Create a XenApp and XenDesktop production deployment on AWS




This topic describes how to deploy the XenApp and XenDesktop with SQL blueprint to an AWS resource location. Provisioning Services is not included in this deployment.

Important: Although this blueprint includes options for adding Provisioning Services and NetScaler Gateway to the blueprint deployment, these options are not supported with AWS resource locations. If you want to add both Provisioning Services and NetScaler Gateway to your deployment, you must deploy this blueprint to a Citrix XenServer resource location.

After you complete the tasks in this topic, your deployment will include the following components:

  • A virtual private cloud (VPC) with public and private subnets inside a single availability zone. A NAT instance is included to enable provisioned machines to access the Internet.
  • A domain controller, located in the private subnet of your VPC.
  • A staging server, joined to the domain and located in the private subnet of your VPC.
  • Three SQL servers: A primary SQL server, a secondary SQL server, and a witness SQL server, joined to the domain and located in the private subnet of your VPC.
  • Two XenApp and XenDesktop Delivery Controllers, joined to the domain and located in the private subnet of your VPC.
  • Two Storefront servers, joined to the domain and located in the private subnet of your VPC.
  • A Citrix Licensing server, joined to the domain and located in the private subnet of your VPC.
  • A NetScaler Gateway using a NetScaler VPX appliance to which you subscribe, through the AWS Marketplace.
  • (Optional) A Test VDA, joined to the domain and located in the private subnet of your VPC.
  • A bastion host, located in the public subnet of the VPC. This machine is used to initiate RDP connections to the instances in the private subnet for administrative purposes. You provision the bastion host using a separate blueprint.


What does the blueprint do?

The XenApp and XenDesktop with SQL blueprint includes scripts that perform the following tasks:

  • Install XenApp and XenDesktop 7.6 LTSR or 7.11, including Citrix Licensing Server and StoreFront. 
  • Install SQL Server and configure database mirroring.
  • Create a XenApp and XenDesktop Site and StoreFront cluster.
  • Join the provisioned machines to your existing domain.
  • (Optional) Provision a virtual desktop that you can access for testing purposes.

Provisioned machine configurations

The blueprint includes recommended configurations for each machine that Smart Tools provisions to the deployment. The following recommendations are displayed when you configure the VM for each machine tier in the deployment. 

For all machines: 

  • Operating system: Windows Server 2012 R2
  • Storage available in the resource location: 50 GB

| Machine Type | AWS Instance Type | Root Volume Storage (GB) |
| --- | --- | --- |
| Staging Server | M3 Large (7.5 GB) | 30 |
| Citrix License Server | M4 Large (8 GB) | 30 |
| SQL Server 1 | M4 Large (8 GB) | 30 |
| SQL Server 2 | M4 Large (8 GB) | 30 |
| SQL Server Witness | M4 Large (8 GB) | 30 |
| Delivery Controller 1 | M4 Large (8 GB) | 30 |
| Delivery Controller 2 | M4 Large (8 GB) | 30 |
| StoreFront 1 | M4 Large (8 GB) | 30 |
| StoreFront 2 | M4 Large (8 GB) | 30 |
| Test VDA | M4 Large (8 GB) | 30 |



Before deploying this blueprint, you need the following items:

  • An AWS account. If you have an account, you can use your credentials to log on to AWS. If you don't have an account, you can create one at
  • Access keys for your AWS account. These keys allow Smart Tools to deploy VMs to AWS on your behalf. As a security best practice, Citrix recommends using the access keys of a specific IAM user with Full Access permissions to Amazon EC2 and VPC functions. You will supply these keys when you add your AWS account to Smart Tools later in this topic.
  • Allowance for Elastic IP addresses. By default, you can allocate up to five Elastic (public) IP addresses to your AWS account. To complete the tasks in this topic, make sure that your AWS account can accommodate three (3) allocated Elastic IP addresses: one for the NAT instance created for your VPC, one for the bastion host, and one for the NetScaler VPX appliance.
  • A NetScaler VPX subscription. To deploy NetScaler Gateway, you need to subscribe to Citrix NetScaler VPX through the AWS Marketplace. To subscribe, visit the AWS Marketplace and search for the NetScaler VPX edition you want to use and for which you have a valid license. After you subscribe, Amazon sends you an email notification that NetScaler is ready to use.
  • A valid NetScaler VPX license file. You will need to specify this license file when you configure the deployment.
  • An X.509 certificate and private key, in PEM or PFX format, to assign to the NetScaler Gateway. During blueprint deployment, Smart Tools uploads this file directly to the NetScaler appliance. The file may contain only the certificate and key or a certificate bundle. For more information about certificate bundles and acceptable file formats, see the NetScaler product documentation at
  • The web server URL or Windows file share address where the certificate file is stored. During blueprint deployment, Smart Tools downloads the certificate file from this location and uploads it to the NetScaler appliance. If you are using a Windows share that requires authentication, you may also need a user name and password for authenticating to the share.

Create AWS access keys

  1. From the AWS Management Console, under Security and Identity, click Identity & Access Management.
  2. Create a new user: From the IAM Dashboard, click Users, click Create New Users, and then enter a user name. Click Create.
  3. Click Download Credentials to save the access key for the IAM user you created as a .csv file on your computer. When finished, click Close to return to the IAM Dashboard.
  4. Create a new group with the appropriate AWS access permissions: From the IAM Dashboard, click Groups, click Create New Group, and then enter a group name. Click Next Step.
  5. Select the AmazonEC2FullAccess and AmazonVPCFullAccess policies. Click Next Step and then click Create Group.
  6. Add the new user to the new group: From the IAM Dashboard, click Groups and then select the new group. Click Group Actions > Add Users to Group. Select the new user you created and then click Add Users.

Gather deployment information

  • Identify the domain name you will use when you provision and configure the domain controller.
  • Identify the computer names you will use for the VMs that will be deployed. You will need to supply these names when you configure the blueprint for deployment.
  • Identify the service account you will use to run SQL services and an Active Directory security group that will be given sysadmin privileges on the SQL servers that the blueprint deploys. If these items are not present when you deploy the blueprint, Smart Tools attempts to create them. These items are added to the "Users" and "Groups" OUs, respectively, located in the root OU you specify during deployment.
  • Identify the fully qualified UNC paths or local file paths of the following files:
    • SQL Server Express executable (if using database mirroring)
    • Microsoft SQL Server Shared Management Objects
    • Microsoft System CLR Types for Microsoft SQL Server
    • Microsoft Windows PowerShell Extensions for Microsoft SQL Server
  • Identify the IP address and external URL you want to use with NetScaler Gateway.

Note: The installation media for XenApp and XenDesktop 7.6 LTSR and 7.11 is provided by Citrix. You can specify the version you want to use when you configure the deployment.


Prepare your environment

Complete each of the tasks in this section in the sequence presented.

Create a VPC

  1. From the AWS Management Console, click VPC. The VPC Dashboard appears.
  2. Click Start VPC Wizard and then click VPC with Public and Private Subnets. Click Select.
  3. In VPC Name, enter a name for your VPC.
  4. Under Specify the details of your NAT instance, accept the default values for Instance type and Key pair name. If you don't see these settings, click Use a NAT instance instead.
  5. Click Create VPC.

Tip: After AWS creates the VPC, note the VPC ID that AWS assigns. This can help you readily identify the VPC you just created, as AWS does not always display VPCs by name.

Adjust default security group rules

  1. From the VPC Dashboard, under Security, click Security Groups.
  2. Select the security group for the VPC you created in Create a VPC and click the Inbound Rules tab.
  3. Click Edit and add rules to allow RDP and HTTPS access from your chosen CIDR range. Optionally, you can allow ICMP Echo Requests to aid in diagnostics.
  4. When finished, click Save.
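
The rule this step asks for (RDP and HTTPS reachable only from your chosen CIDR range) can be checked after the fact. The following is an added example, not part of the Citrix documentation: it audits JSON in the shape returned by `aws ec2 describe-security-groups`. The group ID, CIDRs, rules and function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The group ID, CIDRs and rules are made up for illustration.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-0example",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "-1",
     "UserIdGroupPairs": [{"GroupId": "sg-0example"}]},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "IpRanges": [{"CidrIp": "198.51.100.7/32"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
  ]}]}
""")

WATCHED_PORTS = {3389: "RDP", 443: "HTTPS"}


def covers(perm, port):
    """True if the rule's protocol and port range include the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit(groups, allowed_cidrs):
    """Return (group, service, port, source) for RDP/HTTPS ingress from outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            # Rules that reference another security group carry no CIDR and are skipped.
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                net = ipaddress.ip_network(src, strict=False)
                if any(net.version == a.version and net.subnet_of(a) for a in allowed):
                    continue  # source lies inside a chosen management range
                for port, name in WATCHED_PORTS.items():
                    if covers(perm, port):
                        findings.append((sg["GroupId"], name, port, src))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, ["203.0.113.0/24"]):
        print("%s: %s (tcp/%d) reachable from %s" % finding)
```

A wide port range such as 3000-4000 is reported as RDP exposure because it contains port 3389, even though the rule never names RDP.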

Add a Management subnet

  1. From the VPC Dashboard, under Virtual Private Clouds, click Subnets.
  2. Click Create Subnet and enter the following information:
    1. In Name, type Management subnet.
    2. In VPC, ensure the VPC you created in Create a VPC is selected.
    3. In CIDR block, you can use any CIDR block that you choose, as you will use only one address in this subnet. However, if you are using the default VPC network addresses, Citrix suggests using a CIDR of
  3. Click Yes, Create.

Tip: After AWS creates the subnet, note the Subnet ID that AWS assigns. This will help you readily identify this subnet, as AWS does not always display subnets by name.


Provision the bastion host and domain controller

Complete each of the tasks in this section in the sequence presented.

Add AWS to Smart Tools

After you finish preparing your VPC, you need to add your AWS account to Smart Tools as a resource location. This allows Smart Tools to connect to your AWS account and provision machines on your behalf. To add your AWS account as a resource location, follow the steps described in Add an Amazon Web Services resource location.

Create a bastion host

This task creates a bastion host in the public subnet so you can log on to machines in the VPC's private subnet for diagnostics, administration activities, and so on. If you already have a bastion host in your public subnet, ensure you have the local Administrator credentials and proceed to Provision the domain controller instance.

  1. In a separate browser window, log on to Smart Tools, click Checks and Blueprints and then add the XenApp and XenDesktop Cloud Access Server blueprint to your account.
  2. Click Smart Build, click Actions > Deploy, and then click Start deployment setup.
  3. Enter a Deployment Name and click Next.
  4. In Resource Location, select your AWS resource location and then click Next.
  5. When the Pre-deployment Checklist appears, click Continue.
  6. Under the Cloud Access Server machine tier, select the AWS resource location where Smart Tools will provision the bastion host VM. 
  7. On the Choose a Region page, select the AWS region where you will deploy the machines in the blueprint and then click Next.
  8. On the Choose an AMI page, select the Windows Server 2012 R2 64-bit base machine image.
  9. On the Instance Details page, select the following settings and then click Next:
    • In Network, select the VPC you created in Create a VPC.
    • In Subnet, select the Public subnet associated with the VPC.  
  10. On the Credentials page, select an existing AWS key pair or create a new one. To create a new key pair, click Create Key Pair, enter a name, and click Create Key. When prompted, copy the resulting private key and save it as a .pem file. Click Next.
  11. On the Networking page, under Elastic IP, select Allocate new Elastic IP for this instance. Click Next.
  12. On the Summary page, click Finish.
  13. On the Size page, click Next.
  14. On the Configuration page, enter the computer name for the bastion host and an Administrator password. Click Next.
  15. (Optional) Enter a deployment profile name and then click Save to save your blueprint deployment settings. Otherwise, click Cancel.
  16. Click Deploy.

Smart Tools displays the Deployment Details page so you can see each deployment step as it's executed in real time. By default, Smart Tools names the instance access-N, where N is the sequential number of the instance (for example, access-1). 

Provision a domain controller instance

  1. From the AWS Management Console, click EC2. The EC2 Dashboard appears.
  2. Under Create Instance, click Launch Instance.
  3. On the Choose AMI page, select the Microsoft Windows Server 2012 R2 Base 64-bit image.
  4. On the Choose Instance Type page, select the appropriate machine size for your deployment. Click Next: Configure Instance Details.
  5. On the Configure Instance page, configure the following options and then click Next: Add Storage:
    • In Network, select the VPC you created in Create a VPC.
    • In Subnet, select the Private subnet of your VPC.
  6. On the Add Storage page, click Next: Tag Instance.
  7. On the Tag Instance page, enter a name for your instance. Click Next: Configure Security Group.
  8. On the Configure Security Group page, configure the following options:
    • In Assign a security group, select Select an existing security group.
    • In Security group name, select the default security group associated with your VPC. Click Review and Launch.
  9. On the Review page, verify the instance details are correctly specified and then click Launch.
  10. Select the key pair you specified when you created the bastion host or create a new key pair for this instance. You will need the private key to log on to this instance through RDP.
  11. Click Launch Instance. AWS provisions the instance and displays the Launch Status page. To return to the Instances page of the EC2 Dashboard, click View Instances.

When AWS finishes provisioning the domain controller instance, you will need to acquire the randomly generated Administrator password that AWS assigned. 

Acquire the default Administrator credentials

To log on to the domain controller instance or the instances that Smart Tools provisions, you will need the default Administrator credentials that AWS assigns to each machine so you can access them through RDP when needed. To retrieve these credentials, you need the private key from the key pair (.pem file) you specified when each instance was provisioned.

  1. From the EC2 Dashboard, on the Instances page, select the instance you want to connect to and then click Actions > Get Windows Password.
  2. Upload or copy and paste the private key from the key pair you specified when the instance was provisioned.
  3. Click Decrypt Password. AWS displays the default Administrator password for the instance.

Configure the domain controller instance

  1. Using RDP, log on to the bastion host using its public IP address.
  2. From the bastion host, initiate an RDP connection to the domain controller using its private IP address.
  3. Add the Active Directory Domain Services role with all default features.
  4. Promote the instance to be a domain controller. 
  5. If applicable, create an organizational unit (OU) where Smart Tools will create the appropriate security groups and accounts for the deployment.
  6. Disable Group Policy inheritance on the root OU. You can re-enable it after Smart Tools deploys the blueprint.


Deploy the blueprint

  1. From Smart Tools, click Checks and Blueprints and add the XenApp and XenDesktop with SQL blueprint to your account.
  2. Click Smart Build, click Actions > Deploy, then click Start deployment setup.
  3. On the Overview page, enter a Deployment Name and then click Next.
  4. On the Resource Location page, select your AWS resource location and then click Next.
  5. On the Architecture page, configure the following options:
    • In Deploy Test Virtual Desktop, select Yes (default).
    • In Deploy Provisioning Services, select No. Provisioning Services is not supported with AWS.
    • In Deploy NetScaler Gateway, select Yes (default) to include NetScaler Gateway in your deployment. Otherwise, select No.
  6. On the Pre-deployment Checklist, click Continue.
  7. On the Size page, ensure Create new VMs is selected.
  8. For the Staging Server machine tier, perform the following actions:  
    1. In the Select a Resource Location field, select your AWS resource location. The Configure VM dialog box appears.
    2. On the Choose a Region page, select the same AWS region that you selected when you deployed the bastion host. Click Next.
    3. On the Choose an AMI page, select the Windows Server 2012 R2 base machine image.
    4. On the Instance Details page, configure the following options and click Next:
      • In Network, select the VPC you created in Create a VPC.
      • In Subnet, ensure the Private subnet is selected.
    5. On the Credentials page, select the same key pair that you specified when you deployed the bastion host. Click Next.
    6. On the Networking page, ensure the default security group is selected and click Next.
    7. On the Summary page, leave Copy this configuration to other VM tiers selected and then click Finish.
  9. On the Size page, click Next to continue the deployment.
  10. On the Configuration page, configure the required settings. For more information about each setting, click the ? icon. Click Next.
  11. (Optional) When prompted, enter a name for the deployment profile and click Save. This allows you to redeploy the blueprint with the same settings. To continue without creating a profile, click Cancel.
  12. On the Summary page, click Deploy.

Smart Tools displays the Deployment Details page so you can see each deployment step as it's executed in real time. 


Perform post-deployment tasks

After the deployment is finished, perform the tasks in this section.

Secure your deployment

Securing your XenApp and XenDesktop deployment is important. If you choose to do so using the Secure Sockets Layer (SSL) security protocol, you must generate, distribute, and install SSL certificates to secure the communication within the deployment. This may include the following tasks, none of which is implemented by the blueprints.

| Secure this component... | By establishing... |
| --- | --- |
| XML | SSL communication between StoreFront servers and Delivery Controllers |
| Virtualization infrastructure | SSL communication between the virtualization infrastructure and the Delivery Controllers |
| Virtual desktops | SSL communication between users’ endpoints and the Virtual Delivery Agent on virtual desktops |
| StoreFront | SSL communication between users’ endpoints and StoreFront servers |
| Database | SSL communication between the servers running the XenApp and XenDesktop databases and the Delivery Controllers |

For more information about SSL in XenApp and XenDesktop deployments, see  

Remove temporary objects

For security and good housekeeping, consider removing any objects such as media locations and reverting any temporary changes (for example, GPO policies and database permissions) that you created or put in place during blueprint design and deployment. Also, consider disabling the general service account for a period of time (for example, 1-2 weeks) before deleting. If no issues arise in your deployment during that time, you can delete the account. If you disabled Group Policy inheritance to ensure unimpaired blueprint deployment, re-enable it after you have completed testing of the deployment. 

Remove unneeded machines

After the deployment finishes, the Staging Server VM, the TestVDA VM, and the associated Machine Catalog and Delivery Group are no longer needed. Remove these items before opening the deployment to end-users.

To remove these items, uninstall the Smart Tools Agent from each machine and then decommission the machines. If you decommission the machines with the agent still installed, Smart Tools reports the machines are unresponsive, but still counts them as part of the deployment. 

Apply Citrix and Microsoft updates

Apply applicable Citrix hotfixes and feature packs, Windows operating system updates, and SQL Server updates to the appropriate machines in your deployment.

Add users to Active Directory security groups for the deployment

Before you can use Studio or Citrix License Server to administer your new Site, add the appropriate users to the XenDesktop, Licensing, and SQL security groups that the blueprint creates during deployment. When you deploy the blueprint, you can specify these group names or you can allow the blueprint to use the default group name. The following table shows the blueprint input parameters and the default names for each group.

| Group Type | Blueprint input parameter for the group name | Default group name created by the blueprint |
| --- | --- | --- |
| XenDesktop | XA-XD-AdminGroup | CTX_RES_XDC_Admins |
| Citrix Licensing | LicenseServerAdminGroup | CTX_RES_LIC_Admins |
| SQL Server | SQLAdminGroup | CTX_RES_SQL_Admins |

Add end-user accounts to Users OU

Enable end-users to access apps and desktops through NetScaler Gateway. To do this, add the appropriate user accounts to the "Users" OU that Smart Tools created within the root OU you specified during the deployment configuration. 

Refine application and desktop access and behavior

After deploying the blueprint, users can work with the applications and virtual desktops that you create. At this stage, you can configure XenApp and XenDesktop Machine Catalogs and Delivery Groups to refine the access, scope, and behavior of the applications and desktops. 

For more information about XenApp and XenDesktop catalogs, see the Machine Catalogs and Delivery Groups topics on the Citrix Product Documentation web site. 
