How to deploy the Citrix Lifecycle Management Apps & Desktops: Resource Location & Service Setup Blueprint to create a Resource Location in your Amazon Web Services account for use with Citrix Workspace Cloud Apps & Desktops service.

The following diagram gives an overview of the Resource Location that will be created within a Virtual Private Cloud (VPC) in Amazon Web Services.

Apps & Desktops BP

The core of the Resource Location is:

  • An Active Directory Domain Controller to provide Identity Management
  • Two Workspace Cloud Connectors to provide highly available connectivity between your Resource Location and the Apps & Desktops service in the Citrix Workspace Cloud
  • A NetScaler Gateway to provide secure remote access to the desktops and apps that you will be provisioning into your Resource Location.
  • A Bastion host to allow you to log into your Resource Location from the internet in order to perform any required administrative functions

Other Resource Location components that you may optionally wish to deploy are:

  • A Storefront server (by default a Storefront server will be provisioned for you in the Citrix Workspace Cloud, but under certain circumstances you may prefer to host and manage Storefront yourself)
  • An Amazon Machine Image (AMI) of a Windows Server joined to your Resource Location domain with the XenDesktop VDA pre-installed and configured for RDS desktops – a perfect start point for creating a catalog of RDS desktops
  • An Amazon Machine Image (AMI) of a Windows Server joined to your Resource Location domain with the XenDesktop VDA pre-installed and configured for Server VDI desktops

This section walks through the process of deploying the Apps & Desktops: Resource Location & Service Setup Blueprint and the post deployment steps that you will need to perform to get up and running with Apps & Desktops

1.     Subscribe to NetScaler VPX

The Apps & Desktops: Resource Location & Service Setup Blueprint will deploy a NetScaler VPX in your AWS account. Before it can do this you must first accept the terms and conditions of usage from the Amazon Marketplace. This is a one-off operation – you do not need to repeat the process if you wish to run the Blueprint a second time.

Go to the Amazon Marketplace at and search for NetScaler VPX Platinum Edition – 10 Mbps. Review the terms and conditions and click Continue. On the Launch on EC2 page click on the Manual Launch tab, and the click Accept Terms to subscribe to the VPX software. That’s it – you don’t need to do anything more the Blueprint will take care of launching and configuring the NetScaler VPX!

2.     Create public address for the Bastion

The Bastion server in your Resource Location is intended to provide a remote access service so that you can log in to perform administrative functions. In order to do this it needs to have a public IP address; so the next step is to allocate one using the AWS Console (EC2 Dashboard). Select the Elastic IPs view and then click Allocate New Address.

Elastic IP

Specify that the new IP address is to be used in VPC as shown above and click Yes, Allocate

3.     Deploy the Blueprint

Deploying the blueprint is simple – there are very few questions to answer. Only Amazon Web Services is supported as a location for this release of the blueprint, so make sure that you have added an Amazon Web Services resource location in your Citrix Lifecycle Management account.

The Architecture stage of the deployment wizard is shown below – simply select whether you require a Storefront in your Resource Location (the default is to use the cloud hosted Storefront provided by the Apps & Desktops service) and then decide if you want AMIs (templates) created for RDS Desktops and/or Server VDI Desktops. These AMIS are Windows Server machines that will be joined to your Resource Location domain and have the XenDesktop 7.7 VDA pre-installed ready to be used for creation of XenDesktop machine catalogs.


Make your choices and then press Next to get to the Size step of the Deploy wizard and start to configure the Domain Controller. You should be able to accept all the default values that the wizard offers – unless you wish to use an existing VPC (the default is to create a new VPC).

Instance Details

If you decide to override the defaults and use an existing VPC please consult the appendix for guidance on supported VPC subnet configurations.

Click through the rest of the Configure VM wizard and review the configuration: at this stage ensure that the checkbox named Copy this configuration to other VM tiers is checked.

Copy VM Config

This will have the effect of automatically applying your VPC choice to the other VM tiers and applying the Blueprint recommendations for subnet deployment saving you a good deal of clicking.

There is only one adjustment that is needed – an Elastic IP address needs to be associate with the Bastion server that will be deployed in the public subnet.  Click on the Edit button for the Bastion VM:

Edit Bastion

Now click through the wizard, accepting the default values until you reach the Networking step. Click on the Elastic IP drop down and select the Elastic IP address that was created in step 2.

Bastion IP

Check the final configuration of the Bastion has an Elastic IP address as shown below.

Bastion final config

Once you are happy press Next to enter the installation and configuration parameters for the blueprint as shown below:

BP Parameters

Enter the fully qualified name for the new Active Directory domain that will be created, leave the Administrator name unchanged, and enter suitable passwords for the domain and a set of test user accounts that will be created.

Press “next” and save your choices and parameters as a profile in case you need to deploy the Blueprint again and then press Deploy to start creating your Resource Location.

Once the Blueprint completes (it can take several hours) you will receive an email confirmation containing the details of the completed job; keep this email you will need it later!

4.     Verify your new Resource Location

Once the Blueprint has completed you should log into the CWC console to verify the Resource Location has been registered correctly.  Go to and check that your Cloud Connectors have registered successfully. You should see something like this:


Next, take a look at to check that your domain is also correctly registered (in this example my domain is named tenant1.local):


5.     Apps and Desktops: Create Host Connection

Go to and click on the Manage tab to get access to the Apps and Desktops management console

Manage Apps

The first thing you will need to do is set up a host connection to your Amazon account so that you can create Machine Catalogs from one of the AMIs created by the Blueprints.

Click on “hosting” in the left-hand column and select the action “Add Connection” and Resources. Select connection type Amazon EC2, enter your credentials, give the connection a name and press “next.”

Note that the account you use to create a host connection is required to meet the minimum documented permission set for XenDesktop. See for more information.

Add Connection

Now select the Region, Virtual Private Cloud and Availability Zone and press Next.


How did I get the values for Region, Virtual Private Cloud and Availability Zone? A quick way to find the correct values is to log onto your Amazon Web Services Console where the information is readily available: view your EC2 instances and select the virtual machine named cwc-dc-1 (which is the Domain Controller created by the Blueprint in the private subnet of the VPC).

As we want to create the MCS provisioned machines in this same private subnet, it is just a case of copying these values. The highlighted value on the right gives you the Availability zone (for me the VM is deployed in Availability zone us-east-1e and thus region us-east-1)


The highlighted value of the left is the VPC Id – if you now switch to the VPC console, you will be able to find the VPC name for this ID:


Having entered the  Region, Virtual Private Cloud name and Availability Zone press Next and select the private subnet (the Resource Location only supports provisioning of Apps and Desktops into the private subnet); give the resources a name (I chose Private subnet) and press Next and then Finish to complete the configuration of your host connection to Amazon.  If you followed the instructions for VPC usage in step 3 the private subnet of the VPC will have the CIDR as illustrated below:


6.     Apps and Desktops: Create Catalog

Still in the Apps and Desktops management console, click on Machine Catalogs in the left column and select the action “Create Machine Catalog.” Select the number of virtual machines you require and accept the default settings until you reach the screen to select the Machine Template. Choose one of the AMIs that the Blueprint created (the AMIs are named CWC-VDI-Image and CWC-RDS-Image and the description field will contain the fully qualified name of the Resource Location domain).


On the next screen select the default VPC security group, and follow the wizard through, entering the Domain Administrator credentials for your Resource Location when prompted and finally press Finish to create the machine catalog. This operation is quite lengthy (an hour or more is not unusual).

7.     Apps and Desktops: Set NetScaler Gateway (cloud hosted Storefront only)

If you are using a cloud-hosted Storefront (the default option) you will need to configure Storefront to use the NetScaler Gateway in your Resource Location for launching Apps & Desktops.

Find the email message that you received when your Blueprint deployment completed. This will contain the Fully Qualified Domain Name allocated to the NetScaler Gateway in your Resource Location:

email-notification 2

Now go back to the Apps & Desktops Manage tab and click on Storefront in the left column of Studio to set the NetScaler Gateway address as shown below:


  1. Apps and Desktops: Create Delivery Group

Once the Machine catalog has been created, click on Delivery Groups in the left column and select the action Create Delivery Group.


Choose the catalog you created in step 6 and select the number of virtual machines you require. When specifying which Users can access the apps & desktops, click on “leave user management to Citrix Workspace Cloud.”


Accept the defaults for the rest of the options as you progress through the wizard; optionally add some applications and then give the delivery group and the desktop a name and press Finish. Creation of the delivery group will cause your desktop machines to be started; you should check that the desktops successfully register (this may take a few minutes).


9.     Add the delivery group to a Workspace

Go to and click the + icon to add a new workspace


Give you workspace a name, click on the Apps and Desktops tab on the left and add the newly created Delivery Group Apps and/or Desktops to the workspace and then click Create Workspace to create the new workspace:


In the workspace select the Subscribers tab to subscribe members of your CWC Resource Location domain to this workspace and press Publish (I published to Domain Users)


10.  Send your subscribers to Storefront to access their Apps & Desktops

If you chose to use the cloud hosted Storefront navigate to and scroll down to the end of the page to see the URL by which your subscribers can access the workspace you have published.


If you are using your own Storefront in the Resource Location check the email you received when the Blueprint deployment completed to see the URL of the NetScaler Gateway. This is where your subscribers can access the workspace you have published.


Appendix 1 – Using your own VPC

Please note that the only supported configuration is a VPC with public and private subnets as created using the Amazon Web Services VPC Wizard as shown by the following two screenshots: