Citrix DaaS

Citrix DaaS for Amazon WorkSpaces Core (Preview)

The preview is intended only for evaluating using development or test workloads. You must not use it for production workloads. You must not use the preview for any critical, production, or otherwise important code, data, or other Content.

AWS might change the functionality of the preview during and after the preview term at its sole discretion or based on participant feedback. Preview functionality, features, and documentation might change during the preview and might be different from any generally available version.

Although AWS does not charge for this preview, you are responsible for the charges incurred for other AWS Services that are used with the preview. Standard pricing applies for your use of those AWS Services.

You must not use the preview to process or store PII or other sensitive data or information.

This preview is not HIPAA certified and is not certified to process or store healthcare data or information in the United States or internationally.

If you use any data from third-party hospitals, patients, or healthcare facilities while using this preview, make sure that you obtain all the necessary consent from such third parties before allowing them to use it.

Introduction

This article describes how to prepare and create a deployment with Citrix for Amazon WorkSpaces Core. Amazon WorkSpaces Core resides in Amazon Web Services (AWS).

The following is the representation of the AWS implementation and its management with Citrix DaaS:

AWS architecture

About this preview

  • For support during this preview, contact your Citrix account representative during US East Coast business hours. Do not contact Citrix Support or AWS Support.
  • To manage the Citrix environment during this preview, use only the Manage console in the Citrix DaaS. No Citrix or AWS APIs are supported during this preview. (Citrix welcomes your feedback about APIs that you want to use in the future.)

Prepare and create a deployment

The deployment checklist in the Quick Deploy interface contains links to procedures 1-5.

  1. Before you start, complete the prerequisites in Citrix Cloud and AWS.
  2. Create a resource location in Citrix Cloud. (This procedure is also included as a prerequisite.)
  3. Connect your AWS account. This procedure enables permissions so that the Citrix DaaS can connect to AWS.
  4. Create a directory connection. This procedure configures a connection that allows access to your organization’s Active Directory.
  5. Import an image. This procedure enables you to create a desktop experience for your users.
  6. Create a deployment. This procedure specifies the machines to be deployed and the users who can access them through Citrix Workspace.

Before you start

Make sure you’ve completed the following tasks before you begin preparing and creating your deployment.

There is one exception: Creating a resource location in Citrix Cloud is listed as a prerequisite. It is also the first procedure in the deployment checklist. So, if you create the resource location as part of the prerequisites, skip that procedure in the checklist sequence. Similarly, complete that procedure in the checklist if you didn’t do it earlier.

Prerequisites to complete in Citrix Cloud

Prerequisites to complete in AWS

  • Create a non-production AWS user account. The account must have:
  • In your Active Directory:
    • Use the AD Connector option to store and manage information. For more details, see AD Connector.
    • Create an OU where VMs are created. That OU must have a Citrix policy for communication with the Cloud Connectors and Citrix Cloud. See the Reference section for details.
    • Set up a group policy for the Citrix Cloud Connector configuration:
      1. Download the latest Group Policy Management Console provided by Citrix (CitrixGroupPolicyManagement_64.msi) from the Citrix download site.
      2. Install the MSI (that machine must have the Visual Studio 2015 runtime installed). Then create a Citrix policy that contains the Controllers policy setting. That setting specifies the Cloud Connector addresses.
  • Create or use an existing NAT gateway. For more information, see NAT gateway.
  • Create or use one or more existing security groups that allow the Citrix Cloud Connectors to communicate with the deployed VMs. For more information, see Control traffic to your AWS resources using security groups
  • Open an AWS Support ticket to enable BYOL on your account. To get started, contact your AWS account manager or sales representative, or contact the AWS Support Center. Your contact will verify and enable BYOL. For more information, see Enable BYOL for your account for BYOL using the Amazon WorkSpaces console.

    Note:

    Windows 10 N and Windows 11 N versions are not supported for BYOL currently.

    • Using the Citrix DaaS for Amazon WorkSpaces Core feature will automatically enable the Bring Your Own Protocol (BYOP) feature in AWS WorkSpaces Core.
    • Have sufficient Windows 10 licenses for the desktops that will be created. For more information, see Bring Your Own Windows desktop licenses.

General preparation

Review each procedure before you start. Benefit: This will help the processes to be completed easily.

Create a resource location

You create a resource location in Citrix Cloud.

  • A resource location contains two or more Cloud Connectors that communicate with Citrix Cloud. The servers on which you install the Cloud Connectors must be in an EC2 VPC, domain-joined, and have Internet connectivity. The Cloud Connectors must be in the same VPC as the directory you plan to use.
  • For more information on Cloud Connectors, see Citrix Cloud Connector and how to provision them.
  • The resource location can also contain your Active Directory servers. For more information, see Connect Active Directory to Citrix Cloud.

Connect your AWS account

This procedure enables permissions for the Citrix DaaS to connect to AWS.

To create AssumeRole for AWS WorkSpaces Core, follow these steps:

  1. In Citrix DaaS, under Manage > Quick Deploy > Accounts, click Connect account.
  2. In the Connect AWS account page, under Confirm prerequisites, click Download AWS CloudFormation Template. After the template is downloaded, click Next.

download AWS CloudFormation template

  1. To upload the template, see Create AssumeRole for AWS Workspace Core integration.
  2. In the Authenticate account page, add the Amazon Resource Name (ARN) generated in the Role ID field, provide a name in the Name field, and click Next. The Pick region page opens.

    Role ID corresponds to the ARN of the role that will authorize Citrix to manage the resources. The Role ID can be found in the AWS management console by navigating to IAM > Roles.

    If you are using the CloudFormation script, then navigate to CloudFormation and click the corresponding stack that was used to create the role. Navigate to the Resources tab and click the resource with LogicalID CitrixAssumeRole.

    Note:

    You cannot connect two accounts on the same region for the same AWS account.

  3. In the Pick region page, select the region you want to deploy your desktops and click Next.

  4. In the Configure BYOL support page, to configure the BYOL support, a management network interface that is connected to a secure Amazon network is required. Select an IP address range to search for use as that interface. Then select Display available CIDR blocks. If CIDR blocks are available in the selected search range, select an available CIDR block. A message confirms when you successfully select a search address range and available CIDR block. Click Next.
  5. In the Summary page, review the information you have specified. You can return to the earlier pages. When you’re done, click Finish. The connection process might take several hours to complete.

Create AssumeRole for AWS Workspace Core integration

  1. In your browser window, open the Amazon Web Services website and sign in.
  2. In the Search field, type cloudformation and press Enter. CloudFormation service
  3. Under Services select CloudFormation. The Stacks window opens. stacks
  4. Click Create stack > With new resources (standard) at the top right corner. The Create stack window opens.
    1. Under Prerequisite – Prepare template, select Template is ready.
    2. Under Specify template, click Upload a template file > Choose file and click Next. The Specify stack details pane opens.
  5. In the Specify stack details pane, provide a Stack name and AssumeRoleName and click Next. The Configure stack options pane opens. specify stack details

Note:

  • In the Configure stack options pane, select the Preserve successfully provisioned resources option. This option preserves the state of successfully provisioned resources. Resources without a last known stable state are deleted upon the next stack operation. stack failure options

  • In the Capabilities pop-up window, select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box and click Create stack. capabilities Stack creation might fail at the end because workspace_DefaultRole has already been created. This does not affect the AssumeRole creation.

  1. The Events tab shows the status of the Stack created.
  2. In the Resources tab, select the Physical ID corresponding to the AssumeRole created. resources
  3. The Summary pane shows the Amazon Resource Name (ARN) generated. summary
  4. Resume the procedure from step 4 in Connect your AWS account

Create a directory connection

This procedure creates a connection that allows access to your organization’s Active Directory.

Prerequisites:

  • A resource location containing two Cloud Connectors.
  • A security group.
  • An OU in your Active Directory.

For prerequisite details, see Before you start.

You can start this procedure from one of two places:

  • A link on the Get Started checklist.
  • From the DaaS Manage console, select Quick Deploy in the left pane, Directory Connections under the Amazon WorkSpaces Core section. Then select Create Directory Connection.

Follow the Create directory connection sequence:

  1. Confirm prerequisites: If you have completed the prerequisites, click Next.
  2. Connect directory: Select the resource location, account, and directory. (The selected account must have at least one directory.)
    • Select two subnets in which the desktop machines will be deployed. The subnets must be in appropriate availability zones.
    • Specify a friendly name for this connection.
    • When you’re done, click Next.
  3. Virtual machine settings: The settings you select apply to all VMs that use this directory connection.
    • The OU selected must match the OU targeted by the Citrix Group Policy.
    • Select a security group.
    • Indicate whether you want to give administrator privileges to each user assigned to VMs.

Import an image

This procedure enables you to create a desktop experience for your users.

Prerequisites to import the image:

  • Must be an EC2 image.
  • Must have a Citrix Virtual Delivery Agent (VDA) installed.
  • Must be prepared for BYOL. A BYOL script is available at: BYOLChecker.zip.

To import the image, follow the steps:

  1. Confirm prerequisites: After the prerequisites steps, click Next. (If you haven’t prepared the image for BYOL, you can download the script from this page.) For more information, see Requirements.
  2. Choose image and provide a friendly name for the image. Select the account, AMI and add a description. Click Next. The Summary page opens.
  3. In the Summary page review the information you provided. After verifying, select Import Image.

    Note:

    Importing an image might take several hours.

Integrate Microsoft Office 2019 Image when importing an image

To integrate Microsoft Office 2019 image while importing an image:

  1. In Web Studio > Quick Deploy, click Images.
  2. In My Images, click Import Image.
  3. In Import Image > Prerequisites, click Next: Choose Image.
  4. In Import Image > Choose image:
    • Select an account from the Account dropdown.
    • Select an AMI from the AMI dropdown.
    • Enter the name of the image in the Name field.
    • Select the Include Microsoft Office 2019 Professional Plus in the image.
    • Enter a description in the Description field.
  5. In Import Image > Choose image, click Next: Summary.
  6. In Choose Image > Summary, ensure that Selected appears for Microsoft Office 2019.
  7. In My Images, click Import Image. The status of the recently deployed image displays importing until the import operation completes.
  8. In My Images, select the recently deployed image and click View Detail.
  9. In the Detail panel, the Microsoft Office 2019 field displays Included.

Note:

Only the following versions of the OS are compatible:

  • Windows 10 Version 21H2 (December 2021 Update)
  • Windows 10 Version 22H2 (November 2022 Update)
  • Windows 10 Enterprise LTSC 2019 (1809) (1809)
  • Windows 10 Enterprise LTSC 2021 (21H2) (21H2)
  • Windows 11 Version 22H2 (October 2022 release)

Create a deployment

A deployment is a group of desktops that users can access from their Citrix Workspace. This procedure specifies the characteristics of the virtual machines to be deployed as desktops, and which AD users can use them.

Prerequisites

Complete all the steps listed in Prepare and create a deployment.

  1. In Web Studio > Quick Deploy, click Deployments in the Amazon Web Services column. Click Create a deployment.
  2. Name and connection: Enter a friendly name for this group of machines. The name must be unique. Select a directory connection and click Next: Image and performance.
  3. Image & performance: Select the operating system and the machine performance for the machines. Specify the default size for the root volume and the user volume. You cannot change the volume size after you launch a desktop in this group. So, specify the maximum size you think you’ll need. You can also specify these sizes per user, on the next page. Click Next: Users.
  4. Users: Search and select the users who will be allowed to access the desktops. If you want to customize volume sizes for a user, select Edit user and root volume sizes, and then specify the sizes. Click Next: Summary.
  5. Summary: Review the information you provided and click Create deployment.

Integrate Microsoft 365 Windows apps

To integrate Microsoft 365 Apps, see Microsoft 365 Apps for enterprise now available on Amazon WorkSpaces services and Microsoft 365 Bring Your Own License (BYOL).

Manage machines in a deployment

In addition to the machine management features described in Manage machine catalogs, for some actions, you can select machines to manage from a deployment.

To manage machines in a deployment:

  1. In Web Studio > Quick Deploy, select Deployments.
  2. In the Deployments pane, select the deployment containing machines you want to manage.
  3. Click View details.
  4. In the Deployment details pane, select the machine you want to manage.
  5. From the actions displayed, select the action you want to perform on the machine:
  • Click Edit volume size to change the volume size of the machine.
  • Click Delete to delete the machine from the deployment and AWS. If a machine is in a delivery group, it can be deleted only if it is maintenance mode.
  • Click Turn maintenance mode on/off to turn maintenance mode on (if it is off) or off (if it is on) for the machine.

Reference

AWS account programmatic access permissions

The AWS user account must have certain programmatic access permissions to make API calls to the AWS resource layer. Programmatic access creates an access key ID and a secret access key. You can create a policy containing these permissions in the IAM console. As shown in the following graphics, you can use the visual editor (adding the permissions one by one) or the JSON (adding the snippet below). For more information, see Creating an IAM user in your AWS account.

  • On the Visual editor tab, add the permissions one-by-one. Create policy
  • On the JSON tab, add the snippet shown after the following graphic. Create policy in JSON

Required permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0", 
            "Effect": "Allow", 
            "Action": [
                    "workdocs:DeregisterDirectory",
                    "workdocs:RegisterDirectory",
                    "workdocs:AddUserToGroup",
                    "ec2:ImportInstance",
                    "ec2:DescribeImages",
                    "ec2:CreateKeyPair",
                    "ec2:DescribeKeyPairs",
                    "ec2:ModifyImageAttribute",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeSubnets",
                    "ec2:RunInstances",
                    "ec2:DescribeSecurityGroups",
                    "ec2:CreateTags",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeInternetGateways",
                    "ec2:CreateSecurityGroup",
                    "ec2:DescribeInstanceTypes",
                    "servicequotas:ListServices",
                    "servicequotas:GetRequestedServiceQuotaChange",
                    "servicequotas:ListTagsForResource",
                    "servicequotas:GetServiceQuota",
                    "servicequotas:GetAssociationForServiceQuotaTemplate",
                    "servicequotas:ListAWSDefaultServiceQuotas",
                    "servicequotas:ListServiceQuotas",
                    "servicequotas:GetAWSDefaultServiceQuota",
                    "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
                    "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
                    "servicequotas:ListRequestedServiceQuotaChangeHistory",
                    "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
                    "sts:DecodeAuthorizationMessage",
                    "ds:*",
                    "workspaces:*",
                    "iam:GetRole",
                    "iam:GetContextKeysForPrincipalPolicy",
                    "iam:SimulatePrincipalPolicy"

                ],
                "Resource": "*"
            }
        ]
}
<!--NeedCopy-->
Citrix DaaS for Amazon WorkSpaces Core (Preview)