May 10, 2017
Citrix Cloud
What's New
Service Trials
System Requirements
Configuring Provisioning
Configure VDAs
Technical Security Overview for the XenApp and XenDesktop Service in Citrix Cloud
Lifecycle Management
XenMobile Service
ShareFile
October 3, 2016
Citrix Cloud
Citrix Provisioning for Microsoft Office 365
Introducing the Citrix Provisioning for Microsoft Office 365 Service, now available in Labs. Citrix Provisioning for
Microsoft Office 365 in Citrix Cloud enables IT administrators to assign Office 365 subscription licenses alongside other
Citrix apps and services within Citrix Cloud. The result is simplified user management and centralized control from a single
console. Citrix Provisioning for Microsoft Office 365 also provides license verification and usage data to optimize
management and help minimize unused licenses.
ShareFile
The good news is that this has no impact on your end users' access to their data, and you can continue using the ShareFile
service to provision secure data exactly as you do today.
Lifecycle Management
Support for Citrix CloudPlatform deprecated -- New resource locations running Citrix CloudPlatform can no longer be
added to Lifecycle Management. For existing CloudPlatform resource locations, the following functions continue to
be supported:
On-demand update sync -- The list of updates for a registered XenApp and XenDesktop site can be refreshed when
needed by clicking Sync Site Data on the Site Details tab. Previously, the updates list was refreshed only once per day with
no option to refresh on-demand.
Snapshots added to Update task details -- When installing scheduled updates that include taking a snapshot of the
machine beforehand, Lifecycle Management includes a "Create Snapshot" step in the Task Installation Details for the
update task.
Session Manager improves application launch performance by pre-launching anonymous sessions when using the XenApp
and XenDesktop service.
Lifecycle Management
Updates to XenApp and XenDesktop Proof of Concept blueprints
With Lifecycle Management's collection of XenApp and XenDesktop Proof of Concept blueprints, many customers have
created their own basic XenApp and XenDesktop deployments while learning more about the potential for Lifecycle
Management. Now, these blueprints have been updated so customers have even more deployment options:
Support for XenApp and XenDesktop 7.9 -- Customers can now deploy a XenApp and XenDesktop proof of concept with
XenApp and XenDesktop 7.9 by default.
Support for Microsoft Azure -- The Simple XenApp and XenDesktop Proof of Concept blueprint now includes support for
resource locations using Microsoft Azure, as well as Amazon Web Services.
Auto-registration for Smart Scale and Updates -- New sites that are deployed with these blueprints are automatically
registered with Lifecycle Management so customers can use them with Smart Scale and Update features. After
deployment, these sites appear automatically on the Smart Scale and Upgrades & Updates pages of Lifecycle
Management. Customers don't have to manually add their sites and can start scaling or perusing available updates right
away.
New XenApp and XenDesktop Service blueprint replaces Apps and Desktops service blueprint
Previously, Workspace Cloud customers learned how Lifecycle Management could help them deploy a resource location
using the Apps and Desktops Resource Location Setup blueprint. In the new era of Citrix Cloud, Lifecycle Management is
once again helping customers using the XenApp and XenDesktop service to rapidly deploy new resource locations with
minimal configuration. With the XenApp and XenDesktop Service Resource Location Setup blueprint, customers can:
Set up a Citrix Cloud resource location on Microsoft Azure, or Amazon Web Services.
Deploy a domain controller, two Cloud Connectors, NetScaler VPX appliance, and NetScaler Gateway.
Add optional components such as StoreFront and VDA machines configured for RDS desktops or Server VDI.
Citrix Cloud
Silent Cloud Connector Installation
Silent or automated installation of the Citrix Cloud Connector using Group Policy or other deployment systems is now
supported. See Citrix Cloud Connector Technical Details for required silent install parameters.
Citrix Cloud
Workspace Cloud is now Citrix Cloud, and a number of services have been renamed for clarity. There are no functionality
or feature changes accompanying these name changes.
Apps and Desktop Service is now the XenApp and XenDesktop Service
Mobility Management Service is now the XenMobile Service
Secure Documents Service is now ShareFile
For services that support trial expiration, customers will be informed when trials are approaching their end, both in email and
in the console.
Lifecycle Management
Smart Scale
Manage XenApp and XenDesktop delivery group capacity with Smart Scale. For more information, go to
http://manage-docs.citrix.com/entries/108446523-What-s-new.
May 2, 2016
Workspace Cloud
Performance Enhancements for Administrative Tasks
Multiple pages within the workspace cloud platform were targeted for sub-second load times, making the administrator
experience more delightful. Specific targeted enhancements can be seen in the following areas:
The logon page
The Workspace pages, including Details and Adding/Removing services
The Domains page
The Account Settings and Company Information page
Workspace Cloud
Citrix Launch for Microsoft Access
A new service now available in Labs. It allows customers to host, share, and collaborate on Microsoft Access databases
(heavily used in the SMB market) within Workspace Cloud. Microsoft Access is not offered as part of Office 365 for
The Workspace Cloud Connector installation currently provides the ability to test for a core set of external URLs that
will allow the connector to download the services needed to operate. This functionality has been extended to validate
that the services downloaded can operate fully, as they might have additional requirements for connectivity.
Secure Browser
Workspace and internal web app support
The Secure Browser service now enables admins to give users remote access to internally-hosted web apps. In addition,
these apps are now able to be configured and subscribed to as part of a Workspace Cloud workspace.
Additional Features:
External Web-app support with IE 11, Chrome, Flash and Silverlight (General availability)
Session Pre-launch to speed up session launches
Internal web apps with Chrome browser (available in Preview)
Watermarking for internal web app sessions (available in Preview)
Improved first time user experience
Trial enforcement for internal and external web app trials
Basic metering of service usage
Deliver secure, remote access to web and SaaS applications with zero end point configuration. Administrators pre-define
the web browser and plug-ins they need to securely access the web application and users access them via a simple URL.
The app is launched from the cloud and opens up a Receiver for HTML5 session inside the user's preferred browser,
adding an extra layer of security between your corporate network and the end point.
Learn more here.
Lifecycle Management
Enhanced blueprint designer
Added capability to acquire EC2 Elastic IP during VM configuration on Amazon EC2 resource locations.
Improved blueprint deployment flow on Amazon EC2 to validate NAT instance status and Security Group before
deployment.
Improved blueprint deployment flow on Microsoft Azure to validate VM configuration before deployment.
Added capability to copy VM configuration data from one server tier to another during multi-server blueprint
deployments on Microsoft Azure resource locations.
Added capability to remove the Running and Stopped deployments from view (Lifecycle Management UI).
Improved blueprint deployment flow to cancel a paused deployment.
To see screenshots for these improvements, go here.
February 8, 2016
Workspace Cloud
Improved Connector installation experience
The Workspace Cloud Connector installation now performs connectivity checks to ensure that data is being
communicated correctly. During installation, the customer will be informed if critical addresses are being blocked by
proxies, firewalls, etc.
If a service in use is inadvertently deleted from a workspace, the platform will notify the administrator of the condition
and let them know how they can fix the problem.
Workspace Cloud
Ability to see trial waitlist status
A new administrator can now be on-boarded to an existing customer account by requesting access during the sign-up
process. Existing administrators will quickly receive an email letting them know that someone would like to be added.
When they go to the Identity and Access Management page in the console, they'll see the new admin's name at the
top. All they need to do is click Approve next to their name.
The console UI for managing domains has been revamped. It is now clearer, more informative, and more useful. Domains
can be marked as currently being in use or not, in addition to being added or removed altogether. Domains now show
resource location information and which workspaces have subscribers from the domain.
Workspace Cloud
Ability to provide feedback in the console
Workspace Cloud administrators can now quickly and easily provide feedback about the Workspace Cloud platform or
any cloud service by using a drop-down widget, accessible from the navigation bar in the console.
Lifecycle Management
Enhanced blueprint designer
Added capability to refer and specify resource location information of a server tier in a conditional step during blueprint
design. The resource location information can be used to evaluate conditions during blueprint deployment.
Added capability to refer to the Microsoft Azure virtual network ID and subnet of a server tier.
Improved blueprint designer to allow step outputs as input values in Velocity Template Language (VTL) expressions that
run before or after a script.
Workspace Cloud
Performance Improvements
Improved quality of Test Drive and performance upgrade for Workspace Cloud Connector and domains.
Lifecycle Management
Agent packages have been updated:
Linux: Name and installation commands of the Lifecycle Management agent package have been updated for achieving
consistency across the supported Linux operating systems. You can download the agent package, transfer it to the
machine you want to use as a connector, and run the following commands:
sudo ./citrix-lifecycle-management-agent.bin
Windows: The file name of the Lifecycle Management agent package has been updated
from CitrixLifeCycleManagementAgent.msi to CitrixLifeCycleManagementAgent.exe.
Option to enable or disable email notifications has been provided for the following:
Added built-in utility steps to register or unregister DNS subdomains with the public DNS domain of Lifecycle
Management.
Removed the Password Reference parameter.
Improved the Password parameter to allow an input value or a string reference.
Improved the parameter reference functionality to allow the following:
The Enumerate, IP, and URL parameters configured in a step can be referred as inputs to subsequent steps of a
blueprint.
An AWS VPC ID configured on a server tier can be referred as an input to subsequent steps of a blueprint.
Improved the Enumerate parameter to validate a list of different data types. For example, the Enumerate parameter
can validate strings, integers, float, and mixed as input values and allow the first value in the list as a default value.
Improved the Server step to include the Create VPC and Subnets option for EC2 Recommended config for network.
Added capability to copy VM configuration data from one server tier to another during multi-server blueprint
deployments on Amazon EC2 resource locations.
Improved configuration input parameters layout to include labels and field descriptions.
Improved usability of multi-server deployments on Microsoft Azure. Added capability to create network, cloud service,
and storage account during VM configuration.
Improved deployment step output with troubleshooting tips in case of Server or Reboot step failures.
Added capability to auto-fill the blueprint name as the default deployment name.
Improved usability to display the status of a deployment in the Deployment Details page after you
click Deploy. The Deployment Details page includes the real-time progress of each step in your blueprint. In previous
releases, when you click Deploy, the deployments list was displayed in the Manage page.
Workspace Cloud
Performance Improvements
Lifecycle Management
Option to retry a failed VM deployment
The workflow for adding and managing resource locations has been improved:
XenServer: Uses Windows Management Instrumentation (WMI) for automatic agent installation on Windows VMs if a
Windows machine acts as a connector.
Important: If you are using a Windows machine as a connector, ensure that Windows Management Instrumentation
(WMI) and inbound connections on TCP port 135 (DCOM port) are enabled on your Windows VM template. This enables
Lifecycle Management to install the Lifecycle Management Agent on the machines that are provisioned from the VM
template. If WMI inbound rules are not enabled on your Windows VM template, you cannot deploy Windows VMs on your
XenServer resource location using Lifecycle Management. For more information, see Prepare Windows Server VM
templates on Citrix XenServer.
Enhanced deployment flow
This section provides general information about Citrix Cloud that you should read before getting started.
To see third-party notifications for Citrix Cloud and its services, see Third Party Notifications.
For information on the known issues for the Citrix Cloud platform, see Known Issues.
For the system requirements for the Citrix Cloud platform, see System Requirements.
For information about new features and enhancements for each release, see What's New.
Citrix Cloud
When the Connector is installed on the same machine as domain controller, there can be timing issues: In certain cases,
the Agent Service starts before the Domain Service. If that happens the Connector cannot talk to domains. To work
around this issue, provide a delayed start for Agent Service.
Administrators are logged out of Citrix Cloud after an hour: If you are logged out of Citrix Cloud, log back in to continue
using Citrix Cloud.
Login fails if the administrator page has been idle for 30 minutes: Entering your Citrix credentials on the administrator
login page will fail if the page has remained idle for over 30 minutes. Simply reload the page and login again with your
credentials.
Citrix Cloud's interface appears blank in Internet Explorer (see above image). The main content of the Citrix Cloud
interface occasionally does not load in Internet Explorer 11 on Windows Server 8.2 (also noted on Windows 7 and
Windows Server 2012). This can occur when an administrator runs a system cleanup tool (such as CCleaner). There may be
other actions that also cause this behavior. Take the following steps to correct the problem:
If the above registry key does not exist, create the key and copy the same values
from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible
Cache\DOMStore, and then set the CachePath as stated above, which points to the LowCache folder instead of the
Cache folder.
During first time use, Studio does not launch: When clicking on Manage, the page starts to load, but a spinner appears
and never resolves. Refresh the page and Studio will launch.
Images don't load properly in Microsoft Edge browser: There is a browser caching issue in Edge that causes images to
not render correctly. Clear the cache (Ctrl+F5) and the images will load.
Data retrieval error when opening Monitor page: When selecting Monitor to open Director, a warning, Cannot retrieve
the data, occurs. Refresh the page and Director will load. [26080]
Ad blocking extensions cause problems: Citrix Cloud management pages misbehave due to ad blockers. Turn off ad
blocking software and extensions if any issues arise. [0581850]
MCS support for all hypervisors across multi-site and multiple data centers are not currently supported.
Saved Custom Report queries in Director are not available after a Cloud upgrade. [DNA-23420]
Test Drive
Citrix Cloud's interface appears blank in Internet Explorer (see above image). The main content of the Citrix Cloud interface
occasionally does not load in Internet Explorer 11 on Windows Server 8.2 (also noted on Windows 7 and Windows Server
2012). This can occur when an administrator runs a system cleanup tool (such as CCleaner). There may be other actions that
also cause this behavior. Take the following steps to correct the problem:
Can't copy clipboard from local session to remote HTML5 Studio session: You cannot copy content from Notepad,
for instance, directly into HTML5 Studio. Any information you need to enter will need to be manually typed into Studio.
Administrators are logged out of Citrix Cloud after an hour: If you are logged out of Citrix Cloud, log back in to
continue using Citrix Cloud.
Login fails if the administrator page has been idle for 30 minutes: Entering your Citrix credentials on the administrator
login page will fail if the page has remained idle for over 30 minutes. Simply reload the page and login again with your
credentials.
Administrators are logged out of Citrix Cloud after an hour: If you are logged out of Citrix Cloud, log back in to continue
using Citrix Cloud.
Login fails if the administrator page has been idle for 30 minutes: Entering your Citrix credentials on the administrator login
page will fail if the page has remained idle for over 30 minutes. Simply reload the page and login again with your credentials.
Citrix Cloud's interface appears blank in Internet Explorer. The main content of the Citrix Cloud interface occasionally does
not load in Internet Explorer 11 on Windows Server 8.2 (also noted on Windows 7 and Windows Server 2012). This can occur
when an administrator runs a system cleanup tool (such as CCleaner). There may be other actions that also cause this
behavior. Take the following steps to correct the problem:
If the above registry key does not exist, create the key and copy the same values
from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible
Cache\DOMStore, and then set the CachePath as stated above, which points to the LowCache folder instead of the
Cache folder.
Workspace Cloud's interface appears blank in Internet Explorer (see above image). The main content of the Workspace
Cloud interface occasionally does not load in Internet Explorer 11 on Windows Server 8.2 (also noted on Windows 7 and
Windows Server 2012). This can occur when an administrator runs a system cleanup tool (such as CCleaner). There may be
other actions that also cause this behavior. Take the following steps to correct the problem:
As administrator, run the following command under the user's profile:
If the above registry key does not exist, create the key and copy the same values
from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible
Cache\DOMStore, and then set the CachePath as stated above, which points to the LowCache folder instead of the
Cache folder.
Note: These steps apply to both iOS- and Android-based mobile devices.
Resource Locations contain different resources depending on which Citrix Cloud services you are using and the services
that you want to provide to your subscribers.
Citrix NetScalers
Hypervisors
Virtual Desktop Agents (VDAs)
StoreFront servers
Citrix Lifecycle Management agents
For more details on Citrix Cloud Connector see "What Is a Citrix Cloud Connector?"
Proximity to subscribers
Proximity to data
Scale requirements
Security attributes
There is no restriction on the number of Resource Locations you can build. The overhead of a resource location is small.
To provide identity management for subscribers and resources you need to install a Connector to access an Active
Directory.
This makes it easy to distribute the resources across as many Resource Locations as you need without needing to make
compromises.
Build a Resource Location in your data center for the head office based on subscribers and applications that need to be
close to the data.
Add a separate Resource Location for your global users in a public cloud. Or build separate Resource Locations in branch
offices to provide the applications best served close to the branch workers.
Add a further Resource Location on a separate network that provides restricted applications. This provides restricted
visibility to other resources and subscribers without the need to adjust the other Resource Locations.
Notifications provide information to administrators about issues that might be of interest to them. These notifications
showcase any new features in Citrix Cloud or alert you to problems with your deployments. Notifications can come
from any service within Citrix Cloud.
The number of notifications appears in the Insights area at the top of the Citrix Cloud control center (see image above).
Details are available by selecting Notifications from the menu or by selecting the Notifications tile (see image below). This
area displays all notifications, their severity, and the related service.
Once you have read a notification and acted on it (if required), you can dismiss the notification. It is removed from your list
and the count displayed in the insights area is updated.
Administrators receive notifications independent from each other. Any action you take to dismiss a notification will not
impact another administrator from viewing their notifications.
Select the checkbox next to the notifications and click Dismiss. It will be removed from the Notifications list.
Identity and Access Management defines the accounts used for administration of and subscribers to Citrix Cloud and its
offerings.
1. Administrators
2. Subscribers
Administrators
Administrators use their identity to access Citrix Cloud and to perform management activities and install the Citrix Cloud
Connector.
A Citrix identity mechanism provides authentication for administrators. It uses an email address and password to
authenticate the user. You can also use your My Citrix credentials to login to Citrix Cloud.
Removing Administrators
Remove administrators from the customer account by using the Administrator tab within Identity and Access Management.
An administrator will not be able to log in to Citrix Cloud if you remove access.
An administrator logged in when the account is removed will stay active for a maximum of 1 minute. After this, any attempt
Notes:
You can't remove the last administrator from the customer account. There must be at least one administrator per
customer.
Citrix Cloud Connectors are not linked to an administrator account. Connectors will continue operating even if the
administrator who installed it is removed from the customer account.
Subscribers
Subscriber identity defines which subscribers have access to services through Citrix Cloud. These identities come from Active
Directory domain accounts provided from the domains within the Resource Location.
Citrix Cloud administrators can control which domains can be used to provide these identities from the Domains tab in
Identity and Access Management pages in Citrix Cloud.
Note: Disabling domains for use does not stop any already allocated identities being used by subscribers; it simply stops any
new identities being selected.
If you plan to use domains from multiple forests, install a Citrix Cloud Connector in each forest. We recommend that you
assign more than 1 Cloud Connector to each forest to maintain a highly available environment.
Note: Each Cloud Connector can enumerate and use all the domains from the single forest that it is installed in.
When an administrator removes a subscriber account or group of subscriber accounts from an offering, subscribers will no
longer be able to access the service. The exact behavior may differ between the services offered. For more details about
different Citrix services, refer to service-specific documentation.
Partner Identification
Partners are identified in Citrix Cloud based on their Citrix Organization ID (ORGID). Each Citrix Cloud account is associated
with a Citrix ORGID that can be viewed in the Citrix Cloud account details.
If the ORGID on the account is an active member of a Citrix partner program (such as Citrix Solution Advisor or Citrix Service
Provider) the program badge is shown indicating this account is owned by a Citrix partner. Partner identification is then used
to govern access to additional cloud services or features.
Customer Dashboard
The customer dashboard is designed for partners to view the status of multiple Citrix Cloud customers in a consolidated
view. For a customer to appear on the dashboard, a connection must be established between the partner and customer.
The customer dashboard is available on partner badged Citrix Cloud accounts.
3. Customer clicks the link, signs in (or signs up) and accepts the connection request
Partners are provided one invitation link; the link is fixed and not customizable or changeable
There is no limit to how many times the link can be used to establish a connection
The link can be reused if a connection needs to be recreated
The link does not expire
When a customer accepts a Citrix partner's connection invitation, the partner gains basic visibility into the Citrix Cloud
service entitlement status for that customer. This information includes the status of both trial and non-trial entitlements.
If you encounter an error when signing up for a Citrix Cloud account, contact Citrix Customer Service.
If you're having trouble signing into your Citrix Cloud account, make sure you sign in with the email address and password
you provided when you signed up for your account.
If you've forgotten or need to reset your account password, use the Forgot your password option. You'll get your new
password in an email.
If you do not receive the password reset email, or you need additional assistance, contact Citrix Customer Service.
On the Citrix Cloud support forums you can get help, provide feedback and improvement suggestions, view conversations
from other users, or begin your own topics.
Citrix support staff members track these forums and are ready to answer your questions. Other Citrix Cloud community
members may also offer help or join the discussion.
You do not need to log in to read forum topics. However, you must log in to post or reply to a topic.
To log in, use your existing Citrix account credentials or use the email address and password you provided when you created
your Citrix Cloud account. To create a new forum account, click the Create New Account option.
Technical Support
If you're experiencing an issue that requires technical help, click the Help ? icon in the Control center, and then select Open
a Ticket.
Support Articles
Virtual Delivery Agents (VDA): Use the version that shipped with your XenApp / XenDesktop installation. For example,
if you installed XenApp 7.6, upgrade all components, including the VDAs, to the 7.6 version. The minimum requirement for
VDAs is version 7.0 for a XenApp/XenDesktop 7.x deployment.
Note: Older VDAs might encounter registration challenges. For more information, see the "Mixed VDA support"
section in the 'Upgrade a deployment' topic in Citrix Docs.
StoreFront: Citrix recommends using the most recent version of StoreFront (2.6). The minimum requirement is
StoreFront 2.0 for a XenApp/XenDesktop 7.x deployment. For more information, refer to the "Other" section in the
System requirements section in Citrix Docs.
Note: Earlier versions of VDA and StoreFront will not have all the features available in the latest releases.
NetScaler Gateway: Citrix recommends using the most recent version of NetScaler Gateway (minimum version 10.5) for
a XenApp/XenDesktop 7.x deployment. For more information, refer to Citrix Docs for compatibility.
Overview
The connection to the internet from your datacenters only requires port 443 to be open for outbound connections. However, in
order to operate within environments containing an internet proxy server or firewall restrictions, further configuration might be
needed. Details of these requirements are provided here.
Details
The following addresses need to be contactable in order to properly operate and consume the Citrix Cloud services.
https://*.citrixworkspacesapi.net https://*.citrixworkspacesapi.net
https://*.cloud.com https://*.cloud.com
Smart Tools Additional requirements Additional requirements
https://manage-docs.citrix.com/hc/en-us/articles/212713883-Connectivity-requirements https://manage-docs.citrix.com/hc/en-us/articles/212713883-Connectivity-requirements
https://*.citrixworkspacesapi.net
https://*.sharefile.com https://*.cloud.com
ShareFile Additional requirements Additional requirements
http://support.citrixonline.com/en_US/ShareFile/all_files/SF090015 https://manage-docs.citrix.com/hc/en-us/articles/212713883-Connectivity-requirements
https://*.cloud.com
https://*.citrixworkspacesapi.net
Secure https://*.citrixworkspacesapi.net
https://*.cloud.com
Browser https://browser-release-a.azureedge.net
https://*.servicebus.windows.net
https://browser-release-b.azureedge.net
https://*.citrixworkspacesapi.net
https://*.cloud.com https://*.citrixworkspacesapi.net
XenApp and https://cwsproduction.blob.core.windows.net/downloads https://*.cloud.com
XenDesktop https://*.nssvc.net [If Gateway As a Service is enabled] https://cwsproduction.blob.core.windows.net/downloads
https://*.servicebus.windows.net https://*.xendesktop.net
https://*.xendesktop.net
https://*.citrixworkspacesapi.net https://*.citrix.com
https://*.cloud.com https://*.citrixworkspacesapi.net
https://cwsproduction.blob.core.windows.net/downloads https://*.cloud.com
XenMobile https://*.servicebus.windows.net https://cwsproduction.blob.core.windows.net/downloads
Additional requirements Additional requirements
https://docs.citrix.com/en-us/xenmobile/10-1/about-xenmobile-cloud/xenmobile-cloud-prerequisites-administration.html https://docs.citrix.com/en-us/xenmobile/xenmobile-cloud/about/prerequisites-administration.html
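When these wildcard addresses are turned into proxy or firewall rules, the match has to stop at a DNS label boundary and stay on port 443. The following is an added example, not part of the Citrix documentation: it audits a proxy log against the XenApp and XenDesktop addresses from the table above and contrasts a loose substring rule with a boundary-aware one. The log format, the hostnames in the sample log and all function names are constructed for illustration, and treating `*.` as "any depth of subdomain" is an assumption.

```python
from urllib.parse import urlsplit

# Addresses copied from the XenApp and XenDesktop rows of the table above.
REQUIRED_ADDRESSES = [
    "https://*.citrixworkspacesapi.net",
    "https://*.cloud.com",
    "https://cwsproduction.blob.core.windows.net/downloads",
    "https://*.nssvc.net",  # only if Gateway As a Service is enabled
    "https://*.servicebus.windows.net",
    "https://*.xendesktop.net",
]
REQUIRED_PORT = 443  # the page requires only outbound port 443

# Constructed proxy log: "<timestamp> <ALLOW|DENY> CONNECT <host>:<port>".
# Assumed to be filtered to traffic from the Connector machine.
SAMPLE_LOG = """\
2017-05-10T09:00:01 DENY CONNECT citrix.cloud.com:443
2017-05-10T09:00:02 ALLOW CONNECT cwsproduction.blob.core.windows.net:443
2017-05-10T09:00:03 DENY CONNECT tenant.xendesktop.net:443
2017-05-10T09:00:04 ALLOW CONNECT cloud.com.example.net:443
2017-05-10T09:00:05 ALLOW CONNECT notcloud.com:443
2017-05-10T09:00:06 DENY CONNECT citrix.cloud.com:8443
"""


def host_pattern(address):
    """Return the host part of a table entry, e.g. '*.cloud.com'."""
    return urlsplit(address).hostname.lower()


PATTERNS = [host_pattern(a) for a in REQUIRED_ADDRESSES]


def naive_allowed(host, pattern):
    """Weak rule: substring match, as a loosely written ACL would behave."""
    return pattern.lstrip("*.") in host.lower()


def host_allowed(host, pattern):
    """Boundary-aware rule: '*.cloud.com' matches only real subdomains."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keeps the leading dot: ".cloud.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_required(host, port):
    """True when host:port is covered by the address list on port 443."""
    return port == REQUIRED_PORT and any(host_allowed(host, p) for p in PATTERNS)


def parse_line(line):
    """Split one log line into (action, host, port)."""
    _timestamp, action, _method, target = line.split()
    host, _, port = target.rpartition(":")
    return action, host, int(port)


def audit(log_text):
    """Return (required destinations that were denied,
    allowed destinations that are not on the address list)."""
    blocked_required, allowed_unlisted = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, host, port = parse_line(line)
        required = is_required(host, port)
        if action == "DENY" and required:
            blocked_required.append(host)
        elif action == "ALLOW" and not required:
            allowed_unlisted.append(f"{host}:{port}")
    return blocked_required, allowed_unlisted


if __name__ == "__main__":
    blocked, unlisted = audit(SAMPLE_LOG)
    print("Required but denied:", blocked)
    print("Allowed but not on the list:", unlisted)
    for host in ("notcloud.com", "cloud.com.example.net"):
        print(host, "naive:", naive_allowed(host, "*.cloud.com"),
              "strict:", host_allowed(host, "*.cloud.com"))
```

The first list shows destinations the Connector needs that the proxy is blocking; the second shows egress that a substring-style rule would let through even though it is not a Citrix Cloud address.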
Administration of Citrix Cloud is accomplished via web pages accessed from a browser. Initial access is provided by navigating to
https://citrix.cloud.com. However, once accessed, this page will require other resources on the internet either when logging in or at
a later point when carrying out specific operations.
Proxy Configuration
If you're connecting via a proxy server, the management console will operate via the same configuration applied to your browser.
The console operates within the user context, so any configuration of proxy servers that require user authentication should work
as expected.
Firewall Configuration
For the management console to operate, it is required that port 443 is open for outbound connectivity. General connectivity can
be tested by navigating within the console.
The Citrix Cloud Connector deploys a set of services that run on Microsoft Windows servers. It connects to the Citrix Cloud in
order to provide operation and management of resources within the network it was installed.
There are requirements for both installing and operating the connector. Installing a connector does not necessarily mean all
functionality will operate as expected afterward as there are additional access requirements for the connector to operate.
Citrix Cloud is a platform that hosts and administers Citrix services. It connects to your resources, via the Citrix Cloud
Connector, on any cloud or infrastructure you choose (on-premises, public cloud, private cloud, or hybrid cloud). It allows you
to create, manage and deploy workspaces with apps and data, to your end-users from a single console.
The XenApp and XenDesktop Service is a service of Citrix Cloud. The XenApp and XenDesktop Service offers secure
access to virtual Windows, Linux, and web apps and desktops.
This service is based on XenApp and XenDesktop technology.
To learn how to set up this service, read the XenApp and XenDesktop Service Getting Started Guide.
XenMobile Service
This service of Citrix Cloud provides comprehensive enterprise mobility management (EMM) including mobile device
management, mobile application management and enterprise-grade productivity apps. Based on XenMobile technology,
the service also enables IT to quickly create pilot environments and experience faster production time with EMM
deployment.
To learn how to set up this service, click here.
ShareFile
A service that allows you to deploy and manage Citrix workloads such as XenDesktop, XenApp, XenMobile, and
NetScaler.
For the full set of documentation on this service, go to http://manage-docs.citrix.com/home.
Experience a full production environment in a proof-of-concept for one or more of the Citrix services listed above. After
signing up for Citrix Cloud, you can request trials for each of the services from inside the console. Trials are designed to be
tested with your infrastructure, applications and Microsoft Active Directory.
Once your trial is approved, to begin your trial you'll need to make some decisions and prepare your environment. See the
Citrix Cloud Trial Checklist.
Start by going to: https://onboarding.cloud.com, where you can sign up for a Citrix Cloud account.
Note: A Citrix.com account is the account that you use to access Citrix.com sites and download software, raise support
requests, or post to Citrix forums. This account would be affiliated with a company.
Important: If you want to become an administrator of an existing Citrix Cloud account, you don't have to go through the
sign-up process. You can request to be added by a current administrator of the Citrix Cloud account you want to join.
If you're new to Citrix and don't have a Citrix.com account, click the "I don't have a Citrix.com account" link on the same
sign up page. Fill in the information requested and click Continue. This will create a new Citrix.com account and a Citrix
Cloud account at the same time.
After you click Continue, you should receive an email from cloud@cloud.com asking you to confirm your account and
complete the set-up process. The link in the email will take you to a page where you can set up your initial password for
the account and sign in. To sign in, go to https://citrix.cloud.com and enter your details. You can change your password or
request a reminder from the 'Forgot your password?' link on this page.
Once you're signed in to the console, we recommend that you take the Test Drive. This will allow you to explore Citrix
Cloud right away, using predefined resources to understand the concepts and deliver an actual workspace.
Note: The sign-up process outlined above will create for you a Citrix.com account and a Citrix Cloud account. You can view
the account details of the Citrix.com account here: https://www.citrix.com/account. Changing the password for this
account will not change the password for your Citrix Cloud account.
If you already have a Citrix.com account, you can quickly and easily create a Citrix Cloud account. Go to the sign-up page:
(https://onboarding.cloud.com) and enter your Citrix.com login ID. Note: the login ID is not necessarily an email address; it
depends on what you used to create your Citrix.com account. Accounts can be reset or located using the Reset Password
page: (https://www.citrix.com/welcome/request-password.html).
Once you enter your details, you'll come to a page asking you to verify your Citrix.com account details. If these details are
correct, then click the Sign Up button. At that point, your Citrix Cloud account has been created and you can sign in.
Note: You'll need to sign in to Citrix Cloud using your email address (regardless of your Citrix.com login ID) and the same
password as your Citrix.com account. Changing the password of your Citrix.com account will not change the password for
your Citrix Cloud account.
Important: If the Citrix Cloud account is being used in a service trial, or a package has been purchased, new administrators
cannot sign up through this process. They must be invited by an existing administrator. Read Adding Administrators to a
Citrix Cloud account.
To join an account that has already been created, you need to be approved by a current administrator of that Citrix Cloud
account.
If you know who to contact within your company to request access, you can contact them directly. However, if you don't
know, you can go to the sign-in page (https://onboarding.cloud.com), enter your Citrix.com credentials, and you will be
prompted to request access by clicking on the Request Approval button. Once a current admin adds you to the account,
you'll receive an email letting you know that you've been approved and can go to https://citrix.cloud.com to sign in.
Other scenarios
My company already has a Citrix Cloud account, but we're not allowed to share it.
Create a secondary Citrix Cloud account by signing up for a new Citrix.com account that is not affiliated with the company.
You'll also need to enter an email address that isn't associated with your company. See Signing up without a Citrix.com
account above. Once you sign in, you'll have access to a separate Test Drive environment.
Note: Reconfiguration may be required if you decide later that you want to use the original Cloud.com account.
I want to become an administrator for an existing Citrix Cloud account, but there are no current admins to add me.
Temporarily redirect an existing admin email to a new email inbox. This will allow you to use the 'Forgot your password?'
link on the https://citrix.cloud.com page. Follow the instructions to reset the password, and sign in to the Citrix Cloud
admin console to add yourself as a new administrator.
Anyone wishing to become a new administrator must be invited by an existing administrator of the Citrix Cloud account.
After signing into https://citrix.cloud.com, navigate to the Identity and Access Management page from the menu.
On this page, select the Administrators tab. The display shows all the current administrators and provides a section at the
top that enables you to invite new administrators.
The administrator will receive an email from (cloud@citrix.com) titled 'Join Citrix Cloud', explaining how to access the
account. They must accept this invitation using the Join link within the email. This link will open a browser and take them to
a page where they can create their password. Note: If they already have an account, they will be prompted to use their
existing password. They are then able to sign in at https://citrix.cloud.com. Once the administrator has joined the Citrix
Cloud account, they will receive a Welcome to Citrix Cloud email and the administrator will be shown as 'Active' in the
Administrators section of the Identity and Access Management page within the console.
View all of your offerings in the Library from this one-level view. Offerings may consist of your apps, desktops, data shares,
and web apps that are created via a Citrix Service within Citrix Cloud.
Offering Details
View applications, desktops, policies, and any other related offering information by clicking on the View Details button on
the offering card.
You can add users or groups to a single offering by clicking Manage Subscribers from the dots menu.
From here, you can also remove users or groups by either clicking on the trash icon or bulk selecting many in one go.
We've added a couple of new features that allow you to filter your offerings.
First, you can quickly view offerings that were created in a particular service, such as the XenApp and XenDesktop Service or
the Secure Browser Service.
To go back and see everything, simply select All Types from the dropdown menu.
The cards will dynamically adjust depending on your search and selection. For example, if you search for MedicalTeam and
then select it, you'll see all offerings that MedicalTeam is currently subscribed to.
To go back and see everything, simply cancel the search by clicking the X.
StoreFront authenticates users to sites hosting resources and manages stores of applications and desktops that users
access. It hosts your enterprise application store, which lets you give users self-service access to apps and desktops you
make available to them. It also keeps track of users' application subscriptions, shortcut names, and other data to ensure
they have a consistent experience across multiple devices.
When users connect from outside the corporate firewall, Citrix Cloud can use Citrix NetScaler Gateway (formerly Access
Gateway) technology to secure these connections with SSL. NetScaler Gateway or the NetScaler VPX virtual appliance is
an SSL VPN appliance that is deployed in the demilitarized zone (DMZ) to provide a single secure point of access through
the corporate firewall.
There are three primary use cases for setting up StoreFront with Citrix Cloud:
1. A cloud-hosted StoreFront: The XenApp and XenDesktop Service in Citrix Cloud hosts a StoreFront site for each
customer. The benefit of the cloud-hosted StoreFront is that there is zero effort to deploy, and it is kept evergreen by
Citrix. Cloud-hosted is recommended for all new customers, previews, and proofs-of-concept (PoCs).
2. An on-premises StoreFront: Customers may also use an existing StoreFront to aggregate applications and desktops in
Citrix Cloud. This offers greater security, including support for two-factor authentication, and prevents users from
entering their password into the cloud service. It also allows customers to customize their domain names and URLs. This
is recommended for any existing XenApp and XenDesktop customers that already have StoreFront deployed.
3. A combination on-premises StoreFront and cloud-hosted StoreFront.
To provide remote access for end-users through a cloud-hosted StoreFront, do the following:
Set up NetScaler Gateway as an ICA proxy (no authentication or session policies are needed). This can be configured in
Citrix Studio by clicking on StoreFront under the Configuration node, then selecting the Set NetScaler Gateway action.
For more information about configuring NetScaler, see NetScaler VPX Deployment Guides.
One benefit of using an existing StoreFront is that the Citrix Cloud Connector provides encryption of user passwords.
Credentials are encrypted by the connector using AES-256, using a randomly-generated one-time key. This key is returned
directly to the ICA client and never sent to the cloud. The ICA client then supplies it to the VDA during session launch in
order to decrypt the credentials and provide a single sign-on experience into Windows.
For transport, select HTTP and port 80. The StoreFront machine must be able to directly access the connector through
the FQDN (fully qualified domain name) provided; the connector needs to be able to reach the Cloud NFuse/STA URL at
(https://<customername>.xendesktop.net/Scripts/wpnbr.dll and ctxsta.dll).
Multiple connectors should be added as delivery controllers for High Availability.
To provide external access through NetScaler Gateway and on-premises StoreFront, do the following:
Set up NetScaler Gateway as in a usual deployment with authentication and session policies. See Citrix Docs for full
details.
Point your on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
The NetScaler Gateway must use the same STA URLs as StoreFront. If the gateway is not already configured to use the
STA of an existing XenApp/XenDesktop environment, Citrix Cloud Connectors may be used as an STA.
Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
To provide external and internal access through NetScaler Gateway and on-premises StoreFront, do the following:
Set up NetScaler Gateway as in a usual deployment (with authentication and session policies) - See Citrix Docs for full
details.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
To provide external access through cloud-hosted StoreFront and NetScaler Gateway with on-premises StoreFront, do the
following:
Set up NetScaler Gateway as you would in a usual deployment (with authentication and session policies). See Citrix
eDocs for full details.
Point your on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
Set NetScaler Gateway (FQDN:PORT) in Cloud-hosted Studio
To provide internal access through cloud-hosted and on-premises StoreFront, do the following:
Point the on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
The control plane does not store sensitive customer information. Instead, Citrix Cloud retrieves information such as
administrator passwords on-demand (by prompting the administrator explicitly). There is no data-at-rest that is
sensitive or encrypted, and thus you do not need to manage any keys.
For data-in-flight, Citrix uses industry standard TLS 1.2 with the strongest cipher suites. Customers cannot control the
TLS certificate in use, as Citrix Cloud is hosted on the Citrix-owned cloud.com domain. To access Citrix Cloud, customers
must use a browser capable of TLS 1.2 with strong cipher suites.
Consult the per-service documentation for details about encryption and key management within each service.
The Citrix Cloud control plane is hosted in the United States. Customers do not have control over this.
The customer owns and manages the Resource Locations. They can be created in any data center, cloud, location, or geo
desired. All critical business data (such as documents, spreadsheets, etc.) are in the Resource Locations and are under
customer control.
For ShareFile, consult the service documentation on how to control where the data resides.
Other services may have an option to store data in different regions. Consult the per-service documentation for details.
There is currently no customer-visible auditing or change control available in the Citrix Cloud UI or APIs.
Citrix has extensive internal auditing information. If a customer has a concern, contact Citrix within 30 days. We will
review the audit logs to determine which of the customer's administrators performed an operation, on what date, from
which IP address, etc.
status.cloud.com provides transparency into security issues that have an ongoing impact on the customer. The site logs
status and uptime information. There is an option to subscribe for updates to the platform or individual services.
The customer is responsible for keeping the connector up-to-date with Windows security updates.
You can use anti-virus alongside the Connector. Citrix tests with McAfee VirusScan Enterprise + AntiSpyware Enterprise
8.8. Citrix will support customers who use other industry standard AV products.
For security and performance reasons, we recommend that you do not install the Connector software on a domain
controller.
In the customer's Active Directory (AD), restrict the Connector's machine account to read-only access. This is the default
configuration in Active Directory.
The customer can enable AD logging and auditing on the Connector's machine account to monitor any AD access that
the Connector does.
The Connector contains sensitive security information such as administrative passwords. Only the most privileged
administrators should be able to log into the Connector machines (for example, to perform maintenance operations). In
general, there is no need for an administrator to log into the Connector for management of any Citrix product. The
Connector is self-managing in that respect.
Do not allow end users to log into Connector machines.
You can install anti-virus software and hypervisor tools (if installed on a virtual machine) on the Connector machines.
However, we recommend that you do not install any other software. Other software creates additional possible
security attack vectors and may reduce the security of the overall Citrix Cloud solution.
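The monitoring recommended above (auditing AD access by the Connector's machine account, and limiting who logs into Connector machines) can be expressed as a log check. This is an added example, not Citrix code: the host names, account names and JSON field layout are assumptions, and the sample events are constructed.

```python
import json

# Assumptions for this added example: host names, account names and the JSON
# field layout are hypothetical; map them to your own log export.
CONNECTOR_HOSTS = {"connector01.corp.example", "connector02.corp.example"}
CONNECTOR_ACCOUNTS = {"CONNECTOR01$", "CONNECTOR02$"}   # AD machine accounts
CONNECTOR_ADMINS = {"adm-alice"}                        # allowed to log in

# Windows "Directory Service Changes" audit events; each records an AD write,
# which a read-only machine account should never produce.
AD_WRITE_EVENTS = {5136: "modified", 5137: "created", 5139: "moved", 5141: "deleted"}
# Event 4624 logon types that give the user a desktop session on the machine.
# Network logons (type 3) are ignored. Built-in accounts such as DWM-1 also
# log type 2 events on real systems; add them to the allowlist as needed.
INTERACTIVE_LOGONS = {2: "console", 10: "remote desktop"}

# Constructed sample data, one JSON event per line (not real log output).
SAMPLE_LOG = """\
{"EventID": 4662, "Computer": "dc01.corp.example", "SubjectUserName": "CONNECTOR01$"}
{"EventID": 5136, "Computer": "dc01.corp.example", "SubjectUserName": "connector01$", "ObjectDN": "CN=Sales,OU=Groups,DC=corp,DC=example"}
{"EventID": 5136, "Computer": "dc01.corp.example", "SubjectUserName": "adm-alice", "ObjectDN": "CN=Sales,OU=Groups,DC=corp,DC=example"}
{"EventID": 4624, "Computer": "CONNECTOR01.corp.example", "TargetUserName": "adm-alice", "LogonType": 10}
{"EventID": 4624, "Computer": "connector02.corp.example", "TargetUserName": "bob", "LogonType": "10"}
{"EventID": 4624, "Computer": "connector01.corp.example", "TargetUserName": "bob", "LogonType": 3}
{"EventID": 4624, "Computer": "files01.corp.example", "TargetUserName": "bob", "LogonType": 2}
this line is truncated {"EventID": 46
"""


def _as_int(value):
    """Exports differ on whether numbers are quoted; accept both."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parse_events(text):
    """Return (events, skipped); skipped counts lines that are not JSON objects."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(event, dict):
            events.append(event)
        else:
            skipped += 1
    return events, skipped


def review(event):
    """Return (rule, detail) when the event breaks the guidance, else None."""
    event_id = _as_int(event.get("EventID"))
    # Windows account and host names are case-insensitive, so normalise first.
    subject = str(event.get("SubjectUserName", "")).upper()
    if event_id in AD_WRITE_EVENTS and subject in CONNECTOR_ACCOUNTS:
        action = AD_WRITE_EVENTS[event_id]
        return ("connector-ad-write", f"{subject} {action} {event.get('ObjectDN', '?')}")
    if event_id == 4624:
        host = str(event.get("Computer", "")).lower()
        user = str(event.get("TargetUserName", "")).lower()
        kind = INTERACTIVE_LOGONS.get(_as_int(event.get("LogonType")))
        if host in CONNECTOR_HOSTS and kind and user not in CONNECTOR_ADMINS:
            return ("connector-interactive-logon", f"{user} on {host} via {kind}")
    return None


def find_findings(text=SAMPLE_LOG):
    events, skipped = parse_events(text)
    findings = [finding for finding in map(review, events) if finding]
    return findings, skipped


if __name__ == "__main__":
    findings, skipped = find_findings()
    for rule, detail in findings:
        print(f"[{rule}] {detail}")
    print(f"{skipped} unparseable line(s) skipped")
```

The skipped-line count is worth alerting on as well, since a forwarder that silently drops events hides exactly the activity this check looks for.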
The Connector requires outbound port 443 to be open with access to the internet. The Connector should have no
inbound ports accessible from the internet.
You can locate the Connector behind a web proxy for monitoring its outbound internet communications. However, that
web proxy must work with SSL/TLS encrypted communication.
The Connector may have additional outbound ports with access to the internet. The Connector will negotiate across a
wide range of ports to optimize network bandwidth and performance if additional ports are available.
The Connector must have a wide range of inbound and outbound ports open within the internal network. The base set
of open ports required is:
Each of the services used within Citrix Cloud will extend the list of open ports required. Consult the per-service secure
deployment guides for more information.
The Connector communicates outbound to the internet on port 443, both to Citrix Cloud servers and to Microsoft
Azure Service Bus servers.
The Connector will communicate with domain controllers on the local network that are inside the forest in which the
Connector is installed.
During normal operation the Connector will communicate only with domain controllers in domains that are selected as
"Use for subscriptions" within the Identity and Access Management page in the Citrix Cloud UI.
When selecting the domains to "Use for subscriptions", the Connector will communicate with domain controllers in all
domains in the forest in which the Connector is installed.
Each service within Citrix Cloud will extend the list of servers and internal resources that the Connector may contact in
the course of normal operations. Consult the per-service secure deployment guides for more information.
You cannot control the data that the Connector sends to Citrix. Consult the per-service documentation for details
about what data the Connector sends to Citrix.
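When the Connector sits behind a monitoring web proxy as described above, its outbound CONNECT requests can be audited against the documented destinations. This is an added example, not Citrix code: the log format and connector host names are assumptions, the log lines are constructed, and the allowlist holds only the destinations visible in this part of the page, which the per-service requirements extend.

```python
# Destinations visible in this page's connectivity table; the per-service
# requirements extend this list, so treat it as a starting point.
ALLOWED_DESTINATIONS = (
    "*.cloud.com",
    "*.servicebus.windows.net",
    "cwsproduction.blob.core.windows.net",
)
CONNECTOR_HOSTS = {"connector01", "connector02"}  # hypothetical client names

# Constructed proxy log, format assumed: "<timestamp> <client> CONNECT <host>:<port>"
SAMPLE_PROXY_LOG = """\
2017-05-10T09:00:01Z connector01 CONNECT citrix.cloud.com:443
2017-05-10T09:00:02Z connector01 CONNECT tenant1.servicebus.windows.net:443
2017-05-10T09:00:03Z connector02 CONNECT cwsproduction.blob.core.windows.net:443
2017-05-10T09:00:04Z connector02 CONNECT lookalikecloud.com:443
2017-05-10T09:00:05Z connector02 CONNECT citrix.cloud.com.attacker.example:443
2017-05-10T09:00:06Z connector01 CONNECT tenant1.servicebus.windows.net:9350
2017-05-10T09:00:07Z workstation7 CONNECT news.example:443
2017-05-10T09:00:08Z connector01 CONNECT CITRIX.CLOUD.COM.:443
2017-05-10T09:00:09Z connector01 CONNECT no-port-here
"""


def host_matches(host, pattern):
    """Match a host against an exact name or a '*.suffix' wildcard.

    The wildcard is anchored on a label boundary: a plain substring or
    endswith("cloud.com") test would also accept "lookalikecloud.com".
    """
    host = host.lower().rstrip(".")        # DNS names are case-insensitive
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]               # "*.cloud.com" -> ".cloud.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(target):
    """Return 'ok', 'review-port', 'unexpected-destination' or 'unparsed'."""
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit():
        return "unparsed"
    if not any(host_matches(host, p) for p in ALLOWED_DESTINATIONS):
        return "unexpected-destination"
    # The page allows extra outbound ports to be negotiated, so a non-443 port
    # to a known destination is marked for review rather than as a violation.
    return "ok" if int(port) == 443 else "review-port"


def audit(log_text=SAMPLE_PROXY_LOG, connectors=CONNECTOR_HOSTS):
    """Return (line_number, verdict, target) for each Connector entry that is not 'ok'."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 4 or fields[2] != "CONNECT":
            continue
        if fields[1].lower() not in connectors:
            continue                       # traffic from other machines
        verdict = classify(fields[3])
        if verdict != "ok":
            findings.append((number, verdict, fields[3]))
    return findings


if __name__ == "__main__":
    for number, verdict, target in audit():
        print(f"line {number}: {verdict}: {target}")
```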
The base Connector configuration does not need any special SSL/TLS configuration.
The Connector must trust the certification authority (CA) used by Citrix Cloud SSL/TLS certificates, and by Microsoft
Azure Service Bus SSL/TLS certificates. Citrix and/or Microsoft may change certificates and CAs in the future, but will
always use CAs that are part of the standard Windows Trusted Publisher list.
Each service within Citrix Cloud may have different SSL configuration requirements. Consult the per-service secure
deployment guides for more information.
To ensure security compliance, the Connector will self-manage. Do not disable reboots or put other restrictions on the
Connector. These actions prevent the Connector from updating itself when there is a critical update.
The customer is not required to take any other action to react to security issues. The Connector automatically applies
any security fixes.
Audit the list of administrators in Citrix Cloud and remove any who are not trusted.
Disable any compromised accounts within your company's Active Directory.
Contact Citrix and ask us to rotate the authorization secrets stored for all the customer's Connectors. Depending on
the severity of the breach, take the following actions:
Low Risk: Citrix can rotate the secrets over time. The Connectors will continue to function normally. The old
authorization secrets will become invalid in 2-4 weeks. Monitor the Connector during this time to ensure that there
are no unexpected operations.
Ongoing high risk: Citrix can revoke all old secrets. The existing Connectors will no longer function. To resume normal
operation, customers need to uninstall and reinstall all Connectors.
If you encounter an error when signing up for a Citrix Cloud account, contact Citrix Customer Service.
If you're having trouble signing into your Citrix Cloud account, make sure you sign in with the email address and password
you provided when you signed up for your account.
If you've forgotten or need to reset your account password, use the Forgot your password option. You'll get your new
password in an email.
If you do not receive the password reset email, or you need additional assistance, contact Citrix Customer Service.
On the Citrix Cloud support forums you can get help, provide feedback and improvement suggestions, view conversations from other users, or
begin your own topics.
Citrix support staff members track these forums and are ready to answer your questions. Other Citrix Cloud community members may also
offer help or join the discussion.
You do not need to log in to read forum topics. However, you must log in to post or reply to a topic.
Related Topic:
If you're experiencing an issue that requires technical help, click the Help ? icon in the Control center, and then select Open
a Ticket.
Use the forum to ask questions, get answers, and offer suggestions on how to improve Citrix Cloud. In order to use the
forum you will need to log in with your MyCitrix ID to post a comment. If you do not have a MyCitrix ID, you will be
prompted to create one.
The forum contains multiple categories. You can search for threads that have been designated under that specific
category.
If you'd like to follow a particular thread or category, click Follow and choose how you would like to receive notifications
when the forum is updated.
Requirements
Internet access.
Port 443 must be open.
Cloud service: The cloud services provide the features that deliver the services subscribers need to perform their work. This
includes creating and managing any infrastructure resources needed to achieve this.
Resources: These are resources that are available to host the services that are required by the customer. These
Infrastructure Resources might be hypervisors, servers, network appliances, VDAs for XenDesktop or XenApp, etc.
Resource Location: Customers use Resource Locations to define the places that contain their resources. These resources
are all within a defined communication/network boundary, where access is available to them from the Citrix Cloud and to
any other customer infrastructure required to operate. Connection to the Citrix Cloud is via the Citrix Cloud Connector.
Service (Provided by the customer for subscribers): Services are used by the Subscribers to perform work. These are the
actual apps and data that are used directly by the Subscriber.
Subscriber Store: Subscribers use the Subscriber Store to gain access to the resources that are in the workspaces that are
assigned to them.
Subscriber: A person who performs work using the services from the workspaces to which they are invited.
Citrix Cloud Connector: Provides communication between the resources in the resource location and the Citrix Cloud.
Citrix Cloud: A cloud-based control plane that is owned by Citrix and can be used by customers to provision services on
their own data centers or into clouds.
Workspace: A collection of services that are needed to enable subscribers to perform work. Subscribers are invited to these
workspaces by an administrator. The total collection of all the services that the subscriber has becomes their workspace
which may be managed across multiple workspaces by the administrator.
Citrix Cloud: XenApp and XenDesktop Service Reference Architecture for On-Premises (PDF)
Trials are limited to 60 calendar days and no more than 25 subscribers. For each service you try, you can set up and
configure that trial, the offerings, and associated resource locations.
You can convert your trial to full production (removing the 25-user limit) at any time during the trial by purchasing a service
package.
Note: To help convert trial work to production environments after a purchase, register for Citrix Cloud with your business
email address and not a commercial email account (Live, Gmail, etc.).
Number of subscribers 25
*Subject to change, test drive ends when trial or production begins. **Trial not currently available.
In order to customize your experience and deliver the services that matter most to your users, Citrix Cloud trial access is
managed on a per-service basis.
You can request a trial for the service only once. When approved, you will have 60 days to complete your trial.
You can convert any time before the end of your trial by purchasing a Citrix Cloud subscription offering that includes the
service(s) you need.
If you do not purchase before the end of your 60-day trial, the service will be terminated. We will archive all data and
settings for 90 days. If you purchase within that time, the trial will be reactivated and converted to production.
Note: Initially, trials of the services may have limited capacity due to popularity. To ensure a great customer experience,
Citrix reserves the right to limit trials to a certain number of participants at any one time.
Requesting a trial is fast and easy. First, log on to your Citrix Cloud account. In the control center, request a trial by
clicking the Request Trial button (see image above). The button beneath the service will change to "Trial Requested".
You will receive an email notification when the trial for the requested service is ready. You have 60 days to complete the
trial.
https://www.citrix.com/products/citrix-cloud/buy.html
To complete a purchase, you will need your Organization ID. This is available in the Citrix Cloud Console (see image below).
The Connector serves as a channel for communication between Citrix Cloud and your Resource Locations, enabling cloud
management without requiring any complex networking or infrastructure configuration such as VPNs or IPSec tunnels. This
removes all the hassle of managing delivery infrastructure. It enables you to manage and focus on the resources that
provide the value to your end users.
The XenApp and Desktop Service requires Cloud Connector. The XenMobile Service requires either Cloud Connector or an
IPsec tunnel for Enterprise connectivity to XenMobile.
The Cloud Connector authenticates and encrypts all communication between Citrix Cloud and your Resource Locations.
No incoming connections are accepted: all connections are established from the Cloud Connector to the cloud.
The Cloud Connector installer is available from the Citrix Cloud Control Center. It can be downloaded from the Resource
Locations page.
The Cloud Connector needs to be installed on a Windows 2012 R2 or Windows 2016 server that is domain joined. This server
should be able to communicate with the resources in the Resource Location that you want to manage from your Citrix
Cloud workspaces.
All communications between the Cloud Connector and Citrix Cloud are outbound. No inbound connections are required.
The connections all use the standard HTTPS port (443) and the TCP protocol. After you have installed the Cloud
Connector, there is no need for any special configuration on the server.
Active Directory (AD): Enables AD management, allowing the use of AD forests and domains within your Resource
Locations. It removes the need for adding any additional AD trusts.
XenApp and XenDesktop publishing: Enables publishing from resources in your Resource Locations.
XenMobile: Enables a XenMobile enterprise mobility management (EMM) environment for managing apps and devices as
well as users or groups of users.
Delivery group provisioning: Enables provisioning of machines directly into your Resource Locations.
As long as there is one Cloud Connector available, there will be no loss in communication with Citrix Cloud.
The Cloud Connector is stateless. All configuration is stored in the cloud. This enables any Cloud Connector in a Resource
Location to provide the operations required. Install more than 1 Cloud Connector in your Resource Location to distribute
the load across all services.
The end user's connection to the Resource Location does not rely on a connection to Citrix Cloud, wherever possible. This
enables the Resource Location to provide users access to their resources regardless of a connection being available to
Citrix Cloud.
Note: Although operational, functionality might be reduced for the period of time that the connection to Citrix Cloud is
unavailable.
You can monitor the health of the Cloud Connector from the Citrix Cloud Control Center.
You can install multiple Cloud Connectors into your Resource Locations. This provides for a robust connection. If one Cloud
Connector is unavailable for any period of time the other Cloud Connector(s) can take over and maintain the connection.
Note: Citrix recommends a minimum of 2 Cloud Connectors for each Resource Location to ensure continuous availability of
the Resource Location.
You can install multiple Cloud Connectors into your Resource Locations. Since each Cloud Connector is stateless, the load
can be distributed across all available Cloud Connectors.
Basically, nothing. Install and walk away. As long as you have installed the Cloud Connectors in a highly available mode, you
can manage the machines that the services are installed on one at a time to avoid any period of outage. The
health of the services can be monitored from the Citrix Cloud Control Center.
The services are designed to be part of the cloud management model and the Cloud Connectors are fully managed from
Citrix Cloud.
See Internet Connectivity Requirements and Cloud Connector Proxy and Firewall Configuration
The Resource Locations page reports the health of the Connector. If the Cloud Connector does not appear in the list of
services or is not marked as healthy, see How Do I Diagnose a Problem with the Connector? below.
Event Messages
Event messages are available in the Windows Event viewer on the connector machine. See Windows Event Information
below for details of the event.
Operational Logs
If the event logs do not indicate why you cannot establish a connection between the Connector and Citrix Cloud, contact
Citrix Support.
There may be a problem with the server hosting the Cloud Connector. Move the Cloud Connector to a new server or
contact Citrix Support.
The connector requires access to the Cloud during installation. This access is to authenticate, validate the installer's permission(s), and
download and configure the services the connector provides. The installation occurs with the privileges of the user who initiated the install.
You can only install the Connector onto a domain-joined machine. The installer will not allow the install to occur if it is not on a domain-joined
machine.
The machine where you are installing the connector needs to be in sync with UTC time for proper installation and operation.
Copy the installer (CWCConnector.exe) to the server and run it. Make sure your browser allows the download of executable files.
Switch Enhanced Security Configuration (ESC) off during installation.
You cannot install the Connector on machine templates cloned across multiple machines. Do a separate install of the Connector onto all
machines.
Ensure that you keep all of your connectors powered on at all times for proper operation.
The Connector should be installed on a dedicated domain-joined machine.
It is highly recommended that you do not install the connector onto an Active Directory domain server or any other machine critical to your
Resource Location infrastructure. Regular maintenance on the Cloud Connector will perform machine operations that will cause an outage
to these additional resources.
Ensure that the base Internet Connectivity Requirements are being met on all connector machines.
You should install connectors in pairs. The number of connectors you should install is (N+1) where N is the capacity needed to support the
infrastructure within your Citrix Cloud Resource Location. This is 2 at minimum.
Each Active Directory forest you plan to use within Citrix Cloud should be reachable by 2 connectors at all times.
If you're installing the connector in an environment that has a Web Proxy or strict firewall rules, see Cloud Connector Proxy and Firewall
Configuration for requirements before continuing the installation.
Please refrain from downloading and installing additional Citrix-related software products on your connectors.
On the server, uninstall the previously installed Connector before installing the new one. Upgrading existing Connector installations is not
supported.
After installation, do not move the machine hosting the Connector into a different domain.
You should enable Windows updates on all of your Connectors.
To install the Citrix Cloud Connector, log in to Citrix Cloud. Navigate to the Resource Locations page and download the
latest Connector (see image above).
Silent or automated installation is supported. However, using the same installer for repeated installations over a period of
time is not recommended. Download a new Connector from the site using the instructions in Where do I get it?
/Customer: This is the customer ID available in the console on the API Access page (within Identity and Access
Management). This is required.
/ClientId: Found on the API Access page. This is the secure client ID an administrator can create. This is required.
/ClientSecret: Found on the API Access page. This is the secure client secret available via download after a secure client is
created. This is required.
/ResourceLocationId: This ID can be retrieved on the Resource Locations page using the ID button. This is not required.
Exit Codes:
Commandline Installation:
Use Start /Wait CWCConnector.exe /parameter:value in order to examine any potential error code in the case of a
failure. This can be done using the standard mechanism of running echo %ErrorLevel% after the installation completes.
The Connector supports connection to the internet via a web proxy server. Both the installer and the services it installs
need connections to Citrix Cloud. Internet access needs to be available at both these points.
Installer
The installer will use the settings configured for internet connections. If you can browse the internet from the machine
then the installer should also function.
See Changing proxy server settings in Internet Explorer for details of how to configure the proxy settings.
Services at Runtime
The runtime service operates in the context of a local service. It does not use the setting defined for the user (as described
above). It requires additional configuration.
To configure the proxy settings for this, use 'netsh' from the Windows command line. Open the cmd.exe window and use
the following:
This will import the settings from the browser as configured in the step above. After the above command is executed,
reboot the Cloud Connector machine so that the services start up with these proxy settings.
For full details see Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP).
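The command-line install and the runtime proxy step described above, combined into one unattended script. This is an added example, not Citrix's own code; it assumes exit code 0 means success, that CWCConnector.exe sits beside the script, and that `netsh winhttp import proxy source=ie` (the standard WinHTTP import command, which this page does not show) is the command the proxy step refers to.

```powershell
#Requires -RunAsAdministrator
# Added example: unattended Cloud Connector install, then runtime proxy import.
# Assumptions (not from the page): exit code 0 means success, the installer sits
# next to this script, and the WinHTTP import command is the stock netsh one.
param(
    [Parameter(Mandatory)] [string]       $CustomerId,
    [Parameter(Mandatory)] [string]       $ClientId,
    [Parameter(Mandatory)] [securestring] $ClientSecret,   # prompted, never stored in the script
    [string] $ResourceLocationId,                          # optional per the parameter list
    [string] $InstallerPath = (Join-Path $PSScriptRoot 'CWCConnector.exe'),
    [switch] $ImportBrowserProxy
)

$ErrorActionPreference = 'Stop'

# Page requirements: domain-joined machine, and preferably not a domain controller.
$computer = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $computer.PartOfDomain) {
    throw 'The Connector installer only runs on a domain-joined machine.'
}
if ($computer.DomainRole -ge 4) {   # 4 = backup DC, 5 = primary DC
    Write-Warning 'This machine is a domain controller; use a dedicated member server instead.'
}

# Page requirement: outbound port 443. A direct TCP test fails behind a web proxy,
# so this is a warning rather than a hard stop.
if (-not (Test-NetConnection -ComputerName 'citrix.cloud.com' -Port 443 -InformationLevel Quiet)) {
    Write-Warning 'Direct TCP 443 to citrix.cloud.com failed; expected only if a web proxy is in use.'
}

$installer   = (Resolve-Path -LiteralPath $InstallerPath).Path
$plainSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
$installArgs = @(
    "/Customer:$CustomerId"
    "/ClientId:$ClientId"
    "/ClientSecret:$plainSecret"
)
if ($ResourceLocationId) { $installArgs += "/ResourceLocationId:$ResourceLocationId" }

try {
    # -Wait -PassThru is the PowerShell counterpart of Start /Wait plus %ErrorLevel%.
    $proc = Start-Process -FilePath $installer -ArgumentList $installArgs -Wait -PassThru
}
finally {
    # Drop the plaintext secret from this session as soon as the installer returns.
    $plainSecret = $null
    $installArgs = $null
}
if ($proc.ExitCode -ne 0) {
    throw "CWCConnector.exe failed with exit code $($proc.ExitCode)."
}

if ($ImportBrowserProxy) {
    # Copies the current user's browser proxy into the machine-wide WinHTTP
    # settings, which is what services running as a local service read.
    & netsh.exe winhttp import proxy source=ie
    if ($LASTEXITCODE -ne 0) { throw "netsh winhttp import failed ($LASTEXITCODE)." }
    & netsh.exe winhttp show proxy
    Write-Host 'Reboot this machine so the Connector services start with the new proxy settings.'
}
```

The client secret is still present on the installer's command line while it runs, so any process command-line audit log on that machine should be treated as containing it.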
Configure Provisioning
Configure VDAs
Director
Application Publishing
Host connection: A connection between the XenApp and XenDesktop Service and your on-premises hypervisor,
supported cloud provider, or hybrid environment. Using the host connection, the XenApp and XenDesktop Service can
provision machines to the network resources you specify and manage user access to the apps and desktops you make
available. See Configure Provisioning for more information.
Machine catalog: A collection of physical or virtual machines, managed as a single entity. All machines in the machine
catalog are configured identically, using a master image that you create. For more information, see Setting up and
assigning resources.
Virtual Delivery Agent (VDA): An agent installed on machines in a catalog that allows the resources they host to be
made available to users. Typically, the agent is installed on the master image for the catalog, ensuring all machines
provisioned from that image have the agent as well. The XenApp and XenDesktop Service uses the term "VDA" to refer
to the agent as well as the machines on which it is installed.
Delivery group: A collection of users who have access to a set of resources. For more information, see Setting up and
assigning resources.
Studio: The management console for the XenApp and XenDesktop Service. Using Studio, you can set up host
connections, create machine catalogs, and assign users and machines to delivery groups.
To prepare your environment for using the XenApp and XenDesktop Service Trial, download the XenApp and XenDesktop
Service Trial Checklist.
To set up the XenApp and XenDesktop Service, see Getting Started with the XenApp and XenDesktop Service.
The XenApp and XenDesktop Service (the Service) is designed using industry best practices to achieve cloud scale and a high
degree of service availability.
Citrix's goal is that in any 30 calendar day period 99.9% of the time users can access their app or desktop session through
the Service.
Performance against this goal can be monitored on an ongoing basis at http://status.cloud.com
Limitations
The calculation of this Service Level Goal will not include loss of availability from the following causes:
Customer failure to follow configuration requirements for the service documented on https://docs.citrix.com.
Caused by any component not managed by Citrix including, but not limited to, customer controlled physical and virtual
machines, customer installed and maintained operating systems, customer installed and controlled networking
equipment or other hardware; customer defined and controlled security settings, group policies and other configuration
policies; public cloud provider failures, Internet Service Provider failures or other failures external to Citrix's control.
Custom Report queries saved in Director are not available after a Cloud upgrade. [#DNA-23420]
When deploying to Azure and creating an MCS catalog version 7.9 (or newer) with write back cache enabled, an error is
encountered. Also, you cannot create anything related to Personal vDisk for Microsoft Azure.
As a workaround, select another catalog version to deploy to Azure, or disable write back cache. To disable write back
cache:
On the Master Image page in the Create Machine Catalog wizard, pick a VHD for the master image and then click
Next.
Under Write Back Cache, clear the Memory allocated to cache and Disk cache size check boxes, and then click
Next.
When creating a machine catalog, Remote PC Access is not shown as an option. See CTX220737 for details about using
the Remote PowerShell SDK to create the catalog.
When creating a catalog using Machine Creation Services, using existing Active Directory machine accounts fails. As a
workaround, allow the accounts to be created. [#DNA-24566]
In Director, Export in Trends and Alerts fails. [#DNA-41528]
In Director, the creation of new alert policies results in an error. However, alerts are triggered according to existing alert
policies. [#DNA-41346]
Architectural overview
Remote PC Access
Prep Task: Download the XenApp and XenDesktop Service Trial Checklist
Task 1: Create a resource location
Task 2: Create a host connection
Task 3: Set up machine provisioning
Task 4: Create a delivery group
Using NetScaler VPX with the XenApp and XenDesktop Service
Monitoring the XenApp and XenDesktop Service
Setting up workspaces and adding users
Architectural Overview
Consider the following items when setting up the XenApp and XenDesktop Service:
At least two Citrix Cloud Connectors are needed and can be placed in either the perimeter network (also known as a
DMZ) or internal networks.
One or more Linux or shared hosted desktop VDAs can be installed and configured for remote connections.
Connections to StoreFront occur within the internal network Active Directory domain resource zone.
The following diagram shows the environment utilizing internal connections. The Citrix Cloud Connectors are proxies for
communication between the Citrix Cloud broker, StoreFront servers, and the VDAs.
When hosting all core components on Microsoft Azure (including the Controller and site database), SQL Server on Azure
VMs (IaaS) is supported. Azure SQL (PaaS) Database is not supported.
Remote PC Access
Prep Task: Download the XenApp and XenDesktop Service Trial Checklist
The XenApp and XenDesktop Service Trial allows you to try out the service using your own on-premises infrastructure, a
supported cloud provider, or a hybrid configuration.
To help you get the most from your trial experience, the XenApp and XenDesktop Service Trial Checklist includes planning
information, a sample architecture, and build resources so you can prepare your target environment ahead of your trial
approval.
After your trial is approved, use this topic to set up the XenApp and XenDesktop Service.
Before you can use the XenApp and XenDesktop Service, you need to set up a resource location. You can create a resource
location using Citrix Smart Tools or you can create one manually.
For more information about resource locations and how they function, see What are Resource Locations?
Smart Tools deploys the machines required for your resource location, including VDAs, and sets up a NetScaler Gateway so
external users can securely access the applications and desktops you provide. By default, your new resource location will
use the cloud-hosted StoreFront that comes with Citrix Cloud. However, Smart Tools provides the option of deploying a
StoreFront server so you can manage the stores available to your users.
When Smart Tools creates your resource location, Citrix Cloud registers the Citrix Cloud Connectors that are deployed and
registers the domain that is created with your Citrix Cloud account.
For a walkthrough of using Smart Tools to create your resource location, see Create Resource Locations on Amazon EC2
with Citrix Smart Tools.
The Citrix Cloud Connector machines should meet the following minimum requirements:
.NET 4.5 must be installed.
At least 32 GB of disk space and 4 GB of memory.
Active Directory Computer account with Read permissions on containers, Read/Write permissions on user and computer
objects.
Outbound port 443 must be open to allow access to the Internet. The Citrix Cloud Connector also supports Internet
Explorer proxy settings configured for outbound connections. For proxy support, see Citrix Cloud Connector - Technical
Details.
If you want to enable secure external access to the applications and desktops you offer to users, you will need to add a
NetScaler VPX appliance to your resource location and set up a NetScaler Gateway. For proof-of-concept purposes, you
can use the cloud-hosted StoreFront that comes with Citrix Cloud, which allows internal access only.
Task overview
Depending on your cloud provider or on-premises hypervisor, perform the following tasks to set up your resource location:
1. Create the appropriate virtual private cloud (VPC) or virtual networks for the machines you will add to your resource
location. For example, for AWS, set up a VPC with public and private subnets.
2. Create the appropriate rules to secure inbound and outbound Internet traffic as well as traffic between the machines in
the virtual network. For example, in AWS, ensure the VPC's security group has the appropriate rules configured so the
machines in the VPC are accessible only to the IP addresses you specify.
3. Provision a machine, install Active Directory Domain Services, and promote it to a domain controller.
4. Provision two machines, join them to the domain, and install the Citrix Cloud Connector on each one.
5. Provision two machines, join them to the domain, and install the Virtual Delivery Agent (VDA) on each one.
Citrix Cloud requires that you install the Citrix Cloud Connector on two machines. This ensures continuous availability of your
resource location. The Citrix Cloud Connector is stateless. All logs and alerts are sent back to Citrix Cloud.
1. Go to https://citrix.cloud.com and log on with the credentials you received in the email from Citrix Cloud. The Citrix Cloud
Control Center opens.
2. From the menu button in the upper left corner, select Resource Locations.
3. Download and install the Citrix Cloud Connector onto a Windows Server 2012 R2 machine that is joined to your Active
Directory domain and has outbound Internet access.
4. When prompted, enter the same credentials you entered to log on to Citrix Cloud. Follow the wizard to install and
configure the Citrix Cloud Connector.
5. Repeat Steps 1-4 on additional machines you want to use as Citrix Cloud Connectors.
After installation, Citrix Cloud registers your domain in Identity and Access Management. For more information, see
Identity and Access Management.
As part of preparing your machines for hosting the applications and desktops you will offer to users, you need to install the
Citrix VDA software on each machine. The VDA software enables the machine to register with the XenApp and
XenDesktop Service, establish and manage the connection between the machine and the user device, verify that a Citrix
license is available for the user or session, and apply any policies that have been configured for the session. The VDA
VDAs are available for Windows server and desktop operating systems. VDAs for Windows server operating systems allow
multiple users to connect to the server at one time. VDAs for Windows desktop operating systems allow only one user to
connect to the desktop at a time.
If you want to use AWS with the XenApp and XenDesktop Service, but you don't want to use Smart Tools to set up a
resource location, you can set one up manually.
For detailed instructions, see Set up an AWS resource location for the XenApp and XenDesktop Service.
A host connection enables the XenApp and XenDesktop Service to communicate with your cloud provider or on-premises
hypervisor and defines the network resources that the XenApp and XenDesktop Service can use when provisioning
machines that host applications and desktops for your users.
For instructions for creating a host connection, see Configure connections and resources.
Machine provisioning refers to the process by which machines hosting your applications and desktops are provisioned to
your resource location. These machines are collected into machine catalogs. To populate the machine catalog, the XenApp
and XenDesktop Service uses a master image that includes the operating system and applications you want to make
available to users. The master image ensures that all the machines in the catalog are identically configured.
The XenApp and XenDesktop Service supports two methods for machine provisioning: Machine Creation Services (MCS) and
Provisioning Services.
To set up the XenApp and XenDesktop Service with MCS provisioning, perform the following tasks:
1. On the VDA machines in your resource location, install the operating system updates and applications you want to make
available to users. If you are using a hypervisor in your resource location, install the appropriate integration software (for
example, XenServer Tools, VMware Tools, and so on) on these machines. Afterward, create an image or snapshot of the
VDA. You will use this image as the master image for your machine catalog.
2. Create a machine catalog using the master image you created. For instructions, see Create machine catalogs.
For more information about using Provisioning Services with the XenApp and XenDesktop Service, see Using Provisioning
Services.
Task 4: Configure a delivery group
A delivery group is a collection of machines from one or more machine catalogs. Delivery groups specify which users can
access those machines as well as the applications and desktops that they host.
Citrix Cloud comes with a cloud-hosted StoreFront that enables you to provide internal access to the applications and
desktops you make available in your resource location. To provide external access to those resources, you need to add
NetScaler VPX to your resource location and configure a NetScaler Gateway that your users can access.
If you use Smart Tools to create your resource location on AWS, you need to subscribe to the NetScaler VPX service in the
Amazon Marketplace. When Smart Tools creates your resource location, it will also launch an instance of the NetScaler
appliance and configure the NetScaler Gateway for you.
If you want to add NetScaler manually to a resource location, refer to the NetScaler VPX Deployment Guides.
To monitor the overall performance of the XenApp and XenDesktop Service, do the following:
The administrator can view information on sessions, logon duration, as well as other information.
Setting up workspaces and adding users
To offer the applications and desktops in your resource location as a service to your users, you can create a workspace and
subscribe your users to it.
For more information about creating workspaces, see Creating and Publishing a Workspace.
Related information
You can publish an application that is simply a URL or UNC path to a resource, such as a Microsoft Word document or a web
link. This is known as published content. You publish content using the Remote PowerShell SDK. For details, see Publish
content.
Component overview
Task overview
Task 1: Set up the virtual private cloud
Task 2: Configure security groups
Task 3: Associate the NAT instance with the NAT security group
Task 4: Launch instances
Task 5: Create a DHCP options set
Task 6: Configure the instances
The tasks in this article walk you through setting up your AWS account as a resource location you can use with the XenApp
and XenDesktop Service. The resource location includes a basic set of components, ideal for a proof-of-concept or other
deployment that does not require resources spread over multiple availability zones. After you complete these tasks, you can
configure machine provisioning with Machine Creation Services (MCS), configure delivery groups, and add VDAs, NetScaler
VPX, or other components to your environment.
Component overview
When you complete these tasks, your resource location will include the following components:
A virtual private cloud (VPC) with public and private subnets inside a single availability zone.
An instance that runs as both an Active Directory domain controller and DNS server, located in the private subnet of the
VPC.
Two domain-joined instances on which the Citrix Cloud Connector is installed, located in the private subnet of the VPC.
Citrix recommends at least two Citrix Cloud Connectors for high availability.
An instance that acts as a bastion host, located in the public subnet of your VPC. This instance is used to initiate RDP
connections to the instances in the private subnet for administration purposes. After you finish setting up your resource
location, you can shut down this instance so it is no longer readily accessible. When you need to manage other instances
in the private subnet, such as VDA instances, you can restart the bastion host instance.
Task overview
Set up a VPC with public and private subnets. When you complete this task, AWS deploys a NAT instance with an
Elastic IP address in the public subnet which enables instances in the private subnet to access the Internet. Instances in
the public subnet are accessible to inbound public traffic while instances in the private subnet are not.
Configure security groups. Security groups act as virtual firewalls that control traffic for the instances in your VPC.
You will add rules to your security groups that allow instances in your public subnet to communicate with instances in
your private subnet. You will also associate these security groups with each instance in your VPC.
Create a DHCP options set. With an Amazon VPC, DHCP and DNS services are provided by default, which affects how
you configure DNS on your Active Directory domain controller. Amazon's DHCP cannot be disabled and Amazon's DNS
In this task, you will create the following security groups for your VPC:
Type Source
22 (SSH) 0.0.0.0/0
Type Source
ICMP 0.0.0.0/0
22 (SSH) 0.0.0.0/0
80 (HTTP) 0.0.0.0/0
Type Destination
ICMP 0.0.0.0/0
Type Source
Type Destination
ICMP 0.0.0.0/0
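The task overview asks that machines in the VPC be reachable only from the IP addresses you specify. One way to check the finished security groups is to list every inbound rule that opens SSH or RDP to any address, so each one can be reviewed. This is an added example, not part of the Citrix procedure; the group names, IDs and addresses in the sample are constructed, and the JSON follows the shape printed by `aws ec2 describe-security-groups`.

```powershell
# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group names, IDs and addresses are made up for this example.
$sampleJson = @'
{
  "SecurityGroups": [
    { "GroupId": "sg-0example000000nat", "GroupName": "example-nat",
      "IpPermissions": [
        { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] },
        { "IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
          "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] }
      ] },
    { "GroupId": "sg-0example000public", "GroupName": "example-public",
      "IpPermissions": [
        { "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [ { "CidrIp": "203.0.113.10/32" } ] }
      ] },
    { "GroupId": "sg-0example00private", "GroupName": "example-private",
      "IpPermissions": [
        { "IpProtocol": "-1", "IpRanges": [],
          "UserIdGroupPairs": [ { "GroupId": "sg-0example000public" } ] }
      ] }
  ]
}
'@

function Find-OpenAdminIngress {
    param(
        [Parameter(Mandatory)] [string] $Json,
        [int[]] $AdminPorts = @(22, 3389)      # SSH and RDP
    )
    foreach ($group in ($Json | ConvertFrom-Json).SecurityGroups) {
        foreach ($perm in $group.IpPermissions) {
            # Sources that mean "anyone on the Internet", IPv4 and IPv6.
            $open = @($perm.IpRanges   | Where-Object { $_.CidrIp   -eq '0.0.0.0/0' } | ForEach-Object { $_.CidrIp }) +
                    @($perm.Ipv6Ranges | Where-Object { $_.CidrIpv6 -eq '::/0' }      | ForEach-Object { $_.CidrIpv6 })
            if ($open.Count -eq 0) { continue }

            if ($perm.IpProtocol -eq '-1') {
                $ports = 'all'                 # "-1" covers every protocol and port
            }
            elseif ($perm.IpProtocol -eq 'tcp') {
                # Admin ports that fall inside this rule's port range.
                $ports = @($AdminPorts | Where-Object {
                    $_ -ge $perm.FromPort -and $_ -le $perm.ToPort
                }) -join ','
            }
            else {
                $ports = ''                    # e.g. ICMP: not an admin port
            }
            if (-not $ports) { continue }

            [pscustomobject]@{
                GroupId   = $group.GroupId
                GroupName = $group.GroupName
                Ports     = $ports
                Source    = $open -join ','
            }
        }
    }
}

Find-OpenAdminIngress -Json $sampleJson | Format-Table -AutoSize
```

Against a real account, pass the output of `aws ec2 describe-security-groups --output json | Out-String` as `-Json` instead of the sample.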
Task 3: Associate the NAT instance with the NAT security group
Use the steps below to create four EC2 instances and decrypt the default Administrator password that Amazon
generates.
1. Using an RDP client, connect to the public IP address of the bastion host instance. When prompted, enter the
credentials for the Administrator account.
2. From the bastion host instance, launch Remote Desktop Connection and connect to the private IP address of the
instance you want to configure. When prompted, enter the Administrator credentials for the instance.
3. For all instances in the private subnet, configure the DNS settings:
1. Click Start > Control Panel > Network and Internet > Network and Sharing Center > Change adapter
settings. Double-click the network connection displayed.
2. Click Properties, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
3. Click Advanced and then click the DNS tab. Ensure the following settings are enabled and click OK:
Register this connection's addresses in DNS
Use this connection's DNS suffix in DNS registration
4. To configure the domain controller:
1. Using Server Manager, add the Active Directory Domain Services role with all default features.
2. Promote the instance to a domain controller. During promotion, enable DNS and use the domain name you specified
when you created the new DHCP options set. Restart the instance when prompted.
5. To configure the first Citrix Cloud Connector:
1. Join the instance to the domain and restart when prompted. From the bastion host instance, reconnect to the
instance using RDP.
2. Using a web browser, visit http://citrix.cloud.com and log in with your Citrix Cloud credentials.
3. From the Citrix Cloud home page, click the menu button in the upper-left corner and select Resource Locations.
4. Download the Citrix Cloud Connector: Click Citrix Cloud Connector and then click Download.
5. When prompted, run the CWCConnector.exe file and supply your Citrix Cloud credentials. Follow the wizard to install
the software.
6. When finished, click Refresh to display the Resource Locations page. When the Citrix Cloud Connector is registered,
the instance appears on the page.
6. Repeat Step 5 to configure the second Citrix Cloud Connector.
Created for first-time users of the XenApp and XenDesktop Service, the Setting Up a Resource Location for the XenApp
and XenDesktop Service with Citrix Smart Tools guide walks you through all the steps needed to create your first resource
location successfully on Amazon EC2.
Create an Amazon Web Services (AWS) account and create the appropriate access keys.
Subscribe to NetScaler VPX in the Amazon Marketplace.
Use Smart Tools to configure and deploy the machines in your new resource location.
When finished, your new resource location will include the following components:
Create a virtual private cloud (VPC) with public and private subnets and provision a NAT instance. The NAT instance
enables machines in the private subnet to access the Internet. Citrix recommends allowing Smart Tools to create a new
VPC for your resource location.
Provision a bastion host for administering Amazon EC2 machines in the private subnet of your VPC using RDP. The
bastion host is deployed in the public subnet.
Setting Up a Resource Location for the XenApp and XenDesktop Service with Smart Tools (PDF)
Overview
Provisioning with MCS
Using Provisioning Services
Platform considerations
Configure connections and resources
Create machine catalogs
Overview
The XenApp and XenDesktop Service in Citrix Cloud can provision and power-manage VDAs (Virtual Delivery Agents). For
on-premises hypervisors, requests are proxied through the Citrix Cloud Connector.
Configuring provisioning through Machine Creation Services involves the following tasks:
1. Using Citrix Studio, create a connection with the hypervisor or cloud you want to use with the XenApp and XenDesktop
Service.
2. On a machine in your hypervisor or cloud environment, install the operating system, integration software for your cloud
or hypervisor, applications you want to make available to users, and the appropriate VDA package.
3. Using your hypervisor or cloud management tool, create an image or snapshot of this machine. You will use this image or
snapshot as the master image for your machine catalog.
4. Create a machine catalog with the appropriate number of machines for your users. During this process, you will specify
the master image you created.
Machine account creation with Machine Creation Services differs from XenApp and XenDesktop in that the accounts are
created by the Citrix Cloud Connector. By default, the machine hosting the Connector only has read-only access to Active
Directory (AD). Therefore, you will be prompted for AD credentials every time you create machine accounts in Citrix Studio.
There are two options for creating Provisioning Services managed VDAs from an on-premise Provisioning Server
deployment:
In order to create the XenDesktop catalogs and add them to the Citrix Cloud site using the XenDesktop Setup wizard in
1. Uninstall the XenApp and XenDesktop SDK from the PVS console by uninstalling each of the snap-ins:
1. Citrix Broker PowerShell
2. Citrix Configuration Logging Service PowerShell
3. Citrix Configuration Service PowerShell
4. Citrix Delegated Administration Service PowerShell
5. Citrix Host Service PowerShell
2. Download the XenApp and XenDesktop Remote PowerShell SDK.
3. Install the SDK using the command line and provide the PVS=Yes argument: CitrixPoshSdk.exe PVS=Yes
When you run the XenDesktop Setup wizard, you will be prompted for your Citrix Cloud customer credentials from the PVS
console, otherwise the process is the same as using the on-premise version.
Important
Known Issue: The XenApp and XenDesktop Remote PowerShell SDK has a 30-minute timeout at which time you are prompted to
re-enter your Citrix Cloud customer credentials. If you re-enter your credentials, the wizard will finish in the background. If you close
the wizard after you are prompted for credentials, you will need to restart the PVS console and start the process over.
From Citrix Cloud, access Machine Catalog Setup in Studio. After specifying the address of the on-premise Provisioning
Services server and clicking Connect, you will be prompted for Provisioning Services administrator credentials. After this
authentication, the process for the Machine Catalog Setup option is the same as the on-premise version.
Before you create a connection to the XenApp and XenDesktop Service or create machine catalogs, review the following
sections for important configuration information you will need for your cloud provider or hypervisor.
Before you create a connection in Studio, you must have an existing virtual network for the Azure account you want to
use with the XenApp and XenDesktop Service. When you create the connection, you will need to select the region in
which your virtual network resides and select the subnets where you want new machines to be provisioned.
To create a connection, you must provide a Microsoft publish settings file. This file contains all the Azure subscription
IDs and certificates associated with your Azure account. You will need to copy and paste the subscription ID from this
file into Studio using the session clipboard. You can obtain your publish settings file using the following methods:
Visit https://manage.windowsazure.com/publishsettings and log in with your account credentials. When prompted,
save the file.
Using Azure PowerShell, run the Get-AzurePublishSettingsFile cmdlet. When prompted, enter your account credentials
and save the file.
Machine catalogs are limited to 40 VMs. This includes VDI and RDS hosts.
When you create a connection in Studio, you must provide the Access Key ID and Secret Access Key for your AWS
account. You can copy and paste these values into Studio using the session clipboard. To control access to your AWS
account, Citrix recommends using the access keys of a specific IAM user. For more information about the IAM user
permissions needed for using AWS with the XenApp and XenDesktop Service, refer to CTX140429.
When creating a connection to your AWS account, you will need to provide the ID of the virtual private cloud (VPC) you
prepared, the region in which the VPC is located, the availability zone of the subnets in your VPC, your domain name, and
security group names. For more information about setting up your VPC, see Set up an AWS resource location for the
XenApp and XenDesktop Service.
For additional information, see the AWS documentation on the Amazon web site.
Citrix XenServer
When you create a connection, you must provide the credentials for a VM Power Admin or higher-level user.
Citrix recommends using HTTPS to secure communications with XenServer. To use HTTPS, you must replace the default
SSL certificate installed on XenServer; see CTX128656.
You can configure high availability if it is enabled on the XenServer. Citrix recommends that you select all servers in the
pool (from Edit High Availability) to allow communication with XenServer if the pool master fails.
You can select a GPU type and group, or passthrough, if the XenServer supports vGPU. The display indicates if the
selection has dedicated GPU resources.
For more information, see the Citrix XenServer product documentation.
VMware
See Prepare the virtualization environment: VMware for guidance in preparing your environment.
If you are using VMware vCenter with a self-signed certificate, be sure to add the certificate to each of the Citrix Cloud
Connectors in your resource location.
For additional information, see the VMware vSphere product documentation.
Microsoft Hyper-V
See Prepare the virtualization environment: Microsoft System Center Virtual Machine Manager for guidance in preparing
your environment.
All Citrix Cloud Connectors in your resource location must have the SCVMM console installed.
For additional information, see the Microsoft Hyper-V or SCVMM product documentation.
Before you can provision machines through the XenApp and XenDesktop Service, you must first create a connection and
define the network resources you will use. Configuring a connection includes setting the connection type from among the
supported hypervisors and cloud services. The storage and network you select form the resources for that connection.
If you are using Machine Creation Services to create VMs for your deployment, prepare a master image or template on your
host hypervisor or cloud. Then, create the machine catalog.
Make sure the host has sufficient processors, memory, and storage to accommodate the number of machines you will
create.
The Machine Catalog wizard walks you through the items described below. The wizard pages you see may differ, depending
on the selections you make.
Operating system
Each catalog contains machines of only one of the following types:
Server OS: A Server OS catalog provides desktops and applications that can be shared by multiple users. The machines
can be running supported versions of Windows or Linux operating systems, but the catalog cannot contain both.
Desktop OS: A Desktop OS catalog provides desktops and applications that are assigned to a variety of different users.
Remote PC Access: A Remote PC Access catalog provides users with remote access to the physical office desktop
machines. Remote PC Access does not require a VPN to provide security.
Machine management
The Machine Management page indicates how machines are managed and which tool you will use to deploy machines.
The Machines that are power-managed option indicates the machines are power-managed through Studio or
Use the Machines that are not power-managed option for physical machines.
Machine template
Select the snapshot or VM image of the machine you created earlier. Do not run Sysprep on master images.
To ensure you can use the latest product features, make sure the master image has the latest VDA version installed. Do not
change the default Select the VDA version installed selection on the wizard page.
Security
Select one or more security groups for the VMs; these are shown only if the availability zone supports security groups.
Virtual machines
Specify how many virtual machines to create.
If you are using a cloud service, specify the instance type or machine size to use.
Network cards
Select the network interface to use for machines in the catalog.
Computer accounts
Each machine in the catalog must have a corresponding computer account in Active Directory. Specify whether to create
new Active Directory accounts for machines in the catalog or use existing accounts. Additionally, specify the domain and
organizational unit (OU) where these accounts reside.
If you elect to create new accounts, specify the account naming scheme for the machines that will be created, using hash
marks to indicate where sequential numbers or letters will appear. Do not use a forward slash (/) in an OU name. A name
cannot begin with a number.
Domain credentials
Enter the domain administrator user name and password to use for creating the computer accounts in Active Directory.
XenApp and XenDesktop include VDAs for Windows server and desktop operating systems. VDAs for Windows server
operating systems allow multiple users to connect to the server at one time. VDAs for Windows desktops allow only one
user to connect to the desktop at a time. Some cloud providers limit the use of Windows desktop operating systems. For
VDI deployments, see Server VDI.
Citrix recommends installing the latest version of the VDA. The minimum requirement for the XenApp and XenDesktop
Service is version 7.0. Versions earlier than 7.6 might encounter registration issues. For more information, see the Upgrade
article.
For general and preparatory information about installing a VDA, see VDA installation guidance.
For instructions on using scripts to install a VDA, see the Install VDAs using scripts article.
Install a VDA
The XenApp and XenDesktop Service download page provides access to several downloads, including the VDA standalone
installer.
Citrix account credentials are not required to access the VDA download page from within the XenApp and XenDesktop
Service; however, credentials are required if you want to download other Citrix software that is restricted to customers. You
must either have elevated administrative privileges before starting the installation or use Run as administrator. Disable User
Account Control (UAC).
See What to specify when installing a VDA for details about each page in the wizard. The following items are unique to the
XenApp and XenDesktop Service environment:
Note: On the Delivery Controller page, choose the Do it manually option, and then specify the FQDNs of the Citrix
Cloud Connectors in your resource location. Citrix recommends specifying multiple Connectors for high availability. The
installer attempts to connect to the specified addresses and indicates the test result.
Predefined filters cannot be edited, but you can save a predefined filter as a custom filter and then modify it. Additionally,
you can create custom filtered views of machines, connections, and sessions across all Delivery Groups.
1. Select a view:
Machines. Select Desktop OS Machines or Server OS Machines. These views show the number of configured
machines. The Server OS Machines tab also includes the load evaluator index, which indicates the distribution of
performance counters and tool tips of the session count if you hover over the link.
Sessions. You can also see the session count from the Sessions view. Use the idle time measurements to identify
sessions that are idle beyond a threshold time period.
Connections. Filter connections by different time periods, including last 60 minutes, last 24 hours, or last 7 days.
Application Instances. This view displays the properties of all application instances on VDAs of Server and Desktop
OS. The session idle time measurements are available for Application instances on VDAs of Server OS Version 7.13 or
later.
2. For Filter by, select the criteria.
3. Use the additional tabs for each view, as needed, to complete the filter.
4. Select additional columns, as needed, to troubleshoot further.
5. Save and name your filter.
To open the filter later, from the Filters menu, select the failure type (Machines, Sessions, or Connections), and then select
the saved filter.
6. If needed, for Machines or Connections views, use power controls for all the machines you select in the filtered list. For
Alerts are displayed in Director on the dashboard and other high level views with warning and critical alert symbols. Alerts
update automatically every minute; you can also update alerts on demand.
A warning alert (amber triangle) indicates that the warning threshold of a condition has been reached or exceeded.
A critical alert (red circle) shows that the critical threshold of a condition has been reached or exceeded.
You can view more detailed information on alerts by selecting an alert from the sidebar, clicking the Go to Alerts link at the
bottom of the sidebar or by selecting Alerts from the top of the Director page.
In the Alerts view, you can filter and export alerts. For example, Failed Server OS machines for a specific Delivery Group over
the last month, or all alerts for a specific user. For more information, see Export reports.
Citrix alerts. Citrix alerts are alerts monitored in Director which originate from Citrix components. You can configure Citrix
alerts within Director in Alerts > Citrix Alerts Policy. As part of the configuration, you can set notifications to be sent by
email to individuals and groups when alerts exceed the thresholds you have set up.
To create a new alerts policy, for example to generate an alert when a specific set of session count criteria are met:
1. Go to Alerts > Citrix Alerts Policy and select, for example, Server OS Policy.
2. Click Create.
3. Name and describe the policy, then set the conditions which have to be met for the alert to be triggered. For example,
specify Warning and Critical counts for Peak Connected Sessions, Peak Disconnected Sessions and Peak Concurrent
Total Sessions. Warning values must not be higher than Critical values. For more information, see Alerts policies
conditions.
Creating a policy with 20 or more Delivery Groups defined in the Scope may take approximately 30 seconds to complete the
configuration. A spinner is displayed during this time.
Creating more than 50 policies for up to 20 unique Delivery Groups (1000 Delivery Group targets in total), may result in an
increase in response time (over 5 seconds).
Note: The policy setting, Enable resource monitoring, is allowed by default for the
monitoring of CPU and memory performance counters on machines with VDAs. If this
policy setting is disabled, alerts with CPU and memory conditions will not be triggered.
For more information, see Monitoring policy settings.
Connection Failure Rate: Percentage of connection failures over the last hour. Calculated based on the total failures to total connections attempted.
Check Director Connection Failures Trends view for events logged from the Configuration log.
Determine if applications or desktops are reachable.
Connection Failure Count: Number of connection failures over the last hour.
Check Director Connection Failures Trends view for events logged from the Configuration log.
Determine if applications or desktops are reachable.
ICA RTT (No. of Sessions): Number of sessions which exceed the threshold ICA round-trip time.
Check NetScaler HDX Insight for the number of sessions with high ICA RTT. For more information, see the NetScaler Insight Center documentation, HDX Insight Reports.
If NetScaler is not available, work with the network team to determine root cause.
ICA RTT (% of Session): Percentage of sessions which exceed the average ICA round-trip time.
Check NetScaler HDX Insight for the number of sessions with high ICA RTT. For more information, see the NetScaler Insight Center documentation, HDX Insight Reports.
If NetScaler is not available, work with the network team to determine root cause.
ICA RTT (User): ICA round-trip time which is applied to sessions launched by the specified user. The alert is triggered if ICA RTT is higher than the threshold in at least one session.
Average Logon Duration: Average logon duration for logons which occurred over the last hour.
Check the Director Dashboard to get up to date metrics regarding the logon duration. A large number of users logging in during a short timeframe can cause elongated logons.
Check the baseline and break down of the logons to narrow down the cause.
Logon Duration (User): Logon duration for logons for the specified user which occurred over the last hour.
The Trends view accesses historical trend information for sessions, connection failures, machine failures, logon
performance, load evaluation, capacity management, machine usage and resource utilization for each site. To locate this
information, click the Trends menu.
The zoom-in drilldown feature lets you navigate through trend charts by zooming in on a time period (clicking on a data
point in the graph) and drilling down to see the details associated with the trend. This feature enables you to better
understand the details of who or what has been affected by the trends being displayed.
To change the default scope of each graph, apply a different filter to the data.
Action: Description
View trends for sessions: From the Sessions tab, select the Delivery Group and time period to view more detailed information about the concurrent session count.
View trends for connection failures: From the Failures tab, select connections, machine type, failure type, Delivery Group, and time period to view a graph containing more detailed information about the user connection failures across your site.
View trends for machine failures: From Failures > Desktop OS Machine Failures or Server OS Machines, select the failure type, Delivery Group, and time period to view a graph containing more detailed information about the machine failures across your site.
View trends for logon performance: From the Logon Performance tab, select the Delivery Group and time period to view a graph containing more detailed information about the duration of user logon times across your site and whether the number of logons affects the performance. This view also shows the average duration of the logon phases, such as brokering duration, VM start time.
This data is specifically for user logons and does not include users trying to reconnect from disconnected sessions.
View trends for load evaluation: From the Load Evaluator Index tab, view a graph containing more detailed information about the load that is distributed among Server OS machines. The
View hosted applications usage: The availability of this feature depends on your organization's license.
From the Capacity Management tab, select Hosted Applications Usage tab, select the Delivery Group and time period to view a graph displaying peak concurrent usage and a table displaying application based usage. From the Application Based Usage table, you can choose a specific application to see details and a list of users who are using, or have used, the application.
View desktop and server OS usage: The Trends view shows the usage of Desktop OS by Site and by Delivery group. When you select Site, usage is shown per Delivery group. When you select Delivery group, usage is shown per User.
The Trends view also shows the usage of Server OS by Site, by Delivery group and by Machine. When you select Site, usage is shown per Delivery group. When you select Delivery group, usage is shown per Machine and per User. When Machine is selected usage is shown per User.
View virtual machine usage: From the Machine Usage tab, select Desktop OS Machines or Server OS Machines to obtain real-time view of your VM usage, enabling you to quickly assess your site's capacity needs.
View resource utilization: From the Resource Utilization tab, select Desktop OS Machines or Server OS Machines to obtain insight into historical trends data for CPU and memory usage for each VDI machine for better capacity planning.
Graphs show data for Average CPU, Average Memory and Total Sessions. The administrator can drill down further to the machine, and view data and charts for the top 10 processes consuming CPU.
Filter by Delivery Group and Time period (last 2 hours, 24 hours, 7 days, month, and year).
Create customized reports: You can create a new Custom Report query based on machines, connections, sessions, or application instances. Specify filter conditions based on fields such as machine, delivery group, or time period. Specify additional columns required in your Custom Report. Preview displays a sample of the report data. Saving the Custom Report query adds it to the list of saved queries.
You can create a new Custom Report query based on a copied OData query. To do this, select the OData Query option and paste the copied OData query. You can save the resultant query for execution later.
The flag icons on the graph indicate significant events or actions for that specific time range. Hover the mouse over the
flag and click to list events or actions.
Note:
HDX connection logon data is not collected for VDAs earlier than 7. For earlier VDAs, the chart data is displayed as 0.
Sessions, failures, and logon performance trend information is available as graphs and tables when the time period is set
to Last month or shorter. When the time period is set to Last Year, the trend information is available as graphs but not
as tables.
Export reports
Using the export feature, you can export trends information to generate regular usage and capacity management reports.
Export supports PDF, Excel, and CSV report formats. Reports in PDF and Excel formats contain trends represented as
graphs and tables. CSV format reports contain tabular data that can be processed to generate views or can be archived.
The supported number of concurrent export operations and the amount of data that can be exported is set to default
limits, beyond which tabular data is truncated.
When users connect from outside the corporate firewall, Citrix Cloud can use Citrix NetScaler Gateway (formerly Access
Gateway) technology to secure these connections with SSL. NetScaler Gateway or the NetScaler VPX virtual appliance is
an SSL VPN appliance that is deployed in the demilitarized zone (DMZ) to provide a single secure point of access through
the corporate firewall.
There are three primary use cases for setting up StoreFront with Citrix Cloud:
1. A cloud-hosted StoreFront: The applications and desktops service in Citrix Cloud hosts a StoreFront site for each
customer. The benefit of the cloud-hosted StoreFront is that there is zero effort to deploy, and it is kept evergreen by
Citrix. Cloud-hosted is recommended for all new customers, previews, and proofs-of-concept (PoCs).
2. An on-premises StoreFront: Customers may also use an existing StoreFront to aggregate applications and desktops in
Citrix Cloud. This offers greater security, including support for two-factor authentication and prevents users from
entering their password into the cloud service. It also allows customers to customize their domain names and URLs. This
is recommended for any existing XenApp and XenDesktop customers that already have StoreFront deployed.
3. A combination on-premises StoreFront and cloud-hosted StoreFront.
To provide remote access for end-users through a cloud-hosted StoreFront, do the following:
Set up NetScaler Gateway as an ICA proxy (No authentication or session policies are needed). This can be configured in
Citrix Studio by clicking on StoreFront under the Configuration node, then selecting the Set NetScaler Gateway action.
Note
For more information on configuring NetScaler, see NetScaler VPX Deployment Guides.
One benefit of using an existing StoreFront is that the Citrix Cloud Connector provides encryption of user passwords.
Credentials are encrypted by the connector using AES-256, using a randomly-generated one-time key. This key is returned
directly to Citrix Receiver and never sent to the cloud. Citrix Receiver then supplies it to the VDA during session launch in
order to decrypt the credentials and provide a single sign-on experience into Windows.
For transport, select HTTP and port 80. The StoreFront machine must be able to directly access the connector through
the FQDN (fully qualified domain name) provided; the connector needs to be able to reach the Cloud NFuse/STA URL at
(https://<customername>.xendesktop.net/Scripts/wpnbr.dll and ctxsta.dll).
Multiple connectors should be added as delivery controllers for High Availability.
Recommendation
External Access
To provide external access through NetScaler Gateway and on-premises StoreFront, do the following:
Set up NetScaler Gateway as in a usual deployment with authentication and session policies. See Citrix Product
Documentation for more information.
Point your on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
The NetScaler Gateway must use the same STA URLs as StoreFront. If the gateway is not already configured to use the
STA of an existing XenApp/XenDesktop environment, Citrix Cloud Connectors may be used as a STA.
Internal Access
To provide internal access through an on-premises StoreFront, do the following:
Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
Set up NetScaler Gateway as in a usual deployment (with authentication and session policies) - See Citrix Product
Documentation for more information.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
To provide external access through cloud-hosted StoreFront and NetScaler Gateway with on-premises StoreFront, do the
following:
Set up NetScaler Gateway as you would in a usual deployment (with authentication and session policies). See Citrix
Product Documentation for more information.
Point your on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
Set NetScaler Gateway (FQDN:PORT) in Cloud-hosted Studio.
To provide internal access through cloud-hosted and on-premises StoreFront, do the following:
Point the on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
The user's mobile phone receives a Short Message Service (SMS) message that contains a 6-digit access code. The user
must enter the access code on the authentication form.
You can register the users' mobile phone numbers in Active Directory. Set the Phone-Mobile-Primary attribute to the
required user's mobile number in E.164 format. For more information, see E164: The international public telecommunication
numbering plan.
To accelerate the logon process, add the Phone-Mobile-Primary attribute to the Active Directory Global catalog. For more
information, see Phone-Mobile-Primary attribute.
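SMS delivery depends on every account carrying a usable Phone-Mobile-Primary value, so the directory is worth auditing before this factor is relied on. The PowerShell below is an added example, not Citrix code: it assumes the attribute is read through its LDAP display name mobile and that stored numbers include the leading +, it runs on constructed sample accounts, and its Shared check is an extra that the text above does not describe.

```powershell
# Added example (not Citrix code): audit mobile numbers used for SMS access codes.

function Test-E164Number {
    param([AllowNull()][AllowEmptyString()][string]$Number)
    # "+" followed by 2 to 15 digits with no leading zero. \A and \z anchor the whole
    # string, so a trailing newline or stray text cannot slip through; [0-9] is used
    # instead of \d because \d also matches non-ASCII digits in .NET.
    return [bool]($Number -match '\A\+[1-9][0-9]{1,14}\z')
}

function Get-MobileNumberAudit {
    # $User: objects exposing SamAccountName and mobile (assumed property names).
    param([Parameter(Mandatory)][object[]]$User)

    # Count how many accounts carry each number. A number shared by several accounts
    # means one handset receives the access codes for all of them.
    $count = @{}
    foreach ($u in $User) {
        if ($u.mobile) {
            $key = [string]$u.mobile
            $count[$key] = 1 + [int]$count[$key]
        }
    }

    foreach ($u in $User) {
        if ([string]::IsNullOrWhiteSpace($u.mobile)) { $status = 'Missing' }
        elseif (-not (Test-E164Number $u.mobile))    { $status = 'NotE164' }
        elseif ($count[[string]$u.mobile] -gt 1)     { $status = 'Shared' }
        else                                         { $status = 'OK' }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mobile         = $u.mobile
            Status         = $status
        }
    }
}

# Constructed sample accounts; none of these values come from a real directory.
$SampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mobile = '+14155550123' }
    [pscustomobject]@{ SamAccountName = 'bob';   mobile = '(415) 555-0123' }
    [pscustomobject]@{ SamAccountName = 'carol'; mobile = $null }
    [pscustomobject]@{ SamAccountName = 'dave';  mobile = '+442079460000' }
    [pscustomobject]@{ SamAccountName = 'erin';  mobile = '+442079460000' }
    [pscustomobject]@{ SamAccountName = 'frank'; mobile = '0044 20 7946 0000' }
)

Get-MobileNumberAudit -User $SampleUsers | Format-Table -AutoSize

# Against a live directory (requires the ActiveDirectory module):
#   Get-MobileNumberAudit -User (Get-ADUser -Filter * -Properties mobile)
```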
When creating a vSphere host connection in Studio, a dialog box allows you to view the certificate of the machine you are
connecting to. You can then choose whether to trust it.
When delivered to users, published applications appear very similar to applications running locally on the user device. Users
start applications depending on the delivery options you select while publishing and the plug-in they are running on their
devices.
The XenApp and XenDesktop Service in Citrix Cloud now features improvements to app publishing. Migration to Citrix Cloud
from other versions of XenApp and XenDesktop is now easier than ever. The newest features are highlighted below.
The new Applications node in the Studio navigation pane provides a central way to manage all of your applications,
regardless of Delivery Group assignment. One of its key benefits is the ability to add applications to more than one Delivery
Group at one time.
When you add an application to more than one Delivery Group, you can specify the priority of each Delivery Group (0 is the
highest). XenApp or XenDesktop will attempt to launch the application from the highest priority Delivery Group; if that's not
possible, the application in the second-highest Delivery Group will be launched, and so on.
The Add Application wizard offers a dropdown from which you select the source of applications: a machine created in the
Machine Catalog, an App-V package, an application you have already added to the Site (perhaps in another Delivery Group),
or a manually-defined application.
Updated Create Delivery Group wizard and Edit Delivery Group interface
The Delivery Type page is displayed only if you selected a Machine Catalog containing assigned desktop OS machines; in
that case, you can specify whether the machines in that catalog will deliver desktops or applications. For all other machine
types, the machines in the group can deliver applications and desktops. You can change the delivery type later by editing the
Delivery Group.
The StoreFront page no longer appears in the Create Delivery Group wizard. It is assumed you will provide a StoreFront
server address from the StoreFront node in Studio. You can also specify StoreFront information later by editing the Delivery
Group.
The Applications page in the Create Delivery Group wizard now offers a new dropdown from which you select the source
of applications you're adding to the Delivery Group: a machine created in the Machine Catalog you selected, an App-V
package, an application you have already added to the Site (perhaps in another Delivery Group), or a manually-defined
application.
On the Desktops page, you can add desktops, indicate who can use them, and enable/disable them for delivery. If the
Delivery Group contains machines from a static assigned catalog, you can also specify the maximum number of desktops
per user.
The Summary page now includes an optional description field that is displayed in Studio. You can change this description
Tags are strings that identify items such as machines, applications, Delivery Groups, and policies. After adding a tag to an
item, you can tailor search queries and policy assignments to apply only to items that have a specified tag.
Previously, one dialog box was available for adding and editing tags. Currently it offers a more robust and easy-to-use
interface.
NetScaler Gateway as a Service enables secure, remote access to XenApp and XenDesktop applications, without having to
deploy NetScaler Gateway in the perimeter network (also known as a DMZ) or reconfigure your firewall. The entire
infrastructure overhead of using NetScaler Gateway moves to the cloud, where the cloud service is hosted by Citrix.
You enable NetScaler Gateway as a Service using a check box. Once it has been enabled, users can access their VDAs from
outside their network, as shown in the following diagram.
1. From the Citrix Cloud > Apps and Desktops menu, choose Manage > Service Delivery. The Service Delivery screen
appears.
2. Enable NetScaler Gateway.
3. Choose Use cloud hosted Citrix NetScaler Gateway.
Known Issues
The service is currently enabled only for use with HDX traffic as part of the XenApp and XenDesktop Service. Other
NetScaler Gateway functionality is not enabled.
The service is available on the eastern and western coasts of the United States, and in Europe. As HDX traffic travels
through the service, users and/or XenApp or XenDesktop servers located outside those areas experience higher latency.
The Citrix Cloud Connector located within your Citrix Cloud resource locations communicates with Citrix-run cloud
services over the Internet. Currently this communication channel does not support authentication at outbound proxies
for access to the Internet.
All network traffic is protected by SSL, but to provide the NetScaler Gateway functionality, HDX traffic is present in
memory in an unencrypted form.
To use the NetScaler Gateway Service, you must use StoreFront hosted within the Citrix Cloud.
Customers run cmdlets and scripts in their traditional site containing both VDAs and Delivery Controllers within a common
domain structure. The Citrix Cloud XenApp and XenDesktop Service splits the VDAs and Controllers into a Resource
Location and Control Plane, respectively. This split means the original XenApp and XenDesktop PS SDK will not work
because it cannot cross the secure Resource Location to Control Plane boundary.
The solution is the XenApp and XenDesktop Remote PS SDK. When run in the Resource Location, the Remote PS SDK can
access the Control Plane as if it were local, providing the same functionality as a single XenApp and XenDesktop site. There
is only the lowest non-visible communication layer, enhanced to work either in a single local site or in the cloud environment.
The cmdlets are the same, and most existing scripts will work unchanged.
The Get-XdAuthentication cmdlet provides authorization to cross the secure Resource Location to Control Plane
boundary. By default, Get-XdAuthentication prompts users for CAS credentials, and must be done once per PowerShell
session. Alternatively, the user can define an authentication profile using an API access Secure Client, created in the Citrix
Cloud console. In both cases, the security information persists for use in subsequent PS SDK calls. If this cmdlet is not
explicitly executed, it will be called by the first PS SDK cmdlet.
Install
1. Download the installer from: here; the package contains both x86 and x64 implementations.
2. In the download folder, locate and run the installer.
3. Follow the dialogs to complete the installation.
Installation logs are created in %TEMP%\CitrixLogs\CitrixPoshSdk. Logs can help resolve installation issues.
How to Use
Run the XenApp and XenDesktop Remote PS SDK from any computer in the customer's Resource Location.
Citrix recommends that you do not run this on the Connectors; the SDK's operation does not involve the Connectors.
Uninstall
From the Windows feature for removing or changing programs, select XenApp and XenDesktop Remote PowerShell
SDK, then right-click and select Uninstall. Follow the dialog.
Common activities include setting up catalogs, applications, and users. A sample script is shown below.
$TSVDADGName = "TSVDA"
$catalog = New-BrokerCatalog -Name $TSVDACatalogName -AllocationType "Random" -Description $TSVDACatalogName -PersistU
$dg = New-BrokerDesktopGroup -Name $TSVDADGName -PublishedName $TSVDADGName -DesktopKind "Shared" -SessionSupport
New-BrokerApplication -ApplicationType HostedOnDesktop -Name "Notepad" -CommandLineExecutable "notepad.exe" -DesktopGr
New-BrokerEntitlementPolicyRule -Name $TSVDADGName -DesktopGroupUid $dg.Uid -IncludedUsers $brokerUsers -description $TS
New-BrokerAccessPolicyRule -Name $TSVDADGName -IncludedUserFilterEnabled $true -IncludedUsers $brokerUsers -DesktopGroup
New-BrokerAppEntitlementPolicyRule -Name $TSVDADGName -DesktopGroupUid $dg.Uid -IncludedUsers $brokerUsers -description
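Because some cmdlets are disabled in remote operations (see the table under Limitations), an existing on-premises script can be checked before it is run through the Remote PS SDK. The PowerShell below is an added example, not Citrix code: it assumes a table entry such as Broker:GetLease names the cmdlet Get-BrokerLease, embeds only a subset of that table, and scans a constructed sample script without executing it.

```powershell
# Added example (not Citrix code): find calls to cmdlets that the Remote PS SDK
# disables, before an existing on-premises script is run against Citrix Cloud.

# Subset of the disabled-cmdlet table, written in the table's own notation.
# Extend this array with the remaining rows of the table.
$DisabledEntries = @(
    'Acct:CopyIdentityPool', 'Acct:SetDBConnection',
    'Admin:NewAdministrator', 'Admin:NewRole', 'Admin:SetRole', 'Admin:AddPermission',
    'Broker:GetLease', 'Broker:GetDBConnection',
    'Config:SetSite', 'Config:RegisterServiceInstance',
    'Hyp:SetDBConnection', 'Prov:GetDBSchema'
)

function ConvertTo-CmdletName {
    # Assumption: a table entry "Prefix:VerbNoun" names the cmdlet "Verb-PrefixNoun",
    # for example "Broker:GetLease" -> "Get-BrokerLease".
    param([Parameter(Mandatory)][string]$Entry)
    # -cmatch is case-sensitive: the verb is the first capitalised word after the colon.
    if ($Entry -cmatch '^(?<prefix>[A-Za-z]+):(?<verb>[A-Z][a-z]+)(?<noun>[A-Z]\w*)$') {
        return '{0}-{1}{2}' -f $Matches['verb'], $Matches['prefix'], $Matches['noun']
    }
    throw "Unrecognised table entry: $Entry"
}

function Find-DisabledCmdlet {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [Parameter(Mandatory)][string[]]$Disabled
    )
    $tokens = $null
    $errors = $null
    # Parse only; nothing in the script under review is executed.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        Write-Warning ("{0} parse error(s); findings may be incomplete." -f $errors.Count)
    }
    # Command names are case-insensitive in PowerShell, so the lookup must be too.
    $set = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$Disabled, [System.StringComparer]::OrdinalIgnoreCase)
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] },
        $true)   # $true: also search nested script blocks and functions
    foreach ($cmd in $commands) {
        # GetCommandName() is $null for dynamic invocation such as "& $name";
        # those calls cannot be resolved statically and need manual review.
        $name = $cmd.GetCommandName()
        if (-not $name) { continue }
        # Drop a module or snap-in qualifier: "Snapin\Verb-Noun" -> "Verb-Noun".
        $name = ($name -split '\\')[-1]
        if ($set.Contains($name)) {
            [pscustomobject]@{
                Line   = $cmd.Extent.StartLineNumber
                Cmdlet = $name
                Text   = $cmd.Extent.Text
            }
        }
    }
}

# Constructed sample standing in for an existing on-premises script.
$SampleScript = @'
$dg = New-BrokerDesktopGroup -Name "TSVDA" -PublishedName "TSVDA" -DesktopKind "Shared"
Get-BrokerLease | Out-Null
# Set-ConfigSite appears only in this comment, so the AST walk ignores it
New-AdminAdministrator -Name "EXAMPLE\helpdesk"
citrix.host.admin.v2\set-hypdbconnection -DBConnection $null
'@

$disabledNames = $DisabledEntries | ForEach-Object { ConvertTo-CmdletName -Entry $_ }
$findings = @(Find-DisabledCmdlet -ScriptText $SampleScript -Disabled $disabledNames)
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) {
    Write-Warning ("{0} call(s) use cmdlets that are disabled in remote operations." -f $findings.Count)
}
```

Aliases and commands invoked through a variable are not resolved by this static check, so a clean result narrows the review rather than replacing it.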
Limitations
The following XenApp and XenDesktop PowerShell snap-ins are supported in this release:
Broker
Active Directory (AD) Identity
Machine Creation
Configuration
Configuration Logging
Host
Delegated Administration
Analytics
Once authenticated, remote access remains valid in the current PowerShell session for 24 hours. After this time, you must
enter your credentials.
The XenApp and XenDesktop Remote PS SDK must be run on a computer within the Resource Location.
The following cmdlets are disabled in remote operations to maintain the integrity and security of the Cloud control plane.
Snapin Cmdlets
Citrix.ADIdentity.Admin.V2
Acct:CopyIdentityPool
Acct:GetDBConnection
Acct:GetDBSchema
Acct:GetDBVersionChangeScript
Acct:GetInstalledDBVersion
Acct:RemoveServiceMetadata
Acct:ResetServiceGroupMembership
Acct:SetDBConnection
Citrix.Analytics.Admin.V1
Analytics:GetDBConnection
Analytics:GetDBSchema
Analytics:GetDBVersionChangeScript
Analytics:GetInstalledDBVersion
Analytics:ImportDataDefinition
Analytics:RemoveServiceMetadata
Analytics:ResetServiceGroupMembership
Analytics:SetDBConnection
Analytics:SetServiceMetadata
Analytics:SetSite
Analytics:TestDBConnection
Admin:AddPermission
Admin:AddRight
Admin:GetAdministrator
Admin:GetDBConnection
Admin:GetDBSchema
Admin:GetDBVersionChangeScript
Admin:GetInstalledDBVersion
Admin:ImportRoleConguration
Admin:NewAdministrator
Admin:NewRole
Admin:NewScope
Admin:RemoveAdministrator
Admin:RemoveAdministratorMetadata
Admin:RemovePermission
Admin:RemoveRight
Citrix.DelegatedAdmin.Admin.V1
Admin:RemoveRole
Admin:RemoveRoleMetadata
Admin:RemoveScope
Admin:RemoveScopeMetadata
Admin:RemoveServiceMetadata
Admin:ResetServiceGroupMembership
Admin:SetAdministrator
Admin:SetAdministratorMetadata
Admin:SetDBConnection
Admin:SetRole
Admin:SetRoleMetadata
Admin:SetScope
Admin:SetScopeMetadata
Admin:SetServiceMetadata
Admin:TestDBConnection
Broker:GetDBConnection
Broker:GetDBSchema
Broker:GetDBVersionChangeScript
Broker:GetInstalledDBVersion
Broker:GetLease
Broker:NewMachineConguration
Broker:RemoveControllerMetadata
Cong:ExportFeatureTable
Cong:GetDBConnection
Cong:GetDBSchema
Cong:GetDBVersionChangeScript
Cong:GetInstalledDBVersion
Cong:GetServiceGroup
Cong:ImportFeatureTable
Cong:RegisterServiceInstance
Cong:RemoveRegisteredServiceInstanceMetadata
Cong:RemoveServiceGroup
Cong:RemoveServiceGroupMetadata
Citrix.Conguration.Admin.V2 Cong:RemoveServiceMetadata
Cong:RemoveSiteMetadata
Cong:ResetServiceGroupMembership
Cong:SetDBConnection
Cong:SetRegisteredServiceInstance
Cong:SetRegisteredServiceInstanceMetadata
Cong:SetServiceGroupMetadata
Cong:SetServiceMetadata
Cong:SetSite
Cong:SetSiteMetadata
Cong:TestDBConnection
Cong:UnregisterRegisteredServiceInstance
Hyp:GetDBConnection
Hyp:GetDBSchema
Hyp:GetDBVersionChangeScript
Hyp:GetInstalledDBVersion
Citrix.Host.Admin.V2 Hyp:RemoveServiceMetadata
Hyp:ResetServiceGroupMembership
Hyp:SetDBConnection
Hyp:SetServiceMetadata
Hyp:TestDBConnection
Prov:GetDBConnection
Prov:GetDBSchema
Prov:GetDBVersionChangeScript
Prov:GetInstalledDBVersion
Prov:GetServiceCongurationData
Prov:RemoveServiceCongurationData
Citrix.MachineCreation.Admin.V2
Prov:RemoveServiceMetadata
Prov:ResetServiceGroupMembership
Prov:SetDBConnection
Prov:SetServiceCongurationData
Prov:SetServiceMetadata
Prov:TestDBConnection
EnvTest:GetDBConnection
EnvTest:GetDBSchema
EnvTest:GetDBVersionChangeScript
EnvTest:GetInstalledDBVersion
Citrix.EnvTest.Admin.V1 EnvTest:RemoveServiceMetadata
EnvTest:ResetServiceGroupMembership
EnvTest:SetDBConnection
EnvTest:SetServiceMetadata
EnvTest:TestDBConnection
Monitor:GetConguration
Monitor:GetDBConnection
Monitor:GetDBSchema
Monitor:GetDBVersionChangeScript
Monitor:GetDataStore
Monitor:GetDataStore
Monitor:GetInstalledDBVersion
Citrix.Monitor.Admin.V1
Monitor:RemoveServiceMetadata
Monitor:ResetDataStore
Monitor:ResetServiceGroupMembership
Monitor:SetConguration
Sf:BuildCluster
Sf:GetClusters
Sf:GetDBConnection
Citrix.Storefront.Admin.V1
Sf:GetDBSchema
Sf:GetDBVersionChangeScript
Sf:GetInstalledDBVersion
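Because the cmdlets listed above are disabled in remote operations, an existing on-premises automation script can be checked against the list before it is pointed at the cloud service. The following is an added example, not part of the Citrix SDK or documentation: the function names are hypothetical, the entry list is a subset of the table, and it assumes that a table entry written as Prefix:VerbNoun names the cmdlet Verb-PrefixNoun.

```powershell
# Added example: pre-flight check of a script against the disabled-cmdlet table.
# Assumption: a table entry "Prefix:VerbNoun" corresponds to the cmdlet "Verb-PrefixNoun".

# Subset of the table; add the remaining entries in the same notation.
$DisabledEntries = @(
    'Acct:SetDBConnection', 'Admin:NewAdministrator', 'Admin:AddPermission',
    'Admin:SetRole', 'Broker:GetLease', 'Config:SetSite', 'Hyp:SetDBConnection',
    'Prov:SetServiceConfigurationData', 'Monitor:ResetDataStore', 'Sf:BuildCluster'
)

function ConvertTo-CmdletName {
    # 'Config:SetSite' -> 'Set-ConfigSite'. Case-sensitive so the verb ends at the next capital.
    param([Parameter(Mandatory)][string]$Entry)
    if ($Entry -cmatch '^(?<prefix>[A-Za-z]+):(?<verb>[A-Z][a-z]+)(?<noun>[A-Z]\w*)$') {
        return '{0}-{1}{2}' -f $Matches.verb, $Matches.prefix, $Matches.noun
    }
    throw "Unrecognized table entry: $Entry"
}

function Find-DisabledCmdletUse {
    # Parses the script text (without running it) and reports each call to a disabled cmdlet.
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [Parameter(Mandatory)][string[]]$Entries
    )
    $blocked = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($entry in $Entries) {
        [void]$blocked.Add((ConvertTo-CmdletName -Entry $entry))
    }

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        throw "Script does not parse: $($errors[0].Message)"
    }

    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] },
        $true)   # $true: also search nested script blocks and functions

    foreach ($cmd in $commands) {
        # GetCommandName() returns $null for dynamic invocations such as "& $name";
        # those cannot be resolved statically and are not reported here.
        $name = $cmd.GetCommandName()
        if (-not $name) { continue }
        $name = ($name -split '\\')[-1]   # strip a "Module\" qualifier if present
        if ($blocked.Contains($name)) {
            [pscustomobject]@{
                Line   = $cmd.Extent.StartLineNumber
                Cmdlet = $name
                Text   = $cmd.Extent.Text
            }
        }
    }
}

# Constructed sample script; it is only parsed, never executed.
$sample = @'
Add-PSSnapin Citrix*
$dg = Get-BrokerDesktopGroup -Name "TSVDA"
Set-ConfigSite -SiteName "Lab"
Citrix.DelegatedAdmin.Admin.V1\New-AdminAdministrator -Name "CONTOSO\alice"
'@

Find-DisabledCmdletUse -ScriptText $sample -Entries $DisabledEntries |
    Format-Table -AutoSize
```

The check is static, so calls made through aliases or through a variable holding the command name are not detected.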
The XenApp and XenDesktop Remote PowerShell SDK can be downloaded from here.
Disclaimer
This software / sample code is provided to you AS IS with no representations, warranties or conditions of any kind. You
may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED,
WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR
A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you
acknowledge and agree that (a) the software / sample code may exhibit errors, design flaws or other problems, possibly
resulting in loss of data or damage to property; (b) it may not be possible to make the software / sample code fully
functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any
future versions of the software / sample code. In no event should the software / code be used in support of
ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR
AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES
WHATSOEVER ARISING FROM USE OF THE SOFTWARE / SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT,
SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or
distribution of the code.
Security overview
This document applies to all the XenApp and XenDesktop services hosted in Citrix Cloud, including XenApp Essentials and
XenDesktop Essentials.
Citrix Cloud manages the operation of the control plane for XenApp and XenDesktop environments. This includes the
controllers, management consoles, SQL database, license server, and optionally StoreFront and NetScaler Gateway. The
Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer's control in the data center of
their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the
Citrix Cloud Connector. If customers elect to use the StoreFront cloud service, they may also choose to use the NetScaler
Gateway Service instead of running NetScaler Gateway within their data center. The diagram below illustrates the service
and its security boundaries.
Data flow
As the components hosted by the cloud service do not include the VDAs, the customer's application data and golden
images required for provisioning are always hosted within the customer setup. The control plane has access only to
metadata, such as usernames, machine names, and application shortcuts, which restricts access to the customer's
Intellectual Property from the control plane.
Data flowing between the cloud and customer premises uses secure TLS connections over port 443.
Service editions
The capabilities of the XenApp and XenDesktop Service vary by edition. For example, XenApp Essentials only supports
NetScaler Gateway service and Citrix-Managed StoreFront. Consult product documentation to learn more about
supported features.
Credential handling
The service handles four types of credentials:
User Credentials: When using a customer-managed StoreFront, user credentials are encrypted by the Citrix Cloud
Connector using AES-256 encryption and a random one-time key generated for each launch. The key is never passed
into the cloud, and is returned only to Citrix Receiver. This key is then passed to the VDA directly by Citrix Receiver to
decrypt the user password during session launch for a single sign-on experience. The entire flow is shown in the figure
below.
Administrator Credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix
Online. This generates a one-time signed JSON Web Token (JWT) which gives the administrator access to the XenApp
and XenDesktop Service.
Hypervisor Passwords: On-premises hypervisors that require a password for authentication have a password generated
by the administrator and directly stored encrypted in the SQL database in the cloud. Peer keys are managed by Citrix to
ensure that hypervisor credentials are only available to authenticated processes.
Active Directory (AD) Credentials: Machine Creation Services uses the connector for creating machine accounts in a
customer's AD. Because the machine account of the connector has only read access to AD, the administrator is
prompted for credentials for each machine creation or deletion operation. These credentials are stored only in memory
Deployment considerations
Citrix recommends that users consult the published best practices documentation for deploying NetScaler Gateway
applications and VDAs within their environments. Additional considerations regarding on-premises StoreFront deployment
and network connectivity are as follows:
The Citrix Cloud Connectors require only port 443 outbound traffic to the internet, and may be hosted behind an HTTP
proxy.
Within the internal network, the connector needs access to the following for the XenApp and XenDesktop Service:
VDAs (port 80, both inbound and outbound)* plus 1494 and 2598 inbound if using NetScaler Gateway Service
StoreFront Servers (port 80 inbound)**
NetScaler Gateways, if configured as a STA (port 80 inbound)**
Active Directory domain controllers
Hypervisors (outbound only; see hypervisor documentation for specific ports)
* Traffic between the VDAs and Connectors is encrypted using Kerberos message-level security.
** SSL is not yet supported in Citrix Cloud for the StoreFront or NetScaler traffic, so Citrix recommends configuring firewall
rules, VLANs, and/or IPsec tunnels for these services.
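Since the port 80 traffic from StoreFront servers and NetScaler Gateways to the connector is not protected by SSL, the firewall recommendation above can be applied on the Cloud Connector itself by limiting which hosts may reach port 80. The following is an added example, not Citrix code: the function names are hypothetical and every address is a constructed placeholder. It covers port 80 only.

```powershell
#Requires -RunAsAdministrator
# Added example: scope inbound TCP 80 on a Cloud Connector to the peers that need it.
# All addresses are constructed placeholders; substitute the real ones.
$AllowedPeers = @{
    'StoreFront servers'      = @('10.0.10.11', '10.0.10.12')
    'NetScaler Gateway (STA)' = @('10.0.20.5')
    'VDA subnet'              = @('10.0.30.0/24')
}

function Get-UnscopedPort80Rule {
    # Lists enabled inbound allow rules that accept TCP 80 from any remote address.
    # While such a rule exists, the scoped rules below restrict nothing.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            ($port.Protocol -eq 'TCP' -or $port.Protocol -eq 'Any') -and
            (@($port.LocalPort) -contains '80' -or @($port.LocalPort) -contains 'Any') -and
            (@($addr.RemoteAddress) -contains 'Any')
        } |
        Select-Object DisplayName, Profile
}

function Add-ScopedPort80Rule {
    # Creates one inbound allow rule per peer group, limited to that group's addresses.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Peers)

    foreach ($role in $Peers.Keys) {
        $name = "Cloud Connector - TCP 80 from $role"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule already present: $name"
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'Create inbound allow rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol TCP -LocalPort 80 -RemoteAddress $Peers[$role] `
                -Profile Domain | Out-Null
        }
    }
}

# Preview the rules first; rerun without -WhatIf to create them.
Add-ScopedPort80Rule -Peers $AllowedPeers -WhatIf

# Review anything still accepting port 80 from every source, then narrow or disable it.
Get-UnscopedPort80Rule | Format-Table -AutoSize
```

The scoped rules only take effect when the Windows Firewall default inbound action for the active profile is Block and no broader allow rule remains.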
Customer-managed StoreFront
A customer-managed StoreFront offers greater security configuration options and flexibility for deployment architecture,
including the ability to maintain user credentials on-premises. The StoreFront can be hosted behind the NetScaler Gateway
to provide secure remote access, enforce multifactor authentication, and add other security features.
Using the NetScaler Gateway Service avoids the need to deploy NetScaler Gateway within customer data centers. To use
the NetScaler Gateway Service, it is a prerequisite to use the StoreFront service delivered from Citrix Cloud. The data flow
when using NetScaler Gateway Service is shown in the figure below.
More information
See the following resources for more security information:
Note: This document is intended to provide the reader with an introduction to and overview of the security functionality of
Citrix Cloud; and to define the division of responsibility between Citrix and customers with regard to securing the Citrix
Cloud deployment. It is not intended to serve as a configuration and administration guidance manual for Citrix Cloud or any
of its components or services.
XenApp Essentials Service replaces Microsoft RemoteApp while providing the same application access experience for users.
XenApp Essentials Service is delivered through the Citrix Cloud and helps you to deploy your app workloads within your
Azure subscription with ease. When users open their applications in Citrix StoreFront, the application appears to run locally
on the user computer. Users can work in one or more apps in the same XenApp Essentials session. Users can access their
apps securely from any device, anywhere.
To deliver Windows apps to users, log on to the Citrix Cloud. After you log on, choose the XenApp and XenDesktop Service
and then configure the settings.
You purchase XenApp Essentials from the Azure Marketplace. After you complete your purchase, see System Requirements
for the required components to deploy XenApp Essentials successfully.
For detailed deployment instructions, see the following XenApp Essentials Deployment Guide.
To provision and deploy resources in Microsoft Azure correctly, you need the following:
For more information about how to set up an Azure Active Directory tenant, see How to get an Azure Active
Directory tenant on the Microsoft website.
Note
XenApp Essentials Service supports configuring machines by using Azure Resource Manager only.
Citrix Cloud
You must have a Citrix Cloud account to configure XenApp Essentials Service.
Important
XenApp Essentials Service creates Cloud Connector virtual machines automatically.
Compatibility
You can open the XenApp Essentials administration console in the following web browsers:
Google Chrome
Internet Explorer
Users connect to their apps by logging on with Citrix Receiver. XenApp Essentials Service supports the current version of
Citrix Receiver for each user device operating system, such as Windows, iOS, and Android. Users can also connect by using
Citrix Receiver for HTML5 by using any modern browser that supports HTML5.
You can download the latest version of Citrix Receiver from the Citrix website.
Known Issues
Creating the machine catalog fails if the virtual machine size is not available for the selected region. To check the virtual
machines that are available in your area, see the chart at Products available by region on the Microsoft website.
You cannot create and publish multiple instances of the same app from the Start menu at the same time.
For example, from the Start menu you publish Internet Explorer. Then, you want to publish a second instance of Internet
Explorer that opens a specific website on startup. To do so, publish the second app by using the path for the app
instead of the Start menu.
XenApp Essentials Service supports linking a subscription by using an Azure Active Directory user account. XenApp
Essentials does not support Live.com authenticated accounts.
Users cannot start an application if there is an existing Remote Desktop Protocol (RDP) session on the VDA. This
behavior only happens if the RDP session starts when no other users are logged on to the VDA.
You cannot enter a license server address longer than server.domain.subdomain.
If you perform multiple sequential updates to capacity management, there is a possibility that the updated settings will
not properly propagate to the VDAs.
If you use a non-English web browser, such as Spanish, the text appears as a combination of English and the language of
the browser.
Note
Your XenApp Essentials Citrix Cloud account cannot be affiliated with either of the following:
You can find detailed deployment instructions in the XenApp Essentials Service Deployment Guide.
The following diagram shows an architectural overview of a basic XenApp Essentials Service cloud deployment:
After you create your Azure account, you can prepare your Azure subscription.
Note
This service requires you to log on with an Azure Active Directory account. XenApp Essentials does not support other account types,
such as live.com.
When you prepare your Azure subscription, you configure the following in Azure Resource Manager:
Subscription name
Location
Create a virtual network in the resource group and provide a name for the network. Create the virtual network in Azure
Resource Manager. You can leave all other default settings. Create a standard storage account when you create the
master image.
Note: XenApp Essentials Service does not support a premium storage account.
Use an existing or create a domain controller. If you create a domain controller, do the following:
Use the A3 Standard or any other size Windows Server 2012 R2 virtual machine in the Resource Group and virtual network. This
virtual machine becomes the domain controller. If you plan to create multiple domain controllers, create an availability
set and put all the domain controllers in this set.
Assign a private static IP address to the network adapter of the virtual machine. You can assign the address in the
Azure portal. For more information, see Configure private IP addresses for a virtual machine using the Azure portal on
the Microsoft documentation website.
[Optional] Attach a new data disk to the virtual machine to store the Active Directory users and Groups and any
Active Directory logs. For more information, see How to attach a data disk to a Windows virtual machine in the Azure
portal. When you attach the disk, select all the default options to complete the settings.
Add the domain controller virtual machine's private IP address to the virtual network DNS server. For more information,
see Manage DNS servers used by a virtual network (Classic) using the Azure portal (Classic).
Add a public DNS server in addition to the Microsoft DNS server. Use the IP address 168.63.129.16 for the second DNS
server.
Add the Active Directory Domain Services role to the domain controller virtual machine. When this step is complete,
promote the domain controller virtual machine to a domain controller and DNS.
Create a forest and add some Active Directory users. For more information, see Install a new Active Directory forest
on an Azure virtual network.
If you prefer to use Azure Active Directory Domain Services instead of a domain controller, use the following guidelines.
Citrix recommends reviewing the Active Directory Domain Services Documentation on the Microsoft website.
In the Citrix Cloud, you link your XenApp Essentials Service to your Azure subscription.
After you link your Azure subscription to XenApp Essentials, upload your master image.
Important
Citrix does not recommend using a Citrix-prepared image for production deployments.
When you prepare the master image, the Virtual Delivery Agent (VDA) installs on the image automatically. The VDA
software enables the following:
VDAs are available for Windows server and desktop operating systems. VDAs for Windows Server operating systems allow
multiple users to connect to the server at one time.
Note
The VDA for Windows desktop operating systems is not supported in XenApp Essentials Service.
Image Requirements
Use the following requirements to create a master image:
Important
Do not Sysprep the image.
You create the master image by using the Azure Resource Manager. When you prepare your master image, the steps you
must take in the Azure portal are:
When you create the virtual machine, the VHD is created in the storage account you specified. When you upload the
master image, you must specify the storage account location in the XenApp Essentials console.
Create Catalogs
A catalog is similar to collections in Azure Remote App. A Citrix XenApp Essentials Service catalog lists apps and resources
that you can share with users on any device.
XenApp Essentials Service catalog uses a simpler approach to the combination of a machine catalog and a Delivery Group.
Note
XenApp machine catalog and Delivery Group creation workflows are not available in XenApp Essentials Service.
To create a catalog
1. Log on to citrix.cloud.com.
2. Select the XenApp and XenDesktop Service.
3. On the Manage tab, click Catalogs, and then click +Catalog.
4. On the Add a Catalog page, in Pick a Name, type the name of the catalog, select Domain Joined, and then click Save.
5. In Link your Azure subscription, provide your Azure subscription details. You can use a subscription you created
previously or link a new Azure subscription. To use an existing subscription, do the following:
1. In Subscription Name, select the subscription from the list.
2. In Resource Group (Region), select the resource group to which the Azure subscription belongs. Use the resource
group you created when you prepared your Azure subscription. XenApp Essentials Service creates Cloud Connectors in
the resource group.
3. In Virtual Network, select the virtual network to which the Azure subscription belongs.
The virtual network is the same one you configured when you prepared your Azure subscription. Ensure that the
virtual network can reach your domain controller by using the DNS entries.
4. In Subnet, select the subnet to which the Azure subscription belongs and then click Save.
Ensure that the subnet can reach your domain controller.
6. Under Join local domain, enter the following:
1. In Fully Qualified Domain Name, type your organization's domain name.
2. In Organizational Unit, type the OU to which users belong. Adding the OU is an optional step.
For example, OU=Essentials,DC=citrix,DC=com.
To put your computers in the default Computers container, leave this field blank. Otherwise, ensure that the specific
OU is in Active Directory.
3. In Service Account Name, type the account that has permissions to join a machine to a domain and create
machine accounts. The format for the Service Account name is the User Principal Name (UPN).
4. In Password and Confirm Password, type the password and then click Save.
7. In Choose master image, do one of the following:
1. Select Link an existing image and then do the following:
1. In Image Name, select the image.
2. Click Save.
2. Select Import a new image and then do the following:
1. In Subscription, choose the subscription.
2. In Resource Group, choose the group.
3. In Storage Account, choose the account.
4. In VHD, choose the location of the virtual hard disk.
5. In Image Name, provide a name for the master image and then click Save.
8. In Select Capacity and Manage Cost, do the following:
1. In Pick compute, select a worker role.
The worker role defines the resources used. When you specify a worker role, XenApp Essentials Service determines the
correct load per instance for you. You can use one of the options in the list or create your own custom option. The
session count is used as a scale metric.
2. In Select scale settings, do the following:
1. Set the minimum number of running instances. XenApp Essentials Service ensures that the minimum of virtual
machines are powered on all the time.
After you configure your catalog, click Start Deployment to start catalog creation. This step can take 1-2 hours. If you
specified many virtual machines, creating the catalog can take a longer time.
When the previous step is complete, you can publish apps and assign users and user groups. You need at least one published
application and one user assigned to complete creating the catalog.
To update or add applications, update the virtual machine that you used to create the catalog's master image.
To update a catalog
Publish Apps
After configuring your catalog, you can publish apps for your users. The image you installed includes apps that you can
publish.
To publish apps
After you publish apps, you can add users and groups.
Profile Management
Profile Management ensures that personal settings apply to users' virtual applications, regardless of the location of the user
device.
You can enable Profile Management by using the profile optimization service. This service provides a reliable way for
managing these settings in Windows. Managing the profiles ensures a consistent experience by maintaining a single profile
that follows the user. It consolidates automatically and optimizes user profiles to minimize management and storage
requirements. The profile optimization service requires minimal administration, support, and infrastructure. Also, profile
optimization provides users with an improved log on and log off experience.
The profile optimization service requires a file share where all the personal settings persist. You must specify the share as a
UNC path. The path can contain system environment variables, Active Directory user attributes, or Profile Management
1. In Citrix Cloud, click the Manage tab and then click Catalogs.
2. Click the name of the catalog, such as "Finance."
3. Click More Settings.
4. In Set up Profile Management in Azure subscription, type the path to the profile share. For example, type
\\fileserver\share\#sAMAccountName#
5. Click Save.
Note
When enabling Profile Management, consider further optimization of the user's profile by configuring folder redirection to minimize
the effects of the user profile size. Applying folder redirection complements the Profile Management solution. For more
information, see Microsoft Folder Redirection.
Using this UI, you can have the XenApp Essentials Service apply the license server settings. You can also configure the license
server and per user mode by using the Remote Desktop Services console on the master image. You can also configure the
license server by using Microsoft Group Policy settings. For more information, see License your RDS deployment with client
access licenses (CALs).
1. Install Remote Desktop Services License Server on one of the virtual machines that is always available. The XenApp
Essentials workloads must be able to reach this license server.
2. Activate the Remote Desktop Services License Server by using these steps.
3. Specify the license server address and per user license mode by using Microsoft Group Policy. You can also configure the
license server and per license mode in Citrix Cloud by using the following steps.
Note
If you purchased CAL licenses from Microsoft Remote Access, you do not have to install the licenses. You can purchase licenses
from Microsoft Remote Access in the Azure Marketplace along with XenApp Essentials.
1. In Citrix Cloud, click the Manage tab and then click Catalogs.
2. Click the name of the catalog, such as "Finance."
3. Click More Settings.
4. In Enter the FQDN of the license server, type the fully qualified domain name of the license server.
5. Click Save.
To allow users secure access to their published apps, XenApp Essentials Service uses NetScaler Gateway Service. This service
does not need any configuration by you. Each user is limited to 1-GB outbound data transfer per month. You can purchase
a 25 GB add-on from the Azure Marketplace. The charge for the add-on is on a monthly basis.
You can click each session to view extra details about the session such as processes, applications running, and more.
Getting Help
If you have problems with XenApp Essentials Service, open a ticket by following instructions in How to Get Help and
Support.
XenDesktop Essentials Service is designed specifically for the Azure Marketplace. Citrix and Microsoft partner to deliver an
integrated experience for XenDesktop Essentials and Azure IaaS. This partnership gives you a single interface to deliver a
complete Windows 10 digital workspace from Azure.
Citrix XenDesktop Essentials Service simplifies Windows 10 deployment. You can deploy desktops quickly, manage at scale,
and deliver a rich user access experience from a single management plane.
You manage the Windows 10 desktops by using Studio and you monitor sessions from Director. Users connect to their
Windows 10 virtual desktops by logging on with Citrix Receiver.
XenDesktop Essentials, the Citrix Cloud, and Microsoft Azure work together. During configuration, you create a Microsoft
Azure subscription. After that, you install the Citrix Cloud Connectors, which provide access to your Azure resources from
Citrix Cloud. You then create a Windows 10 master image that includes the VDA. The master image provides the template
for desktops you deliver to users.
When you complete those tasks, you create a host connection to Microsoft Azure. Studio and Director are available in
your cloud console. Use Studio and Director to manage and monitor your XenDesktop Essentials Service.
Deploy NetScaler VPX to provide secure access to Windows 10 desktops from anywhere. StoreFront is hosted from Citrix
Cloud. You provide your users with the URL.
Users connect to their desktops via Citrix Receiver, using the URL you provide. When users log on to Citrix Receiver, the
Windows 10 desktop icon appears in the StoreFront window.
Microsoft Azure
XenDesktop Essentials Service is designed to support Microsoft Azure exclusively. Your Azure environment must meet
certain minimum requirements to support XenDesktop Essentials Service:
An Azure Resource Manager (ARM) virtual network (VNet) and subnet in your preferred region
An Azure AD user with contributor (or greater) permissions within the subscription
The Citrix Cloud Connector servers must meet the following minimum requirements:
Citrix Cloud
There are two ways to establish a host connection to Azure Resource Manager:
You have a user account in your subscription's Azure Active Directory tenant.
The Azure AD user account is also a co-administrator for the Azure subscription you want to use for provisioning
resources.
1. On the Connection page, select the Microsoft Azure connection type and your Azure environment.
2. On the Connection Details page, enter your Azure subscription ID and a name for the connection. The connection
name can contain 1-64 characters. The name cannot contain only blank spaces or the characters \/;:#.*?=<>|[]{}"'()'.
After you enter the subscription ID and connection name, the Create new button is enabled.
3. Enter the Azure Active Directory account username and password.
4. Click Sign in.
5. Click Accept to give XenApp or XenDesktop the listed permissions. XenApp or XenDesktop creates a service principal
that allows it to manage Azure Resource Manager resources on behalf of the specified user.
6. After you click Accept, you are returned to the Connection page. Notice that when you successfully authenticate to
Azure, the Create new and Use existing buttons are replaced with Connected, and a green check mark indicates the
successful connection to your Azure subscription.
7. Indicate which tools to use to create the virtual machines, and then click Next. (You cannot progress beyond this page in
Use the details from a previously-created service principal to connect to Azure Resource Manager
To create a service principal manually, connect to your Azure Resource Manager subscription and use the PowerShell
cmdlets provided below.
Prerequisites:
$SubscriptionId: Azure Resource Manager SubscriptionID for the subscription where you want to provision VDAs.
$AADUser: Azure AD user account for your subscription's AD tenant.
Make the $AADUser the co-administrator for your subscription.
$ApplicationName: Name for the application to be created in Azure AD.
$ApplicationPassword: Password for the application. You will use this password as the application secret when creating
the host connection.
Login-AzureRmAccount.
Step 2: Select the Azure Resource Manager subscription where you want to create the service principal.
1. On the Connection page, select the Microsoft Azure connection type and your Azure environment.
2. On the Connection Details page, enter your Azure subscription ID and a name for the connection. The connection
name can contain 1-64 characters, and cannot contain only blank spaces or the characters \/;:#.*?=<>|[]{}"'()'.
3. Click Use existing. Provide the subscription ID, subscription name, authentication URL, management URL, storage suffix,
Active Directory ID or tenant ID, application ID, and application secret for the existing service principal. After you enter
the details, the OK button is enabled. Click OK.
4. Indicate which tools to use to create the virtual machines, and then click Next. The service principal details you provided
will be used to connect to your Azure subscription. (You cannot progress beyond this page in the wizard until you provide
valid details for the Use existing option.)
A master image is the template that will be used to create the VMs in a Machine Catalog. Before creating the Machine
Catalog, create a master image in Azure Resource Manager. For information about master images in general, see the Create
Machine Catalogs article.
The Operating System and Machine Management pages do not contain Azure-specific information. Follow the
guidance in the Create Machine Catalogs article.
On the Master Image page, select a resource group and then navigate (drill down) through the containers to the Azure
VHD you want to use as the master image. The VHD must have a Citrix VDA installed on it. If the VHD is attached to a
VM, the VM must be stopped.
The Storage and License Types page appears only when using an Azure Resource Manager master image.
Select a storage type: standard or premium. The storage type affects which machine sizes are offered on the Virtual
https://azure.microsoft.com/en-us/documentation/articles/storage-introduction/
https://azure.microsoft.com/en-us/documentation/articles/storage-premium-storage/
https://azure.microsoft.com/en-us/documentation/articles/storage-redundancy/
Select whether or not to use existing on-premises Windows Server licenses. Doing so in conjunction with using
existing on-premises Windows Server images utilizes Azure Hybrid Use Benefits (HUB). More details are available at
https://azure.microsoft.com/pricing/hybrid-use-benefit/
HUB reduces the cost of running VMs in Azure to the base compute rate since it waives the price of additional
Windows Server licenses from the Azure gallery. You need to bring your on-premises Windows Servers images to Azure
to use HUB. Azure gallery images are not supported. On-premises Windows Client licenses are currently not supported.
See https://blogs.msdn.microsoft.com/azureedu/2016/04/13/how-can-i-use-the-hybrid-use-benefit-in-azure/%23comment-145
To check if the provisioned Virtual Machines are successfully utilizing HUB, run the PowerShell command
and check that the license type is Windows_Server. Additional instructions are available at
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-hybrid-use-benefit-licensing/
On the Virtual Machines page, indicate how many VMs you want to create; you must specify at least one. Select a
machine size. After you create a Machine Catalog, you cannot change the machine size. If you later want a different
size, delete the catalog and then create a new catalog that uses the same master image and specifies the desired
machine size.
The Network Cards, Computer Accounts, and Summary pages do not contain Azure-specific information. Follow the
guidance in the Create Machine Catalogs article.
Smart Build: Deploy XenApp and XenDesktop Delivery Sites and other Citrix workloads on-premises or in the cloud using
customizable blueprints.
Smart Check: Proactively check the health of your Delivery Site for potential issues and receive notifications about
applicable component updates.
Smart Scale: Control Delivery Group scaling in your Delivery Site and associated usage costs.
Smart Migrate: Simplify migration of the applications and policies in your XenApp 6.x farm or VDI-in-a-Box 5.4 grid to a
XenApp and XenDesktop 7.x Delivery Site.
The Smart Tools Service (the Service) is designed using industry best practices to achieve cloud scale and a high degree of
service availability.
Citrix's goal is to maintain at least 99.9% availability in any 30 calendar day period. Service interruptions and scheduled
maintenance can be monitored on an ongoing basis at http://status.cloud.com.
Limitations
The calculation of this Service Level Goal will not include loss of availability from the following causes:
Customer failure to follow configuration requirements for the service documented on https://manage-docs.citrix.com/hc/en-us.
Any component not managed by Citrix including, but not limited to, customer controlled physical and virtual machines,
customer installed and maintained operating systems and software, customer installed and controlled networking
equipment or other hardware; customer defined and controlled security settings, group policies and other configuration
policies; public cloud provider failures, Internet Service Provider failures or other failures external to Citrix's control.
Service disruption due to reasons beyond Citrix's control, including natural disaster, war or acts of terrorism, government
action.
As part of your Citrix Cloud subscription, a ShareFile account will be created for you. Before you can properly use that
service, there are a few steps to do.
Provisioning Administrators
The first thing you need to do is provision administrators. When your account was created, it was provisioned with a master
administrator account. This was the first administrator added to your Citrix Cloud account. In addition to this administrator,
you can provision additional administrators. Any additional administrator provisioned within Citrix Cloud will be added to
ShareFile with administrator access.
Provisioning Users
To begin using your new ShareFile account, you must add users and configure authentication. In the Citrix Cloud
environment, you will want to enable SSO between the different components. In order to provide a seamless experience to
your end users, you will use SAML to authenticate against your Active Directory user accounts.
The ShareFile User Management Tool (UMT) makes it easy for you to add your Active Directory users into ShareFile. You can
use the tool to provision user accounts and create distribution groups from Active Directory (AD).
Importing users from Active Directory can take some time and be resource intensive. To help with this, you can schedule the
tool to run at selected times. In addition to the initial import, you can also use the tool to keep your ShareFile users
synchronized with your AD users.
Configuring Authentication
After you have imported your users into ShareFile, you must configure authentication. When using the Citrix Cloud
environment, you will want to use SSO. SSO will be done using the SAML protocol. In this environment you have two
options for configuring SAML: either using ADFS, or via XenMobile SAML authorization.
Accessing ShareFile
Now that you have configured your users and authentication, you should look at how ShareFile will be accessed. There are
two specific types of access you need to look at: administrator access and user access.
Administrator Access
As administrator, you may need to make changes to your ShareFile configuration or manage your account.
To access the ShareFile Administrator UI from the Citrix Cloud console, select the ShareFile pulldown from the menu. It will
take you to the ShareFile Web UI. You will be taken directly to the Administrator section of the UI.
Note: This is not the recommended method for accessing the ShareFile Administrator UI in a Citrix Cloud environment.
User Access
There are three options on how users will access their data in ShareFile. Data can be accessed directly using the Web UI.
The other two options depend on what other applications you have enabled. If you have XenDesktop and/or XenMobile
enabled, users can access their data through one of those applications.
On XenDesktop you will be using ShareFile Sync for Windows. ShareFile Sync for Windows can be preinstalled into your
desktop image before deploying to end users.
You must start by installing ShareFile Sync for Windows in your XenDesktop environment. You can install the client once
and have it propagated to all of the XenDesktop sessions in your environment.
ShareFile On-Demand Sync is used when you want to deploy the smallest possible data footprint into your XenApp or
XenDesktop environment. More details on deploying On-Demand Sync can be found below.
The ShareFile Service (the Service) is designed using industry best practices to achieve cloud scale and a high degree of
service availability.
Citrix's goal is that in any 30 calendar day period 99.9% of the time users can enumerate files and folders associated with
their account or download files that are hosted in Citrix-managed StorageZones. Service interruptions and scheduled
maintenance can be monitored on an ongoing basis at http://status.sharefile.com.
Limitations
The calculation of this Service Level Goal will not include loss of availability from the following causes:
Customer failure to follow configuration requirements for the service documented on https://docs.citrix.com.
Caused by any component not managed by Citrix including, but not limited to, customer controlled physical and virtual
machines, customer installed and maintained operating systems, customer installed and controlled networking
equipment or other hardware; customer defined and controlled security settings, group policies and other configuration
policies; public cloud provider failures, Internet Service Provider failures or other failures external to Citrix's control.
Service disruption due to reasons beyond Citrix's control, including natural disaster, war or acts of terrorism, government
action.
With XenMobile Service, Citrix handles the configuration and maintenance of the infrastructure onsite through the Citrix
Cloud Operations group. This separation lets you focus exclusively on the user experience and on managing devices, policies,
and apps. With XenMobile Service, you pay a subscription fee instead of purchasing and managing licenses.
Cloud Operations administrators handle maintenance and configuration of the network connectivity and NetScaler
integration. Citrix hosts the Cloud environment in data centers located throughout the world to deliver high performance,
rapid response, and support.
Get started
Note
For the full set of documentation on the XenMobile Service, including what's new with each release, see XenMobile Service.
The XenMobile Service (the Service) design uses industry best practices to achieve cloud scale and a high degree of service
availability.
The Citrix goal is to maintain at least 99.9% availability in any 30 calendar day period. You can monitor service interruptions
and scheduled maintenance on an ongoing basis at http://status.cloud.com.
Limitations
The calculation of this Service Level Goal doesn't include loss of availability from the following causes:
Customer failure to follow configuration requirements for the service documented on https://docs.citrix.com.
Caused by any component not managed by Citrix including, but not limited to the following:
Customer controlled physical and virtual machines
Customer installed and maintained operating systems
Customer installed and controlled networking equipment or other hardware
Customer defined and controlled security settings, group policies, and other configuration policies
Public cloud provider failures, ISP failures, or other failures external to the control of Citrix.
Service disruption because of reasons beyond the control of Citrix, including natural disaster, war, acts of terrorism, or
government action.
Citrix Cloud manages the control plane for XenMobile environments. This includes the XenMobile server, NetScaler
load-balancer and a MySQL database. The cloud service integrates with the customer's datacenter using the following
mechanisms:
An agent called the Citrix Cloud Connector. XenMobile Service customers who use Cloud Connector typically manage
NetScaler Gateway in their datacenters.
An IPsec tunnel between the customer's datacenter and an isolated network partition in the cloud containing
single-tenant components for that customer. For IPsec connectivity, NetScaler Gateway typically runs in Citrix Cloud.
Note
This information is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Cloud;
and to define the division of responsibility between Citrix and customers with regard to securing the Citrix Cloud deployment. It is not
intended to serve as a configuration and administration guidance manual for Citrix Cloud or any of its components or services.
Data flow
The control plane has limited read-access to user and group objects from a customer's directory and other services such as
DNS. These services are accessed over the IPsec tunnel as well as the Citrix Cloud Connector, which uses secure HTTPS
connections.
Company data, such as email, intranet, and web-app traffic, flows directly between the device and the application servers
over NetScaler Gateway deployed in the customer datacenter.
Data isolation
Credential handling
User credentials: User credentials are transmitted from the device to the control plane over an HTTPS connection. The
control plane validates these credentials with a directory in the customer directory over a secure IPsec tunnel.
Administrator credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix
Online. This generates a one-time signed JSON Web Token (JWT), which gives the administrator access to the XenApp
and XenDesktop Service.
Active Directory credentials: The control plane requires bind-credentials to read user meta-data from Active Directory.
These credentials are encrypted using AES-256 encryption and saved in a per-tenant database.
Deployment considerations
Citrix recommends that users consult the published best practices documentation for deploying NetScaler Gateway and
IPsec gateways within their environments. For additional considerations regarding network connectivity with IPsec, see
IPsec prerequisites and administration.
The XenMobile MDX Service currently uses MDX version 10.4.10 for wrapping apps.
For information about MDX, the traditional MDX wrapping process using the MDX Toolkit, and a description of signing
assets that are required, see:
We encourage you to provide us with feedback on your experience in the Citrix Discussions Forum.
1. Sign up for Citrix Cloud by requesting a trial if you do not already have a Citrix Cloud account. For details on signing up,
see Citrix Cloud sign-up.
2. After you set up an account and log on to Citrix Cloud, on the navigation bar, click Lab Services. Then, under
XenMobile MDX Service, click Try It.
To use the XenMobile MDX Service, upload the application package binary and the required signing assets. Then, verify the
app details and modify the attributes, as necessary. You can then download the wrapped application package.
The following sections give more details for iOS and Android apps.
3. After the .ipa file uploads to the XenMobile MDX Service and is processed successfully, a Verify App Details screen
appears.
a. Optionally, change the App Name, Minimum OS Version, and Maximum OS Version.
Provisioning Profile
Certificate
Certificate Password
To collect the iOS Provisioning Profile and Certificate, follow the steps in this support article:
https://support.citrix.com/article/CTX2204801
4. After the XenMobile MDX Service uses the signing assets to modify the app, the Create Mobile App screen appears.
Optionally, you can change the bundle ID of the mobile app.
a. Optionally, change the App Name, Minimum OS Version, and Maximum OS Version.
Keystore
Keystore Password
Alias Name
Alias Password
To collect the Keystore and Alias Name, follow the steps in this support article:
https://support.citrix.com/article/CTX220480
5. Download the wrapped MDX application package (.mdx file). You can also download the file later from the Jobs tab.
If users access a web app by using Secure Browser, the app appears in the pre-determined browser within a Citrix Receiver for HTML5 session.
Users cannot enter a different URL within the session. The website does not directly transfer any data to or from the endpoint device, so the
experience is secure.
There are three options for publishing applications by using Secure Browser Service:
Publishing authenticated external web apps and internal web apps requires a resource location and a Citrix Cloud Connector.
Also, for internal web apps, a NetScaler Gateway address is needed before creating the Secure Browser Service apps.
Security features include watermarking and URL whitelisting. Usage monitoring has also been enabled.
Using Secure Browser Service
1. From the Citrix Cloud home page, under Services, click Manage for Secure Browser Service. You are taken to the Secure
Browser Overview page or the Manage page.
2. To publish a web app from the Overview page, select Let's Get Started. To publish a web app from the Manage page,
click Publish a Web App.
3. Select the External Unauthenticated option.
4. Give the web app a name.
5. Specify the URL for the application you want to share.
6. Choose the browser and version that provides the best experience from the drop-down.
7. Choose the region of the VDA workload that hosts the browser.
8. Click Publish.
9. From the Manage tab, you can start the web app to test by clicking ...Action Menu and selecting Launch Web App.
10. After you test the app, copy the URL in the browser to share with your users.
For more information about how to configure NetScaler Gateway, see "Configure NetScaler Gateway for Secure Browser Service."
1. Ensure you set up a resource location and a Citrix Cloud Connector, along with configuring the NetScaler Gateway address.
2. On the Secure Browser Service Manage page, select Settings.
3. Provide the NetScaler Gateway address and then click Save Changes.
4. To publish a web app from the Manage page, click Publish a Web App.
5. Select the Internal option.
6. Give the web app a name.
7. Specify the URL for the application you want to share.
Note: Internal web apps are supported on the Google Chrome browser only.
8. Select the region of the VDA workload that hosts the browser.
9. Click Publish.
10. On the Manage tab, the published app appears and you receive a prompt to add the web app to a Library to complete publishing. For
more information about creating a library, see "Assigning users and groups to service offering using Library in Citrix Cloud."
11. On the Manage tab, you can start the web app to test by clicking the ...Action Menu and selecting Launch Web App.
12. After you test the app, copy the URL in the browser to share with your users.
For more information about managing Libraries, see "Assigning users and groups to service offerings using Library in Citrix Cloud."
For more information about managing subscribers, see "What is Identity and Access Management?"
The Clipboard security setting allows enabling or disabling Clipboard functionality within the published web application
session. Clipboard functionality is enabled by default for all published web applications. To disable (or re-enable) this feature
on a published web app, follow these steps.
1. From the Secure Browser Service Manage page, select the ... Action Menu for the published internal or external
authenticated web app you want to disable or enable the Clipboard functionality.
2. Select Security Settings.
3. Disable (or Enable) the Clipboard setting and click OK.
Disabling the clipboard functionality ensures that users cannot copy content in or out of the published web application
session from or to the local endpoint machine. The Disable setting removes the Open Clipboard button from the Receiver
for HTML5 toolbar.
You can enable printing for each published app. In a printing-enabled Secure Browser session, users can print web app
content to their local printer by using the Citrix Receiver for HTML5 PDF printing feature. Users can start the print job by
pressing CTRL+P and then selecting the Citrix PDF printer in the Print dialog box. The print job converts to a PDF file and
opens on the user device. Users can then send the document to their local printer.
Note
If you enable the watermark feature for a published web app, then the printing feature is disabled.
1. On the Secure Browser Service Manage page, on the Manage tab, click the ellipsis (...) icon next to the published app and
then select Security Settings.
2. Enable or disable the Printing setting and then click OK.
Watermarking published web applications is an advanced security feature available for external authenticated applications
and internal applications. To enable this feature on a published web app, follow these steps.
1. From the Secure Browser Service Manage page, select the ... Action Menu for the published internal or external
authenticated web app you want to enable the watermark feature.
2. Select Security Settings.
3. Enable the Watermark setting and click OK.
URL Whitelisting
The URL whitelisting feature is available for internal and external authenticated web apps. This feature restricts users to
visiting only whitelisted URLs within their published web app session.
1. From the Secure Browser Service Manage page, select the web app ... Action Menu and Security Settings option.
2. Enter the Whitelist entries following a <domain name>:<port number> format.
3. For example, to set http://example.com as a whitelisted URL:
example.com:* - This format allows connection to this URL from any port.
example:80 - This format allows connection to this URL only from port 80.
*:* - This format allows example.com to be accessed on any port and any links to the other URLs and ports on
example.com
Note: The *.* entry allows access to all external web apps from the published app. This format is the default setting for
the external web apps URL whitelist field.
4. You can specify multiple entries by entering each entry on a new line.
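The entry format described above lends itself to a pre-deployment review of a whitelist before it is pasted into Security Settings. The following is an added example, not Citrix code: it parses entries in the <domain name>:<port number> format, flags entries that widen access (including the allow-all default), and checks sample URLs against the list. The matching rules (exact host match, default ports 80 and 443, rejection of partial wildcards) and all function names are assumptions made for illustration; the sample whitelist is constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Entry:
    host: str  # lower-cased domain name, or "*" for any host
    port: str  # port number as text, or "*" for any port

    def __str__(self):
        return f"{self.host}:{self.port}"


def parse_entry(line):
    """Parse one '<domain name>:<port number>' entry; raise ValueError if malformed."""
    text = line.strip()
    host, sep, port = text.rpartition(":")
    if not sep or not host or not port or "/" in text:
        raise ValueError(f"expected <domain name>:<port number>, got {text!r}")
    valid_number = port.isascii() and port.isdigit() and 1 <= int(port) <= 65535
    if port != "*" and not valid_number:
        raise ValueError(f"port must be 1-65535 or *, got {text!r}")
    if "*" in host and host != "*":
        # Assumption: partial wildcards are not described on the page, so reject them.
        raise ValueError(f"partial wildcard host not handled here: {text!r}")
    return Entry(host.lower(), port)


def parse_whitelist(text):
    """Return (entries, errors) for a multi-line whitelist, one entry per line."""
    entries, errors = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entries.append(parse_entry(line))
        except ValueError as exc:
            errors.append(str(exc))
    return entries, errors


def permits(entries, url):
    """True if the URL's host and effective port match at least one entry."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return False
    effective = str(port if port is not None else DEFAULT_PORTS[scheme])
    host = parts.hostname.lower()
    return any(e.host in ("*", host) and e.port in ("*", effective) for e in entries)


def audit(entries):
    """Return (entry, finding) pairs for entries a reviewer should look at twice."""
    findings = []
    for e in entries:
        if e.host == "*" and e.port == "*":
            findings.append((str(e), "allows every host on every port"))
        elif e.host == "*":
            findings.append((str(e), "allows every host on this port"))
        elif "." not in e.host:
            findings.append((str(e), "single-label host; confirm it is not a truncated domain"))
        elif e.port == "*":
            findings.append((str(e), "allows every port on this host"))
    return findings


# Constructed sample: the page's three example entries, one narrow entry, one malformed line.
SAMPLE = """\
example.com:*
example:80
intranet.example.com:443
*:*
http://example.com
"""

if __name__ == "__main__":
    entries, errors = parse_whitelist(SAMPLE)
    for entry, finding in audit(entries):
        print(f"REVIEW  {entry:<28} {finding}")
    for error in errors:
        print(f"INVALID {error}")
```

With the allow-all entry present, every http and https URL is permitted regardless of the narrower entries, which is why the audit reports it first.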
Usage Monitoring
To monitor the usage of the web apps, go to the Usage tab from the Secure Browser Service page. The Summary shows
you:
Clicking Export to CSV and selecting a timeframe provides a spreadsheet with usage details.
Secure Browser Navigation
When in a web app, users can navigate back or forward by using the local browser navigation controls. During a session, if users click either
the back or forward buttons, the HDX protocol transmits the request to the remote browser session.
For more information on how to deploy a NetScaler VPX, refer to the NetScaler VPX Deployment Guides.
These steps will describe a configuration to allow remote access with single sign on:
1. On a web browser, enter the NSIP (Management IP address) of the NetScaler VPX appliance that has been installed on
your XenServer.
5. Click Add.
12. Select the LDAP policy, click Continue and click Bind.
13. The LDAP policy has been set as the primary authentication method. Now add the STA servers.
16. Enter the connector 1 address in the Secure Ticket Authority Server text box and select IPV4 as the address type.
19. The State column will show green if the connection to connector 1 is healthy.
20. Optional: add a second connector for availability by selecting Add Binding.
23. You are done configuring the virtual server. Click Done.
24. Ensure the status of Virtual Server is up. If it is up (green), save the configuration. Click the Save icon.
Now that the NetScaler Gateway has been successfully configured, you can log out from the NetScaler Gateway
Management console.
Cloud Service
The Secure Browser Service consists of web browsers running on Virtual Delivery Agents (VDAs) along with the control
plane used to manage and connect users to these VDAs. Citrix Cloud manages the operation of these components,
including the security and patching of operating systems, web browsers, and Citrix components.
While using Secure Browser Service, hosted web browsers may track users' browsing history and perform caching of HTTP
requests. Citrix uses mandatory profiles and ensures that this data is deleted when the browsing session ends.
Secure Browser Service is accessed with an HTML5-compatible web browser. The service does not provide any
downloadable clients. All traffic between the browser being used and cloud service is encrypted using industry-standard
TLS encryption. Secure Browser supports TLS 1.0, 1.1, and 1.2.
Web Applications
Secure Browser is used to deliver web applications owned by the customer or a third party. The owner of the web
application is responsible for its security, including patching the web server and application against vulnerabilities.
Security of the traffic between Secure Browser and the web application depends on the encryption settings of the web
server. To protect this traffic as it flows over the Internet, administrators should publish HTTPS URLs, and install an SSL
certificate from a publicly-trusted Certificate Authority on the server hosting the web application.
Note
This document is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Cloud; and
to define the division of responsibility between Citrix and customers with regard to securing the Citrix Cloud deployment. It is not
intended to serve as a configuration and administration guidance manual for Citrix Cloud or any of its components or services.
The purpose of the LUI service is to make it easy for Citrix Service Provider partners to understand which Citrix products are
in use and at what capacity. Only CSP partners have access to the LUI service.
Automatically collect and aggregate product usage information from Citrix license servers
Easily view which users are accessing your XenApp and XenDesktop deployments each month
Optimize license costs by identifying and tracking a list of free users
View and understand your historic business with Citrix
Getting Started
Features
Technical Details
FAQ
The LUI service does not support the Citrix License Server Virtual Appliance (VPX based license server). In the future, the
virtual appliance license server will also be supported with the LUI service.
It may take up to 24 hours for a newly updated license server to appear in the LUI service.
When usage data is uploaded from a license server, it's processed and stored in a secure fashion such that it can be
accessed at a later date by the LUI service. Today that process may take up to 24 hours.
By default, usernames associated with XenApp and XenDesktop license checkouts will be securely phoned home to
Citrix.
Usernames are phoned home so CSP partners can take full advantage of LUI features and the CSP licensing program
which supports free users for trial, test and administrative product use.
User information is limited to a single user@domain entry, no additional personal identifiable data is phoned home. Citrix
will never share this information.
For partners sensitive to uploading username information, this functionality can be disabled on the Citrix License Server
using the username anonymization feature.
Download the latest license server. In-place upgrade of Citrix License Servers is simple and fast. If you haven't already, read
about the latest license server.
Before signing in, you'll need to sign up for a Citrix Cloud account. Follow these steps to get signed up and signed in to
Citrix Cloud for the first time.
Sign up for Citrix Cloud - Visit onboarding.cloud.com to create an account using your myCitrix credentials. When creating
your account, use the same myCitrix login credentials used to allocate and download Citrix Licenses from citrix.com.
Citrix Cloud will email the address associated with your myCitrix login.
The service knows about each license server based on license allocation data stored in the Citrix back office. Using this data,
LUI presents a list of active license servers.
If the license server is updated and successfully reporting, it will be identified as "reporting" in the service. A timestamp of
the most recent upload is also provided.
To be compliant with Citrix Service Provider license guidelines, all active license servers must be updated and reporting. The
license server status feature helps service providers through that process by identifying which license servers still need to be
updated.
Usage collection: Allows you to understand product usage through automated data collection and aggregation, with no need
to deploy additional tools.
The service will automatically aggregate product usage across all Citrix license servers to provide a complete view of usage
across all deployments.
The Citrix License Servers will collect and track product license usage and report it back to Citrix using a secure phone home
channel. This automated approach provides a constant stream of updated usage data available to Citrix Service Providers -
saving time and allowing partners to better understand usage trends within their deployments.
LUI equips Citrix Service Providers with a comprehensive view of product usage across deployments while still allowing them
to take full advantage of the Citrix Service Provider license program that supports trial, test and administrative users.
Historical views deliver valuable business insight. Citrix Service Providers can quickly understand how their business with Citrix
is trending and which products are seeing the most growth across their customers and subscribers.
Version v11.13.1.2 and later of the Citrix License Server contain key features that are important for CSP partners.
Optimized usage collection: Version v11.13.1.2 of the license server contains new functionality that optimizes
licensing behavior and tracking to better support Citrix Service Providers.
Call home: Version v11.13.1.2 of the license server is equipped with call home features that enable automated product
usage collection for CSP partners. These features are exclusive to Citrix Service Provider partners and will only be
activated when a CSP license is detected on the license server.
Upgrading your Citrix License Servers to use the License Usage Insights Service
By default, usernames associated with XenApp and XenDesktop license checkouts will be securely phoned home to Citrix.
Usernames are phoned home so CSP partners can take full advantage of LUI features and the CSP licensing program, which
supports free users for trial, test, and administrative product use.
User information is limited to a single user@domain entry, no additional personal identifiable data is phoned home. Citrix
does not share this information.
For partners sensitive to uploading username information, username anonymization can be enabled. When active, username
anonymization will convert readable usernames into unique strings using a secure and irreversible algorithm prior to upload.
The LUI service will use these unique identifiers to track product usage instead of the actual usernames. This approach
allows service providers to take advantage of month-to-month insights without visibility into the actual usernames in the
cloud service UI.
<Configurations>
  <UsageBasedBillingScramble>1</UsageBasedBillingScramble>
</Configurations>
When CSP home is activated on a Citrix License Server, it uploads the following information daily:
Note: Citrix Service Provider partners can inspect the last uploaded payload on their license server to fully understand all of
the details.
Location:
Note: Successful uploads will be deleted except for the last one. Unsuccessful uploads will linger on the disk until a
successful upload, which will delete all but the last one.
What information is being phoned home? Can I view the information my license servers are sending to
Citrix?
Yes, you may view an exact copy of the information being phoned home to Citrix. Please see Using the License Usage
Insights Service.
Is the LUI service available to Citrix customers or partners that are not Citrix Service Providers?
No. The LUI service is only available to Citrix Service Provider partners with an active partner agreement.
No. Under the Citrix Service Provider license agreement, all Citrix License Servers are required to phone home product usage.
Partners sensitive to the phone home use case can use the username anonymization feature documented here.
Will I be billed based on the product usage shown in the LUI service?
No. The LUI service helps partners understand their product usage so they can report it quickly and accurately to their Citrix
distributor. CSP partners will continue to be billed based on the product usage they report to their Citrix distributor. Citrix
distributors will continue to own the billing relationship with CSP partners.
Are all Citrix products supported by the LUI service - ShareFile, NetScaler and CloudPortal Services Manager?
The LUI service currently supports XenApp and XenDesktop product usage. In the future, there will be additional products
supported.
It's a free service provided by Citrix. There are no plans to charge for the LUI service.
To get help with the LUI service, open a ticket from within the service. Sign in to Citrix Cloud, navigate to the LUI service, and
open a ticket from the navigation bar as shown.
No setup is required. The administrator logs into Citrix Cloud with a free or paid account and publishes a Microsoft Access
database in a few simple steps. The administrator then generates a friendly URL to access the Microsoft database reports
and forms to share with end users.
When a user accesses the reports or forms using the Citrix Launch for Microsoft Access Service, an instance of Microsoft
Access Runtime is created and hosted in the cloud. The database reports and forms render just like any regular Microsoft
Access application, but they open within a Citrix Receiver for HTML5 session.
The user does not have the option to open a different database and the web site does not directly transfer any data to or
from the end-point device, so the experience is secure.
Important
The Citrix Launch for Microsoft Access Service is currently offered for evaluation purposes only. Do not publish a Microsoft Access
database containing any personal or sensitive information.
Deploying Microsoft Access databases for reports and forms requires packaging and installing the databases, together with
additional templates, third-party report writers and the correct runtime version of Microsoft Access, on every
endpoint Windows desktop. As a result, IT departments are required to re-package and redistribute any updates to all
endpoint Windows desktops, causing downtime.
Citrix Launch for Microsoft Access simplifies the distribution and launch experience. Administrators can upload their
databases and provide access to end users with zero endpoint installation, and end users can access their databases
from any device. For example, you can interact with your Microsoft Access forms from a Mac.
As an administrator, you can provide access to your Microsoft Access database reports for your users in just a few steps.
Currently this service supports Microsoft Access 2013 Runtime.
1. Log in to Citrix Cloud, navigate to the Labs section and select Citrix Launch for Microsoft Access.
2. To publish a Microsoft Access database, select Publish Microsoft Access app.
3. Give the database deployment a name.
4. Upload the database file. There is a 1 GB file size limit.
5. Click Publish.
You can now share the custom URL with your users and they will have access to Microsoft Access reports and forms,
regardless of the endpoint device they are using.
The Session Manager Lab requires that you have a XenApp and XenDesktop Service account within Citrix Cloud and the
ability to create an on-premise StoreFront. For more information on how to buy or request a trial of the XenApp and
XenDesktop Service, go to the Citrix Cloud product page.
The applications delivered through this service are pre-launched and delivered by an anonymous StoreFront and published
to an anonymous Delivery Group.
In order to use Session Manager, you need to configure a few settings with an on-premise StoreFront and XenApp and
XenDesktop Service.
2. Set up NetScaler Gateway as an ICA proxy (no authentication or session policies are needed). This can be configured in
the XenApp and XenDesktop Service by clicking the Manage tab. Under Configuration on the left, click StoreFront and
under the right pane select Set NetScaler Gateway.
4. Bind Citrix Cloud Connectors as Secure Ticket Authority (STA) servers to NetScaler Gateway.
2. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
3. Select the Stores node in the left pane of the Citrix StoreFront management console and in the Actions pane, click
Create Store.
4. On the Store Name page, specify a name for your store, select Allow only unauthenticated (anonymous) users to
access this store and click Next.
b. Point the on-premise StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors. For transport select HTTP
and port 80. The StoreFront machine must be able to directly access the connector through the fully qualified domain
name (FQDN).
The unauthenticated store is now available for use. For more information, see Create an unauthenticated store.
3. Select Allow any authenticated users to use this Delivery Group. Then select the Give access to unauthenticated
(anonymous) users: no credentials are required to access StoreFront option. Click Next to complete the steps. For
more information, see Create Delivery Groups.
Note: When selecting an application to prelaunch on the Session Manager UI, make sure that the application is assigned to
only one Delivery Group. The application must not be provided by multiple Delivery Groups. For more information, see
Applications.
2. From the Manage page, you can edit or activate your anonymous Delivery Groups.
If you have questions or need additional information about this Lab, refer to the Discussions site.
Prerequisites
1. Buy Office 365 Business Plan from Microsoft
2. Integrate on-premises Active Directory with Azure Active Directory using Azure AD Connect. Citrix Provisioning for
Microsoft Office 365 currently supports synchronized and federated identity models to set up and manage user
accounts.
Step 2: Access the Citrix Provisioning for Microsoft Office 365 service
Go to the Labs section in the navigation bar of the Citrix Cloud control center to view the list of available labs services.
Select Citrix Provisioning for Microsoft Office 365 service.
In order to connect Citrix Cloud to your Office 365 account, you will be redirected to the Microsoft site, where you will have to
log in using your Office 365 credentials.
In order to connect on-premises Active Directory to Citrix Cloud, you need to install a Cloud Connector in your resource
location. More details on what a resource location is can be found here.
We recommend installing two Cloud Connectors for high availability on physical or virtual Windows Server 2012 R2 or
later that are joined to the domain. More details on the Cloud Connector can be found here.
You can now assign Office 365 licenses along with other Citrix apps and services using Library. Follow the steps below to deliver
these apps and services.
Select the Office 365 plan along with other Citrix Services that you may have.
You can view this information using the User List and License Usage tabs in the service UI as shown below.
Q2. Who can access the Office 365 service in Citrix Cloud and from what source?
Anyone can access the service using the Citrix Cloud Labs section.
Q3. What is the cost of using Office 365 from within Citrix Cloud?
Citrix Cloud does not charge to integrate your Office 365 account with Citrix Cloud.
Q4. Can I manually create users in the Office 365 administrator panel and then use Citrix Cloud to provision licenses?
No. Citrix Provisioning for Microsoft Office 365 Service in Citrix Cloud only supports integration with directory services. For
this the administrator needs to install Microsoft Azure Active Directory Connect to sync the on-premises identities to Azure
AD. Once synchronization is enabled you will be able to see the users in the Citrix Cloud Office 365 console. You can then
provision licenses to users along with other services.
Q5. Who is responsible for maintaining the users sync process between on-premises AD and Azure AD?
The IT administrator is responsible for keeping the sync process running and updated.
Q6. Does this service support both users and groups license assignment for Office 365?
No. At present the service only supports user subscription license assignment.
Q8. How can the end user access the assigned Office 365 plans?
The end user can access Office 365 using https://login.microsoftonline.com/ or any other method provided by Microsoft.
Comprehensive Security: It provides protection against web application attacks using SQL Injection, Cross Site Scripting,
Blacklisted and Whitelisted URLs/applications, Signatures and IP Reputation etc.
Fast Deployment: Click & Protect in less than 5 clicks, from first-time login to protection. This service configuration is
Application and Service centric.
Ease of Use: It is quick and easy to deploy, manage, and report using a simplified GUI.
Lower operational expenses: The service is managed by Citrix, saving admin and on-premise equipment costs.
1. Users can access this service through the Citrix Cloud interface. User authentication happens when a user connects to
the Citrix Cloud service.
2. All user information such as certificates/keys are stored in a secure Citrix vault so that the certificates/keys are not
left unencrypted.
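The service asks for a certificate, a key and an SSL pass phrase (for example waf.cert and waf.key) when a domain is added. As an added example, not part of the Citrix documentation, this Python check confirms locally that the key is passphrase-protected on disk and that the passphrase and certificate match it before upload; the function names and the throwaway sample pair generated with the openssl CLI are assumptions of this example.

```python
import ssl
import subprocess
import tempfile
from pathlib import Path


def key_is_encrypted(key_path):
    """True if the PEM private key is passphrase-protected (PKCS#8 or legacy)."""
    pem = Path(key_path).read_text()
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem


def check_bundle(cert_path, key_path, passphrase):
    """Return a list of problems; an empty list means the bundle is ready."""
    problems = []
    if not key_is_encrypted(key_path):
        problems.append("private key is stored unencrypted on disk")
    try:
        # load_cert_chain decrypts the key and verifies it matches the certificate.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(str(cert_path), str(key_path), password=passphrase)
    except ssl.SSLError as exc:
        problems.append(f"passphrase wrong or key does not match certificate: {exc}")
    return problems


def make_constructed_pair(directory, name, passphrase):
    """Create a throwaway self-signed pair with the openssl CLI (sample data only)."""
    cert = Path(directory) / f"{name}.cert"
    key = Path(directory) / f"{name}.key"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-days", "1",
         "-subj", f"/CN={name}.example.test", "-keyout", str(key),
         "-out", str(cert), "-passout", f"pass:{passphrase}"],
        check=True, capture_output=True)
    return cert, key


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_constructed_pair(tmp, "waf", "constructed-pass")
        other_cert, _ = make_constructed_pair(tmp, "other", "constructed-pass")
        print("matching pair:", check_bundle(cert, key, "constructed-pass"))
        print("mismatched pair:", check_bundle(other_cert, key, "constructed-pass"))
        print("bad passphrase:", check_bundle(cert, key, "wrong-pass"))
```

For real files, call check_bundle with the paths to your own certificate and key and read the passphrase from a prompt rather than a command-line argument.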
For more information about NetScaler MAS, Load Balancing, and Application Firewall, see:
http://docs.citrix.com/en-us/netscaler-mas/12/getting-started-with-mas.html,
http://docs.citrix.com/en-us/netscaler-mas/12/deploy-netscaler-mas.html,
http://docs.citrix.com/en-us/netscaler/11-1/load-balancing/load-balancing-how-it-works.html,
and http://docs.citrix.com/en-us/netscaler/12/application-firewall/configuring-application-firewall.html
NetScaler Web App Security Service is designed with industry best practices to achieve cloud scale and a high degree of
service availability.
You can add Web App Security Service by contacting your Citrix sales representative or through a request form on Citrix
Cloud.
1. Go to https://netscalerappsecurity.cloud.com. Log in with your Citrix Cloud account user credentials. The following
page is displayed. If you have purchased a license to use the service, the NetScaler Web App Security Service page is
2. Click Get Started. The NetScaler Web App Security Service Domains page is displayed.
3. Click Add. The Add Domain page is displayed. Enter the Name and Domain. Upload the SSL Certificate and SSL key
files, for example, waf.cert and waf.key. Enter an SSL Pass Phrase and then click Create. The domain is added to the list of
domains as shown below.
5. Select the newly added Domain and click Manage Applications. Ensure that you change the CNAME provided by the
WAF service for the newly created domain. This changes the DNS record address for the CNAME. The IP address of the backend
server is populated as shown below. Click Close.
7. Select an application and click Security Service Profile. The following Application Firewall profile information is
displayed, as shown in step a.