Deployment Guide: Migrating Citrix Virtual Apps and Desktops on-premises to Citrix Cloud

Overview

In this deployment guide, you learn how to migrate an on-premises Citrix Virtual Apps and Desktops environment to Citrix DaaS in Citrix Cloud. The components that manage and control access to the environment move to Citrix Cloud. Having these components in Citrix Cloud offloads the effort of managing and updating them to Citrix. In Citrix Cloud, these components are deployed adhering to best practices and kept evergreen with the latest updates and security patches. Added benefits of the cloud include guaranteed uptime and flexible subscription options. The resources that host the sessions continue to run in their original resource location(s).

Audience

This guide is intended for Citrix administrators, technical professionals, IT decision-makers, partners, and consultants who are assessing migration strategies to move their customer-managed on-premises environment to Citrix DaaS on Citrix Cloud. The document is for users who are:

  • Familiar with the administration of a Citrix Virtual Apps and Desktops site.
  • Familiar with the administration of a StoreFront environment.
  • It’s also helpful if you understand how to deploy Citrix Gateway or NetScaler Gateway.

Typical existing architecture

The most typical architecture for an on-premises Citrix Virtual Apps and Desktops environment is:

Typical on-premises deployment

The existing setup gives users (internal or external) secure remote access, via StoreFront and Citrix Gateway, to the resources (virtual apps and desktops) hosted in the customer’s on-premises data center. The users access the setup via the Citrix Workspace app or a browser, from a device of their choice, using the Citrix Gateway URL. The customer’s Active Directory, application data, and user data all reside in the data center.

Desired state options after migration

The CTO of the company wants to have the Citrix management components moved to Citrix Cloud and be managed by Citrix. The workloads are to remain in the on-premises data center. Now the admin must decide where the access control components will reside after the migration.

There are 3 options available to the admins:

  1. Move the access layer to Citrix Cloud and utilize the Citrix Gateway service.

    The admin chooses this option when the customer is willing to fully realize the benefits of the Citrix Workspace. This would be an option if the Gateway was being used exclusively for the CVAD deployment.

    Migration to cloud with Citrix Gateway and Citrix Workspace in Citrix Cloud

  2. Retain the on-premises Citrix Gateway and utilize the Citrix Workspace service

    The admin chooses this option when the customer wants to extend the benefits of Citrix Workspace to their end users while retaining control of the Gateway, as it may be used for other services in the customer environment.

    Migration to cloud with on-premises Gateway and Citrix Workspace in Citrix Cloud

  3. Retain the existing on-premises Gateway and StoreFront combination

    The admin chooses this option if they want to keep control of both these components or if end users must continue to access the original Gateway URL to access their resources.

    Migration to cloud with on-premises Gateway and Citrix Workspace in Citrix Cloud

Migration methodologies

Once the admin decides the desired state after the migration from the options in the preceding section, they must choose which migration method to use:

  1. Using Automated Configuration tool

    The admin chooses this option when the Automated Configuration tool supports their environment. This approach simplifies the migration process.

  2. Manual

    The admin chooses this option if they are unable to use the tool, for example, when the existing environment is not on one of the LTSR releases or on one of the latest two Current Releases.

This guide covers the migration process based on the Automated Configuration tool.

Prerequisites and data to be collected before migration

As a pre-requisite, customers must ensure network connectivity so that the customer-hosted on-premises environments can communicate with Citrix Cloud. Refer to the Citrix documentation for complete requirements.

Pre-requisites for machines that host the Cloud Connectors

The Citrix Cloud Connectors act as the communication channel between the components hosted in Citrix Cloud and the components hosted in the resource location. The cloud connectors act as a proxy for the delivery controller in Citrix Cloud. To install Citrix Cloud Connectors in your environment, you require (at least two) Windows Server 2012 R2 or later server machines/VMs. You require static IPs for these machines. Windows installation and domain join of these machines must be done in advance. Ensure the host names of these machines help you to identify them and their location easily. The machines the Citrix Cloud Connectors run on must have network access to all the virtual machines that are to be made available to end users.

The system requirements for the Cloud Connectors are here.

Review the guidance on the cloud connector installation here.

Some requirements for Citrix Cloud Connector installation (installer performs checks for these) are:

  1. The Citrix Cloud Connector machine must have outbound Internet access on port 443, and port 80 to only *.digicert.com. The port 80 requirement is for X.509 certificate validation. See more info here.
  2. Microsoft .NET Framework 4.7.2 or later must be pre-installed on the machine.
  3. Time on the machine must be synced with UTC.

The Cloud Connector Connectivity Check Utility tool can be used to test the reachability of the Citrix Cloud and its related services.
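A pre-flight check of the three requirements listed above, as an added example (not Citrix code and not the Connectivity Check Utility). The function name, `ocsp.digicert.com` as the sample host under *.digicert.com, and `example.com` as the negative probe are assumptions; the Citrix Cloud host names have no default and come from the Citrix documentation.

```powershell
# Added example: pre-flight checks for a machine that will host a Cloud Connector.
function Test-CloudConnectorPrereq {
    param(
        [Parameter(Mandatory)][string[]]$CloudHost,    # HTTPS endpoints to reach on 443
        [string]$DigicertHost  = 'ocsp.digicert.com',  # one host under *.digicert.com
        [string]$OtherHttpHost = 'example.com'         # should NOT be reachable on port 80
    )
    # Returns $true when a direct TCP connection to host:port succeeds
    $probe = { param($h, $p)
        Test-NetConnection -ComputerName $h -Port $p -InformationLevel Quiet `
            -WarningAction SilentlyContinue }

    $checks = @()
    foreach ($h in $CloudHost) {
        $checks += [pscustomobject]@{ Check = "TCP 443 -> $h"; Pass = (& $probe $h 443) }
    }
    $checks += [pscustomobject]@{ Check = "TCP 80 -> $DigicertHost"
                                  Pass  = (& $probe $DigicertHost 80) }

    # Port 80 is meant to be open to *.digicert.com only, so this probe should fail
    $checks += [pscustomobject]@{ Check = "TCP 80 blocked -> $OtherHttpHost"
                                  Pass  = -not (& $probe $OtherHttpHost 80) }

    # .NET Framework 4.7.2 corresponds to a Release value of 461808 or higher
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
               -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{ Check = '.NET Framework >= 4.7.2'
                                  Pass  = ($ndp.Release -ge 461808) }

    # Time sync: Windows Time service running and not free-running on the local clock
    # (the strings matched below are the English w32tm output)
    $source = (& w32tm /query /source 2>$null | Out-String).Trim()
    $synced = ((Get-Service W32Time).Status -eq 'Running') -and $source -and
              ($source -notmatch 'Local CMOS Clock|Free-running System Clock')
    $checks += [pscustomobject]@{ Check = "Time source: $source"; Pass = [bool]$synced }

    $checks
}

# Usage (placeholder host name, replace with the endpoints Citrix documents):
# Test-CloudConnectorPrereq -CloudHost '<citrix-cloud-endpoint>' | Format-Table -AutoSize
```

Test-NetConnection opens direct TCP connections, so on a machine that reaches the Internet through a proxy these probes do not reflect the proxied path.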

Pre-requisites for Automated Configuration tool

The pre-requisites that are needed for the tool can be found here under the pre-requisites section.

Return to this doc once you have completed the steps in the Complete Pre-requisites for Exporting from on-premises site section.

The following data needs to be collected:

  • Hosting connections and respective credentials
  • Zone mappings
  • Active directory credentials
  • Authentication point and provider
  • StoreFront configurations
  • Citrix Gateway configuration for each site or data center
  • If you have a Citrix DaaS subscription, then use those credentials (skip to the Install Citrix Cloud Connectors section).
  • Otherwise, follow the steps below to create a new subscription.

Set up a basic Citrix Cloud Environment

  1. If the organization does not have one, create a new Citrix Cloud account by following the instructions in the Create Citrix Cloud Account and Request a Citrix DaaS Trial sections on this page. Continue with the next step once completed.

  2. Log in to the Citrix Cloud account and then invite one or more administrators to the Citrix Cloud account. Note: Even if other administrators in the organization have access to your Citrix account on Citrix.com, they still need to be invited to the Citrix Cloud account. To do this, from the Citrix Cloud management console, click the hamburger menu in the top left corner and select Identity and Access Management. For more information, see Add administrators to a Citrix Cloud account.

    Citrix Cloud - Identity and Access Management

Install Cloud Connectors in on-premises resource location(s)

  1. Log in to one of the machines that has been prepared for hosting the cloud connector as a local administrator over RDP.
  2. Open a browser and go to the URL: Citrix Cloud.
  3. Then follow the steps in the Create a Resource Location section of the guide, logging in as a full Citrix Cloud administrator.
  4. Repeat the steps for all the resource locations and Cloud Connectors in your environment.

Note: You can also install the Cloud Connector using the command line.

The installation of the Cloud Connectors registers your on-premises domain to Citrix Cloud under the Identity and Access Management section.

Active Directory association after Cloud Connector installation

Deploy Certificates for Cloud Connectors

If either on-premises StoreFront or Citrix ADCs are to be used after migration, then certificates are needed on the Cloud Connectors. The Cloud Connector runs the XML and the STA services on port 80 by default as these communications are typically internal. To configure encryption for these traffic types, certificates must be deployed on the Cloud Connectors and these two services must be bound to those certificates.


Both public and self-signed certificates can be used; the customer-hosted StoreFront and on-premises Citrix ADCs need to trust whichever certificate is deployed.

Enable TLS on Cloud Connectors to secure XML traffic

Refer to the Citrix Support article for detailed information on how to enable SSL on Cloud Connectors to secure the XML traffic. The XML Service is used for application and desktop resource enumeration, including handling user name and password data sent from StoreFront to the Cloud Connectors, so this traffic must be encrypted.
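Once the certificate is bound, the result can be verified from the StoreFront server itself, since that is the machine that has to trust it. The following is an added example, not Citrix code: the function name, the default port 443 and the sample host names are assumptions.

```powershell
# Added example: confirm each Cloud Connector answers over TLS 1.2 with a
# certificate that THIS machine trusts and that matches the FQDN used to reach it.
function Test-ConnectorTls {
    param(
        [Parameter(Mandatory)][string[]]$ConnectorFqdn,
        [int]$Port = 443,       # assumed HTTPS binding port
        [int]$WarnDays = 30     # flag certificates close to expiry
    )
    foreach ($fqdn in $ConnectorFqdn) {
        $r = [ordered]@{ Connector = $fqdn; Trusted = $false; Protocol = $null
                         Subject = $null; DaysLeft = $null; Issue = $null }
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            $tcp.Connect($fqdn, $Port)
            # No validation callback is supplied, so the default checks apply:
            # the chain must build to a trusted root and the name must match $fqdn.
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            $ssl.AuthenticateAsClient($fqdn, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                $ssl.RemoteCertificate)
            $r.Trusted  = $true
            $r.Protocol = $ssl.SslProtocol
            $r.Subject  = $cert.Subject
            $r.DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            if ($r.DaysLeft -lt $WarnDays) {
                $r.Issue = "certificate expires in $($r.DaysLeft) days"
            }
        } catch {
            # Untrusted chain, name mismatch, refused connection and so on land here
            $r.Issue = $_.Exception.GetBaseException().Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Close()
        }
        [pscustomobject]$r
    }
}

# Constructed host names; replace with the Cloud Connectors in your resource location.
# Test-ConnectorTls -ConnectorFqdn 'cc01.corp.example', 'cc02.corp.example'
```

A row with Trusted = False and a chain or name error in Issue means StoreFront would reject the same certificate when the store is switched to HTTPS.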

Note: Cloud Connectors cannot traverse domain-level trusts. If deploying resources in different domains, install Cloud Connectors in each user domain.

Migration Steps

Migration to cloud with Citrix Gateway and Citrix Workspace in Citrix Cloud

Once your Citrix DaaS trial / subscription has been activated, continue with the following steps:

As indicated in the migration methodologies section, the migration steps discussed in this guide use the Automated Configuration tool. Depending on whether the provisioning scheme of the Citrix on-premises environment is PVS or MCS, the procedure changes.

Follow the Automated Configuration tool steps from the section linked here.

Once the migration of the control layer is complete and verification is done, return here and continue with the following steps.

Migration steps - Configure machines running VDAs to register to the Cloud Connectors

Once the Automated Configuration tool has been run, the machines hosting resources (running VDAs) must be configured to register with the Cloud Connectors.

For the MCS and PVS based (Pooled and Server OS) machines

The ListOfDDCs registry key on the golden image / virtual disk must be updated.

Power on the golden image, open the Registry editor and navigate to the HKLM\Software\Citrix\VirtualDeliveryAgent key, and update the ListOfDDCs with the Cloud Connector host names in their respective resource locations.

Update ListOfDDCs registry key on VDAs

Shut down the machine running the golden image for MCS or virtual disk for PVS. Take a new snapshot and update the machine catalog with the new snapshot.
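One way to script the registry update on the golden image before it is shut down, as an added example (not Citrix code). The function name and sample host names are hypothetical, and writing the value as a space-separated string is an assumption that mirrors the delimiter the Controllers policy uses.

```powershell
# Added example: replace ListOfDDCs on a VDA with the Cloud Connector FQDNs.
# Run in an elevated session on the golden image / master VM.
function Set-VdaListOfDdcs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$ConnectorFqdn)

    $key = 'HKLM:\Software\Citrix\VirtualDeliveryAgent'
    if (-not (Test-Path $key)) { throw "VDA registry key not found: $key" }

    foreach ($fqdn in $ConnectorFqdn) {
        # Reject short names and typos before they end up in the image
        if ($fqdn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
            throw "Not a fully qualified name: $fqdn"
        }
        # Throws if the name does not resolve from this machine
        [void][System.Net.Dns]::GetHostEntry($fqdn)
    }

    $old = (Get-ItemProperty -Path $key -Name ListOfDDCs `
                -ErrorAction SilentlyContinue).ListOfDDCs
    # The old value is replaced, not appended to, so no on-premises
    # Delivery Controller stays in the list of brokers the VDA accepts.
    $new = ($ConnectorFqdn | Select-Object -Unique) -join ' '

    if ($PSCmdlet.ShouldProcess($key, "Set ListOfDDCs to '$new' (was '$old')")) {
        Set-ItemProperty -Path $key -Name ListOfDDCs -Value $new -Type String
    }
    # Read the value back so the change can be recorded with the new snapshot
    [pscustomobject]@{
        Previous = $old
        Current  = (Get-ItemProperty -Path $key).ListOfDDCs
    }
}

# Constructed host names; use -WhatIf first to preview the change.
# Set-VdaListOfDdcs -ConnectorFqdn 'cc01.corp.example', 'cc02.corp.example' -WhatIf
```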

For manual machine catalogs

For catalogs that don’t use either of the provisioning methods, AD Group Policy can be used to update the registry key.

Open the Group Policy Management Console and create a new GPO.

Edit the Policy, select Computer Configuration and then Citrix Policies. On the right pane, select New under Citrix Computer Policies.

Create a policy for ListOfDDCs registry key update

Name the Policy as VDA Migration and select the Controllers setting from the list and click Add to update.

Select Controllers setting

Enter the FQDN of the Cloud Connectors, with space as a delimiter.

Enter Cloud Connector FQDNs

Set the Enable auto update of Controller option to Allowed. This setting allows VDAs to update the list of controllers with newly added Cloud Connectors. Although auto-update is not used for initial registration, the auto-update downloads and stores the ListOfDDCs in a persistent cache on the VDA when initial registration occurs. This process is done on each resource machine running a VDA.

Enable Auto Update of Controllers

Refer to the VDA registration product documentation for additional details on how auto-update works and its exceptions.

On the Filters page, select the Delivery Group(s) on which this policy needs to be applied.

Select Delivery Group for filtering the policy

Check the Enable this policy check box and click Create to complete the policy creation.

Enable and create the policy

Increase the priority of the policy to apply the settings.

Increase the priority of the policy

Once the Group Policy setting is updated, the machines start to register with the Cloud Controllers.

Configuring the User Access layer

With everything ready, the access layer can now be configured using one of the three options discussed in the earlier sections:

  1. Adopting Citrix Workspace and Citrix Gateway service in Citrix Cloud.
  2. Adopting Citrix Workspace service while retaining on-premises Citrix Gateway.
  3. Retaining both on-premises StoreFront and Gateway.

User Access Layer - Citrix Workspace and Citrix Gateway service in Citrix Cloud

To configure access via the Citrix Workspace and Citrix Gateway services, navigate to Workspace Configuration from the hamburger menu on the top left of the Citrix Cloud console.

The Access tab shows the Workspace URL, which is ready for use by the end users. The first part of the workspace URL is customizable. You can change the URL from, for example, https://example.cloud.com to https://.cloud.com

Change Workspace URL

Enable connectivity using the Gateway service by clicking the ellipses for the desired resource location and selecting Configure Connectivity. (Perform this step and the following steps for each resource location that is being migrated).

Select the Gateway Service radio button and click Save.

Choose Gateway Service

The Authentication tab allows for configuration of the authentication mechanism. Choose the desired method.

Choose Authentication method

The Customize tab in Workspace Configuration allows you to customize the Workspace appearance and preferences.

Click the Service Integrations tab and ensure that the Virtual Apps and Desktops On-Premises Sites tile lists one or more sites and is Enabled.

Users can now log in to the Workspace URL that was configured to access the on-premises resources.

User Access Layer - Citrix Workspace service with on-premises Gateway

First the on-premises Gateway is configured to enable external access.

  1. Connect to the on-premises Citrix ADC from a browser and log in as an administrator. In the Integrate with Citrix Products section, click Virtual Apps and Desktops.

    Open Citrix ADC console

  2. Follow the wizard and provide the required details for FQDN and SSL Certificate for the configuration.

    Enter Gateway FQDN and SSL cert details

  3. Enter the Workspace URL in the StoreFront URL field. Click Retrieve Stores. Enter the Active Directory Domain in the Default Active Directory Domain text box. Enter the URLs of the Cloud Connectors as http:// or https:// (if SSL certificates are configured). Click Test STA Connectivity and ensure it passes.

    Enter StoreFront Details and test STA

  4. Complete the configuration of the Gateway; there is no need to provide Authentication and session policy details.

To configure access via the Citrix Workspace service, log in to Citrix Cloud and navigate to Workspace Configuration from the hamburger menu on the top left of the Citrix Cloud console.

The Access tab shows the Workspace URL, which is ready for use by the end users. The first part of the workspace URL is customizable. You can change the URL from, for example, https://example.cloud.com to https://.cloud.com

Change Workspace URL

Enable connectivity using the on-premises Gateway by clicking the ellipses for the desired resource location and selecting Configure Connectivity. (Perform this step and the following steps for each resource location that is being migrated).

Select the Traditional Gateway Service radio button and click Add.

Choose Traditional Gateway

Click Test STA to confirm connectivity to the Cloud Connector based STA services. Once it passes, click Save.

Test STA connectivity

If the test fails, check the binding of Citrix Cloud Connectors as Secure Ticket Authority (STA) servers to Citrix Gateway. For more information, see CTX232640.

The setup is now ready for users to connect via the configured Workspace URL.

User Access Layer - On-premises StoreFront and Gateway

The StoreFront servers need to communicate with Cloud Connectors for resource enumeration from Citrix Cloud. The Cloud Connectors are installed with SSL certificates to ensure that the XML and STA traffic is encrypted and secure.

Configure the store on the StoreFront servers with the Cloud Connectors. If you are creating a new store, add the Cloud Connectors on the Delivery Controllers page. If you are using the existing store, select the Manage Delivery Controllers option and update the FQDNs of the Cloud Connectors.

Update Cloud Connector FQDN in Controller field

Enable the Remote Access option to integrate the Store service with the on-premises Gateway to enable external access for this store.

Enable Remote Access

Configure the trusted domain for authentication and apply the customizations required as per the organization requirements. Access the StoreFront URL internally and verify the access.

For external access, we need to verify the Security Ticket Authority details. If they were not added in previous steps, add those details now.

Configure STA

Configure the CallBack URL if necessary and finish the StoreFront configuration.

Now configure the on-prem Gateway. Perform the first 3 steps in the on-premises Gateway configuration in the preceding section. Once done, return here and follow the remaining steps.

Configure the Active Directory Domain details for the authentication.

Add Active Directory Domain Details

Configure the Session Policies to complete the gateway configuration. Also, apply the necessary themes with the required customization.

Configure Session Policies

The on-premises StoreFront and Gateway configuration is now complete. The users can now seamlessly access their resources, as they did before the migration, using the StoreFront URL.

That completes the deployment guide to migrate an on-premises Citrix Virtual Apps and Desktops environment to the Citrix Cloud using Citrix DaaS.

Call to action

Request a trial of Citrix DaaS, click here.

Try the Automated Configuration tool, click here.

References

Citrix DaaS product documentation

Reference Architecture for Citrix DaaS

Cloud Connector connectivity requirements

Cloud Connector sizing guide

Cloud Connector Technical Details

Deployment scenarios for Cloud Connector with Active Directory domains

Cloud Connector installation

Citrix Cloud Identity and Access Management

Automated Configuration tool POC guide

Machine Catalog creation and types

Citrix Policies

Cloud Connector Updates

How to install SSL Certificate on Cloud Connectors