Overview
The following tech paper focuses on the prerequisites for building an Azure environment to host a Citrix solution. It outlines the key design areas, Citrix environment implications, and initial requirements, emphasizing the importance of a well-architected, secure platform. The document details Azure components, including subscriptions, virtual networks, and resource groups. It guides virtual machine setup, availability zones, storage solutions, and Active Directory configurations. Additionally, the document covers essential considerations for Entra ID-joined VDAs, user and service accounts, DNS records, certificate services, software downloads, and antivirus exclusions.
Prerequisites Checklist
The environment prerequisites checklist items are generally listed in sequential order. The “Environment Prerequisites” section outlines prerequisite specifics.
- Design and Build Azure Landing Zone
  - Create Tenant
  - Create Azure Core Subscription
  - Create Azure Citrix Subscription
  - Create Management Groups
  - Create Azure Virtual Network and Subnets
  - Implement Azure ExpressRoute (Optional)
  - Open Firewall Communication Ports
  - Create Azure Resource Group(s)
- Build Azure Infrastructure VMs:
  - Cloud Connector
  - StoreFront (Optional)
  - NetScaler (Optional)
  - FAS (Optional)
  - Certificate Authority (Optional, required for FAS)
  - RDS License Server (Server OS workloads only)
  - Master Image (Server and/or Desktop OS)
- Setup Availability Zones for Infrastructure
- Design and Implement Profile Storage Solution
- Active Directory:
  - Minimum Functional Level
  - Build OU Structure
  - Confirm Access to the Policy Definitions Folder
- Review the Entra ID Joined VDA Considerations
- Create Service Accounts
- Create DNS Records
- Request Certificates
- Download Citrix Software
- Implement Citrix-Recommended Antivirus Exclusions
Environment Prerequisites
Azure Landing Zone
Microsoft has created the Cloud Adoption Framework (CAF) for Azure to guide each phase of a customer’s public cloud journey. Within the CAF, Azure Landing Zones outline design guidelines for a well-architected, secure platform, which are critical to a successful Citrix on Azure solution. The table below outlines the key Azure Landing Zone design areas, the relationship to a Citrix environment, and the baseline requirement to begin a Citrix on Azure journey.
Note:
These requirements will change as you scale at an enterprise level. Use the following article and included diagram for initial guidance on a Citrix on Azure Landing Zone design: Enterprise-Scale Support for Citrix on Azure.
See the following Microsoft documentation for additional information on Azure Landing Zones:
- Azure Landing Zone Architecture
- Azure Landing Zone Design Areas
- Azure Enterprise-Scale Landing Zones
See the following Citrix blogs and documentation for guidance on how Citrix fits into the CAF:
- Citrix Tech Zone: Citrix DaaS on Azure Reference Architecture
- Citrix Tech Zone: Citrix DaaS on Azure Design Decisions
- Citrix Blog: Introducing Citrix on Azure Enterprise Scale Reference Architecture
| Design Area | Citrix Environment Implications | Initial Requirement |
| --- | --- | --- |
| Azure Billing and AD Tenant | An active subscription with Microsoft is needed to consume Azure services. Additionally, an organization will use Entra ID to host the Azure identities and may also choose to use traditional Active Directory services if the Entra ID capabilities alone are not sufficient. | Set up a Microsoft Enterprise Agreement, Entra ID tenant, and consider a traditional Active Directory tenant based on requirements. |
| Identity and Access Management | Core considerations for administration, user authentication, and resource privileges. | Leverage Entra ID exclusively or a hybrid solution with Entra ID and traditional Active Directory. |
| Network Topology and Connectivity | Fundamental for connectivity to other Azure components/services, on-premises infrastructure, and external communication. | Deploy at least one Citrix network and subnet with the opportunity to separate components based on the use case (internet, internal, etc.). Consider an Azure ExpressRoute for robust connectivity to on-premises resources. Evaluate the use of a firewall and/or Azure network security groups. |
| Resource Organization | Organization via naming, tagging, subscription design, and management group design becomes crucial as companies plan and scale their Citrix on Azure deployment alongside non-Citrix use cases. | Deploy a single, dedicated Azure subscription for Citrix in a single region. |
| Security | Critical foundation to secure all environment components, from workloads to user data. | Work with the Security Architecture team to develop a robust security stance for the Citrix platform. |
| Management | A management baseline is required for stable, ongoing operations in the cloud to provide visibility, operations compliance, and successful administration. | Develop a multi-tiered administration model based on the principle of least privilege. This model applies to Azure and Citrix Cloud services. |
| Governance | Governance is important for tracking and optimizing costs, monitoring the platform’s compliance and security stance, and keeping the Azure landing zone up to date. | Consider leveraging Azure native tools like Azure Monitor, Cost Management, and Security Center. Implement and maintain an antivirus solution. |
| Platform Automation and DevOps | Modernize the Citrix deployment and expansion through infrastructure as code. | It is not required for an initial Citrix deployment but may be considered a future enhancement. |
Azure Subscriptions
Citrix recommends deploying, at a minimum, a single dedicated Azure subscription for the Citrix environment (infrastructure and workloads). Additional subscriptions may be used for scale, security, or company standards. Many enterprises keep a separate subscription for non-Citrix core services and components.
Note:
Azure subscriptions may be deployed across regions if the VM count stays below the Citrix Limits.
Network
Azure Networks
An Azure Virtual Network is required in each Azure Region to host virtual machines. A minimum of one Virtual Network is needed. However, many enterprises deploy separate Virtual Networks for Infrastructure, NetScalers, Server OS Virtual Delivery Agents (VDA), and Desktop OS VDAs. Additionally, subnetting can be used to segment Azure Virtual Networks. Separating infrastructure and workloads into different networks and/or subnets lets you control and restrict traffic via Azure network security groups (NSGs). Citrix recommends working with the network team to design the Azure networking architecture.
Azure ExpressRoute
Many enterprises have components that will remain in on-premises data centers (e.g., application backends and user data). To establish connectivity from on-premises data centers to Azure, Citrix recommends an Azure ExpressRoute for best performance. The throughput will be dependent on the expected network load between the locations. Alternatively, you can consider a site-to-site VPN.
Routing and Firewall
Firewall rules must be created with the ports detailed in Citrix Tech Zone: Communication Ports Used by Citrix Technologies. The System and Connectivity Requirements article details the required internet connectivity and URL whitelisting for various components to communicate with Citrix Cloud services.
Azure Resource Groups
Resource Groups logically separate and group resources within the Azure subscription. Given this, the number of Resource Groups will vary depending on customer preferences. The following outlines example Resource Groups for a Citrix on Azure deployment.
- Infrastructure
- Citrix Master Images
- Citrix VDAs (multiple often deployed for different use cases)
- Network
- Testing (often deployed separately for Infrastructure, Master Images, and VDAs)
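The network layout described in the Azure Networks, Routing and Firewall, and Azure Resource Groups sections above, expressed with the Az PowerShell module. This is an added example and not the article's or Citrix's own script; the region, resource group name, virtual network and subnet names, and address ranges are assumptions, and the three ports used in the rules (TCP 80 for VDA registration, TCP 1494 and 2598 for ICA/HDX) are the commonly known Citrix ports, which you should confirm against the Citrix Communication Ports article before applying the rules.

```powershell
# Added example (not from the Citrix article). Creates a dedicated Network
# resource group, a virtual network with one subnet per role, and network
# security groups that restrict inbound traffic into the VDA subnets.
# All names and address ranges below are assumptions; adjust to your landing zone.

$Location = 'eastus'
$NetRg    = 'rg-ctx-network'     # assumed: dedicated "Network" resource group
$VnetName = 'vnet-ctx-eastus'
$Subnets  = [ordered]@{
    'snet-ctx-infra'       = '10.10.1.0/24'   # Cloud Connectors, StoreFront, FAS, CA
    'snet-ctx-vda-server'  = '10.10.2.0/23'   # Server OS VDAs
    'snet-ctx-vda-desktop' = '10.10.4.0/22'   # Desktop OS VDAs
    'snet-ctx-netscaler'   = '10.10.8.0/27'   # NetScaler VPX (optional)
}

New-AzResourceGroup -Name $NetRg -Location $Location -Force | Out-Null

# Infrastructure subnet NSG: start from the Azure defaults and tighten later
# with the infrastructure-tier ports from the Citrix Communication Ports article.
$nsgInfra = New-AzNetworkSecurityGroup -Name 'nsg-ctx-infra' -ResourceGroupName $NetRg `
                -Location $Location -Force

# VDA subnet NSG: only the infrastructure and NetScaler tiers may initiate
# connections to VDAs; everything else inside the VNet is denied.
$vdaRules = @(
    # Cloud Connector -> VDA brokering traffic (TCP 80, assumed from the Citrix ports list).
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Broker-From-Infra' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $Subnets['snet-ctx-infra'] -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 80
    # NetScaler Gateway -> VDA session traffic (ICA 1494, Session Reliability 2598).
    New-AzNetworkSecurityRuleConfig -Name 'Allow-HDX-From-NetScaler' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $Subnets['snet-ctx-netscaler'] -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange @('1494', '2598')
    # Deliberately strict baseline: overrides the default AllowVnetInBound rule.
    # Add explicit rules (e.g. a management jump host) rather than removing this.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Other-VNet-Inbound' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)
$nsgVda = New-AzNetworkSecurityGroup -Name 'nsg-ctx-vda' -ResourceGroupName $NetRg `
              -Location $Location -SecurityRules $vdaRules -Force

# Attach the NSG that matches each subnet's role.
$subnetConfigs = foreach ($name in $Subnets.Keys) {
    $nsg = if ($name -like '*-vda-*') { $nsgVda } else { $nsgInfra }
    New-AzVirtualNetworkSubnetConfig -Name $name -AddressPrefix $Subnets[$name] `
        -NetworkSecurityGroup $nsg
}

New-AzVirtualNetwork -Name $VnetName -ResourceGroupName $NetRg -Location $Location `
    -AddressPrefix '10.10.0.0/16' -Subnet $subnetConfigs -Force | Out-Null

Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $NetRg |
    Select-Object -ExpandProperty Subnets |
    Select-Object Name, AddressPrefix, @{ n = 'NSG'; e = { ($_.NetworkSecurityGroup.Id -split '/')[-1] } }
```

The VDA NSG denies inbound connections from the rest of the virtual network by default, so each additional flow (management, monitoring, profile storage traffic initiated toward the VDA) has to be added as a named rule, which keeps the rule set reviewable by the network and security teams the article asks you to involve.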
Azure Virtual Machines
The following table outlines the virtual machines required to deploy a baseline Citrix on Azure environment. All virtual machines must be created, accessible on the network, and joined to the primary domain (Windows machines only).
Note:
Several components are optional based on design decisions, such as the access tier and authentication method. Citrix recommends using the latest generally available Azure VM SKU version.
| Component | Operating System | Quantity | Instance Type | Storage | Notes |
| --- | --- | --- | --- | --- | --- |
| Citrix StoreFront | Windows Server 2022 | 2 | D4s_vX (4 vCPU x 16 GiB RAM) | 128 GiB | Optional. Dependent on on-premises access tier versus Citrix Cloud access tier (Workspace and Gateway Services). |
| Citrix Cloud Connector | Windows Server 2022 | 2 | D4s_vX (4 vCPU x 16 GiB RAM) | 128 GiB | Required for all deployments to broker communication to Citrix Cloud. |
| Microsoft Remote Desktop License Server | Windows Server 2022 | 1 | D2s_vX (2 vCPU x 8 GiB RAM) | 64 GiB | Required when deploying Remote Desktop Services (RDS) based workloads. Two servers are recommended for high availability in production deployments. |
| Federated Authentication Service (FAS) | Windows Server 2022 | 2 | D4s_vX (4 vCPU x 16 GiB RAM) | 128 GiB | Optional. Enables single sign-on into VDAs when using SAML-based authentication. Dependent on authentication method and desired user experience. |
| Certificate Authority | Windows Server 2022 | 2 | D4s_vX (4 vCPU x 16 GiB RAM) | 128 GiB | Optional. Component used in conjunction with FAS. |
| Server OS Master Image | Windows Server 2022 | 1 | D8s_vX (8 vCPU x 32 GiB RAM) | 128 GiB | The sizing of the VDAs is customer-dependent and can be changed during the Machine Creation Services (MCS) provisioning process. Enterprises must decide which Citrix delivery method is most appropriate for their user base (Server OS vs. Desktop OS, Single Session vs. Multi-Session, etc.). |
| Desktop OS Master Image | Windows 11 | 1 | D4s_vX (4 vCPU x 16 GiB RAM) | 128 GiB | |
| NetScaler VPX 1000 Appliances | NS Firmware 14.x | 2 | Ds3_vX (4 vCPU x 14 GiB RAM) | TBD | Optional. Dependent on on-premises access tier versus Citrix Cloud access tier (Workspace and Gateway Services). |
Azure Availability
VMs should be placed across multiple Availability Zones in Azure to ensure the high availability of infrastructure components. Availability Zones place VMs across separated groups of data centers within a region. If Availability Zones are unavailable in the chosen Azure region, Availability Sets may be used instead.
Note:
Availability Zones have a higher SLA than Availability Sets.
Storage
For enterprises leveraging user profiles for their workloads (file-based or container-based), Citrix recommends deploying an Azure storage solution to locate the profiles close to the Azure workloads for optimal performance. Options include using PaaS offerings like Azure Files or Azure NetApp Files or deploying and maintaining a customer-managed storage solution. Citrix always recommends highly available storage solutions for critical environment components. See the following references for profile storage solutioning guidance:
- Citrix Tech Zone: Citrix Profile Management with Azure Files
- Citrix Tech Zone: User Data and Profile Considerations
- Citrix Tech Zone: Deployment Guide - Deploying Azure Files for Citrix Profile Management and Citrix User personalization layers
- Citrix Tech Zone: Deployment Guide - Citrix Profile Management Containers
- Citrix Blog: Making your Citrix Profile Management share highly available
Active Directory
Citrix requires Active Directory for most Citrix on Azure deployments. This includes machine and user identity management, authentication, and authorization. See Citrix eDocs: Machine Identities - Active Directory Joined for details.
The exception would be enterprises that have deployed Citrix Cloud services (e.g., Workspace and Gateway Services) exclusively with Azure Entra ID-joined or non-domain-joined workloads. In these cases, Cloud Connector servers would not be required. Citrix recommends developing a holistic strategy for using Active Directory and Azure Entra ID across the organization.
With Active Directory in use, the following prerequisites must be in place to properly configure the environment.
| Prerequisite | Requirement |
| --- | --- |
| Domain Controller Functional Level | Domain Controller (2x) with Windows Server 2008 R2 forest and domain level or higher. |
| Dedicated Citrix Organizational Unit (OU) for New Environment | Citrix recommends a dedicated OU structure for the new infrastructure and workloads. The original article shows a sample OU structure diagram at this point. |
| Access to the domain Policy Definitions folder | Upon installation, .admx and .adml files will be placed on the FAS servers. They must then be uploaded to the domain Policy Definitions folder. New GPOs will then be created using the settings in these files and linked to FAS, StoreFront, and VDA components in each Azure region. |
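A pre-build check for the three Active Directory prerequisites in the table above (functional level, dedicated Citrix OU, write access to the Policy Definitions folder), written as an added example that is not part of the Citrix article. It uses the RSAT ActiveDirectory module; the OU name "Citrix" and the sub-OU layout are assumptions standing in for the sample structure the article refers to.

```powershell
# Added example (not from the Citrix article). Run as a domain administrator
# from a domain-joined management host with RSAT installed.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Forest and domain functional level must be Windows Server 2008 R2 or higher.
#    The ADDomainMode / ADForestMode enum values increase chronologically,
#    so a plain comparison is enough.
$domainOk = $domain.DomainMode -ge [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
$forestOk = $forest.ForestMode -ge [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

# 2. At least two writable domain controllers (the table asks for 2x).
$writableDcs = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly })

# 3. Dedicated Citrix OU with sub-OUs for infrastructure and workloads.
#    The names below are an assumed layout; match them to your own design.
$citrixOuName = 'Citrix'
$citrixOu     = "OU=$citrixOuName,$($domain.DistinguishedName)"
$subOus       = 'Infrastructure', 'Master Images', 'VDAs', 'Users', 'Groups'

if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$citrixOuName)" `
              -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $citrixOuName -Path $domain.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}
foreach ($name in $subOus) {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $citrixOu -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $citrixOu -ProtectedFromAccidentalDeletion $true
    }
}

# 4. The domain Policy Definitions folder (central store) must exist and be
#    writable, because the FAS/StoreFront/VDA .admx/.adml files are copied here.
$policyDefs = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"
$policyDefsOk = $false
if (Test-Path -LiteralPath $policyDefs) {
    # Probe write access without -Force so no missing parent folder is created by accident.
    $probe = Join-Path $policyDefs ".ctx-write-probe-$PID"
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        $policyDefsOk = $true
    } catch {
        Write-Warning "No write access to $policyDefs : $($_.Exception.Message)"
    }
} else {
    Write-Warning "Central store $policyDefs does not exist; create it before copying the ADMX files."
}

[pscustomobject]@{
    DomainMode            = $domain.DomainMode
    ForestMode            = $forest.ForestMode
    FunctionalLevelOk     = $domainOk -and $forestOk
    WritableDcCount       = $writableDcs.Count
    WritableDcCountOk     = $writableDcs.Count -ge 2
    CitrixOu              = $citrixOu
    PolicyDefinitionsPath = $policyDefs
    PolicyDefinitionsOk   = $policyDefsOk
}
```

The summary object is meant to be kept with the build record: a `FunctionalLevelOk` or `PolicyDefinitionsOk` of `False` is a blocker that should be resolved with the directory team before the Cloud Connectors are installed.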
Entra ID Joined VDA Considerations
If Citrix VDAs are either Pure Entra ID (previously Azure AD) or Entra ID Hybrid-joined, enterprises should be aware of the requirements and limitations of these deployment methodologies. For details, see Citrix eDocs: Pure Entra ID-Joined VDAs and Citrix eDocs: Entra ID Hybrid-Joined VDAs.
User and Service Accounts
The following user accounts and service accounts are required:
- Azure Service Principal: An Azure Service Principal is required for Machine Creation Services (MCS) provisioning and power management of VDAs. The Service Principal can either be a Subscription Scope or Narrow Scope. Citrix only recommends Subscription Scope for Azure Subscriptions dedicated to Citrix. To align with the principle of least privilege, Citrix recommends the Narrow Scope. See Citrix Support: Azure Role Based Access Control in Citrix Virtual Apps and Desktops and Citrix eDocs: Connection to Microsoft Azure for details.
- Citrix Administrators Group: Members of this group will have full administrative rights to all Citrix virtual machines and be defined as Full Administrators in Citrix Cloud Web Studio. The following permissions are required on the Citrix OU:
  - Create sub-OUs
  - Create, edit, and link GPOs
  - Create, delete, and reset passwords for Computer Accounts in the Citrix VDAs OU(s)
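The Subscription Scope versus Narrow Scope choice for the MCS service principal described above, shown with the Az PowerShell module. This is an added example and not the article's or Citrix's own procedure: it assumes that the narrow scope is expressed as the built-in Contributor role assigned only on the Citrix resource groups (instead of the whole subscription), which is a least-privilege illustration; the exact permission set Citrix documents for the narrow scope is in the Citrix Support article referenced above, and the resource group names are assumptions.

```powershell
# Added example (not from the Citrix article). Creates the service principal
# used by Citrix DaaS for MCS provisioning and power management, and assigns
# it either at subscription scope or only on the Citrix resource groups.
# Resource group names and the display name are assumptions.

param(
    [ValidateSet('Subscription', 'Narrow')]
    [string]$Scope = 'Narrow',                     # least privilege by default
    [string]$DisplayName = 'sp-citrix-mcs',
    [string[]]$CitrixResourceGroups = @('rg-ctx-infrastructure', 'rg-ctx-images', 'rg-ctx-vdas', 'rg-ctx-network')
)

$context = Get-AzContext
if (-not $context) { throw 'Run Connect-AzAccount and select the Citrix subscription first.' }
$subscriptionId = $context.Subscription.Id

# Create (or reuse) the app registration and service principal. The client
# secret is only shown once; store it in a vault, never in a script.
$sp = Get-AzADServicePrincipal -DisplayName $DisplayName
if (-not $sp) {
    $sp = New-AzADServicePrincipal -DisplayName $DisplayName
    Write-Host "Client secret (store securely now): $($sp.PasswordCredentials.SecretText)"
}

# Decide the assignment scopes.
$scopes = if ($Scope -eq 'Subscription') {
    # Only acceptable when the subscription is dedicated to Citrix, as the article states.
    @("/subscriptions/$subscriptionId")
} else {
    foreach ($rgName in $CitrixResourceGroups) {
        $rg = Get-AzResourceGroup -Name $rgName -ErrorAction Stop
        $rg.ResourceId
    }
}

# Assign Contributor at each scope, skipping assignments that already exist.
foreach ($s in $scopes) {
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $s |
                Where-Object { $_.Scope -eq $s }
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $s | Out-Null
    }
}

# Report what the principal can now touch, for the access review record.
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope |
    Sort-Object Scope
```

The values you then enter in Citrix Cloud when creating the hosting connection are the subscription ID, the tenant ID (`$context.Tenant.Id`), the application ID (`$sp.AppId`) and the secret; rotating that secret and re-running the role assignment review on a schedule is the operational side of the least-privilege model the article recommends.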
DNS Records
If NetScaler appliances will be used to front-end the Citrix environment, the following DNS records will be required:
- External DNS record pointed to the NetScaler public IP for the Gateway.
- Internal DNS records for each desired load balancing VIP (StoreFront, Cloud Connectors).
Certificate Services
Depending on the architecture of the Citrix on Azure solution (on-premises vs. Citrix Cloud access tier, inclusion of Citrix FAS), the following certificates will be required for the Citrix environment:
- NetScaler: External certificate for the NetScaler Gateway from a public CA
- StoreFront: Internal SAN certificate for StoreFront load balancing VIP and server names
- Cloud Connector: Internal SAN certificate for Cloud Connector load balancing VIP and server names (on-premises access tier only)
- Microsoft Certificate Authority: If Citrix FAS is used, two Intermediate CAs per Azure region are recommended for high availability
- Domain Controller: If Citrix FAS will be used, Domain Controllers must have a Domain Controller Authentication certificate bound to support Smart Card logon
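The internal DNS records and SAN certificates listed in the DNS Records and Certificate Services sections above, combined into one added example (not the article's own procedure). The zone name, DNS server, VIP addresses, member server names and the certificate template name are assumptions; the Cloud Connector record and certificate only apply to the on-premises access tier, as the article notes.

```powershell
# Added example (not from the Citrix article). Registers the internal A records
# for the NetScaler load-balancing VIPs and requests a SAN certificate that
# covers the VIP name plus each member server, then verifies the issued SAN.
# Run the DNS part from a host with the DnsServer RSAT module; run the
# certificate part on each member server (it enrolls into LocalMachine\My).

$Zone      = 'corp.example.com'            # assumed internal zone
$DnsServer = 'dc01.corp.example.com'       # assumed DNS server
$Template  = 'CitrixWebServer'             # assumed enterprise CA template (Server Authentication EKU)

# VIP host name -> VIP address, plus member servers the SAN must also include.
$Services = @(
    @{ Vip = 'storefront';     Ip = '10.10.1.50'; Members = @('sf01', 'sf02') }
    @{ Vip = 'cloudconnector'; Ip = '10.10.1.51'; Members = @('cc01', 'cc02') }   # on-premises access tier only
)

foreach ($svc in $Services) {
    $fqdn = "$($svc.Vip).$Zone"

    # Internal A record for the load-balancing VIP (skip if already present).
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $svc.Vip -RRType A `
                    -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $svc.Vip -IPv4Address $svc.Ip -ComputerName $DnsServer
    }

    # One SAN certificate per service: VIP name first, then every member name.
    $sanNames = @($fqdn) + ($svc.Members | ForEach-Object { "$($_).$Zone" })
    $result = Get-Certificate -Template $Template -SubjectName "CN=$fqdn" -DnsName $sanNames `
                  -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($result.Status -ne 'Issued') {
        throw "Certificate for $fqdn was not issued (status: $($result.Status))."
    }

    # Verify the CA actually put every requested name into the SAN extension
    # (2.5.29.17); a template that overrides the SAN will silently drop names.
    $sanExt  = $result.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $missing = $sanNames | Where-Object { $sanText -notmatch [regex]::Escape($_) }
    if ($missing) {
        throw "Certificate for $fqdn is missing SAN entries: $($missing -join ', ')"
    }

    [pscustomobject]@{
        Service    = $fqdn
        VipAddress = $svc.Ip
        Thumbprint = $result.Certificate.Thumbprint
        NotAfter   = $result.Certificate.NotAfter
        SAN        = ($sanNames -join ', ')
    }
}
```

The SAN check matters because the StoreFront and Cloud Connector VIP names are what clients and NetScaler validate; a certificate that only carries the server name passes enrollment but fails once the VIP is put in front of the servers.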
Software
The links below provide access to all Citrix-relevant software needed for the deployment. The software must be stored on a file share accessible by the virtual machines listed in the Virtual Machines section of this document.
- Citrix Cloud Connector: Downloaded from the Citrix Cloud portal
- Citrix StoreFront and Virtual Delivery Agent: https://www.citrix.com/downloads/citrix-virtual-apps-and-desktops/
  - Enterprises can choose the Long Term Service Release (LTSR) or Current Release (CR) version of the Citrix solution. The LTSR version provides a longer support lifecycle without new features, only Cumulative Update hotfixes. The CR version has a more frequent release cycle with new features and a shorter support period. See Citrix FAQ: Virtual Apps and Desktop LTSR for details.
- Citrix Workspace App: https://www.citrix.com/downloads/workspace-app/
  - The Citrix Workspace App client is recommended for all endpoints accessing Citrix on Azure workloads. The full client provides additional features and functionality beyond the HTML5 client. You can choose the Long Term Service Release (LTSR) or Current Release (CR) version of the Citrix Workspace App. Users may download the Citrix Workspace App from the Citrix Downloads page or have their organization push it down.
Antivirus Exclusions
Citrix recommends that you evaluate and implement the Citrix antivirus exclusions detailed in Citrix Tech Zone: Endpoint Security, Antivirus, and Antimalware Best Practices. The recommendations in Microsoft eDocs: Windows Defender in VDI Environments should be evaluated and implemented if this technology is used.
It is essential to understand that antivirus exclusions and optimizations increase the attack surface of a system and might expose computers to various security threats. The guidelines in the referenced article typically represent the best trade-off between security and performance. Citrix does not recommend implementing these exclusions or optimizations until rigorous testing has been conducted in a lab environment to thoroughly understand the trade-offs between security and performance. Citrix also recommends that organizations engage their antivirus and security teams to review the referenced guidelines before proceeding with any production deployment.
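Because exclusions widen the attack surface, the list actually in effect on each VDA and infrastructure server should be compared regularly against the list the security team approved after lab testing. The following added example (not part of the Citrix article) does that for Microsoft Defender using `Get-MpPreference`; the approved entries are placeholders, since the real exclusion list comes from the Citrix Tech Zone and Microsoft articles referenced above.

```powershell
# Added example (not from the Citrix article). Reports drift between the
# Defender exclusions configured on this host and the approved baseline.
# The baseline below is a PLACEHOLDER; populate it from the Citrix and
# Microsoft guidance after it has been reviewed by your security team.

$ApprovedBaseline = @{
    Paths      = @('C:\ProgramData\Citrix\EXAMPLE-approved-path')   # placeholder
    Processes  = @('EXAMPLE-approved-process.exe')                  # placeholder
    Extensions = @()
}

function Get-DefenderExclusionDrift {
    param([Parameter(Mandatory)][hashtable]$Approved)

    $pref = Get-MpPreference
    $current = @{
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
        Extensions = @($pref.ExclusionExtension)
    }

    foreach ($kind in 'Paths', 'Processes', 'Extensions') {
        # Normalise case so "C:\Foo" and "c:\foo" compare equal.
        $approvedSet = @($Approved[$kind]) | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
        $actualSet   = @($current[$kind])  | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

        # On the host but never approved: this is the finding that matters for
        # security, since anything under an unapproved exclusion is unscanned.
        foreach ($item in ($actualSet | Where-Object { $approvedSet -notcontains $_ })) {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Kind = $kind; Exclusion = $item; Finding = 'Unapproved' }
        }
        # Approved but absent: the tested performance benefit is not being realised.
        foreach ($item in ($approvedSet | Where-Object { $actualSet -notcontains $_ })) {
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Kind = $kind; Exclusion = $item; Finding = 'Missing' }
        }
    }

    # An "optimisation" that turns protection off entirely deserves its own finding.
    if ($pref.DisableRealtimeMonitoring) {
        [pscustomobject]@{ Host = $env:COMPUTERNAME; Kind = 'Setting'; Exclusion = 'DisableRealtimeMonitoring'; Finding = 'RealtimeProtectionOff' }
    }
}

$drift = @(Get-DefenderExclusionDrift -Approved $ApprovedBaseline)
if ($drift.Count -gt 0) {
    $drift | Format-Table -AutoSize
    # Forward $drift to your SIEM or ticketing system so unapproved exclusions are tracked.
} else {
    "Defender exclusions on $env:COMPUTERNAME match the approved baseline."
}
```

Running this from the master image before it is sealed, and again on provisioned VDAs, catches both exclusions that drifted in through local changes and approved exclusions that were lost when the image was rebuilt.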