Citrix DaaS Standard for Azure

Introduction

Citrix DaaS Standard for Azure (formerly Citrix Virtual Apps and Desktops Standard for Azure) is the simplest, fastest way to deliver Windows apps and desktops from Microsoft Azure. Citrix DaaS for Azure offers cloud-based management, provisioning, and managed capacity for delivering virtual apps and desktops to any device.

This solution includes:

  • Cloud-based management and provisioning for delivering Citrix-hosted Azure Virtual Desktops, and apps from multi-session machines.
  • A high-definition user experience from a broad range of devices, using the Citrix Workspace app.
  • Simplified image creation and management workflows, along with Citrix prepared Windows and Linux single-session and multi-session images that have the latest Citrix Virtual Delivery Agent (VDA) installed.
  • Secure remote access from any device using global points of presence of the Citrix Gateway service.
  • Advanced monitoring and help desk management capabilities.
  • Managed Azure IaaS, including Azure compute, storage, and networking for delivering virtual desktops.

The Citrix Remote PC Access feature enables users to remotely use existing physical machines located in the office. Users receive the best user experience by using Citrix HDX to deliver their office PC session.

If you’re familiar with other Citrix DaaS products, Citrix DaaS for Azure simplifies the deployment of virtual apps and desktops. Citrix can manage the infrastructure for hosting those workloads.

Citrix DaaS for Azure is a Citrix Cloud service. Citrix Cloud is the platform that hosts and administers Citrix Cloud services. Learn more about Citrix Cloud.

To learn about components, data flow, and security considerations, see Technical security overview. That article also outlines customer and Citrix responsibilities.

How users access desktops and apps

Users (sometimes called subscribers) access their desktops and apps directly through their browser, using the Citrix HTML5 client. Users browse to a Citrix Workspace URL that is provided by you, their administrator. The Citrix Workspace platform enumerates and delivers the digital resources to users. Users start a desktop or an application from their workspace.

After you configure a catalog of machines that deliver desktops and apps (or a catalog containing physical machines for Remote PC Access), Citrix DaaS for Azure displays the Workspace URL. You then notify your users to go to that URL to start their desktop and apps.

As an alternative to navigating to Citrix Workspace to access their desktops and apps, users can install a Citrix Workspace app on their device. Download the app that’s right for the endpoint device’s operating system: https://www.citrix.com/downloads/workspace-app/.

Concepts and terminology

This section introduces some of the items and terms that administrators use in Citrix DaaS for Azure:

Catalogs

A catalog is a group of machines.

  • The desktops and apps that Citrix DaaS for Azure delivers to your users reside on virtual machines (VMs). Those VMs are created (provisioned) in the catalog.

    When you deploy desktops, the machines in the catalog are shared with selected users. When you publish applications, multi-session machines host applications that are shared with selected users.

  • For Remote PC Access, a catalog contains existing single-session physical machines. A common deployment includes machines located in your office. You control user access to those machines through the configured user assignment method and selected users.

If you’re familiar with other Citrix DaaS products, a catalog in Citrix DaaS is similar to combining a machine catalog and a delivery group.

For more information, see:

Resource locations

A catalog’s machines reside in a resource location. A resource location also contains two or more Cloud Connectors.

  • When publishing desktops or apps, Citrix automatically creates the resource location and the Cloud Connectors when you create the first catalog.
  • For Remote PC Access, the administrator creates the resource location and the Cloud Connectors before creating a catalog.

When you create more catalogs for published desktops and apps, the Azure subscription, region, and domain determine whether Citrix creates another resource location. If those criteria match an existing catalog, Citrix tries to reuse that resource location.

For more information, see:

Images

When you create a catalog for published desktops and apps, a machine image is used (with other settings) as a template for creating the machines.

  • Citrix DaaS for Azure provides several Citrix prepared images:

    • Windows 10 Enterprise (single-session)
    • Windows 10 Enterprise Virtual Desktop (multi-session)
    • Windows 10 Enterprise Virtual Desktop (multi-session) with Office 365 ProPlus
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
    • Linux

    Each Citrix prepared image has a Citrix VDA and troubleshooting tools installed. The VDA is the communication mechanism between your users’ machines and the Citrix Cloud infrastructure that manages Citrix DaaS for Azure.

    Citrix updates the available prepared images when a new VDA version releases.

  • You can also import and use your own images from Azure. You must install a VDA (and other software) on the image before it can be used to create a catalog.

The term VDA often refers to the machine that delivers apps or desktops, and the software component installed on that machine.

For more information, see Images.

Azure subscriptions

You can create catalogs for delivering desktops and apps, and build or import images, in either a Citrix Managed Azure subscription or your own (customer-managed) Azure subscription.

If you order only Citrix DaaS for Azure, you must import (add) and use your own Azure subscriptions. If you also order a Citrix Azure Consumption Fund, you receive a Citrix Managed Azure subscription. You can then use either a Citrix Managed Azure subscription or one of your imported Azure subscriptions when creating a catalog or building a new image.

For more information, see:

  • Deployment scenarios illustrate ways to use Azure subscriptions with Citrix DaaS for Azure.

  • Azure subscriptions explains the differences between Citrix Managed Azure and customer-managed Azure subscriptions. This article also describes how to view, add, and remove subscriptions.

  • Technical security overview describes the differences in responsibility with Citrix Managed Azure and customer-managed Azure subscriptions.

Network connections

When creating a catalog using a Citrix Managed Azure subscription, you indicate if and how users can access locations and resources on their corporate on-premises network from their published desktops and apps. The choices are no connectivity, Azure VNet peering, and Citrix SD-WAN.

When using your own Azure subscription, there is no need to create a connection. You only need to import (add) your Azure subscription to the service.

For more information, see Network connections.

Domain-joined and non-domain-joined

Several service operations and features differ, depending on whether the machines (VDAs) are domain-joined or non-domain-joined. Domain membership also affects the available deployment scenarios.

  • Both domain-joined and non-domain-joined machines support any of the user authentication methods available in the user’s workspace.
  • You can publish desktops, apps, or both from domain-joined and non-domain-joined machines. Machines in Remote PC Access catalogs must be domain-joined.

The following table lists several differences between non-domain-joined and domain-joined machines when delivering desktops and apps.

| Non-domain-joined | Domain-joined |
|---|---|
| Active Directory is not used for machines. Machines are not joined to an AD domain. | Active Directory is used for machines. Machines are joined to an AD domain. |
| Active Directory group policies cannot be applied to machines (VDAs). (You can apply local GPO on the image that’s used to create a catalog.) | VDAs inherit group policies for the AD OU specified during catalog creation. |
| Users sign in using single sign-on. | When users sign in to their workspace using an authentication method other than Active Directory, they are also prompted for sign-in when a desktop or app launches. |
| Do not need a connection to an on-premises network. | (When using a Citrix Managed Azure subscription) Must have a connection to access an on-premises network, using Microsoft Azure VNet or Citrix SD-WAN. |
| Must use a Citrix Managed Azure subscription for provisioning VDAs. (Cannot use your own Azure subscriptions for provisioning VDAs. However, users can be connected from your own Azure AD.) | Can use a Citrix Managed Azure subscription and your own Azure subscriptions. |
| Cannot troubleshoot using a bastion machine or direct RDP. | Can troubleshoot using a bastion machine or direct RDP. |
| Cannot use Citrix Profile Management. (Recommend: Use persistent catalogs.) | Can use Citrix Profile Management or FSLogix. |

Deployment scenarios

Deployment scenarios for published desktops and apps differ, depending on whether you’re using a Citrix Managed Azure subscription or your own customer-managed Azure subscription.

Deploying in a Citrix Managed Azure subscription

Deployment scenario with Citrix Managed Azure subscription

Citrix DaaS for Azure supports several deployment scenarios for connection and user authentication.

  • Managed Azure AD: This is the simplest deployment, with non-domain-joined VDAs. It’s recommended for proofs of concept. You use the Managed Azure AD (which Citrix manages) to manage users. Your users don’t need to access resources on your on-premises network.

    Deployment scenario with Managed Azure AD

  • Customer’s Azure Active Directory: This deployment contains non-domain-joined VDAs. You use your own Active Directory or Azure Active Directory (AAD) for end user authentication. In this scenario, your users don’t need to access resources on your on-premises network.

    Deployment scenario with customer's Azure AD

  • Customer’s Azure Active Directory with on-premises access: This deployment contains non-domain-joined VDAs. You use your own AD or AAD for end user authentication. In this scenario, installing Citrix Cloud Connectors in your on-premises network enables access to resources in that network.

    Deployment scenario with customer's AAD and on-premises network

  • Customer’s Azure Active Directory Domain Services and VNet peering: If your AD or AAD resides in your own Azure VNet and Azure subscription, you can use the Microsoft Azure VNet peering feature for a network connection, and Azure Active Directory Domain Services (AADDS) for end user authentication. The VDAs are joined to your domain.

    Deployment scenario with Azure VNet peering and customer Azure subscription

    To enable your users to access data stored in your on-premises network, you can use your VPN connection from your Azure subscription to the on-premises location. Azure VNet peering is used for network connectivity. Active Directory Domain Services in the on-premises location is used for end user authentication.

    Deployment scenario with Azure VNet peering and customer on-premises network

  • Customer’s Active Directory and SD-WAN: You can provide users with access to files and other items from your on-premises or cloud SD-WAN networks.

    Citrix SD-WAN optimizes all the network connections needed by Citrix DaaS for Azure. Working in concert with the HDX technologies, Citrix SD-WAN provides quality-of-service and connection reliability for ICA and out-of-band Citrix DaaS for Azure traffic.

    Deployment scenario with Citrix SD-WAN and customer on-premises network

Deploying in a customer-managed Azure subscription

Deployment scenario with customer managed subscription

The deployment in the preceding graphic uses a customer-managed Azure subscription. However, the Citrix Managed Azure subscription remains an option for other catalogs and images, as indicated by the dotted outline.

Management interfaces

Citrix DaaS for Azure has two graphical management interfaces: Quick Deploy and Full Configuration.

  • Quick Deploy enables you to quickly create catalogs and start delivering desktops and apps to your users. (Hence the name, Quick Deploy.) It’s the default interface when you start Citrix DaaS for Azure. You can also access this interface by selecting Manage > Azure Quick Deploy. The instructions in this product documentation set assume you’re using Quick Deploy.

    If you plan to use a Citrix Managed Azure subscription when creating a catalog or image, you must use Quick Deploy.

  • Full Configuration offers advanced features and configuration options to tailor and manage your deployment. Catalogs that you create in Quick Deploy automatically appear in Full Configuration. To move from Quick Deploy to Full Configuration, select Manage > Full Configuration.

    When you create a catalog in Quick Deploy, an associated delivery group and host connection are created automatically in Full Configuration.

    Full Configuration also offers its own catalog creation process that includes creating a connection to the Azure host, then creating a catalog and a delivery group. That process is supported only if you use your own Azure subscription. It’s much easier to create the catalog in Quick Deploy.

    Full Configuration supports processes related to hypervisor and cloud service hosts other than Azure. Those are not available to Citrix DaaS for Azure customers.

Manage catalogs created in the Quick Deploy interface

After you create a catalog in the Quick Deploy interface, you can continue to manage that catalog in that interface. For details, see Manage catalogs. You can also use the Full Configuration interface.

When you create a catalog in Quick Deploy, that catalog, along with the delivery group and hosting connection that are created automatically behind the scenes, is assigned a scope of Citrix managed object. Scopes are used in delegated administration to group objects.

Catalogs, delivery groups, and connections with the Citrix managed object scope are prohibited from certain actions in the Full Configuration interface. (Allowing those actions in Full Configuration might adversely affect the system’s ability to support both Quick Deploy and Full Configuration, so those actions are disabled.) In the Full Configuration interface:

  • Catalog: Most of the catalog management actions are not available. You cannot delete a catalog.
  • Delivery group: Most of the delivery group management actions are available. You cannot delete the delivery group.
  • Connection: Most of the connection management actions are not available. You cannot delete a connection. You cannot create a connection that is based on a connection that has the Citrix managed object scope.

If you create a catalog in Quick Deploy using your own Azure subscription (that you added to Quick Deploy), and you want to manage the catalog (and its delivery group and connection) entirely in Full Configuration, you can convert the catalog.

  • Converting a catalog restricts its management to only the Full Configuration interface. After a catalog is converted, you can no longer use the Quick Deploy interface to manage that catalog.
  • After a catalog is converted, the actions that were previously unavailable in Full Configuration can be selected. (The Citrix managed object scope is removed from the converted catalog, delivery group, and hosting connection.)
  • To convert a catalog:

    From the Manage > Azure Quick Deploy dashboard in Citrix DaaS for Azure, click anywhere in the catalog’s entry. On the Details tab, under Advanced settings, select Convert Catalog. When prompted, confirm the conversion.

  • You cannot convert a catalog that was created in Quick Deploy using a Citrix Managed Azure subscription.

For information about how to manage converted catalogs in Full Configuration, see:

More information

For technical details, see:

For information about automating your deployments, see the Managed desktops public API preview.

When you’re ready, get started.
