Product Documentation

Download full document

XenDesktop Essentials Service

Mar. 20, 2017

The Citrix XenDesktop Essentials Service allows management and delivery of Windows 10 Current Branch for Business (CBB) virtual desktops from Microsoft Azure.

XenDesktop Essentials Service is the first Citrix Cloud service designed specifically for the Azure Marketplace. Citrix and Microsoft are partnering to deliver an integrated experience for XenDesktop Essentials and Azure IaaS. This partnership gives you a single interface to deliver a complete Windows 10 digital workspace from Azure.

With XenDesktop Essentials Service, you can:

  • Rapidly deploy and secure Windows 10 virtual desktops on Azure
  • Deliver best-in-class user experience with Citrix HDX capabilities
  • Provide secure access on any device by using Citrix Receiver from anywhere
  • Access to everything you need from the Azure Marketplace and Citrix Cloud

Citrix XenDesktop Essentials Service for Azure simplifies Windows 10 deployment. You can expedite deployment and streamline management at scale and deliver a rich user access experience at the same time.

You can rapidly migrate users from Windows 7 or Windows 8 virtual or local desktops to Windows 10 in the Azure cloud with XenDesktop Essentials Service. You can manage the Windows 10 desktops by using Studio and monitor sessions from Director. Users connect to their Windows 10 virtual desktops by logging on with Citrix Receiver.

XenDesktop Essentials, the Citrix Cloud, and the Microsoft Azure cloud work together. During configuration, you create your Microsoft Azure account and then create virtual machines. After that, you install the Citrix Cloud Connectors and the Virtual Delivery Agent (VDA) on the domain controller. You also install the VDA on the Windows 10 desktop.

When you complete those tasks, you create a host connection to Microsoft Azure. The machine catalog uses a Windows 10 master image that you provide or one obtained from Citrix.

Users connect to their desktops by using StoreFront and Citrix Receiver. When users log on to Citrix Receiver, the Windows 10 desktop icon appears in the StoreFront window.

If you have users who are remote, deploy NetScaler Gateway to provide secure access to their Windows 10 desktops.

Deploying XenDesktop Essentials Service

The following diagram depicts the main components of the solution by using their respective subcomponents. The four major components are as follows:

  1. Microsoft Azure - Azure subscription hosting the Azure Resource Manager and Azure Service Manager accounts for the solution.
  2. Citrix Cloud - Citrix subscription and company hosting the XenApp and XenDesktop Service.
  3. Public internet - internet-based external clients and users with Citrix Receiver.
  4. Internal data center - on-premises network containing internal users and the necessary applications accessed by the Azure Windows 10 virtual machines.

localized image

You can also deploy NetScaler VPX to allow external customers secure access to their Windows 10 desktops.

The following diagram shows an architectural overview of a XenDesktop Essentials Service deployment.

localized image

System Requirements

The following information provides the system requirements for XenDesktop Essentials.

  1. An Azure subscription.
  2. An Azure AD user account in the directory associated with your subscription, who is also an administrator of the subscription.
  3. An Azure Resource Manager (ARM) virtual network and subnet in your preferred region. These components require connectivity to an Active Directory domain controller and the Citrix Cloud Connector.
  4. A Microsoft Azure host connection. You can create the connection by following the steps in the Citrix blog, "Connecting to Azure Resource Manager in XenApp & XenDesktop."
  5. One Microsoft Azure resource group is required that contains the following:
    1. One Microsoft Windows Server 2012 R2 Microsoft Azure Active Directory with at least one user who has permission to provision machines. Citrix recommends using, at a minimum, the Standard_D2_v2 virtual machine instance in Microsoft Azure. For more information about how to create an Azure Active Directory account, see "How to get an Azure Active Directory tenant." In addition, consider the following:
    2. The Azure AD user must have the Owner Role for the subscription. This person is the first to log on and who grants permission to XenDesktop to create the service principal.
    3. The Owner Role creates the service principal and contains the Contributor Role. The Contributor Role is added to the subscription at the specified time of creation.
    4. You can then use the service principal to create the Machine Creation Services catalog, hosting connections and units, and power management settings.
    5. The Azure AD account must have, at the least, contributor permissions for the Azure subscription you want to use for provisioning resources. For more information about how to make a user a contributor on a subscription, see "How to Add or Change Azure Administrator Roles."
  6. Two Microsoft Windows Server 2012 R2 virtual machines, with the Citrix Cloud Connector installed on both machines. Citrix recommends using, at a minimum, the Standard_D2_v2 virtual machine instance in Microsoft Azure. Ensure that each machine meets the following minimum requirements:
    • Active Directory computer account that uses Read permissions on containers and Read/Write permissions on user and computer objects.
    • Outbound port 443 must be open to allow secure access to the internet. The Citrix Cloud Connector also supports Internet Explorer proxy settings configured for outbound connections.
  7. One virtual machine with Microsoft Windows 10, the Citrix Desktop OS Virtual Delivery Agent, and installation of any desired apps.
  8. One Citrix NetScaler VPX configured in ICA Proxy mode.
    1. Configuring ICA Proxy enables secure access to the applications and desktops offered to your users.
    2. For more information about setting up the NetScaler VPX, see "Creating a NetScaler VPX Deployment in Microsoft Azure Reference Architecture."

You can create a machine catalog by using Machine Creation Services. XenDesktop requires a master image that you use as a template for all the machines in that catalog.

For more information about Citrix Cloud requirements, see "System Requirements."

Next Steps

The next steps for setting up XenDesktop Essentials are:

  1. Create a Microsoft Azure account and the necessary virtual machines.
    1. Provision one Microsoft Windows 10 virtual machine (that you provide). Install any desired applications on the image and then join the machine to the domain. You install the Citrix Virtual Delivery Agent (VDA) on this machine.
  2. Install the Citrix Cloud Connectors. The Cloud Connector must be open to connect to the cloud. For more information about installing the Cloud Connector, see "Cloud Connector Installation." For more information, see "Citrix Cloud Connector Technical Details."
  3. Create a host connection to Microsoft Azure from the Citrix Cloud.
  4. Create a machine catalog by using a Windows 10 master image.
  5. Configure a Delivery Group.
  6. Connect users with Citrix Receiver.

Create a Microsoft Azure Account

The following are the requirements to create a Microsoft Azure Account:

  1. Ensure that the user is a member of the Azure Active Directory.
  2. Ensure that the user has, at a minimum, contributor permissions to the subscription to be used.
  3. Create a resource group within Microsoft Azure. For more information about the required servers, see "Azure resource group guidelines."

Install the Cloud Connectors

Citrix Cloud requires that you install the Citrix Cloud Connector on two machines. When you install the Citrix Cloud Connectors, you ensure continuous availability of your resource location. The Citrix Cloud Connector is stateless. All logs and alerts are sent back to Citrix Cloud. For more information, see the following topics on the Citrix Product Documentation website:

To install the Citrix Cloud Connector

  1. Go to and log on with your credentials. The XenApp and XenDesktop Service console opens.
  2. From the menu in the upper left corner, click Resource Locations.
  3. Download and install the Citrix Cloud Connector on a Windows Server 2012 R2 machine. This machine must be joined to your Active Directory domain and has outbound internet access.
  4. When prompted, type the same user credentials that you typed to log on to Citrix Cloud. Follow the pages to install and configure the Citrix Cloud Connector.
  5. Repeat step 4 on any extra machines that you want to use as Citrix Cloud Connectors.

After installation, Citrix Cloud registers your domain in Identity and Access Management. For more information, see Identity and Access Management.

Install the Virtual Delivery Agent

In preparation for hosting the desktops, install the Citrix Virtual Delivery Agent (VDA) software on the machine hosting the applications and desktop. The VDA software enables the machine to register with the XenApp and XenDesktop Service. The software also establishes and manages the connection between the machine and the user device. Last, the VDA software verifies that a Citrix license is available for the user or session. The VDA software also applies any configured policies for the session. The VDA communicates session information to the XenApp and XenDesktop Service through the broker agent included in the VDA.

VDAs are available for Windows server and desktop operating systems. VDAs for Windows server operating systems allow multiple users to connect to the server at one time. VDAs for Windows desktop operating systems allow only one user to connect to the desktop at a time.

Download and install the Citrix Desktop OS Virtual Delivery Agent (VDA) to the virtual machine with Windows 10 installed. For more information, see Configure VDAs.

Create a Host Connection to Microsoft Azure

Before you start, ensure that you have your Azure Active Directory credentials and your subscription ID available.


The person who sets up the host connection must have a user account in the directory mapped to the Azure subscription. The user account cannot be a Microsoft Identity. If you are using tenants, map the primary directory to a directory within the subscription.

To authenticate to Azure to create a service principal

  1. Go to, log on, and then click the tile for XenDesktop Essentials Service.
  2. Click Manage and then choose Service Creation to open Citrix Studio.
  3. In the left pane, under Citrix Studio, expand Configuration, and then click Hosting.
  4. In the Actions pane, under Hosting, click Add Connection and Resources.
  5. On the Add Connection and Resources page, do the following:
    1. In Connection type, select Microsoft Azure.
    2. In the Azure environment, select Azure Global and then click Next.
  6. In Connection Details, do the following:
    1. In Subscription ID, type the Azure identification number.
    2. In Connection name, type a name for the connection and then do one of the following:
      1. Click Create new and then follow the procedure "To create a connection."
      2. Click Use existing and continue configuring the settings. Follow the procedure "To use an existing host connection."

To create a connection

  1. After clicking Create new, the Azure logon website appears. Log on with your Microsoft account.
  2. After logging on, Azure creates the host connection automatically.
    A green checkmark with the word Connected appears on the Add Connection and Resources page.
  3. Click Next.
  4. On the Region page, select your region and then click Next.
  5. On the Network page, do the following:
    1. Type a name for the resources.
    2. Select the virtual network for the resource group.
    3. Select the subnet that applies to the resource group and then click Next.
  6. On the Summary page, click Finish.
    The host connection to the Microsoft Azure Resource Manager is complete.

To use an existing host connection

  1. After clicking Use existing, the Existing Service Principal Details page appears. Do the following:
    1. In Subscription ID, type the identification number for Microsoft Azure.
    2. In Subscription name, type the name of the Azure subscription.
    3. In Authentication URL, type the URL of the Azure Active Directory.
    4. In Management URL, type the URL you received when you created your Azure account.
  2. Click OK.
  3. On the Connection page:
    1. Click Create a new Connection, type your Microsoft Azure subscription ID and a connection name (optional), and then click Create new. The Citrix XenDesktop Microsoft authentication dialog box appears.
      NOTE: If you want to use a connection that you created at another time, choose Use an existing connection. Then, select the connection from the drop-down list.
    2. Type the user name and password for the Microsoft Azure Active Directory user. Citrix Cloud creates a service principal with the rights to create and manage machines for this subscription.
  4. On the Region page, select the region where your Microsoft Azure resource group is located.
  5. On the Network page:
    1. Type a name for the resources.
      TIP: If you typed a Connection name, use it as the name for the Resources name.
    2. Choose the virtual network for your Microsoft Azure resource group.
    3. Select the subnets to use for this connection. If only one subnet exists, it is selected by default.

Create the Windows 10 CBB Master Image

This section covers how to create a Windows 10 master image for XenDesktop Machine Creation Services. After you create and upload a base image to Azure, the XenApp and XenDesktop Service can create a pool of desktops. The desktops are provisioned within Azure Resource Manager network.

This section assumes that you have a hypervisor, such as Microsoft Hyper-V, Citrix XenServer, or VMware vSphere. Install the Virtual Delivery Agent (VDA) and the Azure virtual machine agent on the base image. Then, the XenApp and XenDesktop Service can create machine accounts by using the virtual hard disk.

Before continuing, install the necessary business applications that you need on the base Windows 10 image.

To create the master image, perform the following steps:

  • Install the VDA on the Windows 10 base image
  • Install the Azure Virtual Machines Agent (VM Agent)
  • Export the virtual hard disk and convert the VHDX format to VHD
  • Create a storage account to host the VHD images
  • Upload the converted VHD to the storage account

To install the VDA on the base image

To get started, download the XenDesktop ISO file from the Citrix website. Then, double-click the .iso file to mount the file. After that, you can start autolaunch to start the installer.

  1. In XenDesktop, start setup to install the VDA on the Windows 10 image. Next to XenDesktop, click Start.
  2. On the next page, click Virtual Delivery Agent for Windows Desktop OS. This item starts the VDA installation.
  3. On the Environment page, click Create a Master Image.
  4. On the HDX 3D Pro page, ensure that you select No, install the standard VDA.
    Note: Azure Windows 10 images do not support this feature.
  5. On the Core Components page, click Next to accept the default settings.
  6. On the Delivery Controller page, select Do it Later (Advanced).
    You configure the Delivery Controller location by using the Azure Active Directory Group Policy.
  7. Click Next and confirm the warning in the dialog box.
  8. On the Features page, select all the features except for Enable Citrix App-V publishing components for the base image and then click Next.
  9. Click Next to accept the default settings on the remaining pages in the installation configuration to install the VDA.
  10. On the Summary page, click Install.
  11. Restart the virtual machine and log back on.

The next step is to install the Windows Azure VM Agent. You can download the agent from the Microsoft website at After you finish installing the agent, restart the machine, and then shut down the machine.

On your hypervisor management server, run the following command to convert the VHDX format to VHD:

command Copy

Convert-VHD -Path <path to source VHDX file> -DestinationPath <path to copy destination VHD file>


In Destination path, set the VHD file name extension to lowercase for compatibility purposes.

Create a Storage Account

In Microsoft Azure, you need a storage account to host the base image virtual hard disk. You can host the drive in an existing storage account or create a storage account.

To create a storage account

  1. In Microsoft Azure, in the navigation pane, click Storage accounts.
  2. On the Storage accounts page, click Add.
  3. In Name, provide a name.
  4. In Deployment model, select Resource manager.
  5. In Performance, select Standard.
  6. For Replication, Storage service encryption, and Subscription, leave the default settings.
  7. In Resource group, do one of the following:
    1. Click Create new to create a resource group. Type the name of the group in the text box.
    2. Click Use existing to use an existing resource group. Click the down arrow and select a group from the list.
  8. To have the storage account appear on the dashboard, click Pin to dashboard.
  9. Click Create.

After you create a storage account, create a "blob container" and then name it to reflect the virtual hard disk, such as "VHDs."

To create a blob container

  1. In Microsoft Azure, in the navigation pane, click Storage accounts and navigate to the storage account that you want to use.
  2. In the center navigation pane, under BLOB SERVICE, click Containers.
  3. In the details pane, click +Container.
  4. In the New container pane, give the container a name.
  5. In Access type, select Blob and then click Create.
    The new blob container appears in the pane.
  6. Copy the blob URL and save it in a text file. 
    The URL is used later to upload the converted VHD.

To upload the VHD image to Azure

After you create the blob container, upload the VHD image to the VHD container of your storage account. To do so, you use the Azure PowerShell management machine.

  1. Start Azure PowerShell.
  2. Run the following commands to upload the VHD:
command Copy

Select-AzureRmSubscription -SubscriptionName 'MySubscription'
Add-AzureRMVHD -ResourceGroupName 'ResourceGroupName' -Destination 'https://BlobServiceEndpointURL/vhds/NameOfVHD.vhd' -LocalFilePath PathOfConvertedVHD\VHDName.vhd

In 'Resource Group Name' type the name of your resource group.
Replace 'https://BlobServiceEndpointURL/vhds/NameofVHD.vhd' by using the URL you copied and saved previously.

After uploading the base image to Azure, you can configure the hosting connection.

Create the Hosting Connection Between the Delivery Controller and Azure

Before you start, ensure that you have your Azure Active Directory credentials and your subscription ID available.

The hosting connection contains information on region, resource group, and virtual networks that are used for deploying desktops in Azure.

After creating the hosting connection, the Citrix Cloud environment can connect to the Azure Resource Manager assets. Then, the Resource Manager configures the resources needed for machine catalogs and Delivery Groups.

To create a hosting connection

  1. Log on to and choose the Organization configured for the XenApp and XenDesktop Service.
  2. Click Setup Service on My Services > XenApp and XenDesktop Service.
  3. After Citrix Studio starts, go to the Hosting node in Configuration and then in the Actions pane, click Add Connection and Resources.
  4. On the Connection page, accept the default settings in Connection type and Azure environment and then click Next.
  5. On the Connection Details page, type in your Azure Subscription ID.
  6. Click Create New Connection, type in a Connection name and provide the credentials for the Azure Contributor administrator account.
    When the status shows Connected, click Next.
  7. On the Regions page, choose the region where your Cloud Connectors are located and then click Next.
    Note: Cloud Connectors and Windows 10 virtual machines must be in the same region and use the same virtual network.
  8. On the Network page, type a name for the resources. Then, select the virtual network and subnet for the connection.
  9. Click Next and then click Finish.


The person who sets up the hosting connection must have a user account in the directory mapped to the Azure subscription. The user account cannot be a Microsoft Identity. If you are using tenants, map the primary directory to a directory within the subscription.

Create a Machine Catalog For XenDesktop Essentials


This information is a supplement to the guidance in the article Create a Machine Catalog on the Citrix Product Documentation website. The article provides information about creating machine catalogs and master images.

A master image is a template that you use to create the virtual machines in a machine catalog. Before creating the machine catalog, create a Windows 10 CBB master image in Azure. After you create the master image, install the master virtual machine with apps and the Citrix VDA on the image.


Upload the Microsoft Windows 10 CBB master image to the destination storage account in Azure before you create the machine catalog.

To create a machine catalog

Go to the Manage tab within the XenApp and XenDesktop Service in Citrix Cloud to create the machine catalog.

  1. In Citrix Studio, click Machine Catalogs in the navigation pane on the left.
  2. In the Actions pane, click Create Machine Catalog.
  3. On the Introduction page, click Next.
  4. On the Operating System page, ensure that Desktop OS is the only operating system option available and then click Next.
  5. On the Machine Management page, do the following:
    1. Ensure that Machines that are power managed is the only option available.
    2. Ensure that Citrix Machine Creation Services (MCS) is the only deployment method available and then click Next.
  6. On the Desktop Experience page, choose the following:
    1. I want users to connect to the same (static) desktop each time they log on.
    2. Yes, create a dedicated virtual machine and save changes on the local disk.
    3. Click Next.
  7. On the Master Image page, do the following:
    1. Use the navigation tree to select the virtual hard disk (VHD) that contains the master image.
      The structure of the navigation tree aligns with the Azure hierarchy as follows:
      • Resource group
      • Storage accounts
      • Containers
      • Virtual hard disks (VHDs)
      • Image names
    2. In Select the minimum functional level for this catalog, choose the XenDesktop version. Click Next.
  8. On the Storage and License Types page, select the destination storage type and where the license server resides. Click Next.
  9. On the Virtual Machines page, select the number of virtual machines and then select the machine size.
    The Standard-A2 machine provides 3.5 GB of memory and a maximum of 1,023 GB for the operating system. The Standard-A3 machine provides 7 GB of memory and 1,023 GB for the operating system.
  10. Click Next.
  11. On the Network Interface Cards page, select a network adapter to associate it with the Azure subnet name for your Citrix machines. You can also click Add Card to add another network adapter. Click Next.
  12. On the Active Directory Computer Accounts page, do the following:
    1. Click Create new Active Directory accounts.
    2. Choose the domain for the computer accounts.
    3. Navigate to the organizational unit (OU) for the new machines.
    4. Type an account naming scheme for the new machines.
      Include two pound signs (##) to increment numbers automatically. In the drop-down list, select number or letters. The pound signs translate to the naming scheme. For example, mymachcatalog## becomes mymachcatalog01 or mymachcatalogAB.
    5. Click Next.
  13. On the Domain Credentials page, click Enter Credentials and then in the Windows Security dialog box, type your user name and password. Click OK and then click Next.
    This account is used to create the computer accounts.
  14. The Summary page appears. Type a Machine Catalog name and the Machine Catalog description for Administrators. Click Finish.

The virtual machines are created and a new storage account appears in the Microsoft Azure dashboard. While machine catalog services deploy the virtual machines, a preparation virtual machine with a VHS is created temporarily in Azure.

To identify the image name in Microsoft Azure

  1. Log on to
  2. On the Dashboard, in the navigation pane, click All resources.
    A full list of subscriptions appears.
  3. Choose the subscription.
  4. Click All settings.
  5. Click Resource groups.
  6. Select the resource group.
  7. Select the virtual machine that contains the Windows 10 and the Citrix VDA installation.
  8. Click All settings.
  9. Click Disks.
  10. Select the OS disk.
    The first text box in the OS disk window contains the URL for the image, which is structured as shown in the following example. You can obtain the storage account name and image name from the URL. For example: https://<storage account name><image name>.
  11. On the Machines page, the templates listed are retrieved directly from your Azure subscription.


Power off the master image virtual machine before finishing the machine catalog creation.

Configure a Delivery Group

A Delivery Group is a collection of machines selected from one or more machine catalogs. The Delivery Group specifies which users can use those machines. For more information about creating Delivery Groups, see "Create Delivery Groups."

  1. In Citrix Studio, right-click Delivery Groups in the navigation panel and then select Create Delivery Group.
  2. Choose the number of machines that you want to make available to the Delivery Group. The number you specify cannot exceed the number of machines that are in your machine catalog. Click Next.
  3. On the Delivery Type page, choose Desktops and then click Next.
  4. On the Users page, choose the option to Leave user management to Citrix Cloud.
    Selecting this option allows you to manage access to the Delivery Group through Citrix Cloud.
  5. On the Summary page, provide a Delivery Group name and type in the display name. Click Finish.

After completing these steps, edit the Delivery Group to configure access for users. You can add or remove users and change user settings.

Add or Remove Users in a Delivery Group

For detailed information about users, see the Users section in the "Create a Delivery Group" article.

  1. Select Delivery Groups in the Studio navigation pane.
  2. Select a group and then select Edit Delivery Group in the Actions pane.
  3. On the Users page, to add users, click Add, and then specify the users you want to add. To remove users, select one or more users and then click Remove. You can also select or clear the check box that enables or disables access by unauthenticated users.
  4. Click OK.

Change user settings in a Delivery Group

The name of this page can appear as either User Settings or Basic Settings.

  1. Select Delivery Groups in the Studio navigation pane.
  2. Select a group and then select Edit Delivery Group in the Actions pane.
  3. On the User Settings (or Basic Settings) page, do the following:
    1. In Description, type the text that StoreFront uses and that users see.
    2. Set the Time zone to match the Azure time zone.
    3. Select Enable Delivery Group.
    4. Set the maximum number of desktops per user.
  4. Click OK to save settings.

The next step is to configure users in the Citrix Cloud.

  1. Log on to the Citrix Cloud portal and then click View Library.
  2. On the desktops tile, click the ellipsis (…) button in the right corner.
  3. Search for the users groups that are allowed access to the Delivery Group and add them to the list.
  4. When finished, click the X to close the window.

localized image

At this stage, your Windows 10 virtual desktops are assigned to the groups added to the subscribers list.

Connect Users for Secure Access

If you have users who connect from a remote location, configure NetScaler Gateway in Azure to create secure connections between Citrix Receiver and Windows 10 desktops. When a user starts a Windows 10 VDA, Citrix Receiver connects to NetScaler in Azure. The connection type is HDX by using the SSL/TLS protocol. It is possible to configure connectivity without the NetScaler appliance in Azure. However, the solution would not be able to scale to larger session capacity through the Citrix Cloud Connector virtual machines.

You can configure NetScaler in Azure by using the following guidelines:

  • Create a NetScaler VPX deployment
  • Run the first-time setup on the NetScaler appliance
  • Configure the XenApp and XenDesktop virtual server gateway
  • Configure an inbound access rule in the Network Security Group

To configure NetScaler in Azure

  1. Log on to the Azure portal as a contributor administrator.
  2. Click the plus (+) sign to add a resource. Search for NetScaler.
  3. Choose the NetScaler 11.1 VPX Bring Your Own License virtual machine.
  4. Configure the basic settings, name, and user name. Choose to use Password for Authentication type.
  5. Set and confirm a user password for an administrator user.
  6. Choose the Resource group that hosts the Windows 10 VDAs and verify your location for the Resource Group and then click OK.
  7. Create a virtual machine for the NetScaler virtual machine.
  8. Choose the machine size for the NetScaler virtual machine.
    Depending on the number of connections, choose the desired size:
    1. For 1,000 HDX sessions or less, select the A2 Standard size.
    2. For more than 1,000 HDX sessions, choose the A3 Standard size.
  9. Choose the Storage and Network settings to match the same settings for the resource manager hosting the Windows 10 VDAs.
  10. Click OK, verify the Summary settings, and then click Purchase to start the deployment.

When the deployment is complete, use the Remote Desktop Protocol (RDP) to connect to one of the Cloud Connector machines. When you connect, you continue to the NetScaler VPX configuration from the web administration console.

You can also add inbound port 80 to the NetScaler network security group to configure NetScaler by using its public IP address. After the configuration is complete, you can delete the inbound port 80 rule to secure access to the management console.

To configure the NetScaler Gateway settings for secure access

  1. Log on to the management console by using the credentials configured for the NetScaler administrator.
    After you log on, configure a Subnet IP Address.
    Note: Azure NetScaler deployments do not support subnet IP addresses configured on the appliance.
    You remove the subnet IP address in a later step to make NetScaler a single IP address mode appliance. Configure a subnet IP address for now; you can use a valid IP address not used by other devices.
  2. In Host Name, DNS IP Address, and Time Zone, use the same IP address that Active Directory uses in Azure Service Manager (Classic). The settings configure DNS servers.
  3. Click Done.
    You do not have to restart NetScaler VPX now.
  4. Click Licenses on the Configuration tab and upload the necessary licenses to configure NetScaler Gateway.
    After the licenses upload, restart the appliance.

When the virtual machine restarts, log on again by using NetScaler credentials. The next step is to delete the subnet IP address.

To delete the subnet IP address

  1. On the Configuration tab, navigate to System > Network > IP Addresses.
  2. Choose the Subnet IP address and then click Delete.

The next step is to add the two Active Directory domain controllers from the Azure Service Manager (Classic) network.

To add the Azure Service Manager Active Directory domain controllers

  1. Under System > NTP Servers, click Add.
  2. Enter the IP address, minimum and maximum poll intervals and if the domain controller is preferred.
  3. Click OK.

Configuring User Connections in NetScaler VPX

You can configure StoreFront by using the XenApp/XenDesktop wizard in NetScaler. Before starting the wizard, ensure that you have the following prerequisites:

  • IP address of the NetScaler Gateway virtual server, which is usually a public address.
  • Firewall port is open between NetScaler Gateway and StoreFront.
  • Local area network (LAN) access is working to StoreFront.
  • StoreFront fully qualified domain name (FQDN).
  • Server certificate for NetScaler Gateway.
  • Authentication server details, which define the credentials with which users log on.

To configure user connections to StoreFront

  1. On the XenApp/XenDesktop landing page, click Continue.
  2. On the NetScaler Gateway Settings page, do the following:
    1. In Gateway FQDN, type the FQDN of NetScaler Gateway.
    2. In Gateway IP address, type the internal IP address of NetScaler Gateway, which can be acquired from the Azure portal.
    3. In Port, type port number 8081.
      An inbound rule is created for the NetScaler Network Security Group that allows inbound traffic through port 8081.
    4. Click Continue.
  3. In Server Certificate, choose the certificate and then type the private key password if the certificate is encrypted. Click Continue.
  4. In Authentication, do the following:
    1. Select Domain as the authentication type.
    2. Provide the IP address of one of the Azure Service Manager (Classic) domain controllers.
    3. Type the port, domain Base DN, the service account, and password of the Azure Active Directory.
    4. Click Test Connection and verify that the NetScaler can communicate with the domain controller.
    5. Click Continue.
  5. In StoreFront, do the following:
    1. Type the StoreFront URL for StoreFront running in the Citrix Cloud.
      You can get the URL from the Citrix Cloud Manage Delivery page.
    2. Type the NetBIOS domain name for the Active Directory domain.
    3. Add the two Cloud Connectors in Azure as Secure Ticket Authority (STA) HTTP URLs.
      Note: Use HTTP instead of HTTPS. Because you are configuring a single NetScaler, all traffic is contained within the same subnet.
    4. Click Continue.
  6. Verify the settings in each section and then click Done.

The next step is to log on to Azure and configure settings.

To configure user connections in Microsoft Azure

  1. Log on to
  2. In the navigation pane, click More services, and then in the center pane, click Network interfaces.
  3. Click a configured network adapter and then click Network security group.
  4. In the details pane, click the configured network security group.
  5. In the navigation pane, click Inbound security rules.
  6. Click Add at the top of the page and then do the following:
    1. Click Advanced in the top pane of the new rule.
    2. Type a name for the rule.
    3. Set the Source port range to an asterisk (*).
    4. Set the Destination port range to 8081 and then click OK.

The next step is to log on to the Citrix Cloud portal and configure settings.

To configure the XenApp and XenDesktop Service in the Citrix Cloud

  1. Log on to
  2. Click Manage in the XenApp and XenDesktop Service.
  3. On the Manage tab, click the down arrow, and select Service Delivery.
  4. In NetScaler Gateway, select Use your own NetScaler Gateway in the resource location.
  5. Type the FQDN:8081 of the NetScaler Gateway published in Azure and then click Save.

You can test your connection by logging on to the StoreFront URL with your domain credentials and starting a Windows 10 desktop. The traffic between Citrix Receiver and the desktop is directed through the NetScaler instance in Azure.

Back to Top