Not For Resale or Distribution: CXD-251-3I: Citrix Virtual Apps and Desktops Service On Microsoft Azure

CXD-251-3I: Citrix Virtual Apps and Desktops Service on Microsoft Azure
Table Of Contents
Module 1 - Citrix Virtual Apps and Desktops on Microsoft Azure Overview
  Citrix Virtual Apps and Desktops Azure Models
  Azure Basics
  Azure Management
  Azure Locations
Module 2 - Virtual Apps and Desktops Azure Active Directory Integration
  Active Directory Basics
  Active Directory Usage
  Connecting On-premises AD to Azure
  Azure Role Based Access Control
Module 3 - Connecting to Microsoft Azure
  Azure Connectivity
  Cloud Connector in Azure
  Creating Azure Host Connections
Module 4 - Deploy Apps and Desktops using Machine Creation Services (MCS)
  Master Image Preparation
  Machine Creation Services
  Considerations
Module 5 - Providing Access to End Users
  StoreFront Locations
  Citrix ADC and Citrix Gateway Location Considerations
  Connecting to the Closest Resources
Module 6 - Maintaining Infrastructure and VDAs in Microsoft Azure
  Maintaining Infrastructure
  Maintaining VDAs
  Power Management
Module 7 - Deploy a Successful POC
  The next steps to start a successful POC
Citrix Virtual Apps and Desktops Service on Microsoft Azure
Course Introduction
CXD-251-2I: October 11, 2021
Lab Manual v3.3
Module 0
integration with Virtual Apps and Desktops.
• Integrate Citrix Cloud and Virtual Apps and Desktops with Microsoft Azure Active Directory.
• Deploy and manage Virtual Delivery Agent machines in Microsoft Azure using Machine Creation Services.
• Design Machine Catalogs and virtual machines on Microsoft Azure Resource Manager.
• Provide remote access with Citrix StoreFront and Citrix Gateway on Microsoft Azure.
© 2021 Citrix Authorized Content
with an intelligent workspace platform.
Formerly Networking
Include the following information:
• Name and company
• Job title
• Job responsibility
• Networking and Virtualization experience
• Citrix hardware and software experience
• Class expectations
Review:
• Parking and transportation information
• Class policies
• Break and lunch schedules
• Emergency contact information
Virtual Apps and Desktops 7 in an on-premises or cloud environment.
• CXD-250-2I or experience with Citrix Cloud.
• Basic knowledge of the Microsoft Azure platform including:
  • Virtual machine management
  • Azure Resource Manager portals
  • Storage
  • Networking
Overview
• Module 2: Virtual Apps and Desktops Azure Active Directory Integration
• Module 3: Connecting to Microsoft Azure
• Module 4: Deploying Apps and Desktops using Machine Creation Services
• Module 5: Providing Access to End Users
• Module 6: Maintaining Infrastructure and VDAs in Microsoft Azure
• Additional features and functionalities are added every month.
• Lab guide steps and slide screenshots may not match the consoles.
• Power down Azure VMs after class each day.
Class Experience: Citrix Class Lab Access
(Diagram, numbered steps 1 to 6: Citrix Classroom Support provisions the Citrix Class Labs; CCI and CALC students connect from the student endpoint through an RDP client to the Lab Host and on to the Student Desktop.)
Key Notes:
• Students access the labs in this course not via the Training.Citrix.Com MyTraining tab (where the manuals are accessed), but rather via connection information shared directly with the student either by the Citrix Certified Instructor (CCI) or by the Citrix Authorized Learning Center (CALC) that is hosting the class.
• The following step-by-step explains the process:
1. Citrix Classroom Support provisions the labs for the students.
6. The Student Desktop is explained in the Lab Manual. All labs will be performed using tools and consoles from this desktop.
(Diagram: lab environment. Citrix Cloud hosts the control plane: Delivery Controller, Site Database, License Server, Workspace, and the Director and Studio management consoles. Azure US East hosts the resource location: Cloud Connectors, Citrix Gateway, Active Directory, StoreFront, the Win2016 and Win10 master images, a Storage Account, and the VDAs. The admin manages Azure through the Azure Portal and a Service Principal.)
Manager for general management.
• ARM Console for virtual machine management and power operations.
environment.
• Main access point for lab exercises.
• Easy to copy/paste.
• Manage storage, networks, and virtual machines.
• Power operations.
courseware.
• To print, click Student Resources > Courseware > Student Manual > Launch.
1. Navigate to training.citrix.com
2. Click on the “Contact Us” dropdown.
3. Select “Classroom Support”.
Management
• This class will cover key Citrix ADC capabilities such as high availability, security and performance, and explore SSL offload, load balancing and monitoring.
• CNS-222: Citrix ADC 12.x Essentials and Unified Gateway
• This class will cover Citrix ADC essentials, including secure load balancing, high availability and operations management, and focuses on Unified Gateway and Citrix Gateway.
Help shape the next course.
Tell us what you liked!
What can we do better?
How likely is it you would recommend Citrix Courses to a friend? (Scale from 0, Not at all Likely, to 10, Extremely Likely; responses are grouped as Detractor, Passive, or Promoter.)
Facebook: Become a fan of Citrix Services. Twitter: Follow @citrixservices. LinkedIn: Join the Citrix Education Group.
Visit http://training.citrix.com to find more information on training, certifications, and exams.
Citrix Virtual Apps and Desktops on Microsoft Azure Overview
Module 1
• Identify Virtual Apps and Desktops Azure Deployment Models.
• Review the Azure Components.
• Examine Azure Management.
• Confirm the Azure Datacenter Locations.
• IaaS is an instant computing infrastructure, provisioned and managed over the Internet.
• It allows you to quickly scale up and down with demand, while paying only for the compute power you use.
(Diagram: the service-model stack, SaaS above PaaS above IaaS, over the layers it is built on, from top to bottom: hosted application; development tools, database management, business analytics; operating systems; servers and storage; networking firewall/security; data center physical plant/building.)
Key Notes:
• IaaS:
• Infrastructure as a Service (IaaS) is an instant computing infrastructure provisioned and managed over the Internet, allowing you to quickly scale up and down with demand and pay only for what you use.
• IaaS helps you avoid the expense and complexity of buying and managing your own physical servers and other datacenter infrastructure. Each resource is offered as a separate service component, and you only need to rent a particular one for as long as you need it. The cloud computing service provider manages the infrastructure, while you
development tools, Business Intelligence (BI) services, database management systems, and more. PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating.
• SaaS:
• Software as a Service (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and other business software (such as Microsoft Office 365).
• SaaS provides a complete software solution that you purchase on a pay-as-you-go basis from a cloud service provider. You rent the use of an app for your organization, and your users connect to it over the Internet.
• IaaS avoids the expense of purchasing and setting up hardware: you move from a procurement model to one where time to value is greatly reduced and capacity can be scaled up or down quickly, for example to absorb bursts. Look at this from a control level as well: with IaaS the datacenter (the blue items in the diagram) is managed by the IaaS vendor, but you keep control of the OS and can power VMs up and down. With PaaS you do not have OS power options, because the OS could be multi-tenant, but it is a good solution for web apps. The level of control is a very important aspect in understanding the importance of each model; in security terms it is also the responsibility boundary: with IaaS, patching and hardening the guest OS and everything above it remains the customer's job.
Additional Resources:
• What is IaaS? https://azure.microsoft.com/en-us/overview/what-is-iaas/
• What is PaaS? https://azure.microsoft.com/en-us/overview/what-is-paas/
• What is SaaS? https://azure.microsoft.com/en-us/overview/what-is-saas/
including:
• Virtual Apps and Desktops Service
• Citrix Endpoint Management Service
• Secure Browser
• Citrix Content Collaboration
• App Layering Service
• Citrix Gateway Service
• And many more…
• Citrix Cloud Virtual Apps and Desktops is essentially a platform as a service.
• Citrix hosts and operates the platform and services.
• The customer hosts and operates the applications, data, networks, and VDAs.
(Diagram: Citrix Cloud talks to the customer's resource location over HTTPS / API calls through the Cloud Connector, which in turn reaches the Active Directory server and the Server OS and Desktop OS VDAs.)
Key Notes:
• Citrix Cloud is a Platform as a Service that hosts and administers Citrix services. It connects to your resources, via the Citrix Cloud Connector, on any cloud or infrastructure you choose. It allows you to create, manage, and deploy workspaces with apps and data to your end-users from a single console.
• Citrix Services included are:
• Virtual Apps and Desktops
• Deliver secure virtual apps and desktops to any device, and leave the product installation, setup, configuration,
• Citrix Content Collaboration Service
• Meet the mobility and collaboration needs of employees and the data security requirements of the enterprise with this secure enterprise file sync and sharing service.
• Citrix Gateway Service
• Citrix Gateway Service is a cloud-based offering that is simple to deploy and manage, ensures security and availability of Virtual Apps and Desktops resources on any network, and provides an excellent user experience.
• Citrix Cloud Labs Service
• These services are new experimental product features, exposed within Citrix Cloud for customers to test and evaluate. The services are not supported by Citrix.
Additional Resources:
• Citrix Cloud Overview - https://docs.citrix.com/en-us/citrix-cloud/overview.html
• About Citrix Cloud - http://docs.citrix.com/en-us/citrix-cloud/overview/about.html
• Datacenters in 55 regions and 140 countries.
• A framework that can support both on-premises and cloud deployments.
• Comprehensive compliance with Azure Government.
• Used by 90% of Fortune 500.
• Supports a broad selection of operating systems, programming languages, frameworks, databases, and devices.
• Powerful add-on to Citrix Cloud for hosting resources.
Key Notes:
• Microsoft Azure is a growing collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of datacenters managed by Microsoft.
• Azure Government has an ongoing commitment to maintaining the most certifications and attestations for mission-critical government workloads. Azure has engineered its datacenters to meet or exceed the complex and critical requirements for US Federal, Department of Defense, state, and local government.
Where are the applications and data typically stored when using Citrix Cloud with Azure as a resource location?
The applications and data remain within the customer's control and will as such be located either in the customer's Azure subscription or in their on-premises datacenter.
Azure Models
Resource Location
• Control plane hosted by Citrix.
• Everything else is customer-managed.
(Diagram: Citrix Cloud hosts the Delivery Controller, Site Database, License Server, Workspace, Director, Studio and PowerShell. The customer's Azure subscription hosts the Cloud Connectors, Citrix Gateway, AD Server, StoreFront, Win10 and Win2016 master images, Storage Account and VDAs, managed by the admin through the Azure Portal, PowerShell and a Service Principal.)
Key Notes:
• Citrix Virtual Apps and Desktops with Azure as the resource location is the primary focus of the CXD-251 course. CXD-252 combines both Citrix Cloud, Azure, and on-premises resource locations.
• All the brokering is done within Citrix Cloud. Citrix deploys, maintains and updates the control plane, and we utilize the Azure plugin to deploy Machine Catalogs into Azure, leveraging the Azure API to deploy VDAs, copy disks, power manage VDAs and de-allocate the VDAs when they are no longer needed.
• The Delivery Controllers hosted in Citrix Cloud will use the Service Principal in Azure for all communication with the Azure
• Any user authentication made in Citrix Cloud will be sent back to the Cloud Connectors, which will then authenticate the user credentials against the Active Directory.
Microsoft Azure.
• Also called the forklift model.
(Diagram: the entire stack runs in Azure: Citrix Gateway, License Server, Delivery Controller, StoreFront, AD Server, Site Database, Win10 and Win2016 master images. External users connect through the Citrix Gateway; internal users and the on-premises network connect over a tunnel. The admin manages Azure through the Azure Portal, PowerShell and a Service Principal.)
Key Notes:
• A forklift approach constitutes moving the entire Citrix stack from on-premises into Azure.
• Using this approach, you will deploy and maintain your own Delivery Controllers and will not be using Cloud Connectors, since you are not using Citrix Cloud.
• Ensure that your design includes HA on all the components.
• By moving the full stack to Azure, you will also need to host and maintain the SQL databases in Azure, which might lead to higher complexity compared to Citrix Cloud.
• One or more Citrix Virtual Apps and Desktops Zones in Azure.
• The Database and Primary Zone on-premises.
• StoreFront and Citrix ADC considerations.
(Diagram: the on-premises Primary Zone holds the Delivery Controller, Site Database, Active Directory, StoreFront, License Server, Director and Studio; the Azure Zone holds additional Delivery Controllers, Citrix Gateway, StoreFront, Win2016 and Win10 master images, a Storage Account and the VDAs. The two are connected over a tunnel, and Azure is managed through the Azure Portal, PowerShell and a Service Principal.)
Key Notes:
• The extend approach involves creating a new Zone in your on-premises Citrix Virtual Apps and Desktops infrastructure. This new Zone will be in Azure, and you will then deploy additional Delivery Controllers and optionally StoreFront and Citrix ADCs in Azure.
• After getting the infrastructure in place, you can then use the Azure plugin to deploy MCS catalogs to Azure directly from Studio.
• Much like the forklift method, you are deploying the on-premises product and will not need Cloud Connectors.
• Deallocate to save money.
• Measure time to boot.
• Consider access and automation.
(Diagram: the on-premises site, with Delivery Controller, Site Database, StoreFront, License Server, Citrix Gateway, Director and Studio, is mirrored by a Disaster Recovery site in Azure with its own Delivery Controller, Site Database, StoreFront, License Server, Citrix Gateway, Win2016 and Win10 master images and Storage Account. Users reach either site; the sites are connected over a tunnel, and Azure is managed through the Azure Portal, PowerShell and a Service Principal.)
Key Notes:
• Using Azure as the Disaster Recovery datacenter is almost the same design as extending the environment, except that we can de-allocate the resources while they are not being used.
• De-allocating the resources means that we will only be paying for storage in Azure while the VMs are not running.
• Ensure you have a process in place for spinning up the Disaster Recovery zone, and make sure the process is tested.
• A large number of VMs might take longer to spin up in Azure than on on-premises hypervisors.
• Microsoft does not have endless idle capacity, so this might not work for deployments above 1000 VMs.
Additional Resources:
• Disaster Recovery for Citrix Virtual Apps Made Easy with Azure Site Recovery - https://www.citrix.com/blogs/2016/12/19/disaster-recovery-for-xenapp-made-easy-with-azure-site-recovery/
• Buy from the Azure marketplace.
• Bring your own image.
• Replaces Microsoft RemoteApp.
(Diagram: the Citrix Cloud control plane, with Delivery Controller, Site Database, License Server, Workspace, Director and Studio, and the customer's Azure subscription hosting Cloud Connectors, Citrix Gateway, Active Directory, Win10 and Win2016 master images and a Storage Account, managed by the admin through the Azure Portal and a Service Principal.)
Key Notes:
• Citrix Virtual Apps Essentials Service allows you to deliver Windows applications from Microsoft Azure to any user on any device. The service combines the industry-leading Virtual Apps service with the power and flexibility of Microsoft Azure. The service is recommended by Microsoft as the replacement for Azure RemoteApp.
• Citrix Virtual Desktops Essentials Service is designed specifically for the Azure Marketplace. Citrix and Microsoft partner to deliver an integrated experience for Citrix Virtual Desktops Essentials and Azure IaaS. This partnership gives you a single interface to deliver a complete Windows 10 digital workspace from Azure.
Additional Resources:
• Citrix Virtual Desktops Essentials - https://docs.citrix.com/en-us/citrix-cloud/citrix-virtual-desktops-essentials
• Citrix Virtual Apps Essentials - https://docs.citrix.com/en-us/citrix-cloud/citrix-virtual-apps-essentials
• Citrix Virtual Apps Essentials Service – Frequently Asked Questions - https://www.citrix.com/global-partners/microsoft/resources/citrix-virtual-apps-essentials-faq.html
• Citrix Virtual Desktops Essentials Service – Frequently Asked Questions - https://www.citrix.com/global-partners/microsoft/resources/citrix-virtual-desktops-essentials-faq.html
(Diagram: the class lab environment. Citrix Cloud hosts the Delivery Controller, Site Database, License Server, Workspace, Director and Studio. The Azure resource location hosts Cloud Connectors, Citrix Gateway, Active Directory, StoreFront, Win2016 and Win10 master images, a Storage Account and the VDAs, managed by the admin through the Azure Portal and a Service Principal. Components shown in gray are not deployed in the lab.)
Key Notes:
• To fit as much learning as possible into two days, the gray VMs are not being deployed; however, they have been included in the diagram as a reference for leading practices.
What is the biggest difference between Extend and Disaster Recovery?
Extending to Azure is typically a new Zone within the on-premises site.
A Disaster Recovery is typically a separate site with a separate SQL database.
(Diagram: the Workspacelab agreement owns the AMERICAS, EUROPE and ASIA accounts; each account owns subscriptions such as IT-Production, IT-Testing, IT-R&D, Development, HR, QA, Finance and Sandbox.)
• Enterprise customers typically have an Enterprise Enrollment, which is the top-most resource in the hierarchy and is associated with one or more accounts.
• For consumers and customers without an Enterprise Enrollment, the top-most resource is the account.
• Subscriptions are associated to accounts, and there can be one or more subscriptions per account. Azure records billing information
Key Notes:
• To work with Azure, you need one or more Azure subscriptions, and Azure subscriptions are owned by an account.
• Enterprise customers typically have an Azure agreement, allowing them to create multiple accounts.
• Resources like virtual machines (VMs) or virtual networks exist in those subscriptions.
• There are advantages and disadvantages to having dedicated subscriptions for Citrix components.
• Having a dedicated subscription for each department, such as Citrix, means that it is easier to provide the Citrix Hosting Connection with full permissions to the subscription. That is a convenience, not a least-privilege design: the service principal behind the hosting connection only needs rights on the resource groups, networks and storage it provisions into, and scoping it that way limits what an attacker can do with a leaked client secret. The dedicated subscription still helps, because it also keeps the principal's reach away from unrelated workloads.
Additional Resources:
• Azure Subscriptions and Accounts - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/infrastructure-subscription-accounts-guidelines
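To make the permissions point concrete, here is an added example (written for this edit, not code from the Citrix course or from Citrix's product) that models how Azure RBAC decides whether a principal may perform an action on a resource: an assignment applies to every resource whose ID sits under the assignment's scope, a role's Actions patterns grant and its NotActions patterns subtract, and access is denied unless some assignment grants it. It compares the "Contributor on the whole subscription" shortcut with a hypothetical custom role scoped to the VDA resource group plus subnet-join rights on the core network. The role names, resource group names, permission lists and subscription ID are assumptions for illustration, not Citrix's documented minimum permission set.

```python
"""Added example (not from the Citrix course or Citrix's products): a small
model of Azure RBAC's decision, used to compare giving the hosting connection's
service principal Contributor on the whole subscription against custom roles
scoped to the resource groups it actually provisions into. Role definitions,
resource group names, the permission lists and the subscription ID are
assumptions for illustration, not Citrix's documented minimum permissions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Role:
    name: str
    actions: tuple           # Azure action patterns; "*" also matches across "/"
    not_actions: tuple = ()  # subtracted from actions, never an explicit deny


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: Role
    scope: str               # subscription, resource group or resource ID


def in_scope(scope, resource_id):
    """An assignment applies to its scope and to everything whose ID sits below it."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def _matches(patterns, action):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role, action):
    return _matches(role.actions, action) and not _matches(role.not_actions, action)


def is_allowed(assignments, principal, action, resource_id):
    """Deny by default: allowed only if an in-scope assignment to the principal permits the action."""
    return any(a.principal == principal and in_scope(a.scope, resource_id)
               and role_permits(a.role, action) for a in assignments)


# Constructed subscription and resource groups (placeholder IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_VDAS = SUB + "/resourceGroups/rg-citrix-vdas"
RG_CORE = SUB + "/resourceGroups/rg-core-infrastructure"
VDA_VM = RG_VDAS + "/providers/Microsoft.Compute/virtualMachines/vda-001"
AD_VM = RG_CORE + "/providers/Microsoft.Compute/virtualMachines/ad-server-01"
VDA_SUBNET = RG_CORE + "/providers/Microsoft.Network/virtualNetworks/vnet-core/subnets/snet-vdas"
ROLE_ASSIGNMENT = SUB + "/providers/Microsoft.Authorization/roleAssignments/example"

# Built-in Contributor (NotActions abridged to the Authorization entries).
CONTRIBUTOR = Role("Contributor", ("*",),
                   ("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
                    "Microsoft.Authorization/elevateAccess/Action"))
# Hypothetical custom roles for an MCS hosting connection (assumed permission lists).
MCS_PROVISIONER = Role("Citrix MCS Provisioner (hypothetical)", (
    "Microsoft.Compute/virtualMachines/*", "Microsoft.Compute/disks/*",
    "Microsoft.Compute/snapshots/*", "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Storage/storageAccounts/*", "Microsoft.Resources/subscriptions/resourceGroups/read"))
SUBNET_JOINER = Role("Citrix Subnet Joiner (hypothetical)", (
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action"))

HOSTING_SP = "sp-citrix-hosting-connection"
SUBSCRIPTION_WIDE = (Assignment(HOSTING_SP, CONTRIBUTOR, SUB),)
LEAST_PRIVILEGE = (Assignment(HOSTING_SP, MCS_PROVISIONER, RG_VDAS),
                   Assignment(HOSTING_SP, SUBNET_JOINER, RG_CORE))


def compare(action, resource_id):
    """(allowed under subscription-wide Contributor, allowed under the scoped custom roles)."""
    return (is_allowed(SUBSCRIPTION_WIDE, HOSTING_SP, action, resource_id),
            is_allowed(LEAST_PRIVILEGE, HOSTING_SP, action, resource_id))


if __name__ == "__main__":
    for action, rid in [("Microsoft.Compute/virtualMachines/write", VDA_VM),
                        ("Microsoft.Compute/virtualMachines/delete", AD_VM),
                        ("Microsoft.Network/virtualNetworks/subnets/join/action", VDA_SUBNET),
                        ("Microsoft.Authorization/roleAssignments/write", ROLE_ASSIGNMENT)]:
        print(f"{action:55} on {rid.rsplit('/', 1)[-1]:14} -> {compare(action, rid)}")
```

The second case is the one that matters for blast radius: both designs let the hosting connection build VDAs, but only the subscription-wide Contributor lets a compromised hosting-connection secret delete the domain controller in the core resource group. Note also that Contributor's NotActions stop it from granting roles; that is subtraction, not a deny, so an unrelated Owner assignment to the same principal would bring it back.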
(Diagram: Azure network stack. The on-premises network connects to Azure either over an Express Route circuit through the ISP gateway or over a Site-to-Site VPN between VPN gateways. Inside Azure, vNets with their subnets in Region A and Region B are connected by vNet-to-vNet peering, by a vNet-to-vNet VPN between gateways, or by Global vNet Peering across regions.)
Key Notes:
• Virtual networks are necessary to support communications between virtual machines (VMs). You can define subnets, custom IP addresses, DNS settings, security filtering, and load balancing.
• By using a VPN gateway or Express Route circuit, you can connect Azure virtual networks to your on-premises networks.
• A VNet-to-VNet VPN (or, as the diagram also shows, global VNet peering) is used to allow communication between VNets in different Azure regions.
• The Azure Virtual Network service enables you to securely connect Azure resources to each other with virtual networks (VNets).
Additional Resources:
• Azure Networking - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/infrastructure-networking-guidelines
• Virtual network peering - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Unmanaged Disks
• Standard storage accounts:
  • Blob storage (Containers: used for storing Azure VM disks).
  • Table storage.
  • Queue storage.
  • File storage.
• Premium storage accounts:
  • High-performance, low-latency blob storage (Container).
  • Azure VM disks only.
Azure Managed Disks
• Standard and Premium disks.
• Azure manages the disk placement and replication.
• No storage account limitations.
• Pay for disk size, not usage.
Key Notes:
• Azure Storage is a key part of deploying and managing virtual machines (VMs) and applications.
• Azure Storage provides services for storing file data, unstructured data, and messages, and it is also part of the infrastructure supporting VMs.
• Ensure the storage design you select has enough IOPS to support your needs as you start to deploy Citrix Virtual Apps and Desktops on Azure.
• With Azure managed disks you pay for the entire size of the disk, versus unmanaged, where you pay for only the blocks that are
Additional Resources:
• Azure Storage - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/infrastructure-example#storage
together as one administrative entity.
• There are different approaches, such as:
  • Resource Groups for each application deployment containing all components needed.
  • Centralized Resource Groups that contain your core networks, subnets, and storage accounts.
  • Individual Resource Groups for VMs, network interfaces, and load balancers.
resource group container.
• Components can only reside in one resource group at a time.
(Diagram: RG Desktop VDAs holding Win10 VMs and their NICs; RG Server VDAs holding Win2016 VMs and their NICs; RG StoreFront holding the StoreFront VMs, their NICs and a Load Balancer; RG Core Infrastructure holding the Storage Accounts, Networks and Subnets.)
Key Notes:
• In Azure, you logically group related resources such as storage accounts, virtual networks, and virtual machines (VMs) to deploy, manage, and maintain them as a single entity.
• Resource Groups make it easier to deploy applications while keeping all the related resources together from a management perspective, or to grant others access to that group of resources. A resource group is also the narrowest practical RBAC scope for a provisioning identity such as the Citrix hosting connection, which is one reason to keep the VDA resource groups separate from the core infrastructure group.
• Resource group names can be a maximum of 90 characters in length.
• Typically an Enterprise will split their core resources into individual resource groups (for example Networking
Additional Resources:
• Resource Groups - https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups
• Use availability sets to ensure that VMs running the same service are placed on different hardware clusters.
• Each hardware cluster is divided into multiple update domains and fault domains.
• Fault Domains protect you by spreading the workload between different racks.
• Update Domains provide protection in terms of planned maintenance: Microsoft will never plan maintenance on two update domains at the same time.
(Diagram: the StoreFront role with four StoreFront VMs spread over two racks and two update domains.)
Key Notes:
• Virtual machines (VMs) can be placed into a logical grouping called an availability set.
• When you create VMs within an availability set, the Azure platform distributes the placement of those VMs across the underlying infrastructure.
• Should there be a planned maintenance event to the Azure platform or an underlying hardware/infrastructure fault, the use of availability sets ensures that at least one VM remains running (provided the set holds at least two VMs).
• The number of fault domains varies based on the Azure datacenter. Some have 3. Most have 2.
Additional Resources:
• Manage the availability of Windows virtual machines in Azure - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/infrastructure-example#availability-sets
• Overview of Availability Zones in Azure - https://docs.microsoft.com/en-us/azure/availability-zones/az-overview
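As an added example (not from the Citrix course), the following models the round-robin placement of an availability set's VMs over fault domains (racks) and update domains, so a design can be checked before deployment: does the StoreFront role survive the loss of one rack, or one maintenance wave, and what about both at once? The round-robin order and the domain counts are assumptions taken from the Azure documentation's illustration; confirm the real assignment in the portal for your region.

```python
"""Added example (not from the Citrix course): models the round-robin placement
of an availability set's VMs across fault domains (racks) and update domains,
then checks whether a role keeps at least one instance running through a rack
loss, a maintenance wave, or both at once. Placement order and domain counts
are assumptions taken from the Azure documentation's illustration; confirm the
real assignment in the portal for your region."""


def place(vm_names, fault_domains=2, update_domains=5):
    """Return {vm: (fault_domain, update_domain)} using round-robin placement."""
    if not 1 <= fault_domains <= 3 or not 1 <= update_domains <= 20:
        raise ValueError("availability sets allow 1-3 fault domains and 1-20 update domains")
    return {vm: (i % fault_domains, i % update_domains) for i, vm in enumerate(vm_names)}


def survivors(placement, lost_fault_domain=None, lost_update_domain=None):
    """VMs still running after a rack failure and/or maintenance on one update domain."""
    return sorted(vm for vm, (fd, ud) in placement.items()
                  if fd != lost_fault_domain and ud != lost_update_domain)


def single_failure_ok(placement):
    """True if every single rack loss and every single maintenance wave leaves a VM running."""
    fds = {fd for fd, _ in placement.values()}
    uds = {ud for _, ud in placement.values()}
    return (all(survivors(placement, lost_fault_domain=fd) for fd in fds)
            and all(survivors(placement, lost_update_domain=ud) for ud in uds))


def worst_case_survivors(placement):
    """Fewest VMs left over every combination of one rack lost and one update domain in maintenance."""
    fds = {fd for fd, _ in placement.values()}
    uds = {ud for _, ud in placement.values()}
    return min(len(survivors(placement, fd, ud)) for fd in fds for ud in uds)


def role_check(role, count, fault_domains=2, update_domains=5):
    """Place `count` instances of a role; return (placement, single-failure ok, worst-case survivors)."""
    p = place([f"{role}-{i + 1:02d}" for i in range(count)], fault_domains, update_domains)
    return p, single_failure_ok(p), worst_case_survivors(p)


if __name__ == "__main__":
    for count in (1, 2, 4):
        p, ok, worst = role_check("storefront", count)
        print(f"{count} StoreFront VM(s): {p}\n  single failure ok={ok}, worst case survivors={worst}")
```

Two StoreFront VMs pass the single-failure check that the course promises, yet a rack loss during a maintenance wave on the other VM's update domain leaves nothing; with the diagram's two update domains even four VMs fall to zero in that combined case, because round-robin lands them all on (rack 0, UD 0) or (rack 1, UD 1). With the default of five update domains, four VMs keep at least one instance.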

VM size families (Type - Sizes - Description):
• General purpose - Dsv3, Dv3, DSv2, Dv2, DS, D, Av2, A0-7 - Balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers.
• Compute optimized - Fsv2, Fs, F - High CPU-to-memory ratio. Good for medium traffic web servers, network appliances, batch processes, and application servers.
• Memory optimized - Esv3, Ev3, M, GS, G, DSv2, DS, Dv2, D - High memory-to-core ratio. Great for relational database servers, medium to large caches, and in-memory analytics.
• Storage optimized - Ls - High disk throughput and IO. Ideal for Big Data, SQL, and NoSQL databases.
• GPU - NCv2, NCv3, ND, NV, NC - Specialized virtual machines targeted for heavy graphic rendering and video editing. Available with single or multiple GPUs.
• High performance compute - H, A8-11 - Our fastest and most powerful CPU virtual machines with optional high-throughput network interfaces (RDMA).
Key Notes:
• Selecting the right Compute size to suit your needs is important, as there are many different SKUs available in Azure.
• Typically for Citrix environments, especially for hosting VDAs, customers select the General Purpose VMs because they have a good balance of CPU to Memory, or the Compute Optimized VMs because they have a high CPU to Memory ratio, depending on which applications they are hosting.
Additional Resources:
• High performance compute VM sizes - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-hpc

• A Network Security Group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks.
• Can be associated with:
• Subnets
• Individual network interfaces
Key Notes:
• A Network Security Group (NSG) contains a list of security rules that allow or deny network traffic to resources connected
to Azure Virtual Networks (VNet).
• NSGs can be associated with subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs
(Resource Manager).
• When an NSG is associated with a subnet, the rules apply to all resources connected to the subnet.
• Traffic can further be restricted by also associating an NSG to a single NIC.
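As an added example (not part of the Citrix course), the PowerShell below models how an NSG decides a flow: rules are evaluated in ascending priority order, the first matching rule decides, and Azure's default rules at priority 65000 and above catch whatever the custom rules do not. The subnets, rule names, addresses and flows are constructed for the example; treating the VirtualNetwork tag as 10.0.0.0/8 is an assumption about the VNet address space.

```powershell
# Added example (not from the Citrix course): a model of how an NSG evaluates a flow.
# Rules are checked in ascending priority; the first match decides and nothing after
# it is consulted. Azure's default inbound rules (priority 65000 and up) are included
# so the rule set mirrors a real NSG. Rules, address ranges and flows are constructed.
$VnetSpace = '10.0.0.0/8'   # ASSUMPTION: address space represented by the VirtualNetwork tag

function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $a = ([ipaddress]$Ip).GetAddressBytes(); $n = ([ipaddress]$net).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $take = [math]::Min(8, [math]::Max(0, [int]$bits - 8 * $i))
        if ($take -eq 0) { break }
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

# Service tags are resolved with the simplifications noted above; anything else is a CIDR.
function Test-AddressMatch([string]$Spec, [string]$Addr) {
    switch ($Spec) {
        '*'                 { return $true }
        'VirtualNetwork'    { return (Test-IpInCidr $Addr $VnetSpace) }
        'Internet'          { return -not (Test-IpInCidr $Addr $VnetSpace) }
        'AzureLoadBalancer' { return ($Addr -eq '168.63.129.16') }   # Azure health-probe source
        default             { return (Test-IpInCidr $Addr $Spec) }
    }
}

function Test-RuleMatch($Rule, $Flow) {
    ($Rule.Direction -eq $Flow.Direction) -and
    ($Rule.Protocol -eq '*' -or $Rule.Protocol -eq $Flow.Protocol) -and
    ($Rule.DestPort -eq '*' -or [int]$Rule.DestPort -eq $Flow.DestPort) -and
    (Test-AddressMatch $Rule.Source $Flow.Source) -and
    (Test-AddressMatch $Rule.Destination $Flow.Destination)
}

# First rule (lowest priority number) that matches wins; later rules are never reached.
function Resolve-NsgDecision([object[]]$Rules, $Flow) {
    foreach ($r in ($Rules | Sort-Object Priority)) {
        if (Test-RuleMatch $r $Flow) {
            return [pscustomobject]@{ Flow = "$($Flow.Source)->$($Flow.Destination):$($Flow.DestPort)"
                                      Decision = $r.Access; Rule = $r.Name; Priority = $r.Priority }
        }
    }
}

function New-Rule($Priority, $Name, $Access, $Protocol, $Source, $Destination, $DestPort) {
    [pscustomobject]@{ Priority = $Priority; Name = $Name; Direction = 'Inbound'; Access = $Access
                       Protocol = $Protocol; Source = $Source; Destination = $Destination; DestPort = $DestPort }
}
$GatewaySubnet = '10.0.1.0/24'; $VdaSubnet = '10.0.2.0/24'   # constructed subnets
$rules = @(
    (New-Rule 100   'Allow-ICA-from-Gateway'        'Allow' 'Tcp' $GatewaySubnet      $VdaSubnet       '1494')
    (New-Rule 200   'Deny-RDP-from-Internet'        'Deny'  'Tcp' 'Internet'          '*'              '3389')
    (New-Rule 65000 'AllowVnetInBound'              'Allow' '*'   'VirtualNetwork'    'VirtualNetwork' '*')
    (New-Rule 65001 'AllowAzureLoadBalancerInBound' 'Allow' '*'   'AzureLoadBalancer' '*'              '*')
    (New-Rule 65500 'DenyAllInBound'                'Deny'  '*'   '*'                 '*'              '*')
)

function New-Flow($Source, $Destination, $DestPort, $Protocol = 'Tcp') {
    [pscustomobject]@{ Direction = 'Inbound'; Source = $Source; Destination = $Destination
                       DestPort = [int]$DestPort; Protocol = $Protocol }
}
$flows = @(
    (New-Flow '10.0.1.10'   '10.0.2.20' 1494)   # Citrix Gateway -> VDA ICA: explicit allow at 100
    (New-Flow '203.0.113.5' '10.0.2.20' 3389)   # Internet -> VDA RDP: explicit deny at 200
    (New-Flow '203.0.113.5' '10.0.2.20' 443)    # Internet -> VDA HTTPS: falls through to DenyAllInBound
    (New-Flow '10.0.3.7'    '10.0.2.20' 3389)   # other VNet subnet -> VDA RDP: AllowVnetInBound permits it
)
$flows | ForEach-Object { Resolve-NsgDecision $rules $_ } | Format-Table -AutoSize
```

The last flow is the one to notice when reviewing a VDA subnet NSG: a deny rule scoped to the Internet tag does nothing for traffic from other subnets in the same VNet, which the default AllowVnetInBound rule permits. If RDP to VDAs should only come from a management subnet, an explicit deny (or a tighter allow) below priority 65000 is needed.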

[Diagram: ARM Template deployed to Azure, creating Resource Groups, Networks, Storage, and Virtual Machines]
• Azure Resource Manager (ARM) Templates can contain complete configurations in a JSON file.
• ARM Templates can be deployed both via the Azure Portal or PowerShell.
Key Notes:
• Templates can be used within ARM or PowerShell.
• They can be used to create single VMs or whole environments programmatically.
• Based on JSON.
• Templates can be exported from ARM.
• Templates can be shared amongst Accounts and Subscriptions.
• GitHub is a great way to get familiar with templates.
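The PowerShell below is an added example, not a Citrix template or Citrix code: it parses a small ARM template (constructed here for the example) with the built-in JSON cmdlets and reports the two things a reviewer checks before deploying a shared template: which resources it will create, and whether secret-bearing parameters are declared as securestring, since a plain string parameter value is written into the deployment history. Resource names and the template contents are constructed; the parameter-name pattern used to spot secrets is an assumption.

```powershell
# Added example (not from the Citrix course): offline review of an ARM template before
# deployment. The template below is constructed for this example, not a Citrix template.
# Validation against Azure itself would use Test-AzResourceGroupDeployment (Az.Resources),
# which needs a signed-in session, so it is only shown in a comment at the end.
$templateJson = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": { "type": "string" },
    "adminPassword": { "type": "string", "defaultValue": "ChangeMe123!" },
    "vmName":        { "type": "string", "defaultValue": "cc-01" }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-05-01",
      "name": "nsg-cloudconnector",
      "location": "[resourceGroup().location]",
      "properties": { "securityRules": [] }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2020-06-01",
      "name": "[parameters('vmName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "osProfile": {
          "computerName":  "[parameters('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        }
      }
    }
  ]
}
'@

function Get-ArmTemplateFindings {
    param([Parameter(Mandatory)][string]$Json)
    $t = $Json | ConvertFrom-Json
    $findings = @()
    # ASSUMPTION: parameter names containing these words carry secrets.
    $secretPattern = 'password|secret|key'
    foreach ($p in $t.parameters.PSObject.Properties) {
        if ($p.Name -notmatch $secretPattern) { continue }
        # Secret parameters must be securestring so the value is not stored in plain text
        # in the deployment history and logs.
        if ($p.Value.type -ne 'securestring') {
            $findings += "Parameter '$($p.Name)' is type '$($p.Value.type)'; declare it as 'securestring'."
        }
        # A default value for a secret ends up shared with everyone who has the template.
        if ($p.Value.PSObject.Properties['defaultValue']) {
            $findings += "Parameter '$($p.Name)' has a defaultValue; secrets must be supplied at deployment time."
        }
    }
    # Inventory of what the template will create, for change review.
    foreach ($r in $t.resources) {
        $findings += "Creates $($r.type) '$($r.name)' (apiVersion $($r.apiVersion))"
    }
    return $findings
}

Get-ArmTemplateFindings -Json $templateJson
# Against a real subscription, after Connect-AzAccount:
#   Test-AzResourceGroupDeployment -ResourceGroupName <rg> -TemplateFile .\template.json
```

Running the function against the constructed template lists both NSG and VM resources and flags adminPassword twice (wrong type, and a default value). The same check is worth running on templates pulled from GitHub or the quickstart gallery before they are reused in a Citrix resource location.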
Additional Resources:
• Create your first template - https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-create-first-template
• Virtual machines in an Azure Resource Manager template - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/template-description
• Azure Template QuickStart - https://azure.microsoft.com/en-us/resources/templates/
• Citrix Cloud Citrix Virtual Desktops Resource Location Creation ARM Template - https://www.citrix.com/blogs/2017/07/27/citrix-cloud-xendesktop-resource-location-creation-arm-template/

• Runbooks are typically used for process automation.
• Desired State Configuration is typically used for configuration automation.
• Runbooks can be created in PowerShell or in a graphical editor in ARM.
• Desired State Configuration is a PowerShell component in Windows that can integrate with Azure Automation.
• Refer to the Runbook Gallery for templates.
Key Notes:
• Microsoft Azure Automation provides a way for users to automate the manual, long-running, error-prone, and frequently
repeated tasks that are commonly performed in a cloud and enterprise environment.
• It saves time and increases the reliability of regular administrative tasks and even schedules them to be automatically
performed at regular intervals.
• You can automate processes using runbooks or automate configuration management using the Desired State
Configuration.
Additional Resources:
• Azure Automation overview - https://docs.microsoft.com/en-us/azure/automation/automation-intro
• Azure automation Script resources for IT professionals (Gallery) - https://gallery.technet.microsoft.com/scriptcenter/site/search?f[0].Type=RootCategory&f[0].Value=WindowsAzure&f[1].Type=SubCategory&f[1].Value=WindowsAzure_automation&f[1].Text=Automation
• The what, why and how of Azure Automation Desired State Configuration (DSC) - https://azure.microsoft.com/en-us/blog/what-why-how-azure-automation-desired-state-configuration/

[Diagram: Scale-Out File Server on Storage Spaces Direct across four Win2016 Server nodes]
scalable software-defined storage using inexpensive local disks.
Key Notes:
• Storage Spaces Direct leverages a combination of features in Windows Server, such as Failover Clustering, the Cluster Shared Volume (CSV) file system, Server Message Block (SMB) 3, and of course Storage Spaces.
• By replicating the data automatically between the local disks and cache repositories, S2D can create high performance and availability without having to rely on expensive storage systems.
• Storage Spaces Direct will use more disk space than a traditional RAID system to host the data due to the replication between hosts.
• Scalability. Go up to 16 servers and over 400 drives, for up to 1 petabyte (1,000 terabytes) of storage per cluster. To scale out, simply add drives or add more servers.
Additional Resources:
• Deploy a two-node Storage Spaces Direct scale-out file server for UPD storage in Azure - https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-storage-spaces-direct-deployment

[Diagram: Delegated Permissions (User, Groups, Apps) assigned at a Scope of Assignment (Azure Subscription, Resource Groups, Resource Group, Resources)]
• Permissions can be delegated to:
• Users
• Groups
• Apps (Service Principals)
• Scope of assignment can be:
• Subscription
• Resource group
• Single resource
Key Notes:
• Security Principal: Identity to which the permission will apply.
• Role Definition: A collection of permissions.
• Azure Service Principal: A security identity used by user-created apps, services, and automation tools to access specific Azure resources.
• Users, Groups, and Service Principals from Azure AD can all be delegated permission in Azure.
• Permissions can be assigned through the Azure Portal, Azure command line tools, or via the many Azure APIs available.
Additional Resources:
• Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
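The PowerShell below is an added example, not Citrix course code, and it runs offline. It models the scope inheritance described above: a role assignment applies at the scope where it is made and at every scope beneath it, so the same role granted at subscription scope reaches far more than one granted on a resource group. The subscription id, resource group names, principals and roles are constructed; the service principal stands in for the one a Citrix Cloud hosting connection to Azure would use, which is an assumption about the design.

```powershell
# Added example (not from the Citrix course): a model of Azure RBAC scope inheritance.
# An assignment made at a scope applies to every resource beneath that scope.
# Scopes, principals and roles are constructed; 'SUB' is a placeholder subscription id.
$assignments = @(
    [pscustomobject]@{ Principal = 'sp-citrix-hosting'; Role = 'Contributor'; Scope = '/subscriptions/SUB/resourceGroups/rg-vda' }
    [pscustomobject]@{ Principal = 'grp-azure-admins';  Role = 'Owner';       Scope = '/subscriptions/SUB' }
    [pscustomobject]@{ Principal = 'alice@contoso.example'; Role = 'Reader'
                       Scope = '/subscriptions/SUB/resourceGroups/rg-vda/providers/Microsoft.Compute/virtualMachines/vda-01' }
)

# Roles a principal holds at a resource: direct assignments plus every assignment
# at a parent scope (resource group or subscription).
function Get-EffectiveRoles {
    param([string]$Principal, [string]$ResourceId, [object[]]$Assignments)
    $Assignments |
        Where-Object { $_.Principal -eq $Principal -and
                       ($ResourceId -eq $_.Scope -or $ResourceId.StartsWith($_.Scope + '/')) } |
        Select-Object -ExpandProperty Role -Unique
}

$vda = '/subscriptions/SUB/resourceGroups/rg-vda/providers/Microsoft.Compute/virtualMachines/vda-01'
$sql = '/subscriptions/SUB/resourceGroups/rg-infra/providers/Microsoft.Sql/servers/sql-01'

"sp-citrix-hosting on vda-01: $(Get-EffectiveRoles 'sp-citrix-hosting' $vda $assignments)"   # Contributor (RG scope)
"sp-citrix-hosting on sql-01: $(Get-EffectiveRoles 'sp-citrix-hosting' $sql $assignments)"   # nothing: rg-vda scope does not reach rg-infra
"grp-azure-admins on sql-01:  $(Get-EffectiveRoles 'grp-azure-admins' $sql $assignments)"    # Owner, inherited from the subscription
"alice on vda-01:             $(Get-EffectiveRoles 'alice@contoso.example' $vda $assignments)" # Reader (single resource)

# The real assignment for the hosting service principal, scoped to the VDA resource group
# rather than the subscription (Az.Resources, needs Connect-AzAccount):
#   New-AzRoleAssignment -ApplicationId <appId> -RoleDefinitionName Contributor -ResourceGroupName rg-vda
```

The point for a Citrix deployment is the second line of output: a service principal used by the hosting connection can be given Contributor on the resource group holding the VDAs and nothing elsewhere, which is the least-privilege shape to aim for rather than Contributor at subscription scope.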

Which components can be associated with Network Security Groups from the ARM console?
Subnets and NICs
Key Notes:
• Associating NSGs to VMs was available in the Classic Portal, but this feature has been removed with the discontinuation of the Classic Portal in January 2018.

• Portal.azure.com
• Supports Resource Groups
• Supports Templates
• Supports RBAC
• Supports Tags
• Detailed billing information by Tags
Key Notes:
• Azure Resource Manager (ARM) enables you to work with the resources in your solution as a group. You can deploy, update, or delete all the resources for your solution in a single, coordinated operation. You use a template for deployment and that template can work for different environments such as testing, staging, and production. Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment.
• Benefits of ARM:
• You can deploy, manage, and monitor all the resources for your solution as a group.
Additional Resources:
• ARM - https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview

manage Blobs, Unmanaged Disks, File Storage, and Table Storage.
Key Notes:
• Azure Storage Explorer is a standalone app that enables you to easily work with Azure Storage data on Windows, MacOS, and Linux.
• Lets you:
• Connect to storage accounts associated with your Azure subscriptions.
• Connect to storage accounts and services that are shared from other Azure subscriptions.
• Connect to and manage local storage by using the Azure Storage Emulator.
• Streaming video and audio.
• Storing data for backup and restore, disaster recovery, and archiving.
• Storing data for analysis by an on-premises or Azure-hosted service.
• Azure Files enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files with both read and write access.
• Premium storage provides high-performance storage for page blobs, which are primarily used for VHD files. Premium storage accounts use SSD to store data. Microsoft recommends using Premium Storage for all of your VMs.
Additional Resources:
• Get started with Storage Explorer - https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows
• Azure Storage Documentation - https://docs.microsoft.com/en-us/azure/storage/

Enterprise Agreement Customers.
• Create new Accounts and track billing for multiple accounts and subscriptions.
Key Notes:
• The Azure EA Portal is only available to customers with an Enterprise Agreement.
• The tool allows a customer to effectively manage multiple Azure accounts and Azure subscriptions.
• Track cost and billing across the entire enterprise agreement.
• Restricts the ability to create new accounts to certain IT Admins and keeps the number of accounts to a minimum.

• Azure CLI
• Azure PowerShell
• Visual Studio Code
• Azure REST API
• .NET API
• JAVA API
• PYTHON API
• Node.js API
Key Notes:
• In addition to managing Azure through the Azure Resource Manager portal, there are numerous tools and SDKs available for administrators and developers to manage and automate their Azure environments.
• We will only focus on the Azure Portal and PowerShell during the course, but most of the features of Azure are exposed through all the APIs.

Which portal allows certain customers to create and manage multiple accounts and subscriptions?
The Azure EA Portal is only available for customers with an Enterprise Agreement.

Key Notes:
• Not all products and SKUs are available in all regions.
• For example, Availability Zones are only available in certain regions.
Additional Resources:
• Azure Regions - https://azure.microsoft.com/en-us/regions/

experience when using HDX is latency.
• Azure can allow you to deploy VDAs close to users' geographical locations and thereby reduce latency.
• Ensure that Routes and VPNs are planned accordingly.
• Ensure that Citrix ADC and StoreFront configurations are optimized for the new deployment methods.
Key Notes:
• Place VDA resources in Azure regions close to your users to reduce latency and improve HDX performance.
• Typical latency recommendations from Citrix Consulting, assuming the environment has been tuned properly:
• Up to 150ms: great user experience.
• 150ms – 300ms: good/acceptable user experience.
• Over 300ms: degraded user experience.
• Alternatively, deploy VDAs in multiple Azure regions if the user base is spread out globally.
Additional Resources:
• https://www.citrix.com/blogs/2018/12/17/turbo-charging-ica-part-2/

• Database Mirroring or Replication.
• Consult Application providers for multisite configuration.
• Consider DFSR, Storage Spaces Direct, or Azure File Storage for Data replication.
• Avoid long file load and save actions.
• Keep user profiles close to VDAs.
• Reduce profile size to a minimum.
• Consider a unique profile per location to avoid profile replication.
• Use folder redirection to reduce data transfer and ensure consistency across different profiles.
• Examine AppData usage before redirecting.
• Double Hop HDX is still an option if some apps cannot be moved.
Key Notes:
• Clustering is not supported in Azure.
• Azure File Storage is not supported for Roaming profiles or profile disks.
• Double-hop HDX means that you run an HDX session inside another HDX session, for example:
• The user connects to an HDX desktop session in Azure; within that HDX session, they open Workspace app and launch a published HDX app from another VDA. For this example, the second connection is made to a VDA hosted on-premises, serving an application that cannot be moved to Azure.

• Exercise 1-2: Verify Resource Groups and Permissions in Azure.
• Exercise 1-3: Create a Virtual Network in Azure.
• Exercise 1-4: Peer Networks in Azure.
• Exercise 1-5: Create Storage Account.
• Exercise 1-6: Create a new VM for Cloud Connector.

What is the biggest benefit of deploying VDAs in Azure regions close to users?
To reduce the latency impact on the HDX connection and optimize the user experience.

much like with on-premises hypervisors.
• Citrix Virtual Apps and Desktops can be deployed in Azure in many ways to suit your business needs.
• Azure has many moving parts but adds a lot of flexibility to your Citrix deployments.
• Azure Resource Manager is the main administration console for Azure.
• Microsoft is constantly adding new datacenters to Azure.

Module 2
Virtual Apps and Desktops Azure Active Directory Integration

• Highlight Active Directory Usage From a Citrix Perspective.
• Connect On-premises Active Directory to Azure.
• Define Azure Role-Based Access Control.

[Diagram: Citrix Cloud (Citrix Gateway, Workspace, Delivery Controller, Site Database); Azure (Citrix Gateway, StoreFront, Cloud Connector, VDAs); On-premise (Citrix Gateway, StoreFront, Active Directory)]
every authentication must traverse the Network and VPN back to your organization.
• Login and Authentication delays.
• Potential timeouts due to latency.
• Link or VPN failure will interrupt all AD-related functionality.
• Supports OUs, GPOs, LDAP, and Kerberos.
Key Notes:
• While this deployment method technically will work if the necessary VPN tunnels are in place, it is not recommended by either Citrix or Microsoft.
• Without a domain controller in Azure, all domain related traffic would need to flow through the VPN to the on-premises datacenter.

[Diagram: Citrix Cloud (Citrix Gateway, Workspace, Delivery Controller, Site Database); Azure (Azure AD, Citrix Gateway, StoreFront, Cloud Connector, VDAs); On-premise (Citrix Gateway, StoreFront, Active Directory)]
for SSO to SaaS applications.
• Azure AD can be used for Delegated Administrators in Citrix Cloud.
• Azure AD can be used for user authentication to resources.
• Users from on-premises AD can be synchronized to Azure AD.
• Azure AD cannot be used with MCS, GPOs, and Kerberos.
• Azure AD supports SAML, WS-Federation, and OAuth.
Key Notes:
• Azure AD can be used for authenticating to resources in Workspace as well as delegated administration in Citrix Cloud.
• The users in Azure AD must be synchronized from a traditional AD for these features to work.
• Citrix Federated Authentication must also be configured for the logon ticket to be passed into the HDX session during launch.
• Azure Active Directory (Azure AD) is Microsoft's multi-tenant cloud-based directory and identity management service primarily used to provide SSO to SaaS applications.
requirement to be joined to an Active Directory domain. This is required for domain computer accounts, new machine provisioning (MCS), user association, and pass-through/Kerberos authentication to resources. It is because of these requirements that Azure Active Directory cannot be used alone.
Additional Resources:
• What is Azure AD? - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis
• Azure Active Directory and Citrix Virtual Apps and Desktops - https://support.citrix.com/article/CTX224111

[Diagram: Citrix Cloud (Citrix Gateway, Workspace, Delivery Controller, Site Database); Azure (Azure AD Domain Services, Citrix Gateway, StoreFront, Cloud Connector, VDAs); On-premise (Citrix Gateway, StoreFront, Active Directory)]
group policy, LDAP read, and Kerberos/NTLM authentication without the overhead of deploying and maintaining VMs in Azure.
• Relies on micro services.
• Supports MCS and Kerberos.
• Limited administrative permission.
Key Notes:
• Azure AD Domain Services provides AD domain controllers as a service, eliminating the complexity of setting up AD, the ongoing maintenance costs of patching and backing up domain controllers, and the operational expense of domain controller VMs in Azure.
• Azure AD Domain Services provides managed domain services such as domain join, group policy, LDAP read, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory.
Additional Resources:
• What is Azure AD Domain Services? - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-overview
• Virtual Apps and Desktops Support Azure AD Domain Services - https://www.citrix.com/blogs/2017/04/11/xenapp-xendesktop-services-support-azure-ad-domain-services/
• Azure Active Directory (AD) Domain Services - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-overview

[Diagram: Citrix Cloud (Citrix Gateway, Workspace, Delivery Controller, Site Database); Azure (Active Directory, Citrix Gateway, StoreFront, Cloud Connector, VDAs); On-premise (Citrix Gateway, StoreFront, Active Directory)]
• There may be some synchronization latency between the domain servers in the cloud and the servers running on-premises.
• Read-only Domain Controllers are not supported for Citrix Virtual Apps and Desktops.
• AD DS in Azure with a separate forest.
• Requires appropriate trust relationships between forests.
• Citrix Cloud Connectors cannot traverse back through domain trusts, so additional Cloud Connectors may be needed on-premises.
Key Notes:
• The customer is required to deploy domain controllers using virtual machines in Azure.
• The customer is required to manage, secure, patch, monitor, backup, and troubleshoot the AD virtual machines.
• Deployments of AD DS in Azure can be joined to an existing on-premises Forest, or AD DS can be deployed in Azure as a separate forest.
• Each separate domain containing either users or VDAs should have a set of Cloud Connectors deployed.

[Table: feature support by directory option; the check-mark cells are not reproduced]
Functionality | On-Premises AD | Azure AD | Azure AD DS | Full AD in Azure
Delegated Admin in Citrix Cloud
Machine Creation Services
LDAP/Kerberos
GPOs
Authentication to resources
Domain join
Key Notes:
• Determine the right AD design for your solution before starting to build the environment.
• Azure AD can only be used for delegated administration and user authentication; it does not support the features used for desktop brokering in Virtual Apps and Desktops.

Does Azure Active Directory support MCS?
No, Azure Active Directory does not support Kerberos or LDAP and therefore does not support MCS.
Deploy full AD or Azure AD Domain Services for MCS support.

Cloud:
• Azure AD Credentials
• MyCitrix Credentials
• Integrating Azure AD allows the managing of both Citrix Cloud and Azure with the same credentials.
• Easy provisioning and de-provisioning of delegated admins.
• Multifactor authentication available through Azure AD.
Key Notes:
• Azure AD and MyCitrix credential providers are supported for Citrix Cloud.
• Integrating Citrix Cloud and Azure AD enables customers to:
• Use their existing Active Directory, where they can audit, control password policies, and disable accounts if necessary.
• Use enhanced security features with multi-factor authentication.
• Provide a branded sign-in page.
• Support federation to an identity provider of choice: AD-FS, Okta, Ping, and others.
Additional Resources:
• New! Azure Active Directory Support for Citrix Cloud Administrators - https://www.citrix.com/blogs/2017/01/09/new-azure-active-directory-support-for-citrix-cloud-administrators/
• What Is Identity and Access Management? - http://docs.citrix.com/en-us/citrix-cloud/overview/about/what-is-identity-and-access-management.html

• MCS can create Active Directory Computer accounts for all VMs in a catalog, or you can specify existing accounts.
• Cloud Connector or Delivery Controller computer account must have a connection to Active Directory.
• Azure AD does not support computer accounts or Kerberos and therefore is not supported with MCS.
• Citrix Cloud Studio prompts for administrator credentials to create Computer Accounts.
• On-premises Studio uses the signed in administrator to create Computer Accounts.
Key Notes:
• During MCS provisioning, Citrix Cloud Studio requests admins to enter credentials that will be used to create the computer accounts for the VDA VMs in the Machine Catalog.
• In on-premises Virtual Apps and Desktops deployments, these computer accounts are created in the context of the admin running Studio; however, in Citrix Cloud, since the Delivery Controller is not part of the customers' domain, this process is different.
• Pre-created computer accounts can also be used with Citrix Cloud.
Additional Resources:
• Virtual Apps and Desktops Support Azure AD Domain Services - https://www.citrix.com/blogs/2017/04/11/xenapp-xendesktop-services-support-azure-ad-domain-services/
• Create machine catalogs - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/install-configure/machine-catalogs-create.html

• Cloud Connectors and Delivery Controllers use Kerberos to broker connections to VDAs.
• Full AD DS or Azure AD DS to support registration and brokering.
• Azure AD does not support Kerberos.
Key Notes:
• While Azure AD can be used for user and administrator authentication in Citrix Cloud, it does not support VDA registration or brokering.
• Deploy Azure AD DS or a full AD in Azure for VDA brokering and Kerberos.
• The only difference in VDA registration between on-premises deployments and Citrix Cloud is the fact that the VDAs register with Cloud Connectors, rather than Delivery Controllers. The Cloud Connectors then relay the registration notification to the Delivery Controllers in Citrix Cloud.

• Azure AD with Workspace Experience only.
• Azure AD DS.
• On-premises AD extended to Azure.
• Full AD in Azure.
• Azure AD can provide multifactor authentication.
• Citrix Gateway Service in Citrix Cloud supports OTP.
• Deploy your own Citrix ADC and StoreFront for other multifactor solutions.
Key Notes:
• By using Azure AD with Citrix Cloud, you can:
• Leverage your own Active Directory, so you can control auditing, password policies, and easily disable accounts when needed.
• Configure multi-factor authentication for a higher level of security against the possibility of stolen sign-in credentials.
• Use a branded sign-in page, so your users know they're signing in at the right place.
• Use federation to an identity provider of your choice including ADFS, Okta, and Ping, among others.
applications. Once the end-users log in to the Citrix Workspace portal, they will see icons for the applications to which they have access.
• Integrating Azure AD might impact the logon experience for users.
• Citrix FAS is required to create a single sign-on experience with Azure AD. Without FAS, the user will be prompted to enter their domain credentials while launching their HDX session.
Additional Resources:
• Citrix Unveils Gateway Service with Secure and Single Sign-On to SaaS, Enterprise Web & VDI Apps - https://www.citrix.com/blogs/2018/04/12/citrix-unveils-secure-gateway-service-with-single-sign-on-to-saas-enterprise-vdi-apps/
• Federated Authentication Service Azure AD integration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/federated-authentication-service/fas-architectures/fas-azure-ad.html

• In Azure AD, an organization is called a tenant.
• Choose the Organization name and initial domain name to create a new tenant.
• Upgrade to Premium
• Self Service Password Reset with Password WriteBack
• MultiFactor Authentication, and more.
Key Notes:
• In Azure Active Directory (Azure AD), a tenant is representative of an organization. It is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure or Office 365. Each Azure AD tenant is distinct and separate from other Azure AD tenants.
• A tenant houses the users in a company and the information about them - their passwords, user profile data, permissions, etc. It also contains groups, applications, and other information pertaining to an organization and its security.
• To enhance your Azure Active Directory, you can add paid capabilities using the Azure Active Directory Basic, Premium
Additional Resources:
• Azure Active Directory editions - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-editions
• How to get an Azure Active Directory tenant? - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant

[Diagram: Task 1: Create Basic Settings; Task 2: Configure Network Settings; Task 3: Create Administrator Group; Task 4: Update DNS settings; Task 5: Enable Password Synchronization]
Key Notes:
• Azure AD Domain Services is a micro service; it is not a set of VMs that can be managed directly in Azure.
• You do not have Domain Administrator or Enterprise Administrator permissions on the managed domain that you created by using Azure Active Directory Domain Services.
• On managed domains, these permissions are reserved by the service and are not made available to users within the tenant. However, you can create a special administrative group to perform some privileged operations.
• These operations include joining computers to the domain, belonging to the administration group on domain-joined
• Task 2: The next configuration task is to create an Azure virtual network and a dedicated subnet within it. You enable Azure Active Directory Domain Services in this subnet within your virtual network. You may also pick an existing virtual network and create the dedicated subnet within it.
• Task 3: In this configuration task, you create an administrative group in your Azure AD directory. This special administrative group is called AAD DC Administrators. Members of this group are granted administrative permissions on machines that are domain-joined to the managed domain. On domain-joined machines, this group is added to the administrators' group. Additionally, members of this group can use Remote Desktop to connect remotely to domain-joined machines.
• Task 4: Next, enable computers within the virtual network to connect and consume these services. You update the DNS server settings for your virtual network to point to the two IP addresses where Azure Active Directory Domain Services is available on the virtual network.
• Task 5: The next task is to enable the synchronization of password hashes required for NT LAN Manager (NTLM) and Kerberos authentication to Azure AD Domain Services. After you've set up password hash synchronization, users can sign in to the managed domain with their corporate credentials.
Additional Resources:
• Enable Azure Active Directory Domain Services - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started
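The PowerShell below is an added example, not Citrix course code, covering Task 3 and Task 4 of the sequence above with the Az and AzureAD modules. It needs a signed-in session (Connect-AzAccount and Connect-AzureAD) and so cannot run offline. The resource group and VNet names, the administrator UPN and the two managed-domain IP addresses are placeholders; the real addresses are the ones the Azure AD Domain Services blade shows once Task 1 has completed. The group name AAD DC Administrators is fixed by the service, as the notes state.

```powershell
# Added example (not from the Citrix course): Tasks 3 and 4 of enabling Azure AD Domain
# Services, using the Az and AzureAD modules. Requires Connect-AzAccount and Connect-AzureAD.
$ResourceGroup = 'rg-identity'                 # placeholder
$VnetName      = 'vnet-citrix'                 # placeholder
$AaddsDnsIps   = @('10.0.0.4', '10.0.0.5')     # placeholder: the two IPs shown by the managed domain
$AdminUpn      = 'aadds-admin@contoso.example' # placeholder

# Task 3: the 'AAD DC Administrators' group. Its members become local administrators on
# every machine joined to the managed domain (and may RDP to them), so treat it as a
# privileged group: keep membership small and review it like Domain Admins.
$group = Get-AzureADGroup -Filter "DisplayName eq 'AAD DC Administrators'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName 'AAD DC Administrators' `
                              -Description 'Delegated administration group for Azure AD Domain Services' `
                              -SecurityEnabled $true -MailEnabled $false -MailNickName 'AADDCAdministrators'
}
$admin = Get-AzureADUser -ObjectId $AdminUpn
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId
if ($members.ObjectId -notcontains $admin.ObjectId) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $admin.ObjectId
}

# Task 4: point the VNet's DNS at the managed domain so Cloud Connectors and VDAs can
# locate it for domain join, GPO, LDAP and Kerberos.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$vnet.DhcpOptions.DnsServers = $AaddsDnsIps
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify both tasks: group membership and the DNS servers now advertised to every subnet.
"AAD DC Administrators members: $((Get-AzureADGroupMember -ObjectId $group.ObjectId).UserPrincipalName -join ', ')"
"VNet DNS servers: $((Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName).DhcpOptions.DnsServers -join ', ')"
```

VMs already running in the VNet pick up the new DNS servers only after a restart or DHCP renewal, so run Task 4 before creating the Cloud Connector VMs where possible. Task 5 (password hash synchronization) is driven from Azure AD Connect or by users changing their passwords and has no equivalent in this script.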

Which two types of credentials can be used to log in to Citrix Cloud?
MyCitrix and Azure AD Credentials.

[Diagram: Azure AD Connect synchronizing on-premise Active Directory to Azure AD, which serves Microsoft Office 365, SaaS Apps, and Your Apps; user devices, Workspace app, and endpoints on-premise]
Active Directory.
• Common Identity both on-premises and in Azure, Office365, and SaaS apps.
• Use filters to synchronize specific objects.
• Password Sync ensures password consistency and allows you to use on-premises password policies.
• Password write-back allows users to change their passwords in the cloud and have your on-premises password policy applied.
Key Notes:
• Azure AD Connect will integrate your on-premises directories with Azure Active Directory.
• Integrating your on-premises directories with Azure AD provides a common identity for accessing both cloud and on-premises resources. This could encompass SSO for Azure, Office365, and SaaS Apps.
• Azure AD Connect provides several features that are enabled by default or features that you can enable. These features include but are not limited to filtering, password synchronization, password writeback, and device writeback.
• Password write-back honors local AD password policies.
Additional Resources:
• Implement password synchronization with Azure AD Connect sync - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization
• Quick Start: Azure AD self-service password reset - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-getting-started
Server.
• Minimum 2012R2 for ADFS support.
• Installs SQL Server 2012 Express LocalDB.
• Existing SQL can be used instead.
• Express Settings.
• Custom Settings.
Key Notes:
• Azure AD Connect server requirements
• Windows Server standard or better and must be Windows Server 2008 or later. Minimum 2012R2 for ADFS support
• Full GUI installed. Server core is not supported.
• The server may be a domain controller or a member server when using express settings. If a custom install, then the
server can also be stand-alone and does not have to be joined to a domain.
Windows Server 2012 or later.
  • The Azure AD Connect server must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed.
  • The Azure AD Connect server must not have PowerShell Transcription Group Policy enabled.
  • If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows remote management must be enabled on these servers for remote installation.
  • If Active Directory Federation Services is being deployed, you need SSL Certificates.
  • If Active Directory Federation Services is being deployed, then you need to configure name resolution.
  • If your global administrators have MFA enabled, then the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list. You are prompted to add this site to the trusted sites list when you are prompted for an MFA challenge and it has not been added before. You can use Internet Explorer to add it to your trusted sites.
• SQL Server used by Azure AD Connect
  • Azure AD Connect requires a SQL Server database to store identity data. By default, a SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed.
  • A separate SQL Server is also supported; the requirements are:
    • Azure AD Connect supports Microsoft SQL Server from SQL Server 2008 (with the latest Service Pack) to SQL Server 2016 SP1. Microsoft Azure SQL Database is not supported as a database.
    • You must use a case-insensitive SQL collation.
    • You can only have one sync engine per SQL instance.
Additional Resources:
• Custom Settings - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom
• Express Settings - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express
Express settings:
• You have a single Active Directory forest on-premises.
• You have less than 100,000 objects in your on-premises Active Directory.
• You have an enterprise administrator account that can be used for the installation.
• Re-run wizard to select specific OUs to synchronize.
• Re-run wizard to enable Azure AD Premium features.
Custom settings:
• You do not have access to an enterprise admin account in Active Directory.
• You have more than one forest, or you plan to synchronize more than one forest in the future.
• You have domains in your forest not reachable from the Connect server.
• You plan to use federation or pass-through authentication for user sign-in.
• You have more than 100,000 objects and need to use a full SQL Server.
• You plan to use group-based filtering and not only domain or OU-based filtering.
Key Notes:
• Express installation is the most common method used.
• Use an Express installation when:
• A Single Active directory Forest on-premises.
• An enterprise admin account to be used for the Azure AD connect installation.
• Less than 100,000 objects in your active directory.
• Use a custom installation when:
Additional Resources:
• Select which installation type to use for Azure AD Connect - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-select-installation
• Use IdFix to identify errors such as duplicates and formatting problems in your directory, before you synchronize to Azure AD.
• Enable the Active Directory Recycle Bin.
• Azure AD Connect (version 1.1.614.0 and after) by default uses TLS 1.2 for encrypting communication between the sync engine and Azure AD. If TLS 1.2 isn't available on the underlying operating system, Azure AD Connect incrementally falls back to older protocols (TLS 1.1 and TLS 1.0).
• Review Firewall, Proxy, and Certificate requirements.
• Citrix has already deprecated TLS 1.0 and TLS 1.1.
Key Notes:
• Always ensure that the Active Directory is in good health before starting any synchronization.
• IdFix can determine any issues before starting the synchronization.
• Always enable AD Recycle Bin as human mistakes in the configuration could potentially delete user accounts in the on-premises AD.
• Adjust the below registry key to increase TLS security.
• For all operating systems, set this registry key and restart the
Additional Resources:
• Prerequisites for Azure AD Connect - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites
• Hybrid Identity Required Ports and Protocols - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-ports
Which tool should be used to verify your Directory for consistency before migrating users to Azure AD?
IDFix can be used to identify errors or inconsistencies before synchronization.
• Users
• Groups
• Apps (Service Principals)
• Scope of assignment can be:
  • Subscription
  • Resource group
  • Single resource
(Diagram: User, Groups and Apps assigned at Azure Subscription, Resource Group and Resources scope)
Key Notes:
• Each Azure subscription is associated with an Azure Active Directory (AD) directory. Users, groups, and applications from
that directory can manage resources in the Azure subscription. Assign these access rights using the Azure portal, Azure
command-line tools, and Azure Management APIs.
• Users, Groups, and Service Principals from Azure AD can all be delegated permission in Azure.
• The level of permission can be controlled on the Subscription level, the Resource Group level or the individual resource
level.
Additional Resources:
• Get started with Role-Based Access Control in the Azure portal - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
• Built-in roles for Azure role-based access control - https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
• Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
• There are 3 Basic built-in roles that can apply to all resource types.
  • Owner
  • Contributor
  • Reader
• There are more than 35 application specific roles available.
Owner: Has full access to all resources including the right to delegate access to others.
Contributor: Can create and manage all types of Azure resources but can’t grant access to others.
Reader: Can view existing Azure resources.
Key Notes:
• Azure RBAC has three basic roles that apply to all resource types:
• The owner has full access to all resources, including the right to delegate access to others.
• A contributor can create and manage all types of Azure resources but can’t grant access to others.
• The reader can view existing Azure resources.
• In addition to the basic roles, there are numerous RBAC roles that allow management of specific Azure resources.
• Furthermore, you can define custom RBAC roles through Azure PowerShell, Azure Command-Line Interface or the REST
Additional Resources:
• Built-in roles for Azure role-based access control - https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
• Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
• Actions enable functionalities.
• NotActions disable functionalities.
• Write enables PUT, POST, PATCH, and DELETE operations.
• Read enables GET operations.
• Wildcards can be used to define several providers in one string.
• Scopes can be used to limit permissions further.
Key Notes:
• The Actions property specifies the allowed actions on Azure resources. Action strings can use wildcard characters. The NotActions property specifies the actions that are excluded from the allowed actions.
• NotActions restrict a specific action – the NotActions are subtracted from the Actions.
• Write permission allows for additions, changes, or deletion of objects.
• Read permission allows for a read of the object but does not allow changes.
• Can be created using:
  • Azure PowerShell
  • Azure Command-Line Interface (CLI)
  • REST API
• The access granted by a custom role is computed by subtracting the NotActions operations from the Actions operations.
• Assignable Scopes determines on which object the permissions are given – typically a subscription.
• Can be defined in JSON.
• Create a custom role for Azure Host Connections to ensure least privileges on subscription-wide objects in Azure.
• This role is in addition to the Contributor permissions the Narrow Scope Service Principal needs on the Resource Groups.
• Assign this role with a Narrow Scope Service Principal.
• Proof of concept Virtual Apps and Desktops installation.
• Virtual Apps and Desktops administrators already have contributor access at Azure subscription scope.
Key Notes:
• Custom Roles are used when you need to set a more specific Role Based Access Control set of permissions than the built-in roles allow you to do.
• Roles contain the Actions and NotActions covered in the previous slide.
• Each tenant can create up to 2000 custom roles.
• Assignable Scope is used to specify on which objects the roles are deployed – this typically refers to one or more
subscriptions.
• Microsoft.Network/virtualNetworks/read
• Microsoft.Network/virtualNetworks/subnets/join/action
• The resource groups into which the machines are to be provisioned
• Actions for narrow scope service principals can be given explicitly on each object to the service principal, or in this example through the use of a custom role.
• The term Citrix-Custom-Reader is for reference to the Citrix documentation only; the role does not need to reference this particular name.
• Can be defined in JSON using:
  {
    "Id": "{custom-role-definition-id}",
    "Name": "Citrix-Custom-Reader",
    "Description": "Grants access to Citrix XenDesktop images and virtual networks.",
    "Actions": [
      "Microsoft.Storage/storageAccounts/read",
      "Microsoft.Storage/storageAccounts/listKeys/action",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/join/action",
      "Microsoft.Resources/subscriptions/resourceGroups/read"
    ],
    "AssignableScopes": [
      "/subscriptions/{subscription-id}"
    ]
  }
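To show how the Actions, NotActions, wildcard and scope rules from these slides combine, here is an added Python example (not Citrix's or Microsoft's code) that evaluates operations against the Citrix-Custom-Reader definition above for a Narrow Scope service principal and against Contributor for a Subscription Scope service principal. The subscription id, resource group names and operation list are constructed for the example, and the Contributor definition is a simplified sketch of the built-in role, not its exact text.

```python
"""Effective-permission check for Azure RBAC role definitions (added example).

Rules implemented, as the slides describe them:
  * a role grants an operation if an Actions pattern matches it and no
    NotActions pattern matches it ('*' is a wildcard, matching is case-insensitive);
  * an assignment at a scope covers that scope and every scope beneath it;
  * NotActions only narrow their own role; they are not a deny across assignments.
"""
import re

# Copied from the Citrix-Custom-Reader definition on the slide.
CITRIX_CUSTOM_READER = {
    "Name": "Citrix-Custom-Reader",
    "Actions": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
}

# Constructed, simplified sketch of built-in Contributor: everything except
# granting access to others. Not the exact Microsoft definition.
CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
CATALOG_RG = SUB + "/resourceGroups/ctx-catalog-01"           # constructed name

# Subscription Scope SP: Contributor on the whole subscription.
SUBSCRIPTION_SCOPE_SP = [(CONTRIBUTOR, SUB)]
# Narrow Scope SP: custom reader at subscription scope plus Contributor on one
# pre-created, empty catalog resource group.
NARROW_SCOPE_SP = [(CITRIX_CUSTOM_READER, SUB), (CONTRIBUTOR, CATALOG_RG)]


def action_matches(pattern: str, operation: str) -> bool:
    """'*' matches any run of characters; comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str) -> bool:
    """Effective permissions = Actions minus NotActions."""
    allowed = any(action_matches(p, operation) for p in role["Actions"])
    denied = any(action_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied


def scope_covers(assigned_scope: str, resource_scope: str) -> bool:
    """An assignment applies to its own scope and every child scope."""
    a = assigned_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def is_permitted(assignments, operation: str, resource_scope: str) -> bool:
    """A principal may act if any one of its assignments grants the operation."""
    return any(
        scope_covers(scope, resource_scope) and role_allows(role, operation)
        for role, scope in assignments
    )


# Operations the ARM Plugin performs during provisioning (constructed list).
CHECKS = [
    ("Microsoft.Network/virtualNetworks/subnets/join/action",
     SUB + "/resourceGroups/net-rg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/vda"),
    ("Microsoft.Compute/virtualMachines/write",
     CATALOG_RG + "/providers/Microsoft.Compute/virtualMachines/vda-001"),
    ("Microsoft.Compute/virtualMachines/write",
     SUB + "/resourceGroups/finance-rg/providers/Microsoft.Compute/virtualMachines/erp-01"),
    ("Microsoft.Resources/subscriptions/resourceGroups/write",
     SUB + "/resourceGroups/ctx-catalog-02"),
    ("Microsoft.Authorization/roleAssignments/write",
     CATALOG_RG + "/providers/Microsoft.Authorization/roleAssignments/abc"),
]


def compare(checks=CHECKS):
    """Return [(operation, subscription_scope_allowed, narrow_scope_allowed), ...]."""
    return [
        (op, is_permitted(SUBSCRIPTION_SCOPE_SP, op, scope),
         is_permitted(NARROW_SCOPE_SP, op, scope))
        for op, scope in checks
    ]


if __name__ == "__main__":
    for op, wide, narrow in compare():
        print(f"{op:58} subscription-scope={wide!s:5} narrow-scope={narrow}")
```

The third and fourth rows show the page's point in practice: the Narrow Scope principal cannot touch an unrelated resource group and cannot create new resource groups, which is why they must be pre-created; the last row shows that neither principal can grant access to others.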
Additional Resources:
• Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
• Azure Role Based Access Control in Virtual Apps and Desktops - https://www.citrix.com/blogs/2016/11/09/azure-role-based-access-control-in-xenapp-xendesktop/
• Microsoft Azure Resource Manager virtualization environments - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/install-configure/resource-location/azure-resource-manager.html
• How to Grant Virtual Apps and Desktops Access to Your Azure Subscription? - https://support.citrix.com/article/CTX219243
• Azure Portal.
• Azure command-line tools.
• Azure Management APIs.
• ARM Templates.
Key Notes:
• RBAC – Role Based Access Control.
• RBAC permissions can be set using four methods:
• Through the use of the Azure Portal – either on the subscription level or the individual components using the IAM
menu.
• Through Azure Command line – such as PowerShell.
• Through the Azure Management API – such as REST API.
• Typical actions
  • VM Start
  • VM Restart
  • VM Connect
  • VM Diagnostics
• Typical Scope
  • VDA Resource Groups.
• Shadowing enabled via AD policies.
• Virtual Apps and Desktops supports delegated administration:
  • Full Admins
  • Admins per service
  • Helpdesk Admins
Key Notes:
• RBAC – Role Based Access Control.
• Define which permissions your helpdesk staff needs to support Citrix users in Azure.
• Re-use a built-in role to supply them with the needed permissions or create a new custom role to provide more specific
permissions.
• The typical scope for helpdesk admins would be the Resource Groups containing the VDA VMs.
2. Define a Custom Role.
3. Bind User and Custom Role in Subscriptions > Access Control (IAM).
Key Notes:
• A Custom Administrator in Azure can be created using 3 simple steps.
1. Create the Administrator account in AAD.
2. Define the set of permissions using a custom role.
3. Use Access Control (IAM) menu on the object where you want to deploy the permissions to bind the user and the role
to the object.
• A Service Principal defines the policy and permissions for an application's use in a specific tenant.
• Citrix Virtual Apps and Desktops can integrate with ARM using the ARM Plugin.
• The Azure Resource Manager (ARM) Plugin needs a Service Principal with permissions to all relevant Azure resources.
• Service Principals are configured using Role Based Access Control.
Key Notes:
• Support for Azure Resource Manager (ARM) is encapsulated in a component known as the ARM Plugin, and it is a standard feature of Virtual Apps and Desktops. In order to provision machines in Azure, the ARM Plugin must be granted access to your Azure subscription via a service principal that has been assigned permissions to the relevant Azure resources. A service principal serves the same basic purpose as a user account: it provides the ARM Plugin with an Azure Active Directory identity, credentials for authentication, and permissions on Azure resources. Just like user accounts, service principals are configured using Role Based Access Control (RBAC).
• Microsoft Azure Resource Manager virtualization environments - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/install-configure/resource-location/azure-resource-manager.html

• The studio has the ability to create a Service Principal in Azure automatically.
• This Service Principal will have Contributor permissions on the entire subscription.
• The ARM Plugin can create, delete, read, and write all resources in the subscription.
Key Notes:
• Subscription Scope Service Principals have Contributor permissions on all resources in the subscription which makes
them easy to create and manage.
• Citrix Studio can handle the process of creating Subscription Scope Service Principals, or they can be created manually in
PowerShell.
• When using the Subscription Scope Service Principal, Studio is allowed to create Azure Resource Groups and completely
automate the management of resources.
Additional Resources:
• How to Grant Virtual Apps and Desktops Access to Your Azure Subscription? - https://support.citrix.com/article/CTX219243

• Host Connections created using a preconfigured Service Principal.
• Support for pre-created resource groups.
  • Resource groups must be empty.
  • One resource group per Machine Catalog.
  • The service principal must be a contributor to each resource group.
• Machine Catalogs can also be created through PowerShell.
Key Notes:
• Narrow Scope Service Principals allow the ARM Plugin access to a limited set of resources defined by you. Azure requires
subscription scope permissions in order to create resource groups and the ARM Plugin is therefore unable to create
resource groups when using Narrow Scope Service Principals.
• In addition to creating the service principal, you are required to provide a pool of resource groups for each catalog into
which machines are to be provisioned.
Subscription Scope Service Principal:
• Simplest management experience.
• No need to define custom roles, service principals and RBAC permissions.
• Azure subscription is dedicated to a single Virtual Apps and Desktops.
• Proof of concept Virtual Apps and Desktops installation.
• Virtual Apps and Desktops administrators already have contributor access at Azure subscription scope.
Narrow Scope Service Principal:
• Azure subscription is hosting multiple unrelated services.
• Azure administrators have different subscription permissions depending on their role.
• Organization has security standards that require access control at a fine-grained level.
• Organization has knowledge of Azure RBAC and Service Principals.
• Resource groups can be pre-created in Azure Portal.
Key Notes:
• You can create “child” subscriptions that are billed as part of your primary subscription and refer to the default Azure Active
Directory in your primary subscription. This provides another mechanism for controlling access to unrelated resources.
• Step 2: Choose a connection name.
• Step 3: Enter your Azure Subscription ID.
• Step 4: Click Create new and authenticate as a Subscription Owner.
• Wizard will create a new Service Principal with Contributor privileges on the entire subscription.
Key Notes:
• To create a new Service Principal customers must enter the following:
• Subscription ID.
• Hosting Connection Name.
• Azure Subscription owner username and password.
Step 1: Create Azure Service principal for Citrix Cloud.
Step 2: Create Custom Role for subscription wide RBAC permission.
Step 3: Assign RBAC permissions on Resource Groups and Custom Role to SPN.
Step 4: Add the Azure Hosting Connection using existing App Registration.
Step 5: Enter SUB ID, SPN ID, AAD ID and SPN Password.
Key Notes:
• Step 1: Manually create an Azure Service Principal registration for Citrix Cloud
• Define the SPN registration
• Grant Access to the Azure API
• Create the SPN secret access key
• Step 2:
• Create the Custom Role through PowerShell or REST
• Step 5:
  • Enter the following values in the Wizard
    • Application ID
    • Azure AD ID
    • Subscription ID
    • Password
Additional Resources:
• Manually Granting Citrix Cloud Access to Your Azure Subscription - https://support.citrix.com/article/CTX224110
• How to Grant Virtual Apps and Desktops Access to Your Azure Subscription (PowerShell) - https://support.citrix.com/article/CTX219243
• Now Available: Citrix Studio Support for “BYO” Azure Resource Groups - https://www.citrix.com/blogs/2017/09/27/now-available-citrix-studio-support-for-byo-azure-resource-groups/
Which permissions will be delegated to the Service Principal created automatically by the Host Connection Wizard?
Contributor permissions on the entire Azure Subscription.
the only directory in a Citrix resource location.
• Azure AD users can be added as Delegated Admins in Citrix Cloud.
• Azure AD Connect can be used to synchronize users from on-premises AD to Azure AD.
• To create the most secure Azure integration, a Narrow Scope Service Principal should be used.
Module 3 - Connecting to Microsoft Azure
• Examine Cloud Connector in Azure.
• Define Host Connections in Azure.
• Jump Box
• Point to Site VPN
• Site to Site VPN
• vNet to vNet VPN
• vNet Peering
• Express Route
Key Notes:
• This section identifies the different methods of creating connectivity in Azure, both between the outside networks and
Azure networks, but also internally between Azure networks in the same region and other regions.
• Generally, the Jump Box and the point to site VPN are used when you want to keep the Azure environment and the
networks in Azure isolated from on-premises networks.
• Site to Site VPN and Express Routes are used when you need connectivity between the networks in Azure and your on-premises deployments.
Additional Resources:
• https://azure.microsoft.com/en-us/blog/expressroute-or-virtual-network-vpn-whats-right-for-me/
• The Jump Box connectivity option consists of a VM with a public IP and RDS enabled.
• Allows RDS connections (double hop) to VMs on private Azure networks.
• Use cases are for test and development lab accessibility.
• Also referred to as Bastion Hosts.
• Lockdown VM and reduce the attack surface.
  • Patching, firewall, execution restriction, least privilege permissions.
Key Notes:
• A fast and efficient way of getting remote desktop access to VMs running inside Azure on a private network, however, it is
not without security concerns.
• Avoid using domain joined VMs as Jump boxes as they can expose your domain credentials to brute force attacks or
account lockouts.
• Microsoft hardening recommendations:
• Active scanning and patching. Deploy antimalware software, perform regular vulnerability scans, and update all
unless it is explicitly defined in the allow list.
  • Least privilege. Management workstation users should not have any administrative privileges on the local machine itself. This way, they cannot change the system configuration or the system files, either intentionally or unintentionally.
Additional Resources:
• Hardened workstation for management - https://docs.microsoft.com/en-us/azure/security/azure-security-management#hardened-workstation-for-management
• Allows connection to Azure via the built-in Windows VPN client.
• Uses Secure Sockets Tunneling Protocol (SSTP) to allow connecting from anywhere.
• Typical uses are prototyping, dev/test/lab scenarios for cloud services and virtual machines.
(Diagram: Desktop - P2S SSTP Tunnel - VPN Gateway - Azure Subscription)
Key Notes:
• A Point-to-Site (P2S) configuration lets you create a secure connection from an individual client computer to a virtual network using the native Windows VPN client or a Mac OS X computer with the required software installed.
• This approach can be used instead of the jump box approach and will add an additional layer of security to the connection.
• Point-to-Site connections do not require a VPN device or a public-facing IP address.
• RADIUS authentication can be added for extra security.
locations and your Azure virtual networks.
• Uses IPSec VPN for interoperability with most VPN devices.
• Allows connection of up to 10 on-premises sites.
• IP Level connectivity between your on-premises and Azure virtual networks.
(Diagram: Customer Network - S2S VPN - IPsec IKE S2S VPN Tunnel - VPN Gateway - Azure Subscription)
Key Notes:
• A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an
IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
• This type of connection requires a VPN device located on-premises that has an externally facing public IP address
assigned to it.
• Ensure that your VPN device is a compatible VPN device – see the link in additional resources.
• ExpressRoute or Virtual Network VPN – What’s right for me? - https://azure.microsoft.com/en-us/blog/expressroute-or-virtual-network-vpn-whats-right-for-me/
• About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
Microsoft Datacenters and your on-premises infrastructure.
• ExpressRoute connections do not traverse the internet.
• ExpressRoute connections are Layer 3.
• Higher security & reliability.
• Greater speed.
• Consistent lower latencies.
(Diagram: Customer Network - Partner Edge - Microsoft Edge - Azure Subscription, with primary and secondary connections)
Key Notes:
• Microsoft Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider.
• Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection
through a connectivity provider at a co-location facility.
• ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more
reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.
• Built-in redundancy in every peering location for higher reliability.
• Connection uptime SLA.
• QoS support for Skype for Business.
Additional Resources:
• ExpressRoute overview - https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction
• ExpressRoute FAQ - https://docs.microsoft.com/en-us/azure/expressroute/expressroute-faqs
regions.
• Use when enabling cross-region geo-redundancy and geo-presence.
• Can be created using:
  • Resource Manager.
  • PowerShell Script (ARM).
  • Azure CLI.
• vNet to vNet connections can be from different regions, different subscriptions, and different deployment models.
(Diagram: Azure Subscription - VPN Gateway - IPsec IKE S2S VPN Tunnel - VPN Gateway - Azure Subscription)
Key Notes:
• Connecting a virtual network to another virtual network (vNet-to-vNet) is similar to connecting a vNet to an on-premises
site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE.
• A vNet to vNet VPN allows a connection between two virtual networks.
• The virtual networks can be in the same or different regions, and from the same or different subscriptions.
• When connecting vNets from different subscriptions, subscriptions do not need to be associated with the same Active
Directory tenant.
additional encryption needed.
• Low latency.
• Bandwidth limited to VM size.
• Two options:
  • VNet peering - connecting vNets within the same Azure region.
  • Global VNet peering - connecting vNets across Azure regions.
(Diagram: Global vNet Peering between Azure Region 1 and Azure Region 2)
Key Notes:
• Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the virtual networks
appear as one, for connectivity purposes.
• The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone
infrastructure, much like traffic is routed between virtual machines in the same virtual network, through private IP
addresses only.
• Two Peering options:
Additional Resources:
• Virtual network peering - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
(POC) Deployments Deployments Multi Subscription
ot
Jump Box
fo
Point to Site
rr
Site to Site
es
vNet to vNet
al
Express Route
e
or
di
stri
b
ut
© 2021 Citrix Authorized Content
io
n
Key Notes:
• Although connectivity preferences may vary by customers, large deployments typically tend to use the more expensive
express routes, where smaller deployments will keep the cost down and optimize time to value by using Site to Site VPNs.
Additional Resources:
• VNet-to-VNet: Connecting Virtual Networks in Azure across Different Regions - https://azure.microsoft.com/en-us/blog/vnet-to-vnet-connecting-virtual-networks-in-azure-across-different-regions/
required.
ot
• In Azure:
1. Create a Virtual Network
fo
2. Specify a DNS server IPsec IKE
rr
On-Premise IPSEC S2S Azure
S2S VPN
3. Create the Gateway Subnet Customer
Tunnel VPN Subscription
es
Network
4. Create the VPN Gateway Gateway
al
7. Create the VPN connection 1. Create a Virtual Network
e
2. Specify a DNS sever
• On-premises:
or
3. Create the Gateway Subnet
6. Configure your VPN device 4. Create the VPN Gateway
5. Create the local network
di
gateway
s
7. Create the VPN connection
tri
b ut
© 2021 Citrix Authorized Content
io
n
Key Notes:
1. Create a virtual network
• Create the virtual network in Azure that you want to connect to the Site to Site VPN.
2. Specify a DNS server
• Not a requirement but setting a DNS server on the vNet allows all VMs and gateways connected to this network to use
the DNS server for name resolution.
3. Create the gateway subnet
  • Select the VPN SKU size (Basic, VpnGw1, VpnGw2, VpnGw3) that matches your needs.
  • Select the virtual network to which you want to add this gateway.
  • Select or create a new public IP for the VPN Gateway.
5. Create the local network gateway
  • Configure Azure to identify your local gateway.
  • Add a name for the local gateway.
  • Enter the IP address of your local gateway.
  • Define the local networks that are reachable from this gateway.
6. Configure your VPN device
  • The steps involved in configuring your local gateway to accept connections from the Azure VPN gateway will vary by brand.
  • Configuration scripts are available from Microsoft for many compatible VPN devices.
  • Generally, you will need the IP address and the Shared Key used in the next step.
7. Create the VPN connection
  • This step creates the connection between the local gateway and the Azure gateway.
  • Define the Connection type as Site to Site (IPsec).
  • Select the Azure VPN Gateway defined in step 4.
  • Select the local network gateway defined in step 5.
  • Enter the same shared key as defined in step 6.
8. Verify the VPN connection
1. Verify the connected locations have virtual networks created.
2. Create a Gateway Subnet per location.
3. Create a Virtual Network Gateway per location.
4. Add a vNet-to-vNet connection type per location. Create a connection using the same Shared Key.
5. Verify connection.
(Diagram: Azure Subscription - VPN Gateway - IPsec IKE S2S VPN Tunnel - VPN Gateway - Azure Subscription; 1. Verify Networks, 2. Create Gateway Subnets, 3. Create a Virtual Network Gateway, 4. Add a vNet-to-vNet connection, 5. Verify connection)
Key Notes:
1. Create and configure the first vNet
• If you already have a VNet, verify that the settings are compatible with your VPN gateway design. Pay particular attention to any subnets that may overlap with other networks. If you have overlapping subnets, your connection won't work properly.
2. Add additional address space and create subnets
• You can add additional address space and create subnets once your VNet has been created.
• Define a name for the Gateway.
• Set Gateway type to VPN.
• Select the VPN SKU depending on the size and performance you need.
• Select the virtual network and the Gateway IP configuration.
6. Create and configure the second vNet
• Ensure that you do not have overlapping IP configuration between the first and second vNet.
7. Configure the vNet1 gateway connection
• If your vNets are in different subscriptions, you must use PowerShell rather than the Azure portal to make the connection.
• This step requires that the virtual network gateways for both virtual networks have completed.
• Define a name for the connection.
• Select vNet to vNet as the connection type.
• Select the first and the second Virtual Network Gateways.
• Set the shared key; this will also be entered on the next connection.
8. Configure the vNet2 gateway connection
• Define a name for the connection.
• Select vNet to vNet as the connection type.
• Select the first and the second Virtual Network Gateways.
• Set the shared key; this must match the shared key defined in the previous step.
9. Verify your connections
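Both procedures above (Site-to-Site in steps 3 to 8, and the vNet-to-vNet connection pair) come down to the same gateway cmdlets. The following is an added example, not part of the course material: it checks the address plan for the overlap the notes warn about, generates a strong shared key, and creates and verifies the Site-to-Site connection with the AzureRm cmdlets the course uses; the vNet-to-vNet variant is shown at the end. It assumes you are already logged in and the vNet with its GatewaySubnet exists; all names, ranges and IPs are constructed placeholders.

```powershell
# Added example (not from the course). Assumes Login-AzureRmAccount and
# Select-AzureRmSubscription have run and a vNet with a 'GatewaySubnet' exists.
$rg              = 'rg-ctx-network'          # placeholder resource group
$location        = 'westeurope'
$vnetName        = 'vnet-ctx-prod'
$azurePrefixes   = @('10.10.0.0/16')         # address space of the Azure vNet
$onPremPrefixes  = @('192.168.0.0/16')       # networks reachable behind the local gateway
$onPremGatewayIp = '203.0.113.10'            # public IP of the on-premises VPN device

# Two CIDR prefixes overlap when they agree on all bits of the shorter prefix.
function Test-PrefixOverlap {
    param([string]$CidrA, [string]$CidrB)
    $parse = {
        param($Cidr)
        $ip, $len = $Cidr -split '/'
        $v = [uint64]0
        foreach ($octet in $ip.Split('.')) { $v = ($v * 256) + [uint64]$octet }
        [pscustomobject]@{ Value = $v; Length = [int]$len }
    }
    $a = & $parse $CidrA
    $b = & $parse $CidrB
    $bits = [math]::Min($a.Length, $b.Length)
    $mask = [uint64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))   # e.g. /16 -> 0xFFFF0000
    return (($a.Value -band $mask) -eq ($b.Value -band $mask))
}

# Step 1 of the notes: overlapping address space means the tunnel will not route.
foreach ($az in $azurePrefixes) {
    foreach ($lp in $onPremPrefixes) {
        if (Test-PrefixOverlap $az $lp) {
            throw "Azure prefix $az overlaps on-premises prefix $lp; fix the address plan first."
        }
    }
}

# Shared key: 32 random bytes as 64 hex characters. The same value goes into the VPN device (step 6).
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$sharedKey = ($keyBytes | ForEach-Object { $_.ToString('x2') }) -join ''

# Step 4: virtual network gateway in the GatewaySubnet with a public IP.
$vnet     = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$gwSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwPip    = New-AzureRmPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location -AllocationMethod Dynamic
$gwIpCfg  = New-AzureRmVirtualNetworkGatewayIpConfig -Name 'gwipcfg' -SubnetId $gwSubnet.Id -PublicIpAddressId $gwPip.Id
$vpnGw    = New-AzureRmVirtualNetworkGateway -Name 'vpngw-ctx' -ResourceGroupName $rg -Location $location `
                -IpConfigurations $gwIpCfg -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 5: local network gateway describing the on-premises side.
$localGw = New-AzureRmLocalNetworkGateway -Name 'lng-hq' -ResourceGroupName $rg -Location $location `
               -GatewayIpAddress $onPremGatewayIp -AddressPrefix $onPremPrefixes

# Step 6 happens on the device: it needs the gateway's public IP (assigned after creation) and $sharedKey.
$gwPip = Get-AzureRmPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg
"Configure the VPN device with peer $($gwPip.IpAddress) and the generated shared key."

# Step 7: the IPsec (Site-to-Site) connection.
$conn = New-AzureRmVirtualNetworkGatewayConnection -Name 'cn-hq-azure' -ResourceGroupName $rg -Location $location `
            -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $localGw -ConnectionType IPsec -SharedKey $sharedKey

# Step 8: verify. ConnectionStatus reports 'Connected' once the device side is up.
(Get-AzureRmVirtualNetworkGatewayConnection -Name $conn.Name -ResourceGroupName $rg).ConnectionStatus

# vNet-to-vNet variant (key notes steps 7 and 8): one connection from each gateway, same shared key.
# $vpnGw2 would be the second vNet's gateway, created the same way as $vpnGw.
# New-AzureRmVirtualNetworkGatewayConnection -Name 'cn-vnet1-vnet2' -ResourceGroupName $rg -Location $location `
#     -VirtualNetworkGateway1 $vpnGw -VirtualNetworkGateway2 $vpnGw2 -ConnectionType Vnet2Vnet -SharedKey $sharedKey
# New-AzureRmVirtualNetworkGatewayConnection -Name 'cn-vnet2-vnet1' -ResourceGroupName $rg2 -Location $location2 `
#     -VirtualNetworkGateway1 $vpnGw2 -VirtualNetworkGateway2 $vpnGw -ConnectionType Vnet2Vnet -SharedKey $sharedKey
```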
• Prerequisites:
  • Azure Account.
  • Azure Resource Manager.
• In Azure:
  1. Create Express Route circuit in Azure.
  2. Test connectivity from Azure PowerShell.
  3. Layer 2 connections: configure routing domains.
  4. Link a virtual network to an Express Route circuit.
• On-Premise:
  2. Order connectivity from the supported service provider.
    • Usually takes 1-5 days.
[Slide diagram: Customer Network connects through the Partner Edge to the Microsoft Edge over a primary and a secondary connection into the Azure Subscription. Steps shown: 1. Create Express Route circuit, 2. Test connectivity from PowerShell, 3. Layer 2 connections: configure routing domains, 4. Link a virtual network to an ExpressRoute circuit.]
Key Notes:
1. Use PowerShell or Azure portal to configure an ExpressRoute circuit.
• Provide Circuit name, Provider, Peering Location, Bandwidth, Standard or Premium SKU, and whether to get an unlimited or metered connection.
2. Order connectivity from the service provider. This process varies. Contact your connectivity provider for more details about how to order connectivity.
• You will need to provide a Service Key to your internet provider; this can be found under the properties of the circuit.
• If your connectivity provider only offers Layer 2 services, you must configure routing.
• Enable Azure private peering - You must enable this peering to connect to VMs / cloud services deployed within virtual networks.
• Enable Azure public peering - You must enable Azure public peering if you wish to connect to Azure services hosted on public IP addresses. This is a requirement to access Azure resources if you have chosen to enable default routing for Azure private peering.
• Enable Microsoft peering - You must enable this to access Office 365 and Dynamics 365.
5. Linking virtual networks to ExpressRoute circuits - You can link virtual networks to your ExpressRoute circuit. These vNets can either be in the same Azure subscription as the ExpressRoute circuit or can be in a different subscription.
• Standard Express Routes support up to 10 vNets.
• Premium Express Routes > 4000 vNets.
Additional Resources:
• ExpressRoute workflows for circuit provisioning and circuit states - https://docs.microsoft.com/en-us/azure/expressroute/expressroute-workflows
• ExpressRoute partners and peering locations - https://docs.microsoft.com/en-us/azure/expressroute/expressroute-locations#partners
• Create and modify an ExpressRoute circuit (ARM) - https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-circuit-portal-resource-manager
Your manager wants to replace the existing Site to Site VPN with an Express Route, what should you verify before proceeding with the configuration?
That your company's Service Provider is on the Azure supported list of service providers for your area.
• 40 GB HD
[Slide diagram: Cloud Connector; Citrix Virtual Apps and Desktops Session Machines running the VDA and User Connections; ~5000 VDAs/Users; VDA; Users.]
Key Notes:
• Windows 2012 R2, Windows 2016 Server and Windows Server 2019.
• 40 GB of disk space and 4 GB of memory.
• .NET 4.7.2+
• Active Directory membership.
• Computer accounts having Read/Write permissions on the user and computer objects.
• A set of three 4-vCPU Cloud Connectors can handle ~5000 VDAs/Users.
Additional Resources:
• Citrix Cloud: System Requirements - https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/technical-details.html
• Citrix Cloud Virtual Apps and Desktops Sizing and Scalability Considerations - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/install-configure/install-cloud-connector/cc-scale-and-size.html
• Use Availability Sets to ensure High Availability.
• Deploy Cloud Connectors on Azure Managed Disks.
• Cloud Connectors create Computer Accounts during the MCS process.
• VDAs must be able to communicate with Cloud Connectors for registration and brokering.
• Configure NSG if placed on a different network than VDAs.
• Always uninstall Cloud Connector software before deleting the VM.
Key Notes:
• Availability sets can be used to ensure that Cloud Connectors are spread across different update and fault domains in Azure to ensure their availability.
• Managed disks are recommended because Microsoft will automatically replicate the disks to multiple storage arrays.
• Ensure that NSGs are configured to allow VDAs to register with the Cloud Connectors – typically port 80 or 443.
• If you delete a VM that has the Cloud Connector software installed, you risk leaving orphaned Cloud Connector entries in
your Cloud Subscription. These can be difficult to remove and will likely cause you to open a support ticket.
resources reside from a Citrix Cloud control plane perspective.
Key Notes:
• A Resource Location should be defined for each datacenter or Azure region that contains VDAs.
• A Resource Location is sometimes also created to expose an Active Directory to Citrix Cloud although the datacenter does not contain VDAs.
• Resource Locations can contain:
  • Citrix ADCs
  • Hypervisors
cloud, in a branch office, private cloud, or a data center.
• The choice of location may be impacted by the following:
  • Proximity to subscribers
  • Proximity to data
  • Scale requirements
  • Security attributes
• There is no restriction on the number of Resource Locations you can build. The overhead of a resource location is small.
• To provide identity management for subscribers and resources you need to install a Connector to access an Active Directory.
• This makes it easy to distribute the resources across as many Resource Locations as you need without needing to make compromises.
• As an example, you could:
  • Build a Resource Location in your data center for the head office based on subscribers and applications that need to be close to the data.
  • Add a separate Resource Location for your global users in a public cloud. Or build separate Resource Locations in branch offices to provide the applications best served close to the branch workers.
  • Add a further Resource Location on a separate network that provides restricted applications. This provides restricted visibility to other resources and subscribers without the need to adjust the other Resource Locations.
identify different locations.
• A Zone must be created for each Resource Location.
Key Notes:
• Zones in Citrix Cloud are similar to Zones on-premises.
• Use Zones in Studio to map Citrix Virtual Apps and Desktops components to Resource Locations:
  • Cloud Connectors
  • Resource Locations
  • Machine Catalogs
  • Host Connections
• Cloud Connector could be deployed as a Custom Script Extension for full automation.
  • CWCConnector.exe /q /Customer:Customer /ClientId:ClientId /ClientSecret:ClientSecret /ResourceLocationId:ResourceLocationId /AcceptTermsOfService:true
• Cloud Connector software is updated bi-weekly.
Key Notes:
• /Customer: This is the customer ID available in the console on the API Access page (within Identity and Access
Management). This is required.
• /ClientId: Found on the API Access page. This is the secure client ID an administrator can create. This is required.
• /ClientSecret: Found on the API Access page. This is the secure client secret available via download after a secure client
is created. This is required.
• /ResourceLocationId: This ID can be retrieved on the Resource Locations page using the ID button. This is not required.
Additional Resources:
• Automating the Cloud Connector Installation - https://www.citrix.com/blogs/2017/03/15/automating-the-cloud-
connector-installation/
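The unattended install above takes the secure client secret on the command line, so where that command line is stored matters. The following is an added example, not code from the course or from Citrix: it runs the same CWCConnector.exe switches through the Azure Custom Script Extension, reading the secret from Key Vault at deploy time and placing the command in the extension's protectedSettings, which Azure stores encrypted and does not return in the extension properties. Resource names, the installer URL, the vault and the Citrix Cloud IDs are placeholders; it assumes the AzureRm module.

```powershell
# Added example (not from the course): Cloud Connector install via Custom Script Extension.
$rg       = 'rg-ctx-connectors'     # placeholder resource group
$vmName   = 'vm-cc-01'              # placeholder VM name
$location = 'westeurope'

# Where the VM downloads the installer from (in practice a private blob with a SAS token).
$installerUri = 'https://<storage-account>.blob.core.windows.net/ctx/CWCConnector.exe'   # placeholder

# Values from the Citrix Cloud console (API Access page and Resource Locations page); placeholders.
$customerId         = '<customer-id>'
$clientId           = '<secure-client-id>'
$resourceLocationId = '<resource-location-id>'

# Read the secret from Key Vault instead of embedding it in this script (vault/secret names are placeholders).
$clientSecret = (Get-AzureRmKeyVaultSecret -VaultName 'kv-ctx' -Name 'cc-client-secret').SecretValueText

# Same switches as the slide. The extension runs the command inside the folder it downloaded fileUris into.
$cmd = "CWCConnector.exe /q /Customer:$customerId /ClientId:$clientId /ClientSecret:$clientSecret " +
       "/ResourceLocationId:$resourceLocationId /AcceptTermsOfService:true"

# fileUris is harmless in plain settings; the command line with the secret goes into protectedSettings.
Set-AzureRmVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name 'InstallCloudConnector' -Publisher 'Microsoft.Compute' `
    -ExtensionType 'CustomScriptExtension' -TypeHandlerVersion '1.9' `
    -Settings @{ fileUris = @($installerUri) } `
    -ProtectedSettings @{ commandToExecute = $cmd } | Out-Null

# 'Succeeded' only means the installer exited cleanly; the connector must also show as
# connected under Resource Locations in the Citrix Cloud console.
$ext = Get-AzureRmVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'InstallCloudConnector' -Status
$ext.ProvisioningState
$ext.Statuses | Select-Object Code, Message
```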
[Slide diagram (Azure): StoreFront (XML) and Citrix Gateway (STA) connect to the Cloud Connectors; the default ports TCP 80 and TLS 443 are labelled; User Endpoints reach the Cloud Connectors, which connect to Citrix Cloud.]
Key Notes:
• By default, Cloud Connectors do not use a certificate nor allow for SSL traffic to the XML or STA functionality.
• Use these steps to add a Certificate and move the traffic to a secure port:
  • Create or import SSL Certificate.
  • Obtain Certificate Hash Number.
    • Open Certificate in MMC > Details pane > Thumbprint.
    • Copy to notepad and delete all spaces.
  • C:\> netsh http add sslcert ipport=10.0.0.7:443 certhash=bc96f958848639fd101a793b87915d5f2829b0b6 appid={33258705-EE40-1E64-98BD-EC1BDC0B578E}
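The manual thumbprint step above is where a stray space or an expired certificate breaks the binding silently. The following is an added example, not from the course: it picks the certificate from the machine store, validates the thumbprint, runs the same netsh binding and then reads the binding back to confirm it. The listener IP and certificate subject are placeholders; the appid is the one from the notes.

```powershell
# Added example (not from the course): bind a certificate to the Cloud Connector's 443 listener.
$listenIp = '10.0.0.7'                                  # placeholder: IP the XML/STA service listens on
$subject  = 'CN=cc01.domain.local'                       # placeholder: subject of the connector's certificate
$appId    = '{33258705-EE40-1E64-98BD-EC1BDC0B578E}'     # appid used in the course notes

# Newest unexpired certificate with a private key that matches the subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $subject in LocalMachine\My" }

# The Thumbprint property already has no spaces (the MMC copy/paste step is where they creep in).
$hash = $cert.Thumbprint
if ($hash -notmatch '^[0-9A-Fa-f]{40}$') { throw "Unexpected thumbprint format: $hash" }

# Flag an upcoming expiry now rather than finding out when clients stop connecting.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }

# Replace any stale binding on this ip:port, then add the new one (same netsh command as the notes).
netsh http delete sslcert ipport="${listenIp}:443" | Out-Null
netsh http add sslcert ipport="${listenIp}:443" certhash=$hash appid="$appId"
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }

# Read the binding back and make sure it carries the expected hash.
$binding = netsh http show sslcert ipport="${listenIp}:443"
if (($binding -join "`n") -notmatch $hash) { throw 'Binding not present after add' }
$binding
```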
[Slide diagram: Server Network Security Group containing Active Directory and Cloud Connector servers; VDA Network Security Group containing VDA and VDI machines.]
Key Notes:
• Network Security Groups work like firewalls, and they can be used to protect servers from VDAs.
• Ensure to open all necessary ports between the different networks.
• Remember that NSGs cannot be tied to vNets, so define them either on different Subnets or on individual NICs.
Roles                          Protocol and Ports    How to secure
StoreFront -> Cloud Connector  TCP 80 or 443         Encrypt with certificates on Cloud Connector
Citrix ADC -> Cloud Connector  TCP 80 or 443         Encrypt with certificates on Cloud Connector
VDA -> Cloud Connector         TCP 80                Traffic already encrypted using Kerberos
                               TCP 1494 and 2598     Encrypted in the next hop
Cloud Connector -> VDA         TCP 80                Traffic encrypted using Kerberos
Cloud Connector -> Internet    TCP 443               SSL by default
Plus RDS, AD, DNS, WinRM and other services
Additional Resources:
• Communication Ports Used by Citrix Technologies - https://support.citrix.com/article/CTX101810#Citrix_Cloud
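The port table above maps directly onto NSG rules for the Cloud Connector subnet. The following is an added example, not from the course or Citrix: it allows the VDA-to-Cloud-Connector rows (TCP 80, 443 once a certificate is bound, and 1494/2598), lets the connectors reach the Internet on TCP 443, and denies everything else from the VDA subnet; the RDS, AD, DNS and WinRM traffic the table mentions needs its own rules and is left out. Names and ranges are placeholders; it assumes AzureRm.Network 5.x or later, where one rule can carry a list of ports.

```powershell
# Added example (not from the course): NSG for the Cloud Connector subnet built from the port table.
$rg           = 'rg-ctx-infra'            # placeholder
$location     = 'westeurope'
$vnetName     = 'vnet-ctx-prod'           # placeholder
$ccSubnetName = 'snet-cloud-connectors'   # placeholder
$ccSubnet     = '10.10.10.0/24'           # Cloud Connector subnet (placeholder range)
$vdaSubnet    = '10.10.20.0/24'           # VDA subnet (placeholder range)

$rules = @()
# VDA -> Cloud Connector: registration and brokering on TCP 80, or 443 after binding a certificate.
$rules += New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-VDA-Registration' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $vdaSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix $ccSubnet -DestinationPortRange @('80', '443')
# VDA -> Cloud Connector: TCP 1494 and 2598 row of the table.
$rules += New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-VDA-ICA' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $vdaSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix $ccSubnet -DestinationPortRange @('1494', '2598')
# Anything else from the VDA subnet to the connectors is dropped (lower priority number wins).
$rules += New-AzureRmNetworkSecurityRuleConfig -Name 'Deny-VDA-Other' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix $vdaSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix $ccSubnet -DestinationPortRange '*'
# Cloud Connector -> Internet on TCP 443 (control-plane traffic to Citrix Cloud).
$rules += New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-CC-Internet-443' -Priority 100 `
    -Direction Outbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $ccSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix 'Internet' -DestinationPortRange 443

$nsg = New-AzureRmNetworkSecurityGroup -Name 'nsg-cloud-connectors' -ResourceGroupName $rg `
    -Location $location -SecurityRules $rules

# NSGs attach to a subnet or a NIC, never to the vNet itself (see the key notes).
$vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $ccSubnetName `
    -AddressPrefix $ccSubnet -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Review what was applied.
(Get-AzureRmNetworkSecurityGroup -Name $nsg.Name -ResourceGroupName $rg).SecurityRules |
    Select-Object Name, Priority, Direction, Access, DestinationPortRange
```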
GUI.
• Exercise 3-2: Deploy a Citrix Cloud Connector using PowerShell.
• Exercise 3-3: Verify that Cloud Resource Locations are aligned with Zones in Citrix Virtual Apps and Desktops Service.
Why should Cloud Connectors be deployed in an Azure Availability Set?
To force Azure to distribute the servers between multiple Fault and Update Domains, thus reducing the risk of downtime on this role.
[Slide diagram: Citrix Cloud. On-Premise: connection through Cloud Connectors, which use the HCL to talk to a traditional hypervisor. Azure: direct connection to the Azure API from the Cloud Connectors.]
Key Notes:
• Azure Host Connections can be created from Studio on-prem or Citrix Cloud Studio.
• Uses Azure plugin functionality.
• Communicates directly to Azure API (HCL bypass) or through Cloud Connector HCL Service for other hypervisors.
• Multiple connections supported:
  • Different subscriptions
  • Different regions
Additional Resources:
• Connecting to Azure Resource Manager in Citrix Virtual Apps and Desktops - https://www.citrix.com/blogs/2016/07/21/connecting-to-azure-resource-manager-in-xenapp-xendesktop/
• Azure Resource Manager Now Available in Citrix Virtual Apps and Desktops Service - https://www.citrix.com/blogs/2016/07/07/azure-resource-manager-now-available-in-xenapp-xendesktop-service/
• Create Machine Catalogs.
  • Create VMs, Disks, Storage Accounts, Resource Groups & NSGs
• Update Machine Catalogs.
• Delete Machine Catalogs.
• VM power operations.
Key Notes:
• Azure Host Connections are used for a number of tasks, such as creating and deleting Machine Catalogs, updating the Catalogs and controlling power operations.
• The main difference between a regular hypervisor hosting connection and the Azure specific host connection is the ability to create a service principal in Azure – remember that this relies on the Full Scope vs Narrow scope covered previously.
• Prerequisites:
  • An Azure Subscription.
• https://www.citrix.com/blogs/2016/07/07/azure-resource-manager-now-available-in-xenapp-xendesktop-service/
N
Hosting pane.
ot
• Azure Host connections available in:
• Citrix Virtual Apps and Desktops product on-
fo
premises.
rr
• Citrix Virtual Apps and Desktops in Citrix Cloud.
es
• For Azure connections input the following:
al
• Azure Region
• Azure Subscription ID
e
• Azure credentials to authenticate to Azure
or
• Azure owner -> wizard creates Service Principal
• Azure narrow scope pre-created Service Principal
di
s
tri
utb
© 2021 Citrix Authorized Content
io
n
Key Notes:
• When creating the first connection through Studio, Azure will prompt the admin to grant it the necessary permissions.
• When creating future connections, Azure will still require the admin to authenticate, but Azure will remember the previous consent and will not display the consent prompt again.
N
• VMs created will be connected to this Virtual Network and Subnet.
ot
• Networks are filtered based on the previous region selection and Service Principal permission.
fo
• Storage Accounts are created during MCS Catalog creation within the VDA Resource Group.
rr
• Only with unmanaged disks Catalogs.
es
• Resource Groups:
• Created automatically using Full Scope Service Principal.
al
• Pre-created by an administrator using the Narrow Scope Service Principal.
e
or
di
s
tri
b ut
© 2021 Citrix Authorized Content
io
n
Key Notes:
• After selecting the Azure Region, the admin must select the Network and Subnet to associate with the hosting connection.
• The network and subnet should be large enough to host the number of machines required.
• Storage works differently than with a regular Host connection – in Azure, we use either managed or unmanaged disks.
  • For managed disks, no storage accounts are needed.
  • For unmanaged disks, storage accounts are created during the Catalog creation.
Additional Resources:
• Connecting to Azure Resource Manager in Citrix Virtual Apps and Desktops - https://www.citrix.com/blogs/2016/07/21/connecting-to-azure-resource-manager-in-xenapp-xendesktop/
• The Service Principal can be created in Azure AD by the Host Connection if you have Owner permissions.
• The Service Principal will have Contributor permission on the entire Azure Subscription.
• A corresponding Application will also appear in Azure AD.
Key Notes:
• When allowing the Host Connection wizard to create the Service Principal, it will be defined as having contributor permission on the entire subscription.
• Service Principals and Applications are two separate things in Azure but they are often used interchangeably.
• The Service Principal cannot be viewed in the Azure Portal but rather only through PowerShell.
• In addition to the Service Principal, an Azure Application is also created; the Application can be viewed in the Azure Portal.
• Microsoft definitions:
Additional Resources:
• Connecting to Azure Resource Manager in Citrix Virtual Apps and Desktops - https://www.citrix.com/blogs/2016/07/21/connecting-to-azure-resource-manager-in-xenapp-xendesktop/
• Application and service principal objects in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects
• A Service Principal can be pre-created in Azure and used in the Host Connection Wizard.
• Supply:
  • Subscription name
  • Active Directory ID
  • Application ID
  • Application secret
• Option to limit permissions.
Key Notes:
• To create a service principal manually, connect to your Azure Resource Manager subscription and use the PowerShell cmdlets provided below. Host connections can also be created by PowerShell.
• Prerequisites:
  • $SubscriptionId: Azure Resource Manager SubscriptionID for the subscription where you want to provision VDAs.
  • $AADUser: Azure AD user account for your subscription's AD tenant.
  • Make the $AADUser the co-administrator for your subscription.
  • Select-AzureRmSubscription -SubscriptionId $SubscriptionId
• Step 3: Create the application in your AD tenant.
  • $AzureADApplication = New-AzureRmADApplication -DisplayName $ApplicationName -HomePage "https://localhost/$ApplicationName" -IdentifierUris https://$ApplicationName -Password $ApplicationPassword
• Step 4: Create a service principal.
  • New-AzureRmADServicePrincipal -ApplicationId $AzureADApplication.ApplicationId
• Step 5: Assign a role to the service principal.
  • New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $AzureADApplication.ApplicationId -Scope /subscriptions/$SubscriptionId
• Step 6: From the output window of the PowerShell console, note the ApplicationId. You will provide that ID when creating the host connection.
Additional Resources:
• Connecting to Azure Resource Manager in Citrix Virtual Apps and Desktops - https://www.citrix.com/blogs/2016/07/21/connecting-to-azure-resource-manager-in-xenapp-xendesktop/
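Step 5 above grants Contributor on the whole subscription, which is the full-scope outcome the wizard produces. The following is an added example, not from the course or Citrix: the same steps, but with the role assigned only on the resource group that will hold the VDAs (the "limit permissions" option the pre-created principal allows), a generated secret instead of a typed password, and a check that nothing ended up subscription-wide. It uses the AzureRm cmdlets of the notes and assumes AzureRm.Resources 6.x, where -Password takes a SecureString (older releases took the plain string shown above); the subscription id and names are placeholders.

```powershell
# Added example (not from the course): narrow-scope service principal for an Azure Host Connection.
$SubscriptionId   = '<subscription-guid>'     # placeholder
$VdaResourceGroup = 'rg-ctx-vdas'             # pre-created RG where MCS will create VMs, disks and NICs
$ApplicationName  = 'ctx-hostconn-narrow'     # placeholder

# 32 random bytes as the application secret rather than a human-chosen password.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$ApplicationPassword = [Convert]::ToBase64String($bytes)
$SecurePassword = ConvertTo-SecureString $ApplicationPassword -AsPlainText -Force

Login-AzureRmAccount | Out-Null
Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-Null

# Steps 3 and 4 of the notes: the application and its service principal.
$app = New-AzureRmADApplication -DisplayName $ApplicationName `
    -HomePage "https://localhost/$ApplicationName" -IdentifierUris "https://$ApplicationName" `
    -Password $SecurePassword
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null
Start-Sleep -Seconds 30   # let Azure AD replicate the new principal before the role assignment

# Step 5, narrowed: Contributor on the VDA resource group only, not on /subscriptions/<id>.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$VdaResourceGroup"
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId -Scope $scope | Out-Null
# The course notes also say the principal needs permission on the master disk and on the vNet it
# attaches VMs to; grant those on their own resource groups rather than widening $scope.

# Confirm no assignment landed at subscription scope.
$assignments = Get-AzureRmRoleAssignment -ServicePrincipalName $app.ApplicationId
if ($assignments | Where-Object { $_.Scope -eq "/subscriptions/$SubscriptionId" }) {
    throw 'Unexpected subscription-wide role assignment'
}
$assignments | Select-Object RoleDefinitionName, Scope

# Step 6: the values the Host Connection wizard asks for. The secret is shown once; store it in a vault.
[pscustomobject]@{
    SubscriptionId    = $SubscriptionId
    ActiveDirectoryId = (Get-AzureRmSubscription -SubscriptionId $SubscriptionId).TenantId
    ApplicationId     = $app.ApplicationId
    ApplicationSecret = $ApplicationPassword
}
```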
N
capabilities.
ot
fo
rr
es
al
e
or
di
s tri
b ut
© 2021 Citrix Authorized Content
io
n
Key Notes:
• For most customers, these default values will be adequate.
• Only adjust these values if you are having problems.
• Adjust higher to create Catalogs faster, but monitor how many requests you are sending to Azure.
• Adjust lower if you start having problems with Catalog creation.
• Remember that MCS will not be the only thing putting a load on the Azure API.
• Read requests 15,000 per hour.
• Write requests 1,200 per hour.
• Reaching this limit can cause MCS to fail.
  • HTTP status code 429 Too many requests.
• Other services may also be sending write requests.
Key Notes:
• If the subscription is only used for Citrix, the Citrix Azure plugin will throttle itself to avoid reaching these thresholds.
• You can check the remaining requests available using PowerShell:
  • $r = Invoke-WebRequest -Uri "https://management.azure.com/subscriptions/{guid}/resourcegroups?api-version=2016-09-01" -Method GET -Headers $authHeaders
  • $r.Headers["x-ms-ratelimit-remaining-subscription-reads"]
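The header check above only covers the read budget and throws if the subscription is already being throttled. The following is an added example, not from the course: it wraps the same request in a function that reports the remaining reads, reports the writes header when present (Azure returns it only on PUT, POST and DELETE responses), and turns the HTTP 429 the slide mentions into a Retry-After value instead of an exception. $authHeaders is the same hashtable the notes assume (Authorization = 'Bearer <token>'); the subscription id is a placeholder and it assumes Windows PowerShell 5.1.

```powershell
# Added example (not from the course): ARM rate-limit budget check with 429 handling.
function Get-ArmRateLimitStatus {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][hashtable]$AuthHeaders     # e.g. @{ Authorization = 'Bearer <token>' }
    )
    $uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourcegroups?api-version=2016-09-01"
    try {
        $r = Invoke-WebRequest -Uri $uri -Method GET -Headers $AuthHeaders -UseBasicParsing
        $headers    = $r.Headers
        $throttled  = $false
        $retryAfter = 0
    } catch [System.Net.WebException] {
        # Windows PowerShell 5.1 surfaces non-2xx responses as WebException with the response attached.
        $resp = $_.Exception.Response
        if (-not $resp -or [int]$resp.StatusCode -ne 429) { throw }
        $headers = @{}
        foreach ($k in $resp.Headers.AllKeys) { $headers[$k] = $resp.Headers[$k] }
        $throttled  = $true
        $retryAfter = [int]$resp.Headers['Retry-After']
    }
    $reads  = $headers['x-ms-ratelimit-remaining-subscription-reads']
    $writes = $headers['x-ms-ratelimit-remaining-subscription-writes']   # only present on write responses
    [pscustomobject]@{
        Throttled         = $throttled
        RetryAfterSeconds = $retryAfter
        ReadsRemaining    = if ($reads)  { [int]$reads }  else { $null }
        WritesRemaining   = if ($writes) { [int]$writes } else { $null }
    }
}

# Hold a catalog job back while the hourly budget is nearly used up (thresholds are examples).
$status = Get-ArmRateLimitStatus -SubscriptionId '<subscription-guid>' -AuthHeaders $authHeaders
if ($status.Throttled) {
    Write-Warning "Subscription is already throttled; wait $($status.RetryAfterSeconds) s before catalog operations"
} elseif ($status.ReadsRemaining -lt 1500) {
    Write-Warning "Only $($status.ReadsRemaining) of 15,000 reads left this hour; other services share this budget"
}
$status
```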
Studio using Pre-created Service Principal.
Which permissions will the Service Principal created by the Hosting Connection Wizard have in Azure?
Contributor on the entire Azure Subscription.
from your network to Azure they are typically handled by your ISP.
• Always deploy two Cloud Connectors per Azure location; use availability sets to minimize downtime.
• Azure Host Connections can be created using Full Scope or Limited Scope Service Principals in Azure AD.
Module 4 - Deploy Apps and Desktops using Machine Creation Services (MCS)
• Examine the functionality of Machine Creation Services.
• Identify considerations involved with MCS in Azure.
• Create a new VM from the Azure Marketplace.
• Upload an existing Master image from your on-premises deployment, use this image to deploy a new VM.
Key Notes:
• Creating a net new image and deploying all your software again can be a big task.
• Some customers prefer to re-use the image they already have running in their on-premises environment.
• The considerations for a new image are:
• Clean slate deployment.
• Operating system refresh.
• Design change/adjustment.
• Deploy Manually
  • Resource Group
  • Azure Location
  • VM Size
  • Managed Disks
  • Network and Subnet
  • Storage Group
• Alternatively, deploy using ARM Template
  • Automation
  • Custom configuration
Key Notes:
• Virtual Machines with default operating systems can be deployed from the Azure marketplace.
• Steps to create a VM from Azure Marketplace:
  1. Define the VM name. (Top Left)
  2. Choose the disk type (SSD or HDD); selecting SSD will limit the VM sizes later on. SSD is not typically needed when creating a master.
  3. Enter username and password. (admin or administrator cannot be used)
  10. The auto shutdown can help the admin to save money by shutting down the VM automatically at a certain time of day.
  11. Boot diagnostics and Guest OS diagnostic provide additional troubleshooting information for the virtual machine.
  12. Register with Azure Active Directory is not supported at this point for a master VDA.
  13. Backup can be enabled, but customers should determine a complete backup strategy for their Azure deployment.
• All the options supported in the Azure portal are also supported using ARM Templates.
• ARM Templates can be used to create a configuration set that can be executed many times with little effort.
Additional Resources:
• Create a Windows virtual machine with the Azure portal - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-portal
• Create a Windows virtual machine from a Resource Manager template - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
• Identify the destination storage account.
• Upload the VHD to the storage account.
  • AzCopy.
  • Azure Storage Copy Blob API.
  • Azure Storage Explorer Uploading Blobs.
  • Storage Import/Export Service REST API Reference.
• Create a managed image from the uploaded VHD.
• Create a Virtual Machine.
Key Notes:
• As an alternative to creating a new VM inside Azure and deploying the VDA software and all the applications again, some customers choose to copy their existing Master Image into Azure and use that as a base image for a new Azure VM.
• This means that customers can skip the process of re-creating the image, including deploying the VDA software, applications, patches, and testing application functionality.
• The process of moving over an existing image is:
  • Remove any hardware or hypervisor specific tools, such as XenTools.
Additional Resources:
• Upload a generalized VHD and use it to create new VMs in Azure - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/upload-generalized-managed
own Windows License which:
• Can be used to reduce Azure cost.
• Requires KMS infrastructure to support MCS.
• Windows 10 requires Microsoft EA subscription and Current Branch for Business.
• Citrix Virtual Apps workloads require RDS Licenses and infrastructure.
Key Notes:
• Some customers have existing license entitlements or on-premises licenses with hybrid usage rights; examine whether your organization is already licensed in Azure, or whether the license is cheaper through a Microsoft EA agreement.
• For additional Azure Virtual Machine Licensing information, please refer to the licensing FAQ in the additional resources section.
• Windows 10 does not support hybrid usage at the time of writing.
• MCS can create Catalogs based from:
  • Managed Disks
  • Managed Snapshots
  • Unmanaged VHD files
• Service Principal needs permission on the Master disk.
• MCS supports storage flexibility.
  • Azure Managed Disks vs Unmanaged Disks
  • Standard vs Premium
Key Notes:
• The master can be deployed on both managed or unmanaged disks in Azure.
• Customers also have the flexibility to choose standard or premium storage.
• When you create a machine catalog in Studio, the Master Image page of the catalog creation wizard lists managed disks, managed snapshots as well as VMs and VHDs.
• Citrix typically recommends deploying Master VMs on managed disks, to reduce the need for maintaining storage accounts and controlling replication of images.
leverage storage accounts. Storage accounts have a set amount of IOPS (20k for Standard, 50k for Premium) and these resources must be managed by the customer.
• From a cost perspective, there are charges associated with the IOPS and each unique GB consumed within a storage account. The disadvantage of storage accounts (unmanaged) is availability.
• Each storage account is within a storage scale unit (stamp). If a stamp fails due to hardware or software failure, the VM instances with disks on those stamps fail. When provisioning multiple storage accounts it is not possible to control the stamp where their accounts are stored.
Additional Resources:
• Support for Azure Managed Disks Goes Into Production - https://www.citrix.com/blogs/2018/02/21/support-for-azure-managed-disks-goes-into-production/
• Citrix TIPs Series: Citrix on Azure FAQs - https://www.citrix.com/blogs/2018/03/07/citrix-tips-series-citrix-on-azure-faqs/
• Manual Deployment
  • Server OS machine - VDAServerSetup.exe.
  • Workstation OS machine - VDAWorkstationSetup.exe.
• PowerShell Deployment
  • ARM Template
  • Azure Custom Script Extension
  • Automation Accounts
During VDA deployment ensure to specify Cloud Connectors as the Delivery Controllers.
Key Notes:
• Manual Deployment
  • The manual deployment of the VDA agent on a Server or Desktop OS follows the same procedure as an on-premises installation.
  • The customer will choose to register with the cloud connector(s) within the same Azure region during the installation process.
• The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post
Additional Resources:
• Custom Script Extension for Windows - https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
• Use AZCopy or PowerShell Copy to download file.
• Use CMDline options to define installation:
  • VDAWorkstationSetup.exe /quiet /components vda /exclude "Citrix User Profile Manager" /controllers "CloudConnector01.domain.com" /enable_hdx_ports /noreboot
Key Notes:
• The command line parameters on this slide are just an example; you must define what you want to install and build your command line string accordingly.
• Additional resources covering all the options can be found on eDocs.
• Command line options are the same as the on-premises deployment.
• ARM Template.
• Custom Script Extension for Windows.
• Automation Accounts.
• 3rd party tools such as:
  • Chef or Puppet.
• Citrix does not provide the VDA software available as a VM extension.
Key Notes:
• For customers just creating a single Master VDA and using that as a basis for creating an MCS catalog, automation may
not be worth the effort, but for customers creating many identical deployments or not using MCS to create their VDAs,
automating software installation, including the VDA might be worth investigating.
• ARM Templates and custom script extensions are the simplest automation method available in Azure.
• More advanced automation features can be found in 3rd party tools like Puppet and Chef.
• Use the built in optimization wizard.
• Disable unused services.
• Defragment the Master VDA virtual disks.
• Optimize antivirus and malware scanners.
Key Notes:
• There are no specific image optimization recommendations for running Citrix workloads in Azure.
• Use the same guidelines as in on-premises deployments.
• Keep CPU, Memory, and Storage load to a minimum by:
• Disabling unused services.
• Implementing the optimizations suggested by the VDA installer.
• Reducing the impact of antivirus and malware scanning.
and Servers in Azure.
  • However, not supported in MCS.
• Microsoft Antimalware is free in Azure.
  • Enable in virtual machine configuration or PowerShell
    • Set-AzureVMMicrosoftAntimalwareExtension
• Other vendors also provide extensions.
  • Consult your vendors' documentation.
Key Notes:
• Azure Security Extensions are not supported on MCS-created catalogs, but can be used on manually created catalogs and on other infrastructure servers.
• Examples of key scenarios these extensions can be used for:
• VM configuration: PowerShell DSC (Desired State Configuration), Chef, Puppet and Custom Script Extensions can install VM configuration agents to configure a VM.
• Anti-virus products, such as Symantec and ESET.
Additional Resources:
• Azure Specific Extensions - https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/overview
• Microsoft Antimalware for Azure Cloud Services and Virtual Machines - https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware
• Symantec Vendor Documentation - https://help.symantec.com/cs/SCWP/SCWP/v123027882_v111037498/Installing-an-agent-using-Azure-virtual-machine-extension?locale=EN_US
Can you host the Master VM on Azure Managed disks and use MCS to deploy to Premium Disks?
Yes, MCS can create Catalogs based on Master VMs on Managed Disks, Managed Snapshots, and unmanaged VHD files.
[Diagram: MCS on on-premises hypervisors, steps 1-3. VM-A and Storage Repository (image copies A, A'). 1. Create VM. 2. Create a snapshot. 3. Creates a full copy.]
Key Notes:
• MCS uses a linked-clone approach to provisioning: virtual machines read from a read-only master image that has been de-personalized. Each virtual machine is assigned an identity disk that gives the machine a unique identity and a differencing disk that handles the writes for the virtual machine.
• Step 1: Create VM
• In this step, the administrator creates a virtual machine that has the configurations and applications required for the targeted use case.
• Step 2: Create a snapshot
• … wizard, Studio will automatically take a thin snapshot of the VM using an automatic naming scheme and will provide that snapshot to MCS.
• Step 3: Creates a Full Copy
• MCS creates a full copy of the snapshot that was provided so that all machines that will be provisioned have the same properties and configurations as the master VM.
• MCS stores the full copy of the snapshot so that it can be updated in order to provision multiple VMs, and so that there is no impact if the administrator deletes the original snapshot.
[Diagram: MCS on on-premises hypervisors, steps 4-7. VM-A, Preparation VM-A', Storage Repository; legend: Instruction Disk, Identity Disk, Differencing Disk. 4. Creates a Preparation VM. 5. Attaches Instruction Disk to Preparation VM. 6. Powers on Preparation VM. 7. Begins image preparation process.]
Key Notes:
• Step 4: Creates a Preparation VM
• A temporary virtual machine is created from the snapshot so that an image preparation process can be run to depersonalize the VM.
• The Preparation VM is created with the network disconnected to prevent any issues with the operation of the original master image.
• Step 5: Attaches Instruction Disk to the Preparation VM
• … that it can be used to provision multiple machines. This is why Sysprep does not need to be run manually when creating a master image with MCS: the image preparation process automatically performs the necessary de-personalization.
[Diagram: MCS on on-premises hypervisors, steps 8-12. VM-A, Preparation VM-A', Storage Repository (snapshot copies A', A''); legend: Instruction Disk, Identity Disk, Differencing Disk. 8. Preparation VM updates snapshot A'. 9. Shuts down Preparation VM. 10. Instruction Disk reports back and is deleted. 11. Detaches OS disk and deletes Preparation VM. 12. Replicates a copy of updated snapshot A'' to each SR.]
Key Notes:
• Step 8: Preparation VM updates snapshot A'.
• The preparation VM updates the copy of the snapshot following the image update process, represented in the diagram by the copy of the snapshot being updated from A' to A''.
• Step 9: Shuts down Preparation VM.
• Step 10: Instruction Disk reports back and is deleted.
• The instruction disk reports the success/failure of the steps run during the image preparation process and only moves … repository.
• Important to note that because the snapshot copy needs to be placed in each storage repository, the number of storage repositories will affect storage requirements.
Additional Resources:
• Machine Creation Service: Image Preparation Overview and Fault-Finding: https://www.citrix.com/blogs/2016/04/04/machine-creation-service-image-preparation-overview-and-fault-finding/
[Diagram: MCS on on-premises hypervisors, steps 13-14. VM-A, VM-A', provisioned VM-B instances, Storage Repository (A, A''); legend: Instruction Disk, Identity Disk, Differencing Disk. 13. Creates Identity Disks in memory. 14. Creates VMs by attaching Identity Disks and creating Differencing Disks.]
Key Notes:
• Step 13: The hypervisor creates the Identity Disks in memory.
• Step 14: Each VM defined in the Machine Catalog is created; its identity disk is attached and a differencing disk for each VM is created and attached as well.
[Diagram: MCS in Azure, steps 1-2. Master VM (VM-A), Master Storage Account (A). 1. Master VM is created. 2. Master VHD is created in Storage Account.]
Key Notes:
• Step 1: A master VM is created in Azure, either manually in the Azure Portal or via the API.
• Step 2: The master disk is created and associated with the master VM. If the VM is created using unmanaged disks, the VHD is placed in a Storage Account. If the VM is created with a managed disk, the disk is not placed in a Storage Account.
[Diagram: MCS in Azure, pre-flight check, steps 3-4. Master VM (VM-A), Master Storage Account (A), Citrix ARM Plugin, Azure API. 3. Admin starts the MCS wizard. 4. Check available resources with Azure API for requested VMs: Cores, NICs, Storage.]
Key Notes:
• Step 3: Admin starts the MCS wizard.
• Step 4: The MCS wizard initiates a pre-flight check with the Azure API to ensure that there is connectivity and enough capacity to deploy the selected number of VMs.
[Diagram: MCS in Azure, pre-Machine Catalog creation, steps 5-7. Master VM (VM-A), Master Storage Account (A), Storage Accounts for MCS (citrixxdxxxx), Network Security Group, Citrix ARM Plugin, Azure API. 5. Create Resource Groups (full scope): one RG per 240 VMs. 6. Create Storage Accounts for MCS (standard or premium): one SA per 40 VMs; Storage Accounts are not created for Azure Managed Disks. 7. Create Network Security Group (Citrix-Deny-All-<provschemeId>).]
Key Notes:
• Step 5: While creating MCS catalogs using Full Scope permissions, the wizard initiates the creation of resource groups in Azure. A resource group can only contain 240 VMs, so for larger catalogs more resource groups are created.
• Step 6: While deploying MCS catalogs with unmanaged disks, the storage accounts are created. A new storage account is created for each 40 VMs in the catalog.
• Step 7: A Network Security Group is created to isolate the preparation VM from the rest of the network. It blocks all inbound and outbound traffic to the preparation VM during its lifetime.
[Diagram: MCS in Azure, provisioning task 1 of 3 (image), steps 8-10. Prep VM, Master VM (VM-A), Master Storage Account (A), Storage Accounts for MCS (citrixxdxxxx), Network Security Group, Citrix ARM Plugin, Azure API. 8. Validate connectivity. 9. Consolidate image. 10. Master image is copied (full copy) to the first Storage Account defined for the catalog (Preparati-xxxxx-xxxx.vhd).]
Key Notes:
• Step 8: Validate Connection Settings: MCS asks the plugin to verify that the service principal has access to the Azure resources.
• Step 9: Consolidate Master Image: for other hypervisors this phase prepares the master image snapshot from the master image VM. From the Azure perspective no snapshot or image needs to be taken, but the step must still be implemented to use the machine creation APIs.
• Step 10: A full copy of the master image is copied to the storage account; the VHD file is named preparati-xxxxx.vhd.
[Diagram: MCS in Azure, provisioning task 2 of 3, steps 11-14. Prep VM, Master VM (VM-A), Preparation VM-A', Master Storage Account (A), Storage Accounts for MCS (citrixxdxxxx, full copy), Network Security Group, Citrix ARM Plugin, Azure API. 11. Identity Disk created for Preparation VM. 12. Preparation VM created (Preparati-xxxxx). 13. Preparation VM stopped. 14. Identity Disk attached to Preparation VM.]
Key Notes:
• Step 11: An identity disk is created for the preparation VM.
• Step 12: The preparation VM is created, and it starts automatically because it is deployed directly in Azure.
• Step 13: The preparation VM is forced to stop so that changes can be made to it.
• Step 14: After the preparation VM stops, the identity disk is attached to the VM.
[Diagram: MCS in Azure, provisioning task 3 of 3, steps 15-19. Prep VM, Master VM (VM-A), Preparation VM-A', Master Storage Account (A), Storage Accounts for MCS (citrixxdxxxx; full copy, base image), Network Security Group, Citrix ARM Plugin, Azure API. 15. Preparation VM started. 16. Preparation VM stops after preparation. 17. Preparation VM disk copied to a new container and used as the base image. 18. Replicate base image to all Storage Accounts. 19. Delete Preparation VM and Identity Disk.]
Key Notes:
• Step 15: The preparation VM starts with the identity disk attached and runs through the preparation sequence; this involves writing the identity to the identity disk and anonymizing the master image to be used with MCS.
• Step 16: The preparation VM is stopped after the preparation process is complete.
• Step 17: The preparation VM disk is copied to a new container and used as the base image.
• Step 18: The base image is replicated to all storage accounts associated with the Catalog (only if using unmanaged disks).
• Step 19: The preparation VM and identity disk are deleted.
[Diagram: MCS in Azure, second pre-flight check, step 20. Master VM (VM-A), Master Storage Account (A), Storage Accounts for MCS (citrixxdxxxx; base images), Citrix ARM Plugin, Azure API. 20. … checked before the VM creation process is started.]
Key Notes:
• Step 20: Another pre-flight check is done to ensure that the base image has replicated successfully and that the proper permissions are in place before starting the VM creation process.
[Diagram: MCS in Azure, provisioning task (on-demand provisioning), step 21. Master VM (VM-A), NICs, Master Storage Account (A), Storage Accounts for MCS (citrixxdxxxx; base images), Citrix ARM Plugin, Azure API. 21. NICs and Identity Disks are created during MCS.]
Key Notes:
• These steps are only relevant if using the on-demand provisioning feature. This feature is now the default for all new customers.
• Step 21: Only the NICs and the Identity Disks are created during the VM creation part of the MCS process. All the preparation steps are still relevant.
[Diagram: MCS in Azure, on-demand provisioning, steps 22-24. Master VM (VM-A), VM-01, NICs, OS disk, Master Storage Account (A), Storage Accounts for MCS (citrixxdxxxx; base images), Citrix ARM Plugin, Azure API. 22. OS Disk created at VM launch time. 23. VM created and linked to OS Disk at VM launch time. 24. Identity Disk attached to VM at VM launch time.]
Key Notes:
• These steps are only relevant if using the on-demand provisioning feature. This feature is now the default for all new customers.
• Step 22: During the start of a VM, the operating system disk is created.
• Step 23: The VM is then created during the start operation and bound to the OS disk created in step 22.
• Step 24: The identity disk created in step 21 is associated with the VM before the VM is started.
[Diagram: MCS in Azure, on-demand provisioning, steps 25-27. Master VM (VM-A), VM-01, NICs, OS disk, Master Storage Account (A), Storage Accounts for MCS (citrixxdxxxx; base images), Citrix ARM Plugin, Azure API. 25. VM deleted at shutdown. 26. OS Disks deleted at shutdown. 27. Identity Disk and NIC retained for the next startup.]
Key Notes:
• These steps are only relevant if using the on-demand provisioning feature. This feature is now the default for all new customers.
• Step 25: When stopping VMs created with the on-demand provisioning feature, the VMs are deleted from Azure during the shutdown process.
• Step 26: After deleting the VM, the OS disks are deleted as well.
• Step 27: The identity disks and the NICs are left in Azure for whenever the VMs need to start again.
• … created Resource Group.
• Exercise 4-3: Deploy Windows 10 Using an ARM Template.
What are the two objects created by MCS for each VM during Machine Catalog creation?
With on-demand provisioning, only Identity Disks and NICs are created during Machine Catalog creation. VMs and OS disks only exist in Azure when the resource is running. Less storage used = smaller Azure invoice.
Key Notes:
• Storage in Azure is billed to customers even when VMs are shut down and de-allocated. This can be expensive, especially when using Azure managed disks.
• To reduce the cost, Citrix deletes both the VMs and the OS disks when the VMs are shut down.
• When using unmanaged disks in Azure, a Storage Account can only support 20,000 IOPS.
• Premium Storage 50,000 IOPS (note that the Key Notes give the premium storage account limit as 50 Gbps total throughput).
• MCS allows 40 VMs per Storage Account.
• 20,000/40 = 500 IOPS per VM on Standard Storage.
• MCS creates additional Storage Accounts when the number of VMs in a Machine Catalog exceeds 40.
• SSD recommended for temporary storage.
• Managed Disks are recommended for better HA.
Key Notes:
• A standard storage account has a maximum total request rate of 20,000 IOPS. The total IOPS across all of the virtual machine disks in a standard storage account should not exceed this limit. For example, for a Basic Tier VM, the maximum number of highly utilized disks is about 66 (20,000/300 IOPS per disk), and for a Standard Tier VM it is about 40 (20,000/500 IOPS per disk), as shown in the table below.
• A premium storage account has a maximum total throughput rate of 50 Gbps. The total throughput across all of your VM disks should not exceed this limit.
Additional Resources:
• Azure Storage Scalability and Performance Targets - https://docs.microsoft.com/en-us/azure/storage/storage-scalability-targets
• Using Virtual Apps and Desktops in Azure Resource Manager - https://www.citrix.com/blogs/2016/09/12/using-xenapp-xendesktop-in-azure-resource-manager/
• Azure Managed Disks support fast provisioning of thousands of virtual disks.
• Azure Managed Disks replicate your data to three different replicas by default to ensure high availability.
• Managed Disks in Azure do not rely on Storage Accounts.
• SSD recommended for temporary storage.
• Managed Disks are invoiced by provisioned size, not by the amount of data inside the disk.
Key Notes:
• Managed Disks provide scalable and highly available storage without the need to create storage accounts and worry about IOPS constraints.
• An Azure resource group can hold no more than 800 Managed Disks. By default, Virtual Desktops provisions three disks per machine: OS Disk, Identity Disk and Write Back Cache Disk.
• Virtual Desktops provisions no more than 240 machines per resource group; Catalogs with more than 240 machines will therefore span multiple resource groups.
Additional Resources:
• Azure Storage Scalability and Performance Targets - https://docs.microsoft.com/en-us/azure/storage/storage-scalability-targets
• Using Virtual Apps and Desktops in Azure Resource Manager - https://www.citrix.com/blogs/2016/09/12/using-xenapp-xendesktop-in-azure-resource-manager/
• Support for Azure Managed Disks Goes Into Production - https://www.citrix.com/blogs/2018/02/21/support-for-azure-managed-disks-goes-into-production/
Time to complete catalog operations for 1000 pooled machines (minutes):

Operation                          Unmanaged Disks   Managed Disks
Create Catalog                     155               120
Start all VMs                      56                138
Stop all VMs                       51                51
Update Catalog Image               58                20
Delete Catalog (machines stopped)  56                148

Key Notes:
• For pooled machines, a new copy of the master image is made every time the machine starts, so the time it takes to copy the OS disk is directly reflected in the time it takes to start the machine.
• When using storage accounts, the master image is replicated to each storage account when the catalog is created or updated, and OS disks are copied from the replicated master image local to the storage account the machine is allocated to. This results in near-instantaneous copies.
• 6 x 40 = 240 VMs per Resource Group.
• A Storage Account is not deleted until the Machine Catalog is deleted.
Key Notes:
• Remember that Storage Accounts are automatically created by MCS with both Full Scope and Narrow Scope permissions.
• Storage Accounts should not hold any items other than VDA VMs.
• The same limit of 240 VMs per resource group applies when using managed disks, because Azure limits a resource group to 800 disks.
• MCS is programmatically limited to 240 VMs per Resource Group for all storage types.
• Do not add other VMs to VDA Resource Groups.
• The ARM Plugin assumes that it has exclusive use of the Resource Group.
• Machine Catalogs spanning multiple Resource Groups are supported.
• Designing one Machine Catalog per Resource Group will be easier to support and maintain.
• MCS can create the Resource Groups automatically, or you can pre-create the Resource Groups to limit the permissions required by MCS.
Key Notes:
• The limit of 240 VMs per resource group is an Azure limitation that MCS enforces to avoid errors during provisioning.
• The limit is derived from Azure limiting a Resource Group to 800 Managed Disk objects: 3 virtual disks per VDA plus other objects.
• Custom Resource Groups are now supported in the Citrix Cloud GUI. Multiple Resource Groups must be identified at the time of provisioning, and this cannot be changed after the Catalog is created.
• Up to 3 disk objects per VM:
• OS
• Identity
• Write Back Cache
• For larger MCS Catalogs several RGs will be created.
• Write-back cache is not recommended in Azure.
Key Notes:
• Full Scope permissions are required to create additional Resource Groups per Machine Catalog.
• Citrix recommends disabling write-back cache on Azure-based MCS catalogs for now.
Additional Resources:
• Azure subscription and service limits, quotas, and constraints - https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#resource-group-limits
• Azure rate limits mean VM and Storage actions can take longer than with on-premises hypervisors.
• Machine Catalog updates.
• Machine Catalog rollbacks.
• Boot storms on one Storage Account.
• Create several Machine Catalogs and use Delivery Groups to present them as one pool of resources.
Key Notes:
• Very large Machine Catalogs are not recommended, as they increase the time it takes to update a catalog.
• Use Azure managed disks to reduce the risk of overloading storage accounts with IOPS.
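The storage account and resource group limits spread over the last few slides (40 VMs per storage account, 20,000 IOPS per standard storage account, 240 VMs and 800 managed disks per resource group, up to 3 disk objects per VM) are easiest to sanity-check as one small planner. The script below is an added worked example, not Citrix or Microsoft code; the catalog sizes it is run with are constructed samples, and it only encodes the figures stated in this module.

```python
"""Capacity planner for MCS machine catalogs on Azure.

Added worked example; not Citrix or Microsoft code. It encodes the limits
stated in this module: 40 VMs per storage account for unmanaged disks
(20,000 IOPS per standard storage account, so 500 IOPS per VM when full),
800 managed disks per resource group with up to 3 disks per VM (OS,
identity, write-back cache), and the MCS limit of 240 VMs per resource
group for all storage types. Catalog sizes passed in are sample values.
"""
import math
from dataclasses import dataclass
from typing import Optional

VMS_PER_STORAGE_ACCOUNT = 40      # MCS limit, unmanaged disks only
STANDARD_SA_IOPS = 20_000         # total request rate of a standard storage account
MANAGED_DISKS_PER_RG = 800        # Azure resource group limit
VMS_PER_RESOURCE_GROUP = 240      # MCS limit, all storage types


@dataclass(frozen=True)
class CatalogPlan:
    vms: int
    managed_disks: bool
    resource_groups: int
    storage_accounts: int          # 0 for managed disks
    disks_per_vm: int              # 2 without write-back cache, 3 with it
    disks_in_fullest_rg: int       # managed disk objects in a full resource group
    iops_per_vm: Optional[float]   # share of a full standard storage account; None for managed


def plan_catalog(vms: int, managed_disks: bool = True,
                 write_back_cache: bool = False) -> CatalogPlan:
    """Work out how many Azure containers MCS will create for a catalog."""
    if vms <= 0:
        raise ValueError("a catalog needs at least one VM")
    disks_per_vm = 3 if write_back_cache else 2       # OS + identity (+ cache)
    resource_groups = math.ceil(vms / VMS_PER_RESOURCE_GROUP)
    fullest_rg = min(vms, VMS_PER_RESOURCE_GROUP)
    disks_in_fullest_rg = fullest_rg * disks_per_vm
    if managed_disks:
        # No storage accounts: per-disk IOPS limits apply instead of the
        # shared 20,000, but the 800-disk resource group limit still does.
        if disks_in_fullest_rg > MANAGED_DISKS_PER_RG:
            raise ValueError("exceeds 800 managed disks per resource group")
        return CatalogPlan(vms, True, resource_groups, 0, disks_per_vm,
                           disks_in_fullest_rg, None)
    storage_accounts = math.ceil(vms / VMS_PER_STORAGE_ACCOUNT)
    fullest_sa = min(vms, VMS_PER_STORAGE_ACCOUNT)
    iops_per_vm = STANDARD_SA_IOPS / fullest_sa       # 500 when an account is full
    return CatalogPlan(vms, False, resource_groups, storage_accounts,
                       disks_per_vm, 0, iops_per_vm)


def max_vms_per_standard_account(iops_per_vm_disk: int) -> int:
    """Highly utilised disks a standard storage account can carry: the
    66 (300 IOPS, Basic) and 40 (500 IOPS, Standard) figures from the Key Notes."""
    return STANDARD_SA_IOPS // iops_per_vm_disk


def describe(plan: CatalogPlan) -> str:
    """One-line summary for a design review."""
    storage = ("managed disks" if plan.managed_disks
               else f"{plan.storage_accounts} storage account(s), "
                    f"{plan.iops_per_vm:.0f} IOPS per VM when an account is full")
    return (f"{plan.vms} VMs -> {plan.resource_groups} resource group(s), {storage}, "
            f"{plan.disks_per_vm} disks per VM "
            f"(managed disks in fullest RG: {plan.disks_in_fullest_rg})")


if __name__ == "__main__":
    for size, managed in ((100, False), (1000, False), (1000, True)):
        print(describe(plan_catalog(size, managed_disks=managed)))
```

Running it for the 1000-machine catalog from the timing table gives 5 resource groups either way, 25 storage accounts with unmanaged disks, and 480 managed disk objects in a full resource group (720 if write-back cache is left on), which is why the 240-VM limit leaves headroom under the 800-disk limit.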
• VMs cannot be associated with an Availability Set after creation.
• Use multiple Machine Catalogs and Azure Regions to gain HA.
• Alternatively, provision VMs manually to use Availability Sets.
• AppDisk is not supported by Azure and Citrix Cloud.
• App Layering should be used instead.
Additional Resources:
• Known Issues - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/known-issues.html
• Citrix App Layering 4 - http://docs.citrix.com/en-us/citrix-app-layering/4.html
• App Layering in Azure - https://docs.citrix.com/en-us/citrix-app-layering/4/install-appliance/ms-azure.html
• Sizing of Citrix Virtual Apps in Azure should not be done as for on-premises.
• Smaller VMs are cheaper.
• In a 9-to-5 organization, money can be saved by shutting down workloads as users start logging off.
• In a "follow the sun" organization, the Azure presence will likely extend to more regions, with a 9-to-5 situation per region.
• Fewer users per VM means a VM can be drained more quickly.
• MCS deletes the VM at shutdown, including the VHD (Managed Disks).
Key Notes:
• The concept presented here is based on Azure pay-as-you-go pricing.
• These assumptions change when the customer purchases reserved instances. Reserved instances offer deep hourly discounts if you purchase capacity for a year or more, and power cycling then doesn't matter. Reserved instances are available on Azure.
• Discount up to 72% compared to pay-as-you-go.
• Reservations are divided into one-hour runtime blocks.
• Consumption above reservations billed as pay-as-you-go.
[Chart: running VM instances (VM 1, VM 2, VM 3) per hour over Hour 1 to Hour 4, y-axis 0 to 1.5, illustrating hourly application of the reservation discount.]
Key Notes:
• After you buy a Reserved VM Instance, the reservation discount is automatically applied to virtual machines matching the attributes and quantity of the reservation.
• A reservation covers the infrastructure costs of your virtual machines. The graph illustrates the costs for your virtual machine after you purchase a reservation. In all cases, you are charged for storage and networking at the normal rates.
• The reservation discount is applied to running VM instances on an hourly basis. The reservations that you have purchased …
Additional Resources:
• Azure Reserved VM Instances - https://azure.microsoft.com/en-us/pricing/reserved-vm-instances/
• Understand how the Reserved Virtual Machine Instance discount is applied - https://docs.microsoft.com/en-us/azure/billing/billing-understand-vm-reservation-charges
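The hourly rules above (reservation applied per one-hour block to matching running VMs up to the reserved quantity, overflow billed pay-as-you-go, reserved capacity paid for whether or not anything runs) decide whether the earlier "shut down at 5 pm" sizing advice still saves money once a reservation is bought. The model below is an added worked example, not Microsoft billing code; the rates and the four-hour running-VM timeline are constructed sample values, not Azure prices, and the 72% figure is only the ceiling quoted on this slide.

```python
"""Hour-by-hour model of the Azure Reserved VM Instance discount.

Added worked example, not Microsoft billing code. It follows the rules in
this module: the discount is applied to running VMs that match the
reservation, per one-hour block, up to the reserved quantity; consumption
above the reservation is billed pay-as-you-go; and because the reserved
capacity is paid for whether or not a VM runs, power cycling does not
change the reservation cost. Rates and timelines are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Rate:
    payg_per_hour: float       # pay-as-you-go price of one matching VM for one hour
    reserved_discount: float   # 0.72 means 72% off pay-as-you-go (the slide's ceiling)

    @property
    def reserved_per_hour(self) -> float:
        return self.payg_per_hour * (1.0 - self.reserved_discount)


def apply_reservation(running_per_hour: Sequence[int], reserved_qty: int,
                      rate: Rate) -> Dict[str, float]:
    """running_per_hour[h] = matching VMs running during one-hour block h.

    Returns the hour blocks that received the reserved rate, the reserved
    blocks that went unused, the blocks billed pay-as-you-go, and the
    resulting compute cost (storage and networking are billed separately).
    """
    if reserved_qty < 0 or any(n < 0 for n in running_per_hour):
        raise ValueError("counts must be non-negative")
    used = unused = payg = 0
    for running in running_per_hour:
        covered = min(running, reserved_qty)   # the reservation fills first
        used += covered
        unused += reserved_qty - covered        # paid for, but nothing ran
        payg += running - covered              # overflow at the normal rate
    cost = (used + unused) * rate.reserved_per_hour + payg * rate.payg_per_hour
    return {"used_reserved_hours": used, "unused_reserved_hours": unused,
            "payg_hours": payg, "cost": round(cost, 6)}


def payg_cost(running_per_hour: Sequence[int], rate: Rate) -> float:
    """What the same timeline costs with no reservation at all."""
    return round(sum(running_per_hour) * rate.payg_per_hour, 6)


def break_even_utilisation(rate: Rate) -> float:
    """Fraction of reserved hours that must actually be used for the
    reservation to beat pay-as-you-go: 1 - discount (0.28 at 72% off)."""
    return round(1.0 - rate.reserved_discount, 6)


if __name__ == "__main__":
    rate = Rate(payg_per_hour=1.0, reserved_discount=0.72)
    # Constructed timeline for four hour blocks: one VM all the time,
    # a second VM in hours 2-3, a third in hour 3 only.
    timeline = [1, 2, 3, 1]
    print(apply_reservation(timeline, reserved_qty=1, rate=rate))
    print("pay-as-you-go:", payg_cost(timeline, rate))
    print("break-even utilisation:", break_even_utilisation(rate))
```

The useful output is the break-even figure: at a 72% discount a reserved instance only has to be running 28% of the time to beat pay-as-you-go, so for the always-on share of a catalog (infrastructure servers, the minimum VDA pool) a reservation wins even with aggressive power management, while bursty overflow capacity stays cheaper on pay-as-you-go.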
• … Create a Manual Catalog.
• Exercise 4-5: Create Delivery Groups and Assign Resources to Users.
How many VMs are supported per Resource Group when using MCS provisioning?
240 VMs per Resource Group.
• … using PowerShell, VM extensions are not currently available.
• With the on-demand provisioning feature in MCS, OS disks are created at power on and deleted at power off.
• Using on-demand provisioning will lower your Azure storage bill and ensure fast provisioning.
Module 5
Providing Access to End Users
• … Azure.
• Identify Citrix ADC locations when integrating with Azure.
• Review connectivity features for multi-location deployments.
[Diagram: access layer across On-premises, Citrix Cloud and Azure resource locations.]
Key Notes:
• StoreFront in Citrix Cloud has been replaced by Workspace Experience, which is a more feature-rich, multi-tenant-aware access layer.
Additional Resources:
• What's New with Citrix Workspace in December 2019? https://www.citrix.com/blogs/2019/12/20/whats-new-with-citrix-workspace-december-2019/
• Enabled by default.
• It can be disabled by support.
• Zero maintenance.
• Integrated with Citrix Gateway as a Service by default.
• Option to integrate with Citrix Gateways in the resource location.
Key Notes:
• The first part of the workspace URL is customizable. You can change the URL from, for example, https://example.cloud.com to https://newexample.cloud.com.
• The customizable part of the URL ("newexample") must be between 6 and 63 characters long. If you want to change the customizable part of the URL to fewer than 6 characters, open a ticket in Citrix Cloud.
• It must consist of only letters and numbers.
• It cannot include Unicode characters.
Additional Resources:
• About StoreFront - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/storefront.html
• About Citrix Gateway - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/netscaler.html
• Use Availability Sets to ensure HA.
• Domain-joined for Server Group functionality.
• 4 vCPU / 8 GB RAM VM recommended.
• Premium storage recommended for infrastructure servers.
• Consider F4s, F4s_v2, D3s_v2, or D4s_v3.
• Use either Cloud Connectors or Azure Delivery Controllers as XML Servers.
Key Notes:
• The customer is responsible for building and maintaining the StoreFront virtual machines and applicable infrastructure in Azure.
• Deploying StoreFront in Azure adds functionality not present in the Citrix Cloud deployment of StoreFront.
• The additional standalone StoreFront functionality includes, but is not limited to:
• UI Customization
• Workspace app Deployment
Additional Resources:
• System requirements - https://docs.citrix.com/en-us/storefront/current-release/system-requirements.html
• Use Availability Sets to ensure StoreFront servers are deployed in different racks.
• Update Domain
• Fault Domain
• Availability Sets can only be configured at VM creation.
• Use Managed Disks when deploying Availability Sets.
• Limited number of fault domains per region.
• Typically 2 or 3
Key Notes:
• Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform.
• The order in which update domains are rebooted may not proceed sequentially during planned maintenance, but only one update domain is rebooted at a time. A rebooted update domain is given 30 minutes to recover before maintenance is initiated on a different update domain.
• Managed disks provide better reliability for Availability Sets by ensuring that the disks of VMs in an Availability Set are …
Additional Resources:
• Configure multiple virtual machines in an availability set for redundancy - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability#configure-multiple-virtual-machines-in-an-availability-set-for-redundancy
• Azure Load Balancer
• Citrix ADC VPX
• Citrix ADC has a built-in StoreFront monitor.
• Azure has basic HTTP and TCP monitoring.
• Citrix ADC has advanced Application Delivery Controller functionality:
• Rewrite
• Content switching
• GSLB
Key Notes:
• Azure Load Balancer is free of charge but not offered with Basic virtual machines.
• The Citrix ADC VPX virtual appliance is available as an image in the Microsoft Azure Marketplace.
• You can deploy Citrix ADC VPX instances on Azure Resource Manager either as standalone instances or as high availability pairs in active-active or active-standby modes.
• Additional StoreFront monitoring is available with Citrix ADC.
• For Citrix ADC Azure deployments, GSLB is only supported on the Citrix ADC 12.0 VPX. GSLB is not supported on the …
Additional Resources:
• Azure Load Balancer overview - https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
• Load Balancer Pricing - https://azure.microsoft.com/en-us/pricing/details/load-balancer/
• Deploying Citrix ADC VPX on Microsoft Azure - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure.html
Ports used by StoreFront servers in Azure:

Component                                   Type      Port                                          Details
Domain Controller                           TCP/UDP   88                                            Kerberos.
Domain Controller                           TCP/UDP   464                                           Native Windows authentication protocol to allow users to change expired passwords.
StoreFront Server                           TCP       Randomly selected unreserved port per service Used for Peer-to-peer Services (Credential Wallet, Subscriptions Store, 1 per Store). This service uses MS .NET NetPeerTcpBinding, which negotiates a random port on each server between the peers.
StoreFront Server                           TCP       808                                           Used for Subscription Replication Services. Not installed by default. Used to replicate subscriptions between associated clusters.
Virtual Desktops Controller, Virtual Apps   TCP       80/443                                        For application and desktop requests.
Controller, Citrix Endpoint Management
Citrix ADC                                  TCP       8000                                          For the Monitoring Service used by the Citrix ADC load balancer.

Key Notes:
• Network Security Groups can be used in Azure to secure the communication between the different NICs or subnets.
• The list on this slide only covers the ports and services needed for the Citrix traffic; more ports and services may be needed for underlying OS functionality.
Additional Resources:
• Network security groups - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg
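Turning the port table above into an NSG for the StoreFront subnet has one awkward row: the peer-to-peer services negotiate a random unreserved port, so the only rule that works is to trust the StoreFront peers on every TCP port while keeping everyone else to the fixed ports. The script below is an added worked example, not Citrix or Microsoft code: it reproduces how Azure evaluates NSG rules (ascending priority, first match wins, implicit DenyAllInBound at 65500) and checks a constructed inbound rule set against the flows the table requires. The subnet addresses, rule names and priorities are assumptions made for the example; only the inbound side of the StoreFront subnet is modelled, so Kerberos (88) and password change (464), which StoreFront initiates towards the domain controllers, do not appear as inbound rules.

```python
"""Simulating Azure NSG evaluation against the StoreFront port table.

Added worked example, not Citrix or Microsoft code. Azure applies NSG rules
in ascending priority order and the first matching rule decides; the default
DenyAllInBound rule sits at priority 65500, below every custom rule. The
subnets, rule names and priorities are constructed for the example; the
port numbers come from the table on this slide.
"""
import ipaddress
from dataclasses import dataclass
from typing import Sequence, Tuple, Union

PortSpec = Union[int, Tuple[int, int]]   # single port or inclusive (lo, hi) range

# Constructed address plan for the example.
STOREFRONT_SUBNET = "10.10.1.0/24"
ADC_SUBNET = "10.10.2.0/24"
CONTROLLER_SUBNET = "10.10.3.0/24"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                   # 100-4096 for custom rules; lower wins
    access: str                     # "Allow" or "Deny"
    protocol: str                   # "Tcp", "Udp" or "*"
    source: str                     # CIDR or "*"
    dest_ports: Tuple[PortSpec, ...]


def _port_hit(port: int, spec: PortSpec) -> bool:
    return port == spec if isinstance(spec, int) else spec[0] <= port <= spec[1]


def _source_hit(src_ip: str, source: str) -> bool:
    return source == "*" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)


def evaluate(rules: Sequence[Rule], src_ip: str, protocol: str, dest_port: int):
    """Return (access, rule name) the way the NSG engine would decide it."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _source_hit(src_ip, rule.source):
            continue
        if not any(_port_hit(dest_port, spec) for spec in rule.dest_ports):
            continue
        return rule.access, rule.name
    return "Deny", "DenyAllInBound"      # Azure's implicit default rule


# Constructed inbound NSG for the StoreFront subnet.
STOREFRONT_INBOUND = (
    Rule("Allow-Store-HTTP-HTTPS", 100, "Allow", "Tcp", "*", (80, 443)),
    Rule("Allow-ADC-Monitor", 110, "Allow", "Tcp", ADC_SUBNET, (8000,)),
    # Peer-to-peer services negotiate a random unreserved port, so the
    # StoreFront peers must be trusted on every TCP port; 808 (subscription
    # replication) is covered by the same rule.
    Rule("Allow-StoreFront-Peers", 120, "Allow", "Tcp", STOREFRONT_SUBNET, ((1, 65535),)),
)

# Flows the table says must work: (description, source ip, protocol, port).
REQUIRED_FLOWS = (
    ("client -> store over 443", "10.20.0.10", "Tcp", 443),
    ("ADC monitor -> StoreFront 8000", "10.10.2.4", "Tcp", 8000),
    ("peer -> subscription replication 808", "10.10.1.5", "Tcp", 808),
    ("peer -> credential wallet random port", "10.10.1.5", "Tcp", 49160),
)


def check_required_flows(rules: Sequence[Rule], flows=REQUIRED_FLOWS):
    """Map each required flow to True/False depending on whether it is allowed."""
    return {desc: evaluate(rules, ip, proto, port)[0] == "Allow"
            for desc, ip, proto, port in flows}


if __name__ == "__main__":
    for desc, ok in check_required_flows(STOREFRONT_INBOUND).items():
        print(f"{'PASS' if ok else 'FAIL'}  {desc}")
    print("8000 from a client range:", evaluate(STOREFRONT_INBOUND, "10.20.0.10", "Tcp", 8000))
    print("808 from the controller subnet:", evaluate(STOREFRONT_INBOUND, "10.10.3.4", "Tcp", 808))
```

Because first match wins, any Deny rule with a lower priority number than the allows above silently shadows them; running a flow check like this after every NSG change is a cheap way to catch that before users lose the store.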
• … Workspace in Citrix Cloud.
• Exercise 5-2: Setup an On-premises StoreFront and Create a StoreFront Store.
• Exercise 5-3: Launch Resources through StoreFront.
… applications and desktops when deploying Citrix Cloud with Azure as a resource location?
StoreFront can be hosted in Azure or on-premises. Citrix Workspace Experience is available in Citrix Cloud.
Location Considerations
[Diagram: Citrix Gateway placement across On-premises, Citrix Cloud and Azure resource locations.]
Key Notes:
• Customers has three options for deploying Citrix Gateway.
1. Citrix Gateway as a Service is included in the Citrix Cloud subscription and can be used as an HDX proxy only.
2. Citrix Gateways can also be deployed in the on-premises networks or in Azure.
3. Citrix Gateway/ADC in Azure can either be purchased through Azure, or it can be deployed as a bring your own.
• No firewall changes.
• Included in Citrix Workspace and Virtual Apps and Desktops subscriptions.
• HDX data is proxied through Cloud Connector to Citrix Cloud.
• Scaling and latency should be monitored.
• Requires Citrix Workspace Experience.
• Increases CPU utilization on Cloud Connectors.
Key Notes:
• The service is available from 12 points of presence around the world, including both Azure and AWS datacenters.
• The service is currently enabled only for use with HDX traffic and SSON as part of the Virtual Apps and Desktops. Other
Citrix Gateway functionality is not enabled.
• Includes 1 GB data transfer per user per month.
• Known issues:
• The Citrix Gateway Service is enabled for use with HDX traffic as part of the Virtual Apps and Desktops only. Other Citrix Gateway functionality is not enabled.
• Smart Access does not work for sessions connected through the Citrix Gateway Service.
• Scalability limits ~1000 concurrent users/140 Mbps throughput per Cloud Connector.
Additional Resources:
• Citrix Gateway Service - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/netscaler.html
• Simple, Secure & Better Connectivity with Citrix Gateway Service - https://www.citrix.com/blogs/2017/08/04/simple-secure-better-connectivity-with-netscaler-gateway-service/
• Citrix Cloud services subscriptions - https://www.citrix.com/products/citrix-cloud/subscriptions.html
• Citrix Gateway Service — The secure way to deliver Citrix Virtual Apps and Desktops using Citrix Cloud - https://www.citrix.com/content/dam/citrix/en_us/documents/product-overview/netscaler-gateway-service-product-overview.pdf
Citrix Cloud architecture.
• HDX traffic proxied through the most optimal PoP.
• Transparent to customers and users.
Azure PoPs: Azure South Central US, Azure East US, Azure West US, Azure West Europe, Azure North Europe, Azure Australia East, Azure Japan East, Azure Brazil South, Azure Southeast Asia.
AWS PoPs: US-East, US-West, EU-Central.
Key Notes:
• The service is available from 12 points of presence around the world, including both Azure and AWS datacenters.
Additional Resources:
• Citrix Gateway Service — The secure way to deliver Citrix Virtual Apps and Desktops using Citrix Cloud - https://www.citrix.com/content/dam/citrix/en_us/documents/product-overview/netscaler-gateway-service-product-overview.pdf
• Configure a Network Security Group.
• Configure a Storage Account.
• Configure an Availability Set.
• Configure Citrix ADC VPX instances.
Diagram: Endpoints reach an Azure Load Balancer in front of two Citrix Gateways (Citrix ADC), which front StoreFront and the Session Machines.
Key Notes:
• Note the following before you begin configuring the Citrix ADC VPX instances in high availability mode in the Azure virtual network.
• The two Citrix ADC virtual machines that you want to add to a load balanced set should be provisioned in the same virtual network.
• A load balanced set applies only to the default NIC of the virtual instance. Therefore, the VIP has to be configured on
Additional Resources:
• Configuring an HA Setup with Multiple IP Addresses and NICs - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure/configure-vpx-pair-ha-inc.html
• Deploying Citrix ADC VPX on Microsoft Azure - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure.html
Citrix ADC
• Standard
• Advanced
• Premium
• Citrix Gateway
• Bandwidth
• Smart Access
• Citrix Gateway as a Service
• Bandwidth
• Included in Citrix Cloud subscriptions.
Key Notes:
• Citrix ADC
• Standard License
• Delivers reliable application availability, comprehensive L4-7 load balancing, robust performance optimization features, and secure remote access.
• Advanced License
• Adds advanced traffic management, clustering support, stronger security features, extended optimizations, SSO, and
• Citrix Gateway
• Citrix Gateway requires a Platform license.
• The Platform license allows an unlimited amount of connections to Virtual Apps, Virtual Desktops, or StoreFront by using ICA proxy.
• To allow VPN connections to the network from the Citrix Gateway Plug-in, a Smart Access logon point, or Worx Home, WorxWeb, or WorxMail, you must also add a Universal license. Citrix Gateway VPX comes with the Platform license.
• SmartAccess allows you to control access to published applications and desktops on a server through the use of Citrix Gateway session policies.
• Citrix ADC HDX Proxy or Citrix Gateway Service
• Citrix Gateway Service is enabled for use with HDX traffic as part of the Citrix Workspace and Citrix Virtual Apps and Desktops only.
Additional Resources:
• Networking - https://www.citrix.com/buy/licensing/product.html
• Citrix ADC overview - https://www.citrix.com/products/netscaler-adc/netscaler-deployment-guide.html
• Deploying Citrix ADC VPX on Microsoft Azure - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure.html
• Citrix Gateway FAQ - https://docs.citrix.com/en-us/citrix-gateway/13/faq.html
• Citrix Cloud licensing includes Citrix ADC HDX proxy only licenses.
• Multi NIC and Multi IP are supported with Citrix ADC v11+.
• HA supported through ARM load balancer.
• Active-Active
• Active-Passive
• Clustering is not supported.
Key Notes:
• When you deploy Citrix ADC VPX on Microsoft Azure Resource Manager (ARM), you can leverage the Azure cloud
computing capabilities and use Citrix ADC load balancing and traffic management features for your business needs. You
can deploy Citrix ADC VPX instances on Azure Resource Manager either as standalone instances or as high availability
pairs in active-active or active-standby modes.
• Citrix ADC VPX VMs in high availability are controlled by external or internal load balancers that have inbound rules defined on them to control the load balancing traffic. The external traffic is first intercepted by these load balancers, and the traffic
• Tagged VLAN
• Dynamic Routing
• Virtual MAC (VMAC)
• USIP
• CloudBridge Connector
• The following ports are reserved by the Citrix ADC virtual machine. You cannot define these as private ports when using the Public IP address for requests from the Internet. Ports 21, 22, 80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000.
• GSLB is supported on NS 12 VPXs in Azure. However, GSLB is not supported on NS 11 VPXs in Azure.
Additional Resources:
• Deploying Citrix ADC VPX on Microsoft Azure - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure.html
• Typically used when Citrix ADCs in active/passive HA are deployed on two different networks.
• Used in Azure because Layer 2 and GARP are not available.
• Azure Load Balancer owns the Floating PIPs.
• VIPs are floating between the Active and Passive Citrix ADC.
• SNIPs added to each Citrix ADC instance.
• Supports HDX session failover.
Key Notes:
• Citrix ADC active-passive environments normally use GARP to ensure that traffic is redirected to the passive Citrix ADC in
case of a failover. Since GARP and Layer2 networking is not exposed in Azure, HA-INC can be implemented to enable the
Citrix ADCs to support unique SNIPs on each Citrix ADC instance. Because Azure Load Balancers have access to Layer
2, they can be used to float the incoming VIP traffic between the two HA instances.
• In an active-passive deployment, the ALB floating public IP (PIP) addresses are added as the VIP addresses in each Citrix
ADC node. In HA-INC configuration, the VIP addresses are floating and SNIP addresses are instance specific.
happens.
Additional Resources:
• Configuring High Availability Nodes in Different Subnets - https://docs.citrix.com/en-us/citrix-gateway/13/high-availability/ng-ha-routed-networks-con.html
• Active-Passive requires:
• An HA Independent Network Configuration (INC) configuration.
• The Azure Load Balancer (ALB) in Direct Server Return (DSR) mode.
• Adding multiple NICs and multiple IPs to Citrix ADC can be done through the Azure Portal or PowerShell.
• Useful for hosting multiple services on the same Citrix ADC Pair.
Diagram: Azure Load Balancer (PIP1:443, PIP2:80) in front of two Citrix ADCs, each with two NICs (NIC1 to NIC4) carrying IP1 to IP6, fronting StoreFront and the Session Machines.
Key Notes:
• In Azure Resource Manager (ARM), you can deploy a Citrix ADC virtual appliance with multiple NICs. Each NIC can
contain multiple IP addresses.
• In an active-active High-Availability (HA) setup, two Citrix ADC VPX instances are deployed independently, but each is
ready to assume the other's load in the event of a failure. In this type of deployment, you must configure the NICs
identically in both instances.
• Active-Active Citrix ADC HA should be load balanced by either Azure LB or another Citrix ADC load balancer to ensure full
• Create a Resource Group where the Citrix ADC VPXs will be deployed.
• Create Storage Account for the Citrix ADC VPX virtual disks (only if using unmanaged disks).
• Create Availability Set before creating the Citrix ADC VPXs.
• Create Network Security Group to define which traffic is allowed to and from the Citrix ADC VPXs.
• Create Virtual Network only if you are defining a separate network for the Citrix ADC deployment; alternatively, create a new subnet within the existing network.
• Create Public IPs used to host the incoming traffic; these IPs will be assigned to the Azure Load Balancer.
• Create IP Configuration used for the Citrix ADC VPXs.
• Create NICs used for the Citrix ADC VPXs.
• Create Citrix ADC VPX 1 and Citrix ADC VPX 2, add them to the availability set, and assign the NICs and IP configuration to them.
• Create the Azure Load Balancer that will balance the traffic between the Citrix ADC VPX pair.
• Associate NIC IP-Config with Azure LB Back-end Pool.
• Associate NAT Rules of NICs' IP-Config with Azure LB NAT Rules.
Additional Resources:
• Configure a high-availability setup with multiple IP addresses and NICs - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure/configure-vpx-pair-ha-inc.html
• Add network interfaces to or remove from virtual machines - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm
• Exercise 5-5: Import Citrix ADC Configuration.
• Exercise 5-6: Enable Remote Access in StoreFront.
• Exercise 5-7: Launch Resources through Citrix ADC.
How can you add multiple NICs to Citrix ADC in Azure?
In the Azure portal or through the use of Azure PowerShell cmdlets:
New-AzureRmNetworkInterface -Name -ResourceGroupName -Location -IpConfiguration
Add-AzureRmVMNetworkInterface -VM -Id
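An added example, not from the course, that carries the NIC steps of the deployment procedure above and the two cmdlets on this slide through end to end: a second NIC with two static IP configurations is created and attached to an existing Citrix ADC VPX VM. Resource group, virtual network, subnet, VM name and addresses are placeholders.

```powershell
# Added example, not Citrix course code: add a second NIC carrying two IP configurations
# to an existing Citrix ADC VPX VM with the AzureRM cmdlets named on the slide.
# All resource names and addresses are placeholders.
$rg       = 'rg-ctx-adc'     # placeholder resource group
$location = 'westeurope'     # placeholder region
$vmName   = 'adc-vpx-1'      # placeholder Citrix ADC VPX VM

$vnet   = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name 'vnet-ctx'
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-server'

# Two static private IPs on the new NIC. HA-INC keeps SNIPs instance specific,
# so each ADC node gets its own addresses here (constructed values).
$ipcfgSnip  = New-AzureRmNetworkInterfaceIpConfig -Name 'ipcfg-snip' -Subnet $subnet `
    -PrivateIpAddress '10.10.3.10' -PrivateIpAddressVersion IPv4 -Primary
$ipcfgExtra = New-AzureRmNetworkInterfaceIpConfig -Name 'ipcfg-extra' -Subnet $subnet `
    -PrivateIpAddress '10.10.3.11' -PrivateIpAddressVersion IPv4

# New-AzureRmNetworkInterface -Name -ResourceGroupName -Location -IpConfiguration (from the slide)
$nic = New-AzureRmNetworkInterface -Name "$vmName-nic2" -ResourceGroupName $rg `
    -Location $location -IpConfiguration $ipcfgSnip, $ipcfgExtra

# NICs can only be added while the VM is deallocated, and the VM size must allow
# more than one NIC.
$vm = Get-AzureRmVM -ResourceGroupName $rg -Name $vmName
Stop-AzureRmVM -ResourceGroupName $rg -Name $vmName -Force | Out-Null

# Add-AzureRmVMNetworkInterface -VM -Id (from the slide)
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id

# Exactly one NIC must be flagged primary; keep the original NIC (the NSIP side).
$vm.NetworkProfile.NetworkInterfaces | ForEach-Object { $_.Primary = $false }
$vm.NetworkProfile.NetworkInterfaces[0].Primary = $true

Update-AzureRmVM -ResourceGroupName $rg -VM $vm | Out-Null
Start-AzureRmVM -ResourceGroupName $rg -Name $vmName | Out-Null
```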
Resources
• Used to distribute connections between multiple datacenters based on:
• State of datacenters
• Proximity to datacenters
• Internal or external connections.
• Helpful when creating a single logon URL for Citrix Gateway and StoreFront.
• Citrix ADC becomes an Authoritative DNS server for the FQDN.
• Citrix ADC GSLB can replace Azure LB in Active/Active HA configurations.
Key Notes:
• Global Server Load Balancing (GSLB) provides disaster recovery and ensures continuous availability of applications by
protecting against points of failure in a Wide Area Network (WAN).
• GSLB can balance the load across data centers by directing client requests to the closest or best-performing data center,
or to surviving data centers in case of an outage.
• DNS is a key component in a GSLB environment.
• Customers can use GSLB instead of Azure LB for Active/Active Citrix ADCs. The drawback is that DNS failover is not as
Additional Resources:
• How GSLB Works? https://docs.citrix.com/en-us/citrix-adc/13/global-server-load-balancing.html
Diagram: GSLB example. Azure US East hosts NS (LDAP), Gateway vServer1, CallBack vServer1, StoreFront and VDI; Azure Europe West hosts NS (LDAP), Gateway vServer2, CallBack vServer2, StoreFront and VDI; GSLB vServers on each Citrix ADC direct users to a Gateway vServer.
Key Notes:
• This diagram references a simple GSLB architecture overview, not specific to Azure.
Additional Resources:
• How to Configure GSLB on Citrix Gateway? https://support.citrix.com/article/CTX205277
• How GSLB Works? https://docs.citrix.com/en-us/citrix-adc/13/global-server-load-balancing.html
• Routes the HDX connection through the Citrix Gateway closest to users.
• Combine with GSLB to create a single logon URL and individual Citrix ADC HDX Gateways in each datacenter.
• Use StoreFront to map individual HDX Gateways to Zones.
Key Notes:
• If you have configured separate Citrix Gateway appliances for your deployments, StoreFront enables you to define the
optimal appliance for users to access each of the deployments providing resources for a store.
• For example, if you create a store that aggregates resources from two geographical locations, each with a Citrix Gateway
appliance, users connecting through an appliance in one location can start a desktop or application in the other location.
However, by default, the connection to the resource is then routed through the appliance to which the user originally
connected and must, therefore, traverse the corporate WAN.
Additional Resources:
• Configure optimal gateway routing - https://docs.citrix.com/en-us/storefront/current-release/plan/high-availability-and-multi-site-configuration.html
Gateway Routing Architecture Example
Diagram: Workspace App endpoints connect through Citrix ADC US East (Gateway vServer1, CallBack vServer1) or Citrix ADC Europe West (Gateway vServer2, CallBack vServer2); each Azure region (US East, Europe West) hosts StoreFront, Cloud Connectors and VDA Machines.
Key Notes:
• This diagram references a simple Optimal Gateway architecture overview, not specific to Azure.
Additional Resources:
• StoreFront high availability and multi-site configuration - https://docs.citrix.com/en-us/storefront/current-release/plan/high-
availability-and-multi-site-configuration.html
When configuring GSLB, which DNS server must be authoritative for the logon FQDN?
The Citrix ADC must be the Authoritative DNS server for the logon FQDN.
Azure.
• Azure load balancer is used to enable Citrix ADC High Availability in Azure.
• GSLB can be used to create a single logon point that directs users to the Azure region closest to their location.
Maintaining Infrastructure and VDAs in Microsoft Azure
Module 6
requirements for Citrix Cloud and with Azure as a resource location.
• Examine the best practices for maintaining resources in Azure.
• Cover the power management options for deploying VDAs in Azure with Citrix Cloud.
• Delivery Controllers
• Site Databases
• Workspace Experience
• Citrix Gateway as a Service
• Studio
• Director
• Citrix Cloud updates deployed every two weeks.
• Evergreen
Key Notes:
• Site Databases refer to the 3 databases containing the Citrix Site metadata, configuration logging, and monitoring data.
• Citrix targets doing an update cycle every two weeks for all customers in Citrix Cloud – the process is referred to as evergreen.
Update
• Cloud Connector software is updated and managed by Citrix.
• Follows the evergreen 2-week cycle.
• Deploy at least two Cloud Connectors per resource location to avoid update outages.
• N+1 sizing.
• For enterprise, the recommendation is N+2 for connectors (so we never have a point in time with a single point of failure).
• One Cloud Connector updated at a time.
Diagram: a resource location with three Cloud Connectors (N+1) in front of AD, hypervisors, server VDAs and desktop VDAs.
Key Notes:
• The Cloud Connector should be installed on a dedicated domain-joined machine.
• Keep all of the Cloud Connectors powered on at all times for proper operation.
• Always install connectors in pairs. The number of Cloud Connectors you should install is N+1, where N is the capacity needed to support the infrastructure within your Citrix Cloud Resource Location.
• Although 2 is technically enough to ensure HA under normal operations, having 3 would ensure that HA and capacity are
Workspace in Citrix Cloud:
• The Virtual Apps and Desktops in Citrix Cloud includes a Workspace site for each customer.
• Zero Effort to deploy.
• Hosted and operated by Citrix.
• Kept Evergreen and updated by Citrix.
StoreFront in Azure:
• StoreFront can also be deployed by the customer in Azure.
• Shrink-wrap product.
• Hosted and operated by the customer.
• Updates are done by the customer.
• HA should be considered.
Key Notes:
• A cloud-hosted Workspace: The Virtual Apps and Desktops in Citrix Cloud includes a Workspace site for each customer.
The benefit of the cloud-hosted Workspace is that there is zero effort to deploy, and it is kept evergreen by Citrix.
Workspace is recommended for all new customers, previews, and Proofs-of-Concept (PoCs).
• An on-premises StoreFront: Customers may also use an existing StoreFront to aggregate applications and desktops in
Citrix Cloud. The customer is responsible for maintaining the site and its resources within Azure. This offers greater
security, including support for two-factor authentication and prevents users from entering their password into the cloud
Additional Resources:
• Workspace configuration - https://docs.citrix.com/en-us/citrix-cloud/workspace-configuration.html
Citrix Gateway Service in Citrix Cloud:
• Included in Workspace and Virtual Apps and Desktops subscriptions.
• Zero Effort to deploy.
• Hosted and operated by Citrix.
• Kept Evergreen and updated by Citrix.
Citrix ADC VPX in Azure:
• Citrix ADC can also be deployed by the customer in Azure.
• Can be deployed directly from Azure console.
• Hosted and operated by the customer.
• Updates are done by the customer.
• HA should be considered.
Key Notes:
• The Citrix Gateway as a Service hosted in Citrix Cloud is a no touch no maintenance deployment.
• All components are maintained and operated by Citrix, and the Citrix ADC software is automatically kept updated as a part
of the evergreen process.
• When deploying Citrix ADC VPX in Azure, the maintenance and update process is similar to deploying VPX appliances
on-premises, and the customer is responsible for all updates and patching of the Citrix ADCs.
• When deploying your own Citrix ADC VPX solution, always consider deploying them in a High Availability configuration.
Additional Resources:
• Citrix Gateway Service - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/netscaler.html
• Citrix Cloud components and services are maintained and backed up by Citrix.
• Delivery Controllers
• Site Databases
• Workspace
• Citrix ADC
• Studio
• Director
• The customer is responsible for backing up their Azure-based workloads.
• Azure Backup or other third-party solutions can be used to back up your Azure-based resources.
• Back up Master Images and Static VDAs–not stateless VDAs.
Key Notes:
• Citrix keeps backups of all components in Citrix Cloud and will be able to restore every customer in case of any issues.
• In addition to the Citrix Cloud backup strategy, all components operated by Citrix Cloud are replicated amongst different datacenters to avoid single points of failure.
• Customers are responsible for creating their own backup and replication strategy for any components deployed in their own datacenters or their own Azure subscriptions.
• The backup and replication strategy should include components such as:
Additional Resources:
• Use Azure portal to restore virtual machines - https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
• Overview of the features in Azure Backup - https://docs.microsoft.com/en-us/azure/backup/backup-introduction-to-azure-backup
• Azure Backup - https://azure.microsoft.com/en-us/services/backup/
can be used to back up resources in Azure.
• Each product has different use cases.
Component | Protects | Limitations | Where deployed
DPM | Applications, Workloads, VMs (Hyper-V and VMware), System State, Files, Folders, Volumes, SQL Server, Exchange | System Center License | On-premises
Azure Backup Server | Applications, Workloads, VMs (Hyper-V and VMware), System State | No tape backup | On-premises
Azure IaaS VM Backup | VMs, All disks (using PowerShell) | No tape backup, No compression, No backup to disk, 1 backup per day | Azure VMs
Key Notes:
• Azure Backup offers multiple components that you can download and deploy on the appropriate computer, server, or in
the cloud. The component, or agent that you deploy depends on what you want to protect.
• All Azure Backup components (no matter whether you're protecting data on-premises or in the cloud) can be used to back
up data to a Recovery Services vault in Azure.
• Azure Operations Management Suite can be utilized to monitor and actively maintain Citrix infrastructure in Azure.
• Log Analytics
• Azure Automation
Diagram: Infrastructure in OMS. Agents and Cloud Log Export feed the Log Analytics Repository through its API, which drives Search, Dashboard and Alert; an Alert triggers Azure Automation actions (Email, Webhook, Runbook).
Key Notes:
• The Operations Management Suite (OMS) is a cloud-based IT management solution that helps you manage and protect
your cloud and on-premises environments. Rather than being deployed on-premises to manage your resources, the OMS
components are hosted entirely in Azure. The required configuration is minimal, and you can be up and running literally in
a matter of minutes.
• Log Analytics
• Monitor and analyze the availability and performance of different resources including physical and virtual machines.
Additional Resources:
• What is Operations Management Suite (OMS)? https://docs.microsoft.com/en-us/azure/operations-management-suite/operations-management-suite-overview
Who is responsible for updating the Cloud Connector software?
Citrix Cloud will automatically push updates to Cloud Connectors – one at a time.
• Get Master VDA image by either:
• Create Master VM and configure accordingly.
• Upload sysprepped Master VHD from on-premises.
• MCS will copy the Master VDA image during Catalog creation.
• If using the same Master VDA for multiple Catalogs, manually copy the Master image before Catalog creation.
• Start Master VDA VM to apply incremental updates, turn off and deallocate before Catalog update.
• Using copies allows rollback to a previous image.
Key Notes:
• The master VDA VM is created solely to create the master VDA image.
• Once we are happy with the master VDA image, we technically do not need the master VDA VM anymore.
• A new master VDA VM can always be created to maintain the master VDA Image.
• As a best practice, you should always create a copy of your master image and use the copied image as input to the
provisioning process. In the future, if you want to update the catalog, you can start the master image VM and make
necessary changes, shut it down and again create a copy of the image which will be your updated image. This helps you
Additional Resources:
• Using Virtual Apps & Virtual Desktops in Azure Resource Manager - https://www.citrix.com/blogs/2016/09/12/using-xenapp-xendesktop-in-azure-resource-manager/
image management. Deploy ELM appliance in Azure.
• Add SMB share on premium disk to the ELM server.
• Create Base OS Layer VM in Azure Portal.
• Deploy Citrix Optimizer for App Layering.
• Define Azure Connector in ELM.
• Create the OS Layer in ELM and import OS Image.
• Create Remote Desktop Services Platform Layer.
• Create Applications Layers.
• Create Image Template in ELM.
Diagram: the Enterprise Layer Manager (ELM) composes the OS Layer, Platform Layer and App Layer.
Key Notes:
• Citrix provides an installation script for deploying the ELM server on Azure. The installation script, included in the installation package, does the following:
• Copies the included VHD to the Azure location you specify.
• Creates a virtual machine in Azure using the VHD.
• Attaches the repository disk.
• Boots the Azure appliance.
• On the Monitoring Diagnostics entry, select Disabled.
• SMB share:
• Currently, the App Layering Appliance does not support the Azure File Share feature. For best performance, it is best to create a file share server in Azure using a fast system with a Premium Disk, for example, a DS class machine.
• Azure Connector in ELM:
• A Connector Configuration contains the credentials and location information that the appliance needs to access a specific location in Azure. For example, your organization may have one Azure account and several storage locations, and you will need a Connector Configuration so the appliance can access each storage location.
Additional Resources:
• App Layering in Azure - https://docs.citrix.com/en-us/citrix-app-layering/4/azure.html
• Azure Connector Configuration - https://docs.citrix.com/en-us/citrix-app-layering/4/connect/ms-azure.html
• Option to script deploy a new Master VDA VM for each update to the base image.
• The more challenging approach that typically requires a 3rd party tool.
• Script install VDA and all other software on the VM.
• Update existing Catalog by pointing to the new Master VDA VM or image.
• Investigate utilities such as:
• Azure Automation Accounts/Run books
• Puppet
• Chef
Key Notes:
• Some customers prefer to script-deploy a new master VM each time they update the base image.
• This is the more challenging solution and typically requires a 3rd party tool.
• Create a new Master Image to avoid inheriting any errors or misconfigurations.
• Use Scripts to automate the installation of updates and applications.
• Copy the Master VDA image to storage BLOB (CTXMasterUpdates).
• Select the Machine Catalog to update.
• Click next on Overview.
• Expand the correct Storage Account and select the updated Master image.
• Ensure the Master VDA image is not attached to a running VM.
Additional Resources:
• Update and Rollback Virtual Desktops Azure Resource Manager Catalog - https://www.citrix.com/blogs/2016/11/23/update-and-rollback-xendesktop-azure-resource-manager-catalog/
Catalog:
• On next shutdown
• Immediately
• Update All VMs at the same time
• Distribute period
• Internal algorithm
• Notification
• Time
• Frequency
Key Notes:
• Distribution time: You can choose to update all machines at the same time, or specify the total length of time it should take
to begin updating all machines in the catalog. An internal algorithm determines when each machine is updated and
restarted during that interval.
• Notification: In the left notification dropdown, choose whether to display a notification message on the machines before an
update begins. By default, no message is displayed. If you choose to display a message 15 minutes before the update
begins, you can choose (in the right dropdown) to repeat the message every five minutes after the initial message. By
Additional Resources:
• Update the catalog - https://support.citrix.com/article/CTX219330
vDisks and locations during Catalog updates.
• Rollback machine update in Catalog actions pane to change to the previous Master image.
• Rollout Strategy.
• Select when to apply the previous Master image.
• Requirements:
• Copy disks manually for every Catalog and for every update.
• Rollback does not work if changes are done in the current Master image.
• Renaming, deleting, or moving Master images will cause rollback to fail.
Key Notes:
• If you are maintaining a master image VM in Azure, always create a copy of the associated master VHD and use that for creating a catalog. For catalog update, after you make changes in your master image, again create a copy of the associated VHD and use that copy to update the catalog. If you follow this method, you can maintain one master image VM in Azure and use it for multiple image updates, rollback, etc.
• Do not rename, delete or move a master image; otherwise, you won’t be able to roll back the update if required.
• Broker Reboot Cycle after catalog update/rollback happens only for those machines which are added in the delivery groups. The reboot cycle is started on all machines in the first group. The cycle then waits for at least one machine to register. If the machine fails to register in the configured timeout, the cycle is abandoned. This is by design and is intended to avoid taking all the machines in a delivery group out of service due to a bad update.
Additional Resources:
• Update and Rollback Virtual Desktops Azure Resource Manager Catalog - https://support.citrix.com/article/CTX219330
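The copy-before-update practice from the catalog update slide and these Key Notes, as an added example that is not course code: a PowerShell routine that deallocates the master VDA VM, copies its VHD to a new timestamped blob in the CTXMasterUpdates container, refuses to overwrite an existing copy, and returns the URI to select in Studio. Storage account, container and blob names are placeholders.

```powershell
# Added example, not Citrix course code: take a versioned copy of the master VDA VHD
# before each catalog update so every catalog keeps its own untouched image for rollback.
# Names are placeholders; the slide's CTXMasterUpdates container is lower-cased because
# blob container names must be lowercase.
$rg           = 'rg-ctx-images'        # placeholder resource group
$account      = 'ctxmasterimages'      # placeholder storage account (unmanaged disks)
$masterVm     = 'masterVDA'            # placeholder master VDA VM name
$srcContainer = 'vhds'                 # container holding the master VM's OS disk
$srcBlob      = 'masterVDA-osdisk.vhd' # placeholder OS disk blob
$dstContainer = 'ctxmasterupdates'     # CTXMasterUpdates from the slide

function Copy-MasterImageForCatalogUpdate {
    # 1. The master image must not be attached to a running VM: stop and deallocate it.
    Stop-AzureRmVM -ResourceGroupName $rg -Name $masterVm -Force | Out-Null

    # 2. Data-plane context for the storage account; create the target container if needed.
    $key = (Get-AzureRmStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
    $ctx = New-AzureStorageContext -StorageAccountName $account -StorageAccountKey $key
    if (-not (Get-AzureStorageContainer -Name $dstContainer -Context $ctx -ErrorAction SilentlyContinue)) {
        New-AzureStorageContainer -Name $dstContainer -Context $ctx -Permission Off | Out-Null
    }

    # 3. New, timestamped name. Existing copies are never renamed, moved or overwritten,
    #    because a catalog created from one of them would lose its rollback target.
    $dstBlob = 'masterVDA-{0}.vhd' -f (Get-Date -Format 'yyyyMMdd-HHmm')
    if (Get-AzureStorageBlob -Container $dstContainer -Blob $dstBlob -Context $ctx -ErrorAction SilentlyContinue) {
        throw "$dstBlob already exists; refusing to overwrite an image a catalog may depend on."
    }

    # 4. Server-side copy inside the account, then wait for it to finish.
    Start-AzureStorageBlobCopy -SrcContainer $srcContainer -SrcBlob $srcBlob `
        -DestContainer $dstContainer -DestBlob $dstBlob -Context $ctx | Out-Null
    $state = Get-AzureStorageBlobCopyState -Container $dstContainer -Blob $dstBlob -Context $ctx -WaitForComplete
    if ($state.Status -ne 'Success') { throw "Blob copy ended with status $($state.Status)." }

    # 5. Return the URI to pick in the Studio update wizard (Storage Account > container > image).
    "https://$account.blob.core.windows.net/$dstContainer/$dstBlob"
}

Copy-MasterImageForCatalogUpdate
```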
• For large deployments, Azure Templates can be used to ensure consistent deployments of:
• Master VMs
• Storage Accounts
• Networks and Subnets
• Resource Groups
• Network Security Groups
• Azure Templates are based on JSON.
• GitHub is a great resource for getting started.
Key Notes:
• Templates can also be created for Active Directory, Cloud Connectors, StoreFront, Availability Sets.
Additional Resources:
• Design patterns for Azure Resource Manager templates when deploying complex solutions -
https://docs.microsoft.com/en-us/azure/azure-resource-manager/best-practices-resource-manager-design-templates
• World Class Azure Resource Manager Templates Considerations and Proven Practices -
• Windows Updates are turned off by the VDA Image Optimization Wizard.
• Non-persistent Catalogs
• Run Windows Update on Master VDA VMs, test updates, and update Catalog.
• Persistent Catalogs
• Test Windows Updates first.
• Use OMS Update Management to schedule deployment.
• Deploy Windows Server Update Services (WSUS) for faster deployment and single instance download.
Key Notes:
• You can deploy and install software updates on computers that require the updates by creating a scheduled deployment.
Updates classified as Optional are not included in the deployment scope for Windows computers, only required updates.
• The scheduled deployment defines what target computers will receive the applicable updates, either by explicitly
specifying computers or selecting a computer group that is based off of log searches of a particular set of computers. You
also specify a schedule to approve and designate a period of time when updates are allowed to be installed within.
• Updates are installed by runbooks in Azure Automation. You cannot view these runbooks, and they don’t require any
N
• The results of the applied updates are forwarded to OMS to be processed and summarized in the dashboards
ot
or by the searching the events.
fo
Additional Resources:
rr
• Update Management solution in OMS - https://docs.microsoft.com/en-us/azure/operations-management-
es
suite/oms-solution-update-management#installing-updates
al
• Citrix VDI Best Practices for Virtual Apps and Desktops 7.15 LTSR - https://docs.citrix.com/en-us/xenapp-and-
e
xendesktop/7-15-ltsr/citrix-vdi-best-practices.html
or
di
s tri
b ut
io
n
Key Notes:
• Using Cloud Director, administrators can do the following operations to manage VDAs:
• Power manage the VDA.
• Enable/disable maintenance mode on a VDA.
• End selective user processes.
• Shadow a user session to monitor issues.
• Generate customized reports to monitor VDA performance/session performance.
the service more secure and stable.
• The Administrators node allows you to configure permissions on site objects within a Virtual Apps and Desktops Site. This is referred to as the Delegated Administration model. Currently, Virtual Apps and Desktops Service does not support Delegated Administration.
• Currently, App-V Publishing is not supported by Citrix Cloud.
• The Controllers node is not shown in Cloud Studio, to add more security.
• The Zones node contains the names of Cloud Connectors and not the names of Virtual Apps and Desktops Controllers.
• Cloud Director
• Cloud Director is not accessed through an HDX connection, unlike Cloud Studio.
• Citrix ADC Insight is currently not supported in Cloud Director.
• Hosting Connections and Licensing information is not currently shown in Cloud Director.
Diagram: each VDA runs the Microsoft Monitoring Agent (MMA), which sends Event Log data and Performance Counter data (VDA event data and metrics) to Azure OMS.
Key Notes:
• Log Analytics collects data from your Connected Sources and stores it in your Log Analytics workspace. The data collected from each source is defined by the Data Sources that you configure. Data in Log Analytics is stored as a set of records. Each data source creates records of a particular type, with each type having its own set of properties.
• Windows Event logs are one of the most common data sources for collecting data using Windows agents, since many applications write to the Windows event log. You can collect events from standard logs such as System and Application, in addition to specifying any custom logs created by applications you need to monitor.
configure it to report to one or more Log Analytics workspaces. The agent also supports the Hybrid Runbook Worker role for Azure Automation.
Additional Resources:
• Windows event log data sources in Log Analytics - https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-data-sources-windows-events
• Windows and Linux performance data sources in Log Analytics - https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-data-sources-performance-counters
• Connect Windows computers to the Log Analytics service in Azure - https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows
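The Data Sources configuration the notes describe, as an added example (not from the course): it defines, once and centrally in the workspace, which Windows event logs and performance counters every MMA-connected VDA reports, instead of configuring each machine. The workspace and resource group names, the custom "Citrix Delivery Services" log name and the counter set are assumptions for illustration; it requires Az.OperationalInsights and a prior Connect-AzAccount. One caveat that is not on the page: the Windows Security log cannot be collected through this data source type, so VDA logon auditing needs the Security Events solution or a SIEM connector.

```powershell
# Added example, not from the course: define workspace-level Windows data sources for VDAs.
$ResourceGroup = 'rg-cvad-monitoring'   # assumed
$Workspace     = 'law-cvad-vdas'        # assumed

# Event logs and which levels to keep. Information events from the Citrix log are kept
# because session launch/registration diagnostics are written at that level (assumption).
$eventLogs = @(
    @{ Name = 'Application';              Errors = $true; Warnings = $true; Information = $false },
    @{ Name = 'System';                   Errors = $true; Warnings = $true; Information = $false },
    @{ Name = 'Citrix Delivery Services'; Errors = $true; Warnings = $true; Information = $true }   # assumed log name
)

foreach ($log in $eventLogs) {
    $splat = @{
        ResourceGroupName = $ResourceGroup
        WorkspaceName     = $Workspace
        Name              = 'evt-' + ($log.Name -replace '[^A-Za-z0-9]', '-')
        EventLogName      = $log.Name
    }
    if ($log.Errors)      { $splat.CollectErrors      = $true }
    if ($log.Warnings)    { $splat.CollectWarnings    = $true }
    if ($log.Information) { $splat.CollectInformation = $true }
    New-AzOperationalInsightsWindowsEventDataSource @splat | Out-Null
}

# Counters that explain VDA and session performance; 60 s keeps ingestion cost modest.
$counters = @(
    @{ Object = 'Processor';         Instance = '_Total'; Counter = '% Processor Time' },
    @{ Object = 'Memory';            Instance = '*';      Counter = 'Available MBytes' },
    @{ Object = 'LogicalDisk';       Instance = 'C:';     Counter = 'Avg. Disk Queue Length' },
    @{ Object = 'Terminal Services'; Instance = '*';      Counter = 'Active Sessions' }
)

foreach ($c in $counters) {
    $dsName = 'perf-' + (($c.Object + '-' + $c.Counter) -replace '[^A-Za-z0-9]', '-')
    New-AzOperationalInsightsWindowsPerformanceCounterDataSource -ResourceGroupName $ResourceGroup `
        -WorkspaceName $Workspace -Name $dsName -ObjectName $c.Object -InstanceName $c.Instance `
        -CounterName $c.Counter -IntervalSeconds 60 | Out-Null
}

# Verify what agents attached to this workspace will now be asked to send.
Get-AzOperationalInsightsDataSource -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace -Kind WindowsEvent |
    Select-Object Name, Kind
Get-AzOperationalInsightsDataSource -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace -Kind WindowsPerformanceCounter |
    Select-Object Name, Kind
```

Each data source is idempotently named from the log or counter it covers, so re-running the script after adding an entry to either list is the whole change process; agents pick up the new configuration without any per-VDA work.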
Exercise 6-2: Deploy Update to Machine Catalog
For a Catalog to support rollback after an update, which manual action must be done before the Catalog is updated?
The Master VDA image must be copied before every Catalog update.
• Power management is important for Pay-As-You-Go customers.
• Only allocated resources are charged.
• Power Management allows the customer to reduce costs by limiting allocated resources.
• Billing is per minute until the resource is deallocated.
• Disks cost money even when the VM is powered off.
Key Notes:
• For customers that use Azure Reserved Instances, power management is less important, because Reserved Instances are designed to run 24/7. In short, you get the discount up front when you reserve a number of VMs for a given timeframe.
• The number of VMs you reserve becomes a fixed cost instead of a variable cost. Furthermore, you pay the fixed cost whether the VMs are running or not.
• Some customers mix Reserved Instances and Pay-As-You-Go to ensure that their baseline number of VMs are Reserved Instances and their peak capacity is covered by adding additional Pay-As-You-Go instances.
• Advanced settings through PowerShell.
• Adjust the buffer size to avoid boot storms.
• Keep the Idle Pool as low as possible to reduce cost.
• Peak hours and Off-peak hours.
• Don’t use suspend in Azure; it will not deallocate the VM.
• Consider shutdown at logoff.
Key Notes:
• You can power manage only virtual Desktop OS machines, not physical ones (including Remote PC Access machines). Desktop OS machines with GPU capabilities cannot be suspended, so power-off operations fail.
• In Delivery Groups containing pooled machines, virtual Desktop OS machines can be in one of the following states:
• Randomly allocated and in use.
• Unallocated and unconnected.
• Pools and buffers: For pooled Delivery Groups and static Delivery Groups with unallocated machines, a pool is a set of
• Power state timers: You can use power state timers to suspend machines after users have disconnected for a specified amount of time. For example, machines will suspend automatically outside of office hours if users have been disconnected for at least 10 minutes. Random machines or machines with personal vDisks automatically shut down when users log off unless you configure the Shutdown Desktops After Use Delivery Group property in the SDK.
• Use the SDK to:
• Shut down, rather than suspend, machines in response to power state timers, or if you want the timers to be based on logoffs rather than disconnections.
• Change the default weekday and weekend definitions.
Additional Resources:
• Power manage machines in a Delivery Group - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/install-configure/delivery-groups-manage.html
• Power Management of a Virtual Apps & Virtual Desktops Service Resource Location - https://www.citrix.com/blogs/2017/03/28/power-management-of-a-xenapp-xendesktop-service-resource-location/
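The SDK settings listed above, applied together as an added example (not from the course or the linked Citrix blog): every timer action that Studio would default to Suspend is set to Shutdown, because suspend never deallocates an Azure VM and billing continues; a power time scheme defines peak hours and a small idle pool; and the buffer is kept modest to absorb a boot storm without paying for idle capacity. It assumes the Citrix Remote PowerShell SDK is installed and Get-XdAuthentication has already been run against the tenant; the Delivery Group name, timeouts, pool size and buffer percentages are placeholders.

```powershell
# Added example, not from the course: Delivery Group power management via the Remote PowerShell SDK.
$GroupName = 'Win10-Pooled'   # assumed Delivery Group name

$dg = Get-BrokerDesktopGroup -Name $GroupName
if (-not $dg) { throw "Delivery Group '$GroupName' not found (run Get-XdAuthentication first)." }

# Azure charges until the VM is deallocated and Suspend never deallocates, so every timer
# action becomes Shutdown. Disconnected sessions get 15 min in peak hours, 5 min off-peak;
# ShutdownDesktopsAfterUse makes a pooled machine power off at logoff instead of sitting idle.
$dg | Set-BrokerDesktopGroup `
    -PeakDisconnectAction         Shutdown -PeakDisconnectTimeout         15 `
    -OffPeakDisconnectAction      Shutdown -OffPeakDisconnectTimeout       5 `
    -PeakExtendedDisconnectAction Shutdown -PeakExtendedDisconnectTimeout 60 `
    -ShutdownDesktopsAfterUse     $true `
    -PeakBufferSizePercent        10 -OffPeakBufferSizePercent 0     # spare powered-on capacity

# A power time scheme is 24 booleans (peak hour?) and 24 integers (idle pool size per hour).
# Peak is 07:00-19:00 with a pool of 10; outside peak the pool is 0 (idle pool kept low).
$peakHours = 0..23 | ForEach-Object { $_ -ge 7 -and $_ -lt 19 }
$poolSize  = 0..23 | ForEach-Object { if ($_ -ge 7 -and $_ -lt 19) { 10 } else { 0 } }

# Replace existing schemes so these two are the only definition of "weekday" and "weekend".
Get-BrokerPowerTimeScheme -DesktopGroupUid $dg.Uid | Remove-BrokerPowerTimeScheme
New-BrokerPowerTimeScheme -DesktopGroupUid $dg.Uid -Name "$GroupName-weekdays" -DisplayName 'Weekdays' `
    -DaysOfWeek Weekdays -PeakHours $peakHours -PoolSize $poolSize | Out-Null
New-BrokerPowerTimeScheme -DesktopGroupUid $dg.Uid -Name "$GroupName-weekend" -DisplayName 'Weekend' `
    -DaysOfWeek Weekend -PeakHours ((,$false) * 24) -PoolSize ((,0) * 24) | Out-Null

# Confirm nothing still says Suspend before handing the group back to users.
Get-BrokerDesktopGroup -Name $GroupName |
    Select-Object Name, PeakDisconnectAction, OffPeakDisconnectAction,
                  PeakExtendedDisconnectAction, ShutdownDesktopsAfterUse, PeakBufferSizePercent
```

DaysOfWeek also accepts individual days, which is how the "default weekday and weekend definitions" are changed for sites whose working week is not Monday to Friday: create one scheme per set of days and make sure no day appears in two of them.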
• Three states:
• Permanently allocated and in use.
• Permanently allocated and unconnected (but ready).
• Unallocated and unconnected.
• Permanently allocated machines support power state timers only, not pools or buffers.
• All allocated VMs are turned on at the defined hour.
• Consider Start on demand through StoreFront.
• Users will wait while the desktop boots.
Key Notes:
• In Delivery Groups containing static machines, virtual Desktop OS machines can be:
• Permanently allocated and in use.
• Permanently allocated and unconnected (but ready).
• Unallocated and unconnected.
• During normal use, static Delivery Groups typically contain both permanently allocated and unallocated machines. Initially, all machines are unallocated (except for those manually allocated when the Delivery Group was created). As users
Additional Resources:
• Power Management of a Virtual Apps & Virtual Desktops Service Resource Location - https://www.citrix.com/blogs/2017/03/28/power-management-of-a-xenapp-xendesktop-service-resource-location/
• Only reboot schedules can be defined through Studio.
Key Notes:
• You can power manage only virtual Desktop OS machines in Azure.
• For Hosted Shared (Server OS) VDA machines, you can create a restart schedule, which is also described in this article.
• Autoscale can handle power management of Hosted Shared (Server OS) VDA machines; Autoscale is presented later in this module.
configured to ensure that the unused sessions are logged off, to allow the machines running the VDA to be powered down.
Key Notes:
• Using policies can reduce costs by disconnecting and logging off unused sessions; once all the sessions are drained, the VDAs can be shut down to save cost.
Additional Resources:
• Power Management of a Virtual Apps & Virtual Desktops Service Resource Location - https://www.citrix.com/blogs/2017/03/28/power-management-of-a-xenapp-xendesktop-service-resource-location/
• StoreFront may in some cases time out while attempting to launch an HDX session to a VDA that is powered off in Azure.
• Use the registry keys to ensure StoreFront allows adequate time for Desktop VDAs to power on and register with Delivery Controllers.
• DesktopServer\MaxSessionEstablishmentTimeSecs
• DesktopServer\ExtraSpinUpTimeSecs
Key Notes:
• When using an on-premises StoreFront deployment, additional timeout settings can be configured to ensure StoreFront allows enough time for the VDAs to start on demand in Azure.
• DesktopServer\MaxSessionEstablishmentTimeSecs
• DWORD
• 60 Seconds
• Time after which a session launch is assumed to have failed by the DDC if no active session has been established on
• This value is added to that specified by MaxSessionEstablishmentTimeSecs.
Additional Resources:
• Advanced store settings - https://docs.citrix.com/en-us/storefront/current-release/configure-manage-stores/advanced-store-settings.html
• Power Management of a Virtual Apps & Virtual Desktops Service Resource Location - https://www.citrix.com/blogs/2017/03/28/power-management-of-a-xenapp-xendesktop-service-resource-location/
• Registry Keys Documentation: https://support.citrix.com/article/CTX126704Registry?recommended
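Setting the two DesktopServer values above, as an added example (not from the course): the page gives only the relative key names, so the full path HKLM:\SOFTWARE\Citrix\DesktopServer on the Delivery Controller (the page says the DDC evaluates the timeout) and the 180/120-second values are assumptions for illustration. The script refuses to run where the key does not exist, exports the key before touching it so the change is reversible, and writes REG_DWORD values as the page specifies.

```powershell
# Added example, not from the course: raise the launch timeouts for VDAs that start on demand.
$KeyPath  = 'HKLM:\SOFTWARE\Citrix\DesktopServer'   # assumed full path of "DesktopServer\..."
$Settings = @{
    MaxSessionEstablishmentTimeSecs = 180   # page: 60 s default before the DDC treats the launch as failed
    ExtraSpinUpTimeSecs             = 120   # page: added on top of MaxSessionEstablishmentTimeSecs
}

if (-not (Test-Path $KeyPath)) {
    throw "$KeyPath is missing: run this on a Delivery Controller, not on a StoreFront server."
}

# Export the key first; reg.exe exists on every supported Windows build.
$backup = Join-Path $env:TEMP ('DesktopServer-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SOFTWARE\Citrix\DesktopServer' $backup /y | Out-Null
"Backup written to $backup"

foreach ($name in $Settings.Keys) {
    $before = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
    $shown  = if ($null -eq $before) { 'not set' } else { $before }
    # -Force overwrites an existing value and creates it when absent; DWORD as the page specifies.
    New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value $Settings[$name] -Force | Out-Null
    '{0}: {1} -> {2}' -f $name, $shown, $Settings[$name]
}

# Read back so the change is verified from the registry rather than assumed.
Get-ItemProperty -Path $KeyPath | Select-Object MaxSessionEstablishmentTimeSecs, ExtraSpinUpTimeSecs
```

Check the linked registry article for whether the Broker service must be restarted for the new values to take effect, and keep the two values proportional to the observed cold-boot-to-registration time of your Azure VM size rather than simply maximising them, since a launch that has genuinely failed is also held open for the full combined timeout.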
• Provides a high-performance solution, allowing for the configuration of multiple power management schedules based on weekdays, weekends and peak hours.
• Proactive power management of all registered Server and Desktop OS machines within a Delivery Group.
• Controls costs by powering machines with load-based or schedule-based power management.
• Supports a variety of cloud infrastructure platforms.
• Works with both Remote Desktop Services (RDS) and Virtual Desktop Infrastructure (VDI).
Key Notes:
• Autoscale supports a variety of cloud infrastructure platforms:
• Amazon Web Services (AWS)
• Citrix Hypervisor
• Google Cloud Platform
• Microsoft Azure Resource Manager
• Microsoft System Center Virtual Machine Manager
• Autoscale user interface for static VDI Delivery Groups
• Peak times:
• You can define the peak times for the days you applied in a selected schedule.
• Once you define the peak times, the remaining, undefined times default to off-peak times.
• By default, the 7:00 AM to 7:00 PM time slot is defined as peak times for the days included in the selected schedule.
Additional Resources:
• Autoscale: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/autoscale.html
• Hosts / virtualization resources: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/system-requirements.html#hosts--virtualization-resources
to migrate infrastructures that are currently using Smart Scale to the newer Autoscale technology.
• Migrations can be done:
• Manual
• Automated (via PowerShell scripting)
• Manual Migration:
• Recommended if the number of Delivery Groups is less than 10.
• Exports data from all Delivery Groups in Smart Scale and then imports the data to Autoscale, per Delivery Group.
• Involves manually configuring the Autoscale user interface in Citrix Studio by associating the Smart Scale user interface, per Delivery Group.
• Automated Migration:
• PowerShell scripts are run to import the data to Autoscale.
• Imported data includes defined schedules, machine cost, power-off delay, and capacity buffer.
• If Smart Scale is enabled, Autoscale is automatically enabled after script execution.
• Rollback of the migration is supported. Doing so restores your previous Smart Scale configuration.
Key Notes:
• For RDS Delivery Groups, if you enable both Autoscale and Smart Scale, only Autoscale will power manage the machines.
• You must run the migration outside of the times when Smart Scale is scheduled to power manage machines.
• Citrix recommends that you run the migration during off-peak times.
• Manual migration:
• It might be necessary to merge schedules, as Smart Scale allows the same day to be included in multiple schedules, but Autoscale does not.
• Migrating session count: to migrate the session count (the maximum number of sessions), use Group Policy.
• Automated migration (PowerShell scripting):
• Prerequisites:
• Windows PowerShell 3.0 or later is available on the machine within your resource location.
• The PowerShell script is granted write access to the folder where the GenerateScript.ps1 script is located.
• The Remote PowerShell SDK is installed on the machine within your resource location.
• The API key and secret password associated with the applicable user account are available. (To get the API key and secret password associated with a user account, go to Citrix Cloud > Smart Tools > Settings > My Profile.)
• Any existing schedules in Autoscale must be deleted.
• The generated PowerShell scripts have two name formats:
• For VDI Delivery Groups, the script names have the prefix “VDI-”.
• For RDS Delivery Groups, the script names have the prefix “RDS-”.
• If there are errors during script execution, you can review them in the logs in the “C:\Example\logs\currentRunTimeStamp” folder.
• A summary report is created for the scripts in the “C:\Example\GenerateScriptFolder\scripts\currentRunTimeStamp\” folder.
• A list of Group Policy settings to be configured.
• Important Notes:
• The Session count metric in Smart Scale lets you set a maximum number of sessions that are allowed on each machine in the Delivery Group. This configuration (MaxSessionsPerServer) is not imported into Autoscale by the migration scripts.
• To import the data, create a Group Policy setting (Citrix Studio > Policies > Create Policy) for the maximum number of sessions and then assign it to the applicable Delivery Group. Assign a higher priority to the policy compared to the existing ones.
• After migration, the schedules in Autoscale might not have a one-to-one mapping to the schedules defined in Smart Scale, because unlike Smart Scale, Autoscale does not allow the same day to be present in multiple schedules.
Additional Resources:
• Smart Scale to Autoscale Migration: https://support.citrix.com/article/CTX250034
• Autoscale: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/autoscale.html
Exercise 6-4: Verify the Machine Catalog update
Which is the only way you can power manage Server based VDAs?
Autoscale. Server VDAs cannot be power managed through Delivery Group properties in Studio.
control plane is maintained and operated by Citrix.
• The VDAs are owned and maintained by the customer or a Citrix partner.
• Autoscale is a tool in Citrix Cloud that can assist in power managing VDAs.
Deploy a Successful POC
Module 7
Proof Of Concept (POC).
successful POC
• Select the deployment method for the POC.
• Forklift
• Extend on-premises to Azure
• Citrix Cloud with Azure resource locations
• Select the regions in Azure.
• Select the Network, VPN and Access strategy.
• ExpressRoute is expensive for a POC
• Configure:
• Data and file shares
• Apps and databases
• Profiles and redirected folders
• And more
Key Notes:
• Forklift migration consists of migrating all on-premises resources into Azure.
• Extending your on-premises infrastructure to Azure would result in a hybrid on-premises and Azure solution.
• Deploying Citrix Cloud with Azure would result in a Citrix Cloud and Azure hybrid solution.
• Remember, always keep the user data close to the users for the best user experience and to minimize latency.
• Remember, always perform application migration assessments, database dependency analysis, and more during the design phase.
specifications and their cost.
• Remember:
• Storage – replication, size, and speed
• Bandwidth – egress = cost
• VPN – to on-premises and other regions
• Hours – deallocate resources to save money
• High Availability
https://costcalculator.azurewebsites.net/costCalculator
Additional Resources:
• Virtual Apps and Virtual Desktops on Azure Cost Calculator: https://costcalculator.azurewebsites.net/estimate
• Azure
• Citrix Cloud
2. Design AD in Azure.
• Azure AD DS.
• On-premises domain in Azure, child domain, new forest + trust.
3. Build Networks, RGs, SAs, and VMs in Azure.
4. Configure VPN to on-premises.
5. Configure Cloud Connectors or Delivery Controllers.
6. Configure VDAs, Catalogs and Delivery Groups.
7. Configure the Access layer.
• Deploy StoreFront and Citrix Gateway.
• Use Workspace and Citrix Gateway as a Service.
Key Notes:
• The first step in starting a POC is to get trial accounts for the different services.
• An Azure trial account is easy – all you need is a credit card, and you will receive a 200 USD usage credit.
• Citrix Cloud Service trials can be requested from Citrix.Cloud.com – each request is evaluated before approval.
• Decide how you want your Active Directory deployment to be designed. Creating a stand-alone Active Directory in Azure is the easiest way to get a POC started.
• Azure AD DS is easy and cheap but has some limitations compared to a full AD in Azure.
• Storage Accounts are being replaced by Azure Managed Disks, but should still be considered in the design because they can reduce the storage cost compared to Managed Disks.
• If you need VPN connectivity to on-premises, ensure that your VPN device is supported and, if necessary, work with the network team to create the connectivity.
• Deploy Cloud Connectors or Delivery Controllers in Azure, depending on your design.
• For example:
• Deploy a pair of Cloud Connectors or Delivery Controllers per resource location.
• Deploy a pair of Cloud Connectors or Delivery Controllers per Active Directory when the machines running the VDA and the users are in separate forests.
• Configure the Master VDAs in Azure or upload your on-premises VDA image, depending on your design.
• Create Catalogs and Delivery Groups to meet the desired POC solution. Add your test users to the Delivery Groups.
• Deploy StoreFront and Citrix ADC in Azure or use Citrix Cloud Workspace + Citrix Gateway as a Service to enable users to launch their resources.
Additional Resources:
• Create your Azure free account today - https://azure.microsoft.com/en-us/free/
• Go to onboarding.cloud.com.
• Fill out the form or log in with an existing account.
• Cloud trials are manually approved.
• Non-legitimate requests will not be approved.
• Contact your local Citrix rep if the request is not approved within 7 days.
Key Notes:
• Remember that these Cloud Service trial requests are manually approved because Citrix incurs a cost for running each trial.
• Trial requests that do not reflect a legitimate business/customer/partner are not likely to be approved.
Azure approval is automatic.
• Go to azure.microsoft.com/en-us/free/
• Create a Microsoft account or log on with an existing account.
• Add a credit card; you will not be billed automatically after expiration.
• 200 $ credits and 30 days.
• Many free services and products.
• Some scalability limitations may apply to an Azure free trial account.
Key Notes:
• There are a number of limitations in the free Azure trial account – one of the biggest limitations is that only 4 vCPU cores can run at any time.
• Consider changing to a Pay-As-You-Go Azure subscription to do a full POC.
• GitHub ARM templates are available from Citrix to deploy complete trial environments in Azure.
Recommended Reading List
Azure-Cloud.
• Whitepaper Virtual Apps 7.11 Scalability Azure RM.
• Blog: seamlessly extend your existing Virtual Apps deployment into Microsoft Azure.
• Azure Resource Manager Templates for Citrix Cloud Workloads.
• Apps and Desktops Trial Checklist.
• Azure Quick Deploy.
• Scalability Considerations for Using the Virtual Apps and Virtual Desktops Local Host Cache Feature with Citrix Cloud Connector.
Additional Resources:
• The fastest POC in the cloud - Virtual Apps in the Azure marketplace - https://www.citrix.com/blogs/2016/03/28/the-fastest-poc-in-the-cloud-xenapp-in-the-azure-marketplace/
• Whitepaper Virtual Apps 7.11 Scalability Azure RM - https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/xa711-scalability-azure-rm.pdf
• Blog seamlessly extend your existing Virtual Apps deployment into Microsoft Azure -
trials.html
• Azure Quick Deploy - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/install-configure/azure-quick-deploy.html
• Scalability Considerations for Using the Virtual Apps and Virtual Desktops Local Host Cache Feature with Citrix Cloud Connector - https://docs.citrix.com/en-us/citrix-cloud/downloads/xenapp-xendesktop-local-host-cache-cloud-connector-scalability.pdf
Diagram: Citrix Cloud with an Azure resource location. Citrix Cloud hosts the Delivery Controller, Site Database, License Server, Workspace, Director and Studio; the Azure subscription holds Cloud Connectors, Active Directory, Citrix Gateway, StoreFront, a Storage Account with the Win10 and Win2016 master images, and the VDAs; users connect through Citrix Gateway and admins manage through the Azure Portal with a Service Principal.
Key Notes:
• We have built 2 Cloud Connectors, a Master VDA, a manually installed VDA, two Machine Catalogs, two Delivery Groups, StoreFront and Citrix ADC in Azure.
Diagram: Forklift to Azure. The whole site moves into one Azure resource location: Delivery Controller, Site Database, License Server, AD Server, StoreFront, Citrix Gateway, a Storage Account with the Win10 and Win2016 master images, and the VDAs. External and internal users connect through Citrix Gateway and StoreFront; Data and Apps that remain on-premises are reached over VPN tunnels; admins use the Azure Portal, PowerShell and a Service Principal.
Key Notes:
• The forklift architecture is similar to an on-premises deployment; all the infrastructure, such as Delivery Controllers, Databases, License Server, StoreFront, and Citrix ADC, is hosted within the Azure subscription.
• With this deployment method, you are not gaining any of the Citrix Cloud benefits, and you are responsible for maintaining and upgrading all the infrastructure servers as if they were deployed on-premises.
Diagram: Extend on-premises to Azure. The on-premises datacenter keeps its Delivery Controllers, Site Database, License Server, Active Directory Server, StoreFront, Citrix Gateway, Director, Studio and Win2016 VDAs; the customer Azure subscription adds Citrix Gateway, StoreFront, a Storage Account with the Win10 and Win2016 master images, and VDAs; the two are joined by VPN tunnels, and admins use PowerShell, the Azure Portal and a Service Principal.
Key Notes:
• The extended model is ideal for customers who have maxed out their on-premises capacity and do not want to invest in additional infrastructure in their datacenters, or for customers making a slow move to Azure, potentially moving certain user groups at a time.
• The model also makes a lot of sense for seasonal workers, where capacity is only needed during certain times of the year.
Diagram: Citrix Cloud with Azure as the resource location. Citrix Cloud hosts the Delivery Controller, Site Database, License Server, Workspace, Director and Studio; the Azure subscription holds Cloud Connectors, AD Server, Citrix Gateway, StoreFront, a Storage Account with the Win10 and Win2016 master images, and the VDAs; admins use PowerShell, the Azure Portal and a Service Principal.
Key Notes:
• Citrix Cloud with Azure as the resource location can be designed in a number of different ways.
• The benefits of this deployment method are:
• Avoid the overhead of managing and maintaining the brokering infrastructure.
• Gain access to Workspace and Citrix Gateway as a Service with worldwide points of presence without having to maintain the expensive and complex Citrix ADC infrastructure.
• Utilize Azure to deploy apps and desktops close to the users.
and which obstacles have you identified?
If you’re doing a POC of Citrix Cloud with Azure as a resource location and no VDAs on-premises, do you need to deploy Cloud Connectors on-premises?
No, only in a situation where you have a separate AD forest in Azure and you establish trusts to your on-premises AD.
Key Notes:
• The only reason to deploy Cloud Connectors in locations that do not have VDAs is to enable AD authentication to a separate AD forest.
• Another example of deploying Cloud Connectors on-premises would be to enable access to local applications that cannot be migrated into Azure; in that situation, customers would also need VDAs deployed on-premises.
before registering for the Azure trial account.
• This class will cover the different techniques and procedures used to secure a Citrix Virtualization solution, including Virtual Apps and Desktops, Citrix ADC and Citrix Endpoint Management.
• CNS-220: Citrix ADC 12.x Essentials and Traffic Management
• This class will cover key Citrix ADC capabilities such as high availability, security and performance, and explore SSL offload, load balancing and monitoring.
• CNS-222: Citrix ADC 12.x Essentials and Unified Gateway
• This class will cover Citrix ADC essentials, including secure load balancing, high availability and operations management, and also focuses on Unified Gateway and Citrix Gateway.
How likely is it you would recommend Citrix Courses to a friend? (0 = Not at all Likely, 10 = Extremely Likely; 0–6 Detractor, 7–8 Passive, 9–10 Promoter)