Deploy the XenApp and XenDesktop Resource Location Setup blueprint with an existing domain on AWS
The XenApp and XenDesktop Service of Citrix Cloud helps you deliver virtual applications and desktops using XenApp and XenDesktop technology. As with on-premises XenApp and XenDesktop deployments, the XenApp and XenDesktop Service requires you have a supported hypervisor or cloud provider environment. The XenApp and XenDesktop service provides the functions that would otherwise be provided by the XenApp and XenDesktop Delivery Controllers in an on-premises deployment.
This topic describes the required tasks for creating a Citrix Cloud resource location on Amazon Web Services (AWS) using an existing domain in your network environment. You can use this resource location with the XenApp and XenDesktop Service.
The (Existing Domain) XenApp and XenDesktop Resource Location Setup blueprint enables you to create a Citrix Cloud resource location on AWS using an existing Active Directory domain that you provide. You can use your new resource location with the XenApp and XenDesktop Service to deliver applications and desktops to your users. Similar to resource locations in Smart Tools, a resource location for the XenApp and XenDesktop Service is where the machines reside that provide the applications and desktops you make available to your users. These are machines that you manage through the AWS management console.
By default, Smart Tools assumes you have no resource locations in your Citrix Cloud account, so it sets up a resource location as the default for your account. If you have multiple resource locations in your account, you can specify the one you want to use by adding the Resource Location ID to the blueprint configuration. See Step 11 in Deploy the blueprint in this topic.
To create the resource location, the blueprint performs the following actions:
- Deploy a bastion host instance so you can use RDP to administer the other machines that Smart Tools deploys. This instance resides in the public subnet of an existing virtual private cloud (VPC) in your AWS account.
- Deploy two Cloud Connector machines, joined to your domain and added to the private subnet of your VPC.
- (Optional) Deploy two Server VDA machines, one configured for RDS and one configured for VDI, joined to your domain and added to the private subnet of your VPC.
- (Optional) Deploy a StoreFront server, if you don’t want to use the Citrix-hosted StoreFront that comes with the XenApp and XenDesktop Service. This machine is joined to your domain and added to the private subnet of your VPC.
- (Optional) Deploy a NetScaler VPX instance and configure a NetScaler Gateway for secure external access.
Provisioned machine configurations
The blueprint includes recommended configurations for each machine that Smart Tools provisions to the deployment. The following recommendations are displayed when you configure the VM for each machine tier in the deployment.
Operating system (for all machines): Windows Server 2012 R2 Datacenter Edition
| Machine Type | AWS Instance Type | Memory (GB) | Disk Size (GB) |
|---|---|---|---|
| Cloud Connectors | M3 Medium | 3.75 | 32 |
| Server VDA (RDS) | M3 Large | 7.5 | 64 |
| Server VDA (Server VDI) | M3 Medium | 3.75 | 32 |
Important: When configuring the VMs for each machine tier, you must allow Smart Tools to provision new VMs during deployment. Using existing machines with this blueprint is not supported and will cause the deployment to fail.
When you log on to your Citrix Cloud account and click Get Started for the XenApp and XenDesktop Service, Citrix Cloud gives you the option of using Smart Tools to deploy your resource location. When you choose the Smart Tools option, Citrix Cloud transitions you to Smart Tools to complete the blueprint deployment process. After completion, you can return to Citrix Cloud to set up the XenApp and XenDesktop Service.
When you deploy this blueprint, Smart Tools adds the blueprint to your library. Additionally, all Administrator users in your Smart Tools account will have access to the blueprint.
Before you deploy this blueprint, perform the following actions:
- Create an AWS account, if you don’t already have one. To sign up for AWS, visit http://aws.amazon.com.
- Request access to the XenApp and XenDesktop Service. To request access, visit https://citrix.cloud.com, log on to your account, and click Request Trial from the Citrix Cloud home page.
- Using the AWS Management Console, create access keys for your AWS account. These keys allow Smart Tools to deploy VMs to AWS on your behalf. Afterward, you also use these keys to set up the XenApp and XenDesktop Service. As a security best practice, Citrix recommends using the access keys of a specific IAM user with AmazonEC2FullAccess and AmazonVPCFullAccess policies assigned.
- Ensure you have a VPC with public and private subnets that meets the requirements for use with the blueprint. See VPC requirements in this topic.
- Ensure you have a working Active Directory domain to use with the blueprint. The domain controller can reside in the private subnet of your VPC or it can reside in your on-premises network environment, provided you have a VPN connection between your network and VPC.
Ensure you have the following domain information ready to supply during blueprint configuration:
- Fully qualified domain name
- IP address for the domain controller
- Username of the local Administrator or Domain Admin account
- Password for the specified username
To use this blueprint, you need to have a VPC available in your AWS account where Smart Tools can deploy the components for your resource location. You can use an existing VPC in your AWS account or you can create a new one using the AWS management console.
Verify your VPC has the following configurations:
- The VPC has two subnets: a public subnet and a private subnet.
The VPC and subnets have valid CIDR blocks assigned. For example, you might specify the following CIDR ranges:
- VPC: 10.0.0.0/16
- Public subnet: 10.0.0.0/24
- Private subnet: 10.0.1.0/24
The subnets in the VPC are named or tagged with the role they assume within the VPC. This helps Smart Tools identify the appropriate subnet for each machine in the blueprint.
| For this subnet role… | Assign this name… | Or assign this tag… |
|---|---|---|
| Public subnet | Public Subnet | CLM-Role="Public Subnet" |
| Private subnet | Private Subnet | CLM-Role="Private Subnet" |
The VPC includes one of the following items to provide secure access to the Internet for the machines in the Private subnet:
- A NAT instance in the Public subnet with an Elastic IP address assigned. This is required if your domain controller resides in the Private subnet of your VPC. Without the NAT instance, Smart Tools can’t connect to your domain to deploy the blueprint. For more information about creating a VPC with a NAT, refer to the AWS topic Scenario 2: VPC with Public and Private Subnets (NAT).
- A VPN connection consisting of an AWS virtual private gateway and a hardware gateway device in your network environment. If your domain controller resides in your own network environment, this is required to create an IPSec VPN tunnel between your network and the VPC. For more information about creating a VPC with VPN access, refer to the AWS topic Scenario 3: VPC with Public and Private Subnets and Hardware VPN Access.
The default security group for the VPC has the following inbound rules and ports configured:
- HTTPS: 443
- RDP: 3389
- Custom ICMP Rule: Echo Request
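The VPC requirements above can be checked before deployment. The following is an added example, not part of the original topic or of Smart Tools; it assumes input shaped like the JSON that `aws ec2 describe-subnets` and `aws ec2 describe-security-groups` return (`Subnets[]` and `SecurityGroups[].IpPermissions`), and the function names are hypothetical. It also reports RDP open to any address, a check added here that goes beyond the page's list.

```python
import ipaddress

ROLES = ("Public Subnet", "Private Subnet")
# Inbound rules the page lists; for ICMP, FromPort carries the ICMP type (8 = echo request).
REQUIRED = {"HTTPS 443": ("tcp", 443), "RDP 3389": ("tcp", 3389), "ICMP Echo Request": ("icmp", 8)}

def subnet_role(subnet):
    """Role taken from the CLM-Role tag or the Name tag, else None."""
    tags = {t["Key"]: t["Value"] for t in subnet.get("Tags", [])}
    return next((tags[k] for k in ("CLM-Role", "Name") if tags.get(k) in ROLES), None)

def covers(perm, proto, port):
    """True if one IpPermissions entry allows proto/port (ICMP: port is the type)."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    if perm["IpProtocol"] != proto:
        return False
    if proto == "icmp":
        return perm["FromPort"] in (-1, port)
    return perm["FromPort"] <= port <= perm["ToPort"]

def check_vpc(vpc_cidr, subnets, sg_perms):
    """Return (problems, warnings) for one VPC and its default security group."""
    problems, warnings = [], []
    vpc_net = ipaddress.ip_network(vpc_cidr)
    for role in ROLES:
        found = [s for s in subnets if subnet_role(s) == role]
        if len(found) != 1:
            problems.append(f"expected exactly one subnet for role {role!r}, found {len(found)}")
        for s in found:
            if not ipaddress.ip_network(s["CidrBlock"]).subnet_of(vpc_net):
                problems.append(f"{s['CidrBlock']} ({role}) is outside VPC {vpc_cidr}")
    for label, (proto, port) in REQUIRED.items():
        if not any(covers(p, proto, port) for p in sg_perms):
            problems.append(f"default security group lacks inbound {label}")
    for p in sg_perms:  # added check, not a page requirement: RDP reachable from anywhere
        open_to_all = any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", []))
        if open_to_all and covers(p, "tcp", 3389):
            warnings.append("RDP 3389 is open to 0.0.0.0/0")
    return problems, warnings

SAMPLE_SUBNETS = [  # constructed sample using the page's example CIDR ranges
    {"CidrBlock": "10.0.0.0/24", "Tags": [{"Key": "Name", "Value": "Public Subnet"}]},
    {"CidrBlock": "10.0.1.0/24", "Tags": [{"Key": "CLM-Role", "Value": "Private Subnet"}]}]
SAMPLE_PERMS = [  # constructed default-security-group rules; no ICMP rule on purpose
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
if __name__ == "__main__":
    print(check_vpc("10.0.0.0/16", SAMPLE_SUBNETS, SAMPLE_PERMS))
```

With the constructed sample, the check reports the missing ICMP Echo Request rule as a problem and the world-open RDP rule as a warning.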
Additional subnet for NetScaler
If you include NetScaler Gateway in your deployment, the blueprint will add a third subnet to your VPC for the NetScaler VPX. This subnet is labeled Management Subnet and is tagged as CLM-Role="Management Subnet".
If you intend to include NetScaler in your deployment, you must subscribe to NetScaler VPX in the Amazon Marketplace before you deploy the blueprint.
If you don’t have your own NetScaler license, select the edition (Standard, Enterprise, or Platinum) and bandwidth appropriate for your organization’s needs. These editions provide a fully licensed “pay-as-you-go” NetScaler deployment you can use with this blueprint.
If you have your own license, select the Customer Licensed edition. You will need to supply your license file during the blueprint configuration. The default hostname in the blueprint configuration is xd-rl-ns, but you can change this value to match your license file.
Note: If you choose not to include NetScaler, you can access your deployment through your intranet using a VPN.
Deploy the blueprint
- Log on to the Citrix Cloud web site and then, from the Control Center, click Get Started for the XenApp and XenDesktop Service.
- From the XenApp and XenDesktop Service home page, click Use Smart Tools. XenApp and XenDesktop Service directs you to Smart Tools so you can configure your resource location. This might take a few minutes to complete.
- On the Overview page, enter a deployment name. The default deployment name is XenApp and XenDesktop Service: Resource Location Setup. Click Next.
On the Resource Location page, specify your AWS account details and then click Next:
- In Resource Location, select Add New Resource Location.
- Select Amazon Web Services and then click Next.
- On the Amazon Web Services setup page, enter the following details and then click Add:
- Name: Enter a friendly name for your AWS account.
- Access Key ID: Copy and paste the Access Key ID for the IAM account you want to use with Smart Tools.
- Secret Access Key: Copy and paste the Secret Access Key from the IAM account you want to use with Smart Tools.
Click Done. Smart Tools returns you to the deployment configuration.
On the Architecture page, configure the following options and then click Next:
- Deploy Storefront: Select yes to add a Storefront server to your deployment. By default, Smart Tools does not deploy an additional Storefront server.
- Create RDS Template: By default, Smart Tools deploys a VDA machine and configures it for RDS. If you don’t want this VDA included in your deployment, select no.
- Create Server VDI Template: By default, Smart Tools deploys a VDA machine and configures it for Server VDI. If you don’t want this VDA included in your deployment, select no.
- Create NetScaler Gateway: By default, Smart Tools includes a NetScaler Gateway in your deployment. If you intend to access the deployment only from your intranet using a VPN connection, select no.
- On the Size page, leave Create new VMs selected.
For the Cloud Connector machine tier, perform the following actions:
- Under VM Tiers, select the AWS deployment location you set up earlier. Smart Tools connects to your AWS account and the Configure VM wizard appears.
- On the Choose a Region page, select the AWS region where you will deploy your resource location.
- On the Choose an AMI page, select the Windows Server 2012 R2 Datacenter 64-bit base image.
- On the Instance Details page, in Network, select Create VPC with public and private subnets. When prompted, enter a VPC name and then click Create VPC. Click Next.
- On the Credentials page, in Key Pair, select Create new key pair. When prompted, type a friendly name for the key pair and then click Create Key. Save a copy of the key as a PEM file. You will need this key to access the machines in your resource location later. Click Next.
- On the Networking page, accept all the default values and click Next.
- On the Summary page, leave Copy this configuration to other VM tiers selected. This allows Smart Tools to copy the VM settings for the Cloud Connectors to the other machines that Smart Tools will provision.
- Click Finish. Smart Tools returns you to the Size page.
For the Bastion machine tier, perform the following actions:
- On the Size page, click Edit.
- Click Next on each page until you arrive at the Networking page.
- On the Networking page, under Elastic IP, select Allocate new Elastic IP address for this instance. Click Next.
- On the Summary page, click Finish to save your settings and return to the Size page.
- On the Size page, click Next to continue the deployment.
On the Configuration page, configure the following options and then click Next:
- DomainName: Enter the FQDN of the domain you want to use with your new resource location.
- DomainIPAddress: Enter the IP address of the domain controller.
- DomainUser: Enter the username of the local Administrator or Domain Admin user.
- DomainPassword: Enter the password for the domain user account you specified.
- (Optional) Resource Location Id: Enter the ID of the Citrix Cloud resource location you want to specify for this deployment. If no value is specified, Smart Tools sets up your new resource location as the default for your Citrix Cloud account.
- ComputerName (Bastion and Server VDAs): In each ComputerName field, enter a computer name 1-15 characters in length for the servers that Smart Tools will deploy. This name should have at least one alphabetic character and be unique among machines in the domain you specified earlier.
- VPX Password: Enter a new password to assign to the nsroot account on the NetScaler VPX appliance. Citrix recommends choosing a strong password to replace the default value, nsroot.
- VPX Hostname: Enter the hostname you want to assign to the NetScaler VPX appliance. The default hostname is xd-rl-ns.
- NetScaler VPX Edition: If you subscribed to NetScaler VPX in the Amazon Marketplace, select the edition you chose.
- License for Customer Licensed Edition: If you subscribed to the Customer Licensed edition of NetScaler VPX, click Upload File to supply the license file for the appliance.
- On the Summary page, click Deploy.
Smart Tools displays the Deployment Details page which shows the progress of your deployment. From here, you can see the status of your deployment as Smart Tools executes each step.
Deploying a resource location can take up to five hours. Be aware that some steps take longer than others to complete.
Verify the resource location is ready
- Verify the Cloud Connectors have registered with Citrix Cloud. To do this, click the menu button in the upper-left corner of the page and select Resource Locations. Each of the Cloud Connectors that Smart Tools deployed displays a green check mark to indicate it registered successfully.
- Verify the domain you specified has registered successfully with Citrix Cloud. To do this, click the menu button in the upper-left corner of the page and select Identity and Access Management. The Domains tab displays the domain for your new resource location with a green indicator showing the domain is online.
When your resource location is ready, you can set up the XenApp and XenDesktop Service. To do this, you perform the following tasks:
- Create a host connection.
- Set up machine provisioning.
- Create a Delivery Group.
For instructions, see Get started on the Citrix Product Documentation web site.
Tear down your resource location
If you no longer need your blueprint deployment or you want to redeploy the blueprint to the same resource location in Citrix Cloud, you can tear down the deployment in Smart Tools. When you perform a teardown, Smart Tools decommissions and terminates all the VMs that were deployed through the blueprint.
Note: Teardown does not decommission or release AWS components such as NAT instances, Elastic IP addresses, or virtual private gateways. Teardown also does not terminate your NetScaler VPX subscription. You will need to manually decommission these components using the AWS management console to avoid further charges after teardown is complete.
Before you tear down the deployment, perform the following actions:
- In the Library in Citrix Cloud, remove users from any offerings created through the XenApp and XenDesktop Service for your resource location.
In Studio, perform the following actions:
- Delete machines from all Delivery Groups in the Site.
- Delete all Delivery Groups in the Site.
- Delete all Machine Catalogs in the Site.
- Delete all host connections in the Site.
- On each Cloud Connector machine in your resource location, uninstall the Citrix Cloud Connector software.
- In Citrix Cloud, delete the resource location.
To launch the teardown in Smart Tools:
- From the menu bar, click Manage and then select the XenApp and XenDesktop Resource Location Setup blueprint deployment you want to tear down.
- On the deployment page, click Tear Down and then click Tear down deployment.
- When prompted, click Tear down. Smart Tools schedules the teardown and, after a few minutes, decommissions and terminates the VMs.