ajni.IT -
Azure•Citrix XenApp•Citrix Xendesktop•Cloud Computing•Powershell

How to use a custom Azure VM type on Citrix MCS (On-Prem and Citrix Cloud)

July 27, 2020 by AJNI No Comments

If you are using Citrix MCS with Azure VMs, you might have noticed that not all VM SKUs are available to select when creating a new Machine Catalog. With PowerShell, though, you can use any Azure VM SKU.

If you are using Citrix Cloud, you have to download and install the Citrix PowerShell SDK and log in with your Citrix credentials. Optionally, you could download an API client and authenticate with those credentials.

The secure client can be downloaded under Identity and Access Management > API Access > Create client. The customer id will also be shown on that page.

You authenticate with the API client this way:

Set-XDCredentials -CustomerId "customername" -SecureClientFile "C:\temp\secureclient.csv" -ProfileType CloudAPI

Otherwise, without API credentials, after executing the first command, you will be asked to insert your Citrix credentials:

Now the commands to change the Citrix MCS VM type.

Get-ProvScheme -ProvisioningSchemeName "CatalogName"

Take note of the folder name after XDHYP:\HostingUnits\ under MasterImageVM.

This command will register the virtual drive XDHYP:\ in PowerShell:

Set-HypAdminConnection

Insert that folder name in this command:

Set-ProvScheme -ProvisioningSchemeName "CatalogName" -ServiceOffering "XDHyp:\HostingUnits\Foldername\serviceoffering.folder\Standard_NV4as_v4.serviceoffering"

Delete and re-create the VM. The right VM type will then be used.

Reading time: 1 min
Azure•Cloud Computing

Add an existing VM to an Availability Set in Azure

July 20, 2020 by AJNI No Comments

Normally, adding an Availability Set after the VM has been deployed is not possible. You would have to delete the VM, leaving the NIC and OS disk intact, and then re-create the VM with the Availability Set. Of course that can be done manually, but there is a PowerShell script that does all of this for us.

This can all be done in the Azure Cloud Shell; you do not have to install the PowerShell module on a Windows machine.

Install-Module AzureRm.AvailabilitySetManagement

Create an AS before adding the VM to the AS.

New-AzureRmAvailabilitySet -Location "West Europe" -Name "myAs" -ResourceGroupName "myRg" -Sku aligned -PlatformFaultDomainCount 3 -PlatformUpdateDomainCount 5

Now add the VM to the AS:

Add-AzureRmAvSetVmToAvailabilitySet -ResourceGroupName "myRg" -VMName "VM01" -OsType windows -AvailabilitySet "myAs"

This will stop the VM if it is running, delete the VM item (leaving the NIC and OS disk intact) and re-create it with the same VM size inside the newly created Availability Set.

References:

https://pixelrobots.co.uk/2018/02/add-existing-virtual-machine-availability-set-azure/

https://gist.github.com/PixelRobots/3c34027d225c7acb09833840b7258ee9#file-movevmavaset-ps1

Reading time: 1 min
Azure•Cloud Computing

Create Azure Service Principals with Azure Powershell

June 29, 2020 by AJNI No Comments

An Azure Service Principal is a service account created in Azure AD and can be leveraged in PowerShell scripts for automation. It is recommended to use Service Principals for security reasons since they have separate credentials and very constrained rights.

You can either use password-based authentication or certificate-based authentication with Service Principals. In this article, only password-based authentication is covered. Certificate-based authentication is treated in the Microsoft article linked at the end of the page.

First of all, the Az Powershell Module is needed.

Install-Module -Name Az -AllowClobber -Scope Allusers

If you have multiple subscriptions, make sure you have selected the correct one.

Get-AzSubscription

Select-AzSubscription -SubscriptionId xxxxxxxxx

Now create the Principal:

$sp = New-AzADServicePrincipal -DisplayName PowershellAutomation

The $sp object contains a Secret property (the password), which is not in clear text, and an ApplicationId, which will be used as the username. To decrypt the secret, use the following commands:

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sp.Secret)
# Read the BSTR with PtrToStringBSTR; PtrToStringAuto misreads it on non-Windows hosts
$UnsecurePassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR)
# Zero and free the unmanaged copy of the secret once it has been read
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)

In a script, the $UnsecurePassword should not be hardcoded. Instead, it should be saved as an encrypted XML file and decrypted when the script is executed. I wrote a post about securing credentials in PowerShell scripts, check it out: https://www.ajni.it/2020/05/powershell-encrypt-and-store-your-credentials-securely/.

Logging in is also straightforward. The tenant ID can be retrieved on the main page of Azure AD.

Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant xxxxx
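
The $credentials object used in the login command can be built from $sp without ever decrypting the secret, and stored in the encrypted XML file mentioned above. This is an added example, not code from the original post; the tenant ID placeholder, the file name, and the assumption that $sp.Secret is a SecureString (as in the Az version the post uses) are mine.

```powershell
# Added example. Assumes $sp comes from New-AzADServicePrincipal as shown above
# and exposes the secret as a SecureString in $sp.Secret.
$TenantId = 'xxxxx'                                           # placeholder tenant ID
$CredFile = Join-Path $HOME 'PowershellAutomation.cred.xml'   # hypothetical file name

# Export-Clixml encrypts SecureStrings with DPAPI on Windows only. On Linux/macOS
# (including Azure Cloud Shell) the secret would be stored merely obfuscated.
$onWindows = ($PSVersionTable.PSEdition -ne 'Core') -or $IsWindows
if (-not $onWindows) {
    throw 'Export-Clixml does not encrypt credentials on this platform; use a secret store instead.'
}

# ApplicationId is the username; the SecureString is passed through as-is,
# so no plain-text copy of the password is created.
$credentials = [System.Management.Automation.PSCredential]::new([string]$sp.ApplicationId, $sp.Secret)

# One-time step: persist the credential. Only the same user on the same
# machine can decrypt the file.
$credentials | Export-Clixml -Path $CredFile

# In the automation script: load the credential and sign in.
$credentials = Import-Clixml -Path $CredFile
if ($credentials -isnot [System.Management.Automation.PSCredential]) {
    throw "Unexpected content in $CredFile"
}
Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant $TenantId | Out-Null

# Confirm the session really is the service principal before doing any work.
$ctx = Get-AzContext
if ($ctx.Account.Type -ne 'ServicePrincipal' -or $ctx.Account.Id -ne $credentials.UserName) {
    throw 'Signed-in context does not match the expected service principal.'
}
```

Because the file is bound to the Windows user and machine that created it, run the export step under the account that will execute the scheduled script.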

When assigning rights, the newly created identity will be listed:

References:

https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-3.8.0

Reading time: 1 min
Azure•Cloud Computing

Create a custom IAM Role in Microsoft Azure

June 22, 2020 by AJNI No Comments

Azure has a lot of pre-defined roles, but you can also create very specific roles with the help of Azure Powershell or Bash and a JSON config file. In this example, the user that gets this role is only able to start, stop, or restart a VM.

Start off by opening the cloud shell. If this is the first time opening it, a storage account must be created.

Create a new JSON config file and insert the following:

code role.json

{
"Name": "Virtual Machine Operator",
"IsCustom": true,
"Description": "Can deallocate, start and restart virtual machines.",
"Actions": [
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action"
],
"NotActions": [
],
"AssignableScopes": [
"/subscriptions/xxxx"
]
}

You can save with CTRL+S and exit the visual editor with CTRL+Q.

The role grants read permission on Microsoft.Compute resources and allows starting, restarting, and stopping (deallocating) the VM. Do not forget to add your subscription ID at the end, under "AssignableScopes".

Create the role based off the template:

az role definition create --role-definition role.json

When assigning a role, the custom role should also be listed. You can either assign this role to a Resource Group or the VM directly.
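
Before the create command is run, role.json can be checked against what the role is meant to allow. This is an added example, not part of the original post; the function name Test-RoleDefinition and the allow-list are assumptions taken from the JSON shown above. It runs in the PowerShell mode of the Cloud Shell.

```powershell
# Added example. Checks role.json (the file created above) before it is
# submitted with "az role definition create".
$AllowedActions = @(                       # what this role is meant to grant
    'Microsoft.Compute/*/read',
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/restart/action',
    'Microsoft.Compute/virtualMachines/deallocate/action'
)

function Test-RoleDefinition {             # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $role = Get-Content -Path $Path -Raw | ConvertFrom-Json   # throws on malformed JSON
    $findings = @()

    foreach ($action in @($role.Actions)) {
        if ($action -notin $AllowedActions) {
            $findings += "Unexpected action: $action"
        }
        # A wildcard is only acceptable when the operation it ends in is read.
        if ($action.Contains('*') -and $action -notlike '*/read') {
            $findings += "Wildcard grants more than read: $action"
        }
    }
    foreach ($scope in @($role.AssignableScopes)) {
        # Also catches the xxxx placeholder being left in place.
        if ($scope -notmatch '^/subscriptions/[0-9a-fA-F-]{36}(/|$)') {
            $findings += "Scope is not a concrete subscription or resource group: $scope"
        }
    }
    if (-not $role.IsCustom) { $findings += 'IsCustom must be true for a custom role' }
    return $findings
}

$problems = Test-RoleDefinition -Path './role.json'
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; throw 'role.json rejected' }
Write-Output 'role.json grants only the expected VM operator actions'
```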

References:

https://stackoverflow.com/questions/23668154/allow-users-to-start-stop-particular-azure-vms

Reading time: 1 min
Azure•Citrix XenApp•Cloud Computing•VDI•Windows Server

Citrix Virtual Apps and Desktops 1912 LTSR Installation

June 1, 2020 by AJNI No Comments

What do we need for a Citrix Virtual Apps and Desktops (XenApp and XenDesktop) deployment?

  • Active Directory
  • Citrix Delivery Controller
  • Citrix Storefront
  • One Citrix Virtual Delivery Agent (VDA)
  • Citrix License Server
  • A Database Server (SQL Server)

I will be consolidating Citrix Delivery Controller, Storefront, and License Server into one VM since this is a lab environment. In a production environment, you would use 2 VMs for Citrix Delivery Controller (for High Availability – HA), two for Citrix Storefront, and one for the License Server. The VDA count depends on user size.

Using the same two VMs for Delivery Controller and Storefront is also viable.

In my lab, all the servers are housing Windows Server 2019 Datacenter.

First, download the ISO on citrix.com. You will need an account and if you don’t have any partnership with Citrix, it is very difficult to get those files. There is a form you can fill and all you can do afterward is hope that they give you the files. Otherwise, there is no way of getting them publicly.

After mounting the ISO, Autoselect.exe can be run.

Select Virtual Apps and Desktops. Virtual Apps would just publish single programs as apps.

Start by installing Delivery Controller and other components.

Just in case you are wondering: Some obvious steps will not be shown.

We are installing all the features on the same server. Like I said, Delivery Controller and Director should be on one server, License Server on another, and Storefront on another. Storefront and Delivery Controller should have 2 VMs each for High Availability.

I am also using SQL Express on the same server. Normally you would use a dedicated instance on a separate database server.

The server will be restarted. You will need to mount the ISO again and select the target folder:

And after some time…

Our main tool is going to be Citrix Studio.

Make sure you are logged in with a domain user. Local users are not supported.

Configuring a new site.

These parameters will be automatically populated if SQL Express is being used. If using a separate database server a script can be generated to create the databases and tables.

My license server is hosted on the same server.

A connection to VMware or Hyper-V can be made. I am using Azure.

I will select “Other Tools” this time. I’ll make a post about Citrix MCS another time.

Enter your Azure Subscription ID and any name and then select “Create New”.

You will log in to Azure AD. This process creates a new Service Principal in Azure AD that allows Citrix to start, stop, create, and delete VMs in Azure.

In your Subscription under Access control (IAM) you will see a new App Principal as a Contributor.

App-V and AppDNA are not our focus right now.

Here is the summary of my settings.

To deliver a desktop we need at least one server to connect to.

Create a new VM, join it to the domain, and install the Virtual Delivery Agent (VDA).

Run autoselect.exe inside the ISO again.

We are not creating a Master Image for MCS. The Delivery Group will have a catalog of one machine.

Citrix Workspace App is not needed. You can de-select it.

I did not select any additional components.

Add the Delivery Controller.

Enable both features.

Leave Firewall Rules to automatic.

Prerequisites will be installed.

Server will restart twice.

Create a Machine Catalog containing the Remote Desktop Session Host.

This is a server with multiple users connecting to it.

Select the VM and the computer account.

Give it a name.

Create a Delivery Group.

Select the Machine Catalog we just created.

You should probably create a custom group to limit the users.

Add a new desktop and give it a name. I use “TreatAsApp” to show both Desktops and Apps in one tab.

Under Search, we can see if the server has successfully registered with the Delivery Controller.

Now the Desktop can be started through http://ctx01.company.lab/Citrix/StoreWeb/

Configure Storefront to use SSL

Open Internet Information Services (IIS)

Create a self-signed certificate (I do not have Active Directory Certificate Services in my lab environment). I might do a post about that in the future.

Run through the wizard (easy).

Make sure you select the personal certificate store.

Add a new Binding on port 443.

Select the certificate you just signed.

Now both 80 and 443 are active:

Change the Base URL to HTTPS

Now HTTPS is being shown:

Configure Passthrough authentication

The StoreFront URL should be added to the Trusted Sites for pass-through authentication to function properly. Make sure to change “User Authentication” to “Automatic logon with current username and password”. The default setting is “Automatic logon only in Intranet Zone”.

Also, configure pass-through authentication for Receiver for Web Sites.

Change “Enable loopback communication” to OnUsingHttp:

Set this Site as default in IIS:

Configure Delivery Controller to use SSL

Storefront does not accept self-signed certificates, so an internal Certificate Authority is needed for SSL communication between Storefront and Delivery Controller.

That’s it! It was a long but very interesting post.

Reading time: 4 min
ajni IT © 2019