Get started
This article summarizes the prerequisites that must be met to begin delivering apps and desktops through Citrix DaaS Flex.
Authentication
To authenticate users with your own Identity Provider (IdP), you must first configure it in Citrix Cloud. For detailed instructions, see the documentation on Identity and Access Management.
For IdPs other than Active Directory, you can enable seamless Single Sign-On (SSO) to VDAs by implementing the Citrix Federated Authentication Service (FAS). For additional details regarding FAS, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.
Networking
Before creating a catalog, you should consider the network connectivity requirements of your VDAs. If a VDA must be domain-joined or needs to access resources or files on an internal network, connectivity between the Citrix-managed Azure subscription and your resources must be established. The following connectivity options are available:
- Virtual network peering: Virtual network peering leverages the Azure backbone to provide a low-latency connection between the Citrix-managed Azure virtual network and a virtual network in your Azure subscription. Further connectivity to resources outside of Azure can be established by connecting the virtual network to your other networks through an Azure ExpressRoute, VPN Gateway, or similar connectivity options.
- VPN Gateway: Azure VPN Gateways can be used to connect the Citrix-managed Azure virtual network directly to an on-premises network over the public internet. It can be used to bypass the middle-hop of a virtual network peer.
- Virtual WAN peering: An Azure Virtual WAN spoke connection provides direct network connectivity between the Citrix-managed Azure virtual network and your corporate network by connecting the Citrix-managed network as a spoke to an Azure Virtual Hub that you control.
- No connectivity: For deployments in which VDAs don’t need connectivity to your other networks, you can create a resource location that lacks connectivity to your networks. Only non-domain-joined VDAs are supported in resource locations without connectivity.
For environments with virtual network peering or VPN Gateway connectivity, you might want to route all outbound traffic from your VDAs through a security appliance in your network to enhance the security posture of your environment. This can be achieved through a custom, or user-defined, route in Azure. Custom routes override Azure’s default system routes for directing traffic between virtual machines in a virtual network peering, to on-premises networks, and to the Internet.
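The following added example (not part of the Citrix documentation) models Azure's route selection, where the longest matching prefix wins and a user-defined route beats a BGP or system route only on an equal prefix, to check which VDA destinations actually pass through the security appliance. All address ranges, the appliance IP, and the function names are constructed assumptions.

```python
import ipaddress

# Azure route selection: the longest matching prefix wins; on equal prefixes
# a user-defined route beats a BGP route, which beats a system route.
SOURCE_RANK = {"user": 0, "bgp": 1, "system": 2}

def effective_route(routes, destination):
    """Return the route that would carry traffic to destination, or None."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                       SOURCE_RANK[r["source"]]))

def bypassing_appliance(routes, destinations, appliance_ip):
    """Destinations whose effective next hop is not the security appliance."""
    bypass = []
    for dest in destinations:
        route = effective_route(routes, dest)
        if route is None or route.get("next_hop_ip") != appliance_ip:
            bypass.append(dest)
    return bypass

# Constructed sample data (all addresses are made up for illustration).
APPLIANCE = "10.50.0.4"  # security appliance in the customer network
SYSTEM_ROUTES = [
    {"prefix": "10.10.0.0/16", "source": "system", "next_hop": "VnetLocal"},
    {"prefix": "10.50.0.0/16", "source": "system", "next_hop": "VNetPeering"},
    {"prefix": "0.0.0.0/0", "source": "system", "next_hop": "Internet"},
]
DEFAULT_UDR = {"prefix": "0.0.0.0/0", "source": "user",
               "next_hop": "VirtualAppliance", "next_hop_ip": APPLIANCE}
PEER_UDR = {"prefix": "10.50.0.0/16", "source": "user",
            "next_hop": "VirtualAppliance", "next_hop_ip": APPLIANCE}
# Internet host, host in the peered network, host in the VDA network.
DESTINATIONS = ["203.0.113.10", "10.50.1.20", "10.10.2.5"]

if __name__ == "__main__":
    for label, extra in [("system routes only", []),
                         ("default custom route", [DEFAULT_UDR]),
                         ("default + peered-range custom routes", [DEFAULT_UDR, PEER_UDR])]:
        print(label, "->", bypassing_appliance(SYSTEM_ROUTES + extra, DESTINATIONS, APPLIANCE))
```

A custom default route alone steers only Internet-bound traffic through the appliance; traffic to the peered range keeps following the more specific system route until a custom route for that prefix is added as well.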
Images
Before you can create a machine catalog in Citrix DaaS Flex, you must first have an image imported to the service. This image acts as the template from which all the virtual machines (VDAs) in your catalog are cloned. Every machine created within the catalog is a direct copy of this master image, ensuring that each one has the same operating system, applications, and initial configuration.
You have three primary options for sourcing this master image.
- The simplest method is to use one of the Citrix-prepared images, which are pre-built and optimized with the necessary Citrix components already installed.
- For more specific needs, you can build a custom image by taking a Citrix-prepared image, adding your own applications and configurations, and then saving it as a new template.
- Finally, if you already have a standardized image in your own Azure subscription, you have the option to import your own image provided it has been properly prepared with the required Citrix VDA software.
To learn more about importing and configuring images, see Images.
Access
Citrix DaaS Flex VDAs can be accessed through two primary methods:
Workspace
If using the cloud-hosted Citrix Workspace service, you must first configure the service. See Get started with Citrix Workspace for more information on configuring Citrix Workspace.
To enhance environment resiliency, it is highly recommended to enable Service Continuity if using Citrix Workspace for end-user access.
StoreFront
If using a customer-managed StoreFront access method, you must build a StoreFront and NetScaler Gateway deployment in your environment. See Get started for more information on planning and building a StoreFront deployment.
The StoreFront deployment must have connectivity to the Cloud Connectors hosted in the Citrix-managed Azure subscription, and those connectors must be listed in the DaaS site in StoreFront. The inbound ports in the Citrix-managed virtual network are blocked by default. Contact Citrix support to get them opened. If connectors are not listed in the site or the connectors are unreachable from the StoreFront server, resources might be unavailable if your site transitions into Local Host Cache (LHC) mode.