Citrix Workspace Azure



Citrix recently made a change within the Azure AD Workspace integration to resolve a security concern: to ensure that a user is properly and securely authenticated when accessing Citrix Workspace, the engineering team added the “prompt=login” parameter to the Azure AD sign-in request, which forces Azure AD to prompt for credentials again instead of silently reusing an existing browser session.

  1. Add Citrix Virtual Apps and Desktops Standard for Azure to a customer: sign in to Citrix Cloud with your CSP credentials, click Customers in the upper-left menu, and from the Customer dashboard select Add Service in the ellipsis menu for the customer.
  2. Citrix builds on its long-standing partnership with Microsoft and offers multiple VDI deployment options for Citrix solutions on Microsoft Azure, including virtual apps, desktops, data and networking.
  3. Citrix Workspace Cloud XenApp/XenDesktop - unable to upgrade catalog. A 'Managed Disk' based source VM is not supported for MCS provisioning; if you can convert the image, host it on a storage account, attach it to a VM and have it boot normally within Azure, that VM can then be used as the MCS source.

Information

There are several key decisions an admin must make when planning a design for a resource location to be used with the Citrix Cloud Virtual Apps and Desktops Service. The first of these decisions is the Subscription Workspace model they plan to utilize.
Subscriptions
Selecting a subscription model is a complex decision because it has to account for both the initial design and the planned growth of the Azure footprint.
Single Subscription workspace model
In a single subscription, all core and Citrix infrastructure remain inside the same subscription. This configuration is recommended for environments that require up to 1,000 Citrix VDA machines.
Multi-Subscription Workspace Model
In this model, Citrix and core resources reside in separate subscriptions to help manage scalability in large deployments.
Protecting Citrix Cloud Resource location hosted in azure
Network Security Groups (NSGs) are stateful layer 3/4 packet filters that allow or deny traffic by source, destination, protocol and port to the resources hosted inside the Azure platform for use with the Citrix Cloud Virtual Apps and Desktops Service. They do not inspect payloads, so they complement rather than replace a firewall in front of the resource location. The NSG rules must permit the ports a Citrix Cloud resource location requires, which are listed in the Citrix Cloud system and connectivity requirements documentation.
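As an added example (not from the Citrix article), the following Azure PowerShell builds an NSG for the VDA subnet of a resource location. The resource group, VNet, subnet names and address ranges are placeholders, and the port numbers (TCP 80 for VDA registration, 1494/2598 for HDX) are illustrative; take the authoritative port list from the Citrix Cloud connectivity requirements before deploying.

```powershell
# Added example, not Citrix's own script. Assumed names and CIDRs below are placeholders.
$rg        = 'rg-ctx-infra'
$location  = 'eastus'
$connector = '10.10.1.0/24'   # assumed Cloud Connector subnet
$vda       = '10.10.2.0/24'   # assumed VDA subnet

$rules = @(
    # Cloud Connectors reach the VDAs for registration and brokering (illustrative port: TCP 80)
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Connector-To-VDA-80' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $connector -SourcePortRange * `
        -DestinationAddressPrefix $vda -DestinationPortRange 80

    # HDX sessions proxied through the Connector subnet (ICA 1494, Session Reliability 2598)
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Connector-To-VDA-HDX' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $connector -SourcePortRange * `
        -DestinationAddressPrefix $vda -DestinationPortRange 1494,2598

    # Explicit deny for everything else from inside the VNet. Without this, Azure's default
    # AllowVnetInBound rule (priority 65000) lets any VNet host talk to the VDAs on any port.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-VNet-Inbound' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol * `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-ctx-vda' -SecurityRules $rules

# Attach the NSG to the VDA subnet of the (assumed) resource-location VNet
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-ctx'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-vda' `
    -AddressPrefix $vda -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review the rules in evaluation order (lowest priority number wins)
$nsg.SecurityRules | Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```

The explicit deny at priority 4000 is the part most often missed: the default rules only block traffic from the Internet, not lateral traffic inside the VNet. Anything else that must reach the VDAs (a jump host for RDP, monitoring agents) needs its own allow rule below 4000, and the Cloud Connector and domain controller subnets need their own NSGs with the matching inbound rules.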



Granting Access for Citrix Cloud to Access your Azure Subscription
When considering how to connect the Citrix Cloud Virtual Apps and Desktops Service to an Azure subscription, there are two primary options:

1. Subscription scope service principals
2. Narrow scope service principals
When an admin creates a host connection to Azure for the first time through Studio, Studio registers an application in Azure AD and creates a service principal for it. The service principal is the identity Citrix Cloud uses to act against the subscription; it has its own credential and is not the admin's user account, although the admin's account must hold enough rights over the subscription to create it and assign it a role. By default a subscription scope principal is created: the role assignment (Contributor) is made at the subscription root, so the permissions apply to every resource hosted in the Azure subscription.
Customers that need more granular control over their resources can instead create what is called a narrow scope service principal. This requires more planning in the environment design: the admin must pre-create the resource groups the VDAs will reside in, and the service principal must be created and granted access to those resource groups (and only those) before the host connection is created.
The requirements and process to create this narrow scope service principal are defined in greater detail in the Tech Article https://support.citrix.com/article/CTX219243.
At this stage, the admin is prepared to deploy their first machine catalog to Azure using the Citrix Cloud Virtual Apps and Desktops Service. For more information on how to prepare a master image and deploy a machine catalog, review the following article: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/machine-catalogs-create.html#prepare-a-master-image-on-the-hypervisor-or-cloud-service
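The narrow scope service principal procedure above, as an added Azure PowerShell example. This is not Citrix's script and does not reproduce the exact permission set from CTX219243: the resource group names and subscription ID are placeholders, and the built-in Contributor role is used for illustration, which is broader than the minimum Citrix documents. Substitute the custom role from CTX219243 in production.

```powershell
# Added example, not Citrix's own script. Assumed names below are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$vdaRg          = 'rg-ctx-vda'      # MCS creates the VDA VMs, NICs and disks here
$imageRg        = 'rg-ctx-images'   # master image / snapshots
$networkRg      = 'rg-ctx-network'  # VNet the VDAs attach to

Connect-AzAccount -Subscription $subscriptionId | Out-Null

# 1. The resource groups must exist before a role assignment can reference them
foreach ($name in @($vdaRg, $imageRg, $networkRg)) {
    if (-not (Get-AzResourceGroup -Name $name -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $name -Location 'eastus' | Out-Null
    }
}

# 2. App registration plus service principal; New-AzADServicePrincipal also issues a client secret
$sp = New-AzADServicePrincipal -DisplayName 'citrix-cloud-hostconnection-narrow'
# Directory replication lag: an immediate role assignment can fail with PrincipalNotFound
Start-Sleep -Seconds 30

# 3. Role assignments at resource-group scope only, never at the subscription root.
#    Contributor is an assumption for this example; CTX219243 lists the narrower permission set.
$scopes = @{
    $vdaRg     = 'Contributor'
    $imageRg   = 'Contributor'
    $networkRg = 'Contributor'
}
foreach ($name in $scopes.Keys) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $scopes[$name] `
        -Scope "/subscriptions/$subscriptionId/resourceGroups/$name" | Out-Null
}

# 4. Verify the principal has no subscription-wide assignment
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id
$assignments | Format-Table RoleDefinitionName, Scope
$broad = $assignments | Where-Object { $_.Scope -eq "/subscriptions/$subscriptionId" }
if ($broad) { throw 'Service principal holds subscription-scope rights; remove them before use.' }

# 5. Values for Studio's "Use existing" host connection dialog.
#    The secret is returned once; store it in a vault, not in a script or ticket.
[pscustomobject]@{
    TenantId       = (Get-AzContext).Tenant.Id
    SubscriptionId = $subscriptionId
    ApplicationId  = $sp.AppId
    Secret         = $sp.PasswordCredentials.SecretText
}
```

Because MCS creates VMs, NICs and disks at catalog creation time, the resource groups must be named exactly as they will be selected in Studio; if the host connection is created first and the resource groups later, the scoped assignments cannot be made and admins tend to fall back to the subscription-wide principal.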

Additional Resources

References:

https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/virtual-apps-and-desktops-azure.html
https://support.citrix.com/article/CTX219243

  • XenDesktop
  • XenApp
  • Citrix Cloud

Information

Introduction

Citrix XenApp and XenDesktop have traditionally used Windows Server Active Directory domains to manage end user access and administrator roles. With the move to the cloud, an Active Directory domain remains a requirement.

When using Azure as a Resource Location, Azure Active Directory also has a role to play:

  1. Azure Active Directory must always be configured as the holder of an application service account for the Citrix service. This account is used by Citrix Cloud or Studio to perform machine lifecycle events within the Azure Tenant.

  2. Azure Active Directory can be used as a more general repository of accounts for administrators and users. Depending on the configuration and type of service, using Azure Active Directory for this role may be optional.

The remainder of this document is focused on the various Azure Active Directory configurations that customers are likely to have, how each of those configurations can be used as repositories of accounts, and the recommended way to associate a Windows Server Active Directory domain controller to manage your Citrix XenApp and XenDesktop environment.

Note: Customers using Windows 10 CBB under a Hybrid Use Benefit license are required to associate an Azure Active Directory instance with their deployment. For other service scenarios, use of Azure Active Directory as a repository is optional and will depend on the customer’s choice of architecture.

Identity management – “hybrid” or “born in the cloud”

Companies that were “born in the cloud” most likely began with an Azure Active Directory linked to some service. This is often the Azure Active Directory associated with an Office 365 Tenant.

Companies that were born in a datacenter typically adopt a hybrid model with some assets in Azure and others remaining in the datacenter. These customers often add Azure Active Directory to an existing Windows Server Active Directory to support authentication with some external service.

The key difference between the two origins is whether there was an existing Windows Server Active Directory that needs to be synchronized with Azure Active Directory (aka ‘Synced with Active Directory’), or if the user accounts are only in Azure Active Directory (aka ‘In cloud’).

Citrix machines (XenApp and XenDesktop workers and supporting infrastructure machines) have a requirement to be joined to an Active Directory domain. This is required for domain computer accounts, new machine provisioning (creation of machine accounts), user association, and pass-through / Kerberos authentication to resources. It is because of these requirements that Azure Active Directory cannot be used alone.

When Azure Active Directory is used with Windows 10 CBB under a Hybrid Use Benefit license, computer accounts and user accounts must be in the same Azure Active Directory. Documentation related to this requirement and its configuration will be available soon.

Implementing Active Directory with Azure Active Directory

As mentioned earlier there are two Azure Active Directory origins for customers; they are born in the cloud or they are hybrid. And there are two Azure Active Directory to Azure Tenant associations; the Azure Active Directory is native to the Azure Tenant or it is not. These combinations impact the Active Directory options that a customer must consider.

  • Customers that only have ‘In cloud’ users can take advantage of Azure Active Directory Domain Services.

  • Hybrid customers with private connectivity back to the datacenter (a site-to-site VPN or ExpressRoute) should deploy replica Domain Controllers in Azure.

It was previously described that many customers will have multiple Azure Active Directories. The key takeaway that affects any implementation is that the Azure Active Directory used for the application service account can be different from the Azure Active Directory where user accounts reside.

The important design point is that the Domain Services are linked to the Azure Active Directory where user accounts reside. This is important in every scenario, but critical when using Windows 10 CBB under a Hybrid Use Benefit license.

The following sections describe the primary scenarios through the use of diagrams to give an understanding of the topology and the relationship of the accounts and Active Directory components.

In cloud user accounts

In this scenario, the user accounts are ‘In cloud’. Therefore, Azure Active Directory Domain Services can be used to provide the necessary Domain Controller services required.

Some possible models with Azure Active Directory are:

In Cloud with one Azure Active Directory

The customer has one Azure Active Directory domain, which is also the same Azure Active Directory associated with the customer Azure Tenant.

Figure 1- In Cloud customer with a single Azure AD

In Cloud with more than one Azure Active Directory

The customer could also have two (or more) Azure Active Directories. In the example below, the customer’s user accounts are being synchronized with an Azure Active Directory associated with an Office365 subscription. And the Azure Tenant account has its default Azure Active Directory which is separate.

Azure Role Based Access Control is used to grant access to user accounts from the Office365 Azure AD to the Azure Tenant, however the application service account used by Citrix must be an account native to the Azure Tenant.


Figure 2- in cloud customer with a separate user Azure AD

Synced with Active Directory user accounts

In this scenario, the user accounts are ‘Synced with Active Directory’. Therefore, Domain Controller IaaS VMs need to be deployed into the Azure subscription; in a hybrid deployment these are replica domain controllers of the existing on-premises domain.

As with the ‘In cloud’ options above, similar topologies exist for customers that have a hybrid networking scenario. In the hybrid scenarios, there is some resource or application that must be accessed from a remote datacenter through a VPN, and Windows pass-through / Kerberos authentication is used by that resource or application.

Hybrid with one Azure Active Directory

Figure 3- Hybrid network with a single Azure AD


Hybrid with more than one Azure Active Directory

Figure 4- Hybrid network with a separate user Azure AD

Tips for success:

The application service account must be created in the Azure Active Directory instance associated with the Azure Tenant where Citrix resources will be deployed.

When creating the application service account from the Citrix Cloud portal or Studio using the “Create New” option, the Azure user account used to create the application service account must be a member of the Azure Tenant Azure Active Directory.

Guest identities, such as a Microsoft account or a user invited from another Azure Active Directory, cannot be used. Enable the “User type” column in the Users view of the Azure Active Directory portal to check whether an account is a Member or a Guest.

See the Citrix documentation topic “Microsoft Azure Resource Manager” for additional details.

When using the “Use existing” option in the Citrix Cloud portal or Studio, delegated users can manually create the application service account through the Azure Portal. Refer to Manually Granting Citrix Cloud Access to Your Azure Subscription for more information.
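The checks in the tips above can be scripted before the host connection is created. The following is an added example, not Citrix's own tooling: it uses Microsoft Graph PowerShell for the directory lookups and Az.Resources for the tenant context. The user principal name and service principal display name are placeholders, and the 30-day secret-expiry threshold is an assumption.

```powershell
# Added example, not from the Citrix article. Assumed names below are placeholders.
Connect-MgGraph -Scopes 'User.Read.All', 'Application.Read.All' | Out-Null
Connect-AzAccount | Out-Null
$tenantId = (Get-AzContext).Tenant.Id

# 1. The account used for "Create New" must be a Member of the tenant directory, not a Guest
$admin = Get-MgUser -UserId 'ctxadmin@contoso.onmicrosoft.com' -Property UserPrincipalName, UserType
if ($admin.UserType -ne 'Member') {
    throw "$($admin.UserPrincipalName) is a $($admin.UserType); invited or Microsoft-account identities cannot create the service principal"
}

# 2. For "Use existing", the service principal's application must be native to the tenant
#    that owns the subscription, not a multi-tenant app homed elsewhere
$sp = Get-MgServicePrincipal -Filter "displayName eq 'citrix-cloud-hostconnection'"
if (-not $sp) { throw 'Service principal not found in this tenant' }
if ($sp.AppOwnerOrganizationId -ne $tenantId) {
    throw "Application is owned by tenant $($sp.AppOwnerOrganizationId), not $tenantId"
}

# 3. The host connection silently breaks when the client secret expires; warn ahead of time.
#    The secret lives on the application object, not on the service principal.
$app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
$threshold = (Get-Date).AddDays(30)   # assumed warning window
foreach ($cred in $app.PasswordCredentials) {
    if ($cred.EndDateTime -lt $threshold) {
        Write-Warning "Secret $($cred.KeyId) expires $($cred.EndDateTime); rotate it and update the host connection in Studio"
    }
}

[pscustomobject]@{
    Admin          = $admin.UserPrincipalName
    AdminUserType  = $admin.UserType
    TenantId       = $tenantId
    ApplicationId  = $sp.AppId
    SecretsOnFile  = $app.PasswordCredentials.Count
}
```

Run this in the tenant that is associated with the Azure subscription hosting the Citrix resources; if the admin signs in to a different directory (for example the Office 365 one from Figure 2), the UserType check will pass in that directory while the Studio creation still fails.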

Additional learning:

  • Administer your (Azure) directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administer

  • Multiple directories: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-directory-independence

  • O365 directories: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-manage-o365-subscription