Network connections

Important:

Citrix Managed Desktops is now Citrix Virtual Apps and Desktops Standard for Azure. Although this earlier documentation will remain published for a short time, it will not be updated. We recommend using the Citrix Virtual Apps and Desktops Standard for Azure product documentation.

Introduction

This article provides details about some deployment scenarios when using the Citrix-managed subscription.

When creating a catalog, you indicate if and how users access locations and resources on their corporate on-premises network from their Citrix Managed Desktops desktops and apps.

When using a Citrix-managed Azure subscription, the choices are no connectivity, Azure VNet peering, or SD-WAN; each option is described in its own section later in this article.

When using one of your own customer-managed Azure subscriptions, there is no need to create a connection to the service. You just add the Azure subscription to the service.

You cannot change a catalog’s connection type after the catalog is created.

Requirements for all network connections

  • When creating a connection, you must have valid DNS server entries.
  • When using Secure DNS or a third-party DNS provider, you must add the address range that you allocated for use by the service (specified when you create the connection) to the DNS provider’s IP addresses on the allow list.
  • All service resources that use the connection (domain-joined machines) must be able to reach your NTP server, to ensure time synchronization.

No connectivity

When a catalog is configured with No connectivity, users cannot access resources on their on-premises or other networks. This is the only choice when creating a catalog using quick create.

No connectivity to other networks

About Azure VNet peering connections

Virtual network peering seamlessly connects two Azure virtual networks (VNets): yours and the Citrix Managed Desktops VNet. Peering also helps enable users to access files and other items from your on-premises networks.

As shown in the following graphic, you create a connection using Azure VNet peering from the Citrix-managed Azure subscription to the VNet in your company’s Azure subscription.

Deployment scenario with customer on-premises network

Here’s another illustration of VNet peering.

VNet peering diagram

Users can access their on-premises network resources (such as file servers) by joining the local domain when you create a catalog. (That is, you join the AD domain where file shares and other needed resources reside.) Your Azure subscription connects to those resources (in the graphics, using a VPN or Azure ExpressRoute). When creating the catalog, you provide the domain, OU, and account credentials.

Important:

  • Learn about VNet peering before using it in this service.
  • Create a VNet peering connection before creating a catalog that uses it.

Azure VNet peering custom routes

Custom, or user-defined, routes override Azure’s default system routes for directing traffic between virtual machines in a VNet peering, on-premises networks, and the Internet. You might choose to use custom routes if there are networks that Managed Desktops resources are expected to access but aren’t directly connected through VNet peering. For example, you might create a custom route that forces traffic through a network appliance to the Internet or to an on-premises network subnet.

To use custom routes:

  • You must have an existing Azure virtual network gateway or a network appliance such as Citrix SD-WAN in your Managed Desktops environment.
  • When you add custom routes, you must update your company’s route tables with the Managed Desktops destination VNet information to ensure end-to-end connectivity.
  • Custom routes are displayed in Managed Desktops in the order in which they are entered. This display order does not affect the order in which Azure selects routes.

Before using custom routes, review the Microsoft article Virtual network traffic routing to learn more about using custom routes, next hop types, and how Azure selects routes for outbound traffic.

You can add custom routes when you create an Azure VNet peering connection, or add them to existing connections in your Managed Desktops environment. When you’re ready to use custom routes with your VNet peering, refer to the sections Create an Azure VNet peering connection and Manage custom routes for existing Azure VNet peer connections in this article.

Azure VNet peering requirements and preparation

  • Credentials for an Azure Resource Manager subscription owner. This must be an Azure Active Directory account. This service does not support other account types, such as live.com or external Azure AD accounts (in a different tenant).
  • An Azure subscription, resource group, and virtual network (VNet).
  • Set up the Azure network routes so that VDAs in the Citrix-managed Azure subscription can communicate with your network locations.
  • Open Azure network security groups from your VNet to the specified IP range.
  • Active Directory: For domain-joined scenarios, we recommend that you have some form of Active Directory services running in the peered VNet. This takes advantage of the low latency characteristics of the Azure VNet peering technology.

    For example, the configuration might include Azure Active Directory Domain Services (AADDS), a domain controller VM in the VNet, or Azure AD Connect to your on-premises Active Directory.

    After you enable AADDS, you cannot move your managed domain to a different VNet without deleting the managed domain. So, it’s important to select the correct VNet to enable your managed domain. Before proceeding, review the Microsoft article Networking considerations for Azure AD Domain Services.

  • VNet IP range: When creating the connection, you must provide an available CIDR address space (IP address and network prefix) that is unique among the network resources and the Azure VNets being connected. This is the IP range assigned to the VMs within the Citrix Managed Desktops peered VNet.

    Ensure that you specify an IP range that does not overlap any addresses that you use in your Azure and on-premises networks.

    • For example, if your Azure VNet has an address space of 10.0.0.0 /16, create the VNet peering connection in Citrix Managed Desktops as something such as 192.168.0.0 /24.

    • In this example, creating a peering connection with a 10.0.0.0 /24 IP range would be considered an overlapping address range.

    If addresses overlap, the VNet peering connection might not be created successfully. It also does not work correctly for site administration tasks.

To learn about VNet peering, see the following Microsoft articles.

Create an Azure VNet peering connection

  1. From the Manage dashboard, expand Network Connections on the right. If you have already set up connections, they’re listed.

    List of connections

  2. Click Add Connection.
  3. Click anywhere in the Add Azure VNet Peering box.

    Add VNet peering connection

  4. Click Authenticate Azure Account.

    Authenticate your Azure subscription

  5. The service automatically takes you to the Azure sign-in page to authenticate your Azure subscriptions. After you sign in to Azure (with the global administrator account credentials) and accept the terms, you are returned to the connection creation details dialog.

    VNet peering connection creation fields

  6. Type a name for the Azure VNet peer.
  7. Select the Azure subscription, resource group, and the VNet to peer.
  8. Indicate whether the selected VNet uses an Azure Virtual Network Gateway. For information, see the Microsoft article Azure VPN Gateway.
  9. Type an IP address and select a network mask. The address range to be used is displayed, plus how many addresses that the range supports. Ensure that the IP range does not overlap any addresses that you use in your Azure and on-premises networks.

    • For example, if your Azure VNet has an address space of 10.0.0.0 /16, create the VNet peering connection in Citrix Managed Desktops as something such as 192.168.0.0 /24.
    • In this example, creating a VNet peering connection with a 10.0.0.0 /24 IP range would be considered an overlapping address range.

    If addresses overlap, the VNet peering connection might not be created successfully. It also won’t work correctly for site administration tasks.

  10. Indicate whether you want to add custom routes to the VNet peering connection. If you select Yes, enter the following information:
    1. Type a friendly name for the custom route.
    2. Enter the destination IP address and network prefix. The network prefix must be between 16 and 24.
    3. Select a next hop type for where you want traffic to be routed. If you select Virtual appliance, enter the internal IP address of the appliance.

      Custom route creation fields

      For more information about next hop types, see Custom routes in the Microsoft article Virtual network traffic routing.

    4. Click Add route to create another custom route for the connection.
  11. Click Add VNet Peering.
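The following Python script is an added example, not Citrix code, that applies two rules from this article before you submit a connection: the peering IP range must not overlap any address space already used in your Azure or on-premises networks, and a custom route's destination prefix must be between 16 and 24 (with an internal IP supplied when the next hop is a virtual appliance). All address ranges in it are constructed sample values.

```python
# Added example (not Citrix code): pre-flight checks for a VNet peering
# request, covering two rules this article states. The address ranges
# below are constructed sample values, not from any real deployment.
from ipaddress import ip_network, ip_address
from typing import List, Optional

def _net(cidr: str):
    # Accept the article's "10.0.0.0 /16" spelling as well as "10.0.0.0/16";
    # strict=False tolerates host bits set in the given address.
    return ip_network(cidr.replace(" ", ""), strict=False)

def find_overlaps(candidate: str, existing: List[str]) -> List[str]:
    """Return every existing address space that overlaps the candidate
    peering range; an empty list means the range is safe to use."""
    cand = _net(candidate)
    return [r for r in existing if cand.overlaps(_net(r))]

def check_custom_route(destination: str, next_hop_type: str,
                       next_hop_ip: Optional[str] = None) -> List[str]:
    """Return the problems with a proposed custom route (empty if none):
    the destination prefix must be /16 to /24, and a Virtual appliance
    next hop needs the appliance's internal IP address."""
    problems = []
    prefix = _net(destination).prefixlen
    if not 16 <= prefix <= 24:
        problems.append(f"prefix /{prefix} is outside the allowed 16-24 range")
    if next_hop_type == "Virtual appliance":
        if next_hop_ip is None:
            problems.append("Virtual appliance next hop needs the appliance IP")
        else:
            ip_address(next_hop_ip)  # raises ValueError if not a valid address
    return problems

if __name__ == "__main__":
    # Constructed sample: company VNet plus an on-premises range reached over VPN.
    in_use = ["10.0.0.0 /16", "172.16.0.0/12"]
    for cand in ("192.168.0.0 /24", "10.0.0.0 /24"):
        clash = find_overlaps(cand, in_use)
        print(cand, "overlaps" if clash else "ok", clash)
    print(check_custom_route("172.16.10.0/24", "Virtual appliance", "192.168.0.10"))
    print(check_custom_route("172.0.0.0/8", "Internet"))
```

The same overlap check applies to the VDA and SD-WAN subnets you enter when creating an SD-WAN connection.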

After the connection is created, it is listed under Network Connections > Azure VNet Peers on the right side of the Manage dashboard. When you create a catalog, this connection is included in the available network connections list.

View Azure VNet peering connection details

VNet peering connection details

  1. From the Manage dashboard, expand Network Connections on the right.
  2. Select the Azure VNet peering connection you want to display.

Details include:

  • The number of catalogs, machines, images, and bastions that use this connection.
  • The region, allocated network space, and peered VNets.
  • The routes currently configured for the VNet peering connection.

Manage custom routes for existing Azure VNet peer connections

You can add new custom routes to an existing connection or modify existing custom routes, including disabling or deleting custom routes.

Important:

Modifying, disabling, or deleting custom routes changes the traffic flow of the connection and might disrupt any user sessions that might be active.

To add a custom route:

  1. From the VNet peering connection details, select Routes and then click Add Route.
  2. Enter a friendly name, the destination IP address and prefix, and the next hop type you want to use. If you select Virtual Appliance as the next hop type, enter the internal IP address of the appliance.
  3. Indicate whether you want to enable the custom route. By default, the custom route is enabled.
  4. Click Add Route.

To modify or disable a custom route:

  1. From the VNet peering connection details, select Routes and then locate the custom route you want to manage.
  2. From the ellipsis menu, select Edit.

    Routes tab in VNet peering details page

  3. Make any needed changes to the destination IP address and prefix or to the next hop type.
  4. To enable or disable a custom route, in Enable this route?, select Yes or No.
  5. Click Save.

To delete a custom route:

  1. From the VNet peering connection details, select Routes and then locate the custom route you want to manage.
  2. From the ellipsis menu, select Delete.
  3. Select Deleting a route may disrupt active sessions to acknowledge the impact of deleting the custom route.
  4. Click Delete Route.

Delete an Azure VNet peering connection

Before you can delete an Azure VNet peer, remove any catalogs associated with it. See Delete a catalog.

  1. From the Manage dashboard, expand Network Connections on the right.
  2. Select the connection you want to delete.
  3. From the connection details, click Delete Connection.

About SD-WAN connections

Citrix SD-WAN optimizes all the network connections needed by Citrix Managed Desktops. Working in concert with the HDX technologies, Citrix SD-WAN provides quality-of-service and connection reliability for ICA and out-of-band Citrix Managed Desktops traffic. Citrix SD-WAN supports the following network connections:

  • Multi-stream ICA connection between users and their virtual desktops
  • Internet access from the virtual desktop to websites, SaaS apps, and other cloud properties
  • Access from the virtual desktop back to on-premises resources such as Active Directory, file servers, and database servers
  • Real-time/interactive traffic carried over RTP from the media engine in the Workspace app to cloud-hosted Unified Communications services such as Microsoft Teams
  • Client-side fetching of videos from sites like YouTube and Vimeo

As shown in the following graphic, you create an SD-WAN connection from the Citrix-managed Azure subscription to your sites. During connection creation, SD-WAN VPX appliances are created in the Citrix-managed Azure subscription. From the SD-WAN perspective, that location is treated as a branch.

SD-WAN connections

SD-WAN connection requirements and preparation

  • If the following requirements are not met, the SD-WAN network connection option is not available.

    • Citrix Cloud entitlements: Citrix Managed Desktops and SD-WAN Orchestrator.
    • An installed and configured SD-WAN deployment. The deployment must include a Master Control Node (MCN), whether in the cloud or on-premises, and be managed with SD-WAN Orchestrator.
  • VNet IP range: Provide an available CIDR address space (IP address and network prefix) that is unique among the network resources being connected. This is the IP range assigned to the VMs within the Citrix Managed Desktops VNet.

    Ensure that you specify an IP range that does not overlap any addresses that you use in your cloud and on-premises networks.

    • For example, if your network has an address space of 10.0.0.0 /16, create the connection in Citrix Managed Desktops as something such as 192.168.0.0 /24.
    • In this example, creating a connection with a 10.0.0.0 /24 IP range would be considered an overlapping address range.

    If addresses overlap, the connection might not be created successfully. It also does not work correctly for site administration tasks.

  • The connection configuration process includes tasks that you (the service administrator) and the SD-WAN Orchestrator administrator must complete. Also, to complete your tasks, you need information provided by the SD-WAN Orchestrator administrator.

    We recommend that you both review the guidance in this document, plus the SD-WAN documentation, before actually creating a connection.

Create an SD-WAN connection

Important:

For details about SD-WAN configuration, see SD-WAN configuration for CMD integration.

  1. From the Manage dashboard, expand Network Connections on the right.
  2. Click Add Connection.
  3. On the Add a network connection page, click anywhere in the SD-WAN box.
  4. The next page summarizes what’s ahead. When you’re done reading, click Start Configuring SD-WAN.
  5. On the Configure SD-WAN page, enter the information provided by your SD-WAN Orchestrator administrator.

    • Deployment mode: If you select High availability, two VPX appliances are created (recommended for production environments). If you select Standalone, one appliance is created. You cannot change this setting later. To change the deployment mode, you must delete and re-create the branch and all associated catalogs.
    • Name: Type a name for the SD-WAN site.
    • Throughput and number of offices: This information is provided by your SD-WAN Orchestrator administrator.
    • Region: The region where the VPX appliances will be created.
    • VDA subnet and SD-WAN subnet: This information is provided by your SD-WAN Orchestrator administrator. See SD-WAN connection requirements and preparation for information about avoiding conflicts.
  6. When you’re done, click Create Branch.
  7. The next page summarizes what to look for on the Manage dashboard. When you’re done reading, click Got it.
  8. On the Manage dashboard, the new SD-WAN entry under Network Connections shows the progress of the configuration process. When the entry turns orange with the message Awaiting activation by SD-WAN administrator, notify your SD-WAN Orchestrator administrator.
  9. For SD-WAN Orchestrator administrator tasks, see the SD-WAN Orchestrator product documentation.
  10. When the SD-WAN Orchestrator administrator finishes, the SD-WAN entry under Network Connections turns green, with the message You can create catalogs using this connection.

View SD-WAN connection details

  1. From the Manage dashboard, expand Network Connections on the right.
  2. Select SD-WAN if it’s not the only selection.
  3. Click the connection you want to display.

The display includes:

  • Details tab: Information you specified when configuring the connection.
  • Branch Connectivity tab: Name, cloud connectivity, availability, bandwidth tier, role, and location for each branch and MCN.

Delete an SD-WAN connection

Before you can delete an SD-WAN connection, remove any catalogs associated with it. See Delete a catalog.

  1. From the Manage dashboard, expand Network Connections on the right.
  2. Select SD-WAN if it’s not the only selection.
  3. Click the connection you want to delete, to expand its details.
  4. On the Details tab, click Delete Connection.
  5. Confirm the deletion.