At Citrix Synergy 2016, Bill Burley and Microsoft’s Brad Anderson illustrated the Citrix and Microsoft partnership vision that will combine Citrix XenApp with Microsoft Azure to introduce a new generation of integrated cloud hosted app solutions.

Anderson highlighted how that majority of large organizations virtualizing apps and desktops are doing it on Citrix XenApp. He said that Microsoft currently has more than 34 Azure datacenters worldwide which is “more than Amazon and Google combined.” With Azure selected as the preferred public cloud for Citrix solutions, it’s no surprise that Citrix has been focused on building Citrix solutions on top of that impressive Azure global footprint.

 “The most common use case we are hearing from customer is, we want to have a common control plane, it gives us the ability to be able to have some apps and desktops running in our datacenter and some in Azure and they wanted this hybrid scenario” – Brad Anderson, Microsoft Corporate Vice President of the Enterprise Client & Mobility (ECM) team

Citrix XenApp delivers a unique, hybrid cloud solution that gives organizations the freedom to deploy applications when and where they make the most sense to meet their security, performance, and availability requirements. In an ideal hybrid cloud solution, you should have a seamless extension of your private and public data center with desktop and application resources located both in the on premise data center as well as a public cloud like Azure.

This blog post describes exactly that, I will give you step by step instructions for creating a XenApp 7.11 hybrid cloud deployment in Microsoft Azure Resource Manager datacenter using site-to-site VPN.

The following figure illustrates the XenApp 7.11 hybrid cloud deployment architecture.


This blog post assumes you have an existing on-premises XenApp 7.11 setup up and running with following components.

  • Domain Controller
  • XenServer Host
  • Citrix License server
  • XenDesktop 7.11 Controller
  • XenDesktop 7.11 Worker with VDA
  • SQL data base server
  • StoreFront Server
  • NetScaler Gateway

Step 1 – Connecting On-Premises Network to Azure using a site to to site VPN

The objective of a site to site VPN is to connect the two different sites, a specific Virtual Network on Azure and On-Premises network.

For more info on cross-premises connectivity and supported VPN devices and best prctices, please check this Microsoft article. I used Windows 2012 R2 RAAS as site to site VPN in our test deployment.

The following section describes the creation of an Azure Virtual Network to be connected to the on-Premises datacenter via an Azure Site-to-Site VPN with RAAS.

To create a site to site VPN perform the following steps:

Create a Resource Group

Log-in into Azure portal and click on the Resource Groups and + Add button.

Give it a name “S2SVPN-ResGroup“.You will put all of your resources for the site to site VPN in here for better tracking and managing the resources.


Create a Virtual Network

Go to Virtual networks -> Create virtual network and click on Add.  Give any name as “S2SVPN-vNet“. Enter “” for the address space. For the first subnet make the Subnet Name “Backend“. Make the Subnet address range ““. Set it to the resource group you created in the previous step.


Now creating a virtual network gateway. This network gateway will contain the second subnet. Go to Virtual networks -> S2SVPN-vNet -> Settings -> Subnets.

Click on + Gateway subnet. For the Address Range use ““. This address range is the IP range for your RRAS server to use. So in your virtual network you should now have the two following Subnets.


Create a Virtual Network Gateway

Next we will create the Virtual Network Gateway. The virtual network gateway will be responsible for sending and receiving data. This is the bridge between Azure and the on premise RRAS server.

Navigate to Virtual network gateways and click on Add. Name the gateway “S2SVPN-vNetGW“. For the virtual network select the existing one S2SVPN-vNet and select the gateway type as VPN, and leave VPN type to Route-based. For the public IP we will need to create one here. Click on choose a public IP address and click on Create New.


After the Virtual network gateways is created note down the public IP address. This is required for configuring the RRAS server later. You can get this by going here, Virtual network gateways -> S2SVPN-vNetGW -> S2SVPN-vNetGW-IP -> Settings.

This will take approximately 30 to 45 minutes to provision the public IP address.

Create a Local Network Gateway

Now we need to create the local network gateway, this gateway will be configured with all of your on-premises network.

Go to Local network gateways and click on +Add.  Give it any name, “S2SVPN-LocalNWGW“ and enter the public IP of your RRAS server, in the address space enter an IP range for your on-premises network, and select your Resource Group.


Create the VPN connection

Now we need to create a connection in our local gateway. To do this navigate to the Settings -> Connections and click on + Add. Name this “S2SVPN-vNetGW-Connection“.

The Connection type will default to Site-to-site (IPsec). Set the Virtual network gateway to “S2SVPN-vNetGW“. Set a Shared key (PSK) to be used and note it down somewhere it is required to configure the RRAS server.


The RRAS server configuration:

Configure the Windows Server 2012 R2 with two different networks internal and External. Configure the public IP address on external adopter and internal adapter as shown in the figure.

Install the RRAS Windows Role.


Configuring the VPN in RRAS server:

Right click on the Network Interface, and select  New Demand-dial Interface.


Give it any name and click Next


Choose VPN and click Next


Select IKEv2 Encryption here for the VPN Type and click Next


Enter Azure public IP and click Next. If you don’t know your Azure Public IP, go to your Virtual LAN Gateway, and see within the Essentials properties.


Enable Route IP packets on this interface and click Next.


Enter any user name and rest blank and click Next


Add the Static Route for your local network,,


Right-click on the interface just created, and go to the Security settings. Select the use preshared key for authentication option, and now enter that PSK we used in Azure portal and click OK.


Now right click on the AzureARM-STSVPN connection and select connect. Then it will show as connected in RRAS as shown in the figure.


In Azure portal you should also see the connection status as Connected and also you should see the data flowing in and out of your connection.


Setup static route as shown in the following figure on RRAS server before it could communicate from on-premises to Azure.


Enable NAT on RRAS server

Without having NAT enabled none of the servers could reach the internet. The basic steps for enabling NAT on RRAS are as follows:

  • Right-click NAT, and then click New Interface.
  • Select the interface that connects to your private intranet, and then click OK.
  • Select Private interface connected to private network, and then click OK.
  • Right-click NAT, and then click New Interface again.
  • Select the interface that connects to the public Internet, and then click OK.
  • Select both Public interface connected to the Internet and Enable NAT on this interface, and then click OK.

Now spin up a new Azure VM on Azure Resource Manager and make sure you place it in the correct virtual network, then the VM should be able to communicate with your on-premises servers.

Step 2 – Create XenDesktop 7.11 Controller, VDA and StoreFont VMs in Azure

Provision 3 new VM instances in Azure Resource Manager for Controller, VDA and StoreFront server. Make sure to select the Virtual Network that is created in Step 1 when creating the VMs.

Follow these instructions to create virtual machines in Azure portal.

Step 3 – Install XenDesktop 7.11

  • Login to the Controller VM and join to the on-premises domain.
  • Install the XenDesktop Controller and Studio.
  • Add the Controller to the existing site by pointing to the on –premises XenDesktop Controller.

Note: You will see an error when Delivery Controller in Azure connecting to an on premise primary XenDesktop site. This is because Microsoft Azure Virtual machine time is not syncing with the on premise Delivery Controller.

If you are using XenDesktop in a hybrid cloud scenario with an on premise domain infrastructure, you need to sync your Azure VMs with the on premise domain controller. This will require some manual configuration since Microsoft Azure resides in a different time zone than your local domain.

This KB article will explain how to fix the time sync issue.

Step 4 – Install VDA and create Master Image in Azure Resource Manager

  • Login to VDA machine (no need to domain join if you are provisioning using MCS).
  • Install the VDA software and point to the Controller in Azure as Delivery Controller.
  • Follow the steps as explained in this blog to create master image.

Step 5 – Create Azure ARM Host Connection

  • Navigate to Configuration -> Hosting and click Add Connection and Resources from Actions.
  • Follow the steps as explained in this blog to create Azure ARM host connection

You will notice there are two hosting connections present in the Studio as shown in the figure.


Step 6 – Configuring XenDesktop Zones

In XenApp 7.11 you can configure Zones, which will allow you to run applications and desktops closer to user locations within a single XenApp site

Login to your on-premises XenDesktop Controller machine and open the Citrix Studio.

Navigate to Configuration -> Zones and you will see the Primary Zone and the resources that already have in the site and the new Controller that you just build in the Azure Zone.

Rename the Primary Zone by clicking Edit button. Rename it to On-Premise Zone.


Click Create Zone from the Actions menu.

Enter the zone name and select the resources that you want to assign to the new zone.


Now the Studio should display two Zones.


Step 7 – Machine Catalog creation

Follow the steps as described in this blog  and create MCS catalogs using Azure ARM.

Step 8 – Delivery Group Creation

  • Right click on the Delivery Group node and select Create Delivery Group
  • Choose the Machine Catalog that just created and enter the desired number of VMs to allocate to this Delivery Group and click next.
  • Select Apps and Desktops and click next.
  • Add the users to access the apps and desktops and click next.
  • Wait for VMs power on and registration process and select the applications you want to publish and click next.
  • Enter a friendly name and display name for the delivery group and click Finish.

Step 9 – NetScaler and StoreFront configuration

NetScaler Configuration:

Please follow the instruction here to deploy and configure the NetScaler in Azure.

StoreFront Configuration:

Login to the StoreFront server in Azure and launch the StoreFront and click create a new deployment.

Name the store and click next.


Enter both delivery controller’s on-premises and Azure delivery controllers and click next.


Check Enable Remote Access and click Add under NetScaler Gateway Appliances.


Enter display name and NetScaler Gateway URL, Select Authentication and HDX routing from the drop down list and click next.


Enter the STA URL and click next.

Select Login type as Domain and enter the NetScaler gateway as callback URL and click Create.


Repeat same step and add the on-premises NetScaler gateway. Both NetScaler gateways will appear in the list of appliances. Click create.


Check user name and password and click next.


Click create and the store will be configured. The authentication, stores, Receiver for web and NetScaler Gateways should all be configured and visible from the StoreFront UI.

Optimal Gateway Routing configuration

Optimal gateway routing enables you to route HDX connections to different XenDesktop Zones via different NetScaler Gateways. This means all launches for resources in the Azure Zone will be performed through the Azure NetScaler gateway even if the request for the resource came from another gateway such as on-premises gateway.

To configure optimal gateway routing, select the store and then select the Configure Store Settings actions in the right pane. Select Optimal HDX Routing and configure the gateways, Delivery controllers and Zones as shown in the figure.


Install Citrix Receiver on your external machine and navigate to the NetScaler Gateway in Azure. Login as user which has apps in both on-premises and Azure zones.


I created two apps Notepad and Command prompt. Notepad is running from the Azure zone and Command prompt from on-premises zone.


Launch notepad, it should launch from Azure zone.

Launch Command prompt, it should launch from on-premises zone. Verify using ipconfig and the IP address should get from on-premises network.

Call For Topics Banner Blog Post