Guidelines for Migration from CVAD On-Prem to Citrix DaaS–Control Layer: Part 1

by Uddave Jajoo, Indianapolis CUGC Leader

Enterprise does run into the situation where they would be reluctant to take first step towards their cloud journey. However, that journey needs to be taken by every enterprise to utilize the benefits from SaaS offerings and optimize their infrastructure. There are several possible drivers to take the first step on your journey to cloud, like capacity constraints on-prem, less operational overhead, less management of infrastructure servers, improved resiliency, and high availability.

In this blog, I would like to highlight some major configuration steps and challenges that were encountered while working on the Citrix Cloud DaaS migration from on-prem.

Control Layer: Part 1

  1. Requirements and Analysis
  2. Right Size CCs Infrastructure
  3. Configuring Cloud Connector Infrastructure

Requirements and Analysis

In this phase, customers would need to focus on the licenses they need to procure with the Citrix Enterprise depending on their existing workloads and user base. Identify the user base and type of resources published in on-prem, accordingly, calculate the projection for Opex and Capex cost while migrating to the Citrix Cloud.
(Quick reference guide – https://www.citrix.com/products/citrix-daas/resources/cloud-migration-costs-calculator.html)

In case of multiple on-prem sites, please make sure to provision the cloud connector for each site pointing to a separate resource location. Cloud Connectors get configured within the resource location.

Right Size CCs Infrastructure

This is a very important milestone and consideration in your cloud journey, as all your workloads would now be brokering connections via cloud connectors. Cloud connectors act as a proxy between on-prem DC and Citrix Cloud – (See Citrix Cloud Connector Technical Details)

The Cloud Connector links your workloads to Citrix DaaS in the following ways:

  • Provides a proxy for communication between your VDAs and Citrix DaaS
  • Provides a proxy for communication between Citrix DaaS and your Active Directory (AD) and hypervisors
  • In deployments that include StoreFront servers, the Cloud Connector serves as a temporary session broker during cloud outages, providing users with continued access to resources

It is important to have your Cloud Connectors properly sized and configured to meet your specific needs.
(Reference guide: Size and scale considerations for Cloud Connectors)

Determine the compute and memory resources for your cloud connector servers depending on the number of users and load consumption. Citrix has shared some mechanisms based on their testing internally. Identify the type of workloads (Non-Persistent/Persistent) to find the number of users connected in a month.

Example: Let’s say a customer needs to migrate the site hosting around 4,000+ persistent desktops (MCS), 500+ non-persistent servers (PVS). Total user base is around 12,000+. How you would right size the infrastructure?

Refer the table and determine based on the number of servers and VDIs

 MediumLargeMaximum
VDAs1000 VDI or 100 RDS5000 VDI or 500 RDS10,000 VDI or 1000 RDS
Hosting connections204040
CPUs for Connectors4 vCPU4 vCPU8 CPU
Memory for Connectors6 GB8 GB10 GB
CC Sizing

  • Finalize the compute and memory resources for Cloud Connectors.
  • Two Cloud Connectors are required for high availability. Citrix recommends using the N+1 redundancy model when deploying Cloud Connectors to maintain a highly available connection with Citrix Cloud.
  • Plan for N+2 configuration for your cloud connectors to ensure HA in terms of outage per resource location. In case of HA scenarios, please plan to increase the memory of Cloud connector to 16 GB depending on the load.
  • Create multiple resource locations for different geographical regions. Each resource location would have its separate cloud connectors.

Configuring Cloud Connector Infrastructure

Requirements:

In initial deployments, if trying to grant access to published apps and resources via security groups, the enumeration process would fail as mentioned in the article Custom Domain User Groups Are Not Enumerating Applications in citrix Cloud. Hence, add permissions for Cloud Connector Machine Accounts on users OU in AD. Add the computer accounts for all the cloud connectors to Windows Authorization Access group (WAA).

Configure network connectivity from On-Prem Cloud Connector servers to Citrix Cloud:

Enable communication from on-prem DCs to Citrix Cloud Service by proxy pac file configuration, by updating the allowed category list on proxy servers OR enable communication via Edge Router Firewalls within your DCs to Citrix Cloud Services.

Below is the list of URLs that need to be configured in the allow list on Firewall to communicate via TCP Port 443:

https://*.citrixworkspacesapi.net Provides access to Citrix Cloud APIs that the services use
https://*.cloud.comProvides access to the Citrix Cloud sign-in interface
https://*.blob.core.windows.netProvides access to Azure Blob Storage, which stores updates for Citrix Cloud Connector
*.*.nssvc.net
iwsprodeastusuniconacr.azurecr.io
iwsprodeastusuniconacr.eastus.data.azurecr.io
browser-release-a.azureedge.net
browser-release-b.azureedge.net
*.netscalergateway.net
*.citrixdata.com
citrix-cloud-content.customer.pendo.io
*.wem.cloud.com
Some miscellaneous URLs
Customers who can’t enable all sub-domains can use the following addresses instead:
https://cwsproduction.blob.core.windows.net
https://ccprodaps.blob.core.windows.net
https://ccprodeu.blob.core.windows.net
https://*.servicebus.windows.netProvides access to Azure Service Bus, which is used for logging, the Active Directory agent and Machine Creation Services
https://%5Bcustomerid%5D.xendesktop.netWhere [customerid] is the customer ID parameter displayed on the Secure Clients tab (Identity and Access Management > API Access > Secure Clients) of the Citrix Cloud management console
HTTP port 80 is open to *.digicert.com. This port is used during Cloud Connector installation and during periodic Certificate Revocation List checks.

The following addresses must be contactable:
http://*.digicert.com
https://*.digicert.com
https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
List of URLs

Install Cloud Connector:

For an overview of how the Cloud Connector communicates with the service, refer to the Citrix DaaS diagram on the Citrix Tech Zone web site.

  1. Logon to the server you would like to install the cloud connector and open the server manager, select Local Server.
  2. Click on IE Enhanced Security configuration.
  1. Change the IE Enhanced Security configuration and set the Administrators option to Off.
  1. Click OK to confirm
  2. Copy the installer (you have downloaded from the Citrix Cloud services) and the certificates to local C Drive
  1. Open a cmd-prompt and run netsh and bitsadmin commands below if communication is allowed directly via firewall and bypassing the proxy.

    netsh winhttp set proxy <ProxyServerAddress>:9000 "<customerID>.xendesktop.net;*.citrixworkspacesapi.net;*.cloud.com;*.blob.core.windows.net;*.servicebus.windows.net;*.citrixnetworkapi.net;*.*.nssvc.net;iwsprodeastusuniconacr.azurecr.io;iwsprodeastusuniconacr.eastus.data.azurecr.io;browser-release-a.azureedge.net;browser-release-b.azureedge.net;*.netscalergateway.net;*.citrixdata.com;citrix-cloud-content.customer.pendo.io;*.wem.cloud.com;localhost;<AnyLocalIPAddressRanges>"

    C:\windows\System32\bitsadmin.exe /Util /SetIEProxy LocalSystem Manual_proxy http://<ProxyServerAddress&gt;:9000 "<customerID>.xendesktop.net;*.citrixworkspacesapi.net;*.cloud.com;*.blob.core.windows.net;*.servicebus.windows.net;*.citrixnetworkapi.net;*.*.nssvc.net;iwsprodeastusuniconacr.azurecr.io;iwsprodeastusuniconacr.eastus.data.azurecr.io;browser-release-a.azureedge.net;browser-release-b.azureedge.net;*.netscalergateway.net;*.citrixdata.com;citrix-cloud-content.customer.pendo.io;*.wem.cloud.com;localhost;<AnyLocalIPAddressRanges>"

Certificate Install

1. Open the MMC certificate store on the Citrix Cloud Connector.
2. Make sure to select the computer account option when prompted by the Certificates snap-in.
3. Navigate to downloaded root certificate (https://dl.cacerts.digicert.com/DigiCertAssuredI DRootCA.crt).
4. Open the certificate and choose “Install Certificate…”
5. Ensure that the “local machine” option is targeted

6. Validate that the Root certificate shows up under the proper Certificate Store.

Trusted Root Certification Authorities
Intermediate Certification Authorities

7. Navigate to downloaded intermediate certificate (https://dl.cacerts.digicert.com/ DigiCertSHA2AssuredIDCodeSigningCA.crt).
8. Open the certificate and choose “Install Certificate…”
9. Ensure that the “local machine” option is targeted

Instructions for Certificate Install

Citrix Cloud Connector Installation

From the Citrix Cloud console, navigate to Resource Locations, locate your resource location, click on the ID and copy the ID displayed.

From the Citrix Cloud console, navigate to Identity and Access Management – API Access – Secure Clients, and click on Create Client.

Type in a name and click on Create Client.


Copy the ID and Secret.
Copy also the ORG-ID under your name to a text file.

Create the installation JSON-File
{
“customerName”: “xxxxxxxxxxx”,
“clientId”: ” xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”,
“clientSecret”: “xxxxxxxxxxxxxxxxxxxxxxx”,
“resourceLocationId”: “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”,
“acceptTermsOfService”: “true”
}
Open CMD with administrator privilege.
Run the installer with the following parameters.
Start /Wait CWCConnector.exe /ParametersFilePath: c:\cwcconnector_install_params.json
Cloud Connector Installation Command Line

                                                   

Manual Cloud Connector installation

1.       Launch the installer with Run as administrator.


2.       For a short period of time the Connectivity Test Successful window will be displayed.
3.       Wait till it moves on to the Cloud Sign In window.



Adding it to the Cloud service –  Cloud Connector installation
4.       Sign into the Citrix Cloud with your Citrix credentials



5.       Enter Username and Password.
6.       Click on Sign In.



7.       Open your Authenticator App and type in the displayed Code and click Verify.



8.       Select the correct Resource Location and click Install.



9.       The installation process starts.



10.    When the installation is completed, the Testing Service Connectivity window appears and will run for a period of time (approx. 5 minutes).



11.    If the Citrix Cloud Connectivity was successful, the Connectivity Test Successful window appears.
12.    Click Close to finish the installation part.

Manual Cloud Connector Install

                                                               

Manage Cloud Connector update schedules

To keep your Cloud Connectors performing optimally, secure, and reliably, manage the updates of your Cloud Connector software versions and do so in a way that there will always be one Cloud Connector available to maintain service for your organization.
From the Citrix Cloud console, navigate to Resource Locations, locate your resource location, click the ellipsis, and select Manage Resource Location.  

Select Set a maintenance start time and choose any window during off hours based on local server time. Once done, click Confirm.

Manage Resource Location

Reference Articles:

PoC Guide: Automated Configuration Tool | Citrix Tech Zone
Migrate configuration to Citrix Cloud
Migrate from on-premises to cloud

NEXT: Guidelines for Migration from CVAD on Prem to Citrix DAAS – Control Layer: Part 2.

Are you a CUGC member? Join for FREE today!

2 comments

Leave a Reply