Citrix Cloud

Connector Appliance for Cloud Services

The Connector Appliance is a Citrix component hosted in your hypervisor. It serves as a channel for communication between Citrix Cloud and your resource locations, enabling cloud management without requiring any complex networking or infrastructure configuration. Connector Appliance enables you to manage and focus on the resources that provide value to your users.

The Connector Appliance provides the following functions:

  • Connecting Active Directory to Citrix Cloud enables AD management, allowing the use of AD forests and domains within your resource locations. It removes the need for adding any additional AD trusts. For more information, see Active Directory with Connector Appliance.

  • Image Portability Service simplifies the management of images across platforms. This feature is useful for managing images between an on-premises resource location and one in a public cloud. The Citrix Virtual Apps and Desktops REST APIs can be used to automate the administration of resources within a Citrix Virtual Apps and Desktops site.

    The Image Portability workflow begins when you use Citrix Cloud to initiate the migration of an image from your on-premises location to your public cloud subscription. After preparing your image, the Image Portability Service helps you transfer the image to your public cloud subscription and prepare it to run. Finally, Citrix Provisioning or Machine Creation Services provisions the image in your public cloud subscription.

    For more information, see Image Portability Service.

  • Citrix Secure Private Access enables administrators to provide a cohesive experience that integrates single sign-on, remote access, and content inspection into a single solution for end-to-end access control. For more information, see Secure Private Access with Connector Appliance.

There might be other services in preview that also depend on the Connector Appliance.

The Connector Appliance platform is part of Citrix Cloud Platform and Citrix Identity Platform and can process data, including the following information:

  • IP addresses or FQDNs
  • Device, user, and resource location identifiers
  • Timestamps
  • Event data
  • User and group details from Active Directory (for example, used for authenticating and searching for users and groups)

Details of specific information processed by the Connector Appliance are available in the Data Collected by Citrix Cloud Platform table in the Citrix Cloud Services Data Protection Overview.

Connector Appliance availability and load management

For continuous availability and to manage load, install multiple Connector Appliances in each of your resource locations. Citrix recommends at least two Connector Appliances in each resource location. If one Connector Appliance is unavailable for any time, the other Connector Appliances can maintain the connection. Since each Connector Appliance is stateless, the load can be distributed across all available Connector Appliances. There is no need to configure this load balancing function. It is automated. If at least one Connector Appliance is available, there is no loss in communication with Citrix Cloud.

If you have only one connector configured for a resource location, Citrix Cloud shows a warning on both the Resource Locations and the Connectors page.

Connector Appliance updates

The Connector Appliance is updated automatically. You are not required to take any actions to update your connector.

You can configure your resource location to apply updates either immediately as they become available or during a specific maintenance window.

For more information about configuring updates, see Connector updates.

As part of the update, the Connector Appliance becomes temporarily unavailable. Updates are applied to only one Connector Appliance in a resource location at a time. For this reason, register at least two Connector Appliances in each resource location to ensure that at least one Connector Appliance is always available.

Connector Appliance communication

The Connector Appliance authenticates and encrypts all communication between Citrix Cloud and your resource locations. Once installed, the Connector Appliance initiates communication with Citrix Cloud through an outbound connection. All connections are established from the Connector Appliance to the cloud using the standard HTTPS port (443) and the TCP protocol. No incoming connections are allowed.

The following table lists the ports that the Connector Appliance requires access to:

| Service | Port | Supported Domain Protocol | Configuration details |
|---------|------|---------------------------|-----------------------|
| DNS | 53 | TCP/UDP | This port must be open to the local setup |
| NTP | 123 | UDP | This port must be open to the local setup |
| HTTPS | 443 | TCP | Connector Appliance requires outbound access to this port |

To configure the Connector Appliance, IT administrators must be able to access the administration interface on port 443 (HTTPS) of the Connector Appliance.

Note:

You must include https:// at the start of the IP address.

The Connector Appliance can communicate with both on-premises systems in your resource location and with external systems. If you define one or more web proxies during Connector Appliance registration, only traffic from the Connector Appliance to external systems is routed through this web proxy. If your on-premises system is located in a private address space, traffic from Connector Appliance to this system is not routed through the web proxy.

The Connector Appliance defines private address spaces as the following IPv4 address ranges:

  • 10.0.0.0 – 10.255.255.255
  • 172.16.0.0 – 172.31.255.255
  • 192.168.0.0 – 192.168.255.255

Internet connectivity requirements

Connecting to the Internet from your data centers requires opening port 443 to outbound connections. However, to operate within environments containing an Internet proxy server or firewall restrictions, further configuration might be needed.

To properly operate and consume the Citrix Cloud services, the following addresses must be contactable with unmodified HTTPS connections:

  • https://*.cloud.com
  • https://*.citrixworkspacesapi.net
  • https://*.citrixnetworkapi.net
  • https://*.nssvc.net
    • Customers who can’t enable all subdomains can use the following addresses instead:
      • https://*.g.nssvc.net
      • https://*.c.nssvc.net
  • https://*.servicebus.windows.net
  • https://iwsprodeastusuniconacr.azurecr.io
  • https://iwsprodeastusuniconacr.eastus.data.azurecr.io
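The following added example (not Citrix code) audits an egress firewall or proxy allowlist against the destinations listed above, including the either/or rule for nssvc.net, and also reports entries that are wider than anything the list asks for. The sample allowlist is constructed, and the matching rule (a leading `*.` matches one or more labels) is an assumption about how your filtering product interprets wildcards.

```python
# Added example: audit an egress allowlist against the Connector Appliance
# destination list. Not part of the Citrix documentation or product.

# Required destinations from the list above, with the https:// scheme removed.
REQUIRED = [
    "*.cloud.com",
    "*.citrixworkspacesapi.net",
    "*.citrixnetworkapi.net",
    "*.servicebus.windows.net",
    "iwsprodeastusuniconacr.azurecr.io",
    "iwsprodeastusuniconacr.eastus.data.azurecr.io",
]
# *.nssvc.net may be replaced by BOTH narrower wildcards.
NSSVC_BROAD = "*.nssvc.net"
NSSVC_NARROW = ["*.g.nssvc.net", "*.c.nssvc.net"]
DOCUMENTED = set(REQUIRED) | {NSSVC_BROAD} | set(NSSVC_NARROW)

# Constructed sample of what an egress policy might contain.
SAMPLE_ALLOWLIST = [
    "https://*.cloud.com",
    "*.citrixworkspacesapi.net",
    "*.citrixnetworkapi.net",
    "*.g.nssvc.net",
    "*.windows.net",
    "iwsprodeastusuniconacr.azurecr.io",
]


def normalize(entry):
    """Lower-case an entry and strip scheme, path, port and trailing dot."""
    e = entry.strip().lower()
    if "://" in e:
        e = e.split("://", 1)[1]
    e = e.split("/", 1)[0].split(":", 1)[0]
    return e.rstrip(".")


def covers(allow, required):
    """True if allowlist entry `allow` admits every host that `required` names."""
    allow, required = normalize(allow), normalize(required)
    if allow == required:
        return True
    if not allow.startswith("*."):
        return False  # an exact host entry covers only itself
    # Assumption: "*." matches one or more labels, so compare on the dotted
    # suffix. The leading dot keeps "evilcloud.com" from matching "*.cloud.com".
    suffix = allow[1:]
    if required.startswith("*."):
        return required[1:].endswith(suffix)
    return required.endswith(suffix)


def missing_destinations(allowlist):
    """Return the required destinations that no allowlist entry covers."""
    def covered(req):
        return any(covers(a, req) for a in allowlist)

    missing = [r for r in REQUIRED if not covered(r)]
    if not covered(NSSVC_BROAD):
        narrow_missing = [n for n in NSSVC_NARROW if not covered(n)]
        if len(narrow_missing) == len(NSSVC_NARROW):
            missing.append(NSSVC_BROAD)      # neither form is present
        else:
            missing.extend(narrow_missing)   # one of the pair is absent
    return missing


def wider_than_documented(allowlist):
    """Return entries that cover a documented destination but are broader."""
    wide = []
    for entry in allowlist:
        a = normalize(entry)
        if a not in DOCUMENTED and any(covers(a, r) for r in DOCUMENTED):
            wide.append(a)
    return wide


if __name__ == "__main__":
    print("missing:", missing_destinations(SAMPLE_ALLOWLIST))
    print("wider than documented:", wider_than_documented(SAMPLE_ALLOWLIST))
```

This checks only what the policy would permit by name; it does not test whether the path leaves the HTTPS connection unmodified.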

Network requirements

Ensure that your environment has the following configuration:

  • Either the network allows the Connector Appliance to use DHCP to get DNS and NTP servers, an IP address, a host name, and a domain name or you can manually set the network settings in the Connector Appliance console.
  • The network is not configured to use the link-local IP ranges 169.254.0.1/24, 169.254.64.0/18 or 169.254.192.0/18, which are used internally by the Connector Appliance.
  • Either the hypervisor clock is set to Coordinated Universal Time (UTC) and is synchronized with a time server or DHCP provides NTP server information to the Connector Appliance.
  • If you use a proxy with Connector Appliance, the proxy must be unauthenticated or use basic authentication.
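The following added example (not Citrix code) applies two rules from this page to an address plan: the three private IPv4 ranges that the Connector Appliance reaches without the web proxy, and the link-local ranges that your network must not use. The subnets and destination addresses in the sample plan are constructed, and the "proxy" result assumes that a web proxy was defined during registration.

```python
# Added example: check an address plan against the Connector Appliance's
# private-range definition and its internally used link-local ranges.
import ipaddress

# Private address spaces exactly as this page lists them. Python's own
# ip_address.is_private covers more ranges than these three (link-local, for
# example), so it is not used here.
APPLIANCE_PRIVATE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Link-local ranges used internally by the appliance, as written on this page.
# strict=False because 169.254.0.1/24 has host bits set; it denotes
# the network 169.254.0.0/24.
APPLIANCE_INTERNAL = [
    ipaddress.ip_network(n, strict=False)
    for n in ("169.254.0.1/24", "169.254.64.0/18", "169.254.192.0/18")
]


def egress_path(dest_ip):
    """Return 'direct' for a destination in the appliance's private ranges,
    otherwise 'proxy' (assuming a web proxy was defined at registration)."""
    addr = ipaddress.ip_address(dest_ip)
    if addr.version != 4:
        raise ValueError("the page defines private address space for IPv4 only")
    if any(addr in net for net in APPLIANCE_PRIVATE):
        return "direct"
    return "proxy"


def reserved_conflicts(cidr):
    """Return the appliance-internal ranges that a planned subnet overlaps."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(r) for r in APPLIANCE_INTERNAL if net.overlaps(r)]


def audit_plan(subnets, destinations):
    """Summarise conflicts per subnet and the expected path per destination."""
    return {
        "conflicts": {s: reserved_conflicts(s) for s in subnets
                      if reserved_conflicts(s)},
        "paths": {d: egress_path(d) for d in destinations},
    }


if __name__ == "__main__":
    # Constructed sample plan.
    plan = audit_plan(
        subnets=["10.20.0.0/24", "169.254.100.0/24"],
        destinations=["10.1.2.3", "172.31.255.255", "172.32.0.1", "52.1.2.3"],
    )
    for subnet, hits in plan["conflicts"].items():
        print(f"{subnet} overlaps appliance-internal range(s): {hits}")
    for dest, path in plan["paths"].items():
        print(f"{dest}: {path}")
```

A destination just outside a listed range, such as 172.32.0.1, is classified as external, so traffic to it is expected at the web proxy rather than on the direct path.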

System requirements

The Connector Appliance is supported on the following hypervisors:

  • Citrix Hypervisor 8.2 CU1 LTSR
  • VMware ESXi version 7 update 2
  • Hyper-V on Windows Server 2016, Windows Server 2019, or Windows Server 2022
  • Nutanix AHV
  • Microsoft Azure
  • AWS
  • Google Cloud Platform

Your hypervisor must provide the following minimum capabilities:

  • 20 GB root disk
  • 2 vCPUs
  • 4 GB memory
  • An IPv4 network

You can host multiple Connector Appliances on the same hypervisor host. The number of Connector Appliances on the same host is only constrained by the hypervisor and hardware limitations.

Note:

Cloning, suspending, and taking snapshots of the Connector Appliance VM are not supported.

Obtain the Connector Appliance

Download the Connector Appliance software from within Citrix Cloud.

  1. Sign in to Citrix Cloud.

  2. From the menu in the top left of the screen, select Resource Locations.

  3. If you do not already have a resource location, click the plus icon (+) or select Add a Resource Location.

  4. In the resource location where you want to register the Connector Appliance, click the Connector Appliances plus icon (+).

    The Add a Connector Appliance task opens.


  5. From the Hypervisor list in Step 1, choose the type of hypervisor or cloud provider that you use to host your Connector Appliance.

    • For on-premises hypervisors and cloud environments, you can download the Connector Appliance within Citrix Cloud:

      1. Click Download Image.
      2. Review the Citrix End User Service Agreement and, if you agree, select Agree and Continue.
      3. When prompted, save the provided Connector Appliance file.

        The file name extension of the Connector Appliance file depends on the hypervisor that you choose.

    • For some cloud environments, you can get the Connector Appliance from the marketplace:

  6. Keep the Install Connector Appliance task open. After installing the Connector Appliance, you input your registration code into Step 2.

You can also get to the Install Connector Appliance task from the Connectors page. Select the plus icon (+) to add a connector and choose to add a Connector Appliance.

Install Connector Appliance on your hypervisor

Citrix Hypervisor

This section describes how to import the Connector Appliance to a Citrix Hypervisor server by using XenCenter.

  1. Connect to your Citrix Hypervisor server or pool by using XenCenter on a system that has access to the downloaded Connector Appliance XVA file.
  2. Select File > Import.
  3. Specify or browse to the path where the Connector Appliance XVA file is located. Click Next.
  4. Select the Citrix Hypervisor server where you want to host the Connector Appliance. Alternatively, you can select the pool to host the Connector Appliance in and Citrix Hypervisor chooses a suitable available server. Click Next.
  5. Specify the storage repository to use for your Connector Appliance. Click Import.
  6. Click Add to add a virtual network interface. From the Network list, select the network for the Connector Appliance to use. Click Next.
  7. Review the options to use to deploy the Connector Appliance. If any are incorrect, use Previous to change these options.
  8. Ensure that Start the new VM(s) automatically as soon as the import is complete is selected. Click Finish.

After the Connector Appliance is deployed and has successfully started up, its console displays a landing page that contains the Connector Appliance IP address. Use this IP address to connect to the Connector Appliance administration page and complete the registration process.

By default, the Connector Appliance uses DHCP to set its network configuration. If DHCP is not available in your environment, you must set the network configuration at the Connector Appliance console before you can access the Connector Appliance management console. For more information, see Set the network configuration by using the Connector Appliance console.

Next step: Register your Connector Appliance with Citrix Cloud.

VMware ESXi

This section describes how to deploy Connector Appliance on a VMware ESXi host by using the VMware vSphere Client.

  1. Connect to your ESXi host by using the vSphere Client on a system that has access to the downloaded Connector Appliance OVA file.
  2. Select File > Deploy OVF Template….
  3. Specify or browse to the path where the Connector Appliance OVA file is located. Click Next.
  4. Review the template details. Click Next.
  5. You can specify a unique name for your Connector Appliance instance. By default, the name is set to Connector Appliance. Ensure that you choose a name that distinguishes this instance of the Connector Appliance from other instances hosted on this ESXi host. Click Next.
  6. Specify the destination storage for your Connector Appliance. Click Next.
  7. Choose the format to store the virtual disks in. Click Next.
  8. Review the options to use to deploy the Connector Appliance. If any are incorrect, use Back to change these options.
  9. Select Power on after deployment. Click Finish.

After the Connector Appliance is deployed and has successfully started up, its console displays a landing page that contains the Connector Appliance IP address. Use this IP address to connect to the Connector Appliance administration page and complete the registration process.

By default, the Connector Appliance uses DHCP to set its network configuration. If DHCP is not available in your environment, you must set the network configuration at the Connector Appliance console before you can access the Connector Appliance UI. For more information, see Set the network configuration by using the Connector Appliance console.

Next step: Register your Connector Appliance with Citrix Cloud.

Hyper-V

This section describes how to deploy Connector Appliance on a Hyper-V host. You can deploy the VM by using the Hyper-V Manager or by using the included PowerShell script.

Deploy the Connector Appliance by using the Hyper-V Manager

  1. Connect to your Hyper-V host.
  2. Copy or download the Connector Appliance ZIP file to the Hyper-V host.
  3. Extract the contents of the ZIP file. The ZIP file contains a PowerShell script and the connector-appliance.vhdx file.
  4. Copy the VHDX file to where you want to keep your VM disks. For example, C:\ConnectorApplianceVMs.
  5. Open Hyper-V Manager.
  6. Right-click on your server name and select New > Virtual Machine.
  7. In the New Virtual Machine Wizard, on the Specify Name and Location panel, enter a unique name to identify your Connector Appliance. Click Next.
  8. On the Specify Generation panel, select Generation 1. Click Next.
  9. On the Assign Memory panel, configure the following settings and then click Next:

    1. Assign 4 GB of RAM.
    2. Disable dynamic memory.
  10. On the Configure Networking panel, select a switch from the list (for example, Default Switch). Click Next.
  11. On the Connect Virtual Hard Disk panel, select Use an existing virtual hard disk.
  12. Browse to the location of the connector-appliance.vhdx file and select it. Click Next.
  13. On the Summary panel, review the values you have chosen and click Finish to create the VM.
  14. On the Virtual Machines panel, right-click on the Connector Appliance VM and select Settings.
  15. In the Settings window, select Hardware > Processors and perform the following actions:
    1. In Number of virtual processors, change the value to 2.
    2. Click Apply.
    3. Click OK.
  16. On the Virtual Machines panel, right-click on the Connector Appliance VM and select Start.
  17. Right-click on the Connector Appliance VM and select Connect to open the console.

After the Connector Appliance is deployed and has successfully started up, connect to the console using the Hyper-V Manager. The console displays a landing page that contains the Connector Appliance IP address. Use this IP address to connect to the Connector Appliance administration page and complete the registration process.

By default, the Connector Appliance uses DHCP to set its network configuration. If DHCP is not available in your environment, you must set the network configuration at the Connector Appliance console before you can access the Connector Appliance UI. For more information, see Set the network configuration by using the Connector Appliance console.

Next step: Register your Connector Appliance with Citrix Cloud.

Deploy the Connector Appliance by using a PowerShell script

The connector-appliance.zip file contains a PowerShell script that creates and starts a new VM.

Note:

To run this unsigned PowerShell script, you might have to change the execution policies on the Hyper-V system. For more information, see https://go.microsoft.com/fwlink/?LinkID=135170. Alternatively, you can use the provided script as the basis to create or amend your own local script.

  1. Connect to your Hyper-V host.
  2. Copy or download the Connector Appliance ZIP file to the Hyper-V host.
  3. Extract the contents of the ZIP file: A PowerShell script and a VHDX file.
  4. In a PowerShell console, change the current directory to where the ZIP file contents are located and run the following command:

    .\connector-appliance-install.ps1
    
  5. When prompted, type a name for your VM or select Enter to accept the default value of Connector Appliance.
  6. When prompted, type a destination for the root disk or press Enter to use the system default directory for VHDs.
  7. When prompted, type a file name for the root disk or select Enter to accept the default value of connector-appliance.vhdx.
  8. When prompted, select the switch to use. Select Enter.
  9. Review the summary of the VM import information. If the information is correct, select Enter to continue. The script creates and starts the Connector Appliance VM.

After the Connector Appliance is deployed and has successfully started up, its console displays a landing page that contains the Connector Appliance IP address. Use this IP address to connect to the Connector Appliance and complete the registration process.

Next step: Register your Connector Appliance with Citrix Cloud.

Nutanix AHV

This section describes how to deploy Connector Appliance from the connector-appliance.vhdx file onto a Nutanix AHV host by using the Nutanix Prism web console.

  1. On the main menu of the Nutanix Prism web console, select the Storage view.
  2. Click + Storage Container to create a storage container to hold the Connector Appliance image file. Alternatively, you can use an existing storage container.
  3. Upload the connector-appliance.vhdx file to your storage container.
    1. On the main menu of the web console, select Settings.
    2. Select the Image Configuration tab and click + Upload Image.
    3. In Create Image, specify a Name for your image.
    4. From the Image Type list, select DISK.
    5. From the Storage Container list, select the storage container you created.
    6. Select Upload a file.
    7. Click Choose file and navigate to the connector-appliance.vhdx file on your local system.
    8. Click Save.
  4. Wait until the image is created and its state shows as ACTIVE in the Image Configuration page.
  5. Select the Network Configuration tab.
  6. Click + Create Network to create a network for the Connector Appliance to use.
  7. In the Create Network page, specify the following information:
    • The network name.
    • The network VLAN ID.
  8. On the main menu of the web console, select the VM view.
  9. Click + Create VM to create a Connector Appliance instance.
  10. In Create VM, specify the following information:
    • The VM name
    • The number of vCPUs
    • The amount of memory in GiB
  11. Select to use Legacy BIOS.
  12. Click + Add New Disk to add a disk to the VM.
  13. In Add Disk, complete the following information:
    1. For Type, select DISK.
    2. For Operation, select Clone from Image Service.
    3. For Bus Type, select SCSI.
    4. For Image, select the image you created when you uploaded the Connector Appliance file.
  14. Click Add to finish adding the disk.
  15. In Create VM, click + Add New NIC.
  16. In Create NIC, select the network to add the VM to.
  17. For Network Connection State, select Connected.
  18. Click Add to finish adding the NIC.
  19. Click Save to create the VM.

    By default, the new VM is powered off.

  20. In the VM view, select the VM and click Power on.
  21. Wait for the VM to start up. This process can take several minutes.

After the Connector Appliance is deployed and has successfully started up, you can find the Connector Appliance IP address in one of the following places:

  • In the VM view of the Nutanix Prism web console.
  • In the Connector Appliance console.

Use this IP address to connect to the Connector Appliance administration page and complete the registration process.

Next step: Register your Connector Appliance with Citrix Cloud.

Microsoft Azure

This section describes how to deploy Connector Appliance in Microsoft Azure. You can deploy the Connector Appliance from the Azure Marketplace or from the downloaded disk image by using the included PowerShell script.

Deploy the Connector Appliance from the Azure Marketplace

To deploy the Connector Appliance from the Azure Marketplace, complete the following steps:

  1. Go to the Connector Appliance in the Azure Marketplace.

    Alternatively, you can search for “Connector Appliance for Cloud Services” in the marketplace search.

  2. Click Get It Now and then Create.

  3. On the Create Citrix Connector Appliance for Cloud Services page, complete the following information:

    • Select the Subscription to use.
    • Select the Resource group to use.
    • Select the Region to locate the Connector Appliance in.
    • Specify a VM name.
    • Select a Virtual network to add the Connector Appliance to. This network is used to access Citrix Cloud, the local resources, and the Connector Appliance administration page. This network cannot be changed later.
    • Specify a value for Subnet.

    Click Next : Tags >.

  4. On the Tags tab, add required tags if needed.

    Click Next : Review + create >.

  5. After you have reviewed the deployment details, click Create.

After the Connector Appliance is deployed and has successfully started up, its console displays a landing page that contains the Connector Appliance IP address. Use this IP address to connect to the Connector Appliance administration page and complete the registration process.

Next step: Register your Connector Appliance with Citrix Cloud.

Deploy the Connector Appliance VM by using a PowerShell script

The connector-appliance-azure.zip file contains a PowerShell script that creates and starts a new VM. You can use the provided script as the basis to create or amend your own local script.

Before running the script, ensure that you have the following prerequisites:

  • Install the Az PowerShell module into your local PowerShell environment.
  • Run the PowerShell script in the directory where the VHD file is located.

Complete the following steps:

  1. Copy or download the Connector Appliance ZIP file to your Windows system.
  2. Extract the contents of the ZIP file: A PowerShell script and a VHD file.
  3. Open a PowerShell console as Administrator.
  4. Change the current directory to where the ZIP file contents are located and run the following command:

    .\connector-appliance-upload-Azure.ps1
    
  5. A dialog appears, prompting you to log into Microsoft Azure. Enter your credentials.
  6. When prompted by the PowerShell script, select the subscription to use. Press Enter.
  7. Follow the prompts in the script, which guide you through uploading the image and creating a virtual machine.
  8. After you have created the first VM, the script asks if you want to create another VM from the uploaded image.

    • Type y to create another VM.
    • Type n to exit the script.

After the Connector Appliance is deployed and has successfully started up, its console displays a landing page that contains the Connector Appliance IP address. Use this IP address to connect to the Connector Appliance administration page and complete the registration process.

Next step: Register your Connector Appliance with Citrix Cloud.

AWS

This section describes how to deploy Connector Appliance in AWS. Connector Appliance is available as an AMI in the AWS marketplace and we recommend that you install the Connector Appliance from the AMI. Alternatively, you can deploy a downloaded disk image by using the AWS UI or by using the included PowerShell script.

Networking prerequisites

To deploy the Connector Appliance on AWS, ensure that you have access to Citrix Cloud from the subnet in which the Connector Appliance is created.

We recommend using a private IP address for the appliance, which requires specific configuration to provide access to Citrix Cloud. To achieve this configuration, complete the following steps in the AWS Management Console:

  1. Create the NAT gateway.

    1. In the top navigation bar, select Services > VPC > NAT Gateways.
    2. On the top right, click Create NAT Gateway. Enter the following information:

      • Enter Name.
      • Select subnet from the list.
      • Set Connectivity type as Public.
      • Select an Elastic IP allocation ID from the list. If there is no available Elastic IP, click Allocate Elastic IP and follow the instructions to create one.
    3. Click Create NAT Gateway.
  2. Create a route table entry including the NAT gateway.

    1. In the top navigation bar, select Services > VPC > Route Tables.
    2. On the top right, click Create route table. Enter the following information:

      • Enter Name.
      • From the list, select the VPC that contains the subnet you selected when creating the NAT gateway.
    3. Click Create route table.
    4. In the Routes tab of the route table you created, click Edit routes > Add route.
    5. Input the Destination and Target for the new route entry.

      • Set the destination as 0.0.0.0/0.
      • For the target, select the NAT Gateway you created from the list.
    6. Click Save changes.
  3. Attach the subnet to be used for the Connector Appliance to this route table.

    1. In the top navigation bar, select Services > VPC > Route Tables.
    2. Select the route table that contains the NAT gateway.
    3. In the display page, go to the Subnet Associations tab.
    4. Click Edit subnet associations.
    5. Select the subnet or subnets to attach to the route table.
    6. Click Save Associations.

Deploy the Connector Appliance from the AWS Marketplace

Before beginning, ensure you meet the following prerequisites:

  • You have permissions to operate EC2 resources.

  • You have completed the configuration in Networking prerequisites.

  • (Optional) You can create a security group that restricts which IP addresses are permitted to access your Connector Appliance.

Complete the following steps:

  1. Log in to the AWS Management Console.
  2. Find the Connector Appliance AMI in the AWS marketplace. You can do this in one of the following ways:

    • Follow the marketplace link provided in Citrix Cloud.

    • Search for the AMI in the AWS Management Console:

      1. Go to Services > Compute > EC2 > AMIs.
      2. Ensure that you are in the US East (Ohio) region.
      3. In Public images, search for “Citrix Connector Appliance” or for the AMI ID “ami-026eaf9b3b232577f”.
  3. Verify that you have the correct AMI by checking the AMI ID (ami-026eaf9b3b232577f) and owner ID (414337923189).

  4. Copy the AMI to your subscription:

    1. Go to Actions > Copy AMI.
    2. In the Copy AMI dialog, you can select the Destination Region that you require.
    3. Click Copy AMI.
  5. From your copied AMI summary page, click Launch instance from AMI.

  6. In the Launch an instance dialog, complete the following steps:

    1. Select the number of instances to create. For resiliency, we recommend that you have two or more Connector Appliances in each resource location.
    2. Specify a name for the instance.
    3. For the Instance type, select t2.medium. The instance type must have at least 4 GB and 2 CPUs.
    4. For the Key pair (login), select Proceed without a key pair. SSH login to the Connector Appliance is not permitted, so a key pair is not needed.
    5. For the Network settings, in the Firewall (security group) section, configure the following settings:
      1. Choose whether to Create security group or Select existing security group.
      2. Deselect Allow SSH traffic from the internet.
      3. Select Allow HTTPS traffic from the internet.
      4. Select Allow HTTP traffic from the internet.

    Click Launch instance.

  7. After the instance is created, in the Success section, click the instance ID link to view your Connector Appliance instance.

    Alternatively, you can click the View All Instances button on this page or go to Services > EC2 > Instances in the AWS Management Console to see a list of your instances.

  8. When your Instance state has changed to Running, go into the instance details and use the Private IPv4 address to connect to the Connector Appliance administration page and complete the registration process.

You might need to use a bastion host to go to the Connector Appliance administration page at the internal IP address from your browser and complete the registration process.

By default, the Connector Appliance uses DHCP to set its network configuration. You can edit this network configuration using the Connector Appliance web interface. For more information, see Configuring network settings on the Connector Appliance administration page.

Next step: Register your Connector Appliance with Citrix Cloud.

Deploy the Connector Appliance by using the AWS UI

Before beginning, ensure you meet the following prerequisites:

Complete the following steps:

  1. On your local system, extract the contents of connector-appliance-aws.zip.
  2. Log in to the AWS Management Console.
  3. Create a storage bucket by completing the following steps. (Alternatively, you can skip these steps and use an existing storage bucket.)
    1. In the top navigation bar, select Services > S3 > Create bucket.
    2. Enter a unique name for your bucket. For naming conventions for buckets in Amazon S3, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html.
    3. Select the region for your bucket. Ensure that you choose the same region as your AWS Region, because you cannot use the files in the bucket if these regions are different.
    4. Keep the remaining settings set to the defaults, then click Create bucket.
  4. Click the name of the bucket that you have created. Click Upload > Add files, then select the connector-appliance.vhd file. Keep the remaining settings set to the defaults then click Upload.
  5. Click the file you uploaded. Click Copy S3 URI.
  6. Click the AWS CloudShell icon in the top navigation bar and run the following commands:
    1. Create a task to convert your VHD file to a snapshot:

      aws ec2 import-snapshot --disk-container Format=VHD,Url="<S3_URI>"
      

      Replace the placeholder value with your S3 URI that you copied from the previous step. For example, aws ec2 import-snapshot --disk-container Format=VHD,Url="s3://my-aws-bucket/connector-appliance.vhd".

      The import task is complete when the following command returns a JSON string containing "Status": "completed". Make a note of the ImportTaskId value in the JSON output.

    2. Run the following command:

      aws ec2 describe-import-snapshot-tasks --import-task-ids <ImportTaskId>
      

      Replace the placeholder value with the ImportTaskId copied from the previous step. For example, aws ec2 describe-import-snapshot-tasks --import-task-ids import-snap-0273h2836153itg5.

  7. On the AWS Management Console, in the top navigation bar, select Services > EC2.
  8. From the menu on the left of the screen, click Snapshots.
  9. Right-click on the snapshot that you created and click Create Image.
  10. In the pane that opens, complete the following steps:
    1. Enter a name for your AMI.
    2. Select Hardware-assisted virtualization.

    Click Create.

  11. From the menu on the left of the screen, click AMIs.
  12. Right-click on the AMI that you created and click Launch.
  13. In the pane that opens, complete the following steps:
    1. Choose the instance type.
    2. (Optional) Customize the network on the Configure Instance tab.
    3. (Optional) Attach another volume on the Add Storage tab.
    4. Set security group rules on the Configure Security Group tab.

    After you have reviewed the instance launch, click Review and Launch.

After the Connector Appliance is deployed and has successfully started up, go to Services > EC2 > Instances and select the instance you have created. Use the Private IPv4 address to connect to the Connector Appliance administration page and complete the registration process. You might need to use a bastion host to go to the Connector Appliance administration page at the internal IP address from your browser to continue the installation process.

By default, the Connector Appliance uses DHCP to set its network configuration. You can edit this network configuration using the Connector Appliance web interface. For more information, see Configuring network settings on the Connector Appliance administration page.

Next step: Register your Connector Appliance with Citrix Cloud.

Deploy the Connector Appliance by using a PowerShell script

The connector-appliance-aws.zip file contains a PowerShell script that creates and starts a new VM. Before running the script ensure that you have the following prerequisites:

Complete the following steps:

  1. On your local system, extract the contents of connector-appliance-aws.zip to a folder.
  2. In PowerShell, run the following commands:
    1. To be able to run an AWS cmdlet in your local environment, run the following command to add a new profile to the AWS SDK store:

      Set-AWSCredential -AccessKey <access_key_ID> -SecretKey <secret_key> -StoreAs MyProfile
      

      Replace the placeholder values with your access key and secret key. Provide a unique profile name. In the example we have provided, it is MyProfile.

    2. Set the profile to the default:

      Initialize-AWSDefaultConfiguration -ProfileName MyProfile
      
    3. Change the current directory to the folder where the extracted files are located and run the following command:

      .\connector-appliance-upload-aws.ps1
      
  3. Follow the prompts in the script, which guide you through selecting the region for your Connector Appliance deployment, uploading the image to your chosen bucket, and entering a name for your VM.

    • You must use the bucket with VM import access that you created earlier.
    • When asked to select the VPC to use, select the VPC where the NAT gateway and route tables are configured.
    • When asked to select the subnet to use, select the subnet attached to the route table containing the NAT gateway.

    For more information, see Networking prerequisites.

After the Connector Appliance is deployed and has successfully started up, the script displays the private IP address of the Connector Appliance. You might need to use a bastion host to go to the Connector Appliance administration page at the internal IP address from your browser and complete the registration process.

By default, the Connector Appliance uses DHCP to set its network configuration. You can edit this network configuration using the Connector Appliance web interface. For more information, see Configuring network settings on the Connector Appliance administration page.

Next step: Register your Connector Appliance with Citrix Cloud.

Google Cloud Platform

This section describes how to deploy Connector Appliance on the Google Cloud Platform. You can install the Connector Appliance from the Google Cloud Marketplace. Alternatively, you can deploy a downloaded disk image by using the Google Cloud Platform Console or by using the included PowerShell script.

The file connector-appliance-gcp.zip contains:

  • connector-appliance.tar.gz, which is a disk image of the Connector Appliance
  • connector-appliance-upload-gcp.ps1, which is a PowerShell script that can be used to automatically deploy the Connector Appliance

Deploy the Connector Appliance from the Google Cloud marketplace

  1. Log in to your Google account.

  2. Follow the marketplace link provided in Citrix Cloud. (Google Cloud Marketplace)

    Alternatively, you can search for “Connector Appliance for Cloud Services” in the marketplace search.

  3. Click Launch.

  4. On the New Citrix Connector Appliance for Cloud Services deployment page, complete the following information:

    • Specify a Deployment name for the deployment job.
    • Select the Zone to locate the Connector Appliance in.
    • Select the Machine family, Series, and Machine type to use.
    • Select the Boot disk type and Boot disk size in GB to use.
    • In the Networking section, specify the networking interface to be used by the Connector Appliance. If you want to be able to connect to the administration page from a public network, specify an External IP.

    Click Deploy. You are directed to the Deployment Manager page.

    Note:

    After the Connector Appliance is deployed and has successfully started up, you receive an email to confirm that the Connector Appliance is deployed on Google Cloud Platform.

  5. On the Deployment Manager page, click on the instance name. Alternatively, you can search for the Connector Appliance instance that you created in the Compute Engine.

  6. If you previously specified an External IP when setting up the networking interface for your Connector Appliance, copy the External IP address in the Network interfaces section in the Details tab. Use this IP address to connect to the Connector Appliance administration page and complete the registration process. Alternatively, you can use the Primary internal IP address to visit the Connector Appliance administration page from another machine that is in the same subnet as your Connector Appliance.

Next step: Register your Connector Appliance with Citrix Cloud.

Deploy the Connector Appliance by using the Google Cloud Platform console

  1. On your local system, extract the contents of connector-appliance-gcp.zip.
  2. In your Google Cloud Platform project, create a storage bucket. (Alternatively, you can use an existing storage bucket.)

    1. From the main menu, select Cloud Storage.
    2. On the main pane, select Create bucket.
    3. Specify a name for your bucket.
    4. Configure the data storage and access settings that you require. You can leave these settings as the defaults.
    5. Click Create.
  3. Inside your storage bucket, select Upload files and choose the file connector-appliance.tar.gz. Wait while the file uploads.
  4. Select the uploaded file to view its details. Copy the value of gsutil URI to the clipboard.
  5. Open the Cloud Shell by clicking the Activate Cloud Shell icon in the header bar.
  6. In your Cloud Shell, run the following command to create an image:

    gcloud compute images create "Image name" --guest-os-features=MULTI_IP_SUBNET --source-uri="gsutil URI of uploaded connector-appliance.tar.gz file"
    
  7. From the main menu, select Compute Engine > VM Instances.
  8. Select Create Instance. In the pane that opens, specify the following information:

    1. In the Name field, specify a name for the Connector Appliance instance.
    2. Choose a region to locate the Connector Appliance in.
    3. Choose the machine configuration.
    4. In the Boot disk section, click Change.
    5. In the section that opens, go to the Custom images tab.
    6. From the Image list, select the image you created.
    7. Click Select.
    8. In the Firewall section, enable HTTPS traffic to allow access to the Connector Appliance administration page.
    9. Specify any additional configuration required. For example, you might not want to use the default networking configuration.

    Click Create.

  9. In the VM Instances section, select your newly created VM to view its details.

After the Connector Appliance is deployed and has successfully started up, the VM Instances section displays the Connector Appliance IP addresses.

If the Connector Appliance has an external IP address, you can use this IP address to go to the Connector Appliance administration page from your browser and complete the registration process.

If the Connector Appliance has only an internal IP address, use a bastion host to go to the Connector Appliance administration page from your browser and complete the registration process. For more information, see https://cloud.google.com/compute/docs/connect/ssh-using-bastion-host.

Next step: Register your Connector Appliance with Citrix Cloud.

Deploy the Connector Appliance by using a PowerShell script

To use the provided PowerShell script to deploy the Connector Appliance, you must have the Google Cloud SDK installed on your system.

  1. On your local system, extract the contents of connector-appliance-gcp.zip to a folder.
  2. In PowerShell, change the directory to the folder where the extracted files are located.
  3. Run the command .\connector-appliance-upload-GCP.ps1.
  4. In the browser window that opens, authenticate with the Google Cloud SDK with an account that has access to the project you want to deploy the Connector Appliance to.
  5. In Google Cloud Tools for PowerShell, when prompted by the PowerShell script, select the project to use. Press Enter.
  6. Follow the prompts in the script, which guide you through uploading the disk, creating an image, and creating a virtual machine.
  7. After you have created the first VM, the script asks if you want to create another VM from the uploaded image.

    • Type y to create another VM.
    • Type n to exit the script.

After the Connector Appliance is deployed and has successfully started up, the script displays the internal IP address of the Connector Appliance. Alternatively, you can go to the Google Cloud Platform console to find the Connector Appliance internal IP address. The Compute Engine > VM Instances section displays the Connector Appliance IP address.

Use a bastion host to go to the Connector Appliance administration page at the internal IP address from your browser and complete the registration process. For more information, see https://cloud.google.com/compute/docs/connect/ssh-using-bastion-host.

Next step: Register your Connector Appliance with Citrix Cloud.

Register your Connector Appliance with Citrix Cloud

Register a Connector Appliance with Citrix Cloud to provide a channel for communication between Citrix Cloud and your resource locations.

After you install your Connector Appliance on the hypervisor and start it, the console displays the IP address of the Connector Appliance. The console also displays an SSL fingerprint that you can use to validate your connection to the Connector Appliance UI.

The Connector Appliance landing page. The Citrix logo in ASCII art. Information about your Connector Appliance, including the version number, the IP address to use to register the connector, and an SSL fingerprint.

  1. Copy the Connector Appliance IP address to your browser address bar.

    Note:

    You may have to include https:// at the start of the IP address.

    The Connector Appliance UI uses a self-signed certificate, which is valid for five years. As a result, you might see a message about the connection not being secure. To verify the connection to your Connector Appliance, you can compare the SSL fingerprint in the console with the fingerprint the browser receives from the webpage.

    For example, in the Google Chrome browser, complete the following steps:

    1. Click the Not Secure marker next to the address bar.
    2. Select Certificate. The Certificate window opens.
    3. Go to the Details tab and find the Thumbprint field.

      If the value of the Thumbprint field and the SSL fingerprint provided in the console match, you can confirm that your browser is connecting directly to the Connector Appliance UI.

    The Connector Appliance SSL fingerprint in a Chrome browser dialog.

    You can replace this self-signed certificate with one of your own that is signed by your organization or generated by using your organization’s chain of trust. For more information, see Managing certificates.

  2. If your browser requires an extra step to confirm that you want to continue to the site, complete this step now.

    The Create new password webpage opens.

  3. Create a password for your Connector Appliance UI and click Set password.

    The Create a new password page.

    The password you set must meet the following requirements:

    • 8 or more characters long
    • Contains both upper and lower case letters
    • Contains at least one non-alphabetic character

    Ensure that you store this password in a safe place for future use.

  4. Sign in with the password you set. The Connector administration page opens.

    Connector administration page with Proxy servers section

  5. (Optional) If you use one or more web proxies, you can add the proxy addresses in the Proxy servers section. Both unauthenticated and authenticated proxies are supported. To add an unauthenticated proxy, provide a valid Proxy IP Address and Port. To add an authenticated proxy, provide a valid Username and Password as well.

    Note:

    Only basic proxy authentication is supported. Other forms of authentication are not supported.

    Only traffic to external systems is routed through the web proxy. For more information, see Connector Appliance communication.

  6. (Optional) If your network uses TLS-intercepting web proxies to access the internet, your Connector Appliance might need to trust the proxy's root certificate authority to communicate successfully with the cloud.
    1. Under Root certificate authorities, select Add certificate.
    2. Copy the contents of the certificate in PEM format:

      -----BEGIN CERTIFICATE-----
      <certificate-base64-bytes>
      -----END CERTIFICATE-----
      
    3. In Full Certificate Details, paste the certificate contents.
    4. Select Add Certificate.

    To add a RootCA using the Connector Appliance APIs, see Managing root certificate authorities in the Citrix Developer documentation.

    Note:

    Certificates that have expired or that expire within the next 30 days are shown with a warning.

  7. Click Register Connector to open the registration task.

  8. Choose a name for your Connector Appliance. This name can help you distinguish between the various Connector Appliances that exist in your resource location. After you register your Connector Appliance, the name cannot be changed.

    Enter the name in the Connector Appliance name field and click Next.

    Name the Connector Appliance.

    The webpage provides a code to use to register with Citrix Cloud. This code expires in 15 minutes.

    A generated code to use to connect to Citrix Cloud

  9. Use the Copy button to copy the code to the clipboard.

  10. Return to the Resource Locations webpage.

  11. Paste the code into Step 2 of the Install Connector Appliance task. Click Confirm Details.

    Citrix Cloud verifies that the Connector Appliance is present and can be contacted. If the registration code has expired, you are prompted to generate a new code.

    Step 2 shows that the connector is ready to register.

  12. Click Register.

    The page shows whether the registration was successful. If the registration failed, you are prompted to try again.

  13. Click Close.
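
The fingerprint comparison from step 1 can also be made from a script instead of the browser certificate dialog. The following Python is an added example, not Citrix code: the function names are hypothetical, and because the page does not state which hash the console fingerprint uses, the algorithm is inferred from the fingerprint length (40 hex digits as SHA-1, 64 as SHA-256), which is an assumption.

```python
"""Added example: compare the console SSL fingerprint with the certificate
that the Connector Appliance UI actually serves."""
import hashlib
import hmac
import socket
import ssl
import sys

# Hex-digest length -> hash name. Inferring the algorithm from the length is
# an assumption of this example; the page does not name the hash.
_ALGORITHMS = {40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdef")


def normalize_fingerprint(text):
    """Strip separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    digits = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if len(digits) not in _ALGORITHMS or set(digits) - _HEX:
        raise ValueError("expected 40 (SHA-1) or 64 (SHA-256) hex digits")
    return digits


def fingerprint_matches(der_cert, console_fingerprint):
    """True if the DER certificate hashes to the fingerprint from the console."""
    expected = normalize_fingerprint(console_fingerprint)
    actual = hashlib.new(_ALGORITHMS[len(expected)], der_cert).hexdigest()
    return hmac.compare_digest(actual, expected)


def fetch_der_certificate(host, port=443, timeout=5.0):
    """Return the certificate the server presents, without trusting it.

    Chain validation is disabled on purpose: the appliance certificate is
    self-signed, so the fingerprint comparison is the trust decision.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python verify_fingerprint.py <appliance_ip> "<console fingerprint>"
    appliance_ip, console_value = sys.argv[1], sys.argv[2]
    matched = fingerprint_matches(fetch_der_certificate(appliance_ip), console_value)
    print("MATCH" if matched else "MISMATCH: do not set a password on this page")
    sys.exit(0 if matched else 1)
```

Run it from the machine whose browser you use for registration (for example, the bastion host), so that the check covers the same network path.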

The Connector Appliance administration page also enables you to download a diagnostic report for the Connector Appliance. For more information, see Generating a diagnostic report.

After registering your Connector Appliance

For each resource location, we advise that you install and register two or more Connector Appliances. This configuration ensures continuous availability and enables the connectors to balance the load.

You cannot directly manage your Connector Appliance.

The Connector Appliance is updated automatically. You are not required to take any actions to update your connector. You can specify the time and day that you want Connector Appliance updates to be applied in your resource location. For more information, see Connector updates.

Do not clone, suspend, or take a snapshot of your Connector Appliance VMs. These actions are not supported.

You are only presented with the Create new password page the first time that you connect to the Connector Appliance UI. Ensure that you store this password in a safe place for future use. This password cannot be reset. If you forget the password, you must reinstall the Connector Appliance. On subsequent connections to the UI, you are asked to input the password you set when registering the Connector Appliance.

Enter the password for Connector Appliance UI.

Generating a diagnostic report

You can generate and download a diagnostic report from the Connector Appliance administration page.

The Diagnostic report section of the Connector Appliance for Cloud Services page.

  1. From the Connector Appliance console in your hypervisor, copy the IP address to your browser address bar.
  2. Enter the password that you set when you registered your Connector Appliance.
  3. In the Diagnostic report section of the page, click Download Report.

The diagnostic reports are provided in a .zip file.

Verify your network connection

You can check your network connection from the Connector Appliance administration page by using the TCP Capture diagnostic check.

  1. On the Connector Appliance administration page, click your account name in the header bar and select Network Diagnostics.
  2. (Optional) In the TCP Capture section, enter the target IP address, host name, or port to restrict the TCP capture.
  3. From the Trace Duration menu, select the duration for which you want your trace to run.
  4. (Optional) Enable Packet Tracing to capture the contents of the packets.

    When packet tracing is disabled, the TCP capture functionality uses a best-effort approach to capture the headers for diagnosis. This best-effort approach captures the first 94 bytes of each packet. However, as headers are not a fixed size, this approach might not capture all of the header.

  5. Click Start trace.
  6. Wait until the trace has completed. After the trace has completed, you can download a trace report or start a new trace.
    • Click Download to download the trace report. The trace report is provided in a .pcap file.
    • Click Start new trace to begin another trace.

Connecting Active Directory to Citrix Cloud

You can use Connector Appliance to connect a resource location to forests that do not contain Citrix Virtual Apps and Desktops resources. This applies, for example, to Citrix Secure Private Access customers or to Citrix Virtual Apps and Desktops customers who have some forests that are used only for user authentication.

For more information, see Active Directory with Connector Appliance.

Validating your Kerberos configuration

If you use Kerberos for single sign-on, you can verify that the configuration on your Active Directory controller is correct from the Connector Appliance administration page. The Kerberos validation feature enables you to validate a Kerberos realm-only mode configuration or a Kerberos Constrained Delegation (KCD) mode configuration.

Validate Kerberos realm-only configuration:

  1. Go to the Connector Appliance administration page.
  2. From the Connector Appliance console in your hypervisor, copy the IP address to your browser address bar.
  3. Enter the password that you set when you registered your Connector Appliance.
  4. To validate your realm-only Kerberos configuration, select Kerberos Validation Realm-Only in the Active Directory domains section.
  5. Specify the Active Directory Domain.
    • If you’re validating a Kerberos realm-only mode configuration, you can specify any Active Directory domain. This mode doesn’t depend on being joined to the domain.
  6. Specify the Service FQDN. The default service name is assumed to be “https”. If you specify “computer.example.com”, this value is considered the same as “https://computer.example.com”.
  7. Specify the Username.
  8. Specify the Password.
  9. Click Test Kerberos.

Kerberos Validation Realm-Only

Validate Kerberos Constrained Delegation (KCD) configuration:

  1. Go to the Connector Appliance administration page.
  2. To validate Kerberos Constrained Delegation (KCD) mode for domains to which the Connector Appliance has been joined, select Kerberos validation from the ellipsis menu (…) of the relevant domain.
  3. Specify the Active Directory Domain.
    • If you’re validating a Kerberos Constrained Delegation configuration, you must select from a list of joined domains.
  4. Specify the Service FQDN. The default service name is assumed to be “https”. For example, if you specify “computer.example.com”, this value is considered the same as “https://computer.example.com”.
  5. Specify the Username.
    • For the Kerberos Constrained Delegation mode, you can also validate the Kerberos setup using service accounts by selecting the Service Accounts tab.
  6. Click Test Kerberos.

Kerberos Constrained Delegation Validation

If the Kerberos configuration is correct, you see the message “Successfully validated Kerberos setup”. If the Kerberos configuration is not correct, you see an error message that provides information about how the validation failed.

For more information about Kerberos, see the Microsoft documentation.

Network settings for your Connector Appliance

By default, the IP address and network settings of your Connector Appliance are automatically assigned by using DHCP.

After registering your Connector Appliance by using DHCP, you can edit its network settings in the Connector Appliance administration page.

However, if DHCP is not available in your environment or if you do not have access to the Connector Appliance administration page, you can set the network configuration directly on the Connector Appliance console.

Configuring network settings on the Connector Appliance administration page

After registering your Connector Appliance by using DHCP, you can edit its network settings in the Connector Appliance administration page.

To manually configure your network settings:

  1. In the Connector Summary section, select Edit network settings.
  2. In the Network settings dialog, choose Configure your own network settings.
  3. Enter the IP address, Subnet mask, and Default gateway.
  4. Add one or more DNS servers.
  5. Add one or more NTP servers.
  6. Click Save.

When you save changes to your network settings, the Connector Appliance restarts. During the restart, the Connector Appliance is temporarily unavailable. You are logged out of the Connector Appliance administration page and the URL of this page changes. You can find the new URL in the Connector Appliance console or by looking at the network information in your hypervisor.

To change your network configuration to use automatically assigned values:

  1. In the Connector Summary section, select Edit network settings.
  2. In the Network settings dialog, choose Obtain IP address automatically.
  3. Click Save.

When you save changes to your network settings, the Connector Appliance restarts. During the restart, the Connector Appliance is temporarily unavailable. You are logged out of the Connector Appliance administration page and the URL of this page changes. You can find the new URL in the Connector Appliance console or by looking at the network information in your hypervisor.

Set the network configuration by using the Connector Appliance console

By default, the IP address and network settings of your Connector Appliance are automatically assigned by using DHCP. However, if DHCP is not available in your environment or if you do not have access to the Connector Appliance administration page, you can set the network configuration directly on the Connector Appliance console.

To set the network configuration:

  1. In your hypervisor, restart the Connector Appliance.
  2. While the Connector Appliance starts up, watch the console for the message Welcome to GRUB!.
  3. When you see this message, press Esc to enter the GRUB menu.
  4. To edit the boot parameters, press e.

    You see a view that looks like the following image:

    The GRUB command

  5. Edit the line that begins with linux to include your required network configuration.

    • To specify DHCP networking, append network=dhcp to the end of the line.
    • To specify static networking, append the following parameters to the end of the line:

       network=static:ip=<static_ip_address>:netmask=<netmask>:route=<default_gateway>:dns=<dns_server_1>,<dns_server_2>:ntp=<ntp_server_1>,<ntp_server_2>
      

      Replace the placeholder values with the values for your configuration.

  6. Press Ctrl+X to start the Connector Appliance with the new configuration.
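
A mistake in the static form of this parameter is only noticed after the appliance boots with the wrong settings, so it helps to build and check the string before typing it at the GRUB prompt. The following Python is an added example, not part of the Citrix tooling: it builds the network= value from the fields described above, and the function name and its sanity checks (IPv4 only, gateway inside the subnet, no ':' or ',' inside a server name) are this example's assumptions.

```python
"""Added example: validate values and build the GRUB 'network=' parameter."""
import ipaddress
import re

# Host names may not contain ':' or ',' because those characters separate
# the fields and the list items of the parameter.
_HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")


def _server_list(kind, servers, ip_only):
    """Validate a DNS or NTP server list and join it with commas."""
    if not servers:
        raise ValueError(f"at least one {kind} server is required")
    cleaned = []
    for server in servers:
        if ip_only:
            server = str(ipaddress.IPv4Address(server))
        elif not _HOSTNAME.fullmatch(server):
            raise ValueError(f"invalid {kind} server: {server!r}")
        cleaned.append(server)
    return ",".join(cleaned)


def build_network_parameter(ip=None, netmask=None, route=None, dns=(), ntp=()):
    """Return the text to append to the 'linux' line in the GRUB editor.

    Called with no arguments it returns the DHCP form. The netmask may be
    given dotted (255.255.255.0) or as a prefix length (24); the dotted form
    is emitted (assumption: the page only shows a <netmask> placeholder).
    """
    if ip is None and netmask is None and route is None:
        return "network=dhcp"
    if ip is None or netmask is None or route is None:
        raise ValueError("static networking needs ip, netmask and route")

    address = ipaddress.IPv4Address(ip)
    gateway = ipaddress.IPv4Address(route)
    # IPv4Network rejects non-contiguous masks such as 255.0.255.0.
    subnet = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)

    reserved = (subnet.network_address, subnet.broadcast_address)
    if subnet.prefixlen < 31 and address in reserved:
        raise ValueError(f"{address} is the network or broadcast address")
    if gateway == address or gateway not in subnet:
        raise ValueError(f"gateway {gateway} is not a neighbour in {subnet}")

    return (
        f"network=static:ip={address}:netmask={subnet.netmask}:route={gateway}"
        f":dns={_server_list('DNS', dns, ip_only=True)}"
        f":ntp={_server_list('NTP', ntp, ip_only=False)}"
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    print(build_network_parameter(
        "10.0.0.5", "255.255.255.0", "10.0.0.1",
        dns=["10.0.0.2", "10.0.0.3"], ntp=["ntp1.example.com"],
    ))
```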

Change the administrator user password for the Connector Appliance

  1. From the user menu in the top-right of the console, select Change password.

    Select change password from the menu.

    The change password page is displayed.

    Landing on the change password page.

  2. Enter your current password and then enter and confirm the new password. The new password you set must meet the following requirements:

    • 8 or more characters long
    • Contains both upper and lower case letters
    • Contains at least one non-alphabetic character
    • Must not be the same as the current password
  3. Select Change password to save your changes.

Citrix Cloud signs you out automatically and redirects you to the sign-in page.