August 24, 2022 Author:  Mayank SinghSpecial thanks:  Vivekananthan Devaraj, Martin Zugec, Allen Furmanski, Harsh Gupta, Nitin Mehta, Victor Cataluna, steve Beals

Deployment Guide: Migrating Citrix Virtual Apps and Desktops on-premises to Citrix Cloud

Overview

In this deployment guide, you learn how to migrate an on-premises Citrix Virtual Apps and Desktops environment to Citrix DaaS in Citrix Cloud. The components that manage and control access to the environment move to Citrix Cloud. Having these components in Citrix Cloud, offloads the effort of managing and updating these components to Citrix. In Citrix Cloud, these components are deployed adhering to best practices and kept evergreen with the latest updates and security patches. Added benefits of the cloud include guaranteed uptime and flexible subscription options. The resources that host the sessions continue to run in their original resource location(s).

Audience

This guide is intended for Citrix administrators, technical professionals, IT decision-makers, partners, and consultants who are assessing migration strategies to move their customer managed on-premises environment to Citrix DaaS on Citrix Cloud. The document is for users who are

• Familiar with the administration of a Citrix Virtual Apps and Desktops or XenApp and XenDesktop site.
• Familiar with the administration of a StoreFront environment.
• It’s also helpful if you understand how to deploy Citrix Gateway or NetScaler Gateway.

Typical existing architecture

The most typical architecture for an on-premises Citrix Virtual Apps and Desktops environment is:

The existing setup enables secure remote access to the resources (virtual apps and desktops) hosted in the customer’s on-premises data center to their users (internal or external) via a StoreFront and Citrix Gateway. The users access the setup via the Citrix Workspace app or a browser, from a device of their choice, using the Citrix Gateway URL. The customer’s Active Directory, application data, and use data all reside in the data center.

Desired state options after migration

The CTO of the company wants to have the Citrix management components moved to Citrix Cloud and be managed by Citrix. The workloads are to remain in the on-premises data center.Now the admin must decide where the access control components will reside after the migration.

There are 3 options available to the admins:

1. Move the access layer to Citrix Cloud and utilize the Citrix Gateway service.

   The admin chooses this option when the customer is willing to fully realize the benefits of the Citrix Workspace. This would be an option if the Gateway was being used exclusively for the CVAD deployment.

   
   

2. Retain the on-premises Citrix Gateway and utilize the Citrix Workspace service

   The admin chooses this option when the customer wants to extend the benefits of Citrix Workspace to their end users while retaining control of the Gateway, as it may be used for other services in the customer environment.

   
   

3. Retain the existing on-premises Gateway and StoreFront combination

   The admin chooses this option if they want to keep control of both these components or if end users must continue to access the original Gateway URL to access their resources.

   
   

Migration methodologies

Once the admin decides the desired state after the migration from the options in the preceding section, they must choose which migration method to use:

1. Using Automated Configuration tool

   The admin chooses this option, when the Automated Configuration tool supports their environment. This approach simplifies the migration process.

2. Manual

   The admin chooses this option if they are unable to use the tool, for example, when the existing environment is not on one of the LTSR releases or on one of the latest two Current Releases.

In this guide we are looking into the Automated Configuration tool based migration process.

Prerequisites and data to be collected before migration

As a pre-requisite, customers must ensure the network connectivity to establish communication from the customer hosted on-premises environments to Citrix Cloud. Refer to the Citrix documentation
for complete requirements.

Pre-requisites for machines that host the Cloud Connectors

The Citrix Cloud Connectors act as the communication channel between the components hosted in Citrix Cloud and the components hosted in the resource location. The cloud connectors act as a proxy for the delivery controller in Citrix Cloud. To install Citrix Cloud Connectors in your environment, you require (at least two) Windows Server 2012 R2 or later server machines/VMs. You require static IPs for these machines. Windows installation and domain join of these machines must be done in advance. Ensure the host names of these machines help you to identify them and their location easily. The machines the Citrix Cloud Connectors run on must have network access to all the virtual machines that are to be made available to end users.

The system requirements for the Cloud Connectors are here
.

Review the guidance on the cloud connector installation here
.

Some requirements for Citrix Cloud Connector installation (installer performs checks for these) are:

1. The Citrix Cloud Connector machine must have outbound Internet access on port 443, and port 80 to only *.digicert.com. The port 80 requirement is for X.509 certificate validation. See more info here
   .
2. Microsoft .NET Framework 4.7.2 or later must be pre-installed on the machine.
3. Time on the machine must be synced with UTC.

The Cloud Connector Connectivity Check Utility
tool can be used to test the reachability of the Citrix Cloud and its related services.

Pre-requisites for Automated Configuration tool

The pre-requisites that are needed for the tool can be found here
under the pre-requisites section.

Return to this doc once you have completed the steps in the Complete Pre-requisites for Exporting from on-premises site section.

The following data needs to be collected:

• Hosting connections and respective credentials
• Zone mappings
• Active directory credentials
• Authentication point and provider
• StoreFront configurations
• Citrix Gateway configuration for each site or data center
• If you have a Citrix DaaS subscription, then use those credentials (skip to the Install Citrix Cloud Connectors
  section).
• Else follow the below steps to create a new subscription.

Set up a basic Citrix Cloud Environment

1. If the organization, does not have one, create a new Citrix Cloud account, by following the instructions in the Create Citrix Cloud Account and Request a Citrix DaaS Trial sections on this page
   . Continue with the next step once completed.

2. Log in to the Citrix Cloud account and then invite one or more administrators to the Citrix Cloud account. Note: Even if other administrators in the organization have access to your Citrix account on Citrix.com, they still need to be invited to the Citrix Cloud account. To do this, from the Citrix Cloud management console, click the hamburger menu in the top left corner and select Identity and Access Management. For more information, see Add administrators to a Citrix Cloud account
   .

   

Install Cloud Connectors in on-premises resource location(s)

1. Log in to one of the machines that has been prepared for hosting the cloud connector as a local administrator over RDP.
2. Open a browser and go to the URL: Citrix Cloud
   .
3. The follow the steps in the Create a Resource Location section of this guide
   , login as a full Citrix Cloud administrator.
4. Repeat the steps for all the resource locations and Cloud Connectors in your environment.

Note: You can also install the Cloud Connector using the command line
.

The installation of the Cloud Connectors registers your on-premises domain to Citrix Cloud under the Identity and Access Management section.

Deploy Certificates for Cloud Connectors

If either on-premises StoreFront or Citrix ADCs are to be used after migration, then certificates are needed on the Cloud Connectors. The Cloud Connector runs the XML and the STA services on port 80 by default as these communications are typically INTERNAL. To configure encryption for these traffic types, certificates must be deployed on the Cloud Connectors and these two services must be bound to those certificates.

Both public and self-signed certificates can be used as the customer-hosted StoreFront and on-premises Citrix ADCs need to trust the certificates.

Enable TLS on Cloud Connectors to secure XML traffic

Refer to the Citrix Support article
for detailed information on how to enable SSL on Cloud Connectors to secure the XML traffic. The XML Service is used for application and desktop resource enumeration including handling user name and password data from StoreFront to Cloud Connectors, therefore, it must be encrypted.

Note: Cloud Connectors cannot traverse domain-level trusts. If deploying resources in different domains, install Cloud Connectors in each user domain.

Migration Steps

Once your Citrix DaaS trial / subscription has been activated continue with the following steps:

As indicated in the migration methodologies section, the migration steps discussed in this guide use the Automated Configuration tool. Depending on whether the provisioning scheme of the Citrix on-premises environment is PVS or MCS, the procedure changes.

Follow the steps in the Automated Configuration tool steps from the section linked here
.

Once the migration of the control layer is complete and verification is done, return here and continue with the following steps.

Migration steps - Configure machines running VDAs to register to the Cloud Connectors

Once the Automated Configuration tool has been run, then the machines hosting resources (running VDAs) must be configured to register with the Cloud Connectors.

For the MCS and PVS based machines (Pooled and Server OS) machines

The ListOfDDCs registry key on the golden image / virtual disk must be updated.

Power on the golden image, open the Registry editor and navigate to HKLM\Software\Citrix\VirtualDeliveryAgent key, and update the ListOfDDCs with Cloud Connector host names in their respective resource locations.

Shut down the machine running the golden image for MCS or virtual disk for PVS. Take a new snapshot and update the machine catalog with the new snapshot.

For manual machine catalogs

For catalogs that don’t use either of the provisioning methods, AD Group Policy can be used to update the registry key.

Open the Group Policy Management Console and create a new GPO.

Edit the Policy, select Computer Configuration and then Citrix Policies. On the right pane, select New under Citrix Computer Policies.

Name the Policy as VDA Migration and select the Controllers setting from the list and click Add to update.

Enter the FQDN of the Cloud Connectors, with space as a delimiter.

Set the Enable auto update of Controller option to Allowed. This setting allows VDAs to update the list of controllers with newly added Cloud Connectors. Although auto-update is not used for initial registration, the auto-update downloads and stores the ListOfDDCs in a persistent cache on the VDA when initial registration occurs. This process is done on each resource machine running a VDA.

Refer to the VDA registration product documentation
for additional details on how auto-update works and its exceptions.

On the Filters page, select the Delivery Group(s) on which this policy needs to be applied.

Check the Enable this policy check box and click Create to complete the policy creation.

Increase the priority of the policy to apply the settings.

Once the Group Policy setting is updated, the machines start to register with the Cloud Controllers.

Configuring the User Access layer

With everything ready the configuration of the access layer can be performed. One of the three options discussed in the earlier sections are possible.

1. Adopting Citrix Workspace and Citrix Gateway service in Citrix Cloud.
2. Adopting Citrix Workspace service while retaining on-premises Citrix Gateway.
3. Retaining both on-premises StoreFront and Gateway.

User Access Layer - Citrix Workspace and Citrix Gateway service in Citrix Cloud

To configure access via the Citrix Workspace and Citrix Gateway services navigate to Workspace Configuration from the hamburger menu on the top left of the Citrix Cloud console.

The Access tab shows the Workspace URL which is ready to use by the end-users. The first part of the workspace URL is customizable. You can change the URL from, for example, https://example.cloud.com to https://<desired_URL>.cloud.com

Enable connectivity using the Gateway service by clicking the ellipses for the desired resource location and selecting Configure Connectivity. (Perform this step and the following steps for each resource location that is being migrated).

Select Gateway Service radio button and click Save.

The Authentication tab allows for configuration of the authentication mechanism. Choose the desired method.

The Customize tab in Workspace Configuration allows you to customize the Workspace appearance and preferences.

Click Service Integrations tab, ensure that the Virtual Apps and Desktops On-Premises Sites tile lists one or more sites and is Enabled.

Users can now login to the Workspace URL that was configured and login to the Workspace for accessing the on-premises resources.

User Access Layer - Citrix Workspace service with on-premises Gateway

First the on-premises Gateway is configured to enable external access.

1. Connect to the on-premises Citrix ADC from a browser and login as an administrator. In the Integrate with Citrix Products section, click XenApp and XenDesktop.

   
   

2. Follow the wizard and provide the required details for FQDN and SSL Certificate for the configuration.

   
   

3. Enter Workspace URL in the StoreFront URL field. Click Retrieve Stores. Enter the Active Directory Domain in the Default Active Directory Domain text box. Enter the URLs of the Cloud Connectors as http://<cloudconnector.FQDN> or https://<cloudconnector.FQDN> (if SSL certificates are configured). Click Test STA Connectivity, ensure it passes.

   

4. Complete the configuration of the Gateway, no need to provide Authentication and session policy details.

To configure access via the Citrix Workspace service, login to Citrix Cloud and navigate to Workspace Configuration from the hamburger menu on the top left of the Citrix Cloud console.

The Access tab shows the Workspace URL which is ready to use by the end-users. The first part of the workspace URL is customizable. You can change the URL from, for example, https://example.cloud.com to https://<desired_URL>.cloud.com

Enable connectivity using the on-premises Gateway by clicking the ellipses for the desired resource location and selecting Configure Connectivity. (Perform this step and the following steps for each resource location that is being migrated).

Select Traditional Gateway Service radio button and click Add.

Click Test STA to confirm connectivity to the Cloud Connector based STA services. Once it passes. Click Save.

If the test fails, check the binding of Citrix Cloud Connectors as Secure Ticket Authority (STA) servers to Citrix Gateway. For more information, see CTX232640
.

The setup is now ready for users to connect via the configured Workspace URL.

User Access Layer - On-premises StoreFront and Gateway

The StoreFront servers need to communicate with Cloud Connectors for resource enumeration from Citrix Cloud. The Cloud Connectors are installed with SSL certificates to ensure that the XML and STA traffic is encrypted and secure.

Configure the store on StoreFront Servers with Cloud Connectors. If you are creating a new store add the Cloud Connectors on the Delivery Controllers page. If you are using the existing store, select the Manage Delivery Controllers option and update the FQDNs of the Cloud Connectors.

Enable the Remote Access option to integrate the Store service with the on-premises Gateway to enable external access for this store.

Configure the trusted domain for authentication and apply the customizations required as per the organization requirements. Access the StoreFront URL internally and verify the access.

For external access, we need to verify the Security Ticket Authority details. If not added in previous steps add those details now.

Configure the CallBack URL if necessary and finish the StoreFront configuration.

Now configure the on-prem Gateway. Perform the first 3 steps in the on-premises Gateway configuration in the preceding section
. Once done, return here and follow the remaining steps.

Configure the Active Directory Domain details for the authentication.

Configure the Session Policies to complete the gateway configuration. Also, apply the necessary themes with the required customization.

On-premises StoreFront and Gateway configuration are successfully completed. The users can now seamlessly access their resources as they used to before the migration using the StoreFront URL.

That completes the deployment guide to migrate an on-premises Citrix Virtual Apps and Desktops environemnt to the Citrix Cloud using Citrix DaaS.

Call to action

Request a trial of Citrix DaaS, click here
.

Try the Automated Configuration tool, click here
.

References

Citrix DaaS product documentation

Reference Architecture for Citrix DaaS

Cloud Connector connectivity requirements

Cloud Connector sizing guide

Cloud Connector Technical Details

Deployment scenarios for Cloud Connector with Active Directory domains

Cloud Connector installation

Citrix Cloud Identity and Access Management

Automated Configuration tool POC guide

Machine Catalog creation and types

Citrix Policies

Cloud Connector Updates

How to install SSL Certificate on Cloud Connectors