Monday, July 31, 2017

Isolating Citrix Cloud in your Azure Tenant

I have recently been studying issues that customers are having when trying to stand up a proof-of-concept environment for Citrix Cloud in Azure.

Most of these customers are standing up the full XenApp and XenDesktop Service.  However, our Citrix Cloud Services all have the same basic needs for any customer:
  1. Azure Subscription (for workers and infrastructure)
  2. App Registration (this is an Azure Tenant service account for our cloud based control plane to perform worker lifecycle events within a subscription)
  3. Virtual Network (the machines need IP addresses)
  4. Active Directory (there is a much larger discussion here, but either a read / write Domain Controller VM  or the Azure Active Directory Domain Service will work)
  5. The DNS setting for the Virtual Network must be your Active Directory 
  6. Cloud Connector machines (the connection between the machines in the subscription and the control plane)
  7. Some type of 'golden' image that is provisioned into the worker machines your end customers get their work done on.

Growing this conversation from the bottom up;

Each customer of Azure has at least one Azure Tenant.
This is your account in Azure.  It is the highest level of connection between Azure and you the customer.
Within your Azure Tenant you have Subscriptions.
Subscriptions are billing boundaries and service boundaries (services within subscription cannot 'talk' to each other without extra work, as if they are in different buildings).

Isolating Citrix Cloud in your tenant;

Can you isolate Citrix Cloud to its own Subscription in your Azure Tenant?  Yes!  And that is actually the topology that I am going to describe here.  How to isolate Citrix Cloud from your corporate infrastructure.

Common project slow down points that I have heard are:  modifications to existing virtual networks and protecting Active Directory.  

Focusing on the Virtual Network issue first;

You CAN create a virtual network dedicated to your Citrix Cloud deployment. 
The important things to remember are:
  • You need a route to your Active Directory
  • You must update the DNS settings of the Citrix Cloud virtual network to be the AD
The DNS setting is the most common place where customers trip up.  The DNS setting must be set. The Azure default results in the machines not being able to resolve the Active Directory.

The three models as pictures;

It is often that pictures tell a story faster and easier, I wanted to provide those to get you started thinking about your individual topology as well.

If your Active Directory is on the same Virtual Network you are most likely golden.

If your Active Directory machine(s) is on a different Virtual Network in the same subscription, you can use peering between the two virtual networks.

If your Active Directory machine(s) is on a different Virtual Network in a different subscription, you must use a gateway between the two virtual networks.

Friday, July 28, 2017

Virtual Network permissions for Citrix Cloud

In a previous post I covered how to manually create a Service Principal (App registration) for XenDesktop Essentials.  (this also applies to the XenApp and XenDesktop Service)

If you recall, this is the identity that Citrix Cloud will be using when it performs machine lifecycle actions in your Azure Subscription.

Things with permissions can get a bit strange in Azure pretty quickly.  One such area is Virtual Networks.

First of all, a Virtual Network exists within a Subscription.  It can belong to any Resource Group for management, but can be used by any machines or services within the subscription.

Now, in the world of assumptions, this is all fine and easy if you grant the Service Principal account the Contributor role AND the resource group that your virtual network belongs to is within a resource group under that same subscription.  You can take advantage of the inheritance.

This is not always the case.  In fact, it might not be the case for you at all.  You might be putting very tight controls on that Virtual Network to ensure it never gets messed up.

The minimum permissions that the Service Principal needs to your Virtual Network is the VM Contributor Role.  This level of access is necessary for the automated provisioning and lifecycle of desktop or session workers.

If you have a need to grant access to your Virtual Network or want to constrain access to your virtual network, here is how.

Remove the inheritance at the Virtual Network Resource Group from the subscription if it is enabled.
Explicitly grant the App Registration the VM Contributor role on the Virtual Network where worker machines will be attached when provisioned.

You can find more about the permissions in this article that I authored:  Manually granting Citrix Cloud Access to your Azure Subscription

Thursday, July 27, 2017

Azure Resource Manager Templates for Citrix Cloud workloads

At Citrix we recognize that different customers need different tools to accomplish their goals.  In the end, it is all about selecting the right tools for your environment and business processes to get you moving forward in an efficient way.

It has been brought to our attention that getting started in Azure with Citrix Cloud is not necessarily as straightforward as it needs to be, especially when customers go it alone (without the aid of a sales engineer or an integrator).

You will be seeing different tools, recommendations, updated documentation, and product enhancements to help get you (the customer) moving forward with your demonstration project, that Proof-of-Concept project, and moving into full production.

One of those tools was recently mentioned on this blog: Citrix Cloud XenDesktop Resource Location ARM Template

Without modification of the template this Azure Resource Manager template is focused on getting you up an going with that very first Demo environment.
It provides everything from an Active Directory Domain to NetScaler VPX.  And the glue in between to make it all work.

Additionally, there are other Azure Resource Manager templates that are componentized to support you in building out the infrastructure in your own way or integrating with your current Azure environment for any of the Citrix Cloud offerings.

These are being built to bring success to your Proof-of-Concept and production deployments. You can find the PoC and Production template repository here:

This is a community repository and we would love to see your additions and suggestions.

I would also like to hear your stories and questions about using Azure to deploy your Citrix Cloud service, whether it be XenApp Essentials, XenDesktop Essentials, or XenApp and XenDesktop Service. 

Lets make it better together.

Friday, April 14, 2017

Getting started with Citrix Essentials on Azure

Earlier this month two Citrix Essentials products hit the Azure Marketplace;
XenApp Essentials and XenDesktop Essentials.

In this short period of time, there has been  customers who have purchased the services or are kicking the tires.
While I didn't give a number, I can say that it has been a pretty exciting first two weeks, and the interest from customers has been great.  Really great.

Both Essentials offerings run on Azure (exclusively) and are managed through Citrix Cloud.

Since these are new services, the documentation is constantly coming on-line. Here are some references that should get you over the initial hurdles of understanding how to implement it all.

The newly updated XenDesktop Essentials guide:

If you were wondering if you could take advantage of Azure Active Directory Domain Service? Yes, you can:

If you are in a hybrid cloud scenario (user workers in Azure with a VPN back to the datacenter where they need Kerberos or Windows pass-through authentication) you will need to setup up an Active Directory replica server in Azure:

Are you setting up Windows Desktops in Azure? 
Be aware that you must implement Azure Active Directory. More details on the way.

And take advantage of the Hybrid Use Benefit Windows 10 image in the Azure Gallery if you create a new golden desktop image.

Friday, April 7, 2017

Active Directory with XenDesktop Essentials in Azure

XenDesktop Essentials and XenApp Essentials have hit the Azure Marketplace, and they are catching on.

For those of you that remember Azure RemoteApp, XenApp Essentials is the replacement for that.  And for those of you that want to give Windows Client desktops to your user-base, XenDesktop Essentials is for that.
And, for those that want it all, There is XenApp and XenDesktop Service.  Which offers it all.

Now, the reason for my post.  Active Directory and Azure Active Directory.
There is a requirement of all of these solutions that the provisioned machines are joined to a domain.  This is where I see many folks getting confused between all of the various Active Directory options.

In reality, there are only two models that will work today (at the date of this post).  Let me describe them in terms of what you need to accomplish.

In both models, you have the user side running in Azure.  Whether that be XenApp Servers (Terminal Servers for you really old folks) or Desktops (Windows Client or Windows Server desktops).

Your answer to this next question defines the path that you need to head down.

Do your Azure based user sessions need to access resources in some other cloud / datacenter?
A different way to ask this - do you need a VPN between your users in Azure and whatever other resources they need to access in some other cloud / datacenter.

If your answer was no
Then I am calling you 'cloud born' or 'Azure based'.
Knowing this you can use Azure AD plus Azure Active Directory Domain Service.

AD Sync is built in, and most likely Azure AD is your source for users.  But you need the additional service to support domain join, group policy, and those traditional things that Active Directory provides.

I personally love the following guide for getting AADDS all up and running: Azure Active Directory Domain Services for Beginners

The trick here is that you need to use FQDNs for domain joins and domain references.  If you customize your Azure AD domain, use that.  If you don't it is

When you need to add Group Policy to lock things down;

If your answer was yes;
Then you are more of a 'traditional' enterprise that is in some hybrid deployment model.
Knowing this you need to use Azure AD plus Active Directory.

You will need to enable AD Sync, you will need to establish a replica domain controller in Azure, and you (probably) already have a VPN between your datacenter and Azure virtual network.

The replica domain controller in Azure:
Active Directory Sync / Connect to Azure AD:
(It does not matter where you install / run that, just that you do).

In both cases; Don't forget to update the DNS settings of your Virtual Network with these new machine IP addresses.