
Citrix Cloud

May 10, 2017


https://docs.citrix.com 1999-2017 Citrix Systems, Inc. All rights reserved. p.1


Citrix Cloud Overview
Jan 26, 2017

What's New

Service Level Goals


XenApp and XenDesktop Service Level Goal

ShareFile Service Level Goal

XenMobile Service Level Goal

Lifecycle Management Service Level Goal

About Citrix Cloud


What Are Resource locations?

What Are Notifications?

What Is Identity and Access Management?

Assigning users and groups to service offerings using Library

Setting Up StoreFront with Citrix Cloud

Secure Deployment Guide for Citrix Cloud

Third Party Notifications

Service Trials

System Requirements

Known Issues (under construction)

Get Started with Citrix Cloud

How to Get Help and Support

Citrix Cloud Connector


Technical Details

XenApp and XenDesktop Service


About the XenApp and XenDesktop Service

Getting Started with the XenApp and XenDesktop Service

Configuring Provisioning

Configure VDAs



XenApp and XenDesktop Remote PowerShell SDK

Technical Security Overview for the XenApp and XenDesktop Service in Citrix Cloud

On-premises Resource Reference Architecture (PDF)

New Customer Reference Architecture (PDF)

NetScaler VPX Deployment Guides

Lifecycle Management

XenMobile Service

ShareFile

Secure Browser Service

License Usage Insights Service

Secure Deployment Guides


Citrix Cloud Secure Deployment Guide

XenApp and XenDesktop Service Technical Security Overview

Lifecycle Management Technical Security Overview

ShareFile Setup Guide



What's New
Nov 03, 2016
This document is a compilation of notable updates to Citrix Cloud (formerly: Citrix Workspace Cloud) and the services on the
platform.

October 31, 2016

Secure Browser Service


End users can now navigate back or forward within the web app using the local browser navigation controls.
Administrators can enable printing for each published app. In a printing-enabled Secure Browser session, end users can
print web app content to their local printer via the HTML5 Receiver's PDF printing feature.

October 3, 2016

NetScaler Gateway Service


Introducing the NetScaler Gateway Service. The NetScaler Gateway Service is an optional add-on for the Virtual
Desktops, Virtual Apps and Desktops and Integrated Apps and Data Suite Packages providing all subscribers of the
XenApp and XenDesktop Service with a high-definition (HDX) user experience on any device. NetScaler Gateway Service
offers a completely secure remote access to a customer's Citrix virtual apps and desktops infrastructure without any need
for network changes on the on-premises data center. By using NetScaler Gateway Service, a customer has the added
security advantage that client-side connections do not hit the customer data center directly but always come through
Citrix Cloud which acts as a software-defined perimeter. NetScaler Gateway Service on Citrix Cloud platform will be
automatically provisioned and completely managed by Citrix.

Citrix Cloud
Citrix Provisioning for Microsoft Office 365

Introducing the Citrix Provisioning for Microsoft Office 365 Service, now available in Labs. Citrix Provisioning for
Microsoft Office 365 in Citrix Cloud enables IT administrators to assign Office 365 subscription licenses alongside other
Citrix apps and services within Citrix Cloud. The result is simplified user management and centralized control from a single
console. Citrix Provisioning for Microsoft Office 365 also provides license verification and usage data to optimize
management and thus help minimize unused licenses.

September 29, 2016

ShareFile



We are working towards a better integration with ShareFile. As a first step in reducing initial confusion with data allocation,
we've decided to remove all ShareFile service offerings from workspaces. You won't be able to add ShareFile to workspaces,
and any instances that currently exist in your workspaces will be removed. In some cases where the only offering in a
workspace was ShareFile, the entire workspace will be removed.

The good news is that this has no impact on your end-users' access to their data, and you can continue using the ShareFile
service to provision secure data exactly as you do today.

September 19, 2016

Lifecycle Management
Support for Citrix CloudPlatform deprecated -- New resource locations running Citrix CloudPlatform can no longer be
added to Lifecycle Management. For existing CloudPlatform resource locations, the following functions continue to
be supported:

Modify server details


Create, deploy, and share custom blueprints that are compatible with CloudPlatform resource locations.
Deploy existing Citrix blueprints that are compatible with CloudPlatform resource locations.

On-demand update sync -- The list of updates for a registered XenApp and XenDesktop site can be refreshed when
needed by clicking Sync Site Data on the Site Details tab. Previously, the updates list was refreshed only once per day with
no option to refresh on-demand.

Snapshots added to Update task details -- When installing scheduled updates that include taking a snapshot of the
machine beforehand, Lifecycle Management includes a "Create Snapshot" step in the Task Installation Details for the
update task.

Secure Browser Service


App Switcher button in Receiver toolbar helps easily switch between popup windows
Updated HTML5 receiver
Ability to enable or disable clipboard functionality for each published web app
Improved in-session performance for internal published web apps
Added PDF viewer plugin for IE 11 published web apps
Fixed session window sizing issue for sessions launched from Safari browser

July 25, 2016

Citrix Cloud Labs


Session Manager

Session Manager improves application launch performance by pre-launching anonymous sessions when using the XenApp
and XenDesktop service.



July 11, 2016

Secure Browser Service


Additional VDA workload locations now include South East Asia and West Europe.

June 13, 2016

Lifecycle Management
Updates to XenApp and XenDesktop Proof of Concept blueprints

With Lifecycle Management's collection of XenApp and XenDesktop Proof of Concept blueprints, many customers have
created their own basic XenApp and XenDesktop deployments while learning more about the potential for Lifecycle
Management. Now, these blueprints have been updated so customers have even more deployment options:

Support for XenApp and XenDesktop 7.9 -- Customers can now deploy a XenApp and XenDesktop proof of concept with
XenApp and XenDesktop 7.9 by default.
Support for Microsoft Azure -- The Simple XenApp and XenDesktop Proof of Concept blueprint now includes support for
resource locations using Microsoft Azure, as well as Amazon Web Services.
Auto-registration for Smart Scale and Updates -- New sites that are deployed with these blueprints are automatically
registered with Lifecycle Management so customers can use them with Smart Scale and Update features. After
deployment, these sites appear automatically on the Smart Scale and Upgrades & Updates pages of Lifecycle
Management. Customers don't have to manually add their sites and can start scaling or perusing available updates right
away.

New XenApp and XenDesktop Service blueprint replaces Apps and Desktops service blueprint

Previously, Workspace Cloud customers learned how Lifecycle Management could help them deploy a resource location
using the Apps and Desktops Resource Location Setup blueprint. In the new era of Citrix Cloud, Lifecycle Management is
once again helping customers using the XenApp and XenDesktop service to rapidly deploy new resource locations with
minimal configuration. With the XenApp and XenDesktop Service Resource Location Setup blueprint, customers can:

Set up a Citrix Cloud resource location on Microsoft Azure, or Amazon Web Services.
Deploy a domain controller, two Cloud Connectors, NetScaler VPX appliance, and NetScaler Gateway.
Add optional components such as StoreFront and VDA machines configured for RDS desktops or Server VDI.

May 30, 2016

Citrix Cloud
Silent Cloud Connector Installation

Silent or automated installation of the Citrix Cloud Connector using Group Policy or other deployment systems is now
supported. See Citrix Cloud Connector Technical Details for required silent install parameters.



May 16, 2016

Citrix Cloud
Workspace Cloud is now Citrix Cloud, and a number of services have been renamed for clarity. There are no functionality
or feature changes accompanying these name changes.

Apps and Desktop Service is now the XenApp and XenDesktop Service
Mobility Management Service is now the XenMobile Service
Secure Documents Service is now ShareFile

Updated Trial Expiration Experience

For services that support trial expiration, customers will be informed when trials are approaching their end, both in email and
in the console.

Lifecycle Management
Smart Scale

Manage XenApp and XenDesktop delivery group capacity with Smart Scale. For more information, go to
http://manage-docs.citrix.com/entries/108446523-What-s-new.

May 2, 2016

Workspace Cloud
Performance Enhancements for Administrative Tasks

Multiple pages within the Workspace Cloud platform were targeted for sub-second load times, making the administrator
experience more delightful. Specific targeted enhancements can be seen in the following areas:

The logon page
The Workspace pages, including Details and Adding/Removing services
The Domains page
The Account Settings and Company Information page

April 18, 2016

Workspace Cloud
Citrix Launch for Microsoft Access

A new service now available in Labs. It allows customers to host, share, and collaborate on Microsoft Access databases
(heavily used in the SMB market) within Workspace Cloud. Microsoft Access is not offered as part of Office 365 for
customers, which currently limits the ability to collaborate on Access databases.

Enhancements to connector installation

The Workspace Cloud Connector installation currently provides the ability to test for a core set of external URLs that
will allow the connector to download the services needed to operate. This functionality has been extended to validate
that the services downloaded can operate fully, as they might have additional requirements for connectivity.

March 21, 2016

Secure Browser
Workspace and internal web app support

The Secure Browser service now enables admins to give users remote access to internally-hosted web apps. In addition,
these apps are now able to be configured and subscribed to as part of a Workspace Cloud workspace.

Additional Features:

External Web-app support with IE 11, Chrome, Flash and Silverlight (General availability)
Session Pre-launch to speed up session launches
Internal web apps with Chrome browser (available in Preview)
Watermarking for internal web app sessions (available in Preview)
Improved first time user experience
Trial enforcement for internal and external web app trials
Basic metering of service usage

February 22, 2016

Secure Browser (New)


Secure Browser service trial is now available

Deliver secure, remote access to web and SaaS applications with zero end point configuration. Administrators pre-define
the web browser and plug-ins they need to securely access the web application and users access them via a simple URL.
The app is launched from the cloud and opens up a Receiver for HTML5 session inside the user's preferred browser,
adding an extra layer of security between your corporate network and the end point.
Learn more here.

Lifecycle Management
Enhanced blueprint designer

The workflow for designing blueprints has been improved:



Added File upload parameter type to the list of supported blueprint input parameters. You can upload a file during
blueprint deployment.
Added Boolean parameter type to the list of supported blueprint input parameters.
To see screenshots for these improvements, go here.

Enhanced blueprint deployment flow

The workflow for deploying blueprints has been improved:

Added capability to acquire EC2 Elastic IP during VM configuration on Amazon EC2 resource locations.
Improved blueprint deployment flow on Amazon EC2 to validate NAT instance status and Security Group before
deployment.
Improved blueprint deployment flow on Microsoft Azure to validate VM configuration before deployment.
Added capability to copy VM configuration data from one server tier to another during multi-server blueprint
deployments on Microsoft Azure resource locations.
Added capability to remove the Running and Stopped deployments from view (Lifecycle Management UI).
Improved blueprint deployment flow to cancel a paused deployment.
To see screenshots for these improvements, go here.

Enhanced REST API support

REST APIs have been added for the following tasks:

Configuring monitor alerts


Sharing a blueprint or script
Unsharing a blueprint or script

February 8, 2016

Workspace Cloud
Improved Connector installation experience

The Workspace Cloud Connector installation now performs connectivity checks to ensure that data is being
communicated correctly. During installation, the customer will be informed if critical addresses are being blocked by
proxies, firewalls, etc.

Enhanced workspace management

If a service in use is inadvertently deleted from a workspace, the platform will notify the administrator of the condition
and let them know how they can fix the problem.

January 25, 2016

Workspace Cloud
Ability to see trial waitlist status



Now, when an administrator requests a trial, they will be able to see where in the trial approval process they are currently
at for a particular service. They will also be asked a few questions that will help expedite the process.

Improved ability to request access to a customer account

A new administrator can now be on-boarded to an existing customer account by requesting access during the sign-up
process. Existing administrators will quickly receive an email letting them know that someone would like to be added.
When they go to the Identity and Access Management page in the console, they'll see the new admin's name at the
top. All they need to do is click Approve next to their name.

Improved domain management experience

The console UI for managing domains has been revamped. It is now clearer, more informative, and more useful. Domains
can be marked as currently being in use or not, in addition to being added or removed altogether. Domains now show
resource location information and which workspaces have subscribers from the domain.

Citrix Insights Services (New)


Citrix Insight Services is now integrated with the Workspace Cloud notification framework to provide customer value through
notifications, rich diagnostic reports, and best practice recommendations.

January 11, 2016

Workspace Cloud
Ability to provide feedback in the console

Workspace Cloud administrators can now quickly and easily provide feedback about the Workspace Cloud platform or
any cloud service by using a drop-down widget, accessible from the navigation bar in the console.

Lifecycle Management
Enhanced blueprint designer

The workflow for designing blueprints has been improved:

Added capability to refer and specify resource location information of a server tier in a conditional step during blueprint
design. The resource location information can be used to evaluate conditions during blueprint deployment.
Added capability to refer Microsoft Azure virtual network ID and subnet of a server tier.
Improved blueprint designer to allow step outputs as input values in Velocity Template Language (VTL) expressions that
run before or after a script.

Enhanced blueprint deployment flow

The workflow for deploying blueprints has been improved:

Improved resource location and architecture flows for blueprint deployment.



Improved blueprint deployment flow on Amazon EC2 to validate VM network before deployment.
Improved VM configuration wizard on Amazon EC2 and Microsoft Azure to allow or restrict Lifecycle Management
agent installation.
Improved the Add New Alert and Edit Alert pages to configure alert jobs on Windows machines that require user
impersonation, such as a domain user or local user.

December 14, 2015

Workspace Cloud
Performance Improvements

Improved quality of Test Drive and performance upgrade for Workspace Cloud Connector and domains.

Apps and Desktops


New Features

Proactive Notification and Alert in Director


Initial support for provisioning server
Blueprints to create Apps and Desktops service resource location
Citrix AppDisk technology preview now available. Request access to this feature in the Support Forum.

Lifecycle Management
Agent packages have been updated:

Linux: Name and installation commands of the Lifecycle Management agent package have been updated for achieving
consistency across the supported Linux operating systems. You can download the agent package, transfer it to the
machine you want to use as a connector, and run the following commands:

sudo chmod u+x citrix-lifecycle-management-agent.bin

sudo ./citrix-lifecycle-management-agent.bin

Windows: The file name of the Lifecycle Management agent package has been updated
from CitrixLifeCycleManagementAgent.msi to CitrixLifeCycleManagementAgent.exe.

Enable or disable email notifications

Option to enable or disable email notifications has been provided for the following:

Server registration and unregistration


Blueprint deployment status
Script deployment status

Enhanced blueprint designer



The workflow for designing blueprints has been improved:

Added built-in utility steps to register or unregister DNS subdomains with the public DNS domain of Lifecycle
Management.
Removed the Password Reference parameter.
Improved the Password parameter to allow an input value or a string reference.
Improved the parameter reference functionality to allow the following:
The Enumerate, IP, and URL parameters configured in a step can be referred as inputs to subsequent steps of a
blueprint.
An AWS VPC ID configured on a server tier can be referred as an input to subsequent steps of a blueprint.
Improved the Enumerate parameter to validate a list of different data types. For example, the Enumerate parameter
can validate strings, integers, float, and mixed as input values and allow the first value in the list as a default value.
Improved the Server step to include the Create VPC and Subnets option for EC2 Recommended config for network.

Enhanced blueprint deployment flow

The workflow for deploying blueprints has been improved:

Added capability to copy VM configuration data from one server tier to another during multi-server blueprint
deployments on Amazon EC2 resource locations.
Improved configuration input parameters layout to include labels and field descriptions.
Improved usability of multi-server deployments on Microsoft Azure. Added capability to create network, cloud service,
and storage account during VM configuration.
Improved deployment step output with troubleshooting tips in case of Server or Reboot step failures.
Added capability to auto-fill the blueprint name as the default deployment name.
Improved usability to display the status of a deployment in the Deployment Details page after you
click Deploy. The Deployment Details page includes the real-time progress of each step in your blueprint. In previous
releases, when you click Deploy, the deployments list was displayed in the Manage page.

Added REST API support for deployment profiles

REST APIs have been added for the following tasks:

Create a deployment profile


Update an existing deployment profile
Retrieve details of an existing deployment profile
List all the deployment profiles associated with a blueprint
Deploy a blueprint using an existing deployment profile
Delete an existing deployment profile

November 30, 2015

Workspace Cloud
Performance Improvements

Several notable performance enhancements have been made:



Improved API response
Improvements to better handle customer switching related to slow connections
Faster UI load time
Reduction in workspace enumeration time by more than 60%

October 15, 2015

Lifecycle Management
Option to retry a failed VM deployment

Server step supports manual retry if configured to pause on failure.

Enhanced blueprint design and viewing experience

The blueprint designer user experience has been improved:

Improved blueprint loading experience in the blueprint designer.


Blueprint authors can choose to display specific input parameters in the Architecture Option screen.
Supports in-product notification when a blueprint is updated in the Blueprint Catalog.

Enhanced resource location support

The workflow for adding and managing resource locations has been improved:

XenServer: Uses Windows Management Instrumentation (WMI) for automatic agent installation on Windows VMs if a
Windows machine acts as a connector.

Important: If you are using a Windows machine as a connector, ensure that Windows Management Instrumentation
(WMI) and inbound connections on TCP port 135 (DCOM port) are enabled on your Windows VM template. This enables
Lifecycle Management to install the Lifecycle Management Agent on the machines that are provisioned from the VM
template. If WMI inbound rules are not enabled on your Windows VM template, you cannot deploy Windows VMs on your
XenServer resource location using Lifecycle Management. For more information, see Prepare Windows Server VM
templates on Citrix XenServer.

Azure: Supports upload and usage of multiple Azure subscription certificates.


Amazon EC2: Leverages EC2 NAT instance if VPC is created within Amazon EC2.

Enhanced deployment flow

The workflow for deploying blueprints has been improved:

Supports deployment creation with the same name as a deleted deployment.


Supports removal of a deployment profile.



About Citrix Cloud
May 25, 2016
Citrix Cloud is a platform that hosts and administers Citrix services. It connects to your resources, via the Citrix Cloud
Connector, on any cloud or infrastructure you choose. It allows you to create, manage, and deploy workspaces with apps
and data to your end-users from a single console.

Learn more about Citrix Cloud

What are Resource Locations?

What is Identity and Access Management?

What are Notifications?

Citrix Cloud Video Playlist

This section provides general information about Citrix Cloud that you should read before getting started.

To see third-party notifications for Citrix Cloud and its services, see Third Party Notifications.
For information on the known issues for the Citrix Cloud platform, see Known Issues.
For the system requirements for the Citrix Cloud platform, see System Requirements.
For information about new features and enhancements for each release, see What's New.



Third Party Notifications
Aug 29, 2016
Citrix Cloud Third Party Notifications (PDF)
XenApp and XenDesktop Third Party Notifications (PDF)
Citrix Lifecycle Management Third Party Notifications
Citrix ShareFile Sync for Mac Third Party Notices (PDF)
Citrix ShareFile Sync for Windows Third Party Notices (PDF)
Secure Browser Service (PDF)
Session Manager Service (PDF)
XenMobile Cloud Third Party Notifications (PDF)



Known Issues
Feb 10, 2017

Citrix Cloud

When the Connector is installed on the same machine as domain controller, there can be timing issues: In certain cases,
the Agent Service starts before the Domain Service. If that happens the Connector cannot talk to domains. To work
around this issue, provide a delayed start for Agent Service.
Administrators are logged out of Citrix Cloud after an hour: If you are logged out of Citrix Cloud, log back in to continue
using Citrix Cloud.
Login fails if the administrator page has been idle for 30 minutes: Entering your Citrix credentials on the administrator
login page will fail if the page has remained idle for over 30 minutes. Simply reload the page and login again with your
credentials.

Citrix Cloud's interface appears blank in Internet Explorer (see above image). The main content of the Citrix Cloud
interface occasionally does not load in Internet Explorer 11 on Windows Server 8.2 (also noted on Windows 7 and
Windows Server 2012). This can occur when an administrator runs a system cleanup tool (such as CCleaner). There may be
other actions that also cause this behavior. Take the following steps to correct the problem:

As administrator, run the following command under the user's profile:

icacls %userprofile%\Appdata\LocalLow /t /setintegritylevel (OI)(CI)L

If the command does not fix the problem, check registry value CachePath for
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\DOMStore. It should be
%USERPROFILE%\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore. Set the value to "LocalLow".

If the above registry key does not exist, create the key and copy the same values
from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible
Cache\DOMStore, and then set the CachePath as stated above, which points to the LowCache folder instead of the
Cache folder.

For an in-depth discussion of this solution, visit Microsoft Forums.
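
The checks from the workaround above, as an added read-only audit script (not part of the Citrix documentation and not Microsoft code). It assumes an English-language Windows, because it matches the label text that icacls prints, and it must run in the affected user's session; the function names are hypothetical.

```powershell
# Added example: read-only audit of the settings the workaround touches.
# It changes nothing. HKCU and %USERPROFILE% are per-user, so run it as the
# user whose Internet Explorer shows the blank page.

$ExpectedCachePath = '%USERPROFILE%\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore'
$IeSettings  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0'
$LowCacheKey = "$IeSettings\LowCache\Extensible Cache\DOMStore"
$CacheKey    = "$IeSettings\Cache\Extensible Cache\DOMStore"

function Get-RawCachePath {
    # Returns the CachePath value without expanding %USERPROFILE%,
    # or $null when the key or the value does not exist.
    param([Parameter(Mandatory)][string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $key = Get-Item -LiteralPath $KeyPath
    return $key.GetValue('CachePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

function Test-SamePath {
    # Compares two paths after expanding environment variables, so a value
    # stored as C:\Users\<name>\... matches the %USERPROFILE% form.
    param([string]$A, [string]$B)
    if ([string]::IsNullOrWhiteSpace($A) -or [string]::IsNullOrWhiteSpace($B)) {
        return $false
    }
    $ea = [Environment]::ExpandEnvironmentVariables($A).TrimEnd('\')
    $eb = [Environment]::ExpandEnvironmentVariables($B).TrimEnd('\')
    return $ea -ieq $eb
}

function Test-LowIntegrityLabel {
    # icacls lists "Mandatory Label\Low Mandatory Level" for a folder that
    # carries an explicit Low integrity label (English label text assumed).
    param([Parameter(Mandatory)][string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder)) { return $false }
    $out = (& icacls.exe $Folder 2>&1 | Out-String)
    return ($LASTEXITCODE -eq 0) -and ($out -match 'Low Mandatory Level')
}

$localLow = Join-Path $env:USERPROFILE 'AppData\LocalLow'
$rawLow   = Get-RawCachePath -KeyPath $LowCacheKey

$report = [pscustomobject]@{
    LocalLowFolder      = $localLow
    LowIntegrityLabel   = Test-LowIntegrityLabel -Folder $localLow
    LowCacheKeyExists   = Test-Path -LiteralPath $LowCacheKey
    LowCachePathRaw     = $rawLow
    LowCachePathCorrect = Test-SamePath -A $rawLow -B $ExpectedCachePath
    CacheKeyExists      = Test-Path -LiteralPath $CacheKey
    CachePathRaw        = Get-RawCachePath -KeyPath $CacheKey
}
$report | Format-List

# Map the findings back to the steps of the workaround.
if (-not $report.LowIntegrityLabel) {
    'LocalLow has no Low integrity label: the icacls step applies.'
}
if (-not $report.LowCacheKeyExists) {
    'LowCache\...\DOMStore key is missing: create it from the Cache key values.'
}
elseif (-not $report.LowCachePathCorrect) {
    'CachePath under LowCache does not point at the LocalLow DOMStore folder.'
}
if ($report.LowIntegrityLabel -and $report.LowCachePathCorrect) {
    'Both settings match the documented state.'
}
```

Running it before and after the workaround shows which of the steps actually changed the profile.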



XenApp and XenDesktop Service
If the administrator page has been idle for 30 minutes, an Invalid Configuration message is displayed: Page must
be refreshed and credentials might need to be reentered. [28278]

During first time use, Studio does not launch: When clicking on Manage, the page starts to load, but a spinner appears
and never resolves. Refresh the page and Studio will launch.

Images don't load properly in Microsoft Edge browser: There is a browser caching issue in Edge that causes images to
not render correctly. Clear the cache (Ctrl+F5) and the images will load.

Data retrieval error when opening Monitor page: When selecting Monitor to open Director, a warning, Cannot retrieve
the data, occurs. Refresh the page and Director will load. [26080]

Ad blocking extensions cause problems: Citrix Cloud management pages misbehave due to ad blockers. Turn off ad
blocking software and extensions if any issues arise. [0581850]

MCS for all hypervisors across multi-site and multiple data centers is not currently supported.

Saved Custom Report queries in Director are not available after a Cloud upgrade. [DNA-23420]
Test Drive

Citrix Cloud's interface appears blank in Internet Explorer (see above image). The main content of the Citrix Cloud interface
occasionally does not load in Internet Explorer 11 on Windows Server 8.2 (also noted on Windows 7 and Windows Server
2012). This can occur when an administrator runs a system cleanup tool (such as CCleaner). There may be other actions that
also cause this behavior. Take the following steps to correct the problem:

As administrator, run the following command under the user's profile:

icacls %userprofile%\Appdata\LocalLow /t /setintegritylevel (OI)(CI)L

If the command does not fix the problem, check registry value CachePath for
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\DOMStore. It should be
%USERPROFILE%\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore. Set the value to "LocalLow".



If the above registry key does not exist, create the key and copy the same values
from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible
Cache\DOMStore, and then set the CachePath as stated above, which points to the LowCache folder instead of the
Cache folder.

For an in-depth discussion of this solution, visit Microsoft Forums.

Can't copy clipboard from local session to remote HTML 5 Studio session: You cannot copy content from Notepad,
for instance, directly into HTML 5 Studio. Any information you need to enter will need to be manually typed into Studio.

Administrators are logged out of Citrix Cloud after an hour: If you are logged out of Citrix Cloud, log back in to
continue using Citrix Cloud.

Login fails if the administrator page has been idle for 30 minutes: Entering your Citrix credentials on the administrator
login page will fail if the page has remained idle for over 30 minutes. Simply reload the page and login again with your
credentials.



Known Issues (Test Drive)
May 25, 2016
Can't copy clipboard from local session to remote HTML 5 Studio session: You cannot copy content from Notepad, for
instance, directly into HTML 5 Studio. Any information you need to enter will need to be manually typed into Studio.

Administrators are logged out of Citrix Cloud after an hour: If you are logged out of Citrix Cloud, log back in to continue
using Citrix Cloud.

Login fails if the administrator page has been idle for 30 minutes: Entering your Citrix credentials on the administrator login
page will fail if the page has remained idle for over 30 minutes. Simply reload the page and login again with your credentials.

Citrix Cloud's interface appears blank in Internet Explorer. The main content of the Citrix Cloud interface occasionally does
not load in Internet Explorer 11 on Windows Server 8.2 (also noted on Windows 7 and Windows Server 2012). This can occur
when an administrator runs a system cleanup tool (such as CCleaner). There may be other actions that also cause this
behavior. Take the following steps to correct the problem:

As administrator, run the following command under the user's profile:

icacls %userprofile%\Appdata\LocalLow /t /setintegritylevel (OI)(CI)L

If the command does not fix the problem, check registry value CachePath for
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\DOMStore. It should be
%USERPROFILE%\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore. Set the value to "LocalLow".

If the above registry key does not exist, create the key and copy the same values
from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible
Cache\DOMStore, and then set the CachePath as stated above, which points to the LowCache folder instead of the
Cache folder.

For an in-depth discussion of this solution, visit Microsoft Forums.



Known Issues (Production)
May 25, 2016

Workspace Cloud Platform


When the Connector is installed on the same machine as domain controller, there can be timing issues: In certain cases,
the Agent Service starts before the Domain Service. If that happens the Connector cannot talk to domains. To work
around this issue, provide a delayed start for Agent Service.
Administrators are logged out of Workspace Cloud after an hour: If you are logged out of Workspace Cloud, log back in
to continue using Workspace Cloud.
Login fails if the administrator page has been idle for 30 minutes: Entering your Citrix credentials on the administrator
login page will fail if the page has remained idle for over 30 minutes. Simply reload the page and login again with your
credentials.

Workspace Cloud's interface appears blank in Internet Explorer (see above image). The main content of the Workspace
Cloud interface occasionally does not load in Internet Explorer 11 on Windows Server 8.2 (also noted on Windows 7 and
Windows Server 2012). This can occur when an administrator runs a system cleanup tool (such as CCleaner). There may be
other actions that also cause this behavior. Take the following steps to correct the problem:

As administrator, run the following command under the user's profile:

icacls %userprofile%\Appdata\LocalLow /t /setintegritylevel (OI)(CI)L

If the command does not fix the problem, check the registry value CachePath for
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\DOMStore.
It should be %USERPROFILE%\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore. Set the value to "LocalLow".

If the above registry key does not exist, create the key and copy the same values from
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore,
and then set the CachePath as stated above, which points to the LowCache folder instead of the Cache folder.

For an in-depth discussion of this solution, visit Microsoft Forums.

Apps and Desktops


Can't copy clipboard from local session to remote HTML 5 Studio session: You cannot copy content from Notepad, for
instance, directly into HTML 5 Studio. Any information you need to enter will need to be manually typed into Studio.
Administrators that delete a Delivery Group in Studio do not see the change in the Workspace Cloud: Within Studio, do
not delete any Delivery Groups that are included as offerings in any subscribed workspaces in Workspace Cloud.
Provisioning support via Machine Creation Services (MCS) for Amazon Web Services (AWS) and for Windows Server Hyper-V
as a hypervisor is not currently supported.
MCS support for all hypervisors across multi-site and multiple data centers is not currently supported.
Citrix Studio is limited to one administrative session: When launching Studio, Workspace Cloud allows only one Studio
session. If you have Studio running on one machine and then log into Studio from a second machine, the first session will
close. The session then roams to the new instance of Studio.

Re-create Worx Account (Mobile Users)
May 25, 2016
Existing Citrix Cloud test drive subscribers are required to delete and re-create their Worx account due to a configuration
change in the XenMobile Service.

Note: These steps apply to both iOS- and Android-based mobile devices.

Follow the steps provided below:

1. From your mobile device, tap the Worx Home app.
2. Tap the Settings menu in the upper-left of the app window.
3. Tap Account. Tap Delete Account.
4. When the Worx Home app opens again, enter your email address and then click Next.
5. Type your username and password. You may be asked to create a Worx PIN. You will need to enter your Worx PIN twice.
6. Worx Home opens. You can then access Worx Store to view the apps you can install on your mobile device.

What Are Resource Locations?
May 25, 2016
Resource Locations contain the resources required to deliver services to your subscribers. You manage these resources from
Citrix Cloud.

What Resources Can a Resource Location Contain?

Resource Locations contain different resources depending on which Citrix Cloud services you are using and the services
that you want to provide to your subscribers.

Typical resources include:

Citrix NetScalers
Hypervisors
Virtual Desktop Agents (VDAs)
StoreFront servers
Citrix Lifecycle Management agents

Resource Locations need other components to interact with Citrix Cloud:

Citrix Cloud Connectors (see image above)


Access to Microsoft Active Directory domains

For more details on Citrix Cloud Connector see "What Is a Citrix Cloud Connector?"

Where Should I Put My Resource Locations?

Place Resource Locations where they best meet your business needs. Resource Locations can be in a public cloud, in a
branch office, private cloud, or a data center.

The choice of location may be impacted by the following:

Proximity to subscribers
Proximity to data
Scale requirements
Security attributes

There is no restriction on the number of Resource Locations you can build. The overhead of a resource location is small.

To provide identity management for subscribers and resources you need to install a Connector to access an Active
Directory.

This makes it easy to distribute the resources across as many Resource Locations as you need without needing to make
compromises.

As an example you could:

Build a Resource Location in your data center for the head office based on subscribers and applications that need to be
close to the data.
Add a separate Resource Location for your global users in a public cloud. Or build separate Resource Locations in branch
offices to provide the applications best served close to the branch workers.
Add a further Resource Location on a separate network that provides restricted applications. This provides restricted
visibility to other resources and subscribers without the need to adjust the other Resource Locations.

What Are Notifications?
May 25, 2016

Notifications provide information to administrators about issues that might be of interest to them. These notifications
showcase any new features in Citrix Cloud or alert you to problems with your deployments. Notifications can come
from any service within Citrix Cloud.

The number of notifications appears in the Insights area at the top of the Citrix Cloud control center (see image above).

Details are available by selecting Notifications from the menu or by selecting the Notifications tile (see image below). This
area displays all notifications, their severity, and the related service.

Once you have read a notification and acted on it (if required), you can dismiss the notification. It is removed from your list
and the count displayed in the insights area is updated.

Administrators receive notifications independent from each other. Any action you take to dismiss a notification will not
impact another administrator from viewing their notifications.

Select the checkbox next to the notifications and click Dismiss. It will be removed from the Notifications list.

What Is Identity and Access Management?
Jan 25, 2017

Identity and Access Management defines the accounts used for administration of and subscribers to Citrix Cloud and its
offerings.

There are 2 sets of identities for Citrix Cloud:

1. Administrators
2. Subscribers

Administrators

Administrators use their identity to access Citrix Cloud and to perform management activities and install the Citrix Cloud
Connector.

A Citrix identity mechanism provides authentication for administrators. It uses an email address and password to
authenticate the user. You can also use your My Citrix credentials to log in to Citrix Cloud.

Adding New Administrators


During the customer account onboarding process an initial administrator is created. The administrator can then invite other
administrators to join Citrix Cloud. These new administrators can use their existing Citrix account credentials or set up a new
account if needed.

Managing Your Passwords


If you forget or want to reset your password, there is a "Forgot your password?" link on the login page. This link will direct
you to a password-reset page.

Removing Administrators
Remove administrators from the customer account by using the Administrator tab within Identity and Access Management.
An administrator will not be able to log in to Citrix Cloud if you remove access.

An administrator logged in when the account is removed will stay active for a maximum of 1 minute. After this, any attempt
to access Citrix Cloud is denied without valid credentials.

Notes:

You can't remove the last administrator from the customer account. There must be at least one administrator per
customer.
Citrix Cloud Connectors are not linked to an administrator account. Connectors will continue operating even if the
administrator who installed it is removed from the customer account.

Subscribers

Subscriber identity defines which subscribers have access to services through Citrix Cloud. These identities come from Active
Directory domain accounts provided from the domains within the Resource Location.

Citrix Cloud administrators can control which domains can be used to provide these identities from the Domains tab in
Identity and Access Management pages in Citrix Cloud.

Note: Disabling domains for use does not stop any already allocated identities being used by subscribers; it simply stops any
new identities being selected.

Assigning subscribers to Cloud Library offerings authorizes access to those offerings.

If you plan to use domains from multiple forests, install a Citrix Cloud Connector in each forest. We recommend that you
assign more than 1 Cloud Connector to each forest to maintain a highly available environment.

Note: Each Cloud Connector can enumerate and use all the domains from the single forest that it is installed in.

Managing Subscriber Usage


Add subscribers to offerings using individual accounts or Active Directory groups. The use of groups enables customers to
manage access via group management of Active Directory. This does not require management via Citrix Cloud once you
assign the group to an offering.

When an administrator removes a subscriber account or group of subscriber accounts from an offering, subscribers will no
longer be able to access the service. The exact behavior may differ between the services offered. For more details about
different Citrix services, refer to service-specific documentation.

Features for Citrix Partners
Dec 09, 2016
Citrix Cloud includes services, features and experiences designed for both customers and partners. This section
outlines features available to Citrix Partners that help them collaborate with customers on Citrix Cloud services and
solutions.

Partner Identification
Partners are identified in Citrix Cloud based on their Citrix Organization ID (ORGID). Each Citrix Cloud account is associated
with a Citrix ORGID that can be viewed in the Citrix Cloud account details.

If the ORGID on the account is an active member of a Citrix partner program (such as Citrix Solution Advisor or Citrix Service
Provider) the program badge is shown indicating this account is owned by a Citrix partner. Partner identification is then used
to govern access to additional cloud services or features.

Customer Dashboard
The customer dashboard is designed for partners to view the status of multiple Citrix Cloud customers in a consolidated
view. For a customer to appear on the dashboard, a connection must be established between the partner and customer.
The customer dashboard is available on partner badged Citrix Cloud accounts.

Connecting with Customers
Partners collaborating with customers on Citrix Cloud solutions are able to establish a trusted link between their accounts.
This account level relationship allows a customer to share specific information easily with a partner. By accepting to
connect with a partner, a customer grants the partner visibility into information about their Citrix Cloud account and
relationship with Citrix.

Establishing a partner connection enables the following:

Customer appears on the partner's dashboard
Partner appears as an active connection in the customer's account settings
Partner visibility into Citrix Cloud service entitlements

Additional information about partner connections:

Partners can establish connections with multiple customers
Customers can establish connections with multiple partners
There is no limit to the number of customer-to-partner connections
Connections can be terminated at any time by either the customer or the partner
    By the customer in their account details page
    By the partner using the customer dashboard
Citrix Cloud Notifications are sent depending on the connection workflow
    Partner is notified when a customer connection is made
    Partner is notified if customer terminates connection
    Customer is notified if partner terminates connection
Partner to customer connections do not expire

Inviting a Customer to Connect


Partners connect with customers in three simple steps:

1. Partner retrieves their invitation link from the customer dashboard

2. Partner copies the invitation link and provides it to the customer

3. Customer clicks the link, signs in (or signs up) and accepts the connection request

Additional information about partner invitation links:

Partners are provided one invitation link; the link is fixed and not customizable or changeable
There is no limit to how many times the link can be used to establish a connection
The link can be reused if a connection needs to be recreated
The link does not expire

Sharing Account Information with Partners


Partner visibility into Citrix Cloud service entitlements

When a customer accepts a Citrix partner's connection invitation, the partner gains basic visibility into the Citrix Cloud
service entitlement status for that customer. This information includes the status of both trial and non-trial entitlements.

active service trials
pending service trial requests
expired service trials
active service entitlements; services purchased or otherwise entitled/enabled for the customer
Purchase information such as price, license count, discounts or transaction details is not shared or shown with
partners when a customer connection is established

How to Get Help and Support
May 25, 2016

Creating a Citrix Cloud Account

If you encounter an error when signing up for a Citrix Cloud account, contact Citrix Customer Service.

Signing Into Your Account

If you're having trouble signing into your Citrix Cloud account, make sure you sign in with the email address and password
you provided when you signed up for your account.

If you've forgotten or need to reset your account password, use the Forgot your password option. You'll get your new
password in an email.

If you do not receive the password reset email, or you need additional assistance, contact Citrix Customer Service.

Citrix Cloud Support Forums

On the Citrix Cloud support forums you can get help, provide feedback and improvement suggestions, view conversations
from other users, or begin your own topics.

Citrix support staff members track these forums and are ready to answer your questions. Other Citrix Cloud community
members may also offer help or join the discussion.

You do not need to log in to read forum topics. However, you must log in to post or reply to a topic.

To log in, use your existing Citrix account credentials or use the email address and password you provided when you created
your Citrix Cloud account. To create a new forum account, click the Create New Account option.

Related Topic:

How to Use the Forums

Technical Support

If you're experiencing an issue that requires technical help, click the Help ? icon in the Control center, and then select Open
a Ticket.

Support Articles

You'll find support articles at support.citrix.com.

System Requirements
Sep 12, 2016
Citrix Cloud requires the following minimum configuration:

An Active Directory domain


Two physical or virtual machines for the Citrix Cloud Connector:
Windows 2012 R2 or Windows 2016 Server with .NET 4.5+
At least 40 GB of disk space and 4 GB of memory
Connected to your Active Directory domain
Active Directory Computer account with Read permissions on containers, Read/Write permissions on user and
computer objects
Port 443 must be open
Internet access

Two physical or virtual machines for application and desktop images:


Connected to your Active Directory domain
(Preferred) No Virtual Delivery Agent (VDA) installed; you will set up the VDA later. (Alternative) If you have already set
up the VDAs, make sure to point them to the Connector after installation. See instructions for installing the
Connector.
Additional system requirements for XenApp and XenDesktop on Desktop OS and Server OS.
StoreFront installation and configuration.

Supported Software

The following software is supported in Citrix Cloud:

Virtual Delivery Agents (VDA): Use the version that shipped with your XenApp / XenDesktop installation. For example,
if you installed XenApp 7.6, upgrade all components, including the VDAs, to the 7.6 version. The minimum requirement for
VDAs is version 7.0 for a XenApp/XenDesktop 7.x deployment.

Note: Older VDAs might encounter registration challenges. For more information, see the "Mixed VDA support"
section in the 'Upgrade a deployment' topic in Citrix Docs.

StoreFront: Citrix recommends using the most recent version of StoreFront (2.6). The minimum requirement is
StoreFront 2.0 for a XenApp/XenDesktop 7.x deployment. For more information, refer to the "Other" section in the
System requirements section in Citrix Docs.

Note: Earlier versions of VDA and StoreFront will not have all the features available in the latest releases.

NetScaler Gateway: Citrix recommends using the most recent version of NetScaler Gateway (minimum version 10.5) for
a XenApp/XenDesktop 7.x deployment. For more information, refer to Citrix Docs for compatibility.

Internet Connectivity Requirements
Feb 01, 2017
Citrix Cloud provides administrative functions (via a browser) and operational requests (from other installed components) that
connect to resources within a customer's deployment. This document defines the requirements and considerations to establish
customer connectivity.

Overview

The connection to the internet from your datacenters only requires port 443 to be open for outbound connections. However, in
order to operate within environments containing an internet proxy server or firewall restrictions, further configuration might be
needed. Details of these requirements are provided here.

Details

The following addresses need to be contactable in order to properly operate and consume the Citrix Cloud services.

Service: Smart Tools
    Citrix Resource Location / Cloud Connector:
        https://*.citrixworkspacesapi.net
        https://*.cloud.com
        Additional requirements: https://manage-docs.citrix.com/hc/en-us/articles/212713883-Connectivity-requirements
    Administration Console:
        https://*.citrixworkspacesapi.net
        https://*.cloud.com
        Additional requirements: https://manage-docs.citrix.com/hc/en-us/articles/212713883-Connectivity-requirements

Service: ShareFile
    Citrix Resource Location / Cloud Connector:
        https://*.sharefile.com
        Additional requirements: http://support.citrixonline.com/en_US/ShareFile/all_files/SF090015
    Administration Console:
        https://*.citrixworkspacesapi.net
        https://*.cloud.com
        Additional requirements: https://manage-docs.citrix.com/hc/en-us/articles/212713883-Connectivity-requirements

Service: Secure Browser
    Citrix Resource Location / Cloud Connector:
        https://*.citrixworkspacesapi.net
        https://*.cloud.com
        https://*.servicebus.windows.net
    Administration Console:
        https://*.cloud.com
        https://*.citrixworkspacesapi.net
        https://browser-release-a.azureedge.net
        https://browser-release-b.azureedge.net

Service: XenApp and XenDesktop
    Citrix Resource Location / Cloud Connector:
        https://*.citrixworkspacesapi.net
        https://*.cloud.com
        https://cwsproduction.blob.core.windows.net/downloads
        https://*.nssvc.net [If Gateway As a Service is enabled]
        https://*.servicebus.windows.net
        https://*.xendesktop.net
    Administration Console:
        https://*.citrixworkspacesapi.net
        https://*.cloud.com
        https://cwsproduction.blob.core.windows.net/downloads
        https://*.xendesktop.net

Service: XenMobile
    Citrix Resource Location / Cloud Connector:
        https://*.citrixworkspacesapi.net
        https://*.cloud.com
        https://cwsproduction.blob.core.windows.net/downloads
        https://*.servicebus.windows.net
        Additional requirements: https://docs.citrix.com/en-us/xenmobile/10-1/about-xenmobile-cloud/xenmobile-cloud-prerequisites-administration.html
    Administration Console:
        https://*.citrix.com
        https://*.citrixworkspacesapi.net
        https://*.cloud.com
        https://cwsproduction.blob.core.windows.net/downloads
        Additional requirements: https://docs.citrix.com/en-us/xenmobile/xenmobile-cloud/about/prerequisites-administration.html

Citrix Cloud Management Console

Administration of Citrix Cloud is accomplished via web pages accessed from a browser. Initial access is provided by navigating to
https://citrix.cloud.com. However, once accessed, this page will require other resources on the internet either when logging in or at
a later point when carrying out specific operations.

Proxy Configuration

If you're connecting via a proxy server, the management console will operate via the same configuration applied to your browser.
The console operates within the user context, so any configuration of proxy servers that require user authentication should work
as expected.

Firewall Configuration

For the management console to operate, port 443 must be open for outbound connectivity. General connectivity can
be tested by navigating within the console.

Citrix Cloud Connector

The Citrix Cloud Connector deploys a set of services that run on Microsoft Windows servers. It connects to Citrix Cloud in
order to provide operation and management of resources within the network in which it is installed.

There are requirements for both installing and operating the connector. Installing a connector does not necessarily mean all
functionality will operate as expected afterward, as there are additional access requirements for the connector to operate.

The connector requires outbound connectivity on port 443.
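
The following Python script is an added example, not Citrix code. It audits proxy CONNECT log entries from a Cloud Connector host against the Resource Location / Cloud Connector addresses listed above for XenApp and XenDesktop, reporting required destinations the proxy refused and destinations that were allowed out but are not on the documented list. The log format, the client name connector01 and the sample lines are constructed, and the wildcard is assumed to match subdomains only, on a label boundary.

```python
"""Audit proxy CONNECT logs for a Cloud Connector host against the documented endpoints."""

# Resource Location / Cloud Connector addresses for XenApp and XenDesktop,
# copied from the table on this page.
XENAPP_CONNECTOR_ENDPOINTS = [
    "https://*.citrixworkspacesapi.net",
    "https://*.cloud.com",
    "https://cwsproduction.blob.core.windows.net/downloads",
    "https://*.nssvc.net",  # only if Gateway As a Service is enabled
    "https://*.servicebus.windows.net",
    "https://*.xendesktop.net",
]

REQUIRED_PORT = 443  # the only outbound port the page requires


def pattern_host(endpoint):
    """Return the host part of an endpoint pattern such as https://*.cloud.com."""
    host = endpoint.split("://", 1)[-1].split("/", 1)[0]
    return host.lower().rstrip(".")


def host_matches(pattern, host):
    """Match a host against an exact name or a '*.' wildcard.

    Assumption: '*.cloud.com' covers any subdomain of cloud.com but not the
    apex, and the match must fall on a label boundary, so look-alike names
    that merely contain the string are rejected.
    """
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".cloud.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_documented(host, port, endpoints=XENAPP_CONNECTOR_ENDPOINTS):
    """True if host:port is covered by the documented endpoint list."""
    if port != REQUIRED_PORT:
        return False
    return any(host_matches(pattern_host(e), host) for e in endpoints)


def parse_connect(line):
    """Parse a constructed log line: '<time> <client> CONNECT <host>:<port> <status>'."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "CONNECT" or not parts[4].isdigit():
        return None
    host, _, port = parts[3].rpartition(":")
    if not host or not port.isdigit():
        return None
    return {"client": parts[1], "host": host,
            "port": int(port), "status": int(parts[4])}


def audit(lines, client, endpoints=XENAPP_CONNECTOR_ENDPOINTS):
    """Return (blocked_required, unexpected_allowed) for one client.

    blocked_required: documented destinations the proxy refused, which will
    break the Connector. unexpected_allowed: destinations outside the
    documented list that the proxy let through, which deserve review.
    """
    blocked_required, unexpected_allowed = set(), set()
    for line in lines:
        rec = parse_connect(line)
        if rec is None or rec["client"] != client:
            continue
        dest = "%s:%d" % (rec["host"], rec["port"])
        listed = is_documented(rec["host"], rec["port"], endpoints)
        allowed = 200 <= rec["status"] < 300
        if listed and not allowed:
            blocked_required.add(dest)
        elif not listed and allowed:
            unexpected_allowed.add(dest)
    return sorted(blocked_required), sorted(unexpected_allowed)


# Constructed sample log lines (not taken from a real proxy).
SAMPLE_LOG = """
2017-02-01T10:00:01Z connector01 CONNECT citrix.cloud.com:443 200
2017-02-01T10:00:02Z connector01 CONNECT cwsproduction.blob.core.windows.net:443 200
2017-02-01T10:00:03Z connector01 CONNECT relay01.servicebus.windows.net:443 403
2017-02-01T10:00:04Z connector01 CONNECT cloud.com.example.net:443 200
2017-02-01T10:00:05Z connector01 CONNECT api.citrixworkspacesapi.net:80 200
2017-02-01T10:00:06Z desktop17 CONNECT www.example.org:443 200
""".strip().splitlines()

if __name__ == "__main__":
    blocked, unexpected = audit(SAMPLE_LOG, "connector01")
    print("Required but refused by proxy:", blocked)
    print("Allowed but not documented:  ", unexpected)
```

If your proxy or firewall treats a wildcard entry as also covering the apex domain, adjust host_matches to match that product's semantics before relying on the results.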

Get Started with Citrix Cloud
Jan 26, 2017

About Citrix Cloud

Citrix Cloud is a platform that hosts and administers Citrix services. It connects to your resources, via the Citrix Cloud
Connector, on any cloud or infrastructure you choose (on-premises, public cloud, private cloud, or hybrid cloud). It allows you
to create, manage and deploy workspaces with apps and data, to your end-users from a single console.

Citrix Cloud Services


XenApp and XenDesktop Service

The XenApp and XenDesktop Service is a service of Citrix Cloud. The XenApp and XenDesktop Service offers secure
access to virtual Windows, Linux, and web apps and desktops.
This service is based on XenApp and XenDesktop technology.
To learn how to set up this service, read the XenApp and XenDesktop Service Getting Started Guide.

XenMobile Service

This service of Citrix Cloud provides comprehensive enterprise mobility management (EMM) including mobile device
management, mobile application management and enterprise-grade productivity apps. Based on XenMobile technology,
the service also enables IT to quickly create pilot environments and experience faster production time with EMM
deployment.
To learn how to set up this service, click here.

ShareFile

A file sync and sharing service based on Citrix ShareFile technology.
To learn more about this service, click here.

Citrix Smart Tools

A service that allows you to deploy and manage Citrix workloads such as XenDesktop, XenApp, XenMobile, and
NetScaler.
For the full set of documentation on this service, go to http://manage-docs.citrix.com/home.

Try Citrix Cloud


Request Trials

Experience a full production environment in a proof-of-concept for one or more of the Citrix services listed above. After
signing up for Citrix Cloud, you can request trials for each of the services from inside the console. Trials are designed to be
tested with your infrastructure, applications and Microsoft Active Directory.

Once your trial is approved, to begin your trial you'll need to make some decisions and prepare your environment. See the
Citrix Cloud Trial Checklist.

At the end of a trial you can convert the trial to a production environment so you can retain all the configurations you have
tested during the trial. To get started with Citrix Cloud, sign up or log in here: Citrix Cloud.

Signing Up for Citrix Cloud
May 25, 2016
To start using Citrix Cloud, create a new Citrix Cloud company account or join an existing one that has been created by
someone else in your company. This document describes the processes available and offers advice on how to proceed.

Start by going to: https://onboarding.cloud.com, where you can sign up for a Citrix Cloud account.

There are two options:

Sign up with your Citrix.com account, or

Sign up for a new account

Note: A Citrix.com account is the account that you use to access Citrix.com sites and download software, raise support
requests, or post to Citrix forums. This account would be affiliated with a company.

Important: If you want to become an administrator of an existing Citrix Cloud account, you don't have to go through the
sign-up process. You can request to be added by a current administrator of the Citrix Cloud account you want to join.

Signing up without a Citrix.com account

If you're new to Citrix and don't have a Citrix.com account, click the "I don't have a Citrix.com account" link on the same
sign up page. Fill in the information requested and click Continue. This will create a new Citrix.com account and a Citrix
Cloud account at the same time.

After you click Continue, you should receive an email from cloud@cloud.com asking you to confirm your account and
complete the set-up process. The link in the email will take you to a page where you can set up your initial password for
the account and sign in. To sign in, go to https://citrix.cloud.com and enter your details. You can change your password or
request a reminder from the 'Forgot your password?' link on this page.

Once you're signed in to the console, we recommend that you take the Test Drive. This will allow you to explore Citrix
Cloud right away, using predefined resources to understand the concepts and deliver an actual workspace.

Note: The sign-up process outlined above will create for you a Citrix.com account and a Citrix Cloud account. You can view
the account details of the Citrix.com account here: https://www.citrix.com/account. Changing the password for this
account will not change the password for your Citrix Cloud account.

Signing up with a Citrix.com account

If you already have a Citrix.com account, you can quickly and easily create a Citrix Cloud account. Go to the sign-up page:
(https://onboarding.cloud.com) and enter your Citrix.com login ID. Note: the login ID is not necessarily an email address; it
depends on what you used to create your Citrix.com account. Accounts can be reset or located using the Reset Password
page: (https://www.citrix.com/welcome/request-password.html).

Once you enter your details, you'll come to a page asking you to verify your Citrix.com account details. If these details are
correct, then click the Sign Up button. At that point, your Citrix Cloud account has been created and you can sign in.

Note: You'll need to sign in to Citrix Cloud using your email address (regardless of your Citrix.com login ID) and the same
password as your Citrix.com account. Changing the password of your Citrix.com account will not change the password for
your Citrix Cloud account.

If other administrators from the same company sign in while the Citrix Cloud account is in Test Drive, they will
automatically be added as administrators for the same account and have access to the same Test Drive environment.

Important: If the Citrix Cloud account is being used in a service trial, or a package has been purchased, new administrators
cannot sign up through this process. They must be invited by an existing administrator. Read Adding Administrators to a
Citrix Cloud account.

Joining an existing Citrix Cloud account

To join an account that has already been created, you need to be approved by a current administrator of that Citrix Cloud
account.

If you know who to contact within your company to request access, you can contact them directly. However, if you don't
know, you can go to the sign-in page (https://onboarding.cloud.com), enter your Citrix.com credentials, and you will be
prompted to request access by clicking on the Request Approval button. Once a current admin adds you to the account,
you'll receive an email letting you know that you've been approved and can go to https://citrix.cloud.com to sign in.

Other scenarios

The following section describes some other scenarios and how to proceed.

My company already has a Citrix Cloud account, but we're not allowed to share it.

Create a secondary Citrix Cloud account by signing up for a new Citrix.com account that is not affiliated with the company.
You'll also need to enter an email address that isn't associated with your company. See Signing up without a Citrix.com
account above. Once you sign in, you'll have access to a separate Test Drive environment.

Note: Reconfiguration may be required if you decide later that you want to use the original Cloud.com account.

I want to become an administrator for an existing Citrix Cloud account, but there are no current admins to add me.

There are two options:

Temporarily redirect an existing admin email to a new email inbox. This will allow you to use the "Forgot your password?"
link on the https://citrix.cloud.com page. Follow the instructions to reset the password, and sign in to the Citrix Cloud
admin console to add yourself as a new administrator.

Contact Citrix Support (http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud/how-to-get-help-and-support.html)
and open a ticket requesting a new administrator account to be created.

Adding Administrators to a Citrix Cloud Account
Nov 10, 2016
Administrators are managed from the Citrix Cloud console (https://citrix.cloud.com) when using a purchased package or trial
service within an account.

Anyone wishing to become a new administrator must be invited by an existing administrator of the Citrix Cloud account.

Inviting new administrators

After signing into https://citrix.cloud.com, navigate to the Identity and Access Management page from the menu.

On this page, select the Administrators tab. The display shows all the current administrators and provides a section at the
top that enables you to invite new administrators.

To invite an administrator, enter their email address. Then, click Invite. An invitation will be sent to the email address
specified. The administrator will be added to the list with a status of 'Invite Sent'.

The administrator will receive an email from (cloud@citrix.com) titled 'Join Citrix Cloud', explaining how to access the
account. They must accept this invitation using the Join link within the email. This link will open a browser and take them to
a page where they can create their password. Note: If they already have an account, they will be prompted to use their
existing password. They are then able to sign in at https://citrix.cloud.com. Once the administrator has joined the Citrix
Cloud account, they will receive a Welcome to Citrix Cloud email and the administrator will be shown as 'Active' in the
Administrators section of the Identity and Access Management page within the console.

https://docs.citrix.com 1999-2017 Citrix Systems, Inc. All rights reserved. p.42


Assigning users and groups to service offerings using
Library in Citrix Cloud
Jan 17, 2017
Things you configure in a service (for example, desktops or applications configured in the XenApp and XenDesktop service)
can easily be assigned directly to your Active Directory users and groups through Citrix Cloud. This is done through the
Library. Let's take a look at some of the functionality of the Library in Citrix Cloud.

View all of your offerings in the Library from this one-level view. Offerings may consist of your apps, desktops, data shares,
and web apps that are created via a Citrix Service within Citrix Cloud.

Offering Details

You'll still be able to view the details relating to each offering.

View applications, desktops, policies, and any other related offering information by clicking on the View Details button on
the offering card.


Managing Subscribers

You can add users or groups to a single offering by clicking Manage Subscribers from the dots menu.



Or, if you want to bulk manage your subscribers across many offerings in one go, you can select all the offerings you'd
like, and then click the Manage Subscribers bulk action button.


Once you've selected Manage Subscribers, you'll be able to search for users or groups within a chosen domain and assign
them to the selected offerings.


The users or groups you add will show up in a list underneath and are automatically connected to the offering.

From here, you can also remove users or groups by either clicking on the trash icon or bulk selecting many in one go.


Once you've completed adding or removing subscribers, you can easily see how many subscribers a particular offering has
right on the front of the offering card.


Filtering

We've added a couple of new features that allow you to filter your offerings.

First, you can quickly view offerings that were created in a particular service, such as the XenApp and XenDesktop Service or
the Secure Browser Service.

To go back and see everything, simply select All Types from the dropdown menu.


Secondly, we've improved our searching mechanism. Search for any user or group that is currently subscribed to an offering
within the Library. This filtered view is essentially the end user's workspace.

The cards will dynamically adjust depending on your search and selection. For example, if you search for MedicalTeam and
then select it, you'll see all offerings that MedicalTeam is currently subscribed to.

To go back and see everything, simply cancel the search by clicking the X.


For more details, please see the video "The Library in Citrix Cloud" for an overview of the Library.


May 25, 2016

StoreFront authenticates users to sites hosting resources and manages stores of applications and desktops that users
access. It hosts your enterprise application store, which lets you give users self-service access to apps and desktops you
make available to them. It also keeps track of users' application subscriptions, shortcut names, and other data to ensure
they have a consistent experience across multiple devices.

When users connect from outside the corporate firewall, Citrix Cloud can use Citrix NetScaler Gateway (formerly Access
Gateway) technology to secure these connections with SSL. NetScaler Gateway or the NetScaler VPX virtual appliance is
an SSL VPN appliance that is deployed in the demilitarized zone (DMZ) to provide a single secure point of access through
the corporate firewall.

There are three primary use cases for setting up StoreFront with Citrix Cloud:

1. A cloud-hosted StoreFront: The XenApp and XenDesktop Service in Citrix Cloud hosts a StoreFront site for each
customer. The benefit of the cloud-hosted StoreFront is that there is zero effort to deploy, and it is kept evergreen by
Citrix. Cloud-hosted is recommended for all new customers, previews, and proofs-of-concept (PoCs).
2. An on-premises StoreFront: Customers may also use an existing StoreFront to aggregate applications and desktops in
Citrix Cloud. This offers greater security, including support for two-factor authentication, and prevents users from
entering their password into the cloud service. It also allows customers to customize their domain names and URLs. This
is recommended for any existing XenApp and XenDesktop customers that already have StoreFront deployed.
3. A combination on-premises StoreFront and cloud-hosted StoreFront.

Each scenario is laid out below.

Access to the cloud-hosted StoreFront is via https://<customername>.xendesktop.net/Citrix/StoreWeb/. There is no
additional configuration needed. Cloud StoreFront is ready to be used.

To provide remote access for end-users through a cloud-hosted StoreFront, do the following:

Set up NetScaler Gateway as an ICA proxy (no authentication or session policies are needed). This can be configured in
Citrix Studio by clicking on StoreFront under the Configuration node, then selecting the Set NetScaler Gateway action.
Bind Citrix Cloud Connectors as Secure Ticket Authority (STA) servers to NetScaler Gateway.
Set NetScaler Gateway (FQDN:PORT) in the cloud-hosted Studio.
Note: Combination remote and internal access is not supported in a cloud-hosted StoreFront.

For more information about configuring NetScaler, see NetScaler VPX Deployment Guides.

For details on configuring an on-premises StoreFront, see Citrix Docs.

One benefit of using an existing StoreFront is that the Citrix Cloud Connector provides encryption of user passwords.
Credentials are encrypted by the connector using AES-256, using a randomly-generated one-time key. This key is returned
directly to the ICA client and never sent to the cloud. The ICA client then supplies it to the VDA during session launch in
order to decrypt the credentials and provide a single sign-on experience into Windows.

For transport, select HTTP and port 80. The StoreFront machine must be able to directly access the connector through
the FQDN (fully qualified domain name) provided; the connector needs to be able to reach the Cloud NFuse/STA URL at
(https://<customername>.xendesktop.net/Scripts/wpnbr.dll and ctxsta.dll).
Multiple connectors should be added as delivery controllers for High Availability.


Use the most recent version of StoreFront.

To provide external access through NetScaler Gateway and on-premises StoreFront, do the following:

Set up NetScaler Gateway as in a usual deployment with authentication and session policies. See Citrix Docs for full
details.
Point your on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
The NetScaler Gateway must use the same STA URLs as StoreFront. If the gateway is not already configured to use the
STA of an existing XenApp/XenDesktop environment, Citrix Cloud Connectors may be used as an STA.

To provide internal access through an on-premises StoreFront, do the following:

Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.

To provide external and internal access through NetScaler Gateway and on-premises StoreFront, do the following:

Set up NetScaler Gateway as in a usual deployment (with authentication and session policies) - See Citrix Docs for full
details.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.

To provide external access through cloud-hosted StoreFront and NetScaler Gateway with on-premises StoreFront, do the
following:

Set up NetScaler Gateway as you would in a usual deployment (with authentication and session policies). See Citrix
eDocs for full details.
Point your on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
Set NetScaler Gateway (FQDN:PORT) in Cloud-hosted Studio.

To provide internal access through cloud-hosted and on-premises StoreFront, do the following:

Point the on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.

To provide external and internal access, do the following:

Cloud-hosted StoreFront can only be used for external or internal access.
Use NetScaler Gateway for external access and on-premises StoreFront for internal access (same as Use Case #2 with
external and internal access).
Set up NetScaler Gateway as in a usual deployment (with authentication and session policies).
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.

May 25, 2016

Use strong passwords and regularly change your passwords.


All administrators within a customer account can add and remove other administrators. Ensure that only trusted
administrators have access to Citrix Cloud.
Administrators of a customer have, by default, full access to all services. Some services provide a capability to restrict the
access of an administrator. Consult the per-service documentation for more information.
Two-factor authentication for administrators is not currently offered in Citrix Cloud.

The control plane does not store sensitive customer information. Instead, Citrix Cloud retrieves information such as
administrator passwords on-demand (by explicitly prompting the administrator). There is no data-at-rest that is
sensitive or encrypted, and thus you do not need to manage any keys.
For data-in-flight, Citrix uses industry standard TLS 1.2 with the strongest cipher suites. Customers cannot control the
TLS certificate in use, as Citrix Cloud is hosted on the Citrix-owned cloud.com domain. To access Citrix Cloud, customers
must use a browser capable of TLS 1.2 with strong cipher suites.
Consult the per-service documentation for details about encryption and key management within each service.

The Citrix Cloud control plane is hosted in the United States. Customers do not have control over this.
The customer owns and manages the Resource Locations. They can be created in any data center, cloud, location, or geo
desired. All critical business data (such as documents, spreadsheets, etc.) are in the Resource Locations and are under
customer control.
For ShareFile, consult the service documentation on how to control where the data resides.
Other services may have an option to store data in different regions. Consult the per-service documentation for details.

There is currently no customer-visible auditing or change control available in the Citrix Cloud UI or APIs.
Citrix has extensive internal auditing information. If a customer has a concern, contact Citrix within 30 days. We will
review the audit logs to determine which of the customer's administrators performed an operation, on what date, from
which IP address, etc.

status.cloud.com provides transparency into security issues that have an ongoing impact on the customer. The site logs
status and uptime information. There is an option to subscribe for updates to the platform or individual services.


Install the Citrix Cloud Connector on a Windows 2012 R2 domain-joined machine.
This machine must have a minimum of 2 GB of memory and 50 GB of disk space (minimum 10 GB of free space for use by
the Connector).
The Connector machine should be inside the customer's private network and not in the DMZ.

The customer is responsible for keeping the connector up-to-date with Windows security updates.
You can use anti-virus alongside the Connector. Citrix tests with McAfee VirusScan Enterprise + AntiSpyware Enterprise
8.8. Citrix will support customers who use other industry standard AV products.
For security and performance reasons, we recommend that you do not install the Connector software on a domain
controller.
In the customer's Active Directory (AD), restrict the Connector's machine account to read-only access. This is the default
configuration in Active Directory.
The customer can enable AD logging and auditing on the Connector's machine account to monitor any AD access that
the Connector does.

The Connector contains sensitive security information such as administrative passwords. Only the most privileged
administrators should be able to log into the Connector machines (for example, to perform maintenance operations). In
general, there is no need for an administrator to log into the Connector for management of any Citrix product. The
Connector is self-managing in that respect.
Do not allow end users to log into Connector machines.

You can install anti-virus software and hypervisor tools (if installed on a virtual machine) on the Connector machines.
However, we recommend that you do not install any other software. Other software creates additional possible
security attack vectors and may reduce the security of the overall Citrix Cloud solution.

The Connector requires outbound port 443 to be open with access to the internet. The Connector should have no
inbound ports accessible from the internet.
You can locate the Connector behind a web proxy for monitoring its outbound internet communications. However, that
web proxy must work with SSL/TLS encrypted communication.
The Connector may have additional outbound ports with access to the internet. The Connector will negotiate across a
wide range of ports to optimize network bandwidth and performance if additional ports are available.
The Connector must have a wide range of inbound and outbound ports open within the internal network. The base set
of open ports required is:

Client Port(s)              Server Port         Service
--------------------------  ------------------  ------------------------------
49152-65535/UDP             123/UDP             W32Time
49152-65535/TCP             135/TCP             RPC Endpoint Mapper
49152-65535/TCP             464/TCP/UDP         Kerberos password change
49152-65535/TCP             49152-65535/TCP     RPC for LSA, SAM, Netlogon (*)
49152-65535/TCP/UDP         389/TCP/UDP         LDAP
49152-65535/TCP             636/TCP             LDAP SSL
49152-65535/TCP             3268/TCP            LDAP GC
49152-65535/TCP             3269/TCP            LDAP GC SSL
53, 49152-65535/TCP/UDP     53/TCP/UDP          DNS
49152-65535/TCP             49152-65535/TCP     FRS RPC (*)
49152-65535/TCP/UDP         88/TCP/UDP          Kerberos
49152-65535/TCP/UDP         445/TCP             SMB

Each of the services used within Citrix Cloud will extend the list of open ports required. Consult the per-service secure
deployment guides for more information.

The Connector communicates outbound to the internet on port 443, both to Citrix Cloud servers and to Microsoft
Azure Service Bus servers.
The Connector will communicate with domain controllers on the local network that are inside the forest in which the
Connector is installed.
During normal operation the Connector will communicate only with domain controllers in domains that are selected as
"Use for subscriptions" within the Identity and Access Management page in the Citrix Cloud UI.
When selecting the domains to "Use for subscriptions", the Connector will communicate with domain controllers in all
domains in the forest in which the Connector is installed.
Each service within Citrix Cloud will extend the list of servers and internal resources that the Connector may contact in
the course of normal operations. Consult the per-service secure deployment guides for more information.
You cannot control the data that the Connector sends to Citrix. Consult the per-service documentation for details
about what data the Connector sends to Citrix.



Any information relevant or actionable to an administrator is available in the Windows Event Log on the Connector
machine.
View installation logs for the Connector in these directories: %AppData%\Local\Temp\CitrixLogs\CloudServicesSetup
and %windir%\Temp\CitrixLogs\CloudServicesSetup
View logs of what the Connector sends to the cloud on the Connector machine:
%ProgramData%\Citrix\WorkspaceCloud\Logs
The logs in the WorkspaceCloud\Logs directory are deleted once they exceed a specified size threshold. The
administrator can control this size threshold by adjusting the following registry key value:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CloudServices\AgentAdministration\MaximumLogSpaceMegabytes
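
The host, network and logging requirements above can be checked from the Connector machine itself. The following PowerShell script is an added example, not Citrix code; the domain controller name is a placeholder, citrix.cloud.com is assumed as the outbound test target, and MaximumLogSpaceMegabytes is assumed to be a value under the AgentAdministration key.

```powershell
# Added example, not Citrix code: preflight checks for a Cloud Connector host,
# built from the requirements stated in this guide.
# Assumptions: $DomainController is a placeholder for one of your own DCs;
# $CloudHost defaults to citrix.cloud.com (the console URL in this guide);
# MaximumLogSpaceMegabytes is read as a value under the AgentAdministration key.
param(
    [string]$DomainController = 'dc01.example.local',  # placeholder name
    [string]$CloudHost        = 'citrix.cloud.com'
)

$results = New-Object 'System.Collections.Generic.List[object]'
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# --- Host requirements: OS, domain membership, memory, disk ---
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$memBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
             Measure-Object -Property Capacity -Sum).Sum

$memDetail  = '{0:N1} GB installed' -f ($memBytes / 1GB)
$diskDetail = '{0:N1} GB free of {1:N1} GB on {2}' -f ($disk.FreeSpace / 1GB), ($disk.Size / 1GB), $disk.DeviceID

Add-Check 'OS is Windows Server 2012 R2' ($os.Caption -like '*2012 R2*') $os.Caption
Add-Check 'Domain-joined' $cs.PartOfDomain "Domain: $($cs.Domain)"
# DomainRole 4 and 5 mean backup and primary domain controller.
Add-Check 'Not a domain controller' ($cs.DomainRole -lt 4) "DomainRole = $($cs.DomainRole)"
Add-Check 'Memory >= 2 GB' ($memBytes -ge 2GB) $memDetail
Add-Check 'Free disk >= 10 GB' ($disk.FreeSpace -ge 10GB) $diskDetail

# --- Outbound 443 to Citrix Cloud ---
# A direct TCP test fails when the Connector reaches the internet only through
# a web proxy; in that case verify the proxy path instead.
$out = Test-NetConnection -ComputerName $CloudHost -Port 443 -WarningAction SilentlyContinue
Add-Check "Outbound TCP 443 to $CloudHost" $out.TcpTestSucceeded "Remote: $($out.RemoteAddress)"

# --- TCP server ports from the guide's table, tested against one DC ---
# Not covered: UDP services (W32Time on 123/UDP and the UDP side of DNS,
# Kerberos and LDAP) and the dynamic RPC range 49152-65535.
# 636/3269 answer only if the DC has an LDAPS certificate, 3268/3269 only on a
# global catalog, 53 only if the DC runs DNS; treat those failures as items to
# investigate rather than definite firewall faults.
$dcPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC Endpoint Mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP SSL' },
    @{ Port = 3268; Service = 'LDAP GC' },
    @{ Port = 3269; Service = 'LDAP GC SSL' }
)
foreach ($p in $dcPorts) {
    $t = Test-NetConnection -ComputerName $DomainController -Port $p.Port -WarningAction SilentlyContinue
    Add-Check "TCP $($p.Port) ($($p.Service)) to DC" $t.TcpTestSucceeded $DomainController
}

# --- Connector log directory and size threshold ---
$logDir = Join-Path $env:ProgramData 'Citrix\WorkspaceCloud\Logs'
$logMB  = 0
if (Test-Path $logDir) {
    $sum = (Get-ChildItem -Path $logDir -Recurse -File |
            Measure-Object -Property Length -Sum).Sum
    if ($sum) { $logMB = [math]::Round($sum / 1MB, 1) }
}
$regKey = 'HKLM:\SOFTWARE\Citrix\CloudServices\AgentAdministration'
$limit  = (Get-ItemProperty -Path $regKey -Name MaximumLogSpaceMegabytes `
           -ErrorAction SilentlyContinue).MaximumLogSpaceMegabytes
$limitText = if ($null -ne $limit) { "$limit MB" } else { 'not set' }
Add-Check 'Connector log directory present' (Test-Path $logDir) `
    "$logMB MB used; MaximumLogSpaceMegabytes: $limitText"

# --- Who can log on: printed for manual review against the guidance that only
# the most privileged administrators log into the Connector. Group names are
# localized on non-English Windows.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    net localgroup $group
}

$results | Format-Table -AutoSize -Wrap
if ($results.Passed -contains $false) { exit 1 }
```

Run it in an elevated PowerShell session on the Connector machine. The script cannot confirm that no inbound ports are reachable from the internet; verify that at the perimeter firewall.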

The base Connector configuration does not need any special SSL/TLS configuration.
The Connector must trust the certification authority (CA) used by Citrix Cloud SSL/TLS certificates, and by Microsoft
Azure Service Bus SSL/TLS certificates. Citrix and/or Microsoft may change certificates and CAs in the future, but will
always use CAs that are part of the standard Windows Trusted Publisher list.
Each service within Citrix Cloud may have different SSL configuration requirements. Consult the per-service secure
deployment guides for more information.

To ensure security compliance, the Connector will self-manage. Do not disable reboots or put other restrictions on the
Connector. These actions prevent the Connector from updating itself when there is a critical update.
The customer is not required to take any other action to react to security issues. The Connector automatically applies
any security fixes.

Audit the list of administrators in Citrix Cloud and remove any who are not trusted.
Disable any compromised accounts within your company's Active Directory.
Contact Citrix and ask us to rotate the authorization secrets stored for all the customer's Connectors. Depending on
the severity of the breach, take the following actions:
Low Risk: Citrix can rotate the secrets over time. The Connectors will continue to function normally. The old
authorization secrets will become invalid in 2-4 weeks. Monitor the Connector during this time to ensure that there
are no unexpected operations.
Ongoing high risk: Citrix can revoke all old secrets. The existing Connectors will no longer function. To resume normal
operation, customers need to uninstall and reinstall all Connectors.

May 25, 2016

If you encounter an error when signing up for a Citrix Cloud account, contact Citrix Customer Service.

If you're having trouble signing into your Citrix Cloud account, make sure you sign in with the email address and password
you provided when you signed up for your account.

If you've forgotten or need to reset your account password, use the Forgot your password option. You'll get your new
password in an email.

If you do not receive the password reset email, or you need additional assistance, contact Citrix Customer Service.

On the Citrix Cloud support forums you can get help, provide feedback and improvement suggestions, view conversations from other users, or
begin your own topics.

Citrix support staff members track these forums and are ready to answer your questions. Other Citrix Cloud community members may also
offer help or join the discussion.

You do not need to log in to read forum topics. However, you must log in to post or reply to a topic.


To log in, use your existing MyCitrix credentials or use the email address and password you provided when you created your Citrix Cloud
account. To create a new forum account, click the Create New Account option.

Related Topic:

How to Use the Forums

If you're experiencing an issue that requires technical help, click the Help (?) icon in the Control center, and then select Open
a Ticket.

You'll find support articles at support.citrix.com.


Aug 23, 2016
Citrix Cloud Technical Security Overview
XenApp and XenDesktop Service Technical Security Overview
Lifecycle Management Technical Security Overview
ShareFile Technical Security Overview
Secure Browser Service Technical Security Overview

May 25, 2016

Use the forum to ask questions, get answers, and offer suggestions on how to improve Citrix Cloud. To post a comment, you
need to log in with your MyCitrix ID. If you do not have a MyCitrix ID, you will be
prompted to create one.

Access the forum at http://discussions.citrix.com/forum/1550-workspace-cloud/

The forum contains multiple categories. You can search for threads that have been designated under that specific
category.

If you'd like to follow a particular thread or category, click Follow and choose how you would like to receive notifications
when the forum is updated.

To create a new topic, go to the appropriate category and click Start New Topic.

1. Type the topic in the Topic Title field.
2. (optional) Add up to 10 tags in the Topic Tags field.
3. Be descriptive in the post text area. Format as needed by clicking on the buttons above the topic body.
4. (optional) Click the Choose File button to attach a file to the post.
   1. Navigate to your file.
   2. Click the Open button.
   3. Click the Attach This File button. The file is uploaded and attached to your post.
5. When you're happy with what you've written (you can test how it will appear by clicking on Preview Post), click Post
New Topic. The topic will now appear in the forum.

May 25, 2016
Citrix Cloud uses an on-premises Cloud Connector (Citrix Cloud Connector) to securely communicate with your Active
Directory. Download the Citrix Cloud Connector and follow the installation instructions.

Requirements

Internet access.
Port 443 must be open.

Step-by-Step Guide to Installing the Citrix Cloud Connector

1. From the Control Center, select Identity Management.


2. Download and install the Connector. Detailed instructions on installation are provided on the page.
3. When prompted, provide your Citrix online credentials.
4. Install Virtual Delivery Agents (VDAs) in the domain-joined desktops (managed by Citrix Cloud). Point the VDAs to the
Connector instead of the Delivery Controller.
5. Add the Connector as Delivery Controllers to your StoreFront site. Note: When creating a store in StoreFront, the
Delivery Controller should use Transport type: http on Port: 80
6. (Optional) For remote access, point the NetScaler Gateway to the Secure Ticket Authority (STA) on the Connector
rather than the STA on the Delivery Controller.

May 25, 2016

Cloud service: The cloud services provide the features that deliver the services subscribers need to perform their work. This
includes creating and managing any infrastructure resources needed to achieve this.

Resources: These are resources that are available to host the services that are required by the customer. These
Infrastructure Resources might be hypervisors, servers, network appliances, VDAs for XenDesktop or XenApp, etc.

Resource Location: Customers use Resource Locations to define the places that contain their resources. These resources
are all within a defined communication/network boundary, where access is available to them from the Citrix Cloud and to
any other customer infrastructure required to operate. Connection to the Citrix Cloud is via the Citrix Cloud Connector.

Service (Provided by the customer for subscribers): Services are used by the Subscribers to perform work. These are the
actual apps and data that are used directly by the Subscriber.

Subscriber Store: Subscribers use the Subscriber Store to gain access to the resources that are in the workspaces that are
assigned to them.

Subscriber: A person who performs work using the services from the workspaces to which they are invited.

Citrix Cloud Connector: Provides communication between the resources in the resource location and the Citrix Cloud.

Citrix Cloud: A cloud-based control plane that is owned by Citrix and can be used by customers to provision services on
their own data centers or into clouds.

Workspace: A collection of services that are needed to enable subscribers to perform work. Subscribers are invited to these
workspaces by an administrator. The total collection of all the services that the subscriber has becomes their workspace
which may be managed across multiple workspaces by the administrator.

May 25, 2016
Citrix Cloud: XenApp and XenDesktop Service Reference Architecture for New Customers (PDF)

Citrix Cloud: XenApp and XenDesktop Service Reference Architecture for On-Premises (PDF)

May 25, 2016
To learn more about the Test Drive, read the Getting Started Guide for Citrix Cloud.
To learn more about Trials, go here.

Jan 26, 2017
Citrix Cloud trials are for individual services delivered through the Citrix Cloud platform. The functionality of the services in
the trials is equal to a full production service and is suitable for a proof-of-concept (POC), pilot, or similar.

Trials are limited to 60 calendar days and no more than 25 subscribers. For each service you try, you can set up and
configure that trial, the offerings, and associated resource locations.

You can convert your trial to full production (removing the 25-user limit) at any time during the trial by purchasing a service
package.

Note: To help convert trial work to production environments after a purchase, register for Citrix Cloud with your business
email address and not a commercial email account (Live, Gmail, etc.).

Citrix Cloud Trial

Number of subscribers: 25
Length: 60 calendar days
Availability: Restricted availability
Resource Zone Provided: Customer provided and configured
User session length: Unlimited
Local Microsoft Active Directory integration: Yes
Choice of resource locations: Yes
Deploy to on-premises: Yes
Apps and Desktop Service: Full feature set
XenMobile Service**: Full feature set
Secure Document Service**: Full feature set
Lifecycle Management: Full feature set
Ability for customization: Yes

*Subject to change, test drive ends when trial or production begins. **Trial not currently available.

In order to customize your experience and deliver the services that matter most to your users, Citrix Cloud trial access is
managed on a per-service basis.

You can request a trial for the service only once. When approved, you will have 60 days to complete your trial.

You can convert any time before the end of your trial by purchasing a Citrix Cloud subscription offering that includes the
service(s) you need.

If you do not purchase before the end of your 60-day trial, the service will be terminated. We will archive all data and
settings for 90 days. If you purchase within that time, the trial will be reactivated and converted to production.

Note: Initially, trials of the services may have limited capacity due to popularity. To ensure a great customer experience,
Citrix reserves the right to limit trials to a certain number of participants at any one time.

Requesting a trial is fast and easy. First, log on to your Citrix Cloud account. In the control center, request a trial by
clicking the Request Trial button (see image above). The button beneath the service will change to "Trial Requested".

You will receive an email notification when the trial for the requested service is ready. You have 60 days to complete the
trial.

When you are ready to purchase services, visit:

https://www.citrix.com/products/citrix-cloud/buy.html

To complete a purchase, you will need your Organization ID. This is available in the Citrix Cloud Console (see image below).

Nov 29, 2016
A Citrix Cloud Connector is a Citrix component that is installed to facilitate the administration and control of Resource
Locations from Citrix Cloud.

The Connector serves as a channel for communication between Citrix Cloud and your Resource Locations, enabling cloud
management without requiring any complex networking or infrastructure configuration such as VPNs or IPsec tunnels. This
removes all the hassle of managing delivery infrastructure. It enables you to manage and focus on the resources that
provide the value to your end users.

The XenApp and Desktop Service requires Cloud Connector. The XenMobile Service requires either Cloud Connector or an
IPsec tunnel for Enterprise connectivity to XenMobile.

The Cloud Connector authenticates and encrypts all communication between Citrix Cloud and your Resource Locations.
All connections are established from the Cloud Connector to the cloud. No incoming connections are accepted.

The Cloud Connector installer is available from the Citrix Cloud Control Center. It can be downloaded from the Resource
Locations page.

The Cloud Connector needs to be installed on a Windows 2012 R2 or Windows 2016 server that is domain joined. This server
should be able to communicate with the resources in the Resource Location that you want to manage from your Citrix
Cloud workspaces.

Silent installation and push deployments of the Connector using Group Policy or other deployment systems are supported. See
Citrix Cloud Connector Technical Details for required silent install parameters.

All communications between the Cloud Connector and Citrix Cloud are outbound. No inbound connections are required.
The connections all use the standard HTTPS port (443) and the TCP protocol. After you have installed the Cloud
Connector, there is no need for any special configuration on the server.

Active Directory (AD): Enables AD management, allowing the use of AD forests and domains within your Resource
Locations. It removes the need for adding any additional AD trusts.
XenApp and XenDesktop publishing: Enables publishing from resources in your Resource Locations.
XenMobile: Enables a XenMobile enterprise mobility management (EMM) environment for managing apps and devices as
well as users or groups of users.
Delivery group provisioning: Enables provisioning of machines directly into your Resource Locations.

As long as there is one Cloud Connector available, there will be no loss in communication with Citrix Cloud.

The Cloud Connector is stateless. All configuration is stored in the cloud. This enables any Cloud Connector in a Resource
Location to provide the operations required. Install more than 1 Cloud Connector in your Resource Location to distribute
the load across all services.

The end user's connection to the Resource Location does not rely on a connection to Citrix Cloud, wherever possible. This
enables the Resource Location to provide users access to their resources regardless of a connection being available to
Citrix Cloud.

Note: Although operational, functionality might be reduced for the period of time that the connection to Citrix Cloud is
unavailable.

You can monitor the health of the Cloud Connector from the Citrix Cloud Control Center.

You can install multiple Cloud Connectors into your Resource Locations. This provides for a robust connection. If one Cloud
Connector is unavailable for any period of time, the other Cloud Connector(s) can take over and maintain the connection.

Note: Citrix recommends a minimum of 2 Cloud Connectors for each Resource Location to ensure continuous availability of
the Resource Location.

You can install multiple Cloud Connectors into your Resource Locations. Since each Cloud Connector is stateless, the load
can be distributed across all available Cloud Connectors.

There is no need to configure this load balancing function. It is completely automated.

In each Resource Location you need enough Cloud Connectors to support your required load and then at least 1 more to
make sure that you have highly available support. At a minimum, 2 Cloud Connectors should be installed to provide
redundancy.

Basically, nothing. Install and walk away. As long as you have installed the Cloud Connectors in a highly available mode, you
can manage the machines that the services are installed on one at a time to avoid an outage. The
health of the services can be monitored from the Citrix Cloud Control Center.

The services are designed to be part of the cloud management model and the Cloud Connectors are fully managed from
Citrix Cloud.

Jan 20, 2017
The Citrix Cloud Connector is a component with a collection of Windows services installed on Windows 2012 R2 or
Windows 2016 Server.

.Net: .Net 4.5.1 or later.


Active Directory (AD): Join the machine to an AD domain that contains the resources and/or users for the assignment to
service offerings (Active Directory schema versions 2008 R2 and later are supported).
Networking: Connect the machine to a network that can contact the resources in the Resource Location. These
resources provide the services. The machine must have a connection to the internet. For more details see "Networking
Details" below.
Make sure the clock on the server has the correct UTC time. Otherwise, you cannot connect to the cloud.

See Internet Connectivity Requirements and Cloud Connector Proxy and Firewall Configuration
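
The requirements above can be checked on a candidate server before the installer is run. The following PowerShell function is an added example, not Citrix's own tooling; the function name, the 5-minute skew tolerance, and the use of the HTTPS Date header as a time reference are assumptions, while the URL is the Citrix Cloud logon address given elsewhere in this document.

```powershell
# Added example: pre-install checks for a Cloud Connector host.
# Assumptions (not from the documentation): function name, skew tolerance,
# and using the HTTPS "Date" response header as the UTC reference.
function Test-ConnectorHost {
    param(
        [string]$CloudUrl = 'https://citrix.cloud.com',
        [int]$MaxSkewMinutes = 5          # assumed tolerance
    )
    $results = [ordered]@{}

    # Supported operating systems: Windows 2012 R2 or Windows 2016 Server.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['SupportedOS'] = $os.Caption -match 'Server 2012 R2|Server 2016'

    # The machine must be joined to an Active Directory domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['DomainJoined'] = [bool]$cs.PartOfDomain

    # .NET 4.5.1 or later: the Release DWORD is 378675 or higher.
    $ndp = Get-ItemProperty -ErrorAction SilentlyContinue `
        -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $results['DotNet451OrLater'] = ($null -ne $ndp) -and ($ndp.Release -ge 378675)

    # One outbound HTTPS request covers two requirements: port 443 egress
    # and a clock that agrees with UTC.
    $results['Outbound443'] = $false
    $results['ClockInSync'] = $false
    try {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $resp = Invoke-WebRequest -Uri $CloudUrl -UseBasicParsing -TimeoutSec 20
        $results['Outbound443'] = $true
        $serverUtc = [DateTime]::Parse(
            [string]$resp.Headers['Date'],
            [Globalization.CultureInfo]::InvariantCulture).ToUniversalTime()
        $skew = [Math]::Abs(($serverUtc - [DateTime]::UtcNow).TotalMinutes)
        $results['ClockInSync'] = $skew -le $MaxSkewMinutes
    } catch {
        # An HTTP error status still proves that port 443 egress works.
        if ($_.Exception.Response) { $results['Outbound443'] = $true }
        Write-Warning "HTTPS request to $CloudUrl failed: $($_.Exception.Message)"
    }

    [pscustomobject]$results
}

# Show every check and flag the host if any of them failed.
$check = Test-ConnectorHost
$check | Format-List
if ($check.PSObject.Properties.Value -contains $false) {
    Write-Warning 'One or more Cloud Connector prerequisites are not met.'
}
```

Run it as the account that will perform the installation, because the request uses that user's internet settings in the same way the installer does.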

The Resource Locations page reports the health of the Connector. If the Cloud Connector does not appear in the list of
services or is not marked as healthy, see How Do I Diagnose a Problem with the Connector? below.

Event Messages

Event messages are available in the Windows Event viewer on the connector machine. See Windows Event Information
below for details of the event.

Operational Logs

The event logs are in the C:\ProgramData\Citrix\WorkspaceCloud\Logs directory of the machine.

If the Connector is not listed or is "not in contact"

The event messages and logs will provide an initial indication of issues.

If the Connector is "disconnected"

If the event logs do not indicate why you cannot establish a connection between the Connector and Citrix Cloud, contact
Citrix Support.

If the Connector is in an "error" state

There may be a problem with the server hosting the Cloud Connector. Move the Cloud Connector to a new server or
contact Citrix support.

If you're still having problems, contact support.

The Windows event logs generated by the Connector are in the following documents:

Connector Agent Provider [XML format]


Connector AgentWatchDog Provider [XML format]

Mar 09, 2017

The Cloud Connector is currently supported as an interactive and non-interactive installation.

The connector requires access to the Cloud during installation. This access is to authenticate, validate the installer's permission(s), and
download and configure the services the connector provides. The installation occurs with the privileges of the user who initiated the install.

Installation Requirements:

You can only install the Connector onto a domain-joined machine. The installer will not allow the install to occur if it is not on a domain-joined
machine.
The machine where you are installing the connector needs to be in sync with UTC time for proper installation and operation.
Copy the installer (CWCConnector.exe) to the server and run it. Make sure your browser allows the download of executable files.
Switch Enhanced Security Configuration (ESC) off during installation.
You cannot install the Connector on machine templates cloned across multiple machines. Do a separate install of the Connector onto all
machines.

Important Considerations:

Ensure that you keep all of your connectors powered on at all times for proper operation.
The Connector should be installed on a dedicated domain joined machine.
It is highly recommended that you do not install the connector onto an Active Directory domain server or any other machine critical to your
Resource Location infrastructure. Regular maintenance on the Cloud Connector will perform machine operations that will cause an outage
to these additional resources.
Ensure that the base Internet Connectivity Requirements are being met on all connector machines.
You should install connectors in pairs. The number of connectors you should install is (N+1) where N is the capacity needed to support the
infrastructure within your Citrix Cloud Resource Location. This is 2 at minimum.
Each Active Directory forest you plan to use within Citrix Cloud should be reachable by 2 connectors at all times.
If you're installing the connector in an environment that has a Web Proxy or strict firewall rules, see Cloud Connector Proxy and Firewall
Configuration for requirements before continuing the installation.
Please refrain from downloading and installing additional Citrix related software products on your connectors.
On the server, uninstall the previously installed Connector before installing the new one. Upgrading existing Connector installations is not
supported.
After installation, do not move the machine hosting the Connector into a different domain.
You should enable Windows updates on all of your Connectors.

To install the Citrix Cloud Connector, log in to Citrix Cloud. Navigate to the Resource Locations page and download the
latest Connector (see image above).

The following will occur during installation:

An initial connectivity check to Citrix Cloud will be performed
Prompting for Citrix Cloud administrator user name and password
If you are an administrator to more than 1 customer
    You will be prompted to choose the customer to associate the connector installation with
If the customer you're installing the connector for has more than 1 resource location
    You will be prompted to choose the resource location to associate the connector installation with
Final connectivity check to ensure connector-to-cloud communication

Silent or automated installation is supported. However, using the same installer for repeated installations over a period of
time is not recommended. Download a new Connector from the site using the instructions in Where do I get it?

The list of supported parameters can be retrieved by running: CWCConnector /?

/Customer: This is the customer ID available in the console on the API Access page (within Identity and Access
Management). This is required.

/ClientId: Found on the API Access page. This is the secure client ID an administrator can create. This is required.

/ClientSecret: Found on the API Access page. This is the secure client secret available via download after a secure client is
created. This is required.

/ResourceLocationId: This ID can be retrieved on the Resource Locations page using the ID button. This is not required.

/AcceptTermsOfService: Yes. This is required.

A sample command line with all required parameters:

CWCConnector.exe /q /Customer:Customer /ClientId:ClientId /ClientSecret:ClientSecret /ResourceLocationId:ResourceLocationId /AcceptTermsOfService:true

Exit Codes:

1603 - An unexpected error occurred.
2 - A prerequisite check failed.
0 - Installation completed successfully.

Commandline Installation:

Use Start /Wait CWCConnector.exe /parameter:value in order to examine any potential error code in the case of a
failure. This can be done using the standard mechanism of running echo %ErrorLevel% after the installation completes.

Installation logs can be found here:

%LOCALAPPDATA%\Temp\CitrixLogs\CloudServicesSetup

Or within the following consolidated location, after installation:

%ProgramData%\Citrix\WorkspaceCloud\InstallLogs
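
The silent-install parameters, exit codes and log locations above can be combined into one unattended run. This PowerShell script is an added example and not Citrix's own; the installer path, the CC_* environment variable names, the 7-day freshness threshold, and the expectation that the download is Authenticode-signed are assumptions.

```powershell
# Added example: unattended Cloud Connector install with exit-code handling.
# Assumptions (not from the documentation): installer path, CC_* variable
# names, freshness threshold, and an Authenticode-signed installer.
param(
    [string]$InstallerPath = 'C:\Temp\CWCConnector.exe',  # hypothetical path
    [string]$ResourceLocationId,                           # optional parameter
    [int]$MaxInstallerAgeDays = 7                          # assumed threshold
)
$ErrorActionPreference = 'Stop'

# Secure client values from the API Access page, read from the environment
# so they are never stored in the script or in source control.
$required = [ordered]@{
    Customer     = $env:CC_CUSTOMER_ID
    ClientId     = $env:CC_CLIENT_ID
    ClientSecret = $env:CC_CLIENT_SECRET
}
foreach ($name in $required.Keys) {
    if ([string]::IsNullOrWhiteSpace($required[$name])) {
        throw "No value supplied for the required /$name parameter."
    }
}

# The installer will not proceed on a machine that is not domain joined.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw 'This machine is not joined to a domain.'
}

# Reject a tampered or truncated download before it runs with install rights.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') { throw "Installer signature status: $($sig.Status)" }
Write-Output "Installer signed by: $($sig.SignerCertificate.Subject)"

# Reusing one installer over a period of time is not recommended.
# LastWriteTime approximates when the file was downloaded.
$ageDays = ((Get-Date) - (Get-Item $InstallerPath).LastWriteTime).TotalDays
if ($ageDays -gt $MaxInstallerAgeDays) {
    Write-Warning ('Installer is {0:N0} days old; download a new one.' -f $ageDays)
}

$arguments = @(
    '/q'
    "/Customer:$($required.Customer)"
    "/ClientId:$($required.ClientId)"
    "/ClientSecret:$($required.ClientSecret)"
    '/AcceptTermsOfService:true'
)
if ($ResourceLocationId) { $arguments += "/ResourceLocationId:$ResourceLocationId" }

# -Wait blocks until the installer exits and -PassThru exposes its exit code:
# the PowerShell counterpart of "Start /Wait" plus "echo %ErrorLevel%".
$proc = Start-Process -FilePath $InstallerPath -ArgumentList $arguments -Wait -PassThru

# The secret was on the installer's command line; if command-line process
# auditing is enabled on this host, those audit records now contain it.
$required.Clear()
Remove-Item Env:\CC_CLIENT_SECRET -ErrorAction SilentlyContinue

switch ($proc.ExitCode) {
    0       { Write-Output  'Installation completed successfully.' }
    2       { Write-Warning 'A prerequisite check failed.' }
    1603    { Write-Warning 'An unexpected error occurred.' }
    default { Write-Warning "Undocumented exit code: $($proc.ExitCode)" }
}

# On failure, point the operator at whichever documented log folder exists.
if ($proc.ExitCode -ne 0) {
    @(
        (Join-Path $env:LOCALAPPDATA 'Temp\CitrixLogs\CloudServicesSetup'),
        (Join-Path $env:ProgramData  'Citrix\WorkspaceCloud\InstallLogs')
    ) | Where-Object { Test-Path $_ } |
        ForEach-Object { Write-Warning "Installation logs: $_" }
}
exit $proc.ExitCode
```

Review the printed signer subject before trusting the result, and restrict the secure client used for deployment to what the installation needs.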

May 08, 2017
Port 443 using HTTP traffic, egress only. For full connectivity details, see Internet Connectivity Requirements.

The Connector supports connection to the internet via a web proxy server. Both the installer and the services it installs
need connections to Citrix Cloud. Internet access needs to be available at both these points.

Installer

The installer will use the settings configured for internet connections. If you can browse the internet from the machine
then the installer should also function.

See Changing proxy server settings in Internet Explorer for details of how to configure the proxy settings.

Services at Runtime

The runtime service operates in the context of a local service. It does not use the setting defined for the user (as described
above). It requires additional configuration.

To configure the proxy settings for this, use 'netsh' from the Windows command line. Open the cmd.exe window and use
the following:

netsh winhttp import proxy source=ie

This will import the settings from the browser as configured in the step above. After the above command is executed,
reboot the Cloud Connector machine so that the services start up with these proxy settings.

For full details see Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP).

Note: There is no support for auto-detect or PAC scripts.
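
Because the installer reads the user's browser proxy settings while the runtime services read the WinHTTP settings, the two can drift apart. The PowerShell function below is an added example, not Citrix's own tooling, that compares them and flags a PAC script; the function name is hypothetical, English-language netsh output is assumed, and the auto-detect setting is not inspected.

```powershell
# Added example: compare the user (Internet Explorer) proxy with the WinHTTP
# proxy used by services. Assumptions: function name, English netsh output.
function Get-ConnectorProxyView {
    # Per-user settings, the ones the interactive installer relies on.
    $ie = Get-ItemProperty -Path `
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $userProxy = if ($ie.ProxyEnable -eq 1) { $ie.ProxyServer } else { $null }
    $pacUrl    = $ie.AutoConfigURL   # set when a PAC script is configured

    # Machine-wide WinHTTP settings, the ones the runtime services rely on.
    $winHttpProxy = $null
    foreach ($line in (& netsh.exe winhttp show proxy)) {
        if ($line -match 'Proxy Server\(s\)\s*:\s*(\S+)') {
            $winHttpProxy = $Matches[1]
        }
    }

    [pscustomobject]@{
        UserProxy    = $userProxy
        WinHttpProxy = $winHttpProxy
        InSync       = ($userProxy -eq $winHttpProxy)
        PacInUse     = -not [string]::IsNullOrEmpty($pacUrl)
        PacUrl       = $pacUrl
    }
}

$view = Get-ConnectorProxyView
$view | Format-List

if ($view.PacInUse) {
    # PAC scripts are not supported, so a static proxy must be set instead.
    Write-Warning "A PAC script is configured ($($view.PacUrl)); set an explicit proxy server."
}
if (-not $view.InSync) {
    # Services would start with different proxy settings than the installer used.
    Write-Warning ("User and WinHTTP proxy settings differ. From an elevated prompt run " +
        "'netsh winhttp import proxy source=ie', then reboot the Cloud Connector machine.")
}
```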

Apr 12, 2017

About XenApp and XenDesktop Service

XenApp and XenDesktop Trial Checklist

Getting Started with the XenApp and XenDesktop Service

Create Resource Locations on Amazon EC2 with Citrix Lifecycle Management

Configure Provisioning

Configure VDAs

Director

Setting Up StoreFront With Citrix Cloud

VMware SSL Thumbprint

Application Publishing

XenApp and XenDesktop Remote PowerShell SDK

Technical Security Overview For the XenApp and XenDesktop Service

XenApp Essentials Service

XenDesktop Essentials Service

On-premises Resource Reference Architecture

New Customers Reference Architecture

NetScaler VPX Deployment Guides

Microsoft Azure Resource Manager virtualization environments

Sep 21, 2016
The XenApp and XenDesktop Service is a service of Citrix Cloud. The XenApp and XenDesktop Service offers secure access
to virtual Windows, Linux, and web apps and desktops. This service is based on XenApp and XenDesktop technology.

Host connection: A connection between the XenApp and XenDesktop Service and your on-premises hypervisor,
supported cloud provider, or hybrid environment. Using the host connection, the XenApp and XenDesktop Service can
provision machines to the network resources you specify and manage user access to the apps and desktops you make
available. See Configure Provisioning for more information.
Machine catalog: A collection of physical or virtual machines, managed as a single entity. All machines in the machine
catalog are configured identically, using a master image that you create. For more information, see Setting up and
assigning resources.
Virtual Delivery Agent (VDA): An agent installed on machines in a catalog that allows the resources they host to be
made available to users. Typically, the agent is installed on the master image for the catalog, ensuring all machines
provisioned from that image have the agent as well. The XenApp and XenDesktop Service uses the term "VDA" to refer
to the agent as well as the machines on which it is installed.
Delivery group: A collection of users who have access to a set of resources. For more information, see Setting up and
assigning resources.
Studio: The management console for the XenApp and XenDesktop Service. Using Studio, you can set up host
connections, create machine catalogs, and assign users and machines to delivery groups.

To prepare your environment for using the XenApp and XenDesktop Service Trial, download the XenApp and XenDesktop
Service Trial Checklist.

To set up the XenApp and XenDesktop Service, see Getting Started with the XenApp and XenDesktop Service.

The XenApp and XenDesktop Service (the Service) is designed using industry best practices to achieve cloud scale and a high
degree of service availability.

Citrix's goal is that in any 30 calendar day period 99.9% of the time users can access their app or desktop session through
the Service.
Performance against this goal can be monitored on an ongoing basis at http://status.cloud.com

Limitations

The calculation of this Service Level Goal will not include loss of availability from the following causes:

Customer failure to follow configuration requirements for the service documented on https://docs.citrix.com.
Caused by any component not managed by Citrix including, but not limited to, customer controlled physical and virtual
machines, customer installed and maintained operating systems, customer installed and controlled networking
equipment or other hardware; customer defined and controlled security settings, group policies and other configuration
policies; public cloud provider failures, Internet Service Provider failures or other causes external to Citrix's control.
Service disruption due to reasons beyond Citrix's control, including natural disaster, war or acts of terrorism, government
action.

Known Issues
May 15, 2017
The XenApp and XenDesktop Service has the following known issues:

Custom Report queries saved in Director are not available after a Cloud upgrade. [#DNA-23420]
When deploying to Azure and creating an MCS catalog version 7.9 (or newer) with write back cache enabled, an error is
encountered. Also, you cannot create anything related to Personal vDisk for Microsoft Azure.

As a workaround, select another catalog version to deploy to Azure, or disable write back cache. To disable write back
cache:

On the Master Image page in the Create Machine Catalog wizard, pick a VHD for the master image and then click
Next.

Under Write Back Cache, clear the Memory allocated to cache and Disk cache size check boxes, and then click
Next.

When creating a machine catalog, Remote PC Access is not shown as an option. See CTX220737 for details about using
the Remote PowerShell SDK to create the catalog.
When creating a catalog using Machine Creation Services, using existing Active Directory machine accounts fails. As a
workaround, allow the accounts to be created. [#DNA-24566]
In Director, Export in Trends and Alerts fails. [#DNA-41528]
In Director, the creation of new alert policies results in an error. However, alerts are triggered according to existing alert
policies. [#DNA-41346]

Getting Started with the XenApp and XenDesktop Service
Mar 30, 2017
In this article:

Architectural overview
Remote PC Access
Prep Task: Download the XenApp and XenDesktop Service Trial Checklist
Task 1: Create a resource location
Task 2: Create a host connection
Task 3: Set up machine provisioning
Task 4: Create a delivery group
Using NetScaler VPX with the XenApp and XenDesktop Service
Monitoring the XenApp and XenDesktop Service
Setting up workspaces and adding users

Architectural Overview

Consider the following items when setting up the XenApp and XenDesktop Service:

At least two Citrix Cloud Connectors are needed and can be placed in either the perimeter network (also known as a
DMZ) or internal networks.
One or more Linux or shared hosted desktop VDAs can be installed and configured for remote connections.
Connections to StoreFront occur within the internal network Active Directory domain resource zone.

The following diagram shows the environment utilizing internal connections. The Citrix Cloud Connectors are proxies for
communication between the Citrix Cloud broker, StoreFront servers, and the VDAs.

When hosting all core components on Microsoft Azure (including the Controller and site database), SQL Server on Azure
VMs (IaaS) is supported. Azure SQL (PaaS) Database is not supported.

Remote PC Access

See CTX220737 for details about enabling XenDesktop Remote PC Access in Citrix Cloud.

Prep Task: Download the XenApp and XenDesktop Service Trial Checklist

The XenApp and XenDesktop Service Trial allows you to try out the service using your own on-premises infrastructure, a
supported cloud provider, or a hybrid configuration.

To help you get the most from your trial experience, the XenApp and XenDesktop Service Trial Checklist includes planning
information, a sample architecture, and build resources so you can prepare your target environment ahead of your trial
approval.

Download the XenApp and XenDesktop Service Trial Checklist

After your trial is approved, use this topic to set up the XenApp and XenDesktop Service.

Task 1: Create a resource location

Before you can use the XenApp and XenDesktop Service, you need to set up a resource location. You can create a resource
location using Citrix Smart Tools or you can create one manually.

For more information about resource locations and how they function, see What are Resource Locations?

Create your first resource location with Smart Tools

If you have no resource locations in your Citrix Cloud account and you want to use Amazon Web Services (AWS) with the
XenApp and XenDesktop Service, you can use Smart Tools to create your first resource location on AWS. This option
minimizes the manual tasks associated with setting up a domain and deploying machines.

Smart Tools deploys the machines required for your resource location, including VDAs, and sets up a NetScaler Gateway so
external users can securely access the applications and desktops you provide. By default, your new resource location will
use the cloud-hosted StoreFront that comes with Citrix Cloud. However, Smart Tools provides the option of deploying a
StoreFront server so you can manage the stores available to your users.

When Smart Tools creates your resource location, Citrix Cloud registers the Citrix Cloud Connectors that are deployed and
registers the domain that is created with your Citrix Cloud account.

For a walkthrough of using Smart Tools to create your resource location, see Create Resource Locations on Amazon EC2
with Citrix Smart Tools.

Create a resource location manually


Set up your resource location manually if:

You have existing resource locations in your Citrix Cloud account.


You want to set up a resource location on your choice of supported cloud providers or on-premises hypervisors (AWS,
Microsoft Azure, Citrix XenServer, or VMware vSphere).

You need the following components for your resource location:


An Active Directory domain controller.
Two physical or virtual Windows Server 2012 R2 machines that are joined to the domain, on which to install the Citrix
Cloud Connector.
Two physical or virtual Windows Server 2012 R2 machines that are joined to the domain, for hosting application and
desktop images.

The Citrix Cloud Connector machines should meet the following minimum requirements:
.NET 4.5 must be installed.
At least 32 GB of disk space and 4 GB of memory.
Active Directory Computer account with Read permissions on containers, Read/Write permissions on user and computer
objects.
Outbound port 443 must be open to allow access to the Internet. The Citrix Cloud Connector also supports Internet
Explorer proxy settings configured for outbound connections. For proxy support, see Citrix Cloud Connector - Technical
Details.

If you want to enable secure external access to the applications and desktops you offer to users, you will need to add a
NetScaler VPX appliance to your resource location and set up a NetScaler Gateway. For proof-of-concept purposes, you
can use the cloud-hosted StoreFront that comes with Citrix Cloud, which allows internal access only.

Task overview

Depending on your cloud provider or on-premises hypervisor, perform the following tasks to set up your resource location:

1. Create the appropriate virtual private cloud (VPC) or virtual networks for the machines you will add to your resource
location. For example, for AWS, set up a VPC with public and private subnets.
2. Create the appropriate rules to secure inbound and outbound Internet traffic as well as traffic between the machines in
the virtual network. For example, in AWS, ensure the VPC's security group has the appropriate rules configured so the
machines in the VPC are accessible only to the IP addresses you specify.
3. Provision a machine, install Active Directory Domain Services, and promote it to a domain controller.
4. Provision two machines, join them to the domain, and install the Citrix Cloud Connector on each one.
5. Provision two machines, join them to the domain, and install the Virtual Delivery Agent (VDA) on each one.

To install the Citrix Cloud Connector

Citrix Cloud requires that you install the Citrix Cloud Connector on two machines. This ensures continuous availability of your
resource location. The Citrix Cloud Connector is stateless. All logs and alerts are sent back to Citrix Cloud.

1. Go to https://citrix.cloud.com and log on with the credentials you received in the email from Citrix Cloud. The Citrix Cloud
Control Center opens.
2. From the menu button in the upper left corner, select Resource Locations.
3. Download and install the Citrix Cloud Connector onto a Windows Server 2012 R2 machine that is joined to your Active
Directory domain and has outbound Internet access.
4. When prompted, enter the same credentials you entered to log on to Citrix Cloud. Follow the wizard to install and
configure the Citrix Cloud Connector.
5. Repeat Steps 1-4 on additional machines you want to use as Citrix Cloud Connectors.

After installation, Citrix Cloud registers your domain in Identity and Access Management. For more information, see
Identity and Access Management.

To install the Virtual Delivery Agent

As part of preparing your machines for hosting the applications and desktops you will offer to users, you need to install the
Citrix VDA software on each machine. The VDA software enables the machine to register with the XenApp and
XenDesktop Service, establish and manage the connection between the machine and the user device, verify that a Citrix
license is available for the user or session, and apply any policies that have been configured for the session. The VDA
communicates session information to the XenApp and XenDesktop Service through the broker agent included in the VDA.

VDAs are available for Windows server and desktop operating systems. VDAs for Windows server operating systems allow
multiple users to connect to the server at one time. VDAs for Windows desktop operating systems allow only one user to
connect to the desktop at a time.

For instructions for installing the VDA, see Configure VDAs.

Manually create a resource location on AWS

If you want to use AWS with the XenApp and XenDesktop Service, but you don't want to use Smart Tools to set up a
resource location, you can set one up manually.

For detailed instructions, see Set up an AWS resource location for the XenApp and XenDesktop Service.

Task 2: Create a host connection

A host connection enables the XenApp and XenDesktop Service to communicate with your cloud provider or on-premises
hypervisor and defines the network resources that the XenApp and XenDesktop Service can use when provisioning
machines that host applications and desktops for your users.

For instructions for creating a host connection, see Configure connections and resources.

Task 3: Set up machine provisioning

Machine provisioning refers to the process by which machines hosting your applications and desktops are provisioned to
your resource location. These machines are collected into machine catalogs. To populate the machine catalog, the XenApp
and XenDesktop Service uses a master image that includes the operating system and applications you want to make
available to users. The master image ensures that all the machines in the catalog are identically configured.

The XenApp and XenDesktop Service supports two methods for machine provisioning: Machine Creation Services (MCS) and
Provisioning Services.

To set up the XenApp and XenDesktop Service with MCS provisioning, perform the following tasks:

1. On the VDA machines in your resource location, install the operating system updates and applications you want to make
available to users. If you are using a hypervisor in your resource location, install the appropriate integration software (for
example, XenServer Tools, VMware Tools, and so on) on these machines. Afterward, create an image or snapshot of the
VDA. You will use this image as the master image for your machine catalog.
2. Create a machine catalog using the master image you created. For instructions, see Create machine catalogs.

For more information about using Provisioning Services with the XenApp and XenDesktop Service, see Using Provisioning
Services.

Task 4: Configure a delivery group

A delivery group is a collection of machines from one or more machine catalogs. Delivery groups specify which users can
access those machines as well as the applications and desktops that they host.

1. In Studio, right-click Delivery Groups in the left panel and select Create Delivery Group.
2. Select the number of machines that you want to make available to the delivery group. The number you specify cannot
exceed the number of machines that are in your machine catalog. Click Next.
3. On the Delivery Type page, select whether you want to use the machines to deliver only desktops, only applications, or
both.
4. To configure Receiver, select the option Manually, using a StoreFront server address that I will provide later.
Click Next.
5. Provide a descriptive name for the Delivery Group for simple identification. This name is visible to users. Click Finish.

Using NetScaler VPX with the XenApp and XenDesktop Service

Citrix Cloud comes with a cloud-hosted StoreFront that enables you to provide internal access to the applications and
desktops you make available in your resource location. To provide external access to those resources, you need to add
NetScaler VPX to your resource location and configure a NetScaler Gateway that your users can access.

If you use Smart Tools to create your resource location on AWS, you need to subscribe to the NetScaler VPX service in the
Amazon Marketplace. When Smart Tools creates your resource location, it will also launch an instance of the NetScaler
appliance and configure the NetScaler Gateway for you.

If you want to add NetScaler manually to a resource location, refer to the NetScaler VPX Deployment Guides.

Monitoring the XenApp and XenDesktop Service

To monitor the overall performance of the XenApp and XenDesktop Service, do the following:

1. Navigate to the XenApp and XenDesktop Service.
2. Select the Monitor tab.

The administrator can view information on sessions, logon duration, as well as other information.

Setting up workspaces and adding users

To offer the applications and desktops in your resource location as a service to your users, you can create a workspace and
subscribe your users to it.

For more information about creating workspaces, see Creating and Publishing a Workspace.

Related information

You can publish an application that is simply a URL or UNC path to a resource, such as a Microsoft Word document or a web
link. This is known as published content. You publish content using the Remote PowerShell SDK. For details, see Publish
content.

Set up an AWS resource location for the XenApp and XenDesktop Service
May 25, 2016
In this article:

Component overview
Task overview
Task 1: Set up the virtual private cloud
Task 2: Configure security groups
Task 3: Associate the NAT instance with the NAT security group
Task 4: Launch instances
Task 5: Create a DHCP options set
Task 6: Configure the instances

The tasks in this article walk you through setting up your AWS account as a resource location you can use with the XenApp
and XenDesktop Service. The resource location includes a basic set of components, ideal for a proof-of-concept or other
deployment that does not require resources spread over multiple availability zones. After you complete these tasks, you can
configure machine provisioning with Machine Creation Services (MCS), configure delivery groups, and add VDAs, NetScaler
VPX, or other components to your environment.

Component overview

When you complete these tasks, your resource location will include the following components:

A virtual private cloud (VPC) with public and private subnets inside a single availability zone.
An instance that runs as both an Active Directory domain controller and DNS server, located in the private subnet of the
VPC.
Two domain-joined instances on which the Citrix Cloud Connector is installed, located in the private subnet of the VPC.
Citrix recommends at least two Citrix Cloud Connectors for high availability.
An instance that acts as a bastion host, located in the public subnet of your VPC. This instance is used to initiate RDP
connections to the instances in the private subnet for administration purposes. After you finish setting up your resource
location, you can shut down this instance so it is no longer readily accessible. When you need to manage other instances
in the private subnet, such as VDA instances, you can restart the bastion host instance.

Task overview

To achieve this configuration, you perform the following tasks:

Set up a VPC with public and private subnets. When you complete this task, AWS deploys a NAT instance with an
Elastic IP address in the public subnet which enables instances in the private subnet to access the Internet. Instances in
the public subnet are accessible to inbound public traffic while instances in the private subnet are not.
Configure security groups. Security groups act as virtual firewalls that control traffic for the instances in your VPC.
You will add rules to your security groups that allow instances in your public subnet to communicate with instances in
your private subnet. You will also associate these security groups with each instance in your VPC.
Create a DHCP options set. With an Amazon VPC, DHCP and DNS services are provided by default, which affects how
you configure DNS on your Active Directory domain controller. Amazon's DHCP cannot be disabled and Amazon's DNS
can be used only for public DNS resolution, not Active Directory name resolution. To specify the domain and name
servers that should be handed to instances via DHCP, you will create a new DHCP options set. The set assigns the Active
Directory domain suffix and specifies the DNS server for all instances in your VPC. To ensure Host (A) and Reverse
Lookup (PTR) records are automatically registered when instances join the domain, you will configure the network
adapter properties for each instance you add to the private subnet.
Add a bastion host, domain controller, and Citrix Cloud Connectors to the VPC. Through the bastion host, you
can log on to instances in the private subnet to set up the domain, join instances to the domain, and install the Citrix
Cloud Connector.

Task 1: Set up the virtual private cloud

1. From the AWS management console, click VPC.
2. From the VPC Dashboard, click Start VPC Wizard.
3. Select VPC with Public and Private Subnets and then click Select.
4. Enter a VPC name and make appropriate changes to the IP CIDR block and Public and Private subnet IP ranges, if
necessary.
5. If a NAT gateway is selected, click Use a NAT Instance instead.
6. For the NAT instance, specify the instance type and the key pair you want to use. The key pair enables you to securely
connect to the instance at a later time.
7. In Enable DNS hostnames, leave Yes selected.
8. Click Create VPC. AWS creates the public and private subnets, Internet gateway, route tables, and default security
group. Also, a NAT instance is created and assigned an Elastic IP address.

Task 2: Configure security groups

In this task, you will create the following security groups for your VPC:

A security group for the NAT instance.
A Public security group, with which instances in your Public subnet will be associated.
A Private security group, with which instances in your Private subnet will be associated.

1. From the VPC Dashboard, click Security Groups.
2. Create a security group for the NAT instance:
1. Click Create Security Group and enter a name tag and description for the group.
2. In VPC, select the VPC you created earlier.
3. Click Yes, Create.
3. Repeat Step 2 to create a Public security group and a Private security group.

Configure the NAT security group

1. From the security group list, select the NAT security group.
2. Click the Inbound Rules tab and click Edit to create the following rules:

Type            Source
ALL Traffic     Select the Private security group.
22 (SSH)        0.0.0.0/0

3. When finished, click Save.

Configure the Public security group

1. From the security group list, select the Public security group.
2. Click the Inbound Rules tab and click Edit to create the following rules:

Type                          Source
ALL Traffic                   Select the Private security group.
ALL Traffic                   Select the Public security group.
ICMP                          0.0.0.0/0
22 (SSH)                      0.0.0.0/0
80 (HTTP)                     0.0.0.0/0
443 (HTTPS)                   0.0.0.0/0
1494 (ICA/HDX)                0.0.0.0/0
2598 (Session Reliability)    0.0.0.0/0
3389 (RDP)                    0.0.0.0/0

3. When finished, click Save.
4. Click the Outbound Rules tab and click Edit to create the following rules:

Type            Destination
ALL Traffic     Select the Private security group.
ALL Traffic     0.0.0.0/0
ICMP            0.0.0.0/0

5. When finished, click Save.

Configure the Private security group

1. From the security group list, select the Private security group.
2. Click the Inbound Rules tab and click Edit to create the following rules:

Type                              Source
ALL Traffic                       Select the NAT security group.
ALL Traffic                       Select the Private security group.
ALL Traffic                       Select the Public security group.
ICMP                              Select the Public security group.
TCP 53 (DNS)                      Select the Public security group.
UDP 53 (DNS)                      Select the Public security group.
80 (HTTP)                         Select the Public security group.
TCP 135                           Select the Public security group.
TCP 389                           Select the Public security group.
UDP 389                           Select the Public security group.
443 (HTTPS)                       Select the Public security group.
TCP 1494 (ICA/HDX)                Select the Public security group.
TCP 2598 (Session Reliability)    Select the Public security group.
3389 (RDP)                        Select the Public security group.
TCP 49152-65535                   Select the Public security group.

3. When finished, click Save.
4. Click the Outbound Rules tab and click Edit to create the following rules:

Type            Destination
ALL Traffic     Select the Private security group.
ALL Traffic     0.0.0.0/0
ICMP            0.0.0.0/0
UDP 53 (DNS)    0.0.0.0/0

5. When finished, click Save.
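
The inbound rules above open SSH and RDP to 0.0.0.0/0, while the task overview asks that machines be accessible only to the IP addresses you specify. The following check is an added example, not part of the Citrix documentation: it reads security groups in the JSON shape returned by aws ec2 describe-security-groups, reports administrative ports open to any address, and shows the same rules narrowed to one administrator range. The group IDs, the sample data, the 203.0.113.10/32 address and the choice of SSH and RDP as the administrative ports are assumptions.

```python
import copy
import ipaddress

# Ports treated as administrative in this check (an assumption; extend as needed).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY = "0.0.0.0/0"


def perm(proto, port=None, cidrs=(), groups=()):
    """Build one IpPermissions entry in describe-security-groups shape."""
    entry = {
        "IpProtocol": proto,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": g} for g in groups],
    }
    if port is not None:  # "-1" (all traffic) entries carry no port fields
        entry["FromPort"] = entry["ToPort"] = port
    return entry


# Constructed sample mirroring the inbound tables above. Group IDs are
# placeholders, and the Private group is abridged to four of its rules.
NAT, PUB, PRIV = "sg-nat-example", "sg-public-example", "sg-private-example"
SAMPLE = [
    {"GroupId": NAT, "GroupName": "NAT", "IpPermissions": [
        perm("-1", groups=[PRIV]),
        perm("tcp", 22, cidrs=[ANY])]},
    {"GroupId": PUB, "GroupName": "Public", "IpPermissions": [
        perm("-1", groups=[PRIV]),
        perm("-1", groups=[PUB]),
        perm("icmp", -1, cidrs=[ANY])]
        + [perm("tcp", p, cidrs=[ANY]) for p in (22, 80, 443, 1494, 2598, 3389)]},
    {"GroupId": PRIV, "GroupName": "Private", "IpPermissions": [
        perm("-1", groups=[NAT]),
        perm("-1", groups=[PRIV]),
        perm("-1", groups=[PUB]),
        perm("tcp", 3389, groups=[PUB])]},
]


def world_sources(p):
    """Return the any-address CIDRs (IPv4 or IPv6) listed on a permission."""
    cidrs = [r["CidrIp"] for r in p.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def covers(p, port):
    """True if the permission's protocol and port range include TCP `port`."""
    if p.get("IpProtocol") == "-1":  # all protocols, all ports
        return True
    if p.get("IpProtocol") not in ("tcp", "6"):
        return False
    lo, hi = p.get("FromPort"), p.get("ToPort")
    return lo is None or hi is None or lo <= port <= hi


def audit(groups, admin_ports=ADMIN_PORTS):
    """List (group, port, service, cidr) for admin ports open to any address."""
    findings = []
    for g in groups:
        for p in g.get("IpPermissions", []):
            world = world_sources(p)
            if not world:
                continue  # source is a specific range or another security group
            for port, name in sorted(admin_ports.items()):
                if covers(p, port):
                    findings.append((g["GroupName"], port, name, world[0]))
    return findings


def restrict_admin_rules(groups, admin_cidr, admin_ports=ADMIN_PORTS):
    """Return a copy with single-port admin rules narrowed to admin_cidr (IPv4).

    Wider rules that merely include an admin port (for example all traffic
    from 0.0.0.0/0) are left alone; audit() still reports them for review.
    """
    if ipaddress.IPv4Network(admin_cidr).prefixlen == 0:
        raise ValueError("admin_cidr must not be an any-address range")
    fixed = copy.deepcopy(groups)
    for g in fixed:
        for p in g.get("IpPermissions", []):
            single = (p.get("FromPort") == p.get("ToPort")
                      and p.get("FromPort") in admin_ports)
            world = set(world_sources(p))
            if p["IpProtocol"] in ("tcp", "6") and single and world:
                p["IpRanges"] = [r for r in p.get("IpRanges", [])
                                 if r["CidrIp"] not in world]
                p["Ipv6Ranges"] = [r for r in p.get("Ipv6Ranges", [])
                                   if r["CidrIpv6"] not in world]
                p["IpRanges"].append({"CidrIp": admin_cidr})
    return fixed


if __name__ == "__main__":
    for group, port, name, cidr in audit(SAMPLE):
        print(f"{group}: {name} ({port}) open to {cidr}")
    print("after narrowing:", audit(restrict_admin_rules(SAMPLE, "203.0.113.10/32")))
```

To check a live account, pass audit() the SecurityGroups list from aws ec2 describe-security-groups --output json.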

Task 3: Associate the NAT instance with the NAT security group

1. From the AWS management console, click EC2.
2. From the EC2 Dashboard, click Instances.
3. Select the NAT instance and then click Actions > Networking > Change Security Groups.
4. Clear the default security group check box.
5. Select the NAT security group you created earlier and then click Assign Security Groups.

Task 4: Launch instances

Use the steps below to create four EC2 instances and decrypt the default Administrator password that Amazon
generates.

1. From the AWS management console, click EC2.
2. From the EC2 Dashboard, click Launch Instance.
3. Select a Windows Server machine image and instance type.
4. On the Configure Instance Details page, enter a name for the instance and select the VPC you set up earlier.
5. In Subnet, make the following selections for each instance:
Bastion host: Select the Public subnet.
Domain controller and Connectors: Select the Private subnet.
6. In Auto-assign Public IP address, make the following selections for each instance:
Bastion host: Select Enable.
Domain controller and Connectors: Select Use default setting or Disable.
7. In Network Interfaces, enter a primary IP address within the IP range of your private subnet for the domain controller
and Connector instances.
8. On the Add Storage page, modify the disk size, if necessary.
9. On the Tag Instance page, enter a friendly name for each instance.
10. On the Configure Security Groups page, select Select an existing security group and then make the following
selections for each instance:
Bastion host: Select the Public security group.
Domain controller and Connectors: Select the Private security group.
11. Review your selections and then click Launch.
12. Create a new key pair or select an existing one. If you create a new key pair, download your private key (.pem) file and
keep it in a safe place. You will need to supply your private key when you acquire the default Administrator password for
the instance.
13. Click Launch Instances. Click View Instances to display a list of your instances. Wait until the newly-launched instance
has passed all status checks before accessing it.
14. Acquire the default Administrator password for each instance:
1. From the instance list, select the instance and then click Connect.
2. Click Get Password and supply your private key (.pem) file when prompted.
3. Click Decrypt Password. AWS displays the default password.
15. Repeat Steps 2-14 until you have created four instances: a bastion host instance in your public subnet and three
instances in your private subnet that you will prepare as a domain controller and two Workspace Cloud Connectors.

Task 5: Create a DHCP options set

1. From the VPC Dashboard, click DHCP Options Sets.
2. Enter the following information:
Name tag: Enter a friendly name for the set.
Domain name: Enter the fully qualified domain name you will use when you configure the domain controller instance.
Domain name servers: Enter the private IP address you assigned to the domain controller instance and the string
AmazonProvidedDNS, separated by commas.
NTP servers: Leave this field blank.
NetBIOS name servers: Enter the private IP address of the domain controller instance.
NetBIOS node type: Enter 2.
3. Click Yes, Create.
4. Associate the new set with your VPC:
1. From the VPC Dashboard, click Your VPCs and then select the VPC you set up earlier.
2. Click Actions > Edit DHCP Options Set.
3. When prompted, select the new set you created and then click Save.

Task 6: Configure the instances

1. Using an RDP client, connect to the public IP address of the bastion host instance. When prompted, enter the
credentials for the Administrator account.
2. From the bastion host instance, launch Remote Desktop Connection and connect to the private IP address of the
instance you want to configure. When prompted, enter the Administrator credentials for the instance.
3. For all instances in the private subnet, configure the DNS settings:
1. Click Start > Control Panel > Network and Internet > Network and Sharing Center > Change adapter
settings. Double-click the network connection displayed.
2. Click Properties, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
3. Click Advanced and then click the DNS tab. Ensure the following settings are enabled and click OK:
Register this connection's addresses in DNS
Use this connection's DNS suffix in DNS registration
4. To configure the domain controller:
1. Using Server Manager, add the Active Directory Domain Services role with all default features.
2. Promote the instance to a domain controller. During promotion, enable DNS and use the domain name you specified
when you created the new DHCP options set. Restart the instance when prompted.
5. To configure the first Citrix Cloud Connector:
1. Join the instance to the domain and restart when prompted. From the bastion host instance, reconnect to the
instance using RDP.
2. Using a web browser, visit http://citrix.cloud.com and log in with your Citrix Cloud credentials.
3. From the Citrix Cloud home page, click the menu button in the upper-left corner and select Resource Locations.
4. Download the Citrix Cloud Connector: Click Citrix Cloud Connector and then click Download.
5. When prompted, run the CWCConnector.exe file and supply your Citrix Cloud credentials. Follow the wizard to install
the software.
6. When finished, click Refresh to display the Resource Locations page. When the Citrix Cloud Connector is registered,
the instance appears on the page.
6. Repeat Step 5 to configure the second Citrix Cloud Connector.

Create Resource Locations on Amazon EC2 with Citrix Smart Tools
Dec 22, 2016
Before you can use the XenApp and XenDesktop Service, you must create a resource location that contains the
on-premises or cloud infrastructure you will use to deliver applications and desktops to your users. You can create this
resource location manually or you can use Citrix Smart Tools to create it for you.

Created for first-time users of the XenApp and XenDesktop Service, the Setting Up a Resource Location for the XenApp
and XenDesktop Service with Citrix Smart Tools guide walks you through all the steps needed to create your first resource
location successfully on Amazon EC2.

Using this guide, you will learn how to:

Create an Amazon Web Services (AWS) account and create the appropriate access keys.
Subscribe to NetScaler VPX in the Amazon Marketplace.
Use Smart Tools to configure and deploy the machines in your new resource location.

When finished, your new resource location will include the following components:

An Active Directory domain controller.
Two Citrix Cloud Connectors.
A XenDesktop Server VDA configured with RDS. (optional)
A XenDesktop Server VDA configured with Server VDI. (optional)
A StoreFront server (optional). If you elect not to deploy a StoreFront server, your resource location will be configured to
use the cloud-hosted StoreFront that comes with Citrix Cloud. If you choose to deploy a StoreFront server, you will
need to configure it for use with the XenApp and XenDesktop Service. For more information, see Setting up StoreFront
with Citrix Cloud.
NetScaler Gateway (requires an Amazon Marketplace subscription to NetScaler VPX).

Smart Tools also performs the following tasks:

Creates a virtual private cloud (VPC) with public and private subnets and provisions a NAT instance. The NAT instance
enables machines in the private subnet to access the Internet. Citrix recommends allowing Smart Tools to create a new
VPC for your resource location.
Provisions a bastion host for administering Amazon EC2 machines in the private subnet of your VPC using RDP. The
bastion host is deployed in the public subnet.

Download the guide

Setting Up a Resource Location for the XenApp and XenDesktop Service with Smart Tools (PDF)

Configure Provisioning
Feb 16, 2017
In this article:

Overview
Provisioning with MCS
Using Provisioning Services
Platform considerations
Configure connections and resources
Create machine catalogs

Overview

The XenApp and XenDesktop Service in Citrix Cloud can provision and power-manage VDAs (Virtual Delivery Agents). For
on-premises hypervisors, requests are proxied through the Citrix Cloud Connector.

You can provision VDAs using the following methods:

Machine Creation Services (MCS)
Provisioning Services

Provisioning with MCS

Configuring provisioning through Machine Creation Services involves the following tasks:

1. Using Citrix Studio, create a connection with the hypervisor or cloud you want to use with the XenApp and XenDesktop
Service.
2. On a machine in your hypervisor or cloud environment, install the operating system, integration software for your cloud
or hypervisor, applications you want to make available to users, and the appropriate VDA package.
3. Using your hypervisor or cloud management tool, create an image or snapshot of this machine. You will use this image or
snapshot as the master image for your machine catalog.
4. Create a machine catalog with the appropriate number of machines for your users. During this process, you will specify
the master image you created.

Machine account creation with Machine Creation Services differs from XenApp and XenDesktop in that the accounts are
created by the Citrix Cloud Connector. By default, the machine hosting the Connector only has read-only access to Active
Directory (AD). Therefore, you will be prompted for AD credentials every time you create machine accounts in Citrix Studio.

Using Provisioning Services

There are two options for creating Provisioning Services managed VDAs from an on-premise Provisioning Server
deployment:

XenDesktop Setup wizard in the Provisioning Services console
Machine Catalog Setup in Studio

XenDesktop Setup Wizard

In order to create the XenDesktop catalogs and add them to the Citrix Cloud site using the XenDesktop Setup wizard in
the Provisioning Services console, you must first uninstall the XenApp and XenDesktop SDK and install the cloud-enabled
XenApp and XenDesktop Remote PowerShell SDK. The XenApp and XenDesktop Remote PowerShell SDK replaces the
default XenApp and XenDesktop SDK included with the PVS console installation.

1. Uninstall the XenApp and XenDesktop SDK from the PVS console by uninstalling each of the snap-ins:
1. Citrix Broker PowerShell
2. Citrix Configuration Logging Service PowerShell
3. Citrix Configuration Service PowerShell
4. Citrix Delegated Administration Service PowerShell
5. Citrix Host Service PowerShell
2. Download the XenApp and XenDesktop Remote PowerShell SDK.
3. Install the SDK using the command line and provide the PVS=Yes argument: CitrixPoshSdk.exe PVS=Yes

When you run the XenDesktop Setup wizard, you will be prompted for your Citrix Cloud customer credentials from the PVS
console, otherwise the process is the same as using the on-premise version.

Important
Known Issue: The XenApp and XenDesktop Remote PowerShell SDK has a 30-minute timeout at which time you are prompted to
re-enter your Citrix Cloud customer credentials. If you re-enter your credentials, the wizard will finish in the background. If you close
the wizard after you are prompted for credentials, you will need to restart the PVS console and start the process over.

Machine Catalog Setup

From Citrix Cloud, access Machine Catalog Setup in Studio. After specifying the address of the on-premise Provisioning
Services server and clicking Connect, you will be prompted for Provisioning Services administrator credentials. After this
authentication, the process for the Machine Catalog Setup option is the same as the on-premise version.

For more information on Provisioning Services, see the latest documentation.

Platform considerations

Before you create a connection to the XenApp and XenDesktop Service or create machine catalogs, review the following
sections for important configuration information you will need for your cloud provider or hypervisor.

Microsoft Azure Classic

Before you create a connection in Studio, you must have an existing virtual network for the Azure account you want to
use with the XenApp and XenDesktop Service. When you create the connection, you will need to select the region in
which your virtual network resides and select the subnets where you want new machines to be provisioned.
To create a connection, you must provide a Microsoft publish settings file. This file contains all the Azure subscription
IDs and certificates associated with your Azure account. You will need to copy and paste the subscription ID from this
file into Studio using the session clipboard. You can obtain your publish settings file using the following methods:
Visit https://manage.windowsazure.com/publishsettings and log in with your account credentials. When prompted,
save the file.
Using Azure PowerShell, run the Get-AzurePublishSettingsFile cmdlet. When prompted, enter your account credentials
and save the file.
Machine catalogs are limited to 40 VMs. This includes VDI and RDS hosts.

When creating machine catalogs using an Azure master image, be aware that Studio displays only Specialized VM images
with no data disks. These images must reside in the same region configured for the resource connection to Azure.
When creating machine catalogs using an Azure master image, ensure the Azure storage account containing the master
image VHD has sufficient IOPS capacity to support additional VMs.
Azure VM names must be at least one character long, up to a maximum of 15 characters. Valid names consist of letters,
numbers, and hyphens only. Valid names start with a letter and end with a letter or number. Valid names cannot contain
characters disallowed in Azure and must follow Azure naming rules. Studio does not validate the VM names you specify,
so creating a catalog might fail if the machines in the catalog do not conform to these naming rules.
Citrix recommends using Standard Tier VMs for VDI and RDS workloads.
For information about sizing considerations when using Azure for provisioning VMs in Apps and Desktops machine
catalogs, refer to CTX142340.
For additional information, see the Microsoft Azure documentation.

Amazon Web Services

When you create a connection in Studio, you must provide the Access Key ID and Secret Access Key for your AWS
account. You can copy and paste these values into Studio using the session clipboard. To control access to your AWS
account, Citrix recommends using the access keys of a specific IAM user. For more information about the IAM user
permissions needed for using AWS with the XenApp and XenDesktop Service, refer to CTX140429.
When creating a connection to your AWS account, you will need to provide the ID of the virtual private cloud (VPC) you
prepared, the region in which the VPC is located, the availability zone of the subnets in your VPC, your domain name, and
security group names. For more information about setting up your VPC, see Set up an AWS resource location for the
XenApp and XenDesktop Service.
For additional information, see the AWS documentation on the Amazon web site.

Citrix XenServer

When you create a connection, you must provide the credentials for a VM Power Admin or higher-level user.
Citrix recommends using HTTPS to secure communications with XenServer. To use HTTPS, you must replace the default
SSL certificate installed on XenServer; see CTX128656.
You can configure high availability if it is enabled on the XenServer. Citrix recommends that you select all servers in the
pool (from Edit High Availability) to allow communication with XenServer if the pool master fails.
You can select a GPU type and group, or passthrough, if the XenServer supports vGPU. The display indicates if the
selection has dedicated GPU resources.
For more information, see the Citrix XenServer product documentation.

VMware

See Prepare the virtualization environment: VMware for guidance in preparing your environment.
If you are using VMware vCenter with a self-signed certificate, be sure to add the certificate to each of the Citrix Cloud
Connectors in your resource location.
For additional information, see the VMware vSphere product documentation.

Microsoft Hyper-V

See Prepare the virtualization environment: Microsoft System Center Virtual Machine Manager for guidance in preparing
your environment.
All Citrix Cloud Connectors in your resource location must have the SCVMM console installed.
For additional information, see the Microsoft Hyper-V or SCVMM product documentation.

Additional Citrix resources

XenApp and XenDesktop Service with an On-premises Resource reference architecture.


XenApp and XenDesktop Service for New Customers reference architecture.

Congure connections and resources

Before you can provision machines through the XenApp and XenDesktop Service, you must rst create a connection and
dene the network resources you will use. Conguring a connection includes setting the connection type from among the
supported hypervisors and cloud services. T he storage and network you select form the resources for that connection.

To create a connection and resources


1. From the XenApp and XenDesktop Service home page, click Manage. Citrix Studio appears.
2. From the left pane, under Configuration, click Hosting.
3. From the right pane, under Actions, click Add Connection and Resources.
4. On the Connection page, select the connection type and enter a connection name. Additional required information
depends on the selected connection type.
5. On the VM Location page, select the cloud region, virtual private cloud, and availability zone where you will provision new
virtual machines.
6. Enter a friendly name for the resources and select the network or cluster you want to use.
7. On the Storage page, select the available storage you want to use for the new virtual machines you will provision.

Create machine catalogs

If you are using Machine Creation Services to create VMs for your deployment, prepare a master image or template on your
host hypervisor or cloud. Then, create the machine catalog.

Make sure the host has sufficient processors, memory, and storage to accommodate the number of machines you will
create.

The Machine Catalog wizard walks you through the items described below. The wizard pages you see may differ, depending
on the selections you make.

Operating system
Each catalog contains machines of only one of the following types:

Server OS: A Server OS catalog provides desktops and applications that can be shared by multiple users. The machines
can be running supported versions of Windows or Linux operating systems, but the catalog cannot contain both.
Desktop OS: A Desktop OS catalog provides desktops and applications that are assigned to a variety of different users.
Remote PC Access: A Remote PC Access catalog provides users with remote access to the physical office desktop
machines. Remote PC Access does not require a VPN to provide security.

To set up Remote PC Access, see https://support.citrix.com/article/CTX220737.

Machine management
The Machine Management page indicates how machines are managed and which tool you will use to deploy machines.

The Machines that are power-managed option indicates the machines are power-managed through Studio or
provisioned through a cloud environment. This option is available only if you have a connection to a hypervisor or cloud
already configured.

Use the Machines that are not power-managed option for physical machines.

Machine template
Select the snapshot or VM image of the machine you created earlier. Do not run Sysprep on master images.

To ensure you can use the latest product features, make sure the master image has the latest VDA version installed. Do not
change the default Select the VDA version installed selection on the wizard page.

Security
Select one or more security groups for the VMs; these are shown only if the availability zone supports security groups.

Choose whether machines will use shared hardware or account-dedicated hardware.

Virtual machines
Specify how many virtual machines to create.

If you are using a cloud service, specify the instance type or machine size to use.

Network cards
Select the network interface to use for machines in the catalog.

Computer accounts
Each machine in the catalog must have a corresponding computer account in Active Directory. Specify whether to create
new Active Directory accounts for machines in the catalog or use existing accounts. Additionally, specify the domain and
organizational unit (OU) where these accounts reside.

If you elect to create new accounts, specify the account naming scheme for the machines that will be created, using hash
marks to indicate where sequential numbers or letters will appear. Do not use a forward slash (/) in an OU name. A name
cannot begin with a number.

Domain credentials
Enter the domain administrator user name and password to use for creating the computer accounts in Active Directory.

Configure VDAs
Jun 14, 2016
A Virtual Delivery Agent (VDA) is installed on each physical or virtual machine in your site that you want to make available to
users. It enables the machine to register with the Citrix Cloud Connector, which in turn allows the machine and the
resources it is hosting to be made available to users. VDAs establish and manage the connection between the machine and
the user device, verify that a Citrix license is available for the user or session, and apply the policies that have been
configured for the session. The VDA communicates session information to the Connector through the broker agent in the
VDA.

XenApp and XenDesktop include VDAs for Windows server and desktop operating systems. VDAs for Windows server
operating systems allow multiple users to connect to the server at one time. VDAs for Windows desktops allow only one
user to connect to the desktop at a time. Some cloud providers limit the use of Windows desktop operating systems. For
VDI deployments, see Server VDI.

Citrix recommends installing the latest version of the VDA. The minimum requirement for the XenApp and XenDesktop
Service is version 7.0. Versions earlier than 7.6 might encounter registration issues. For more information, see the Upgrade
article.

For general and preparatory information about installing a VDA, see VDA installation guidance.

For instructions on using scripts to install a VDA, see the Install VDAs using scripts article.

Install a VDA
The XenApp and XenDesktop Service download page provides access to several downloads, including the VDA standalone
installer.

Citrix account credentials are not required to access the VDA download page from within the XenApp and XenDesktop
Service; however, credentials are required if you want to download other Citrix software that is restricted to customers. You
must either have elevated administrative privileges before starting the installation or use Run as administrator. Disable User
Account Control (UAC).

1. From the Downloads page, click Download VDA.


2. Select the version you want to install (Server OS or Workstation OS) and click Download File.
3. Right-click the package and select Run as administrator.
4. Follow the wizard. An automatic restart is enabled by default when the installation completes; the restart is required
before the VDA can be used with the XenApp and XenDesktop Service.

See What to specify when installing a VDA for details about each page in the wizard. The following items are unique to the
XenApp and XenDesktop Service environment:

Note: On the Delivery Controller page, choose the Do it manually option, and then specify the FQDNs of the Citrix
Cloud Connectors in your resource location. Citrix recommends specifying multiple Connectors for high availability. The
installer attempts to connect to the specified addresses and indicates the test result.

Director
Feb 21, 2017
Director is a monitoring and troubleshooting console for XenApp and XenDesktop. With full administrator permissions,
when you open Director, the Dashboard provides a centralized location to monitor the real-time and historical health and
usage of a site.

For more information on working with Director, see Director.

Filter data to troubleshoot failures


When you click numbers on the Dashboard or select a predefined filter from the Filters menu, the Filters view opens to
display the data based on the selected machine or failure type.

Predefined filters cannot be edited, but you can save a predefined filter as a custom filter and then modify it. Additionally,
you can create custom filtered views of machines, connections, and sessions across all Delivery Groups.

1. Select a view:
Machines. Select Desktop OS Machines or Server OS Machines. These views show the number of configured
machines. The Server OS Machines tab also includes the load evaluator index, which indicates the distribution of
performance counters and tool tips of the session count if you hover over the link.
Sessions. You can also see the session count from the Sessions view. Use the idle time measurements to identify
sessions that are idle beyond a threshold time period.
Connections. Filter connections by different time periods, including last 60 minutes, last 24 hours, or last 7 days.
Application Instances. This view displays the properties of all application instances on VDAs of Server and Desktop
OS. The session idle time measurements are available for Application instances on VDAs of Server OS Version 7.13 or
later.
2. For Filter by, select the criteria.
3. Use the additional tabs for each view, as needed, to complete the filter.
4. Select additional columns, as needed, to troubleshoot further.
5. Save and name your filter.
To open the filter later, from the Filters menu, select the failure type (Machines, Sessions, or Connections), and then select
the saved filter.
6. If needed, for Machines or Connections views, use power controls for all the machines you select in the filtered list. For
the Sessions view, use the session controls or option to send messages.
7. In the Machines and Connections views, click on the Failure Reason of a failed machine or connection to get a
detailed description of the failure and actions recommended to troubleshoot the failure. The failure reasons and the
recommended actions for Machine and Connection failures are available in the Citrix Director 7.12 Failure Reasons
Troubleshooting Guide.
8. In the Application Instances view, sort or filter based on Idle Time greater than a threshold time period. Select the idle
application instances to end. Log off or Disconnect of an application instance ends all active application instances in the
same session.

Alerts and notifications

Alerts are displayed in Director on the dashboard and other high level views with warning and critical alert symbols. Alerts
update automatically every minute; you can also update alerts on demand.

A warning alert (amber triangle) indicates that the warning threshold of a condition has been reached or exceeded.

A critical alert (red circle) shows that the critical threshold of a condition has been reached or exceeded.

You can view more detailed information on alerts by selecting an alert from the sidebar, clicking the Go to Alerts link at the
bottom of the sidebar or by selecting Alerts from the top of the Director page.

In the Alerts view, you can filter and export alerts. For example, Failed Server OS machines for a specific Delivery Group over
the last month, or all alerts for a specific user. For more information, see Export reports.

Citrix alerts. Citrix alerts are alerts monitored in Director which originate from Citrix components. You can configure Citrix
alerts within Director in Alerts > Citrix Alerts Policy. As part of the configuration, you can set notifications to be sent by
email to individuals and groups when alerts exceed the thresholds you have set up.

Create alerts policies

To create a new alerts policy, for example to generate an alert when a specific set of session count criteria are met:

1. Go to Alerts > Citrix Alerts Policy and select, for example, Server OS Policy.
2. Click Create.
3. Name and describe the policy, then set the conditions which have to be met for the alert to be triggered. For example,
specify Warning and Critical counts for Peak Connected Sessions, Peak Disconnected Sessions and Peak Concurrent
Total Sessions. Warning values must not be higher than Critical values. For more information, see Alerts policies
conditions.

4. Set the Re-alert interval. If the conditions for the alert are still met, then the alert is triggered again at this time interval
and, if set up in the alert policy, an email notification is generated. A dismissed alert will not generate an email
notification at the re-alert interval.
5. Set the Scope. For example, set for a specific Delivery Group.
6. In Notification preferences, specify who should be notified by email when the alert is triggered. You have to specify an
email server in the Email Server Configuration tab in order to set email Notification preferences in Alerts Policies.
7. Click Save.

Creating a policy with 20 or more Delivery Groups defined in the Scope may take approximately 30 seconds to complete the
configuration. A spinner is displayed during this time.

Creating more than 50 policies for up to 20 unique Delivery Groups (1000 Delivery Group targets in total), may result in an
increase in response time (over 5 seconds).

Alerts policies conditions

Alert policy condition, followed by its description and recommended actions:

Peak Connected Sessions
Number of peak connected sessions.
Check Director Session Trends view for peak connected sessions.
Check to ensure there is enough capacity to accommodate the session load.
Add new machines if needed.

Peak Disconnected Sessions
Number of peak disconnected sessions.
Check Director Session Trends view for peak disconnected sessions.
Check to ensure there is enough capacity to accommodate session load.
Add new machines if needed.
Log off disconnected sessions if needed.

Peak Concurrent Total Sessions
Number of peak concurrent sessions.
Check Director Session Trends view in Director for peak concurrent sessions.
Check to ensure there is enough capacity to accommodate session load.
Add new machines if needed.
Log off disconnected sessions if needed.

CPU
Percentage CPU usage.
Identify the processes or resources consuming CPU.
End the process if necessary. Ending the process will cause unsaved data to be lost.
If all is working as expected, add additional CPU resources in the future.
Note: The policy setting, Enable resource monitoring, is allowed by default for the
monitoring of CPU and memory performance counters on machines with VDAs. If this
policy setting is disabled, alerts with CPU and memory conditions will not be triggered.
For more information, see Monitoring policy settings.

Memory
Percentage Memory usage.
Identify the processes or resources consuming memory.
End the process if necessary. Ending the process will cause unsaved data to be lost.
If all is working as expected, add additional memory in the future.
Note: The policy setting, Enable resource monitoring, is allowed by default for the
monitoring of CPU and memory performance counters on machines with VDAs. If this
policy setting is disabled, alerts with CPU and memory conditions will not be triggered.
For more information, see Monitoring policy settings.

Connection Failure Rate
Percentage of connection failures over the last hour. Calculated based on the total
failures to total connections attempted.
Check Director Connection Failures Trends view for events logged from the
Configuration log.
Determine if applications or desktops are reachable.

Connection Failure Count
Number of connection failures over the last hour.
Check Director Connection Failures Trends view for events logged from the
Configuration log.
Determine if applications or desktops are reachable.

ICA RTT (Average)
Average ICA round-trip time.
Check NetScaler HDX Insight for a breakdown of the ICA RTT to determine root
cause.
If NetScaler is not available, check the Director User Details view for the ICA RTT
and Latency and determine if it is a network problem or XD/XA issue. For more
information, see the NetScaler Insight Center documentation, Use Cases: HDX
Insight.

ICA RTT (No. of Sessions)
Number of sessions which exceed the threshold ICA round-trip time.
Check NetScaler HDX Insight for the number of sessions with high ICA RTT. For
more information, see the NetScaler Insight Center documentation, HDX Insight
Reports.
If NetScaler is not available, work with the network team to determine root cause.

ICA RTT (% of Session)
Percentage of sessions which exceed the average ICA round-trip time.
Check NetScaler HDX Insight for the number of sessions with high ICA RTT. For
more information, see the NetScaler Insight Center documentation, HDX Insight
Reports.
If NetScaler is not available, work with the network team to determine root cause.

ICA RTT (User)
ICA round-trip time which is applied to sessions launched by the specified user. The
alert is triggered if ICA RTT is higher than the threshold in at least one session.

Failed Machines (Desktop OS)
Number of failed Desktop OS machines.
Failures can occur for various reasons as shown in the Director Dashboard and
Filters views. Run Citrix Scout diagnostics to determine root cause. For more
information, see Troubleshoot user issues.

Failed Machines (Server OS)
Number of failed Server OS machines.
Failures can occur for various reasons as shown in the Director Dashboard and
Filters views. Run Citrix Scout diagnostics to determine root cause.

Average Logon Duration
Average logon duration for logons which occurred over the last hour.
Check the Director Dashboard to get up to date metrics regarding the logon
duration. A large number of users logging in during a short timeframe can cause
elongated logons.
Check the baseline and break down of the logons to narrow down the cause.
For more information, see Diagnose user logon issues.

Logon Duration (User)
Logon duration for logons for the specified user which occurred over the last hour.

Load Evaluator Index
Value of the Load Evaluator Index over the last 5 minutes.
Check Director for Server OS Machines that may have a peak load (Max load).
View both Dashboard (failures) and Trends Load Evaluator Index report.

Monitor historical trends across a site

The Trends view accesses historical trend information for sessions, connection failures, machine failures, logon
performance, load evaluation, capacity management, machine usage and resource utilization for each site. To locate this
information, click the Trends menu.

The zoom-in drilldown feature lets you navigate through trend charts by zooming in on a time period (clicking on a data
point in the graph) and drilling down to see the details associated with the trend. This feature enables you to better
understand the details of who or what has been affected by the trends being displayed.

To change the default scope of each graph, apply a different filter to the data.

Action, followed by its description:

View trends for sessions
From the Sessions tab, select the Delivery Group and time period to view more
detailed information about the concurrent session count.

View trends for connection failures
From the Failures tab, select connections, machine type, failure type, Delivery
Group, and time period to view a graph containing more detailed information
about the user connection failures across your site.

View trends for machine failures
From Failures > Desktop OS Machine Failures or Server OS Machines, select the
failure type, Delivery Group, and time period to view a graph containing more
detailed information about the machine failures across your site.

View trends for logon performance
From the Logon Performance tab, select the Delivery Group and time period to
view a graph containing more detailed information about the duration of user
logon times across your site and whether the number of logons affects the
performance. This view also shows the average duration of the logon phases,
such as brokering duration, VM start time.

This data is specifically for user logons and does not include users trying to
reconnect from disconnected sessions.

The table below the graph shows Logon Duration by User Session. The
administrator can choose the columns to display and sort the report by any of
the columns.

For more information, see Diagnose user logon issues.

View trends for load evaluation
From the Load Evaluator Index tab, view a graph containing more detailed
information about the load that is distributed among Server OS machines. The
filter options for this graph include the Delivery Group or Server OS machine in a
Delivery Group, Server OS machine (available only if Server OS machine in a Delivery
Group was selected), and range.

View hosted applications usage
The availability of this feature depends on your organization's license.

From the Capacity Management tab, select Hosted Applications Usage tab,
select the Delivery Group and time period to view a graph displaying peak
concurrent usage and a table displaying application based usage. From the
Application Based Usage table, you can choose a specific application to see
details and a list of users who are using, or have used, the application.

View desktop and server OS usage
The Trends view shows the usage of Desktop OS by Site and by Delivery group.
When you select Site, usage is shown per Delivery group. When you select
Delivery group, usage is shown per User.

The Trends view also shows the usage of Server OS by Site, by Delivery group and
by Machine. When you select Site, usage is shown per Delivery group. When you
select Delivery group, usage is shown per Machine and per User. When Machine is
selected usage is shown per User.

View virtual machine usage
From the Machine Usage tab, select Desktop OS Machines or Server OS
Machines to obtain real-time view of your VM usage, enabling you to quickly
assess your site's capacity needs.

Desktop OS availability - displays the current state of Desktop OS machines
(VDIs) by availability for the entire site or specific Delivery Group.

Server OS availability - displays the current state of Server OS machines by
availability for the entire site or specific Delivery Group.

View resource utilization
From the Resource Utilization tab, select Desktop OS Machines or Server OS
Machines to obtain insight into historical trends data for CPU and memory usage
for each VDI machine for better capacity planning.

Graphs show data for Average CPU, Average Memory and Total Sessions. The
administrator can drill down further to the machine, and view data and charts for
the top 10 processes consuming CPU.

Filter by Delivery Group and Time period (last 2 hours, 24 hours, 7 days, month, and
year).

Note: The Monitoring policy setting, Enable Process Monitoring, must be set to
"Allowed" to collect and display data in the Top 10 Processes table on the Historic
Machine Utilization page. It is prohibited by default.

The CPU and memory utilization data is collected by default. This can be disabled
using the Enable Resource Monitoring policy setting.

For more information on using Resource utilization data to troubleshoot user
issues, see Resolve application failures.

Create customized reports
The Custom Reports tab provides a user interface to generate Custom Reports
containing real-time and historical data from the Monitoring database in tabular
format. From the list of previously saved Custom Report queries, you can execute
to export the report in CSV format, copy and share the corresponding OData
query, or edit the query.

You can create a new Custom Report query based on machines, connections,
sessions, or application instances. Specify filter conditions based on fields such as
machine, delivery group, or time period. Specify additional columns required in your
Custom Report. Preview displays a sample of the report data. Saving the Custom
Report query adds it to the list of saved queries.

You can create a new Custom Report query based on a copied OData query. To
do this, select the OData Query option and paste the copied OData query. You
can save the resultant query for execution later.

The flag icons on the graph indicate significant events or actions for that specific time range. Hover the mouse over the
flag and click to list events or actions.

Note:

HDX connection logon data is not collected for VDAs earlier than 7. For earlier VDAs, the chart data is displayed as 0.
Sessions, failures, and logon performance trend information is available as graphs and tables when the time period is set
to Last month or shorter. When the time period is set to Last Year, the trend information is available as graphs but not
as tables.

Export reports

Using the export feature, you can export trends information to generate regular usage and capacity management reports.
Export supports PDF, Excel, and CSV report formats. Reports in PDF and Excel formats contain trends represented as
graphs and tables. CSV format reports contain tabular data that can be processed to generate views or can be archived.

The supported number of concurrent export operations and the amount of data that can be exported is set to default
limits, beyond which tabular data is truncated.

Setting Up StoreFront With Citrix Cloud
Oct 27, 2016

About StoreFront and NetScaler Gateway


StoreFront authenticates users to sites hosting resources and manages stores of applications and desktops that users
access. It hosts your enterprise application store, which lets you give users self-service access to apps and desktops you
make available to them. It also keeps track of users' application subscriptions, shortcut names, and other data to ensure
they have a consistent experience across multiple devices.

When users connect from outside the corporate firewall, Citrix Cloud can use Citrix NetScaler Gateway (formerly Access
Gateway) technology to secure these connections with SSL. NetScaler Gateway or the NetScaler VPX virtual appliance is
an SSL VPN appliance that is deployed in the demilitarized zone (DMZ) to provide a single secure point of access through
the corporate firewall.

There are three primary use cases for setting up StoreFront with Citrix Cloud:

1. A cloud-hosted StoreFront: The applications and desktops service in Citrix Cloud hosts a StoreFront site for each
customer. The benefit of the cloud-hosted StoreFront is that there is zero effort to deploy, and it is kept evergreen by
Citrix. Cloud-hosted is recommended for all new customers, previews, and proofs-of-concept (PoCs).
2. An on-premises StoreFront: Customers may also use an existing StoreFront to aggregate applications and desktops in
Citrix Cloud. This offers greater security, including support for two-factor authentication and prevents users from
entering their password into the cloud service. It also allows customers to customize their domain names and URLs. This
is recommended for any existing XenApp and XenDesktop customers that already have StoreFront deployed.
3. A combination on-premises StoreFront and cloud-hosted StoreFront.

Each scenario is laid out below.

Use Case #1: Cloud-hosted StoreFront

Access to the cloud-hosted StoreFront is via https://<customername>.xendesktop.net/Citrix/StoreWeb/. There is no
additional configuration needed. Cloud StoreFront is ready to be used.

To provide remote access for end-users through a cloud-hosted StoreFront, do the following:

Set up NetScaler Gateway as an ICA proxy (no authentication or session policies are needed). This can be configured in
Citrix Studio by clicking on StoreFront under the Configuration node, then selecting the Set NetScaler Gateway action.
Bind Citrix Cloud Connectors as Secure Ticket Authority (STA) servers to NetScaler Gateway.
Set NetScaler Gateway (FQDN:PORT) in the cloud-hosted Studio.
Note: Combination remote and internal access is not supported in a cloud-hosted StoreFront.

Note
For more information on configuring NetScaler, see NetScaler VPX Deployment Guides.

Use Case #2: On-premises StoreFront

For details on configuring an on-premises StoreFront, see Citrix Product Documentation.

One benefit of using an existing StoreFront is that the Citrix Cloud Connector provides encryption of user passwords.
Credentials are encrypted by the connector using AES-256, using a randomly-generated one-time key. This key is returned
directly to Citrix Receiver and never sent to the cloud. Citrix Receiver then supplies it to the VDA during session launch in
order to decrypt the credentials and provide a single sign-on experience into Windows.

For transport, select HTTP and port 80. The StoreFront machine must be able to directly access the connector through
the FQDN (fully qualified domain name) provided; the connector needs to be able to reach the Cloud NFuse/STA URL at
(https://<customername>.xendesktop.net/Scripts/wpnbr.dll and ctxsta.dll).
Multiple connectors should be added as delivery controllers for High Availability.

Recommendation

Use the most recent version of StoreFront.

External Access
To provide external access through NetScaler Gateway and on-premises StoreFront, do the following:

Set up NetScaler Gateway as in a usual deployment with authentication and session policies. See Citrix Product
Documentation for more information.
Point your on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
The NetScaler Gateway must use the same STA URLs as StoreFront. If the gateway is not already configured to use the
STA of an existing XenApp/XenDesktop environment, Citrix Cloud Connectors may be used as a STA.

Internal Access
To provide internal access through an on-premises StoreFront, do the following:

Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.

External and Internal Access


To provide external and internal access through NetScaler Gateway and on-premises StoreFront, do the following:

Set up NetScaler Gateway as in a usual deployment (with authentication and session policies) - See Citrix Product
Documentation for more information.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.

Use Case #3: On-premises StoreFront and Cloud hosted StoreFront

To provide external access through cloud-hosted StoreFront and NetScaler Gateway with on-premises StoreFront, do the
following:

Set up NetScaler Gateway as you would in a usual deployment (with authentication and session policies). See Citrix
Product Documentation for more information.
Point your on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
Set NetScaler Gateway (FQDN:PORT) in Cloud-hosted Studio.

To provide internal access through cloud-hosted and on-premises StoreFront, do the following:

Point the on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.

To provide external and internal access, do the following:

Cloud-hosted StoreFront can only be used for external or internal access


Use NetScaler Gateway for external access and on-premises StoreFront for internal access (same as Use Case #2 with
external and internal access).
Set up NetScaler Gateway as in usual deployment (with authentication and session policies).
Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.

Two-factor authentication
Two-factor authentication is an extra layer of security based on verification of the user's identity to gain access to their
resources.

The user's mobile phone receives a Short Message Service (SMS) message that contains a 6-digit access code. The user
must enter the access code on the authentication form.

You can register the users' mobile phone numbers in Active Directory. Set the Phone-Mobile-Primary attribute to the
required user's mobile number in E.164 format. For more information, see E164: The international public telecommunication
numbering plan.

To accelerate the logon process, add the Phone-Mobile-Primary attribute to the Active Directory Global catalog. For more
information, see Phone-Mobile-Primary attribute.
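
An added example (not part of the Citrix documentation) that audits the numbers SMS access codes would be sent to, flagging accounts whose number is missing, not in E.164 form, or shared with another account. It relies on `mobile` being the LDAP display name of the Phone-Mobile-Primary attribute; the function names and sample accounts are constructed.

```powershell
# E.164: "+" followed by country code and subscriber number, at most 15 digits,
# first digit non-zero, no spaces or punctuation.
$E164Pattern = '^\+[1-9][0-9]{1,14}$'

function Test-E164Number {
    param([string]$Number)
    return (-not [string]::IsNullOrEmpty($Number)) -and ($Number -match $E164Pattern)
}

function Get-MobileNumberAudit {
    # $User: objects exposing SamAccountName and mobile (as returned by Get-ADUser).
    param([Parameter(Mandatory)][object[]]$User)

    # A number registered on more than one account sends one person's access
    # code to a phone that also serves a different account.
    $shared = $User |
        Where-Object { $_.mobile } |
        Group-Object -Property mobile |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Name }

    foreach ($u in $User) {
        if ([string]::IsNullOrEmpty($u.mobile)) {
            $status = 'Missing'
        } elseif (-not (Test-E164Number $u.mobile)) {
            $status = 'NotE164'
        } elseif ($shared -contains $u.mobile) {
            $status = 'SharedNumber'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mobile         = $u.mobile
            Status         = $status
        }
    }
}

# Constructed sample accounts so the audit runs without a directory.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mobile = '+14155550101' }
    [pscustomobject]@{ SamAccountName = 'bob';   mobile = '(415) 555-0102' }
    [pscustomobject]@{ SamAccountName = 'carol'; mobile = $null }
    [pscustomobject]@{ SamAccountName = 'dave';  mobile = '+442079460000' }
    [pscustomobject]@{ SamAccountName = 'erin';  mobile = '+442079460000' }
)
Get-MobileNumberAudit -User $sample | Format-Table -AutoSize

# Against a live directory (requires the ActiveDirectory module):
# Get-MobileNumberAudit -User (Get-ADUser -Filter * -Properties mobile)
```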

VMware SSL Thumbprint
May 25, 2016
The VMware SSL thumbprint feature addresses a frequently-reported error when creating a host connection to a VMware
vSphere hypervisor. Previously, administrators had to manually create a trust relationship between the Delivery Controllers in
the Site and the hypervisor's certificate before creating a connection. The VMware SSL thumbprint feature removes that
manual requirement: the untrusted certificate's thumbprint is stored on the Site database so that the hypervisor can be
continuously identified as trusted by XenApp/XenDesktop, even if not by the Controllers.

When creating a vSphere host connection in Studio, a dialog box allows you to view the certificate of the machine you are
connecting to. You can then choose whether to trust it.

Application Publishing
May 25, 2016
When you publish an application, configuration information for the application is stored in the data store for the server
farm. The configuration information includes the types of files associated with the application, users who can connect to
the application, importance level for Preferential Load Balancing, and client-side session properties that include window
size, number of colors, level of encryption, and audio settings.

When delivered to users, published applications appear very similar to applications running locally on the user device. Users
start applications depending on the delivery options you select while publishing and the plug-in they are running on their
devices.

The XenApp and XenDesktop Service in Citrix Cloud now features improvements to app publishing. Migration to Citrix Cloud
from other versions of XenApp and XenDesktop is now easier than ever. The newest features are highlighted below.

Applications node in Studio

The new Applications node in the Studio navigation pane provides a central way to manage all of your applications,
regardless of Delivery Group assignment. One of its key benefits is the ability to add applications to more than one Delivery
Group at one time.

When you add an application to more than one Delivery Group, you can specify the priority of each Delivery Group (0 is the
highest). XenApp or XenDesktop will attempt to launch the application from the highest priority Delivery Group; if that's not
possible, the application in the second-highest Delivery Group will be launched, and so on.

The Add Application wizard offers a dropdown from which you select the source of applications: a machine created in the
Machine Catalog, an App-V package, an application you have already added to the Site (perhaps in another Delivery Group),
or a manually-defined application.

Updated Create Delivery Group wizard and Edit Delivery Group interface

The Delivery Type page is displayed only if you selected a Machine Catalog containing assigned desktop OS machines; in
that case, you can specify whether the machines in that catalog will deliver desktops or applications. For all other machine
types, the machines in the group can deliver applications and desktops. You can change the delivery type later by editing the
Delivery Group.

The StoreFront page no longer appears in the Create Delivery Group wizard. It is assumed you will provide a StoreFront
server address from the StoreFront node in Studio. You can also specify StoreFront information later by editing the Delivery
Group.

The Applications page in the Create Delivery Group wizard now offers a new dropdown from which you select the source
of applications you're adding to the Delivery Group: a machine created in the Machine Catalog you selected, an App-V
package, an application you have already added to the Site (perhaps in another Delivery Group), or a manually-defined
application.

On the Desktops page, you can add desktops, indicate who can use them, and enable/disable them for delivery. If the
Delivery Group contains machines from a static assigned catalog, you can also specify the maximum number of desktops
per user.

The Summary page now includes an optional description field that is displayed in Studio. You can change this description
later by editing the Delivery Group.

Improved tag interface in Studio

Tags are strings that identify items such as machines, applications, Delivery Groups, and policies. After adding a tag to an
item, you can tailor search queries and policy assignments to apply only to items that have a specified tag.

Previously, one dialog box was available for adding and editing tags. Currently it offers a more robust and easy-to-use
interface.

NetScaler Gateway as a Service
May 25, 2016
NetScaler Gateway provides users with secure, remote access to XenApp, XenDesktop, and XenMobile applications across
a range of devices including laptops, desktops, thin clients, tablets, and smart phones.

NetScaler Gateway as a Service enables secure, remote access to XenApp and XenDesktop applications, without having to
deploy NetScaler Gateway in the perimeter network (also known as a DMZ) or reconfigure your firewall. The entire
infrastructure overhead of using NetScaler Gateway moves to the cloud, where the cloud service is hosted by Citrix.

You enable NetScaler Gateway as a Service using a check box. Once it has been enabled, users can access their VDAs from
outside their network, as shown in the following diagram.

Enabling NetScaler Gateway as a Service

By default, NetScaler Gateway as a Service is disabled.

To enable NetScaler Gateway as a Service:

1. From the Citrix Cloud > Apps and Desktops menu, choose Manage > Service Delivery. The Service Delivery screen
appears.
2. Enable NetScaler Gateway.
3. Choose Use cloud hosted Citrix NetScaler Gateway.

Known Issues

Be aware of the following limitations in the current service:

The service is currently enabled only for use with HDX traffic as part of the XenApp and XenDesktop Service. Other
NetScaler Gateway functionality is not enabled.
The service is available on the eastern and western coasts of the United States, and in Europe. As HDX traffic travels
through the service, users and/or XenApp or XenDesktop servers located outside those areas experience higher latency.
The Citrix Cloud Connector located within your Citrix Cloud resource locations communicates with Citrix-run cloud
services over the Internet. Currently this communication channel does not support authentication at outbound proxies
for access to the Internet.
All network traffic is protected by SSL, but to provide the NetScaler Gateway functionality, HDX traffic is present in
memory in an unencrypted form.
To use the NetScaler Gateway Service, you must use StoreFront hosted within the Citrix Cloud.

More Information

For more information about NetScaler Gateway, see the NetScaler Gateway product documentation on the Citrix
documentation web site.

XenApp and XenDesktop Remote PowerShell SDK
Jun 14, 2016
The XenApp and XenDesktop PowerShell (PS) SDK automates complex and repetitive tasks. It provides the mechanism to
set up and manage the XenApp and XenDesktop environment without having to use the Studio UI.

Customers run cmdlets and scripts in their traditional site containing both VDAs and Delivery Controllers within a common
domain structure. The Citrix Cloud XenApp and XenDesktop Service splits the VDAs and Controllers into a Resource
Location and Control Plane, respectively. This split means the original XenApp and XenDesktop PS SDK will not work
because it cannot cross the secure Resource Location to Control Plane boundary.

The solution is the XenApp and XenDesktop Remote PS SDK. When run in the Resource Location, the Remote PS SDK can
access the Control Plane as if it were local, providing the same functionality as a single XenApp and XenDesktop site. Only
the lowest, non-visible communication layer differs: it is enhanced to work either in a single local site or in the cloud
environment. The cmdlets are the same, and most existing scripts will work unchanged.

The Get-XdAuthentication cmdlet provides authorization to cross the secure Resource Location to Control Plane
boundary. By default, Get-XdAuthentication prompts users for CAS credentials, and must be done once per PowerShell
session. Alternatively, the user can define an authentication profile using an API access Secure Client, created in the Citrix
Cloud console. In both cases, the security information persists for use in subsequent PS SDK calls. If this cmdlet is not
explicitly executed, it will be called by the first PS SDK cmdlet.

Install

Make sure PowerShell 3.0 or later is available on your system.

1. Download the installer from: here; the package contains both x86 and x64 implementations.
2. In the download folder, locate and run the installer.
3. Follow the dialogs to complete the installation.

Installation logs are created in %TEMP%\CitrixLogs\CitrixPoshSdk. Logs can help resolve installation issues.

How to Use

Run the XenApp and XenDesktop Remote PS SDK from any computer in the customer's Resource Location.

Open a PowerShell command prompt. You do not need to run as an administrator.


Add the Citrix snapins: asnp citrix*.
You can explicitly authenticate by using the Get-XdAuthentication cmdlet. Or, execute your first XenApp and
XenDesktop PS SDK command, which will prompt you for the same authentication as Get-XdAuthentication.
To bypass the authentication prompt, you can use the Set-XdCredentials cmdlet to create a default authentication
profile, using a Secure Client created in the Citrix Cloud console.
Continue executing PS SDK cmdlets or PS SDK automation scripts.

Citrix recommends that you do not run this on the Connectors; the SDK's operation does not involve the Connectors.

Uninstall

From the Windows feature for removing or changing programs, select XenApp and XenDesktop Remote PowerShell
SDK, then right-click and select Uninstall. Follow the dialog.

Example

Common activities include setting up catalogs, applications, and users. A sample script is shown below.

$users = "xd.local\Domain Users"

$TSVDACatalogName = "TSVDA"

$TSVDADGName = "TSVDA"

$TSVDAMachineName = "xd\ds-tsvda2"

#Create TSVDA Catalog

$brokerUsers = New-BrokerUser -Name $users

$catalog = New-BrokerCatalog -Name $TSVDACatalogName -AllocationType "Random" -Description $TSVDACatalogName -PersistU

#Add TSVDA Machine to Catalog

$BrokeredMachine = New-BrokerMachine -MachineName $TSVDAMachineName -CatalogUid $catalog.uid

#Create new desktops & applications delivery group

$dg = New-BrokerDesktopGroup -Name $TSVDADGName -PublishedName $TSVDADGName -DesktopKind "Shared" -SessionSupport

#Create notepad application

New-BrokerApplication -ApplicationType HostedOnDesktop -Name "Notepad" -CommandLineExecutable "notepad.exe" -DesktopGr

#Assign users to desktops and applications

New-BrokerEntitlementPolicyRule -Name $TSVDADGName -DesktopGroupUid $dg.Uid -IncludedUsers $brokerUsers -description $TS

New-BrokerAccessPolicyRule -Name $TSVDADGName -IncludedUserFilterEnabled $true -IncludedUsers $brokerUsers -DesktopGroup

New-BrokerAppEntitlementPolicyRule -Name $TSVDADGName -DesktopGroupUid $dg.Uid -IncludedUsers $brokerUsers -description

#Add machine to delivery group

Add-BrokerMachine -MachineName $TSVDAMachineName -DesktopGroup $dg

Limitations

The following XenApp and XenDesktop PowerShell snap-ins are supported in this release:

Broker
Active Directory (AD) Identity
Machine Creation
Configuration
Configuration Logging
Host
Delegated Administration
Analytics

Once authenticated, remote access remains valid in the current PowerShell session for 24 hours. After this time, you must
enter your credentials.

The XenApp and XenDesktop Remote PS SDK must be run on a computer within the Resource Location.

The following cmdlets are disabled in remote operations to maintain the integrity and security of the Cloud control plane.

Snapin: Citrix.ADIdentity.Admin.V2
Cmdlets:
Acct:CopyIdentityPool
Acct:GetDBConnection
Acct:GetDBSchema
Acct:GetDBVersionChangeScript
Acct:GetInstalledDBVersion
Acct:RemoveServiceMetadata
Acct:ResetServiceGroupMembership
Acct:SetDBConnection
Acct:SetServiceMetadata
Acct:TestDBConnection

Snapin: Citrix.Analytics.Admin.V1
Cmdlets:
Analytics:GetDBConnection
Analytics:GetDBSchema
Analytics:GetDBVersionChangeScript
Analytics:GetInstalledDBVersion
Analytics:ImportDataDefinition
Analytics:RemoveServiceMetadata
Analytics:ResetServiceGroupMembership
Analytics:SetDBConnection
Analytics:SetServiceMetadata
Analytics:SetSite
Analytics:TestDBConnection

Snapin: Citrix.DelegatedAdmin.Admin.V1
Cmdlets:
Admin:AddPermission
Admin:AddRight
Admin:GetAdministrator
Admin:GetDBConnection
Admin:GetDBSchema
Admin:GetDBVersionChangeScript
Admin:GetInstalledDBVersion
Admin:ImportRoleConfiguration
Admin:NewAdministrator
Admin:NewRole
Admin:NewScope
Admin:RemoveAdministrator
Admin:RemoveAdministratorMetadata
Admin:RemovePermission
Admin:RemoveRight
Admin:RemoveRole
Admin:RemoveRoleMetadata
Admin:RemoveScope
Admin:RemoveScopeMetadata
Admin:RemoveServiceMetadata
Admin:ResetServiceGroupMembership
Admin:SetAdministrator
Admin:SetAdministratorMetadata
Admin:SetDBConnection
Admin:SetRole
Admin:SetRoleMetadata
Admin:SetScope
Admin:SetScopeMetadata
Admin:SetServiceMetadata
Admin:TestDBConnection

Snapin: Citrix.Broker.Admin.V2
Cmdlets:
Broker:GetDBConnection
Broker:GetDBSchema
Broker:GetDBVersionChangeScript
Broker:GetInstalledDBVersion
Broker:GetLease
Broker:NewMachineConfiguration
Broker:RemoveControllerMetadata
Broker:RemoveLease
Broker:RemoveLeaseMetadata
Broker:RemoveMachineConfigurationMetadata
Broker:RemoveMachineConfiguration
Broker:RemoveSiteMetadata
Broker:RemoveUserFromApplication
Broker:ResetLicensingConnection
Broker:ResetServiceGroupMembership
Broker:SetControllerMetadata
Broker:SetDBConnection
Broker:SetLeaseMetadata
Broker:SetMachineConfiguration
Broker:SetMachineConfigurationMetadata
Broker:SetSite
Broker:SetSiteMetadata
Broker:TestDBConnection
Broker:TestLicenseServer
Broker:UpdateBrokerLocalLeaseCache

Snapin: Citrix.Configuration.Admin.V2
Cmdlets:
Config:ExportFeatureTable
Config:GetDBConnection
Config:GetDBSchema
Config:GetDBVersionChangeScript
Config:GetInstalledDBVersion
Config:GetServiceGroup
Config:ImportFeatureTable
Config:RegisterServiceInstance
Config:RemoveRegisteredServiceInstanceMetadata
Config:RemoveServiceGroup
Config:RemoveServiceGroupMetadata
Config:RemoveServiceMetadata
Config:RemoveSiteMetadata
Config:ResetServiceGroupMembership
Config:SetDBConnection
Config:SetRegisteredServiceInstance
Config:SetRegisteredServiceInstanceMetadata
Config:SetServiceGroupMetadata
Config:SetServiceMetadata
Config:SetSite
Config:SetSiteMetadata
Config:TestDBConnection
Config:UnregisterRegisteredServiceInstance

Snapin: Citrix.Host.Admin.V2
Cmdlets:
Hyp:GetDBConnection
Hyp:GetDBSchema
Hyp:GetDBVersionChangeScript
Hyp:GetInstalledDBVersion
Hyp:RemoveServiceMetadata
Hyp:ResetServiceGroupMembership
Hyp:SetDBConnection
Hyp:SetServiceMetadata
Hyp:TestDBConnection

Snapin: Citrix.ConfigurationLogging.Admin.V1
Cmdlets:
Log:ExportReport
Log:GetDBConnection
Log:GetDBSchema
Log:GetDBVersionChangeScript
Log:GetHighLevelOperation
Log:GetInstalledDBVersion
Log:GetLowLevelOperation
Log:GetSummary
Log:RemoveOperation
Log:RemoveServiceMetadata
Log:RemoveSiteMetadata
Log:ResetDataStore
Log:ResetServiceGroupMembership
Log:SetDBConnection
Log:SetServiceMetadata
Log:SetSite
Log:SetSiteMetadata
Log:TestDBConnection

Snapin: Citrix.MachineCreation.Admin.V2
Cmdlets:
Prov:GetDBConnection
Prov:GetDBSchema
Prov:GetDBVersionChangeScript
Prov:GetInstalledDBVersion
Prov:GetServiceConfigurationData
Prov:RemoveServiceConfigurationData
Prov:RemoveServiceMetadata
Prov:ResetServiceGroupMembership
Prov:SetDBConnection
Prov:SetServiceConfigurationData
Prov:SetServiceMetadata
Prov:TestDBConnection

Snapin: Citrix.EnvTest.Admin.V1
Cmdlets:
EnvTest:GetDBConnection
EnvTest:GetDBSchema
EnvTest:GetDBVersionChangeScript
EnvTest:GetInstalledDBVersion
EnvTest:RemoveServiceMetadata
EnvTest:ResetServiceGroupMembership
EnvTest:SetDBConnection
EnvTest:SetServiceMetadata
EnvTest:TestDBConnection

Snapin: Citrix.Monitor.Admin.V1
Cmdlets:
Monitor:GetConfiguration
Monitor:GetDBConnection
Monitor:GetDBSchema
Monitor:GetDBVersionChangeScript
Monitor:GetDataStore
Monitor:GetInstalledDBVersion
Monitor:RemoveServiceMetadata
Monitor:ResetDataStore
Monitor:ResetServiceGroupMembership
Monitor:SetConfiguration
Monitor:SetDBConnection
Monitor:SetServiceMetadata
Monitor:TestDBConnection

Snapin: Citrix.Storefront.Admin.V1
Cmdlets:
Sf:BuildCluster
Sf:GetClusters
Sf:GetDBConnection
Sf:GetDBSchema
Sf:GetDBVersionChangeScript
Sf:GetInstalledDBVersion

Downloading the SDK

The XenApp and XenDesktop Remote PowerShell SDK can be downloaded from here.

Disclaimer

This software / sample code is provided to you AS IS with no representations, warranties or conditions of any kind. You
may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED,
WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR
A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you
acknowledge and agree that (a) the software / sample code may exhibit errors, design flaws or other problems, possibly
resulting in loss of data or damage to property; (b) it may not be possible to make the software / sample code fully
functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any
future versions of the software / sample code. In no event should the software / code be used to support ultra-hazardous
activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR
AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES
WHATSOEVER ARISING FROM USE OF THE SOFTWARE / SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT,
SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or
distribution of the code.

Technical security overview for the XenApp and XenDesktop Service in Citrix Cloud
Apr 20, 2017

Security overview
This document applies to all the XenApp and XenDesktop services hosted in Citrix Cloud, including XenApp Essentials and
XenDesktop Essentials.

Citrix Cloud manages the operation of the control plane for XenApp and XenDesktop environments. This includes the
controllers, management consoles, SQL database, license server, and optionally StoreFront and NetScaler Gateway. The
Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer's control in the data center of
their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the
Citrix Cloud Connector. If customers elect to use the StoreFront cloud service, they may also choose to use the NetScaler
Gateway Service instead of running NetScaler Gateway within their data center. The diagram below illustrates the service
and its security boundaries.

Data flow
As the components hosted by the cloud service do not include the VDAs, the customer's application data and golden
images required for provisioning are always hosted within the customer setup. The control plane has access to metadata,
such as usernames, machine names, and application shortcuts, restricting access to the customer's Intellectual Property
from the control plane.

Data flowing between the cloud and customer premises uses secure TLS connections over port 443.

Data isolation
The XenApp and XenDesktop Service stores only metadata needed for the brokering and monitoring of the customer's
applications and desktops. Sensitive information, including master images, user profiles, and other application data remain
on the customer premises or in their subscription with a public cloud vendor.

Service editions
The capabilities of the XenApp and XenDesktop Service vary by edition. For example, XenApp Essentials only supports
NetScaler Gateway service and Citrix-Managed StoreFront. Consult product documentation to learn more about
supported features.

Credential handling
T he service handles four types of credentials:

User Credentials: When using a customer-managed StoreFront, user credentials are encrypted by the Citrix Cloud
Connector using AES-256 encryption and a random one-time key generated for each launch. The key is never passed
into the cloud, and returned only to Citrix Receiver. This key is then passed to the VDA directly by Citrix Receiver to
decrypt the user password during session launch for a single sign-on experience. The entire flow is shown in the figure
below.

Administrator Credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix
Online. This generates a one-time signed JSON Web Token (JWT) which gives the administrator access to the XenApp
and XenDesktop Service.
Hypervisor Passwords: On-premises hypervisors that require a password for authentication have a password generated
by the administrator and directly stored encrypted in the SQL database in the cloud. Peer keys are managed by Citrix to
ensure that hypervisor credentials are only available to authenticated processes.
Active Directory (AD) Credentials: Machine Creation Services uses the connector for creating machine accounts in a
customer's AD. Because the machine account of the connector has only read access to AD, the administrator is
prompted for credentials for each machine creation or deletion operation. These credentials are stored only in memory
and only held for a single provisioning event.
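
The per-launch key handling described under User Credentials, sketched in PowerShell as an added example (not Citrix code). The CBC mode, random IV, message layout, function names and the idea that only the encrypted blob is relayed are assumptions; the page states only AES-256 with a random one-time key per launch, and production code would also authenticate the ciphertext.

```powershell
function Protect-LaunchCredential {
    # Cloud Connector side: encrypt the password under a fresh 256-bit key.
    param([Parameter(Mandatory)][string]$Password)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.KeySize = 256
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC      # assumption
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7   # assumption
        $aes.GenerateKey()   # new random key for this launch only
        $aes.GenerateIV()
        $plain  = [System.Text.Encoding]::UTF8.GetBytes($Password)
        $enc    = $aes.CreateEncryptor()
        $cipher = $enc.TransformFinalBlock($plain, 0, $plain.Length)
        $enc.Dispose()
        [pscustomobject]@{
            # Returned to Citrix Receiver only; never sent to the cloud.
            OneTimeKey = $aes.Key
            # The only credential material a relaying service would see (assumed layout).
            Blob       = [pscustomobject]@{ IV = $aes.IV; CipherText = $cipher }
        }
    } finally {
        $aes.Dispose()
    }
}

function Unprotect-LaunchCredential {
    # VDA side: decrypt with the key that Citrix Receiver hands over at launch.
    param(
        [Parameter(Mandatory)][byte[]]$OneTimeKey,
        [Parameter(Mandatory)]$Blob
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $OneTimeKey
        $aes.IV      = $Blob.IV
        $dec   = $aes.CreateDecryptor()
        $plain = $dec.TransformFinalBlock($Blob.CipherText, 0, $Blob.CipherText.Length)
        $dec.Dispose()
        [System.Text.Encoding]::UTF8.GetString($plain)
    } finally {
        $aes.Dispose()
    }
}

# Constructed password; two launches of the same user.
$password = 'Constructed-Passw0rd!'
$launch1  = Protect-LaunchCredential -Password $password
$launch2  = Protect-LaunchCredential -Password $password

# Each launch gets its own key, so the same password yields unrelated blobs.
$keyReused = [Convert]::ToBase64String($launch1.OneTimeKey) -eq
             [Convert]::ToBase64String($launch2.OneTimeKey)
"One-time key reused across launches: $keyReused"

# The VDA recovers the password only with the key from the same launch.
$atVda = Unprotect-LaunchCredential -OneTimeKey $launch1.OneTimeKey -Blob $launch1.Blob
"VDA recovers the password with the matching key: $($atVda -eq $password)"

# A key from another launch either fails padding validation or yields garbage.
$wrong = try {
    Unprotect-LaunchCredential -OneTimeKey $launch2.OneTimeKey -Blob $launch1.Blob
} catch {
    $null
}
"Key from a different launch recovers the password: $($wrong -eq $password)"
```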

Deployment considerations
Citrix recommends that users consult the published best practices documentation for deploying NetScaler Gateway
applications and VDAs within their environments. Additional considerations regarding on-premises StoreFront deployment
and network connectivity are as follows:

Citrix Cloud Connector network access requirements

The Citrix Cloud Connectors require only port 443 outbound traffic to the internet, and may be hosted behind an HTTP
proxy.

The communication used in Citrix Cloud for HTTPS is TLS 1.0, 1.1, or 1.2.

Within the internal network, the connector needs access to the following for the XenApp and XenDesktop Service:

VDAs (port 80, both inbound and outbound)* plus 1494 and 2598 inbound if using NetScaler Gateway Service
StoreFront Servers (port 80 inbound)**
NetScaler Gateways, if configured as a STA (port 80 inbound)**
Active Directory domain controllers
Hypervisors (outbound only; see hypervisor documentation for specific ports)

* Traffic between the VDAs and Connectors is encrypted using Kerberos message-level security.

** SSL is not yet supported in Citrix Cloud for the StoreFront or NetScaler traffic, so Citrix recommends configuring firewall
rules, VLANs, and/or IPsec tunnels for these services.
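
One way to act on the firewall-rule recommendation on Windows, as an added example (not from the Citrix documentation): list enabled inbound Allow rules that open TCP port 80 to any remote address, then preview scoping them to known sources. It assumes "inbound" in the list above means inbound to the Cloud Connector, the NetSecurity cmdlets of Windows Server 2012 or later, and constructed placeholder addresses; the function names are hypothetical.

```powershell
function Test-PortSpec {
    # True when a firewall LocalPort value ('Any', '80', '80-90', or a list) covers $Port.
    param($Spec, [int]$Port)
    foreach ($item in @($Spec)) {
        if ($item -eq 'Any') { return $true }
        if ($item -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($item -match '^\d+$' -and [int]$item -eq $Port) {
            return $true
        }
    }
    return $false
}

function Get-BroadInboundRule {
    # Enabled inbound Allow rules that expose $Port over TCP to every remote address.
    param([int]$Port = 80)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule       = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $isTcp      = $portFilter.Protocol -in @('TCP', '6', 'Any')
        $anySource  = @($addrFilter.RemoteAddress) -contains 'Any'
        if ($isTcp -and $anySource -and (Test-PortSpec $portFilter.LocalPort $Port)) {
            [pscustomobject]@{
                Name        = $rule.Name
                DisplayName = $rule.DisplayName
                LocalPort   = @($portFilter.LocalPort) -join ','
                Profile     = $rule.Profile
            }
        }
    }
}

# Sources expected to reach the Connector on port 80 (constructed placeholders).
$AllowedSources = @(
    '192.0.2.0/24',    # VDA subnet
    '198.51.100.21',   # StoreFront server
    '198.51.100.31'    # NetScaler Gateway address used for STA requests
)

# Read-only audit: which rules currently leave port 80 open to any source?
$broad = @(Get-BroadInboundRule -Port 80)
$broad | Format-Table -AutoSize

# Preview scoping each broad rule to the known sources. Rules whose LocalPort is
# 'Any' cover other services too, so review the list before removing -WhatIf.
# Applying the change requires an elevated session.
foreach ($r in $broad) {
    Set-NetFirewallRule -Name $r.Name -RemoteAddress $AllowedSources -WhatIf
}
```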

Customer-managed StoreFront

A customer-managed StoreFront offers greater security configuration options and flexibility for deployment architecture,
including the ability to maintain user credentials on-premises. The StoreFront can be hosted behind the NetScaler Gateway
to provide secure remote access, enforce multifactor authentication, and add other security features.

NetScaler Gateway Service and Citrix-managed StoreFront

Using the NetScaler Gateway Service avoids the need to deploy NetScaler Gateway within customer data centers. To use
the NetScaler Gateway Service, it is a prerequisite to use the StoreFront service delivered from Citrix Cloud. The data flow
when using NetScaler Gateway Service is shown in the figure below.

Note: This diagram shows the logical data flows. All TLS connections between the Cloud Connector and Citrix Cloud are
initiated from the Cloud Connector to the Citrix Cloud. No inbound firewall port mapping is required.

More information
See the following resources for more security information:

Citrix Security Site: http://www.citrix.com/security


Citrix Cloud Documentation: http://docs.citrix.com/en-us/workspace-cloud/workspace-cloud.html
Secure Deployment Guide for NetScaler

Note: This document is intended to provide the reader with an introduction to and overview of the security functionality of
Citrix Cloud; and to define the division of responsibility between Citrix and customers with regard to securing the Citrix
Cloud deployment. It is not intended to serve as a configuration and administration guidance manual for Citrix Cloud or any
of its components or services.

XenApp Essentials Service
May 23, 2017
XenApp Essentials Service allows you to deliver Windows applications from Microsoft Azure to any user on any device. The
service combines the industry-leading XenApp service with the power and flexibility of Microsoft Azure.

XenApp Essentials Service replaces Microsoft RemoteApp while providing the same application access experience for users.

XenApp Essentials Service is delivered through the Citrix Cloud and helps you to deploy your app workloads within your
Azure subscription with ease. When users open their applications in Citrix StoreFront, the application appears to run locally
on the user computer. Users can work in one or more apps in the same XenApp Essentials session. Users can access their
apps securely from any device, anywhere.
To deliver Windows apps to users, log on to the Citrix Cloud. After you log on, choose the XenApp and XenDesktop Service
and then configure the settings.

You purchase XenApp Essentials from the Azure Marketplace. After you complete your purchase, see System Requirements
for the required components to deploy XenApp Essentials successfully.

Follow these steps to deploy XenApp Essentials Service:

1. Prepare and link your Azure subscription.


2. Create and upload your master image.
3. Create catalogs and share apps with users.

For detailed deployment instructions, see the following XenApp Essentials Deployment Guide.

PDF XenApp Essentials Deployment Guide

The following graphic shows the flow of deploying XenApp Essentials.

System Requirements
The following are the requirements to install and configure XenApp Essentials Service after you purchase the service from
the Azure Marketplace.

Microsoft Azure

To provision and deploy resources in Microsoft Azure correctly, you need the following:

An Azure account with an enterprise agreement.


An Azure subscription.
An Azure Active Directory global administrator account in the directory associated with your subscription. The user
account must have Owner permission for the Azure subscription to use for provisioning resources.

For more information about how to set up an Azure Active Directory tenant, see How to get an Azure Active
Directory tenant on the Microsoft website.

Use the Azure Resource Manager to:


Deploy resources such as virtual machines, storage accounts, database, and virtual network.
Create and manage the resource group that is a container for resources you want to manage as a group.

Note
XenApp Essentials Service supports configuring machines by using Azure Resource Manager only.

Citrix Cloud

You must have a Citrix Cloud account to configure XenApp Essentials Service.

Important
XenApp Essentials Service creates Cloud Connector virtual machines automatically.

Compatibility
You can open the XenApp Essentials administration console in the following web browsers:

Google Chrome
Internet Explorer

The administration console supports English only.

Users connect to their apps by logging on with Citrix Receiver. XenApp Essentials Service supports the current version of
Citrix Receiver for each user device operating system, such as Windows, iOS, and Android. Users can also connect by using
Citrix Receiver for HTML5 by using any modern browser that supports HTML5.

You can download the latest version of Citrix Receiver from the Citrix website.

Known Issues

The XenApp Essentials Service has the following known issues:

Creating the machine catalog fails if the virtual machine size is not available for the selected region. To check the virtual
machines that are available in your area, see the chart at Products available by region on the Microsoft website.
You cannot create and publish multiple instances of the same app from the Start menu at the same time.
For example, from the Start menu you publish Internet Explorer. Then, you want to publish a second instance of Internet
Explorer that opens a specific website on startup. To do so, publish the second app by using the path for the app
instead of the Start menu.
XenApp Essentials Service supports linking a subscription by using an Azure Active Directory user account. XenApp
Essentials does not support Live.com authenticated accounts.
Users cannot start an application if there is an existing Remote Desktop Protocol (RDP) session on the VDA. This
behavior only happens if the RDP session starts when no other users are logged on to the VDA.
You cannot enter a license server address longer than server.domain.subdomain.
If you perform multiple sequential updates to capacity management, there is a possibility that the updated settings will
not properly propagate to the VDAs.
If you use a non-English web browser, such as Spanish, the text appears as a combination of English and the language of
the browser.

How to Buy XenApp Essentials Service


You can purchase XenApp Essentials directly from the Azure Marketplace by using your Microsoft Azure Account. There
must be a minimum of 25 users. The service is delivered through the Citrix Cloud and requires a Citrix Cloud account to
complete the onboarding process. You can create a Citrix Cloud account on the Citrix Cloud Sign Up page before going to
Azure Marketplace to complete the transaction. Ensure that you enter accurate information for all details including address
fields to ensure timely processing of your order.

Note
Your XenApp Essentials Citrix Cloud account cannot be affiliated with either of the following:

Existing XenApp and XenDesktop Service


Existing XenDesktop Essentials Service entitlement.

Deploying XenApp Essentials Service


Citrix Cloud hosts the XenApp Essentials Service. The XenApp Essentials offers secure access to virtual Windows apps. This
service is based on XenApp and XenDesktop technology. The service includes StoreFront and the NetScaler Gateway
Service along with core management services. Your app workloads run in your Azure subscription.

You can find detailed deployment instructions in the XenApp Essentials Service Deployment Guide.

The following diagram shows an architectural overview of a basic XenApp Essentials Service cloud deployment:



You can also allow users to connect to your on-premises data center. Connections between the Azure cloud and your
on-premises data center occur through a VPN connection. Users connect through XenApp Essentials to your license server, file
servers, or Active Directory over the VPN connection.



Set up a Microsoft Azure Account
Perform the following tasks in Microsoft Azure before setting up the connection in Citrix Cloud:

1. Create an Azure subscription.


2. Create a user in Azure Active Directory who is a global administrator for the subscription.

After you create your Azure account, you can prepare your Azure subscription.

Prepare Your Azure Subscription


Choose your Azure subscription to be the host connection for your VDAs and related resources. These resources can incur
charges based on your consumption.

Note
This service requires you to log on with an Azure Active Directory account. XenApp Essentials does not support other account types,
such as live.com.

When you prepare your Azure subscription, you configure the following in Azure Resource Manager:

Create a resource group and provide the following details:



Resource group name

Subscription name

Location

Create a virtual network in the resource group and provide a name for the network. Create the virtual network in Azure
Resource Manager. You can leave all other default settings. Create a standard storage account when you create the
master image.
Note: XenApp Essentials Service does not support a premium storage account.
Use an existing domain controller or create one. If you create a domain controller, do the following:
Use the A3 Standard or any other size Windows Server 2012 R2 virtual machine in the resource group and virtual network. This
virtual machine becomes the domain controller. If you plan to create multiple domain controllers, create an availability
set and put all the domain controllers in this set.
Assign a private static IP address to the network adapter of the virtual machine. You can assign the address in the
Azure portal. For more information, see Configure private IP addresses for a virtual machine using the Azure portal on
the Microsoft documentation website.
[Optional] Attach a new data disk to the virtual machine to store the Active Directory users and groups and any
Active Directory logs. For more information, see How to attach a data disk to a Windows virtual machine in the Azure
portal. When you attach the disk, select all the default options to complete the settings.
Add the domain controller virtual machine's private IP address to the virtual network DNS server. For more information,
see Manage DNS servers used by a virtual network (Classic) using the Azure portal (Classic).
Add a public DNS server in addition to the Microsoft DNS server. Use the IP address 168.63.129.16 for the second DNS
server.
Add the Active Directory Domain Services role to the domain controller virtual machine. When this step is complete,
promote the domain controller virtual machine to a domain controller and DNS.
Create a forest and add some Active Directory users. For more information, see Install a new Active Directory forest
on an Azure virtual network.

If you prefer to use Azure Active Directory Domain Services instead of a domain controller, use the following guidelines.
Citrix recommends reviewing the Active Directory Domain Services Documentation on the Microsoft website.

Create an Azure Active Directory and give it a unique name.


Create a classic virtual network to enable Domain Services.
When you create the classic virtual network, choose an IP address range that is different from the one you use with the
XenApp and XenDesktop Service. You need two IP addresses and can use the /24 range.
Enable the Azure Active Directory Domain Services by switching to the classic portal. Navigate to the Active Directory
node and open the new Azure Active Directory domain.
Enable the domain services for the directory.
When you complete this step, the DNS name and virtual network appear automatically. Ensure that the values are
correct.
When you save the settings, it can take 30 minutes to an hour to set up Domain Services.
When provisioning Domain Services is complete, a new section titled IP ADDRESS appears. Refresh the page until you
see two IP addresses.
Add a subnet IP address for the Azure virtual network.
Update the DNS settings for the Azure virtual network.
Edit the properties on the virtual network. Ensure that you enter both IP addresses created in a previous step.
Create an administrative group in the new Azure Active Directory domain. Use the following guidelines:



Create the group with the name AAD DC Administrators. The group must have this name.
Configure the DNS settings before adding users and groups.
Add members after creating the group.
Create a Resource Manager virtual network. Ensure that the deployment model you use is set to Resource Manager.
Locate the Resource Manager virtual network in the same region as the classic virtual network.
Peer the Resource Manager virtual network to the classic virtual network. Peering connects the two virtual networks to
the same region in Azure. After peering the networks, the two networks appear as a single virtual network. When you
peer the two networks, ensure that you select the classic virtual network.
Add DNS servers to the Resource Manager virtual network. When you configure the DNS servers, type the IP address of
the Azure Active Directory Services. Ensure that you type both IP addresses that appear in the Domain Services section
on the Configure tab of your directory.

Link Your Azure Subscription

In the Citrix Cloud, you link your XenApp Essentials Service to your Azure subscription.

To link your Azure subscription

1. Log on to the Citrix Cloud for XenApp Essentials Service.


2. On the Manage tab, click Subscriptions.
3. Click +Add Subscription.
The Azure portal opens.
4. Log on to your Azure subscription by using your global administrator Azure credentials.
5. Click Accept to allow XenApp Essentials Service to access your Azure account.
6. XenApp Essentials service enumerates the subscriptions available in your account.
7. Select the subscription you want to use and then click Link.
8. Return to the XenApp Essentials console to see the subscription in a linked state.

After you link your Azure subscription to XenApp Essentials, upload your master image.

Prepare Your Master Image


You can use one of the following two images in your deployment:

Your own master image with your applications installed.


A Citrix-prepared image.

Important
Citrix does not recommend using a Citrix-prepared image for production deployments.

When you prepare the master image, the Virtual Delivery Agent (VDA) installs on the image automatically. The VDA
software enables the following:

Registers the machine with the XenApp Essentials Service.



Establishes and manages the connection between the machine and the user device.
Verifies that a Citrix license is available for the user or session.
Applies any configured policies for the session.
Communicates session information to the XenApp and XenDesktop Service through the broker agent included in the
VDA.

VDAs are available for Windows server and desktop operating systems. VDAs for Windows Server operating systems allow
multiple users to connect to the server at one time.

For more information, see Configure VDAs.

Note
The VDA for Windows desktop operating systems is not supported in XenApp Essentials Service.

Image Requirements
Use the following requirements to create a master image:

Create the image by using Azure Resource Manager.


Configure the image to use standard (not premium) storage.
Select Windows Server 2012 R2 or Windows Server 2016.
Install and configure your apps.
Install the server OS VDA. You can download the VDA by using the Downloads link on the navigation bar in Citrix Cloud.
Shut down the virtual machine and note the VHD location.

Important
Do not Sysprep the image.

To prepare a master image

You create the master image by using the Azure Resource Manager. When you prepare your master image, the steps you
must take in the Azure portal are:

1. Log on to the Azure portal.


2. Create a Windows Server 2012 R2 or Windows 2016 server virtual machine.
You can also use existing server virtual machines. When you use existing machines, you can use the resource group, virtual
network, and storage account associated with the machine. The storage account is where you create the virtual hard
disk (VHD).
Note: Create the VDA template with standard (non SSD) storage. Also, do not join the VDA to a domain.
3. Connect to the virtual machine after you create it and when it is running.
4. Install the applications on the virtual machine. The apps are available to your users when they log on with Citrix Receiver.
5. Download the server OS VDA on the virtual machine from the XenApp and XenDesktop Service download page.
6. Install the VDA on the virtual machine. When prompted for the Delivery Controller address, select Let MCS configure.



7. Skip the installation of Citrix Receiver and App-V. Use the default settings for the remainder of the configuration steps.
8. Restart the VDA and complete the VDA installation steps by following the instructions on the page.
9. Test starting the applications to ensure that the configuration is correct.
10. Shut down the virtual machine.

When you create the virtual machine, the VHD is created in the storage account you specified. When you upload the
master image, you must specify the storage account location in the XenApp Essentials console.

To upload the master image

1. Log on to the Citrix Cloud for the XenApp Essentials Service.


2. On the Manage tab, click Master Images.
3. Click Add Image.
The Add an image page opens.
4. Specify the location of the VHD by selecting the following:
1. Subscription
2. Resource group
3. Storage account
4. VHD location
5. Region
6. Name for the master image.
5. Click Save.
When you save the image, XenApp Essentials Service verifies the master image.
After verification, the image appears on the Master Images > My Images page.

Create Catalogs
A catalog is similar to collections in Azure Remote App. A Citrix XenApp Essentials Service catalog lists apps and resources
that you can share with users on any device.

XenApp Essentials Service catalog uses a simpler approach to the combination of a machine catalog and a Delivery Group.

Note
XenApp machine catalog and Delivery Group creation workflows are not available in XenApp Essentials Service.

When you add a catalog, you configure the following:

Create a name for the catalog.


The name must be between 2 and 38 characters long.
The name must contain letters and numbers only. Special characters are not allowed.
Link your Azure subscription to the catalog.
Join the catalog to the domain.
Choose a master image.
Select the capacity and manage the cost of the apps.



Before you start creating your catalog, ensure that you have your Azure Active Directory credentials and your subscription
ID available.

To create a catalog

1. Log on to citrix.cloud.com.
2. Select the XenApp and XenDesktop Service.
3. On the Manage tab, click Catalogs, and then click +Catalog.
4. On the Add a Catalog page, in Pick a Name, type the name of the catalog, select Domain Joined, and then click Save.
5. In Link your Azure subscription, provide your Azure subscription details. You can use a subscription you created
previously or link a new Azure subscription. To use an existing subscription, do the following:
1. In Subscription Name, select the subscription from the list.
2. In Resource Group (Region), select the resource group to which the Azure subscription belongs. Use the resource
group you created when you prepared your Azure subscription. XenApp Essentials Service creates Cloud Connectors in
the resource group.
3. In Virtual Network, select the virtual network to which the Azure subscription belongs.
The virtual network is the same one you configured when you prepared your Azure subscription. Ensure that the
virtual network can reach your domain controller by using the DNS entries.
4. In Subnet, select the subnet to which the Azure subscription belongs and then click Save.
Ensure that the subnet can reach your domain controller.
6. Under Join local domain, enter the following:
1. In Fully Qualified Domain Name, type your organization's domain name.
2. In Organizational Unit, type the OU to which users belong. Adding the OU is an optional step.
For example, OU=Essentials,DC=citrix,DC=com.
To put your computers in the default Computers container, leave this field blank. Otherwise, ensure that the specific
OU is in Active Directory.
3. In Service Account Name, type the account that has permissions to join a machine to a domain and create
machine accounts. The format for the Service Account name is the User Principal Name (UPN).
4. In Password and Confirm Password, type the password and then click Save.
7. In Choose master image, do one of the following:
1. Select Link an existing image and then do the following:
1. In Image Name, select the image.
2. Click Save.
2. Select Import a new image and then do the following:
1. In Subscription, choose the subscription.
2. In Resource Group, choose the group.
3. In Storage Account, choose the account.
4. In VHD, choose the location of the virtual hard disk.
5. In Image Name, provide a name for the master image and then click Save.
8. In Select Capacity and Manage Cost, do the following:
1. In Pick compute, select a worker role.
The worker role defines the resources used. When you specify a worker role, XenApp Essentials Service determines the
correct load per instance for you. You can use one of the options in the list or create your own custom option. The
session count is used as a scale metric.
2. In Select scale settings, do the following:
1. Set the minimum number of running instances. XenApp Essentials Service ensures that the minimum of virtual
machines are powered on all the time.



2. Set the maximum number of running instances. XenApp Essentials Service does not go beyond this number of
virtual machines.
3. [Optional] If you want a different number of virtual machines running during peak times, select I want to set a
schedule for peak time. Then, specify the following:
Days of the week for the peak time
Start and end times for each day
Time zone
Minimum number of running instances
9. In Set idle or disconnected session time-out, set the time for when the session ends.
User sessions end automatically if the session remains idle or is disconnected for the specified time period. Shorter time-
out values allow unused VDAs to power off and save costs.
10. Click Save.

After you configure your catalog, click Start Deployment to start catalog creation. This step can take 1 to 2 hours. If you
specified many virtual machines, creating the catalog can take a longer time.

When the previous step is complete, you can publish apps and assign users and user groups. You need at least one published
application and one user assigned to complete creating the catalog.

To update or add applications, update the virtual machine that you used to create the catalog's master image.

To update the master image

1. Power on the master image virtual machine.


Powering on the virtual machine does not affect the master image installed in Microsoft Azure.
2. Install any updates or applications to the virtual machine.
3. After installation, shut down the virtual machine.
4. In the XenApp Essentials Service console, add the new image that includes the path to the virtual machine's VHD image.

To update a catalog

1. On the Manage tab, click Catalogs.


2. Click the ellipsis in the catalog that you want to update, and then click Update Catalog Image.
3. Select either Link an existing image or Import a new image. Enter the information that is appropriate for your choice.
4. In Time until automatic log-off, choose the amount of time before the session ends.
When you start the update of the master image, users can continue to work in XenApp Essentials until the processing is
complete. Then, users receive a warning message to save their work and close applications. After closing all active
sessions on the VDA, the update finishes on that VDA. Then, if users do not log off in the amount of time given, the
session closes automatically.
5. Click Update to start updating the master image.

Publish Apps
After configuring your catalog, you can publish apps for your users. The image you installed includes apps that you can
publish.

To publish apps

1. Log on to the Citrix Cloud for the XenApp Essentials Service.



2. On the Manage tab, click Catalogs.
3. Click the ellipsis in the catalog for which you want to publish apps.
4. Click Manage Publishing.
5. On the Apps tab, click Publish Apps.
6. On the Publish Apps for <catalog name> page, select the apps for publishing.
7. When done, click Publish.
The Apps tab appears with the list of published apps.

After you publish apps, you can add users and groups.

Add Users and User Groups


1. Log on to the Citrix Cloud for XenApp Essentials Service.
2. On the Manage tab, click Catalogs.
3. Click the ellipsis in the catalog for which you want to add users.
4. Click Manage Users.
5. On the Users tab, click +Add Users.
6. On the Assign Users for <catalog name> page, in Domain, choose the domain.
7. In the search box, type the name of the user or user group.
8. Repeat step 7 until you've added all users and groups.
9. Click Assign Users.
The Users tab appears with the list of published apps.

Test Your Connection


Test your connectivity through the virtual network by creating a virtual machine in your Azure subscription. The virtual
machine must be in the same resource group, virtual network, and subnet that you use to deploy the catalog. Ensure that
the virtual machine can connect to the internet. Also, include a test that you can reach the domain by joining the virtual
network to the domain. You can test by using the same credentials used for this catalog deployment.
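
The connectivity test described above can be scripted on the test virtual machine. This PowerShell example is added here and is not part of the Citrix documentation; the domain name corp.example.com and the function names are placeholders, and the domain controller port list is an assumed baseline for a domain join.

```powershell
# Read-only preflight for the test VM placed in the catalog's resource group,
# virtual network and subnet. It changes nothing and does not join the domain.

function New-CheckResult {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-CatalogNetwork {
    param(
        [string]$DomainFqdn   = 'corp.example.com',  # placeholder: your AD domain
        [string]$InternetHost = 'citrix.cloud.com',  # logon host named on this page
        [int[]] $DcPorts      = @(53, 88, 135, 389, 445)  # assumed: DNS, Kerberos, RPC, LDAP, SMB
    )

    # 1. DNS servers that the virtual network hands to this VM. These should be
    #    the domain controller (or Domain Services) addresses you configured.
    $dns = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
             ForEach-Object { $_.ServerAddresses } | Select-Object -Unique)
    New-CheckResult 'DNS servers assigned' ($dns.Count -gt 0) ($dns -join ', ')

    # 2. Locate domain controllers through the SRV record a domain join relies on.
    #    Only SRV answers carry NameTarget, so additional A records are skipped.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"
    $dcs = @()
    try {
        $dcs = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
                 Where-Object { $_.NameTarget } |
                 ForEach-Object { $_.NameTarget } | Select-Object -Unique)
        New-CheckResult "SRV lookup $srvName" ($dcs.Count -gt 0) ($dcs -join ', ')
    } catch {
        New-CheckResult "SRV lookup $srvName" $false $_.Exception.Message
    }

    # 3. TCP reachability of every discovered domain controller.
    foreach ($dc in $dcs) {
        foreach ($port in $DcPorts) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            New-CheckResult "TCP ${dc}:$port" ([bool]$r.TcpTestSucceeded) "remote address $($r.RemoteAddress)"
        }
    }

    # 4. Outbound HTTPS, the internet access the test VM must have.
    $r = Test-NetConnection -ComputerName $InternetHost -Port 443 -WarningAction SilentlyContinue
    New-CheckResult "Outbound TCP ${InternetHost}:443" ([bool]$r.TcpTestSucceeded) "remote address $($r.RemoteAddress)"
}

$results = @(Test-CatalogNetwork -DomainFqdn 'corp.example.com')
$results | Format-Table -AutoSize -Wrap
if ($results.Passed -contains $false) {
    Write-Warning 'At least one check failed. Review the virtual network DNS servers and subnet rules before deploying the catalog.'
}
```

A passing run shows that name resolution and network paths are in place; the domain join itself, with the catalog's service account, is still a separate manual test.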

Profile Management
Profile Management ensures that personal settings apply to users' virtual applications, regardless of the location of the user
device.

Configuring Profile Management is an optional step.

You can enable Profile Management by using the profile optimization service. This service provides a reliable way for
managing these settings in Windows. Managing the profiles ensures a consistent experience by maintaining a single profile
that follows the user. It consolidates automatically and optimizes user profiles to minimize management and storage
requirements. The profile optimization service requires minimal administration, support, and infrastructure. Also, profile
optimization provides users with an improved log on and log off experience.

The profile optimization service requires a file share where all the personal settings persist. You must specify the share as a
UNC path. The path can contain system environment variables, Active Directory user attributes, or Profile Management
variables. To learn more about the format of the UNC text string, see To specify the path to the user store.

You configure Profile Management in the Citrix Cloud.

To configure Profile Management

1. In Citrix Cloud, click the Manage tab and then click Catalogs.
2. Click the name of the catalog, such as "Finance."
3. Click More Settings.
4. In Set up Profile Management in Azure subscription, type the path to the profile share. For example, type
\\fileserver\share\#sAMAccountName#
5. Click Save.

Note
When enabling Profile Management, consider further optimization of the user's profile by configuring folder redirection to minimize
the effects of the user profile size. Applying folder redirection complements the Profile Management solution. For more
information, see Microsoft Folder Redirection.

Configure the Microsoft Remote Desktop Services (RDS) License Server
The XenApp Essentials Service offering accesses Windows Server remote session capabilities that would typically require a
Remote Desktop Services client access license (RDS CAL). The Virtual Delivery Agent (VDA) must be able to contact a
Remote Desktop license server to request RDS CALs. You are required to install and activate the license server. For more
information, see Activate the Remote Desktop Services License Server. For POC environments, you can use the grace period
provided by Microsoft.

Using this UI, you can have the XenApp Essentials Service apply the license server settings. You can also configure the license
server and per user mode by using the Remote Desktop Services console on the master image. You can also configure the
license server by using Microsoft Group Policy settings. For more information, see License your RDS deployment with client
access licenses (CALs).

Configuring the RDS license server requires the following steps:

1. Install Remote Desktop Services License Server on one of the virtual machines that is always available. The XenApp
Essentials workloads must be able to reach this license server.
2. Activate the Remote Desktop Services License Server by using these steps.
3. Specify the license server address and per user license mode by using Microsoft Group Policy. You can also configure the
license server and per license mode in Citrix Cloud by using the following steps.

Note
If you purchased CAL licenses from Microsoft Remote Access, you do not have to install the licenses. You can purchase licenses
from Microsoft Remote Access in the Azure Marketplace along with XenApp Essentials.



To configure the Remote Desktop Services (RDS) license server

1. In Citrix Cloud, click the Manage tab and then click Catalogs.
2. Click the name of the catalog, such as "Finance."
3. Click More Settings.
4. In Enter the FQDN of the license server, type the fully qualified domain name of the license server.
5. Click Save.

StoreFront and NetScaler Gateway in XenApp Essentials Service
The XenApp Essentials Service in Citrix Cloud hosts a StoreFront site for each customer. After you create the catalog, the
StoreFront site is created automatically. The StoreFront URL appears under the catalog details. Hosting StoreFront in the
cloud means that you do not have to deploy or maintain StoreFront. Citrix keeps StoreFront current in the cloud.

To allow users secure access to their published apps, XenApp Essentials Service uses NetScaler Gateway Service. This service
does not need any configuration by you. Each user is limited to 1-GB outbound data transfer per month. You can purchase
a 25 GB add-on from the Azure Marketplace. The charge for the add-on is on a monthly basis.

Monitoring the XenApp Essentials Service


To monitor the overall performance of the Citrix XenApp Essentials Service for Azure, do the following:

1. Navigate to the XenApp and XenDesktop Service.


2. Click the Monitor tab.
3. Click the Catalog that you want to monitor.
You can view information on sessions, logon duration, in addition to other information.
4. You can choose a session and do the following tasks:
1. Disconnect the session.
2. Log off from the session.
3. Send a message.

You can click each session to view extra details about the session such as processes, applications running, and more.

Getting Help
If you have problems with XenApp Essentials Service, open a ticket by following instructions in How to Get Help and
Support.



XenDesktop Essentials Service
Apr 11, 2017
The Citrix XenDesktop Essentials Service allows management and delivery of Windows 10 virtual desktops from Microsoft
Azure.

XenDesktop Essentials Service is designed specifically for the Azure Marketplace. Citrix and Microsoft partner to deliver an
integrated experience for XenDesktop Essentials and Azure IaaS. This partnership gives you a single interface to deliver a
complete Windows 10 digital workspace from Azure.

By using XenDesktop Essentials Service, you can:

Deploy and secure Windows 10 virtual desktops on Azure


Deliver best-in-class user experience by using Citrix HDX capabilities
Provide secure access on any device by using Citrix Receiver
Manage and administer the deployment from Microsoft Azure and Citrix Cloud

Citrix XenDesktop Essentials Service simplifies Windows 10 deployment. You can deploy desktops quickly, manage at scale,
and deliver a rich user access experience from a single management plane.

You manage the Windows 10 desktops by using Studio and you monitor sessions from Director. Users connect to their
Windows 10 virtual desktops by logging on with Citrix Receiver.

XenDesktop Essentials, the Citrix Cloud, and Microsoft Azure work together. During configuration, you create a Microsoft
Azure subscription. After that, you install the Citrix Cloud Connectors, which provide access to your Azure resources from
Citrix Cloud. You then create a Windows 10 master image that includes the VDA. The master image provides the template
for desktops you deliver to users.

When you complete those tasks, you create a host connection to Microsoft Azure. Studio and Director are available in
your cloud console. Use Studio and Director to manage and monitor your XenDesktop Essentials Service.

Deploy NetScaler VPX to provide secure access to Windows 10 desktops from anywhere. StoreFront is hosted from Citrix
Cloud. You provide your users with the URL.

Users connect to their desktops via Citrix Receiver, using the URL you provide. When users log on to Citrix Receiver, the
Windows 10 desktop icon appears in the StoreFront window.

The diagram shows an architectural overview of a XenDesktop Essentials Service deployment.



System Requirements, Prerequisites, and Compatibility
XenDesktop Essentials Service requires certain complementary products and components and specific account permissions
for installation, configuration, and operation.

Microsoft Azure

XenDesktop Essentials Service is designed to support Microsoft Azure exclusively. Your Azure environment must meet
certain minimum requirements to support XenDesktop Essentials Service:

An Azure subscription with an enterprise agreement


An Azure Active Directory tenant
Important: Microsoft requires the Azure AD tenant in the Azure subscription to deploy Windows 10 desktops. You can
use the Azure AD tenant or another active directory to identify authorized users.

An Azure Resource Manager (ARM) virtual network (VNet) and subnet in your preferred region
An Azure AD user with contributor (or greater) permissions within the subscription

Microsoft Azure VNet Requirements

An Active Directory domain controller


Two Windows Server 2012 R2 or Windows Server 2016 machines that are joined to the domain, on which to install the
Citrix Cloud Connector
One virtual machine that has Microsoft Windows 10 installed, including your required customizations and apps

The Citrix Cloud Connector servers must meet the following minimum requirements:



At least 32 GB of disk space and 4 GB of memory (Microsoft Azure Standard A2 v2 virtual machines)
.NET 4.5 installed
Active Directory computer account with Read/Write permissions on user and computer objects
Outbound port 443 must be open to allow access to the internet.
The Citrix Cloud Connector also supports Internet Explorer proxy settings configured for outbound connections.
For proxy support, see Cloud Connector Proxy and Firewall Configuration.

Citrix Cloud

A Citrix Cloud account


Access to the XenApp and XenDesktop Service within Citrix Cloud, which is enabled as a part of your XenDesktop
Essentials purchase
One Citrix NetScaler VPX configured in ICA Proxy mode. (Optional, for access from outside the corporate network)
ICA Proxy enables secure access to the applications and desktops offered to your users.
For more information about setting up the NetScaler VPX, see Creating a NetScaler VPX Deployment in Microsoft
Azure Reference Architecture.

Deployment Process Overview

Step 1: Connect your Azure subscription to the XenDesktop Essentials Service


Step 2: Create a host connection
Step 3: Create a pool of Windows 10 desktops
Step 4: Assign Windows 10 desktops to your users
Step 5: Configure NetScaler VPX (optional)
Step 6: Connect users via Citrix Receiver



NetScaler VPX Deployment Guides
May 25, 2016
PDF NetScaler VPX in AWS Deployment Guide
This guide will walk you through an example of how to manually install a NetScaler VPX Amazon EC2 instance
and then configure NetScaler for external Citrix Cloud XenApp and XenDesktop Service connections through
StoreFront.

PDF NetScaler VPX in Azure Deployment Guide


This guide will walk you through an example of how to manually install a NetScaler VPX instance into Microsoft
Azure and then configure NetScaler for external Citrix Cloud XenApp and XenDesktop Service connections
through StoreFront.

PDF NetScaler VPX in various Hypervisors Deployment Guide


This guide will provide links to the various installation/configuration for the various Hypervisors and then
configure NetScaler for external Citrix Cloud XenApp and XenDesktop Service connections through StoreFront.



Microsoft Azure Resource Manager virtualization environments
Apr 24, 2017
Follow this guidance when using Microsoft Azure Resource Manager to provision virtual machines in your XenApp or
XenDesktop deployment.

You should be familiar with the following:

Azure Active Directory: https://azure.microsoft.com/en-us/documentation/articles/active-directory-howto-tenant/


Consent framework: https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/
Service principal: https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-objects/

Create a connection to Azure Resource Manager


See the Connections and resources article in the latest XenApp and XenDesktop product documentation for complete
information about all pages in the wizard that creates a connection. The following information covers only details specific
to Azure Resource Manager connections.

There are two ways to establish a host connection to Azure Resource Manager:

Authenticate to Azure Resource Manager to create a new service principal.
Use the details from a previously-created service principal to connect to Azure Resource Manager.

Authenticate to Azure Resource Manager to create a new service principal

Before you start, make sure:

You have a user account in your subscription's Azure Active Directory tenant.
The Azure AD user account is also a co-administrator for the Azure subscription you want to use for provisioning
resources.

In the Add Connection and Resources wizard:

1. On the Connection page, select the Microsoft Azure connection type and your Azure environment.
2. On the Connection Details page, enter your Azure subscription ID and a name for the connection. The connection
name can contain 1-64 characters. The name cannot contain only blank spaces or the characters \/;:#.*?=<>|[]{}"'()'.
After you enter the subscription ID and connection name, the Create new button is enabled.
3. Enter the Azure Active Directory account username and password.
4. Click Sign in.
5. Click Accept to give XenApp or XenDesktop the listed permissions. XenApp or XenDesktop creates a service principal
that allows it to manage Azure Resource Manager resources on behalf of the specified user.
6. After you click Accept, you are returned to the Connection page. Notice that when you successfully authenticate to
Azure, the Create new and Use existing buttons are replaced with Connected, and a green check mark indicates the
successful connection to your Azure subscription.
7. Indicate which tools to use to create the virtual machines, and then click Next. (You cannot progress beyond this page in
the wizard until you successfully authenticate with Azure and accept giving the required permissions.)

Resources comprise the region and the network.

On the Region page, select a region.
On the Network page:
Type a 1-64 character resources name to help identify the region and network combination in Studio. A resource
name cannot contain only blank spaces, and cannot contain the characters \/;:#.*?=<>|[]{}"'()'.
Select a virtual network and resource group pair. (Since you can have more than one virtual network with the same
name, pairing the network name with the resource group provides unique combinations.) If you selected a region on
the previous page that does not have any virtual networks, you will need to return to that page and select a region
that has virtual networks.

Complete the wizard.

Use the details from a previously-created service principal to connect to Azure Resource Manager

To create a service principal manually, connect to your Azure Resource Manager subscription and use the PowerShell
cmdlets provided below.

Prerequisites:

$SubscriptionId: Azure Resource Manager SubscriptionID for the subscription where you want to provision VDAs.
$AADUser: Azure AD user account for your subscription's AD tenant.
Make the $AADUser the co-administrator for your subscription.
$ApplicationName: Name for the application to be created in Azure AD.
$ApplicationPassword: Password for the application. You will use this password as the application secret when creating
the host connection.

To create a service principal:

Step 1: Connect to your Azure Resource Manager subscription.

Login-AzureRmAccount

Step 2: Select the Azure Resource Manager subscription where you want to create the service principal.

Select-AzureRmSubscription -SubscriptionID $SubscriptionId;

Step 3: Create the application in your AD tenant.

$AzureADApplication = New-AzureRmADApplication -DisplayName $ApplicationName -HomePage "https://localhost/$ApplicationName" -IdentifierUris https://$ApplicationName -Password $ApplicationPassword

Step 4: Create a service principal.

New-AzureRmADServicePrincipal -ApplicationId $AzureADApplication.ApplicationId

Step 5: Assign a role to the service principal.

New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $AzureADApplication.ApplicationId -Scope /subscriptions/$SubscriptionId

Step 6: From the output window of the PowerShell console, note the ApplicationId. You will provide that ID when creating
the host connection.
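
To confirm that the service principal created above holds only the role assigned in Step 5, its role assignments can be listed and compared with the expected role and scope. This is an added example, not part of the Citrix documentation; Get-ServicePrincipalRoleReport is a hypothetical helper name, the two IDs are constructed placeholders, and the session is assumed to be signed in with the subscription selected as in Steps 1 and 2.

```powershell
# Added example (not from the Citrix documentation).
# Assumes: AzureRM module installed; Login-AzureRmAccount and
# Select-AzureRmSubscription already run as in Steps 1 and 2.
# Get-ServicePrincipalRoleReport is a hypothetical helper name.
function Get-ServicePrincipalRoleReport {
    param(
        [Parameter(Mandatory = $true)][string]$ApplicationId,
        [Parameter(Mandatory = $true)][string]$SubscriptionId,
        [string]$ExpectedRole = 'Contributor'
    )

    $expectedScope = "/subscriptions/$SubscriptionId"

    # Role assignments held by the service principal in the selected subscription.
    $assignments = @(Get-AzureRmRoleAssignment -ServicePrincipalName $ApplicationId)

    if ($assignments.Count -eq 0) {
        Write-Warning "No role assignments found for application $ApplicationId."
        return
    }

    foreach ($assignment in $assignments) {
        # String -eq is case-insensitive in PowerShell, which suits Azure scope paths.
        $asExpected = ($assignment.RoleDefinitionName -eq $ExpectedRole) -and
                      ($assignment.Scope -eq $expectedScope)

        [pscustomobject]@{
            RoleDefinitionName = $assignment.RoleDefinitionName
            Scope              = $assignment.Scope
            AsExpected         = $asExpected
        }
    }
}

# Constructed placeholder values; replace with your own IDs.
$reportArgs = @{
    ApplicationId  = '00000000-0000-0000-0000-000000000000'
    SubscriptionId = '11111111-1111-1111-1111-111111111111'
}
$report = @(Get-ServicePrincipalRoleReport @reportArgs)

# Show every assignment, then call out anything beyond what Step 5 granted.
$report | Format-Table -AutoSize
$unexpected = @($report | Where-Object { -not $_.AsExpected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) role assignment(s) differ from the expected role and scope."
}
```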

In the Add Connection and Resources wizard:

1. On the Connection page, select the Microsoft Azure connection type and your Azure environment.
2. On the Connection Details page, enter your Azure subscription ID and a name for the connection. The connection
name can contain 1-64 characters, and cannot contain only blank spaces or the characters \/;:#.*?=<>|[]{}"'()'.
3. Click Use existing. Provide the subscription ID, subscription name, authentication URL, management URL, storage suffix,
Active Directory ID or tenant ID, application ID, and application secret for the existing service principal. After you enter
the details, the OK button is enabled. Click OK.
4. Indicate which tools to use to create the virtual machines, and then click Next. The service principal details you provided
will be used to connect to your Azure subscription. (You cannot progress beyond this page in the wizard until you provide
valid details for the Use existing option.)

Resources comprise the region and the network.

On the Region page, select a region.
On the Network page:
Type a 1-64 character resources name to help identify the region and network combination in Studio. A resource
name cannot contain only blank spaces, and cannot contain the characters \/;:#.*?=<>|[]{}"'()'.
Select a virtual network and resource group pair. (Since you can have more than one virtual network with the same
name, pairing the network name with the resource group provides unique combinations.) If you selected a region on
the previous page that does not have any virtual networks, you will need to return to that page and select a region
that has virtual networks.

Complete the wizard.

Create a Machine Catalog using an Azure Resource Manager master image
This information is a supplement to the guidance in the Create Machine Catalogs article in the latest XenApp and
XenDesktop product documentation.

A master image is the template that will be used to create the VMs in a Machine Catalog. Before creating the Machine
Catalog, create a master image in Azure Resource Manager. For information about master images in general, see the Create
Machine Catalogs article.

When you create a Machine Catalog in Studio:

The Operating System and Machine Management pages do not contain Azure-specific information. Follow the
guidance in the Create Machine Catalogs article.
On the Master Image page, select a resource group and then navigate (drill down) through the containers to the Azure
VHD you want to use as the master image. The VHD must have a Citrix VDA installed on it. If the VHD is attached to a
VM, the VM must be stopped.
The Storage and License Types page appears only when using an Azure Resource Manager master image.

Select a storage type: standard or premium. The storage type affects which machine sizes are offered on the Virtual
Machines page of the wizard. Both storage types make multiple synchronous copies of your data within a single data
center. For details about Azure storage types and storage replication, see the following:

https://azure.microsoft.com/en-us/documentation/articles/storage-introduction/

https://azure.microsoft.com/en-us/documentation/articles/storage-premium-storage/

https://azure.microsoft.com/en-us/documentation/articles/storage-redundancy/

Select whether or not to use existing on-premises Windows Server licenses. Doing so in conjunction with using
existing on-premises Windows Server images utilizes Azure Hybrid Use Benefits (HUB). More details are available at
https://azure.microsoft.com/pricing/hybrid-use-benefit/

HUB reduces the cost of running VMs in Azure to the base compute rate since it waives the price of additional
Windows Server licenses from the Azure gallery. You need to bring your on-premises Windows Server images to Azure
to use HUB. Azure gallery images are not supported. On-premises Windows Client licenses are currently not supported.
See https://blogs.msdn.microsoft.com/azureedu/2016/04/13/how-can-i-use-the-hybrid-use-benefit-in-azure/%23comment-145

To check if the provisioned Virtual Machines are successfully utilizing HUB, run the PowerShell command

Get-AzureRmVM -ResourceGroupName MyResourceGroup -Name MyVM

and check that the license type is Windows_Server. Additional instructions are available at
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-hybrid-use-benefit-licensing/

On the Virtual Machines page, indicate how many VMs you want to create; you must specify at least one. Select a
machine size. After you create a Machine Catalog, you cannot change the machine size. If you later want a different
size, delete the catalog and then create a new catalog that uses the same master image and specifies the desired
machine size.

Virtual machine names cannot contain non-ASCII or special characters.

The Network Cards, Computer Accounts, and Summary pages do not contain Azure-specific information. Follow the
guidance in the Create Machine Catalogs article.

Complete the wizard.



Smart Tools
Dec 22, 2016
Citrix Smart Tools (formerly Citrix Lifecycle Management) is a service of Citrix Cloud. Smart Tools includes the following
services to help enterprises and cloud service providers deploy and manage Citrix apps on hypervisors and public and private
platforms:

Smart Build: Deploy XenApp and XenDesktop Delivery Sites and other Citrix workloads on-premises or in the cloud using
customizable blueprints.
Smart Check: Proactively check the health of your Delivery Site for potential issues and receive notifications about
applicable component updates.
Smart Scale: Control Delivery Group scaling in your Delivery Site and associated usage costs.
Smart Migrate: Simplify migration of the applications and policies in your XenApp 6.x farm or VDI-in-a-Box 5.4 grid to a
XenApp and XenDesktop 7.x Delivery Site.

For the full set of documentation on this service, go to https://manage-docs.citrix.com/hc/en-us.

For the Technical Security Overview: https://manage-docs.citrix.com/hc/en-us/articles/212715263

Service Level Goal

The Smart Tools Service (the Service) is designed using industry best practices to achieve cloud scale and a high degree of
service availability.

Citrix's goal is to maintain at least 99.9% availability in any 30 calendar day period. Service interruptions and scheduled
maintenance can be monitored on an ongoing basis at http://status.cloud.com.

Limitations
The calculation of this Service Level Goal will not include loss of availability from the following causes:

Customer failure to follow configuration requirements for the service documented on
https://manage-docs.citrix.com/hc/en-us.
Any component not managed by Citrix including, but not limited to, customer controlled physical and virtual machines,
customer installed and maintained operating systems and software, customer installed and controlled networking
equipment or other hardware; customer defined and controlled security settings, group policies and other configuration
policies; public cloud provider failures, Internet Service Provider failures or other failures external to Citrix's control.
Service disruption due to reasons beyond Citrix's control, including natural disaster, war or acts of terrorism, government
action.



ShareFile
Sep 21, 2016
ShareFile is a service in Citrix Cloud. It allows for sharing, syncing and securing content from the cloud and on-premises
storage services.

Quick Start Guide

As part of your Citrix Cloud subscription, a ShareFile account will be created for you. Before you can properly use that
service, there are a few steps to do.

Provisioning Administrators
The first thing you need to do is provision administrators. When your account was created, it was provisioned with a master
administrator account. This was the first administrator added to your Citrix Cloud account. In addition to this administrator,
you can provision additional administrators. Any additional administrator provisioned within Citrix Cloud will be added to
ShareFile with administrator access.

Provisioning Users
To begin using your new ShareFile account, you must add users and configure authentication. In the Citrix Cloud
environment, you will want to enable SSO between the different components. In order to provide a seamless experience to
your end users, you will use SAML to authenticate against your Active Directory user accounts.

Importing Active Directory Users into ShareFile

The ShareFile User Management Tool (UMT) makes it easy for you to add your Active Directory users into ShareFile. You can
use the tool to provision user accounts and create distribution groups from Active Directory (AD).

Importing users from Active Directory can take some time and be resource intensive. To help with this, you can schedule the
tool to run at selected times. In addition to the initial import, you can also use the tool to keep your ShareFile users
synchronized with your AD users.

Click here for complete configuration details.

Configuring Authentication

After you have imported your users into ShareFile, you must configure authentication. When using the Citrix Cloud
environment, you will want to use SSO. SSO will be done using the SAML protocol. In this environment you have two
options for configuring SAML: either using ADFS, or via XenMobile SAML authorization.

Configuring Authentication with ADFS

You can integrate your ShareFile account with Active Directory (AD) to enable single sign-on for users with AD credentials.
ShareFile supports Security Assertion Markup Language (SAML) for single sign-on. You configure ShareFile to communicate
with a SAML-based federation tool running in your network. User logon requests are then redirected to Active Directory.
You can use the same SAML Identity Provider that you use for other web applications.

Click here for complete configuration details.



Configuring Authentication to your Active Directory with XenMobile 10.x
You can configure Citrix XenMobile server and NetScaler Gateway to function as a SAML identity provider for ShareFile. In
this configuration, a user logging on to ShareFile using a web browser or other ShareFile clients is redirected to the
XenMobile environment for user authentication. After successful authentication by XenMobile, the user receives a SAML
token that is valid for logon to their ShareFile account.

Click here for complete configuration details.

Accessing ShareFile
Now that you have configured your users and authentication, you should look at how ShareFile will be accessed. There are
two specific types of access you need to look at: administrator access and user access.

Administrator Access

As administrator, you may need to make changes to your ShareFile configuration or manage your account.

Accessing the ShareFile Administrator UI through Citrix Cloud

You can access the ShareFile Web UI directly through the Citrix Cloud. Access through the Citrix Cloud provides a slightly
trimmed down version of the ShareFile Web UI. It contains everything you need to configure access for your users and set
up your account.

To access the ShareFile Administrator UI from the Citrix Cloud console, select the ShareFile pulldown from the menu. It will
take you to the ShareFile Web UI. You will be taken directly to the Administrator section of the UI.

Accessing the ShareFile Administrator UI Directly

There may be some ShareFile administrator settings that you are unable to access using the Citrix Cloud version of the
console. If you need additional functionality, your ShareFile account can be accessed directly through the regular
ShareFile login page. You can access the login page by going to https://<subdomain>.sharefile.com.

Note: This is not the recommended method for accessing the ShareFile Administrator UI in a Citrix Cloud environment.

User Access

There are three options on how users will access their data in ShareFile. Data can be accessed directly using the Web UI.
The other two options depend on what other applications you have enabled. If you have XenDesktop and/or XenMobile
enabled, users can access their data through one of those applications.

Accessing ShareFile through the Web UI

End users can access ShareFile directly by going to http://<subdomain>.sharefile.com

Accessing ShareFile with XenDesktop


Accessing ShareFile with XenDesktop will be done using the ShareFile Sync Client. The ShareFile Sync Client allows you to
sync your documents between a local client and the ShareFile cloud.



Using ShareFile Sync for Windows

On XenDesktop you will be using ShareFile Sync for Windows. ShareFile Sync for Windows can be preinstalled into your
desktop image before deploying to end users.

Click here for complete usage details

Installing the ShareFile Sync Client

You must start by installing ShareFile Sync for Windows in your XenDesktop environment. You can install the client once
and have it propagated to all of the XenDesktop sessions in your environment.

Click here for complete installation details

Implementing ShareFile On-Demand Sync

ShareFile On-Demand Sync is used when you want to deploy the smallest possible data footprint into your XenApp or
XenDesktop environment. More details on deploying On-Demand Sync can be found below.

Click here for complete implementation details

Accessing ShareFile with XenMobile


Follow the XenMobile configuration guide for information on wrapping the ShareFile application and deploying Single Sign-On
between XenMobile and ShareFile.

Service Level Goal

The ShareFile Service (the Service) is designed using industry best practices to achieve cloud scale and a high degree of
service availability.

Citrix's goal is that in any 30 calendar day period 99.9% of the time users can enumerate files and folders associated with
their account or download files that are hosted in Citrix-managed StorageZones. Service interruptions and scheduled
maintenance can be monitored on an ongoing basis at http://status.sharefile.com.

Limitations

The calculation of this Service Level Goal will not include loss of availability from the following causes:

Customer failure to follow configuration requirements for the service documented on https://docs.citrix.com.
Caused by any component not managed by Citrix including, but not limited to, customer controlled physical and virtual
machines, customer installed and maintained operating systems, customer installed and controlled networking
equipment or other hardware; customer defined and controlled security settings, group policies and other configuration
policies; public cloud provider failures, Internet Service Provider failures or other failures external to Citrix's control.
Service disruption due to reasons beyond Citrix's control, including natural disaster, war or acts of terrorism, government
action.



XenMobile Service
May 16, 2017
The Citrix Cloud XenMobile Service, previously called XenMobile Cloud, offers a XenMobile enterprise mobility management
(EMM) environment for managing apps, devices, users, and groups of users.

With XenMobile Service, Citrix handles the configuration and maintenance of the infrastructure onsite through the Citrix
Cloud Operations group. This separation lets you focus exclusively on the user experience and on managing devices, policies,
and apps. With XenMobile Service, you pay a subscription fee instead of purchasing and managing licenses.

Cloud Operations administrators handle maintenance and configuration of the network connectivity and NetScaler
integration. Citrix hosts the Cloud environment in data centers located throughout the world to deliver high performance,
rapid response, and support.

Get started

To set up the XenMobile Service, see XenMobile Service.

Note
For the full set of documentation on the XenMobile Service, including what's new with each release, see XenMobile Service.

Service Level Goal

The XenMobile Service (the Service) design uses industry best practices to achieve cloud scale and a high degree of service
availability.

The Citrix goal is to maintain at least 99.9% availability in any 30 calendar day period. You can monitor service interruptions
and scheduled maintenance on an ongoing basis at http://status.cloud.com.

Limitations
The calculation of this Service Level Goal doesn't include loss of availability from the following causes:

Customer failure to follow configuration requirements for the service documented on https://docs.citrix.com.
Caused by any component not managed by Citrix including, but not limited to the following:
Customer controlled physical and virtual machines
Customer installed and maintained operating systems
Customer installed and controlled networking equipment or other hardware
Customer defined and controlled security settings, group policies, and other configuration policies
Public cloud provider failures, ISP failures, or other failures external to the control of Citrix.
Service disruption because of reasons beyond the control of Citrix, including natural disaster, war, acts of terrorism, or
government action.



XenMobile Service Technical Security Overview
May 09, 2017
For the latest information about XenMobile Service security, see XenMobile Service.

Citrix Cloud manages the control plane for XenMobile environments. This includes the XenMobile server, NetScaler
load-balancer and a MySQL database. The cloud service integrates with the customer's datacenter using the following
mechanisms:

An agent called the Citrix Cloud Connector. XenMobile Service customers who use Cloud Connector typically manage
NetScaler Gateway in their datacenters.
An IPsec tunnel between the customer's datacenter and an isolated network partition in the cloud containing
single-tenant components for that customer. For IPsec connectivity, NetScaler Gateway typically runs in Citrix Cloud.

The following figure illustrates the service and its security boundaries.

Note
This information is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Cloud;
and to define the division of responsibility between Citrix and customers with regard to securing the Citrix Cloud deployment. It is not
intended to serve as configuration and administration guidance manual for Citrix Cloud or any of its components or services.

Data flow

The control plane has limited read-access to user and group objects from a customer's directory and other services such as
DNS. These services are accessed over the IPsec tunnel as well as the Citrix Cloud Connector, which uses secure HTTPS
connections.

Company data, such as email, intranet, and web-app traffic, flows directly between the device and the application servers
over NetScaler Gateway deployed in the customer datacenter.

Data isolation



The control plane stores metadata needed for managing user devices and their mobile applications. The service itself
consists of a mix of multi- and single-tenant components. However, with the service's architecture, customer metadata is
always stored separately for each tenant, secured with unique credentials.

Credential handling

The service handles the following types of credentials:

User credentials: User credentials are transmitted from the device to the control plane over an HTTPS connection. The
control plane validates these credentials with a directory in the customer directory over a secure IPsec tunnel.
Administrator credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix
Online. This generates a one-time signed JSON Web Token (JWT), which gives the administrator access to the XenApp
and XenDesktop Service.
Active Directory credentials: The control plane requires bind-credentials to read user meta-data from Active Directory.
These credentials are encrypted using AES-256 encryption and saved in a per-tenant database.

Deployment considerations

Citrix recommends that users consult the published best practices documentation for deploying NetScaler Gateway and
IPsec gateways within their environments. For additional considerations regarding network connectivity with IPsec, see
IPsec prerequisites and administration.

More information

See the following resources for additional security information:

Citrix Security Site: http://www.citrix.com/security


Citrix Cloud Documentation: Secure Deployment Guide for the Citrix Cloud Platform
Secure Deployment Guide for NetScaler: http://support.citrix.com/article/CTX129514



XenMobile MDX Service
May 10, 2017
You can use the XenMobile MDX Service to prepare iOS and Android mobile apps by wrapping the apps with MDX, an app
container technology. You then manage the apps with XenMobile. You can use the XenMobile MDX Service to wrap apps
created within your organization or to wrap the Citrix XenMobile Apps. For more information about XenMobile Apps, see
What's new in XenMobile Apps.

The XenMobile MDX Service currently uses MDX version 10.4.10 for wrapping apps.

For information about MDX, the traditional MDX wrapping process using the MDX Toolkit, and a description of signing
assets that are required, see:

About the MDX Toolkit
Wrapping iOS Mobile Apps
Wrapping Android Mobile Apps

Getting Started with the MDX Service

Follow these steps to start using XenMobile MDX Service.

We encourage you to provide us with feedback on your experience in the Citrix Discussions Forum.

1. Sign up for Citrix Cloud by requesting a trial if you do not already have a Citrix Cloud account. For details on signing up,
see Citrix Cloud sign-up.

2. After you set up an account and log on to Citrix Cloud, on the navigation bar, click Lab Services. Then, under
XenMobile MDX Service, click Try It.

To use the MDX Service

To use the XenMobile MDX Service, upload the application package binary and the required signing assets. Then, verify the
app details and modify the attributes, as necessary. You can then download the wrapped application package.

The following sections give more details for iOS and Android apps.

To wrap an iOS app


1. On the MDX Service Overview page, click Start.



2. Upload the .ipa file for the app. The time required for the upload to complete depends on the file size.

3. After the .ipa file uploads to the XenMobile MDX Service and is processed successfully, a Verify App Details screen
appears.

a. Optionally, change the App Name, Minimum OS Version, and Maximum OS Version.

b. Edit the Description field (required).



c. Upload the following iOS signing assets:

Provisioning Profile
Certificate
Certificate Password

To collect the iOS Provisioning Profile and Certificate, follow the steps in this support article:
https://support.citrix.com/article/CTX2204801

4. After the XenMobile MDX Service uses the signing assets to modify the app, the Create Mobile App screen appears.
Optionally, you can change the bundle ID of the mobile app.

5. Click Next, and the wrapping process begins.



6. Download the wrapped MDX application package (.mdx file). You can also download the file later from the Jobs tab.

To wrap an Android app


1. Upload the .apk file for the app. The time required for the upload to complete depends on the file size.



2. After the .apk file is uploaded to the XenMobile MDX Service and is processed successfully, a Verify App Details screen
appears.

a. Optionally, change the App Name, Minimum OS Version, and Maximum OS Version.

b. Edit the Description field (required).



3. On the Create Mobile App screen, upload the following Android signing assets:

Keystore
Keystore Password
Alias Name
Alias Password

To collect the Keystore and Alias Name, follow the steps in this support article:
https://support.citrix.com/article/CTX220480

4. Click Next, and the wrapping process begins.

5. Download the wrapped MDX application package (.mdx file). You can also download the file later from the Jobs tab.

Secure Browser Service
Jan 31, 2017
Citrix Secure Browser Service is a service, delivered within Citrix Cloud, that provides simple and secure remote access to web applications.
Administrators can now provide web applications in a specific browser version to users. For example, you can provide a web application in
Internet Explorer to a Mac user. The same browsing experience occurs from any device users select.

If users access a web app by using Secure Browser, the app appears in the pre-determined browser within a Citrix Receiver for HTML5 session.

Users cannot enter a different URL within the session. The website does not directly transfer any data to or from the endpoint device, so the
experience is secure.

Getting Started with Secure Browser Service

There are three options for publishing applications by using Secure Browser Service:

Unauthenticated external web apps
Authenticated external web apps
Internal web apps

Publishing authenticated external web apps and internal web apps requires a resource location and a Citrix Cloud Connector.
Also, for internal web apps, a NetScaler Gateway address is needed before creating the Secure Browser Service apps.

Security features include watermarking and URL whitelisting. Usage monitoring has also been enabled.
Using Secure Browser Service

For external unauthenticated web applications:

1. From the Citrix Cloud home page, under Services, click Manage for Secure Browser Service. You are taken to the Secure
Browser Overview page or the Manage page.
2. To publish a web app from the Overview page, select Let's Get Started. To publish a web app from the Manage page,
click Publish a Web App.
3. Select the External Unauthenticated option.
4. Give the web app a name.
5. Specify the URL for the application you want to share.
6. Choose the browser and version that provides the best experience from the drop-down.
7. Choose the region of the VDA workload that hosts the browser.
8. Click Publish.
9. From the Manage tab, you can start the web app to test by clicking ...Action Menu and selecting Launch Web App.
10. After you test the app, copy the URL in the browser to share with your users.

For external authenticated web applications:

1. Ensure you set up a resource location and a Citrix Cloud Connector.
2. On the Citrix Cloud home page, under Services, click Manage for Secure Browser Service. The Secure Browser Overview page
or the Manage page appears.
3. To publish a web app from the Overview page, select Let's Get Started. To publish a web app from the Manage page, click Publish
a Web App.
4. Select the External Authenticated option.
5. Give the web app a name.
6. Specify the URL for the application you want to share.
7. Select the browser and version that provides the best experience from the drop-down list.
8. Select the region of the VDA workload that hosts the browser.
9. Click Publish.
10. On the Manage tab, a list of published apps appears and a prompt appears to add the web app to a Library to complete publishing. For
more information about creating a Library, see "Assigning users and groups to service offerings using Library in Citrix Cloud."
11. From the Manage tab, you can start the web app to test by clicking ...Action Menu and selecting Launch Web App.
12. After you test the app, copy the URL in the browser to share with your users.

For internal web applications:

For more information about how to configure NetScaler Gateway, see "Configure NetScaler Gateway for Secure Browser Service."

1. Ensure you set up a resource location and a Citrix Cloud Connector, along with configuring the NetScaler Gateway address.
2. On the Secure Browser Service Manage page, select Settings.
3. Provide the NetScaler Gateway address and then click Save Changes.
4. To publish a web app from the Manage page, click Publish a Web App.
5. Select the Internal option.
6. Give the web app a name.
7. Specify the URL for the application you want to share.
Note: Internal web apps are supported on the Google Chrome browser only.
8. Select the region of the VDA workload that hosts the browser.
9. Click Publish.
10. On the Manage tab, the published app appears and you receive a prompt to add the web app to a Library to complete publishing. For
more information about creating a library, see "Assigning users and groups to service offerings using Library in Citrix Cloud."
11. On the Manage tab, you can start the web app to test by clicking the ...Action Menu and selecting Launch Web App.
12. After you test the app, copy the URL in the browser to share with your users.

For more information about managing Libraries, see "Assigning users and groups to service offerings using Library in Citrix Cloud."

For more information about managing subscribers, see "What is Identity and Access Management?"

Enabling and Disabling Clipboard Functionality

The Clipboard security setting allows enabling or disabling Clipboard functionality within the published web application
session. Clipboard functionality is enabled by default for all published web applications. To disable (or re-enable) this feature
on a published web app, follow these steps.

1. From the Secure Browser Service Manage page, select the ... Action Menu for the published internal or external
authenticated web app you want to disable or enable the Clipboard functionality.
2. Select Security Settings.
3. Disable (or Enable) the Clipboard setting and click OK.

Disabling the clipboard functionality ensures that users cannot copy content in or out of the published web application
session from or to the local endpoint machine. The Disable setting removes the Open Clipboard button from the Receiver
for HTML5 toolbar.

Printing for Secure Browser Apps

You can enable printing for each published app. In a printing-enabled Secure Browser session, users can print web app
content to their local printer by using the Citrix Receiver for HTML5 PDF printing feature. Users can start the print job by
pressing CTRL+P and then selecting the Citrix PDF printer in the Print dialog box. The print job converts to a PDF file and
opens on the user device. Users can then send the document to their local printer.

Note
If you enable the watermark feature for a published web app, then the printing feature is disabled.

To enable or disable printing

1. On the Secure Browser Service Manage page, on the Manage tab, click the ellipsis (...) icon next to the published app and
then select Security Settings.
2. Enable or disable the Printing setting and then click OK.

Watermarking Published Web App Sessions

Watermarking published web applications is an advanced security feature available for external authenticated applications
and internal applications. To enable this feature on a published web app, follow these steps.

1. From the Secure Browser Service Manage page, select the ... Action Menu for the published internal or external
authenticated web app you want to enable the watermark feature.
2. Select Security Settings.
3. Enable the Watermark setting and click OK.

URL Whitelisting

The URL whitelisting feature is available for internal and external authenticated web apps. This feature restricts users to
visiting only whitelisted URLs within their published web app session.

1. From the Secure Browser Service Manage page, select the web app ... Action Menu and Security Settings option.
2. Enter the Whitelist entries following a <domain name>:<port number> format.
3. For example, to set http://example.com as a whitelisted URL:

example.com:* - This format allows connection to this URL from any port.
example.com:80 - This format allows connection to this URL only from port 80.
*:* - This format allows example.com to be accessed on any port and any links to the other URLs and ports on
example.com.

Note: The *.* entry allows access to all external web apps from the published app. This format is the default setting for
the external web apps URL whitelist field.

4. You can specify multiple entries by entering each entry on a new line.
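
A whitelist can be reviewed before it is pasted into Security Settings. The following Python sketch is an added example, not Citrix code: it parses one <domain name>:<port number> entry per line, reports malformed lines, flags wildcard entries, and tests a host and port against the list. Exact, case-insensitive host matching is an assumption of the example (the page does not say how the service treats subdomains), and the sample entries are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    host: str  # domain name, or "*" for any host
    port: str  # port number as text, or "*" for any port


def parse_whitelist(text):
    """Parse one <domain name>:<port number> entry per line.

    Returns (entries, problems); each problem is (line number, text, reason).
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "/" in line:
            problems.append((lineno, line, "URL or path given instead of <domain name>:<port number>"))
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not host or not port:
            problems.append((lineno, line, "domain name or port number is missing"))
            continue
        valid_port = port == "*" or (
            port.isascii() and port.isdigit() and 1 <= int(port) <= 65535
        )
        if not valid_port:
            problems.append((lineno, line, "port must be 1-65535 or *"))
            continue
        entries.append(Entry(host.lower(), port))
    return entries, problems


def audit(entries):
    """Return (entry, remark) for every entry that uses a wildcard."""
    findings = []
    for e in entries:
        if e.host == "*" and e.port == "*":
            findings.append((e, "allows every host on every port"))
        elif e.host == "*":
            findings.append((e, "allows every host on port " + e.port))
        elif e.port == "*":
            findings.append((e, "allows every port on " + e.host))
    return findings


def permits(entries, host, port):
    """True if some entry covers host:port (assumed exact host match)."""
    host = host.lower()
    return any(
        e.host in ("*", host) and e.port in ("*", str(port)) for e in entries
    )


# Constructed sample: line 3 is a URL, which does not fit the entry format.
SAMPLE = """example.com:*
example.com:80
http://intranet.example.com
portal.example.com:443
*:*
"""

if __name__ == "__main__":
    parsed, bad = parse_whitelist(SAMPLE)
    for lineno, line, reason in bad:
        print("line %d: %r: %s" % (lineno, line, reason))
    for entry, remark in audit(parsed):
        print("%s:%s %s" % (entry.host, entry.port, remark))
    print("other.example.org:8443 permitted:", permits(parsed, "other.example.org", 8443))
```
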

Usage Monitoring

To monitor the usage of the web apps, go to the Usage tab from the Secure Browser Service page. The Summary shows
you:

Number of initiated sessions
Number of hours used

Clicking Export to CSV and selecting a timeframe provides a spreadsheet with usage details.

Secure Browser Navigation

When in a web app, users can navigate back or forward by using the local browser navigation controls. During a session, if users click either
the back or forward buttons, the HDX protocol transmits the request to the remote browser session.

Note
If users start a session on an iOS device in a Chrome browser, browser navigation does not work. Navigation does work in either the
Safari or Firefox web browser.

Configure NetScaler Gateway for Secure Browser Service
Sep 01, 2016
The following steps will guide you through the process of configuring NetScaler VPX for internal authenticated applications
in Secure Browser Service. It is assumed that the following is completed before starting these steps:

Initial configuration is completed
Setup of the NSIP (NetScaler IP Address) used for management
Configuration of the SNIP (Subnet IP)
Configuration of the hostname (NS1) and DNS Server
Enabled the following features
SSL Offloading
Load Balancing
Authentication, Authorization, and Auditing
HTTP Compression
Content Switching
Integrated Caching
NetScaler Gateway
Certificates have been added - see Installing and Managing Certificates
Authentication policies are configured - see Authentication and Authorization and Configuring LDAP Authentication

For more information on how to deploy a NetScaler VPX, refer to the NetScaler VPX Deployment Guides.

These steps will describe a configuration to allow remote access with single sign on:

1. On a web browser, enter the NSIP (Management IP address) of the NetScaler VPX appliance that has been installed on
your XenServer.

2. Log on to the NetScaler VPX.

3. Click the NetScaler Gateway option in the left navigation bar.

4. Click Virtual Servers.

5. Click Add.

6. Add a new VPN Virtual Server.

7. Click OK.

8. Bind the server certificate and click Continue.

9. Add the authentication policy.

10. Select LDAP from the Choose Policy drop down.

11. Click > from the Select Policy dropdown.

12. Select the LDAP policy, click Continue and click Bind.

13. The LDAP policy has been set as the primary authentication method. Now add the STA servers.

14. Click Published Applications.

15. Click No STA Server.

16. Enter the connector 1 address in the Secure Ticket Authority Server text box and select IPV4 as the address type.

17. Click Bind.

18. To ensure the STA Server is reachable, click 1 STA Server.

19. The State column will show green if the connection to connector 1 is healthy.

20. Optional: add a second connector for availability by selecting Add Binding.

21. Click Close.

22. You should see the total number of STA servers added.

23. You are done configuring the virtual server. Click Done.

24. Ensure the status of Virtual Server is up. If it is up (green), save the configuration. Click the Save icon.

25. Click Yes to confirm.

Now that the NetScaler Gateway has been successfully configured, you can log out from the NetScaler Gateway
Management console.


Technical Security Overview for the Secure Browser Service
Jan 17, 2017
Secure Browser Service is a SaaS product managed and operated by Citrix. It allows access to web applications via an
intermediate web browser hosted in the cloud.

Cloud Service

The Secure Browser Service consists of web browsers running on Virtual Delivery Agents (VDAs) along with the control
plane used to manage and connect users to these VDAs. Citrix Cloud manages the operation of these components,
including the security and patching of operating systems, web browsers, and Citrix components.

While using Secure Browser Service, hosted web browsers may track users' browsing history and perform caching of HTTP
requests. Citrix uses mandatory profiles and ensures that this data is deleted when the browsing session ends.

Secure Browser Service is accessed with an HTML5-compatible web browser. The service does not provide any
downloadable clients. All traffic between the browser being used and cloud service is encrypted using industry-standard
TLS encryption. Secure Browser supports TLS 1.0, 1.1, and 1.2.

Web Applications

Secure Browser is used to deliver web applications owned by the customer or a third party. The owner of the web
application is responsible for its security, including patching the web server and application against vulnerabilities.

Security of the traffic between Secure Browser and the web application depends on the encryption settings of the web
server. To protect this traffic as it flows over the Internet, administrators should publish HTTPS URLs, and install an SSL
certificate from a publicly trusted Certificate Authority on the server hosting the web application.

More Information

See the following resources for additional security information:

Citrix Security Site: http://www.citrix.com/security
Citrix Cloud documentation

Note
This document is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Cloud; and
to define the division of responsibility between Citrix and customers with regard to securing the Citrix Cloud deployment. It is not
intended to serve as a configuration and administration guidance manual for Citrix Cloud or any of its components or services.

License Usage Insights Service
Mar 22, 2016
The License Usage Insights (LUI) Service in Citrix Cloud is a free cloud service that helps Citrix Service Providers (CSP)
understand and report on product usage.

The purpose of the LUI service is to make it easy for Citrix Service Provider partners to understand which Citrix products are
in use and at what capacity. Only CSP partners have access to the LUI service.

The License Usage Insights service will enable you to:

Automatically collect and aggregate product usage information from Citrix license servers
Easily view which users are accessing your XenApp and XenDesktop deployments each month
Optimize license costs by identifying and tracking a list of free users
View and understand your historic business with Citrix

Learn more about the License Usage Insights Service

Getting Started

Features

Updating and Configuring the Citrix License Server

Technical Details

FAQ

Technical Details
Sep 08, 2016
Information you should know before using the License Usage Insights service:

Only Windows based license servers are supported at this time.

The LUI service does not support the Citrix License Server Virtual Appliance (VPX based license server). In the future, the
virtual appliance license server will also be supported with the LUI service.

It may take up to 24 hours for a newly updated license server to appear in the LUI service.

When usage data is uploaded from a license server, it's processed and stored in a secure fashion such that it can be
accessed at a later date by the LUI service. Today that process may take up to 24 hours.

By default, usernames associated with XenApp and XenDesktop license checkouts will be securely phoned home to
Citrix.

Usernames are phoned home so CSP partners can take full advantage of LUI features and the CSP licensing program
which supports free users for trial, test and administrative product use.

User information is limited to a single user@domain entry; no additional personally identifiable data is phoned home. Citrix
will never share this information.

For partners sensitive to uploading username information, this functionality can be disabled on the Citrix License Server
using the username anonymization feature.

Getting Started with the License Usage Insights Service
Sep 08, 2016

Step 1: Update Citrix License Server to v11.13.1.2

Download the latest license server. In-place upgrade of Citrix License Servers is simple and fast. If you haven't already, read
about the latest license server.

Step 2: Sign in to Citrix Cloud Using myCitrix Login

Before signing in, you'll need to sign up for a Citrix Cloud account. Follow these steps to get signed up and signed in to
Citrix Cloud for the first time.

Sign up for Citrix Cloud - Visit onboarding.cloud.com to create an account using your myCitrix credentials. When creating
your account, use the same myCitrix login credentials used to allocate and download Citrix Licenses from citrix.com.
Citrix Cloud will email the address associated with your myCitrix login.

Sign into Citrix Cloud at citrix.cloud.com using your email address and password.

Step 3: Use the License Usage Insights Service

Access the service by clicking Manage.

Using the License Usage Insights Service
Sep 08, 2016
License server status: Lets you know how many license servers you have and whether or not they're updated for use with
the LUI service.

The service knows about each license server based on license allocation data stored in the Citrix back office. Using this data,
LUI presents a list of active license servers.

If the license server is updated and successfully reporting, it will be identified as "reporting" in the service. A timestamp of
the most recent upload is also provided.

To be compliant with Citrix Service Provider license guidelines, all active license servers must be updated and reporting. The
license server status feature helps service providers through that process by identifying which license servers still need to be
updated.

Usage collection: Allows you to understand product usage through automated data collection and aggregation, with no need
to deploy additional tools.

The service will automatically aggregate product usage across all Citrix license servers to provide a complete view of usage
across all deployments.

The Citrix License Servers will collect and track product license usage and report it back to Citrix using a secure phone home
channel. This automated approach provides a constant stream of updated usage data available to Citrix Service Providers,
saving time and allowing partners to better understand usage trends within their deployments.

Free user management: Manage a list of free users to take full advantage of CSP licensing benefits.

LUI equips Citrix Service Providers with a comprehensive view of product usage across deployments while still allowing them
to take full advantage of the Citrix Service Provider license program that supports trial, test and administrative users.

Historical trends: View a complete historical record of all of your past business with Citrix. Check what usage you reported
last month, last year, or over a configurable time period.

Historical views deliver valuable business insight. Citrix Service Providers can quickly understand how their business with Citrix
is trending and which products are seeing the most growth across their customers and subscribers.

Updating and Configuring the Citrix License Server
Sep 08, 2016
The Citrix License Server is a critical component of the License Usage Insights service. In order to use the LUI service, your
Citrix License Servers must be updated to version v11.13.1.2 or later.

About the Citrix License Server v11.13.1.2

Version v11.13.1.2 and later of the Citrix License Server contain key features that are important for CSP partners.

Optimized usage collection: Version v11.13.1.2 of the license server contains new functionality that optimizes
licensing behavior and tracking to better support Citrix Service Providers.

Call home: Version v11.13.1.2 of the license server is equipped with call home features that enable automated product
usage collection for CSP partners. These features are exclusive to Citrix Service Provider partners and will only be
activated when a CSP license is detected on the license server.

Upgrading your Citrix License Servers to use the License Usage Insights Service

Please follow this upgrade process:

Download the latest license server
Upgrade your current license server
Repeat the upgrade process for each of your license servers
Start using the LUI service

Configuring the license server to anonymize usernames

By default, usernames associated with XenApp and XenDesktop license checkouts will be securely phoned home to Citrix.

Usernames are phoned home so CSP partners can take full advantage of LUI features and the CSP licensing program, which
supports free users for trial, test, and administrative product use.

User information is limited to a single user@domain entry; no additional personally identifiable data is phoned home. Citrix
does not share this information.

For partners sensitive to uploading username information, username anonymization can be enabled. When active, username
anonymization will convert readable usernames into unique strings using a secure and irreversible algorithm prior to upload.

The LUI service will use these unique identifiers to track product usage instead of the actual usernames. This approach
allows service providers to take advantage of month-to-month insights without visibility into the actual usernames in the
cloud service UI.

Configuring username anonymization on the license server

Modify the configuration file on the Citrix License Server:

C:\Program Files\Citrix\Licensing\WebServicesForLicensing\SimpleLicenseServiceConfig.xml

<Configurations>

<UsageBasedBillingScramble>1</UsageBasedBillingScramble>

</Configurations>

Understanding license server information

When CSP home is activated on a Citrix License Server, it uploads the following information daily:

Information about the license server:

License server version

Information about licenses on the license server:

License files installed on the server
License file expiration dates
Product feature and edition entitlement information
License quantities

Information about license usage:

Licenses used in the current calendar month
Usernames associated with license checkout
Product features and editions activated

Note: Citrix Service Provider partners can inspect the last uploaded payload on their license server to fully understand all of
the details.

Viewing a license server upload:

A copy of the last upload remains as a .zip file on the license server.

Location:

C:\Program Files (x86)\Citrix\Licensing\LS\resource\usage\upload_1456166761.zip

Note: Successful uploads will be deleted except for the last one. Unsuccessful uploads will linger on the disk until a
successful upload, which will delete all but the last one.
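
One way to confirm the anonymization setting and to check that no known account name appears in readable form in the retained upload, as an added Python example rather than Citrix tooling. The payload layout is not documented on this page, so the archive member name, its content and the user names below are constructed samples; on a license server, pass the bytes of the configuration file and the path of the newest upload .zip instead.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed copy of the configuration shown on this page.
SAMPLE_CONFIG = b"""<Configurations>
  <UsageBasedBillingScramble>1</UsageBasedBillingScramble>
</Configurations>"""

# Constructed account names to look for; substitute names from your directory.
KNOWN_USERS = ["alice@corp.example", "bob@corp.example"]


def scramble_enabled(config_xml):
    """True if the config (bytes) sets UsageBasedBillingScramble to 1."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("UsageBasedBillingScramble"), None)
    return node is not None and (node.text or "").strip() == "1"


def newest_upload(filenames):
    """Return the upload_<number>.zip name with the highest number, or None."""
    best = None
    for name in filenames:
        match = re.fullmatch(r"upload_(\d+)\.zip", name)
        if match and (best is None or int(match.group(1)) > best[0]):
            best = (int(match.group(1)), name)
    return best[1] if best else None


def cleartext_usernames(zip_source, known_users):
    """Map archive member -> known user names found in it in readable form.

    zip_source is a path or a binary file object. Each member is searched
    case-insensitively for every name, encoded as UTF-8 and as UTF-16-LE.
    """
    hits = {}
    with zipfile.ZipFile(zip_source) as archive:
        for member in archive.namelist():
            data = archive.read(member).lower()
            found = [
                user for user in known_users
                if user.lower().encode("utf-8") in data
                or user.lower().encode("utf-16-le") in data
            ]
            if found:
                hits[member] = found
    return hits


def sample_zip(content):
    """Build a constructed one-member archive in memory for the demo."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("usage.xml", content)  # member name is made up
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    print("anonymization enabled:", scramble_enabled(SAMPLE_CONFIG))
    names = ["upload_1456166761.zip", "upload_1456080361.zip"]
    print("inspect:", newest_upload(names))
    readable = sample_zip("<user>Alice@corp.example</user>")
    print("readable names:", cleartext_usernames(readable, KNOWN_USERS))
```

An empty result only shows that the listed names are absent; run it with names that are known to have checked out licenses in the current month.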

Frequently Asked Questions
Sep 08, 2016

What information is being phoned home? Can I view the information my license servers are sending to
Citrix?

Yes, you may view an exact copy of the information being phoned home to Citrix. Please see Using the License Usage
Insights Service.

Is the LUI service available to Citrix customers or partners that are not Citrix Service Providers?

No. The LUI service is only available to Citrix Service Provider partners with an active partner agreement.

Can I disable license server phone home?

No. Under the Citrix Service Provider license agreement, all Citrix License Servers are required to phone home product usage.
Partners sensitive to the phone home use case can use the username anonymization feature documented here.

Will I be billed based on the product usage shown in the LUI service?

No. The LUI service helps partners understand their product usage so they can report it quickly and accurately to their Citrix
distributor. CSP partners will continue to be billed based on the product usage they report to their Citrix distributor. Citrix
distributors will continue to own the billing relationship with CSP partners.

Are all Citrix products supported by the LUI service - ShareFile, NetScaler and CloudPortal Services Manager?

The LUI service currently supports XenApp and XenDesktop product usage. In the future, there will be additional products
supported.

How much does the License Usage Insights service cost?

It's a free service provided by Citrix. There are no plans to charge for the LUI service.

How do I get help with the License Usage Insights service?

To get help with the LUI service, open a ticket from within the service. Sign in to Citrix Cloud, navigate to the LUI service, and
open a ticket from the navigation bar as shown.

Citrix Cloud Labs
Oct 30, 2015
This is where you can find new, experimental services that feature the latest technologies available. These services could
change over time and may not necessarily become Citrix Cloud services. If you experience a problem with a Labs service or
would like to provide feedback, please visit our Citrix Cloud - Labs Discussions page.

Citrix Launch for Microsoft Access
May 25, 2016
Citrix Launch for Microsoft Access is a cloud-based service, delivered within Citrix Cloud, that provides a simple way to
deploy and access a Microsoft Access database from any web browser.

Getting Started with Citrix Launch for Microsoft Access

No setup is required. The administrator logs into Citrix Cloud with a free or paid account and publishes a Microsoft Access
database in a few simple steps. The administrator then generates a friendly URL to access the Microsoft database reports
and forms to share with end users.

When a user accesses the reports or forms using the Citrix Launch for Microsoft Access Service, an instance of Microsoft
Access Runtime is created and hosted in the cloud. The database reports and forms render just like any regular Microsoft
Access application, but they open within a Citrix Receiver for HTML5 session.

The user does not have the option to open a different database and the web site does not directly transfer any data to or
from the end-point device, so the experience is secure.

Important
The Citrix Launch for Microsoft Access Service is currently offered for evaluation purposes only. Do not publish a Microsoft Access
database containing any personal or sensitive information.

Why Citrix Launch for Microsoft Access Service?

Deploying Microsoft Access databases for reports and forms requires packaging and installing the databases along with
additional templates and third-party report writers along with the correct runtime version of Microsoft Access on every
endpoint Windows desktop. As a result, IT departments are required to re-package and redistribute any updates to all
endpoint Windows desktops, causing downtime.

Citrix Launch for Microsoft Access simplifies the distribution and launch experience. Administrators can upload their
databases and provide access to end users requiring zero endpoint installation and end users can access their databases
from any device. For example, you can interact with your Microsoft Access forms from a Mac.

Using Citrix Launch for Microsoft Access Service

As an administrator, you can provide access to your Microsoft Access database reports for your users in just a few steps.
Currently this service supports Microsoft Access 2013 Runtime.

1. Log in to Citrix Cloud, navigate to the Labs section and select Citrix Launch for Microsoft Access.
2. To publish a Microsoft Access database, select Publish Microsoft Access app.
3. Give the database deployment a name.
4. Upload the database file. There is a 1 GB file size limit.
5. Click Publish.

You can now share the custom URL with your users and they will have access to Microsoft Access reports and forms,
regardless of the endpoint device they are using.

If you have questions or need additional information, refer to the Discussions site.


Session Manager
Aug 04, 2016
Session Manager is a service that can be used in conjunction with the XenApp and XenDesktop Service to create
anonymous, ready-to-use applications, reducing the time it takes to launch an application. This service is currently available
as a Lab only.

Getting Started with Session Manager

The Session Manager Lab requires that you have a XenApp and XenDesktop Service account within Citrix Cloud and the
ability to create an on-premise StoreFront. For more information on how to buy or request a trial of the XenApp and
XenDesktop Service, go to the Citrix Cloud product page.

The applications delivered through this service are pre-launched and delivered by an anonymous StoreFront and published
to an anonymous Delivery Group.

Using Session Manager

In order to use Session Manager, you need to configure a few settings with an on-premise StoreFront and XenApp and
XenDesktop Service.

1. Connect a cloud-hosted StoreFront to NetScaler Gateway.
2. Create an anonymous on-premise StoreFront.
3. Create an anonymous Delivery Group.
4. Add applications to the anonymous Delivery Group.

Connect a cloud-hosted StoreFront to NetScaler Gateway

1. Access the cloud-hosted StoreFront through https://customername.xendesktop.net/Citrix/StoreWeb/.

2. Set up NetScaler Gateway as an ICA proxy (no authentication or session policies are needed). This can be configured in
the XenApp and XenDesktop Service by clicking the Manage tab. Under Configuration on the left, click StoreFront and
under the right pane select Set NetScaler Gateway.

3. Set NetScaler Gateway (FQDN:PORT) in the cloud-hosted Studio.

4. Bind Citrix Cloud Connectors as Secure Ticket Authority (STA) servers to NetScaler Gateway.

For more information, see Setting Up StoreFront with Citrix Cloud.

Create an anonymous on-premises StoreFront

1. Install StoreFront 3.6.

2. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.

3. Select the Stores node in the left pane of the Citrix StoreFront management console and in the Actions pane, click
Create Store.

4. On the Store Name page, specify a name for your store, select Allow only unauthenticated (anonymous) users to
access this store and click Next.

5. Store names appear in Citrix Receiver under users' accounts so choose a name that gives users information about the
content of the store.

6. On the Delivery Controllers page, click Add.

7. In the Add Delivery Controller dialog box:

a. Specify a name that will help you identify the deployment.

b. Point the on-premise StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors. For transport select HTTP
and port 80. The StoreFront machine must be able to directly access the connector through the fully qualified domain
name (FQDN).

8. Click OK.

9. Click Next on the XenApp Services URL section.

10. View the summary and click Create.

The unauthenticated store is now available for use. For more information, see Create an unauthenticated store.

Create an anonymous Delivery Group


1. Using the XenApp and XenDesktop Service in Citrix Cloud, click Delivery Groups on the left pane in Studio. Under Actions
on the right, click Create Delivery Group.

https://docs.citrix.com 1999-2017 Citrix Systems, Inc. All rights reserved. p.221


2. The Create Delivery Group wizard launches and guides you through the creation of a Delivery Group.

3. Select Allow any authenticated users to use this Delivery Group. Then select the Give access to unauthenticated
(anonymous) users: no credentials are required to access StoreFront option. Click Next to complete the steps. For
more information, see Create Delivery Groups.



Add applications to the anonymous Delivery Group
By adding applications to an anonymous Delivery Group they can be launched anonymously and can be viewed by all Active
Directory users.

1. Click Delivery Groups in the left panel in Studio.



2. Select the Delivery Group that was configured in the previous step.

3. Click Add Applications in the right pane Action menu.



4. Follow the wizard to add applications to the anonymous Delivery Group.

Note: When selecting an application to prelaunch on the Session Manager UI, make sure that the application is assigned to
only one Delivery Group. The application must not be provided by multiple Delivery Groups. For more information, see
Applications.

Manage anonymous Delivery Groups


1. Return to the Session Manager page and click Manage.

2. From the Manage page, you can edit or activate your anonymous Delivery Groups.

If you have questions or need additional information about this Lab, refer to the Discussions site.

Citrix Provisioning for Microsoft Office 365
Jan 17, 2017
Citrix Provisioning for Microsoft Office 365 Service in Citrix Cloud enables IT administrators to assign Office 365 subscription
licenses alongside other Citrix apps and services within Citrix Cloud. The result is simplified user management and centralized
control from a single console. Citrix Provisioning for Microsoft Office 365 also provides license verification and usage data
to optimize management and help minimize unused licenses.

Getting Started with Citrix Provisioning for Microsoft Office 365

Prerequisites
1. Buy an Office 365 Business Plan from Microsoft.
2. Integrate on-premises Active Directory with Azure Active Directory using Azure AD Connect. Citrix Provisioning for
Microsoft Office 365 currently supports synchronized and federated identity models to set up and manage user
accounts.

Using Citrix Provisioning for Microsoft Office 365


Once you have synced users in your Active Directory to your Office 365 account, you can start using this Citrix Cloud Labs
service and assign Office 365 subscription licenses alongside other Citrix apps and services to your users.

Step 1: Sign up to Citrix Cloud


Sign up for Citrix Cloud using http://onboarding.cloud.com

Step 2: Access the Citrix Provisioning for Microsoft Office 365 service
Go to the Labs section in the navigation bar of the Citrix Cloud control center to view the list of available labs services.
Select the Citrix Provisioning for Microsoft Office 365 service.

You will then be presented with 3 steps to get started.



Step 3: One-time setup to use Citrix Provisioning for Microsoft Office 365

1. Connect Citrix Cloud with your Office 365 account

To connect Citrix Cloud to your Office 365 account, you are redirected to the Microsoft site, where you must
log in using your Office 365 credentials.

2. Connect on-premises Active Directory with Citrix Cloud

To connect on-premises Active Directory to Citrix Cloud, you need to install a Cloud Connector in your resource
location. More details on what a resource location is can be found here.

We recommend installing two Cloud Connectors for high availability on physical or virtual Windows Server 2012 R2 or
later machines that are joined to the domain. More details on the Cloud Connector can be found here.



Step 4: Publish and deliver Office 365 along with other Citrix apps and services to your end users

You can now assign Office 365 licenses along with other Citrix apps and services using Library. Follow the steps below to deliver
these apps and services.

Select the Office 365 plan along with other Citrix services that you may have.



Subscribe users: Search for users in your Active Directory and assign them to the offering.



Track user assignment and license consumption
Citrix Provisioning for Microsoft Office 365 allows IT administrators to understand user license assignment and overall
Office 365 subscriber license consumption.

You can view this information using the User List and License Usage tabs in the service UI as shown below.



Frequently Asked Questions
Q1. Who is responsible for buying Office 365 subscription licenses and from what source?
The IT administrator is responsible for buying the Office 365 subscription from the Microsoft site.

Q2. Who can access the Office 365 service in Citrix Cloud and from what source?
Anyone can access the service using the Citrix Cloud Labs section.

Q3. What is the cost of using Office 365 from within Citrix Cloud?
Citrix Cloud does not charge to integrate your Office 365 account with Citrix Cloud.

Q4. Can I manually create users in the Office 365 administrator panel and then use Citrix Cloud to provision licenses?
No. Citrix Provisioning for Microsoft Office 365 Service in Citrix Cloud only supports integration with directory services. For
this, the administrator needs to install Microsoft Azure Active Directory Connect to sync the on-premises identities to Azure
AD. Once synchronization is enabled, you will be able to see the users in the Citrix Cloud Office 365 console. You can then
provision licenses to users along with other services.

Q5. Who is responsible for maintaining the users sync process between on-premises AD and Azure AD?
The IT administrator is responsible for keeping the sync process running and updated.

Q6. Does this service support both users and groups license assignment for Office 365?
No. At present the service only supports user subscription license assignment.

Q7. Does Citrix store my Office 365 account credentials?
No, Citrix Cloud does not store any account credentials. It redirects the administrator to the Microsoft site to validate and provide
access.

Q8. How can the end user access the assigned Office 365 plans?
The end user can access Office 365 using https://login.microsoftonline.com/ or any other method provided by Microsoft.



NetScaler Web App Security Service
May 31, 2017
NetScaler Web App Security Service is a cloud-based Web Application Firewall (WAF) service that protects customers' web
applications and infrastructure from cyber security attacks. It has historical retention capabilities for easy operation and
incident analysis.

Features and Benefits

NetScaler Web App Security Service offers the following benefits:

Comprehensive Security: It provides protection against web application attacks using SQL Injection, Cross-Site Scripting,
Blacklisted and Whitelisted URLs/applications, Signatures, IP Reputation, etc.
Fast Deployment: Click & Protect, with less than 5 clicks from first-time login to protection. This service configuration is
Application and Service centric.
Ease of Use: It is quick and easy to deploy, manage, and report using a simplified GUI.
Lower operational expenses: The service is managed by Citrix, saving admin and on-premises equipment costs.

Getting Started with NetScaler Web App Security Service

1. Users can access this service through the Citrix Cloud interface. User authentication happens when a user connects to
the Citrix Cloud service.

2. All user information, such as certificates and keys, is stored in a secure Citrix vault so that the certificates and keys are not
left unencrypted.

For more information about NetScaler MAS, Load Balancing, and Application Firewall, see:

http://docs.citrix.com/en-us/netscaler-mas/12/getting-started-with-mas.html,
http://docs.citrix.com/en-us/netscaler-mas/12/deploy-netscaler-mas.html,
http://docs.citrix.com/en-us/netscaler/11-1/load-balancing/load-balancing-how-it-works.html,

and http://docs.citrix.com/en-us/netscaler/12/application-firewall/configuring-application-firewall.html

Service Level Goal

NetScaler Web App Security Service is designed with industry best practices to achieve cloud scale and a high degree of
service availability.

How to Register for NetScaler Web App Security Service

You can add Web App Security Service by contacting your Citrix sales representative or through a request form on Citrix
Cloud.

The list of available services within the Citrix Cloud environment is displayed.

How to use NetScaler Web App Security Service

To use NetScaler Web App Security Service:

1. Go to https://netscalerappsecurity.cloud.com. Log in with your Citrix Cloud account user credentials. The following
page is displayed. If you have purchased a license to use the service, the NetScaler Web App Security Service page is
displayed as shown below.

2. Click Get Started. T he NetScaler Web App Security Service Domains page is displayed.

3. Click Add. The Add Domain page is displayed. Enter the Name and Domain. Upload the SSL Certificate and SSL key
files, for example, waf.cert and waf.key. Enter an SSL Pass Phrase and then click Create. The domain is added to the list of
domains as shown below.

4. Select the newly created domain and click Edit to edit it.

5. Select the newly added Domain and click Manage Applications. Ensure that you change the CNAME provided by the
WAF service for the newly created domain. This changes the DNS record address for the CNAME. The IP address of the backend
server is populated as shown below. Click Close.



6. Click Add to add an application. Add name and URL for the Application. Click Create and Close.

7. Select an application and click Security Service Profile. The following Application Firewall profile information is
displayed as shown in step a.



a) Application Security Service Profile General page:

8. On the Security Checks page, create security profiles.

a. Application Security Checks page:



9. On the Security Check page, edit the White List URLs and click OK.

a. Security Check Actions views:

i) URL Whitelist Settings:

ii) URL Blacklist Settings:

iii) Buffer Overflow Settings:



iv) Content-type Settings:

v) HTML Cross-Site Scripting Settings:

vi) HTML SQL Injection Settings:



b) Profile Settings page:

For more information, see http://docs.citrix.com/en-us/netscaler/12/application-firewall/profiles.html

c) Profile Signatures page:

For more information, see http://docs.citrix.com/en-us/netscaler/12/application-firewall/signatures.html.



d) Relaxation Rules page:

i) URL Whitelist Relaxation Rules:



ii) URL Blacklist Relaxation Rules:
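
Step 3 of this procedure uploads a certificate file, a key file and an SSL Pass Phrase. The pre-upload check below is an added example, not part of the Citrix documentation: it confirms that the pass phrase decrypts the key, that the key belongs to the certificate, that the certificate has not expired and that it covers the domain. It assumes PEM-encoded files and OpenSSL 1.1.1 or later; the function names are hypothetical and the sample pair for waf.example.test is constructed locally.

```shell
#!/bin/sh
# Added example: validate a certificate/key pair before uploading it in step 3.
# Assumptions: PEM files, OpenSSL 1.1.1+; function names are hypothetical.

# make_sample DIR PASSPHRASE DOMAIN
# Builds a constructed, self-signed pair (waf.cert + encrypted waf.key) for the demo.
make_sample() {
    PASS="$2" openssl req -x509 -newkey rsa:2048 -sha256 -days 1 \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
        -passout env:PASS -keyout "$1/waf.key" -out "$1/waf.cert" 2>/dev/null
}

# check_pair CERT KEY PASSPHRASE DOMAIN
# Returns 0 if the pair is consistent, otherwise a code naming the failure:
# 1 pass phrase wrong or key unreadable, 2 certificate unreadable,
# 3 key does not match certificate, 4 certificate expired,
# 5 certificate does not cover DOMAIN.
check_pair() {
    cert=$1; key=$2; pass=$3; domain=$4
    # The pass phrase is passed through the environment rather than as a
    # command-line argument.
    key_pub=$(PASS="$pass" openssl pkey -in "$key" -passin env:PASS -pubout 2>/dev/null) ||
        { echo "key: wrong pass phrase or unreadable file" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "certificate: unreadable file" >&2; return 2; }
    # Same public key on both sides means the key belongs to this certificate.
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "key does not match certificate" >&2; return 3; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 4; }
    openssl x509 -in "$cert" -noout -checkhost "$domain" | grep -q "does match" ||
        { echo "certificate does not cover $domain" >&2; return 5; }
    echo "OK: $cert and $key are consistent for $domain"
}

# Demo on a constructed pair in a throwaway directory.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" 'constructed-pass-phrase' waf.example.test &&
    check_pair "$demo_dir/waf.cert" "$demo_dir/waf.key" \
        'constructed-pass-phrase' waf.example.test
rm -rf "$demo_dir"
```
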
