Configuration guide for Citrix Virtual Apps and Desktops workloads
Citrix SD-WAN is a next-generation WAN Edge solution that accelerates digital transformation with flexible, automated, secure connectivity, and performance for SaaS, cloud, and virtual applications to ensure an always-on workspace experience.
Citrix SD-WAN is the recommended and best way for organizations using the Citrix Virtual Apps and Desktops (CVAD) Service to connect to CVAD workloads in the Cloud. For more information, see Citrix blog.
This document focuses on configuring Citrix SD-WAN for connectivity to/from CVAD workloads on Azure.
- Easy to set up SD-WAN in CVAD through a guided workflow
- Always-on, high performance connectivity through advanced SD-WAN technologies
- Benefits across all connections (VDA-to-DC, user-to-VDA, VDA-to-cloud, user-to-cloud)
- Reduces latency compared to backhauling traffic to the data center
- Traffic management to ensure Quality of Service (QoS)
- QoS across HDX/ICA traffic streams (single-port multi-stream HDX AutoQoS)
- QoS between HDX and other traffic
- HDX QoS Fairness between users
- End-to-end QoS
- Link bonding delivers more bandwidth for faster performance
- High Availability with seamless link failover and SD-WAN redundancy on Azure
- Optimized VoIP experience (packet racing for reduced jitter and minimal packet loss, QoS, local break-out for reduced latency)
- Major cost savings and must be faster and easier to deploy compared to Azure ExpressRoute
Adhere the following pre-requisites to evaluate and deploy the CVAD workloads capabilities:
- You must have either have an existing SD-WAN network or build a new one.
- You must have a subscription to CVAD Service.
- To make a use of SD-WAN features such as, multi-stream HDX AutoQoS and deep visibility, the Network Location Service (NLS) must be configured for all the SD-WAN sites in your network.
- You must have a DNS server and AD deployed where the client endpoints are present (often co-located in your data center environment) or you can utilize Azure Active Directory (AAD).
- The DNS server must be capable of resolving both internal (pvt) and external (public) IPs.
- Ensure that the FQDN (sdwan-location.citrixnetworkapi.net) is whitelisted in the firewall. This is the FQDN for Network Location Service which is critical in sending traffic over the SD-WAN virtual path. Also, a better way if you are comfortable with whitelisting wild card FQDN’s would be to whitelist *.citrixnetworkapi.net as this is the subdomain for other Citrix Cloud services such as zero touch provisioning.
- Enroll at sdwan.cloud.com to use the SD-WAN orchestrator for managing your SD-WAN network. SD-WAN Orchestrator is a Citrix Cloud based multitenant management platform for Citrix SD-WAN.
The following entities are required for deployment:
An on-premises location hosting the SD-WAN appliance which can either be deployed in branch mode or as an MCN (Master control Node). The branch mode or MCN contains the client machines, active directory, and DNS. However, you can also choose to use Azure’s DNS and AD. In most scenarios, the on-premises location serves as a data center and houses the MCN.
CVAD cloud service – Citrix Virtual Apps and Desktops provides virtualization solutions that give IT control of virtual machines, applications, and security while providing anywhere access for any device. End users can use applications and desktops independently of the device’s operating system and interface.
Using the Citrix Virtual Apps and Desktops Service, you can deliver secure virtual apps and desktops to any device, and leave most of the product installation, setup, configuration, upgrades, and monitoring to Citrix. You maintain complete control over applications, policies, and users while delivering the best user experience on any device.
Citrix connector/cloud connector - You connect your resources to the service through Citrix Cloud Connector, which serves as a channel for communication between Citrix Cloud and your resource locations. Cloud Connector enables cloud management without requiring any complex networking or infrastructure configuration such as VPNs or IPsec tunnels. Resource locations contain the machines and other resources that deliver applications and desktops to your subscribers.
SD-WAN Orchestrator – Citrix SD-WAN Orchestrator is a cloud-hosted, multitenant management service available to Do It Yourself enterprises and Citrix Partners. Citrix partners can use SD-WAN Orchestrator to manage multiple customers with a single pane of glass, and suitable role-based access controls.
Virtual and physical SD-WAN appliances – This runs as multiple instances within the cloud (VMs) and on-premises in the data center and in the branches (physical appliances or VMs) to provide connectivity among these locations and to/from the public Internet. SD-WAN instance in CVAD is created as a single or a set of virtual appliances (in case of HA deployment) by provisioning these instances via Azure Marketplace. SD-WAN appliances in other locations (DC and branches) are created by the customer. All of these SD-WAN appliances are managed (in terms of configuration and software upgrades) by SD-WAN Administrators through SD-WAN Orchestrator.
Deployment and configuration
In a common deployment, a customer would have the Citrix SD-WAN appliance (H/W or VPX) deployed as an MCN in their DC/large office. The customer DC would usually host on-prem users and resources such as AD and DNS servers. In some scenarios the customer can make use of Azure Active Directory services (AADS) and DNS, both of which are supported by Citrix SD-WAN and CMD integration.
Within the customer managed Azure subscription, the customer needs to deploy the Citrix SD-WAN virtual appliance and VDAs. The SD-WAN appliances are managed via SD-WAN Orchestrator. Once the SD-WAN appliance gets configured, it connects to the existing Citrix SD-WAN network and further tasks such as configuration, visibility, and management are handled via SD-WAN Orchestrator.
The third component in this integration is the Network Location Service (NLS) that allows internal users to bypass the gateway and connect to the VDA’s directly, reducing latency for internal network traffic. For phase 1 of this integration the Network location service needs to be configured manually for which the instructions can be found in further sections. For more information, see NLS.
Citrix SD-WAN VM is deployed within a specified region (as needed by the customer) and can be connected to multiple branch office locations through MPLS, Internet, or 4G/LTE. Within a Virtual Network (VNET) infrastructure, SD-WAN Standard Edition (SE) VM is deployed in gateway mode. The VNET has routes towards the Azure gateway. The SD-WAN instance has a route towards the Azure gateway for internet connectivity. This route needs to be created manually.
In a web browser, go to Azure portal. Log into Microsoft Azure account and search for Citrix SD-WAN Standard Edition.
In the search results, choose the Citrix SD-WAN Standard Edition solution. Click Create after going through the description and making sure the solution chosen is correct.
On click of Create, a wizard prompting with necessary details to create the virtual machine.
In the Basic settings page, choose the resource group in which you want to deploy the SD-WAN SE solution.
A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You can decide how you want to allocate resources to resource groups based on your deployment.
For Citrix SD-WAN, it’s recommended that the resource group you choose must be empty. Similarly, pick the Azure region where you want to deploy the SD-WAN instance. The region must be the same as the region in which your CVAD resources are deployed.
Under Administrator settings page, provide a name for the Virtual Machine. Choose a user name and strong password. The password must consist of an upper-case letter, special character and must be more than nine characters. Click OK.
This password is required to log in to the management interface of the instance as a guest user. To get admin access to the instance, use admin as the user name and the password created while provisioning the instance. If you use the user name created while provisioning the instance, you get read-only access. Also, choose the deployment type here.
If you want to deploy a single instance then make sure that you choose disabled from the HA Deployment mode option, else pick enabled. For production networks, Citrix always recommends deploying instances in HA mode as it guards your network against failures of the instance.
Under the SD-WAN settings page, choose the instance in which you want to run the image. Choose the following instance type as per your requirement:
- Instance type D3_V2 for maximum uni-directional throughput of 200 Mbps with direct connectivity to a maximum of 16 branches.
- Instance type D4_V2 for maximum uni-directional throughput of 500 Mbps with direct connectivity to a maximum of 16 branches.
- Instance type F8 standard for maximum uni-directional throughput of 1 Gbps with direct connectivity to a maximum of 64 branches.
- Instance type F16 standard for maximum uni-directional throughput of 1 Gbps with direct connectivity to a maximum of 128 branches.
Create a new Virtual Network (VNet) or use an existing VNet. This is the most critical step for the deployment as this step chooses the subnets to be assigned to the interfaces of the SD-WAN VPX VM.
The aux subnet is only needed when you are deploying the instances in HA mode. Ensure that the SD-WAN instance is being deployed in the same VNet as your CVAD resources and is on the same subnet as the LAN interface of the SD-WAN VPX appliance.
Verify the configuration in the Summary page and click OK.
On the Buy page, click Create to start the provisioning process for the instances. It can take around 10 minutes for the instance to get provisioned. You get a notification in the Azure management portal suggesting the success/failure of instance creation.
Once the instance is created successfully, fetch the public IP assigned to the management interface of the SD-WAN instance. It can be found under the networking section of the resource group within which the instance has been provisioned. Once retrieved you might use it to log in to the instance.
For admin access, the user name is admin and the password is the one that you have set during instance creation.
Once the site has been provisioned, log into the SD-WAN Orchestrator to configure it. As mentioned in the pre-requisites, you must have the entitlement to SD-WAN Orchestrator to configure the site. If you do not have it yet, refer Citrix SD-WAN Orchestrator Onboarding.
If you have an SD-WAN network already, then proceed to creating the configuration for the site that you provisioned in Azure. Otherwise you must create an MCN. For more information, see Network configuration.
Once you have access to SD-WAN Orchestrator and already have set up an MCN, login to SD-WAN orchestrator and click the +New site to start configuring the SD-WAN VPX appliance (that you have provisioned in Azure).
Provide a unique site name and enter the address based on the region in which you are provisioning the image. To set up the instance in Azure, refer Basic settings.
To fetch the serial number of the instance in Azure, log in to the instance via the public management IP. You can see the serial number on the dashboard screen. If you are configuring instances in HA then both the serial numbers must be captured. Also, while configuring the instance, ensure that the interfaces are chosen as Trusted.
For fetching the IP addresses associated with LAN and WAN interfaces on Azure. Navigate to the Azure portal > Resource groups > Resource group where the SD-WAN is provisioned >SD-WAN VM > Networking.
Once you are done with the configuration of the instance. Click Deploy Config/Software by navigating to Configuration > Network config Home.
If there are no issues and the configuration is accurate, you must have the virtual paths up between the instance in Azure and your MCN once the configuration deployment is executed.
As highlighted in the Deployment and configuration section, the AD/DNS is present in the on-premises location acting as the DC and in a deployment featuring SD-WAN it presents behind the SD-WAN that is on the LAN network. It is the IP of your AD/DNS that you need to configure here. In case you are making use of Azure Active Directory service/DNS, configure 18.104.22.168 as the DNS IP.
If you are making use of an on-premises AD/DNS.Check if you are able to ping the IP of your DNS from your SD-WAN appliance. You can do this by navigating to Troubleshooting > Diagnostics. Check the Ping check box and initiate a ping from the LAN interface/Default interface of the SD-WAN appliance to the IP of your AD/DNS.
If the ping succeeds, then it signifies that your AD/DNS can be reached successfully, if not then it means there is routing issue in your network which is preventing reachability to your AD/DNS. If possible, try to host your AD and SD-WAN appliance on the same LAN segment.
In case there is still an issue, get in touch with your network admin. Without completing this step successfully, the catalog creation step will not succeed and you get an error message as Global DNS IP not configured.
Ensure that the DNS is capable of resolving both internal and external IPs.
Network location service
With the Network Location service in Citrix Cloud, you can optimize internal traffic to the apps and desktops you make available to subscribers’ workspaces to make HDX sessions faster. Users on both internal and external networks have to connect to VDAs through an external gateway. While this is expected for external users, internal users experience slower connections to virtual resources. The Network Location service allows internal users to bypass the gateway and connect to the VDAs directly, reducing latency for internal network traffic.
To set up the Network Location service, you can configure the network locations that correspond to the VDAs in your environment using the Network Location service PowerShell module that Citrix provides. These network locations include the public IP ranges of the networks where your internal users are connecting from.
When subscribers launch Virtual Apps and Desktops sessions from their workspace, Citrix Cloud detects whether subscribers are internal or external to the company network based on the public IP address of the network from which they are connecting.
If a subscriber connects from the internal network, Citrix Cloud routes the connection directly to the VDA, bypassing Citrix Gateway. If a subscriber connects externally, Citrix Cloud routes the subscriber through Citrix Gateway as expected and then redirects the subscriber to the VDA in the internal network.
The public IP that needs to be configured in network location service needs to be the public IP assigned to the WAN links.