Setup Guide for the XenApp on AWS CloudFormation Template This document walks you through the steps of using the Citrix XenApp on AWS CloudFormation template (v 4.1.5) available here to create a fully functional XenApp farm in the Amazon cloud. The process consists of six steps:

1. Create the Stack using the CloudFormation Template in AWS Console 2. Build and configure the XenApp farm by running the AWS-Farm-Install PowerShell script 3. Configure the StoreFront Services 4. Configure the NetScaler Platinum Edition (Requires subscription via AWS MarketPlace) via

NSSetup PowerShell script and manually complete some AWS and DNS configurations. 5. Configure XenApp license server and add a license

The steps will take about 4 hours to fully execute, with only about 60 minutes of user intervention. Each of the steps is discussed below. This CloudFormation template uses AWS Marketplace AMI’s that must be linked to your account before beginning the install. To do this, complete the following steps:

1. From the AWS console select the “Find software on AWS MarketPlace” hyperlink under the additional information section on the right-side of the console.

2. Search for “NetScaler VPX Platinum Edition – 10 Mbps” and select version 10.0-71.6008.e.

3. Select and Register it to your AWS account.

Stack Creation Using the CloudFormation Template The steps below show how to use the CloudFormation template to automate the building of all necessary resources in the Amazon EC2 cloud for a XenDesktop farm.

1. On the CloudFormation Stack console tab, use the dropdown box in the upper right-hand corner to select the Region in which you want to build the environment.

2. Click the Create New Stack button.

3. Provide the Stack Name and point to the CloudFormation JSON template available at https://s3.amazonaws.com/cf-XenApp/XAonAWSCF_v4.1.5.json. Click Continue.

4. Provide parameters for the script to run, including AvailabilityZonePref. The template provides

brief explanations for each parameter and displays default values. The default values produce a two-server farm running with eight amazon instances as described below.

Instance Purpose Bastion Jump host in the DMZ which allows external administration. Can be powered down

when not administering the environment. DC01 Domain controller (name can be changed via parameter) for the active directory

domain. XENAPP Primary XenApp server holding the most preferred data collector role for the farm

as well as the SQL server. XENAPP-BDC Secondary XenApp server holding the preferred data collector role for the farm. XENAPP-SF Server hosting the StoreFront role. Runs version 1.2 of StoreFront with the

database on the XENAPP server. STARBURST Install server used to build the server farm using the App Delivery Setup PowerShell

scripts. Can be powered down after the farm is built. NAT Network address translation server which allows outbound access to the internet

for the servers in the private subnet. VPX Primary Netscaler VPX instance that is used to provide ICA Proxy functionality for the

StoreFront server.

5. Different firmware versions of the NetScaler VPX are supported, and can be selected by choosing the appropriate JSON template for the desired firmware version based on the table below:

NSCloudFormationURL Firmware https://s3.amazonaws.com/cf-XenApp/NS_VPX_Template_v3.json 10.0-71.6008.e https://s3.amazonaws.com/cf-XenApp/NS_VPX_Template_v4.json 10.1-119.7 https://s3.amazonaws.com/cf-XenApp/NS_VPX_Template_v4.1.json

10.1-120.13

6. After specifying the required parameters, enable the “I acknowledge that this template may

create IAM resources” checkbox and click Continue.

7. Add any additional tags on the next screen and click Continue.

8. Verify that the regions for the Template and AvailabilityZonePref match. If not, backup and correct the error, because if they are not the same, the template creation will fail. Once correct, click Continue to start the stack build process.

9. Click Close on the stack creation information screen.

The CloudFormation template then builds out the environment according to the parameters you’ve specified. If you select the default values, the template constructs a XenApp farm in the AWS cloud similar to the diagram below.

Farm Build with PowerShell Scripts Once the creation of the CloudFormation Stack is complete, the next step is to execute the AWS-Farm-Build.PS1 PowerShell script to build and configure the farm. The latest version of the script automates much of the earlier manual process, performing the following steps:

1. Calling the Install-CtxFarm-Wrapperv3.ps1 script to mount the XA6.5 share on the InstallServer in preparation for the install segment.

2. Calling the Install-CtxFarmV3.ps1 script to install the ZDC, BDC, and WI servers. 3. Using PSRemoting to silently install the LicenseServer on the ZDC. 4. Calling the register-tenant.ps1 script to register the tenant OU and create the Worker Group. 5. Calling the Add-CtxFarmCapacityV3.ps1 script to add the WorkerServers to the farm and move

them to the Worker Group OU. (Should worker servers be manually added to the environment prior to running this script)

6. Using PSRemoting to publish Notepad to all users and a Server Desktop to Administrators. 7. Using PSRemoting to silently install StoreFront on the XenApp-SF server.

NOTE: Wait about 30 minutes after the CloudFormation script completes to allow all of the servers a chance to join the domain and reboot. During testing of the seven Regions, five of the zones had one or more servers fail to join the domain automatically. This failure is not caused by the script, but by instance creation timing in the cloud. An easy workaround is to join the servers manually to the domain before executing the script.

The steps for executing the AWS-Farm-Build.PS1 PowerShell script to build the farm have changed since the earlier script we published. To build the farm, follow these steps:

1. From the EC2 Instances management console, obtain the local adminstrator’s password for the Bastion host, by selecting Get Windows Password from the Actions menu.

2. On the Outputs tab of the CloudFormation Stack tab, find the elastic IP address and use RDP to connect to the Bastion host (54.236.120.70 in the example screen shot) and login as local administrator with the password retrieved from the AWS Console comman

3. From the Bastion host, RDP to the Domain Controller (default IP is 10.0.1.5) and login as the Domain Administrator using the DomainAdminUser and DomainAdminPassword provided as parameters during the stack creation event.

4. Launch an “Active Directory Users & Computers” window and verify that core four hosts have successfully joined the domain (Xenapp, Xenapp-BDC, Xenapp-SF, and Starburst). If any of the servers are not in the domain, RDP to the appropriate IP address and join them to the domain with the correct name before continuing. Use the EC2 Get Windows Password action to retrieve their local administrator password.

5. Disable the Firewall on the Xenapp, Xenapp-BDC, and Xenapp-SF hosts before continuing. Once the farm build is complete, and before users connect, the firewalls should be re-enabled.

6. Change the password for the Administrator account to one that you know, as it is required for the SQL Database install later.

7. Once the above servers are in the domain, connect from the Bastion host to Starburst as the Domain Administrator. If you log on with a local administrator account, the PowerShell script will fail.

8. Verify that DNS resolution works for Xenapp, Xenapp-BDC, and XenApp-SF by NetBIOS name. To

do this, use ping with the NetBIOS name and look at the returned IP address. (However, don’t expect the server to respond to the pings because the Windows firewall is enabled.) Alternatively, you can run nslookup to verify DNS resolution.

9. Once name resolution has been verified, launch PowerShell and navigate to “C:\Program Files (x86)\Citrix\App Delivery Setup Tools”.

10. From there execute the .\AWS-Farm-Build.ps1 script and answer the prompts. Be sure to use

the domain administrator account for the database user unless you manually create and grant SA permissions to another domain account first.

11. Confirm the key settings by typing “YES” and pressing Enter.

12. If an error occurs regarding setting preferred status on XENAPP-BDC, manually make that change and restart the script or just skip that step and continue the build by running .\AWS-Farm-Build.ps1 –ExecutionStep InstallLicenseServer

13. On completion, you should see a screen like the one below.

NOTE: If you see an error message about installing StoreFront after it completed the installation, this may be a benign error. Before re-running the script as it requests, first RDP to the StoreFront Server and verify the StoreFront icon is not in the Citrix Start menu. If the icon is present, the error can be safely ignored.

Citrix StoreFront Server Configuration Once the PowerShell script finishes, the next step is to configure the StoreFront server as follows:

1. Launch the RDP client to the XenApp-SF server 2. Launch the configuration console from the Start Menu: All Programs >> Citrix >> Citrix

StoreFront 3. Click the “Deploy a multiple server group” menu button.

4. The Initial Setup wizard will start. Provide the following information: Hostname: http://xenapp-sf.<domainname> Database Server: xenapp.<domainname> Database Name: ReceiverStoreFront

Click Test Connection and verify the database connection is successful.

Then click OK on the test connection and finally Create on the dialog box.

5. After the deployment is created, the wizard will request a name for the store. This name will be used later in the NSSetup.ps1 PowerShell script, so keep it handy. After supplying it, click Next.

6. Click Add… to provide information on the farm controllers.

7. Name the farm and provide the FQDN of the xenapp and xenapp-bdc servers. Set the Transport type to HTTP and the Port to 8080. Click OK to finish the farm configuration.

8. Once the farm is configured, click Next.

9. On the Remote Access dialog, since we will be using Access Gateway Enterprise Edition on the NetScaler, we set the Remote Access to No VPN tunnel and click Add to configure the gateway.

10. Provide a Display Name (AGEE), Gateway URL (https://ag.ctxcloud.com), enable the “Set server as Access Gateway Enterprise Edition, and provide the MIP of the internal subnet (10.0.1.102). Then click Next.

11. Provide the Callback URL and click Next.

12. The final step in setting up the Access Gateway is to provide the FQDN of the Secure Ticket Authorities (xenapp and xenapp-bdc), which use port 8080, and disable the session reliability

checkbox. Since no certs are installed on the domain members, the STA’s should be using an http protocol not https as is the default. When finished, click Create.

13. Then click Create one more time to finish off the Store creation.

14. At this point the store is configured. Please note the name of the website as underlined in the screenshot below, because it will be used as an input to the NSSetup PowerShell script later.

15. Click Finish.

NetScaler Configuration Now the StoreFront server is setup, the NetScaler config can be created and uploaded to the NetScaler VPX as follows:

1. Launch the RDP client to the Starburst server 2. Launch PowerShell command-prompt 3. Change to the “C:\Program Files (x86)\Citrix\App Delivery Setup Tools” folder 4. Start the NSSetup.ps1 script 5. Provide the Public and Private subnet addressing spaces, IP addresses for the environment as

prompted, and the StoreFront Web and StoreFront Receiver site names from the previous section. Verify none of the IP addresses selected will conflict with existing ones assigned via DHCP.

6. The script will then create a batch file of commands and upload it to the NetScaler as shown in the screen shot below:

7. Verify you see the rsa2 key fingerprint (as outlined in red), this lets you know the script was able

to connect to the NetScaler successfully. If not present, close the PowerShell window and rerun the NSSetup script from a new PowerShell window. NOTE: You will need to manually install the correct SSL certificates and link them to the Access Gateway vServer on the NetScaler before continuing. If you place the SSL certificates in the c:\users\public\downloads folder they will be automatically uploaded to the /nsconfig/ssl folder on the NetScaler and you will then only need to manually configure them through the UI.

8. Launch the RDP client to the DC01 server (default 10.0.1.5) 9. Launch the DNS management console and navigate to the Forward Lookup Zone for your

domain 10. Add a host (A) record for the DMZ IP address (default 10.0.0.176) of the Access Gateway (default

ag.ctxcloud.com)

11. Finally, return to the AWS console and obtain a new Elastic IP and assign it to the secondary Access Gateway IP address (10.0.0.176) or move the existing Elastic IP assigned from the current IP address (10.0.175) to the new AG IP address if you don’t plan to administer the NetScaler from the external interface. Click “Associate” to make the update.

Licensing Configuration Once the farm build is complete, you must configure Citrix Farm licensing as follows.

1. Connect to the XenApp server via an RDP client as the Domain Administrator. The XenApp

Server Role Manager should start automatically. 2. Select the Configure link under the License Server heading.

3. Complete the licensing configuration wizard to setup the license service. If you get a “port

already in use” error, stop the Citrix licensing service (which probably started during a reboot) and finish the wizard to restart it.

4. Upload your license file for hostname XENAPP to the license server and verify that it can see the

licenses. 5. Start Citrix AppCenter. 6. Configure the Unfiltered Computer policy to set the license server, license port, product edition,

and product model.

While in the Citrix AppCenter console, edit the Notepad published application and verify that a server or worker group is assigned to the application. If not, go ahead and add the worker group, since sometimes the script fails to add the worker group. Also, you might consider changing the administrator password. At this point you should be able to set an entry in your hosts file to map to the elastic IP address of your Access Gateway and connect to both the published application (notepad which is automatically added to receiver) and the published AdminDesktop.