
Maintaining namespace during upgrade/migration




We have an older Citrix infrastructure (7.15.3000.47) that is being replaced with a newer 2203 infrastructure.


We have switched from legacy on-prem authentication to FAS with Azure and SAML.


The new infrastructure shares the ADCs but has separate and upgraded DCs, StoreFronts, etc.


How would we maintain the original portal address but have certain users sent to the new infrastructure?



So have all the new DCs and StoreFronts configured for the current production URL instead of the new one? How would it know who to send where? Also, the FAS authentication model is not supported on the older infrastructure, so not sure how that will mix.


This will not be a cutover but a gradual move. If it was a cutover then it would not be an issue.



Cut over Citrix Gateway and StoreFront to the new ones. Use the HOSTS file to test before the cutover. Otherwise you'd need separate DNS names for new StoreFront/Gateway and old StoreFront/Gateway.


StoreFront can pull icons from both the new farm and the old farm. You can assign different groups to the icons from each farm. Or in StoreFront > Manage Delivery Controllers, click the User Mapping button and assign groups at the farm level.


One of the items is the difference in authentication flow and some differences to the StoreFront.


That is one of the main reasons this is being spread out a bit. We already have applications staged on both infrastructures.


What about a way to forward some people to the new portal from the old and then once far enough then simply swap the URLs throughout each and have them all live in the new infrastructure?



So I just want to make sure of a few things.


1. Would 7.15.3000.47 infrastructure (DCs and StoreFronts) not be able to leverage the FAS authentication? Is it just not supported or will it not work?


2. Is there a way within a virtual server to have a certain group of people log in with AD-based authentication and another group of people through the FAS/SAML with Azure AD?


3. Maybe also create session policies to the two StoreFronts with exclusions based on those same groups controlling the authentication. Again, I am not sure how the namespace would work there.



But is there a way to have it so the primary namespace allows all users to authenticate the older method (and namespace) with AD-based auth and then simply redirects the users that should be using the new infrastructure to the other (different namespace) and then they would authenticate again to the FAS most likely?


