CXD-251-3I: Citrix Virtual Apps and Desktops Service on Microsoft Azure

Table Of Contents

Module 0 - Course Introduction.................................................................................................................................................................2


Module 1 - Citrix Virtual Apps and Desktops on Microsoft Azure Overview............................................................................................24
Define IaaS..................................................................................................................................................................................26

N
Citrix Virtual Apps and Desktops Azure Models.........................................................................................................................34

ot
Azure Basics................................................................................................................................................................................47
Azure Management.....................................................................................................................................................................71

fo
Azure Locations...........................................................................................................................................................................80

rr
Module 2 - Virtual Apps and Desktops Azure Active Directory Integration.............................................................................................88

es
Active Directory Basics................................................................................................................................................................90
Active Directory Usage..............................................................................................................................................................100

al
Connecting On-premises AD to Azure......................................................................................................................................114

e
Azure Role Based Access Control............................................................................................................................................125

or
Module 3 - Connecting to Microsoft Azure............................................................................................................................................153
Azure Connectivity.....................................................................................................................................................................155

di
Cloud Connector in Azure.........................................................................................................................................................181

s tri
Creating Azure Host Connections.............................................................................................................................................199
Module 4 - Deploy Apps and Desktops using Machine Creation Services (MCS)................................................................................218

b ut
Master Image Preparation.........................................................................................................................................................220
Machine Creation Services........................................................................................................................................................240

io
Considerations...........................................................................................................................................................................260

n
Module 5 - Providing Access to End Users...........................................................................................................................................281
StoreFront Locations.................................................................................................................................................................283
Citrix ADC and Citrix Gateway Location Considerations...........................................................................................................297
Connecting to the Closest Resources.......................................................................................................................................314
Module 6 - Maintaining Infrastructure and VDAs in Microsoft Azure.....................................................................................................324
Maintaining Infrastructure..........................................................................................................................................................326
Maintaining VDAs......................................................................................................................................................................341
Power Management..................................................................................................................................................................363
Module 7 - Deploy a Successful POC...................................................................................................................................................383
The next steps to start a successful POC.................................................................................................................................385

Citrix Virtual Apps and Desktops Service on Microsoft Azure
Course Introduction
Module 0

CXD-251-2I: October 11, 2021
Lab Manual v3.3

2 © 2021 Citrix Authorized Content


Course Overview

• Prepare the Azure environment for secure integration with Virtual Apps and Desktops.
• Integrate Citrix Cloud and Virtual Apps and Desktops with Microsoft Azure Active Directory.
• Deploy and manage Virtual Delivery Agent machines in Microsoft Azure using Machine Creation Services.
• Design Machine Catalogs and virtual machines on Microsoft Azure Resource Manager.
• Provide remote access with Citrix StoreFront and Citrix Gateway on Microsoft Azure.


Citrix Workspace

Drive digital transformation with an intelligent workspace platform.


App Delivery and Security

Formerly Networking


Student Introduction

Introduce yourself to the class. Include the following information:

• Name and company
• Job title
• Job responsibility
• Networking and Virtualization experience
• Citrix hardware and software experience
• Class expectations


Facilities

Review:

• Parking and transportation information
• Class policies
• Break and lunch schedules
• Emergency contact information


Course Prerequisites

• CWS-215 or experience deploying and managing Virtual Apps and Desktops 7 in an on-premises or cloud environment.
• CXD-250-2I or experience with Citrix Cloud.
• Basic knowledge of the Microsoft Azure platform including:
  • Virtual machine management
  • Azure Resource Manager portals
  • Storage
  • Networking


Course Outline – Day 1

• Module 1: Virtual Apps and Desktops on Azure Overview
• Module 2: Virtual Apps and Desktops Azure Active Directory Integration
• Module 3: Connecting to Microsoft Azure
• Module 4: Deploying Apps and Desktops using Machine Creation Services


Course Outline – Day 2

• Module 4: Deploying Apps and Desktops using Machine Creation Services (continued)
• Module 5: Providing Access to End Users
• Module 6: Maintaining Infrastructure and VDAs in Microsoft Azure


Cloud Disclaimer

• Both Citrix Cloud and Azure change frequently.
• Additional features and functionalities are added every month.
• Lab guide steps and slide screenshots may not match the consoles.
• Power down Azure VMs after class each day.


Citrix Class Labs Connection Overview Process

[Diagram: Class Experience and Citrix Class Lab Access. Citrix Classroom Support, CCI/CALC, the Student Endpoint with an RDP client, the Citrix Class Labs Lab Host and the Student Desktop, with numbered steps 1 to 6 matching the key notes below.]

Key Notes:
• Students access the labs in this course not via the Training.Citrix.Com MyTraining tab (where the manuals are accessed), but rather via connection information shared directly with the student, either from the Citrix Certified Instructor (CCI) or from the Citrix Authorized Learning Center (CALC) that is hosting the class.
• The following step-by-step explains the process:
1. Citrix Classroom Support provisions the labs for the students.
2. Citrix Classroom Support sends the connection information for all registered students under the class SRK link to both the CALC and the CCI.
3. The CALC and/or the CCI will send the lab connection information directly to the students when the class begins.
4. Students will use the connection information and, if necessary, download an RDP client for this connection.
5. The Student Endpoint makes an RDP connection to the Citrix Class Labs.
6. The Student Desktop is explained in the Lab Manual. All labs will be performed using tools and consoles from this desktop.


Lab Requirements

• Check connectivity to the environment and report any issues.
• All lab environment details are also provided in the lab guide.

[Diagram: Lab environment. Citrix Cloud (Infrastructure: Delivery Controller, Site Database, License Server, Workspace; Management: Director, Studio) and Azure US East (Access: Citrix Gateway, StoreFront; VDAs: Win2016 and Win10 master images; Infrastructure: Cloud Connectors, Active Directory, Storage Account; Management: Azure Portal, Service Principal, Admin).]


Student Desktop

• Remote Desktop Connection Manager for general management.
• ARM Console for virtual machine management and power operations.


Remote Desktop Connection Manager

• Preconfigured for your lab environment.
• Main access point for lab exercises.
• Easy to copy/paste.


Azure Resource Manager

• Create virtual machines.
• Manage storage, networks, and virtual machines.
• Power operations.


Printing

• You can download, save, and print electronic courseware.
• To print, click Student Resources > Courseware > Student Manual > Launch.


Classroom Support

1. Navigate to training.citrix.com
2. Click on the “Contact Us” dropdown.
3. Select “Classroom Support”.


Training you might also like

• CWS-315: Citrix Virtual Apps and Desktops 7 Advanced Administration
  • This class will cover the use of Workspace Environment Management, Citrix Provisioning, Application Layering, advanced features, and troubleshooting tools.
• CNS-220: Citrix ADC 12.x Essentials and Traffic Management
  • This class will cover key Citrix ADC capabilities such as high availability, security and performance, and explore SSL offload, load balancing and monitoring.
• CNS-222: Citrix ADC 12.x Essentials and Unified Gateway
  • This class will cover Citrix ADC essentials, including secure load balancing, high availability and operations management, and focuses on Unified Gateway and Citrix Gateway.


Looking Ahead: End of Course Survey

Your opinion matters! Help shape the next course. Tell us what you liked! What can we do better?


Citrix Measures your Feedback with NPS
How is Net Promoter Score Calculated?

How likely is it you would recommend Citrix Courses to a friend? Answers are given on a scale from 0 (Not at all Likely) to 10 (Extremely Likely), and respondents are grouped into Detractors, Passives and Promoters.


Connect with Citrix Education

• Facebook: Become a fan of Citrix Services
• Twitter: Follow @citrixservices
• LinkedIn: Join the Citrix Education Group

Visit http://training.citrix.com to find more information on training, certifications, and exams.


Citrix Virtual Apps and Desktops Service on Microsoft Azure
Citrix Virtual Apps and Desktops on Microsoft Azure Overview
Module 1


Learning Objectives

• Define Infrastructure as a Service.
• Identify Virtual Apps and Desktops Azure Deployment Models.
• Review the Azure Components.
• Examine Azure Management.
• Confirm the Azure Datacenter Locations.


Define IaaS


What is IaaS, PaaS and SaaS?

• IaaS is an instant computing infrastructure, provisioned and managed over the Internet.
• It allows you to quickly scale up and down with demand, while only paying for the compute power you use.

[Diagram: stacked layers SaaS, PaaS and IaaS above a row of components: Hosted Application; Development tools, database management, business analytics; Operating systems; Servers and storage; Networking firewall/security; Data center physical plant/building.]

Key Notes:
• IaaS:
  • Infrastructure as a Service (IaaS) is an instant computing infrastructure provisioned and managed over the Internet, allowing you to quickly scale up and down with demand and pay only for what you use.
  • IaaS helps you avoid the expense and complexity of buying and managing your own physical servers and other datacenter infrastructure. Each resource is offered as a separate service component, and you only need to rent a particular one for as long as you need it. The cloud computing service provider manages the infrastructure, while you purchase, install, configure, and manage your own software—operating systems, middleware, and applications.
• PaaS:
  • Platform as a Service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications.
  • Like IaaS, PaaS includes infrastructure—servers, storage, and networking—but also middleware, development tools, Business Intelligence (BI) services, database management systems, and more. PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating.
• SaaS:
  • Software as a Service (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and other business software (such as Microsoft Office 365).
  • SaaS provides a complete software solution that you purchase on a pay-as-you-go basis from a cloud service provider. You rent the use of an app for your organization, and your users connect to it over the Internet.
• IaaS avoids the expense of purchasing and setting up hardware: we move from a procurement model to one where time to value is greatly reduced and capacity can be scaled up or down quickly, for example to allow for bursts. Looking at this from a control perspective, the data center is managed by the IaaS vendor (the blue items in the diagram are managed by the vendor), but you retain OS control and can power machines up and down. With PaaS you do not have OS power options, because the OS could be multi-tenant, but PaaS is a good solution for web apps. The level of control is a very important aspect in understanding the differences between each model.

Additional Resources:
• What is IaaS? https://azure.microsoft.com/en-us/overview/what-is-iaas/
• What is PaaS? https://azure.microsoft.com/en-us/overview/what-is-paas/
• What is SaaS? https://azure.microsoft.com/en-us/overview/what-is-saas/


What is Citrix Cloud?

[Diagram: Citrix Cloud (Citrix Virtual Apps and Desktops Service with Citrix Gateway Service) communicates over HTTPS / API Calls with a Cloud Connector in the customer resource location, which also hosts the Active Directory Server, Server OS VDAs and Desktop OS VDAs.]

• Citrix Cloud includes a growing number of services including:
  • Virtual Apps and Desktops Service
  • Citrix Endpoint Management Service
  • Secure Browser
  • Citrix Content Collaboration
  • App Layering Service
  • Citrix Gateway Service
  • And many more…
• The Citrix Cloud Virtual Apps and Desktops Service is essentially a platform as a service.
• Citrix hosts and operates the platform and services.
• The customer hosts and operates the applications, data, networks, and VDAs.

Key Notes:
• Citrix Cloud is a Platform as a Service that hosts and administers Citrix services. It connects to your resources, via the Citrix Cloud Connector, on any cloud or infrastructure you choose. It allows you to create, manage, and deploy workspaces with apps and data to your end-users from a single console.
• Citrix Services included are:
  • Virtual Apps and Desktops
    • Deliver secure virtual apps and desktops to any device, and leave the product installation, setup, configuration, upgrades and monitoring to Citrix.
  • Virtual Apps Secure Browser
    • Deliver secure remote access to web and SaaS applications from the cloud with zero endpoint configuration.
  • Citrix Endpoint Management Service
    • Provide cloud-based, comprehensive Enterprise Mobility Management (EMM) – including Mobile Device Management (MDM), mobile application management and enterprise-grade productivity apps.
  • Citrix Content Collaboration Service
    • Meet the mobility and collaboration needs of employees and the data security requirements of the enterprise with this secure enterprise file sync and sharing service.
  • Citrix Gateway Service
    • Citrix Gateway Service is a cloud-based offering that is simple to deploy and manage, ensures security and availability of Virtual Apps and Desktops resources on any network, and provides an excellent user experience.
  • Citrix Cloud Labs Service
    • These services are new experimental product features, exposed within Citrix Cloud for customers to test and evaluate. The services are not supported by Citrix.

Additional Resources:
• Citrix Cloud Overview - https://docs.citrix.com/en-us/citrix-cloud/overview.html
• About Citrix Cloud - http://docs.citrix.com/en-us/citrix-cloud/overview/about.html


What is Microsoft Azure?

• Leading IaaS vendor.
• Datacenters in 55 regions and 140 countries.
• A framework that can support both on-premises and cloud deployments.
• Comprehensive compliance with Azure Government.
• Used by 90% of Fortune 500.
• Supports a broad selection of operating systems, programming languages, frameworks, databases, and devices.
• Powerful add-on to Citrix Cloud for hosting resources.

Key Notes:
• Microsoft Azure is a growing collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of datacenters managed by Microsoft.
• Azure Government has an ongoing commitment to maintaining the most certifications and attestations for mission-critical government workloads. Azure has engineered its datacenters to meet or exceed the complex and critical requirements for US Federal, Department of Defense, state, and local government.

Additional Resources:
• What is Azure? - https://azure.microsoft.com/en-us/overview/what-is-azure/
• Azure Government - https://azure.microsoft.com/en-us/overview/clouds/government/
• Azure Regions - https://azure.microsoft.com/en-us/regions/


Lesson Objective Review

Where are the applications and data typically stored when using Citrix Cloud with Azure as a resource location?

The applications and data remain within the customer's control and will as such be located either in the customer's Azure subscription or in their on-premises datacenter.


Citrix Virtual Apps and Desktops Azure Models


Citrix Virtual Apps and Desktops Service with Azure

[Diagram: Users connect to a Resource Location made up of Citrix Cloud (Infrastructure: Delivery Controller, Site Database, License Server, Workspace; Management: Director, Studio, PowerShell) and the Customer Azure Subscription (Access: Citrix Gateway, StoreFront; VDAs: Win10 and Win2016 master images; Infrastructure: Cloud Connectors, AD Server, Storage Account; Management: Service Principal, Azure Portal, PowerShell, Admin).]

• Control plane hosted by Citrix.
• Everything else is customer-managed and Azure hosted.

Key Notes:
• Citrix Virtual Apps and Desktops with Azure as the resource location is the primary focus of the CXD-251 course. CXD-252 combines Citrix Cloud, Azure, and on-premises resource locations.
• All the brokering is done within Citrix Cloud. Citrix deploys, maintains and updates the control plane, and we utilize the Azure plugin to deploy Machine Catalogs into Azure, leveraging the Azure API to deploy VDAs, copy disks, power manage VDAs and de-allocate the VDAs when they are no longer needed.
• The Delivery Controllers hosted in Citrix Cloud will use the Service Principal in Azure for all communication with the Azure API.
• VDAs will register with the Cloud Connectors, which in turn will forward all the registration attempts to the Delivery Controllers in Citrix Cloud.
• In addition to the VDAs being placed in Azure, we also need Cloud Connectors and Active Directory deployed in Azure as a minimum.
• Depending on the design, users will either authenticate to the access layer in Citrix Cloud or to Citrix ADC and StoreFront deployed in the Azure resource location.
• Any user authentication made in Citrix Cloud will be sent back to the Cloud Connectors, which will then authenticate the user credentials against the Active Directory.


Complete Move/Forklift

[Diagram: External Users and on-premises Internal Users (via Tunnel) connect to the Customer Azure Subscription, which hosts Access (Citrix Gateway, StoreFront), VDAs (Win10 and Win2016 master images), a Storage Account, Infrastructure (License Server, Delivery Controller, AD Server, Site Database) and Management (Azure Portal, PowerShell, Service Principal, Admin).]

• All components hosted in Microsoft Azure.
• Also called the forklift model.

Key Notes:
• A forklift approach constitutes moving the entire Citrix stack from on-premises into Azure.
• Using this approach, you will deploy and maintain your own Delivery Controllers and will not be using Cloud Connectors, since you are not using Citrix Cloud.
• Ensure that your design includes HA on all the components.
• By moving the full stack to Azure, you will also need to host and maintain the SQL databases in Azure, which might lead to higher complexity compared to Citrix Cloud.
• While the graphic shows Citrix ADC and StoreFront being deployed in Azure, those components could also be deployed in the on-premises network.


Extend Environment

[Diagram: Users connect to the On-premises datacenter (Infrastructure: Delivery Controller, Active Directory, Site Database, License Server; VDAs: Win2016; Access: StoreFront, Citrix Gateway; Management: Director, Studio, PowerShell) and, via Tunnel, to the Customer Azure Subscription (Access: Citrix Gateway, StoreFront; VDAs: Win10 and Win2016 master images; Infrastructure: Delivery Controller, Storage Account; Management: Azure Portal, PowerShell, Service Principal, Admin).]

• One or more Citrix Virtual Apps and Desktops Zones in Azure.
• The Database and Primary Zone on-premises.
• StoreFront and Citrix ADC considerations.

Key Notes:
• The extend approach involves creating a new Zone in your on-premises Citrix Virtual Apps and Desktops infrastructure. This new Zone will be in Azure, and you will then deploy additional Delivery Controllers and optionally StoreFront and Citrix ADCs in Azure.
• After getting the infrastructure in place, you can then use the Azure plugin to deploy MCS catalogs to Azure directly from Studio.
• Much like the forklift method, you are deploying the on-premises product and will not need Cloud Connectors.
• All maintenance and updates will be handled by you.
• To be successful in this deployment, you will most likely need a VPN between on-premises datacenters and Azure.
• Consider where the apps and data will be stored and the latency and bandwidth involved in accessing apps and data.


Disaster Recovery

[Diagram: Users connect to the On-premises datacenter (Infrastructure: Delivery Controller, Site Database, License Server; VDAs: Win2016; Access: StoreFront, Citrix Gateway; Management: Director, Studio, PowerShell) and, via Tunnel, to a duplicate site in the Customer Azure Subscription (Access: Citrix Gateway, StoreFront; VDAs: Win2016 and Win10 master images; Infrastructure: Delivery Controller, Site Database, License Server, Storage Account; Management: Azure Portal, PowerShell, Service Principal, Admin).]

• Duplicate site.
• Deallocate to save money.
• Measure time to boot.
• Consider access and automation.

Key Notes:
• Using Azure as the Disaster Recovery datacenter is almost the same design as extending the environment, except we can de-allocate the resources while they are not being used.
• De-allocating the resources means that we will only be paying for Storage in Azure while the VMs are not running.
• Ensure you have a process in place for spinning up the Disaster Recovery Zone, and make sure the process is tested.
• A large number of VMs might take longer to spin up in Azure than on on-premises hypervisors.
• Microsoft does not have endless idle capacity, so this might not work for deployments above 1000 VMs.
• For larger deployments, Microsoft recommends reserved instances to ensure availability, which means additional cost.
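As an added example (not part of the course material or the lab manual), the following Azure PowerShell script exercises the Disaster Recovery model described above: it boots the duplicate site tier by tier, records how long each tier took to start, and deallocates everything afterwards so that only storage is billed between drills. The resource group name `rg-cvad-dr`, the `DrBootOrder` tag and the idea of ordering tiers by that tag are assumptions of this example.

```powershell
# Added example, not Citrix course code. Requires the Az PowerShell module.
# Assumption: DR VMs live in one resource group and carry a 'DrBootOrder' tag
# whose value is a small integer (0 = Active Directory / Site Database,
# 1 = Delivery Controllers, 2 = StoreFront / Citrix Gateway, 3 = VDAs).
#Requires -Modules Az.Compute

param(
    [string]$ResourceGroupName = 'rg-cvad-dr',   # assumed DR resource group
    [string]$TagName           = 'DrBootOrder'   # assumed tag: lower value boots first
)

function Get-DrVms {
    # Return the DR VMs with their current power state, ordered by boot tier.
    # Only tagged VMs are returned, so untagged VMs in the group are never touched.
    param([string]$ResourceGroupName, [string]$TagName)
    Get-AzVM -ResourceGroupName $ResourceGroupName -Status |
        Where-Object { $_.Tags -and $_.Tags.ContainsKey($TagName) } |
        Sort-Object { [int]$_.Tags[$TagName] }, Name
}

function Start-DrZone {
    # Start one tier at a time (all VMs of a tier in parallel) and measure the
    # wall-clock time per tier, so "time to boot" becomes a recorded number.
    param([string]$ResourceGroupName, [string]$TagName)
    $vms = Get-DrVms -ResourceGroupName $ResourceGroupName -TagName $TagName
    $results = @()
    foreach ($tier in ($vms | Group-Object { $_.Tags[$TagName] })) {
        # Skip VMs that are already running (e.g. a partially completed drill).
        $pending = @($tier.Group | Where-Object { $_.PowerState -ne 'VM running' })
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $jobs = $pending | ForEach-Object {
            Start-AzVM -ResourceGroupName $ResourceGroupName -Name $_.Name -AsJob
        }
        if ($jobs) {
            $done = $jobs | Wait-Job | Receive-Job
            # Surface failed starts instead of silently moving on to the next tier.
            $done | Where-Object { $_.Status -ne 'Succeeded' } |
                ForEach-Object { Write-Warning "Start failed in tier $($tier.Name): $($_.Error)" }
        }
        $sw.Stop()
        $results += [pscustomobject]@{
            Tier    = $tier.Name
            Started = ($pending.Name -join ', ')
            Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        }
    }
    $results
}

function Stop-DrZone {
    # Deallocate (not merely power off): Stop-AzVM without -StayProvisioned
    # releases the compute, so only the disks in the Storage Account are billed.
    param([string]$ResourceGroupName, [string]$TagName)
    Get-DrVms -ResourceGroupName $ResourceGroupName -TagName $TagName |
        Where-Object { $_.PowerState -ne 'VM deallocated' } |
        ForEach-Object { Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $_.Name -Force -AsJob } |
        Wait-Job | Receive-Job
}

# Drill run: interactive sign-in here; an unattended drill would sign in with the
# Service Principal shown in the diagram instead.
Connect-AzAccount | Out-Null
Start-DrZone -ResourceGroupName $ResourceGroupName -TagName $TagName | Format-Table -AutoSize
Stop-DrZone  -ResourceGroupName $ResourceGroupName -TagName $TagName | Out-Null
```

The per-tier timings give the "measure time to boot" figure the slide asks for, and rerunning the drill after each change to the DR site keeps the process tested rather than assumed.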

Additional Resources:
• Disaster Recovery for Citrix Virtual Apps Made Easy with Azure Site Recovery -
https://www.citrix.com/blogs/2016/12/19/disaster-recovery-for-xenapp-made-easy-with-azure-site-recovery/



Citrix Virtual Apps and Desktops Essentials

[Diagram: Users connect to Citrix Cloud (Infrastructure: Delivery Controller, Site Database, License Server, Workspace; Management: Director, Studio) and the Customer Azure Subscription (Access: Citrix Gateway; VDAs: Win10 and Win2016 master images; Infrastructure: Cloud Connectors, Active Directory, Storage Account; Management: Azure Portal, Service Principal, Admin).]

• Simple solution.
• Buy from the Azure marketplace.
• Bring your own image.
• Replaces Microsoft RemoteApp.

Key Notes:
• Citrix Virtual Apps Essentials Service allows you to deliver Windows applications from Microsoft Azure to any user on any device. The service combines the industry-leading Virtual Apps service with the power and flexibility of Microsoft Azure. The service is recommended by Microsoft as the replacement for Azure RemoteApp.
• Citrix Virtual Desktops Essentials Service is designed specifically for the Azure Marketplace. Citrix and Microsoft partner to deliver an integrated experience for Citrix Virtual Desktops Essentials and Azure IaaS. This partnership gives you a single interface to deliver a complete Windows 10 digital workspace from Azure.
• The two products have been optimized to reduce administrator complexity.
• Administrators can upload their own image and create Machine Catalogs and Delivery Groups with just a few clicks.

Additional Resources:
• Citrix Virtual Desktops Essentials - https://docs.citrix.com/en-us/citrix-cloud/citrix-virtual-desktops-essentials
• Citrix Virtual Apps Essentials - https://docs.citrix.com/en-us/citrix-cloud/citrix-virtual-apps-essentials
• Citrix Virtual Apps Essentials Service – Frequently Asked Questions - https://www.citrix.com/global-partners/microsoft/resources/citrix-virtual-apps-essentials-faq.html
• Citrix Virtual Desktops Essentials Service – Frequently Asked Questions - https://www.citrix.com/global-partners/microsoft/resources/citrix-virtual-desktops-essentials-faq.html


What Are We Going To Build? The Course Lab Plan

[Diagram: Citrix Cloud (Infrastructure: Delivery Controller, Site Database, License Server, Workspace; Management: Director, Studio) and Azure US East (Access: Citrix Gateway, StoreFront; VDAs: Win2016 and Win10 master images; Infrastructure: Cloud Connectors, Active Directory, Storage Account; Management: Azure Portal, Service Principal, Admin). VMs drawn in gray are not deployed in the lab.]

Key Notes:
• To fit as much learning as possible into two days, the gray VMs are not being deployed; however, they have been included in the diagram as a reference for leading practices.


Lesson Objective Review

What is the biggest difference between Extend and Disaster Recovery?

Extending to Azure is typically a new Zone within the on-premises site.
A Disaster Recovery is typically a separate site with a separate SQL database.


Azure Basics


Azure Agreements, Accounts, and Subscriptions

• Enterprise customers typically have an Enterprise Enrollment, which is the top-most resource in the hierarchy and is associated with one or more accounts.
• For consumers and customers without an Enterprise Enrollment, the top-most resource is the account.
• Subscriptions are associated to accounts, and there can be one or more subscriptions per account. Azure records billing information at the subscription level.

[Diagram: example hierarchy. Agreement: Workspacelab. Accounts: AMERICAS, EUROPE, ASIA. Subscriptions under the accounts (one column per account): IT-Production, IT-Testing, IT-R&D, Development, HR, QA, Finance, Sandbox.]

Key Notes:
• To work with Azure, you need one or more Azure subscriptions, and Azure subscriptions are owned by an account.
• Enterprise customers typically have an Azure agreement, allowing them to create multiple accounts.
• Resources like virtual machines (VMs) or virtual networks exist in those subscriptions.
• There are advantages and disadvantages to having dedicated subscriptions for Citrix components.
• Having a dedicated subscription for each department, such as Citrix, means that it is easier to provide the Citrix Hosting Connection with full permissions to the subscription.
• Sharing subscriptions between different departments/functions typically forces customers to implement stricter access control.

Additional Resources:
• Azure Subscriptions and Accounts - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/infrastructure-subscription-accounts-guidelines


Networking

[Diagram: the on-premises network connected to the Azure network stack by an Express Route circuit (ISP GW) and by a Site to Site VPN (VPN GW to VPN GW). In Azure: Region A and Region B, each containing vNets with Public IPs, Subnets and a Gateway Subnet; vNets within a region connected by vNet to vNet Peering, vNets across regions connected by a vNet to vNet VPN and by Global vNet Peering.]

Key Notes:
• Virtual networks are necessary to support communications between virtual machines (VMs). You can define subnets, custom IP address ranges, DNS settings, security filtering, and load balancing.
• By using a VPN gateway or Express Route circuit, you can connect Azure virtual networks to your on-premises networks.
• VNet to VNet VPN is used to allow communication between different Azure Regions.
• The Azure Virtual Network service enables you to securely connect Azure resources to each other with virtual networks (VNets).
• A VNet is a representation of your own network in the cloud.
• A VNet is a logical isolation of the Azure cloud dedicated to your subscription.
• You can also connect VNets to your on-premises network and to other Azure regions and subscriptions.
• VNet to VNet Peering enables the connection of two Azure virtual networks. The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure.
• VNet peering - connecting VNets within the same Azure region.
• Global VNet peering - connecting VNets across Azure regions.

Additional Resources:
• Azure Networking - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/infrastructure-networking-guidelines
• Virtual network peering - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

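The peering described above, as an added Azure PowerShell example (not the course's own lab script). It assumes hypothetical resource group and VNet names ('rg-net-eastus'/'vnet-eastus' and 'rg-net-westeurope'/'vnet-westeurope'), the Az.Network module, and an existing Connect-AzAccount session. The point it makes that the slide does not: a peering is two one-directional objects, the link is not usable until both sides report Connected, and peering is not transitive, so a third VNet does not gain access through an existing pair.

```powershell
# Added example: peer two VNets (regional or global peering is decided by where the
# VNets live, not by a flag). All names below are hypothetical.
param(
    [string]$RgA   = 'rg-net-eastus',
    [string]$VnetA = 'vnet-eastus',
    [string]$RgB   = 'rg-net-westeurope',
    [string]$VnetB = 'vnet-westeurope'
)

$a = Get-AzVirtualNetwork -ResourceGroupName $RgA -Name $VnetA
$b = Get-AzVirtualNetwork -ResourceGroupName $RgB -Name $VnetB

# Peering is refused when address spaces collide, so fail early with a clear message.
foreach ($pa in $a.AddressSpace.AddressPrefixes) {
    foreach ($pb in $b.AddressSpace.AddressPrefixes) {
        if ($pa -eq $pb) { throw "Prefix $pa is used by both VNets; peering would fail." }
    }
}

# Defaults keep the link minimal: VNet-to-VNet access only, no forwarded traffic,
# no gateway transit. Turn those on deliberately, per link, if a design needs them.
Add-AzVirtualNetworkPeering -Name "$VnetA-to-$VnetB" -VirtualNetwork $a `
    -RemoteVirtualNetworkId $b.Id | Out-Null
Add-AzVirtualNetworkPeering -Name "$VnetB-to-$VnetA" -VirtualNetwork $b `
    -RemoteVirtualNetworkId $a.Id | Out-Null

# Verify both directions; 'Initiated' on one side means the other side is missing.
Get-AzVirtualNetworkPeering -ResourceGroupName $RgA -VirtualNetworkName $VnetA |
    Select-Object Name, PeeringState
Get-AzVirtualNetworkPeering -ResourceGroupName $RgB -VirtualNetworkName $VnetB |
    Select-Object Name, PeeringState
```

Peered VNets are not transitive: traffic from a third VNet peered only to one of these two does not reach the other, which is why hub-and-spoke designs route spoke-to-spoke traffic through a network virtual appliance in the hub.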


Storage

Unmanaged Disks:
• Standard storage accounts:
  • Blob storage (Containers: used for storing Azure VM disks).
  • Table storage.
  • Queue storage.
  • File storage.
• Premium storage accounts:
  • High-performance, low-latency blob storage (Container).
  • Azure VM Disks only.

Azure Managed Disks:
• Standard and Premium disks.
• Azure manages the disk placement and replication.
• No Storage Account limitations.
• Pay for disk size, not usage.

Key Notes:
• Azure Storage is a key part of deploying and managing virtual machines (VMs) and applications.
• Azure Storage provides services for storing file data, unstructured data, and messages, and it is also part of the infrastructure supporting VMs.
• Ensure the storage design you select has enough IOPS to support your needs as you start to deploy Citrix Virtual Apps and Desktops on Azure.
• With Azure managed disks you pay for the entire size of the disk, whereas with unmanaged disks you pay for only the blocks that are in use.
• Azure Managed Disks only support VMs – no table and file storage.

Additional Resources:
• Azure Storage - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/infrastructure-example#storage


Resource Group Containers

• Resource Groups are used to group related items together as one administrative entity.
• There are different approaches, such as:
  • Resource Groups for each application deployment containing all components needed.
  • Centralized Resource Groups that contain your core networks, subnets, storage accounts.
  • Individual Resource Groups for VMs, network interfaces, and load balancers.
• Every component deployed must reside in a resource group container.
• Components can only reside in one resource group at a time.

[Diagram: example resource groups. RG Desktop VDAs (Win10 VMs, each with a NIC); RG Server VDAs (Win2016 VMs, each with a NIC); RG StoreFront (StoreFront servers on Win2016 with NICs behind a Load Balancer); RG Core Infrastructure (Networks, Subnets, Storage Accounts).]

Key Notes:
• In Azure, you logically group related resources such as storage accounts, virtual networks, and virtual machines (VMs) to deploy, manage, and maintain them as a single entity.
• Resource Groups make it easier to deploy applications while keeping all the related resources together from a management perspective, or to grant others access to that group of resources.
• Resource group names can be a maximum of 90 characters in length.
• Typically an Enterprise will split their core resources into individual resource groups (for example, networking components in a Network Resource Group owned by the Network team, AD in its own Resource Group, etc.).

Additional Resources:
• Resource Groups - https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups


Availability Sets

• Use availability sets to ensure that VMs running the same service are placed on different hardware clusters.
• Each hardware cluster is divided into multiple update domains and fault domains.
• Fault Domains protect you by spreading the workload between different racks.
• Update Domains provide protection in terms of planned maintenance; Microsoft will never plan maintenance on two update domains at the same time.

[Diagram: the StoreFront role spread across two Fault Domains (racks) and two Update Domains, with one StoreFront server in each fault domain/update domain combination.]

Key Notes:
• Virtual machines (VMs) can be placed into a logical grouping called an availability set.
• When you create VMs within an availability set, the Azure platform distributes the placement of those VMs across the underlying infrastructure.
• Should there be a planned maintenance event to the Azure platform or an underlying hardware/infrastructure fault, the use of availability sets ensures that at least one VM remains running.
• The number of fault domains varies based on the Azure datacenter. Some have 3. Most have 2.
• In addition to availability sets, customers can also use availability zones to further extend their high availability configurations.
• Availability Zones are unique physical locations within an Azure region.

Additional Resources:
• Manage the availability of Windows virtual machines in Azure - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/infrastructure-example#availability-sets
• Overview of Availability Zones in Azure - https://docs.microsoft.com/en-us/azure/availability-zones/az-overview


Compute

VM types (Type, Sizes, Description):
• General purpose (Dsv3, Dv3, DSv2, Dv2, DS, D, Av2, A0-7): Balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers.
• Compute optimized (Fsv2, Fs, F): High CPU-to-memory ratio. Good for medium traffic web servers, network appliances, batch processes, and application servers.
• Memory optimized (Esv3, Ev3, M, GS, G, DSv2, DS, Dv2, D): High memory-to-core ratio. Great for relational database servers, medium to large caches, and in-memory analytics.
• Storage optimized (Ls): High disk throughput and IO. Ideal for Big Data, SQL, and NoSQL databases.
• GPU (NCv2, NCv3, ND, NV, NC): Specialized virtual machines targeted for heavy graphic rendering and video editing. Available with single or multiple GPUs.
• High performance compute (H, A8-11): Our fastest and most powerful CPU virtual machines with optional high-throughput network interfaces (RDMA).

Key Notes:
• Selecting the right Compute size to suit your needs is important as there are many different SKUs available in Azure.
• Typically for Citrix environments, especially for hosting VDAs, customers select the General Purpose VMs because they have a good balance of CPU to Memory, or the Compute Optimized VMs because they have a high CPU to Memory ratio, depending on which applications they are hosting.

Additional Resources:
• VM Sizes - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes
• General Purpose - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-general
• Compute Optimized - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-compute
• Memory Optimized - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-memory
• Storage Optimized - https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-sizes-storage
• GPU - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-gpu
• High performance compute VM sizes - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-hpc


Network Security Groups

• A Network Security Group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks.
• Can be associated with:
  • Subnets
  • Individual network interfaces

Key Notes:
• A Network Security Group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet).
• NSGs can be associated with subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
• When an NSG is associated with a subnet, the rules apply to all resources connected to the subnet.
• Traffic can further be restricted by also associating an NSG to a single NIC.

Additional Resources:
• Azure Network Security Groups - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg

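The subnet-plus-NIC layering described in the Key Notes, as an added Azure PowerShell example (not part of the course). It assumes a hypothetical layout: resource group 'rg-ctx-core' in 'eastus', VNet 'vnet-ctx' with 'snet-infra' (10.10.1.0/24, Cloud Connectors, StoreFront, Gateway) and 'snet-vda' (10.10.2.0/24, VDAs), and a StoreFront NIC named 'nic-storefront-01'. Ports 1494 (ICA) and 2598 (session reliability) are the standard HDX listener ports. What it shows beyond the slide: rules are evaluated by ascending priority, so an allow for a narrow source must sit above the deny for everyone else; the platform's default rules (AllowVnetInBound, DenyAllInBound and friends) are still there at priority 65000+; and inbound traffic must pass both the subnet NSG and the NIC NSG.

```powershell
# Added example: a subnet-level NSG for the VDA subnet plus a narrower NIC-level NSG
# for one StoreFront server. Hypothetical names/addresses throughout; requires
# Az.Network and an existing Connect-AzAccount session.
$rg   = 'rg-ctx-core'
$loc  = 'eastus'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-ctx'

# 1. Subnet NSG: lowest priority number wins, so order matters.
$vdaRules = @(
    # HDX from the infrastructure subnet (where Citrix Gateway lives) only.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-HDX-From-Infra' -Priority 100 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix '10.10.1.0/24' -SourcePortRange '*' `
        -DestinationAddressPrefix '10.10.2.0/24' -DestinationPortRange @('1494', '2598')
    # Management RDP from the infrastructure subnet...
    New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Infra' -Priority 110 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix '10.10.1.0/24' -SourcePortRange '*' `
        -DestinationAddressPrefix '10.10.2.0/24' -DestinationPortRange 3389
    # ...and from nowhere else, including other VNet subnets (overrides AllowVnetInBound).
    New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-All' -Priority 120 -Direction Inbound `
        -Access Deny -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '10.10.2.0/24' -DestinationPortRange 3389
    # Explicit Internet deny: redundant with DenyAllInBound, but it documents intent and
    # survives someone adding a broad allow later at a lower priority number than 65500.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Inbound' -Priority 4000 -Direction Inbound `
        -Access Deny -Protocol '*' -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)
$vdaNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name 'nsg-snet-vda' -SecurityRules $vdaRules

# Associate with the subnet: every NIC in 'snet-vda' inherits these rules.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-vda' `
    -AddressPrefix '10.10.2.0/24' -NetworkSecurityGroup $vdaNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. NIC NSG for a StoreFront server: inbound traffic is checked against the subnet NSG
#    first, then this one, so the NIC NSG can only narrow what the subnet already allows.
$sfRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-From-VNet' -Priority 100 -Direction Inbound `
    -Access Allow -Protocol Tcp -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443
$sfNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name 'nsg-nic-storefront' -SecurityRules $sfRule
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'nic-storefront-01'   # hypothetical NIC
$nic.NetworkSecurityGroup = $sfNsg
$nic | Set-AzNetworkInterface | Out-Null

# 3. Check what actually applies on the NIC: subnet rules, NIC rules and defaults merged.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'nic-storefront-01' -ResourceGroupName $rg
```

Run the final Get-AzEffectiveNetworkSecurityGroup after every change; it is the quickest way to catch a subnet rule silently blocking something a NIC rule appears to allow.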


Templates

• Azure Resource Manager (ARM) Templates can contain complete configurations in a JSON file.
• ARM Templates can be deployed both via the Azure Portal or PowerShell.

[Diagram: an ARM Template deployed to Azure, producing Resource Groups, Networks, Storage and Virtual Machines.]

Key Notes:
• Templates can be used within ARM or PowerShell.
• They can be used to create single VMs or whole environments programmatically.
• Based on JSON.
• Templates can be exported from ARM.
• Templates can be shared amongst Accounts and Subscriptions.
• GitHub is a great way to get familiar with templates.
• Azure Resource Manager allows you to provision your applications using a declarative template.
• In a single template, you can deploy multiple services along with their dependencies.
• You use the same template to repeatedly deploy your application during every stage of the application lifecycle.

Additional Resources:
• Create your first template - https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-create-first-template
• Virtual machines in an Azure Resource Manager template - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/template-description
• Azure Template QuickStart - https://azure.microsoft.com/en-us/resources/templates/
• Citrix Cloud Citrix Virtual Desktops Resource Location Creation ARM Template - https://www.citrix.com/blogs/2017/07/27/citrix-cloud-xendesktop-resource-location-creation-arm-template/

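An added example (not the course's own code) that ties the Templates slide to the earlier Availability Sets slide: a small ARM template, written inline as JSON, deployed with Azure PowerShell. The template declares an availability set whose fault and update domain counts are parameters, so the same file is reused per environment with different parameter values. Hypothetical names: resource group 'rg-ctx-core', availability set 'avset-storefront'. Requires Az.Resources and a Connect-AzAccount session.

```powershell
# Added example: deploy an availability set from an inline ARM template.
# All names are hypothetical. The 'Aligned' SKU is what managed-disk VMs require.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "avSetName":     { "type": "string" },
    "location":      { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "faultDomains":  { "type": "int", "defaultValue": 2, "minValue": 1, "maxValue": 3 },
    "updateDomains": { "type": "int", "defaultValue": 5, "minValue": 1, "maxValue": 20 }
  },
  "resources": [
    {
      "type": "Microsoft.Compute/availabilitySets",
      "apiVersion": "2019-07-01",
      "name": "[parameters('avSetName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Aligned" },
      "properties": {
        "platformFaultDomainCount":  "[parameters('faultDomains')]",
        "platformUpdateDomainCount": "[parameters('updateDomains')]"
      }
    }
  ],
  "outputs": {
    "avSetId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Compute/availabilitySets', parameters('avSetName'))]"
    }
  }
}
'@
$templatePath = Join-Path $env:TEMP 'avset.json'
Set-Content -Path $templatePath -Value $template -Encoding utf8

# Same template, per-environment parameters. A region with only 2 fault domains
# rejects faultDomains=3 at validation time, which is why the next step exists.
$params = @{ avSetName = 'avset-storefront'; faultDomains = 2; updateDomains = 5 }

# Validate first: catches schema errors and unsupported values without deploying anything.
Test-AzResourceGroupDeployment -ResourceGroupName 'rg-ctx-core' -TemplateFile $templatePath `
    -TemplateParameterObject $params

# Incremental mode adds or updates what the template declares and leaves other resources
# in the group alone; Complete mode would delete resources the template does not mention.
$deployment = New-AzResourceGroupDeployment -Name 'avset-storefront-deploy' `
    -ResourceGroupName 'rg-ctx-core' -TemplateFile $templatePath `
    -TemplateParameterObject $params -Mode Incremental

# The output is the resource id a VM template would reference in its availabilitySet property.
$deployment.Outputs['avSetId'].Value
```

To go the other way (the "Templates can be exported from ARM" note), Export-AzResourceGroup -ResourceGroupName 'rg-ctx-core' writes the current state of a resource group as a template you can check into source control and redeploy.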


Azure Automation

• It can be used to automate repetitive processes or configurations.
• Runbooks are typically used for process automation.
• Desired State Configuration is typically used for configuration automation.
• Runbooks can be created in PowerShell or in a graphical editor in ARM.
• Desired State Configuration is a PowerShell component in Windows that can integrate with Azure Automation.
• Refer to the Runbook Gallery for templates.

Key Notes:
• Microsoft Azure Automation provides a way for users to automate the manual, long-running, error-prone, and frequently repeated tasks that are commonly performed in a cloud and enterprise environment.
• It saves time and increases the reliability of regular administrative tasks and even schedules them to be automatically performed at regular intervals.
• You can automate processes using runbooks or automate configuration management using the Desired State Configuration.
• Example:
  • Runbooks can be used for scheduled startup and shutdown of VMs in Azure.
  • Desired State Configuration allows you to specify a preferred configuration and have Azure Automation ensure that your configuration does not drift away from your criteria.

Additional Resources:
• Azure Automation overview - https://docs.microsoft.com/en-us/azure/automation/automation-intro
• Azure automation Script resources for IT professionals (Gallery) - https://gallery.technet.microsoft.com/scriptcenter/site/search?f[0].Type=RootCategory&f[0].Value=WindowsAzure&f[1].Type=SubCategory&f[1].Value=WindowsAzure_automation&f[1].Text=Automation
• The what, why and how of Azure Automation Desired State Configuration (DSC) - https://azure.microsoft.com/en-us/blog/what-why-how-azure-automation-desired-state-configuration/

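The scheduled shutdown runbook mentioned in the Key Notes, as an added example (not from the course or the Runbook Gallery). It is a PowerShell runbook that deallocates running VMs carrying a hypothetical tag AutoShutdown=yes in one resource group, and it authenticates with the Automation account's managed identity so no credentials are stored in the account. Hypothetical values: resource group 'rg-ctx-vda'; the Az.Accounts and Az.Compute modules must be imported into the Automation account, and the identity needs rights to read and deallocate those VMs (a custom role of exactly that shape appears under Role-Based Access Control later in this lesson).

```powershell
# Added example: Azure Automation PowerShell runbook, scheduled nightly. Hypothetical
# tag name/value and resource group; runs as the account's system-assigned managed identity.
param(
    [string]$ResourceGroupName = 'rg-ctx-vda',
    [string]$TagName  = 'AutoShutdown',
    [string]$TagValue = 'yes',
    [bool]$DryRun = $false          # $true = report what would happen, change nothing
)

# Sandbox hygiene: do not let a context persist between jobs, then sign in as the identity.
Disable-AzContextAutosave -Scope Process | Out-Null
Connect-AzAccount -Identity | Out-Null

# -Status populates PowerState so stopped machines are skipped instead of re-stopped.
$vms = Get-AzVM -ResourceGroupName $ResourceGroupName -Status |
    Where-Object { $_.Tags -and $_.Tags[$TagName] -eq $TagValue -and $_.PowerState -eq 'VM running' }

if (-not $vms) {
    Write-Output "Nothing to do: no running VMs tagged $TagName=$TagValue in $ResourceGroupName."
    return
}

foreach ($vm in $vms) {
    if ($DryRun) { Write-Output "Would deallocate $($vm.Name)"; continue }
    # Stop-AzVM deallocates (compute billing stops); -Force skips the confirmation prompt,
    # which an unattended job cannot answer. Keep going if one VM fails.
    try {
        $result = Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Force -ErrorAction Stop
        Write-Output "$($vm.Name): $($result.Status)"
    } catch {
        Write-Error "$($vm.Name): $($_.Exception.Message)"
    }
}
```

Tag-driven selection keeps the policy in the VM metadata rather than in the script, so adding a VM to the schedule is a tagging change that shows up in the activity log, not a code change.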


Storage Spaces Direct

Highly available, highly scalable software-defined storage using inexpensive local disks.

[Diagram: a Scale-Out File Server built on Storage Spaces Direct across four Win2016 Servers, accessed over an SMB 3.1 connection.]

Key Notes:
• Storage Spaces Direct leverages a combination of features in Windows Server, such as Failover Clustering, the Cluster Shared Volume (CSV) file system, Server Message Block (SMB) 3, and of course Storage Spaces.
• By replicating the data automatically between the local disks and cache repositories, S2D can create high performance and availability without having to rely on expensive storage systems.
• Storage Spaces Direct will use more disk space than a traditional RAID system to host the data due to the replication between hosts.
• Benefits:
  • Simplicity. Go from industry-standard servers running Windows Server 2016 to your first Storage Spaces Direct cluster in under 15 minutes.
  • Unrivaled Performance. Whether all-flash or hybrid, Storage Spaces Direct easily exceeds 150,000 mixed 4k random IOPS per server with consistent, low latency.
  • Fault Tolerance. Built-in resiliency handles the drive, server, or component failures with continuous availability.
  • Scalability. Go up to 16 servers and over 400 drives, for up to 1 petabyte (1,000 terabytes) of storage per cluster. To scale out, simply add drives or add more servers.

Additional Resources:
• Deploy a two-node Storage Spaces Direct scale-out file server for UPD storage in Azure - https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-storage-spaces-direct-deployment


Role-Based Access Control (RBAC)

• Using Role-Based Access Control:
  • Permissions can be delegated to:
    • Users
    • Groups
    • Apps (Service Principals)
  • Scope of assignment can be:
    • Subscription
    • Resource group
    • Single resource

[Diagram: delegated permissions for a User, Groups and Apps, each assigned at a scope: the Azure Subscription, a Resource Group, or individual Resources inside a Resource Group.]

Key Notes:
• Security Principal: the identity to which the permission will apply.
• Role Definition: a collection of permissions.
• Azure Service Principal: a security identity used by user-created apps, services, and automation tools to access specific Azure resources.
• Users, Groups, and Service Principals from Azure AD can all be delegated permission in Azure.
• Permissions can be assigned through the Azure Portal, Azure command line tools, or via the many Azure APIs available.

Additional Resources:
• Get started with Role-Based Access Control in the Azure portal - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
• Built-in roles for Azure role-based access control - https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
• Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

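Scoped assignment and a custom role definition, as an added Azure PowerShell example (not the course's own). It assumes two hypothetical service principals that already exist in Azure AD, 'citrix-hosting-connection' (the identity behind the Citrix Hosting Connection) and 'citrix-vm-scheduler' (an automation identity that only needs to start and stop VMs), plus resource groups 'rg-ctx-core' and 'rg-ctx-vda'. The earlier subscription slide noted that a dedicated subscription makes it easy to grant the hosting connection full permissions; this example shows the alternative the same slide alluded to, assigning a built-in role at resource group scope and cutting a custom role down to four VM actions, then listing the assignments for audit. Requires Az.Resources and a session with rights to create role assignments and definitions.

```powershell
# Added example: scoped role assignments and a least-privilege custom role.
# Service principal and resource group names are hypothetical.
$subId = (Get-AzContext).Subscription.Id

# 1. Hosting connection: built-in Contributor, but only on the resource groups it manages.
#    Scope is the narrowest boundary Azure enforces; the same role at subscription scope
#    would reach every resource group the Network or AD teams own.
$sp = Get-AzADServicePrincipal -DisplayName 'citrix-hosting-connection'
foreach ($rgName in 'rg-ctx-core', 'rg-ctx-vda') {
    $rg = Get-AzResourceGroup -Name $rgName
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' `
        -Scope $rg.ResourceId | Out-Null
}

# 2. Custom role: clone a built-in definition, then replace its action list with only
#    the operations a start/stop scheduler needs. No create, delete, or network rights.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id          = $null            # null Id makes New-AzRoleDefinition create, not update
$role.IsCustom    = $true
$role.Name        = 'Citrix VM Power Operator'
$role.Description = 'Read, start, power off and deallocate VMs in the VDA resource group.'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/start/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/powerOff/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/deallocate/action')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subId/resourceGroups/rg-ctx-vda")
New-AzRoleDefinition -Role $role | Out-Null

$scheduler = Get-AzADServicePrincipal -DisplayName 'citrix-vm-scheduler'
New-AzRoleAssignment -ObjectId $scheduler.Id -RoleDefinitionName 'Citrix VM Power Operator' `
    -Scope "/subscriptions/$subId/resourceGroups/rg-ctx-vda" | Out-Null

# 3. Audit: every principal with rights at this scope, including assignments inherited
#    from the subscription. Review this list, not the portal's per-user view.
Get-AzRoleAssignment -ResourceGroupName 'rg-ctx-vda' |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

The custom role lists actions the scheduler performs and nothing else; if a later runbook needs to restart VMs, add Microsoft.Compute/virtualMachines/restart/action to the definition rather than widening the assignment to Contributor.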


Lesson Objective Review

Which components can be associated with Network Security Groups from the ARM console?

Subnets and NICs

Key Notes:
• Associating NSGs to VMs was available in the Classic Portal, but this feature has been removed with the discontinuation of the Classic Portal in January 2018.


Azure Management



Azure Resource Manager (ARM)

• Portal.azure.com
• Supports Resource Groups
• Supports Templates
• Supports RBAC
• Supports Tags
• Detailed billing information by Tags

Key Notes:
• Azure Resource Manager (ARM) enables you to work with the resources in your solution as a group. You can deploy, update, or delete all the resources for your solution in a single, coordinated operation. You use a template for deployment and that template can work for different environments such as testing, staging, and production. Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment.
• Benefits of ARM:
  • You can deploy, manage, and monitor all the resources for your solution as a group.
  • You can manage your infrastructure through templates rather than scripts.
  • You can define the dependencies between resources so they are deployed in the correct order.
  • You can apply access control to all services in your resource group because Role-Based Access Control (RBAC) is natively integrated into the management platform. (Discussed in detail in Module 02 AD Integration.)
  • You can apply tags to resources to logically organize all the resources in your subscription.
  • You can clarify your organization's billing by viewing costs for a group of resources sharing the same tag.

Additional Resources:
• ARM - https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview


Storage Explorer

Use this tool to view and manage Blobs, Unmanaged Disks, File Storage, and Table Storage.

Key Notes:
• Azure Storage Explorer is a standalone app that enables you to easily work with Azure Storage data on Windows, MacOS, and Linux.
• Lets you:
  • Connect to storage accounts associated with your Azure subscriptions.
  • Connect to storage accounts and services that are shared from other Azure subscriptions.
  • Connect to and manage local storage by using the Azure Storage Emulator.
• Azure Storage Explorer is useful for uploading files and images from on-premises to Azure or between Azure subscriptions.
• Azure Storage Explorer does not show Azure Managed Disks or Managed snapshots.
• Blob storage is ideal for:
  • Serving images or documents directly to a browser.
  • Storing files for distributed access.
  • Streaming video and audio.
  • Storing data for backup and restore, disaster recovery, and archiving.
  • Storing data for analysis by an on-premises or Azure-hosted service.
• Azure Files enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files with both read and write access.
• Premium storage provides high-performance storage for page blobs, which are primarily used for VHD files. Premium storage accounts use SSD to store data. Microsoft recommends using Premium Storage for all of your VMs.

Additional Resources:
• Get started with Storage Explorer - https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows
• Azure Storage Documentation - https://docs.microsoft.com/en-us/azure/storage/


Azure EA Portal

• Portal only available to Enterprise Agreement customers.
• Create new Accounts and track billing for multiple accounts and subscriptions.

Key Notes:
• The Azure EA Portal is only available to customers with an Enterprise Agreement.
• The tool allows a customer to effectively manage multiple Azure accounts and Azure subscriptions.
• Track cost and billing across the entire enterprise agreement.
• Restricts the ability to create new accounts to certain IT Admins and keeps the number of accounts to a minimum.


Additional Management

• Azure CLI
• Azure PowerShell
• Visual Studio Code
• Azure REST API
• .NET API
• Java API
• Python API
• Node.js API

Key Notes:
• In addition to managing Azure through the Azure Resource Manager portal, there are numerous tools and SDKs available for administrators and developers to manage and automate their Azure environments.
• We will only focus on the Azure Portal and PowerShell during the course, but most of the features of Azure are exposed through all the APIs.

Additional Resources:
• SDKs/Tools - https://docs.microsoft.com/en-us/azure/#pivot=sdkstools


Lesson Objective Review

Which portal allows certain customers to create and manage multiple accounts and subscriptions?

The Azure EA Portal is only available for customers with an Enterprise Agreement.


Azure Locations



Azure Datacenters
55 regions available

Key Notes:
• Not all products and SKUs are available in all regions.
• For example, Availability Zones are only available in certain regions.

Additional Resources:
• Azure Regions - https://azure.microsoft.com/en-us/regions/


Deploy Citrix Virtual Apps and Desktops Close to Users

• One of the key factors in performance and user experience when using HDX is latency.
• Azure can allow you to deploy VDAs close to users' geographical locations and thereby reduce latency.
• Ensure that routes and VPNs are planned accordingly.
• Ensure that Citrix ADC and StoreFront configurations are optimized for the new deployment methods.

Key Notes:
• Place VDA resources in Azure regions close to your users to reduce latency and improve HDX performance.
• Typical latency recommendations from Citrix Consulting, assuming the environment has been tuned properly:
  • Up to 150ms: great user experience.
  • 150ms – 300ms: good/acceptable user experience.
  • Over 300ms: degraded user experience.
• Alternatively, deploy VDAs in multiple Azure regions if the user base is spread out globally.

Additional Resources:
• HDX - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/technical-overview/hdx.html
• How Network Latency Impacts User Experience? - https://www.citrix.com/blogs/2017/09/25/how-network-latency-impacts-user-experience/
• https://www.citrix.com/blogs/2018/10/30/turbo-charging-ica-part-1/
• https://www.citrix.com/blogs/2018/12/17/turbo-charging-ica-part-2/


What to do with Apps, Data, and Profiles

• Consider moving/extending Apps to Azure to ensure App performance.
  • Database Mirroring or Replication.
  • Consult Application providers for multisite configuration.
• Consider DFSR, Storage Spaces Direct, or Azure File Storage for Data replication.
  • Avoid long file load and save actions.
• Keep user profiles close to VDAs.
  • Reduce profile size to a minimum.
  • Consider a unique profile per location to avoid profile replication.
  • Use folder redirection to reduce data transfer and ensure consistency across different profiles.
  • Examine AppData usage before redirecting.
• Double Hop HDX is still an option if some apps cannot be moved.

Key Notes:
• Clustering is not supported in Azure.
• Azure File Storage is not supported for Roaming profiles or profile disks.
• Double-hop HDX means that you run an HDX session inside another HDX session, for example:
  • The user connects to an HDX desktop session in Azure; within that HDX session, they open Workspace app and launch a published HDX app from another VDA. For the purpose of this example, the second connection will be made to a VDA hosted on-premises, serving an application that cannot be moved to Azure.


Lab Exercise

• Exercise 1-1: Connect to Microsoft Azure.
• Exercise 1-2: Verify Resource Groups and Permissions in Azure.
• Exercise 1-3: Create a Virtual Network in Azure.
• Exercise 1-4: Peer Networks in Azure.
• Exercise 1-5: Create Storage Account.
• Exercise 1-6: Create a new VM for Cloud Connector.


Lesson Objective Review

What is the biggest benefit of deploying VDAs in Azure regions close to users?

To reduce the latency impact on the HDX connection and optimize the user experience.


Key Takeaways

• Citrix integrates with Infrastructure as a Service much like with on-premises hypervisors.
• Citrix Virtual Apps and Desktops can be deployed in Azure in many ways to suit your business needs.
• Azure has many moving parts but adds a lot of flexibility to your Citrix deployments.
• Azure Resource Manager is the main administration console for Azure.
• Microsoft is constantly adding new datacenters to Azure.


Citrix Virtual Apps and Desktops Service on Microsoft Azure

Module 2: Virtual Apps and Desktops Azure Active Directory Integration


Learning Objectives

• Investigate Active Directory Basics in Azure.
• Highlight Active Directory Usage From a Citrix Perspective.
• Connect On-premises Active Directory to Azure.
• Define Azure Role-Based Access Control.


Active Directory Basics



On-Premises AD

• Leaving Active Directory on-premises means that every authentication must traverse the network and VPN back to your organization.
  • Login and authentication delays.
  • Potential timeouts due to latency.
  • Link or VPN failure will interrupt all AD-related functionality.
• Supports OUs, GPOs, LDAP, and Kerberos.

[Diagram, three tiers: Citrix Cloud (Citrix Gateway, Workspace, Delivery Controller, Site Database); Azure (Citrix Gateway, StoreFront, Cloud Connector, VDAs); On-premises (Citrix Gateway, StoreFront, Active Directory).]

Key Notes:
• While this deployment method technically will work if the necessary VPN tunnels are in place, it is not recommended by either Citrix or Microsoft.
• Without a domain controller in Azure, all domain-related traffic would need to flow through the VPN to the on-premises datacenter.


Azure AD

• Azure AD is a cloud-based directory typically used for SSO to SaaS applications.
• Azure AD can be used for Delegated Administrators in Citrix Cloud.
• Azure AD can be used for user authentication to resources.
• Users from on-premises AD can be synchronized to Azure AD.
• Azure AD cannot be used with MCS, GPOs, and Kerberos.
• Azure AD supports SAML, WS-Federation, and OAuth.

[Diagram, three tiers: Citrix Cloud (Citrix Gateway, Workspace, Delivery Controller, Site Database); Azure (Azure AD, Citrix Gateway, StoreFront, Cloud Connector, VDAs); On-premises (Citrix Gateway, StoreFront, Active Directory).]

Key Notes:
• Azure AD can be used for authenticating to resources in Workspace as well as delegated administration in Citrix Cloud.
• The users in Azure AD must be synchronized from a traditional AD for these features to work.
• Citrix Federated Authentication must also be configured for the logon ticket to be passed into the HDX session during launch.
• Azure Active Directory (Azure AD) is Microsoft's multi-tenant cloud-based directory and identity management service primarily used to provide SSO to SaaS applications.
• Both Azure AD and on-premises Active Directory (Active Directory Domain Services or AD DS) are systems that store directory data and manage communication between users and resources, including user logon processes, authentication, and directory searches.
• In Azure AD, users and groups are created in a flat structure without OUs or GPOs. Authentication is performed through protocols such as SAML, WS-Federation, and OAuth.
• User accounts for Windows Server Active Directory (On-Premises) can be synced with Azure AD.
• Citrix machines (Virtual Apps and Desktops workers and supporting infrastructure machines) have a requirement to be joined to an Active Directory domain. This is required for domain computer accounts, new machine provisioning (MCS), user association, and pass-through/Kerberos authentication to resources. It is because of these requirements that Azure Active Directory cannot be used alone.

Additional Resources:
• What is Azure AD? - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis
• Azure Active Directory and Citrix Virtual Apps and Desktops - https://support.citrix.com/article/CTX224111


Azure AD Domain Services

(Diagram: Citrix Cloud: Citrix Gateway, Workspace, Delivery Controller, Site Database. Azure: Azure AD Domain Services, Citrix Gateway, StoreFront, Cloud Connector, VDAs. On-premises: Citrix Gateway, StoreFront, Active Directory.)

• Azure AD Domain Services provides domain join, group policy, LDAP read, and Kerberos/NTLM authentication without the overhead of deploying and maintaining VMs in Azure.
• Relies on micro services.
• Supports MCS and Kerberos.
• Limited administrative permission.

Key Notes:
• Azure AD Domain Services provides AD domain controllers as a service, eliminating the complexity of setting up AD, the ongoing maintenance costs of patching and backing up domain controllers, and the operational expense of domain controller VMs in Azure.
• Azure AD Domain Services provides managed domain services such as domain join, group policy, LDAP read, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory.
• Limitations: no domain/enterprise admin permissions, no schema extension, no forest or domain trusts, no LDAP write, and no geo-distributed deployments (sites and services).

Additional Resources:
• What is Azure AD Domain Services? - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-overview
• Virtual Apps and Desktops Support Azure AD Domain Services - https://www.citrix.com/blogs/2017/04/11/xenapp-xendesktop-services-support-azure-ad-domain-services/
• Azure Active Directory (AD) Domain Services - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-overview


Full AD in Azure

(Diagram: Citrix Cloud: Citrix Gateway, Workspace, Delivery Controller, Site Database. Azure: Active Directory, Citrix Gateway, StoreFront, Cloud Connector, VDAs. On-premises: Citrix Gateway, StoreFront, Active Directory.)

• AD DS in Azure joined to an on-premises forest.
  • There may be some synchronization latency between the domain servers in the cloud and the servers running on-premises.
  • Read-only Domain Controllers are not supported for Citrix Virtual Apps and Desktops.
• AD DS in Azure with a separate forest.
  • Requires appropriate trust relationships between forests.
  • Citrix Cloud Connectors cannot traverse back through domain trusts, so additional Cloud Connectors may be needed on-premises.

Key Notes:
• The customer is required to deploy domain controllers using virtual machines in Azure.
• The customer is required to manage, secure, patch, monitor, back up, and troubleshoot the AD virtual machines.
• Deployments of AD DS in Azure can be joined to an existing on-premises forest, or AD DS can be deployed in Azure as a separate forest.
• Each separate domain containing either users or VDAs should have a set of Cloud Connectors deployed.

Additional Resources:
• https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/considerations


Feature Comparison

(Table: each functionality row is marked as supported or not for On-Premises AD, Azure AD, Azure AD DS, and Full AD in Azure; the marks themselves are not present in the text.)

Functionality | On-Premises AD | Azure AD | Azure AD DS | Full AD in Azure
Delegated Admin in Citrix Cloud | | | |
Machine Creation Services | | | |
LDAP/Kerberos | | | |
GPOs | | | |
Authentication to resources | | | |
Domain join | | | |

Key Notes:
• Determine the right AD design for your solution before starting to build the environment.
• Azure AD can only be used for delegated administration and user authentication; it does not support the features used for desktop brokering in Virtual Apps and Desktops.


Lesson Objective Review

Does Azure Active Directory support MCS?

No, Azure Active Directory does not support Kerberos or LDAP and therefore does not support MCS. Deploy full AD or Azure AD Domain Services for MCS support.


Active Directory Usage


Identity and Access Management in Citrix Cloud

• Two credential providers are supported for Citrix Cloud:
  • Azure AD Credentials
  • MyCitrix Credentials
• Integrating Azure AD allows the managing of both Citrix Cloud and Azure with the same credentials.
• Easy provisioning and de-provisioning of delegated admins.
• Multifactor authentication available through Azure AD.

Key Notes:
• Azure AD and MyCitrix credential providers are supported for Citrix Cloud.
• Integrating Citrix Cloud and Azure AD enables customers to:
  • Use their existing Active Directory, where they can audit, control password policies, and disable accounts if necessary.
  • Use enhanced security features with multi-factor authentication.
  • Provide a branded sign-in page.
  • Support federation to an identity provider of choice: AD FS, Okta, Ping, and others.
  • Central control of user accounts.

Additional Resources:
• New! Azure Active Directory Support for Citrix Cloud Administrators - https://www.citrix.com/blogs/2017/01/09/new-azure-active-directory-support-for-citrix-cloud-administrators/
• What Is Identity and Access Management? - http://docs.citrix.com/en-us/citrix-cloud/overview/about/what-is-identity-and-access-management.html


MCS Provisioning with Citrix Cloud Studio

• MCS can create Active Directory Computer accounts for all VMs in a catalog, or you can specify existing accounts.
• The Cloud Connector or Delivery Controller computer account must have a connection to Active Directory.
• Azure AD does not support computer accounts or Kerberos and therefore is not supported with MCS.
• Citrix Cloud Studio prompts for administrator credentials to create Computer Accounts.
• On-premises Studio uses the signed-in administrator to create Computer Accounts.

Key Notes:
• During MCS provisioning, Citrix Cloud Studio requests admins to enter credentials that will be used to create the computer accounts for the VDA VMs in the Machine Catalog.
• In on-premises Virtual Apps and Desktops deployments, these computer accounts are created in the context of the admin running Studio; however, in Citrix Cloud, since the Delivery Controller is not part of the customer’s domain, this process is different.
• Pre-created computer accounts can also be used with Citrix Cloud.
• In a traditional Virtual Apps and Desktops deployment, the user running Citrix Studio is used to create the Computer Accounts for an MCS Catalog. In Citrix Cloud, Studio prompts for a user account because Studio is running in another domain context.

Additional Resources:
• Virtual Apps and Desktops Support Azure AD Domain Services - https://www.citrix.com/blogs/2017/04/11/xenapp-xendesktop-services-support-azure-ad-domain-services/
• Create machine catalogs - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/install-configure/machine-catalogs-create.html


VDA Registration

• VDAs use Kerberos to register to Cloud Connectors or Delivery Controllers.
• Cloud Connectors and Delivery Controllers use Kerberos to broker connections to VDAs.
• Full AD DS or Azure AD DS is required to support registration and brokering.
• Azure AD does not support Kerberos.

Key Notes:
• While Azure AD can be used for user and administrator authentication in Citrix Cloud, it does not support VDA registration or brokering.
• Deploy Azure AD DS or a full AD in Azure for VDA brokering and Kerberos.
• The only difference in VDA registration between on-premises deployments and Citrix Cloud is the fact that the VDAs register with Cloud Connectors, rather than Delivery Controllers. The Cloud Connectors then relay the registration notification to the Delivery Controllers in Citrix Cloud.

Additional Resources:
• VDA registration (on-premises and Cloud Connectors) - https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/manage-deployment/vda-registration.html


Authenticating to Resources

• All forms of Active Directory can be used to authenticate to resources:
  • Azure AD with Workspace Experience only.
  • Azure AD DS.
  • On-premises AD extended to Azure.
  • Full AD in Azure.
• Azure AD can provide multifactor authentication.
• Citrix Gateway Service in Citrix Cloud supports OTP.
• Deploy your own Citrix ADC and StoreFront for other multifactor solutions.

Key Notes:
• By using Azure AD with Citrix Cloud, you can:
  • Leverage your own Active Directory, so you can control auditing, password policies, and easily disable accounts when needed.
  • Configure multi-factor authentication for a higher level of security against the possibility of stolen sign-in credentials.
  • Use a branded sign-in page, so your users know they’re signing in at the right place.
  • Use federation to an identity provider of your choice including ADFS, Okta, and Ping, among others.
• Citrix Gateway Service supports Azure AD MFA. Customers looking to use on-premises AD can use 2-factor authentication with native One-Time Password (OTP). The second factor will be a One-Time Password (OTP) generated on the user device and authenticated by the gateway service itself. Depending on the user’s smartphone OS, users can download and install the free Google Authenticator (iOS and Android) or Microsoft Authenticator (Windows OS) apps. This means you don’t need a third-party OTP solution to provide a 2nd-factor authentication. Once the user device is enrolled using Citrix’s self-service page, users can use OTP from their smartphones to log in and access your applications. Once the end users log in to the Citrix Workspace portal, they will see icons for the applications to which they have access.
• Integrating Azure AD might impact the logon experience for users.
• Citrix FAS is required to create a single sign-on experience with Azure AD. Without FAS, the user will be prompted to enter their domain credentials while launching their HDX session.

Additional Resources:
• Citrix Unveils Gateway Service with Secure and Single Sign-On to SaaS, Enterprise Web & VDI Apps - https://www.citrix.com/blogs/2018/04/12/citrix-unveils-secure-gateway-service-with-single-sign-on-to-saas-enterprise-vdi-apps/
• Federated Authentication Service Azure AD integration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/federated-authentication-service/fas-architectures/fas-azure-ad.html


Creating Azure AD

• Azure AD is included in any Azure Subscription.
• In Azure AD, an organization is called a tenant.
• Choose the Organization name and initial domain name to create a new tenant.
• Upgrade to Premium:
  • Self-Service Password Reset with Password Writeback
  • Multifactor Authentication, and more.

Key Notes:
• In Azure Active Directory (Azure AD), a tenant is representative of an organization. It is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure or Office 365. Each Azure AD tenant is distinct and separate from other Azure AD tenants.
• A tenant houses the users in a company and the information about them - their passwords, user profile data, permissions, etc. It also contains groups, applications, and other information pertaining to an organization and its security.
• To enhance your Azure Active Directory, you can add paid capabilities using the Azure Active Directory Basic, Premium P1, and Premium P2 editions.
• Steps involved in creating an Azure AD:
  • Browse to the Azure portal and sign in with an account that has an Azure subscription.
  • Select the plus icon (+) and search for Azure Active Directory.
  • Select Azure Active Directory in the search results.
  • Select Create.
  • Provide a name for the organization along with the initial domain name.

Additional Resources:
• Azure Active Directory editions - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-editions
• How to get an Azure Active Directory tenant? - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant


Creating Azure AD Domain Services

(Diagram: Task 1: Create Basic Settings; Task 2: Configure Network Settings; Task 3: Create Administrator Group; Task 4: Update DNS settings; Task 5: Enable Password Synchronization.)

Key Notes:
• Azure AD Domain Services is a micro service; it is not a set of VMs that can be managed directly in Azure.
• You do not have Domain Administrator or Enterprise Administrator permissions on the managed domain that you created by using Azure Active Directory Domain Services.
• On managed domains, these permissions are reserved by the service and are not made available to users within the tenant. However, you can create a special administrative group to perform some privileged operations.
• These operations include joining computers to the domain, belonging to the administration group on domain-joined machines, and configuring Group Policy.
• Previously Azure AD DS was only available in the Classic Portal but is now fully supported in Azure Resource Manager.
• Creating an Azure AD DS can be done using the following 5 overall tasks:
  • Task 1: In the Basics page of the wizard, specify the DNS domain name for the managed domain. You can also choose the resource group and Azure location to which the managed domain should be deployed.
  • Task 2: The next configuration task is to create an Azure virtual network and a dedicated subnet within it. You enable Azure Active Directory Domain Services in this subnet within your virtual network. You may also pick an existing virtual network and create the dedicated subnet within it.
  • Task 3: In this configuration task, you create an administrative group in your Azure AD directory. This special administrative group is called AAD DC Administrators. Members of this group are granted administrative permissions on machines that are domain-joined to the managed domain. On domain-joined machines, this group is added to the administrators’ group. Additionally, members of this group can use Remote Desktop to connect remotely to domain-joined machines.
  • Task 4: Next, enable computers within the virtual network to connect and consume these services. You update the DNS server settings for your virtual network to point to the two IP addresses where Azure Active Directory Domain Services is available on the virtual network.
  • Task 5: The next task is to enable the synchronization of password hashes required for NT LAN Manager (NTLM) and Kerberos authentication to Azure AD Domain Services. After you've set up password hash synchronization, users can sign in to the managed domain with their corporate credentials.

Additional Resources:
• Enable Azure Active Directory Domain Services - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started
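The following script is an added example and is not part of the Citrix course material. It carries out Tasks 2, 3 and 4 of the procedure above with the Az and AzureAD PowerShell modules: the virtual network with its dedicated subnet, the AAD DC Administrators group (the name the course gives), and the DNS update on the virtual network. Task 1 (enabling the managed domain) is left to the portal wizard as the course describes it, and Task 5 is not scripted. Every resource name, address range, user principal name and DNS IP address in it is an assumed placeholder; the two real DNS addresses are the ones reported by the managed domain once Task 1 completes.

```powershell
# Added example, not part of the Citrix course: scripts Tasks 2, 3 and 4 of the
# Azure AD DS setup with the Az and AzureAD PowerShell modules. Task 1 (enabling the
# managed domain) stays in the portal wizard; Task 5 (password hash sync) is not scripted.
# Every name, address range, UPN and IP address below is an assumed placeholder.
# Prerequisites: Install-Module Az; Install-Module AzureAD; Connect-AzAccount; Connect-AzureAD

$ResourceGroup = 'rg-aadds-example'             # assumption
$Location      = 'westeurope'                   # assumption
$VnetName      = 'vnet-aadds-example'           # assumption
$VnetPrefix    = '10.10.0.0/16'                 # assumption
$AaddsSubnet   = 'snet-aadds'                   # dedicated subnet for the managed domain (Task 2)
$AaddsPrefix   = '10.10.1.0/24'                 # assumption
$AdminUpn      = 'aadds-admin@contoso.example'  # assumption: first member of the admin group

# Task 2: virtual network with a dedicated subnet for Azure AD DS.
function New-AaddsNetwork {
    param([string]$Rg, [string]$Loc, [string]$Name, [string]$Prefix,
          [string]$SubnetName, [string]$SubnetPrefix)
    # Keep the subnet dedicated: nothing but the managed domain should be placed in it.
    $subnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetPrefix
    return New-AzVirtualNetwork -Name $Name -ResourceGroupName $Rg -Location $Loc `
        -AddressPrefix $Prefix -Subnet $subnet
}

# Task 3: the special administrative group in Azure AD. The display name
# 'AAD DC Administrators' is the one the course gives; an existing group is reused
# and an existing membership is skipped so the function can be re-run safely.
function New-AaddsAdminGroup {
    param([string]$MemberUpn)
    $group = Get-AzureADGroup -Filter "DisplayName eq 'AAD DC Administrators'"
    if (-not $group) {
        $group = New-AzureADGroup -DisplayName 'AAD DC Administrators' `
            -Description 'Delegated administrators for the Azure AD DS managed domain' `
            -SecurityEnabled $true -MailEnabled $false -MailNickName 'AADDCAdministrators'
    }
    # Membership means local admin and RDP rights on every domain-joined machine,
    # so keep this group small and review it like any other privileged group.
    $user = Get-AzureADUser -ObjectId $MemberUpn
    $already = Get-AzureADGroupMember -ObjectId $group.ObjectId |
        Where-Object { $_.ObjectId -eq $user.ObjectId }
    if (-not $already) {
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    }
    return $group
}

# Task 4: point the virtual network's DNS servers at the managed domain.
function Set-AaddsDns {
    param([string]$Rg, [string]$Name, [string[]]$DnsServers)
    # The two addresses are shown on the managed domain once Task 1 has completed.
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $Rg -Name $Name
    $vnet.DhcpOptions.DnsServers = $DnsServers
    return Set-AzVirtualNetwork -VirtualNetwork $vnet
}

New-AaddsNetwork -Rg $ResourceGroup -Loc $Location -Name $VnetName -Prefix $VnetPrefix `
    -SubnetName $AaddsSubnet -SubnetPrefix $AaddsPrefix | Out-Null
New-AaddsAdminGroup -MemberUpn $AdminUpn | Out-Null
# Placeholder IPs: replace with the two addresses reported by the managed domain.
Set-AaddsDns -Rg $ResourceGroup -Name $VnetName -DnsServers @('10.10.1.4', '10.10.1.5') | Out-Null
```

Run the three calls in the order shown, with Task 1 completed in the portal between the network step and the DNS step, since the DNS addresses only exist once the managed domain is up. Machines that were already running in the virtual network need a DNS refresh or restart before they can find the managed domain.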


Lesson Objective Review

Which two types of credentials can be used to log in to Citrix Cloud?

MyCitrix and Azure AD Credentials.


Connecting On-premises AD to Azure


Azure AD Connect

(Diagram: Azure: Azure AD, Microsoft Office 365, SaaS Apps, Your Apps. On-premises: User Devices, Workspace app, Endpoints, Active Directory.)

• Integrate on-premises directories with Azure Active Directory.
• Common identity both on-premises and in Azure, Office 365, and SaaS apps.
• Use filters to synchronize specific objects.
• Password Sync ensures password consistency and allows you to use on-premises password policies.
• Password write-back allows users to change their passwords in the cloud and have your on-premises password policy applied.

Key Notes:
• Azure AD Connect will integrate your on-premises directories with Azure Active Directory.
• Integrating your on-premises directories with Azure AD provides a common identity for accessing both cloud and on-premises resources. This could encompass SSO for Azure, Office 365, and SaaS apps.
• Azure AD Connect provides several features that are enabled by default or features that you can enable. These features include but are not limited to filtering, password synchronization, password writeback, and device writeback.
• Password write-back honors local AD password policies.

Additional Resources:
• Integrate your on-premises directories with Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect
• Azure AD Connect sync: Configure filtering - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-configure-filtering
• Implement password synchronization with Azure AD Connect sync - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization
• Quick Start: Azure AD self-service password reset - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-getting-started


Azure AD Connect Installation

• Azure AD Connect must be installed on a Windows Server.
  • Minimum 2012 R2 for ADFS support.
• Installs SQL Server 2012 Express LocalDB.
  • Existing SQL can be used instead.
• Express Settings.
• Custom Settings.

Key Notes:
• Azure AD Connect server requirements:
  • Windows Server Standard or better, and must be Windows Server 2008 or later. Minimum 2012 R2 for ADFS support.
  • Full GUI installed. Server Core is not supported.
  • The server may be a domain controller or a member server when using express settings. If a custom install, then the server can also be stand-alone and does not have to be joined to a domain.
  • If you install Azure AD Connect on Windows Server 2008 or Windows Server 2008 R2, then make sure to apply the latest hotfixes from Windows Update. The installation is not able to start with an unpatched server.
  • If you plan to use the password synchronization feature, then the Azure AD Connect server must be on Windows Server 2008 R2 SP1 or later.
  • If you plan to use a group managed service account, then the Azure AD Connect server must be on Windows Server 2012 or later.
  • The Azure AD Connect server must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed.
  • The Azure AD Connect server must not have PowerShell Transcription Group Policy enabled.
  • If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows Remote Management must be enabled on these servers for remote installation.
  • If Active Directory Federation Services is being deployed, you need SSL certificates.
  • If Active Directory Federation Services is being deployed, then you need to configure name resolution.
  • If your global administrators have MFA enabled, then the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list. You are prompted to add this site to the trusted sites list when you are prompted for an MFA challenge and it has not been added before. You can use Internet Explorer to add it to your trusted sites.
• SQL Server used by Azure AD Connect:
  • Azure AD Connect requires a SQL Server database to store identity data. By default, a SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed.
  • A separate SQL Server is also supported; the requirements are:
    • Azure AD Connect supports Microsoft SQL Server from SQL Server 2008 (with the latest Service Pack) to SQL Server 2016 SP1. Microsoft Azure SQL Database is not supported as a database.
    • You must use a case-insensitive SQL collation.
    • You can only have one sync engine per SQL instance.
• Express Settings is the default option and is used for the most commonly deployed scenario.
• Custom Settings are used when you want more options for the installation. They are used if you have multiple forests, more than 100,000 users, or if you want to configure optional features not covered in the express installation.

Additional Resources:
• Custom Settings - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom
• Express Settings - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express


Azure AD Connect Synchronization
When to use which settings?

Express Settings:
• You have a single Active Directory forest on-premises.
• You have less than 100,000 objects in your on-premises Active Directory.
• You have an enterprise administrator account that can be used for the installation.
• Re-run wizard to select specific OUs to synchronize.
• Re-run wizard to enable Azure AD Premium features.

Custom Settings:
• You do not have access to an enterprise admin account in Active Directory.
• You have more than one forest, or you plan to synchronize more than one forest in the future.
• You have domains in your forest not reachable from the Connect server.
• You plan to use federation or pass-through authentication for user sign-in.
• You have more than 100,000 objects and need to use a full SQL Server.
• You plan to use group-based filtering and not only domain or OU-based filtering.

Key Notes:
• Express installation is the most common method used.
• Use an Express installation when:
  • A single Active Directory forest on-premises.
  • An enterprise admin account to be used for the Azure AD Connect installation.
  • Less than 100,000 objects in your Active Directory.
• Use a Custom installation when:
  • You do not have access to an enterprise admin account in Active Directory.
  • You have more than one forest or you plan to synchronize more than one forest in the future.
  • You have domains in your forest not reachable from the Connect server.
  • You plan to use federation or pass-through authentication for user sign-in.
  • You have more than 100,000 objects and need to use a full SQL Server.
  • You plan to use group-based filtering and not only domain or OU-based filtering.

Additional Resources:
• Select which installation type to use for Azure AD Connect - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-select-installation


Azure AD Connect Leading Practices

• Use IdFix to identify errors such as duplicates and formatting problems in your directory before you synchronize to Azure AD.
• Enable the Active Directory Recycle Bin.
• Azure AD Connect (version 1.1.614.0 and after) by default uses TLS 1.2 for encrypting communication between the sync engine and Azure AD. If TLS 1.2 isn't available on the underlying operating system, Azure AD Connect incrementally falls back to older protocols (TLS 1.1 and TLS 1.0).
• Review Firewall, Proxy, and Certificate requirements.
• Citrix has already deprecated TLS 1.0 and TLS 1.1.

Key Notes:
• Always ensure that the Active Directory is in good health before starting any synchronization.
• IdFix can determine any issues before starting the synchronization.
• Always enable AD Recycle Bin, as human mistakes in the configuration could potentially delete user accounts in the on-premises AD.
• Adjust the below registry key to increase TLS security.
• For all operating systems, set this registry key and restart the server:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
  "SchUseStrongCrypto"=dword:00000001

Additional Resources:
• Prerequisites for Azure AD Connect - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites
• Hybrid Identity Required Ports and Protocols - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-ports
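The script below is an added example, not part of the Citrix course, that applies and then verifies the SchUseStrongCrypto setting named in the Key Notes so the sync engine does not fall back to TLS 1.1 or 1.0. It assumes it is run in an elevated PowerShell session on the Azure AD Connect server. The first registry path is the one from the slide; the second (the WOW6432Node path for 32-bit .NET code on a 64-bit server) comes from Microsoft's TLS 1.2 guidance for Azure AD Connect and is not on the slide.

```powershell
# Added example, not from the Citrix course: sets and verifies the .NET strong-crypto
# registry value the slide names. Run elevated on the Azure AD Connect server; the
# server still has to be restarted afterwards for the sync engine to pick it up.
$StrongCryptoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',            # path given on the slide (64-bit .NET)
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' # 32-bit .NET on x64; Microsoft TLS 1.2 guidance, not on the slide
)

function Set-StrongCrypto {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # SchUseStrongCrypto=1 makes .NET 4.x negotiate with the operating system's
        # protocol defaults instead of the legacy SSL 3.0/TLS 1.0 list, which is what
        # lets Azure AD Connect use TLS 1.2 rather than falling back.
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-StrongCrypto {
    param([string[]]$Keys)
    # Returns $true only when every key carries the value; usable as a pre-sync health check.
    foreach ($key in $Keys) {
        $value = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' `
                    -ErrorAction SilentlyContinue).SchUseStrongCrypto
        if ($value -ne 1) {
            Write-Warning "SchUseStrongCrypto is not set to 1 under $key"
            return $false
        }
    }
    return $true
}

Set-StrongCrypto -Keys $StrongCryptoKeys
if (Test-StrongCrypto -Keys $StrongCryptoKeys) {
    Write-Output 'SchUseStrongCrypto=1 is in place; restart the server before the next sync cycle.'
}
```

Keep Test-StrongCrypto in the checks you run before the first synchronization, alongside IdFix and the firewall and proxy review: the registry value decides which protocol the sync engine offers, and a proxy in the path that only speaks TLS 1.0 or 1.1 will still break the connection once the fallback is gone.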


Lesson Objective Review

Which tool should be used to verify your Directory for consistency before migrating users to Azure AD?

IdFix can be used to identify errors or inconsistencies before synchronization.


Azure Role Based Access Control


What is RBAC?
Using Role-Based Access Control

(Diagram: Delegated Permissions (User, Groups, Apps) are assigned at a Scope of Assignment: Azure Subscription, Resource Group, Resources.)

• Permissions can be delegated to:
  • Users
  • Groups
  • Apps (Service Principals)
• Scope of assignment can be:
  • Subscription
  • Resource group
  • Single resource

Key Notes:
• Each Azure subscription is associated with an Azure Active Directory (AD) directory. Users, groups, and applications from that directory can manage resources in the Azure subscription. Assign these access rights using the Azure portal, Azure command-line tools, and Azure Management APIs.
• Users, Groups, and Service Principals from Azure AD can all be delegated permission in Azure.
• The level of permission can be controlled at the Subscription level, the Resource Group level, or the individual resource level.
• Permissions can be assigned through the Azure Portal, Azure command-line tools, or via the many Azure APIs available.

Additional Resources:
• Get started with Role-Based Access Control in the Azure portal - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
• Built-in roles for Azure role-based access control - https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
• Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles


Roles

• There are 3 basic built-in roles that can apply to all resource types:
  • Owner
  • Contributor
  • Reader
• There are more than 35 application-specific roles available.

(Diagram: Owner: has full access to all resources, including the right to delegate access to others. Contributor: can create and manage all types of Azure resources, but can’t grant access to others. Reader: can view existing Azure resources.)

Key Notes:
• Azure RBAC has three basic roles that apply to all resource types:
  • The Owner has full access to all resources, including the right to delegate access to others.
  • A Contributor can create and manage all types of Azure resources but can’t grant access to others.
  • The Reader can view existing Azure resources.
• In addition to the basic roles, there are numerous RBAC roles that allow management of specific Azure resources.
• Furthermore, you can define custom RBAC roles through Azure PowerShell, Azure Command-Line Interface, or the REST API.

Additional Resources:
• Built-in roles for Azure role-based access control - https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
• Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles


Actions

• The permissions of a role are defined by:
• Actions enable functionalities.
• NotActions disable functionalities.
• Write enables PUT, POST, PATCH, and DELETE operations.
• Read enables GET operations.
• Wildcards can be used to define several providers in one string.
• Scopes can be used to limit permissions further.

Key Notes:
• The Actions property specifies the allowed actions on Azure resources. Action strings can use wildcard characters. The NotActions property specifies the actions that are excluded from the allowed actions.
• NotActions restrict a specific action – the NotActions are subtracted from the Actions.
• Write permission allows for additions, changes or deletion of objects.
• Read permission allows for a read of the object but does not allow changes.
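How Azure derives a role's effective permission from its Actions and NotActions, wildcards included, as an added PowerShell example that is not part of the Citrix course material. The role and the operations it is checked against are constructed for illustration, and the function models control-plane actions only (DataActions are not covered).

```powershell
# Added example (not from the Citrix course material): evaluates an Azure RBAC role
# definition the way Azure does. An operation is allowed when it matches at least one
# Actions pattern and no NotActions pattern; "*" in a pattern matches any characters,
# including path separators. The role and the operations below are constructed.

function ConvertTo-ActionRegex {
    param([string]$Pattern)
    # Escape everything, then turn the escaped wildcard back into "match anything".
    '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*') + '$'
}

function Test-RbacAction {
    param(
        [Parameter(Mandatory)][hashtable]$Role,      # needs Actions and NotActions arrays
        [Parameter(Mandatory)][string]$Operation     # e.g. Microsoft.Compute/virtualMachines/delete
    )
    # -match is case-insensitive by default, which matches Azure's comparison of action strings.
    $allowed = @($Role.Actions    | Where-Object { $Operation -match (ConvertTo-ActionRegex $_) })
    $denied  = @($Role.NotActions | Where-Object { $Operation -match (ConvertTo-ActionRegex $_) })
    # NotActions are subtracted from Actions: any NotActions match removes the permission.
    return ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
}

# Constructed helpdesk-style role: everything on virtual machines except delete and
# write, plus resource group read. NotActions grant nothing; they only carve out exceptions.
$helpdeskRole = @{
    Actions    = @('Microsoft.Compute/virtualMachines/*',
                   'Microsoft.Resources/subscriptions/resourceGroups/read')
    NotActions = @('Microsoft.Compute/virtualMachines/delete',
                   'Microsoft.Compute/virtualMachines/write')
}

$operations = @(
    'Microsoft.Compute/virtualMachines/start/action',    # True:  wildcard match, no NotActions match
    'Microsoft.Compute/virtualMachines/restart/action',  # True
    'Microsoft.Compute/virtualMachines/delete',          # False: matched by the wildcard, subtracted by NotActions
    'Microsoft.Network/virtualNetworks/read'             # False: no Actions entry covers it
)
foreach ($op in $operations) {
    '{0,-50} {1}' -f $op, (Test-RbacAction -Role $helpdeskRole -Operation $op)
}
```

Running the same check against a candidate custom role before deploying it is a cheap way to confirm it grants exactly the operations you intend and nothing more.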

Additional Resources:
• Built-in roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles


Custom Roles

Creation:
• Can be created using:
• Azure PowerShell
• Azure Command-Line Interface (CLI)
• REST API
• The access granted by a custom role is computed by subtracting the NotActions operations from the Actions operations.
• Assignable Scopes determines on which object the permissions are given – typically a subscription.
• Can be defined in JSON.

Subscription-Wide Requirements:
• Create a custom role for Azure Host Connections to ensure least privileges on subscription-wide objects in Azure.
• This role is in addition to the Contributor permissions the Narrow Scope Service Principal needs on the Resource Groups.
• Assign this role with a Narrow Scope Service Principal.

Key Notes:
• Custom Roles are used when you need a more specific Role Based Access Control set of permissions than the built-in roles allow.
• Roles contain the Actions and NotActions covered in the previous slide.
• Each tenant can create up to 2000 custom roles.
• Assignable Scope is used to specify on which objects the roles are deployed – this typically refers to one or more subscriptions.
• A Narrow Scope Service Principal will need permissions on the following objects in Azure:
• The master image VHD
• JSON definitions for catalog creation:
• Microsoft.Storage/storageAccounts/read
• Microsoft.Storage/storageAccounts/listKeys/action
• Microsoft.Resources/subscriptions/resourceGroups/read
• JSON definitions for the virtual network for the machines:
• Microsoft.Network/virtualNetworks/read
• Microsoft.Network/virtualNetworks/subnets/join/action
• The resource groups into which the machines are to be provisioned
• Actions for narrow scope service principals can be given explicitly on each object to the service principal, or, as in this example, through the use of a custom role.
• The term Citrix-Custom-Reader is for reference to the Citrix documentation only; the role does not need to use this particular name.
• Can be defined in JSON using:

{
  "Id": "{custom-role-definition-id}",
  "Name": "Citrix-Custom-Reader",
  "Description": "Grants access to Citrix XenDesktop images and virtual networks.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}

Additional Resources:
• Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
• Azure Role Based Access Control in Virtual Apps and Desktops - https://www.citrix.com/blogs/2016/11/09/azure-role-based-access-control-in-xenapp-xendesktop/
• Microsoft Azure Resource Manager virtualization environments - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/install-configure/resource-location/azure-resource-manager.html
• How to Grant Virtual Apps and Desktops Access to Your Azure Subscription? - https://support.citrix.com/article/CTX219243


How to Assign RBAC Permissions?

• RBAC permissions can be configured using:
• Azure Portal.
• Azure command-line tools.
• Azure Management APIs.
• ARM Templates.

Key Notes:
• RBAC – Role Based Access Control.
• RBAC permissions can be set using four methods:
• Through the use of the Azure Portal – either on the subscription level or on the individual components, using the IAM menu.
• Through the Azure command line – such as PowerShell.
• Through the Azure Management API – such as the REST API.
• Lastly, through ARM Templates.


Helpdesk RBAC

• A typical use case for RBAC is Helpdesk admins.
• Typical actions:
• VM Start
• VM Restart
• VM Connect
• VM Diagnostics
• Typical Scope:
• VDA Resource Groups.
• Shadowing enabled via AD policies.
• Virtual Apps and Desktops supports delegated administration:
• Full Admins
• Admins per service
• Helpdesk Admins

Key Notes:
• RBAC – Role Based Access Control.
• Define which permissions your helpdesk staff needs to support Citrix users in Azure.
• Re-use a built-in role to supply them with the needed permissions, or create a new custom role to provide more specific permissions.
• The typical scope for helpdesk admins would be the Resource Groups containing the VDA VMs.


Creating a Custom Administrator

1. Create a User or Group in AAD.
2. Define a Custom Role.
3. Bind User and Custom Role in Subscriptions > Access Control (IAM).

Key Notes:
• A Custom Administrator in Azure can be created using 3 simple steps.
1. Create the Administrator account in AAD.
2. Define the set of permissions using a custom role.
3. Use the Access Control (IAM) menu on the object where you want to deploy the permissions to bind the user and the role to the object.

Additional Resources:
• Assign custom roles for internal and external users - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-create-custom-roles-for-internal-external-users


What is a Service Principal?

• A Service Principal defines the policy and permissions for an application's use in a specific tenant.
• Citrix Virtual Apps and Desktops can integrate with ARM using the ARM Plugin.
• The Azure Resource Manager (ARM) Plugin needs a Service Principal with permissions to all relevant Azure resources.
• Service Principals are configured using Role Based Access Control.

Key Notes:
• Support for Azure Resource Manager (ARM) is encapsulated in a component known as the ARM Plugin, and it is a standard feature of Virtual Apps and Desktops. In order to provision machines in Azure, the ARM Plugin must be granted access to your Azure subscription via a service principal that has been assigned permissions to the relevant Azure resources. A service principal serves the same basic purpose as a user account: it provides the ARM Plugin with an Azure Active Directory identity, credentials for authentication and permissions on Azure resources. Just like user accounts, service principals are configured using Role Based Access Control (RBAC).

Additional Resources:
• Application and service principal objects in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects
• How to Grant Virtual Apps and Desktops Access to Your Azure Subscription? - https://support.citrix.com/article/CTX219243
• Microsoft Azure Resource Manager virtualization environments - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/install-configure/resource-location/azure-resource-manager.html


Subscription Scope Service Principals

• Studio has the ability to create a Service Principal in Azure automatically.
• This Service Principal will have Contributor permissions on the entire subscription.
• The ARM Plugin can create, delete, read, and write all resources in the subscription.

Key Notes:
• Subscription Scope Service Principals have Contributor permissions on all resources in the subscription, which makes them easy to create and manage.
• Citrix Studio can handle the process of creating Subscription Scope Service Principals, or they can be created manually in PowerShell.
• When using the Subscription Scope Service Principal, Studio is allowed to create Azure Resource Groups and completely automate the management of resources.
• The disadvantage is that the ARM Plugin may have permissions to resources in the subscription that are unrelated to the resources that the ARM Plugin is tasked with managing.
• Using the Contributor role allows the ARM Plugin to create, delete, read and write all resources in the subscription, but permissions do not extend to objects in any Azure Active Directory, nor are Subscription Scope Service Principals allowed to grant other users or service principals access to resources.

Additional Resources:
• How to Grant Virtual Apps and Desktops Access to Your Azure Subscription? - https://support.citrix.com/article/CTX219243


Narrow Scope Service Principals

• Minimum Azure permissions are given to the Citrix ARM Plugin.
• Host Connections are created using a preconfigured Service Principal.
• Support for pre-created resource groups:
• Resource groups must be empty.
• One resource group per Machine Catalog.
• The service principal must be a contributor to each resource group.
• Machine Catalogs can also be created through PowerShell.

Key Notes:
• Narrow Scope Service Principals allow the ARM Plugin access to a limited set of resources defined by you. Azure requires subscription scope permissions in order to create resource groups, and the ARM Plugin is therefore unable to create resource groups when using Narrow Scope Service Principals.
• In addition to creating the service principal, you are required to provide a pool of resource groups for each catalog into which machines are to be provisioned.

Additional Resources:
• Manually Granting Citrix Cloud Access to Your Azure Subscription - https://support.citrix.com/article/CTX224110
• How to Grant Virtual Apps and Desktops Access to Your Azure Subscription? (PowerShell) - https://support.citrix.com/article/CTX219243


When to Use Which Principal

Subscription Scope Service Principal:
• Simplest management experience.
• No need to define custom roles, service principals and RBAC permissions.
• Azure subscription is dedicated to a single Virtual Apps and Desktops.
• Proof of concept Virtual Apps and Desktops installation.
• Virtual Apps and Desktops administrators already have contributor access at Azure subscription scope.

Narrow Scope Service Principal:
• Azure subscription is hosting multiple unrelated services.
• Azure administrators have different subscription permissions depending on their role.
• Organization has security standards that require access control at a fine-grained level.
• Organization has knowledge of Azure RBAC and Service Principals.
• Resource groups can be pre-created in Azure Portal.

Key Notes:
• You can create “child” subscriptions that are billed as part of your primary subscription and refer to the default Azure Active Directory in your primary subscription. This provides another mechanism for controlling access to unrelated resources.


Creating a Subscription Scope Service Principal

• Step 1: Add an Azure Hosting Connection.
• Step 2: Choose a connection name.
• Step 3: Enter your Azure Subscription ID.
• Step 4: Click Create new and authenticate as a Subscription Owner.
• The wizard will create a new Service Principal with Contributor privileges on the entire subscription.

Key Notes:
• To create a new Service Principal, customers must enter the following:
• Subscription ID.
• Hosting Connection Name.
• Azure Subscription owner username and password.


Creating a Basic Narrow Scope Service Principal

Step 1: Create Azure Service principal for Citrix Cloud
Step 2: Create Custom Role for subscription wide RBAC permission
Step 3: Assign RBAC permissions on Resource Groups and Custom Role to SPN
Step 4: Add the Azure Hosting Connection using existing App Registration
Step 5: Enter SUB ID, SPN ID, AAD ID and SPN Password

Key Notes:
• Step 1: Manually create an Azure Service Principal registration for Citrix Cloud
• Define the SPN registration
• Grant Access to the Azure API
• Create the SPN secret access key
• Step 2:
• Create the Custom Role through PowerShell or REST
• Step 3: Assign Resource permissions to the Azure SPN for Citrix Cloud
• Assigning Resource Permissions
• Resource Group(s)
• Virtual Networks
• Master Image Storage Account
• Step 4:
• Add the Azure Hosting Connection using an existing Azure App registration
• Step 5:
• Enter the following values in the Wizard
• Application ID
• Azure AD ID
• Subscription ID
• Password
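The scripted part of this procedure (steps 1 to 3: the SPN registration and secret, the Citrix-Custom-Reader role from the Custom Roles slide, and the role assignments), as an added PowerShell example that is not part of the Citrix course material. The same two cmdlets, New-AzRoleDefinition and New-AzRoleAssignment, also implement the three-step Creating a Custom Administrator procedure earlier in this lesson, with a user or group object ID in place of the service principal. It assumes Az.Resources 5.x or later (Microsoft Graph based cmdlets), a session opened with Connect-AzAccount as a subscription Owner, and that the catalog resource groups already exist and are empty; the subscription ID and all names are placeholders.

```powershell
# Added example (not from the Citrix course material). Assumes Az.Resources 5.x or later,
# Connect-AzAccount already run as a subscription Owner, and pre-created empty resource
# groups for the catalogs. Subscription ID and names are placeholders.
$subscriptionId    = '00000000-0000-0000-0000-000000000000'      # placeholder
$catalogGroups     = @('rg-ctx-catalog-01', 'rg-ctx-catalog-02')  # one empty resource group per Machine Catalog
$subscriptionScope = "/subscriptions/$subscriptionId"

# Step 1: app registration, its service principal, and the secret the wizard will ask for.
$app  = New-AzADApplication -DisplayName 'ctx-cloud-narrow-scope'
$spn  = New-AzADServicePrincipal -ApplicationId $app.AppId
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears(1)
# $cred.SecretText is returned only once: hand it to the wizard or a vault, never leave it in a script.

# Step 2: the subscription-wide custom role with exactly the operations the course lists.
$roleDefinition = [ordered]@{
    Name             = 'Citrix-Custom-Reader'
    IsCustom         = $true
    Description      = 'Grants access to Citrix XenDesktop images and virtual networks.'
    Actions          = @(
        'Microsoft.Storage/storageAccounts/read',
        'Microsoft.Storage/storageAccounts/listKeys/action',
        'Microsoft.Network/virtualNetworks/read',
        'Microsoft.Network/virtualNetworks/subnets/join/action',
        'Microsoft.Resources/subscriptions/resourceGroups/read'
    )
    NotActions       = @()
    AssignableScopes = @($subscriptionScope)
}
$roleFile = Join-Path ([IO.Path]::GetTempPath()) 'citrix-custom-reader.json'
$roleDefinition | ConvertTo-Json -Depth 3 | Set-Content -Path $roleFile
$role = New-AzRoleDefinition -InputFile $roleFile

# Step 3: the custom role at subscription scope; Contributor only on the catalog resource groups.
# A freshly created principal can take a moment to replicate: re-run the assignment if Azure
# reports that the principal does not exist.
New-AzRoleAssignment -ObjectId $spn.Id -RoleDefinitionName $role.Name -Scope $subscriptionScope | Out-Null
foreach ($rg in $catalogGroups) {
    New-AzRoleAssignment -ObjectId $spn.Id -RoleDefinitionName 'Contributor' `
        -Scope "$subscriptionScope/resourceGroups/$rg" | Out-Null
}

# Review what the principal can now do, then collect the values the wizard needs in steps 4 and 5.
Get-AzRoleAssignment -ObjectId $spn.Id | Select-Object RoleDefinitionName, Scope
[pscustomobject]@{
    SubscriptionId = $subscriptionId
    ApplicationId  = $app.AppId                  # "SPN ID" in the wizard
    AzureAdId      = (Get-AzContext).Tenant.Id   # "AAD ID" in the wizard
    Password       = '<use $cred.SecretText>'
}
```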

Additional Resources:
• Manually Granting Citrix Cloud Access to Your Azure Subscription - https://support.citrix.com/article/CTX224110
• How to Grant Virtual Apps and Desktops Access to Your Azure Subscription (PowerShell) - https://support.citrix.com/article/CTX219243
• Now Available: Citrix Studio Support for “BYO” Azure Resource Groups - https://www.citrix.com/blogs/2017/09/27/now-available-citrix-studio-support-for-byo-azure-resource-groups/


Lab Exercise Prep

Exercise 2-1: Log on Using Azure PowerShell.


Lesson Objective Review

Which permissions will be delegated to the Service Principal created automatically by the Host Connection Wizard?

Contributor permissions on the entire Azure Subscription.


Key Takeaways

• Azure AD does not support Kerberos and cannot be the only directory in a Citrix resource location.
• Azure AD users can be added as Delegated Admins in Citrix Cloud.
• Azure AD Connect can be used to synchronize users from on-premises AD to Azure AD.
• To create the most secure Azure integration, a Narrow Scope Service Principal should be used.


Citrix Virtual Apps and Desktops Service on Microsoft Azure

Connecting to Microsoft Azure

Module 3


Learning Objectives

• Identify the connectivity options in Azure.
• Examine Cloud Connector in Azure.
• Define Host Connections in Azure.


Azure Connectivity


Overview of Connectivity Options to Azure

• Jump Box
• Point to Site VPN
• Site to Site VPN
• vNet to vNet VPN
• vNet Peering
• Express Route

Key Notes:
• This section identifies the different methods of creating connectivity in Azure, both between outside networks and Azure networks, and also internally between Azure networks in the same region and in other regions.
• Generally, the Jump Box and the point to site VPN are used when you want to keep the Azure environment and the networks in Azure isolated from on-premises networks.
• Site to Site VPN and Express Routes are used when you need connectivity between the networks in Azure and your on-premises deployments.
• vNet to vNet VPN and vNet Peering are used inside Azure, to connect different Azure networks to each other.

Additional Resources:
• https://azure.microsoft.com/en-us/blog/expressroute-or-virtual-network-vpn-whats-right-for-me/


Jump Box

• The Jump Box connectivity option consists of a VM with a public IP and RDS enabled.
• Allows RDS connections (double hop) to VMs on private Azure networks.
• Use cases are test and development lab accessibility.
• Also referred to as Bastion Hosts.
• Lock down the VM and reduce the attack surface:
• Patching, firewall, execution restriction, least privilege permissions.

Key Notes:
• A fast and efficient way of getting remote desktop access to VMs running inside Azure on a private network; however, it is not without security concerns.
• Avoid using domain joined VMs as Jump boxes, as they can expose your domain credentials to brute force attacks or account lockouts.
• Microsoft hardening recommendations:
• Active scanning and patching. Deploy antimalware software, perform regular vulnerability scans, and update all workstations by using the latest security update in a timely fashion.
• Limited functionality. Uninstall any applications that are not needed and disable unnecessary (startup) services.
• Network hardening. Use Windows Firewall rules to allow only valid IP addresses, ports, and URLs related to Azure management. Ensure that inbound remote connections to the workstation are also blocked.
• Execution restriction. Allow only a set of predefined executable files that are needed for the management to run (referred to as “default-deny”). By default, users should be denied permission to run any program unless it is explicitly defined in the allow list.
• Least privilege. Management workstation users should not have any administrative privileges on the local machine itself. This way, they cannot change the system configuration or the system files, either intentionally or unintentionally.

Additional Resources:
• Hardened workstation for management - https://docs.microsoft.com/en-us/azure/security/azure-security-management#hardened-workstation-for-management
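The network hardening recommendation above applied to an Azure jump box, as an added PowerShell example that is not part of the Citrix course material: a network security group that admits RDP only from the management range and denies everything else, and, inside the VM, Windows Firewall set to block inbound by default with a single RDP exception for that same range. It assumes the Az.Network module for the first part and a local administrator session on the jump box for the second; resource names, the NIC name and the 203.0.113.0/24 management range are placeholders.

```powershell
# Added example (not from the Citrix course material): restricts RDP to a jump box to one
# management range at two layers (Azure NSG and in-guest Windows Firewall). Names and the
# 203.0.113.0/24 range are placeholders.
$rg        = 'rg-ctx-jumpbox'
$location  = 'westeurope'
$mgmtRange = '203.0.113.0/24'   # placeholder: the only network allowed to reach the jump box

# --- Azure side (Az.Network): NSG on the jump box NIC -------------------------------------
$allowRdp = New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-from-mgmt' `
    -Description 'RDP from the management range only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $mgmtRange -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389
$denyAll = New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' `
    -Description 'Explicit default deny for everything else' `
    -Access Deny -Protocol '*' -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-jumpbox' -ResourceGroupName $rg -Location $location `
    -SecurityRules $allowRdp, $denyAll

$nic = Get-AzNetworkInterface -Name 'nic-jumpbox' -ResourceGroupName $rg   # placeholder NIC name
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# --- Inside the jump box (run as local administrator on the VM) ----------------------------
# Block inbound by default on every profile, retire the built-in "any source" RDP rules,
# then allow RDP from the management range only.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName 'RDP from management range' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtRange | Out-Null

# Verify: the rule above should be the only enabled inbound allow rule for port 3389.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter | Where-Object LocalPort -eq 3389
```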



Point to Site VPN

Point to Site VPN Example: Laptop/Notebook and Desktop clients connect over P2S SSTP Tunnels to the VPN Gateway in the Azure Subscription.

• Typically less than 100 Mbps of bandwidth.
• Allows connection to Azure via the built-in Windows VPN client.
• Uses Secure Sockets Tunneling Protocol (SSTP) to allow connecting from anywhere.
• Typical uses are prototyping, dev/test/lab scenarios for cloud services and virtual machines.

Key Notes:
• A Point-to-Site (P2S) configuration lets you create a secure connection from an individual client computer to a virtual network using the native Windows VPN client or a Mac OS X computer with the required software installed.
• This approach can be used instead of the jump box approach and will add an additional layer of security to the connection.
• Point-to-Site connections do not require a VPN device or a public-facing IP address.
• RADIUS authentication can be added for extra security.

Additional Resources:
• Configure a Point-to-Site connection to a VNet using the Azure portal - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
• Integrate Azure VPN gateway RADIUS authentication with NPS server for Multi-Factor Authentication - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-radius-mfa-nsp


Site to Site VPN

Site to Site VPN Example: Customer Network with an S2S VPN Gateway connected over an IPsec IKE (IPSEC S2S) VPN Tunnel to the S2S VPN Gateway in the Azure Subscription.

• The secure connection between your on-premises locations and your Azure virtual networks.
• Uses IPsec VPN for interoperability with most VPN devices.
• Allows connection of up to 10 on-premises sites.
• IP level connectivity between your on-premises and Azure virtual networks.

Key Notes:
• A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
• This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.
• Ensure that your VPN device is a compatible VPN device – see the link in Additional Resources.

Additional Resources:
• Create a Site-to-Site connection in the Azure portal - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
• Add a Site-to-Site connection to a VNet with an existing VPN gateway connection - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-multi-site-to-site-resource-manager-portal
• ExpressRoute or Virtual Network VPN – What’s right for me? - https://azure.microsoft.com/en-us/blog/expressroute-or-virtual-network-vpn-whats-right-for-me/
• About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices


Express Route

Express Route Example: Customer Network connected through the Partner Edge to the Microsoft Edge over a primary and a secondary connection into the Azure Subscription.

• ExpressRoute is a private connection between Microsoft Datacenters and your on-premises infrastructure.
• ExpressRoute connections do not traverse the internet.
• ExpressRoute connections are Layer 3.
• Key benefits include:
• Higher security & reliability.
• Greater speed.
• Consistent lower latencies.

Key Notes:
• Microsoft Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider.
• Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility.
• ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.
• Key benefits:
• Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a connectivity provider. Connectivity can be from an any-to-any (IPVPN) network, a point-to-point Ethernet connection, or through a virtual cross-connection via an Ethernet exchange.
• Connectivity to Microsoft cloud services across all regions in the geopolitical region.
• Global connectivity to Microsoft services across all regions with the ExpressRoute premium add-on.
• Dynamic routing between your network and Microsoft over industry standard protocols (BGP).
• Built-in redundancy in every peering location for higher reliability.
• Connection uptime SLA.
• QoS support for Skype for Business.

Additional Resources:
• ExpressRoute overview - https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction
• ExpressRoute FAQ - https://docs.microsoft.com/en-us/azure/expressroute/expressroute-faqs


vNet to vNet VPN

vNet to vNet VPN Example: two Azure Subscriptions, each with an S2S VPN Gateway, connected over an IPsec IKE (IPSEC S2S) VPN Tunnel.

• Used to connect different subscriptions and different regions.
• Use when enabling cross-region geo-redundancy and geo-presence.
• Can be created using:
• Resource Manager.
• PowerShell Script (ARM).
• Azure CLI.
• vNet to vNet connections can be from different regions, different subscriptions, and different deployment models.

Key Notes:
• Connecting a virtual network to another virtual network (vNet-to-vNet) is similar to connecting a vNet to an on-premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE.
• A vNet to vNet VPN allows a connection between two virtual networks.
• The virtual networks can be in the same or different regions, and from the same or different subscriptions.
• When connecting vNets from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.

Additional Resources:
• What is VPN Gateway? - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways


vNet to vNet Peering

vNet to vNet Peering Example: Azure Region 1 and Azure Region 2 connected through Global vNet Peering.

• Traffic is routed on the Azure backbone; no gateways or additional encryption needed.
• Low latency.
• Bandwidth limited to VM size.
• Two options:
• VNet peering - connecting vNets within the same Azure region.
• Global VNet peering - connecting vNets across Azure regions.

Key Notes:
• Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the virtual networks appear as one for connectivity purposes.
• The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed between virtual machines in the same virtual network, through private IP addresses only.
• Two peering options:
• vNet peering - connecting vNets within the same Azure region.
• Global VNet peering - connecting VNets across Azure regions.

Additional Resources:
• Virtual network peering - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview


When to use Which Approach

Connectivity options (Jump Box, Point to Site, Site to Site, vNet to vNet, Express Route) compared across Proof of Concept (POC), Small Deployments, Large Deployments and Multi Site / Multi Subscription deployments.

Key Notes:
• Although connectivity preferences may vary by customer, large deployments typically tend to use the more expensive express routes, whereas smaller deployments will keep the cost down and optimize time to value by using Site to Site VPNs.

Additional Resources:
• VNet-to-VNet: Connecting Virtual Networks in Azure across Different Regions - https://azure.microsoft.com/en-us/blog/vnet-to-vnet-connecting-virtual-networks-in-azure-across-different-regions/
• https://azure.microsoft.com/en-us/blog/expressroute-or-virtual-network-vpn-whats-right-for-me/
• https://azure.microsoft.com/en-us/pricing/details/expressroute/


How to Configure Site to Site VPN

Site to Site VPN diagram: On-Premise Customer Network with an S2S VPN Gateway connected over an IPsec IKE (IPSEC S2S) VPN Tunnel to the S2S VPN Gateway in the Azure Subscription; steps 1 to 5 and 7 are performed in Azure, step 6 on-premises.

• A public facing compatible VPN appliance is required.
• In Azure:
1. Create a Virtual Network
2. Specify a DNS server
3. Create the Gateway Subnet
4. Create the VPN Gateway
5. Create the local network gateway
7. Create the VPN connection
• On-premises:
6. Configure your VPN device

Key Notes:
1. Create a virtual network
• Create the virtual network in Azure that you want to connect to the Site to Site VPN.
2. Specify a DNS server
• Not a requirement, but setting a DNS server on the vNet allows all VMs and gateways connected to this network to use the DNS server for name resolution.
3. Create the gateway subnet
• The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network.
• It contains the IP addresses that the virtual network gateway resources and services use.
• The subnet must be named 'GatewaySubnet' in order for Azure to deploy the gateway resources.
4. Create the VPN gateway
• Add the product “virtual network gateway” from the Azure portal.
• Select the VPN type (Route Based or Policy Based).
• Select the VPN SKU size (Basic, VpnGw1, VpnGw2, VpnGw3) that matches your needs.
• Select the virtual network to which you want to add this gateway.
• Select or create a new public IP for the VPN Gateway.
5. Create the local network gateway
• Configure Azure to identify your local gateway.
• Add a name for the local gateway.
• Enter the IP address of your local gateway.
• Define the local networks that are reachable from this gateway.
6. Configure your VPN device
• The steps involved in configuring your local gateway to accept connections from the Azure VPN gateway will vary by brand.
• Configuration scripts are available from Microsoft for many compatible VPN devices.
• Generally, you will need the IP address and the Shared Key used in the next step.
7. Create the VPN connection
• This step creates the connection between the local gateway and the Azure gateway.
• Define the Connection type as Site to Site (IPsec).
• Select the Azure VPN Gateway defined in step 4.
• Select the local network gateway defined in step 5.
• Enter the same shared key as defined in step 6.
8. Verify the VPN connection
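The Azure side of the eight steps above (everything except step 6, which is done on the on-premises device and varies by vendor), as an added PowerShell example that is not part of the Citrix course material. It assumes the Az.Network module and a session opened with Connect-AzAccount; resource names, address ranges and the device's public IP are placeholders, and the shared key must be the same one configured on the VPN device.

```powershell
# Added example (not from the Citrix course material): Site to Site VPN with the Az module.
# Names, address prefixes and the on-premises public IP are placeholders.
$rg             = 'rg-ctx-network'
$location       = 'westeurope'
$onPremPublicIp = '203.0.113.10'        # placeholder: public IP of your VPN device
$onPremPrefixes = @('10.0.0.0/16')      # placeholder: on-premises ranges reachable behind the device
$sharedKey      = Read-Host -Prompt 'IPsec pre-shared key (same value as on the VPN device)'

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Steps 1-3: virtual network with a DNS server and a subnet that MUST be named GatewaySubnet.
$vdaSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-vda'      -AddressPrefix '10.10.1.0/24'
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-ctx' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.10.0.0/16' -DnsServer '10.10.1.4' -Subnet $vdaSubnet, $gwSubnet

# Step 4: public IP plus the VPN gateway itself (route based, VpnGw1). This can take 45 minutes.
$gwPip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwIpConfig  = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
    -SubnetId $gwSubnetRef.Id -PublicIpAddressId $gwPip.Id
$vpnGw = New-AzVirtualNetworkGateway -Name 'vpngw-ctx' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 5: local network gateway = how Azure identifies the on-premises device and its networks.
$localGw = New-AzLocalNetworkGateway -Name 'lgw-onprem' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $onPremPublicIp -AddressPrefix $onPremPrefixes

# Step 6 (on the device, not scripted here): configure it with the Azure gateway public IP,
# $gwPip.IpAddress, and the same shared key.

# Step 7: the IPsec connection between the Azure gateway and the local network gateway.
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $localGw `
    -ConnectionType IPsec -SharedKey $sharedKey | Out-Null

# Step 8: verify. ConnectionStatus reports 'Connected' once both sides have negotiated the tunnel.
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg).ConnectionStatus
```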

173 © 2021 Citrix Authorized Content


Additional Resources:
• What is VPN Gateway? - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-
vpngateways
• About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections -
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
• Create a Site-to-Site connection in the Azure portal - https://docs.microsoft.com/en-us/azure/vpn-
gateway/vpn-gateway-howto-site-to-site-resource-manager-portal



How to Configure vNet to vNet VPN?

In Azure:
1. Verify the connected locations have virtual networks created.
2. Create a Gateway Subnet per location.
3. Create a Virtual Network Gateway per location.
4. Add a vNet-to-vNet connection type per location. Create a connection using the same Shared Key.
5. Verify connection.

[Diagram: two Azure subscriptions, each with an IPsec S2S VPN gateway, joined by an IPsec/IKE S2S VPN tunnel; the five steps above are repeated on each side.]
Key Notes:
1. Create and configure the first vNet
• If you already have a VNet, verify that the settings are compatible with your VPN gateway design. Pay particular
attention to any subnets that may overlap with other networks. If you have overlapping subnets, your connection won't
work properly.
2. Add additional address space and create subnets
• You can add additional address space and create subnets once your VNet has been created.



3. Create a gateway subnet
• The gateway subnet contains the IP addresses that are used by the virtual network gateway. If possible, it's best to create a gateway subnet using a CIDR block of /28 or /27 in order to provide enough IP addresses to accommodate additional future configuration requirements.
4. Specify a DNS server (optional)
5. Create a virtual network gateway
• Creating a gateway can often take 45 minutes or more.
• Define a name for the Gateway.
• Set Gateway type to VPN.
• Select the VPN SKU depending on the size and performance you need.
• Select the virtual network and the Gateway IP configuration.
6. Create and configure the second vNet
• Ensure that you do not have overlapping IP address space between the first and second vNet.
7. Configure the vNet1 gateway connection
• If your vNets are in different subscriptions, you must use PowerShell rather than the Azure portal to make the connection.
• This step requires that the virtual network gateways for both virtual networks have finished deploying.
• Define a name for the connection.
• Select vNet to vNet as the connection type.
• Select the first and the second Virtual Network Gateways.
• Set the shared key; the same key is entered on the next connection.
8. Configure the vNet2 gateway connection
• Define a name for the connection.
• Select vNet to vNet as the connection type.
• Select the first and the second Virtual Network Gateways.
• Set the shared key; this must match the shared key defined in the previous step.
9. Verify your connections
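Steps 6 through 9 as an added example (not from the course): the address-space overlap check that the notes warn about is done explicitly before the two Vnet2Vnet connections are created with one shared key. It assumes Az.Network is installed, that both vNets and their gateways already exist in one subscription and resource group, and that the vNet and gateway names are placeholders.

```powershell
# Added example (not from the course): connect two vNets whose gateways already exist, checking first
# that their address spaces do not overlap, since an overlap silently breaks routing. Assumptions:
# Az.Network installed; both vNets and gateways are in one subscription and resource group; names
# are placeholders.
$rg = 'rg-ctx-network'

function ConvertTo-IPv4Range {
    # First and last address of an IPv4 CIDR block as integers (exact in [long]).
    param([string]$Cidr)
    $ip, $len = $Cidr.Split('/')
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    $addr = ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
    $size = [long][math]::Pow(2, 32 - [int]$len)
    $start = $addr - ($addr % $size)
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    # $true when the two blocks share at least one address, e.g. 10.0.0.0/16 and 10.0.5.0/24.
    param([string]$CidrA, [string]$CidrB)
    $a = ConvertTo-IPv4Range $CidrA
    $b = ConvertTo-IPv4Range $CidrB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

$vnet1 = Get-AzVirtualNetwork -Name 'vnet-ctx-weu' -ResourceGroupName $rg
$vnet2 = Get-AzVirtualNetwork -Name 'vnet-ctx-neu' -ResourceGroupName $rg
foreach ($p in $vnet1.AddressSpace.AddressPrefixes) {
    foreach ($q in $vnet2.AddressSpace.AddressPrefixes) {
        if (Test-CidrOverlap $p $q) {
            throw "Address space $p of $($vnet1.Name) overlaps $q of $($vnet2.Name); fix this before connecting."
        }
    }
}

# One random pre-shared key, used for both directions of the connection.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

$gw1 = Get-AzVirtualNetworkGateway -Name 'vpngw-weu' -ResourceGroupName $rg
$gw2 = Get-AzVirtualNetworkGateway -Name 'vpngw-neu' -ResourceGroupName $rg

# Steps 7 and 8: a Vnet2Vnet connection is created from each side with the same key.
New-AzVirtualNetworkGatewayConnection -Name 'weu-to-neu' -ResourceGroupName $rg -Location $gw1.Location `
    -VirtualNetworkGateway1 $gw1 -VirtualNetworkGateway2 $gw2 -ConnectionType Vnet2Vnet -SharedKey $psk | Out-Null
New-AzVirtualNetworkGatewayConnection -Name 'neu-to-weu' -ResourceGroupName $rg -Location $gw2.Location `
    -VirtualNetworkGateway1 $gw2 -VirtualNetworkGateway2 $gw1 -ConnectionType Vnet2Vnet -SharedKey $psk | Out-Null

# Step 9: both connections should report 'Connected' after a few minutes.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Where-Object ConnectionType -eq 'Vnet2Vnet' | Select-Object Name, ConnectionStatus
```

For gateways in different subscriptions, retrieve the second gateway with its own Set-AzContext before the connection cmdlets; the overlap check is unchanged.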



Additional Resources:
• Configure a vNet-to-vNet VPN gateway connection using the Azure portal - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal



How to Configure Express Route?

• Prerequisites:
• Azure Account.
• Azure Resource Manager.
• Supported service provider.
• In Azure:
1. Create Express Route circuit in Azure.
2. Test connectivity from Azure PowerShell.
3. Layer 2 connections: configure routing domains.
4. Link a virtual network to an Express Route circuit.
• On-Premise:
2. Order connectivity from the supported service provider.
• Usually takes 1-5 days.

[Diagram: the customer network connects through the partner edge to the Microsoft edge over a primary and a secondary connection into the Azure subscription; the four Azure-side steps sit alongside step 2, ordering connectivity from the service provider.]
Key Notes:
1. Use PowerShell or Azure portal to configure an ExpressRoute circuit.
• Provide Circuit name, Provider, Peering Location, Bandwidth, Standard or Premium SKU, and whether to get unlimited
or metered connection.
2. Order connectivity from the service provider. This process varies. Contact your connectivity provider for more details
about how to order connectivity.
• You will need to provide the circuit's Service Key to your connectivity provider; it can be found under the properties of the circuit created in step 1.
3. Ensure that the circuit has been provisioned successfully by verifying the ExpressRoute circuit provisioning state through PowerShell or the Azure portal.
• The circuit will change to "Provisioning" when the provider is enabling the connection, and once the circuit is fully functional and enabled, the state will show as "Provisioned".
4. Configure routing domains. If your connectivity provider manages Layer 3 for you, they will configure routing for your circuit.
• If your connectivity provider only offers Layer 2 services, you must configure routing.
• Enable Azure private peering - You must enable this peering to connect to VMs / cloud services deployed within virtual networks.
• Enable Azure public peering - You must enable Azure public peering if you wish to connect to Azure services hosted on public IP addresses. This is a requirement to access Azure resources if you have chosen to enable default routing for Azure private peering. (Azure public peering has since been deprecated by Microsoft in favour of Microsoft peering for new circuits.)
• Enable Microsoft peering - You must enable this to access Office 365 and Dynamics 365.
5. Linking virtual networks to ExpressRoute circuits - You can link virtual networks to your ExpressRoute circuit. These vNets can either be in the same Azure subscription as the ExpressRoute circuit or can be in a different subscription.
• Standard ExpressRoute circuits support up to 10 vNet links.
• Premium ExpressRoute circuits raise that vNet link limit (the exact number scales with circuit bandwidth) and raise the private peering route limit above the 4,000 routes of a Standard circuit.
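Steps 1, 2, 3 and 5 of the Azure-side procedure as an added example (not from the course): create the circuit with the choices named in the notes, read the service key for the provider order, check the provisioning state on demand, and link a vNet once the provider has finished. It assumes Az.Network is installed, that an ExpressRoute gateway already exists in the vNet, and that provider, peering location, bandwidth and names are placeholders; the Layer 3 peering configuration of step 4 is not shown.

```powershell
# Added example (not from the course): ExpressRoute circuit, service key, provisioning check, vNet link.
# Assumptions: Az.Network installed; a gateway of -GatewayType ExpressRoute already exists in the vNet;
# provider, peering location, bandwidth and names are placeholders.
$rg = 'rg-ctx-network'; $location = 'westeurope'; $circuitName = 'er-ctx'

# Step 1: the circuit. SkuTier Standard/Premium and SkuFamily MeteredData/UnlimitedData are the
# same choices the portal offers.
$circuit = New-AzExpressRouteCircuit -Name $circuitName -ResourceGroupName $rg -Location $location `
    -SkuTier Standard -SkuFamily MeteredData -ServiceProviderName 'Equinix' `
    -PeeringLocation 'Amsterdam' -BandwidthInMbps 200

# Step 2: the service key is what the provider needs to provision the circuit. Hand it over through
# the provider's authenticated ordering portal, not by e-mail or chat.
Write-Host "Service key for the provider order: $($circuit.ServiceKey)"

# Step 3: provisioning takes days, so check the state on demand rather than polling in a loop.
function Test-ExpressRouteProvisioned {
    param([string]$Name, [string]$ResourceGroupName)
    $c = Get-AzExpressRouteCircuit -Name $Name -ResourceGroupName $ResourceGroupName
    Write-Host "Provider state: $($c.ServiceProviderProvisioningState); circuit state: $($c.CircuitProvisioningState)"
    return ($c.ServiceProviderProvisioningState -eq 'Provisioned' -and $c.CircuitProvisioningState -eq 'Enabled')
}

if (Test-ExpressRouteProvisioned -Name $circuitName -ResourceGroupName $rg) {
    # Step 5: link the vNet through its ExpressRoute gateway. Within the same subscription no key is
    # needed; linking from another subscription requires a circuit authorization created by the owner.
    $ergw = Get-AzVirtualNetworkGateway -Name 'ergw-ctx' -ResourceGroupName $rg
    New-AzVirtualNetworkGatewayConnection -Name 'cn-er-ctx' -ResourceGroupName $rg -Location $location `
        -VirtualNetworkGateway1 $ergw -PeerId $circuit.Id -ConnectionType ExpressRoute | Out-Null
}
```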
Additional Resources:
• ExpressRoute workflows for circuit provisioning and circuit states - https://docs.microsoft.com/en-us/azure/expressroute/expressroute-workflows
• ExpressRoute partners and peering locations - https://docs.microsoft.com/en-us/azure/expressroute/expressroute-locations#partners
• Create and modify an ExpressRoute circuit (ARM) - https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-circuit-portal-resource-manager



Lesson Objective Review

Your manager wants to replace the existing Site to Site VPN with an Express Route. What should you verify before proceeding with the configuration?

That your company's Service Provider is on the Azure supported list of service providers for your area.

Cloud Connector in Azure


Cloud Connector VM Sizing & Requirements

Citrix Cloud Connectors Recommended System Requirements and Configuration

Specs per Cloud Connector:
• Win2019, Win2016, Win2012R2
• 4 vCPU
• 4 GB RAM
• 40 GB HD

[Diagram: three Cloud Connectors serving the Citrix Virtual Apps and Desktops session machines running the VDA and user connections, ~5000 VDAs/Users.]

Key Notes:
• Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019.
• 40 GB of disk space and 4 GB of memory.
• .NET 4.7.2+
• Active Directory membership.
• Computer accounts having Read/Write permissions on the user and computer objects.
• A set of three 4-vCPU Cloud Connectors can handle ~5000 VDAs/Users.



• Using Citrix Gateway as a Service will incur additional CPU load on the Cloud Connectors; each Cloud Connector can handle around 140 Mbps of throughput.

Additional Resources:
• Citrix Cloud: System Requirements - https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector/technical-details.html
• Citrix Cloud Virtual Apps and Desktops Sizing and Scalability Considerations - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/install-configure/install-cloud-connector/cc-scale-and-size.html



Cloud Connectors in Azure

• Deploy a minimum of two Cloud Connectors per Azure location.
• Use Availability Sets to ensure High Availability.
• Deploy Cloud Connectors on Azure Managed Disks.
• Cloud Connectors create Computer Accounts during the MCS process.
• VDAs must be able to communicate with Cloud Connectors for registration and brokering.
• Configure NSG if placed on a different network than VDAs.
• Always uninstall Cloud Connector software before deleting the VM.

Key Notes:
• Availability sets can be used to ensure that Cloud Connectors are spread across different update and fault domains in Azure to ensure their availability.
• Managed disks are recommended because Microsoft will automatically replicate the disks to multiple storage arrays.
• Ensure that NSGs are configured to allow VDAs to register with the Cloud Connectors – typically port 80 or 443.
• If you delete a VM that has the Cloud Connector software installed, you risk leaving orphaned Cloud Connector entries in your Citrix Cloud subscription. These can be difficult to remove and will likely cause you to open a support ticket.
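Two connector VMs placed per the bullets above (one availability set, managed disks, a 4-vCPU size), as an added example that is not from the course. It assumes Az.Compute and Az.Network are installed; the resource group, vNet, subnet, VM size and image are placeholders, and Standard_D4s_v3 is used only because it provides the 4 vCPU from the sizing slide.

```powershell
# Added example (not from the course): two Cloud Connector VMs in one availability set, on managed
# disks, in the server subnet. Assumptions: Az.Compute/Az.Network installed; the resource group, vNet,
# subnet, VM size and image are placeholders; Standard_D4s_v3 gives the 4 vCPU from the sizing guidance.
$rg = 'rg-ctx-infra'; $location = 'westeurope'
$subnet = Get-AzVirtualNetwork -Name 'vnet-ctx-azure' -ResourceGroupName $rg |
    Get-AzVirtualNetworkSubnetConfig -Name 'snet-servers'
$cred = Get-Credential -Message 'Local administrator for the Cloud Connector VMs'

# 'Aligned' is required for managed disks; 2 fault domains and 5 update domains keep the two
# connectors off the same rack and out of the same maintenance window.
$avset = New-AzAvailabilitySet -Name 'avs-cloudconnectors' -ResourceGroupName $rg -Location $location `
    -Sku Aligned -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 5

foreach ($n in 1, 2) {
    $name = "ccazure0$n"
    $nic = New-AzNetworkInterface -Name "$name-nic" -ResourceGroupName $rg -Location $location -SubnetId $subnet.Id
    $vm = New-AzVMConfig -VMName $name -VMSize 'Standard_D4s_v3' -AvailabilitySetId $avset.Id |
        Set-AzVMOperatingSystem -Windows -ComputerName $name -Credential $cred -ProvisionVMAgent -EnableAutoUpdate |
        Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2019-Datacenter' -Version 'latest' |
        Add-AzVMNetworkInterface -Id $nic.Id |
        Set-AzVMOSDisk -Name "$name-osdisk" -CreateOption FromImage -StorageAccountType Premium_LRS -DiskSizeInGB 128 |
        Set-AzVMBootDiagnostic -Disable
    New-AzVM -ResourceGroupName $rg -Location $location -VM $vm | Out-Null
}

# Check the placement: the two VMs must land in different fault domains.
foreach ($n in 1, 2) {
    $v = Get-AzVM -ResourceGroupName $rg -Name "ccazure0$n" -Status
    [pscustomobject]@{ Name = $v.Name; FaultDomain = $v.PlatformFaultDomain; UpdateDomain = $v.PlatformUpdateDomain }
}
```

Domain join and the connector installation itself are separate steps; the VMs here have no public IP, so they are reached only from inside the vNet or over the VPN/ExpressRoute path.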



Additional Resources:
• Citrix Cloud Connector - https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-connector.html



Citrix Cloud Resource Locations

Resource Locations are used to define where the resources reside from a Citrix Cloud control plane perspective.

Key Notes:
• A Resource Location should be defined for each datacenter or Azure region that contains VDAs.
• A Resource Location is sometimes also created to expose an Active Directory to Citrix Cloud although the datacenter does not contain VDAs.
• Resource Locations can contain:
• Citrix ADCs
• Hypervisors



• Citrix Virtual Desktop Agents (VDAs)
• StoreFront servers
• Resource Locations must be associated with Zones in Cloud Studio.
• Resource Locations on Azure typically correspond to an Azure region.
• No limit on the number of Resource Locations.
• Each Resource Location should have a minimum of two Cloud Connectors.
• Place Resource Locations where they best meet your business needs. Resource Locations can be in a public cloud, in a branch office, private cloud, or a data center.
• The choice of location may be impacted by the following:
• Proximity to subscribers
• Proximity to data
• Scale requirements
• Security attributes
• There is no restriction on the number of Resource Locations you can build. The overhead of a resource location is small.
• To provide identity management for subscribers and resources you need to install a Cloud Connector that can reach an Active Directory.
• This makes it easy to distribute the resources across as many Resource Locations as you need without needing to make compromises.
• As an example you could:
• Build a Resource Location in your data center for the head office based on subscribers and applications that need to be close to the data.
• Add a separate Resource Location for your global users in a public cloud, or build separate Resource Locations in branch offices to provide the applications best served close to the branch workers.
• Add a further Resource Location on a separate network that provides restricted applications. This provides restricted visibility to other resources and subscribers without the need to adjust the other Resource Locations.



Additional Resources:
• Azure regions - https://azure.microsoft.com/en-us/regions/
• What Are Resource Locations? - https://docs.citrix.com/en-us/citrix-cloud/overview/about/what-are-resource-locations.html
• Syncing Zones to Resource Location - https://www.citrix.com/blogs/2017/08/16/syncing-zones-to-resource-locations/



Citrix Virtual Apps and Desktops Zones

• Citrix Virtual Apps and Desktops uses Zones to identify different locations.
• A Zone must be created for each Resource Location.

Key Notes:
• Zones in Citrix Cloud are similar to Zones on-premises.
• Use Zones in Studio to map Citrix Virtual Apps and Desktops components to Resource Locations:
• Cloud Connectors
• Resource Locations
• Machine Catalogs
• Host Connections



• Users
• Application Groups
• Citrix Cloud Zones are not Primary/Secondary and do not support registration failover.


Installing Cloud Connector PowerShell

• VMs in Azure can be deployed manually or automatically via ARM Templates.
• The Cloud Connector can be installed through a Custom Script Extension for full automation.
• CWCConnector.exe /q /Customer:Customer /ClientId:ClientId /ClientSecret:ClientSecret /ResourceLocationId:ResourceLocationId /AcceptTermsOfService:true
• Cloud Connector software is updated bi-weekly.

Key Notes:
• /Customer: This is the customer ID available in the console on the API Access page (within Identity and Access Management). This is required.
• /ClientId: Found on the API Access page. This is the secure client ID an administrator can create. This is required.
• /ClientSecret: Found on the API Access page. This is the secure client secret available via download after a secure client is created. This is required.
• /ResourceLocationId: This ID can be retrieved on the Resource Locations page using the ID button. This is not required.



• /AcceptTermsOfService: true. This is required.
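The Custom Script Extension deployment mentioned on the slide, as an added example that is not from the course. The point it adds is where the secret goes: the installer command line carrying /ClientSecret is placed in the extension's protected settings rather than its plain settings. It assumes Az.Compute is installed, that the VM already exists and is domain-joined, that the customer ID, client ID, resource location ID and names are placeholders, and that the installer is fetched from the per-customer download URL Citrix Cloud publishes for cwcconnector.exe.

```powershell
# Added example (not from the course): unattended Cloud Connector install through the Windows Custom
# Script Extension, with the secure client secret passed only in the extension's protected settings
# (encrypted at rest and never returned by the Azure API). Assumptions: Az.Compute installed; the VM
# exists and is domain-joined; customer ID, client ID, resource location ID and names are placeholders;
# the installer is fetched from the per-customer cwcconnector.exe download URL.
$rg = 'rg-ctx-infra'; $location = 'westeurope'; $vmName = 'ccazure01'
$customer = 'yourcustomerid'
$clientId = '00000000-0000-0000-0000-000000000000'
$rlId     = '00000000-0000-0000-0000-000000000000'
$secretSecure = Read-Host -Prompt 'Secure client secret' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secretSecure).Password

# The script that runs on the VM. Placeholders are substituted below so nothing is hard-coded here.
$remote = @'
$ErrorActionPreference = 'Stop'
$dst = Join-Path $env:TEMP 'cwcconnector.exe'
Invoke-WebRequest -Uri 'https://downloads.cloud.com/__CUSTOMER__/connector/cwcconnector.exe' -OutFile $dst -UseBasicParsing
$p = Start-Process -FilePath $dst -Wait -PassThru -ArgumentList @(
    '/q', '/Customer:__CUSTOMER__', '/ClientId:__CLIENTID__', '/ClientSecret:__SECRET__',
    '/ResourceLocationId:__RLID__', '/AcceptTermsOfService:true')
exit $p.ExitCode
'@
$remote = $remote.Replace('__CUSTOMER__', $customer).Replace('__CLIENTID__', $clientId).Replace('__SECRET__', $secret).Replace('__RLID__', $rlId)
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($remote))

# commandToExecute goes in ProtectedSettings, not Settings: anything in Settings is readable by every
# reader of the VM resource (Get-AzVMExtension, the portal, ARM template exports).
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location -Name 'InstallCloudConnector' `
    -Publisher 'Microsoft.Compute' -ExtensionType 'CustomScriptExtension' -TypeHandlerVersion '1.10' `
    -ProtectedSettings @{ commandToExecute = "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand $encoded" } | Out-Null

# Verify: ProvisioningState 'Succeeded' means the installer exited 0; the connector then shows up
# under Resource Locations in the Citrix Cloud console.
Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'InstallCloudConnector' -Status |
    Select-Object Name, ProvisioningState
```

The secret is still visible on the installer's command line on the VM while it runs, so use a secure client created for the rollout and delete it from the API Access page once the connectors are registered.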

Additional Resources:
• Automating the Cloud Connector Installation - https://www.citrix.com/blogs/2017/03/15/automating-the-cloud-connector-installation/



Securing Cloud Connector XML and STA Traffic

[Diagram: in Azure, StoreFront sends XML traffic and Citrix Gateway sends STA traffic to the Cloud Connectors, which talk to Citrix Cloud; user endpoints connect through StoreFront and Citrix Gateway. Default: TCP 80. After adding a certificate: TLS 443.]

Key Notes:
• By default, Cloud Connectors have no certificate bound and do not accept TLS for the XML or STA functionality.
• Use these steps to add a certificate and move the traffic to a secure port:
• Create or import an SSL certificate.
• Obtain the certificate hash (thumbprint).
• Open the certificate in MMC > Details pane > Thumbprint.
• Copy to Notepad and delete all spaces.



• Obtain the Citrix Broker Service GUID.
• Open Regedit, navigate to HKEY_CLASSES_ROOT\Installer\Products\ and search for "Citrix Broker Service".
• Copy the key name to Notepad and add hyphens to the value in the format 8-4-4-4-12.
• Register the SSL certificate with the Citrix Broker Service (from an elevated command prompt):
• netsh http add sslcert ipport=<IP address>:<Port Number> certhash=<Certificate Hash Number> appid={<Citrix Broker Service GUID>}
• Example: netsh http add sslcert ipport=10.0.0.7:443 certhash=bc96f958848639fd101a793b87915d5f2829b0b6 appid={33258705-EE40-1E64-98BD-EC1BDC0B578E}
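The same binding done end to end in PowerShell on the Cloud Connector, as an added example that is not from the course. It reads the thumbprint from the certificate store instead of from the MMC dialog, derives the appid GUID from the registry key exactly as the notes describe, replaces any existing binding on the port, and checks the result. It assumes the certificate is already in LocalMachine\My with its private key; the DNS name and listener address are placeholders.

```powershell
# Added example (not from the course): bind a certificate to the Cloud Connector XML/STA listener on 443.
# Run elevated on the Cloud Connector. Assumptions: the certificate is already in LocalMachine\My;
# $dnsName and the listener IP are placeholders.
$dnsName  = 'ccazure01.corp.example'
$listenIp = '0.0.0.0'      # or the connector's NIC address, e.g. 10.0.0.7
$port     = 443

# Thumbprint straight from the store: no spaces and no hidden characters (pasting from the MMC
# certificate dialog often brings along an invisible left-to-right mark that breaks netsh).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $dnsName -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key for $dnsName in LocalMachine\My" }

# Broker Service product GUID from HKCR\Installer\Products: the key name is the GUID without hyphens,
# and [guid] accepts that 32-digit form and re-emits it as {8-4-4-4-12}.
$product = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\Installer\Products' |
    Where-Object { (Get-ItemProperty -Path $_.PSPath).ProductName -eq 'Citrix Broker Service' } |
    Select-Object -First 1
if (-not $product) { throw 'Citrix Broker Service is not installed on this machine' }
$appId = ([guid]$product.PSChildName).ToString('B').ToUpper()

# Replace any existing binding on the port, then add ours.
$existing = netsh http show sslcert ipport="${listenIp}:$port" 2>$null
if ($LASTEXITCODE -eq 0 -and ($existing -match 'Certificate Hash')) {
    netsh http delete sslcert ipport="${listenIp}:$port" | Out-Null
}
netsh http add sslcert ipport="${listenIp}:$port" certhash=$($cert.Thumbprint) appid=$appId
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Verify the binding and that the listener answers on 443.
netsh http show sslcert ipport="${listenIp}:$port"
Test-NetConnection -ComputerName $dnsName -Port $port | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

After the binding is in place, point StoreFront's Delivery Controller transport and the Citrix Gateway STA URLs at https://<connector>:443 so the XML and STA traffic actually moves off port 80; the binding alone does not close port 80.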



Securing Cloud Connector Azure Network Security Group (NSG)

Cloud Connectors can be protected with an Azure Network Security Group.

[Diagram: a Server Network Security Group around the Active Directory and Cloud Connector VMs, and a separate VDA Network Security Group around the VDA and VDI machines.]

Key Notes:
• Network Security Groups work like firewalls, and they can be used to protect servers from VDAs.
• Make sure all necessary ports are open between the different networks.
• Remember that NSGs cannot be attached to a vNet as a whole, so define them on subnets or on individual NICs.



Cloud Connector Communications

Roles | Protocol and Ports | How to secure
StoreFront -> Cloud Connector | TCP 80 or 443 | Encrypt with certificates on Cloud Connector
Citrix ADC -> Cloud Connector | TCP 80 or 443 | Encrypt with certificates on Cloud Connector
VDA -> Cloud Connector | TCP 80 | Traffic already encrypted using Kerberos
VDA -> Cloud Connector | TCP 1494 and 2598 | Encrypted in the next hop
Cloud Connector -> VDA | TCP 80 | Traffic encrypted using Kerberos
Cloud Connector -> Internet | TCP 443 | SSL by default
Plus RDS, AD, DNS, WinRM and other services.
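The two NSGs from the previous slide, written against the ports in this table, as an added example that is not from the course. The server NSG admits VDA traffic only on the connector ports and the standard Active Directory/DNS ports (the "AD, DNS" row of the table; the port list is the usual domain-member set, not taken from the course), then drops everything else from the VDA subnet ahead of Azure's default AllowVnetInBound rule. It assumes Az.Network is installed; subnet names, prefixes and the NIC name are placeholders, and RDS licensing and WinRM are left for a separate rule set.

```powershell
# Added example (not from the course): NSGs for the server subnet (Cloud Connectors, domain controllers)
# and the VDA subnet, limited to the ports in the communications table plus standard AD/DNS ports.
# Assumptions: Az.Network installed; subnet names, prefixes and NIC name are placeholders.
$rg = 'rg-ctx-network'; $location = 'westeurope'
$serverPrefix = '10.0.1.0/24'   # snet-servers: Cloud Connectors, AD
$vdaPrefix    = '10.0.2.0/24'   # snet-vda: VDAs / VDI

$serverRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-VDA-to-Connector-XML' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $vdaPrefix -SourcePortRange '*' -DestinationAddressPrefix $serverPrefix -DestinationPortRange 80, 443
    New-AzNetworkSecurityRuleConfig -Name 'Allow-VDA-to-Connector-ICA' -Priority 110 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $vdaPrefix -SourcePortRange '*' -DestinationAddressPrefix $serverPrefix -DestinationPortRange 1494, 2598
    # Domain-member traffic to the DCs that share this subnet (standard AD/DNS ports, an assumption of this example).
    New-AzNetworkSecurityRuleConfig -Name 'Allow-VDA-to-AD-TCP' -Priority 120 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $vdaPrefix -SourcePortRange '*' -DestinationAddressPrefix $serverPrefix `
        -DestinationPortRange 53, 88, 135, 389, 445, 464, 636, '3268-3269', '49152-65535'
    New-AzNetworkSecurityRuleConfig -Name 'Allow-VDA-to-AD-UDP' -Priority 130 -Direction Inbound -Access Allow `
        -Protocol Udp -SourceAddressPrefix $vdaPrefix -SourcePortRange '*' -DestinationAddressPrefix $serverPrefix `
        -DestinationPortRange 53, 88, 123, 389, 464
    # Everything else from the VDA subnet is dropped before the default AllowVnetInBound rule (priority 65000).
    New-AzNetworkSecurityRuleConfig -Name 'Deny-VDA-Other' -Priority 4000 -Direction Inbound -Access Deny `
        -Protocol '*' -SourceAddressPrefix $vdaPrefix -SourcePortRange '*' -DestinationAddressPrefix $serverPrefix -DestinationPortRange '*'
)
$vdaRules = @(
    # Connector -> VDA: registration on 80; 1494/2598 are needed when the connector proxies ICA
    # for Citrix Gateway Service (an assumption of this example, not from the table above).
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Connector-to-VDA' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $serverPrefix -SourcePortRange '*' -DestinationAddressPrefix $vdaPrefix -DestinationPortRange 80, 1494, 2598
)
$nsgServers = New-AzNetworkSecurityGroup -Name 'nsg-servers' -ResourceGroupName $rg -Location $location -SecurityRules $serverRules
$nsgVda     = New-AzNetworkSecurityGroup -Name 'nsg-vda' -ResourceGroupName $rg -Location $location -SecurityRules $vdaRules

# NSGs attach to subnets (or NICs), never to the vNet itself.
$vnet = Get-AzVirtualNetwork -Name 'vnet-ctx-azure' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-servers' -AddressPrefix $serverPrefix -NetworkSecurityGroup $nsgServers | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-vda' -AddressPrefix $vdaPrefix -NetworkSecurityGroup $nsgVda | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check on a running Cloud Connector: the effective rules must show the allows and the deny in this order.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'ccazure01-nic' -ResourceGroupName $rg |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Select-Object Name, Direction, Access, Protocol, DestinationPortRange, Priority
```

Connector-to-Internet traffic on 443 is covered by Azure's default AllowInternetOutBound rule; if the server subnet has a forced-tunnel or firewall route, the Citrix Cloud endpoints have to be allowed there as well.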

Additional Resources:
• Communication Ports Used by Citrix Technologies - https://support.citrix.com/article/CTX101810#Citrix_Cloud



Lab Exercise

• Exercise 3-1: Deploy a Citrix Cloud Connector from GUI.
• Exercise 3-2: Deploy a Citrix Cloud Connector using PowerShell.
• Exercise 3-3: Verify that Cloud Resource Locations are aligned with Zones in Citrix Virtual Apps and Desktops Service.


Lesson Objective Review

Why should Cloud Connectors be deployed in an Azure Availability Set?

To force Azure to distribute the servers between multiple Fault and Update Domains, thus reducing the risk of downtime on this role.


Creating Azure Host Connections


Azure Host Connections Overview

[Diagram: Citrix Cloud's Host Integration Service reaches a traditional on-premises hypervisor through the Cloud Connectors' HCL, while the Azure ARM plugin connects directly to the Azure API.]

Key Notes:
• Azure Host Connections can be created from Studio on-prem or Citrix Cloud Studio.
• Uses Azure plugin functionality.
• Communicates directly with the Azure API (HCL bypass); other hypervisors are reached through the Cloud Connector HCL service.
• Multiple connections supported:
• Different subscriptions
• Different regions


• Dev/Test/Prod

Additional Resources:
• Connecting to Azure Resource Manager in Citrix Virtual Apps and Desktops - https://www.citrix.com/blogs/2016/07/21/connecting-to-azure-resource-manager-in-xenapp-xendesktop/
• Azure Resource Manager Now Available in Citrix Virtual Apps and Desktops Service - https://www.citrix.com/blogs/2016/07/07/azure-resource-manager-now-available-in-xenapp-xendesktop-service/



Azure Host Connections: What are they used for?

• Create a Service Principal (optional).
• Create Machine Catalogs.
• Create VMs, Disks, Storage Accounts, Resource Groups & NSGs.
• Update Machine Catalogs.
• Delete Machine Catalogs.
• VM power operations.

Key Notes:
• Azure Host Connections are used for a number of tasks, such as creating and deleting Machine Catalogs, updating the Catalogs and controlling power operations.
• The main difference between a regular hypervisor hosting connection and the Azure-specific host connection is the ability to create a service principal in Azure – remember that this relies on the Full Scope vs Narrow Scope choice covered previously.
• Prerequisites:
• An Azure Subscription.


• An account which is a member of the Azure Active Directory (Azure AD) associated with your subscription,
which is also co-administrator of the subscription.
• An ARM virtual network and subnet in your preferred region with connectivity to an AD controller.
Additional Resources:
• Connecting to Azure Resource Manager in Citrix Virtual Apps and Desktops - https://www.citrix.com/blogs/2016/07/21/connecting-to-azure-resource-manager-in-xenapp-xendesktop/
• Azure Resource Manager Now Available in Citrix Virtual Apps and Desktops Service - https://www.citrix.com/blogs/2016/07/07/azure-resource-manager-now-available-in-xenapp-xendesktop-service/



Host Connection Wizard

• Host connections are created in Studio within the Hosting pane.
• Azure Host connections are available in:
• Citrix Virtual Apps and Desktops product on-premises.
• Citrix Virtual Apps and Desktops in Citrix Cloud.
• For Azure connections input the following:
• Azure Region
• Azure Subscription ID
• Azure credentials to authenticate to Azure
• Azure owner -> wizard creates Service Principal
• Azure narrow scope -> pre-created Service Principal

Key Notes:
• When creating the first connection through Studio, Azure will prompt the admin to grant it the necessary permissions.
• When creating future connections, Azure will still require the admin to authenticate, but Azure will remember the previous consent and not display the consent prompt again.


Additional Resources:
• Create a connection and resources - https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/manage-deployment/connections.html#par_anchortitle_d664
• Microsoft Azure Resource Manager virtualization environments - https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/install-configure/install-prepare/azure-resource-manager.html



Host Connection Wizard: Setup Azure Network

• Must specify Azure Virtual Network and Subnet.
• VMs created will be connected to this Virtual Network and Subnet.
• Networks are filtered based on the previous region selection and Service Principal permission.
• Storage Accounts are created during MCS Catalog creation within the VDA Resource Group.
• Only with unmanaged disks Catalogs.
• Resource Groups:
• Created automatically using Full Scope Service Principal.
• Pre-created by an administrator using the Narrow Scope Service Principal.

Key Notes:
• After selecting the Azure Region, the admin must select the Network and Subnet to associate with the hosting connection.
• The network and subnet should be large enough to host the number of machines required.
• Storage works differently than with a regular Host connection – in Azure, we use either managed or unmanaged disks.
• For managed disks, no storage accounts are needed.
• For unmanaged disks, storage accounts are created during the Catalog creation.


• Resource Groups are also created during the Catalog creation if the Service Principal has permission to do
it.
• Alternatively, pre-created Resource Groups are supported – these are also specified during Catalog
creation.

Additional Resources:
• Connecting to Azure Resource Manager in Citrix Virtual Apps and Desktops - https://www.citrix.com/blogs/2016/07/21/connecting-to-azure-resource-manager-in-xenapp-xendesktop/



Host Connection Wizard: Granting the Service Principal Full Scope Permission

• The Service Principal can be created in Azure AD by the Host Connection wizard if you have Owner permissions.
• The Service Principal will have Contributor permission on the entire Azure Subscription.
• A corresponding Application will also appear in Azure AD.

Key Notes:
• When allowing the Host Connection wizard to create the Service Principal, it will be defined as having Contributor permission on the entire subscription. Contributor lets the principal create, change and delete any resource in the subscription, so use this only where the subscription is dedicated to the deployment; otherwise pre-create a narrow-scope principal.
• Service Principals and Applications are two separate things in Azure but they are often used interchangeably.
• The Service Principal can be listed through PowerShell and, in the current Azure portal, under Azure AD > Enterprise applications.
• In addition to the Service Principal, an Azure Application is also created; the Application can be viewed in the Azure Portal under App registrations.
• Microsoft definitions:


• When you register an Azure AD application in the Azure portal, two objects are created in your Azure AD
tenant: an application object, and a service principal object.
• In order to access resources that are secured by an Azure AD tenant, the entity that requires access must be
represented by a security principal.

Additional Resources:
• Connecting to Azure Resource Manager in Citrix Virtual Apps and Desktops - https://www.citrix.com/blogs/2016/07/21/connecting-to-azure-resource-manager-in-xenapp-xendesktop/
• Application and service principal objects in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects



Host Connection Wizard: Using the Pre-created Narrow Scope Service Principal

• A Service Principal can be pre-created in Azure and used in the Host Connection Wizard.
• Supply:
• Subscription name
• Active Directory ID
• Application ID
• Application secret
• Option to limit permissions.

Key Notes:
• To create a service principal manually, connect to your Azure Resource Manager subscription and use the PowerShell cmdlets provided below. Host connections can also be created by PowerShell.
• Prerequisites:
• $SubscriptionId: Azure Resource Manager SubscriptionID for the subscription where you want to provision VDAs.
• $AADUser: Azure AD user account for your subscription's AD tenant.
• Make the $AADUser the co-administrator for your subscription.


• $ApplicationName: Name for the application to be created in Azure AD.
• $ApplicationPassword: Password for the application. You will use this password as the application secret when creating the host connection.
• To create a service principal (the course uses the legacy AzureRm cmdlets; the AzureRm module is retired, and the Az module provides equivalents):
• Step 1: Connect to your Azure Resource Manager subscription.
• Login-AzureRmAccount
• Step 2: Select the Azure Resource Manager subscription where you want to create the service principal.
• Select-AzureRmSubscription -SubscriptionID $SubscriptionId
• Step 3: Create the application in your AD tenant.
• $AzureADApplication = New-AzureRmADApplication -DisplayName $ApplicationName -HomePage "https://localhost/$ApplicationName" -IdentifierUris "https://$ApplicationName" -Password $ApplicationPassword
• Step 4: Create a service principal.
• New-AzureRmADServicePrincipal -ApplicationId $AzureADApplication.ApplicationId
• Step 5: Assign a role to the service principal. Note that the -Scope below grants Contributor on the whole subscription; for a genuinely narrow scope, point -Scope at the resource group(s) MCS should manage instead.
• New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $AzureADApplication.ApplicationId -Scope /subscriptions/$SubscriptionId
• Step 6: From the output window of the PowerShell console, note the ApplicationId. You will provide that ID when creating the host connection.
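The same principal created with the current Az module and actually limited to one resource group, as an added example that is not from the course. It assumes Az.Accounts and Az.Resources 5.x or later (the Microsoft Graph based versions, where New-AzADServicePrincipal returns the generated secret in PasswordCredentials); subscription ID, resource group and display name are placeholders. MCS also needs rights on the resource group that holds the host connection's virtual network; the exact minimum permission set is in the Citrix documentation and is not reproduced here.

```powershell
# Added example (not from the course): narrow-scope service principal with the Az module, Contributor
# on one resource group only. Assumptions: Az.Accounts and Az.Resources 5.x or later; subscription ID,
# resource group and display name are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$rgScope        = 'rg-ctx-vdas'            # resource group MCS will create and manage VMs in
$spName         = 'sp-ctx-mcs-narrow'

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Creates the app registration and its service principal together. The one-time secret is the
# "Application secret" the host connection wizard asks for; store it in a vault, not in the script.
$sp = New-AzADServicePrincipal -DisplayName $spName
$secret = $sp.PasswordCredentials.SecretText

# The new principal may not have replicated yet, so retry the role assignment a few times.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$rgScope"
$attempt = 0
do {
    $attempt++
    try {
        New-AzRoleAssignment -ApplicationId $sp.AppId -RoleDefinitionName 'Contributor' -Scope $scope -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        $assigned = $false
        Start-Sleep -Seconds 10
    }
} until ($assigned -or $attempt -ge 6)
if (-not $assigned) { throw "Role assignment on $scope failed after $attempt attempts." }

# Check before handing the values to Studio: the principal must hold nothing at subscription scope.
# Older Az.Resources versions assigned Contributor on the whole subscription by default unless
# -SkipAssignment was used, which silently turns a narrow-scope principal into a full-scope one.
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
$assignments
if ($assignments | Where-Object Scope -eq "/subscriptions/$subscriptionId") {
    throw "Unexpected subscription-wide role assignment for $spName; remove it before using this principal."
}

# Values for the wizard: Subscription ID, Active Directory (tenant) ID, Application ID, Application secret.
[pscustomobject]@{
    SubscriptionId = $subscriptionId
    TenantId       = (Get-AzContext).Tenant.Id
    ApplicationId  = $sp.AppId
    SecretSet      = -not [string]::IsNullOrEmpty($secret)
}
```

The secret is shown once by Azure AD and cannot be read back later; if it is lost, add a new credential with New-AzADSpCredential rather than recreating the principal, so the existing role assignments stay intact.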

Additional Resources:
• Connecting to Azure Resource Manager in Citrix Virtual Apps and Desktops - https://www.citrix.com/blogs/2016/07/21/connecting-to-azure-resource-manager-in-xenapp-xendesktop/


Host Connection Properties

• Ensure Host Connection properties match Azure capabilities.

Key Notes:
• For most customers, these default values will be adequate.
• Only adjust these values if you are having problems.
• Adjust higher to create Catalogs faster, but monitor how many requests you are sending to Azure.
• Adjust lower if you start having problems with Catalog creation.
• Remember that MCS will not be the only thing putting a load on the Azure API.


Azure Rate Limiting

• Azure Resource Manager limits requests for each subscription and tenant.
• Read requests: 15,000 per hour.
• Write requests: 1,200 per hour.
• Reaching this limit can cause MCS to fail.
• HTTP status code 429 Too Many Requests.
• Other services may also be sending write requests.

Key Notes:
• If the subscription is only used for Citrix, the Citrix Azure plugin will throttle itself to avoid reaching these thresholds.
• You can check the remaining requests available using PowerShell. The header is returned on every ARM response; the token and header setup are what the original one-liner assumed in $authHeaders (Get-AzAccessToken is from the Az.Accounts module):
• $token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
• $authHeaders = @{ Authorization = "Bearer $token" }
• $r = Invoke-WebRequest -Uri "https://management.azure.com/subscriptions/{guid}/resourcegroups?api-version=2016-09-01" -Method GET -Headers $authHeaders
• $r.Headers["x-ms-ratelimit-remaining-subscription-reads"]


Additional Resources:
• Protect your API with rate limits using Azure API Management - https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-product-with-rules
• Throttling Resource Manager requests - https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-request-limits
• Azure subscription and service limits, quotas, and constraints - https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits



Lab Exercise Prep

• Exercise 3-4: Create a Host Connection from Citrix Studio using Pre-created Service Principal.


Lesson Objective Review

Which permissions will the Service Principal created by the Hosting Connection Wizard have in Azure?

Contributor on the entire Azure Subscription.


Key Takeaways

• Express Routes to Azure are direct connections from your network to Azure; they are typically handled by your ISP.
• Always deploy two Cloud Connectors per Azure location; use availability sets to minimize downtime.
• Azure Host Connections can be created using Full Scope or Limited Scope Service Principals in Azure AD.


Citrix Virtual Apps and Desktops Service on Microsoft Azure

Deploy Apps and Desktops using Machine Creation Services (MCS)

Module 4


Learning Objectives

• Define the steps of Master image preparation.
• Examine the functionality of Machine Creation Services.
• Identify considerations involved with MCS in Azure.


Master Image Preparation


Creating a Master VM

• Master VMs can be created using two general methods:
• Create a new VM from the Azure Marketplace.
• Upload an existing Master image from your on-premises deployment, and use this image to deploy a new VM.

Key Notes:
• Creating a net new image and deploying all your software again can be a big task.
• Some customers prefer to re-use the image they already have running in their on-premises environment.
• The considerations for a new image are:
• Clean slate deployment.
• Operating system refresh.
• Design change/adjustment.



• The considerations for re-using existing image are:
• When an image cannot easily be rebuilt.
• The image must be sys-prepped.
• Any hypervisor or hardware tools must be removed.



Deploy From Marketplace

• Deploy Manually
• Resource Group
• Azure Location
• VM Size
• Managed Disks
• Network and Subnet
• Storage Group
• Alternatively, deploy using ARM Template
• Automation
• Custom configuration

Key Notes:
• Virtual Machines with default operating systems can be deployed from the Azure marketplace.
• Steps to create a VM from Azure Marketplace:
1. Define the VM name. (Top Left)
2. Choose the disk type (SSD or HDD); selecting SSD will limit the VM sizes later on. SSD is not typically needed when creating a master.
3. Enter username and password. (admin or administrator cannot be used)



4. Select the subscription, resource group, and region for the VM.
5. Select the VM SKU size. (Bottom Left)
6. High availability should not be configured for the master. (Right)
7. Select whether to use managed or unmanaged disks; both are supported when defining a master for MCS purposes.
8. Select the network and subnet; a public IP should not be added to a Master VDA.
9. Extensions can be added, for example to join a domain or run a PowerShell script during deployment.
10. Auto shutdown can help the admin save money by shutting down the VM automatically at a certain time of day.
11. Boot diagnostics and Guest OS diagnostics provide additional troubleshooting information for the virtual machine.
12. Register with Azure Active Directory is not supported at this point for a master VDA.
13. Backup can be enabled, but customers should determine a complete backup strategy for their Azure deployment.
• All the options supported in the Azure portal are also supported using ARM Templates.
• ARM Templates can be used to create a configuration set that can be executed many times with little effort.

Additional Resources:
• Create a Windows virtual machine with the Azure portal - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-portal
• Create a Windows virtual machine from a Resource Manager template - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template



Bring Your Own Image
An alternative method to creating a new VM inside Azure.

• Generalize the source VM using Sysprep.
• Identify the destination storage account.
• Upload the VHD to the storage account.
• AzCopy.
• Azure Storage Copy Blob API.
• Azure Storage Explorer Uploading Blobs.
• Storage Import/Export Service REST API Reference.
• Create a managed image from the uploaded VHD.
• Create a Virtual Machine.

Key Notes:
• As an alternative to creating a new VM inside Azure and deploying the VDA software and all the applications again, some customers choose to copy their existing Master Image into Azure and use that as a base image for a new Azure VM.
• This means that customers can skip the process of re-creating the image including deploying the VDA software,
applications, patches, and testing application functionality.
• The process of moving over an existing image is:
• Remove any hardware or hypervisor specific tools, such as XenTools.



• Sysprep the image to remove the domain SID and domain dependency (remember this can only be done a finite number of times on any given image).
• Upload the VHD to a storage account in Azure using AzCopy, Storage Explorer or a similar tool.
• Convert the VHD to a managed image using Azure PowerShell.
• Create a VM from the managed image using Azure PowerShell.
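The last two steps of the process above (managed image from the uploaded VHD, then a VM from that image) with Azure PowerShell, as an added example that is not part of the Citrix course; the resource group, location, VNet, subnet, VM size, blob name and function names are constructed values for illustration.

```powershell
# Added example, not part of the Citrix course: the "bring your own image" steps after the
# upload, done with the Az PowerShell module. Assumed/constructed values: resource group,
# location, VNet/subnet names, VM size and VHD blob URL; the function names are this example's own.
# Prerequisites (not shown): Connect-AzAccount, the VHD already uploaded with AzCopy or
# Storage Explorer, and the VHD generalized with Sysprep before upload.

function New-MasterImageFromVhd {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $ImageName,
        [Parameter(Mandatory)] [string] $VhdUri   # blob URL of the uploaded, generalized VHD (placeholder below)
    )
    # OsState Generalized is what makes the image usable as a template; an uploaded VHD that
    # was not Sysprepped would boot with the source machine's SID and domain membership.
    $cfg = New-AzImageConfig -Location $Location
    $cfg = Set-AzImageOsDisk -Image $cfg -OsType Windows -OsState Generalized -BlobUri $VhdUri
    New-AzImage -ImageName $ImageName -ResourceGroupName $ResourceGroupName -Image $cfg
}

function New-MasterVmFromImage {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $VmName,
        [Parameter(Mandatory)] [string] $ImageId,
        [Parameter(Mandatory)] [string] $SubnetId,          # existing subnet; the master gets no public IP
        [Parameter(Mandatory)] [string] $VmSize,
        [Parameter(Mandatory)] [pscredential] $LocalAdmin   # not "admin"/"administrator", which Azure rejects
    )
    # NIC on the existing subnet only (no -PublicIpAddressId), matching the guidance that a
    # Master VDA should not be given a public IP.
    $nic = New-AzNetworkInterface -Name "$VmName-nic" -ResourceGroupName $ResourceGroupName `
               -Location $Location -SubnetId $SubnetId

    $vm = New-AzVMConfig -VMName $VmName -VMSize $VmSize
    $vm = Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $VmName -Credential $LocalAdmin -ProvisionVMAgent
    $vm = Set-AzVMSourceImage -VM $vm -Id $ImageId
    $vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
    # Managed OS disk, as Citrix recommends for the master (no storage account to maintain).
    $vm = Set-AzVMOSDisk -VM $vm -Name "$VmName-osdisk" -CreateOption FromImage -StorageAccountType StandardSSD_LRS
    New-AzVM -ResourceGroupName $ResourceGroupName -Location $Location -VM $vm
}

# Example run with constructed names (replace the placeholders before use):
$rg  = 'rg-citrix-master'
$loc = 'westeurope'
$img = New-MasterImageFromVhd -ResourceGroupName $rg -Location $loc -ImageName 'master-win10-image' `
           -VhdUri 'https://<storage-account>.blob.core.windows.net/vhds/master.vhd'
$subnet = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-citrix').Subnets | Where-Object Name -eq 'vda-subnet'
New-MasterVmFromImage -ResourceGroupName $rg -Location $loc -VmName 'master-vda-01' -ImageId $img.Id `
    -SubnetId $subnet.Id -VmSize 'Standard_D2s_v3' -LocalAdmin (Get-Credential -Message 'Local admin for master VM')
```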

Additional Resources:
• Upload a generalized VHD and use it to create new VMs in Azure - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/upload-generalized-managed



Bring Your Own Windows License

• When creating a VM you can choose to apply your own Windows License which:
• Can be used to reduce Azure cost.
• Requires KMS infrastructure to support MCS.
• Windows 10 requires Microsoft EA subscription and Current Branch for Business.
• Citrix Virtual Apps workloads require RDS Licenses and infrastructure.

Key Notes:
• Some customers have existing license entitlements or on-premises licenses with hybrid usage rights; examine whether your organization is already licensed in Azure, or whether the license is cheaper through a Microsoft EA agreement.
• For additional Azure Virtual Machine Licensing information, please refer to the licensing FAQ in the additional resources
section.
• Windows 10 does not support hybrid usage at the time of writing.



Additional Resources:
• Virtual Machines Licensing FAQ - https://azure.microsoft.com/en-us/pricing/licensing-faq/
• How to use Azure Hybrid Use Benefit? https://support.citrix.com/article/CTX220104



Storage

• Citrix recommends deploying the Master VM on Azure Managed Disks.
• MCS can create Catalogs based from:
• Managed Disks
• Managed Snapshots
• Unmanaged VHD files
• Service Principal needs permission on the Master disk.
• MCS supports storage flexibility.
• Azure Managed Disks vs Unmanaged Disks
• Standard vs Premium

Key Notes:
• The master can be deployed on both managed or unmanaged disks in Azure.
• Customers also have the flexibility to choose standard or premium storage.
• When you create a machine catalog in Studio, the Master Image page of the catalog creation wizard lists managed disks,
managed snapshots as well as VMs and VHDs.
• Citrix typically recommends deploying Master VMs on managed disks, to reduce the need for maintaining storage
accounts and controlling replication of images.



• There are two types of storage available in Azure, Standard and Premium. Standard Storage utilizes spinning disks and is meant for low cost, low criticality workloads.
• The challenge with Standard Storage for Citrix workloads is that IOPS and throughput of a disk are not provisioned, therefore there can be variance in the performance of a VM disk. Premium Storage utilizes solid-state drives for higher performance and low latency and requires instances such as DS-series, GS-series, Ls-series, and Fs-series. Performance is provisioned for VM disks providing more consistency for the workload.
• Standard and Premium VM disks also come in managed and unmanaged varieties. Unmanaged disks leverage storage accounts. Storage accounts have a set amount of IOPS (20k for Standard, 50k for Premium) and these resources must be managed by the customer.
• From a cost perspective, there are charges associated with the IOPS and each unique GB consumed within a storage account. The disadvantage of storage accounts (unmanaged) is availability.
• Each storage account is within a storage scale unit (stamp). If a stamp fails due to hardware or software failure, the VM instances with disks on those stamps fail. When provisioning multiple storage accounts it is not possible to control the stamp where their accounts are stored.

Additional Resources:
• Support for Azure Managed Disks Goes Into Production - https://www.citrix.com/blogs/2018/02/21/support-for-azure-managed-disks-goes-into-production/
• Citrix TIPs Series: Citrix on Azure FAQs - https://www.citrix.com/blogs/2018/03/07/citrix-tips-series-citrix-on-azure-faqs/




Deploy the VDA
Installation Options

There are two overall deployment methods for the VDA:

• Manual Deployment
• Server OS machine - VDAServerSetup.exe.
• Workstation OS machine - VDAWorkstationSetup.exe.
• PowerShell Deployment
• ARM Template
• Azure Custom Script Extension
• Automation Accounts

During VDA deployment ensure to specify Cloud Connectors as the Delivery Controllers.

Key Notes:
• Manual Deployment
• The manual deployment of the VDA agent on a Server or Desktop OS follows the same procedure as an on-premises
installation.
• The customer will choose to register with the cloud connector(s) within the same Azure region during the installation
process.
• The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post-deployment configuration, software installation, or any other configuration/management task. Scripts can be downloaded from Azure storage or GitHub, or provided to the Azure portal at extension run time.
• The Custom Script extension integrates with Azure Resource Manager templates, and can also run using the Azure CLI, PowerShell, Azure portal, or the Azure Virtual Machine REST API.

Additional Resources:
• Custom Script Extension for Windows - https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows


Deploy the VDA
Using PowerShell

• Copy VDA software to Central Storage Blob.
• Use AZCopy or PowerShell Copy to download file.
• Use CMDline options to define installation:
• VDAWorkstationSetup.exe /quiet /components vda /exclude "Citrix User Profile Manager" /controllers "CloudConnector01.domain.com" /enable_hdx_ports /noreboot

Key Notes:
• The command line parameters on this slide are just an example; you must define what you want to install and build your command line string accordingly.
• Additional resources covering all the options can be found on eDocs.
• Command line options are the same as the on-premises deployment.
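A deployment script built around the command line on the slide, as an added example that is not part of the Citrix course: it downloads the installer from the central blob, verifies the file hash before executing it, runs the installer quietly with the Cloud Connectors as controllers, and checks the registered controller list afterwards. The blob URL, the expected hash placeholder, the connector FQDNs and the function names are assumptions; the installer switches and the ListOfDDCs registry value are Citrix's own.

```powershell
# Added example, not part of the Citrix course. Assumptions: the installer is staged in a
# blob readable by the VM (SAS URL placeholder below), its SHA-256 was recorded when it was
# staged, and the Cloud Connector FQDNs are those of this Azure region; the function names
# are this example's own. The installer switches are the ones shown on the slide.

function Install-CitrixVda {
    param(
        [Parameter(Mandatory)] [string]   $InstallerUrl,
        [Parameter(Mandatory)] [string]   $ExpectedSha256,
        [Parameter(Mandatory)] [string[]] $CloudConnectors,
        [string] $WorkDir = 'C:\Temp\VDA'
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $exe = Join-Path $WorkDir 'VDAWorkstationSetup.exe'

    # Download from the central storage blob (the slide also allows AzCopy for this step).
    Invoke-WebRequest -Uri $InstallerUrl -OutFile $exe -UseBasicParsing

    # Do not execute whatever the blob happens to contain: compare against the hash recorded
    # when the installer was staged in storage.
    $actual = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "Installer hash mismatch: expected $ExpectedSha256, got $actual"
    }

    # Same switches as the slide; /controllers takes a quoted, space-separated list of FQDNs,
    # so both Cloud Connectors of the region end up in the VDA's controller list.
    $controllerList = $CloudConnectors -join ' '
    $arguments = @(
        '/quiet', '/components', 'vda',
        '/exclude', '"Citrix User Profile Manager"',
        '/controllers', "`"$controllerList`"",
        '/enable_hdx_ports', '/noreboot'
    )
    $proc = Start-Process -FilePath $exe -ArgumentList $arguments -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

function Test-VdaControllerRegistration {
    param([Parameter(Mandatory)] [string[]] $CloudConnectors)
    # The VDA stores its controller list here; a missing or wrong value means the VDA
    # registers with nothing and the machine never shows up in Studio.
    $key = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
    $configured = (Get-ItemProperty -Path $key -Name ListOfDDCs -ErrorAction SilentlyContinue).ListOfDDCs
    if (-not $configured) { return $false }
    $present = $configured -split '\s+'
    foreach ($c in $CloudConnectors) {
        if ($present -notcontains $c) { return $false }
    }
    return $true
}

# Example run with constructed values (replace the placeholders before use):
$connectors = @('CloudConnector01.domain.com', 'CloudConnector02.domain.com')
$code = Install-CitrixVda -InstallerUrl 'https://<storage-account>.blob.core.windows.net/vda/VDAWorkstationSetup.exe?<sas-token>' `
            -ExpectedSha256 '<sha256-of-staged-installer>' -CloudConnectors $connectors
# 0 is success. Because /noreboot was used, a non-zero code may only mean a restart is pending;
# look the code up in the VDA installer return-code table on eDocs before failing the build.
Write-Host "VDA installer exit code: $code"
if (Test-VdaControllerRegistration -CloudConnectors $connectors) {
    Write-Host 'ListOfDDCs contains both Cloud Connectors.'
} else {
    Write-Warning 'ListOfDDCs does not list the expected Cloud Connectors; check the /controllers argument.'
}
```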



Deploy the VDA
Other Methods

• ARM Template.
• Custom Script Extension for Windows.
• Automation Accounts.
• 3rd party tools such as:
• Chef or Puppet.
• Citrix does not provide the VDA software as a VM extension.

Key Notes:
• For customers just creating a single Master VDA and using that as the basis for creating an MCS catalog, automation may not be worth the effort; but for customers creating many identical deployments, or not using MCS to create their VDAs, automating software installation, including the VDA, might be worth investigating.
• ARM Templates and custom script extensions are the simplest automation methods available in Azure.
• More advanced automation features can be found in 3rd party tools like Puppet and Chef.



Optimize the Master VM
Considerations

• Same recommendations as on-premises deployments.
• Use the built in optimization wizard.
• Disable unused services.
• Defragment the Master VDA virtual disks.
• Optimize antivirus and malware scanners.

Key Notes:
• There are no specific image optimization recommendations for running Citrix workloads in Azure.
• Use the same guidelines as in on-premises deployments.
• Keep CPU, Memory, and Storage load to a minimum by:
• Disabling unused services.
• Implementing the optimizations suggested by the VDA installer.
• Reducing the impact of antivirus and malware scanning.



Azure Security Extensions

• Security Extensions can be used to protect VDAs and Servers in Azure.
• However, not supported in MCS.
• Microsoft Antimalware is free in Azure.
• Enable in virtual machine configuration or PowerShell
• Set-AzureVMMicrosoftAntimalwareExtension
• Other vendors also provide extensions.
• Consult your vendors’ documentation.

Key Notes:
• Azure Security Extensions are not supported on MCS created catalogs, but can be used on manually created catalogs and on other infrastructure servers.
• Examples of key scenarios these extensions can be used for:
• VM configurations can use PowerShell DSC (Desired State Configuration), Chef, Puppet and Custom Script
Extensions to install VM configuration agents to configure a VM.
• Anti-Virus products, such as Symantec and ESET.



• VM vulnerability tools, such as Qualys, Rapid7 and HPE.
• VM and App monitoring tools, such as DynaTrace, Azure Network Watcher, Site24x7 and Stackify.
• Microsoft Antimalware for Azure is a free real-time protection capability that helps identify and remove viruses,
spyware, and other malicious software, with configurable alerts when known malicious or unwanted software
attempts to install itself or run on your Azure systems.

Additional Resources:
• Azure Specific Extensions - https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/overview
• Microsoft Antimalware for Azure Cloud Services and Virtual Machines - https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware
• Symantec Vendor Documentation - https://help.symantec.com/cs/SCWP/SCWP/v123027882_v111037498/Installing-an-agent-using-Azure-virtual-machine-extension?locale=EN_US



Lab Exercise

• Exercise 4-1: Deploy Master Server VDA


Lesson Objective Review

Can you host the Master VM on Azure Managed disks and use MCS to deploy to Premium Disks?

Yes, MCS can create Catalogs based on Master VMs on Managed Disks, Managed Snapshots, and unmanaged VHD files.


Machine Creation Services


How MCS Works With On-premises Hypervisors?

1. Create VM.
2. Create a snapshot.
3. Creates a full copy.

[Diagram: Hypervisor running VM-A; Storage Repository holding the master copies A and A’.]

Key Notes:
• MCS leverages a linked-clone approach to provisioning, with virtual machines reading from a read-only master image that has been de-personalized. Each virtual machine is assigned an identity disk that gives the machine a unique identity and a differencing disk that handles the writes for the virtual machine.
• Step 1: Create VM
• In this step, the administrator is creating a virtual machine that has the necessary configurations and applications
required for the targeted use case.



• Note that deleting, moving, or renaming master images will prevent administrators from being able to revert a machine catalog if necessary.
• Step 2: Create a snapshot
• There are two options:
• Manual: The administrator takes a snapshot of the master VM. This option is considered a leading practice because it enables the administrator to determine a desired, meaningful naming convention.
• Automatic: if a snapshot is not taken, when the administrator selects the master VM in the MCS wizard, Studio will automatically take a thin snapshot of the VM using an automatic naming scheme and will provide that snapshot to MCS.
• Step 3: Creates a Full Copy
• MCS is creating a full copy of the snapshot that was provided so that all machines that will be provisioned will have the same desired properties and configurations from the master VM.
• MCS creates a full copy of the snapshot and stores it so that it can be updated in order to provision multiple VMs, and so that there is no impact if the administrator deletes the original snapshot.



How MCS Works With On-premises Hypervisors?

4. Creates a Preparation VM.
5. Attaches Instruction Disk to Preparation VM.
6. Powers on Preparation VM.
7. Begins image preparation process.

[Diagram: Hypervisor running VM-A and Preparation VM-A’; Storage Repository holding A and A’; legend: Instruction Disk, Identity Disk, Differencing Disk.]

Key Notes:
• Step 4: Creates a Preparation VM
• A temporary virtual machine is created from the snapshot so that an image preparation process can be run to
depersonalize the VM.
• The Preparation VM is created with the network disconnected to prevent any issues with the operation of the original
master image.
• Step 5: Attaches instruction Disk to The Preparation VM



• The Instruction Disk will tell the Preparation VM steps that need to be run in order to depersonalize the VM.
• Step 6: Powers on Preparation VM
• Step 7: Begins image preparation process
• The PvD inventory step is only applicable if the Personal vDisk feature is being used, which will be discussed later in the module.
• The image preparation process is where the Preparation VM runs through the list of instructions that it obtained from the Instruction Disk. It is depersonalizing the copy of the snapshot to change the base OS so that it can be used to provision multiple machines. This is why Sysprep does not need to be run manually when creating a master image with MCS: the image preparation process automatically performs the necessary de-personalization.



How MCS Works With On-premises Hypervisors?

8. Preparation VM updates snapshot A’.
9. Shuts down Preparation VM.
10. Instruction Disk reports back and is deleted.
11. Detaches OS disk and deletes Preparation VM.
12. Replicates a copy of updated snapshot A’’ to each SR.

[Diagram: Hypervisor running VM-A and Preparation VM-A’; Storage Repository holding A and A’’; legend: Instruction Disk, Identity Disk, Differencing Disk.]

Key Notes:
• Step 8: Preparation VM updates snapshot A’.
• The preparation VM updates the copy of the snapshot following the image update process, represented in the diagram
by the copy of the snapshot being updated from A’ to A’’.
• Step 9: Shuts down Preparation VM.
• Step 10: Instruction Disk reports back and is deleted.
• The instruction disk reports the success/failure of the steps run during the image preparation process and only moves on with the MCS process if the steps were successfully completed. After reading the report back to MCS, the instruction disk is then deleted.
• Step 11: Detaches OS disk and deletes Preparation VM.
• Step 12: Replicates a copy of updated snapshot A’’ to each SR.
• Now that the copy of the snapshot has been updated and prepared for use with multiple VMs, the copy can be replicated to each storage repository configured for the host connection. The copy of the snapshot is read-only, and the virtual machines will reference the copy of the snapshot in the applicable storage repository.
• Important to note that because the snapshot copy needs to be placed in each storage repository, the number of storage repositories will affect storage requirements.

Additional Resources:
• Machine Creation Service: Image Preparation Overview and Fault-Finding - https://www.citrix.com/blogs/2016/04/04/machine-creation-service-image-preparation-overview-and-fault-finding/



How MCS Works With On-premises Hypervisors?

13. Creates Identity Disks in memory.
14. Creates VMs by attaching Identity Disks and creating and attaching Differencing Disks.

[Diagram: Hypervisor running VM-A, VM-A’ and the provisioned VM-B machines; Storage Repository holding A and A’’; legend: Instruction Disk, Identity Disk, Differencing Disk.]

Key Notes:
• Step 13: The hypervisor creates the Identity Disks in memory.
• Step 14: Each VM defined in the Machine Catalog will be created; the identity disks will be attached, and a differencing disk for each VM will be created and attached as well.



How MCS Works in Azure?
Master VM

1. Create Master VM.
2. Master VHD is created in Storage Account.

[Diagram: Master Resource Group containing Master VM-A and the Master Storage Account holding VHD A.]

Key Notes:
• Step 1: A master VM is created in Azure, either manually in the Azure Portal or via the API.
• Step 2: The master disk is created and associated with the master. If the VM is created using unmanaged disks, the VHD
will be placed in a Storage Account. If the VM is created with a managed disk, the disk will not be placed in a Storage
Account.



How MCS Works in Azure?
Pre-Flight Check

3. MCS Wizard executed.
4. Check available resources with Azure API for requested VMs.
• Cores
• NICs
• Storage

[Diagram: Master Resource Group with Master VM-A and the Master Storage Account (A); Citrix ARM Plugin calling the Azure API.]

Key Notes:
• Step 3: Admin starts the MCS wizard.
• Step 4: The MCS wizard initiates a preflight check with the Azure API to ensure that we have the necessary connectivity and enough capacity to deploy the selected number of VMs.



How MCS Works in Azure?
Pre-Machine Catalog Creation

5. Resource Group is created (full scope)
• One RG per 240 VMs
6. Storage Account created.
• One SA per 40 VMs (standard or premium)
• Storage Accounts are not created for Azure Managed disks
7. Create Network Security Group (Citrix-Deny-All-<provschemeId>)

[Diagram: Master Resource Group with Master VM-A and the Master Storage Account (A); Resource Group (citrix-xd-<provSchemeId>-<xxxx>) containing the Network Security Group and the Storage Accounts for MCS (citrixxdxxxx), which are not used with Azure Managed Disks; Citrix ARM Plugin calling the Azure API.]

Key Notes:
• Step 5: While creating MCS catalogs using Full Scope permissions, the wizard will initiate the creation of resource groups
in Azure. A resource group can only contain 240 VMs, so for larger catalogs, more resource groups will be created.
• Step 6: While deploying MCS catalogs with unmanaged disks, the storage accounts will be created. A new storage
account will be created for each 40 VMs in the catalog.
• Step 7: A Security Group is created to isolate the prep VM from the rest of the network. This blocks any inbound or outbound traffic to the Prep VM during its lifetime.
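A pre-flight check in the spirit of step 4 (cores, NICs, storage) combined with the resource group and storage account counts of steps 5 and 6, as an added example that is not part of the Citrix course or the Citrix ARM plugin; it assumes Connect-AzAccount has been run for the host connection's subscription, and the function name, parameters and sample values are this example's own.

```powershell
# Added example, not part of the Citrix course: estimate what a catalog of $VmCount machines
# needs and compare it with the regional quotas ARM reports, the same three resources the
# MCS wizard checks in step 4. Also reports how many resource groups (one per 240 VMs) and,
# for unmanaged disks, how many storage accounts (one per 40 VMs) MCS will create.
# Assumptions: Connect-AzAccount already run; function name, parameters and sample values
# are this example's own.
function Test-McsCatalogCapacity {
    param(
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $VmSize,
        [Parameter(Mandatory)] [int]    $VmCount,
        [switch] $UnmanagedDisks
    )
    # vCPUs per VM for the requested size in this region.
    $size = Get-AzVMSize -Location $Location | Where-Object Name -eq $VmSize
    if (-not $size) { throw "VM size $VmSize is not available in $Location" }
    $coresNeeded = $size.NumberOfCores * $VmCount

    $checks = @()

    # Regional total vCPU quota ('cores'); per-family quotas also exist and can be lower.
    $coreUsage = Get-AzVMUsage -Location $Location | Where-Object { $_.Name.Value -eq 'cores' }
    $checks += [pscustomobject]@{
        Resource  = 'vCPU cores (regional quota)'
        Needed    = $coresNeeded
        Available = $coreUsage.Limit - $coreUsage.CurrentValue
    }

    # One NIC per VM; with on-demand provisioning the NICs are created up front and kept.
    $nicUsage = Get-AzNetworkUsage -Location $Location | Where-Object { $_.Name.Value -eq 'NetworkInterfaces' }
    $checks += [pscustomobject]@{
        Resource  = 'Network interfaces'
        Needed    = $VmCount
        Available = $nicUsage.Limit - $nicUsage.CurrentValue
    }

    # Steps 5 and 6: resource groups per 240 VMs; storage accounts per 40 VMs (unmanaged only).
    $rgCount = [int][math]::Ceiling($VmCount / 240)
    $saCount = 0
    if ($UnmanagedDisks) {
        $saCount = [int][math]::Ceiling($VmCount / 40)
        $saUsage = Get-AzStorageUsage -Location $Location
        $checks += [pscustomobject]@{
            Resource  = 'Storage accounts'
            Needed    = $saCount
            Available = $saUsage.Limit - $saUsage.CurrentValue
        }
    }

    foreach ($c in $checks) {
        $c | Add-Member -NotePropertyName Ok -NotePropertyValue ($c.Available -ge $c.Needed)
    }
    [pscustomobject]@{
        ResourceGroupsToCreate  = $rgCount
        StorageAccountsToCreate = $saCount
        Checks                  = $checks
        Ready                   = -not ($checks | Where-Object { -not $_.Ok })
    }
}

# Sample call with constructed values: a 300-VM catalog on unmanaged disks needs two resource
# groups (ceil(300/240)) and eight storage accounts (ceil(300/40)).
$result = Test-McsCatalogCapacity -Location 'westeurope' -VmSize 'Standard_D2s_v3' -VmCount 300 -UnmanagedDisks
$result.Checks | Format-Table Resource, Needed, Available, Ok
if (-not $result.Ready) {
    Write-Warning 'Quota shortfall: raise the quota or reduce the catalog size before running the MCS wizard.'
}
```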



How MCS Works in Azure?
Provisioning Task 1 of 3

8. Validate Service Principal connectivity.
9. Consolidate Image and prepare for copy.
10. Master image is copied to first Storage Accounts defined for catalog. (Preparati-xxxxx-xxxx.vhd)

[Diagram: Master Resource Group with Master VM-A and the Master Storage Account (A); Resource Group (citrix-xd-<provSchemeId>-<xxxx>) containing the Network Security Group, the Image Prep VM and the Storage Accounts for MCS (citrixxdxxxx) receiving a Full Copy; Citrix ARM Plugin calling the Azure API.]

Key Notes:
• Step 8: Validate Connection Settings – MCS asks the plugin to verify that the service principal has access to the Azure resources.
• Step 9: Consolidate Master Image – On other hypervisors this phase prepares the master image snapshot from the master image VM; from the Azure perspective no snapshot or image needs to be taken, but the method must still be implemented in order to use the machine creation APIs.
• Step 10: A full copy of the master image is copied to the storage account; the VHD file will be named preparati-xxxxx.vhd.



How MCS Works in Azure?
Provisioning Task 2 of 3

11. Identity disk for Preparation VM.
12. Preparation VM Created. (Preparati-xxxxx).
13. Preparation VM stopped.
14. Identity Disk attached to Preparation VM.

[Diagram: Master Resource Group with Master VM-A and the Master Storage Account (A); Resource Group (citrix-xd-<provSchemeId>-<xxxx>) containing the Network Security Group, the Image Prep VM, Preparation VM-A’ and the Storage Accounts for MCS (citrixxdxxxx) holding the Full Copy; Citrix ARM Plugin calling the Azure API.]

Key Notes:
• Step 11: An identity disk is created for the preparation VM.
• Step 12: The preparation VM is created, and it will start automatically because it is already deployed in Azure.
• Step 13: We force the preparation VM to stop, so we can make changes to it.
• Step 14: After the preparation VM stops, the identity disk is added to the VM.



How MCS Works in Azure?
Provisioning Task 3 of 3

15. Preparation VM started.
16. Preparation VM stops after preparation.
17. Preparation VM disk copied to a new container and used as the base image.
18. Replicate base image to all Storage Accounts.
19. Delete Preparation VM and Identity disk.

[Diagram: Master Resource Group with Master VM-A and the Master Storage Account (A); Resource Group (citrix-xd-<provSchemeId>-<xxxx>) containing the Network Security Group, the Image Prep VM, Preparation VM-A’ and the Storage Accounts for MCS (citrixxdxxxx) holding the Full Copy and the replicated Base Images; Citrix ARM Plugin calling the Azure API.]

Key Notes:
• Step 15: The preparation VM starts with the identity disk attached and runs through the preparation sequence; this involves writing the identity to the identity disk and anonymizing the master image to be used with MCS.
• Step 16: The preparation VM is stopped after the preparation process is complete.
• Step 17: The base image from the preparation VM is replicated to all storage accounts associated with the Catalog. (only
if using unmanaged disks)
• Step 18: The preparation VM and identity disk is deleted.



How MCS Works in Azure?
Pre-Flight Check

20. All created resources are checked before the VM creation process is started.

[Diagram: Master Resource Group with Master VM-A and the Master Storage Account (A); Resource Group (citrix-xd-<provSchemeId>-<xxxx>) containing the Storage Accounts for MCS (citrixxdxxxx) holding the Base Images; Citrix ARM Plugin calling the Azure API.]

Key Notes:
• Step 20: Another pre-flight check is done to ensure that the base image has replicated successfully and that the proper
permissions are in place before starting the VM creation process.



How MCS Works in Azure?
Provisioning Task
On-Demand Provisioning

1. Only Identity Disks and NICs are created during MCS.

[Diagram: Master Resource Group with Master VM-A and the Master Storage Account (A); Resource Group (citrix-xd-<provSchemeId>-<xxxx>) containing the created NICs and the Storage Accounts for MCS (citrixxdxxxx) holding the Base Images; Citrix ARM Plugin calling the Azure API (step 21).]

Key Notes:
• These steps are only relevant if using the on-demand provisioning feature. This feature is now the default for all new customers.
• Step 21: Only the NICs and the Identity Disks are created during the VM creation part of the MCS process. All the preparation steps are still relevant.



How MCS Works in Azure?
Provisioning Task
On-Demand Provisioning

1. OS Disk created at VM launch time.
2. VM created and linked to OS Disks at VM launch time.
3. Identity Disk attached to VM at VM launch time.

[Diagram: Master Resource Group with Master VM-A and the Master Storage Account (A); Resource Group (citrix-xd-<provSchemeId>-<xxxx>) containing VM-01 with its NIC and OS disk, the remaining NICs, and the Storage Accounts for MCS (citrixxdxxxx) holding the Base Images; Citrix ARM Plugin calling the Azure API (steps 22 to 24).]

Key Notes:
• These steps are only relevant if using the on-demand provisioning feature. This feature is now the default for all new customers.
• Step 22: During the start of a VM, the operating system disk is created.
• Step 23: The VM is subsequently created during the start operation, and the VM is bound to the OS disk created in step 22.
• Step 24: The ID disks created in step 21 are associated with the VM before starting the VM.



How MCS Works in Azure?
Provisioning Task
On-Demand Provisioning

1. VM deleted at shutdown.
2. OS Disks deleted at shutdown.
3. Identity Disk and NIC retained for the next startup.

[Diagram: Master Resource Group with Master VM-A and the Master Storage Account (A); Resource Group (citrix-xd-<provSchemeId>-<xxxx>) containing VM-01 with its NIC and OS disk, the remaining NICs, and the Storage Accounts for MCS (citrixxdxxxx) holding the Base Images; Citrix ARM Plugin calling the Azure API (steps 25 to 27).]

Key Notes:
• These steps are only relevant if using the on-demand provisioning feature. This feature is now the default for all new customers.
• Step 25: When stopping VMs created with the on-demand provisioning feature, the VMs are deleted from Azure
during the shutdown process.
• Step 26: After deleting the VM, the OS disks are deleted as well.
• Step 27: The identity disks and the NICs will be left in Azure for whenever the VMs need to start again.
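The on-demand provisioning lifecycle from steps 20 to 27 (catalog creation, power on, power off, catalog deletion) as an added example, not Citrix code: a small model of which Azure objects exist for each catalog machine at each phase, so the storage that is still billed while a machine is powered off can be checked programmatically. Class and method names are the example's own.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class CatalogVm:
    """Azure objects MCS holds for one catalog machine (on-demand provisioning)."""
    name: str
    nic: bool = False            # step 21: created with the catalog, retained at shutdown
    identity_disk: bool = False  # step 21: created with the catalog, retained at shutdown
    os_disk: bool = False        # step 22: created at power on; step 26: deleted at power off
    vm: bool = False             # step 23: created at power on; step 25: deleted at power off

    def objects(self) -> set[str]:
        flags = (("nic", self.nic), ("identity_disk", self.identity_disk),
                 ("os_disk", self.os_disk), ("vm", self.vm))
        return {label for label, present in flags if present}


@dataclass
class OnDemandCatalog:
    """Tracks the catalog's Azure footprint through create / start / stop / delete."""
    vms: dict[str, CatalogVm] = field(default_factory=dict)

    def create(self, names: list[str]) -> None:
        # Catalog creation: only a NIC and an identity disk per machine (step 21).
        for name in names:
            self.vms[name] = CatalogVm(name, nic=True, identity_disk=True)

    def start(self, name: str) -> None:
        machine = self.vms[name]
        if machine.vm:
            raise RuntimeError(f"{name} is already running")
        machine.os_disk = True   # step 22: OS disk created from the base image
        machine.vm = True        # steps 23/24: VM created, OS disk and identity disk attached

    def stop(self, name: str) -> None:
        machine = self.vms[name]
        if not machine.vm:
            raise RuntimeError(f"{name} is not running")
        machine.vm = False       # step 25: the VM object is deleted from Azure
        machine.os_disk = False  # step 26: the OS disk is deleted
        # step 27: NIC and identity disk are kept for the next start

    def delete(self) -> None:
        # Deleting the catalog removes every remaining object.
        self.vms.clear()

    def running(self) -> list[str]:
        return sorted(n for n, m in self.vms.items() if m.vm)

    def objects(self) -> dict[str, set[str]]:
        """What currently exists (and is billed) in Azure, per machine."""
        return {n: m.objects() for n, m in self.vms.items()}

    def managed_disk_objects(self) -> int:
        """Disk objects present in the resource group while the catalog exists.
        Identity disks keep counting even when every machine is powered off."""
        return sum(m.identity_disk + m.os_disk for m in self.vms.values())
```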


Lab Exercise

• Exercise 4-2: Deploy Machines using MCS to a Pre-created Resource Group.
• Exercise 4-3: Deploy Windows 10 Using an ARM Template.


Lesson Objective Review

What are the two objects created by MCS for each VM during Machine Catalog creation?

With on-demand provisioning, only Identity Disks and NICs are created during Machine Catalog creation. VMs and OS disks only exist in Azure when the resource is running. Less storage used = smaller Azure invoice.

Key Notes:
• Storage in Azure is billed to customers even when VMs are shut down and de-allocated. This can be expensive, especially when using Azure managed disks.
• To reduce the cost, Citrix deletes both the VMs and the OS disks when the VMs are shut down.


Considerations


VMs and IOPS per Storage Account
Unmanaged Disks

• When using unmanaged disks in Azure, a Storage Account can only support 20,000 IOPS.
• Premium Storage: 50,000 IOPS.
• MCS allows 40 VMs per Storage Account.
• 20,000/40 = 500 IOPS per VM on Standard Storage.
• MCS will create additional Storage Accounts when the number of VMs in a Machine Catalog exceeds 40.
• SSD recommended for temporary storage.
• Managed Disks are recommended for better HA.

Key Notes:
• A standard storage account has a maximum total request rate of 20,000 IOPS. The total IOPS across all of your virtual machine disks in a standard storage account should not exceed this limit. For example, for a Basic Tier VM, the maximum number of highly utilized disks is about 66 (20,000/300 IOPS per disk), and for a Standard Tier VM, it is about 40 (20,000/500 IOPS per disk), as shown in the table below.
• A premium storage account has a maximum total throughput rate of 50 Gbps. The total throughput across all of your VM disks should not exceed this limit.
• Virtual Desktops will provision a maximum of 40 VMs in a single storage account due to IOPS limitations in Azure. For example, if you create a 100 VM catalog, you will find 3 storage accounts created, and the VM distribution across the storage accounts will be 40, 40 and 20.
• A Storage Account is on a single Storage Stamp within Azure and is considered a single point of failure. Therefore, theoretically, a Machine Catalog with fewer than 40 VMs has a single point of failure.

Additional Resources:
• Azure Storage Scalability and Performance Targets - https://docs.microsoft.com/en-us/azure/storage/storage-scalability-targets
• Using Virtual Apps and Desktops in Azure Resource Manager - https://www.citrix.com/blogs/2016/09/12/using-xenapp-xendesktop-in-azure-resource-manager/


VMs and IOPS per Storage Account
Managed Disks

• Select between Standard and Premium storage.
• Azure Managed Disks support fast provisioning of 1000s of virtual disks.
• Azure Managed Disks replicate your data to three different replicas by default to ensure high availability.
• Managed Disks in Azure do not rely on Storage Accounts.
• SSD recommended for temporary storage.
• Managed Disks are invoiced by the size and not the amount of data inside the disk.

Key Notes:
• Managed Disks provide scalable and highly available storage without the need to create storage accounts and worry about IOPS constraints.
• An Azure resource group can hold no more than 800 Managed Disks. By default, Virtual Desktops provision three disks per machine: OS Disk, Identity Disk and Write Back Cache Disk.
• Virtual Desktops will provision no more than 240 machines per resource group. Catalogs with more than 240 machines will, therefore, span multiple resource groups.
• Machine reliability is improved as Managed Disks are allocated to storage clusters in a manner that optimizes the distribution across fault domains.
• Managed Disks are charged for the full disk of the next size level regardless of the storage used. For example, Azure charges for a 32 GB disk just for the identity disk. Storage Accounts charge only for the unique blocks.

Additional Resources:
• Azure Storage Scalability and Performance Targets - https://docs.microsoft.com/en-us/azure/storage/storage-scalability-targets
• Using Virtual Apps and Desktops in Azure Resource Manager - https://www.citrix.com/blogs/2016/09/12/using-xenapp-xendesktop-in-azure-resource-manager/
• Support for Azure Managed Disks Goes Into Production - https://www.citrix.com/blogs/2018/02/21/support-for-azure-managed-disks-goes-into-production/


Performance Comparison
Unmanaged vs Managed Disks

1000 Pooled Machines (minutes)       Unmanaged Disks   Managed Disks
Create Catalog                             155             120
Start all VMs                               56             138
Stop all VMs                                51              51
Update Catalog Image                        58              20
Delete Catalog (machines stopped)           56             148

Key Notes:
• For pooled machines, a new copy of the master image is made every time the machine is started, so the time it takes to copy the OS disk is directly reflected in the time it takes to start the machine.
• When using storage accounts, the master image is replicated to each storage account when the catalog is created or updated, and OS disks are copied from the replicated master image local to the storage account the machine is allocated to. This results in near instantaneous copies.

Additional Resources:
• Support for Azure Managed Disks Goes Into Production - https://www.citrix.com/blogs/2018/02/21/support-for-azure-managed-disks-goes-into-production/



MCS and Multiple Storage Accounts

• MCS is programmatically limited to 6 Storage Accounts per Resource Group.
• 6 x 40 = 240 VMs per Resource Group.
• A Storage Account is not deleted until the Machine Catalog is deleted.

Key Notes:
• Remember that Storage Accounts are automatically created by MCS both with Full Scope and Narrow Scope permissions.
• Storage Accounts should not hold items other than VDA VMs.
• The same limit of 240 VMs per resource group is in place when using managed disks because Azure limits a resource group to 800 disks.


VMs per Resource Group or Catalog

• MCS is programmatically limited to 240 VMs per Resource Group for all storage types.
• Do not add other VMs to VDA Resource Groups.
• The ARM Plugin assumes that it has exclusive use of the Resource Group.
• Machine Catalogs spanning multiple Resource Groups are supported.
• Designing one Machine Catalog per Resource Group will be easier to support and maintain.
• MCS can create the Resource Groups automatically, or you can pre-create the Resource Groups to limit the permissions required by MCS.

Key Notes:
• The limitation of 240 VMs per resource group is the Azure limitation that we enforce to avoid errors during provisioning.
• The limitation is derived from Azure limiting a Resource Group to 800 Managed Disk objects: 3 virtual disks per VDA plus other objects.
• Custom Resource Groups are now supported in the Citrix Cloud GUI. Multiple Resource Groups must be identified at the time of provisioning, and this cannot be changed after the Catalog is created.
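The storage account, IOPS and resource group limits from the last few slides (40 VMs and 20,000 IOPS per standard storage account, 6 storage accounts and 240 VMs per resource group, 800 managed disk objects per resource group, 3 disks per VM) as an added capacity planner, not a Citrix tool. It also generalizes the 100-VM example to any catalog size; the function names are the example's own.

```python
import math

VMS_PER_STORAGE_ACCOUNT = 40      # MCS limit for unmanaged disks
STANDARD_SA_IOPS = 20_000         # standard storage account request ceiling
STORAGE_ACCOUNTS_PER_RG = 6       # MCS limit per resource group
VMS_PER_RG = 240                  # MCS limit for all storage types
MANAGED_DISKS_PER_RG = 800        # Azure resource group limit
DISKS_PER_VM = 3                  # OS, identity and write-back cache disk


def split(total: int, size: int) -> list:
    """Distribute `total` items into buckets of at most `size`, e.g. 100 by 40 -> [40, 40, 20]."""
    if total <= 0 or size <= 0:
        raise ValueError("total and size must be positive")
    full, rest = divmod(total, size)
    return [size] * full + ([rest] if rest else [])


def iops_per_vm(vms_in_account: int) -> float:
    """Each VM's share of the standard storage account IOPS ceiling (40 VMs -> 500)."""
    return STANDARD_SA_IOPS / vms_in_account


def plan_unmanaged(vm_count: int) -> dict:
    """Storage account layout for a catalog on unmanaged disks."""
    accounts = split(vm_count, VMS_PER_STORAGE_ACCOUNT)
    groups = split(vm_count, VMS_PER_RG)
    return {
        "storage_accounts": accounts,
        "resource_groups": len(groups),
        "storage_accounts_fit": len(accounts) <= len(groups) * STORAGE_ACCOUNTS_PER_RG,
        "min_iops_per_vm": iops_per_vm(max(accounts)),
        # One storage account is one storage stamp: a catalog of 40 VMs or fewer
        # sits entirely on a single point of failure.
        "single_point_of_failure": len(accounts) == 1,
    }


def plan_managed(vm_count: int, disks_per_vm: int = DISKS_PER_VM) -> dict:
    """Resource group layout for a catalog on managed disks."""
    groups = split(vm_count, VMS_PER_RG)
    disks = [n * disks_per_vm for n in groups]
    return {
        "resource_groups": len(groups),
        "vms_per_resource_group": groups,
        "managed_disks_per_resource_group": disks,
        # 240 VMs x 3 disks = 720 leaves headroom under 800 for other disk objects;
        # a fourth disk per VM would already break the limit.
        "within_disk_limit": all(d <= MANAGED_DISKS_PER_RG for d in disks),
    }
```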


Additional Resources:
• Citrix recommends provisioning one catalog per resource group pool - https://support.citrix.com/article/CTX219243


MCS and Managed Disks

• A Resource Group can only support 800 Managed Disk objects.
• Up to 3 disk objects per VM:
  • OS
  • Identity
  • Write Back Cache
• For larger MCS Catalogs, several RGs will be created.
• Write-back cache is not recommended in Azure.

Key Notes:
• Full Scope permissions are required to create additional Resource Groups per Machine Catalog.
• Citrix recommends disabling write-back cache on Azure based MCS catalogs for now.

Additional Resources:
• Azure subscription and service limits, quotas, and constraints - https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#resource-group-limits


Don't Put Too Many Eggs in One Basket
The larger the Machine Catalog, the longer it takes to update.

• Azure rate limits mean VM and Storage actions can take a longer time than with on-premises hypervisors:
  • Machine Catalog updates.
  • Machine Catalog rollbacks.
  • Boot storms on one Storage Account.
• Create several Machine Catalogs and use Delivery Groups to present them as one pool of resources.

Key Notes:
• Very large Machine Catalogs are not recommended as they increase the time it takes to update a catalog.
• Use Azure managed disks to reduce the risk of overloading storage accounts with IOPS.


MCS and Availability Sets

• MCS does not support Availability Sets.
• VMs cannot be associated with an Availability Set after creation.
• Use multiple Machine Catalogs and Azure Regions to gain HA.
• Alternatively, provision VMs manually to use Availability Sets.


Personal vDisk and AppDisk

• Personal vDisk is not supported by Azure and Citrix Cloud.
• AppDisk is not supported by Azure and Citrix Cloud.
• App Layering should be used instead.

Additional Resources:
• Known Issues - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/known-issues.html
• Citrix App Layering 4 - http://docs.citrix.com/en-us/citrix-app-layering/4.html
• App Layering in Azure - https://docs.citrix.com/en-us/citrix-app-layering/4/install-appliance/ms-azure.html


Keep Citrix Virtual Apps Workloads Small

• Sizing of Citrix Virtual Apps in Azure should not be done like on-premises.
• Smaller VMs are cheaper.
• In a 9 to 5 organization, we can save money by shutting down workloads as users start logging off.
• In a “follow the sun” organization, we will likely extend our Azure presence to more regions and be in a 9 to 5 situation per region.
• Fewer users per VM means we can drain a VM quicker.
• MCS deletes the VM at shutdown, including the VHD (Managed Disks).

Key Notes:
• The concept presented here is based on Azure pay-as-you-go pricing.
• These assumptions change when the customer purchases reserved instances. Reserved instances offer deep hourly discounts if you purchase capacity over a year or more, and power cycling doesn't matter. Reserved instances are available on Azure.


Additional Resources:
• Citrix Scalability in a Cloud World – 2018 Edition: https://www.citrix.com/blogs/2018/08/16/citrix-scalability-in-a-cloud-world-2018-edition/


Azure Reserved Instances

Chart: VM usage by hour (Hour 1 to Hour 4) for VM 1, VM2 and VM3, with the vertical axis from 0 to 3 running VMs and the Reserved Instances level marked.

• Agreement to buy capacity for 1 to 3 years.
• Discount up to 72% compared to pay-as-you-go.
• Reservations are divided into one-hour runtime blocks.
• Consumption above reservations billed as pay-as-you-go.

Key Notes:
• After you buy a Reserved VM Instance, the reservation discount is automatically applied to virtual machines matching the attributes and quantity of the reservation.
• A reservation covers the infrastructure costs of your virtual machines. The graph on the slide illustrates the costs for your virtual machines after you purchase a reservation. In all cases, you are charged for storage and networking at the normal rates.
• The reservation discount is applied to running VM instances on an hourly basis. The reservations that you have purchased are matched to the usage emitted by the running VMs to apply the reservation discount. For VMs that may not run the full hour, the reservation will be filled from other VMs not using a reservation, including concurrently running VMs.

Additional Resources:
• Azure Reserved VM Instances - https://azure.microsoft.com/en-us/pricing/reserved-vm-instances/
• Understand how the Reserved Virtual Machine Instance discount is applied - https://docs.microsoft.com/en-us/azure/billing/billing-understand-vm-reservation-charges
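The hourly matching described in the key notes (a reservation covers up to its quantity of instance-hours in each one-hour block, filled from partial hours of any matching VMs, the rest billed pay-as-you-go) as an added example, not Microsoft's billing code. The per-hour usage figures are constructed sample data shaped like the slide's chart.

```python
from dataclasses import dataclass


@dataclass
class HourBill:
    hour: int
    usage: float     # instance-hours emitted by matching VMs during this hour
    reserved: float  # instance-hours covered by the reservation
    payg: float      # instance-hours billed pay-as-you-go


def apply_reservation(usage_by_hour: list, reserved: int) -> list:
    """usage_by_hour[h] lists, per matching VM, the fraction of hour h it ran (0.0 to 1.0).

    The reservation covers up to `reserved` instance-hours in every one-hour block,
    pooling partial hours from several VMs, including ones running concurrently."""
    if reserved < 0:
        raise ValueError("reserved quantity cannot be negative")
    bills = []
    for hour, fractions in enumerate(usage_by_hour, start=1):
        if any(f < 0 or f > 1 for f in fractions):
            raise ValueError(f"hour {hour}: fractions must be within [0, 1]")
        usage = sum(fractions)
        covered = min(usage, float(reserved))
        bills.append(HourBill(hour, usage, covered, usage - covered))
    return bills


def summarize(bills: list, reserved: int) -> dict:
    """Reservation utilisation and the spill-over billed at pay-as-you-go rates."""
    capacity = reserved * len(bills)
    used = sum(b.reserved for b in bills)
    return {
        "reserved_hours_used": used,
        "reserved_hours_unused": capacity - used,   # paid for up front but idle
        "payg_hours": sum(b.payg for b in bills),
        "utilization": used / capacity if capacity else 0.0,
    }


# Constructed sample: 3 VMs over 4 hours against a reservation of 2 instances
# (values invented for the example, not taken from the slide).
SAMPLE_USAGE = [
    [1.0, 1.0, 0.5],   # hour 1: two full hours, one VM ran 30 minutes
    [1.0, 0.5, 0.0],   # hour 2: one full hour, one half hour
    [1.0, 1.0, 1.0],   # hour 3: all three VMs ran the whole hour
    [0.25, 0.0, 0.0],  # hour 4: one VM ran 15 minutes
]
SAMPLE_RESERVED = 2
```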



Lab Exercise

• Exercise 4-4: Install VDA Using PowerShell and Create a Manual Catalog.
• Exercise 4-5: Create Delivery Groups and Assign Resources to Users.


Lesson Objective Review

How many VMs are supported per Resource Group when using MCS provisioning?

240 VMs per Resource Group.


Key Takeaways

• The VDA software can be deployed manually or using PowerShell; VM extensions are not currently available.
• With the on-demand provisioning feature in MCS, OS disks are created at power on and deleted at power off.
• Using on-demand provisioning will lower your Azure storage bill and ensure fast provisioning.


Citrix Virtual Apps and Desktops Service on Microsoft Azure

Providing Access to End Users

Module 5


Learning Objectives

• Define StoreFront locations when integrating with Azure.
• Identify Citrix ADC locations when integrating with Azure.
• Review connectivity features for multi-location deployments.


StoreFront Locations


StoreFront Placement Options

Diagram: StoreFront placement options - On-premises, Citrix Cloud, Azure resource locations.

Key Notes:
• StoreFront in Citrix Cloud has been replaced by Workspace Experience, which is a more feature-rich, multi-tenant aware access layer.

Additional Resources:
• What’s New with Citrix Workspace in February 2019? https://www.citrix.com/blogs/2019/12/20/whats-new-with-citrix-workspace-december-2019/
• Workspace configuration - https://docs.citrix.com/en-us/citrix-cloud/workspace-configuration.html



Using Workspace Experience in Citrix Cloud

• Part of Citrix Cloud subscription.
• Enabled by default.
• It can be disabled by support.
• Zero maintenance.
• Integrated with Citrix Gateway as a Service by default.
• Option to integrate with Citrix Gateways in the resource location.

Key Notes:
• The first part of the workspace URL is customizable. You can change the URL from, for example, https://example.cloud.com to https://newexample.cloud.com.
• The customizable part of the URL (“newexample”) must be between 6 and 63 characters long. If you want to change the customizable part of the URL to fewer than 6 characters, please open a ticket in Citrix Cloud.
• It must consist of only letters and numbers.
• It cannot include Unicode characters.
• When you rename a URL, the old URL is immediately removed and no longer available.
• If you change the workspace URL, your subscribers cannot access their workspaces until the new URL is active (takes about 10 minutes). You’ll also need to tell them what the new URL is and manually update all local Citrix Workspace app installations to use the new URL.
• Provide secure access for your remote subscribers by adding Citrix Gateways to the resource locations.
• You can add Citrix Gateways from Workspace Configuration > Access > External Connectivity or from Citrix Cloud > Resource Locations.

Additional Resources:
• About StoreFront - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/storefront.html
• About Citrix Gateway - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/netscaler.html



Deploying StoreFront in Azure

• Deploy at least two StoreFront servers for HA.
• Use Availability Sets to ensure HA.
• Domain joined for Server Group functionality.
• 4 vCPU / 8 GB RAM VM recommended.
• Premium storage recommended for infrastructure servers.
• Consider F4s, F4s_v2, D3s_v2, or D4s_v3.
• Use either Cloud Connectors or Azure Delivery Controllers as XML Servers.

Key Notes:
• The customer is responsible for building and maintaining the StoreFront virtual machines and applicable infrastructure in Azure.
• Deploying StoreFront in Azure adds functionality not present in the Citrix Cloud deployment of StoreFront.
• The additional standalone StoreFront functionality includes, but is not limited to:
  • UI Customization
  • Workspace app Deployment
  • Multiple Stores
  • Support for Two-factor Authentication
  • Local Password Processing
  • Anonymous Access
  • Federated Authentication
  • Support for Single Sign On

Additional Resources:
• System requirements - https://docs.citrix.com/en-us/storefront/current-release/system-requirements.html



Availability Sets for StoreFront

• Use Availability Sets to ensure StoreFront servers are deployed in different racks:
  • Update Domain
  • Fault Domain
• Availability Sets can only be configured at VM creation.
• Use Managed Disks when deploying Availability Sets.
• Limited number of fault domains per region.
  • Typically 2 or 3

Key Notes:
• Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform.
• The order in which update domains are rebooted may not proceed sequentially during planned maintenance, but only one update domain is rebooted at a time. A rebooted update domain is given 30 minutes to recover before maintenance is initiated on a different update domain.
• Managed disks provide better reliability for Availability Sets by ensuring that the disks of VMs in an Availability Set are sufficiently isolated from each other to avoid single points of failure.
• The number of fault domains for managed availability sets varies by region - either two or three per region.

Additional Resources:
• Configure multiple virtual machines in an availability set for redundancy - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability#configure-multiple-virtual-machines-in-an-availability-set-for-redundancy



Load Balancing StoreFront in Azure

• Load balancing of StoreFront servers can be done in two ways:
  • Azure Load Balancer
  • Citrix ADC VPX
• Citrix ADC has a built-in StoreFront monitor.
• Azure has basic HTTP and TCP monitoring.
• Citrix ADC has advanced Application Delivery Controller functionalities:
  • Rewrite
  • Content switching
  • GSLB

Key Notes:
• Azure Load Balancer is free of charge but not offered with Basic virtual machines.
• The Citrix ADC VPX virtual appliance is available as an image in the Microsoft Azure Marketplace.
• You can deploy Citrix ADC VPX instances on Azure Resource Manager either as standalone instances or as high availability pairs in active-active or active-standby modes.
• Additional StoreFront monitoring is available with Citrix ADC.
• For Citrix ADC Azure deployments, GSLB is only supported on the Citrix ADC 12.0 VPX. GSLB is not supported on the Citrix ADC 11.0 VPX.

Additional Resources:
• Azure Load Balancer overview - https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
• Load Balancer Pricing - https://azure.microsoft.com/en-us/pricing/details/load-balancer/
• Deploying Citrix ADC VPX on Microsoft Azure - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure.html



Network Security Group for StoreFront
Use a Network Security Group to block unwanted connections to StoreFront.

Source | Destination | Type | Port | Details
User Device | StoreFront Server | TCP | 80/443 | Connecting to the Store or Receiver for Web site hosted on StoreFront server.
StoreFront Server | Domain Controller | TCP/UDP | 389 | LDAP connection to query user-friendly name and email addresses.
StoreFront Server | Domain Controller | TCP/UDP | 88 | Kerberos.
StoreFront Server | Domain Controller | TCP/UDP | 464 | Native Windows authentication protocol to allow users to change expired passwords.
StoreFront Server | StoreFront Server | TCP | Randomly selected unreserved port per service | Used for Peer-to-peer Services (Credential Wallet, Subscriptions Store; 1 per Store). This service uses MS .Net NetPeerTcpBinding, which negotiates a random port on each server between the peers.
StoreFront Server | StoreFront Server | TCP | 808 | Used for Subscription Replication Services. Not installed by default. Used to replicate subscriptions between associated clusters.
StoreFront Server | Virtual Desktops Controller, Virtual Apps Controller, Citrix Endpoint Management | TCP | 80/443 | For application and desktop requests.
Citrix ADC | StoreFront Server | TCP | 8000 | For Monitoring Service used by Citrix ADC load balancer.

Key Notes:
• Network Security Groups can be used in Azure to secure the communication between the different NICs or subnets.
• The list provided on this slide only covers the ports and services needed to enable the Citrix traffic; more ports and services may be needed for underlying OS functionality.

Additional Resources:
• Network security groups - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg
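The StoreFront port table above, turned into an NSG-style rule set (lowest priority number wins, implicit deny for everything else) with an evaluator, so a planned flow can be checked against the table before the rules are pushed to Azure. This is an added example, not Azure or Citrix code; the role names stand in for the address prefixes or application security groups you would use in a real NSG, and the priorities are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int        # lower number is evaluated first, as in an Azure NSG
    source: str
    destination: str
    protocol: str        # "TCP", "UDP" or "*" (any)
    ports: frozenset     # destination ports; {"*"} matches any port
    allow: bool
    description: str = ""


def ports(*values) -> frozenset:
    return frozenset(values)


# Role names are placeholders for address prefixes / application security groups.
# Protocol "*" implements the table's TCP/UDP rows.
STOREFRONT_RULES = [
    Rule(100, "UserDevice", "StoreFront", "TCP", ports(80, 443), True, "Store / Receiver for Web"),
    Rule(110, "StoreFront", "DomainController", "*", ports(389), True, "LDAP lookups"),
    Rule(120, "StoreFront", "DomainController", "*", ports(88), True, "Kerberos"),
    Rule(130, "StoreFront", "DomainController", "*", ports(464), True, "Kerberos password change"),
    # Peer-to-peer services negotiate a random unreserved port, so the table can only be
    # honoured with an any-port rule between the StoreFront servers themselves.
    Rule(140, "StoreFront", "StoreFront", "TCP", ports("*"), True, "Peer-to-peer services"),
    Rule(150, "StoreFront", "StoreFront", "TCP", ports(808), True, "Subscription replication"),
    Rule(160, "StoreFront", "Controller", "TCP", ports(80, 443), True, "App and desktop requests"),
    Rule(170, "CitrixADC", "StoreFront", "TCP", ports(8000), True, "ADC StoreFront monitor"),
    Rule(4096, "*", "*", "*", ports("*"), False, "Default deny"),
]


def _matches(rule: Rule, source: str, destination: str, protocol: str, port: int) -> bool:
    return (rule.source in ("*", source)
            and rule.destination in ("*", destination)
            and rule.protocol in ("*", protocol)
            and ("*" in rule.ports or port in rule.ports))


def evaluate(rules, source, destination, protocol, port):
    """Return (allowed, matching_rule) for the first rule that matches in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, source, destination, protocol, port):
            return rule.allow, rule
    return False, None   # an NSG denies anything no rule covers


def blocked_flows(rules, flows):
    """Flows (source, destination, protocol, port) that the rule set would drop."""
    return [f for f in flows if not evaluate(rules, *f)[0]]
```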


Lab Exercise Prep

• Exercise 5-1: Launch Applications from Citrix Workspace in Citrix Cloud.
• Exercise 5-2: Setup an On-premises StoreFront and Create a StoreFront Store.
• Exercise 5-3: Launch Resources through StoreFront.


Lesson Objective Review

Which 3 ways can users connect to their applications and desktops when deploying Citrix Cloud with Azure as a resource location?

StoreFront can be hosted in Azure or on-premises. Citrix Workspace Experience is available in Citrix Cloud.


Citrix ADC and Citrix Gateway
Location Considerations


Citrix Gateway Placement Options

Diagram: Citrix Gateway placement options - On-premises, Citrix Cloud, Azure resource locations.

Key Notes:
• Customers have three options for deploying Citrix Gateway:
  1. Citrix Gateway as a Service is included in the Citrix Cloud subscription and can be used as an HDX proxy only.
  2. Citrix Gateways can also be deployed in the on-premises networks or in Azure.
  3. Citrix Gateway/ADC in Azure can either be purchased through Azure, or it can be deployed as bring-your-own-license.


Deploying Citrix Gateway Service in Citrix Cloud

• Easy and no-touch deployment.
• No firewall changes.
• Included in Citrix Workspace and Virtual Apps and Desktops subscriptions.
• HDX data is proxied through the Cloud Connector to Citrix Cloud.
• Scaling and latency should be monitored.
• Requires Citrix Workspace Experience.
• Increases CPU utilization on Cloud Connectors.

Key Notes:
• The service is available from 12 points of presence around the world, including both Azure and AWS datacenters.
• The service is currently enabled only for use with HDX traffic and SSON as part of Virtual Apps and Desktops. Other Citrix Gateway functionality is not enabled.
• Includes 1 GB data transfer per user per month.
• Known issues:
  • The Citrix Gateway Service is enabled for use with HDX traffic as part of Virtual Apps and Desktops only. Other Citrix Gateway functionality is not enabled.
  • The Citrix Cloud Connector located in your Citrix Cloud resource location communicates with Citrix-managed cloud services through the internet. This communication channel does not support authentication at outbound proxies for access to the internet.
  • All network traffic is protected by SSL, but to provide the Citrix Gateway functionality, HDX traffic is present in memory in an unencrypted form.
  • To use the Citrix Gateway Service, you must use Workspace hosted within Citrix Cloud.
  • Smart Access does not work for sessions connected through the Citrix Gateway Service.
  • Scalability limits: ~1000 concurrent users / 140 Mbps throughput per Cloud Connector.

Additional Resources:
• Citrix Gateway Service - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/netscaler.html
• Simple, Secure & Better Connectivity with Citrix Gateway Service - https://www.citrix.com/blogs/2017/08/04/simple-secure-better-connectivity-with-netscaler-gateway-service/
• Citrix Cloud services subscriptions - https://www.citrix.com/products/citrix-cloud/subscriptions.html
• Citrix Gateway Service — The secure way to deliver Citrix Virtual Apps and Desktops using Citrix Cloud - https://www.citrix.com/content/dam/citrix/en_us/documents/product-overview/netscaler-gateway-service-product-overview.pdf



Citrix Gateway as a Service
Points of Presence (PoP)

• GSLB and Optimal Gateway Routing built in to the Citrix Cloud architecture.
• HDX traffic proxied through the most optimal PoP.
• Transparent to customers and users.

Points of Presence in Azure: Azure South Central US, Azure East US, Azure West US, Azure West Europe, Azure North Europe, Azure Australia East, Azure Japan East, Azure Brazil South, Azure Southeast Asia.
Points of Presence in AWS: US-East, US-West, EU-Central.

Key Notes:
• The service is available from 12 points of presence around the world, including both Azure and AWS datacenters.

Additional Resources:
• Citrix Gateway Service — The secure way to deliver Citrix Virtual Apps and Desktops using Citrix Cloud - https://www.citrix.com/content/dam/citrix/en_us/documents/product-overview/netscaler-gateway-service-product-overview.pdf


Citrix Gateway HA in Azure
Citrix ADC HA in Azure

Diagram: An Azure Load Balancer in front of two Citrix Gateway instances; behind them, StoreFront and the Session Machines, with Endpoints connecting through the load balancer.

• Configure a Resource Group.
• Configure a Network Security Group.
• Configure Virtual Network and its Subnets.
• Configure a Storage Account.
• Configure an Availability Set.
• Configure Citrix ADC VPX instances.

Key Notes:
• Note the following before you begin configuring the Citrix ADC VPX instances in high availability mode in the Azure virtual network:
  • The two Citrix ADC virtual machines that you want to add to a load balanced set should be provisioned in the same virtual network.
  • A load balanced set applies only to the default NIC of the virtual instance. Therefore, the VIP has to be configured on the default NIC of the Citrix ADC VPX.
  • In an active-passive deployment, the Azure load balancer monitors both the primary and the secondary Citrix ADC virtual machine by sending them TCP probes. These TCP probes are sent on port 9000.

Additional Resources:
• Configuring an HA Setup with Multiple IP Addresses and NICs - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure/configure-vpx-pair-ha-inc.html
• Deploying Citrix ADC VPX on Microsoft Azure - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure.html



Citrix ADC vs Citrix Gateway
Examine your needs before buying the Citrix ADC license.

Citrix ADC:
• Citrix ADC
  • Standard
  • Advanced
  • Premium
• Bandwidth

Citrix Gateway:
• Citrix Gateway
  • Bandwidth
  • Smart Access
• Citrix Gateway as a Service
  • Included in Citrix Cloud subscriptions.

Key Notes:
• Citrix ADC
  • Standard License
    • Delivers reliable application availability, comprehensive L4-7 load balancing, robust performance optimization features, and secure remote access.
  • Advanced License
    • Adds advanced traffic management, clustering support, stronger security features, extended optimizations, SSO, and more.
  • Premium License
    • Encompasses powerful security features, expanded application acceleration capabilities, enhanced management, and visibility resources.
  • Bandwidth
    • The Citrix ADC VPX models supported on Azure are VPX 10, VPX 25, VPX 200, VPX 1000, and VPX 3000. Their corresponding bandwidths are 10 Mbps, 25 Mbps, 200 Mbps, 1 Gbps, and 3 Gbps respectively.
• Citrix Gateway
  • Citrix Gateway requires a Platform license.
  • The Platform license allows an unlimited amount of connections to Virtual Apps, Virtual Desktops, or StoreFront by using ICA proxy.
  • To allow VPN connections to the network from the Citrix Gateway Plug-in, a Smart Access logon point, or Worx Home, WorxWeb, or WorxMail, you must also add a Universal license. Citrix Gateway VPX comes with the Platform license.
  • SmartAccess allows you to control access to published applications and desktops on a server through the use of Citrix Gateway session policies.
• Citrix ADC HDX Proxy or Citrix Gateway Service
  • Citrix Gateway Service is enabled for use with HDX traffic as part of Citrix Workspace and Citrix Virtual Apps and Desktops only.

Additional Resources:
• Networking - https://www.citrix.com/buy/licensing/product.html
• Citrix ADC overview - https://www.citrix.com/products/netscaler-adc/netscaler-deployment-guide.html
• Deploying Citrix ADC VPX on Microsoft Azure - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure.html
• Citrix Gateway FAQ - https://docs.citrix.com/en-us/citrix-gateway/13/faq.html

305 © 2021 Citrix Authorized Content


Deploying Citrix ADC in Azure

• Bring your own license or purchase through Azure.
• Citrix Cloud licensing includes Citrix ADC HDX proxy only licenses.
• Multi NIC and Multi IP are supported with Citrix ADC v11+.
• HA supported through ARM load balancer.
• Active-Active
• Active-Passive
• Clustering is not supported.

Key Notes:
• When you deploy Citrix ADC VPX on Microsoft Azure Resource Manager (ARM), you can leverage the Azure cloud computing capabilities and use Citrix ADC load balancing and traffic management features for your business needs. You can deploy Citrix ADC VPX instances on Azure Resource Manager either as standalone instances or as high availability pairs in active-active or active-standby modes.
• Citrix ADC VPX VMs in high availability are fronted by external or internal Azure load balancers that have inbound rules defined on them. External traffic is first intercepted by these load balancers and then diverted according to the load balancing rules, backend pools, NAT rules, and health probes configured on them.
• The Azure architecture does not accommodate support for the following Citrix ADC features:
• Clustering
• IPv6
• Gratuitous ARP (GARP)
• L2 Mode
• Tagged VLAN
• Dynamic Routing
• Virtual MAC (VMAC)
• USIP
• CloudBridge Connector
• The following ports are reserved by the Citrix ADC virtual machine. You cannot define these as private ports when using the Public IP address for requests from the Internet: 21, 22, 80, 443, 8080, 67, 161, 179, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 9000, 7000.
• Because 22 (SSH) and 80/443 (management GUI and NITRO API) are among these reserved ports, use a Network Security Group to restrict inbound access to them to administrative address ranges, so that appliance management is never reachable from the Internet at large.
• GSLB is supported on NS 12 VPXs in Azure, but not on NS 11 VPXs in Azure.

Additional Resources:
• Deploying Citrix ADC VPX on Microsoft Azure - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure.html


Citrix ADC HA INC
Active/Passive HA

• Independent Network Configuration mode.
• Typically used when Citrix ADCs in active/passive HA are deployed on two different networks.
• Used in Azure because Layer 2 and GARP are not available.
• Azure Load Balancer owns the floating PIPs.
• VIPs float between the Active and Passive Citrix ADC.
• SNIPs are added to each Citrix ADC instance.
• Supports HDX session failover.

Key Notes:
• Citrix ADC active-passive environments normally use GARP to ensure that traffic is redirected to the passive Citrix ADC in case of a failover. Since GARP and Layer 2 networking are not exposed in Azure, HA-INC is used so that each Citrix ADC instance keeps its own, instance-specific SNIPs. The Azure Load Balancer, which does have the Layer 2 reachability the appliances lack, floats the incoming VIP traffic between the two HA instances.
• In an active-passive deployment, the ALB floating public IP (PIP) addresses are added as the VIP addresses in each Citrix ADC node. In the HA-INC configuration, the VIP addresses are floating and the SNIP addresses are instance specific.
• The ALB monitors each Citrix ADC instance with a health probe every 5 seconds and forwards traffic only to an instance that keeps answering the probe. In an HA setup the primary node responds to the health probes and the secondary does not. If the primary misses two consecutive health probes, the ALB stops sending traffic to it. On failover, the new primary starts responding to health probes and the ALB redirects traffic to it. The standard Citrix ADC HA failover time is three seconds, so the total time before traffic switches is at most 13 seconds (two missed 5-second probes plus the 3-second HA failover).
• HA-INC mode enables HDX session failover, but users will experience a short session lock while the failover happens.

Additional Resources:
• Configuring High Availability Nodes in Different Subnets - https://docs.citrix.com/en-us/citrix-gateway/13/high-availability/ng-ha-routed-networks-con.html


Citrix ADC Multi NIC Multi IP

(Diagram: an Azure Load Balancer with PIP1:443 and PIP2:80 mapped to Front-End Pool1 and Front-End Pool2; Back-End Pool1 and Back-End Pool2 point at two Citrix ADCs, each with two NICs (NIC1/NIC2 and NIC3/NIC4) carrying multiple IPs (IP1, IP2, IP5 and IP3, IP4, IP6), in front of StoreFront and the Session Machines.)

• Active/Passive with INC mode also uses multi-NIC.
• Active-Passive requires:
• An HA Independent Network Configuration (INC) configuration.
• The Azure Load Balancer (ALB) in Direct Server Return (DSR) mode.
• Adding multiple NICs and multiple IPs to Citrix ADC can be done through the Azure Portal or Azure PowerShell.
• Useful for hosting multiple services on the same Citrix ADC pair.

Key Notes:
• In Azure Resource Manager (ARM), you can deploy a Citrix ADC virtual appliance with multiple NICs. Each NIC can contain multiple IP addresses.
• In an active-active High-Availability (HA) setup, two Citrix ADC VPX instances are deployed independently, but each is ready to assume the other's load in the event of a failure. In this type of deployment, you must configure the NICs identically in both instances.
• Active-Active Citrix ADC HA should be load balanced by either Azure LB or another Citrix ADC load balancer to ensure full high availability. Citrix Application Delivery Management can help manage the Citrix ADCs.
• For a Citrix ADC HA deployment on Azure cloud to work, you need a floating public IP (PIP) that can be moved between the two Citrix ADC HA nodes. The Azure Load Balancer (ALB) provides that floating PIP, which is moved to the second node automatically in the event of a failover.
• ICA connections through Citrix ADCs in Azure can fail over if the Citrix ADCs are configured to use HA INC.
• Configuring Citrix ADC VPX in Azure in HA mode with multiple Azure NICs and IP addresses includes the following tasks:
• Create a Resource Group where the Citrix ADC VPXs will be deployed.
• Create a Storage Account for the Citrix ADC VPX virtual disks (only if using unmanaged disks).
• Create an Availability Set before creating the Citrix ADC VPXs.
• Create a Network Security Group to define which traffic is allowed to and from the Citrix ADC VPXs.
• Create a Virtual Network only if you are defining a separate network for the Citrix ADC deployment; alternatively, create a new subnet within the existing network.
• Create the Public IPs used to host the incoming traffic; these IPs will be assigned to the Azure Load Balancer.
• Create the IP Configurations used for the Citrix ADC VPXs.
• Create the NICs used for the Citrix ADC VPXs.
• Create Citrix ADC VPX 1 and Citrix ADC VPX 2, add them to the availability set, and assign the NICs and IP configurations to them.
• Create the Azure Load Balancer that will balance the traffic between the Citrix ADC VPX pair.
• Associate the NIC IP-Config with the Azure LB Back-end Pool.
• Associate the NAT Rules of the NICs' IP-Config with the Azure LB NAT Rules.
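As an added example (not Citrix's script and not the course's lab content), the following Az PowerShell fragment performs the tasks listed above for a two-node VPX pair behind a Standard Azure Load Balancer. It assumes the Az module (the AzureRm cmdlets shown elsewhere in this course are deprecated), an existing VNet and subnet, and illustrative names, private addresses, an administrative CIDR and marketplace image identifiers; confirm the publisher, offer and SKU with Get-AzVMImageSku before running it. The TCP 9000 probe port is the one Citrix uses in its HA-INC guidance; the Floating IP switch on the rule is what the slide calls DSR mode. One NIC per node is shown to keep the example short; additional NICs follow the same New-AzNetworkInterface and Add-AzVMNetworkInterface pattern.

```powershell
# Added example: Azure building blocks for a Citrix ADC VPX HA-INC pair behind an ALB.
# Assumptions: Az PowerShell module, existing VNet/subnet, illustrative names and addresses.
$rg        = 'rg-ctxadc'
$loc       = 'eastus'
$vnetName  = 'vnet-ctx'
$subnet    = 'snet-adc'
$adminCidr = '203.0.113.0/24'   # constructed: the only source allowed to reach management ports

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# Availability set: the two VPX nodes land in different fault and update domains.
$avset = New-AzAvailabilitySet -ResourceGroupName $rg -Name 'as-ctxadc' -Location $loc `
    -Sku Aligned -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 2

# NSG: 443 is the only port published to the Internet; SSH and the management GUI/NITRO API
# (22/443, both on the VPX reserved-port list) are reachable from the admin CIDR only.
# A Standard SKU public IP is closed by default, so this NSG is what admits client traffic.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'allow-gateway-https' -Priority 100 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'allow-mgmt-from-admins' -Priority 110 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix $adminCidr -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange @('22', '443')
    New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' -Priority 4000 -Direction Inbound `
        -Access Deny -Protocol * -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-ctxadc' -Location $loc -SecurityRules $rules

$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnetId = ($vnet.Subnets | Where-Object Name -eq $subnet).Id

# Floating public IP owned by the ALB (Standard SKU is required for a Standard load balancer).
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-ctxgw' -Location $loc `
    -Sku Standard -AllocationMethod Static

# ALB: frontend = floating PIP, backend pool = the VPX NICs, TCP probe on the HA probe port
# (5 s interval, 2 misses = out of rotation), and a 443 rule with Floating IP (DSR) so the
# same VIP can be configured on both ADC nodes.
$fe     = New-AzLoadBalancerFrontendIpConfig -Name 'fe-ctxgw' -PublicIpAddress $pip
$bePool = New-AzLoadBalancerBackendAddressPoolConfig -Name 'be-ctxadc'
$probe  = New-AzLoadBalancerProbeConfig -Name 'probe-adc-ha' -Protocol Tcp -Port 9000 `
    -IntervalInSeconds 5 -ProbeCount 2
$rule   = New-AzLoadBalancerRuleConfig -Name 'lb-gateway-https' -FrontendIpConfiguration $fe `
    -BackendAddressPool $bePool -Probe $probe -Protocol Tcp -FrontendPort 443 -BackendPort 443 `
    -EnableFloatingIP
New-AzLoadBalancer -ResourceGroupName $rg -Name 'lb-ctxadc' -Location $loc -Sku Standard `
    -FrontendIpConfiguration $fe -BackendAddressPool $bePool -Probe $probe -LoadBalancingRule $rule | Out-Null

# One NIC per node: the NIC's ip-config joins the backend pool. The instance-specific SNIP lives
# on the NIC; the VIP floats with the ALB frontend, which is what HA-INC relies on.
$nics = foreach ($i in 1, 2) {
    $ipcfg = New-AzNetworkInterfaceIpConfig -Name "ipcfg-adc$i" -SubnetId $subnetId `
        -PrivateIpAddress "10.10.1.1$i" -LoadBalancerBackendAddressPool $bePool -Primary
    New-AzNetworkInterface -ResourceGroupName $rg -Name "nic-adc$i" -Location $loc `
        -IpConfiguration $ipcfg -NetworkSecurityGroupId $nsg.Id
}

# The VPX VMs: BYOL marketplace image (plan information is mandatory), joined to the availability set.
$cred = Get-Credential -Message 'nsroot credential for the VPX instances'
foreach ($i in 1, 2) {
    $vm = New-AzVMConfig -VMName "vpx-adc$i" -VMSize 'Standard_D2s_v3' -AvailabilitySetId $avset.Id
    $vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName "vpx-adc$i" -Credential $cred
    $vm = Set-AzVMSourceImage -VM $vm -PublisherName 'citrix' -Offer 'netscalervpx-130' `
        -Skus 'netscalerbyol' -Version 'latest'          # assumed identifiers; verify with Get-AzVMImageSku
    $vm = Set-AzVMPlan -VM $vm -Publisher 'citrix' -Product 'netscalervpx-130' -Name 'netscalerbyol'
    $vm = Add-AzVMNetworkInterface -VM $vm -Id $nics[$i - 1].Id -Primary
    New-AzVM -ResourceGroupName $rg -Location $loc -VM $vm
}
```

After the VMs are up, the remaining work is on the appliances themselves: enable HA-INC, add the ALB frontend address as the VIP on both nodes, and add the per-node SNIPs. Inbound NAT rules for per-node management (the last task in the list) can be added with New-AzLoadBalancerInboundNatRuleConfig, but are better omitted entirely when management is reached over an internal path, since every NAT rule is another Internet-facing door to port 22 or 443.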

Additional Resources:
• Configure a high-availability setup with multiple IP addresses and NICs - https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure/configure-vpx-pair-ha-inc.html
• Add network interfaces to or remove from virtual machines - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm


Lab Exercise Prep

• Exercise 5-4: Deploy Citrix ADC in Azure.
• Exercise 5-5: Import Citrix ADC Configuration.
• Exercise 5-6: Enable Remote Access in StoreFront.
• Exercise 5-7: Launch Resources through Citrix ADC.


Lesson Objective Review

How can you add multiple NICs to Citrix ADC in Azure?

In the Azure portal or through the use of Azure PowerShell cmdlets, for example:

New-AzureRmNetworkInterface -Name <nicName> -ResourceGroupName <rgName> -Location <location> -IpConfiguration <ipConfig>
Add-AzureRmVMNetworkInterface -VM <vmObject> -Id <nicResourceId>

(The AzureRm module has been superseded by the Az module, where the equivalent cmdlets are New-AzNetworkInterface and Add-AzVMNetworkInterface with the same parameters.)


Connecting to the Closest Resources


GSLB

• Global Server Load Balancing is based on DNS functionality.
• Used to distribute connections between multiple datacenters based on:
• State of datacenters
• Proximity to datacenters
• Internal or external connections.
• Helpful when creating a single logon URL for Citrix Gateway and StoreFront.
• Citrix ADC becomes an Authoritative DNS server for the FQDN.
• Citrix ADC GSLB can replace Azure LB in Active/Active HA configurations.

Key Notes:
• Global Server Load Balancing (GSLB) provides disaster recovery and ensures continuous availability of applications by protecting against points of failure in a Wide Area Network (WAN).
• GSLB can balance the load across data centers by directing client requests to the closest or best-performing data center, or to surviving data centers in case of an outage.
• DNS is a key component in a GSLB environment. Because the Citrix ADC answers authoritatively for the logon FQDN, the public DNS zone must delegate that name to the ADCs' ADNS addresses, and a client keeps using the answer it already has until the record's TTL expires.
• Customers can use GSLB instead of Azure LB for Active/Active Citrix ADCs. The drawback is that DNS failover is not as instant as the Azure LB, because it depends on DNS TTLs and client-side caching.

Additional Resources:
• How GSLB Works? https://docs.citrix.com/en-us/citrix-adc/13/global-server-load-balancing.html


GSLB
Architecture Example

(Diagram: two sites, Azure US East with Citrix ADC US East and Azure Europe West with Citrix ADC Europe West. Each ADC hosts a Gateway vServer (vServer1 or vServer2) with its CallBack vServer, LDAP, NS and a GSLB vServer, and fronts a local StoreFront and VDI.)

Key Notes:
• This diagram references a simple GSLB architecture overview, not specific to Azure.

Additional Resources:
• How to Configure GSLB on Citrix Gateway? https://support.citrix.com/article/CTX205277
• How GSLB Works? https://docs.citrix.com/en-us/citrix-adc/13/global-server-load-balancing.html
• Citrix ADC, GSLB & Microsoft Azure: What a Combination! - https://www.citrix.com/blogs/2017/05/09/netscaler-gslb-microsoft-azure-what-a-combination/
• Configuring GSLB on Citrix ADC VPX Instances - https://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure/configuring-gslb-on-netscaler-vpx-appliance.html


StoreFront Optimal Gateway Routing

• Separates the logon Gateway from the launch Gateway.
• Routes the HDX connection through the Citrix Gateway local to the resource being launched, rather than the one the user logged on through.
• Combine with GSLB to create a single logon URL and individual Citrix ADC HDX Gateways in each datacenter.
• Use StoreFront to map individual HDX Gateways to Zones.

Key Notes:
• If you have configured separate Citrix Gateway appliances for your deployments, StoreFront enables you to define the optimal appliance for users to access each of the deployments providing resources for a store.
• For example, if you create a store that aggregates resources from two geographical locations, each with a Citrix Gateway appliance, users connecting through an appliance in one location can start a desktop or application in the other location. However, by default, the connection to the resource is then routed through the appliance to which the user originally connected and must, therefore, traverse the corporate WAN.
• To improve the user experience and reduce network traffic over the WAN, you can specify the optimal Citrix Gateway appliance for each of your deployments. With this configuration, user connections to resources are automatically routed through the appliance local to the deployment providing the resources, regardless of the location of the appliance through which the user accesses the store.

Additional Resources:
• Configure optimal gateway routing - https://docs.citrix.com/en-us/storefront/current-release/plan/high-availability-and-multi-site-configuration.html


StoreFront Optimal Gateway Routing
Architecture Example

(Diagram: Workspace app endpoints connect to either Citrix ADC US East (Gateway vServer1 with CallBack vServer1) in Azure US East or Citrix ADC Europe West (Gateway vServer2 with CallBack vServer2) in Azure Europe West; each region has its own StoreFront, Cloud Connectors and VDA machines.)

Key Notes:
• This diagram references a simple Optimal Gateway architecture overview, not specific to Azure.

Additional Resources:
• StoreFront high availability and multi-site configuration - https://docs.citrix.com/en-us/storefront/current-release/plan/high-availability-and-multi-site-configuration.html


Lesson Objective Review

When configuring GSLB, which DNS server must be authoritative for the logon FQDN?

The Citrix ADC must be the authoritative DNS server for the logon FQDN.


Key Takeaways

• Use availability sets when deploying StoreFront in Azure.
• Azure load balancer is used to enable Citrix ADC High Availability in Azure.
• GSLB can be used to create a single logon point that directs users to the Azure region closest to their location.


Citrix Virtual Apps and Desktops Service on Microsoft Azure

Maintaining Infrastructure and VDAs in Microsoft Azure

Module 6


Learning Objectives

• Review the infrastructure maintenance requirements for Citrix Cloud and with Azure as a resource location.
• Examine the best practices for maintaining resources in Azure.
• Cover the power management options for deploying VDAs in Azure with Citrix Cloud.


Maintaining Infrastructure


Maintaining Infrastructure
Citrix Cloud

• Citrix updates, manages, and maintains:
• Delivery Controllers
• Site Databases
• Workspace Experience
• Citrix Gateway as a Service
• Studio
• Director
• Citrix Cloud updates deployed every two weeks.
• Evergreen

Key Notes:
• Site Databases refers to the three databases containing the Citrix Site metadata, configuration logging, and monitoring data.
• Citrix targets an update cycle every two weeks for all customers in Citrix Cloud; the process is referred to as evergreen.


Maintaining Infrastructure
Cloud Connectors

(Diagram: Citrix Cloud pushes an automatic update to three Cloud Connectors (N+1) in the resource location; the connectors sit in front of the hypervisors, the AD server, and the Server and Desktop VDAs.)

• VM and Operating System are customer managed.
• Cloud Connector software is updated and managed by Citrix.
• Follows the evergreen 2-week cycle.
• Deploy at least two Cloud Connectors per resource location to avoid update outages.
• N+1 sizing.
• For enterprise, the recommendation is N+2 for connectors (so there is never a point in time with a single point of failure).
• One Cloud Connector updated at a time.

Key Notes:
• The Cloud Connector should be installed on a dedicated domain-joined machine.
• Keep all of the Cloud Connectors powered on at all times for proper operation.
• Always install connectors in pairs. The number of Cloud Connectors you should install is N+1, where N is the capacity needed to support the infrastructure within your Citrix Cloud Resource Location.
• Although two is technically enough to ensure HA under normal operations, having three ensures that HA and capacity are also in place while a single connector is being updated.
• Cloud Connectors automatically distribute the load.
• Automatic updates from Citrix Cloud may cause Cloud Connectors to restart; therefore, having a single Cloud Connector in a resource location will lead to outages.
• Do not turn a Cloud Connector off for more than two weeks: it may miss an update cycle and therefore lose connectivity with Citrix Cloud.


Maintaining Infrastructure
Workspace and StoreFront

Workspace in Citrix Cloud
• The Virtual Apps and Desktops service in Citrix Cloud includes a Workspace site for each customer.
• Zero effort to deploy.
• Hosted and operated by Citrix.
• Kept evergreen and updated by Citrix.

StoreFront in Azure
• StoreFront can also be deployed by the customer in Azure.
• Shrink-wrap product.
• Hosted and operated by the customer.
• Updates are done by the customer.
• HA should be considered.

Key Notes:
• A cloud-hosted Workspace: The Virtual Apps and Desktops service in Citrix Cloud includes a Workspace site for each customer. The benefit of the cloud-hosted Workspace is that there is zero effort to deploy, and it is kept evergreen by Citrix. Workspace is recommended for all new customers, previews, and Proofs-of-Concept (PoCs).
• An on-premises StoreFront: Customers may also use an existing StoreFront to aggregate applications and desktops in Citrix Cloud. The customer is responsible for maintaining the site and its resources within Azure. This offers greater security, including support for two-factor authentication, and prevents users from entering their password into the cloud service. It also allows customers to customize their domain names and URLs. This is recommended for any existing Virtual Apps and Desktops customers that already have StoreFront deployed.

Additional Resources:
• Workspace configuration - https://docs.citrix.com/en-us/citrix-cloud/workspace-configuration.html


Maintaining Infrastructure
Citrix ADC

Citrix Gateway Service in Citrix Cloud
• Included in Workspace and Virtual Apps and Desktops subscriptions.
• Zero effort to deploy.
• Hosted and operated by Citrix.
• Kept evergreen and updated by Citrix.

Citrix ADC VPX in Azure
• Citrix ADC can also be deployed by the customer in Azure.
• Can be deployed directly from the Azure console.
• Hosted and operated by the customer.
• Updates are done by the customer.
• HA should be considered.

Key Notes:
• The Citrix Gateway as a Service hosted in Citrix Cloud is a no-touch, no-maintenance deployment.
• All components are maintained and operated by Citrix, and the Citrix ADC software is automatically kept updated as part of the evergreen process.
• When deploying Citrix ADC VPX in Azure, the maintenance and update process is similar to deploying VPX appliances on-premises, and the customer is responsible for all updates and patching of the Citrix ADCs. Because the VPX terminates TLS and authenticates remote users at the edge, track Citrix security bulletins for the firmware version you run and patch the pair on a schedule rather than waiting for the next maintenance window.
• When deploying your own Citrix ADC VPX solution, always consider deploying it in a High Availability configuration.
• Citrix ADC VPX pairs in Azure should be updated like on-premises VPX appliances: upgrade the secondary node first, force a failover, then upgrade the former primary, so that a VIP is always being served.

Additional Resources:
• Citrix Gateway Service - https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/netscaler.html


Maintaining Infrastructure
Backup and Restore

• Citrix Cloud components and services are maintained and backed up by Citrix.
• Delivery Controllers
• Site Databases
• Workspace
• Citrix ADC
• Studio
• Director
• The customer is responsible for backing up their Azure-based workloads.
• Azure Backup or other third-party solutions can be used to back up your Azure-based resources.
• Back up Master Images and Static VDAs, not stateless VDAs.

Key Notes:
• Citrix keeps backups of all components in Citrix Cloud and is able to restore every customer in case of any issues.
• In addition to the Citrix Cloud backup strategy, all components operated by Citrix Cloud are replicated among different datacenters to avoid single points of failure.
• Customers are responsible for creating their own backup and replication strategy for any components deployed in their own datacenters or their own Azure subscriptions.
• The backup and replication strategy should include components such as:
• Cloud Connectors
• StoreFront servers
• Citrix ADC VPX appliances
• User Profile file servers
• VDA Master Images
• Static VDAs
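As an added example (not Citrix's or Microsoft's code), the following Az PowerShell script applies the rule above in a subscription: it enables Azure VM backup into a Recovery Services vault for every VM whose tag marks it as one of the stateful components just listed, and skips stateless VDAs, which are rebuilt from the master image instead. The resource group and vault names, the constructed 'ctx-role' tag scheme and the use of the vault's built-in DefaultPolicy are assumptions.

```powershell
# Added example: enable Azure VM backup for stateful Citrix components only.
# Assumptions: Az PowerShell module (Az.RecoveryServices), VMs tagged with a constructed
# 'ctx-role' tag, illustrative resource group and vault names.
$rg        = 'rg-ctx-infra'
$vaultName = 'rsv-ctx-backup'
$location  = 'eastus'

# Roles whose disks hold state worth restoring. Anything else (for example 'vda-pooled',
# or an untagged VM) is treated as stateless and is not backed up.
$backupRoles = @('cloud-connector', 'storefront', 'adc-vpx', 'profile-server', 'master-image', 'vda-static')

# Vault: created once; storage redundancy can only be chosen before the first item is protected,
# and geo-redundant storage keeps restore points outside the region.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName -Location $location
    Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant
}
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name 'DefaultPolicy' -VaultId $vault.ID

$report = foreach ($vm in Get-AzVM -ResourceGroupName $rg) {
    $role = $vm.Tags['ctx-role']
    if ($role -notin $backupRoles) {
        [pscustomobject]@{ VM = $vm.Name; Role = $role; Action = 'skipped (stateless or untagged)' }
        continue
    }
    # Idempotent: a VM that is already a backup item in this vault is left alone.
    $item = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM `
        -Name $vm.Name -VaultId $vault.ID -ErrorAction SilentlyContinue
    if ($item) {
        [pscustomobject]@{ VM = $vm.Name; Role = $role; Action = 'already protected' }
        continue
    }
    Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $vm.Name `
        -ResourceGroupName $vm.ResourceGroupName -VaultId $vault.ID | Out-Null
    [pscustomobject]@{ VM = $vm.Name; Role = $role; Action = 'protection enabled' }
}
$report | Format-Table -AutoSize
```

Run it after every catalog or infrastructure change so newly added Cloud Connectors or static VDAs are picked up; the report makes the skipped machines visible, which is how an untagged profile server gets noticed before it is needed for a restore.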

Additional Resources:
• Use Azure portal to restore virtual machines - https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
• Overview of the features in Azure Backup - https://docs.microsoft.com/en-us/azure/backup/backup-introduction-to-azure-backup
• Azure Backup - https://azure.microsoft.com/en-us/services/backup/


Azure Backup Products

• There are four products that can be used to back up resources in Azure.
• Each product has different use cases.

Azure Backup Product       | What is protected                                                    | Limitations                                                            | Use case
Azure Backup Agent (MARS)  | Files, Folders, System State                                         | No VSS support; No Linux support; No tape backup; No backup to disk    | User profile shares
System Center DPM          | Files, Folders, Volumes, VMs, Applications, Workloads, System State  | Requires System Center License                                         | SQL Server, Exchange, On-premises VMs (Hyper-V and VMware)
Azure Backup Server        | Files, Folders, Volumes, VMs, Applications, Workloads, System State  | No tape backup                                                         | SQL Server, Exchange, On-premises VMs (Hyper-V and VMware)
Azure IaaS VM Backup       | VMs, All disks (using Azure PowerShell)                              | No tape backup; No compression; No backup to disk; 1 backup per day    | Azure VMs

Key Notes:
• Azure Backup offers multiple components that you can download and deploy on the appropriate computer, server, or in the cloud. The component, or agent, that you deploy depends on what you want to protect.
• All Azure Backup components (whether you are protecting data on-premises or in the cloud) can be used to back up data to a Recovery Services vault in Azure.

Additional Resources:
• Overview of the features in Azure Backup - https://docs.microsoft.com/en-us/azure/backup/backup-introduction-to-azure-backup


Monitoring Infrastructure in OMS

(Diagram: Log Analytics collects from agents, cloud logs and APIs into the Log Analytics repository, which feeds dashboards, log search, alerts and export; Azure Automation consumes log search alerts and reacts by email, webhook or runbook.)

• Azure Operations Management Suite can be utilized to monitor and actively maintain Citrix infrastructure in Azure.
• Log Analytics
• Azure Automation

Key Notes:
• The Operations Management Suite (OMS) is a cloud-based IT management solution that helps you manage and protect your cloud and on-premises environments. Rather than being deployed on-premises to manage your resources, the OMS components are hosted entirely in Azure. The required configuration is minimal, and you can be up and running in a matter of minutes.
• Log Analytics
• Monitor and analyze the availability and performance of different resources including physical and virtual machines.
• Azure Automation
• Automate manual processes and enforce configurations for physical and virtual machines.
• The OMS portal and branding have since been retired; Log Analytics workspaces and Azure Automation accounts continue to exist and are managed under Azure Monitor.

Additional Resources:
• What is Operations Management Suite (OMS)? https://docs.microsoft.com/en-us/azure/operations-management-suite/operations-management-suite-overview


Lesson Objective Review

Who is responsible for updating the Cloud Connector software?

Citrix Cloud automatically pushes updates to the Cloud Connectors, one at a time.


Maintaining VDAs


Maintaining Master Images

• In Azure, MCS Catalogs are based on a Master VDA image.
• Get the Master VDA image by either:
• Creating a Master VM and configuring it accordingly.
• Uploading a sysprepped Master VHD from on-premises.
• MCS will copy the Master VDA image during Catalog creation.
• If using the same Master VDA for multiple Catalogs, manually copy the Master image before Catalog creation.
• Start the Master VDA VM to apply incremental updates; turn it off and deallocate it before the Catalog update.
• Using copies allows rollback to a previous image.

Key Notes:
• The master VDA VM is created solely to produce the master VDA image.
• Once the master VDA image is final, the master VDA VM itself is technically no longer needed.
• A new master VDA VM can always be created to maintain the master VDA image.
• As a best practice, always create a copy of your master image and use the copied image as input to the provisioning process. When you later want to update the catalog, start the master image VM, make the necessary changes, shut it down, and again create a copy of the image, which becomes your updated image. This lets you use the master image VM to create multiple image updates, and keeps every earlier copy available for rollback.

Additional Resources:
• Using Virtual Apps & Virtual Desktops in Azure Resource Manager - https://www.citrix.com/blogs/2016/09/12/using-xenapp-xendesktop-in-azure-resource-manager/


App Layering

(Diagram: the layered image, from top to bottom: User Layer, App Layer, Platform Layer, OS Layer, built by the Enterprise Layer Manager (ELM).)

Use App Layering in Azure to reduce Master VDA image management. Deploy the ELM appliance in Azure.
• Add an SMB share on a premium disk to the ELM server.
• Create the Base OS Layer VM in the Azure Portal.
• Deploy Citrix Optimizer for App Layering.
• Define the Azure Connector in ELM.
• Create the OS Layer in ELM and import the OS Image.
• Create the Remote Desktop Services Platform Layer.
• Create the Application Layers.
• Create the Image Template in ELM.

Key Notes:
• Citrix provides an installation script for deploying the ELM server on Azure. The installation script, included in the installation package, does the following:
• Copies the included VHD to the Azure location you specify.
• Creates a virtual machine in Azure using the VHD.
• Attaches the repository disk.
• Boots the Azure appliance.
• When you run the script:
• IMPORTANT: Be sure to note the Resource group location you select, as you will need this information later. For more information about resource groups, refer to Using the Azure Portal to manage your Azure resources.
• When selecting a virtual machine size, it is strongly recommended that you create a D3 Standard machine.
• The name you specify for the new virtual machine must comply with Azure naming conventions.
• Select a Virtual Network in which HTTP port 80 is accessible (the Public IP can be disabled). Because the appliance is managed over plain HTTP on that port, keep it on an internal subnet reachable only by administrators and do not publish it through a public IP.
• On the Monitoring Diagnostics entry, select Disabled.
• SMB share:
• Currently, the App Layering Appliance does not support the Azure File Share feature. For best performance, create a file share server in Azure using a fast system with a Premium Disk, for example, a DS-class machine.
• Azure Connector in ELM:
• A Connector Configuration contains the credentials and location information that the appliance needs to access a specific location in Azure. For example, your organization may have one Azure account and several storage locations, and you will need a Connector Configuration so the appliance can access each storage location.

Additional Resources:
• App Layering in Azure - https://docs.citrix.com/en-us/citrix-app-layering/4/azure.html
• Azure Connector Configuration - https://docs.citrix.com/en-us/citrix-app-layering/4/connect/ms-azure.html


Deploy New Master VDA VM

• Option to script the deployment of a new Master VDA VM for each update to the base image.
• The more challenging approach, which typically requires a 3rd-party tool.
• Script the installation of the VDA and all other software on the VM.
• Update the existing Catalog by pointing it to the new Master VDA VM or image.
• Investigate utilities such as:
• Azure Automation Accounts/Runbooks
• Puppet
• Chef

Key Notes:
• Some customers prefer to script the deployment of a new master VM each time they update the base image.
• This is the more challenging solution and typically requires a 3rd-party tool.
• Creating a new Master Image each time avoids inheriting any errors or misconfigurations from the previous one.
• Use scripts to automate the installation of updates and applications.

Additional Resources:
• Using Virtual Apps & Virtual Desktops in Azure Resource Manager - https://www.citrix.com/blogs/2016/09/12/using-xenapp-xendesktop-in-azure-resource-manager/


Update Catalogs

After the Master VDA image has been updated:
• Copy the Master VDA image to the storage BLOB (CTXMasterUpdates).
• Select the Machine Catalog to update.
• Click Next on Overview.
• Expand the correct Storage Account and select the updated Master image.
• Ensure the Master VDA image is not attached to a running VM.
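The copy-before-provisioning practice from "Maintaining Master Images" and the "not attached to a running VM" check above can be scripted so that neither step is skipped under time pressure. The following is an added example, not Citrix's tooling and not the course's lab: it assumes the Az PowerShell module, a master VM with a managed OS disk (the storage-account BLOB flow above is the unmanaged-disk equivalent), and illustrative resource group, VM and tag names.

```powershell
# Added example: make a per-update copy of the master VDA disk for an MCS catalog update,
# refusing to copy while the master VM is still running. Assumptions: Az module, managed disks,
# illustrative names; the 'ctx-*' tags are a constructed convention.
$masterRg = 'rg-ctx-master'
$masterVm = 'vm-master-w10'
$imageRg  = 'rg-ctx-master-updates'   # plays the role of the CTXMasterUpdates location above
$location = 'eastus'

function Get-PowerState([string]$rg, [string]$name) {
    $vm = Get-AzVM -ResourceGroupName $rg -Name $name -Status
    ($vm.Statuses | Where-Object Code -like 'PowerState/*').Code
}

# 1. MCS must read a disk that is not attached to a running VM: stop AND deallocate the master,
#    then re-check the state rather than trusting the cmdlet's return value.
if ((Get-PowerState $masterRg $masterVm) -ne 'PowerState/deallocated') {
    Write-Host "Deallocating $masterVm before copying its OS disk."
    Stop-AzVM -ResourceGroupName $masterRg -Name $masterVm -Force | Out-Null
}
$state = Get-PowerState $masterRg $masterVm
if ($state -ne 'PowerState/deallocated') { throw "$masterVm is still '$state'; refusing to copy." }

# 2. Copy the OS disk under a timestamped name. Every catalog update gets its own copy, so the
#    previous one is always there for "Rollback machine update"; the live disk is never handed to MCS.
$osDiskId = (Get-AzVM -ResourceGroupName $masterRg -Name $masterVm).StorageProfile.OsDisk.ManagedDisk.Id
$stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
$copyName = "$masterVm-$stamp"
$tags     = @{ 'ctx-role' = 'mcs-master-copy'; 'ctx-source' = $masterVm; 'ctx-created' = $stamp }

New-AzResourceGroup -Name $imageRg -Location $location -Force | Out-Null
$cfg  = New-AzDiskConfig -Location $location -CreateOption Copy -SourceResourceId $osDiskId -Tag $tags
$copy = New-AzDisk -ResourceGroupName $imageRg -DiskName $copyName -Disk $cfg

# 3. List what is available for rollback, newest first. Copies must keep their names and resource
#    group: renaming, moving or deleting one breaks the rollback the catalog has recorded.
Get-AzDisk -ResourceGroupName $imageRg |
    Where-Object { $_.Tags['ctx-source'] -eq $masterVm } |
    Sort-Object { $_.Tags['ctx-created'] } -Descending |
    Format-Table Name, DiskSizeGB, TimeCreated, @{ n = 'InUse'; e = { [bool]$_.ManagedBy } } -AutoSize

Write-Host "Point the catalog update at disk '$($copy.Name)' in resource group '$imageRg'."
```

Keeping the copies in a resource group of their own makes it easy to lock it against deletion and to give the MCS service principal read access to that group only, instead of to the master VM itself.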

Additional Resources:
• Update and Rollback Virtual Desktops Azure Resource Manager Catalog - https://www.citrix.com/blogs/2016/11/23/update-and-rollback-xendesktop-azure-resource-manager-catalog/


Rollout Strategy

When to apply the update to VMs in the Machine Catalog:
• On next shutdown
• Immediately
  • Update all VMs at the same time
  • Distribute period
    • Internal algorithm
• Notification
  • Time
  • Frequency

Key Notes:
• Distribution time: You can choose to update all machines at the same time, or specify the total length of time it should take to begin updating all machines in the catalog. An internal algorithm determines when each machine is updated and restarted during that interval.
• Notification: In the left notification dropdown, choose whether to display a notification message on the machines before an update begins. By default, no message is displayed. If you choose to display a message 15 minutes before the update begins, you can choose (in the right dropdown) to repeat the message every five minutes after the initial message. By default, the message is not repeated. Unless you choose to update all machines at the same time, the notification message displays on each machine at the appropriate time before the update begins, calculated by an internal algorithm.
• Remember to consider the size of the Catalog and the Update Duration; refer back to Module 4, Slide 36.

Additional Resources:
• Update the catalog - https://support.citrix.com/article/CTX219330
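The rollout strategy above can also be driven from the Citrix Remote PowerShell SDK instead of the Studio wizard. The following is an added example written for this page, not code from the course or from Citrix: it starts the post-update reboot cycle for a catalog, spreads the restarts over a distribution period and shows users a repeating notification. The customer ID and catalog name are placeholders; cmdlet and parameter names follow the Citrix Broker SDK documentation, so verify them against your SDK version.

```powershell
# Added example (not from the course): start the post-update reboot cycle for a catalog
# with the Citrix Remote PowerShell SDK, spreading restarts over a window and warning users.
# Assumptions: the SDK snap-ins are installed; customer ID and catalog name are placeholders.
Add-PSSnapin Citrix* -ErrorAction Stop
Get-XDAuthentication -CustomerId 'your-customer-id'      # interactive sign-in to Citrix Cloud (placeholder)

$catalogName = 'Win10-Pooled'                             # placeholder catalog name
$catalog     = Get-BrokerCatalog -Name $catalogName

# Rollout strategy from the slide: distribute the restarts over 120 minutes instead of all at once,
# show a warning 15 minutes before each restart and repeat it every 5 minutes.
Start-BrokerRebootCycle -InputObject $catalog `
    -RebootDuration 120 `
    -WarningDuration 15 `
    -WarningRepeatInterval 5 `
    -WarningTitle 'Scheduled maintenance' `
    -WarningMessage 'This desktop will restart shortly to apply an updated image. Please save your work.'

# Follow progress: MachinesCompleted and MachinesPending show how far the cycle has gone.
Get-BrokerRebootCycle -CatalogName $catalogName |
    Select-Object StartTime, State, MachinesCompleted, MachinesPending
```

A RebootDuration of 0 is the "update all VMs at the same time" choice on the slide; any other value is the distribute period, within which the broker's internal algorithm picks each machine's restart time.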


Rollback Catalogs

• The Virtual Apps and Desktops Database keeps track of vDisks and locations during Catalog updates.
• Rollback machine update in the Catalog actions pane to change to the previous Master image.
• Rollout Strategy:
  • Select when to apply the previous Master image.
• Requirements:
  • Copy disks manually for every Catalog and for every update.
  • Rollback does not work if changes are made in the current Master image.
  • Renaming, deleting, or moving Master images will cause rollback to fail.

Key Notes:
• If you are maintaining a master image VM in Azure, always create a copy of the associated master VHD and use that for creating a catalog. For a catalog update, after you make changes in your master image, again create a copy of the associated VHD and use that copy to update the catalog. If you follow this method, you can maintain one master image VM in Azure and use it for multiple image updates, rollbacks, etc.
• Do not rename, delete or move a master image; otherwise, you won't be able to roll back the update if required.
• The Broker reboot cycle after a catalog update/rollback happens only for those machines which are added to a delivery group. If you have only created a catalog but not added machines to a delivery group, machines will not be automatically rebooted after update/rollback; you will have to manually reboot the machines from the Studio console for the new image to take effect.
• The rollback is applied only to machines that need to be reverted. For machines that have not been updated with the new/updated master image (for example, machines with users who have not logged off), users do not receive notification messages and are not forced to log off.
• During the broker reboot cycle after the image update, machines eligible for the reboot are divided into two groups. The reboot cycle is started on all machines in the first group. The cycle then waits for at least one machine to register. If no machine registers within the configured timeout, the cycle is abandoned. This is by design and is intended to avoid taking all the machines in a delivery group out of service due to a bad update.

Additional Resources:
• Update and Rollback Virtual Desktops Azure Resource Manager Catalog - https://support.citrix.com/article/CTX219330
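Both the Update Catalogs slide (copy the Master VDA image to a storage BLOB while it is not attached to a running VM) and the rollback requirement above (a separate copy for every catalog and every update, never renamed or moved afterwards) come down to the same operation. The following added example, written for this page and not taken from the course or from Citrix, performs it with the Az PowerShell modules. The resource group, VM, storage account, source container and blob names are placeholders; only the CTXMasterUpdates container name comes from the slide.

```powershell
# Added example (not from the course): take a point-in-time copy of the master VHD before every
# catalog update, so the previous image stays available for rollback and is never renamed or moved.
# Assumptions: Az.Compute and Az.Storage are installed; the resource group, VM, storage account and
# source container/blob names below are placeholders. CTXMasterUpdates is the container from the slide.
$rg           = 'rg-ctx-masters'        # placeholder resource group
$masterVm     = 'vm-master-vda'         # placeholder master VDA VM
$account      = 'ctxmasterstorage'      # placeholder storage account holding the master VHD
$srcContainer = 'vhds'                  # placeholder container the master VHD lives in
$srcBlob      = 'master-vda.vhd'        # placeholder master VHD blob name
$dstContainer = 'ctxmasterupdates'      # slide's container; Azure container names must be lowercase

# 1. The image must not be attached to a running VM: deallocate the master VM and confirm its state.
Stop-AzVM -ResourceGroupName $rg -Name $masterVm -Force | Out-Null
$state = ((Get-AzVM -ResourceGroupName $rg -Name $masterVm -Status).Statuses |
          Where-Object { $_.Code -like 'PowerState/*' }).Code
if ($state -ne 'PowerState/deallocated') { throw "Master VM is $state; refusing to copy a VHD that may still change." }

# 2. Copy the VHD to a date-stamped blob. Each update gets its own copy; older copies are left untouched,
#    which is what the rollback feature relies on.
$ctx     = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context
$dstBlob = 'master-vda-{0}.vhd' -f (Get-Date -Format 'yyyyMMdd-HHmm')
New-AzStorageContainer -Name $dstContainer -Context $ctx -ErrorAction SilentlyContinue | Out-Null
Start-AzStorageBlobCopy -SrcContainer $srcContainer -SrcBlob $srcBlob -Context $ctx `
                        -DestContainer $dstContainer -DestBlob $dstBlob -DestContext $ctx | Out-Null

# 3. The copy is server-side and asynchronous: wait for it before pointing the catalog at the new blob.
do {
    Start-Sleep -Seconds 15
    $copy = Get-AzStorageBlobCopyState -Container $dstContainer -Blob $dstBlob -Context $ctx
} while ($copy.Status -eq 'Pending')
if ($copy.Status -ne 'Success') { throw "Copy ended with status $($copy.Status)" }
"Catalog update image ready: $dstContainer/$dstBlob"
```

Select the date-stamped blob in the Update Catalog wizard; because the earlier copies are never modified, renamed or moved, the rollback action can return to any of them.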


Template Management

• For large deployments, Azure Templates can be used to ensure consistent deployments of:
  • Master VMs
  • Storage Accounts
  • Networks and Subnets
  • Resource Groups
  • Network Security Groups
• Azure Templates are based on JSON.
• GitHub is a great resource for getting started.

Key Notes:
• Templates can also be created for Active Directory, Cloud Connectors, StoreFront, and Availability Sets.

Additional Resources:
• Design patterns for Azure Resource Manager templates when deploying complex solutions - https://docs.microsoft.com/en-us/azure/azure-resource-manager/best-practices-resource-manager-design-templates
• World Class Azure Resource Manager Templates Considerations and Proven Practices - http://download.microsoft.com/download/8/E/1/8E1DBEFA-CECE-4DC9-A813-93520A5D7CFE/World%20Class%20ARM%20Templates%20-%20Considerations%20and%20Proven%20Practices.pdf
• Create your first Azure Resource Manager template - https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-create-first-template
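As an added example of the JSON templates the slide refers to (written for this page; not course material and not a Citrix or Microsoft template), the PowerShell below embeds a minimal ARM template for a Network Security Group on a VDA subnet, validates it with Test-AzResourceGroupDeployment and only then deploys it, so every environment receives identical rules. The resource group, NSG name and the Citrix Gateway and management address prefixes are placeholders; TCP 1494 and 2598 are the ICA and Session Reliability ports.

```powershell
# Added example (not from the course or Citrix): a minimal ARM template for a Network Security Group
# applied to a VDA subnet, validated and deployed with Az.Resources so every environment gets the same rules.
# Assumptions: resource group, NSG name and the gateway/management address prefixes are placeholders.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "nsgName":       { "type": "string" },
    "gatewayPrefix": { "type": "string", "metadata": { "description": "Citrix Gateway / Cloud Connector subnet allowed to reach VDAs" } },
    "mgmtPrefix":    { "type": "string", "metadata": { "description": "Admin jump-host subnet allowed to RDP" } }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-05-01",
      "name": "[parameters('nsgName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          { "name": "Allow-HDX-From-Gateway",
            "properties": { "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                            "sourceAddressPrefix": "[parameters('gatewayPrefix')]", "sourcePortRange": "*",
                            "destinationAddressPrefix": "*", "destinationPortRanges": [ "1494", "2598" ] } },
          { "name": "Allow-RDP-From-Mgmt",
            "properties": { "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                            "sourceAddressPrefix": "[parameters('mgmtPrefix')]", "sourcePortRange": "*",
                            "destinationAddressPrefix": "*", "destinationPortRange": "3389" } },
          { "name": "Deny-Internet-Inbound",
            "properties": { "priority": 4000, "direction": "Inbound", "access": "Deny", "protocol": "*",
                            "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
                            "destinationAddressPrefix": "*", "destinationPortRange": "*" } }
        ]
      }
    }
  ]
}
'@

$templateFile = Join-Path $env:TEMP 'vda-nsg.json'
Set-Content -Path $templateFile -Value $template -Encoding UTF8

$deploy = @{
    ResourceGroupName       = 'rg-ctx-vda'        # placeholder
    TemplateFile            = $templateFile
    TemplateParameterObject = @{ nsgName = 'nsg-vda'; gatewayPrefix = '10.10.1.0/24'; mgmtPrefix = '10.10.9.0/27' }  # placeholders
}
# Validate first: a non-empty result lists template errors and nothing is deployed.
$problems = Test-AzResourceGroupDeployment @deploy
if ($problems) { $problems | Format-List; throw 'Template validation failed' }
New-AzResourceGroupDeployment -Name ('vda-nsg-{0:yyyyMMddHHmm}' -f (Get-Date)) @deploy
```

Keep the template in source control next to the parameter files for each region; re-running the same deployment against a resource group is idempotent, which is what makes templates useful for keeping large deployments consistent.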


Windows Updates

• Windows Updates are turned off by the VDA Image Optimization Wizard.
• Non-persistent Catalogs
  • Run Windows Update on Master VDA VMs, test updates, and update the Catalog.
• Persistent Catalogs
  • Test Windows Updates first.
  • Use OMS Update Management to schedule deployment.
  • Deploy Windows Server Update Services (WSUS) for faster deployment and single instance download.

Key Notes:
• You can deploy and install software updates on computers that require the updates by creating a scheduled deployment. Updates classified as Optional are not included in the deployment scope for Windows computers; only required updates are.
• The scheduled deployment defines which target computers will receive the applicable updates, either by explicitly specifying computers or by selecting a computer group that is based on log searches of a particular set of computers. You also specify a schedule to approve and designate a period of time within which updates are allowed to be installed.
• Updates are installed by runbooks in Azure Automation. You cannot view these runbooks, and they don't require any configuration.
• When an Update Deployment is created, it creates a schedule that starts a master update runbook at the specified time for the included computers. This master runbook starts a child runbook on each agent that performs installation of the required updates.
• At the date and time specified in the update deployment, the target computers execute the deployment in parallel. A scan is first performed to verify the updates are still required, and then they are installed. It is important to note that for WSUS client computers, if the updates are not approved in WSUS, the update deployment will fail.
• The results of the applied updates are forwarded to OMS to be processed and summarized in the dashboards or by searching the events.

Additional Resources:
• Update Management solution in OMS - https://docs.microsoft.com/en-us/azure/operations-management-suite/oms-solution-update-management#installing-updates
• Citrix VDI Best Practices for Virtual Apps and Desktops 7.15 LTSR - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/citrix-vdi-best-practices.html


Monitoring VDAs in Cloud Studio and Director

(Screenshots: Cloud Studio and Cloud Director)

Key Notes:
• Using Cloud Director, administrators can perform the following operations to manage VDAs:
  • Power manage the VDA.
  • Enable/disable maintenance mode on a VDA.
  • End selected user processes.
  • Shadow a user session to monitor issues.
  • Generate customized reports to monitor VDA performance/session performance.
  • Keep track of machine failures/user failures.
• Additionally, from a maintenance perspective, Citrix Studio is used to update Machine Catalogs.
• Remember:
  • Cloud Studio
    • Virtual Apps and Desktops does not have a Licensing node in Cloud Studio because licensing is based on a per user per year subscription model. This does not require an on-premises license server.
    • The Logging node enables and disables logging to the site database and has been removed to make the service more secure and stable.
    • The Administrators node allows you to configure permissions on site objects within a Virtual Apps and Desktops Site. This is referred to as the Delegated Administration model. Currently, Virtual Apps and Desktops does not support Delegated Administration.
    • Currently, App-V Publishing is not supported by Citrix Cloud.
    • The Controllers node is not shown in Cloud Studio to add more security.
    • The Zones node contains the names of Cloud Connectors and not the names of Virtual Apps and Desktops Controllers.
  • Cloud Director
    • Cloud Director is not accessed through an HDX connection like Cloud Studio.
    • Citrix ADC Insight is currently not supported in Cloud Director.
    • Hosting Connections and Licensing information is not currently shown in Cloud Director.


Monitoring VDAs in Operations Management Suite
Azure Monitoring in Operations Management Suite (OMS)

Use Azure Log Analytics in OMS to capture:
• Event Log Data.
• Performance Counter Data.

(Diagram: VDAs running the MMA agent send Performance Metrics and Event Data to Azure OMS)

Key Notes:
• Log Analytics collects data from your Connected Sources and stores it in your Log Analytics workspace. The data that is collected from each is defined by the Data Sources that you configure. Data in Log Analytics is stored as a set of records. Each data source creates records of a particular type, with each type having its own set of properties.
• Windows Event logs are one of the most common data sources for collecting data using Windows agents, since many applications write to the Windows event log. You can collect events from standard logs such as System and Application, in addition to specifying any custom logs created by applications you need to monitor.
• Performance counters in Windows and Linux provide insight into the performance of hardware components, operating systems, and applications. Log Analytics can collect performance counters at frequent intervals for Near Real Time (NRT) analysis, in addition to aggregating performance data for longer-term analysis and reporting.
• MMA – Microsoft Monitoring Agent.
  • In order to monitor and manage virtual machines or physical computers in your local datacenter or another cloud environment with Log Analytics, you need to deploy the Microsoft Monitoring Agent (MMA) and configure it to report to one or more Log Analytics workspaces. The agent also supports the Hybrid Runbook Worker role for Azure Automation.

Additional Resources:
• Windows event log data sources in Log Analytics - https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-data-sources-windows-events
• Windows and Linux performance data sources in Log Analytics - https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-data-sources-performance-counters
• Connect Windows computers to the Log Analytics service in Azure - https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows
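The two data sources named on the slide, Windows event logs and performance counters, can be configured on the workspace from PowerShell and the resulting Event and Perf records queried with KQL. The following is an added example written for this page, not course material and not Citrix or Microsoft code; it uses the Az.OperationalInsights module, and the resource group and workspace names are placeholders. The counters chosen are the ones a VDA capacity review usually needs, including the Terminal Services session counter.

```powershell
# Added example (not from the course): configure the two data sources the slide names, Windows event logs
# and performance counters, on a Log Analytics workspace with Az.OperationalInsights, then query what the
# VDAs' MMA agents have sent. Assumptions: resource group and workspace names are placeholders.
$rg = 'rg-ctx-monitoring'          # placeholder
$ws = 'law-ctx-vda'                # placeholder workspace name

# Event log data source: collect Error and Warning events from the Application and System logs.
foreach ($log in 'Application', 'System') {
    New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $rg -WorkspaceName $ws `
        -Name "Events-$log" -EventLogName $log -CollectErrors -CollectWarnings | Out-Null
}

# Performance counter data source: sample the counters a VDA capacity review needs, every 60 seconds.
$counters = @(
    @{ Object = 'Processor';         Counter = '% Processor Time';       Instance = '_Total' },
    @{ Object = 'Memory';            Counter = 'Available MBytes';       Instance = '*'      },
    @{ Object = 'LogicalDisk';       Counter = 'Avg. Disk sec/Transfer'; Instance = '*'      },
    @{ Object = 'Terminal Services'; Counter = 'Active Sessions';        Instance = '*'      }
)
foreach ($c in $counters) {
    New-AzOperationalInsightsWindowsPerformanceCounterDataSource -ResourceGroupName $rg -WorkspaceName $ws `
        -Name ("Perf-{0}-{1}" -f $c.Object, $c.Counter) -ObjectName $c.Object -CounterName $c.Counter `
        -InstanceName $c.Instance -IntervalSeconds 60 | Out-Null
}

# Query the collected records (Event and Perf tables) with KQL: VDAs logging errors in the last day,
# and the VDAs with the highest average CPU over the same period.
$wsId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws).CustomerId
$errorsByVda = @'
Event
| where TimeGenerated > ago(1d) and EventLevelName == "Error"
| summarize Errors = count() by Computer, Source
| order by Errors desc
'@
$cpuByVda = @'
Perf
| where TimeGenerated > ago(1d) and ObjectName == "Processor" and CounterName == "% Processor Time"
| summarize AvgCpu = avg(CounterValue) by Computer
| order by AvgCpu desc
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $errorsByVda).Results | Format-Table
(Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $cpuByVda).Results    | Format-Table
```

The MMA agent on each VDA must already report to the workspace for these queries to return rows; the data source definitions only tell the agents what to send.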


Lab Exercise Prep

Exercise 6-1: Update Master Image
Exercise 6-2: Deploy Update to Machine Catalog


Lesson Objective Review

For a Catalog to support rollback after an update, which manual action must be done before the Catalog is updated?

The Master VDA image must be copied before every Catalog update.


Power Management


Power Management
Why is it important?

• Azure supports Pay-As-You-Go or Reserved Instances.
• Power management is important for Pay-As-You-Go customers.
  • Only allocated resources are charged.
  • Power Management allows the customer to reduce costs by limiting allocated resources.
• Billing is per minute until the resource is deallocated.
• Disks cost money even when the VM is powered off.

Key Notes:
• For customers that use Azure Reserved Instances, power management is less important, because Reserved Instances are designed to run 24/7. In short, you get the discount up front when you reserve a number of VMs for a given timeframe.
• The number of VMs you reserve becomes a fixed cost instead of a variable cost. Furthermore, you will pay the fixed cost whether the VMs are running or not.
• Some customers mix Reserved Instances and Pay-As-You-Go to ensure that their baseline number of VMs are Reserved Instances and their peak capacity is covered by adding additional Pay-As-You-Go instances.
• Remember that in order to save money in Azure, VMs must be deallocated, not just shut down from Windows.
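The last key note is easy to verify in Azure itself: a VM shut down from inside Windows reports PowerState/stopped and is still billed for compute, while a deallocated one reports PowerState/deallocated. The following added example, written for this page and not part of the course, lists the power state of every VM in a resource group and deallocates the ones that were only shut down. It uses Az.Compute; the resource group name is a placeholder.

```powershell
# Added example (not from the course): find VMs in a resource group that were shut down from inside Windows
# (PowerState/stopped, still billed for compute) rather than deallocated, and deallocate them.
# Assumptions: Az.Compute is installed and the resource group name is a placeholder.
function Get-VmPowerState {
    param([string]$ResourceGroupName, [string]$Name)
    # Get-AzVM -Status returns one Statuses entry per category; the PowerState/* code is the one we need.
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name -Status
    ($vm.Statuses | Where-Object { $_.Code -like 'PowerState/*' }).Code -replace '^PowerState/', ''
}

$rg = 'rg-ctx-vda'   # placeholder
$report = foreach ($vm in Get-AzVM -ResourceGroupName $rg) {
    [pscustomobject]@{ Name = $vm.Name; PowerState = (Get-VmPowerState -ResourceGroupName $rg -Name $vm.Name) }
}
$report | Format-Table -AutoSize

# 'stopped'     = Windows shut down, VM still allocated, compute still billed per minute.
# 'deallocated' = released; only the disks (and any reserved public IPs) keep costing money.
$stillBilled = $report | Where-Object { $_.PowerState -eq 'stopped' }
foreach ($vm in $stillBilled) {
    # Stop-AzVM deallocates by default; adding -StayProvisioned would leave it in the billed 'stopped' state.
    Stop-AzVM -ResourceGroupName $rg -Name $vm.Name -Force | Out-Null
    "Deallocated $($vm.Name)"
}
```

The Citrix power actions discussed on the following slides issue the deallocating form of the stop through the hosting connection, which is why suspend, which leaves the VM allocated, is the wrong choice in Azure.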


Power Management
Pooled VDI

• Power Management through the Delivery Group.
• Advanced settings through PowerShell.
• Adjust the buffer size to avoid boot storms.
• Keep the Idle Pool as low as possible to reduce cost.
• Peak hours and Off-peak hours.
• Don't use suspend in Azure; it will not deallocate the VM.
• Consider shutdown at logoff.

Key Notes:
• You can power manage only virtual Desktop OS machines, not physical ones (including Remote PC Access machines). Desktop OS machines with GPU capabilities cannot be suspended, so power-off operations fail.
• In Delivery Groups containing pooled machines, virtual Desktop OS machines can be in one of the following states:
  • Randomly allocated and in use.
  • Unallocated and unconnected.
• Pools and buffers: For pooled Delivery Groups and static Delivery Groups with unallocated machines, a pool is a set of unallocated or temporarily allocated machines that are kept in a powered-on state, ready for users to connect; a user gets a machine immediately after logon. The pool size (the number of machines kept powered-on) is configurable by the time of day. For static Delivery Groups, use the SDK to configure the pool.
• A buffer is an additional standby set of unallocated machines that are turned on when the number of machines in the pool falls below a threshold that is a percentage of the Delivery Group size. For large Delivery Groups, a significant number of machines might be turned on when the threshold is exceeded, so plan Delivery Group sizes carefully or use the SDK to adjust the default buffer size.
• Power state timers: You can use power state timers to suspend machines after users have disconnected for a specified amount of time. For example, machines will suspend automatically outside of office hours if users have been disconnected for at least 10 minutes. Random machines or machines with personal vDisks automatically shut down when users log off unless you configure the Shutdown Desktops After Use Delivery Group property in the SDK.
• Use the SDK to:
  • Shut down, rather than suspend, machines in response to power state timers, or if you want the timers to be based on logoffs rather than disconnections.
  • Change the default weekday and weekend definitions.

Additional Resources:
• Power manage machines in a Delivery Group - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/install-configure/delivery-groups-manage.html
• Power Management of a Virtual Apps & Virtual Desktops Service Resource Location - https://www.citrix.com/blogs/2017/03/28/power-management-of-a-xenapp-xendesktop-service-resource-location/


Power Management
Persistent VDI

• Three states:
  • Permanently allocated and in use.
  • Permanently allocated and unconnected (but ready).
  • Unallocated and unconnected.
• Permanently allocated machines support power state timers only, not pools or buffers.
• All allocated VMs are turned on at the defined hour.
• Consider Start on demand through StoreFront.
  • Users will wait while the desktop boots.

Key Notes:
• In Delivery Groups containing static machines, virtual Desktop OS machines can be:
  • Permanently allocated and in use.
  • Permanently allocated and unconnected (but ready).
  • Unallocated and unconnected.
• During normal use, static Delivery Groups typically contain both permanently allocated and unallocated machines. Initially, all machines are unallocated (except for those manually allocated when the Delivery Group was created). As users connect, machines become permanently allocated. You can fully power manage the unallocated machines in those Delivery Groups, but only partially manage the permanently allocated machines.
• Partial power management of permanently allocated machines: For permanently allocated machines, you can set power state timers, but not pools or buffers. The machines are turned on at the start of each peak period and turned off at the start of each off-peak period. You do not have the fine control that you have with unallocated machines over the number of machines that become available to compensate for machines that are consumed.

Additional Resources:
• Power Management of a Virtual Apps & Virtual Desktops Service Resource Location - https://www.citrix.com/blogs/2017/03/28/power-management-of-a-xenapp-xendesktop-service-resource-location/
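The "advanced settings through PowerShell" mentioned on the Pooled VDI slide, and the timer-only management of permanently allocated machines on the Persistent VDI slide, both go through Set-BrokerDesktopGroup and the power time scheme cmdlets of the Citrix Remote PowerShell SDK. The following is an added example written for this page, not course material and not Citrix's own script: it makes every timer shut down rather than suspend (suspend does not deallocate in Azure), enables shutdown after use, replaces the default time schemes with a small weekday pool and an empty weekend pool, and turns off automatic power-on for assigned desktops so StoreFront starts them on demand. The customer ID and Delivery Group names are placeholders; cmdlet and parameter names follow the Broker SDK documentation, so verify them against your SDK version.

```powershell
# Added example (not from the course): Delivery Group power settings from the Pooled VDI and Persistent VDI
# slides, applied with the Citrix Remote PowerShell SDK. Assumptions: the customer ID and Delivery Group
# names are placeholders; all timeouts are minutes.
Add-PSSnapin Citrix* -ErrorAction Stop
Get-XDAuthentication -CustomerId 'your-customer-id'     # placeholder

# --- Pooled (random) Delivery Group --------------------------------------------------------------
$pooled = Get-BrokerDesktopGroup -Name 'Win10-Pooled'  # placeholder

# In Azure, suspend does not deallocate the VM, so make every timer shut the machine down instead,
# base the timers on disconnects during the day and on logoffs at night, and shut down after use.
Set-BrokerDesktopGroup -InputObject $pooled `
    -PeakDisconnectAction    Shutdown -PeakDisconnectTimeout    30 `
    -OffPeakDisconnectAction Shutdown -OffPeakDisconnectTimeout 10 `
    -OffPeakLogOffAction     Shutdown -OffPeakLogOffTimeout      5 `
    -ShutdownDesktopsAfterUse $true `
    -PeakBufferSizePercent 10 -OffPeakBufferSizePercent 0    # small buffer: fewer boot storms, lower cost

# Pool size by hour of day: 24 entries, one per hour. Keep the idle pool small and the weekend pool at zero.
$peakHours   = 0..23 | ForEach-Object { $_ -ge 7 -and $_ -lt 19 }          # 07:00-19:00 is peak
$weekdayPool = 0..23 | ForEach-Object { if ($_ -ge 7 -and $_ -lt 19) { 10 } elseif ($_ -ge 6) { 2 } else { 0 } }
Get-BrokerPowerTimeScheme -DesktopGroupUid $pooled.Uid | Remove-BrokerPowerTimeScheme   # drop the defaults
New-BrokerPowerTimeScheme -DesktopGroupUid $pooled.Uid -Name 'Weekdays' -DaysOfWeek Weekdays `
    -PeakHours $peakHours -PoolSize $weekdayPool | Out-Null
New-BrokerPowerTimeScheme -DesktopGroupUid $pooled.Uid -Name 'Weekend' -DaysOfWeek Weekend `
    -PeakHours (0..23 | ForEach-Object { $false }) -PoolSize (0..23 | ForEach-Object { 0 }) | Out-Null

# --- Persistent (static) Delivery Group ----------------------------------------------------------
# Only timers apply to permanently allocated machines. Shut them down after a 15-minute disconnect and
# let StoreFront start them on demand instead of powering every assigned desktop on at the peak hour.
$static = Get-BrokerDesktopGroup -Name 'Win10-Persistent'  # placeholder
Set-BrokerDesktopGroup -InputObject $static `
    -PeakDisconnectAction    Shutdown -PeakDisconnectTimeout    15 `
    -OffPeakDisconnectAction Shutdown -OffPeakDisconnectTimeout 15 `
    -AutomaticPowerOnForAssigned $false -AutomaticPowerOnForAssignedDuringPeak $false

# Review the result for both groups.
Get-BrokerDesktopGroup -Name 'Win10-*' |
    Select-Object Name, PeakDisconnectAction, OffPeakLogOffAction, ShutdownDesktopsAfterUse,
                  PeakBufferSizePercent, AutomaticPowerOnForAssigned
```

The weekday and weekend definitions the key notes mention are the DaysOfWeek of the time schemes: creating separate schemes for specific days replaces the defaults. With AutomaticPowerOnForAssigned off, users of the persistent group will wait for the boot described on the slide, which is the trade-off for not paying for idle assigned desktops.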


Power Management
Server OS VDAs

• Server OS VDAs cannot be power managed through Delivery Group settings.
• Only reboot schedules can be defined through Studio.

Key Notes:
• You can power manage only virtual Desktop OS machines in Azure.
• For Hosted Shared (Server OS) VDA machines, you can create a restart schedule, which is also described in this article.
• Autoscale can handle power management of Hosted Shared (Server OS) VDA machines; Autoscale is presented later in this module.

Additional Resources:
• Power Management of a Virtual Apps & Virtual Desktops Service Resource Location - https://www.citrix.com/blogs/2017/03/28/power-management-of-a-xenapp-xendesktop-service-resource-location/


Session Policies

Session policies can be configured to ensure that unused sessions are logged off, to allow the machines running the VDA to be powered down.

Key Notes:
• Using policies can reduce costs by disconnecting and logging off unused sessions; once all the sessions are drained, the VDAs can be shut down to save cost.

Additional Resources:
• Power Management of a Virtual Apps & Virtual Desktops Service Resource Location - https://www.citrix.com/blogs/2017/03/28/power-management-of-a-xenapp-xendesktop-service-resource-location/


StoreFront Connection Timeouts

• StoreFront may in some cases time out while attempting to launch an HDX session to a VDA that is powered off in Azure.
• Use the registry keys to ensure StoreFront allows adequate time for Desktop VDAs to power on and register with Delivery Controllers.
  • DesktopServer\MaxSessionEstablishmentTimeSecs
  • DesktopServer\ExtraSpinUpTimeSecs

Key Notes:
• When using an on-premises StoreFront deployment, additional timeout settings can be configured to ensure StoreFront allows enough time for the VDAs to start on demand in Azure.
• DesktopServer\MaxSessionEstablishmentTimeSecs
  • DWORD
  • 60 Seconds
  • Time after which a session launch is assumed to have failed by the DDC if no active session has been established on the target machine, or if a disconnected session has not returned to the active state following a reconnect operation.
• DesktopServer\ExtraSpinUpTimeSecs
  • DWORD
  • 120 Seconds
  • Additional time to allow for session establishment if the target power-managed VM must be started as part of a session launch.
  • This value is added to that specified by MaxSessionEstablishmentTimeSecs.

Additional Resources:
• Advanced store settings - https://docs.citrix.com/en-us/storefront/current-release/configure-manage-stores/advanced-store-settings.html
• Power Management of a Virtual Apps & Virtual Desktops Service Resource Location - https://www.citrix.com/blogs/2017/03/28/power-management-of-a-xenapp-xendesktop-service-resource-location/
• Registry Keys Documentation: https://support.citrix.com/article/CTX126704Registry?recommended
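The two DesktopServer values above are DWORDs on the Delivery Controller. The following added example, written for this page and not taken from the course or from Citrix, records the current values, writes new ones and reports the combined launch budget. The slide gives only the DesktopServer\ValueName part of each key; the HKLM:\SOFTWARE\Citrix prefix is taken from Citrix's registry documentation rather than from this page, and the new values (180 s and 300 s) are an illustration, not a Citrix recommendation.

```powershell
# Added example (not from the course): read and raise the two DesktopServer timeouts from the slide on a
# Delivery Controller. Assumptions: the full key path under HKLM:\SOFTWARE\Citrix comes from Citrix's
# registry documentation, not this page; the new values are illustrative only. Run elevated on the DDC.
$key = 'HKLM:\SOFTWARE\Citrix\DesktopServer'
$settings = @{
    MaxSessionEstablishmentTimeSecs = 180   # default 60 s  (whole launch, incl. reconnect to a disconnected session)
    ExtraSpinUpTimeSecs             = 300   # default 120 s (added only when a power-managed VM must be started first)
}

function Set-BrokerTimeout {
    param([string]$Path, [string]$Name, [int]$Seconds)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    # New-ItemProperty creates the DWORD value if it is absent; -Force overwrites an existing one.
    New-ItemProperty -Path $Path -Name $Name -Value $Seconds -PropertyType DWord -Force | Out-Null
    [pscustomobject]@{ Name = $Name; Before = $current; After = $Seconds }
}

foreach ($name in $settings.Keys) {
    Set-BrokerTimeout -Path $key -Name $name -Seconds $settings[$name]
}

# The effective budget for a cold-started desktop is the sum of the two values.
$total = $settings.MaxSessionEstablishmentTimeSecs + $settings.ExtraSpinUpTimeSecs
"A launch to a deallocated VDA may now take up to $total seconds before the DDC reports a failure."
```

Before and After values are returned as objects so the change can be logged or reverted. Check CTX126704 for whether the Broker service must be restarted for the keys to take effect in your version.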


Autoscale
Introduction

• Provides a high-performance solution, allowing for the configuration of multiple power management schedules based on weekdays, weekends and peak hours.
• Proactive power management of all registered Server and Desktop OS machines within a Delivery Group.
• Controls costs by powering machines with load-based or schedule-based power management.
• Supports a variety of cloud infrastructure platforms.
• Works with both Remote Desktop Service (RDS) and Virtual Desktop Infrastructure (VDI).

Key Notes:
• Autoscale supports a variety of cloud infrastructure platforms:
  • Amazon Web Services (AWS)
  • Citrix Hypervisor
  • Google Cloud Platform
  • Microsoft Azure Resource Manager
  • Microsoft System Center Virtual Machine Manager
  • Nutanix Acropolis
  • Oracle Cloud Infrastructure (OCI) Classic
  • VMware vSphere (vCenter + ESXi)
• Autoscale works with both Remote Desktop Service (RDS) and Virtual Desktop Infrastructure (VDI). There are three user interfaces to be aware of:
  • Autoscale user interface for RDS Delivery Groups
  • Autoscale user interface for pooled VDI Delivery Groups
  • Autoscale user interface for static VDI Delivery Groups
• Peak times:
  • You can define the peak times for the days you applied in a selected schedule.
  • Once you define the peak times, the remaining, undefined times default to off-peak times.
  • By default, the 7:00 AM to 7:00 PM time slot is defined as peak times for the days included in the selected schedule.

Additional Resources:
• Autoscale: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/autoscale.html
• Hosts / virtualization resources: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/system-requirements.html#hosts--virtualization-resources
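Since Server OS VDAs have no power settings in the Delivery Group properties, Autoscale is what power manages them. The following is an added example written for this page, not course material and not Citrix's own script: it enables Autoscale on an RDS Delivery Group with the Citrix Remote PowerShell SDK and reads back the flag and the schedules that carry the peak hours. The customer ID and Delivery Group name are placeholders; cmdlet and parameter names follow the Broker SDK documentation, so verify them against your SDK version.

```powershell
# Added example (not from the course): enable Autoscale on an RDS (Server OS) Delivery Group with the
# Citrix Remote PowerShell SDK and confirm the result. Assumptions: customer ID and group name are placeholders.
Add-PSSnapin Citrix* -ErrorAction Stop
Get-XDAuthentication -CustomerId 'your-customer-id'     # placeholder

$dgName = 'Win2019-HostedShared'                        # placeholder RDS Delivery Group

# AutoscalingEnabled is the flag behind the Autoscale toggle in Studio.
Set-BrokerDesktopGroup -Name $dgName -AutoscalingEnabled $true

# Verify: the group must be a Server OS (MultiSession) group for this to be its only power management,
# and the power time schemes carry the peak hours (07:00-19:00 by default).
$dg = Get-BrokerDesktopGroup -Name $dgName
$dg | Select-Object Name, SessionSupport, AutoscalingEnabled
Get-BrokerPowerTimeScheme -DesktopGroupUid $dg.Uid |
    Select-Object Name, DaysOfWeek, @{ n = 'PeakHourCount'; e = { @($_.PeakHours | Where-Object { $_ }).Count } }
```

Because Autoscale and Smart Scale both target the same groups, the migration slide that follows notes that only Autoscale will act when both are enabled; enabling it here is therefore safe even before Smart Scale is retired.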


Migration from Smart Scale

Citrix has an in-place process to migrate infrastructures that are currently using Smart Scale to the newer Autoscale technology.

• Migrations can be done:
  • Manual
  • Automated (via PowerShell scripting)

• Manual Migration:
  • Recommended if the number of Delivery Groups is less than 10.
  • Exports data from all Delivery Groups in Smart Scale and then imports the data to Autoscale, per Delivery Group.
  • Involves manually configuring the Autoscale user interface in Citrix Studio by associating the Smart Scale user interface, per Delivery Group.
• Automated Migration:
  • PowerShell scripts are run to import the data to Autoscale.
  • Imported data includes defined schedules, machine cost, power-off delay, and capacity buffer.
  • If Smart Scale is enabled, Autoscale is automatically enabled after script execution.
  • Rollback of the migration is supported. Doing so restores your previous Smart Scale configuration.

Key Notes:
• For RDS Delivery Groups, if you enable both Autoscale and Smart Scale, only Autoscale will power manage the machines.
• You must run the migration outside of times that Smart Scale is scheduled to power manage machines.
• Citrix recommends that you run the migration during off-peak times.
• Manual migration:
  • When migrating capacity buffer:
    • Smart Scale has only one field for capacity buffer.
    • Autoscale lets you determine the capacity buffer separately for peak and off-peak times. You can either fill in the two capacity buffer fields with the value referenced from Smart Scale, or define different values for peak and off-peak times.
  • Merging schedules:
    • When migrating the schedules, it might be necessary to merge schedules, as Smart Scale allows the same day to be included in multiple schedules, but Autoscale does not.
  • Migrating session count: To migrate session count (the maximum number of sessions), use Group Policy.
• Automated migration (PowerShell scripting):
  • Prerequisites:
    • Windows PowerShell 3.0 or later is available on the machine within your resource location.
    • The PowerShell script is granted write access to the folder where the GenerateScript.ps1 script is located.
    • Remote PowerShell SDK is installed on the machine within your resource location.
    • The API key and secret password associated with the applicable user account are available. (To get the API key and secret password associated with a user account, go to Citrix Cloud > Smart Tools > Settings > My Profile.)
    • Any existing schedules in Autoscale must be deleted.
  • The generated PowerShell scripts have two name formats:
    • For VDI Delivery Groups, the script names have the prefix "VDI-".
    • For RDS Delivery Groups, the script names have the prefix "RDS-".
  • If there are errors during script execution, you can review them in the logs in the "C:\Example\logs\currentRunTimeStamp" folder.
  • A summary report is created for the scripts in the "C:\Example\GenerateScriptFolder\scripts\currentRunTimeStamp\" folder.
  • The summary report includes:
    • A name list of Delivery Groups whose scripts were successfully generated.
    • A name list of Delivery Groups that you have to migrate manually because the data retrieved from Smart Scale might be incomplete or invalid.
    • A name list of Delivery Groups that have existing schedules in Autoscale.
    • A name list of Autoscale-enabled Delivery Groups.
    • A name list of Delivery Groups whose scripts were not generated because of errors.
    • A list of Group Policy settings to be configured.
  • Important Notes:
    • The Session count metric in Smart Scale lets you set a maximum number of sessions that are allowed on each machine in the Delivery Group. This configuration (the MaxSessionsPerServer configuration) is not imported into Autoscale by the migration scripts.
    • To import the data, create a Group Policy setting (Citrix Studio > Policies > Create Policy) for the maximum number of sessions and then assign it to the applicable Delivery Group. Assign a higher priority to the policy compared to the other existing ones.
    • After migration, the schedules in Autoscale might not have a one-to-one mapping to the schedules defined in Smart Scale, because unlike Smart Scale, Autoscale does not allow the same day to be present in multiple schedules.

Additional Resources:
• Smart Scale to Autoscale Migration: https://support.citrix.com/article/CTX250034
• Autoscale: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/autoscale.html


Lab Exercise Prep

Exercise 6-3: Configure Session Policies
Exercise 6-4: Verify the Machine Catalog update


Lesson Objective Review

Which is the only way you can power manage Server based VDAs?

Autoscale. Server VDAs cannot be power managed through Delivery Group properties in Studio.


Key Takeaways

• When subscribing to Virtual Apps and Desktops, the control plane is maintained and operated by Citrix.
• The VDAs are owned and maintained by the customer or a Citrix partner.
• Autoscale is a tool in Citrix Cloud that can assist in power managing VDAs.


Citrix Virtual Apps and Desktops
Service on Microsoft Azure

Deploy a Successful POC

Module 7


Learning Objectives

• Examine the next steps for starting a successful Proof Of Concept (POC).


The next steps to start a successful POC


Design Your POC
Proof of Concept Running On Azure Considerations

• Determine what you need to prove.
• Select the deployment method for the POC.
  • Forklift
  • Extend on-premises to Azure
  • Citrix Cloud with Azure resource locations
• Select the regions in Azure.
• Select the Network, VPN and Access strategy.
  • ExpressRoute is expensive for a POC.
• Configure:
  • Data and file shares
  • Apps and databases
  • Profiles and redirected folders
  • And more

Key Notes:
• Forklift migration consists of migrating all on-premises resources into Azure.
• Extending your on-premises infrastructure to Azure would result in a hybrid on-premises and Azure solution.
• Deploying Citrix Cloud with Azure would result in a Citrix Cloud and Azure hybrid solution.
• Remember, always keep the user data close to the users for the best user experience and to minimize latency.
• Remember, always perform application migration assessments, database dependency analysis, and more during the design phase.
• User profiles and roaming folders should be kept close to the VDAs to minimize logon duration and improve session responsiveness.
• Consider other factors or systems that might cause an application or the VDAs to communicate across high-latency VPNs; keep the user experience in mind.


Citrix Azure
Cost Calculator

• Use the cost calculator to find the right VM specifications and their cost.
• Remember:
  • Storage – replication, size, and speed
  • Bandwidth – Egress = cost
  • VPN – to on-premises and other regions
  • Hours – de-allocate resources to save money
  • High Availability

https://costcalculator.azurewebsites.net/costCalculator

Additional Resources:
• Virtual Apps and Virtual Desktops on Azure Cost Calculator: https://costcalculator.azurewebsites.net/estimate


Starting a POC
The Beginning Step Considerations

1. Register for trial accounts.
   • Azure
   • Citrix Cloud
2. Design AD in Azure.
   • Azure AD DS.
   • On-premises domain in Azure, child domain, new forest + trust.
3. Build Networks, RGs, SAs, and VMs in Azure.
4. Configure VPN to on-premises.
5. Configure Cloud Connectors or Delivery Controllers.
6. Configure VDAs, Catalogs and Delivery Groups.
7. Configure the Access layer.
   • Deploy StoreFront and Citrix Gateway.
   • Use Workspace and Citrix Gateway as a Service.

Key Notes:
• The first step in starting a POC is to get trial accounts for the different services.
• An Azure trial account is easy – all you need is a credit card, and you will receive a 200 USD usage credit.
• Citrix Cloud Service trials can be requested from Citrix.Cloud.com – each request is evaluated before approval.
• Decide how you want your Active Directory deployment to be designed. Creating a stand-alone Active Directory in Azure is the easiest way to get a POC started.
• Azure AD DS is easy and cheap but has some limitations compared to a full AD in Azure.


• Define the design for the following:
  • Networks and subnets – ensure that your networks in Azure do not overlap with any on-premises networks if you need to connect the Azure and on-premises networks in the future. Make the network big enough to suit any future needs.
  • Decide on the resource group strategy early – do you prefer product-based Resource Groups, such as a resource group for network objects, storage objects, server VMs, etc., or do you prefer to have all resources tied to a solution in one resource group, such as Citrix resources, Active Directory servers, Web servers, etc.?
  • Storage Accounts are being replaced by Azure Managed Disks, but should still be considered in the design because they can reduce the storage cost compared to Managed Disks.
  • If you need VPN connectivity to on-premises, ensure that your VPN device is supported and, if necessary, work with the network team to create the connectivity.
• Deploy Cloud Connectors or Delivery Controllers in Azure, depending on your design. For example:
  • Deploy a pair of Cloud Connectors or Delivery Controllers per resource location.
  • Deploy a pair of Cloud Connectors or Delivery Controllers per Active Directory when the machines running the VDA and the Users are in separate forests.
• Configure the Master VDAs in Azure or upload your on-premises VDA image, depending on your design.
• Create Catalogs and Delivery Groups to meet the desired POC solution. Add your test users to the Delivery Groups.
• Deploy StoreFront and Citrix ADC in Azure or use Citrix Cloud Workspace + Citrix Gateway as a Service to enable users to launch their resources.

Additional Resources:
• Create your Azure free account today - https://azure.microsoft.com/en-us/free/
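The "Networks and subnets" design point above (no overlap with on-premises ranges, every subnet inside its VNet, and a VNet sized with headroom) can be checked on paper before any Azure resource is built. The following is an added example in Python, not course or Citrix code; the VNet names and CIDRs are constructed assumptions.

```python
from ipaddress import ip_network

# Constructed sample plan for a POC: every name and CIDR below is an assumption, not a value from the course.
ONPREM_NETWORKS = ["10.0.0.0/16", "192.168.10.0/24"]
AZURE_VNETS = {
    "vnet-poc-eastus": {
        "address_space": "10.0.0.0/16",  # collides with the on-premises 10.0.0.0/16
        "subnets": {"snet-infra": "10.0.1.0/24", "snet-vda": "10.0.2.0/24"},
    },
    "vnet-poc-fixed": {
        "address_space": "10.50.0.0/16",  # clean, and sized with room to grow
        "subnets": {"snet-infra": "10.50.1.0/24", "snet-vda": "10.50.16.0/20",
                    "snet-gw": "10.60.0.0/24"},  # planning mistake: lies outside the VNet
    },
}


def find_onprem_overlaps(vnets: dict, onprem: list) -> list:
    """(vnet, vnet_cidr, onprem_cidr) for every VNet address space that overlaps an on-premises range."""
    onprem_nets = [ip_network(c) for c in onprem]  # strict parsing rejects CIDRs with host bits set
    hits = []
    for name, spec in vnets.items():
        vnet = ip_network(spec["address_space"])
        hits.extend((name, str(vnet), str(o)) for o in onprem_nets if vnet.overlaps(o))
    return hits


def find_subnets_outside_vnet(vnets: dict) -> list:
    """(vnet, subnet_name, subnet_cidr) for every subnet not contained in its VNet's address space."""
    bad = []
    for name, spec in vnets.items():
        vnet = ip_network(spec["address_space"])
        bad.extend((name, sname, cidr) for sname, cidr in spec["subnets"].items()
                   if not ip_network(cidr).subnet_of(vnet))
    return bad


def remaining_addresses(vnets: dict) -> dict:
    """Addresses still unallocated in each VNet: the headroom left for future subnets."""
    headroom = {}
    for name, spec in vnets.items():
        vnet = ip_network(spec["address_space"])
        inside = [ip_network(c) for c in spec["subnets"].values() if ip_network(c).subnet_of(vnet)]
        headroom[name] = vnet.num_addresses - sum(s.num_addresses for s in inside)
    return headroom

if __name__ == "__main__":
    print(find_onprem_overlaps(AZURE_VNETS, ONPREM_NETWORKS), find_subnets_outside_vnet(AZURE_VNETS),
          remaining_addresses(AZURE_VNETS), sep="\n")
```

Run it against the real on-premises ranges from the network team; an empty overlap list and an empty "outside VNet" list are the conditions to meet before the VPN in step 4 is configured.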


Register for a Citrix Cloud Trial Account

• Go to onboarding.cloud.com.
• Fill out the form or log in with an existing account.
• Cloud trials are manually approved.
• Non-legitimate requests will not be approved.
• Contact your local Citrix rep if the request is not approved within 7 days.

Key Notes:
• Remember that these Cloud Service trial requests are manually approved because Citrix incurs a cost for running each trial.
• Trial requests that do not reflect a legitimate business/customer/partner are not likely to be approved.


Register for an Azure Trial Account

• Ensure the Citrix Cloud trial has been approved first – Azure approval is automatic.
• Go to azure.microsoft.com/en-us/free/
• Create a Microsoft account or log on with an existing account.
• Add a credit card; you will not be billed automatically after expiration.
• 200 USD credit and 30 days.
• Many free services and products.
• Some scalability limitations may apply to an Azure free trial account.

Key Notes:
• There are a number of limitations in the free Azure trial account – one of the biggest limitations is that only 4 vCPU cores can run at any time.
• Consider changing to a Pay-As-You-Go Azure subscription to do a full POC.
• GitHub ARM templates are available from Citrix to deploy complete trial environments in Azure.

Additional Resources:
• Azure subscription and service limits, quotas, and constraints - https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits
• Citrix Cloud Virtual Desktops Resource Location Creation ARM Template - https://github.com/citrix/Citrix-Cloud-ResourceLocation-Arm-Template



Citrix Recommended Reading List of Links

• The fastest POC in the cloud.
• Deploying-Citrix-Virtual Apps-75-on-Microsoft-Azure-Cloud.
• Whitepaper Virtual Apps 7.11 Scalability Azure RM.
• Blog seamlessly extend your existing Virtual Apps deployment into Microsoft Azure.
• Azure Resource Manager Templates for Citrix Cloud Workloads.
• Apps and Desktops Trial Checklist.
• Azure Quick Deploy.
• Scalability Considerations for Using the Virtual Apps and Virtual Desktops Local Host Cache Feature with Citrix Cloud Connector.

Additional Resources:
• The fastest POC in the cloud - Virtual Apps in the Azure marketplace - https://www.citrix.com/blogs/2016/03/28/the-fastest-poc-in-the-cloud-xenapp-in-the-azure-marketplace/
• Whitepaper Virtual Apps 7.11 Scalability Azure RM - https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/xa711-scalability-azure-rm.pdf
• Blog seamlessly extend your existing Virtual Apps deployment into Microsoft Azure - https://www.citrix.com/blogs/2016/11/04/seamlessly-extend-your-existing-xenapp-deployment-into-microsoft-azure/
• Azure Resource Manager Templates for Citrix Cloud Workloads - https://www.citrix.com/blogs/2017/08/02/azure-resource-manager-templates-for-citrix-cloud-workloads/
• CitrixCloud-ARMTemplates - https://github.com/citrix/CitrixCloud-ARMTemplates
• Apps and Desktops Trial Checklist - https://docs.citrix.com/en-us/citrix-cloud/overview/citrix-cloud-service-trials.html
• Azure Quick Deploy - https://docs.citrix.com/en-us/xenapp-and-xendesktop/service/install-configure/azure-quick-deploy.html
• Scalability Considerations for Using the Virtual Apps and Virtual Desktops Local Host Cache Feature with Citrix Cloud Connector - https://docs.citrix.com/en-us/citrix-cloud/downloads/xenapp-xendesktop-local-host-cache-cloud-connector-scalability.pdf


What Have We Built in This Class?

[Diagram: Citrix Cloud and Azure US East, each with Infrastructure, Access and VDA tiers. Components shown: Cloud Connectors, Delivery Controller, Citrix Gateway, Win2016 and Win10 Master Images, Active Directory, Storage Account, License Server, Site Database, Workspace, StoreFront, Users, and Management (Admin, Azure Portal, Service Principal, Director, Studio).]

Key Notes:
• We have built 2 Cloud Connectors, a Master VDA, a manually installed VDA, two Machine Catalogs, two Delivery Groups, StoreFront and Citrix ADC in Azure.


Reference POC Architecture
Forklift to Azure Resource Location

[Diagram: Customer Azure Subscription with Access, VDAs, Storage Account and Infrastructure tiers. Components shown: Citrix Gateway, Win10 and Win2016 Master Images, License Server, Delivery Controller, AD Server, Site Database, StoreFront, and Management (Azure Portal, PowerShell, Service Principal, Admin). External and Internal Users connect through the Access tier; on-premises Data and Apps are forklifted to the Azure resource location over tunnels.]

Key Notes:
• The forklift architecture is similar to an on-premises deployment: all the infrastructure, such as Delivery Controllers, Databases, License Server, StoreFront, and Citrix ADC, is hosted within the Azure subscription.
• With this deployment method, you are not gaining any of the Citrix Cloud benefits, and you are responsible for maintaining and upgrading all the infrastructure servers as if they were deployed on-premises.


Reference POC Architecture
Extend on-premises to Azure Resource Location

[Diagram: Users connecting to an On-premises datacenter and a Customer Azure Subscription, each with Infrastructure, VDAs and Access tiers, joined by tunnels. Components shown: Citrix Gateway, Delivery Controllers, Win2016 and Win10 Master Images, Active Directory Server, Site Database, Storage Account, StoreFront, License Server, and Management (Director, Studio, PowerShell, Azure Portal, Service Principal, Admin).]

Key Notes:
• The extended model is ideal for customers who have maxed out their on-premises capacity and do not want to invest in additional infrastructure in their datacenters, or for customers making a slow move to Azure, potentially moving certain user groups at a time.
• The model also makes a lot of sense for seasonal workers, where capacity is only needed during certain times of the year.


Reference POC Architecture
Citrix Cloud with Azure Resource Location

[Diagram: Users connecting to Citrix Cloud and a Customer Azure Subscription, with Infrastructure, Access and VDA tiers. Components shown: Cloud Connectors, Delivery Controller, Citrix Gateway, Workspace, License Server, Site Database, StoreFront, Win10 and Win2016 Master Images, AD Server, Storage Account, and Management (Director, Studio, PowerShell, Azure Portal, Service Principal, Admin).]

Key Notes:
• Citrix Cloud with Azure as the resource location can be designed in a number of different ways.
• The benefits of this deployment method are:
  • Avoid the overhead of managing and maintaining the brokering infrastructure.
  • Gain access to Workspace and Citrix Gateway as a Service with worldwide points of presence without having to maintain the expensive and complex Citrix ADC infrastructure.
  • Utilize Azure to deploy apps and desktops close to the users.
  • Reduce the capital expenditures of owning and maintaining datacenters.
  • And much more.


Group Discussion

Which POC deployment type are you likely to choose, and which obstacles have you identified?


Lesson Objective Review

If you’re doing a POC of Citrix Cloud with Azure as a resource location and no VDAs on-premises, do you need to deploy Cloud Connectors on-premises?

No, only in a situation where you have a separate AD forest in Azure and you establish trusts to your on-premises AD.

Key Notes:
• The only reason to deploy Cloud Connectors in locations that do not have VDAs is to enable AD authentication to a separate AD forest.
• Another example of deploying Cloud Connectors on-premises would be to enable access to local applications that cannot be migrated into Azure; in that situation, customers would also need VDAs deployed on-premises.


Key Takeaways

• It is important to get your Citrix Cloud trial approved before registering for the Azure trial account.


Training you might also like
• CXD-310: Citrix Virtual Apps and Desktops 7.1x Advanced Administration
  • This class will cover the use of Workspace Environment Management, Citrix Provisioning, Application Layering, advanced features, and troubleshooting tools.
• CTX-270: Securing Citrix Virtualization Solutions
  • This class will cover the different techniques and procedures used to secure a Citrix Virtualization solution, including Virtual Apps and Desktops, Citrix ADC and Citrix Endpoint Management.
• CNS-220: Citrix ADC 12.x Essentials and Traffic Management
  • This class will cover key Citrix ADC capabilities such as high availability, security and performance, and explore SSL offload, load balancing and monitoring.
• CNS-222: Citrix ADC 12.x Essentials and Unified Gateway
  • This class will cover Citrix ADC essentials, including secure load balancing, high availability and operations management, and also focuses on Unified Gateway and Citrix Gateway.


Citrix Measures your Feedback with NPS
How is Net Promoter Score Calculated?

[Figure: "How likely is it you would recommend Citrix Courses to a friend?" rated from 0 (Not at all Likely) to 10 (Extremely Likely); scores are grouped into Detractor, Passive and Promoter.]

You might also like