Information
There are several key decisions an admin must make when planning the design of a resource location for use with the Citrix Cloud Virtual Apps and Desktops Service. The first of these decisions is the subscription workspace model they plan to use.
Subscriptions
Selecting a subscription model is a complex decision, as it involves the planned growth of the footprint in Azure: both the initial design and the expected growth of the environment must be considered.
Single Subscription workspace model
In a single subscription, all core and Citrix infrastructure remain inside the same subscription. This configuration is recommended for environments that require up to 1,000 Citrix VDA machines.
Multi-Subscription Workspace Model
In this model, Citrix and core resources reside in separate subscriptions to help manage scalability in large deployments.
Protecting Citrix Cloud Resource location hosted in azure
Network Security Groups (NSGs) are simplified packet inspection controls that allow or deny traffic over specific ports to the resources hosted inside the Azure platform for use with the Citrix Cloud Virtual Apps and Desktops Service. The port requirements for a Citrix Cloud resource location are as follows:
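The port list itself is not reproduced on this page, so the following is an added Az PowerShell example (not from the Citrix article) showing the allow-list pattern an NSG on the VDA subnet should follow: explicit allow rules for the documented flows, then an explicit deny below them. Resource group, virtual network, subnet, address ranges and the two example ports are constructed placeholders; the real rule set must cover every flow in the Citrix Cloud port requirements, including Cloud Connector to VDA traffic.

```powershell
# Added example: allow-list NSG for the Citrix VDA subnet, built with Az PowerShell.
# Every name, address range and port below is a constructed placeholder.
$ResourceGroup = 'rg-ctx-network'          # assumed
$Location      = 'eastus'                  # assumed
$VnetName      = 'vnet-ctx'                # assumed
$SubnetName    = 'snet-vda'                # assumed
$SubnetPrefix  = '10.20.1.0/24'            # assumed VDA subnet
$SourceSubnets = @('10.10.0.0/16')         # assumed: subnets allowed to reach the VDAs
                                           # (Cloud Connectors, gateway/user-facing tier)
$VdaPorts      = @('1494', '2598')         # assumed example ports (ICA / session reliability);
                                           # replace with the documented Citrix port list

$rules = @()
$priority = 100
foreach ($port in $VdaPorts) {
    $rules += New-AzNetworkSecurityRuleConfig -Name "allow-vda-tcp-$port" `
        -Description 'Allow documented session traffic from the permitted source subnets' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority $priority `
        -SourceAddressPrefix $SourceSubnets -SourcePortRange '*' `
        -DestinationAddressPrefix $SubnetPrefix -DestinationPortRange $port
    $priority += 10
}

# Explicit deny below the allow rules. Azure's default rules permit VNet-to-VNet
# traffic, so without this rule anything else in the VNet could reach the VDAs.
$rules += New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' `
    -Description 'Deny anything not explicitly allowed above' `
    -Access Deny -Protocol '*' -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Location $Location `
    -Name "nsg-$SubnetName" -SecurityRules $rules

# Associate the NSG with the VDA subnet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
    -AddressPrefix $SubnetPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review the effective rule set, lowest priority number (evaluated first) at the top.
$nsg.SecurityRules | Sort-Object Priority |
    Select-Object Name, Priority, Direction, Access, Protocol,
        @{ n = 'Source'; e = { $_.SourceAddressPrefix -join ',' } }, DestinationPortRange |
    Format-Table -AutoSize
```

Keeping the deny rule at a fixed priority (4000) leaves room to add further allow rules above it without renumbering, and listing the rules sorted by priority is the quickest way to confirm nothing unintended sits above the deny.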
Granting Access for Citrix Cloud to Access your Azure Subscription
When considering how to connect the Citrix Cloud Virtual Apps and Desktops Service to the Azure subscription, there are two primary options for connecting Citrix Cloud to the Azure subscription:
1. Subscription scope service principals
2. Narrow scope service principals
When an admin creates a host connection to Azure for the first time, Microsoft Azure creates a service principal, an application identity that acts on behalf of the user with the rights that user holds over the subscription. When the Citrix service creates the service principal for the host connection through Studio, a subscription scope principal is created, which grants the permissions included in the service principal across all resources hosted in the Azure subscription.
For customers that need more granular control over their resources, the admin can instead create what is called a narrow scope service principal. This requires more planning when designing the environment: the admins not only need to pre-create the resource groups the VDAs reside in, but access to those resource groups must also be assigned to a pre-created service principal in advance.
The requirements and process to create this narrow scope service principal are defined in greater detail in Citrix Tech Article CTX219243: https://support.citrix.com/article/CTX219243.
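As an added example (not from the Citrix article or from CTX219243), the Az PowerShell sequence below creates a service principal and then grants it rights only on pre-created resource groups, which is the "narrow scope" model described above. The subscription ID, display name and resource group names are placeholders, and the Contributor role on each resource group is an assumption for illustration; the exact roles and permissions Citrix requires are specified in CTX219243.

```powershell
# Added example: narrow scope service principal with Az PowerShell.
# Subscription ID, names and the role chosen are assumptions, not Citrix's requirements.
$SubscriptionId    = '<subscription-id>'                      # placeholder
$SpDisplayName     = 'sp-citrix-cloud-narrow'                 # assumed
$VdaResourceGroups = @('rg-ctx-vda-prod', 'rg-ctx-images')    # assumed; must already exist

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Create the application and its service principal. Recent Az.Resources versions
#    create it with no role assignment; older versions assigned Contributor at
#    subscription scope, which is why step 2 checks for that explicitly.
$sp = New-AzADServicePrincipal -DisplayName $SpDisplayName

# The client secret is only returned at creation time (Az.Resources 5.x+ shape;
# older versions exposed it as the SecureString $sp.Secret).
$clientSecret = $sp.PasswordCredentials.SecretText

# 2. Remove any subscription-scope assignment so the principal is genuinely narrow.
$subScope = "/subscriptions/$SubscriptionId"
Get-AzRoleAssignment -ObjectId $sp.Id |
    Where-Object { $_.Scope -eq $subScope } |
    ForEach-Object {
        Remove-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $_.RoleDefinitionName -Scope $subScope
    }

# 3. Grant rights only on the pre-created resource groups the VDAs and images live in.
foreach ($rg in $VdaResourceGroups) {
    # Stops with an error if the resource group was not pre-created, rather than
    # silently assigning a role to a non-existent scope later.
    Get-AzResourceGroup -Name $rg -ErrorAction Stop | Out-Null
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -ResourceGroupName $rg | Out-Null
}

# 4. Verify: every assignment should now be at resource-group scope, none at subscription scope.
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Values Studio asks for when the host connection is created with an existing principal.
[pscustomobject]@{
    TenantId          = (Get-AzContext).Tenant.Id
    SubscriptionId    = $SubscriptionId
    ApplicationId     = $sp.AppId
    ApplicationSecret = $clientSecret    # store in a vault; do not leave it in shell history
}
```

Step 2 is the part most often skipped: a principal that carries a subscription-scope Contributor assignment from its creation is not narrow, however carefully the resource-group assignments in step 3 were planned. Role assignments can take a short while to propagate, so re-run step 4 if the first listing looks incomplete.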
At this stage, the admin is prepared to deploy their first machine catalog to Azure using the Citrix Cloud Virtual Apps and Desktops Service. For more information on how to prepare a master image and deploy a machine catalog, review the following article: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/machine-catalogs-create.html#prepare-a-master-image-on-the-hypervisor-or-cloud-service
Additional Resources
References:
https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/virtual-apps-and-desktops-azure.html
https://support.citrix.com/article/CTX219243
The Root and Intermediate certificate authorities used to sign the Citrix Cloud Connector need to be trusted on the local machine where the Citrix Cloud Connector is being installed. Cloud Connector binaries and the endpoints that the Cloud Connector contacts are protected by X.509 certificates issued by DigiCert, a widely respected enterprise certificate authority (CA). DigiCert's Certificate Revocation List (CRL) servers are reached over HTTP on port 80 instead of HTTPS on port 443 to verify these certificates during Cloud Connector installation. Cloud Connector components themselves do not communicate over external port 80; the need for external port 80 is a byproduct of the certificate verification process that the operating system performs.
Here is the primary way to resolve this issue:
- Download a new Connector installation package from the resource location page on Citrix Cloud.
- Open HTTP port 80 to *.digicert.com on the Cloud Connector. This port is used during Cloud Connector installation and during the periodic CRL checks. For more information about how to test for CRL and OCSP connectivity, see https://www.digicert.com/kb/util/utility-test-ocsp-and-crl-access-from-a-server.htm on the DigiCert website.
- Ensure Windows Update is enabled and that there is connectivity from the Citrix Cloud Connector to the following URIs. These addresses need to be contactable from the Cloud Connector machine(s) to ensure proper certificate validation:
  - http://crl3.digicert.com
  - http://crl4.digicert.com
  - http://ocsp.digicert.com
  - http://www.d-trust.net
  - http://root-c3-ca2-2009.ocsp.d-trust.net
  - http://crl.microsoft.com
  - http://oneocsp.microsoft.com
  - http://ocsp.msocsp.com
- Ensure communication with the following address is enabled:
  - https://*.digicert.com
- Ensure the machine has the Root and Intermediate certificates (used by the Citrix Cloud installer) installed in the certificate store on the local machine. The following certificates need to be installed; you can install them manually by following the instructions below:
  - https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
  - https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
  - https://cacerts.digicert.com/DigiCertGlobalRootG2.crt
  - https://cacerts.digicert.com/DigiCertGlobalRootCA.crt
  - https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt
  - https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt
  - https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt
  - https://www.microsoft.com/pkiops/certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crt
Installing the certificate
1. Open the MMC certificate store on the Citrix Cloud Connector exhibiting the behavior (see https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx). Make sure to select the Computer account option when prompted by the Certificates snap-in.
2. Navigate to https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt and download the Root certificate.
3. Open the certificate and choose “Install Certificate…”.
4. Ensure that the “Local Machine” option is targeted.
5. Validate that the Root certificate shows up under the proper certificate store.
6. Navigate to https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt and download the Intermediate certificate.
7. Open the certificate and choose “Install Certificate…”.
8. Ensure that the “Local Machine” option is targeted.
9. Validate that the Intermediate certificate shows up under the proper certificate store.
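The connectivity checks and the manual certificate installation above can be done in one pass from an elevated PowerShell session on the Cloud Connector. The script below is an added example, not from the Citrix support article: the CRL/OCSP hosts and certificate URLs are the ones listed above, while the subject names used to detect an already-installed certificate are derived from the certificate file names and are an assumption.

```powershell
# Added example: verify CRL/OCSP reachability and install any missing root or
# intermediate certificates into the LocalMachine store. Run elevated on the Connector.
$CrlHosts = @(
    'crl3.digicert.com', 'crl4.digicert.com', 'ocsp.digicert.com',
    'www.d-trust.net', 'root-c3-ca2-2009.ocsp.d-trust.net',
    'crl.microsoft.com', 'oneocsp.microsoft.com', 'ocsp.msocsp.com'
)

# URL from the article, the store it belongs in (Root for roots, CA for the intermediate),
# and the subject CN to look for. CNs are assumed from the file names.
$RequiredCerts = @(
    @{ Url = 'https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt';            Store = 'Root'; CN = 'DigiCert Assured ID Root CA' }
    @{ Url = 'https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt'; Store = 'CA';   CN = 'DigiCert SHA2 Assured ID Code Signing CA' }
    @{ Url = 'https://cacerts.digicert.com/DigiCertGlobalRootG2.crt';                 Store = 'Root'; CN = 'DigiCert Global Root G2' }
    @{ Url = 'https://cacerts.digicert.com/DigiCertGlobalRootCA.crt';                 Store = 'Root'; CN = 'DigiCert Global Root CA' }
    @{ Url = 'https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt';              Store = 'Root'; CN = 'Baltimore CyberTrust Root' }
    @{ Url = 'https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt';    Store = 'Root'; CN = 'D-TRUST Root Class 3 CA 2 2009' }
    @{ Url = 'https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt';    Store = 'Root'; CN = 'Microsoft RSA Root Certificate Authority 2017' }
    @{ Url = 'https://www.microsoft.com/pkiops/certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crt'; Store = 'Root'; CN = 'Microsoft EV ECC Root Certificate Authority 2017' }
)

function Test-CrlConnectivity {
    # CRL/OCSP lookups are plain HTTP on port 80, which is why the article asks for
    # outbound 80 to these hosts even though the Connector itself only uses 443.
    foreach ($h in $CrlHosts) {
        $r = Test-NetConnection -ComputerName $h -Port 80 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port80Open = $r.TcpTestSucceeded }
    }
}

function Install-MissingCaCertificates {
    foreach ($c in $RequiredCerts) {
        $storePath = "Cert:\LocalMachine\$($c.Store)"
        $present = Get-ChildItem $storePath | Where-Object { $_.Subject -like "CN=$($c.CN)*" }
        if ($present) {
            [pscustomobject]@{ Subject = $c.CN; Store = $c.Store; Action = 'already present'; Thumbprint = $present[0].Thumbprint }
            continue
        }
        $fileName = [uri]::UnescapeDataString([IO.Path]::GetFileName(([uri]$c.Url).AbsolutePath))
        $file = Join-Path $env:TEMP $fileName
        Invoke-WebRequest -Uri $c.Url -OutFile $file -UseBasicParsing
        # Import into LocalMachine, not CurrentUser: the installer runs in a different
        # security context and would not see a per-user import.
        $imported = Import-Certificate -FilePath $file -CertStoreLocation $storePath
        [pscustomobject]@{ Subject = $c.CN; Store = $c.Store; Action = 'installed'; Thumbprint = $imported.Thumbprint }
    }
}

Test-CrlConnectivity | Format-Table -AutoSize
Install-MissingCaCertificates | Format-Table -AutoSize
```

If any host reports Port80Open as False, fix the firewall or proxy path before re-running the installer; a complete certificate store does not help when the revocation check itself cannot complete. The Thumbprint column gives you something to compare against the value shown in the certificate's properties dialog after a manual install.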
Problem Cause
The Citrix Cloud Connector installer is signed with a DigiCert signing certificate. During installation this certificate is programmatically validated in order to ensure integrity of the components downloaded. If the Root and Intermediate certificates are not trusted on the local machine, the installer cannot be successfully verified, preventing the installation from continuing.
Note: This is usually not an issue if Windows Updates are automatically allowed.
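Because the installer's signature is what fails when the chain is not trusted, the quickest way to tell a trust problem from a revocation-check problem is to validate the installer's Authenticode signature yourself and inspect the chain status. The following is an added example (not Citrix's tooling); the installer path is a placeholder for the package downloaded from Citrix Cloud.

```powershell
# Added example: inspect the Cloud Connector installer's Authenticode signature and
# build the signing chain locally, with online revocation checking, to see which
# remediation step applies. The installer path is a placeholder.
$InstallerPath = 'C:\Temp\<cloud-connector-installer>.exe'    # placeholder

function Test-InstallerSignature {
    param([string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File          = $Path
        Status        = $sig.Status       # Valid, NotSigned, HashMismatch, UnknownError (chain/trust), ...
        Signer        = $sig.SignerCertificate.Subject
        Issuer        = $sig.SignerCertificate.Issuer
        ChainProblems = @()
        ChainElements = @()
    }

    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Same posture the installer relies on: revocation checked online for the entire chain.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($sig.SignerCertificate)

        # Map each chain status to the fix described earlier:
        #   UntrustedRoot / PartialChain             -> root or intermediate missing from the LocalMachine store
        #   RevocationStatusUnknown / OfflineRevocation -> port 80 to the CRL/OCSP hosts is blocked
        $result.ChainProblems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        $result.ChainElements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }

    [pscustomobject]$result
}

Test-InstallerSignature -Path $InstallerPath | Format-List
```

A Status of Valid with an empty ChainProblems list means both the trust store and the revocation path are in order, and an installer that still fails has a different cause. UnknownError with UntrustedRoot or PartialChain points at the certificate installation steps above; RevocationStatusUnknown or OfflineRevocation points at the port 80 connectivity requirement.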