Citrix Provisioning on Microsoft Azure

This article explains how to move your Citrix Provisioning workloads to the Azure Cloud, using the same provisioning tools and policies as you use with on-premises hypervisors.

This functionality includes support for the Citrix Virtual Apps and Desktops Setup Wizard. You can integrate with Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) using the same tools that you already know. Installing Citrix Provisioning in your Azure subscription is the same as installing it in an on-premises provisioning farm.

Supported features

The following Citrix Provisioning features are supported when provisioning workloads in Azure:

  • UEFI boot of Generation 2 Azure VMs.

  • Streaming 64-bit Windows 10, Windows 11 (Standard Security Type only), and Windows Server 2016/2019/2022 target VMs.

  • The Citrix Virtual Apps and Desktops Setup wizard to provision target VMs and add them to Citrix DaaS catalog.

  • The import wizard lets you import manually provisioned VMs into the provisioning server.

  • The export wizard lets you create and update catalogs in Citrix DaaS from manually provisioned targets.

  • Create a master VM in Azure to act as the source of the virtual disk (vDisk) to be used by the provisioning server.

  • Create a vDisk from an Azure master VM and update it using either provisioning versioning, or reverse imaging.

  • Import an existing image to your Azure setup using the Citrix Image Portability Service. See Citrix IPS.

  • Power management of targets from Citrix DaaS, provisioning console, Azure Portal, and Azure APIs.

  • Azure SQL Database

  • Azure SQL Managed Instance

  • Active Directory support using one of the following:

    • Integrating with an on-premises forest by installing domain controller VMs in Azure and connecting them to the on-premises forest through an ExpressRoute connection. You can connect your on-premises AD infrastructure to your AAD tenant via the Microsoft AD Connect feature.

    • Implementing a standalone Active Directory domain in Azure by installing and configuring domain controller VMs in Azure.

    • Azure AD Domain Services can provide an AD environment that Citrix Provisioning can use. You can synchronize your on-premises forest with your Azure AD tenant using AD Connect to provide a fully integrated solution.

  • Create targets in specific availability zones. To do this:

    1. For each availability zone that the targets will use, create a template VM located in that zone.
    2. Run the Citrix Virtual Apps and Desktops Setup Wizard multiple times specifying each of those template VMs to create the required set of targets in each zone.

Limitations

The following features are not supported:

  • 32-bit operating systems.
  • Windows Server 2012 and earlier.
  • Secure boot and trusted launch are not currently supported.
  • PXE and ISO boot of master and target VMs, because Azure does not support them.
  • Generation 1 (BIOS) VMs. Only Generation 2 (UEFI) VMs are supported.
  • Streamed VM Setup Wizard.
  • vDisk Update Management.
  • Virtual Host Connection Wizard.
  • Auto-Add Wizard.
  • Printer management.
  • Write cache types:
    • Cache on device hard disk
    • Cache on device hard disk persisted
    • Cache in device RAM.

Consider the following Azure limitations:

  • No more than 2500 VMs can be created in a single subscription.
  • If you plan to use Azure File Services to provide storage for vDisks, you must create a Premium Storage Account.

This release has the following additional limitations:

  • The Citrix Provisioning API, which provides scripted access to the provisioning process, is not supported.
  • The Azure machine size used when creating the master VM must be compatible with that used when creating target VMs. Only Generation 2 VMs are supported. This includes the following:
    • Presence or absence of a temporary disk must be the same
    • Presence or absence of a GPU must be the same
  • Template VMs (VMs to be used as a template for creating targets) must exist in the region associated with Citrix DaaS hosting unit. Therefore, for this release you have to create a template VM in each region.
  • The Azure disks created for the boot and cache disks of target VMs are of type Standard SSD. Currently, this setting cannot be changed.
  • You cannot use templates with pay-as-you-go plan information.

Azure plan information

If you try to create vDisks from master VMs that have plan information, creation will fail with the following error message:

Azure plan information

Requirements

To use Citrix Provisioning on Azure you need the following:

  • System requirements for the on-premises version of the product.
  • License for this latest version of Citrix Provisioning.
  • A license server installed.
  • An Azure subscription.
  • Azure SQL Database, Azure SQL Managed Instance, or SQL Server or SQL Server Express on a VM installed in your subscription.
  • Citrix Virtual Apps and Desktops Cloud connector VMs installed in your Azure subscription. A separate resource location (set of Cloud Connectors) is required for each combination of subscription+region to be used.

You can license this functionality in one of the following ways:

  • If you have a full Citrix DaaS subscription, use the included Cloud Citrix Provisioning license.

You can install the license server on one of the Citrix Provisioning server VMs.

Architecture

This high-level architecture diagram shows the components that are either required or recommended to set up Citrix Provisioning on Azure.

Architecture: Citrix Provisioning on Azure

The following diagram focuses on the Citrix Provisioning Server itself, and related components:

Architecture: Citrix Provisioning Server on Azure

This section describes the main components.

Citrix Cloud

When using Citrix Provisioning on Azure, Citrix DaaS provides the following components:

  • Connection Broker
  • Connection Broker Catalogs that reference Citrix Provisioning Target VMs running on Azure.

The Citrix Provisioning Server does not manage power for Azure target VMs although targets can be manually turned on and off from the provisioning console. The Broker initiates power management by talking directly to Azure. As the VM boots, it streams the boot disk from the virtual disk maintained by the Citrix Provisioning Server.

Azure Active Directory Classic version

Citrix Provisioning on Azure supports “Classic” Active Directory only. You can make the classic Active Directory available on Azure in one of the ways described in Set up Active Directory.

SQL Server on Azure SQL

This release supports SQL Server, SQL Server Express, Azure SQL Database, and Azure SQL Managed Instance.

Supported authentication types

Citrix Provisioning on Azure supports additional authentication modes so that you can benefit from the features of Azure SQL Database and Azure SQL Managed Instance. Choose the authentication mode that best suits your needs.

Citrix Provisioning on Azure supports the following authentication modes:

  • Active Directory Integrated
  • SQL Server
  • Active Directory Password
  • Active Directory Service Principal
  • System-Supplied Managed Identity
  • User-Supplied Managed Identity

The following tables show the principal that each authentication mode grants access to, the credentials it requires, and the database platforms it supports.

Authentication mode | Grants access to | Required credentials | Note
--- | --- | --- | ---
Active Directory Integrated | Active Directory User | Nothing (uses the current login context) | Create the user name in the Active Directory if you do not want to use an existing one.
SQL Server | SQL Login | Login and Password | Create the SQL login on the database server if you do not want to use an existing one.
Active Directory Password | Active Directory User | Domain-Qualified User name and Password | Create the user name in the Active Directory if you do not want to use an existing one.
Active Directory Service Principal | Application | Name of Application ID, Application ID, Tenant ID, and Secret | Create the registered application in the Active Directory if you do not want to use an existing one. You can generate a new app secret for an existing registered application if you do not want to use an existing secret.
System-Supplied Managed Identity | Virtual Machine | Nothing (uses the current VM) |
User-Supplied Managed Identity | Virtual Machine | Managed Identity Name, Client ID, and Object ID |

Authentication mode | Database platform
--- | ---
Active Directory Integrated | SQL Server, Azure SQL Database, Azure SQL Managed Instance
SQL Server | SQL Server, Azure SQL Database, Azure SQL Managed Instance
Active Directory Password | Azure SQL Database, Azure SQL Managed Instance
Active Directory Service Principal | Azure SQL Database, Azure SQL Managed Instance
System-Supplied Managed Identity | Azure SQL Database, Azure SQL Managed Instance
User-Supplied Managed Identity | Azure SQL Database, Azure SQL Managed Instance
Other restrictions

  • Restrictions on Active Directory Integrated authentication:
    • With SQL Server: The Citrix Provisioning server must belong to a domain, the provisioning service user context must be a domain user, and Citrix Provisioning must be configured by a domain user.
    • With Azure SQL: Use this authentication mode with Azure SQL only from an enterprise domain federated to the Azure tenant domain. The Citrix Provisioning server virtual machine must belong to the enterprise domain, the provisioning service account user context must be an enterprise user, and Citrix Provisioning must be configured by an enterprise user. Setting up federated domains is a significant task. Use this option only if you have already done this. Otherwise, use Active Directory Password authentication.
  • Restrictions on System-Supplied Managed Identity authentication:
    • Enable the system assigned managed identity on the Citrix Provisioning server VM.
  • Restrictions on User-Supplied Managed Identity authentication:
    • Create a user assigned managed identity or select an existing one, and add that user assigned managed identity to the Citrix Provisioning server VM.
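The two managed identity restrictions above, as an added PowerShell example that is not part of the Citrix documentation. It attaches the identity the selected mode requires to the Citrix Provisioning server VM and reads back the values the configuration wizard asks for. It assumes the Az.Compute and Az.ManagedServiceIdentity modules with an active Connect-AzAccount session; the resource group, VM and identity names are placeholders.

```powershell
# Added example, not part of the Citrix documentation: attach the managed identity
# that the selected authentication mode requires to the Citrix Provisioning server VM,
# then read back the identifiers the configuration wizard asks for.
# Assumes Az.Compute and Az.ManagedServiceIdentity; names below are placeholders.
$Rg       = 'rg-pvs-PLACEHOLDER'
$VmName   = 'pvs-server-01'
$Mode     = 'SystemSupplied'      # or 'UserSupplied'
$UamiName = 'id-pvs-sql'          # only used when $Mode is 'UserSupplied'

$vm = Get-AzVM -ResourceGroupName $Rg -Name $VmName

switch ($Mode) {
    'SystemSupplied' {
        # System-Supplied Managed Identity: enable the system-assigned identity on the VM.
        # Use -IdentityType SystemAssignedUserAssigned instead if the VM must keep
        # user-assigned identities it already carries.
        Update-AzVM -ResourceGroupName $Rg -VM $vm -IdentityType SystemAssigned | Out-Null
        $vm = Get-AzVM -ResourceGroupName $Rg -Name $VmName    # re-read to see the identity
        if ($vm.Identity.Type -notmatch 'SystemAssigned') { throw "System-assigned identity not enabled on $VmName" }
        [pscustomobject]@{
            Mode         = 'System-Supplied Managed Identity'
            IdentityType = $vm.Identity.Type
            ObjectId     = $vm.Identity.PrincipalId   # the VM's own principal in Azure AD
        }
    }
    'UserSupplied' {
        # User-Supplied Managed Identity: select an existing identity and add it to the VM.
        $uami = Get-AzUserAssignedIdentity -ResourceGroupName $Rg -Name $UamiName
        Update-AzVM -ResourceGroupName $Rg -VM $vm -IdentityType UserAssigned -IdentityId $uami.Id | Out-Null
        $vm = Get-AzVM -ResourceGroupName $Rg -Name $VmName
        if (-not $vm.Identity.UserAssignedIdentities.ContainsKey($uami.Id)) { throw "$UamiName not attached to $VmName" }
        # These are the three values the wizard asks for with this mode
        # (Managed Identity Name, Client ID, Object ID).
        [pscustomobject]@{
            Mode                = 'User-Supplied Managed Identity'
            ManagedIdentityName = $uami.Name
            ClientId            = $uami.ClientId
            ObjectId            = $uami.PrincipalId
        }
    }
}
```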

Citrix Provisioning Server

You install the Citrix Provisioning Server on a server-class Azure VM, similar to on-premises deployments.

The usual processes for providing storage for vDisks apply:

  • You can use local storage on the server VM and manage replication of vDisks between servers yourself.

  • Use Azure Files to provide an SMB share that can be accessed from any server in the region. To host Azure Files, create a Premium Storage account. Azure Files is only supported for access in the same region as the provisioning server.

Tip:

The storage account must be premium.

  • Create a separate VM to act as a file server for sharing vDisks.

Target VMs boot using a small boot disk

The Citrix Provisioning Server and targets do not support either PXE or ISO boot, because they are not available on Azure. Instead, target VMs boot using a small boot disk, the BDM Boot Disk, which is about 20 MB and contains the Citrix Provisioning UEFI boot application.

Once the BDM app is running, it uses the Citrix Provisioning protocol to stream the virtual disk contents to the VM. The Citrix Virtual Apps and Desktops Setup Wizard can be used to create the BDM boot disk. If you want to manually provision target VMs, you can use the BDM.exe tool to create a VHD file. This file is the boot image, which can then be uploaded to Azure.

Provisioning of target VMs

The Citrix Virtual Apps and Desktops Setup Wizard can handle all the required steps for provisioning target VMs including:

  • Creation and upload of the boot disk including configuration of provisioning servers to contact.
  • Creation of Active Directory computer accounts, or import of existing computer accounts.
  • Creation of the target VM including the network connection, the boot disk, and Citrix Provisioning WBC disk to hold the cache.
  • Configuring the provisioned targets in the provisioning server database.
  • Initial boot and shutdown of the target VMs to enable the WBC disk to be formatted.
  • Creation of a Citrix Virtual Apps and Desktops catalog and adding the provisioned targets to it.

Citrix Provisioning master VM used to capture a virtual disk

The Citrix Provisioning master VM is used to capture a virtual disk. You create the VM manually on Azure where you install the Citrix Provisioning Target Driver package.

The mechanisms for this and the subsequent capture of a virtual disk from the master VM are essentially the same as for existing on-premises installations. There are some important points to note that are covered in the following sections.

Set up Citrix Provisioning on Azure

This section explains the pre-installation tasks, steps for creating a Citrix Provisioning collection with a set of targets streamed from your virtual disk, and links to the Azure docs to guide you.

To set up Azure provisioning, begin by configuring your provisioning server and other infrastructure on Azure. Using the Azure Resource Manager APIs and the instructions in this article, set up the components along the same lines as your current on-premises setup. You can create PowerShell scripts to automate the process.

Pre-installation tasks

Complete the following tasks before installing and configuring Citrix Provisioning.

Select and configure the database

Each Citrix Provisioning farm has a single database. You can provide the database on either:

  • A new or existing SQL Server or SQL Server Express Instance.
  • A new or existing Azure SQL Database server.
  • A new or existing Azure SQL Managed Instance.

All Citrix Provisioning servers in a farm must be able to communicate with the database server.

In a production environment, to avoid poor distribution during load balancing, best practice is to install the SQL Server or SQL Server Express instance and the Citrix Provisioning server component software on separate servers.

There are three ways to create the database:

  • Use the Configuration Wizard. To use this option, you need dbcreator permission.
  • If you do not have permission to create databases, use the DbScript.exe utility to create a SQL script that a database administrator can run to create the provisioning database. This utility is installed with the provisioning software.
  • If the database administrator creates an empty database by running the DbScript.exe utility, then this database is chosen as the database for the new farm when running the configuration wizard. The login used when running the Configuration Wizard must be the owner of the database. Also, this login must have the View any definition permission. The database administrator sets this permission when the empty database is created.

Run the DbScript.exe utility to create or update the database

If you do not have permission to create databases, use DbScript.exe to generate a SQL script for the database administrator to run to create or update the PVS database. Run the script from the Windows command prompt in C:\Program Files\Citrix\Provisioning Services.

To generate a script to create the database, use this syntax:

  • For SQL Server, SQL Server Express, or Azure SQL Managed Instance: DbScript.exe -new <databaseName> <farmName> <siteName> <collectionName> <farmAdminGroup> <adGroupsEnabled> <scriptName> <is2012orHigher>
  • For Azure SQL Database: DbScript.exe -newForAzSqlDb <databaseName> <farmName> <siteName> <collectionName> <farmAdminGroup> <adGroupsEnabled> <scriptName> <is2012orHigher>

When creating a new database for Azure SQL Database, DbScript produces two script files instead of one.

  • The first is run into the master database, and it creates the new database.
  • The second script is then run into the new database.

This is due to limitations of Azure SQL Database.

To generate the script to update the database, enter:

DbScript.exe -upgrade <databaseName> <scriptName>

The commands use these arguments:

  • <databaseName> — Name of the database to create or update.
  • <farmName> — Farm name for the new database.
  • <siteName> — Site name for the new database.
  • <collectionName> — Collection name for the new database.
  • <farmAdminGroup> — Farm administrator group, specified as a full path.

    Note:

    When you run the configuration wizard, you must be a member of this group (an Active Directory group) to add the PVS servers to the database.

  • <adGroupsEnabled> — Enable or disable AD groups, specified as Boolean, where true enables AD groups and false disables AD groups.
  • <scriptName> — Name of the script to generate, specified as a full path.
  • <is2012orHigher> — Deprecated. Always use true.

Configuration wizard user permissions

You must have the system privilege of a local administrator to run the configuration wizard.

The admin database principal is the database principal used by the configuration wizard to create and set up the provisioning database. The authentication credentials that you specify in the configuration wizard identify the database principal.

  • If you choose Active Directory Integrated authentication, the configuration wizard accesses the database as the user running the configuration wizard (an Active Directory user).
  • If you choose other authentication modes, then the configuration wizard accesses the database as a different principal.

See Supported authentication types for more information on selecting an admin database principal.

Note:

The database admin principal is only used while running the configuration wizard. It is not saved and not used by the Stream and SOAP services. You must use a principal with elevated privileges for Stream and SOAP services.

  • When using SQL Server or Azure SQL Managed Instance, the admin database principal requires the following permissions:

    • securityadmin for creating and updating server logins (when using SQL Server or Azure SQL Managed Instance)
    • db_owner for any existing database

    To create a database for a new farm, the admin database principal requires dbcreator as an additional permission.

  • When using Azure SQL Database, the admin database principal requires the following permissions:

    • loginmanager for creating and updating server logins (when using Azure SQL Database)
    • db_owner for any existing database

    To create a database for a new farm, the admin database principal requires dbmanager as an additional permission.

    loginmanager and dbmanager are special user roles that are assigned to users in the master database.
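The Azure SQL Database permissions listed above, as an added PowerShell example that is not part of the Citrix documentation: it creates the admin database principal as a contained Azure AD user, grants loginmanager and dbmanager in master and db_owner on an existing farm database, and then lists the roles the principal actually holds so you can confirm nothing broader was granted. It assumes the SqlServer and Az.Accounts modules and that the caller is the logical server's Azure AD admin; the server, database and principal names are placeholders.

```powershell
# Added example (not Citrix's own tooling): grant the admin database principal the
# permissions this section lists on Azure SQL Database, then verify role membership.
# Assumes the SqlServer and Az.Accounts modules and that the caller is the server's
# Azure AD admin. Names below are placeholders.
$Server    = 'pvs-sql-PLACEHOLDER.database.windows.net'   # logical server
$PvsDb     = 'ProvisioningServices'                        # existing farm DB; set '' for a new farm
$Principal = 'pvs-admin@contoso.example'                   # Azure AD user who runs the wizard

# Acquire an Azure AD token for Azure SQL. Newer Az.Accounts versions return a
# SecureString; Invoke-Sqlcmd -AccessToken needs the plain string.
$tok = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net/').Token
if ($tok -is [securestring]) { $tok = [System.Net.NetworkCredential]::new('', $tok).Password }

function Invoke-PvsSql([string]$Database, [string]$Query) {
    # $(Principal) is substituted by sqlcmd; the value comes from the admin, never from user input.
    Invoke-Sqlcmd -ServerInstance $Server -Database $Database -AccessToken $tok `
        -Query $Query -Variable "Principal=$Principal" -ErrorAction Stop
}

# master: loginmanager and dbmanager are special roles that exist only in master.
# dbmanager is needed only to create the database for a NEW farm.
Invoke-PvsSql -Database 'master' -Query @'
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = '$(Principal)')
    CREATE USER [$(Principal)] FROM EXTERNAL PROVIDER;
ALTER ROLE loginmanager ADD MEMBER [$(Principal)];
ALTER ROLE dbmanager   ADD MEMBER [$(Principal)];
'@

# Existing farm database: db_owner on that database only.
if ($PvsDb) {
    Invoke-PvsSql -Database $PvsDb -Query @'
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = '$(Principal)')
    CREATE USER [$(Principal)] FROM EXTERNAL PROVIDER;
ALTER ROLE db_owner ADD MEMBER [$(Principal)];
'@
}

# Verify: every role the principal holds, per database. Expect loginmanager and
# dbmanager in master and db_owner in the farm database, and nothing else.
$check = @'
SELECT DB_NAME() AS db, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = '$(Principal)';
'@
Invoke-PvsSql -Database 'master' -Query $check | Format-Table -AutoSize
if ($PvsDb) { Invoke-PvsSql -Database $PvsDb -Query $check | Format-Table -AutoSize }
```

Because the admin principal is used only while the configuration wizard runs, you can remove these role memberships again afterwards; the Stream and SOAP services use the separate service database principal.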

Service account permissions

The service account for the Stream and SOAP services must have the following system privileges:

  • Run as service
  • Registry read access
  • Access to Program Files\Citrix\Citrix Provisioning
  • Read and write access to any virtual disk location.

The service database principal is the database principal used by the services to access the provisioning database. The authentication credentials you specify in the configuration wizard identify the database principal to be used.

  • If you choose Active Directory Integrated authentication, the services access the database as the service account (an Active Directory user).
  • If you choose other authentication modes, then the services access the database as a different principal.

See Supported authentication types for more information on selecting a service database principal.

The configuration wizard will configure the database to ensure the service database principal has the following permissions.

  • db_datareader
  • db_datawriter
  • Run permissions on stored procedures

Enable a feature flag on your Azure subscriptions

Enable the ReserveMacOnCreateNic feature flag using the following PowerShell commands:

Register-AzProviderFeature -FeatureName ReserveMacOnCreateNic -ProviderNamespace Microsoft.Network
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
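Feature registration is asynchronous, so the two commands above return before the flag is usable. The following added PowerShell example (not part of the Citrix documentation) wraps them in a function that waits for the feature to reach the Registered state and then re-registers the provider; it assumes the Az.Resources module and an active Connect-AzAccount session on the subscription being prepared.

```powershell
# Added example (not part of the Citrix documentation): register the
# ReserveMacOnCreateNic feature, wait until Azure reports it Registered, and only
# then re-register the Microsoft.Network provider so the flag takes effect.
# Assumes Az.Resources and an active Connect-AzAccount session on the target subscription.
function Wait-PvsFeatureRegistration {
    param(
        [string]$FeatureName       = 'ReserveMacOnCreateNic',
        [string]$ProviderNamespace = 'Microsoft.Network',
        [int]$TimeoutMinutes       = 30
    )
    Register-AzProviderFeature -FeatureName $FeatureName -ProviderNamespace $ProviderNamespace | Out-Null

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $feature = Get-AzProviderFeature -FeatureName $FeatureName -ProviderNamespace $ProviderNamespace
        if ($feature.RegistrationState -eq 'Registered') { break }
        Write-Host "$ProviderNamespace/$FeatureName is $($feature.RegistrationState); waiting..."
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)

    if ($feature.RegistrationState -ne 'Registered') {
        throw "$FeatureName did not reach Registered within $TimeoutMinutes minutes (state: $($feature.RegistrationState))"
    }
    # Re-registering the provider is what makes the approved feature active in this subscription.
    Register-AzResourceProvider -ProviderNamespace $ProviderNamespace | Out-Null
    return $feature
}

# Run once per subscription that will host Citrix Provisioning targets.
Wait-PvsFeatureRegistration | Select-Object FeatureName, ProviderName, RegistrationState
```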
