Since the launch of the Citrix Workspace Cloud Applications and Desktops Service, customers have been requesting the addition of Citrix Provisioning Services support.
We heard you loud and clear. We are adding Provisioning Services 7.7 (or newer) managed VDAs to the service as tech preview. This tech preview requires enabling from Citrix Cloud, please contact your Citrix representative if you wish to do so. This article describes how this functionality was added and how to administer it.
A traditional deployment of XA/XD with PVS requires you to manage both an XA/XD deployment and a PVS deployment. This is shown in Figure 1 Traditional deployment of XA\XD with PVS.) Note that this figure only captures the control components. The VDAs have been omitted for clarity.
Figure 1 Traditional deployment of XA\XD with PVS
The Applications and Desktops Service has been extended to work with an on-premise PVS deployment. This is shown in Figure 2 Applications and Desktops Service PVS deployment
Figure 2 Applications and Desktops Service PVS deployment
The Applications and Desktops Service deployment eliminates the need for you to operate the XA/XD deployment while still providing the benefits of a PVS deployment.
To connect your existing PVS deployment to the Applications and Desktops Service you must:
- Add a Workspace Cloud Connector to your managed components (e.g. your resource location)
- Upgrade your PVS deployment to version 7.7. Available from the Applications and Desktops Service Downloads page.
- Replace the XenApp and XenDesktop SDK on your PVS console with the Applications and Desktop Services Remote PowerShell SDK
These steps are described in more detail below.
Notice that an on-premise Citrix license server is required in the Applications and Desktops Service deployment. Please refer to https://www.citrix.com/go/products/xendesktop/feature-matrix.html for product entitlements.
Workspace Cloud Connector
The Workspace Cloud Connector installs on any domain-joined Windows 2012 R2 machine. The Applications and Desktops Service does not directly call into the connector. All traffic is outbound to the cloud over HTTPS (port 443). This enables the connector to reside behind NATs and HTTP proxies.
Instructions how to do this can be found here. It is recommended that you create at least two connectors.
Upgrade to Provisioning Services 7.7
Because some minor modifications to the Provisioning Services were required to integrate with the Applications and Desktops Services, you’ll need to upgrade your existing deployment to the brand new 7.7 release that you can obtain from the Applications and Desktops Service Downloads page.
Applications and Desktop Services Remote PowerShell SDK
The PVS Console installation includes the XenApp and XenDesktop SDK. This SDK needs to be replaced by the Applications and Desktop Services Remote PowerShell SDK.
Critical Detail: Note that you must install the downloaded SDK from the command line and provide the “PVS=YES” argument.
Set up steps:
- Uninstall the XenApp and XenDesktop SDK from your PVS Console by uninstalling each of the snap-ins:
- Citrix Broker PowerShell snap-in
- Citrix Configuration Logging Service PowerShell snap-in
- Citrix Configuration Service PowerShell snap-in
- Citrix Delegated Administration Service PowerShell snap-in
- Citrix Host Service PowerShell snap-in
- Download the Applications and Desktop Services Remote PowerShell SDK from the Applications and Desktops Service Downloads page.
- Install the SDK using the command line: CitrixPoshSdk.exe PVS=YES
To verify the SDK installation:
- Open PowerShell
- Execute the cmdlet: Add-PsSnapin Citrix*
- Execute the cmdlet: Get-BrokerServiceStatus
- You should be presented with an authentication dialog like Figure 3 Citrix Workspace Cloud authentication. Enter your CWC credentials.
- The result of the Get-BrokerServiceStatus cmdlet should indicate that the controller is “OK”.
The outward bound SDK traffic is https so your firewall needs to allow outward-bound connections to port 443.
Figure 3 Citrix Workspace Cloud authentication
By design, your firewall configuration will require zero or minimal adjusting.
On the PVS Console, the outward bound SDK traffic is HTTPS (port 443).
On the Workspace Cloud Connector machine, all traffic is outbound to the cloud over HTTPS (port 443).
This enables the connector and PVS console to reside behind NATs and HTTP proxies
The new PVS proxy that has been added to the Workspace Cloud Connector forwards HTTP (port 80) communications to the PVS Server. This is traffic is wsHttp using message security.
The Personal vDisk functionality is not yet supported.
How to Administer Your PVS VDAs
Currently there are two ways to add PVS managed VDAs to a machine catalog:
The XenDesktop Setup Wizard
The XenDesktop Setup Wizard enables you to create PVS devices and collections and then create machine catalogs containing these machines. This wizard prompts you to specify the XenDesktop controller as in Figure 4 XenDesktop Controller Address. Provide the address of one of your Workspace Cloud Connector machines in lieu of a controller address.
Figure 4 XenDesktop Controller Address
When you click the Next button, you’ll be presented with an authentication dialog as in Figure 5 Citrix Workspace Cloud Authentication. Enter your CWC credentials. This authentication prompt is actually from the Applications and Desktops Remote PowerShell SDK that is being invoked by the PVS console. Your CWC credentials enable the SDK to securely communicate with Applications and Desktops Service in order to set up your machine catalogs.
Figure 5 Citrix Workspace Cloud Authentication
The remainder of the XenDesktop Setup Wizard is unchanged. The only difference you’ll experience is the prompt for your CWC customer credentials when the wizard first invokes a cmdlet in the Applications and Desktops Remote PowerShell SDK.
The Machine Catalog Setup Wizard
This wizard enables the addition of existing PVS managed VMs to a catalog. Note that in this case, the VMs need to have been created in advance using the PVS Console.
You can access Studio from the Manage tab of the Applications and Desktops Service web site. Select the Machine Catalogs view then Create New Catalog to start the wizard. The Machine Management page of the wizard will include a Citrix Provisioning Services option as in Figure 6 Select Provisioning Services for deployment. If you do not see the Citrix Provisioning Services option then you need to request that this feature be enabled for your CWC customer id.
Figure 6 Select Provisioning Services for deployment
Select Citrix Provisioning Services and click Next, to be taken to the Device collection page as in Figure 7 Device Collection wizard page.
Now you need to provide the address of your PVS Server and click Connect.
Figure 7 Device Collection wizard page
This will present a standard Windows authentication dialog as in Figure 8 PVS administrator authentication.
Figure 8 PVS administrator authentication
Provide credentials for a PVS administrator and click OK. Studio will then communicate with your Workspace Cloud Connector which forwards requests to the PVS Server using the provided credentials. If a valid PVS administrator was provided, the device collections will be listed as in Figure 9 PVS device collections.
Figure 9 PVS device collections
This authentication is the only user experience difference from a traditional XA and XD deployment. In the traditional case, the identity of the user running Studio is used to authenticate to the PVS Server. In the Applications and Desktops Service case, an explicit authentication is required because Studio is running in an AD with no trust relationships to the AD of your PVS deployment.
How does Studio securely contact the PVS Server?
Studio uses the PvsPsSnapin (a PowerShell snap-in) to communicate with the PVS Server. This snap-in has been extended to enable communications from the Applications and Desktops Service to the PvsMapiProxyPlugin (a new proxy that has been added to the XaXdCloudProxy in the Cloud Connector). This communications is over HTTPS (port 443). The PVS administrator credentials are sent over this secure channel. The credentials are then used by the proxy to impersonate the PVS administrator before contacting the PVS server.
There are a few simple steps add PVS to your Applications and Desktops Services deployment:
- Add your Workspace Cloud Connector
- Upgrade your existing PVS deployment to Provisioning Services 7.7 (download from the Applications and Desktops Service Downloads page)
- Install the Applications and Desktop Services Remote PowerShell SDK on your PVS Console
Then the user experience for both the XenDesktop Setup Wizard and the Machine Catalog Setup wizard is identical to a traditional deployment except for an authentication.
The XenDesktop Setup Wizard runs on the PVS Console machine. So a CWC authentication is required to securely access the Applications and Desktops Service.
The Machine Catalog Setup wizard runs in the Applications and Desktops Service. So a PVS administrator authentication is required to securely access your PVS Server.
Support for PVS managed VDAs is now available in the Applications and Desktop Service. Enjoy!