.

– SYN318 A to Z: best practices for delivering XenApp, XenDesktop – https://www.youtube.com/watch?v=jnnZTKBy18c&feature=youtu.be

– SYN111 – What’s new with Citrix Cloud and what’s to come – https://www.youtube.com/watch?v=C-UunHGKqLY

– SYN120 – NetScaler SD-WAN updates – https://www.youtube.com/watch?v=CdqIkCb86uU

– SYN103 – Citrix App Layering – https://www.youtube.com/watch?v=KBYoVeAYnSA

– SYN118 – What’s new with NetScaler ADC – https://www.youtube.com/watch?v=uMefjGwRMeU

– SYN121 – What’s new with NetScaler Unified Gateway – https://www.youtube.com/watch?v=-ovb4TIb5JY&t=28s

– SYN115 – Why should I use ShareFile if I already have Office 365? – https://www.youtube.com/watch?v=kESgKT7_mJw

Innovation Super Session
Awaiting for the on-demand video publication but for now I will leave you with the following Tweet as a thought or rather a reminder to make sure that you watch it if you missed it!

Synergy 2017 Advocates Blog Posts
Citrix Synergy 2017 – It’s a Wrap – See all the most important announcements listed here! By Christiaan Brinkhoff. – https://blog.infrashare.net/2017/05/29/citrix-synergy-2017-its-a-wrap-see-all-the-most-important-announcements-listed-here/

Deploy XenApp 7.x in AWS EC2 with PoC Leading Best Practises (Draft)

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops from AWS EC2 – https://aws.amazon.com powered by XenApp & XenDesktop 7.13+ prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
LOCAL HOST CACHE – lhc
XENAPP – xa
WINDOWS – win
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hex
VIRTUAL APPS – va
VIRTUAL DESKTOP – vd
SERVER – srv
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
DATA TRANSPORT LAYER – eat
FIREWALL – f/w
ACCESS CONTROL LISTS – all
INFRASTRUCTURE AS A SERVICE – iaas
IDENTITY & ACCESS MANAGEMENT – aim

Reader Notice: This blog post is NOT completely finished and some parts are in draft format! I will continue to update it through-out April/May 2017!

Sample Virtual Desktop from AWS powered by XenApp 7.x
In this example my VPC is in N.Virgina, USA hosting my Citrix XenApp 7.x workloads which are been delivered to me transatlantic to London, England thanks to the HDX.


Link to my original Tweet from 29/04/2016 at – https://twitter.com/lyndonjonmartin/status/726122016621891584 close to the delivery of a UKI Citrix partner enablement workshop on delivering XenApp 7.x PoC from AWS.

What is AWS EC2?
It’s a division with-in Amazon that sells IaaS to customers for consumption. AWS is incredibly simple in my personal view BUT equally at the very same time it’s also an exceptionally powerful Public (IaaS) Cloud platform! IT departments within organisations of all shapes and sizes have an equal capability with AWS’s elastic virtual data centre capacity to rapidly design and implement a VPC to setup, configure and deploy workspace workloads of their choice within a few hours or days dependant upon there IT’s dept’s delivery & execution skillsets. Typing into Google.co.uk “AWS first year” reveals AWS’s first year was 2006 thats now over a decade’s worth of experience, maturity and continued on-going development and innovation. Check out – https://en.wikipedia.org/wiki/Amazon_Web_Services#History or brief history lesson.

Concepts of AWS
Most of what I’ve described below is available on the AWS “Getting Started” web page at – http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/GetStarted.html so be sure to read through-it.

Virtual Private Cloud (VPC)
Think of this as a virtual datacentre that created onto of AWS IaaS which allows you to create virtual networks (IP addr ranges, subnets e.t.c), deploy VM instances of different sizes for your required workloads and storage accounts to facility your organisations needs and requirements to potential optimise workload delivery, experience or DR scenario’s.

VM Instances Types
AWS provides traditional VM’s that you’d typically assign compute, storage type to on-prem as pre-defined instance types that vary in size and capacity to meet virtually most organisations workspace requirements in AWS. For an up to date list please check out –
https://aws.amazon.com/ec2/instance-types/.

Security Groups
Think of these as your traditional or virtual f/w’s ACL’s BUT now assigned against VM instance(s) within your VPC either individually or in a group, to control what traffic type e.g ports vs. protocol are allowed in/outbound. Check out – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group which also covers the standard “Default Security Groups” within your VPC that you can utilise and modify for your PoC.

*Availability Zones
A logical representation of one or more data centres facilities in a city, state/province/county or even country.

*Regions
Simply put its a Geo area and they are isolated form other regions for H/A. In a Citrix world a simple example could be to think of multiple sites (London, Paris, Oslo all built to N+1) managed using FMA 7.7+ Zones (Primary and Satellite) for H/A for geo area.

* http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

Identity & Access Management (IAM)
This one is quiet important to understand if you want to deploy your PoC with MCS provisioned XA VDA workloads in AWS from a master VM instance like you would traditionally on-prem with XenServer, Hyper-V, Acropolis or vSphere. Setting up IAM enables/allows Studio to communicate with the AWS EC2 cloud hypervisor to provision your VM instances –
http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html from your master VM instance in your VPC(s). If your not interested in deploying MCS workloads then skip learning IAM for now BUT please come back to it as it’s equally important as Security Groups for Pilot, UAT and PROD workloads in AWS with(out) Citrix workloads.

Suggested PoC Architecture
I tweeted the image at – https://twitter.com/lyndonjonmartin/status/854809306629361669 (its not intended to be accurate!) if you want a high resolution copy. Its intended to provide a high level only PoC deployment overview of delivering virtual apps & desktops (server) from AWS EC2 using Citrix XenApp 7.13+ fronted by NetScaler Unified Gateway and or you can utilise Citrix Smart Tools – https://www.citrix.com/products/citrix-cloud/services.html to deploy blueprint to stand up a XenApp PoC in AWS.

AWS & Citrix Pre-requisites, System Requirements
The following provides an brief and selective overview of standing up the bare min requirements to delivery Citrix secure workspace workloads from AWS.

0. Amazon Web Services (AWS) (cloud) hypervisor support – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/system-requirements.html#par_anchortitle_8a90
1. Sign-up for a AWS EC2 account at – https://console.aws.amazon.com it will redirect you to the default AWS login and sign-up web page. You will need a valid credit card that you own and be sure to read through AWS terms & conditions, UAP e.t.c.
2. Once your have signed-up select a EC2 region i typically utilise N.Virgina as I expense this myself and it also makes for good tests locations of my Citrix workloads when testing out legacy vs. current vs. the latest HDX (3D Pro) technologies & innovations transatlantic from the US too the London, England :-).
3. Now that you’ve chosen or decided upon your region you’ll need to deploy your VPC – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html you can make use of the default AWS VPC configurations which you can easily modify as required to meet the needs of your PoC.
4. Now create a e.g Citrix VAD “Security Group” which acts as a firewall ACL controlling which ports/protocols and traffic by *.* or IP range(s)* e.t.c are permitted in/out bound of your VPC to your VM instance(s) associated to this security group so that the delivery of virtual apps & desktops is possible from VM instances running the Server VDA’s.

Suggested example Traffic flow from the Internet to a Virtual App & Desktop delivered by an EC2 Instance

– Untrusted network or public raw internet
– DMZ or edge of a network, network/vnet or (network) security group depending on your network deployment choice
– Trusted network or private secure network

WWW Internet Gateway Router VPC Availability Zone Security Group Network EC2 Instances

Suggested (Security Group – Mgmt. VM) Port Configuration for RDS access to your mgmt. VM running AD, DNS e.t.c

For this particular security group I’d strongly recommended that when you setup the security group you limit the access to a single IP addr or range that you know and trust RDS access to come from to your mgmt. VM sat in your VPC.

Protocol Port Inbound Outbound Internal VPC
TCP: SSH PuTTY (NS Mgmt. only) 22
TCP: HTTP (Internal Communication) 80
TCP: RDP/RDS 3389 * *

Suggested (Security Group – Citrix VAD) Port Configuration for Citrix Workloads to the World

The following table is actually more about the required TCP/UD Ports and dependant upon your deployment approach e.g with(out) a L2L IPSec VPN tunnel vs. NetScaler Unified Gateway i’ve decided for this section most of it available with the exception of a few which are a no no for external inbound access.

Warning once again caution this table ONLY represents primary PORTS typically required in a PoC and does not imply that you should use this as your ACL for your AWS security groups as you requirements for your particular PoC use case may differ from organisation to organisation! For a complete list of the ports and what they do please ref to http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/technical-overview/default-network-ports.html.

Protocol Port Inbound Outbound Internal VPC
TCP: HTTPS (TLS) 443 * *
UDP: HTTPS (TLS) 443 * *
TCP: ICA/HDX Thinwire 1494 * *
UDP: ICA/HDX EDT or Framehawk 1494 * *
TCP: Session Reliability 2598 * *
UDP: Session Reliability for EDT only 2598 * *
UDP: HDX RealTime e.g Skype for Business 16500-16509 * *

5. Lunch an NEW single instance from the EC2 dashboard under “Create Instance” this will be your mgmt. VM “wdc01” for the PoC and AWS will guide you through the deployment process (wizard).
6. Select your VM instance type to be deployed in your default or custom VPC and a suggested example instance type to utilise could be a AWS “t2.medium” instance type. You can find a complete list available at – https://aws.amazon.com/ec2/instance-types/.
6. Assign the default storage or increase and you can add another HDD later.
7. Assign the RDS mgmt. security group ensuring that RDS is enabled to connect to your mgmt VM.
8. Allow the VM to provision typically up to 5 minutes (depends on time of day, location of your VPC) then decrypt the passwd
9. Login and utilise this as your mgmt. VM and install the following suggested roles e.g AD, DNS and CA (Optional) as a bare minimum once you’ve assigned it an internal private static IP addr prior to installing and configuring.
10. Check a folder called e.g “Share” on C:\ and enable file sharing to this folder for your domain admin account.
11. Navigate to https://www.citrix.com/downloads/xenapp-and-xendesktop/ and download the latest XenApp/XenDesktop version available which is as of 12/04/2017 7.13 and copy it to the C:\Share to be used later to install XenApp 7.13+ onto your XA worker.
12. Now repeat steps 5 through 9 to deploy another single VM instance which will be your XenApp PoC VM e.g “xad01poc” and assign the following suggested instance type “t2.large’ with the exception of step 7 where you’d assigned the default VPC security group and login via RDS to this VM from your mgmt. VM e.g “wdc01”.
12. Once its ready login to your mgmt. VM “wdc01” and RDS to “xad01poc” provide it with a custom or use the default hostname and AD domain join it.
13. After successfully domain joining it login and create a folder on the C:\ drive called “Temp” on “xad01poc” and copy the *.iso from \\wdc01\Share to it.
14. Right click on the *.iso and “Mount” the media and the autorun should display the splash screen and select “XenApp”.
15. Select to install the “Delivery Controller” checking all the features e.g Studio, Director, Controller, MS SQL Express, StoreFront, License server and all the required ports.
16. You have now setup a mgmt. VM and a XenApp mgmt. VM.
17. Install and bound SSL certificate on “xad01poc” to be able to utilise https to protect username and passed credential handling when accessing RfW.

PoC Deployment of Virtual Apps & Desktops
Deployment Option 1 – NO MCS nor NetScaler UG & NOT SUGGESTED!!!
This option to be very clear is typically used to demonstrate the power of HDX from a public cloud e.g AWS and DOES IT WORK? Yes of course! I would strongly recommend that you don’t deploy your PoC with this approach but front it with a NetScaler UG but i’ve included it as I have covered this topic once before and sometime Citrix SysAdmins just want to test to see is it actually at all possible with little to know effort at all before actually deploying a PoC so I hope that this clears up this PoC deployment approach/path is messy and NOT SUPPORTED!!!!

1. Now also assign the Citrix VAD “Security Group” to “xad01poc” VM.
2. Re-mount the *.iso media if required and on the installation splash screen select to install the Server VDA choosing to enable existing connections selecting “Enable Remote PC Access” the VM will restart a few times which will take circa up to 5 minutes while the VDA installs.
3. Once the VDA is installed successfully launch “Studio” and complete creating a Site, machine catalog and delivery group based upon “xad01poc” VM.
4. Modify the SFS default.ica file for your default Store to include a line to utilise your external dynamic static IP addr and check that your Windows f/w rules are correctly configured to allow in/out bound access based upon the Citrix VAD “Security Group” or you can open the downloaded file you receive post login and modify the internal private static IP addr to the “xad01poc” VM’s dynamic public IP addr assigned by AWS and you should be able to launch your virtual app or desktop. Note: You’ll need to do it for each app or virtual desktop and if you modified the default.ica file with dynamic IP each time you stop and deallocate the VM you’ll need to modify the file again unless you utilise a AWS static public IP addr which is chargeable cost per month!
5. Navigate to https://xad01poc-dynamic-public-ip-addr/Citrix/StoreWeb/ with Citrix Receiver install on your Windows, Mac or Linux end-points and login as a domain admin or user and launch a virtual app or desktop that you’ve published.
6. Test the vitual app and our desktops performance by playing YouTube movie trailers here is fav one of mine – https://www.youtube.com/watch?v=sGbxmsDFVnE or download Google Chrome and publish it and access https://p3d.in. You’ll notice I have not mentioned what HDX graphics mode why? It should provide a good UX out of the box with 7.13+.
12. Shutdown and turn off your VM’s within your AWS VPC when finished to save costs. You will be billed for storage on-going e.g GB that you’ve consumed but I have to say its a very low cost per GB.

Deployment Option 2 – No MCS but fronted by NetScaler UG
Coming…

Deployment Option 3 – With MCS Workloads fronted by NetScaler UG
Coming…

Deployment Option 4 – Powered by Citrix Smart Tools
0. What is Smart Tools? Watch https://www.youtube.com/watch?v=RUTL1X_nBSg. I won’t expand on this topic more than what I have below for this particular blog post otherwise its going to get quiet length but I have to say you should explore Smart Tools post testing/deploying an AWS XenApp PoC.
1. Sign-up to Smart Tools Service at https://citrix.cloud.com/.
2. Create an AWS EC2 resource location with the Smart Tools Connector (formerly CLM our Lifecycle Management Connector) – https://manage-docs.citrix.com/hc/en-us/articles/212713903 and also please read – https://manage-docs.citrix.com/hc/en-us/articles/212713923 & https://manage-docs.citrix.com/hc/en-us/articles/212713963-Add-an-Amazon-Web-Services-resource-location.

3. Read the Blueprint available which explains deploying a blueprint to deploy workloads on AWS at – https://manage-docs.citrix.com/hc/en-us/articles/212714483-Deploy-a-blueprint-to-an-Amazon-Web-Services-resource-location which should give you a decent overview.
4. Download or read online the following getting started PoC guide for XenApp on AWS powered by Smart Tools Service (Smart Build using as Blueprint) available at the following URL with step by step instructions and images – https://docs.citrix.com/content/dam/docs/en-us/lifecycle-management/downloads/get-started-lifecycle-management-aws.pdf.

Leading Best Practises
1. Review the content available at – https://www.citrix.com/global-partners/amazon-web-services/xendesktop-on-aws.html
2. More coming…

Notes from the field
1. The number one leading best practise is “Shutdown and turn off your VM’s within your AWS VPC when finished” to save your own personal costs incurred and or your organisations costs that maybe incurred.
2. You do need a suggusted intermediate knowledge level of AWS EC2 and Citrix in order to deploy virtual apps & desktops CORRECTLY I personally believe to ensure that those testing on your behalf actually are getting the correct HD or balanced experience to ensure a successful PoC. I’ve many misconfigurations in a variety of areas since 2015.
3. Take a look at using Citrix Smart Tools as an enabler to help you with XenApp environment(s) on AWS – https://manage-docs.citrix.com/hc/en-us/articles/213723663-Create-a-XenApp-and-XenDesktop-production-deployment-on-AWS.