Citrix Cloud Hybrid



    Configure a hybrid NetScaler Management and Analytics Service (MAS) environment in Citrix Cloud to manage NetScalers located on-premises. In this article, we will review how to configure a hybrid NetScaler Management And Analytics Service environment in Citrix Cloud to manage NetScalers located on-premises. With this setup, no need to have a local MAS infrastructure, except the.

    Citrix Cloud services simplify the delivery and management of Citrix technologies, helping you to extend existing on-premises software deployments or move one hundred percent to the cloud. Create and deploy secure digital workspaces in hours, not weeks, while placing your sensitive app, desktop and data resources on any cloud or hybrid cloud.

    Hybrid cloud is a solution that combines a private cloud with one or more public cloud services, with proprietary software enabling communication between each distinct service. A hybrid cloud strategy provides businesses with greater flexibility by moving workloads between cloud solutions as needs and costs fluctuate.

    Applicable Products

    • XenDesktop
    • XenApp
    • Citrix Cloud

    Information

    Introduction

    Citrix XenApp and XenDesktop have traditionally used Windows Server Active Directory domains to manage end user access and administrator roles. With the move to the cloud, the use of an Active Directory domain continues to remain a requirement.

    When using Azure as a Resource Location, Azure Active Directory also has a role to play:

    1. Azure Active Directory must always be configured as the holder of an application service account for the Citrix service. This account is used by Citrix Cloud or Studio to perform machine lifecycle events within the Azure Tenant.

    2. Azure Active Directory can be used as a more general repository of accounts for administrators and users. Depending on the configuration and type of service, using Azure Active Directory for this role may be optional.

    The remainder of this document is focused on the various Azure Active Directory configurations that customers are likely to have, how each of those configurations can be used as repositories of accounts, and the recommended way to associate a Windows Server Active Directory domain controller to manage your Citrix XenApp and XenDesktop environment.

    Note: Customers using Windows 10 CBB under a Hybrid Use Benefit license are required to associate an Azure Active Directory instance with their deployment. For other service scenarios, use of Azure Active Directory as a repository is optional and will depend on the customer’s choice of architecture.

    Identity management – “hybrid” or “born in the cloud”

    Companies that were “born in the cloud” most likely began with an Azure Active Directory linked to some service. This is often the Azure Active Directory associated with an Office 365 Tenant.

    Companies that were born in a datacenter typically adopt a hybrid model with some assets in Azure and others remaining in the datacenter. These customers often add Azure Active Directory to an existing Windows Server Active Directory to support authentication with some external service.

    The key difference between the two origins is whether there was an existing Windows Server Active Directory that needs to be synchronized with Azure Active Directory (aka ‘Synced with Active Directory’), or if the user accounts are only in Azure Active Directory (aka ‘In cloud’).

    Citrix machines (XenApp and XenDesktop workers and supporting infrastructure machines) have a requirement to be joined to an Active Directory domain. This is required for domain computer accounts, new machine provisioning (creation of machine accounts), user association, and pass-through / Kerberos authentication to resources. It is because of these requirements that Azure Active Directory cannot be used alone.

    When Azure Active Directory is used with Windows 10 CBB under a Hybrid Use Benefit license, computer accounts and user accounts must be in the same Azure Active Directory. Documentation related to this requirement and its configuration will be available soon.

    Implementing Active Directory with Azure Active Directory

    As mentioned earlier, there are two Azure Active Directory origins for customers: they are born in the cloud or they are hybrid. There are also two Azure Active Directory to Azure Tenant associations: the Azure Active Directory is native to the Azure Tenant or it is not. These combinations determine the Active Directory options that a customer must consider.

    • Customers that only have ‘In cloud’ users can take advantage of Azure Active Directory Domain Services.

    • Hybrid customers with a VPN (such as ExpressRoute) should deploy replica Domain Controllers in Azure.

    It was previously described that many customers will have multiple Azure Active Directories. The key takeaway that affects any implementation is that the Azure Active Directory used for the application service account can be different from the Azure Active Directory where user accounts reside.

    The important design point is that the Domain Services are linked to the Azure Active Directory where user accounts reside. This is always important, but it is critical when using Windows 10 CBB under a Hybrid Use Benefit license.

    The following sections describe the primary scenarios through the use of diagrams to give an understanding of the topology and the relationship of the accounts and Active Directory components.

    In cloud user accounts

    In this scenario, the user accounts are ‘In cloud’. Therefore, Azure Active Directory Domain Services can be used to provide the necessary Domain Controller services required.

    Some possible models with Azure Active Directory are:

    In Cloud with one Azure Active Directory

    The customer has one Azure Active Directory domain, which is also the same Azure Active Directory associated with the customer Azure Tenant.

    Figure 1- In Cloud customer with a single Azure AD

    In Cloud with more than one Azure Active Directory

    The customer could also have two (or more) Azure Active Directories. In the example below, the customer’s user accounts are being synchronized with an Azure Active Directory associated with an Office365 subscription, and the Azure Tenant account has its own default Azure Active Directory, which is separate.

    Azure Role Based Access Control is used to grant user accounts from the Office365 Azure AD access to the Azure Tenant. However, the application service account used by Citrix must be an account native to the Azure Tenant.

    Figure 2- in cloud customer with a separate user Azure AD

    Synced with Active Directory user accounts

    In this scenario, the user accounts are ‘Synced with Active Directory’. Therefore Domain Controller IaaS VMs need to be deployed into the Azure subscription. These can be a replica domain controller if this is a hybrid deployment.

    As with the ‘In cloud’ options above, similar topologies exist for customers that have a hybrid networking scenario. In the hybrid scenarios, there is some resource or application that must be accessed from a remote datacenter through a VPN, and Windows pass-through / Kerberos authentication is used by that resource or application.

    Hybrid with one Azure Active Directory

    Figure 3- Hybrid network with a single Azure AD

    Hybrid with more than one Azure Active Directory

    Figure 4- Hybrid network with a separate user Azure AD

    Tips for success:

    The application service account must be created in the Azure Active Directory instance associated with the Azure Tenant where Citrix resources will be deployed.

    When creating the application service account from the Citrix Cloud portal or Studio using the “Create New” option, the Azure user account used to create the application service account must be a member of the Azure Tenant Azure Active Directory.

    Guest identities, such as a Microsoft ID or an account invited from another Azure Active Directory, cannot be used. Enable the “user type” column in the Azure Active Directory portal to identify them.

    See the Citrix documentation, Microsoft Azure Resource Manager, for additional details.

    When using the “Use existing” option in the Citrix Cloud portal or Studio, delegated users can manually create the application service account through the Azure Portal. Refer to Manually Granting Citrix Cloud Access to Your Azure Subscription for more information.
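
    The member-versus-guest tip above can be checked before anyone attempts the “Create New” option. The following is an added example, not Citrix or Microsoft code: it inspects records shaped like Microsoft Graph user resources (`userType`, `userPrincipalName`). The `#EXT#` and verified-domain checks are extra heuristics assumed by this example, and all names and sample accounts are constructed.

```python
# Added example: pre-flight check for the account that will create the
# Citrix application service account. All records below are constructed.

def native_member_issues(user, tenant_domains):
    """Return reasons why `user` is not a native member of the tenant directory.

    `user` is a dict shaped like a Microsoft Graph user resource;
    `tenant_domains` are the directory's verified domain names.
    An empty list means the account passes the check.
    """
    issues = []
    upn = (user.get("userPrincipalName") or "").lower()
    user_type = user.get("userType")

    # The "user type" column in the portal shows this property.
    if user_type != "Member":
        issues.append(f"userType is {user_type!r}, expected 'Member'")

    # Invited and Microsoft-account identities carry an #EXT# marker in the UPN
    # (heuristic added by this example, in case userType alone is misleading).
    if "#ext#" in upn:
        issues.append("UPN contains #EXT# (external identity)")

    # A native account's UPN suffix is one of the tenant's verified domains.
    domain = upn.rpartition("@")[2]
    if domain not in {d.lower() for d in tenant_domains}:
        issues.append(f"UPN domain {domain!r} is not a verified tenant domain")
    return issues


def audit(users, tenant_domains):
    """Map each UPN to its list of issues (empty list = usable)."""
    return {u["userPrincipalName"]: native_member_issues(u, tenant_domains)
            for u in users}


# Constructed sample data (hypothetical tenant and accounts).
TENANT_DOMAINS = ["contoso-example.onmicrosoft.com"]
USERS = [
    {"userPrincipalName": "ctxadmin@contoso-example.onmicrosoft.com", "userType": "Member"},
    {"userPrincipalName": "bob_fabrikam-example.com#EXT#@contoso-example.onmicrosoft.com", "userType": "Guest"},
    {"userPrincipalName": "owner_outlook.com#EXT#@contoso-example.onmicrosoft.com", "userType": "Member"},
]

if __name__ == "__main__":
    for upn, issues in audit(USERS, TENANT_DOMAINS).items():
        print(upn, "->", "OK" if not issues else "; ".join(issues))
```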

    Additional learning:

    • Administer your (Azure) directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administer

    • Multiple directories: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-directory-independence

    • O365 directories: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-manage-o365-subscription

    Intro

    Considering recently published articles surrounding Citrix Cloud, I think it is important to remind institutions out there of the benefits. I will highlight (very briefly) 13 advantages of Citrix Cloud (there are many more) and provide a link to a great article by fellow CTP Nicolas Ignoto on feature requests that should be incorporated into the solution.

    SQL Backend

    This is a big one. If you have multiple resource locations on premises, you traditionally want multiple SQL servers for your XenApp Sites back end. Moving to Citrix Cloud eliminates this. You can also now use WEM as a fully integrated cloud service, meaning you do not have to worry about costly SQL. Have you checked how much SQL costs in Azure?

    High Availability

    All infrastructure is HA (Highly Available): your Desktop Delivery Controllers (Brokers), License Servers, Studio, Director, SQL. Think of the comparable cost with IaaS or on premises.

    Automatic Patching

    All infrastructure is automatically upgraded. Citrix takes care of this for you, eliminating the need to plan patch management. Hotfixes and security patches are not your worry when it comes to the infrastructure components.

    Always Latest Software

    The infrastructure components are automatically upgraded to the latest Citrix versions. You are on the latest technology, which is thoroughly tested before deployment. You get the latest features and improvements.

    License Usage

    With the Citrix XenApp and XenDesktop Service you can easily control your license usage. The licenses are user licenses as there is no concurrent unless you subscribe to the full Workspace services, however you do get 2 for 1 trade up deals and hybrid rights usage. This allows you to continue using your on premises solution whilst migrating (testing) the Citrix Cloud. At time of writing I believe you have a 3 year transition period. The other advantage is you are eligible to release licenses after 30 days compared to 90 days for on premises environments.

    Unified Management

    You can easily manage multiple resource locations from one single unified management plane. This reduces the need for costly infrastructure at multiple site locations.

    Smart Scale

    You can control costs by using Smart Scale. This helps reduce the cost of your workloads in Azure, AWS or XenServer (on premises). Think of the way public clouds incur cost by billing per minute. You can now have workloads running only during core operational hours, or reduce workloads as the number of users drops.

    Hidden Costs

    Hard one to prove but if you think that there is an additional cost with Cloud you should think of the hidden cost savings also. Reduced tin, reduced operational costs, freeing up time and resource to concentrate on other initiatives, not worrying about upgrade cycles, multiple infrastructure in resource locations, easy central management, easy image management, monitoring capability included.

    WEM

    This will be a fully integrated Cloud service allowing you to improve the workspace experience for your users. Improve logon times by moving GPP to this service. Apply CPU and memory optimisations. The SQL back-end is managed by Citrix.

    Smart Check

    This is an automatic health check for your site. No need to deploy agents if you have the XenApp and XenDesktop Cloud Service. You will receive diagnostics on your site's health, such as machines in maintenance mode, services that are stopped and any back-end communication issues.

    Simple Image Management

    You have the ability to use MCS and PVS (on premises) via the Citrix Cloud. (Granted, you do have this ability on premises, so maybe this one does not count.)

    Cloud Agnostic

    You can choose your Cloud of choice. There is no Cloud lock-in. Citrix Cloud is public Cloud agnostic. Managing multiple resource locations in different public Clouds is easy.

    Easy Onboarding and Ability to Make a POC

    The time it takes to request a trial is up for debate, but when you compare this to the time it takes to get traditional POC concepts running it is not that bad. This will be improved, but it is easy to transition an on premises deployment to a running Citrix Cloud XenApp and XenDesktop Service. We are talking hours and not days here!

    Workspace App

    Finally, you are able to take advantage of the Workspace experience using the Workspace App, which is an all-in-one place to go to use the multiple resources you need on a daily basis. Whether it is ShareFile apps, SaaS apps, Web apps, XenApp/XenDesktop apps, on-premises, Cloud etc., you can browse and search for your resource through one easy to use Workspace App experience when linked to the Workspace in the XenApp and XenDesktop Service.

    Conclusion

    Citrix Cloud is evolving and is improving and does have its limitations. I feel it is important to highlight some advantages though in the wake of some recent Citrix Cloud bashing. My fellow CTPs provide a constructive article on the limitations that are being worked upon that is worth a read. The aim for this article is to provide some Yin and Yang to the pros and cons of the solution.