Guidelines for Migration from CVAD On-Prem to Citrix DaaS–Control Layer: Part 1

by Uddave Jajoo, Indianapolis CUGC Leader

Enterprises often hesitate to take the first step on their cloud journey. However, every enterprise eventually needs to take that step to benefit from SaaS offerings and optimize its infrastructure. There are several possible drivers for taking the first step, such as capacity constraints on-prem, lower operational overhead, less management of infrastructure servers, improved resiliency, and high availability.

In this blog, I would like to highlight some major configuration steps and challenges that were encountered while working on the Citrix Cloud DaaS migration from on-prem.

Control Layer: Part 1

  1. Requirements and Analysis
  2. Right Size CCs Infrastructure
  3. Configuring Cloud Connector Infrastructure

Requirements and Analysis

In this phase, customers need to focus on the licenses they must procure from Citrix, depending on their existing workloads and user base. Identify the user base and the types of resources published on-prem, and accordingly calculate the projected Opex and Capex cost of migrating to Citrix Cloud.
(Quick reference guide – https://www.citrix.com/products/citrix-daas/resources/cloud-migration-costs-calculator.html)

In case of multiple on-prem sites, please make sure to provision the cloud connector for each site pointing to a separate resource location. Cloud Connectors get configured within the resource location.

Right Size CCs Infrastructure

This is a very important milestone and consideration in your cloud journey, as all your workloads will now be brokering connections via Cloud Connectors. Cloud Connectors act as a proxy between the on-prem DC and Citrix Cloud (see Citrix Cloud Connector Technical Details).

The Cloud Connector links your workloads to Citrix DaaS in the following ways:

  • Provides a proxy for communication between your VDAs and Citrix DaaS
  • Provides a proxy for communication between Citrix DaaS and your Active Directory (AD) and hypervisors
  • In deployments that include StoreFront servers, the Cloud Connector serves as a temporary session broker during cloud outages, providing users with continued access to resources

It is important to have your Cloud Connectors properly sized and configured to meet your specific needs.
(Reference guide: Size and scale considerations for Cloud Connectors)

Determine the compute and memory resources for your Cloud Connector servers based on the number of users and the expected load. Citrix has published sizing guidance based on its internal testing. Identify the type of workloads (non-persistent/persistent) to find the number of users connected in a month.

Example: let’s say a customer needs to migrate a site hosting around 4,000+ persistent desktops (MCS) and 500+ non-persistent servers (PVS). The total user base is around 12,000+. How would you right-size the infrastructure?

Refer to the table and determine the size based on the number of servers and VDIs:

                         Medium                Large                  Maximum
  VDAs                   1000 VDI or 100 RDS   5000 VDI or 500 RDS    10,000 VDI or 1000 RDS
  Hosting connections    20                    40                     40
  CPUs for Connectors    4 vCPU                4 vCPU                 8 CPU
  Memory for Connectors  6 GB                  8 GB                   10 GB

CC Sizing

  • Finalize the compute and memory resources for Cloud Connectors.
  • Two Cloud Connectors are required for high availability. Citrix recommends using the N+1 redundancy model when deploying Cloud Connectors to maintain a highly available connection with Citrix Cloud.
  • Plan an N+2 configuration for your Cloud Connectors so that each resource location stays highly available during an outage. For HA scenarios, plan to increase Cloud Connector memory to 16 GB depending on the load.
  • Create multiple resource locations for different geographical regions. Each resource location would have its separate cloud connectors.

Configuring Cloud Connector Infrastructure

Requirements:

In initial deployments, if you grant access to published apps and resources via security groups, enumeration fails as described in the article Custom Domain User Groups Are Not Enumerating Applications in Citrix Cloud. Hence, add permissions for the Cloud Connector machine accounts on the users OU in AD, and add the computer accounts of all Cloud Connectors to the Windows Authorization Access Group (WAA).

Configure network connectivity from On-Prem Cloud Connector servers to Citrix Cloud:

Enable communication from the on-prem DCs to the Citrix Cloud service either through the proxy PAC file configuration (by updating the allowed category list on the proxy servers) or through the edge router firewalls within your DCs to Citrix Cloud services.

Below is the list of URLs that need to be added to the firewall allow list to communicate via TCP port 443:

https://*.citrixworkspacesapi.net - Provides access to Citrix Cloud APIs that the services use
https://*.cloud.com - Provides access to the Citrix Cloud sign-in interface
https://*.blob.core.windows.net - Provides access to Azure Blob Storage, which stores updates for Citrix Cloud Connector
*.*.nssvc.net
iwsprodeastusuniconacr.azurecr.io
iwsprodeastusuniconacr.eastus.data.azurecr.io
browser-release-a.azureedge.net
browser-release-b.azureedge.net
*.netscalergateway.net
*.citrixdata.com
citrix-cloud-content.customer.pendo.io
*.wem.cloud.com

Some miscellaneous URLs

Customers who can’t enable all sub-domains can use the following addresses instead:
https://cwsproduction.blob.core.windows.net
https://ccprodaps.blob.core.windows.net
https://ccprodeu.blob.core.windows.net

https://*.servicebus.windows.net - Provides access to Azure Service Bus, which is used for logging, the Active Directory agent and Machine Creation Services
https://[customerid].xendesktop.net - Where [customerid] is the customer ID parameter displayed on the Secure Clients tab (Identity and Access Management > API Access > Secure Clients) of the Citrix Cloud management console

HTTP port 80 must be open to *.digicert.com. This port is used during Cloud Connector installation and during periodic Certificate Revocation List checks.

The following addresses must be contactable:
http://*.digicert.com
https://*.digicert.com
https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt

List of URLs

Install Cloud Connector:

For an overview of how the Cloud Connector communicates with the service, refer to the Citrix DaaS diagram on the Citrix Tech Zone web site.

  1. Log on to the server where you want to install the Cloud Connector, open Server Manager, and select Local Server.
  2. Click on IE Enhanced Security Configuration.
  3. Change the IE Enhanced Security Configuration and set the Administrators option to Off.
  4. Click OK to confirm.
  5. Copy the installer (downloaded from the Citrix Cloud console) and the certificates to the local C drive.
  6. Open a command prompt and run the netsh and bitsadmin commands below if communication to Citrix Cloud is allowed directly through the firewall, bypassing the proxy (the quoted list in each command is the proxy bypass list).

    netsh winhttp set proxy <ProxyServerAddress>:9000 "<customerID>.xendesktop.net;*.citrixworkspacesapi.net;*.cloud.com;*.blob.core.windows.net;*.servicebus.windows.net;*.citrixnetworkapi.net;*.*.nssvc.net;iwsprodeastusuniconacr.azurecr.io;iwsprodeastusuniconacr.eastus.data.azurecr.io;browser-release-a.azureedge.net;browser-release-b.azureedge.net;*.netscalergateway.net;*.citrixdata.com;citrix-cloud-content.customer.pendo.io;*.wem.cloud.com;localhost;<AnyLocalIPAddressRanges>"

    C:\windows\System32\bitsadmin.exe /Util /SetIEProxy LocalSystem Manual_proxy http://<ProxyServerAddress>:9000 "<customerID>.xendesktop.net;*.citrixworkspacesapi.net;*.cloud.com;*.blob.core.windows.net;*.servicebus.windows.net;*.citrixnetworkapi.net;*.*.nssvc.net;iwsprodeastusuniconacr.azurecr.io;iwsprodeastusuniconacr.eastus.data.azurecr.io;browser-release-a.azureedge.net;browser-release-b.azureedge.net;*.netscalergateway.net;*.citrixdata.com;citrix-cloud-content.customer.pendo.io;*.wem.cloud.com;localhost;<AnyLocalIPAddressRanges>"

Certificate Install

1. Open the MMC certificate store on the Citrix Cloud Connector.
2. Make sure to select the computer account option when prompted by the Certificates snap-in.
3. Navigate to the downloaded root certificate (https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt).
4. Open the certificate and choose “Install Certificate…”
5. Ensure that the “Local Machine” option is targeted.
6. Validate that the root certificate shows up under the proper certificate store: Trusted Root Certification Authorities for the root certificate, Intermediate Certification Authorities for the intermediate certificate.
7. Navigate to the downloaded intermediate certificate (https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt).
8. Open the certificate and choose “Install Certificate…”
9. Ensure that the “Local Machine” option is targeted.

Instructions for Certificate Install
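The three prerequisites above (firewall allow list, DigiCert certificates in the machine stores, and WAA group membership) can be verified on the candidate server before the installer is run. The script below is an added example written for this post, not Citrix's own tooling; it assumes the RSAT ActiveDirectory module is installed, uses the concrete hostnames from the allow list because wildcard entries cannot be probed, matches certificates by the CN of the DigiCert files linked above, and uses <customerID> as a placeholder for the customer ID from the Secure Clients tab.

```powershell
# Added example (not from the original post): readiness checks for a Cloud Connector
# candidate server, run as an administrator before installing.
# Assumptions: RSAT ActiveDirectory module is installed; wildcard allow-list entries
# cannot be probed, so the concrete hosts named in the post stand in for them;
# certificate subjects are matched by the CN of the DigiCert files the post links.
$CustomerId = '<customerID>'   # placeholder: customer ID from the Secure Clients tab

function Show([bool]$Ok, [string]$Msg) {
    Write-Host ("{0,-8} {1}" -f ($(if ($Ok) { 'OK' } else { 'FAIL' })), $Msg)
}

# 1. TCP/443 to the Citrix Cloud, Azure and DigiCert endpoints; TCP/80 to DigiCert for CRL checks.
$Targets = @(
    @{ Host = "$CustomerId.xendesktop.net";            Port = 443 },
    @{ Host = 'cwsproduction.blob.core.windows.net';    Port = 443 },
    @{ Host = 'ccprodaps.blob.core.windows.net';        Port = 443 },
    @{ Host = 'ccprodeu.blob.core.windows.net';         Port = 443 },
    @{ Host = 'iwsprodeastusuniconacr.azurecr.io';      Port = 443 },
    @{ Host = 'browser-release-a.azureedge.net';        Port = 443 },
    @{ Host = 'browser-release-b.azureedge.net';        Port = 443 },
    @{ Host = 'citrix-cloud-content.customer.pendo.io'; Port = 443 },
    @{ Host = 'dl.cacerts.digicert.com';                Port = 443 },
    @{ Host = 'dl.cacerts.digicert.com';                Port = 80  }
)
foreach ($t in $Targets) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    Show $r.TcpTestSucceeded "TCP/$($t.Port) $($t.Host)"
}

# 2. DigiCert root and intermediates present in the LocalMachine stores (Root = Trusted
#    Root Certification Authorities, CA = Intermediate Certification Authorities).
$Certs = @(
    @{ Store = 'Root'; CN = 'DigiCert Assured ID Root CA' },
    @{ Store = 'CA';   CN = 'DigiCert SHA2 Assured ID Code Signing CA' },
    @{ Store = 'CA';   CN = 'DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1' }
)
foreach ($c in $Certs) {
    $hit = Get-ChildItem "Cert:\LocalMachine\$($c.Store)" |
           Where-Object { $_.Subject -like "CN=$($c.CN),*" }
    Show ([bool]$hit) "cert '$($c.CN)' in LocalMachine\$($c.Store)"
}

# 3. This computer account is a member of the Windows Authorization Access Group.
$groups = (Get-ADComputer -Identity $env:COMPUTERNAME -Properties MemberOf).MemberOf
Show ([bool]($groups -match '^CN=Windows Authorization Access Group,')) `
     "$env:COMPUTERNAME in Windows Authorization Access Group"
```

Any FAIL line points at the section above that still needs attention (firewall or proxy rule, certificate import, or AD group membership) before the installer is started.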

Citrix Cloud Connector Installation

From the Citrix Cloud console, navigate to Resource Locations, locate your resource location, click on the ID and copy the ID displayed.

From the Citrix Cloud console, navigate to Identity and Access Management – API Access – Secure Clients, and click on Create Client.

Type in a name and click on Create Client.


Copy the ID and Secret.
Copy also the ORG-ID under your name to a text file.

Create the installation JSON file (for example C:\cwcconnector_install_params.json), using straight quotes:
{
  "customerName": "xxxxxxxxxxx",
  "clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "clientSecret": "xxxxxxxxxxxxxxxxxxxxxxx",
  "resourceLocationId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "acceptTermsOfService": "true"
}
Open CMD with administrator privileges and run the installer with the following parameters:
Start /Wait CWCConnector.exe /ParametersFilePath:c:\cwcconnector_install_params.json
Cloud Connector Installation Command Line
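The parameters file holds the Secure Client secret in clear text, so in practice it should be created just before the install, readable only by administrators, and removed afterwards. The script below is an added example for this post (not Citrix's own installer wrapper); it assumes the installer was copied to C:\CWCConnector.exe, that the angle-bracket placeholders are replaced with the values copied from the Citrix Cloud console, and that a non-zero installer exit code means the install failed.

```powershell
# Added example (not from the original post): unattended install using the parameters
# file, keeping the Secure Client secret off the command line and removing the file
# afterwards. Assumptions: the installer was copied to C:\CWCConnector.exe, the
# placeholders are replaced with values from the Citrix Cloud console, and a non-zero
# installer exit code means the install failed.
$ParamFile = 'C:\cwcconnector_install_params.json'
$Secret    = Read-Host -Prompt 'Secure Client secret' -AsSecureString
$Bstr      = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
$Params = [ordered]@{
    customerName         = '<customerName>'      # customer ID (the ORG-ID copied from the console)
    clientId             = '<clientId>'
    clientSecret         = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
    resourceLocationId   = '<resourceLocationId>'
    acceptTermsOfService = 'true'
}
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

try {
    # ASCII avoids the UTF-8 BOM that Windows PowerShell would otherwise prepend.
    $Params | ConvertTo-Json | Set-Content -Path $ParamFile -Encoding ASCII
    # Limit who can read the file while it exists: SYSTEM and local Administrators only.
    icacls $ParamFile /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(R)' | Out-Null

    $proc = Start-Process -FilePath 'C:\CWCConnector.exe' `
                -ArgumentList "/ParametersFilePath:$ParamFile" -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "CWCConnector.exe exited with code $($proc.ExitCode); check the installer logs."
    }
    Write-Host 'Cloud Connector installed. Confirm it reports healthy under Resource Locations.'
}
finally {
    # The file holds the client secret in clear text, so remove it whether or not the install succeeded.
    Remove-Item -Path $ParamFile -Force -ErrorAction SilentlyContinue
}
```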


Manual Cloud Connector installation

1. Launch the installer with Run as administrator.
2. For a short period of time the Connectivity Test Successful window will be displayed.
3. Wait till it moves on to the Cloud Sign In window.
4. Sign in to Citrix Cloud with your Citrix credentials.
5. Enter Username and Password.
6. Click on Sign In.
7. Open your Authenticator App, type in the displayed Code, and click Verify.
8. Select the correct Resource Location and click Install.
9. The installation process starts.
10. When the installation is completed, the Testing Service Connectivity window appears and runs for a period of time (approx. 5 minutes).
11. If the Citrix Cloud connectivity test was successful, the Connectivity Test Successful window appears.
12. Click Close to finish the installation part.

Manual Cloud Connector Install


Manage Cloud Connector update schedules

To keep your Cloud Connectors performing optimally, securely, and reliably, manage the updates of your Cloud Connector software versions in a way that ensures at least one Cloud Connector is always available to maintain service for your organization.
From the Citrix Cloud console, navigate to Resource Locations, locate your resource location, click the ellipsis, and select Manage Resource Location.

Select Set a maintenance start time and choose any window during off hours based on local server time. Once done, click Confirm.


Updating Cloud Connectors in Resource location

Updates are scheduled and pushed out by Citrix directly to the Cloud Connectors. If, for whatever reason, updates are not being pushed down to the CCs and they show as update pending, follow the process below:

1. Remove the Cloud Connector from the resource location.
2. Uninstall the Cloud Connector components if they were not already removed by step 1.
3. Install the new Cloud Connector component and add it to the resource location.

Note: Citrix has introduced a new DigiCert certificate requirement; the certificate must be present on the Cloud Connector machine under Intermediate Certification Authorities (Citrix has not yet included this information in its Knowledge Center article).



Link: https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt

Considerations

  • Keep all Cloud Connectors powered on at all times to ensure connectivity to Citrix Cloud services.
  • Do not upgrade a previously installed Cloud Connector in place; instead, remove it from the resource location and install a new one.

Manage Resource Location

Reference Articles:

PoC Guide: Automated Configuration Tool | Citrix Tech Zone
Migrate configuration to Citrix Cloud
Migrate from on-premises to cloud

NEXT: Guidelines for Migration from CVAD On-Prem to Citrix DaaS – Control Layer: Part 2.


3 comments

  1. […] What happens if a cloud connector is restarted:
     1. If that Cloud Connector is not the elected broker, restart has no impact.
     2. If that broker is the elected broker, a different cloud connector will be elected, causing VDAs to register. After restart, it automatically takes over the brokering, which causes VDAs to register again.
     Note: Always schedule different maintenance windows on your cloud connectors; refer to the deployment guidelines highlighted in this post. […]
