Citrix Cloud Azure

30-04-2021
 |  [RAND-100] - Comments



Two weeks ago I went to Citrix Synergy in Anaheim. Here Citrix announced the future vision of the company. And the vision is clear, it is CLOUD. Citrix now thinks of itself as a cloud company. And with their new Citrix Workspace they have a great cloud product. But how does automation fit into the cloud and what can we automate? In this blog I will try and answer that.

During Synergy Citrix also announced Azure Quick Deployment capability from the Citrix Cloud environment (more on Quick Deployment here from christiaanbrinkhoff.com). If you use quick deployment, the Citrix Cloud will automatically make the resource groups and virtual networks in Azure. And by using the Citrix Cloud itself you automatically get a Citrix Site, Delivery Controller, Workspace (Storefront) etc. So what’s left to automate ? Well the Master Image/ VDA offcource.

During a Synergy session, I heard a presenter say: “The last part is easy. Just create a master image and you’re done.” But creating a good master image can take a lot of time, especially if there is a need for a lot of local applications. It is a best practice to automate the creation of your master image. That’s why I created the Ultimate Golden Image Automation guide. But this guide uses an on-prem VMware and Citrix Provisioning environment. For the cloud, we need a new process, one that uses Microsoft Azure and Citrix Machine Creation Services. A great thing about this is that they both can be managed with Microsoft PowerShell. If we combine the right PowerShell commands we can make a new automatic master image deployment scenario.

2 days ago  We proactively alert IT anytime end user experience is negatively impacted, looking at all IT elements whether they reside in Citrix Cloud, the supporting infrastructure on-premises, or hosted in AWS or Azure, as well as the Cloud Connectors.” Goliath’s Citrix Cloud Connector Module automatically discovers and maps an organization’s. During Synergy Citrix also announced Azure Quick Deployment capability from the Citrix Cloud environment (more on Quick Deployment here from christiaanbrinkhoff.com). If you use quick deployment, the Citrix Cloud will automatically make the resource groups and virtual networks in Azure.

The new master image deployment scenerio goes as follows:

  1. Create a new Azure Virtual Machine
  2. Deploy VDA and software on the Virtual Machine
  3. Update Machine Catalog from the new Virtual Machine
  4. Delete the Virtual Machine and its resources

Deleting the VM is not entirely necessary but helps reducing cost. Consistency is key during the automation process so starting with a new Azure VM will help.

The first thing we need to do is to install the Azure remote management PowerShell modules. This requires PowerShell 5, so if you have a Windows 2012R2 or Windows 8.1 machine you need to update to PowerShell 5, which you can download here. After that you can run the following script to install the modules.

After the installation is completed you need to import the module with the following script.

Now, we need to connect to the Azure tenant so that we can deploy a virtual machine. The script below will ask for your credentials. You could change the script to make an object from your credentials, so it connects automatically.

Now that we’re connected, we need to create the new Virtual Machine that is to become the new master image. We do this with the following script.

Because we’re going to use this new Azure virtual machine in a software deployment scenario, we need to know the private IP address of the virtual machine. This IP address is assigned randomly (DHCP). We can get the private IP address with the following script.

We need to push an automation agent to the Azure Virtual machine so that we can deploy our software. That’s why we temporarily need to disable the Windows Firewall on the Azure virtual machine. It is not possible to run a script directly on an Azure virtual machine, but you can use a Custom Script extension. The script below will create a small PowerShell script in c:temp. Then upload it to your Azure storage account and then create a Custom Script extension to be run on the Azure Virtual Machine which uses the script from your storage account. After this the Virtual Machine will be rebooted. And now you can push your Automation agent (Ivanti, SCCM, etc.). Don’t forget to enable the firewall once you’re done.

The Azure virtual machine is created with a public IP address by default but we’re not going to use this. The following script will delete the public IP.

Now that we have a new Azure virtual machine, the private IP address, credentials, and the firewall is temporarily turned off. We can start deploying software and, of course, the Citrix VDA Software. You can do this with PowerShell or your own favorite automation product. You can also use my Ultimate Golden Image Automation Guide for software deployment tips and silent parameters. To install the VDA, you can check out this great article by Dennis Span or see the Citrix install command web page. And of course, don’t forget to optimize your image with the Citrix Optimizer and to seal your master image the right way with BIS-F (Base Image Sealing Framework).

Citrix Equivalent In Azure

After deploying all the software and installing the VDA, it’s important to stop the Azure virtual machine before you update your machine catalog. You can do this with the following script.

Now that we have created a new master image, we need to update the Machine Catalog. If you run your own delivery controller in Azure or even on-premises, you can use the script below on any machine with Citrix Studio installed. If you use Citrix Cloud services you need to install the Citrix Cloud Remote PowerShell SDK. After installing the SDK, you can connect to your Citrix Cloud environment with the Get-XdAuthentication and then run the script.

Azure

Now that the catalog is updated, there is no need to keep the Azure Virtual Machine and its resources; we can delete it with the following script:

When you use the cloud and automation we need to enter credentials a few times. Make sure to never save your credentials as plain text in your scripts. Recently, there has been an increase in Azure account hijackings for mining cryptocurrency. Try to use a password vault or, at the very least, encrypted passwords. I have my script repository in my Ivanti automation library and I use password variables that are stored, encrypted, in the automation database. Another important thing is the Azure virtual machine credentials we created in the new virtual machine step. Once created, these admin credentials are on every machine you produce from the master image. So, don’t forget to disable the credentials with Disable-LocalUser or to remove them with Remove-LocalUser and add a new secure account.

I hope this was informative. For questions or comments you can always give a reaction in the comment section or contact me:

downloadWhy can't I download this file?

This article walks you through manually creating an application registration in the Azure portal, assigning that the necessary permissions, and then creating your host connection in Citrix Cloud.

Instructions

Note: Citrix Cloud Studiocan perform all these actions automatically when using the Create new.. option while adding a new Hosting Connection. Account privilege level in Azure must be Owner (not Contributor) to perform the actions listed in Step 1 and Step 4. If your Azure account role is Contributor, you might see the error 'Invalid Azure Credentials' in Citrix Cloud Studio when choosing the Use Existing.. option or no error but a window prompting for credentials again when using the Create New option. Vlc player replacement mac. Only follow the steps below once you've confirmed the current role level for your Azure account.

Citrix Cloud On Azure

Step 1: Manually creating an Azure application registration for Citrix Cloud

Define the application registration

  1. Login to your Azure Tenant

  2. Select the Azure Active Directory blade

  3. Select App Registrations

  4. Select '+ New application registration'
    Also select the Account type:

  5. Under Redirect URI, select Web for the type of application you want to create. Enter the URI where the access token is sent to.
    Application Type: 'Web app'
    'Sign-on URL: 'https://citrix.cloud.com'

  6. Select the App Registration from Step 4 to open its Settings
    Grant Access to the Azure API

  7. Select Required Permissions under API Permissions:
    Create the application secret access key

  8. From the Manage tab of the App registration; select “Certificates & Secrets”

    1. Refer the below edoc from Microsoft to create a secret key.
      https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

  9. Copy the value of the Key (this is the secret, similar to a password you will only see once)

  10. Select the Properties

  11. Copy the Application ID of the App registration (this is similar to the username)

The Key and Application ID & Directory ID are pieces of information required to create the Host connection to Azure from Citrix Cloud.

Step 2: Manually assigning Resource permissions to the Azure App Registration for Citrix Cloud

Now that the App registration account has been created and access has been granted to the Azure API it needs to be granted permissions to resources within your Azure account.

Citrix recommends that Citrix Cloud specific subscriptions be created. This reduces the risk of worker provisioning or life cycle actions from interfering with or impacting other production systems.

The following instructions utilize the built-in Azure RBAC Roles. The instructions select the most restrictive built-in Role for a particular resource, this allows Citrix Cloud to do what it needs to for worker machine provisioning and lifecycle actions.

Selecting a Citrix Worker management model

At this point, there is a decision of how much control a customer will grant to the Citrix Cloud App registration for machine provisioning.

Citrix Managed – In this model, Citrix Cloud is in full control of Resource Group(s) during the machine provisioning process. As Resource Groups are required, Citrix Cloud will simply add more as necessary to support the additional catalogs being provisioned. This streamlines the management experience by handling these details. This also makes the Citrix administrator the sole arbiter of how many virtual machines can be deployed.

Customer Managed – In this model, an Azure Admin or Co-Admin pre-creates Resource Groups that worker machines will be provisioned in to. Citrix Cloud cannot create additional Resource Groups as necessary, this will need to be performed by an Azure Subscription Admin or Co-Admin. This will require good communication between the Citrix Administrator and Azure Administrator as the number of Citrix workers in Azure is increased.

Note: The Customer Managed option is currently supported in the Citrix Cloud and in XenApp and XenDesktop 7.16 or later via the Studio GUI.

The primary difference between the two is the level of control that the application service principal has to the Azure Subscription and resources. These two models are detailed below.

Assigning Resource Permissions

The following outlines the permission settings required for the resource that is being secured with the built-in Azure RBAC role that provides the minimum settings necessary for the model.

Most of the settings will be the same for both models, except the settings on the Subscription where Citrix workers will be provisioned and the Resource Groups within it.

For more information about assigning permissions see: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure

For more information about built-in Azure RBAC roles see: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles

Subscription

The Subscription where Citrix workers (XenApp and/or XenDesktop will be provisioned) will reside.

Management ModelCitrix ManagedCustomer Managed
Azure RBAC RoleContributorNone
Azure Admin / Co-Admin must create Resource Groups manually

To grant the App Registration Contributor permission to a Subscription:

  1. Select the Billing blade
  2. Select the desired Subscription
  3. Select “Access control (IAM)”
  4. Select “+ Add”
  5. Select Contributor from the Role drop down menu
  6. Click in the Select search box and type the full name of the App registration
  7. Select the App registration
  8. Select Save

Resource Group(s)

The Resource Groups within the Subscription where Citrix workers will be provisioned.

Management ModelCitrix ManagedCustomer Managed
Azure RBAC RoleContributor
Inherited from Subscription		Virtual Machine Contributor
Storage Account Contributor

To grant the App Registration Contributor permission to a Resource Group

Citrix Managed – Do nothing, the permissions will be inherited.

Customer Managed – Complete the following:

  1. Select the Resource Group Blade
  2. Create the Resource Group(s)
    1. Select “+ Add”
    2. Enter:
      1. Resource Group Name
      2. Subscription
      3. Region
    3. Select Create
  3. Refresh the Resource Group list
  4. Select the Resource Group that was created
  5. Select “Access control (IAM)”
  6. Select “+ Add”
  7. Select Contributor from the Role drop down menu
  8. Click in the Select search box and type the full name of the App registration
  9. Select the App registration
  10. Select Save
  11. Repeat for each Resource Group

Virtual Network

The Azure Virtual Network that Citrix worker machines will be joined to.

Management ModelCitrix ManagedCustomer Managed
Azure RBAC RoleContributor
Inherited from Subscription		Virtual Machine Contributor

Complete this for both scenarios.

Master Image Storage Account

The Resource Group within the Subscription where Citrix worker master images are maintained. Citrix and / or Desktop administrators should have full access, but the App registration does not need to modify the image.

Management ModelCitrix ManagedCustomer Managed
Azure RBAC RoleContributor
Inherited from Subscription		Virtual Machine Contributor
Azure

Complete this for both scenarios.

Step 3: Deploy Cloud Connectors to the Azure Subscription

Citrix Documentation - Citrix Cloud Connector

Step 4: Add an Azure Resource Location using an existing Azure App registration

If you have worked through the process of manually creating an App registration in Azure and properly assigning the permissions, this new App registration now needs to be added to Citrix Cloud as a Resource Location for capacity.

Within the Citrix Cloud management portal / Citrix Studio;

  1. Select Hosting

  2. Select “Add Connection and Resources”

    1. Select “Create a new Connection”

    2. Select the Azure hosting environment

    3. Select Next

  3. Select “Use existing”

  4. Copy and paste;

    1. Azure Subscription ID (where Citrix workers will be provisioned by Citrix Cloud)

    2. Active Directory ID (the Directory ID of the Azure Active Directory in which the App registration was defined)

    3. Application ID (of the App registration)

    4. Application secret (the Key)

  5. Enter a “Connection name”

  6. Select Next

  7. Select the Azure Region where Citrix workers will be provisioned

  8. Select Next

  9. Enter a Citrix Cloud name for this Azure Subscription and Region

  10. Select the Azure Virtual Network that Citrix Worker machines will be joined to

  11. Select the Azure Virtual Network Subnet that Citrix Worker machines will retrieve IP addresses from

  12. Select Next

  13. Select Finish

  1. Select the Half Circle connection menu in the top center of the browser

  2. Select the Clipboard

  3. Copy your Azure Subscription ID to the Clipboard

  4. Either; right click and paste or use CTRL + v to paste the clipboard contents to the remote clipboard

  5. Select the X to close the Session clipboard

  6. Select the field to paste the data to

  7. Either; right click and paste or use CTRL + v to paste the clipboard contents to the field