What I Learned from CXD-252 Moving to the Citrix Virtual Apps and Desktops Service with Microsoft Azure Course

Share this post!

It’s not every day I get an opportunity to take an official in-person or virtual classroom lecture and lab course! It’s quite easy to get busy working and consulting in the field with clients, that official classroom based training takes a backseat. So, when the opportunity arose to take a five-day online class and knock out a new requirement for my early days Citrix partnership, I was excited to see what new things I might learn. While this course is not brand new (it released in early 2018), it has been well updated and stays somewhat current with the changes in technologies.

While I have been fortunate to stay focused squarely on End User Computing (EUC) technologies for many years, I will be the first to recognize and fully admit there is always something new to learn.

It doesn’t matter that I’ve been regularly working with Citrix tech for nearly 15 years, that I have been a Citrix Technology Professional (CTP) for 6 years, or have been poking on the Citrix “aaS” offerings since 2014 alpha/prototype days before they were officially named Citrix Workspace Services (CWS). None of that matters, and frankly, most of you won’t care.

What matters is that Citrix Cloud, and specifically the Citrix Virtual Apps and Desktops (CVAD) Service is now mainstream. Deploying Citrix Cloud in combination with Microsoft Azure is an architecture with perhaps the most rapid adoption that I see in the field, for a number of reasons which I can go into at a later time. If your organization is considering “Citrix Cloud with Azure” or you have already started the deployment…

THIS COURSE IS FOR YOU!

I must be careful not to share too much content directly from the course materials, as this content is protected against distribution, but I wanted to share some highlights. To read a three-page overview of the course, click the link below:

As you can see from the course description, the CXD-252 course is actually two courses in one (although the visual on page 1 mentions CWS 215, which must be an old course number). The first three days focused exclusively on content from CXD-250 – Moving to the Citrix Virtual Apps and Desktops Service on Citrix Cloud (Modules 1-8). The last two days focused on the Microsoft Azure aspects, i.e. understanding how Citrix Cloud works with Azure (Modules 9-15). Interestingly, the corresponding hands-on-labs for these courses were also broken into two parts, we had one lab environment for the first three days and a different lab environment for the last two days. To get the most out of the class, I even spent the $20 in shipping and got the paper based workbooks and lab guides…At 1,250+ total pages in four parts, these were quite the hefty set of manuals!

Since there was so much content covered, I’ll share some of my cliff notes of the most interesting pieces, that I either never saw documented before, or learned as part of the class. To organize my thoughts, I’ve grouped these notes into the sections from which they were covered.

Module 1 – Introduction to Citrix Cloud

  • Service Levels:
  • Citrix Cloud Locations:
  • Security
    • Lots of great data flow diagrams and descriptions about in-flight and data at rest encryption, along with numerous other security considerations.
  • Citrix Cloud Updates
    • Canary updates with evergreen deployments, following DevOps methodology (two identical Release A and Release B environments)
    • Browser tools can typically identify which environment is being utilized, by invoking F12 debugging. Look for “https://console-eastus-release-a.citrixworkspacesapi.net”
    • Customers can “Opt-Out” to be put into a deployment group that gets pushed in the last stage to achieve 100% deployment status. “Opt-In” puts them in a deployment group to receive updates as soon as they’re available.
  • Consoles
    • Resource locations are automatically created in Studio as Zones.
    • Citrix Cloud Connectors added to resource locations are automatically associated with the respective Zone they were provisioned to.
    • Azure AD can be used for administrator identities, in addition to built-in Citrix identity provider

Module 2 – Citrix Cloud Connectors

Module 3 – Intro to the Citrix Virtual Apps and Desktops Service

  • Citrix Cloud Ownership Summary
    • Citrix owns and maintains the Control Plane, including:
      • Controllers
      • Databases and SQL Servers
      • Studio
      • Director
      • Workspace
      • Gateway Service
    • Customer/partner owns and maintains the Infrastructure, including:
      • On-prem hypervisor/management (Citrix Hypervisor aka XenServer, VMware vSphere, Hyper-V/SCVMM)
      • Azure
      • AWS
      • Third-party cloud vendor (CloudPlatform)
    • Citrix or Customer/Partner owns and maintains the Resource, including:
      • Virtual Delivery Agents
      • Citrix only hosts and maintains the VDAs in the Secure Browser cloud offering. All other VDAs are owned and maintained by either the end customer or a Service Provider Partner.
  • Machine Creation Services
    • Studio in the cloud creates provisioning requests
    • Provisioning requests sent to the hosting connection
    • Cloud Connector Remote HCL service interacts with on-prem hypervisor
    • Machines are created and will register with the Cloud Connector Remote Broker service on book.
    • MCS catalogs deployed to public clouds do not typically communicate through Cloud Connector. Citrix Cloud will typically communicate directly to the public cloud API.

Module 4 – Manage the Citrix Virtual Apps and Desktops Service

  • Studio
    • App-V Publishing is not supported with Citrix Cloud
    • Zones contain Cloud Connectors and not Delivery Controllers
    • Delegated Administration handled through Cloud Administration Console, not directly within Studio. Only Full Admin and Help Desk roles are currently available.
    • Configuration Logging is not available with Citrix Cloud
  • Director
    • Application Delivery Management can be purchased as a separate service, but doesn’t integrate with Cloud Director (HDX Insight)
    • Hosting Connections and Licensing information are not exposed in Cloud Director
  • Automation
  • Citrix Provisioning (aka PVS, formerly Provisioning Services)
    • Licenses not included by default, but customers can contact Citrix directly for a license entitlement
    • Requires License Server, SQL Database, and multiple PVS Servers (adds complexity as these components are entirely customer managed). On-Prem License Server also required for other products such as on-prem WEM and AppDNA
    • Requires a special SDK for integration to Citrix Cloud hosted Studio for Catalog creation
    • In a PVS Farm, don’t mix Citrix Cloud and On-Prem CVAD workloads, always build a separate farm for Citrix Cloud, due to SDK requirement
    • Personal vDisk and AppDisks are not supported (no surprise!)
    • Using PVS with Citrix Cloud Blog: https://www.citrix.com/blogs/2016/01/08/using-pvs-with-the-citrix-workspace-cloud-apps-and-desktop-service/

Module 5 – Provide Access in Citrix Cloud

  • Workspace Experience
    • New multi-tenant access platform in Citrix Cloud (replaces StoreFront)
    • Accessible from <customer>.cloud.com
    • Available for use with:
      • Virtual Apps Essentials Service
      • Virtual Desktops Essentials Service
      • Virtual Apps Service
      • Virtual Desktops Service
      • Virtual Apps and Desktops
    • Requires Receiver for Windows version 4.4 or later
    • Biggest hesitation point for customers is having the authentication point hosted in the cloud (vs. On-Prem Gateway/StoreFront)
    • Limited customization available today. For full CSS/JS customization, consider on-prem Gateway/StoreFront.
    • Pros: Easy to enable, no maintenance. Required for all the “new hotness” including Citrix Content Collaboration integration (ShareFile), Access Control, etc.
    • Cons: Limited customization, 2-factor authentication only with Azure AD (no RADIUS!), passwords processed in the cloud, Workspace Experience accessible from the internet, from any device. Gateway settings at the Resource Location can limit launching of resources from internal networks only.
  • On-Prem StoreFront
    • Recommended to secure XML/STA Traffic from Gateway/StoreFront to Cloud Connectors (see link above)
    • Only direct authentication is supported (affects Federated Authentication Service / Trust Requests Sent To The Xml Service Port). On-Prem StoreFront with Cloud Connectors cannot be used for delegated authentication!
  • Citrix Cloud ADC (Gateway Service) vs. Customer Managed Citrix ADC
    • Zero effort setup/administration
    • Automatic Updates
    • Citrix Managed
    • Limited Customization
    • No HDX Optimal Routing
    • Azure AD only for Two-Factor Authentication
    • No SSL Certificate Management
    • Built-in Global Server Load Balancing across 12 global regions
    • Included in CVAD Subscription (limited to 1GB of data per user per month, which could be a challenge depending on workload)
    • Proxies traffic through Cloud Connectors, unless Rendezvous is configured. See:
      https://virtualfeller.com/2018/07/17/cloud-connector-vda-to-gateway-service/
    • Features such as session policies, group extraction and LDAP options are missing
  • Deployment Options
    • Workspace Experience in Citrix Cloud
      • With Citrix Gateway in Citrix Cloud
      • With Citrix Gateway on-premises
    • StoreFront on-premises
      • Without Citrix Gateway integration
      • With Citrix Gateway on-prem
    • Citrix Gateway in Citrix Cloud
      • With Workspace Experience in Citrix Cloud Only
    • Citrix Gateway on-premises
      • With Workspace Experience in Citrix Cloud
      • With on-premises StoreFront

Module 6 – Operations and Support in Citrix Cloud

  • Smart Tools
    • Smart Scale – Currently available, but being deprecated by May 31, 2019. Being replaced by Autoscale functionality, which will be built into Studio but only available to Citrix Cloud customers (based on current information available).
    • Smart Build – Automated Blueprint Designer
    • Smart Check – Schedule and run automated health checks on the deployment
  • Cloud Connector Insights
  • Cloud Director
    • Multiple reports available
    • Data retention in Cloud Director is limited to 90 Days

Module 7 – Public Cloud Considerations

Module 8 – On-Premises Migration

  • Use Site Aggregation features of Workspace Experience or StoreFront to bring together existing and new infrastructure
  • Re-register VDA machines from on-prem Delivery Controllers to Cloud Connectors. Add them to an “Existing” manual catalog
  • Convert Studio Policies to AD Policies to retain configurations of Citrix specific settings from the Site database
  • Identify complexity of existing PVS infrastructure, as a new Farm will be required if PVS will remain once migrated
  • Identify if Personal vDisks, AppDNA, or AppDisks are in use prior to migration, as these components are not supported in Citrix Cloud

Module 9 – Citrix Virtual Apps and Desktops on Azure Overview

  • Storage Explorer
  • Azure EA Portal
    • Available to Enterprise Agreement customers for managing multiple accounts and subscriptions
  • Management Options
    • Azure Resource Manager (portal.azure.com)
    • Azure CLI
    • Azure PowerShell
    • Visual Studio Code
    • Azure REST API
    • .NET API
    • JAVA API
    • PYTHON API
    • Node.js API

Module 10 – Citrix Virtual Apps and Desktops Azure Active Directory Integration

Module 11 – Connecting to Microsoft Azure

Module 12 – Deploy Apps and Desktops using Machine Creation Services (MCS)

  • Bring Your Own Image
    • Generalize before uploading using Sysprep
    • Use Storage Explorer to upload
    • Create a managed image from the uploaded VHD
  • VDA Installation
    • Use Azure Automation through Custom Script Extensions to deploy Virtual Delivery Agent (VDA) software:
      • VDAWorkstationSetup.exe /quiet /components vda /exclude “Citrix User Profile Manager” /controllers “CloudConnector01.domain.com” /enable_hdx_ports /noreboot
  • Security
    • Security Extensions can be used, but are not supported in MCS (including Microsoft Antimalware, Symantec, ESET, Qualys, Rapid7, HPE, etc.). Use only with manually created catalogs.
  • VM Provisioning
    • MCS process differs significantly when comparing on-premises based hypervisor deployments to Azure, especially for Managed Disks. Consult documentation to see how On-Demand Provisioning works in Azure, and specifically how to troubleshoot when issues/errors occur.
    • Storage in Azure is billed even when VMs are shut down and de-allocated. This can be expensive, especially when using Azure Managed Disks. To reduce cost, Citrix deletes the VMs and OS Disks when VMs are shut down, leaving only the NIC and Identity Disk. To reduce cost even further, change Identity Disks to Standard, when using Premium storage for VM and OS disks.
    • Managed Disks are invoiced by the size, and not the amount of data inside the disk (imagine thick vs. thin provisioning). Microsoft charges 32GB just for the Identity Disk, when only 16MB is used. This is why it’s important to use Standard Disks for Identity Disks to save money. Feature enhancement request: Citrix should automatically provision Managed Disks used for the Identity Disk as Standard, even when using Premium for other disk types.
    • An Azure Resource Group can hold no more than 800 Managed Disks. By default, Virtual Desktops create three disks per machine, hence the 240 VM per RG limitation.
    • Managed Disks perform better/faster than Unmanaged Disks in all operations except Catalog Image Updates.
    • MCS does not support Availability Sets, and VMs can’t be associated after creation. Use multiple Machine Catalogs and Azure Regions to gain HA during Azure maintenance activities.
    • Use App Layering (Personal vDisk/AppDisks Not Supported)
    • Smaller VMs with fewer users per VM are better than larger VMs, as they can drain and Smart Scale / Auto Scale shutdown quicker.

Module 13 – Providing Access to End Users

  • StoreFront
    • Use DS2v2 VMs with Premium storage
    • Deploy a minimum of two with Availability Sets to ensure HA
    • Domain join for StoreFront Server Group functionality
    • Azure Load Balancer with basic monitoring can be used to reduce costs (Use ARM High Availability Pairs)
    • Pay attention to port requirements for Network Security Group creation/management
  • Citrix ADC in Azure
    • BYO License in Azure marketplace
    • Citrix Cloud includes Citrix ADC licenses for HDX Proxy
    • Multi-NIC and Multi-IP supported with NS 11+ (only for Standalone or Active-Active HA mode, not for Active-Passive)
    • High Availability controlled by Azure Resource Manager Load Balancer (Active-Active or Active-Passive). Deploy with Independent Network Configuration (INC) Mode on two different networks. See:
      https://docs.citrix.com/en-us/netscaler-gateway/12/high-availability/ng-ha-routed-networks-con.html
    • Clustering not supported

Module 14 – Maintaining Infrastructure and VDAs in Microsoft Azure

  • Backups
    • If using Citrix Cloud, be mindful to backup Master Images and Static VDAs using Azure Backup or other third-party solutions
    • If using traditional CVAD with Azure, other other customer-managed infrastructure components like Gateway/StoreFront, always backup servers
    • Citrix Cloud Connectors are stateless and typically do not need to be backed up in the same way that Delivery Controllers, Site Databases, StoreFront, ADC, etc. would need to be backed up
    • Azure Backup has some limitations. See:
      https://docs.microsoft.com/en-us/azure/backup/backup-introduction-to-azure-backup
  • Monitoring
    • Operations Management Suite (OMS) is a great place to start for alerts/reporting, Log Analytics and Azure Automation
    • Capture VDA information including Event Log Data and Performance Counter Data using Azure Log Analytics in OMS (deploy Microsoft Monitoring Agent in the master images)
  • Maintenance
    • MCS practices for gold image and catalog management similar to on-prem deployments
    • Be mindful of deployment times when updating catalogs to ensure that all updates can be pushed during a fixed maintenance window. Consider A/B deployment groups (similar to canary deployments) to stage MCS catalog updates.
    • Windows Updates can be managed by OMS Update Management for persistent catalogs
    • WSUS can also be used to stage packages

Module 15 – Plan for a Successful POC

Summary

If this blog post has been useful to you, I would HIGHLY recommend taking the full five-day Citrix Learning course! If you reach out on the Connect page and mention that you read this blog post, you will automatically receive a 10% discount off the $5,000 Citrix Education course, exclusive to blog subscribers.

As always, I appreciate you taking the time to read this post, however you may have found this content! Follow me on Twitter (@youngtech) or other social media platforms, or check back in for more news and announcements.

Thanks for reading!

Dane Young, MBA
My Twitter | My LinkedIn

Share this post!

About the Author:

YOUNGTECH | www.youngtech.com | CONVERT TECHNOLOGY ROADBLOCKS INTO A ROADMAP TO SUCCESS | We advise technology trailblazers to customize transformation strategies, reduce cost and complexity, and deliver value to their business.

One Comment

  1. Victor DiMasico April 24, 2019 at 3:02 am - Reply

    Hey great article Dane, thanks for sharing!

Leave A Comment