XenApp 7.5 and 7.6 and XenDesktop 7.5 and 7.

Deploy XenApp 7.5 and 7.6 and XenDesktop 7.5

and 7.6 with Amazon VPC

Prepared by: Peter Bats

Commissioning Editor: Linda Belliveau

Version: 5.0

Last Updated: September 3, 2014

Page 1 © 2014 Citrix Systems, Inc. All rights reserved.

Table of Contents
Introduction .................................................................................................................................................. 3
Known issues................................................................................................................................................. 3
Requirements................................................................................................................................................ 3
Prerequisites ............................................................................................................................................. 3
Link AWS Marketplace AMIs to your account .......................................................................................... 4
Automated deployment using an AWS CloudFormation template .............................................................. 5
XenApp or XenDesktop Infrastructure Stack Creation using the CloudFormation template ................... 5
Set up XenApp or XenDesktop on the AWS Infrastructure ........................................................................ 15
Configure the Master VDA machine ................................................................................................... 21
Set up machines in Studio using the Master VDA AMI ........................................................................... 30
Set up Delivery Groups ........................................................................................................................... 35
Set up NetScaler Gateway Remote Access ............................................................................................. 36
Set up StoreFront ................................................................................................................................ 36
Configure NetScaler Gateway using the Enterprise Store wizard ...................................................... 40
Create template AMIs from other templates ......................................................................................... 46
Appendix ..................................................................................................................................................... 47
Manually deploy XenApp and XenDesktop in AWS ................................................................................ 47
Security and firewall mappings ........................................................................................................... 48
Set up the VPC network .......................................................................................................................... 51
Create the VPC network infrastructure .............................................................................................. 51
Add security groups ............................................................................................................................ 55
Add public security group ................................................................................................................... 58
Add Private Security Group................................................................................................................. 60
DHCP options .......................................................................................................................................... 62
Create a DHCP options set .................................................................................................................. 62
Set up the XenApp or XenDesktop infrastructure instances .............................................................. 65

Page 2 © 2014 Citrix Systems, Inc. All rights reserved.

Introduction
This document describes setting up Citrix XenApp or XenDesktop with the Amazon Web Services (AWS)
Virtual Private Cloud (VPC).

Known issues
Amazon Web Services depreciated the ECU terminology and no longer lists this value for new instance
types. However, Studio lists some new instance types for Memory Optimized and General purpose that
display 2.5 in the ECU column. The 2.5 actually refers to the clock speed in GHZ for these instance types
and not ECU. Refer to the Amazon Web Services website https://aws.amazon.com/ for details on each
instance type and its technical specification. [#496972]

Requirements
To deploy a XenApp or XenDesktop 7.5 or 7.6 Site in an Amazon VPC, ensure that you complete the
prerequisites and link AWS Marketplace AMIs to your account as follows.

Prerequisites
Make sure you perform the following before you begin:

 Plan to take one day for the first-time implementation of the deployment.
 Have an AWS environment set up and running, with an active AWS account and preferably an AWS
Identity and Access Management user account that can be used for this specific deployment.
 For this proof of concept (POC) deployment, the IAM user must have administrative rights to your
AWS environment. For information about the rights you need, see the XenApp and XenDesktop
topic Prepare to Install.
 Subscribe with your AWS account to the NetScaler VPX AMI located in AWS Marketplace.

Page 3 © 2014 Citrix Systems, Inc. All rights reserved.

Link AWS Marketplace AMIs to your account
The CloudFormation template uses AWS Marketplace AMIs. Link the AMIs to your account before
beginning the install as follows.

1. From the AWS console, select Find software on AWS MarketPlace under the additional information
section on the right side of the console.

2. Search for NetScaler VPX Platinum Edition – 10 Mbps, and select version 10.1-123.9.

3. Select your AWS account and register it.

Page 4 © 2014 Citrix Systems, Inc. All rights reserved.

Automated deployment using an AWS CloudFormation
template
XenApp or XenDesktop Infrastructure Stack Creation using the
CloudFormation template
The following steps show how to use the CloudFormation template to automate building all necessary
resources in the Amazon EC2 cloud for a XenApp or XenDesktop Site.

1. On the CloudFormation Stack console tab, use the drop-down box in the upper-right-hand
corner to select the region in which you want to build the environment.

Page 5 © 2014 Citrix Systems, Inc. All rights reserved.

 2. Click Create New Stack.
3. Provide the stack name, and point to the CloudFormation JSON template available at
https://s3.amazonaws.com/cf-XenDesktop/XD75NSonAWS_CF_v1_2.json,
and click Continue.

Page 6 © 2014 Citrix Systems, Inc. All rights reserved.

 4. Provide parameters for the script to run. The template provides the following information,
including brief explanations for each parameter, and displays the following default values.

Default Default Value Description

ADInstanceType m1.medium Amazon EC2 instance type for the Active

Directory Instance.
ADPrivateIP 10.0.1.5 Fixed private IP for the Active Directory server
AZ Name of Availability Zone that will contain
public and private subnets. Select a valid zone
for your region.
BastionInstanceType m1.small Amazon EC2 instance type for the Bastion
instance.
DMZCDIR 10.0.0.0/24 CIDR Block for the public subnet.
DomainAdminPassword User Supplied Password for the domain admin user that is
created by the user. Must be at least eight
characters and contain letters, numbers, and
symbols.
DomainAdminUser Xenadmin User name for the account that will be added
as a domain administrator. This is separate
from the default administrator account.
DomainDNSName xencloud.net Fully qualified domain name (FQDN) to be
used for the DHCP scope; for example,
xencloud.com.
DomainLDIFFormat DC=xencloud,DC=net LDIF domain (up to 30 characters) for creating
users in the Active Directory Domain Tree.
DomainNetBIOSName XENCLOUD NetBIOS name of the domain (up to 15
characters) for users of earlier versions of
Windows; for example, XENCLOUD.
IAMUserAccessKey User Supplied IAM user access key used to create and
configure the various instances.
KeyPairName User Supplied Public/private key pairs allow you to securely
connect to your instance after it launches.
NATInstanceType m1.small Amazon EC2 instance type for the NAT
instances.
NSCloudFormationURL https://s3.amazonaws.com The public URL for the NetScaler VPX
/cf- CloudFormation v4.4 template.
XenApp/NS_VPX_PLT_10M
B_Template_v4.4.json
NSMIP 10.0.1.102 The IP address used. This can be a MIP or a
SNIP for the NetScaler NIC connected to the
private NIC should be within the CIDR of the
private subnet.
NSNSIP 10.0.1.100 Fixed private IP for the NetScaler NIC
connected to the private subnet should be

Page 7 © 2014 Citrix Systems, Inc. All rights reserved.

 within the CIDR of the private subnet.
NSSNIP 10.0.0.175 Fixed public IP for the NetScaler NIC
connected to the public subnet, should be
within the CIDR of the public subnet.
NSVIP 10.0.0.176 Fixed VIP for the NetScaler NIC connected to
the public subnet, should be within the CIDR
of the public subnet.
PrivateCIDR 10.0.1.0/24 CIDR block for private subnet.
RestoreModePassword User Supplied
SecretAccessKey User Supplied IAM user secret access key to be used.
ServerNetBIOSName DC01 NetBIOS name of the AD server (up to 15
characters).
VDAInstanceType c1.xlarge Amazon EC2 instance type for the VDA
master instance.
VdaName VDAMaster NetBIOS name of the machine used as the
master image for VDAs.
VPCCIDR 10.0.0.0/16 VPC Subnet.
VPCName XenDesktop 7.5 and 7.6 Name of the XenDesktop VPC.
POC VPC
XD7DDCInstanceType m3.large Install server used to build the server farm
using the App Delivery Setup PowerShell
scripts. Can be powered down after the farm
is built.
XD7ISOLocation https://s3.amazonaws.com Network address translation server, which
/cf- allows outbound access to the Internet for
XenDesktop/ISO/XenApp_a the servers in the private subnet.
nd_XenDesktop_7_5.iso
XDAdminPassword User supplied NetScaler VPX instance that is used to provide
ICA proxy functionality for the StoreFront
server.
XDAdminUser XDFarmAdmin

Page 8 © 2014 Citrix Systems, Inc. All rights reserved.

 5. Different firmware versions of the NetScaler VPX are supported. Select the version you want by
choosing the appropriate JSON template from one of the following firmware versions:
NSCloudFormationURL Firmware
https://s3.amazonaws.com/cf-XenApp/NS_VPX_Template_v3.json 10.0-71.6008.e
https://s3.amazonaws.com/cf-XenApp/NS_VPX_Template_v4.json 10.1-119.7
https://s3.amazonaws.com/cf-XenApp/NS_VPX_Template_v4.1.json 10.1-120.13

6. After specifying the required parameters, select I acknowledge that this template may create
IAM resources check box, and click Continue.

Page 9 © 2014 Citrix Systems, Inc. All rights reserved.

 7. Add any additional tags on the next screen, and click Continue.

Verify that the values provided match your environment.

Note: It is important to ensure that the availability zone, your access credentials and keypair are correct. If
not, go back and correct the error; otherwise, the template creation will fail. Once correct, click Continue
to start the stack build process.

8. Click Create on the stack creation information screen.

Page 10 © 2014 Citrix Systems, Inc. All rights reserved.
Page 11 © 2014 Citrix Systems, Inc. All rights reserved.
The CloudFormation template builds the environment according to the parameters you specified; the
template will appear in the CloudFormation Console when completed.

It displays two CloudFormation stacks: one for the EC2 Infrastructure and one for the NetScaler VPX.

Page 12 © 2014 Citrix Systems, Inc. All rights reserved.

9. When you select the Outputs section of the Infrastructure Stack, the IP addresses of the main
components appear.

Page 13 © 2014 Citrix Systems, Inc. All rights reserved.

If you select the default values, the template constructs a XenApp or XenDesktop Site infrastructure in
the AWS cloud similar to the following example:

Site infrastructure using the CloudFormation template

XenApp / XenDesktop in AWS Cloud

AWS Regional DataCenter

Virtual Private Cloud (VPC)

DMZ 10.0.0.x Private Subnet (10.0.1.x)

EIP
Corporate
Office

(80,443,1494,2598,3389,53,5986,8080,27000)
Workers
(80, 443, 3389)

AD DC
Public SG

Bastion DC01 (.5)

Eth 0/1
EIP

Private SG
XenApp /
Eth 0/0 XenDesktop
NetScaler NSVPX-1 Delivery Controller Workers
Eth 0/0 (.175) SQL Server
Eth 0/1 (.100) StoreFront
XD7DDC

EIP
NAT SG
(22)

Remote
& Mobile
Users NAT iNet VDAMaster
Gateway

Page 14 © 2014 Citrix Systems, Inc. All rights reserved.

Set up XenApp or XenDesktop on the AWS Infrastructure
Once you have setup AWS using an AWS CloudFormation template, you can configure XenApp or
XenDesktop to deliver virtual desktops and applications from AWS.

1. From the EC2 instances management console, select Download Desktop File to connect to the
Bastion host using RDP.
2. Log in with the domain administrator credentials you provided during the CloudFormation Stack
creation.

3. From the Bastion host, RDP to the Delivery Controller (the controller is xd7ddc.xencloud.net
when using the default domain name), and log in as the domain administrator using again the
DomainAdminUser and DomainAdminPassword provided as parameters during the stack
creation event.

Page 15 © 2014 Citrix Systems, Inc. All rights reserved.

 4. The XenApp and XenDesktop 7.5 and 7.6 product media is already mounted. Run
AutoSelect.exe to start the installation.

Note: The credentials file for the root AWS account, retrieved from
https://console.aws.amazon.com/iam/home?#security_credential is not in the same format for
credentials files downloaded for standard AWS users. Because of this, Studio cannot use the file to
populate the API and secret key fields when creating a connection. Ensure that you are using IAM
credentials files when administering Studio.
5. Install XenApp or XenDesktop as required for your environment.
a. Select the Delivery Controller.
b. Select All Core Components.
c. Follow the wizard instructions to complete the Delivery Controller Installation.
6. Start Citrix Studio, and follow the wizard to create the site. Note that the CloudFormation
template has preinstalled SQL Server 2012 on the Delivery Controller.

Page 16 © 2014 Citrix Systems, Inc. All rights reserved.

 7. Select the local host as the database server location, and allow the wizard to create the
database.

8. Complete the licensing setup.

Page 17 © 2014 Citrix Systems, Inc. All rights reserved.

 9. Provide your AWS access credentials to allow the Delivery Controller to provision instances on
AWS.

10. Select the AWS region, your VPC, and the desired availability zone for this connection.

Page 18 © 2014 Citrix Systems, Inc. All rights reserved.

 11. Select the subnets to host your instances, and then enter a name. In this example, the private
subnet, 10.0.1.0/24 is selected to access the VDAs running in this private network, as shown in
Site Infrastructure using the CloudFormation template.

12. Skip the configuration for the App-V Publishing option to complete the Site setup. You can add
this feature later.

Page 19 © 2014 Citrix Systems, Inc. All rights reserved.

When the configuration completes, the wizard displays the Site Setup page.

Page 20 © 2014 Citrix Systems, Inc. All rights reserved.

Configure the Master VDA machine

Once you have configured the Delivery Controller, you must configure a master image by configuring a
master VDA machine.

1. From the Bastion host, RDP to the VDA Master (you can find the IP address from the EC2
console), and log in as the domain administrator, using again the DomainAdminUser and
DomainAdminPassword provided as parameters during the stack creation event.

2. The XenApp and XenDesktop 7.5 and 7.6 product media is already mounted. Run
AutoSelect.exe to start the installation.

Page 21 © 2014 Citrix Systems, Inc. All rights reserved.

 3. Select Virtual Delivery Agent for Windows Server OS for a XenApp Worker installation. See
Server VDI for information on setting up a Server VDI Master VDA.

Page 22 © 2014 Citrix Systems, Inc. All rights reserved.

10. Select Create a Master Image.

11. Supply the FQDN of the Delivery Controller you configured earlier in this process.

12. Review the specified settings for the Master VDA

13. Select Install to start the VDA Master installation.

Page 23 © 2014 Citrix Systems, Inc. All rights reserved.

 Note: You must reboot the machine to complete the addition of the Microsoft Remote Desktop Session
host. You can reboot from within the instance; you do not need to use the AWS console to do so. It can
take several minutes after reboot before the instance responds to RDP connections again.

14. After the machine reboots, log in to the Master VDA. The XenApp and XenDesktop product media is
no longer mounted (it searches for the media), and the installation does not continue.

Page 24 © 2014 Citrix Systems, Inc. All rights reserved.

15. Click Cancel, and remount the media from its location. For example,
C:\Users\Public\Downloads.

16. When the media is mounted, select the Virtual Delivery Agent for Windows installation, which
automatically continues from where it left off.
17. Restart the machine.
Page 25 © 2014 Citrix Systems, Inc. All rights reserved.
18. After the VDA installation completes, install applications that will be published or available on the
users' desktops on the master VDA.

Page 26 © 2014 Citrix Systems, Inc. All rights reserved.

19. After installing additional software, from the EC2 Console, select Actions > Stop to shut down the
VDA Master Image.

Page 27 © 2014 Citrix Systems, Inc. All rights reserved.

20. After shutdown, create an AMI from your Master VDA by selecting Actions > Create Image.

Page 28 © 2014 Citrix Systems, Inc. All rights reserved.

21. Assign a name and description, and then click Create Image.

Important: By default, Delete on Termination is selected. Do not change this setting. The product works
on the assumption that root disk volumes are deleted automatically by Amazon. Unchecking this box can
cause the deployment to leak volumes in EBS storage.

Depending on the size of the instance volume, image creation can take a long time. You must wait until
the image is fully created before you can see it in Studio.

When the AMI creation process completes, set up machines in Studio using Master VDA AMI.

Page 29 © 2014 Citrix Systems, Inc. All rights reserved.

Set up machines in Studio using the Master VDA AMI
Now that the master AMI is configured, use Studio to provision applications and desktops by creating a
machine catalog.

1. Open Studio on the Delivery Controller and select Option 2.

2. Select Server OS. If your configuration has Server VDI available on a Desktop OS, you can
alternatively choose the Desktop OS option.

Page 30 © 2014 Citrix Systems, Inc. All rights reserved.

3. To enable XenApp or XenDesktop to control machine provisioning in AWS, select the settings shown
in this example:

Note: AWS does not support Citrix Provisioning Services.

Page 31 © 2014 Citrix Systems, Inc. All rights reserved.

4. Select the machine template the AMI created in the EC2 console as described in Configure the
Master VDA machine.

5. Select the required security groups. In this example, you must select the DomainMemberSG
Security as well as the private security group PrivateSecurityGroup.

You can also indicate that dedicated hardware is required to host your instances. Use Shared
Hardware is the default.

Page 32 © 2014 Citrix Systems, Inc. All rights reserved.

6. Select the number of machines and instance type to for the machine catalog.

7. Select the networking configuration.

Page 33 © 2014 Citrix Systems, Inc. All rights reserved.

8. Configure the computer accounts.

9. Enter a name, and click Finish. Note that the process of copying the master image can take a long
time to complete. It may take 30 to 40 minutes, or more if there are a lot of machines in the catalog.

Page 34 © 2014 Citrix Systems, Inc. All rights reserved.

Set up Delivery Groups
After setting up machines in the machine catalog, configure Delivery Groups to specify which users can
access desktops or applications that you want to provide. Delivery Groups are usually based on user
characteristics, such as job function or geographical region.

1. In Studio, select the Delivery group node and click Create Delivery Group.
2. Click Add Machines, select a machine catalog for this Delivery Group, and then enter the number
of machines the group consumes from the machine catalog.
3. On the Users page, click Add users to add the users or user groups that can access the desktops
or applications. You can select user groups by browsing or entering a list of Active Directory users
and groups each separated by a semicolon. For Desktop OS Delivery Groups, you can import user
data from a file after you create the group.
4. On the Delivery Type page, select what the desktops deliver to users:
 Applications only
 Desktops only
 Applications and desktops
5. On the StoreFront page, select StoreFront URLs to be pushed to Citrix Receiver so that Receiver
can connect to a StoreFront without user intervention. Note that this setting is for Receiver
running on VDAs.
6. On the Scopes page, define which administrators can access the Delivery Group.
7. On the Summary page, check all details and then enter a display name that users and
administrators see and a descriptive Delivery Group name that only administrators see.

Page 35 © 2014 Citrix Systems, Inc. All rights reserved.

Set up NetScaler Gateway Remote Access
After provisioning applications and desktops through Studio, set up access to StoreFront by configuring
remote access to NetScaler Gateway. Remote users access and authenticate to the NetScaler Gateway.
Upon successful validation, NetScaler Gateway forwards the user request to StoreFront, which
generates a list of available application and desktop resources.

Set up StoreFront

1. Run the StoreFront administration console on the Delivery Controller and enable remote access.

Page 36 © 2014 Citrix Systems, Inc. All rights reserved.

2. In the Add NetScaler Gateway Appliance wizard, enter the parameters of your public NetScaler
configuration, such as the FQDN and the NetScaler subnet IP address (SNIP). In this example, the
SNIP is 10.0.1.102.

3. Add the Secure Ticket Authority (STA), which is the Delivery Controller.

Page 37 © 2014 Citrix Systems, Inc. All rights reserved.

4. Click OK, and then click Create to complete the NetScaler Gateway definition for StoreFront.

5. Click OK to complete the remote access enabling process.

6. Enable the NetScaler Gateway function.
a. Connect a machine on the private subnet to the NSIP (10.0.1.100).
b. Log in to the NetScaler GUI.

Page 38 © 2014 Citrix Systems, Inc. All rights reserved.

7. On the NetScaler Gateway, you must use the subnet IP and enable MAC-based forwarding.

8. Create the following network connections:

a. SNIP with IP address 10.0.1.102 on the NetScaler server
b. VIP with IP address 10.0.0.176 on the NetScaler client

Page 39 © 2014 Citrix Systems, Inc. All rights reserved.

The CloudFormation template or the manual setup procedure has already configured these addresses at
the AWS layer for the NetScaler VPX.

Configure NetScaler Gateway using the Enterprise Store wizard

1. Launch the Enterprise Store wizard.

Page 40 © 2014 Citrix Systems, Inc. All rights reserved.

 2. Ensure that the VIP used for the NetScaler Gateway virtual server is set to 10.0.0.176. The
CloudFormation template configures this VIP to point to an elastic IP address.

Page 41 © 2014 Citrix Systems, Inc. All rights reserved.

 3. Look up the elastic IP address for your VIP using the EC2 console. The CloudFormation output
section shows the EIP associated with the VIP (NSGWVIP).

Page 42 © 2014 Citrix Systems, Inc. All rights reserved.

 4. Complete the XenApp or XenDesktop configuration:
 Place a certificate on your NetScaler Gateway, and assign this in DNS. Alternatively, place an
entry in your hosts file to the elastic IP address.
 Create a Delivery Group from your XenApp or XenDesktop machines and publish your
applications and desktops.

Page 43 © 2014 Citrix Systems, Inc. All rights reserved.

Examples

The following example shows a desktop launched using an AWS g2.2xlarge instance (template), which
allows for HDX 3D Pro support:

Page 44 © 2014 Citrix Systems, Inc. All rights reserved.

The following example shows applications available in Receiver:

The following example shows launched applications:

Page 45 © 2014 Citrix Systems, Inc. All rights reserved.

Create template AMIs from other templates
You can create template AMIs by launching an instance from a virtual machine (VM) that you imported
from Citrix XenServer, Microsoft Hyper-V, VMware Workstation, or VMware vSphere. You create the
template AMI by:

 Exporting your existing Windows images or template from your on-premises virtualization
environment using the environment’s virtualization tools.
 Importing the image or template to Amazon EC2 using the Amazon EC2 command line or API
tools.

See the Importing EC2 Instances in the AWS EC2 User guide for detailed instructions on importing
existing VMs.

Once you import your template, and create an instance from it as described in Importing EC2 Instances,
you can turn it in to an AMI as with any other instance.

Page 46 © 2014 Citrix Systems, Inc. All rights reserved.

Appendix
Manually deploy XenApp and XenDesktop in AWS
An alternative to using an AWS CloudFormation template, you can deploy XenApp and XenDesktop on
AWS using manual procedures, as shown in the following example.

Site infrastructure using the manual deployment

XenApp / XenDesktop in AWS Cloud

AWS Regional DataCenter

Virtual Private Cloud (VPC)

DMZ 10.0.0.x Private Subnet (10.0.1.x)

EIP
Corporate
Office
(80,443,1494,2598,3389,53,5986,8080,27000)
Workers
(80, 443, 3389)

AD DC
Public SG

Bastion DC01 (.5)

Eth 0/1
EIP
Private SG

XenApp /
Eth 0/0 XenDesktop
NetScaler NSVPX-1 Delivery Controller Workers
Eth 0/0 (.175) SQL Server
Eth 0/1 (.100) StoreFront
XD7DDC

EIP
NAT SG
(22)

Remote
& Mobile
Users NAT iNet VDAMaster
Gateway

Page 47 © 2014 Citrix Systems, Inc. All rights reserved.

Security and firewall mappings

This section lists network specifics used in this manual set up example.

NAT Security Group

Inbound Outbound

Type Traffic Source Type Traffic Source

All All privateSG All All 0.0.0.0/0

TCP 22 (SSH) 0.0.0.0/0

Public Network Security Group (publicSG) rules

Inbound Outbound

Type Traffic Source Type Traffic Source

All All publicSG All All 0.0.0.0/0

All publicSG All privateSG

ICMP All 0.0.0.0/0 ICMP All 0.0.0.0/0

TCP 22 (SSH) 0.0.0.0/0

80 (HTTP) 0.0.0.0/0

443 (HTTPS) 0.0.0.0/0

1494 (CA) 0.0.0.0/0

2598 (Sess) 0.0.0.0/0

3389 (RDP) 0.0.0.0/0

Page 48 © 2014 Citrix Systems, Inc. All rights reserved.

Private Network Security Group (privateSG) rules

Inbound Outbound

Type Traffic Source Type Traffic Source

All All NATSG All All 0.0.0.0/0

All privateSG All privateSG

ICMP All publicSG ICMP All 0.0.0.0/0

TCP 53 (DNS) publicSG UDP 52 (DNS) 0.0.0.0/0

80 (HTTP) publicSG

135 publicSG

389 publicSG

443 (HTTPS) publicSG

1494 (CA) publicSG

2598 (Sess) publicSG

3389 (RDP) publicSG

49152 -
65535 publicSG

UDP 53 (DNS) publicSG

389 (LDAP) publicSG

Page 49 © 2014 Citrix Systems, Inc. All rights reserved.

Relevant AMIs for XenApp and XenDesktop Site in US-East-1

Function AMI Name AMI ID Network IP Address

Domain Microsoft Windows Server 2012 Base ami-814642e8 private 10.0.1.5
Controller Microsoft Windows Server 2008 R2 Base
configuration ami-37b1b45e

Delivery Microsoft Windows Server 2012 with SQL ami-e743478e private 10.0.1.15
Controller ami-a1b9bcc8
Microsoft Windows Server 2008 R2 with
SQL

NetScaler NetScaler VPX Platinum Edition - 10 Mbps ami-c995aaa0 Public

Gateway
SNIP 10.0.0.175

VIP 10.0.0.176

Private

NSIP 10.0.1.100

SNIP 10.0.1.102

Bastion Microsoft Windows Server 2012 Base ami-814642e8 public DHCP

configuration ami-37b1b45e
Microsoft Windows Server 2008 R2 Base
configuration
NAT ami-vpc-nat-1.1.0-beta.x86-64-ebs ami-f619c29f public DHCP

VDAMaster Microsoft Windows Server 2012 Base ami-814642e8 private DHCP

configuration Microsoft Windows Server ami-37b1b45e
2008 R2 Base configuration
Note: The Amazon VPC wizard automatically creates the NAT server. Therefore, you do not need to create
the AMI.

Page 50 © 2014 Citrix Systems, Inc. All rights reserved.

Set up the VPC network
Create the VPC network infrastructure

Creating a Site involves creating the Virtual Private Cloud (VPC) network infrastructure in your Amazon
Web Services account.

1. Log in to your AWS account, and navigate to the VPC tab. Click Get Started Creating your VPC.

Page 51 © 2014 Citrix Systems, Inc. All rights reserved.

 2. Select VPC with Public and Private Subnets.

3. To create a hybrid setup between your on premise environment:

a. Select VPC with Public and Private Subnets and Hardware VPN.
b. Alternatively, deploy the CloudBridge on your NetScaler, which creates the VPN for you.

Page 52 © 2014 Citrix Systems, Inc. All rights reserved.

This sample deployment uses the default network settings. Adjust them accordingly.

Page 53 © 2014 Citrix Systems, Inc. All rights reserved.

When the VPC is automatically created, it includes the public and private subnets, the router, NAT
gateway, and the Internet gateway.

Page 54 © 2014 Citrix Systems, Inc. All rights reserved.

Add security groups

The security groups in Amazon VPC provide communication between the Internet and public network,
and the public and private network. The security groups contain ACLs and are the basis of the firewalls
shown in the network diagram.

You must create the following security groups.

Add NAT Security Group

1. On the VPC tab, select Security Groups > Create Security Group.
2. Add ACL rules for inbound and outbound traffic. Select:
a. Create a new rule
b. Port number
c. Source IP address

Note: A source IP address of 0.0.0.0/0 indicates that you want to allow all inbound or outbound traffic.

Page 55 © 2014 Citrix Systems, Inc. All rights reserved.

 3. Create ACL rules to match the inbound and outbound traffic table.

Page 56 © 2014 Citrix Systems, Inc. All rights reserved.

NAT Security Group rules

Inbound Outbound

Type Traffic Source Type Traffic Source

All All privateSG All All 0.0.0.0/0

TCP 22 (SSH) 0.0.0.0/0

NAT instance

The VPC Wizard creates the NAT instance.

Go to the EC2/Instances page, and locate the instance. Right-click the instance, and change the security
group to NATSG.

Page 57 © 2014 Citrix Systems, Inc. All rights reserved.

Add public security group

1. On the VPC tab, select Security Groups > Create Security Group.

2. Add ACL rules for inbound and outbound traffic. Select:

a. Create a new rule
b. Port number
c. Source IP address

Note: Entering a Source IP address of 0.0.0.0/0 allows all inbound or outbound traffic.

Page 58 © 2014 Citrix Systems, Inc. All rights reserved.

3. Create ACL rules to match the Public Network Security Group (publicSG) rules table.

Public Network Security Group (publicSG) rules

Inbound Outbound

Type Traffic Source Type Traffic Source

All All publicSG All All 0.0.0.0/0

All publicSG All privateSG

ICMP All 0.0.0.0/0 ICMP All 0.0.0.0/0

TCP 22 (SSH) 0.0.0.0/0

80 (HTTP) 0.0.0.0/0

443 (HTTPS) 0.0.0.0/0

1494 (CA) 0.0.0.0/0

2598 (Sess) 0.0.0.0/0

3389 (RDP) 0.0.0.0/0

Page 59 © 2014 Citrix Systems, Inc. All rights reserved.

Add Private Security Group

1. On the VPC tab, select Security Groups > Create Security Group.

Page 60 © 2014 Citrix Systems, Inc. All rights reserved.

4. Add ACL rules for inbound and outbound traffic. Select:
a. Create a new rule
b. Port number
c. Source IP address

Note: Entering a Source IP address of 0.0.0.0/0 allows all inbound or outbound traffic. Create ACL rules to
match the table.

Page 61 © 2014 Citrix Systems, Inc. All rights reserved.

Private Network Security Group (privateSG) rules

Inbound Outbound

Type Traffic Source Type Traffic Source

All All NATSG All All 0.0.0.0/0

All privateSG All privateSG

ICMP All publicSG ICMP All 0.0.0.0/0

TCP 53 (DNS) publicSG UDP] 52 (DNS) 0.0.0.0/0

80 (HTTP) publicSG

135 publicSG

389 publicSG

443 (HTTPS) publicSG

1494 (CA) publicSG

2598 (Sess) publicSG

3389 (RDP) publicSG

49152 -
65535 publicSG

UDP 53 (DNS) publicSG

389 (LDAP) publicSG

DHCP options
Create a DHCP options set

There is a domain controller running DNS in the private network. The controller enables Citrix servers to
authenticate and communicate with each other. To implement this communication:

 Create a new DHCP options set that contains your DNS server IP address.
 Add an open-source DNS server on the Internet in case a server needs to access the Internet.

Page 62 © 2014 Citrix Systems, Inc. All rights reserved.

DHCP Options Set

1. Navigate to the VPC tab, and select DHCP Options Set > Create DHCP Options Set.

Page 63 © 2014 Citrix Systems, Inc. All rights reserved.

 2. Select the VPC, right-click on your selection, and choose Change DHCP Options Set to the new
set.

Page 64 © 2014 Citrix Systems, Inc. All rights reserved.

Set up the XenApp or XenDesktop infrastructure instances

Launch and configure a domain controller AMI

Create a domain controller for the Site as follows.

1. Select AMIs in the EC2 tab.

2. Depending on operating system you use, perform a search in the Amazon AMIs for Windows
Server 2012 Base or Windows Server 2008 R2 Base. Ensure that the machine is deployed to
your subnet, and make sure it is in the private subnet 10.0.1.0/24.

Page 65 © 2014 Citrix Systems, Inc. All rights reserved.

 3. Assign the IP address for this server.

4. Assign a friendly name to the AMI to make it easily identifiable in the Amazon console.

Page 66 © 2014 Citrix Systems, Inc. All rights reserved.

 5. Place the domain controller in the network by launching the AMI into the appropriate network
and security group. This example places the domain controller in the private network.

6. Review the settings, and then select Launch.

Page 67 © 2014 Citrix Systems, Inc. All rights reserved.

 7. Choose an existing AWS keypair, or create a new one.

Page 68 © 2014 Citrix Systems, Inc. All rights reserved.

Launch remaining XenApp or XenDesktop AMIs

Launch the remaining XenApp or XenDesktop AMIs using the parameters in the following table. Ensure
that you launch them into the correct network (private or public as applicable), and assign an IP address
and the elastic IP addresses.

Note: The Amazon VPC wizard automatically creates the NAT server, so you should not need this AMI.

Function AMI Name AMI ID Network IP Address

Domain Microsoft Windows Server 2012

Controller Base ami-814642e8 private 10.0.1.5

Microsoft Windows Server 2008

R2 Base ami-37b1b45e private 10.0.1.5

Delivery Microsoft Windows Server 2012

Controller with SQL ami-e743478e private DHCP

Microsoft Windows Server 2008

R2 with SQL ami-a1b9bcc8 private DHCP

VDA Master Microsoft Windows Server 2012

Base ami-814642e8 private DHCP

Microsoft Windows Server 2008

R2 Base ami-37b1b45e private DHCP

Bastion Microsoft Windows Server 2012

Base ami-814642e8 public DHCP

Microsoft Windows Server 2008

R2 Base ami-37b1b45e public DHCP

NetScaler VPX
NetScaler VPX Platinum Edition -
10 Mbps ami-c995aaa0 public/private 10.0.1.100

Page 69 © 2014 Citrix Systems, Inc. All rights reserved.

Launch the NetScaler AMI

1. Ensure that you subscribe to NetScaler VPX in the AWS Marketplace.

2. In Community AMIs of the EC2 Console launch wizard, launch the AMI searching for the AMI
IDs.

For detailed instructions, see https://s3.amazonaws.com/awsmp-usageinstructions/CitrixUI.html.

Page 70 © 2014 Citrix Systems, Inc. All rights reserved.

 3. Deploy the instance into the private subnet.

4. Ensure that this instance has two interfaces:

 Public subnet
 Private subnet:
i. eth0 is connected to the private subnet
ii. Primary IP address (NSIP) is 10.0.1.100
iii. Secondary IP address (SNIP) is 10.0.1.102

Page 71 © 2014 Citrix Systems, Inc. All rights reserved.

 5. Deploy the instance into the private security group.

Page 72 © 2014 Citrix Systems, Inc. All rights reserved.

 6. Configure the NetScaler ENIs (AWS elastic network interfaces) to be part of their respective
security groups.
 Public-subnet-facing ENI needs to be part of the public security group
 Private-subnet-facing ENI needs to be part of the private security group

Public ENI – Public Security Group

Page 73 © 2014 Citrix Systems, Inc. All rights reserved.

 Private ENI – Private Security Group

7. Assign an elastic IP address to the NetScaler public ENI – associated to the VIP (10.0.0.176).

Page 74 © 2014 Citrix Systems, Inc. All rights reserved.

Page 75 © 2014 Citrix Systems, Inc. All rights reserved.