Create a XenApp and XenDesktop production deployment with Provisioning Services on Citrix XenServer and VMware vSphere

This page has moved to You can now find all Smart Tools documentation at the Citrix Product Documentation site. Please update any page links to the new URL:


Which blueprint should I use?

Use one of the following blueprints to deploy XenApp and XenDesktop to your on-premises Citrix XenServer or VMware vSphere environment:

  • XenApp and XenDesktop with SQL
  • XenApp and XenDesktop without SQL

Both blueprints create production-ready deployments of Citrix XenApp and XenDesktop that you attach to your existing Active Directory infrastructure.  You can also elect to include Citrix Provisioning Services in your deployment.

Important: Provisioning Services is only supported for use with the on-premises hypervisors listed in this topic. Provisioning Services is not supported for deployments on AWS or Azure Classic resource locations. If you include Provisioning Services when deploying these blueprints to AWS or Azure Classic resource locations, the deployment will fail.

Use the XenApp and XenDesktop with SQL blueprint if:

  • Your environment does not already include SQL.
  • You want to implement dedicated SQL mirroring that is not shared or affected by other software using the same SQL servers.
  • You want to include NetScaler Gateway in your blueprint deployment (XenServer only).

Use the XenApp and XenDesktop without SQL blueprint if your environment already includes SQL. If you want to use NetScaler Gateway to secure external access to your deployment, you can perform the appropriate NetScaler configurations after you have completed the tasks in this topic.

What do the blueprints do?

Both blueprints include scripts that perform the following tasks:

  • Install XenApp and XenDesktop 7.6 LTSR or 7.11, including Citrix Licensing Server and StoreFront.
  • Create a XenApp and XenDesktop Site and StoreFront cluster.
  • Join the provisioned machines to your existing domain.
  • Create a Provisioning Services farm with two Provisioning Servers (optional).
  • Provision a virtual desktop that you can access for testing purposes.

The "with SQL" blueprint also includes additional scripts that perform the following tasks:

  • Install SQL Server and configure database mirroring.
  • Deploy a NetScaler Gateway using a NetScaler VPX appliance that you provide (XenServer only).

Provisioned machine configurations

The blueprints include recommended configurations for each machine that Smart Tools provisions to the deployment. The following recommendations are displayed when you configure the VM for each machine tier in the deployment. 

For all machines: 

  • Operating system: Windows Server 2012 R2
  • Storage available in the resource location: 50 GB

| Machine Type | Recommended vCPUs | Recommended Memory (GB) |
|---|---|---|
| Staging Server | 2 | 2 |
| Citrix License Server | 2 | 4 |
| SQL Server 1 ("with SQL" only) | 4 | 8 |
| SQL Server 2 ("with SQL" only) | 4 | 8 |
| SQL Server Witness ("with SQL" only) | 4 | 8 |
| Delivery Controller 1 | 4 | 8 |
| Delivery Controller 2 | 4 | 8 |
| StoreFront 1 | 4 | 8 |
| StoreFront 2 | 4 | 8 |
| Provisioning Server 1 | 4 | 16 (minimum) |
| Provisioning Server 2 | 4 | 16 (minimum) |
| Test VDA | 4 | 16 |

Note: Memory recommendations for the Provisioning Servers assume a single vDisk configuration for up to 500 VMs. For best practices in determining the appropriate size for your Provisioning Services deployment, see

How is Provisioning Services deployed?

When you deploy either blueprint, you have the option of including Provisioning Services in your deployment. When you configure the blueprint deployment and select the version of XenApp and XenDesktop you want to use (Version 7.6 LTSR or 7.11), Smart Tools installs the corresponding version of Provisioning Services.

Smart Tools creates a two-node Provisioning Services farm with two Provisioning Servers. The farm uses a mirrored database that resides on the same SQL servers that are used for the XenApp and XenDesktop Site.

Streaming and management IP addresses

When you deploy the blueprint, you will be prompted to specify four IP addresses: two for managing streaming and management traffic on Provisioning Server 1, and two for managing streaming and management traffic on Provisioning Server 2. Use one of the following options depending on the configuration of your Provisioning Servers:

  • Provisioning Server 1 and 2 each have two NICs and static IP addressing: Enter the IP addresses of the NICs that you want to assign to manage streaming and management traffic on each server. Smart Tools assumes the streaming and management IP addresses are on separate NICs and that the IP addresses are static.  
  • Provisioning Server 1 and 2 each have a single NIC and use DHCP: Enter no values for Provisioning Server 1 and 2. Smart Tools assumes your Provisioning Servers use DHCP and will use the first IP address it detects for both streaming and management traffic.    

For more information about NICs and IP addresses for Provisioning Servers, see IP addressing for Provisioning Services.

Preferred boot method

The farm is configured to use BDM for the client boot method; PXE is not enabled. The blueprint will automatically generate a boot ISO located on the root drive (such as C:\PVSBootISO.iso) of the first Provisioning Server in the farm. This ISO can be used to boot Provisioning Services target devices and is configured to point to both Provisioning Services logon servers or a DNS alias if one was provided during the blueprint deployment.

Service account

When you deploy the blueprint, you can specify the username and password of the service account you want to use for running the Stream and SOAP services. If the account you specify does not exist, Smart Tools attempts to create it. Additionally, Smart Tools adds the service account to the local administrator groups on each Provisioning Server to provide KMS and MAK functions in Provisioning Services.

VDA and vDisk deployment

No VDAs or vDisks are created for the Provisioning Services deployment.  

For more information about the tasks for including Provisioning Services in your XenApp and XenDesktop deployment, see the Prepare for deployment and Deploy the blueprints sections.

Which XenServer and vSphere versions are supported?

You can deploy these blueprints on resource locations running the following hypervisors:

  • Citrix XenServer 6.2 and 6.5
  • VMware vSphere 5.1 and 5.5

Note: Including NetScaler in your "with SQL" blueprint deployment is supported on Citrix XenServer only.

Who should use these blueprints?

Anyone can deploy the blueprints to roll out a XenApp and XenDesktop deployment, but they are primarily designed for system administrators in small-to-medium businesses with 50 to 5,000 users. Typically, you might be planning a single XenApp and XenDesktop site with the following server infrastructure:

  • Two Delivery Controllers
  • Two SQL mirror partners and a mirror witness
  • A Citrix License server
  • Two Citrix StoreFront servers
  • Two Provisioning Servers

Prepare for deployment

Before you deploy the XenApp and XenDesktop blueprints, use the following tasks to prepare your environment.

Prep Task 1: Identify the domain and disable Group Policy inheritance

Locate the Active Directory domain in your environment where the XenApp and XenDesktop deployment will be created. You will need to supply this domain when you configure the blueprint during deployment.

Additionally, Citrix recommends temporarily disabling Group Policy inheritance on the root OU that you will use to deploy these blueprints (specified in the blueprint's OUPath parameter) so that no policies interfere with the deployment process. After the deployment is finished and testing is complete, you can re-enable policy inheritance on the OU. 

Prep Task 2: Verify SQL Server version for database mirroring

If you are deploying the "without SQL" blueprint, you will need to supply connection information to three existing SQL Servers. The primary and secondary servers must be running an edition of SQL Server capable of database mirroring, such as Enterprise or Standard. The witness server can run any edition of SQL Server, including Express. 

All three servers must have SQL mirroring endpoints created and listening prior to deploying the blueprint. 

Prep Task 3: Gather NetScaler prerequisites ("with SQL" blueprint only)

If you are using the "with SQL" blueprint and want to include NetScaler Gateway in your deployment, you need the following items:

  • The address and credentials for an existing NetScaler appliance you can use to configure the NetScaler Gateway. Ensure the NetScaler appliance is configured with an IP address (NSIP), any required subnet IP addresses (SNIP), and is licensed for a NetScaler Gateway. 
  • An available IP address to assign to the NetScaler Gateway. 
  • A file containing an X.509 certificate and private key to assign to the NetScaler Gateway. During deployment, this file will be uploaded directly to NetScaler. The file can contain just the certificate and key or a certificate bundle. For more information about certificate bundles and acceptable file formats, see the NetScaler documentation on the Citrix Product Documentation web site.
  • The URL for a web server or address of a Windows file share from which the certificate file can be downloaded. If you are using a Windows share that requires authentication, you might also need a user name and password for authenticating to the share. 
  • The external URL by which the NetScaler Gateway will be accessed (for example,

Prep Task 4: Name your servers

Identify names to use for the following servers that Smart Tools will deploy. You supply these names when deploying your blueprint:

  • A staging server to be used for all temporary files used during deployment creation.
  • The Delivery Controllers.
  • The StoreFront servers.
  • The License server.
  • The Provisioning Servers (if deploying Provisioning Services).
  • The main XenApp and XenDesktop database, which is used to control the deployment.
  • The secondary XenApp and XenDesktop database, which is used to monitor performance and log changes.
  • The SQL mirror partners and mirror witness. If you are using the “without SQL” blueprint, use the existing names in your SQL infrastructure.
  • The server used for the Server VDA.

Prep Task 5: Set up service accounts

The general service account you use must allow you to perform installations, create AD objects, and execute scripts in your deployment. You can use different accounts for different server roles if you wish.

If you are using the “without SQL” blueprint, identify the SQL account that will be used to create and mirror the XenApp and XenDesktop database on your existing database servers. This account can be a SQL sysadmin account or a least-privileged account with sufficient permissions. For more information about the database access permissions required for XenApp and XenDesktop, see CTX127998 on the Citrix Support web site.

If you are using the “with SQL” blueprint, identify an account that will be used to run SQL services and an Active Directory security group that will be given sysadmin privileges on the SQL servers that the blueprint deploys. If these items are not present when you deploy the blueprint, Smart Tools attempts to create them. These items are added to the "Users" and "Groups" OUs, respectively, located in the root OU you specify during deployment.

If you elect to include Citrix Provisioning Services in your deployment, identify the service account that will be used to run the Stream and SOAP services on the Provisioning Servers that will be deployed. If the service account you specify does not exist, Smart Tools will attempt to create it. Additionally, Smart Tools adds the service account to the local administrator groups on each Provisioning Server to provide KMS and MAK functions in Provisioning Services.

Important considerations for accounts

  • These blueprints support deployment to a single Active Directory domain that you specify. Therefore, the accounts that you specify -- existing accounts as well as accounts that the blueprint creates -- must reside in this domain. 
  • All accounts must be specified in down-level format (NetBIOSDomainName\UserName); for example, contoso\BobS. If you are deploying the blueprint in a disjoint NetBIOS environment, provide the NetBIOS domain name, which might be different from the DNS domain name. For more information about name requirements, see

Prep Task 6: Locate files

When you deploy these blueprints, you will need to supply the locations of several required files. During deployment, you will supply these locations as fully qualified UNC paths or as local file paths.

For both blueprints, identify the locations of the following files:

  • Microsoft SQL Server Shared Management Objects
  • Microsoft System CLR Types for Microsoft SQL Server
  • Microsoft Windows PowerShell Extensions for Microsoft SQL Server

The Microsoft SQL and Windows items listed above are available for download as part of the Microsoft SQL Server 2014 Feature Pack. For more information, see

If you are using the “with SQL” blueprint, identify the locations of the following additional files: 

  • Microsoft SQL 2014 ISO
  • Microsoft SQL 2014 Express executable (required only if using SQL Express as a mirroring witness)

Note: Installation media for XenApp and XenDesktop and Provisioning Services is provided by Citrix.  

Prep Task 7: Prepare a VM template

When you deploy these blueprints, you can allow Smart Tools to provision new VMs to your resource location or you can select machines that already exist in your environment. If you elect to provision the new machines that are specified by these blueprints, Smart Tools uses a VM template that you prepare and that resides in your hypervisor environment. For more information about preparing VM templates for use with XenServer and vSphere resource locations, see Prepare Windows Server templates for deploying blueprints.

You can specify different VM templates for each machine tier that you configure. For example, you can specify a VM template for provisioning the Delivery Controller and a different VM template for the SQL database server. Additionally, the VM templates you prepare must include the following requirements:

  • For all provisioned VMs, the template you prepare should have Windows 2012 R2 Datacenter Edition installed.
  • If you are using the "with SQL" blueprint, .NET 3.5 is required for installing SQL Server 2014. To ensure a smooth deployment experience, Citrix recommends installing .NET 3.5 on the VM template you prepare for provisioning the database server. If .NET 3.5 is not present on the template, Smart Tools will attempt to download and install it during blueprint deployment. However, if Smart Tools cannot complete the download due to connectivity issues with Windows Update, the deployment will fail. 
  • If you elect to include Provisioning Services in your deployment, consider the following:
    • If you are using VMware vSphere as your resource location, you must prepare two VM templates for your deployment: a template with two NICs for the Provisioning Servers and a template with a single NIC for the other machine tiers. When you configure the VM that Smart Tools will provision for each machine tier, you can specify the appropriate template.
    • If you are using Citrix XenServer as your resource location, you can choose to use a single VM template with a single NIC for the entire deployment. When you configure the VM that Smart Tools will provision for the Provisioning Servers machine tier, you can add the second NIC to the machine from within Smart Tools.

About IP addresses

Citrix recommends deploying these blueprints to your resource location using static IP addresses. You can specify static IP addresses using one of the following methods:

  • If you are deploying the blueprints to a VMware vSphere resource location, you can specify static IP addresses when you configure each new VM that Smart Tools will provision.
  • If you have existing machines that are already configured with static IP addresses, you can specify these machines when you deploy the blueprint. 

Important: Existing machines must have the Smart Tools Agent installed so that Smart Tools can detect them in your resource location. For more information about installing the agent, see Install or remove the Citrix Smart Tools Agent.

IP addressing for Provisioning Services

Citrix recommends that each Provisioning Server is configured with two NICs on separate subnets to segment management and streaming traffic. If you are using VMware vSphere as your resource location, you can specify static IPs when you configure the VM for each Provisioning Server during blueprint deployment. If you choose not to specify IP addresses, Smart Tools assumes you are using a single NIC and will use the first IP address that is discovered on each server for both management and streaming traffic.

If you are using XenServer as your resource location, using static IP addresses is not supported. Therefore, Citrix recommends specifying a MAC address and using DHCP reservations to control IP addresses for all infrastructure servers in the blueprint, including the Provisioning Servers.  After the blueprint is deployed successfully, you can discard the DHCP reservations and convert them to static IP addresses.

Deploy the blueprints

Deploying these blueprints follows the same workflow that you follow for any blueprint in the Checks and Blueprints catalog. For more information about this workflow, refer to the following topics in Deploy blueprints:

This section describes additional considerations you should be aware of when deploying the "with SQL" and "without SQL" blueprints. 

Save time by downloading configuration settings from the Pre-Deployment Checklist

When you deploy these blueprints, you will need to configure a number of blueprint settings such as service account, SQL mirroring, and file locations. To save time and minimize errors during deployment, consider downloading these settings beforehand as a CSV file that you can update and import to the blueprint. The CSV file contains complete descriptions for each setting so you can enter the right information in the correct format. 

The CSV file is available from the blueprint's Pre-deployment Checklist. You can access the checklist by:

  • Viewing the blueprint in the Blueprint Designer. On the Overview tab, click Preview pre-deployment checklist.
  • Deploying the blueprint. The Pre-deployment Checklist displays automatically after you supply the resource location where you want to deploy the blueprint. 

On the Pre-deployment Checklist, scroll down to the bottom and click Export parameter list (.csv).

After you have updated the CSV file with the required values, you can import it at the Configuration step in the blueprint deployment process. 


Important: When you export the blueprint's CSV file, commas included in parameter entries are automatically converted to semicolons. So, when you update these values in the CSV file, be sure to use semicolons. When you import the CSV file, Smart Tools converts all semicolons back to commas. After you import the CSV file, carefully review your entries to ensure they are correctly formatted.
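
A pre-import check for the edited CSV file, as an added example (not Citrix code): it flags commas that should be semicolons, accounts that are not in the down-level format described under "Important considerations for accounts", and file locations that are not fully qualified UNC or local paths (Prep Task 6). The column names (Name, Description, Value), the Example* parameter names, the sample rows, and the treatment of OUPath as a distinguished name are assumptions made for illustration; the exported file defines its own layout.

```python
import csv
import io
import re

# Constructed sample of an exported parameter list, edited by hand. The column
# layout and the "Example*" parameter names are assumptions; OUPath is a
# parameter named on the page and is assumed to hold a distinguished name.
SAMPLE_CSV = r"""Name,Description,Value
OUPath,Root OU for the deployment,"OU=Citrix,DC=contoso,DC=local"
ExampleServiceAccount,General service account,contoso\BobS
ExampleSqlServiceAccount,Account that runs SQL services,BobS@contoso.local
ExampleFeaturePackPath,SQL Server 2014 Feature Pack files,\\fs01\media\sql2014
ExampleIsoPath,SQL Server 2014 ISO,media\sql2014.iso
"""

# Which format rule applies to which parameter (hypothetical names, see above).
KINDS = {
    "ExampleServiceAccount": "account",
    "ExampleSqlServiceAccount": "account",
    "ExampleFeaturePackPath": "path",
    "ExampleIsoPath": "path",
}

# NetBIOSDomainName\UserName: exactly one backslash, no UPN "@" form.
DOWN_LEVEL = re.compile(r"^[^\\/@\s]+\\[^\\/@\s]+$")
# \\server\share[\...]; local paths are assumed to be drive-rooted (C:\...).
UNC_PATH = re.compile(r"^\\\\[^\\/]+\\[^\\/]+")
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")


def to_csv_form(value):
    """Value as it must appear in the CSV file: commas written as semicolons."""
    return value.replace(",", ";")


def as_imported(value):
    """Value after import, per the page: every semicolon becomes a comma."""
    return value.replace(";", ",")


def check_value(kind, value):
    """Return a list of problems for one CSV value; an empty list means OK."""
    problems = []
    if "," in value:
        problems.append("contains a comma; write it as: " + to_csv_form(value))
    if kind == "account" and not DOWN_LEVEL.match(value):
        problems.append("account is not in NetBIOSDomainName\\UserName format")
    if kind == "path" and not (UNC_PATH.match(value) or LOCAL_PATH.match(value)):
        problems.append("path is neither a fully qualified UNC path nor a local path")
    return problems


def validate(csv_text, kinds):
    """Check every row; return {name: (value_after_import, problems)}."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["Value"].strip()
        report[row["Name"]] = (as_imported(value),
                               check_value(kinds.get(row["Name"]), value))
    return report


if __name__ == "__main__":
    for name, (imported, problems) in validate(SAMPLE_CSV, KINDS).items():
        status = "; ".join(problems) if problems else "ok"
        print(f"{name}: {status}")
        print(f"    after import: {imported}")
```

Because the import step converts every semicolon to a comma, a value that needs a literal semicolon does not survive the round trip, which is one reason to review the entries after import.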

VM network customization for VMware vSphere

When deploying these blueprints on VMware vSphere resource locations, the Networking page of the Configure VM wizard enables you to customize the VM network and configure a number of networking options, including joining a domain or workgroup. 


If you elect to customize the VM network, and you configure the Join Workgroup or Domain option, select Join Workgroup and enter a workgroup name. Do not join a domain; the blueprint handles joining the domain you specify later on in the deployment process. 

Re-deploy the "without SQL" blueprint in the same domain

If you need to re-deploy the "without SQL" version of the blueprint in the same domain (for example, the first deployment failed and you want to try again), be sure to remove any SQL databases that were created during the previous deployment. 

Additionally, if you deleted the Active Directory machine accounts, you might need to reboot the primary SQL Server or use new hostnames for the Delivery Controllers before re-deploying the blueprint. 

Perform post-deployment tasks

This section describes the tasks you should perform after deploying one of the XenApp and XenDesktop blueprints.

Secure your deployment

Securing your XenApp and XenDesktop deployment is important. If you choose to do so using the Secure Sockets Layer (SSL) security protocol, you must generate, distribute, and install SSL certificates to secure the communication within the deployment. This may include the following tasks, none of which is implemented by the blueprints.

| Secure this component... | By establishing... |
|---|---|
| XML | SSL communication between StoreFront servers and Delivery Controllers |
| Virtualization infrastructure | SSL communication between the virtualization infrastructure and the Delivery Controllers |
| Virtual desktops | SSL communication between users’ endpoints and the Virtual Delivery Agent on virtual desktops |
| StoreFront | SSL communication between users’ endpoints and StoreFront servers |
| Database | SSL communication between the servers running the XenApp and XenDesktop databases and the Delivery Controllers |

For more information about SSL in XenApp and XenDesktop deployments, see

Remove temporary objects

For security and good housekeeping, consider removing any objects such as media locations and reverting any temporary changes (for example, GPO policies and database permissions) that you created or put in place during blueprint design and deployment. Also, consider disabling the general service account for a period of time (for example, 1-2 weeks) before deleting. If no issues arise in your deployment during that time, you can delete the account. Additionally, if you disabled Group Policy inheritance to ensure unimpaired blueprint deployment, re-enable it after you have completed testing of the deployment. 

Additionally, remove the following items from your completed deployment:

  • Staging VM
  • TestVDA, including the associated Machine Catalog and Delivery Group

To remove these items, uninstall the Smart Tools Agent from each machine and then decommission the machines. If you decommission the machines with the agent still installed, Smart Tools reports the machines are unresponsive, but still counts them as part of the deployment. 

Add users to Active Directory security groups for the deployment

Before you can use Studio or Citrix License Server to administer your new Site, add the appropriate users to the XenDesktop, Licensing, and SQL security groups that the blueprint creates during deployment. When you deploy the blueprint, you can specify these group names or you can allow the blueprint to use the default group name. The following table shows the blueprint input parameters and the default names for each group.

| Group Type | Blueprint input parameter for specifying the group name | Default group name created by blueprint |
|---|---|---|
| XenDesktop | XA-XD-AdminGroup | CTX_RES_XDC_Admins |
| Citrix Licensing | LicenseServerAdminGroup | CTX_RES_LIC_Admins |
| SQL Server (if using "with SQL" blueprint) | SQLAdminGroup | CTX_RES_SQL_Admins |
| Provisioning Services | PVS_AdminGroup | CTX_RES_PVSAdmin |

Add NetScaler Gateway users to Users OU

If you deployed the "with SQL" blueprint with NetScaler Gateway on Citrix XenServer, you also need to enable users to access apps and desktops through NetScaler Gateway. To do this, add the appropriate user accounts to the "Users" OU that Smart Tools created within the root OU you specified during the deployment configuration.

Refine application and desktop access and behavior

After deploying the blueprint, users can work with the applications and virtual desktops that you create. At this stage, you can configure XenApp and XenDesktop to refine the access, scope, and behavior of the applications and desktops. The product uses the concepts of Machine Catalogs and Delivery Groups to do this. For example, catalogs are collections of virtual machines based on a master image. You can use catalogs to power manage the machines and control users’ desktop experience. With Delivery Groups, you can control who accesses specific desktops and the applications available to them. This type of configuration is only available after blueprint deployment.

For more information about XenApp and XenDesktop catalogs, see For more information about Delivery Groups, see

Apply Citrix and Microsoft updates

Apply the following updates to the appropriate machines in your deployment:

  • Citrix hotfixes and feature packs
  • Windows operating system updates 
  • SQL updates (if you deployed the "with SQL" blueprint)

Set up load balancing and remote access

If you deployed the "with SQL" blueprint on VMware vSphere or the "without SQL" blueprint, you might find that Internal Load Balancer, which might be built into your Microsoft infrastructure, is sufficient for your load-balancing needs. You might also already have a remote access solution in place. However, larger enterprises might consider using Citrix NetScaler, which also contains these and other features. Setting up load balancing and remote access using NetScaler is a task that you perform manually after deploying these blueprints. 

For more information, see the NetScaler product documentation on
