https://community.stage.citrix.com/rss/1-citrix-tech-zone-document-history.xml/The following describes important changed to the Citrix Tech Zone documentaiotn. To receive notification about these updates, subscribe to the RSS feed.enhttps://community.stage.citrix.com/tech-zone/automation/automation-handbook-2601-part6/The Citrix Automation Handbook - Part 6In the first part of the Citrix Automation Handbook, we discuss the Citrix Automation story and the basics of Infrastructure-as-Code, of Continuous Integration/Continuous Deployment (CI/CD) strategies, and our main IaC tools: Packer, Terraform, and Ansible. In the second part of the Citrix Automation Handbook, we focus on: Applying automation and infrastructure-as-code in the Citrix universe. We discuss all relevant components and provide code examples from real environments Best practises for designing an environment for automation and IaC use, and discuss deployment tips In the third part of the Citrix Automation Handbook, we discuss common and special use cases, as well as complete deployment examples from the field. In the fourth part of the Citrix Automation Handbook, we cover creating a Citrix Virtual Apps and Desktops 2507 LTSR deployment on XenServer 8.4 In the fifth part of the Citrix Automation Handbook, we cover creating a Citrix DaaS deployment on Azure In this part, we cover some final topics. Part 6 Let´s look at some final thoughts about using Automation and Infrastructure-as-Code in the Citrix Universe ConclusionDeploying Citrix infrastructure without Infrastructure-as-Code and automation is like navigating a storm without a compass. By embracing IaC, your organization gains predictability, speed, and governance—turning your infrastructure from a liability into a strategic asset. It’s not just about technology; it’s about enabling the business to deliver secure, high-performance apps and desktops at scale, with confidence. Instead of manual clicks and scripts scattered across teams, every component in your Citrix estate is defined, validated, and governed through code. This code is version-controlled, peer-reviewed, and automatically tested before deployment. With a single command, the entire Citrix stack spins up consistently—whether in the cloud, on-premises, or hybrid. But the evolution doesn’t stop at automation. For the last decade, automation was the bridge—the gap separating modern operations from legacy systems. Today, policy-driven infrastructure and AI-assisted intelligence are extending that bridge even further. Once your Citrix environment is expressed as code and governed by declarative policy, you unlock the next stage of operational maturity: infrastructure defined by intent, not manual effort Automated policy enforcement for security, cost, and performance baselines AI-driven recommendations, remediation, and continuous optimization Self-healing, self-scaling, and context-aware decision making across the Citrix control plane In other words: automation gets you consistency; policy + AI gets you intelligence. An organization that never crossed the automation bridge is already behind. But those who embrace IaC, policy-as-code, and AI-driven operations position themselves for compound acceleration, enabling their Citrix infrastructure to operate with predictability, resilience, and adaptability that legacy environments cannot match. This handbook is intended to: Provide an overview of the possibilities Citrix currently offers in Infrastructure-as-Code and Automation Show examples from real-world projects Provide insights and samples touching the three main IaC frameworks Explain CI/CD strategies for deploying and updating Citrix infrastructure Illustrate how policy-as-code and AI-driven intelligence become the natural next evolution once IaC is in place Important The Citrix Automation Handbook is a living document. We will add, edit, remove, and alter parts if necessary. AcknowledgementsThank you to all my colleagues who helped me create this handbook. They provided invaluable insights, experience, knowledge, and ideas: Avijit Gahtori Zhuolun Lin Sourav Samanta Sameer Sharma Special thanks for providing invaluable information and granting me access to their repositories to: Alan Goldman Konstantinos Kaltsas Rody Kossen Jason Samuel LinksAutomation Landing Zone Citrix GitHub repository for Terraform Citrix GitHub repository for Ansible Citrix GitHub repository for Packer Citrix NetScaler GitHub repository That completes Part 6 of the Citrix Automation Handbook. In the first part of the Citrix Automation Handbook, we discuss the Citrix Automation story and the basics of Infrastructure-as-Code, of Continuous Integration/Continuous Deployment (CI/CD) strategies, and our main IaC tools: Packer, Terraform, and Ansible. In the second part of the Citrix Automation Handbook, we focus on: Applying automation and infrastructure-as-code in the Citrix universe. We discuss all relevant components and provide code examples from real environments Best practises for designing an environment for automation and IaC use, and discuss deployment tips In the third part of the Citrix Automation Handbook, we discuss common and special use cases, as well as complete deployment examples from the field. In the fourth part of the Citrix Automation Handbook, we cover creating a Citrix Virtual Apps and Desktops 2507 LTSR deployment on XenServer 8.4 In the fifth part of the Citrix Automation Handbook, we cover creating a Citrix DaaS deployment on Azure In this part, we covered some final topics. DisclaimerMost important All code snippets mentioned in this handbook were thoroughly tested and run in a sandbox environment. All shown Packer, Terraform, Ansible Playbooks, and PowerShell scripts were tailored exclusively for the environment used for this handbook. You need to adjust all settings, values, snippets, etc., in the most suitable way tailored to your requirements, regulations, and existing environments. All settings, scripts, and code examples listed in this document are intended only to illustrate the possibilities and serve as a basis for your own deployment. We tried to show different ways, even if they were not always in line with best-practice guidelines, such as unencrypted WinRM communication for demonstration purposes. Using all the provided code snippets is at your own risk – please read the disclaimer below for further information. EXCEPT WHERE EXPRESSLY PROVIDED OTHERWISE BY CLOUD SOFTWARE GROUP, THE CONTENT IN THIS DOCUMENT IS PROVIDED “AS IS” AND CLOUD SOFTWARE GROUP HEREBY DISCLAIMS ALL EXPRESS OR IMPLIED REPRESENTATIONS, WARRANTIES, GUARANTIES, AND CONDITIONS, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. CLOUD SOFTWARE GROUP MAKES NO REPRESENTATIONS, WARRANTIES, GUARANTIES, OR CONDITIONS AS TO THE QUALITY, SUITABILITY, TRUTH, ACCURACY, OR COMPLETENESS OF ANY OF THE CONTENT CONTAINED ON THE WEBSITE. The above disclaimer applies to any damages, liability, or injuries caused by any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communication line failure, theft or destruction of or unauthorized access to, alteration of, or use, whether for breach of contract, tort, negligence or any other cause of action.Wed, 21 Jan 2026 09:14:10 +0000https://community.stage.citrix.com/tech-zone/automation/automation-handbook-2601-part5/Wed, 21 Jan 2026 09:13:42 +0000https://community.stage.citrix.com/tech-zone/automation/automation-handbook-2601-part4/Wed, 21 Jan 2026 09:13:09 +0000https://community.stage.citrix.com/tech-zone/automation/automation-handbook-2601-part3/Wed, 21 Jan 2026 09:12:37 +0000https://community.stage.citrix.com/tech-zone/automation/automation-handbook-2601-part2/Wed, 21 Jan 2026 09:12:09 +0000https://community.stage.citrix.com/tech-zone/automation/automation-handbook-2601/Wed, 21 Jan 2026 09:11:00 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/unicon-licensing-guide/Thu, 15 Jan 2026 13:10:00 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/avoid-daas-resiliency-misconfiguration/Fri, 09 Jan 2026 14:35:00 +0000https://community.stage.citrix.com/tech-zone/automation/masterimage-iac-packer-ansible-chocolatey-github/Thu, 08 Jan 2026 11:40:33 +0000https://community.stage.citrix.com/tech-zone/automation/iac-cvad2507-vsphere8/Wed, 19 Nov 2025 15:54:00 +0000https://community.stage.citrix.com/tech-zone/automation/iac-cvad2507-xenserver8/Wed, 19 Nov 2025 13:08:00 +0000https://community.stage.citrix.com/tech-zone/design/reference-architectures/citrix-integration-for-windows-365/Fri, 31 Oct 2025 04:04:00 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/csa-ce/Wed, 17 Sep 2025 17:01:00 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/csa-ce/Wed, 17 Sep 2025 16:29:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/unicon-scout-sso/Thu, 14 Aug 2025 13:49:06 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/mcs-for-amazon-wsc/OverviewIn this Deployment Guide, we will walk you through the process of deploying Citrix MCS for Amazon WorkSpaces Core Managed Instances environments. The new integration introduces an Amazon WorkSpaces Core Host Connection type, which allows Citrix MCS to manage the power and lifecycle of VDAs across Amazon WorkSpaces Core environments. What´s NewWith this new product, we’re expanding Citrix MCS non-persistent and persistent provisioning capabilities to work with Amazon WorkSpaces Core Managed Instances environments. Here’s what’s now possible: Non-Persistent and persistent Workload Management: power management and provisioning of non-persistent and persistent WorkSpaces instances VM and Image lifecycle management (create, view, update, delete) Bring existing AWS EC2 AMIs to use as images for WorkSpaces BYOL Windows 11/10 Desktop, Windows Server 2025/2022/2019/2016, Ubuntu Server 24.04 LTS, and Debian 12 support Flexibility to bring Microsoft 365 Apps for enterprise licenses to run on WorkSpaces Core or purchase Microsoft Office bundles (https://aws.amazon.com/workspaces-family/core/faqs/) Global WorkSpaces Core regional support Customer-controlled account flexibility Identity management flexibility: Active Directory and Entra Hybrid support, Citrix FAS for SSO to VDAs A similar resource location setup, host connection configuration, and catalog creation process as existing MCS workflows (making the experience familiar for current MCS users) Full suite of DaaS capabilities beyond MCS: Studio management console, session brokering/management, HDX, Workspace app, Director monitoring, WEM, deviceTRUST PrerequisitesFollow our Product Docs to set up an AWS virtualization environment (Amazon WorkSpaces Core environments share similarities with AWS EC2 environments) Install VDAs on the Master VMs (for creating Master Image AMIs, which will be used to prepare Images for MCS Machine Catalogs) Create a service-linked role Creating a Host ConnectionThe Host Connection creation process for Amazon WorkSpaces Core will be similar to the existing MCS connection to AWS EC2, except for IAM permissions policy. Please see the “Minimal IAM permissions” in the “Appendix” section of this guide to properly define IAM permissions for your IAM user or role’s policy for Citrix to manage resources in your AWS account. If you’d like to create a host connection configured with a proxy, please see the section “Create a secure environment for AWS-managed traffic” section of our product docs. Create a new connection. Go to the Hosting tab on the Studio console and click Add Connection and Resources. Use the Resource Location (e.g., WSC) you set up for your AWS environment (see prerequisites) and select “Amazon WorkSpaces Core” as the Connection Type. Next, you can either use: an IAM user access key, or an IAM role. For the IAM user access key approach, please provide your “API key” and “Secret key” for the IAM user that has the proper IAM permissions policy for Citrix to manage resources in your AWS account. For the IAM role approach, select “Use IAM role”: Ensure that you've assigned an IAM role to the Citrix Cloud Connector (or Delivery Controller) instance with the proper IAM permissions policy, allowing Citrix to manage resources in your AWS account. Refer to our Role-based Authentication guide for more information. Finally, give the connection a name. Specify the location where your VMs will be provisioned. Select the Cloud region, VPC, and Availability Zone for creating new VMs. Name the resources in the previously selected Availability Zone and choose one or more subnets in the VPC that you configured in the previous menu. Click through the remaining pages until the Summary page. Click Finish to create the Host Connection to Amazon WorkSpaces Core. Create a Prepared ImageGo to the Images tab on the Studio console and click Create Image Definition. Select an OS type and Session type for the prepared Image. Provide the Host Connection that you created in the Create a Host Connection section of this guide. Select the resources you created in the Create a Host Connection section of this guide. Select a Master Image as the template for creating a prepared Image version in this Image Definition. The Master Image should be an AMI created from a Master VM with VDA installed (see the prerequisites section of this guide). Select a Machine Profile that will serve as a hardware template to use when provisioning machines in the Create a Machine Catalog section of this guide. The Machine Profile can be an EC2 instance or Launch Template Version in your resources with hardware properties (e.g., Instance type, Tenancy type, Network mappings, Security Groups, Volume properties) that will be captured for provisioning new VMs. Select a machine specification that the provisioned VMs will take on during Machine Catalog creation. By default, the Machine Profile’s instance type is selected. Select one or more network interfaces that the provisioned VMs will use during Machine Catalog creation. You can provide an optional description to highlight information about this initial version of the Image Definition. Name the definition and click Finish to create the Image Definition and an initial Image version. To create another Image version (beyond the initial Image version), navigate to the Image Definition you just created, and click Create Image version. Select Resources, a Master Image, and/or a Machine Profile for the new Image version. The initial Image version’s properties are used by default and can be modified. Create a Machine CatalogGo to the Machine Catalogs tab on the Studio console and click Create Machine Catalog. Select a Machine Type for this catalog (e.g., Multi-session OS or Single-session OS, which is required for persistent machines). Use the dropdown menu under Resources to select the Resources (Availability Zone) you configured in the Create a Host Connection section of this guide. To create a machine catalog containing persistent machines, select the option for a “static desktop” experience that “creates a dedicated VM and saves changes on the local disk.” For non-persistent machines, select a “random desktop” or “static desktop” that discards all changes. Click Select an Image to select a Prepared Image for the Machine Catalog. Select the Prepared Image version that you would like to use, created in the Create a Prepared Image section of this guide, and click Done. The Machine Profile associated with the Prepared Image will appear, and its hardware properties (e.g., Instance type, Tenancy type, Network mappings, Security groups, Volume properties) will be used to create machines in the catalogs. You can change the Machine Profile source to another VM or launch template version by clicking the Edit button. Define how many VMs you want to create in the Machine Catalog. The default Machine Specification is based on the Machine Profile. To change it, click Select a Machine Specification and pick the Instance type you’d like to use for the VMs. Configure on-prem AD (or Hybrid Azure AD) for the machines in the catalog by selecting the domain and creating new AD accounts for the VMs that will be created in this Machine Catalog. The provisioned VMs will be joined to the selected Domain. After configuring the Domain account options for the VMs in the catalog, you’ll have to provide the credentials for the selected domain by clicking Enter credentials, where you’ll be prompted to enter an admin-level Username and Password. You can also use a Service Account if you already have Domain credentials saved, as outlined in our Product Docs. Click through the remaining pages until the Summary page. Give the Machine Catalog a name and select Finish to create the Machine Catalog. AppendixMinimal IAM Permissions{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:AttachVolume", "ec2:AssociateIamInstanceProfile", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateImage", "ec2:CreateLaunchTemplate", "ec2:CreateNetworkInterface", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteLaunchTemplate", "ec2:DeleteNetworkInterface", "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeIamInstanceProfileAssociations", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceStatus", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeInstanceAttribute", "ec2:GetLaunchTemplateData", "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DetachVolume", "ec2:DisassociateIamInstanceProfile", "ec2:RebootInstances", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ebs:StartSnapshot", "ebs:GetSnapshotBlock", "ebs:PutSnapshotBlock", "ebs:CompleteSnapshot", "ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ec2:CreateSnapshot" ], "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlainText", "kms:GenerateDataKey", "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*" }, { "Effect": "Allow", "Action": [ "workspaces-instances:*" ], "Resource": "*" } ] } Confidentiality and DisclaimerConfidentiality and Disclaimer The information in this document is confidential information of Cloud Software Group, Inc. and/or its affiliates. Use, duplication, transmission, or republication for any purpose without the prior written consent of Cloud Software Group, Inc. is expressly prohibited. This document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and availability dates for Cloud Software Group, Inc. products and services. This document is provided for informational purposes only and its contents are subject to change without notice. Cloud Software Group, Inc. makes no warranties, express or implied, in or relating to this document or any information in it, including, without limitation, that this document, or any information in it, is error-free or meets any conditions of merchantability or fitness for a particular purpose. The material provided is for informational purposes only, and should not be relied on in making a purchasing decision. The information is not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion. During the course of this presentation, Cloud Software Group, Inc. or its representatives may make forward-looking statements regarding future events Cloud Software Group, Inc.'s future results or our future financial performance. These statements are based on management's current expectations. Although we believe that the expectations reflected in the forward-looking statements contained in this presentation are reasonable, these expectations or any such forward-looking statements could prove to be incorrect and actual results or financial performance could differ materially from those stated herein. Cloud Software Group, Inc. does not undertake to update any forward-looking statement that may be made from time to time or on its behalf.Tue, 22 Jul 2025 10:00:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/aws-cross-account-provisioning/Thu, 03 Jul 2025 16:01:40 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/master-images-with-packer/Mon, 30 Jun 2025 09:05:57 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/deploying-citrix-secure-developer-spaces-on-openshift/Tue, 10 Jun 2025 09:04:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/citrix-hypervisor-to-xenserver-migration/Fri, 06 Jun 2025 16:45:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/deploying-citrix-secure-developer-spaces-in-azure-kubernetes/Thu, 05 Jun 2025 12:46:00 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/elux-and-scout/Thu, 05 Jun 2025 12:32:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/elux7-2503-xenserver/Tue, 08 Apr 2025 13:56:00 +0000https://community.stage.citrix.com/tech-zone/by-product/unicon/Unicon provides a Secure, Lean Operating System and Management Tool for Virtual Desktop Endpoints. With its eLux OS and Scout management system, Unicon’s software is highly suitable for on-premises and cloud use cases, consisting of endpoints like thin clients, desktop PCs, and laptops. Deployment GuideseLux 2503 VM on XenServer - Provides high-level steps to install and configure an eLux 7 VM on XenServer. Integrating Scout Board with Okta SAML 2.0 for Single Sign-On - Describes how to integrate Scout Board with Okta using the SAML 2.0 protocol to enable Single Sign-On (SSO) for end users POC GuideseLux and Scout - Provides the steps to build a proof-of-concept environment to evaluate the eLux operating system and Scout Management Suite. Tech BriefsCitrix Unicon Licensing Guide - The Licensing Guide explains the available licensing models for Citrix Unicon OS Management (Scout), their technical requirements and compatibility, and provides step-by-step instructions to help you choose and implement the model that best fits your needs.Tue, 08 Apr 2025 12:44:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/vmware-to-xenserver-migration-guide/Wed, 02 Apr 2025 13:00:00 +0000https://community.stage.citrix.com/tech-zone/by-product/xenserver/Reference ArchitecturesXenServer for Citrix Workloads - Provides a blueprint for deploying XenServer to run Citrix workloads suitable for enterprise-sized deployments that can scale from a few hundred to a few thousand VDAs. Deployment GuidesVMware to XenServer Migration Guide - Provides high-level steps and tools for migrating Citrix workloads and infrastructure components from VMware to XenServer. Citrix Hypervisor 8.2 CU1 to XenServer 8.4 Migration Guide - End of life for Citrix Hypervisor is June 25, 2025. This deployment guide provides the steps to migrate your Citrix Hypervisor 8.2 CU1 hosts to XenServer 8.4. Tech PapersSecurity Recommendations When Deploying XenServer - Provides security recommendations for deploying XenServer, covering best practices for protecting networks, storage, virtual machines, and the control domain and guidance on configuration, auditing, and managing XenServer environments.Wed, 02 Apr 2025 13:00:00 +0000https://community.stage.citrix.com/tech-zone/design/reference-architectures/xenserver-for-citrix-workloads/Overview This document serves as a blueprint for deploying XenServer to run Citrix workloads for the most common commercial-sized deployment that can scale from a few hundred to a few thousand VDAs. Whether using Citrix Virtual Apps and Desktops or Citrix DaaS, this reference architecture is valid. Enterprise-sized deployments may have additional considerations that are not covered in this reference architecture. Use XenServer product documentation alongside this document. Blueprint Host and resource pool layer XenServer hosts should be part of a resource pool with a recommended maximum of 16 hosts for this deployment type. XenServer hosts in the same resource pool must have the same vendor, model, and features as the CPUs and the same amount of memory. Memory should not be overcommitted. You need as much memory in a host as the VMs have allocated. See the Citrix Provisioning workloads section for local storage requirements and host memory considerations. Network layer XenServer hosts should have network card speeds of 10 Gbps or greater. XenServer hosts should have at least four network cards: 2 bonded pairs with 1 pair dedicated to storage traffic and one used for the VM and management traffic. Where there are insufficient network cards to provide physical separation between VM and management traffic, you must ensure that logical separation is provided using VLANs so that management traffic (XenServer control domains, license servers etc.) are on a different logical network to guest VMs such as CVAD desktop or server VDAs. Storage layer Shared storage is recommended to ensure VMs can be migrated between hosts. NFS or SMB is recommended when using Machine Creation Service (MCS). Any supported storage option works when using Citrix Provisioning. Isolate storage networking traffic as outlined in the Network Layer section. Citrix Image Provisioning layer Citrix Machine Creation Services (MCS) and Citrix Provisioning Services can be used separately or in combination to provision VDAs to XenServer. Citrix Provisioning workloads If using Citrix Provisioning, we recommend enabling the XenServer feature PVS-Accelerator. 5 GB of cache on each host is recommended per vDisk version you actively use. Memory cache is recommended instead of disk cache, if enough memory is available. If using disk cache, local storage is recommended. Machine Creation Services workloads If using Citrix Machine Creation Services, we recommend that you use both Intellicache and storage read caching. Intellicache: Enable Intellicache during the installation of XenServer by selecting “Enable thin provisioning (Optimized storage for Virtual Desktops)”. Intellicache uses local storage for the cache. XenServer hosts should have enterprise-grade SSDs or NVME drives that support 512-byte sectors (or can emulate 512-byte sectors). NFS or SMB shared storage is recommended, as the VDAs require it to allow a fully thin-provisioned solution with IntelliCache. When creating the Hosting Connection from Citrix, select the IntelliCache option. Storage read caching: On each XenServer host, increase Dom0 memory by 10 GB to provide space. Design decisions This section details the reasons for the blueprint configuration and other potential configuration options. Host and resource pool layer While XenServer can support a resource pool with up to 64 hosts, limiting the resource pool to 16 hosts ensures that the time needed to perform updates (even when host reboots are required) is achievable within a working day. Additionally, there is an increased resilience to failures, and the impact of failure (if one occurs) is constrained to this set of hosts. When allocating VMs to XenServer resource pools, ensure that there is enough capacity to operate all VMs with at least 1 host unavailable. This allows for pool maintenance without requiring VM outages. If XenServer hosts in the same Resource Pool have different amounts of memory, the XenServer host with the smallest amount of memory must be able to support workloads placed on it during failover scenarios or upgrades. XenServer hosts within the same resource pool should be on the same network, in the same datacenter or physical location, and only separated by a L2 switch (not a router). Create a separate resource pool for each set of XenServer hosts on a different network or physical location. XenServer HA is not recommended for Citrix workloads/VDAs. Protection at the VM level is not typically required due to the inherent manner in which Citrix Virtual Apps and Desktops workloads are dynamically created and destroyed HA in a Citrix Virtual Apps and Desktops deployment can be beneficial in handling hardware failure or hypervisor crashes. However, when HA is enabled, there is an increased risk of any temporary interruptions (in network or storage infrastructure) causing a host to ‘fence’ for safety, interrupting services (for end users) that otherwise might not have occurred. If possible, splitting VDAs over multiple pools ensures for availability in case of a pool failure. The total number of vCPUs allocated to an individual VM on a host should not exceed the number of physical CPU threads for the host. Network layer Other network card options for your hosts: 6 Network cards: Three bonded pairs with one pair dedicated to storage traffic, 1 pair dedicated to VM traffic, and one pair dedicated to management traffic. 3 network cards: One is dedicated to storage traffic, one to VM traffic, and one to management traffic. 2 network cards: One network card is dedicated to the storage traffic, and one network card is used for the VM and management traffic. As described above, you must ensure that logical network separation is provided using VLANs. Citrix Provisioning Layer Minimize the number of different golden images used in each resource pool to maximize the use of the available caching technologies. Each image uses the caches. The more golden images there are, the more likely the caches are to become full and less effective. Making the caches bigger may also help with this aspect as the number of golden images increases. Intellicache If you are using block-based storage with Intellicache, we recommend that you use full provision (LVM) mode. This model is compatible with IntelliCache (which will enable faster VM operation with older/slower storage devices). Some block storage filers provide thin provisioning, which can be used, but care must be taken to avoid out-of-space conditions. Reference materials XenServer Product Documentation: https://docs.xenserver.com/en-us/xenserver/8/ XenServer Technical Overview: https://docs.xenserver.com/en-us/xenserver/8/technical-overview Getting Started with XenCenter: https://docs.xenserver.com/en-us/xencenter/current-release/intro-welcomeWed, 02 Apr 2025 13:00:00 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/xenserver-security-recommendations/Tue, 01 Apr 2025 13:01:06 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/citrix-fas-multi-domain-architecture/Tech Paper_Multi-Domain Federated Authentication Service (FAS) Architecture.pdf Overview Many public and private organizations are integrating Citrix solutions into Active Directory infrastructures in multi-forest scenarios, typically to separate user objects from resources. In addition to this deployment type, many companies are moving toward SAML-based authentication to improve security, as it offers more flexibility and granular authentication policies. SAML could be a challenge for implementations using Citrix environments, and to enable consistent SSO to VDAs without LDAP authentication, Citrix Federated Authentication Service (FAS) implementation is required. Previous Citrix Blog and Tech Zone articles have covered this topic in other areas. However, this deployment guide will share the key points of an experience to identify how and where to install Citrix Federated Authentication Service (FAS) in different multi-forest scenarios. Assessment During the assessment phase, checking the architecture and whether infrastructure components are already required for FAS to work is essential. The corresponding table contains questions that will help you identify where Citrix FAS can be installed and the key points. Question Description Describe the network topology regarding the domain and forests involved in the architecture. Specify how forests are divided. Is replication between forests active? Requirement - two-way replication or selective between forests On which forests are users located who will authenticate on the platform? Is the Certification Authority available? Verify the structure of the existing CA (Root and Sub). A CA is required. Microsoft CA is preferred*** Is CA in the resource forest? Depending on where the CA is, requirements could change. If yes, is Cross-Forest CA present with the user forest? Useful to use autoenrollment for user forest DCs. If yes, is LDAPReferrarls active? Needed to issue certificates to users from a different forest Do the DCs in the user forest have a Domain Controller or Kerberos-type certificate issued by the same CA? In a scenario of RootCA and several SubCAs, it is also okay for it to be issued from any SubCA (more below for details) Is it possible to install FAS in the same forest as CA? It would facilitate the final design and avoid configuring the CA cross-forest between the FAS and CA forests. ***Starting with Citrix FAS version 2311, it’s possible to use a Certification Authority other than Microsoft's. Refer to the latest available Citrix FAS documentation for the list of validated non-Microsoft PKIs. Having the answers to the above questions will make it easier to study where to install Citrix FAS and what the requirements will be to make the architecture work. The following flowchart will help you design the target solution. The sections below will go into detail about each possible scenario and the solutions to adopt: Active Directory Different multi-forest scenarios may exist. Forest segmentation in Active Directory is usually based on separating IT objects from user accounts, but this is not always true. More complex multi-forest scenarios may come up when we work with customers. This article will help you understand how to design the SSO solution to VDAs with Citrix FAS, depending on where you can place this new resource. It is also helpful to know how authentication by Smartcard-Logon certificate used by FAS works. You can refer to this Microsoft article. Be aware that when trying to access a device with a smartcard-logon certificate, the device requires the Domain Controller to authenticate the user. The Domain Controller uses the Domain Controller Authentication or Kerberos-type certificate to verify the device's identity and establish a secure connection. Without this certificate installed on the DCs, authentication with a smartcard certificate would not be possible. Finally, the configurations described below have been validated in environments that meet the following requirements: There is a Microsoft Certification Authority. There is bidirectional or selective replication between forests. That the VDAs trust the reference CAs for issuing certificates generated with Citrix FAS. That Domain controller where user accounts are located has in trust on the NTAuth store the reference CA for issuing certificates generated with Citrix FAS (PKI-Trust); in some cases, we will see that it will be automatic, and in others, it will be necessary to implement it during the FAS setup phase. Single Forest Citrix FAS installation and configuration will occur in this forest. Microsoft Certification Authority is implemented in the forest, and domain controllers will probably already have the domain controller authentication certificate issued by Microsoft CA by auto-enroll. However, it is good to verify that it is present or a certificate can be issued to each Domain Controller based on one of these templates: Domain Controller Domain Controller Authentication Kerberos Authentication However, Microsoft recommends that the Domain Controller use the Kerberos Authentication certificate, which has a more specific use case. From then on, we will always refer to the Kerberos Authentication certificate but remember that you can use any of the above certificates. Citrix FAS will be able to install the necessary templates for proper SSO operation in the CA. VDAs and DCs will automatically have Microsoft Enterprise CA certificates in trust. KEY POINTS: Install the FAS in the single forest Verify that the DCs have the required Kerberos certificate Multiple resource forest Multiple forests are used for resource placement, and a single forest is for user accounts. In this scenario, we can expect Citrix FAS to be placed in different locations. Citrix FAS and Microsoft CA in the user forest This scenario could occur when a Microsoft CA is already located in the user forest, and you do not intend to create another one or trust it in the resource forests. The scenario described above can be followed in a single forest by installing FAS in the user forest where CA is also located. KEY POINTS: Install the FAS in the single forest Verify that the DCs have the required Kerberos certificate Citrix FAS and Microsoft CA in the same resource forest Being in the same forest and with the correct permissions, Citrix FAS can install the necessary templates for proper SSO operation in the Microsoft CA. By default, Microsoft CA can issue certificates only for users in its forest. LDAPReferrarls must be enabled to issue certificates for the user account forest as well. Finally, Domain Controllers in the user account forest must have the Kerberos Authentication certificate issued by the same CA used by Citrix FAS (in this case, located in Resource Forest #2). For the Microsoft CA in the resource forest to issue the Kerberos certificate for the DCs Cross-Forest Certification Enrollment must be enabled in the user forest using autoenrollment (between the User Forest and Resource Forest #2). Otherwise, issuing certificates for DCs using certutil commands will be possible. In this case, remember to also place the CA's certificate in the NTAuth store of each Domain Controller in the user forest (PKI-Trust). KEY POINTS: Install FAS in the resource forest where Microsoft CA is located. Enable LDAPReferrals on the CA Issue Kerberos certificates for the DCs in the user forest: With auto-enroll, you need to enable Cross-Forest Certification Enrollment between the forest where the CA is and the user forest. Without auto-enroll, you can use the certutil command to issue the Kerberos certificate and add the CA's certificate to the NTAuth store (PKI Trust). Citrix FAS and Microsoft CA in different resource forests Citrix FAS and Microsoft CA are in different resource forests. In this scenario, FAS will only be able to install the templates required for proper SSO operation on VDAs if Cross-Forest Certification Enrollment between the two resource forests is enabled (between Resource Forest #1 and Resource Forest #2), which becomes a requirement. The requirement to enable LDAPReferrals and Kerberos certificates for user DCs remains the same. KEY POINTS: Enable Cross-Forest Certification Enrollment between resource forests where Microsoft CA and Citrix FAS reside. Enable LDAPReferrals on the CA Issue Kerberos certificates for the DCs in the user forest: With auto-enroll, you need to enable Cross-Forest Certification Enrollment between the forest where the CA is and the user forest. You can use the certutil command to issue the Kerberos certificate and add the CA's certificate to the NTAuth store (PKI Trust) without auto-enroll. Multiple user forest and multiple resource forest Multiple forests are used for resource placement, and multiple forests are where user accounts reside. This may seem like an even more complex scenario than the previous ones, but everything is related to the previous ones. Consider installing Citrix FAS in the same forest where the Microsoft CA is located and following the previous suggestions. Alternatively, you will need to enable Cross-Forest Certification Enrollment between the resource forests where Microsoft CA is located and the one where Citrix FAS is. Since user accounts are stored in multiple forests, always install Kerberos Authentication certificates on each Domain Controller where users reside. For autoenrollment mode, you will need to enable Cross-Forest Certification Enrollment. KEY POINTS: If you can install Citrix FAS in the same forest as Microsoft CA, follow the above suggestions. Alternatively, enable Cross-Forest Certification Enrollment active between the resource forests where Microsoft CA and Citrix FAS are located. Enable LDAPReferrals on the CA Issue Kerberos certificates for the DCs in the user forest: With auto-enroll, you need to enable Cross-Forest Certification Enrollment between the forest where the CA is and the user forest. You can use the certutil command to issue the Kerberos certificate and add the CA's certificate to the NTAuth store (PKI Trust) without auto-enroll. SubCA in multiple forests When we work with customers, complex and unpredictable multi-forest scenarios may arise. The last case might be when different SubCAs in multiple forests are part of the same Microsoft Enterprise CA. The only difference from the previous case is that Kerberos certificates are used on DCs where user accounts can be issued from different SubCAs (it does not matter which SubCA is the issuer). The basic requirement remains that on all DCs in the forests where user accounts reside, there is trust in the NTAuth to store the certificate of the SubCA (more specifically) used by FAS or RootCA (PKI-Trust). KEY POINTS: Check if you can install Citrix FAS in the same forest as a SubCA. Alternatively, enable Cross-Forest Certification Enrollment between the resource forests where SubCA and Citrix FAS are located. Enable LDAPReferrals on the CA Check if all DCs with user accounts have a Kerberos certificate issued by one of the SubCAs (it does not matter which SubCA is the issuer). If there is a SubCA in the same forest, use autoenrollment or: With autoenrollment, you need to enable Cross-Forest Certification Enrollment between the forest where there is a SubCA and the user forest and add in the NTAuth store the certificate of the SubCA used by the FAS (PKI-Trust if you do not use the same one). Without auto-enroll, use the certutil command to issue the Kerberos certificate and add the certificate of the SubCA used by the FAS (PKI Trust) to the NTAuth store. Summary During the assessment phase, engaging the teams responsible for Active Directory and security is crucial to fully assess the status of Certification Authorities (CAs) if they are already in place. It is also critical to check for existing predefined policies related to CAs and ensure that the customer has already carefully considered these critical elements. Another important aspect is the hardening of CAs and related templates, which include key retention management, encryption, and other security measures. For detailed guidance on hardening, see the Citrix FAS documentation, which provides specific guidance and best practices. Finally, other considerations should be considered when integrating Citrix components, such as Delivery Controller or StoreFront, into multidomain environments. Each Active Directory implementation is slightly different, so additional steps may be required to make your solution work.Tue, 25 Mar 2025 12:29:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/create-iac-vm/Fri, 21 Mar 2025 13:52:31 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/daas-azure-iac/Fri, 21 Mar 2025 13:51:00 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/netscaler-credential-protection/Thu, 13 Mar 2025 13:30:01 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/csp-daas-single-multitenant-migration/Introduction This document provides guidance for Citrix Service Providers (CSPs) to migrate a customer from an existing standalone single-tenant Citrix DaaS service to a CSP multitenant service. A CSP admin can follow the steps detailed in the document to complete the migration process. When a CSP transitions an existing single-tenant DaaS Customer to the partner’s multitenant service for centralized management and greater economy of scale, a parallel deployment for the customer in the multitenant environment is needed before the final switchover. This migration process aims to retain the customer’s existing custom Workspace URL and end-user experience while minimizing disruption. Architecture In the diagram below, the purple-colored cloud instance indicates Customer A’s pre-migration single tenant (or standalone) DaaS environment. After the migration (teal color), the same customer A will be sharing the CSP’s multitenant service instance (middle frame) while still retaining its workspace experience (same custom workspace URL and VDAs). Summary of Steps Before October 1, 2024, migrating a customer from Single Tenant to Multitenant required Fast Decommission of the existing single tenant instance before multitenant DaaS can be added to the same customer (cloud account and Org ID) for the new tenant scope to be created. This caused concerns among our partners regarding downtime. From October 1, 2024, onboarding a new customer in Partner’s Citrix Cloud console is for multitenant only and no longer needs an Org ID. This removes the requirement for a partner to re-use the tenant’s existing Org ID/cloud account. The updated process is defined below, which no longer requires decommissioning the existing single-tenant instance so that disruption is minimized. Step Task Task Owner 1 Create a new tenant for the customer via the partner cloud console that will share the CSP’s Org ID. Service Provider 2 Add Service to the new tenant and select DaaS Service Provider 3 Configure the corresponding resource location in the partner account for the new tenant. Service Provider 4 Federate the tenant to the domain of the new resource location Service Provider 5 Create Machine Catalogues with customer scope Service Provider 6 Create a Delivery Group with assigned tenant AD group(s) Service Provider 7 Add test/pilot users to the relevant AD group Service Provider and Customer 8 Configure temporary tenant workspace URL Service Provider and Customer 9 UAT testing Service Provider and Customer 10 Schedule production service cutover to multitenant Service Provider and Customer 11 Production cutover Service Provider 12 Post-migration testing Service Provider and Customer 13 Decommission old single-tenant instance (optional) and delink the account Service Provider Migration Process CSP Creates the New Tenant The CSP partner admin must create a new cloud tenant with the customer’s name but under the partner’s Org ID. To do so, the partner admin can log in to the CSP cloud account and follow the steps defined in the product documentation to “Add” the customer. By default, when the new tenant account is created for the customer, the CSP admin will automatically be added as an admin in the tenant cloud account to ensure the partner admin has sufficient permission to manage the tenant services. Add Service to the New Tenant After creating the new tenant, the partner admin needs to add this customer to its multitenant DaaS Service. This process will automatically generate the tenant scope in Studio for the subsequent security isolations. Note: If the partner admin is not able to perform “Add Service” to the new tenant, please first verify if the logged-in admin has the necessary permissions (e.g., a full admin in the tenant’s account). Configure Corresponding Resource Location for the New Tenant Resource locations of all tenants under CSP’s multitenant (MT) DaaS must be configured in the partner account. Since the same customer has an existing single-tenant DaaS in a separate cloud account, the new corresponding dedicated Resource Location in the CSP partner Cloud account will be connected to the same environment and Active Directory that the customer’s existing single tenant is currently using. Install a minimum of two Cloud Connectors to the new resource location for the tenant customer. Note: Do not reuse the existing customer’s cloud connectors even if they are in the same Active Directory domain. The new cloud connectors need to be reinstalled to connect to the partner’s cloud account. Federate the Customer Tenant to the Domain of the New Resource Location The important step for configuring a customer under multitenant DaaS is to federate the tenant to the domain configured in the partner account. Without this step, the tenant-level authentication to access the resources and FAS multitenant support would not function. Follow the product documentation to add the tenant to the newly configured domain in the partner account. Once completed, log in to the tenant cloud account and verify that you can see a domain appear via the federation, although you never configured one in the new tenant’s own account. Create Machine Catalogues You can reuse the customer Operating System images from the existing single-tenant environment and create new machine catalogs with the new tenant scope under the partner’s multitenant service that match the customer’s existing catalogs of its single-tenant service. Customer’s Existing Catalog under Standalone Single Tenant Service Customer’s New Catalog with assigned tenant scope under CSP Multitenant Service Catalog 1 Catalog 1 Catalog 2 Catalog 2 Catalog 3 Catalog 3 … … As best practice, please use a naming convention in a multitenant environment to identify and separate objects belonging to different tenants. Defining a new Hosting connection may be necessary before creating the machine catalogs if the new tenant workloads are hosted in different infrastructure resources. Create Delivery Group(s) Like machine catalogs, create the mapping delivery groups with tenant scope under the partner’s multitenant service as per the customer’s existing single tenant instance. As best practice: Delivery groups under CSP multitenant service should always be dedicated to a tenant customer and assigned with the tenant scope. Instead of assigning individual users to the delivery group for user access, assign AD security group(s) to the delivery group and manage individual user access via the AD group memberships. This provides flexibility, separating the Studio access for managing delivery groups and user AD group membership. Add Test/Pilot Users Create necessary test or pilot users in the customer’s Active Directory and add them to the relevant security group assigned to a scoped delivery group(s) to match the user personas in the customer’s existing single-tenant environment. Configure Temporary Tenant Workspace URL CSP multitenant DaaS provides each tenant with their own workspace experience with separate workspace URL(s) per tenant. Before the customer’s existing single-tenant workspace URL can be transitioned over, the new deployment for the same customer under multi-tenant DaaS needs to be tested. Define a temporary Workspace URL for user acceptance testing in the new tenant account. UAT Testing Thoroughly test the user experience (session launch, access to applications and desktops, etc.) with different personas, compared with their existing experience under single tenant DaaS, until the result is accepted by the customer. Schedule Production Service Cutover Once user acceptance testing is completed, the service provider and the customer must schedule the maintenance window for service cutover to minimize disruption to users’ access and experience. Production Cutover During the scheduled maintenance window, user access to the existing single-tenant instance should be blocked. The production Workspace URL will be moved from the single-tenant account to the multi-tenant account. Post Migration Testing Additional testing should be conducted after the production Workspace URL has been transferred to the multitenant account; if applicable, necessary DNS records should be updated. Verify that user sessions via the same production Workspace URL are now launched from the multitenant environment. Decommission Old Single Tenant Instance and Delink the Account The customer’s old single-tenant environment is now obsolete. A few options the service provider can choose from: If the CSP licenses in that account are not expired, they can be transferred back to the partner or canceled (via customer service/support case). Remove the partner link and admin rights from the single tenant account. (Optional) self-service decommission of the single tenant instance to release back-end resources. References Reference Architecture: Citrix Service Provider DaaS Citrix Cloud for Partners Citrix DaaS for Citrix Service ProvidersTue, 11 Mar 2025 16:59:00 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/citrix-fas/Fri, 28 Feb 2025 13:31:00 +0000https://community.stage.citrix.com/tech-zone/design/diagrams-posters/cvad-disa-stigs/Citrix Cheat Sheets - DISA STIG.pdf The Citrix Cheat Sheet - DISA STIGs in Citrix Virtual Apps and Desktop environments points out some of the standard STIG settings that might be giving you trouble, as well as a few pointers and tips. If you have already finished implementing STIGs, this is a good list to lead you to a setting that might be breaking your environment. If you haven’t implemented STIG settings yet, cheat sheet will give you a good head start on what to look for and may save you some time troubleshooting.Wed, 26 Feb 2025 14:37:19 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/citrix-disa-stigs/Wed, 26 Feb 2025 14:37:09 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/citrix-session-remote-start/Fri, 14 Feb 2025 13:00:00 +0000https://community.stage.citrix.com/tech-zone/design/diagrams-posters/netscaler-cheat-sheet/Overview This cheat sheet for Citrix NetScaler provides a comprehensive list of commands and their functions for system status, service management, network configuration, high availability, authentication, SSL certificates, backup, traffic analysis, connectivity testing, and system resources. Key commands and functions include: System Status: Commands to check system uptime, CPU, memory, SSL utilization, hardware, firmware, licenses, current time, operating modes, and feature status. Service Management: Commands for viewing vServer statistics, backend status, and service group details. Network: Commands to display interface status, VLAN configuration, IP configuration, ARP table, and routing table. Configuration: Commands to show current configuration, save configuration, and show changed configuration. High Availability: Commands to check node sync status, force sync, and trigger failover. Authentication: Commands to change passwords, view live authentication data, and show current AAA users/sessions. SSL Certificates: Commands to manage SSL certificates, certificate chains, SSL profiles, and cipher groups. Backup: Commands to show, create, and restore system backups. Traffic Analysis / Connectivity Testing: Commands for DNS lookup tests, HTTP(S) connection tests, viewing current connections, access control lists, live network traffic, and creating/stopping traces. System Resource: Commands for memory allocation and policy hits. Technical Support: Command to create a technical support bundle. Management Traffic: Command to use a different router for management traffic. Download the document here: NetScalerCheatSheet_v07.pdfThu, 30 Jan 2025 16:00:00 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/manage-timeout-settings/Thu, 23 Jan 2025 15:02:00 +0000https://community.stage.citrix.com/tech-zone/by-product/citrix-secure-developer-spaces/Citrix Secure Developer Spaces, formerly known as Strong Network, is a secure, cloud-based development environment (CDE) platform that enhances developer productivity while maintaining enterprise-grade security. It provides fast onboarding through preconfigured workspaces that are accessible from anywhere—ideal for hybrid and remote teams. Deployment GuidesDeploying Secure Developer Spaces in Azure Kubernetes - Provides the steps to deploy Citrix Secure Developer Spaces CDE in Azure Kubernetes. Deploying Citrix Secure Developer Spaces on OpenShift - Provides the steps to deploy Citrix Secure Developer Spaces to an existing OpenShift cluster.Wed, 15 Jan 2025 16:08:00 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/key-exchange-in-ssl-tls/Overview When you connect to a secure website, your browser and the server must establish an encrypted connection to exchange data. Many will say this connection is "protected with the server's certificate," but this oversimplifies what's happening. Certificates are crucial in authenticating the server and enabling key exchange, but they’re just one piece of the puzzle. Modern websites depend on seamless yet robust encryption to ensure data security. Understanding how key exchanges evolved - from RSA to Diffie-Hellman to ECDHE - unlocks the complete picture of how cryptography balances performance and security. Public/Private Key Pair encryption is called “asymmetric encryption” (meaning the keys used for encryption and decryption are not the same) and relies on a process called “modular exponentiation.” This process can be hundreds of times slower than “symmetric encryption” (which uses the same key for encryption and decryption). If the server certificate (asymmetric encryption) were used for the entire connection, the experience would be poor and significantly slower. Instead, Key Exchange occurs at the beginning of each connection and focuses on moving from asymmetric to symmetric encryption, ensuring the connection remains secure while significantly improving performance. But how do your browser and the server agree on a symmetric key without exposing it to potential eavesdroppers? This article unpacks the evolution of key exchange protocols - RSA, Diffie-Hellman, and ECDHE - to explain their trade-offs between security and performance. The companion document Networking SSL/TLS Best Practices (Q1 2025 Edition) provides practical implementation guidance on configuring SSL/TLS using these key exchange methods. Historical Context In the late 90s, most of the Internet operated over plaintext ("http" rather than "https"). Websites that required security, such as banking portals, relied on the RSA encryption system with 512-bit certificates, balancing computational load and security. Servers with limited encrypted traffic could handle this load using software like Apache 1.3’s mod ssl. However, high-traffic sites often relied on specialized hardware accelerators to offload the resource-intensive RSA calculations. At that time, 512-bit certificates were common, and "secure" often meant little more than the browser displaying a padlock icon and the assurance the server “had a certificate installed.” The certificate's presence provided assurance, but there was often little discussion about the level of security the “encryption” provided. As computation power doubled every 18 months, what was considered secure in the late 90s (512-bit keys) became increasingly vulnerable. In 1999, Adi Shamir, one of RSA’s creators, led a research effort that publicly cracked a 512-bit certificate, showing it was vulnerable to modern computing but also the computational power of a single organization. Using distributed computing, a second certificate was cracked in 2000 as part of the RSA-155 project. This highlighted the urgent need to move to stronger key sizes such as RSA-1024 and RSA-2048, which were already recommended by standards bodies like NIST. The evolution of key sizes highlights the trade-off between computational feasibility and resilience against attacks. While 512-bit keys sufficed in the early web era, increasing key sizes to 1024 bits doubled the security margin but required over 30 times more processing power. This growing computational demand drove the development of more efficient cryptographic methods, such as Elliptic Curve Cryptography (ECC). By 2003, the National Institute of Standards and Technology (NIST) recommended a minimum RSA key size of 1024 bits, with 2048 bits suggested for long-term security. In 2004, Visa, Mastercard, American Express, Discover, and JCB introduced the Payment Card Industry Data Security Standard (PCI DSS), mandating strong encryption practices for credit card processing, making 1024-bit keys the industry norm. In 2009, SSL Labs launched, raising greater awareness about SSL/TLS best practices. By 2010, Microsoft, Mozilla, and Google began marking 512-bit certificates as insecure, rendering them obsolete. In 2013, NIST began recommending 2048-bit keys for most security applications, and the CA/Browser Forum mandated that Certificate Authorities stop issuing 1024-bit certificates. Website owners with certificates expiring after December 31, 2013, were required to replace them with 2048-bit certificates before the deadline. By this point, 2048-bit certificates were the standard for encryption, reflecting a broader industry commitment to security. Around this point, I began writing the NetScaler “How to get an A+ at SSL Labs” series, as it had become a frequent question from enterprise customers looking to ensure their platforms were secure. After 2013, while 2048-bit certificates have remained widely used, cryptographic standards and practices have continued to evolve in response to technological advancements and emerging threats. However, an alternative became necessary, with 4096-bit RSA keys being significantly more computationally intensive than their 2048-bit counterparts. ECC emerged as that alternative. Today, ECC provides the same level of security as RSA but with significantly smaller key sizes. For example, a 256-bit ECC key is considered equivalent in strength to a 3072-bit RSA key, though this depends on the state of cryptanalysis techniques and computing power available. This efficiency has reduced computational load and improved performance, particularly for mobile devices, IoT applications, and environments where resources are constrained. For key exchange protocols, ECC has now become the current preferred choice. However, while ECC is increasingly adopted for key exchange, RSA certificates remain widely deployed due to their longstanding prevalence and compatibility across existing infrastructure. This reflects the ongoing transition in cryptographic practices, where ECC is gaining traction, but RSA continues to dominate legacy systems. Looking ahead, however, cryptographic standards will continue to change. RSA's security relies on the computational difficulty of factoring large numbers, a problem that quantum computers may efficiently solve using Shor's algorithm. Similarly, ECC's security depends on solving the elliptic curve discrete logarithm problem, which is also potentially vulnerable to quantum attacks. Although these quantum threats remain theoretical, they underscore the need for continued innovation in cryptographic systems. More on this later. RSA: A Static Key Exchange Let's begin with the classic RSA key exchange, the cornerstone of secure communications for years. A server has a certificate and a key. The certificate contains the server's public key, shared with anyone who wants to connect, while the private key is securely stored on the server. This is called asymmetric encryption (two different but mathematically linked keys: a public and private key). It's secure but typically hundreds or thousands of times slower than symmetric algorithms like AES. How RSA Works An RSA public/private key pair works like a special automatic locking box you can send in the post. This box (the public key) ensures anyone can securely send a message, but only the owner, with their private key, can unlock it to retrieve the contents. RSA is based on asymmetric encryption, which uses two mathematically linked keys: Public Key: Shared openly and used to encrypt data. Private Key: Kept secure and used to decrypt data. When a client connects: The server provides its RSA public key in a certificate. The client generates a random secret, known as the pre-master secret, and encrypts it using the server's public key. The server decrypts the pre-master secret with its private key. The client and server use the pre-master secret to derive a symmetric session key, which encrypts the rest of the connection using faster algorithms like AES. The public and private keys are used only during the initial exchange of the pre-master secret. Once the symmetric session key is derived, it is used for the rest of the communication. This transition ensures the connection remains secure while leveraging the speed of symmetric encryption for the remainder of the session. The Mathematical Foundation RSA’s security relies on the mathematical difficulty of factoring large numbers. While it’s easy to multiply two numbers together, it’s incredibly hard to reverse the process and figure out the original numbers—especially when the numbers involved are very large. At some point, long before a client connects and the key exchange process begins, the server administrator will have created a private key and a public key while creating the server’s certificate. The public key will be included in the certificate and sent to clients, while the private key will remain stored securely on the server. This process will have occurred when the keys were generated: The server will have picked two large prime numbers (commonly called p and q), each hundreds of digits long. These primes were multiplied to create a larger number (called n), the modulus. The public key is made up of: n: the product of multiplying p and q e: a smaller number, often a standard value like 65537, used for encrypting data The private key is derived using p, q, and e through a mathematical process called “modular inversion” that ensures only the server can decrypt data encrypted with the public key. When a client connects, the public and private keys work together during the key exchange: The public key is included in the certificate and sent to the client, who uses it to encrypt the pre-master secret. The private key is kept secret. The server uses it to decrypt the pre-master secret sent by the client. Once the pre-master secret is securely shared, the client and server use it to derive a symmetric session key, efficiently encrypting the rest of the communication. Why the Secrecy of p and q Matters The security of RSA depends on keeping the prime numbers p and q secret. If someone could figure out p and q from n, they could calculate the private key and decrypt any communication. However, factoring n back into p and q is extremely difficult and becomes exponentially harder as the key size increases. Modular Exponentiation and Why Asymmetric Encryption is only used for the initial key exchange Aside from sounding like the strangest Harry Potter novel, touching on modular exponentiation is an excellent opportunity to explain why asymmetric encryption (like RSA) is only used for the initial key exchange and not for encrypting the entire conversation. Modular exponentiation is the operation used during encryption and decryption in RSA: To encrypt, the client computes c = m^e mod n, where m is the message, e is the public exponent, and n is the modulus. To decrypt, the server computes m = c^d mod n, where d is the private exponent. This process is computationally intensive, especially for larger key sizes (like 2048 or 3072 bits), because it involves repeated multiplication and division by n. The bigger the key size, the more time and processing power it takes. Using RSA for every message in a conversation would be highly inefficient. Rather than m consisting of just small handshake data, the RSA calculation would need to be performed for the content of every data packet exchanged during the session. Even on modern CPUs, performing RSA encryption or decryption for each data packet is significantly slower than using a symmetric cipher like AES. For example, while RSA-2048 can encrypt a small piece of data (such as a 256-byte pre-master secret) in microseconds to milliseconds, AES can encrypt 1 MB of bulk data in under a millisecond on typical hardware. This performance gap is why RSA is used only at the start of a session to secure the key exchange for a faster symmetric cipher like AES. The Vulnerability The RSA key exchange has a significant weakness: it lacks forward secrecy. Suppose the server's private RSA key is ever compromised, whether tomorrow or years from now. In that case, an attacker who recorded any past traffic can retroactively decrypt the key exchange, retrieve the pre-master secret, and decrypt the traffic. For this reason, RSA key exchange is discouraged in modern TLS setups, which favor ephemeral methods like ECDHE (for example, TLS 1.3 uses ECDHE as its default key exchange method). The RSA key exchange lacks forward secrecy, a critical limitation in modern cryptography. Since the same private key is reused across all sessions, a single compromise of the key renders all previously recorded traffic vulnerable to decryption. This creates a significant risk for sensitive data in environments requiring long-term security. Historical sessions remain at risk if the primary RSA key is stolen later. Forward Secrecy (also called Perfect Forward Secrecy—PFS) is a security property in which compromising long-term keys (like a server's RSA private key) doesn't compromise past session keys. The RSA Key Exchange lacks Forward Secrecy. The Security-Performance Trade-off Smaller key sizes (e.g., 512 bits) are completely insecure by modern standards and can now be factored within hours using readily available home PCs and laptops. Larger keys (e.g., 1024 or 2048 bits) are exponentially harder to break but require more processing power. This creates a trade-off between security and performance: In the 90s, 512-bit keys were standard, balancing security and computational cost By the 2000s, 1024-bit keys became the norm Today, 2048-bit keys are standard (and considered the minimum) for strong encryption, with larger sizes (e.g., 3072 or 4096 bits) used for high-security applications Diffie-Hellman (DHE) and Forward Secrecy Diffie-Hellman Ephemeral (DHE) uses a different approach to address the lack of forward secrecy in RSA key exchange. DHE generates new, temporary key pairs for each session. This 'ephemeral' (meaning short-lived or per session) design ensures that even if a private key from one session is compromised, past and future sessions remain secure. How DHE Works In this process: The client and server each generate a private secret number (their "private DH key"). This private key is never shared with anyone. They calculate corresponding public values from their private keys Using a shared mathematical base (a known prime number and generator). These public values are safe to share and are exchanged between the client and server. Each side combines its private key with the other party's public value through a mathematical process (called modular exponentiation) to arrive at the same shared secret. The public values are safe to share because they cannot be reversed to reveal the private keys. This security relies on a mathematical property called the discrete logarithm problem, which is computationally infeasible to solve for large numbers. Through modular exponentiation, the client and server independently calculate the shared secret without transmitting it over the connection. This differs from public-private key-pair encryption (like RSA), where there are two keys for encryption and decryption. In contrast, Diffie-Hellman is a key exchange protocol focused on securely creating a shared secret without ever exposing it. Key Sizes and Security To provide the same level of protection, a DH key needs to match the size of the RSA key it replaces. For example, rather than using a 2048-bit RSA key, you might use a 2048-bit DH key. In this case, the "DH key" refers to the private random number generated by the client and server for that individual session. The cryptographic library on each side will then use that key with predefined groups of widely accepted and pre-agreed secure prime numbers to calculate the modular exponentiation. The cryptographic library will select a prime matching the size of the key. For instance, a "2048-bit DH key" corresponds to a group with a 2048-bit prime modulus, ensuring consistent security. The Benefits and Drawbacks Key Benefits: As ephemeral/per-session keys are used, a new private key is generated for each session. Even if an attacker compromises the server's long-term RSA key in the future, they cannot decrypt past or future sessions. The server can still prove its identity using RSA while the shared secret is derived via DH. The Drawback: The modular exponentiation required to compute public values and derive shared secrets is CPU intensive, especially when using large prime numbers. On busy servers, this can become a bottleneck, leading to: High CPU usage: Servers handling many connections experience significant overhead Battery drain: Mobile devices checking email or browsing frequently suffer reduced battery life Elliptic Curves—Smaller, Yet More Secure Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) involves much smaller key sizes and is orders of magnitude faster. ECC significantly reduces computational requirements for servers and clients, making it well-suited for mobile devices, IoT sensors, and high-traffic environments. For instance, a 256-bit ECC key provides the same security strength as a 3072-bit RSA key while requiring a fraction of the processing power and bandwidth. This efficiency allows secure connections without compromising speed or scalability. But how does it work? Understanding Elliptic Curves First, let's define what Elliptic Curves are. Imagine you have a pre-agreed curve defined by a mathematical equation (shown in the diagram) and a point on that curve that everyone knows about. This point is called the base point (denoted as G). To start, you pick a secret number - your private key. The larger this number, the stronger your security. Using your private key, you perform a mathematical operation called scalar multiplication, which involves multiplying the base point G by your private key. This isn't simple multiplication, though - it consists of adding the point to itself following specific geometric rules, where each addition requires drawing lines between points and finding intersections with the curve. As our diagram illustrates, all calculations are done using modular arithmetic, making the resulting points jump unpredictably around the curve. This operation is similar to repeatedly adding the base point to itself a number of times equal to the value of the private key, treated as an integer. To put this into perspective, using a 256-bit private key means 2^256 (approximately 10^77) possible private keys. This is an astronomically large number - even the number of atoms in the Milky Way galaxy (roughly 10^67 to 10^69) is around 100 million times smaller than this number of possibilities. While these geometric operations of finding intersections would be incredibly slow if done one at a time, computers can optimize this process using an efficient method called "double-and-add." This method still follows the same geometric rules for each operation. Still, it strategically combines point doublings (2G, 4G, etc.) with selective additions to minimize the number of geometric operations needed. With double-and-add, computing scalar multiplication requires only about 256-point operations for a 256-bit key, making it computationally feasible. The Security Foundation The result of this calculation is a new point on the curve, which becomes your public key. While it's easy to calculate the public key from the private key (by performing scalar multiplication), it's challenging to reverse and find the process. The mathematical properties of elliptic curves over finite fields mean that scalar multiplication produces points with no predictable pattern, making it computationally infeasible to work backward. To reverse the process, an attacker would need to solve the Elliptic Curve Discrete Logarithm Problem, for which no efficient mathematical solution is currently known (although this may change as quantum computing advances). With a 256-bit key space (approximately 10^77 possibilities), even with the most efficient known mathematical approaches running on the fastest classical computers, solving the ECDLP would take longer than the universe's age. ECDHE - DHE, but on an Elliptic Curve Why ECDHE Became the Standard Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is simply taking the Diffie-Hellman concept and performing it over an elliptic curve rather than using huge primes. Each party picks a random integer (the private key), multiplies a known "base point" on the curve by this integer to get a public point, and exchanges these public points. By combining the public point they receive with their private key, they compute a shared secret - and never actually send it over the wire. This approach is much faster than traditional DHE because ECC arithmetic on 256-bit numbers is quicker than exponentiation with 2048+ bit primes, and you still get forward secrecy via ephemeral keys. Like the RSA + DHE scenario, an RSA certificate can be used with ECDHE purely for authentication (the server proves its identity with the RSA certificate, while the actual shared secret is derived via elliptic-curve DH). This makes ECC an ideal choice for modern cryptographic applications, where efficiency and security are critical (where are they not?), and ECDHE is now standard for key exchange. (For a detailed NetScaler configuration guide implementing these methods, see 'Networking SSL/TLS Best Practices (Q1 2025 Edition)'.) Protocol Key Size (Equivalent Strength) Performance Impact Forward Secrecy Modern Usage RSA 2048-bit High No Legacy systems DHE 2048-bit Moderate Yes Some applications ECDHE 256-bit ECC Low Yes Default in TLS 1.3 The Importance of Standardized Curves One final note: we can’t just casually invent our own elliptic curve parameters. Curves used in cryptography – like NIST P-256, Curve25519, and P-384 – undergo rigorous scrutiny by the cryptographic community. Small errors in curve definition or parameter selection can severely weaken security, making it easier for attackers to exploit vulnerabilities. Worse, obscure or poorly reviewed curves could contain intentional backdoors, leaving systems compromised. This is why widely validated curves, like NIST P-256 and Curve25519, have become the gold standard for ensuring cryptographic integrity. (Refer to the 'Networking SSL/TLS Best Practices (Q1 2025 Edition)' configuration guide for practical implementation of these curve selections.) New standardized curves, such as Curve448 and those from the SafeCurves project, continue to be developed and reviewed to address evolving cryptographic needs. That’s why standardization bodies and industry consensus are crucial: adopting widely validated, open curves ensures your security is based on well-tested math that the world’s cryptographers have combed over. For example, poorly chosen parameters could introduce vulnerabilities, making the curve susceptible to faster-than-expected attacks. Worse, intentionally flawed curves could harbor backdoors, compromising all data protected by them. Adopting widely validated and open standards like NIST P-256 and Curve25519 is critical to ensuring robust security. As cryptography continues to evolve, mastering key exchange protocols is crucial—not just for securing today’s data but also for building resilient systems that can withstand the challenges of tomorrow’s threat landscape.Wed, 08 Jan 2025 15:07:33 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/networking-tls-best-practices-2025/Wed, 08 Jan 2025 15:07:00 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/horizon-to-citrix-what-to-know/Overview Migrating from Omnissa Horizon to the Citrix Platform requires detailed planning and execution. Though both technologies allow users to access virtual desktops and apps, it is necessary to understand their differences and respective architectures. Both Omnissa and Citrix deliver applications and desktops to users, but they employ different technologies to achieve this. Omnissa supports various remoting protocols, including Blast Extreme, PCoIP, and RDP, offering flexibility for diverse environments and user needs. On the other hand, Citrix relies on its proprietary HDX technology, which builds upon the ICA remoting protocol. HDX offers a more integrated and optimized experience within Citrix environments, providing performance and management advantages over Omnissa. This document is intended to help Horizon Administrators understand the architectural differences between the two platforms rather than provide a feature-by-feature comparison. Citrix Platform Introduction The Citrix platform is a comprehensive, enterprise-wide solution that includes all of Citrix and NetScaler's capabilities. It provides access to virtual applications and desktops, Zero-Trust access, and high-performance, secure application delivery, all with end-to-end observability. With the Citrix platform, you can deliver, monitor, and manage secure access to enterprise content while ensuring high performance and security for any user on any device. Citrix Platform Architecture The Citrix platform provides both on-premises and cloud architectures to deliver multi-hybrid-cloud resources to your end users. Citrix Virtual Apps and Desktops Citrix Virtual Apps and Desktops are virtualization solutions that give IT control of virtual machines, applications, licensing, and security while providing access to any device anywhere. The solution allows end users to run applications and desktops independently of the device's operating system and interfaces, and it enables administrators to manage the network and control access from selected devices or all devices. The components in Citrix Virtual Apps and Desktops are broken down into layers. User Layer Citrix Workspace app – The Citrix Workspace app is installed on client devices (desktops, laptops, tablets, mobile phones, thin clients) and provides users with quick, secure, self-service access to documents, applications, and desktops. Access Layer NetScaler Gateway—When users connect outside the corporate firewall, Citrix Virtual Apps and Desktops can use NetScaler Gateway to secure these connections with TLS. NetScaler MPX/SDX physical or NetScaler VPX virtual appliance is an SSL VPN deployed in the demilitarized zone (DMZ). It provides a single secure point of access through the corporate firewall. Citrix StoreFront – Citrix StoreFront is a web server that authenticates users and manages stores of desktops and applications that users access. It can host your enterprise application store, giving users self-service access to the desktops and applications you make available. It also tracks users’ application subscriptions, shortcut names, and other data, helping ensure a consistent experience across multiple devices. Control Layer Delivery Controllers—The Delivery Controller is the central management component of each Citrix Virtual Apps and Desktops site. It contains several services that allow it to communicate with the hypervisor or hyperscaler to distribute applications and desktops, authenticate and manage user access, broker connections between users and their resources, load balance connections, and optimize user connections. Other services track which users are logged on and where session resources are being used, and data is being monitored for troubleshooting and historical purposes. License Server - The License Server manages your Citrix product licenses. It communicates with the Controller to manage licensing for each user’s session and with Web Studio to allocate license files. A site must have at least one license server to store and manage your license files. Web Studio - Web Studio is a web-based management console that lets you configure and manage your Citrix Virtual Apps and Desktops deployment. Director - Director is a web-based tool that enables IT support and help desk teams to monitor an environment, troubleshoot issues before they become system-critical, and perform support tasks for end users. One Director deployment can connect to and monitor multiple Citrix Virtual Apps or Citrix Virtual Desktops sites. Secure Private Access—Citrix Secure Private Access, an on-premises solution, enhances an organization’s overall security and compliance posture by easily delivering Zero Trust Network Access to browser-based apps (internal web apps and SaaS apps) using StoreFront as a unified access portal to web and SaaS apps, along with virtual apps and desktops. Workspace Environment Management - Workspace Environment Management uses intelligent resource management and profile management technologies to deliver the best possible performance, desktop logon, and application response times for Citrix Virtual Apps and Desktops deployments. It is a software-only, driver-free solution. Databases – Microsoft SQL server databases are required for every Citrix Virtual Apps and Desktops site. Three databases are needed for each site. Each database contains specific information for its database roles, such as the Site database, which stores the running configuration and current session state and connection information. The Logging database stores information about the site configuration changes and administrative activities, and the Monitoring database stores the session and connection information to be used by the Citrix Director monitoring tool. Workspace Environment Management also requires a SQL server database to store its settings. Secure Private Access requires a database for information about the applications, policies, and related artwork. It also includes information related to troubleshooting and telemetry. Resource Layer Virtual Delivery Agent (VDA)—Each physical or virtual machine that delivers resources (applications and desktops) must have a Citrix VDA installed. VDAs establish and manage the connection between the machine on which they’re installed and the user device and apply policies configured for the session. uberAgent – Provides visibility across physical and virtual Windows servers, client operating systems, and MacOS endpoints. Compute Layer Citrix Virtual Apps and Desktops infrastructure and resources can be fully deployed in an on-premises data center, supported public cloud, or hybrid approach. Citrix DaaS User Layer Citrix Workspace app – The Citrix Workspace app is installed on client devices (desktops, laptops, tablets, mobile phones, thin clients) and provides users with quick, secure, self-service access to documents, applications, and desktops. Access Layer Citrix Workspace—Citrix Workspace is a cloud-hosted service that provides secure access to virtual apps and desktops, web, and SaaS apps from a web browser or Citrix Workspace app. Citrix manages this service. Gateway service – The Citrix Gateway service is a Citrix-managed service that provides secure remote access to Citrix DaaS desktops and applications without deploying NetScaler Gateway in an on-premises DMZ. Control Layer Citrix DaaS—Citrix DaaS is a service that provides app and desktop virtualization. The components (Delivery Controllers, Databases, Licensing, Studio, Director) mentioned within the Citrix Virtual Apps and Desktops architecture are managed and maintained by Citrix as a service. Secure Private Access—The Citrix Secure Private Access service enables administrators to provide a cohesive experience by integrating single sign-on, remote access, and content inspection into a single solution for end-to-end access control. Thus, administrators can govern access to approved SaaS apps with a simplified single sign-on experience. Workspace Environment Management – The Workspace Environment Management service uses intelligent resource management and Profile Management technologies to deliver the best possible performance, desktop logon, and application response times. Monitor—The Monitor console enables IT support and help desk teams to monitor an environment, troubleshoot issues before they become critical, and perform support tasks for end users. Web Studio - Studio is a web-based central portal that lets you configure, manage, and monitor your DaaS deployments for delivering virtual apps and desktops. Resource Layer Cloud Connector—Cloud Connectors are the communications channel between the Citrix Cloud and resource location components. In the resource location, the Cloud Connector acts as a proxy for the Delivery Controller in Citrix Cloud. Citrix updates and manages the Cloud Connector software. Virtual Delivery Agent (VDA)—Each physical or virtual machine that delivers resources (applications and desktops) must have a Citrix VDA installed. VDAs establish and manage the connection between the machine on which they’re installed and the user device and apply policies configured for the session. uberAgent – Provides visibility across physical and virtual Windows servers, client operating systems, and MacOS endpoints. Compute Layer Citrix DaaS resources can be fully deployed in an on-premises data center, supported public cloud, or hybrid approach. Additional Components Many additional Citrix components are available for both Citrix Virtual Apps and Desktops and Citrix DaaS deployments. These include: Citrix Profile Management – A profile solution for Citrix deployments can be installed on each Virtual Delivery Agent. Federated Authentication Service - Federated Authentication Service (FAS) is a privileged component that integrates with Active Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an Active Directory environment as if they had a smart card. This allows StoreFront to use more authentication options, such as SAML (Security Assertion Markup Language) assertions. SAML is commonly used as an alternative to traditional Windows user accounts on the Internet. Citrix Provisioning - Citrix Provisioning is software streaming technology that delivers patches, updates, and configuration information to multiple virtual desktop endpoints through a shared desktop image. It centralizes virtual machine management while reducing a virtualized desktop environment's operational and storage costs. App Layering—Citrix App Layering is a technology that simplifies the management of virtual desktop images by separating the operating system and applications into distinct "layers." Administrators can independently update and manage each layer, creating a more streamlined approach to deploying and maintaining applications across different user groups and environments. Endpoint Management—Citrix Endpoint Management is a solution for managing endpoints. It offers Mobile Device Management (MDM) and mobile application management (MAM) capabilities. It allows you to manage device and app policies and deliver apps to users. Global App and Configuration Service – Cloud service to help manage Citrix Workspace app settings for end users on managed and unmanaged devices. Settings can be configured for both Citrix Workspace and Citrix StoreFront environments. XenServer - XenServer is a virtualization platform that allows organizations to create and manage virtualized server infrastructures. It is designed to optimize the delivery of Windows and Linux virtual machines, providing a robust and scalable solution for data center virtualization. Session Recording—Session Recording records, catalogs, and archives sessions for retrieval and playback. It provides flexible policies to automatically trigger recordings of application and desktop sessions and supports dynamic session recording. deviceTRUST introduces real-time contextual access for virtual desktop infrastructure (VDI) and desktop-as-a-service (DaaS) environments, including locally installed applications. It enables granular access control based on device posture and user context, allowing organizations to continuously monitor and respond to changes, strengthen security, and minimize endpoint risk. Strong Network – Strong Network provides secure cloud development environments where mission-critical applications can be built, launched, and accessed more efficiently and cost-effectively. Terms to Know If you're a Horizon administrator, you're likely familiar with the terminology and concepts of managing your Horizon deployment. To help with your migration efforts, here's a table highlighting the key differences between Omnissa and Citrix. Omnissa Term/Concept Citrix Term/Concept Connection Server Delivery Controller Linked Clone Machine Creation Services Connection Server StoreFront Universal Access Gateway NetScaler Gateway Horizon Console Web Studio Replicas Master Images Pools Machine Catalogs Application Pools Delivery Groups Floating Dedicated, Dedicated Random Non-Persistent, Static Non-Persistent, Static Persistent Entitlements Assignments App Volumes App Layering Horizon Agent Virtual Delivery Agent (VDA) Horizon Client Citrix Workspace app Horizon Enrollment Server Federated Authentication Service Horizon Edge Gateway Appliance (next-gen cloud service) Cloud Connector Horizon Cloud Connector (first gen) Cloud Connector Dynamic Environment Manager Profile Management ESXi XenServer Extended Service Branch (ESB) Long Term Service Release (LTSR) Available Resources Beyond the links in this document, several resources are available to help you get started with Citrix. These include: Citrix Product Documentation Citrix DaaS POC Guide Citrix Virtual Apps and Desktops POC Guide Citrix Terraform Provider Citrix Features Explained: Citrix DaaS Additionally, as part of your Citrix license, Citrix training is available for free at Pluralsight.Fri, 20 Dec 2024 15:03:00 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/automate-cc-health/Wed, 18 Dec 2024 15:19:00 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/detecting-and-mitigating-password-spraying-attacks-nsg/Mon, 16 Dec 2024 18:36:00 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/cvad/Thu, 12 Dec 2024 16:08:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/mcs-machine-profile/Overview Machine profile is a feature available to Citrix administrators who use Machine Creation Services (MCS) to provision machines in Citrix Virtual Apps and Desktops and Citrix DaaS environments. This article will cover the key reasons for using a machine profile and the steps necessary to configure machine profiles in your environment. This includes how to deploy via: Web Studio through Recommendations New Machine Catalog creation Editing an existing Machine Catalog PowerShell Scripts (navigate to your desired hypervisor) What is a machine profile? A machine profile serves as a template for virtual machines (VM), providing hardware details, network settings, and features across hypervisors. Machine Creation Services (MCS) captures those details and applies them to provisioned machines in the catalog in a unified manner. In other words, the properties of the machine profile source can be "carried through" to the created machines. The source of the machine profile can be a VM or a VM template (like an Azure template). For more information on properties captured, please see the Citrix SDK documentation. Why use a machine profile? A machine profile can help you implement new features rolled out by hypervisors from day one. Take, for instance, when Azure added support for using proximity placement groups. When Microsoft released the feature, if a machine profile was configured to use a proximity placement group, machines provisioned by MCS based on that profile would use the same proximity placement group automatically, with minimal admin input. Additionally, many hypervisor capabilities are only supported via machine profiles. We highly encourage machine profiles if specific hypervisor capabilities are desired in your Citrix environment. Here are some examples of hypervisor-specific features that are captured from a machine profile: Azure: accelerated networking, availability zones, boot diagnostic, host disk caching AWS: tenancy type, hibernation capability GCP: zones, service accounts, accelerators VMware: folder ID, vTPM data, storage policy, guest OS XenServer: generation, vGPU A machine profile offers several key improvements to deployments. Automation. Machine profiles simplify the process of deploying virtual machines by enabling administrators to implement predefined hardware configurations across all machines. Standardization. Ensure that all machines adhere to standardized configurations on all hypervisor and hyperscaler platforms, which is crucial for reducing errors. Hardware-versioning. Admins can keep an inventory of template versions, each with different customizations, on their hypervisors that can be used to update catalogs. When editing a catalog, a new machine profile can be picked anytime to update or roll back changes. Security. Certain platform security features (e.g., trusted launch, disk encryption) require a machine profile. A machine profile can also ensure security policies are applied across all VMs. Cost-savings. Using a machine profile also enables VM hibernation, allowing you to pause idle VMs and save on compute costs. Check out our product docs and blog on creating hibernation-capable VMs. How do I use a machine profile? Machine profiles can be enabled when you create or edit a catalog and through the Recommendations widget available within Web Studio. In this guide, we will be provisioning on Microsoft Azure with machine profiles. Machine profiles are available across different platforms; please see the product documentation for more details. Using Web Studio There are several different ways to implement machine profiles through Web Studio. Through Recommendation Note: If you do not see the recommendation, refer to the “Through Catalog Creation” and “Through Editing an Existing Catalog” sections below to deploy a machine profile. On the Citrix DaaS full configuration console, select View all under Recommendations. Recommendations can also be accessed via the Machine Catalog page. On the next screen, Click Start on the recommendation to Simplify Catalog Configuration with Machine Profile. Click Edit on the catalog where you would like to begin the configuration of a machine profile. Use a machine profile for the catalog and select a machine profile source. Select the machine profile source (e.g., VM, template) you want to apply and hit Done. Through Catalog Creation After clicking Create in the Machine Catalog console, you can choose a machine profile under the Image tab. Choose the machine profile source (ex. VM, template) to apply and hit Done. The selected machine profile will appear, and you may proceed with the catalog creation by clicking Next. Through Editing an Existing Catalog Select the catalog and click Edit Machine Catalog. Select Machine Profile. Note: When editing a catalog with a machine profile selected, you can update the machine profile by selecting the pencil icon. You may see a warning when the selected machine profile differs from the original catalog properties. Select Confirm to proceed with the changes, or select Cancel if you do not wish to continue. Select Apply and Save. Using Powershell To configure a machine profile through PowerShell, use the -MachineProfile parameter available within the New-ProvScheme operation. The MachineProfile parameter is a string containing a Citrix inventory item path to the VM or VM template that will be used as the machine profile. Example Script: $provScheme = New-ProvScheme -ProvisioningSchemeName AWS1 -HostingUnitName aws-test -IdentityPoolName idPool1 -MasterImageVM "XDHyp:\HostingUnits\aws-test\TemplateAmi (ami-06927522c36bf4109).template" -CleanOnBoot -MachineProfile "XDHyp:\HostingUnits\aws-test\us-east-1a.availabilityzone\server-vda (i-0c136ee2a01a3dd60).vm" For detailed instructions on how to apply a machine profile to new and existing catalogs, follow sample scripts from GitHub (navigate to your desired hypervisor directory’s “MachineProfile folder”). Summary With the Machine Creation Services (MCS) machine profile feature, you can roll out hardware updates to VMs using a single centralized workflow. Available for Citrix Virtual Apps and Desktops and Citrix DaaS environments across all supported hypervisors and hyperscalers, the machine profile helps you maintain your environment at scale.Thu, 12 Dec 2024 15:32:00 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/windows-365-citrix-session-recording-service/Fri, 29 Nov 2024 18:45:00 +0000https://community.stage.citrix.com/tech-zone/automation/terraform-daily-administration/Tue, 26 Nov 2024 14:40:37 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/mcs-image-mgmt/Mon, 18 Nov 2024 08:30:00 +0000https://community.stage.citrix.com/tech-zone/learn/tech-insights/citrix-integration-nutanix-pc/The Citrix integration with Nutanix Prism Central on AHV makes it easier for Citrix Administrators to manage Citrix workloads on Nutanix's hybrid multi-cloud environments. With this new integration, Citrix's capabilities work directly with Nutanix Prism Central hybrid and multi-cloud environments, including on-premises AHV, NC2 on Azure, and NC2 on AWS. Find out more in this Citrix Tech Insight! Citrix_TechInsight_NutanixPlugin.mp4Fri, 15 Nov 2024 15:02:09 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/daas-and-awc-terraform/Tue, 12 Nov 2024 15:20:30 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/citrix-vda-upgrade-service-posh/Wed, 06 Nov 2024 19:01:00 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/daas-on-awc/Sat, 02 Nov 2024 11:28:00 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/ucssdk/Tue, 22 Oct 2024 18:35:00 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/daas-on-amazon-ec2/Tue, 15 Oct 2024 11:54:17 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/citrix-for-aws-workspaces-core/Overview AWS WorkSpaces Core is a managed virtual desktop infrastructure designed to work with third-party VDI solutions such as Citrix DaaS. It is the compute layer of AWS workloads that the Citrix DaaS control plane can help orchestrate and manage to deliver HDX-optimized apps anywhere. AWS WorkSpaces Core and Citrix improve cost savings, simplify cloud management, and provide a superior user experience. Citrix DaaS treats AWS WorkSpaces Core as another Resource Location option to leverage within your deployment. It helps your IT teams manage and provision WorkSpace Core desktops directly from the Citrix platform, reducing application delivery complexity and simplifying operations. With security features like Zero Trust Network Access (ZTNA), contextual access policies, and secure browser redirection, Citrix protects your business from cyber threats and data leaks. Citrix improves the WorkSpaces Core experience with advanced HDX graphics, Unified Communication optimizations, USB redirection, and support for 3D workloads, ensuring smooth performance on any device or network. With centralized management, automated patching, and streamlined updates, Citrix optimizes your budget by reducing IT costs and complexity. Why Citrix DaaS for AWS WorkSpaces Core? Citrix DaaS for AWS WorkSpaces Core combines the best of everything, merged with Citrix, Amazon, and Microsoft, to build the most cloud-friendly virtual desktop solution. With Citrix’s proven technologies, enterprises can improve scalability, reduce costs, maintain a strong security posture, and enhance user productivity. Improve Scalability Use your existing Citrix management software to provide users with the highly scalable AWS WorkSpaces Core solution without dealing with the long lead times associated with procuring new on-premises infrastructure. Manage the entire solution with your existing Citrix DaaS entitlement. Reduce Costs AWS WorkSpaces Core offers flexible billing options and pay-as-you-go pricing, allowing you to only pay for resources used. Eliminating the need for capacity planning frees internal resources to focus on higher ROI initiatives. Citrix DaaS additionally helps reduce costs with its Autoscale feature by automatically scaling resources up and down with demand and without over-provisioning infrastructure. Maintain a Strong Security Posture Running Citrix DaaS on WorkSpaces Core bolsters security by leveraging highly secure, fully managed AWS Cloud infrastructure. Additionally, you can secure your enterprise with Citrix Secure Private Access, which integrates single sign-on, remote access, and content inspection into a single solution for end-to-end access control. Network and end-user devices can be protected from malware and data leaks, and access security policies for secure access to SaaS and Web applications can be enforced. Additionally, printing, downloads, and clipboard access can be restricted. Enhance User Productivity Citrix DaaS and AWS WorkSpaces Core allow resources to be placed in close geographic proximity to end users. At the same time, data is transmitted through the high-speed AWS backbone, minimizing latency and optimizing end-user experience. User productivity is further enhanced with the globally deployed Citrix Gateway service, which provides highly available, secure remote access; end users are optimally routed to the closest Gateway service POP location. Citrix DaaS for AWS WorkSpaces Core Architecture Citrix DaaS interacts directly with AWS WorkSpaces Core via APIs. In appearance, AWS WorkSpaces Core is another resource location for Citrix DaaS, but communication happens at the API level between the services. Citrix Workspace app provides users with secure, self-service access to documents, applications, and desktops from any device, including smartphones, tablets, and PCs. It also provides on-demand access to Windows, web, and Software as a Service (SaaS) applications. For devices that cannot install Citrix Workspace app software, the Citrix Workspace app for HTML5 provides a connection through an HTML5-compatible web browser. Citrix Workspace is a service that provides secure access to your desktop from a web browser or Citrix Workspace app. Citrix Gateway service enables secure, remote access to desktops without deploying Citrix Gateway in the DMZ or reconfiguring your firewall. The infrastructure overhead of using Citrix Gateway moves to Citrix Cloud. Citrix DaaS is a cloud-based service managed by Citrix that provides application and desktop virtualization. Citrix manages the user access and management services and components in Citrix Cloud. The applications and desktops you deliver to users reside on machines in one or more resource locations. In a Citrix DaaS deployment, a resource location contains components from the access layer and resource layers. Cloud Monitor enables IT support and help desk teams to monitor an environment, troubleshoot issues before they become critical, and perform support tasks for end user Citrix Cloud Studio is a web-based, central portal that lets administrators configure, manage, and monitor their DaaS deployments to deliver virtual apps and desktops. Cloud Connectors are the communications channel between the Citrix Cloud and resource location components. They are proxies for the Delivery Controller in Citrix Cloud in the resource location. Once the Cloud Connectors are installed, the software is managed and updated. Enterprises are responsible for Windows updates and patching. Microsoft Active Directory is used for authentication and authorization. It authenticates users and ensures that they are getting access to appropriate resources. A subscriber’s identity defines the services to which they have access in Citrix Cloud. This identity comes from Active Directory domain accounts provided from the domains within the resource location. Citrix Virtual Delivery Agents (VDA) are virtual machines hosted in AWS WorkSpaces Core that must have a Citrix VDA installed. VDAs establish and manage the connection between the machine on which they’re installed and the user device and apply policies configured for the session. AWS AD Connector provides a gateway within AWS WorkSpaces Core to your on-premises Microsoft Active Directory without needing to cache any information in the cloud. HDX is the Citrix proprietary high-definition HDX technology that delivers high-quality voice, video, multimedia, and 3D graphics applications even over low bandwidth. HDX technology makes cloud-hosted virtual applications and desktops perform as if installed locally on the user’s device for seamless experiences. Citrix DaaS for AWS WorkSpaces Core Onboarding Information on the Citrix DaaS for AWS WorkSpaces Core prerequisites and supported configuration can be found here. To configure Citrix DaaS for AWS WorkSpaces Core, follow these steps in order: Create a resource location Connect your AWS account Create a directory connection Import an image Create a deployment After completing the configuration, end users can access their Citrix-enhanced AWS WorkSpaces Core desktop through the Citrix Workspace app alongside other Citrix-provided content. References Citrix DaaS for Amazon WorkSpaces CoreWed, 09 Oct 2024 19:40:00 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/citrix-for-windows-365/Wed, 09 Oct 2024 11:51:00 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/citrix-for-windows-365/Overview Citrix for Windows 365 integrates Citrix Cloud with Windows 365 Cloud PCs to deliver a high-performance, secure, and easy-to-manage solution. This combination enables organizations to provide a seamless hybrid work experience, supporting diverse use cases beyond standard Windows 365 capabilities. Citrix helps IT teams manage and provision Cloud PCs directly from the Citrix platform, reducing application delivery complexity and simplifying operations. With security features like Zero Trust Network Access (ZTNA), contextual access policies, and secure browser redirection, Citrix protects your business from cyber threats and data leaks. Citrix improves the Windows 365 Cloud PC experience with adaptive HDX graphics, Microsoft Teams and Unified Communications optimizations, USB redirection, and support for 3D workloads, ensuring smooth performance on any device or network. With Citrix, customers can support a wide range of hybrid work scenarios, such as remote and BYOD employees, high-turnover environments like call centers, and scaling up for seasonal demand. Citrix provides flexibility to run Cloud PCs and on-prem workloads side-by-side, avoiding vendor lock-in and offering seamless integration with existing infrastructure. Why Citrix for Windows 365? Citrix extends Windows 365's value by delivering a solution that protects your business, integrates your ecosystem, optimizes your budget, and improves user satisfaction. With Citrix’s proven technologies, organizations get a secure, efficient, and flexible environment to support their hybrid work strategy. Satisfied Users on Any Network Citrix HDX delivers an enhanced experience for Windows 365 Cloud PCs across any network or device. Telephony and unified communications optimizations, multimedia enhancements, and adaptive technologies ensure smooth performance, even in low-bandwidth or high-latency environments. Protect Your Business Citrix strengthens security for Windows 365 Cloud PCs with granular policy controls, giving admins control over printers, USB devices, and clipboards, protecting data from leaks or misuse. Features like Session Recording and Adaptive Access policies help keep your environment compliant and secure. Integrate Your Ecosystem Citrix supports a wide range of devices and peripherals, ensuring a consistent user experience on any endpoint. Whether it's advanced multi-monitor setups or specialty peripherals, Citrix integrates your ecosystem seamlessly. Simplify Authentication Citrix integrates with third-party identity providers, enabling secure Single Sign-On, Multi-factor Authentication, and SAML 2.0 support, so you can use your existing identity solutions without disruption. With Citrix for Windows 365, you can protect your business, integrate your ecosystem, optimize your budget, and improve user satisfaction—all with a solution designed to make your hybrid work environment more secure, efficient, and adaptable. Citrix for Windows 365 Architecture Citrix Cloud Monitor is a web-based, central portal for configuring, managing, and monitoring your DaaS deployments for delivering virtual apps and desktops. Citrix Workspace app provides users with secure, self-service access to documents, applications, and desktops from any device, including smartphones, tablets, and PCs. It also provides on-demand access to Windows, web, and Software as a Service (SaaS) applications. For devices that cannot install Citrix Workspace app software, the Citrix Workspace app for HTML5 provides a connection through an HTML5-compatible web browser. Citrix Workspace aggregates and integrates Citrix Cloud services, enabling unified access to all the resources available to your end-users either through the browser with the Workspace URL or through the Citrix Workspace app Citrix Gateway Service is part of Citrix Cloud Services and provides secure remote access. It is a globally distributed multitenant service. End users use the nearest Point-of-Presence (PoP), regardless of the location of the Citrix Cloud Control or the location of the applications being accessed. Citrix Virtual Delivery Agent (VDA) enables the Windows 365 Cloud PC to register with the Citrix control plane, allowing the machine and its hosting resources to be available to users. VDAs establish and manage the connection between the machine and the user device. VDAs also verify that a Citrix license is available for the user or session and apply policies configured for the session. HDX - Citrix has proprietary high-definition HDX technology that delivers high-quality voice, video, multimedia, and 3D graphics applications even over low bandwidth. HDX technology makes cloud-hosted virtual applications and desktops perform as if installed locally on the user’s device for seamless experiences. Citrix for Windows 365 Onboarding Once Citrix licenses are assigned to users, Citrix communicates to the Windows 365 service that the selected users are entitled to use Citrix to access their Cloud PCs. If the selected users already have Cloud PCs provisioned, Windows 365 automatically installs the Citrix Virtual Delivery Agent (VDA) on those Cloud PCs and switches users' access to Citrix. If the selected users do not have Cloud PCs assigned, the VDA is installed immediately after the Cloud PC is provisioned at the time of Windows 365 license assignment. After installing the VDA, it registers with Citrix Cloud, and any necessary Machine Catalogs and Delivery Groups are created automatically. Cloud PCs are then available through Citrix Workspace. A Citrix policy is also created for each Windows 365 delivery group to enable the required features. Get started with Citrix for Windows 365 Information on the Citrix for Windows 365 prerequisites and supported configuration can be found here. To configure Citrix for Windows 365, complete the following steps in order: Enable the Citrix Connector for Windows 365 Connect Entra ID to Citrix Cloud Configure Citrix Workspace Connect Windows 365 to Citrix Cloud Assign Citrix Licenses to Users Provision Cloud PCs After completing this initial configuration and granting access to Windows 365, admins choose users to receive their new enhanced Cloud PC. Existing Citrix administrators can manage Windows 365 Cloud PCs alongside their other Citrix apps and desktops, consistently applying access policies and security controls across their enterprise. End users can access their Citrix-enhanced Cloud PCs through Intune, windows365.microsoft.com, or the Citrix Workspace app alongside other Citrix-provided content.Tue, 08 Oct 2024 12:08:00 +0000https://community.stage.citrix.com/tech-zone/automation/resources/Citrix DaaSCitrix DaaS Remote PowerShell SDK - The Remote PowerShell SDK automates complex and repetitive tasks and provides the mechanism to set up and manage the Citrix DaaS environment without Studio. Citrix DaaS APIs—Citrix DaaS APIs allow you to automate resource management within a Citrix Virtual Apps and Desktops deployment. Citrix Power Management of Azure Virtual Machines - REST API - Learn how to power manage Azure Virtual Machines with Citrix DaaS and REST APIs. Citrix Power Management of Azure Virtual Machines - PowerShell - Learn how to power manage Azure Virtual Machines with Citrix DaaS and PowerShell. Citrix Connector Appliance Local APIs - Use the Connector Appliance APIs to configure and manage your Connector Appliances. GitHub Plugin for Citrix Terraform Provider- Using Terraform with Citrix provider, you can manage your Citrix products via Infrastructure as Code, giving you higher efficiency and consistency on infrastructure management and better reusability on infrastructure configuration. Citrix develops and maintains the provider. Citrix DaaS and Terraform - Installing Terraform and Configuring the Citrix Terraform Provider - Learn how to install Terraform and Configuring the Citrix Terraform Provider Installing and Configuring Ansible, Terraform, and Packer for Citrix Infrastructure-as-Code-based Environments - Learn how to install a dedicated Virtual Machine with Terraform, Ansible, and Packer installed to use for IaC-based environments Using Citrix Automation with Terraform and Ansible to deploy Citrix DaaS on Microsoft Azure (2025 Update) - Learn how to use Terraform and Ansible together to automatically create a new Citrix DaaS deployment on Microsoft Azure Citrix DaaS and Terraform - Automatic Deployment of Citrix DaaS and Amazon WorkSpaces Core using Terraform - Learn how to automatically deploy Citrix DaaS and Amazon WorkSpaces Core using Terraform Citrix DaaS and Terraform - Automatic Deployment of a Resource Location on XenServer 8 - Learn how to use Terraform to automatically deploy a Citrix Cloud Resource Location on XenServer 8 Citrix DaaS and Terraform - Automatic Deployment of a Resource Location on Nutanix AHV - Learn how to use Terraform to automatically deploy a Citrix Cloud Resource Location on Nutanix AHV Citrix DaaS and Terraform - Automatic Deployment of a Resource Location on vSphere 8 - Learn how to use Terraform to deploy a Citrix Cloud Resource Location on vSphere 8 automatically Citrix DaaS and Terraform - Automatic Deployment of a Resource Location on Amazon EC2 - Learn how to use Terraform to automatically create a new Resource Location on Amazon EC2, including deploying all necessary VMs, a Machine Catalog, and a Delivery Group. Citrix DaaS and Terraform - Automatic Deployment of a Resource Location on Google Cloud Platform (GCP) - Learn how to use Terraform to automatically create a new Resource Location on Google Cloud Platform (GCP), including the deployment of all necessary VMs, a Machine Catalog, and a Delivery Group. Citrix DaaS and Terraform - Automatic Deployment of a Resource Location on Microsoft Azure - Learn how to use Terraform to automatically create a new Resource Location on Microsoft Azure, including the deployment of all necessary VMs, a new domain, a Machine Catalog, and a Delivery Group. Using HashiCorp Packer to Automate the Creation of Master Images - Learn how to use HashiCorp Packer to create Master Images for MCS automatically. Citrix Virtual Apps and DesktopsCitrix Virtual Apps and Desktops SDK - A set of PowerShell cmdlets that allows you to automate and manage various Citrix products and services. Citrix Virtual Apps and Desktops REST APIs - Citrix Virtual Apps and Desktops REST APIs allow you to automate the management of resources within a Citrix Virtual Apps and Desktops deployment. Citrix Automated Configuration tool - This tool is designed to help automate the migration of Virtual Apps and Desktop configuration (such as policies, applications, machine catalogs, and others) from one or more On-Premises site(s) to the Citrix DaaS. Automated Configuration Tool POC Guide - Learn how to use the Automated Configuration tool to automate moving your Citrix Virtual Apps and Desktops configuration to your Citrix Virtual Apps and Desktops Service deployment, as well as moving your configuration between Citrix Virtual Apps and Desktops Service deployments. Using HashiCorp Packer to Automate the Creation of Master Images - Learn how to use HashiCorp Packer to create Master Images for MCS automatically. Using Infrastructure-as-Code for deploying Citrix® Virtual Apps and Desktops™ 2507 LTSR on XenServer™ 8.4 - Learn how to use Terraform, Ansible, and Packer to fully automate the creation of a Citrix Virtual Apps and Desktops 2507 LTSR deployment on XenServer 8 Using Infrastructure-as-Code for deploying Citrix® Virtual Apps and Desktops™ 2507 LTSR on vSphere 8 - Learn how to use Terraform, Ansible, and Packer to fully automate the creation of a Citrix Virtual Apps and Desktops 2507 LTSR deployment on vSphere 8 Citrix Secure Private AccessCitrix Secure Private Access REST APIs for Configuration - Using the Secure Private Access REST APIs allows you to directly configure multiple applications and automate certain tasks. SIEM Integration for Citrix Secure Private Access Logs—Citrix Analytics for Security receives user events in real-time when users access applications through Citrix Secure Private Access, such as Citrix Workspace App, Citrix Secure Access clients, or Citrix Enterprise Browser. You can view your SIEM's user events associated with Secure Private Access. NetScalerNetScaler Next-Gen API - Through the use of NetScaler APIs, administrators can save time by automating their NetScaler configuration. NetScaler uses a proprietary protocol called NITRO that allows you to programmatically configure and monitor your NetScaler ADCs using a REST interface. NetScaler Automation Toolkit—The NetScaler Automation Toolkit contains all the NetScaler tools needed to integrate NetScaler with DevOps and Automation pipelines. NetScaler Terraform Registry (ADC)—Citrix has developed a custom Terraform provider to automate Citrix ADC deployments and configurations. You can custom configure your ADCs using Terraform for different use cases, such as Load Balancing, SSL, Content Switching, GSLB, WAF, etc. NetScaler Terraform Registry (SDK)—The Terraform provider for NetScaler SDX provides Infrastructure as Code (IaC) to manage your ADCs via SDX. Using the Terraform provider, you can provision VPXs on SDX, start, stop, and reboot them. Red Hat Automation Hub (ADC) - The Red Hat Automation Hub is a central repository for content that can be used to automate NetScaler. Ansible Galaxy (ADC)—The NetScaler Ansible Galaxy collection provides a complete declarative interface for configuring and managing NetScaler ADC.Wed, 02 Oct 2024 15:32:00 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/gateway-service-for-storefront-deployment/Thu, 19 Sep 2024 18:01:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/macos-vda-aws/Thu, 19 Sep 2024 10:42:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/citrix-vda-for-macos-macstadium/Overview MacStadium is the industry-leading Mac cloud provider that provides access to genuine Apple Mac mini and Studio hardware in their Cloud Compute environment. MacStadium has partnered with Citrix to certify the Citrix VDA for macOS with MacStadium Cloud Compute. Examples of mini and studio models are available at https://www.macstadium.com/bare-metal-mac. Note: Virtualization on macOS has different limitations compared to Windows and Linux. Specifically, macOS limits users to a maximum of 2 VMs running at a time and restricts specific actions within VMs, such as signing into an Apple ID or using a USB passthrough. As a result, we recommend and support bare metal Mac deployments with the Citrix VDA for macOS today. This deployment guide provides the steps to procure and configure your MacStadium solution with the Citrix VDA for macOS. The following steps are covered in the guide: Talk to the MacStadium team to assist with your needs. Prepare your Citrix DaaS environment by creating a Machine Catalog and capturing the Enrollment Token. Procure your MacStadium Cloud Compute from MacStadium and share the Enrollment Token with the MacStadium Support team, who will automate the installation and registration of the Citrix VDA on your chosen MacStadium models. Create a Delivery Group with user assignments. (Optional) Enable Rendezvous Launch macOS VDA via the Citrix Workspace app that is installed on your user’s desktops. Talk to the MacStadium team Learn more about how MacStadium can be a part of your Citrix DaaS solution. Review the web page and contact us via the form at https://www.macstadium.com/citrix. We’ll reach out to discuss options for your deployment. MacStadium will provide the Cloud Compute, and customers will bring their own Citrix license/subscription directly from Citrix or through a partner. Whether or not your organization uses an MDM tool (e.g., JAMF or Kandji), MacStadium can deploy Cloud Compute resources. Prepare your Citrix DaaS environment Note: The steps for preparation and installation are quite similar if you’re deploying with Citrix Virtual Apps and Desktops; please refer to the Installation section in the product documentation for details. 1. Log in to Citrix DaaS, open Web Studio, and select Machine Catalogs. 2. Click Create Machine Catalog. 3. Select Remote PC Access and click Next. (The Single-session OS option is also supported.) 4. Select "I want users to connect to the same (static) desktop each time they log on" and click Next. 5. Select the minimum functional level for this catalog and click Next on the Machine Accounts page. 6. Click Next on the Scopes page. 7. Click Next on the Workspace Environment Management (Optional) page. 8. Leave the "Enable VDA upgrade" unchecked and click Next. 9. Name your Machine Catalog and click Finish. 10. The Machine Catalog is now created. 11. Right-click on the Citrix VDA for macOS Machine Catalog and select Manage Enrollment Tokens. 12. Click Generate. 13. Enter your Token name, select Use current date and time for start, enter 100 into the Specify how many times the token can register VDAs, choose an appropriate end date for the token to allow VDA registrations, and click Generate. 14. Click Copy. 15. Optionally, click Download to download this token for later usage. 16. You will now see your active Enrollment token. Click Close. Procure your MacStadium Cloud Compute MacStadium offers various models of dedicated Bare Metal Mac minis and Studios, especially compared to competitors. Standard models that are available immediately in the Cloud Compute environment are listed by MacStadium here. Custom configurations can be made available in large quantities. Contact MacStadium via the form at https://www.macstadium.com/citrix. Purchase your Cloud Compute directly from the MacStadium self-service portal or by speaking with their sales team via the form at https://www.macstadium.com/citrix. Choose your version of macOS Ventura 13, Sonoma 14, or Sequoia 15. You do not need to prepare your macOS base image for deployment, as MacStadium provides multiple options. Share the enrollment token and VDA agent version with the MacStadium Support team through the support ticket system. The MacStadium team will ensure the VDA for macOS is installed and registered with your enrollment tokens. The team will respond to the support ticket with confirmation that the machines have enrolled successfully. Your organization’s network environment may need configuring to support the Citrix VDA, Delivery Controller, and/or Director. For specific guidance, see the documentation here. Create a Delivery Group with user assignments. 1. Within Citrix DaaS Web Studio, select Delivery Groups, then click Create Delivery Group. 2. Select your Citrix VDA for macOS Machine Catalog and click Next. 3. Select which users can access the Delivery Group and click Next. 4. Add the required Desktop Assignment Rule and click Next. 5. Select Next on the App Protection screen. 6. Click Next on the Scopes window. 7. Select the appropriate License Assignment for your Citrix DaaS deployment and click Next. 8. Click Next on the Policy Set window. 9. Provide a name for your Delivery Group and click Finish. 10. Your Delivery Group is now created and ready for user access. (Optional) Enable Rendezvous If your deployment contains non-domain-joined macOS devices, enable the Rendezvous Citrix policy to allow access. 1. Within Citrix Web Studio, select Policies and then click Create Policy. 2. Select ICA within View by Category, then scroll to and select Rendezvous Protocol. Click Allow. 3. Click Next. 4. Select Filtered users and computers and expand the Delivery Group. 5. Select Allow in the Mode drop-down menu, and then choose your Citrix VDA for macOS Delivery Group, select Enable, and click Save. 6. review your filters, then click Next. 7. Select Enable policy, provide a Policy name, then click Finish. 8. The Rendezvous policy is now active and enabled. Launch macOS VDA via Citrix Workspace app Your users can now launch the macOS VDA via the Citrix Workspace app.Thu, 19 Sep 2024 10:42:00 +0000https://community.stage.citrix.com/tech-zone/automation/cvad-terraform-xenserver/Fri, 13 Sep 2024 10:56:41 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/deployment-prerequisites-citrix-on-azure/Thu, 12 Sep 2024 18:09:00 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/citrix-daas-flexapp-one/Tue, 10 Sep 2024 11:47:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/secure-private-access-on-premises/Mon, 09 Sep 2024 13:00:00 +0000https://community.stage.citrix.com/tech-zone/automation/citrix-terraform-xenserver/Thu, 05 Sep 2024 17:29:09 +0000https://community.stage.citrix.com/tech-zone/automation/cvad-terraform-policies/Thu, 05 Sep 2024 14:34:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/netscaler-advanced-auth-for-cem-cert/Fri, 30 Aug 2024 16:19:56 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/netscaler-advanced-auth-for-cem-domain/Fri, 30 Aug 2024 16:13:22 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/netscaler-advanced-auth-for-cem-cert-and-domain/Fri, 30 Aug 2024 13:35:00 +0000https://community.stage.citrix.com/tech-zone/design/reference-architectures/mergers-acquisitions/Tue, 27 Aug 2024 14:15:00 +0000https://community.stage.citrix.com/tech-zone/automation/cvad-terraform-nutanix/Thu, 22 Aug 2024 12:43:00 +0000https://community.stage.citrix.com/tech-zone/automation/citrix-terraform-nutanix/Fri, 16 Aug 2024 07:48:18 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/wem-tool-hub/Wed, 07 Aug 2024 15:50:17 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/citrix-enterprise-browser/Overview This Tech Brief explores Enterprise Browsers, detailing their purpose in an enterprise environment and providing a detailed overview of the Citrix Enterprise Browser and its core features. What is an Enterprise Browser? Browsers are the number one way for malware, spyware, and ransomware to infect enterprise organizations. Enterprise Browsers were introduced to the market to meet organizations' security requirements and isolate browser sessions to combat this ongoing problem. At their core, enterprise browsers are specialized browsers that provide enhanced security and control over browser functionality, access to corporate web and SaaS applications, and sensitive data. Enterprise Browsers typically have several features to enhance users' security, manageability, and productivity in enterprise environments. These features can include: Enhanced security features like sandboxing, malware protection, phishing protection, Data Loss Prevention (DLP), and data encryption to protect sensitive data and mitigate cyber threats. Centralized policy and user access control management allow administrators to configure browser settings for all enterprise devices. Compliance and reporting features like activity logging help enterprises comply with regulations and internal policies. System integration into other enterprise systems, such as Single Sign-on (SSO) and custom browser extensions or plugins. Use Cases for Enterprise Browsers There are several use cases for Enterprise Browser use within an enterprise, including: Internal web applications - Enterprises provide secure and managed access to internal web applications. Compliance - Enterprises that must comply with industry-specific regulations and internal policies. Bring your own device - Enterprises that allow personal devices to access enterprise resources. Contract and Temp Work - Enterprises that provide corporate access to contract or temp worker unmanaged devices. What is Citrix Enterprise Browser? Citrix Enterprise Browser is a Chromium-based browser that runs on the endpoint and creates a security sandbox for the web session. Focusing on security as a transparent layer on top of an enhanced user experience, running locally gives end users the best performance for rendering webpages of SaaS and private web applications, as the browser looks and acts like a user's traditional browser. The Citrix Enterprise Browser provides all the functionalities of a native browsing solution to the end user’s work environment. The secure sandbox protects the end user and the enterprise against malware, performance degradation, data loss, and unintended end-user behavior. With Citrix Enterprise Browser, organizations can centrally apply adaptive access policies that limit keyloggers, screen captures, clipboard operations, and more. In addition, the Citrix Enterprise Browser leverages the zero-trust capabilities of Citrix Secure Private Access. Launching any internally hosted web application or a SaaS app with security policies configured will trigger the Citrix Enterprise Browser to enforce security policies and enable a seamless user experience. Citrix Enterprise Browser protects against cyber threats, ensures secure access to critical applications, and helps comply with industry regulations and internal security policies. Citrix Enterprise Browser Architecture End users log into the Citrix Workspace or Citrix StoreFront on managed or unmanaged devices using single sign-on or Federated authentication. Citrix Enterprise Browser inherits the user's authenticated session, providing seamless access to authorized web and SaaS applications. A new browser session is launched within a secure, isolated environment, and Secure Access Policies and Configurations are applied, including last-mile DLP policies. Citrix Enterprise Browser routes web traffic through the Secure Private Access web URL filtering, and data is encrypted to transit to protect against interception. Users then interact with the web applications through the Citrix Enterprise Browser interface. Citrix Enterprise Browser Features There are several features within the Citrix Enterprise Browser to enforce zero-trust access and ensure a safe browsing experience for your end users. Web/SaaS app access Internal web and external SaaS apps can be directed to open within the Citrix Enterprise Browser. For internal web apps that would otherwise require a VPN to access outside the Citrix Workspace framework, Citrix Enterprise Browser provides enhanced security for end users to launch the web apps. This is based on the default deny ZTNA principal, and a separate full tunnel is not created. For external SaaS apps, Secure Private Access policies can be applied to ensure that SaaS apps are open securely using the Citrix Enterprise Browser. Data Loss Prevention (DLP) Consumer browsers do not control copy/paste, downloads, printing, and screen capture, which can be a risk for critical apps, especially on BYO devices. Together with Citrix Secure Private Access, the Citrix Enterprise Browser provides ZTNA access to protect users against threats through configured security policies and controls for the following: Watermark application Clipboard restriction or isolation Printing restriction File up- and download restriction App protection policies, including: Anti-keylogging to prevent hijacking of sensitive data Anti-screen capture against malicious software, as well as accidental screen sharing Personal data masking Additional information on these controls can be found here and here. Browser Management With Citrix Enterprise Browser and Secure Private Access, administrators can centrally manage and secure the browsing experience on managed and unmanaged devices. Browser management capabilities include: Extension Management — Create Secure Private Access policies with Citrix Enterprise Browser to force-install IT-required extensions and set up extensions to allow lists for end users to download optional extensions they may require. Web Filtering — Combined with Secure Private Access policies, comprehensive web filtering policies can be applied. Push Bookmarks — Administrators can push bookmarks to the end user's device to quickly access needed resources. Additional Controls — Allow users to save passwords, clear data on exit (including which data to clear), allow incognito mode, and developer tools. User Experience The Citrix Enterprise Browser allows administrators to customize the browser settings and policies according to their security needs. It provides a familiar experience that acts and looks like any other browser for easy navigation and use. Citrix Enterprise Browser and Citrix Secure Private Access provide internal and external access to applications without a VPN. This enterprise-grade browser works on any corporate or personal device. Citrix Enterprise Browser fully supports microphones, webcams, progressive web apps, web conferencing tools, bookmarks, dark modes, tabs, and windows. Work Browser mode can open all work links and allow an alternate browser to open non-work links. Remote Browser Isolation Remote browser Isolation is a web security measure that creates an "air gap" between a remote user's internet browser and corporate networks. It separates web browsing activity from endpoint devices by redirecting sessions to an isolated environment. This reduces the attack surface, ensuring browser-based cyber threats don't reach the company's digital resources. With Citrix Enterprise Browser and Remote Browser Isolation, policy controls can be enabled to secure browsing for any user, over any connection, on any device, and keep malware off your network. On Bring Your Own (BYO), unmanaged devices, or even managed devices, the Remote Browser Isolation service prevents the movement of sensitive and malicious content to ensure browser-based threats don't reach the user's device by creating an air gap between the browser and device. Sessions are also discarded once the user is done for additional protection from web threats or attackers. Summary Citrix Enterprise Browser is a powerful tool for organizations looking to secure their web and SaaS applications while providing a seamless, high-performance user experience. Its integration with Citrix Workspace, advanced security features, and ease of management make it an ideal choice for enterprises aiming to enhance their digital workspace infrastructure.Tue, 06 Aug 2024 19:05:45 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/f5-netscaler-migration-terms/Overview Migrating from F5 to NetScaler involves several critical steps and considerations, necessitating a comprehensive understanding of both technologies and their respective architectures. F5, with its BIG-IP platform, primarily uses the Traffic Management Operating System (TMOS) and iRules for traffic manipulation, offering robust features like Global Traffic Manager (GTM) and Local Traffic Manager (LTM). NetScaler utilizes its proprietary Operating System and natively supports policies through NetScaler policies and AppExpert, providing similar functionalities like Global Server Load Balancing (GSLB) and Local Load Balancing. When migrating from F5 to NetScaler, it is critical to understand the differences in concepts and terms between the two technologies to ensure a smooth transition. The table here outlines the key distinctions between F5 and NetScaler to help your migration effort. F5 Term/Concept NetScaler Term/Concept BIG-IP. ADC product offering. NetScaler Virtual Server. Logical entity that represents a network service. Virtual Server Virtual IP (VIP). An IP address assigned to a virtual server. Virtual IP Pool. A group of servers offering the same service. Service Group Pool Members. Individual servers within a pool Services SNAT (Secure Network Address Translation). Translates the source IP address of outgoing packets. Source IP (SNIP) SSL Profile. Configurations for SSL/TLS Settings. SSL Profile HA Pair. High Availability devices configured for failover. HA Pair Local Traffic Policies Content Switching Advanced WAF/ASM Application Firewall Local Traffic Policies and/or iRules Responder Policy Local Traffic Policies and/or iRules Rewrite Policy On-Box Analytics (AVR), sFlow, IPFIX AppFlow BIG-IQ Centralized Management NetScaler Console DNS (rename from GTM - Global Traffic Manager) GSLB (Global Server Load Balancing) APM (Access Policy Manager) AAA for Traffic Management IP Intelligence IP Reputation SSL Orchestrator SSL Forward Proxy Integrated Bot Defense Bot Management iControl. API for automation and integration. NITRO iApps: Application templates. F5 Application Services Templates (FAST) are replacing iApp templates. See https://support.f5.com/csp/article/K13422 for details. Stylebooks iRules: Customized TCL-based scripting language for programmatic traffic control NetScaler Policies iSession: Maintains session persistence across multiple servers. Session Reliability WebSafe/DataSafe Application layer encryption, form field encryptionThu, 01 Aug 2024 04:05:00 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/citrix-vdi-handbook-assess/Mon, 01 Jul 2024 13:01:14 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/citrix-vdi-handbook/Welcome to the Citrix VDI Handbook. This guide is a collaborative effort between the Citrix Product Marketing, Product Management, and Professional Services teams and is designed to give you an in-depth understanding of Citrix Infrastructure, a pivotal technology in modern enterprise IT environments. Citrix solutions empower organizations to deliver secure, virtualized desktops and applications to users anywhere, on any device, ensuring a seamless and productive user experience while simplifying IT management and enhancing security. In this handbook, we will explore the fundamentals of Citrix, including its architecture, key features, deployment strategies, and leading practices. Whether you are a seasoned IT professional looking to optimize your current VDI implementation or a newcomer aiming to understand the benefits and intricacies of Citrix solutions, this handbook is an essential resource to help you navigate the complexities of virtual desktop and application delivery. The Citrix VDI Handbook offers detailed information and best practices for deploying and managing virtual desktop infrastructure (VDI) using Citrix technologies. It is a valuable resource for IT professionals, architects, and administrators responsible for designing, implementing, and maintaining Citrix-based environments. The Citrix VDI Handbook follows the Citrix Professional Services methodology, which has been successfully employed across thousands of Citrix virtualization projects and consists of five phases: Define: Builds the business case for virtualization by creating a high-level project roadmap, prioritizing activities, and estimating storage and hardware requirements. Assess: Key business drivers are rated to prioritize work efforts accordingly. In addition, the current environment is reviewed for potential problems and to identify use cases for the project. This information will set the direction for Citrix deployment, upgrade, or expansion. Design: Define the architecture required to satisfy key business drivers and success criteria identified during the assessment phase. Topics such as environment scalability, redundancy, and high availability are addressed. Deploy: During the deployment phase, the infrastructure is installed and configured as described in the design phase. Before users can access the environment, all infrastructure components should be thoroughly unit and regression-tested. Monitor: Define architectural and operational processes required to maintain the production environment. The Citrix VDI Handbook is provided here as a full PDF document but is also available online by section via the links below. Citrix VDI Handbook -2402 LTSR.pdf The Citrix VDI Handbook provides content on the Assess, Design, and Monitor phases. Deployment information can be found in Citrix Product Documentation and Citrix Tech Zone. Assess Define the Organization Define the User Groups Define the Applications Define the Project Team Design Conceptual Architecture Layer 0: The Business Layer Layer 1: The User Layer Layer 2: The Access Layer Layer 3: The Resource Layer Layer 4: The Control Layer Layer 5: The Compute Layer Monitor Process 1: Support Process 2: Operations Process 3: Monitoring Disclaimer EXCEPT WHERE EXPRESSLY PROVIDED OTHERWISE BY CLOUD SOFTWARE GROUP, THE CONTENT IN THIS DOCUMENT IS PROVIDED “AS IS” AND CLOUD SOFTWARE GROUP HEREBY DISCLAIMS ALL EXPRESS OR IMPLIED REPRESENTATIONS, WARRANTIES, GUARANTIES, AND CONDITIONS, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. CLOUD SOFTWARE GROUP MAKES NO REPRESENTATIONS, WARRANTIES, GUARANTIES, OR CONDITIONS AS TO THE QUALITY, SUITABILITY, TRUTH, ACCURACY, OR COMPLETENESS OF ANY OF THE CONTENT CONTAINED ON THE WEBSITE. The above disclaimer applies to any damages, liability, or injuries caused by any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communication line failure, theft or destruction of or unauthorized access to, alteration of, or use, whether for breach of contract, tort, negligence or any other cause of action.Mon, 01 Jul 2024 13:01:00 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/citrix-vdi-handbook-design/Mon, 01 Jul 2024 13:01:00 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/citrix-vdi-handbook-monitor/Mon, 01 Jul 2024 13:01:00 +0000https://community.stage.citrix.com/tech-zone/automation/terraform-cvad-vsphere8/Mon, 01 Jul 2024 11:48:00 +0000https://community.stage.citrix.com/tech-zone/automation/terraform-daas-vsphere8/Mon, 01 Jul 2024 11:48:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/w11-mcs-vsphere8/Mon, 01 Jul 2024 11:47:35 +0000https://community.stage.citrix.com/tech-zone/automation/terraform-install-and-config/Mon, 01 Jul 2024 11:47:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/simplify-new-teams-deployment-with-citrix/Fri, 28 Jun 2024 15:16:27 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/local-host-cache-ha-daas/Overview Local Host Cache (LHC) is a Citrix technology that can maintain user access to resources during potential service disruptions. Local Host Cache leverages Site configurations cached locally on Delivery Controllers or Cloud Connectors to continue brokering operations when services may be unhealthy. Local Host Cache is a combination of several services and components which come together to take over the brokering responsibilities until the connection to the Cloud Broker or SQL database can be reestablished. In DaaS, Local Host Cache engages when Cloud Connectors lose connectivity with Citrix Cloud for 60 seconds. For customer-managed Sites, Local Host Cache engages when Delivery Controllers lose connectivity to the Site database for 90 seconds. For customers with on-prem StoreFront (regardless if using DaaS or a customer-managed environment), Local Host Cache is the main resiliency solution. Because Local Host Cache is critical to keeping users productive during service disruptions, it must be tested to ensure it is configured and functioning correctly. This guide will discuss how Local Host Cache operates, the services involved, the necessary Local Host Cache configurations, and various capabilities to test to improve the availability of your environment no matter what happens. Local Host Cache This article discusses the components, behavior, configurations, and testing required for Local Host Cache. Components There are several components within the Citrix Cloud Connector and Delivery Controller which are required for the Local Host Cache operations Configuration Synchronizer Service: The Configuration Synchronizer Service (CSS) periodically checks with the Cloud Broker (every 300 seconds) or Site database (every 300 seconds) to see if any configuration changes were made. The changes can be administrator-initiated (such as changing a delivery group property) or system actions (such as machine assignments). If changes are detected, CSS synchronizes the changes from the Cloud Broker or Site database to the Cloud Connectors or Delivery Controllers. LocalDB: The CSS imports the configuration data into a Microsoft SQL Server Express LocalDB database. A new instance of the database is created for every sync operation. Once the sync is successfully completed, the latest DB instance replaces the prior DB instance. Note: LocalDB has specific licensing that limits it to the lesser of four cores or a single socket. This can have a significant performance effect when the physical or virtual machine has been configured with multiple sockets with only a single or dual core. A broker machine with four sockets and one core per socket will limit LocalDB to using a single core, whereas the same VM configured as a 1-socket, 4-core machine means that LocalDB can access all four cores. See CPU core and socket configuration considerations for more information. High Availability Service: The High Availability Service (HA Service) is a specialized Broker Service that provides the runtime brokering functionality during an outage. The HA Service is also referred to as the secondary broker Remote Broker Provider (DaaS only): The Remote Broker Provider has several important functions: It acts as a proxy relaying communication between the Citrix Virtual Delivery Agent (VDA) and the Cloud Broker It acts as a proxy relaying communication between an on-premises StoreFront or an on-premises ADC and the various Citrix Cloud services It determines when to switch a Resource Location between HA mode and normal operation High Availability Mode Citrix Cloud Connectors and Delivery Controllers are capable of entering or exiting HA mode automatically without administrator intervention. For Citrix DaaS, HA mode is triggered after 60 seconds of failed health checks for the following services: Enumerations or launch requests Communications between the VDA and the Cloud Broker Secure Ticket Authority (STA) requests The OutageModeForced registry key set to 1 For CVAD, HA mode is triggered when the Delivery Controllers cannot communicate with the SQL server for 90 seconds. During HA mode, the HA Service takes over several important brokering functions: it enumerates resources, brokers session launches, and accepts VDA registrations. In DaaS, the HA Service also acts as an STA provider. In a Resource Location or Zone with multiple Cloud Connectors or Delivery Controllers, a single Cloud Connector or Delivery Controller per Zone performs all brokering functions. To determine which broker will take over during the HA event, the HA Services communicate with one another as part of an election process. The elected broker, which is generally chosen in alphabetical order, becomes the primary broker during LHC events. Note: Delivery Controllers and Cloud Connectors must be able to communicate with each other to perform the election. If the brokers cannot communicate, you can end up with multiple elected brokers which can result in failed launch attempts during LHC. Entering and Exiting High Availability Mode CVAD HA mode is entered when the Broker Service cannot communicate with the SQL database for 90 seconds. During the HA event, the Broker Service continues to monitor the health of the Site database while the High Availability Service brokers connection. Once the Broker Service can re-establish connectivity to the Site database, the HA event concludes and normal operations are restored. DaaS The decision to transition to HA mode is dependent upon health checks that test the ability to enumerate and launch traffic through a given Cloud Connector. There are several states during the entire cycle of entering and exiting HA mode: During the Working Normally state, all components are healthy and all brokering transactions are handled by the Cloud Broker. The CSS is actively replicating the configurations from the Cloud Broker to the Cloud Connectors. If any health checks fail, Cloud Connectors transitions to the Pending HA state. When in this state, a comprehensive health check is initiated to determine the next course of action. The connectors interact with other connectors in the Resource Location/Zone to determine their health status. The decision to move from Pending HA to Initial HA is based on the health status of all the connectors in a given Resource Location. If the health checks are successful, the connectors/controllers transition back to the Working Normally state. Alternatively if the health checks continue to fail, the connectors/controllers transition to the Initial HA state. During the Initial HA state, the High Availability Service on the elected connector takes over brokering responsibilities. All VDAs in the current Resource Location that were registered before will now register with the HA Service on the connector. It can take up to 5 minutes for all VDAs to re-register with the HA Service. At the end of Initial HA, health checks are initiated. If all health checks succeed, the state transitions to Pending Recovery, otherwise the state transitions to Extended HA. Health checks continue to occur during the Extended HA period. When health checks succeed during the Extended HA, the state transitions to Pending Recovery. There is no maximum time duration for a connector to remain in the Extended HA state Pending Recovery serves as a buffer period to ensure services are fully healthy before transitioning out of HA mode. If any of the health checks fail during Pending Recovery, the state transitions back to Extended HA. If all the health checks succeed during the entirety of the 10 minute Pending Recovery period, then the state transitions to Working Normally. With this transition, HA mode has exited, and all the VDAs in the Resource Location that were registered with the secondary broker now re-register with the primary broker. This re-registration can again take up to 5 minutes. Behavior Behavior within Resource Locations and/or Zones The primary broker is designed to have a view of the whole deployment – across multiple Resource Locations in DaaS or Zones in CVAD. However, when in HA mode, each Resource Location/Zone becomes its own independent pod, and the elected secondary broker in each Resource Location/Zone will manage the brokering transactions only for the VDAs within that pod. This design is a critical reason to ensure that the StoreFront is configured to include all the Cloud Connectors and Delivery Controllers from all the Resource Locations and Zones that contain VDA workloads. The StoreFront can then distribute launch requests and effectively load balance users across multiple Resource Locations/Zones. Citrix recommends a minimum of 2 connectors/controllers in every Resource Location/Zone. In each zone, there is an election process constantly running to make sure the HA Services know which machine would take over brokering responsibilities if there is an interruption. This election always happens – both during normal operations and when running in HA mode. Broker Behavior The CSS routinely provides the secondary broker with information about all Cloud Connectors/Delivery Controllers in the Resource Location/Zone. Having that information, each machine knows about all peer machines running in the Resource Location/Zone. The secondary brokers communicate with each other on a separate channel. Those services use an alphabetical list of FQDN names of the machines that they're running on to determine the elected secondary broker in the Resource Location/Zone if an outage occurs. When in HA mode, the elected secondary broker takes over brokering responsibilities while the other secondary brokers in the zone actively reject incoming connection and VDA registration requests. If an elected secondary broker fails during an outage, another secondary broker is elected to take over, and VDAs register with the newly elected secondary broker. During HA mode, if a connector/controller is restarted: If that connector/controller is not the elected secondary broker, the restart has no impact. If that connector/controller is the elected secondary broker, a different Cloud Connector/Delivery Controller is elected, causing VDAs to register with the new elected secondary broker. After the restarted Cloud Connector/Delivery Controller powers on, it automatically takes over brokering, which causes VDAs to register again. In this scenario, performance can be affected during the registrations. The event log provides information about elections. For more information on the associated events, review the event logs article from the product documentation. VDA Behavior When the outage begins, the elected secondary broker does not have current VDA registration data, but when a VDA communicates with it a registration process is triggered. During that process, the elected secondary broker also gets current session information for that VDA. The VDA communicates with the broker at least every 5 minutes. Depending on when the last heartbeat was completed, it may take a VDA up to 5 minutes to realize the change from to the elected secondary broker and trigger the registration with the elected secondary broker. It is important to note the end user experience differs for pooled desktops versus dedicated desktops. For pooled desktops, users may reconnect as soon as one VDA re-registers with the secondary broker. For dedicated desktops, users have to wait for their specific desktop to re-register, which may take up to 5 minutes. While the elected secondary broker is handling connections, the remote broker provider monitors the connection to Citrix Cloud for DaaS or the primary broker service monitors the connection to the Site database for CVAD. When the connection is restored, the remote broker provider or primary broker service instructs the elected secondary broker to stop listening for connection information, and resumes conveying brokering operations to the Cloud Broker or Site database. The next time a VDA communicates with the connector or controller, another registration process is triggered. The elected secondary broker removes any remaining VDA registrations from the previous outage. The CSS resumes synchronizing information when it learns that configuration changes have occurred in the Site database or in Citrix Cloud There are specific considerations for power-managed pooled desktop VDAs when in LHC mode. Typically, when a user logs off of a power managed pooled desktop VDA, the VDA’s image is reset to remove any user specific data or changes on the VDA. When a site is running in HA mode, because power management is unavailable, the reset operation cannot be performed. Due to the security consideration of previous user data and changes being available on subsequent sessions, these VDAs are unavailable by default during LHC. Depending on the security needs for an implementation, this behavior can be modified by modifying the Local Host Cache setting in Studio or setting the ReuseMachinesWithoutShutdownInOutage flag with PowerShell. More information about how to override the default behavior is available in the product documentation. Behavior with Resource Locations and/or Zones Load balancing within a Resource Location or Zone The on-premises StoreFront sends a heartbeat message to all the Cloud Connectors and/or Delivery Controllers configured in its store every 60 seconds by default. Only healthy Cloud Connectors/Delivery Controllers (that respond successfully to the heartbeat) are considered for load balancing app enumeration and launch requests. Resource Locations and Zones publishing the same resources It is common to have multiple Resource Locations or Zones publishing duplicate resources for redundancy. For example, a deployment containing applications from a single multi-session image or pooled VDI desktops might be deployed uniformly across all Resource Locations or Zones. When such a deployment is operating in HA mode, users may be directed to any of the VDAs in the various configured Resource Locations or Zones. In this scenario, the StoreFront load balances requests to all configured Cloud Connectors/Delivery Controllers across various Resource Locations/Zones. Resource Locations and Zones publishing different resources A Citrix deployment may also have certain applications available only in a specific subset of Resource Locations or Zones. For example, a Japanese OS desktop may be available only on the VDAs running in Japan. Another example is with static/assigned desktops that are user specific and tied to a specific Resource Location or Zone after assignment. When such a DaaS deployment operates in HA mode, the application or desktop launch requests need to be routed to the appropriate Cloud Connector in the specific Resource Locations where the resource resides. This is because cross-zone brokering is not available in HA mode. The AdvancedHealthCheck feature offered by StoreFront 1912 LTSR Cumulative Update 5 or later facilitates such deployments as described in the following paragraph. Advanced Health Checks are enabled by default for new installs starting in StoreFront 2203 LTSR CU5 and CR 2308, and is enabled by default for upgrades starting in StoreFront 2203 CU5 and later. When AdvancedHealthCheck is on, the StoreFront enumerates resources from Cloud Connectors in any region. The enumeration information now contains a mapping between the resource (an application or a desktop) and the Resource Locations where the resource resides. This mapping is used to direct the user launch requests to specific Resource Locations. Review the configuration steps listed in the product documentation to enable the StoreFront to use this functionality. Behavior with Citrix NetScaler for load balancing For architectures involving Citrix NetScaler with Resource Locations/Zones publishing different apps and desktops, the following configurations need to be performed in order to successfully broker connections to the appropriate resources during HA mode. Aggregate the Cloud Connectors/Delivery Controllers in each Resource Location or Zone to a unique VIP in the NetScaler load balancer Set up the NetScaler load balancer to monitor the Cloud Connectors/Delivery Controllers in each Resource Location/Zone via the CITRIX-XD-DDC monitor Add all NetScaler VIPs as a single Resource Feed to StoreFront Enable the StoreFront AdvancedHealthCheck feature Configurations There are a few key configurations to be aware of when using Local Host Cache. While the main configurations are highlighted below, we recommend you review Avoid Common Misconfigurations that Can Negatively Impact DaaS Resiliency to ensure other configurations don’t negatively impact LHC performance. Site For on-prem environments, from XenApp and XenDesktop 7.15 LTSR forward, Local Host Cache is enabled by default. You can validate that it is enabled using Get-BrokerSite on the Citrix Delivery Controller. Check that the LocalHostCacheEnabled property is True. For DaaS environments, Local Host Cache is always on. For performance considerations during LHC mode, no more than 10,000 VDAs can be supported in a single zone in CVAD or a single Resource Location in DaaS. No more than 40,000 VDAs can be supported in a single CVAD site. You can find more information in our product documentation for CVAD and DaaS. As mentioned previously, by default, power-managed desktop VDAs in pooled delivery groups (created by MCS or Citrix Provisioning) are unavailable for new connections during a Local Host Cache event. You can change this default to allow those desktops to be used during Local Host Cache. Sizing During Local Host Cache mode, the Site switches to using SQL Server Express LocalDB versus the regular SQL database. A Cloud Connector or Delivery Controller’s CPU configuration, particularly the number of cores available to the SQL Server Express LocalDB, directly affects Local Host Cache performance. While LocalDB can use up to 4 cores, it is limited to a single socket. Maximizing the number of cores per socket is recommended - for example, if you have 4 vCPU placing them all in one socket. For more sizing recommendations, see size and scale considerations for Cloud Connectors and for Delivery Controllers. StoreFront All Cloud Connectors and Delivery Controllers that provide access to resources need to be listed in the ‘Manage Delivery Controllers’ section of the StoreFront console. As discussed above, if the requisite Cloud Connectors or Delivery Controllers are not listed might result in loss of capacity when the site enters HA mode. If different resources are published from different Zones or Resource Locations, AdvancedHealthCheck needs to be configured. In StoreFront 2203 LTSR CU5+ and 2308+, this is enabled by default for new installations. The feature is enabled by default for upgrades starting in StoreFront 2402. If you are using an older version, you can go to C:\\inetpub\wwwroot\Citrix\*yourstorename* to access the web.config file for StoreFront. Be sure to do this on your primary StoreFront server. Open the file, and search for AdvancedHealthCheck. Change the setting to On. Save the file, and propagate changes to the rest of the server group. This change can also be done via PowerShell. Example: $storeService = Get-STFStoreService –VirtualPath '/Citrix/Store' Set-STFStoreFarmConfiguration $storeService -AdvancedHealthCheck $true NetScaler As mentioned previously, there are several key configurations to ensure that launches proxied via NetScaler work correctly when in LHC mode. First, aggregate the Cloud Connectors/Delivery Controllers in each Resource Location or Zone to a unique VIP in the NetScaler load balancer. Each load balancer should monitor the brokers using the Citrix-XD-DDC monitor. Next, add all the load balanced VIPs as Delivery Controllers into StoreFront. Monitor Local Host Cache There are several different methods to monitor Local Host Cache behavior and performance. Most information regarding LHC can be found in the event logs of Cloud Connectors or Delivery Controllers. See Event logs (DaaS) or Event logs (Citrix Virtual Apps and Desktops) for more information on what can be monitored. When it comes to monitoring LHC, three different phases should be considered: before an event, during an event, and after an event. Before an LHC Event Before an event, you want to make sure your environment is prepared for an LHC event. A well-prepared environment for LHC can help improve performance during a service disruption. Here’s what you can monitor before an LHC event to improve preparedness: Misconfigurations Misconfigurations should be monitored to ensure your environment is ready to perform optimally during an LHC event. Unfound misconfigurations in your environment can cause launch failures during LHC and an inability to access key resources. Some of the most common and impactful misconfigurations include: Power-managed pooled desktops being unavailable during Local Host Cache. Multiple elected Delivery Controllers or Cloud Connectors. Delivery Controllers or Cloud Connectors having only 1 vCPU core per socket. Advanced Health Check not enabled (DaaS only). For DaaS customers, review Avoid Common Misconfigurations that Can Negatively Impact DaaS Resiliency. You can also check the Zones node in Citrix DaaS Full Configuration to check if any errors or warnings were detected in your deployment. Config Syncs The configuration sync process plays a pivotal role in ensuring up-to-date settings and resource assignments during an LHC event. If Configuration Syncs are failing, out of date settings and resources may be presented to users during LHC or LHC may be completely unavailable. Monitoring your environment for failed config syncs can help improve readiness for an LHC event. Config syncs can be monitored in two different ways: Event logs (DaaS and CVAD) A 505 event from the Config Synchronizer service on Cloud Connectors or Delivery Controllers signifies a failed config sync. If a previous config is present, the old config will be used for LHC. Configurations will be out-of-date. If no config is present, LHC will fail to be able to service enumeration and brokering requests. See Config Synchronizer Service for more information. Citrix Monitor (DaaS only) Citrix Monitor on DaaS has an out of the box alert for consecutive Config sync failures that administrators can configure to their preferred notification medium and recipients for quick, timely analysis. Learn more on Local host cache config sync failure alert monitoring. HA mode starting It’s important to be alerted that an HA event is occurring in your environment. The best way to monitor your environment for an HA event is through 3502 events from the High Availability Service on your Cloud Connector or Delivery Controller. Citrix DaaS has additional ways for identifying that a Resource Location is in Local Host Cache mode. It is important to note that due to delays in reporting and the potential for DaaS Full Configuration to be unavailable, the most reliable way to monitor for an LHC event is the event logs. In Citrix DaaS, there are additional alerts around HA mode starting. Local Host Cache banner When Full Configuration identifies that Connectors in a Resource Location are unavailable, it displays a banner in Full Configuration letting you know Resource Location(s) are in LHC. Local Host Cache zone-level alert If a Resource Location is unavailable, the Zones node will show a warning icon for that resource location. During an LHC Event During an LHC event, while your team may be working to understand and troubleshoot the root cause of why LHC mode was entered, you should also be monitoring the performance of LHC to make sure there are no issues that prevent users from accessing their apps and desktops. You have limited access to the PowerShell SDK when in LHC mode. The Get-Broker* cmdlets can be a powerful tool for monitoring the status of resources during LHC. See “What is unavailable during an outage, and other differences” (DaaS and CVAD) for more information on enabling and using the PowerShell SDK during an LHC event. All information obtained from the PowerShell SDK is on a per-zone basis because all zones act as independent sites when in LHC mode. Three main things should be monitored during an LHC event: VDA registration, session launches, and LHC state. VDA Registration VDAs can take up to 5 minutes to re-register when entering and exiting LHC mode. The impact of the 5 minutes can be more impactful for dedicated desktops, where users have to wait for their specific VDA to register. Multi-user and pooled desktop VDAs become available to users as soon as a VDA in the Delivery Group is available. The more VDAs in a Delivery Group, the higher the likelihood that a VDA will be available earlier on in the 5 minutes, minimizing the disruption of entering and exiting LHC. To check the registration status of VDAs during the LHC event, run the following PowerShell cmdlet after enabling the PowerShell SDK for LHC: Get-BrokerMachine -AdminAddress localhost:89 | Select MachineName, ContollerDNSName, DesktopGroupName, RegistrationState This will return a list of VDAs and their registration state. User sessions End users launching their apps and desktops is the most critical part of the operation. During LHC, it’s important to monitor session launches so you know that things are running smoothly. Sessions can be monitored using the event logs or PowerShell. Event logs 3507 events on the elected Cloud Connector or Delivery Controller from the High Availability service give summary information regarding the current state of the LHC event. Information includes net-new sessions launched, sessions reconnected, VDA registrations, peer broker state, and event duration. These events occur every 2 minutes when LHC mode is active, giving you information about the event as a whole as well as information about the last 2 minutes of the event. PowerShell Get-BrokerSession can be used once the PowerShell SDK is enabled to learn more about active sessions in the zone. Local Host Cache States For Citrix DaaS, LHC goes through states before transitioning back to a Working Normally state. Understanding these states, and the implications about health checks behind those states, can make troubleshooting issues more straightforward. The states are discussed in more detail in a previous section. LHC states can be monitored using the following events from the Remote Broker Provider service on your Cloud Connectors, with these events being the most critical: 3001: Notifies you that a health check failed and that the connector is currently in a Pending HA state. Connectors make a decision in 60 seconds after this 3001 event to determine if LHC should be entered or not based on the results of a health check. While a single 3001 event is not a cause for concern, frequent 3001 events in a short period of time can be an indicator of intermittent network issues. You may want to force LHC if your environment is experiencing user access issues due to intermittent network issues. 3003: Notifies you of a change of HA state. Extended HA to Pending Recovery: Your connector passed a health check while in the Extended HA state. Your connectors will need to pass health checks for 10 minutes straight before exiting LHC. Pending Recovery to Extended HA: During Pending Recovery, your connectors have failed a health check. Connectors will remain in Extended HA until another health check is passed. The 10 minute recovery timer will be restarted when the connector passes a health check and re-enters the Pending Recovery state. Understanding these states can help give insight into the success of your troubleshooting efforts. If a troubleshooting step successfully mitigated the issue, you should not expect your environment to leave LHC immediately. Instead, you should see your connectors transition into Pending Recovery. After an LHC Event After an LHC event you should review how LHC performed to determine if any changes need to be made to improve the performance of future events. Information regarding the performance of LHC during an event can be found in the Citrix Monitor (DaaS only) or the event logs. Event logs 3508 events from the High Availability service give a summary of session launch and VDA registration information of an entire LHC event once the event is complete. This is the data that feeds the LHC Monitor dashboard. DaaS Monitor The LHC dashboard in the trends view of Monitor allows for visibility into past LHC events. Information in the dashboard includes the time of the incident, duration, impacted Zone, user sessions, and number of machine registrations. Learn more - Monitor - trends Test Local Host Cache Verify Functionality Before testing LHC, it is important to verify that the CSS service is operating successfully. 1. Ensure that synchronization imports are completed successfully. Check the event logs for 504 events from the Citrix Config Synchronizer Service. 2. Ensure each Cloud Connector or Delivery Controller creates the Local Host Cache database. This confirms that the High Availability Service can take over if needed. a. On Cloud Connectors or Delivery Controllers, browse to c:\Windows\ServiceProfiles\NetworkService. b. Verify that HaDatabaseName.mdf and HaDatabaseName_log.ldf are created. 3. Before going into Local Host Cache, it’s important to understand that when LHC engages, a single Cloud Connector or Delivery Controller services all brokering requests. This Cloud Connector or Delivery Controller is referred to as the elected broker. a. To determine which server is acting as the elected broker, review Delivery Controllers or Cloud Connectors for 3504 events from the Citrix High Availability Service. b. If multiple brokers are elected, VDA registrations may be split across brokers during the LHC event and launch attempts may fail. Ensure VDAs can communicate with each other over port 80 to enable the connector/controller communication required for LHC elections. Force LHC It’s important to note that testing LHC can cause an intermittent service disruption in your environment due to VDAs re-registering when entering and leaving LHC mode. LHC should be tested during a maintenance window. To simulate Local Host Cache behavior, follow these steps: 1. Force an outage on the Cloud Connectors or Delivery Controllers. This step must occur on every broker in the zones that will be tested. There are two ways to do this: a. Registry key: i. In HKLM\Software\Citrix\DesktopServer\LHC, create and set OutageModeForced as REG_DWORD to 1. This setting instructs the Local Host Cache broker to enter HA mode, regardless of the state of the connection to Citrix Cloud or Site database. b. PowerShell cmdlet: i. Import the module by running the following command on the Delivery Controllers or Cloud Connectors in the zone where you’re testing: cd C:\Program Files\Citrix\Broker\Service\ControlScripts Import-Module .\HighAvailabilityServiceControl.psm1 ii. Run the following PoSh cmdlet on the Delivery Controllers or Cloud Connectors in the zone where you’re testing: Enable-LhcForcedOutageMode 2. Validate an outage has been forced by checking for a 3502 event on the elected broker: Monitor VDA Registration You can verify and monitor VDA registration during LHC mode using the following steps: 1. Once in Local Host Cache mode, if you’re running CVAD, Studio won’t be available. If you’re running DaaS, all VDAs will appear unregistered in Manage. Knowing your VDAs are registered is a key function for ensuring LHC works correctly. Note: VDAs can take up to 5 minutes to re-register with the elected broker. a. To run Get-Broker* cmdlets during Local Host Cache, run the following on a machine with the remote PoSh SDK installed for DaaS or directly on the Delivery Controller for CVAD. i. In HKLM\Software\Citrix\DesktopServer\LHC, create and set EnableCssTestMode as REG_DWORD to 1. ii. For DaaS, run the following before running PoSh cmdlets so cmdlets are run on the Cloud Connector rather than the Cloud broker: $XDSDKAuth=”OnPrem” iii. To view machine registration information, run Get-BrokerMachine -AdminAddress [elected broker FQDN]:89 | Select MachineName, ControllerDNSName, DesktopGroupName, RegistrationState. For CVAD environments, you can replace [elected broker FQDN] with localhost as this will be run directly on the Delivery Controller. b. After running those commands, you can access All Get-Broker* cmdlets. c. More general VDA registration information can be found in 3507 events on the elected broker. Test and monitor launch behavior 1. Test launches from StoreFront. Users should be able to authenticate, enumerate, and launch applications like normal. a. Information regarding sessions launched during LHC can be found in 3507 events on the elected broker, which occur every two minutes. b. Note: During the first 5 minutes of an LHC event, VDAs may be re-registering, which can result in failed launch attempts due to a lack of resources. Once all VDAs register, further launches should succeed as normal. 2. Situations to test: a. Different resource types: i. Pooled desktops ii. Static Desktops iii. Hosted apps b. Subset of zones in LHC: Test what happens if only one of your zones enters LHC mode. c. Zone preference and machine tags i. Zone preference and restricting launches to a single zone using tagging is not supported during LHC. Launch requests may go to other zones, resulting in a subset of launch failures. This issue can be amplified if using failover order in StoreFront rather than load balancing. Test this and see how it works in your environment! Disable Forced LHC Once you have finished testing LHC, you can disable the Forced LHC mode. 1. Disable LHC a. Note: When exiting LHC mode, VDAs must re-register with the healthy primary broker. VDA re-registration should be completed within 5 minutes of disabling LHC. b. Registry key: i. In HKLM\Software\Citrix\DesktopServer\LHC, set OutageModeForced as REG_DWORD to 0. This setting instructs the Local Host Cache broker to leave HA mode. c. PowerShell cmdlet: i. Import the module by running the following command on the Delivery Controllers or Cloud Connectors in the zone where you’re testing: cd C:\Program Files\Citrix\Broker\Service\ControlScripts Import-Module .\HighAvailabilityServiceControl.psm1 ii. Run the following PoSh cmdlet on the Delivery Controllers or Cloud Connectors in the zone where you’re testing: Disable-LhcForcedOutageMode 2. Review Delivery Controllers or Cloud Connectors for 3508 events to get a summary of the LHC event. Summary As you can see, Local Host Cache plays a critical role in your environment. By understanding how Local Host Cache operates, and testing its functionality, you can ensure that your environment is resilient and highly available even in the event of service disruptions. Ensure your users can always connect to their resources by testing your environment today! Please refer to the resources below to learn more about Local Host Cache. Resources Product Documentation: DaaS - Local Host Cache Product Documentation: CVAD - Local Host Cache Tech Brief: Avoid Common Misconfigurations that Can Negatively Impact DaaS Resiliency Citrix Tech Insight: Citrix DaaS High Availability with Local Host CacheTue, 18 Jun 2024 18:50:00 +0000https://community.stage.citrix.com/tech-zone/design/reference-architectures/pvs-on-azure/Mon, 17 Jun 2024 13:08:00 +0000https://community.stage.citrix.com/tech-zone/build/tech-papers/secure-ica-file/Overview Citrix Independent Computing Architecture (ICA) information is a critical part of your Citrix deployment. It allows your internal and external users to securely connect to applications and desktops. This information is commonly found in a .ICA file, which the Citrix Workspace app or browser uses to complete the connection. Because the information in the ICA file provides access to your systems, it is important to implement security best practices. This paper will cover the various launch methods available for ICA files, information recommendations, and leading practices for hardening this critical part of your infrastructure. What is an ICA file? When a user launches an application or desktop, StoreFront generates ICA information, which contains instructions to the client on how to connect to the VDA. This is a text document with the same format as an INI file. This document refers to this as an ICA ‘file’ regardless of whether it is a file stored on disk or data held in memory. StoreFront generates this ICA file based on the information it receives from Citrix Virtual Apps and Desktop or Citrix Desktop as a Service (DaaS), along with its own configuration and logic. If you open an ICA file, you’ll see name-value pairs, including the following: Field Description Address For internal access, the IP address of the VDA to connect to. When a resource is accessed via a Gateway, this contains the Secure Ticket Authority (STA) ticket. SSLProxyHost If the resource is accessed via a Gateway, this contains the address of the Gateway. LaunchReference This contains the launch reference that is used to retrieve ancillary session data. This is a one-time ticket with a limited lifespan. LogonTicket This contains the logon ticket used to validate that the VDA is launching the connection that the DDC prepared. This is a one-time ticket with a limited lifespan. Note that the ICA file includes a field called ClearPassword. Despite its name, this is a legacy field that does not contain a password. Current versions of the Citrix Workspace app do not use this field. Client access and launch methods There are three ways for a user to view their store and connect to their resources: Users can open the store in the Citrix Workspace app. This provides the best and most secure experience. It avoids using unmanaged web browsers, securely handles ICA files, and allows the use of anti-keylogging protection during authentication. Users can open their store and connect to resources within a web browser. This provides an option for situations where the Citrix Workspace app cannot be installed. ICA information is stored in memory within the browser. Users can open the store in their web browsers but launch resources in their locally installed Citrix Workspace app. This is known as a “hybrid launch”. This requires handing ICA information between the browser and the locally installed app. There are a number of mechanisms in this work. For more information on how your users can access their stores and launch resources, see StoreFront documentation. Hybrid Launch mechanism details This section describes how hybrid launches can transfer data between the browser and locally installed Citrix app. Hybrid Launch using Citrix Workspace web extensions Users can install Citrix Workspace web extensions on Chrome, Edge, and Safari. If the website detects this, it uses it to communicate securely with the locally installed Citrix Workspace app to launch applications. The user does not have the option to download ICA files to disk. Hybrid Launch using Citrix Workspace launcher Citrix Workspace app for Windows, Mac, and Linux includes a component called the Workspace app launcher. When the user launches a resource, the browser signals to the locally installed Citrix Workspace app to retrieve the ICA file from the StoreFront server. Hybrid Launch using ICA download If the browser cannot detect a locally installed Citrix Workspace via either Web Extensions or the Workspace launcher, then when a user launches a resource, it downloads an ICA file. The user must then open this file Citrix Workspace app. Launch via Gateway Whichever launch method is used, StoreFront contacts a Secure Ticket Authority to get a ticket when you launch a resource via a Gateway. If using Citrix Virtual Apps and Desktops, this is normally the Delivery Controller. If using DaaS, this is normally the Cloud Connector, which proxies requests to the cloud ticketing authority. This ticket entitles the caller to connect to the resource for a limited period of time and is only valid for a single use. When the HDX client sees an SSLProxyHost in the ICA file, it contacts the Gateway, providing the STA ticket. The Gateway, in turn, contacts the STA server to check whether the ticket is still valid and to get the address of the VDA to which it should forward the traffic. The Gateway acts as a reverse proxy between the HDX client and the VDA. Recommendations It is important that ICA files are managed securely as they provide direct access to connect and log into a VDA. Deploy the latest Citrix Workspace app A locally installed Citrix Workspace app is the best and most secure experience for launching VDAs, as the launch process is entirely encapsulated within the app. Therefore, we recommend deploying the Citrix Workspace app and configuring it to connect to the store wherever possible. Ensure you keep it updated so you always have the latest improvements. Enable in-memory hybrid launches You must enable the setting ‘Allow users to download HDX engine (plug-in)’ to allow hybrid launches using Citrix Workspace launcher and Citrix Web Extensions. If this setting is disabled, users will all download ICA files. You must enable this setting even if you use other mechanisms to deploy the Citrix Workspace app and have no need to provide download links in this way. On advanced settings, ensure that “Enable protocol handler” is not unticked (it is ticked by default). This is required for both protocol handler and web extension launch methods. Deploy Citrix Workspace Web Extensions Where native launch is not possible, and you need to allow hybrid launches, we recommend deploying Citrix Workspace web extensions to your users. This provides the most reliable and secure hand-off between the browser and the locally installed Citrix Workspace app. Encrypt communications using TLS Ensure that ICA files are encrypted over the network by enabling HTTPS on your NetScaler Gateway, load balancer and StoreFront server. Disable ICA file downloads In the case of a hybrid launch, where neither Citrix Workspace Web Extensions nor Citrix Workspace launcher are used, the browser downloads an ICA file to disk. The file is not immediately launched and instead relies on the user opening the file. This allows a user to email the file to someone else or malicious software could access it and send it directly to the attacker. Therefore, we recommend disabling ICA file downloads for most deployments and only use launch methods where the ICA file is transferred in-memory and immediately launched. StoreFront 2402 StoreFront has new settings to control whether ICA downloads are allowed. The first applies only to platforms where Citrix Workspace launcher is supported (Windows, macOS, Linux). Normally, when users first open their store in a browser, it prompts the user to open the Citrix Workspace launcher. Once they’ve done this, the Citrix Workspace launcher is used for subsequent app launches. However, the users can press instead ‘Already installed’ which falls back to download ica downloads. You can remove this option by clearing “Show ‘Already installed’ link on the client detection page. Citrix Workspace app for iOS and Android does not support Workspace launcher, so hybrid launches always download ICA files. You can disable these downloads by ticking “Prevent ICA downloads on all platforms.” In this case, users should add their store directly to the Citrix Workspace app for iOS and Android to use native launches. For more information, see StoreFront documentation Earlier versions of StoreFront You can achieve the same results in earlier versions of StoreFront by applying the customization described in CTX584240. Citrix Workspace Citrix Workspace has a similar setting to hide the “Already installed” link. This is called “disallowIcaDownload”. This removes the “Already installed” link on Windows and Mac and does not impact other operating systems. We recommend opening the store in a locally installed Citrix Workspace app for other operating systems. You can configure Citrix Workspace to enforce protocol detection using the Workspace powershell module. This does not force users who have previously clicked “Already installed” to use the Citrix Workspace launcher; therefore, we recommend prompting your users to clear their cookies after enabling this setting. Reduce the lifetime of launch reference and logon tickets Reducing session validity and launch times decreases an attacker's opportunity window if the system has been compromised. This launch reference and logon tickets are valid for 200s by default, but you can use the PowerShell Set-BrokerServiceConfigurationData command to configure them with the MaxSessionEstablishmentTimeSecs setting. For example: Set-BrokerServiceConfigurationData Core.MaxSessionEstablishmentTimeSecs -SettingValue 100 Ensure you carefully test your configuration in the worst-case performance scenarios—if the ticket life is too low, it will expire before connecting to the VDA, and the launch will fail. Prevent launching of unauthorized ICA files Another concern is that a threat actor could provide a user with a malicious ICA file, for example, as part of a phishing email. This ICA file could, for instance, connect to a VDA-enabled local drive mapping and pull data off the drives. Prevent launching of ICA files from disk As long as you’ve enabled in-memory ICA launches for your own systems, we recommend that you configure your Windows clients to refuse to launch ICA files from disk. This prevents users from launching ICA files they have been sent via email or other messaging systems. See Citrix Workspace app for Windows documentation. ICA Signing ICA signing is a more comprehensive way to block users from opening ICA files from unauthorized sources in Windows. This involves configuring StoreFront to add a signature to the ICA file and configuring the Citrix Workspace app to only allow launches where that specific signature is present. You can configure Workspace apps to either block unsigned launches completely or to prompt the user to allow unsigned launches. This can apply to all unauthorized launches, whether from disk or in-memory. This feature is not available in Citrix Workspace. For more details, see StoreFront documentation and Citrix Workspace app for Windows documentation. Summary As you can see, there are multiple ways to improve ICA security. Some of these may not apply to your organization, but you should use a layered and defense-in-depth approach to apply as many as you can. Start testing these recommendations today to harden your environment! Resources Product Documentation: StoreFront 2402 Long Term Service Release Overview Product Documentation: Secure your StoreFront deployment Product Documentation: Citrix Workspace Tech Paper: Security best practices for Citrix Virtual Apps and Desktops Tech Paper: Citrix VDA Operating System Hardening GuideThu, 06 Jun 2024 15:23:00 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/ztna-private-web-apps/Overview With remote work, users need access to internal web-based applications. Providing a better experience means avoiding a VPN deployment model, which often results in the following challenges: VPN Risk 1: Are difficult to install and configure VPN Risk 2: Require users to install VPN software on endpoint devices, which might utilize an unsupported operating system VPN Risk 3: Require the configuration of complex policies to prevent an untrusted endpoint device from having unrestricted access to the corporate network, resources, and data VPN Risk 4: Difficult to keep security policies synchronized between VPN infrastructure and on-premises infrastructure To improve the overall user experience, organizations must be able to unify all sanctioned apps and simplify user login operations while still enforcing authentication standards. Organizations must deliver and secure SaaS, web, Windows, Linux applications, and desktops even though some of these resources exist beyond the confines of the data center and can access resources outside of the data center. Citrix Secure Private Access service provides organizations with secure, VPN-less access to user-authorized resources through Citrix Workspace. In this proof of concept scenario, a user authenticates to Citrix Workspace using Active Directory, Azure Active Directory, Okta, Google, Citrix Gateway, or a SAML 2.0 provider of their choice as the primary user directory. Citrix Workspace provides single sign-on services for a defined set of enterprise web applications. If the Citrix Secure Private Access service is assigned to the Citrix subscription, enhanced security policies, ranging from applying screen-based watermarks, restricting printing/downloading actions, screen grabbing restrictions, and keyboard obfuscation are applied on top of the web applications. The animation shows a user accessing an internal Sharepoint web application with Citrix-provided SSO and secured with Citrix Secure Private Access service. This demonstration shows a flow where the user launches the application from Citrix Workspace, which uses the VPN-less connection to the data center. Because the user accesses an internal web application from an external device, the access request must come from within Citrix Workspace. This proof of concept guide demonstrates how to: Setup Citrix Workspace Integrate a primary user directory Incorporate Single sign-on for a Sharepoint web application, which is located within the data center Validate the configuration Setup Citrix Workspace The initial steps for setting up the environment is to get Citrix Workspace prepared for the organization, which includes Once you establish Citrix Secure Private Access service entitlement with your Citrix account team, you will find the Citrix Secure Private Access icon under My Services. For more information, see. Set up the Workspace URL Set Workspace URL Connect to Citrix cloud and log in as your administrator account Within Citrix Workspace, access Workspace Configuration from the upper-left menu From the Access tab, enter a unique URL for the organization and select Enabled Integrate a Primary User Directory Before users can authenticate to Workspace, a primary user directory must be configured. The primary user directory is the only identity the user requires as all requests for apps within Workspace utilize single sign-on to secondary identities. An organization can use any one of the following primary user directories: Active Directory: To enable Active Directory authentication, a cloud connector must be deployed within the same data center as an Active Directory domain controller by following the Cloud Connector Installation guide. Active Directory with Time-Based One Time Password: Active Directory-based authentication can also include multifactor authentication with a Time-based One Time Password (TOTP). This guide details the required steps to enable this authentication option. Azure Active Directory: Users can authenticate to Citrix Workspace with an Azure Active Directory identity. This guide provides details on configuring this option. Citrix Gateway: Organizations can utilize an on-premises Citrix Gateway to act as an identity provider for Citrix Workspace. This guide provides details on the integration. Okta: Organizations can use Okta as the primary user directory for Citrix Workspace. This guide provides instructions for configuring this option. SAML 2.0: Organizations can use the SAML 2.0 provider of choice with their on-premises Active Directory (AD). This guide provides instructions for configuring this option. Configure Single Sign-on To successfully integrate web apps with Citrix Workspace, the administrator needs to do the following: Deploy Connector Appliance Configure Web app Authorize Web App and configure enhanced security Deploy Connector Appliance Within Citrix cloud, select Resource Locations from the menu bar Within the resource location associated with the site containing the web app, select Connector Appliances In the Add a Connector Appliance dialog, download the image associated with the appropriate hypervisor and leave this browser window open Once downloaded, import the image into the hypervisor When the image starts, it will provide the URL to use to access the console Log into the Connector and change the admin password, and set the network IP address Give the appliance a name and login to the domain for that resource location Select Register and copy the registration code Return to the Citrix Cloud page and submit the registration code to complete the Connector Appliance setup Configure Web app Within Citrix cloud, select Manage from the Secure Private Access tile Select Applications followed by Add an App In the Choose a template wizard, select Skip In the App details window, select Inside my corporate network Specify HTTP/HTTPS as the App Type Provide a App name and description for the application (optionally) Select Direct Access to enable access directly via an FQDN resolvable via the public Internet. If selected, you will need to upload the pertinent SSL certificate in .pfx or .pem format. Also, you will need to map a CNAME record for the site FQDN to the Citrix Gateway service Enter the URL for the web application Add additional related domains as necessary for the web application Add a custom App icon if desired Select Next In the Single Sign-On window, select the appropriate SSO option for the web application. This often requires help from the web app owner. You will have 5 SSO choices to choose from: Basic: If your backend server presents you with a basic-401 challenge, choose Basic SSO Kerberos: If your backend server presents you with negotiate-401 challenge, choose Kerberos SSO Form-Based: If your backend server presents you with an HTML form for authentication, choose Form-based SSO SAML: Choose SAML for SAML-based SSO into web applications. Enter the configuration details for SAML SSO type. No SSO: Use no SSO option when you do not need to authenticate the user on the backend server Select Basic SSO and User Principal Name (UPN) as username format Select Next In the App Connectivity window, select the Resource Location, where you installed the Connector Appliance earlier, for the URL and Related Domain entries (and verify that your connectors are up) Select Save Select Finish Authorize Web App and configure enhanced security Within Secure Private Access menu, select Access Policies In the Access Policy section, select Create policy Enter the Policy name and a brief Policy description In the Applications drop-down list, search for “The Hub (Intranet)” and select it NOTE You can create multiple access rules and configure different access conditions for different users or user groups within a single policy. These rules can be applied separately for HTTP/HTTPS and TCP/UDP applications. For more information on multiple access rules, see Configure an access policy with multiple rules. Select Create Rule to create rules for the policy Enter the rule name and a brief description of the rule, and select Next Add the appropriate users/groups who are authorized to launch the app, and select Next NOTE Click + to add multiple conditions based on the context. Specify if the HTTP/HTTPS app can be accessed with or without restrictions The below screenshot has all restrictions configured. Please note that Anti Key-logging and Anti Screen-Capturing require Citrix Workspace desktop clients. Specify the TCP/UDP apps action The below screenshot denies access to TCP/UDP apps. Select Next The Summary page displays the policy rule details Verify the details and select Finish In the Create policy dialog, verify that Enable policy on save is checked, and select Save. Validate Log into Citrix Workspace as a user Select the configured web application The user automatically signs in to the app The appropriate enhanced security policies are applied Troubleshooting Enhanced Security Policies Failing Users might experience the enhanced security policies (watermark, printing, or clipboard access) fail. Typically, this happens because the web application uses multiple domain names. Within the application configuration settings for the web app, there was an entry for Related Domains. The enhanced security policies are applied onto those related domains. To identify missing domain names, an administrator can access the web app with a local browser and do the following: Navigate to the section of the app where the policies fail. In Google Chrome and Microsoft Edge (Chromium version), select the three dots in the upper right side of the browser to show a menu screen. Select More Tools. Select Developer Tools Within the developer tools, select Sources. This provides a list of access domain names for that application section. To enable the enhanced security policies for this portion of the app, those domain names must be entered into the related domains field within the app configuration. Related domains are added like the following *.domain.comMon, 03 Jun 2024 12:31:06 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/act-ltsr/Mon, 03 Jun 2024 09:19:47 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/citrix-uberagent/Tue, 28 May 2024 16:15:00 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/citrix-profiles-wem/Wed, 08 May 2024 13:50:58 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/uberagent/Tue, 30 Apr 2024 12:36:59 +0000https://community.stage.citrix.com/tech-zone/learn/tech-briefs/wem-security/Overview This Tech Brief explores the pivotal security features embedded within Citrix Workspace Environment Management (WEM). In today’s rapidly evolving digital landscape, robust application security within WEM is not just a luxury. It is a necessity. By harnessing the power of WEM, organizations can bolster their security posture, seamlessly navigate the complexities of application management, and protect their environment against many threats. This Tech Brief provides an overview of WEM’s security features, designed to empower IT administrators with the tools they need to enforce security measures effectively. It covers mechanisms such as Execution Rules, Windows Installer Rules, Script Rules, Packaged Rules, the intricacies of Process Management, and Privilege Elevation within WEM. Through this article, we will try to highlight the benefits and operational implications of WEM’s security capabilities. We offer a blend of technical details suited for seasoned IT professionals while remaining accessible to those new to the domain. We aim to demystify WEM's security features, highlighting how they integrate into broader IT security strategies to safeguard your organizational environment. In the following sections, we explore each feature in detail, outlining their roles, use cases, and the subsequent benefits they offer. Application Security Application security offers various mechanisms to bolster security within virtual and physical environments. Executable, Windows Installer, Script, and Packaged Rules. A crucial element to using each section is first adding the default rules. These predefined rules are a foundational starting point before any deny rules should be applied. Execution Rules The implementation of Execution Rules significantly strengthens application security. These rules serve as a line of defense against unauthorized or malicious software executions within the digital workspace. The types of rules that fall under this category can be broadly classified into several types based on their operational criteria: Path: These rules specify the exact paths from which applications can execute. Administrators can ensure that only applications from trusted locations can run by enforcing rules based on directory paths. Publisher: This rule leverages publisher information to allow or disallow applications. It is predicated on the publisher's information (Publisher, Product name, file name, and version) to ensure the application's legitimacy. Hash: This more granular approach permits or blocks applications based on their unique hash values. Even if the application moves locations or is renamed, the hash remains the same, providing a consistent method for control. Execution Rules are pivotal for fortifying application security in several ways: Prevent Malware Execution: By specifying which applications can run and which cannot, Execution Rules prevent the execution of unauthorized or malicious programs that could potentially introduce malware into the system. Enforce Software Compliance: These rules ensure that only licensed and approved applications are run in the user environment, aiding in compliance with software licensing and organizational policies. Limit Application Surface Attacks: Controlling application execution reduces the surface for potential attacks. This is particularly beneficial in minimizing the risk of zero-day attacks, where newly discovered software vulnerabilities could be exploited if not promptly patched. User Access Control: Execution Rules can be configured to apply to specific users or user groups, thus tailoring the application access according to job roles and requirements. This means enhanced security without impeding workflow efficiency. By integrating Execution Rules into the wider security framework, WEM empowers administrators to construct a more resilient and secure workspace environment, minimizing risks while ensuring that productivity tools remain readily available to authorized users. These rules are crucial to the dynamic security posture necessary to confront the evolving threat landscape organizations face today. Windows Installer Rules Windows Installer Rules within WEM are specifically designed to manage the installation of software packages. These rules govern how Windows Installer (.msi files) operates within the managed environment, allowing administrators to control which software can be installed, updated, or removed. Windows Installer Rules work by defining the permissions around Windows Installer Packages based on criteria such as: · Path: These rules specify the location from which the installation can be initiated. Administrators can ensure that only installations from trusted locations can run by enforcing rules based on directory paths. · Publisher: This rule leverages the software publisher’s information to allow or disallow installs. It is predicated on the publisher's file information (Publisher, Product name, file name, and version) to ensure the legitimacy of the installations. · Hash: This more granular approach permits or blocks installs based on their unique hash values. Even if the installer moves location or is renamed, the hash remains the same, providing a consistent method for control. These rules can be applied globally or targeted to specific user groups, providing flexibility and control over the software deployment landscape. Windows Installer Rules are pivotal in maintaining the security and compliance of software installations within an organization: Maintain Software Compliance: They help ensure that only authorized installations occur, preventing the deployment of unlicensed software and reducing legal risks. Enhance System Stability: By controlling software installations, these rules help maintain system stability and prevent conflicts between programs. ·Improve Security: They prevent potentially harmful software from being installed, which could introduce vulnerabilities or compromise system integrity. Reduce Administrative Overhead: Automated enforcement of installation policies eases the burden on IT staff, freeing them from manual oversight of software deployments. Customization and Flexibility: Rules can be customized to meet the specific needs of different departments or user groups within the organization. In summary, Windows Installer Rules are integral to the WEM security infrastructure. They deliver comprehensive management and control over the software installation process, enhancing the organization's overall security posture. Script Rules Script Rules in WEM serve a crucial role in enhancing security by governing the execution of scripts within the IT environment. They act as gatekeepers, determining which scripts are permitted to run, thereby preventing the execution of unauthorized or malicious scripts that could pose a security threat. The ability to manage script execution is essential because scripts are often used to automate tasks but can also be exploited to carry out harmful actions without user interaction. The Script Rules are defined based on the same criteria as all the application security rules: Path, Publisher, and Hash. These rules can apply to all users or be assigned to specific users or groups, allowing certain privileged users to override them. · Path: These rules allow or prevent scripts from running based on their file path location. If a script is not located in a designated safe directory, it won't execute. · Publisher: This type focuses on the script's publisher information. Only scripts matching the publisher info (Publisher, Product name, file name, and version) are permitted to run, ensuring their authenticity and integrity. · Hash: Hash rules are defined by the unique hash value of a script file. Since each file has a distinctive hash, this method ensures that only specific, verified scripts are executed. Script Rules enhance security by: Preventing Unauthorized Scripts: Script rules prevent malware and unauthorized changes to system configurations by blocking the execution of unauthorized or potentially harmful scripts. Ensuring Compliance: Script rules help enforce policy compliance, ensuring only approved scripts run in the environment. This is essential for meeting various regulatory and compliance requirements. Limiting Exploits: Many cyber-attacks use scripts to exploit vulnerabilities. Script Rules can mitigate such threats by controlling which scripts have execution rights. Reducing Surface Attack: Script Rules reduce the attack surface by ensuring that only necessary and safe scripts are allowed to run, thereby minimizing the vectors through which attacks can occur. In summary, Script Rules are a crucial part of the application security framework in WEM, as they provide administrators with a robust set of tools to manage script execution, thus significantly enhancing the security of applications and the overall IT environment. Through these rules, WEM empowers administrators to have granular control over script execution, contributing to the security and operational efficiency of the organization's IT infrastructure. Organizations can significantly mitigate the risk of script-related security threats by carefully crafting and enforcing Script Rules. By setting up script rules, WEM provides a robust framework to secure the IT environment against script-based threats, enforce policy compliance, and enable secure automation of administrative tasks. Packaged Rules Packaged Rules within WEM are designed to manage and secure the execution of packaged applications, such as those delivered in Microsoft's App-V format or similar encapsulation technologies. These rules dictate which packaged applications execute based on criteria like a publisher, package name, and file version. By defining such parameters, WEM ensures that only trusted packaged applications can run, aligning with the organization's security protocols and compliance standards. Once the packaged applications have been identified within the organization, identify those that should be allowed or denied based on business requirements. Create the rules to allow or deny based on the identifiers above. The rules can then be applied universally or tailored to specific groups or users, providing application access and usage flexibility. In summary, Packaged Rules are critical to WEM application security management. By strategically implementing these rules, organizations can ensure that their packaged applications are delivered efficiently and securely, maintaining operational effectiveness and a strong security posture. Process Management The process management feature in WEM is designed to monitor and control the applications and processes that users can launch from Explorer. This management ensures system stability and security by preventing unnecessary or malicious processes from consuming resources or executing harmful actions. Process Blacklist Process management includes a process blacklist feature, a crucial security tool that blocks unauthorized or harmful executables from running in the system. This part of WEM’s security suite allows administrators to identify and catalog disallowed processes—typically those known to be malicious or unnecessary - into a blacklist. WEM enforces this policy throughout the user environment, automatically preventing the initiation of any blacklisted process, thereby offering real-time protection. Overall, the process blacklist is instrumental in ensuring system stability and security across varied applications and user interactions. Privilege Elevation Privilege Elevation is designed to selectively increase user permissions for specific tasks or applications without granting broad administrative rights. This feature enhances security by providing users with the necessary privileges to perform their job functions while minimizing the risk of unauthorized system changes or potential security breaches that could arise from wider administrative rights. Execution Rules Execution Rules define the conditions under which applications and scripts can run with elevated privileges. These rules can be crafted to allow certain trusted applications to execute with higher permissions, necessary for updates or specific functionalities that require administrative rights, without elevating the user’s overall access level. Privilege Elevation allows administrators to grant users permanent or scheduled elevated rights to execute specific tasks or applications. This controlled elevation is crucial for maintaining tight security protocols while enabling users to perform functions requiring higher privileges than their standard user accounts. Elevation can be precisely configured with Execution Rules that dictate the conditions under which applications can run with elevated privileges. Execution Rules can include settings that detail the criteria for elevation, such as path location, publisher, or the specific hash of the executable. Administrators can also define elevation time windows, specifying when the elevated rights are active, to control further and restrict the use of elevated privileges to only necessary periods. Additionally, these rules can extend to child processes spawned by an elevated application, providing granular control over the extent of privileges granted. By implementing Execution Rules, WEM allows necessary applications to function with elevated rights safely and only under conditions that align with organizational security policies. This ensures users can perform essential duties while the system's overall security posture remains uncompromised. Windows Installer Rules Windows Installer Rules govern the installation and updating of software by managing the privileges required for these processes. The importance of these rules lies in their ability to ensure that only authorized installations or updates take place, thus safeguarding against unauthorized changes to the system, potential security vulnerabilities, and compliance issues. By controlling installer privileges, these rules also help maintain system stability and prevent the installation of unlicensed or non-compliant software. These rules are crucial for maintaining a secure environment. They ensure that only installations from trusted sources or with the appropriate privileges can proceed. They also prevent users from installing unauthorized or potentially harmful software, which is essential for complying with security policies and regulatory standards. Administrators can define elevation time windows, limiting the time frame during which installations with elevated privileges are permitted. This prevents users from having persistent administrative rights, reducing the risk of security breaches. Additionally, rules can extend to child processes spawned by the installer, ensuring that the installation procedure, including subsidiary actions, adheres to the organization’s security protocols. This level of granular control over both parent installers and their child processes ensures that all aspects of software installation are under scrutiny and control, reinforcing the system's security and enhancing compliance posture. Self-elevation Self-elevation allows users to temporarily elevate their permissions to perform specific tasks requiring administrative rights. This capability provides significant security advantages, as it eliminates the need to grant users permanent administrative privileges, which could expose the system to security risks. By offering controlled elevation, organizations can maintain a principle of least privilege, reducing the attack surface and potential for accidental or malicious system changes. Self-elevation is configured via the administration console, where administrators establish policies that determine how users can elevate their permissions to execute tasks or applications that require admin rights. These policies allow for the specification of individual applications that users can run with elevated privileges and can include time-based restrictions, confining how long these permissions are active to reduce risk. It can also be restricted to specific applications and applied to certain users or groups. Conclusion In summary, Citrix Workspace Environment Management offers robust security features for protecting and managing the modern digital workspace. Execution Rules ensure that only authorized applications and scripts run, while Windows Installer Rules and Packaged App Rules enforce compliance and prevent unauthorized software installations. Privilege Elevation and Self-Elevation features provide users with the necessary administrative capabilities when required without compromising overall security. The security functionalities within WEM are not just about defending against external threats but also enabling businesses to operate more efficiently and securely. By implementing a principle of least privilege and automating privilege management, WEM ensures that users have the necessary access without exposing the organization's systems to unnecessary risks. The role of security within WEM is foundational. It supports a strategic approach to workspace management by integrating comprehensive security measures that are both proactive and reactive. These measures are vital in building a trusted environment where both productivity and protection are optimized, demonstrating that WEM is a powerful ally in the ongoing effort to balance functionality with security in an ever-evolving threat landscape. References For a more in-depth understanding of the security features within WEM and their implementation, the following resources are invaluable: Citrix Tech Zone offers many resources, including deep-dive articles, expert-led discussions, and community forums for real-world insights and troubleshooting. Citrix blogs where you can find updates on the latest features, security tips, and thought leadership articles on workspace security. Citrix Tech Insight where you can watch how WEM improves the security posture and reduces the threat surface for your users within your Citrix DaaS and CVAD deployments. Citrix Online Training and webinars offered by Citrix can be instrumental for both new and experienced administrators looking to enhance their skills in WEM security management.Wed, 24 Apr 2024 16:35:44 +0000https://community.stage.citrix.com/tech-zone/learn/poc-guides/gacs/Mon, 22 Apr 2024 14:47:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/citrix-mac-vda/OverviewThe Citrix Virtual Delivery Agent for macOS (Citrix VDA for macOS) enables HDX access to macOS Remote desktop from any device with the Citrix Workspace App installed. The Citrix VDA for macOS is designed and engineered as “yet another VDA” backed by Citrix's leading HDX technologies within the DaaS/CVAD product family. It adheres to the existing Citrix product architecture. It follows all the common roadmap of HDX features and all interfaces defined between critical components in DaaS/CVAD to ensure that our customers' knowledge and experience can be fully reused in this new VDA. This deployment guide provides the steps to Install and configure the Citrix VDA for macOS using NDJ (non-Active Directory domain joined) technology to connect the macOS desktop to your management plane (DaaS or CVAD). The Mac device itself could be either domain-bonded or not (for the case of support SSO feature, AD binding is one supported scenario - refer to the product documentation for more details). The following steps are covered in the guide: Prepare the installation of the non-domain joined VDA. Install the Citrix VDA for macOS. Create the Delivery Group Connect via Citrix Gateway Service to the Citrix VDA for macOS. For information regarding using MDM/UEM solutions such as Jamf PRO to deploy Mac VDA please refer to related article in the product documentation Installation section; If the deployment will be in your infrastructure provider, please refer to our MacStadium deployment guide and AWS EC2 Instances guide separately. Remote Access OptionsThe Citrix VDA for macOS supports access from Citrix DaaS and Citrix Virtual Apps and Desktops v2407 or later. This supports multiple access options to macOS VDAs through Citrix Gateway Service with Citrix Workspace or via your on-premises NetScaler Gateway and StoreFront deployment. Access via Citrix Cloud Gateway Service and Citrix Workspace Access via Citrix Cloud with On-Premises NetScaler Gateway and Citrix StoreFront Access via On-Premises NetScaler Gateway and Citrix StoreFront PrerequisitesAny Apple Silicon (M1, M2, and M3 families) based macOS device. macOS 13 (Venture), 14 (Sonoma), 15 (Sequoia, beta and formal release) The following network requirements are configured: https://docs.citrix.com/en-us/mac-vda/system-requirements#network-requirements Citrix DaaS or CVAD subscription Citrix Workspace app 2402 or later (Windows, Linux, Mac, ipadOS, iOS, Android, HTML5, Chrome OS) Citrix VDA for macOS is downloaded to your macOS device from Citrix Downloads. Prepare the Installation Note: The steps for preparation and installation are quite similar if you’re deploying with Citrix Virtual Apps and Desktops; please refer to the Installation section in the product documentation for details. 1. Login to Citrix DaaS, open Web Studio, and select Machine Catalogs. 2. Click Create Machine Catalog. 3. Select Remote PC Access and click Next. (The Single-session OS option is also supported.) 4. Select "I want users to connect to the same (static) desktop each time they log on" and click Next. 5. Select the minimum functional level for this catalog and click Next on the Machine Accounts page. 6. Click Next on the Scopes page. 7. Click Next on the Workspace Environment Management (Optional) page. 8. Leave the "Enable VDA upgrade" unchecked and click Next. 9. Name your Machine Catalog and click Finish. 10. The Machine Catalog is now created. 11. Right-click on the Citrix VDA for macOS Machine Catalog and select Manage Enrollment Tokens. 12. Click Generate. 13. Enter your Token name, select Use current date and time for start, enter 100 into the Specify how many times the token can register VDAs, choose an appropriate end date for the token to allow VDA registrations, and click Generate. 14. Click Copy. 15. Optionally, click Download to download this token for later usage. 16. You will now see your active Enrollment token. Click Close. Install the VDA1. On your macOS device, download .Net 8.0 from https://dotnet.microsoft.com/en-us/download/dotnet/8.0. 2. Select .NET Runtime v8.0.8 and choose the macOS Arm64 download link. 3. Install the Arm64 .Net Runtime package for macOS and check the installation directory path using the command: which dotnet 4. To begin the VDA installation, select the Citrix VDA for macOS installer and double-click it. 5. Click Continue. 6. Click Continue on the License Agreement. 7. Click Agree. 8. Select Install for all users of this computer and click Continue. 9. Click Install. 10. Enter the administrator password and click Install Software if prompted. 11. The Citrix VDA for macOS installs. 12. Choose the required option on the vdaconfig UI and click Open Screen Recording Preference to enable Citrix Graphics Service. Then click Open System Settings. 13. Enable Citrix Graphics Service and close the window. 14. Click Open Accessibility Preferences. 15. Enabled the Citrix Input Service. 16. Validate that .NET 8.0 is installed correctly. 17. Copy the Enrollment Token from Notepad, paste it into Enroll with Token, then click Enroll. 18. Enter the administrator password if prompted and click OK. 19. Once your enrollment is successful, you will receive the enrolled successfully message as seen here: 20. Click Close. Your Citrix VDA for macOS has been installed. 21. Return to Citrix DaaS Web Studio console and verify that the macOS device is registered with the Machine Catalog. Create Delivery Group1. Within Citrix DaaS Web Studio, select Delivery Groups, then click Create Delivery Group. 2. Select your Citrix VDA for macOS Machine Catalog and click Next. 3. Select which users can access the Delivery Group and click Next. 4. Add the required Desktop Assignment Rule and click Next. 5. Select Next on the App Protection screen. 6. Click Next on the Scopes window. 7. Select the appropriate License Assignment for your Citrix DaaS deployment and click Next. 8. Click Next on the Policy Set window. 9. Provide a name for your Delivery Group and click Finish. 10. Your Delivery Group is now created and ready for user access. Enable RendezvousOur deployment will contain non-domain-joined macOS devices. The Rendezvous v2 protocol is used in this scenario, so no Cloud Connectors are required. However, we must enable the Rendezvous Citrix policy for our deployment to work. 1. Within Citrix Web Studio, select Policies and then click Create Policy. 2. Select ICA within View by Category, then scroll to and select Rendezvous Protocol. Click Allow. 3. Click Next. 4. Select Filtered users and computers and expand the Delivery Group. 5. Select Allow in the Mode drop-down menu, and then choose your Citrix VDA for macOS Delivery Group, select Enable, and click Save. 6. review your filters, then click Next. 7. Select Enable policy, provide a Policy name, then click Finish. 8. The Rendezvous policy is now active and enabled. Launch the macOS VDA1. Open your Citrix Workspace app or browser, enter your Citrix Workspace URL, and log in. Your Citrix VDA for macOS desktop will be available for launch. 2. Launch the Desktop. 3. Your remote session via Citrix HDX to your macOS device will begin. SummaryThis guide walked you through the installation and configuration of the Citrix VDA for macOS. This consisted of preparing the Citrix DaaS environment by creating a Machine Catalog and capturing an Enrollment Token, installing and registering the Citrix VDA on macOS device, and creating a Delivery Group with user assignments. As a reminder, the Citrix VDA for macOS is currently in Public Tech Preview. This deployment guide will be updated during the preview period and when the feature goes GA. For more information, please visit the Citrix VDA for macOS product documentation.Fri, 19 Apr 2024 12:03:00 +0000https://community.stage.citrix.com/tech-zone/build/deployment-guides/cpm-one-drive-container/Overview This document is intended for Citrix technical professionals, IT decision-makers, partners, and consultants who want to deploy Microsoft OneDrive Citrix Virtual Apps environment. The content is relevant for both on-premises and public cloud architectures. The reader should understand the Citrix app, desktop virtualization offerings, and Microsoft OneDrive. The document provides best practices for deploying Microsoft OneDrive in a Citrix Virtual Apps environment. The goal is to overcome the challenges of delivering OneDrive in a Citrix environment and provide an optimal user experience. Installing OneDrive in a Citrix virtual application environment, especially for multi-user, non-persistent scenarios, requires careful planning and configuration to ensure seamless user experiences. There are several challenges when deploying OneDrive Citrix Virtual Apps environment, including: Users who roam between multiple endpoints require their applications, files, and data to roam with them. Users with multiple applications open from different sessions on hosts require access to the same storage repository. Environments that have unique applications that store data in specific mapped drives, often without user intervention. Microsoft OneDrive syncs data from the cloud upon user login, which causes challenges in a non-persistent environment where data is deleted after user logoff and can consume a significant amount of storage in the data center where the user’s sessions are hosted. Solving these challenges requires careful planning when deploying Microsoft OneDrive. This deployment guide provides the reader with the recommended installation, configuration, and optimizations to resolve the challenges of deploying OneDrive in a Citrix Virtual Apps environment with the Citrix Profile Management OneDrive Container. Conceptual Architecture Citrix Profile Management is a profile solution for Citrix Virtual Apps servers installed on each computer where user profiles must be managed. Citrix Profile Management addresses user profile deficiencies in environments where simultaneous domain logins by the same user introduce complexities and consistency issues to the profile and optimizes profiles efficiently and reliably. Citrix Profile Management is a crucial component of a well-optimized Citrix Virtual Apps environment. Please review the Citrix Profile Management Quick Start Guide for additional information on deploying the solution. Refer to Profile Management architecture for more details on the folder structure of the user store and the central location for Citrix user profiles. Profile Container The Citrix Profile Management Profile Container is a VHDX-based profile solution that allows you to store the profile folders of your choice or the entire user profile on a VHDX profile disk. A VHDX file is created per user on your profile storage share and mounted to the VDA session(s) when the users log on, resolving any issues with slow logons and improving the logon experience. Once the users have logged into their virtual application, their profile folders are available immediately. Note: Starting with Profile Management 2109, Profile Containers can store the entire user profile in the VHDX profile disk. Microsoft OneDrive Container The Citrix Profile Management OneDrive container is a VHDX-based folder roaming solution. Profile Management creates a VHDX file per user on a file share and stores the users’ OneDrive folders into the VHDX files. The VHDX files are attached when users log on and detached when users log off. With Citrix Profile Management OneDrive Containers, end-user OneDrive folders roam with users to allow access to the same OneDrive folders on any computer or virtual session. These containers are VHDX-based and are created per user within a file share. They are then mounted to the virtual session when users log on and detached when users log off. The VHDX files for the OneDrive container are stored on the same storage server as the Citrix Profile Management user store. The VHDX files for Citrix Profile Management, such as the OneDrive container and profile container, can be stored in different locations in a hybrid solution with a container plus a file-based profile. Roaming and simultaneous access from multiple sessions In many cases, end users roam between multiple endpoints in these settings, requiring their applications, files, and data to roam with them. This is seen a lot in healthcare settings that deliver Citrix Virtual Applications. Additionally, these users may have multiple applications open from different sessions on different hosts, all requiring access to the same storage repository. Citrix Profile Management is designed to resolve the roaming and multiple-session scenario. The above diagram depicts a scenario where the user has launched multiple virtual applications from multiple Citrix Virtual Delivery Agents (VDAs). The user then logs out of two applications and moves to a second device, where they log onto the open application session. Once they log off from the remaining application setting, Citrix Profile Management writes back on the specific settings that were changed during the session while letting other unchanged settings remain untouched. OneDrive Container for roaming and multiple sessions Introducing OneDrive into an environment where roaming or multiple-session Citrix Virtual Apps environments are common also brings many challenges. Challenges include the OneDrive sync app needing to be supported when using file-based profile roaming and previously requiring FSLogix to be supported. However, Citrix Profile Management v2311 and the Citrix OneDrive Container resolve these challenges and allow users to roam and open multiple virtual application sessions when using OneDrive. Note: Many organizations require LTSR infrastructure and Virtual Delivery Agents in their environments. If so, Citrix Virtual Apps and Desktops LTSR v2402 includes the Citrix Profile Management OneDrive Container. Alternatively, customers could remain on LTSR v2203 for VDAs and use newer Citrix Profile Management versions, including the OneDrive Container. OneDrive Install Recommendations Installing OneDrive within a Citrix Virtual Apps environment takes careful consideration. The typical OneDrive installation is installed into each user's profile, which in a Citrix Virtual Apps non-persistent environment will cause issues. OneDrive provides a per-machine install option for this type of environment, which installs OneDrive so that each profile logged in will use the same OneDrive.exe binary. This is recommended when installing OneDrive into a Citrix Virtual Apps non-persistent environment. The following recommendations should be considered when deploying OneDrive in a Citrix Virtual Apps environment. Ensure that the following prerequisites and requirements for OneDrive and Citrix are met. a. Citrix Virtual Apps and Desktops 2311 or later, or Citrix DaaS for the Citrix management plane. b. Windows Server 2019 and above for the VDA operating system. c. Citrix Profile Management 2311 or later e. SMB File share for the VHDX containers Shellbridge is enabled by default in Citrix VDA 2212 and later versions. If using Citrix VDA 2203, Shellbridge must be enabled manually by adding the following Registry key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Virtual Desktop Agent` 'Name: Shellbridge` `Type: REG_DWORD` `Value: 1` Install OneDrive once at the machine level, making it available to all users who access the virtual environment. This method can save storage space but may result in a less personalized experience. For more information on deploying OneDrive per machine level, refer to Microsoft’s OneDrive per-machine installation. OneDrive must be added to the following registry location: HKLM\software\Microsoft\Windows\CurrentVersion. The following command will create the key required for the per-machine installation to run correctly. `REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "\"C:\Program Files\Microsoft OneDrive\OneDrive.exe\" /background"` Install the OneDrive sync client on the base image of your virtual machines or in the shared application layer. Configure OneDrive settings to match your deployment strategy (shared). Create a Group Policy Object (GPO) settings for the following: OneDrive Files On-Demand: This setting prevents files from being downloaded into a user's local cache until the user accesses them. Allow Storage Sense: This setting will remove local copies of files that have not been accessed for a defined period and help control the size of the OneDrive cache. Citrix Profile Management Recommended Configuration with OneDrive Integrating Citrix Profile Management with OneDrive requires careful planning and consideration, as several configurations are necessary to ensure optimal performance and user experience. With the Citrix Profile Management OneDrive container enabled in CPM 2311, the OneDrive container can be accessed via concurrent sessions by default. Citrix Profile Management file-based users must allow the OneDrive container to roam the OneDrive data. This supports simultaneous access to OneDrive. OneDrive data can be roamed for full container users with the profile container, but it does not support concurrent access to the OneDrive data. Full container users must specifically enable OneDrive container for OneDrive data concurrent access. Enable Citrix Profile Management. Enable and set the path to the Profile Management User Store. When using Citrix Profile Management and OneDrive, administrators need to Enable the OneDrive Container so that Citrix Profile Management creates a VHDX file per user on a file share and stores the users’ OneDrive folders into the VHDX files. The VHDX files are attached when users log on and detached when users log off. Enable the OneDrive container—list of OneDrive folders policy and add your OneDrive folders as a path relative to the user profile, then click Save. It is recommended that VHDX disks be automatically reattached in sessions be enabled when deploying containers in the Citrix Profile Management solution (profile container, OneDrive container, Outlook container). Once the Citrix Profile Management OneDrive container is enabled and users are signed into OneDrive, no other sign-in to OneDrive is required if users sign in to a new workstation and launch a new one or connect to a disconnected session. Any files stored In OneDrive will also be available to them immediately as they are not downloaded from the cloud but rather synced between the virtual app server they are connected to and the local area network (LAN). Lastly, offline access is still available for kiosks that do not have internet access to their files. Storage, Scale, and Sync Considerations Each OneDrive user is granted 1 TB of storage space for their personal library. Synchronizing the user’s entire library across multiple devices consumes significant storage. Citrix Profile Management VHDX containers are created in the user store per user, ensuring a single copy of the OneDrive VHDX or profile container VHDX, regardless of the number of user sessions. The VHDX base disk and the difference disk are in the user store. No matter how large a user's OneDrive folder is, it won't consume the OS disk space in an MCS scenario or the write cache disk space in a PVS scenario. Additionally, the storage consumed on the VDAs is minimal as the OneDrive VHDX containers are remote-mounted, preventing the entire user library from copying across the network during the login process. If Citrix Profile Containers are used, the default storage size of the VHDX file is 50GB per user. However, if required, you can use the Default capacity of the VHD containers policy to set a smaller default for profile size. Citrix Profile container VHDX files can auto-compact upon user logoff to save space for central or cloud storage locations. Certain conditions must be met for the compaction to take effect. Lastly, to help with scaling the environment, you can limit the ability for OneDrive to sync only when files are required by enabling the Use OneDrive Files On-Demand Group Policy setting. This setting allows OneDrive to download files when they are needed. Users accessing published applications throughout the day typically only require access to a few files within their OneDrive container. Enabling this setting ensures that the OneDrive sync client does not sync unneeded files to the container. Tips and Optimizations Optimizing the environment to make the OneDrive user experience consistent with a physical desktop is essential to healthcare customers. Several settings can be configured to adjust OneDrive settings to improve performance and reduce network traffic. Disable the OneDrive Update service on the master image. The OneDrive Update service keeps the application updated in the per-machine installation of OneDrive. It is recommended that you disable this service in non-persistent image workloads. Disable the OneDrive per machine Standalone Update and Reporting scheduled tasks. The Standalone Update scheduled task updates the OneDrive application service. The Reporting scheduled task audits every file OneDrive and provides up-to-date reports on all user file activity. Limit selective sync to essential folders. Syncing only essential OneDrive folders in the environment helps optimize performance and enhances the end-user experience in the Citrix environment. Setting upload and download limits. Setting limits to uploads and downloads for OneDrive can assist in avoiding overloading the virtual infrastructure. Enable VHD disk compaction. The Citrix Profile Management setting automatically compacts the VHDX file on user logoff when the file exceeds a specified value or the number of logoffs reaches a specified value. Replicate profile containers. Replicating user profile containers provides profile redundancy for user logins but not for in-session failovers. However, replicating the containers increases system I/O and may prolong logoffs. Enable Automatically reattach VHDX disks in sessions. This policy enables a high level of stability if a session failover occurs. The connection to the profile container is re-established to the profile store, and the VHDX is automatically re-attached. By default, with Local Caching, the entire profile is cached locally during log-in. To Reduce Login times, enable Profile Streaming, which caches profile folders on demand after login. Exclusive Access. VHD containers allow concurrent access by default. If needed, you can disable concurrent access for the profile and OneDrive. Summary Deploying Microsoft OneDrive in a Citrix Virtual Apps environment to be used within healthcare settings comes with many challenges. Having the right strategy and careful planning and execution will allow healthcare organizations to deploy OneDrive successfully within a Citrix Virtual Apps environment and overcome the difficulties of roaming users, multiple sessions, and cloud synchronization of files. Optimizing the environment will provide a better overall end-user experience within the environment and applications. References Citrix Profile Containers Deployment GuideMon, 15 Apr 2024 12:07:43 +0000https://community.stage.citrix.com/tech-zone/automation/terraform-daas-gcp/Wed, 10 Apr 2024 07:45:00 +0000