Citrix Application Delivery Management service

Install Citrix ADM agent on Microsoft Azure cloud

The agent works as an intermediary between the Citrix Application Delivery Management (Citrix ADM) and the managed instances in the enterprise data center, or on the cloud.

To install the Citrix ADM agent on the Microsoft Azure cloud, you have to create an instance of the agent in the virtual network. Obtain the Citrix ADM agent image from the Azure Marketplace, and then use the Azure Resource Manager portal to create the agent.

Before you begin creating the Citrix ADM agent instance, make sure that you have created a virtual network with the required subnets where the instance will reside. You can create virtual networks during VM provisioning, but without the flexibility to create different subnets. For information about creating virtual networks, see

Configure DNS server and VPN connectivity that allows a virtual machine to access Internet resources.


Make sure that you have the following:

  • A Microsoft Azure user account
  • Access to Microsoft Azure Resource Manager


  • Citrix recommends that you create resource group, network security group, virtual network, and other entities before you provision the Citrix ADM agent virtual machine, so that the network information is available during provisioning.
  • For the Citrix ADM agent to communicate with Citrix ADM and the Citrix ADC instances, ensure that the recommended ports are open. For complete details about the port requirements for the Citrix ADM agent, see Ports.

To install the Citrix ADM agent on Microsoft Azure Cloud:

  1. Log on to the Azure portal ( by using your Microsoft Azure credentials.

  2. Click +Create a resource.

  3. Type Citrix ADM Agent in the search bar and select Citrix ADM Service Agent.

    Azure networking pane

  4. Click Create.

    Create Resource Manager

  5. In the Create virtual machine pane, specify the required values in each section to create a virtual machine.


    In this tab, specify Project details, Instance details, and Administrator account.

    Create virtual machine

    • Resource group – Select the resource group you have created from the drop-down list.


      You can create a resource group at this point, but Citrix recommends that you create a resource group from Resource groups in the Azure Resource Manager and then select the group from the drop-down list.

    • Virtual machine name – Specify a name for the Citrix ADM agent instance.

    • Region - Select the region where you want to deploy an agent.

    • Availability options – Select the availability set from the list.

    • Image - This field displays the already selected agent image. If you want to change to a different agent image, select the required image from the list.

    • Size - Specify the type and size of the virtual disk for deploying your Citrix ADM agent.

      Select the Supported virtual disk type (HDD or SSD) from the list.

    • Authentication Type – Select Password.

    • User name and Password – Specify a user name and password to access the resources in the resource group that you have created.


    In this tab, specify Disk options and Data disks.

    Specify disks information

    • OS disk type - Select the virtual disk type (HDD or SSD).


    Specify the required networking details:

    Specify Networking

    • Virtual network – Select the virtual network.
    • Subnet – Set the subnet address.
    • Public IP address – Select the IP address.
    • Network security group – Select the security group that you have created.
    • Select inbound ports - If you allow public inbound ports, ensure the inbound and outbound rules are configured in the security group. Then, select the inbound ports from the list. For more details, see Prerequisites.


    Specify Azure Security Center, Monitoring, and Identity.

    Specify Management


    Optional, specify Extensions, Custom Data, and Proximity placement group.

    Specify Advanced

    In Custom Data, you can specify an agent auto-registration script to register the agent with the ADM service. The following is an example script that runs the script and registers the agent:

        import os
        import requests
        import json
        import time
        import re
        import logging
        import logging.handlers
        import boto3
        Overview of the Script:
        The script helps to register an ADM agent with ADM. Pass it in userdata to make ADM agent in AWS to autoregister on bootup. The workflow is as follows
        1)  Fetch the ADM service API credentials (ID and secret) from AWS secret store (NOTE: you have to assign IAM role to the ADM Agent that will give permission to fetch secrets from AWS secret store)
        2)  Login to ADM service with credentials fetched in step 1
        3)  Call ADM service to fetch credentials (serviceURL and token) for agent registration
        4)  Calls registration by using the credentials fetched in step 3
        These are the placeholders which you need to replace according to your setup configurations
        aws_secret_id: Id of the AWS secret where you have stored ADM Credentials
        The secrets value should be in the following json format
        { "adm_user_id_key": "YOUR_ID", " adm_user_secret_key": "YOUR_SECRET"}
        aws_secret_id = "<AWS_secret_id>"
        adm_ip_or_hostname = "<YOUR_ADM_POP>"
        Set up a specific logger with your desired output level and log file name
        log_file_name_local = os.path.basename(__file__)
        LOG_FILENAME = '/var/log/' + 'bootstrap' + '.log'
        LOG_MAX_BYTE = 50*1024*1024
        LOG_BACKUP_COUNT = 20
        logger = logging.getLogger(__name__)
        logger_handler = logging.handlers.RotatingFileHandler(LOG_FILENAME, maxBytes=LOG_MAX_BYTE, backupCount=LOG_BACKUP_COUNT)
        logger_fortmater = logging.Formatter(fmt='%(asctime)-2s:%(funcName)30s:%(lineno)4d: [%(levelname)s] %(message)s', datefmt="%Y-%m-%d %H:%M:%S")
        class APIHandlerException(Exception):
            def __init__(self, error_code, message):
                self.error_code = error_code
                self.message = message
            def __str__(self):
                return self.message + ". Error code '" + str(self.error_code) + "'"
        def parse_response(response, url, print_response=True):
            if not response.ok:
                if "reboot" in url:
                    logger.debug('No response for url: reboot')
                    resp = {"errorcode": "500", "message": "Error while reading response."}
                    return resp
                if print_response:
                    logger.debug('Response text for %s is %s' % (url, response.text))
                response = json.loads(response.text)
                logger.debug("ErrorCode - " + str(response['errorcode']) + ". Message -" + str(response['message']))
                raise APIHandlerException(response['errorcode'], str(response['message']))
            elif response.text:
                if print_response:
                    logger.debug('Response text for %s is %s' % (url, response.text))
                result = json.loads(response.text)
                if 'errorcode' in result and result['errorcode'] > 0:
                    raise APIHandlerException(result['errorcode'], str(result['message']))
                return result
        def _request(method, url, data=None, headers=None, retry=3, print_response=True):
                response = requests.request(method, url, data=data, headers=headers)
                result = parse_response(response, url, print_response=print_response)
                return result
            except [requests.exceptions.ConnectionError, requests.exceptions.ConnectTimeout]:
                if retry > 0:
                    return _request(method, url, data, headers, retry-1, print_response=print_response)
                    raise APIHandlerException(503, 'ConnectionError')
            except requests.exceptions.RequestException as e:
                raise APIHandlerException(500, str(e))
            except APIHandlerException as e:
                logger.debug("URL: %s, Error: %s, Message: %s" % (url, e.error_code, e.message))
                raise e
            except Exception as e:
                raise APIHandlerException(500, str(e))
            '''Get the AWS Region'''
            client = boto3.client('s3')
            my_region = client.meta.region_name
            logger.debug("The rgion is %s" % (my_region))
            '''Creating a Boto cleint session'''
            session = boto3.session.Session()
            client = session.client(
            '''Getting the values stored in the secret with id: <aws_secret_id>'''
            get_id_value_response = client.get_secret_value(
                SecretId = aws_secret_id
            adm_user_id = json.loads(get_id_value_response["SecretString"])["adm_user_id_key"]
            adm_user_secret = json.loads(get_id_value_response["SecretString"])["adm_user_secret_key"]
        except Exception as e:
            logger.debug("Fetching of ADM credentials from AWS secret failed with error: %s" % (str(e)))
            raise e
        Initializing common ADM API handlers
        mas_common_headers = {
            'Content-Type': "application/json",
            'Accept-type': "application/json",
            'Connection': "keep-alive",
            'isCloud': "true"
        API to login to the ADM and fetch the Session ID and Tenant ID
        url = "https://" + str(adm_ip_or_hostname) + "/nitro/v1/config/login"
        payload = 'object={"login":{"ID":"' + adm_user_id + '","Secret":"' + adm_user_secret + '"}}'
            response = _request("POST", url, data=payload, headers=mas_common_headers)
            sessionid = response["login"][0]["sessionid"]
            tenant_id = response["login"][0]["tenant_name"]
        except Exception as e:
            logger.debug("Login call to the ADM failed with error: %s" % (str(e)))
            raise e
        API to fetch the service URL and Token to be used for registering the agent with the ADM
        mas_common_headers['Cookie'] = 'SESSID=' + str(sessionid)
        url = "https://" + str(adm_ip_or_hostname) + "/nitro/v1/config/trust_preauthtoken/" + tenant_id +"?customer="+ tenant_id
        logger.debug("Fetching Service URL and Token.")
            response = _request("GET", url, data=None, headers=mas_common_headers)
            service_name  = response["trust_preauthtoken"][0]["service_name"]
            token = response["trust_preauthtoken"][0]["token"]
            api_gateway_url = response["trust_preauthtoken"][0]["api_gateway_url"]
        except Exception as e:
            logger.debug("Fetching of the Service URL Passed with error. %s" % (str(e)))
            raise e
        Running the register agent command using the values we retrieved earlier
            registeragent_command = "registeragent -serviceurl "+api_gateway_url+" -activationcode "+service_name+"\;"+token
            file_run_command = "/var/python/bin/python2.7 /mps/ "+registeragent_command
            logger.debug("Executing registeragent command: %s" % (file_run_command))
        except Exception as e:
            logger.debug("Agent Registeration failed with error: %s" % (str(e)))
                raise e

    If you specify this auto-registration script, skip step 7 and 8.


    Type the key-value pair for the ADM agent tags. A tag consists of a case-sensitive key-value pair. These tags enable you to organize and identify the agent easily. The tags are applied to both Azure and Citrix ADM.

    Specify Tags

    The configuration settings are validated and the Review and create tab displays the result of the validation.

    • If the validation fails, this tab displays the reason for the failure. Go back to the particular section and make changes as required.
    • If the validation passes, click Create. The agent deployment process begins.

      VM summary

      The deployment process might take approximately 10–15 minutes. Once the deployment is successfully completed, you can view your Citrix ADM agent virtual machine in your Microsoft Azure account.

    Deploy VM

  6. Once the agent is up and running, using an SSH client, log on to your Citrix ADM agent using the Public IP address.


    • If you specified the user name as nsrecover, use the default Citrix ADM agent credentials (nsrecover/nsroot) to log on to the virtual machine.
    • Citrix recommends that you change your default password after the first logon. To change the password, at shell type: passwd nsroot.
  7. Enter the following command to invoke the deployment screen:

  8. Enter the Service-URL and the Activation code that you had copied and saved from the Set Up Agents page in Citrix ADM as instructed in Getting Started. The agent uses the service URL to locate the service and the activation code to register with the service.

    Register agent

After agent registration is successful, the agent restarts to complete the installation process.

After the agent has restarted, access Citrix ADM and on the Set Up Agent page, under Discovered Agents, verify the status of the agent.

Install Citrix ADM agent on Microsoft Azure cloud