This page has moved to docs.citrix.com. You can now find all Smart Tools documentation at the Citrix Product Documentation site. Please update any page links to the new URL: https://docs.citrix.com/en-us/smart-tools/citrix-solutions-deployments/deploy-xenapp-xendesktop-netscaler-poc-aws.html.
- Component overview
- What does this blueprint do?
- Step 1: Create a VPC
- Step 2: Adjust default security group rules
- Step 3: Add a Management subnet
- Step 4: Deploy a NetScaler VPX instance
- Step 5: Adjust NetScaler VPX security groups
- Step 6: Create a private IP address for NetScaler Gateway
- Step 7: Create a public IP address for NetScaler Gateway
- Step 8: Create a bastion host
- Step 9: Assign NetScaler VPX subnet addresses
- Step 10: Deploy the XenApp and XenDesktop Proof of Concept blueprint
This topic describes how to prepare an Amazon Web Services (AWS) environment and deploy the XenApp and XenDesktop Proof of Concept blueprint with an on-premises NetScaler appliance.
If you want to deploy a XenApp and XenDesktop proof-of-concept with a cloud-based NetScaler appliance, use the Simple XenApp and XenDesktop Proof of Concept blueprint.
When you complete the tasks in this topic, your proof-of-concept will include the following components:
- A virtual private cloud (VPC) with public and private subnets inside a single availability zone. A NAT instance is included to enable provisioned machines to access the Internet.
- A domain controller, located in the private subnet of the VPC.
- A XenApp and XenDesktop Delivery Controller, joined to the domain and located in the private subnet of the VPC.
- A Server VDA, joined to the domain and located in the private subnet of the VPC.
- A NetScaler VPX appliance, located in your network environment.
- A bastion host, located in the public subnet of the VPC. This machine is used to initiate RDP connections to the instances in the private subnet for administration purposes. You provision the bastion host using a separate blueprint.
What does this blueprint do?
When you deploy this blueprint, Smart Tools performs the following tasks:
- Provisions a domain controller and creates a domain.
- Provisions a XenApp and XenDesktop Delivery Controller and Server VDA and joins them to the domain.
- Installs XenApp and XenDesktop and creates a database and Site.
- Deploys a NetScaler Gateway using a NetScaler VPX appliance that you provide.
Note: NetScaler is an optional component in this blueprint. If you don't want to include NetScaler in your proof-of-concept, use Steps 1, 2, 8, and 10 only. Alternatively, refer to Getting Started with Smart Tools and AWS for a guided walkthrough.
Provisioned machine configurations
The blueprint includes recommended configurations for each machine that Smart Tools provisions to the deployment. The following AWS instance recommendations are the default selections when you configure the VM for each machine tier in the deployment:
Operating system: Windows Server 2012 R2 (all machines)
| Machine Type | AWS Instance Type | Root Volume Storage (GB) |
| --- | --- | --- |
| Domain controller | M3 Medium 3.75 GB | 48 |
| Delivery Controller | M3 Large 7.5 GB | 64 |
| Server VDA | M3 Large 7.5 GB | 64 |
Important: This blueprint includes conditions for deploying the components above on supported resource locations. When configuring the VMs for each machine tier, you must allow Smart Tools to provision new VMs during deployment. Using existing machines with this blueprint is not supported and will cause the deployment to fail.
Before deploying the blueprint, you need an AWS account. If you have an Amazon.com account, you can use your credentials to log on to AWS. If you don't have an account, you can create one at http://aws.amazon.com.
To include a NetScaler Gateway in your deployment, you will need an existing NetScaler VPX in your network environment that you can prepare for use with the blueprint. Additionally, you need the following items:
- A file containing an X.509 certificate and private key to assign to the NetScaler Gateway. During blueprint deployment, Smart Tools uploads this file directly to the NetScaler appliance. The file may contain only the certificate and key or a certificate bundle. For more information about certificate bundles and acceptable file formats, see the NetScaler product documentation at http://docs.citrix.com.
- The URL for a web server or address of a Windows file share where the certificate file is stored. During blueprint deployment, Smart Tools downloads the certificate file from this location and uploads it to the NetScaler appliance. If you are using a Windows share that requires authentication, you may also need a user name and password for authenticating to the share.
To perform the steps in this topic with minimal interruption, Citrix recommends you perform the following tasks in Smart Tools beforehand:
- Add the XenApp and XenDesktop Cloud Access Server and XenApp and XenDesktop Proof of Concept blueprints in the Checks and Blueprints catalog to your Smart Tools account.
- Add your AWS account to your Smart Tools account as a resource location. To do this, follow the steps described in Add an Amazon Web Services resource location.
Step 1: Create a VPC
- From the Amazon Management Console, click VPC. The VPC Dashboard appears.
- Click Start VPC Wizard and then click VPC with Public and Private Subnets. Click Select.
- Enter a VPC Name and accept all other default values.
- Click Create VPC.
Tip: After AWS creates the VPC, note the VPC ID that AWS assigns. If you have more than one VPC in your AWS account, knowing the VPC ID can help you readily identify this VPC, as AWS does not always display VPCs by name.
Step 2: Adjust default security group rules
- From the VPC Dashboard, under Security, click Security Groups.
- Select the VPC you created in “Step 1: Create a VPC” and click the Inbound Rules tab.
- Click Edit and add rules to allow RDP and HTTPS access from your chosen CIDR range. Optionally, you can allow ICMP Echo Requests to aid in diagnostics.
- When finished, click Save.
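One way to confirm the result of this step is to check the saved rules against the CIDR range you chose. The following is an added example, not part of the original Citrix procedure: `audit_inbound` is a hypothetical helper, the sample is a constructed security group in the JSON shape printed by `aws ec2 describe-security-groups`, and 203.0.113.0/24 stands in for your chosen range.

```python
import ipaddress

# Constructed sample: one element of the "SecurityGroups" list printed by
# `aws ec2 describe-security-groups`. The group ID and CIDRs are placeholders.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "GroupName": "default",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        # The default group's built-in rule: members may talk to each other.
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE"}]},
    ],
}

ADMIN_PORTS = {3389: "RDP", 443: "HTTPS"}


def audit_inbound(group, allowed_cidrs):
    """Return (service, cidr) pairs whose source lies outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in group["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto not in ("tcp", "-1"):
            continue  # ICMP echo and other protocols are not checked here
        if proto == "-1":
            lo, hi = 0, 65535  # "all traffic" rules carry no port fields
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        services = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not any(src.subnet_of(net) for net in allowed):
                findings.extend((svc, str(src)) for svc in services)
    return findings


if __name__ == "__main__":
    for svc, cidr in audit_inbound(SAMPLE_GROUP, ["203.0.113.0/24"]):
        print(f"{svc} is reachable from {cidr}, outside the chosen range")
```

Because Step 5 places the NetScaler VPX private and public ENIs in this same default security group, any rule flagged here also applies to those interfaces.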
Step 3: Add a Management subnet
- From the VPC Dashboard, under Virtual Private Clouds, click Subnets.
- Click Create Subnet and enter the following information:
- In Name, type Management subnet.
- In VPC, ensure the VPC you created in “Step 1: Create a VPC” is selected.
- In CIDR block, you can use any CIDR block that you choose, as you will use only one address in this subnet. However, if you are using the default VPC network addresses, Citrix suggests using a CIDR of 10.0.2.0/24.
Tip: After AWS creates the subnet, note the Subnet ID that AWS assigns. Because you will be dealing with multiple subnets in this topic, knowing the Subnet ID can help you readily identify each subnet, as AWS does not always display subnets by name.
Step 4: Deploy a NetScaler VPX instance
- In a separate browser window, go to the Amazon Marketplace at https://aws.amazon.com/marketplace.
- Search for NetScaler VPX and select an offering.
- Under Pricing Details, select the region where you are deploying the XenApp and XenDesktop Proof of Concept blueprint and click Continue. The currently active region for your account is displayed in the top navigation bar of the AWS Management Console.
- On the Launch on EC2 page, ensure the 1-Click Launch tab is selected.
- Under VPC Settings, click Set up.
- In VPC, select the VPC you created in “Step 1: Create a VPC.”
- In Network interface (Management subnet), select the Management subnet you created in “Step 3: Add a Management subnet.”
- In Network interface (Private subnet), select the private subnet associated with your VPC.
- In Network interface (Public subnet), select the public subnet associated with your VPC.
- Click Done and then click Accept Terms and Launch with 1-Click. AWS launches an instance of NetScaler VPX to the region you specified.
Tip: After the NetScaler VPX instance has finished deploying, go to the EC2 Dashboard and note the Instance ID. The Instance ID is also the default password for the NetScaler VPX management console, which you will need to access later in this topic.
Step 5: Adjust NetScaler VPX security groups
- From the AWS Management Console, click EC2.
- From the EC2 Dashboard, under Network & Security, click Network Interfaces.
- Select the Private ENI for the NetScaler VPX instance, click Actions > Change Security Groups, and then select the default security group for your VPC. Click Save.
- Select the Public ENI for the NetScaler VPX instance, click Actions > Change Security Groups, and then select the default security group for your VPC. Click Save.
Step 6: Create a private IP address for NetScaler Gateway
When deployed, the XenApp and XenDesktop Proof of Concept blueprint creates a NetScaler Gateway virtual server on the NetScaler VPX instance. To do this, the virtual server needs a private IP address within the VPC.
- From the Network Interfaces list, select the Public ENI and then click Actions > Manage Private IP addresses.
- Click Assign new IP and then click Yes, Update. AWS assigns a second IP address automatically.
Note: You will assign this second IP address to the NetScaler Gateway virtual server that will be created on the NetScaler VPX instance.
- Click Cancel to close the dialog box.
Step 7: Create a public IP address for NetScaler Gateway
When deployed, the XenApp and XenDesktop Proof of Concept blueprint creates a NetScaler Gateway virtual server on the NetScaler VPX instance. To access the virtual server from the Internet, you create a public (Elastic) IP address within the VPC and associate it with the Public ENI of the NetScaler VPX instance.
- From the EC2 Dashboard, under Network & Security, click Elastic IPs.
- Click Allocate New Address and then click Yes, Allocate.
- Select the new Elastic IP address and then click Actions > Associate Address.
- In Network Interface, select the Public ENI for the NetScaler VPX instance.
- In Private IP Address, select the private IP address you created in “Step 6: Create a private IP address for NetScaler Gateway.”
- Click Associate.
Step 8: Create a bastion host
This task creates a bastion host in the public subnet so you can log on to machines in the VPC's private subnet for diagnostics, administration activities, and so on.
Important: This task assumes that you have already added your AWS account to Smart Tools as a resource location. If you have not already done so, follow the steps described in Add an Amazon Web Services resource location before completing this task.
- In a separate browser window, log on to Smart Tools, click Checks and Blueprints, and then add the XenApp and XenDesktop Cloud Access Server blueprint to your account.
- Click Smart Build, click Actions > Deploy, then click Start deployment setup.
- Enter a Deployment Name and click Next.
- In Resource Location, select your AWS resource location and then click Next.
- When the Pre-deployment Checklist appears, click Continue.
- Under VM Tiers, select the AWS resource location to configure the VM that Smart Tools will provision.
- Select the AWS region where you will deploy the machines in the proof-of-concept and then click Next.
- Select the Windows Server 2012 R2 base machine image.
- On the Instance Details page, select the following settings and then click Next:
- In Network, select the VPC you created in “Step 1: Create a VPC.”
- In Subnet, select the Public subnet associated with the VPC.
Step 9: Assign NetScaler VPX Subnet addresses
- From the bastion host, open a web browser and access the NetScaler VPX management console. The console URL is http://NSIP, where NSIP is the IP address of the NetScaler VPX instance in the Management subnet. This IP address is listed in the Private IPs for the NetScaler VPX instance.
- Log on to the management console. The default user name is nsroot and the default password is the Instance ID of the NetScaler VPX instance. You can find the Instance ID by selecting the NetScaler VPX instance on the EC2 Dashboard.
- From the management console, expand System, expand Network, and then click IPs.
- Add Subnet IP entries for the IP address on the private subnet and the main IP address on the public subnet. If you used the default CIDR values of 10.0.0.0/24 and 10.0.1.0/24 for the public and private subnets, you will need to enter a Netmask of 255.255.255.0.
Important: Do not add a Subnet IP entry using the IP address that you added to the Public ENI in “Step 6: Create a private IP address for NetScaler Gateway.”
- When finished, save the running configuration.
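The address rules in this step can be checked before you type anything into the management console. The following is an added example, not part of the original Citrix procedure: `netmask_for` and `check_netscaler_ips` are hypothetical helpers, the subnets are the default CIDRs mentioned in this topic, and the host addresses in the sample call are constructed.

```python
import ipaddress

# Default subnet CIDRs mentioned in this topic. The host addresses used in the
# sample call at the bottom are constructed, not values assigned by AWS.
SUBNETS = {
    "public": "10.0.0.0/24",
    "private": "10.0.1.0/24",
    "management": "10.0.2.0/24",
}


def netmask_for(cidr):
    """Dotted netmask to enter with a Subnet IP for the given CIDR block."""
    return str(ipaddress.ip_network(cidr).netmask)


def check_netscaler_ips(nsip, snips, gateway_vip, subnets=SUBNETS):
    """Return a list of problems with the addresses planned for Step 9.

    nsip: management address of the VPX (the NSIP in http://NSIP)
    snips: {"public": ip, "private": ip} Subnet IP entries to add
    gateway_vip: second private IP assigned to the Public ENI in Step 6
    """
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = []
    if ipaddress.ip_address(nsip) not in nets["management"]:
        problems.append(f"NSIP {nsip} is not in the Management subnet")
    for name in ("public", "private"):
        ip = snips.get(name)
        if ip is None:
            problems.append(f"no Subnet IP planned for the {name} subnet")
        elif ipaddress.ip_address(ip) not in nets[name]:
            problems.append(f"Subnet IP {ip} is outside the {name} subnet")
    vip = ipaddress.ip_address(gateway_vip)
    if vip not in nets["public"]:
        problems.append(f"Gateway IP {gateway_vip} is not on the public subnet")
    if any(ipaddress.ip_address(ip) == vip for ip in snips.values()):
        problems.append(f"Gateway IP {gateway_vip} must not be a Subnet IP")
    return problems


if __name__ == "__main__":
    plan = {"public": "10.0.0.20", "private": "10.0.1.20"}
    print(netmask_for(SUBNETS["public"]))
    print(check_netscaler_ips("10.0.2.15", plan, "10.0.0.21") or "plan is consistent")
```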
Step 10: Deploy the XenApp and XenDesktop Proof of Concept blueprint
- From Smart Tools, click Checks and Blueprints and add the XenApp and XenDesktop Proof of Concept blueprint to your account.
- Click Smart Build, click Actions > Deploy, then click Start deployment setup.
- On the Overview page, enter a Deployment Name and then click Next.
- On the Resource Location page, select your AWS resource location and then click Next.
- On the Architecture page, in ConfigureNetScaler, type yes and then click Next.
- On the Pre-deployment Checklist, click Continue.
- On the Scale page, click Next.
- On the Size page, ensure Create new VMs is selected.
- For the Domain Controller machine tier, perform the following actions:
- In the Select a Resource Location field, select your AWS resource location. The Configure VM dialog box appears.
- On the Choose a Region page, select the AWS region where you want Smart Tools to deploy the machines in the blueprint. Click Next.
- On the Choose an AMI page, select the Windows Server 2012 R2 base machine image.
- On the Instance Details page, in Network, select the VPC you created in "Step 1: Create a VPC." In Subnet, ensure the Private subnet is selected.
- On the Credentials page, enter your key pair details by uploading an existing AWS private key or click Create Key Pair to create a new key pair through Smart Tools. Click Next.
- On the Networking page, ensure the default security group is selected and click Next.
- On the Summary page, leave Copy this configuration to other VM tiers selected and then click Finish.
- Click Next to continue the deployment.
- On the Configuration page, enter the following settings and then click Next:
- In DomainName, enter a fully-qualified domain name for your XenDesktop deployment.
- In AdministratorPassword, enter a password for the local administrator account.
- In SafeModePassword, enter a password to allow administrators to repair Active Directory in safe mode.
- In NSIP, enter the IP address of the NetScaler VPX instance in the Management subnet.
- In NsPassword, enter the default NetScaler VPX password.
- In CertificatePath, enter the URL or CIFS share location where your NetScaler Gateway certificate files reside. Examples: http://download.example.com; \\example.com\download
- In Gateway IP, enter the second private IP address that you assigned in “Step 6: Create a private IP address for NetScaler Gateway.”
- In GatewayExternalUrl, enter the public URL of the NetScaler Gateway.
- In GatewayCertificate, enter the name of the file containing the gateway certificate and private key, in PEM or PFX format. The certificate must be consistent with the GatewayExternalUrl setting that you specified.
- In GatewayCertPassword, enter the password for the private key associated with the certificate.