Desktop as a Service – Design Decisions

Helpdesk, Self-Service, Billing and Account Management

Session Layer

  • Microsoft RDP
    • This is a very cost-effective option with a lot of feature restrictions.
  • Citrix ICA
    • This is a fully featured option. While it is more expensive, the support issues that come with a pure RDP option add cost over time, and for anything other than the most basic 10-person organisation it becomes a burden.

Flexcast Model

  • Hosted shared non-persistent


Infrastructure Layer

  • Build own Server Rack
    • This is much too cumbersome to build; a single server can be used for PoC and Testing/Dev.
  • AWS
    • Runs into Microsoft licensing issues on AWS, but it has better advanced networking features.
  • Azure
    • As Microsoft is the core product for Windows Desktop, this is the ideal choice.
  • VMware based IaaS


Use DaaS Platforms

  • Citrix Workspaces
    • Can use this layer for the VPN / Dashboard access.
  • VMware Horizon DaaS
    • Too restrictive; when a complex customer requirement arises, this model won't allow for it.
  • 3rd Party DaaS providers
    • No way; I want complete ownership and flexibility, and to cut out any middlemen.


Session Isolation and Architecture

  • Shared Delivery Group/Shared Delivery Site isolation.
    • The Shared Delivery Group/Shared Delivery Site isolation model shares Delivery Groups for application and desktop workers between the smallest tenants within the same shared delivery site. This model presents the lowest cost of service delivery to the CSP (and, as should follow, to the tenants) with the least security. (Other types: Private Delivery Site isolation; Private Delivery Group/Shared Delivery Site isolation.)


Solution Result

  • Use Azure to increase End-to-End Partnership with Microsoft.
  • Utilise Microsoft products as much as possible and fully managed
  • Use Citrix Workspace for entry / Dashboard access.


Network Design/Security Groups and vLANS

  • DMZ
    • Internet facing (SSL, port 443 only)
    • First hop (Firewall/NetScaler/VPN/Proxy)
    • Second hop (WebServer/Proxy)
    • Firewall to Internal
  • Shared Session Servers vLAN
  • Isolated Private Tenant AD, Site and Network
    • Private AD
    • Private SL
    • Private Exchange
    • Private AppServers
    • Private File Servers
    • Private SharePoint
    • Azure AD Connect
  • Application vLAN
  • Management vLAN
    • Active Directory
    • ADFS
    • Azure AD
    • DNS/DHCP
    • CERTs
    • SQL
    • CloudPortal Services Manager
    • XenDesktopControllers
    • StoreFront Servers
    • License Servers
    • NTP Server
    • ITSM Server
      • ConnectWise
      • ManageEngine
      • Chat/Ticket
    • Security Applications
  • Storage vLAN

Citrix Cloud

Network Connectivity

  • Private Direct Links and VMware SD-WAN or NetScaler SD-WAN (whichever has NTU)

Active Directory OU Design

  • CPSM
    • CSM_MGTM
    • Tenant1(T)
    • Tenant2(2)

Office 365

  • Advanced Features
    • Enhance Security
    • Backup
    • Archival
    • Largefile

Azure Components


Azure Automation Build


Azure CSP, MSPLA and CSP licensing Options

  • Microsoft Server VM
    • Azure Subscription per user/per month
  • Microsoft RDS
    • Azure Subscription per user/per month
    • BYO RDS MSPLA Server (invisible)
  • Azure Citrix XenApp Essentials
    • BYO/CSP (invisible)
    • Azure Subscription per user/per month
    • Cost Comparison
      • $12.00 USD per user/month, NetScaler Gateway Service, 1 GB data transfer per user per month, 25 minimum users per month.
      • $6.25 USD RDS
      • Exchange rate: 1 USD = 1.33816 AUD
      • Total $456.25 USD / $610.53 AUD


      • Breakdown:
        • Citrix XenApp Base 9.21
        • NetScaler Gateway 2.86
        • RDS 7.38
        • Citrix VM 1.59
        • RDS 1.59
        • NetScaler Gateway 1.59
  • Citrix NetScaler
    • BYO/CSP (invisible)
    • Azure Subscription per user/per month
    • Cost Comparison
  • Due to the minimum required spend of $610.53 per month this is not the ideal option to start with. It is also a service and so not configurable, so go BYO for everything.

Citrix Profile Management and Folder re-direction Configuration

  1. Folder Re-Direction Group Policy
  2. Exclude Policy
  3. Citrix UPM Install and Configuration
    1. Sync “AppData\Local\Microsoft\Windows\UsrClass.dat”



HowTo: Design a Secure Windows 2012 R2 Standard Operating Environment (SOE)

It doesn't matter the size of your organisation or the compliance posture that it must adhere to. Every device on the network should be hardened and maintained. I worked for one of the largest IT companies in the world and it was the only company that had proper Windows Operating System hardening and Security Compliance Management. I also worked for a very large bank and the Security Team, numbering 50+, just didn't understand how to develop a proper baseline for Security Compliance and copy and pasted information from another IT Vendor! What I am trying to say is: there are different levels of Security Experts.

So here is a basic overview of how to create a Secure Windows 2012 R2 SOE. This method can be applied to any supported OS.
Firstly, understand your security posture requirements. I have listed a few here:

It is also important to understand the SANS Critical Controls and Defeating Kill Chains.

This course is also a good starting point: SEC505: Securing Windows with the Critical Security Controls.

Understand the Critical Security Controls –

Security Standards

These are the core Security Standards and vital information for Windows hardening:

The above websites and tools can be used to develop the required baseline for your environments. The Microsoft Security Compliance Manager is the starting point for this process: you can use it to understand all the settings and then export them into a Group Policy that can be used to harden the Operating System. Once you have a policy set up, you need to maintain that posture using Desired State management and Continuous Monitoring.

Desired State

Security Scanners

Once you have the base policy using the above methods, you need to run two types of scanners on your base OS. The first is a security scanner run against your OS, making adjustments as required. The other one I recommend is a tool to check and update all the software on the base OS image. The key tool to use is Nessus, which can be configured to scan and alert on items for PCI compliance, etc.

The following three tools are required to create a solid secure SOE. These tools are NIST Security Content Automation Protocol (SCAP 1.2) validated tools:

** You cannot create a secure hardened OS without a security scanner.

Implement OS Encryption

Implement BitLocker


Install Microsoft Enhanced Mitigation Experience Toolkit
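As an added example (not from the original post), here is a PowerShell DSC configuration for the Desired State step above: it pins two illustrative hardening registry values, standing in for the settings you would export from Security Compliance Manager, and reports drift when BitLocker is not protecting the OS drive. It assumes WMF 5.x, the BitLocker PowerShell module, and a TPM for the Enable-BitLocker fallback.

```powershell
# Added example, not code from the original post. The two registry values are
# illustrative; take the real set from the SCM baseline exported to Group Policy.
Configuration SoeBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # Illustrative setting 1: send NTLMv2 only, refuse LM and NTLM (LmCompatibilityLevel = 5)
        Registry LmCompatibilityLevel {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'LmCompatibilityLevel'
            ValueType = 'Dword'
            ValueData = '5'
            Ensure    = 'Present'
        }

        # Illustrative setting 2: disable the SMBv1 server component
        Registry DisableSmb1Server {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }

        # BitLocker on the OS drive: TestScript reports drift; SetScript enables it
        # (assumption: a TPM is present, so a TPM protector is used)
        Script BitLockerOsDrive {
            GetScript  = {
                $v = Get-BitLockerVolume -MountPoint $env:SystemDrive
                @{ Result = "ProtectionStatus=$($v.ProtectionStatus)" }
            }
            TestScript = {
                (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On'
            }
            SetScript  = {
                Enable-BitLocker -MountPoint $env:SystemDrive -TpmProtector `
                    -EncryptionMethod Aes256 -SkipHardwareTest
            }
        }
    }
}

# Compile the MOF, apply it, then report any remaining drift
$mofPath = Join-Path $env:TEMP 'SoeBaseline'
SoeBaseline -OutputPath $mofPath | Out-Null
Start-DscConfiguration -Path $mofPath -Wait -Verbose
Test-DscConfiguration -Detailed
```

Re-running Test-DscConfiguration on a schedule is the Continuous Monitoring half of the step: any resource reporting false is a setting that has drifted from the baseline.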

Here is a link to my own SOE settings –


Complexity of Application Presentation/Streaming and Distribution

I wanted to highlight and explain the complexity of designing Application Deployment and Management for  Windows Desktops and VDI environments in a single diagram.


(oops, I mean Microsoft 🙂)

Update 02/04/16 Adding a few Application Deployment Options

  • Click Once Applications
  • Container Applications (AppZero)
  • Application Layer (e.g. Citrix AppDisk.)

There are so many options for Application Deployment; they are all very complex and architecturally different, and each affects the user's interaction with the application.

You can also combine these application deployment and management technologies, for example Citrix XenApp + App-V + SCCM.

The core problem is usability: when you design such complex solutions it is almost impossible to guarantee the same level of usability as a locally installed application, which is what the end user expects (examples of usability: copy/paste, print, content sharing, etc.).

Combining this with the complexity of User State and profile management options, it is no wonder many VDI projects fail and cause major frustrations for end users.

The key is to provide the same user functionality as locally installed application when using different technologies to deliver and manage applications and user environments. (Click here to find out how to solve this problem.)

Overview of Application Deployment and Management options

  • Citrix XenApp Published Application (HDX Stream) + FlexCast Models
  • Citrix VDI-in-a-BOX
  • VMware ThinApp
  • Microsoft RemoteApp (RDS Stream)
  • App-V Application
  • App-V and SCCM (App-V Local Interaction feature, Virtual Environment and Connection Groups)
  • Application Deployment (Kace, LanDesk, Altris, SCCM)
  • Locally Installed Application

[Update 07.11.2014] – I saw information on Cloudvolumes.com when it was released, but they didn't release any information until VMware acquired them. I think this is the future of Application Deployment: VMware AppVolumes. This can essentially solve this complexity, although how it handles upgrades, conflicts, etc. needs to be tested. I can't wait for Microsoft to come up with a similar solution.

Since writing this article and doing some more research, VMware AppVolumes and UniDesk could solve the problem of delivering applications and maintaining Microsoft and application updates.


User State Profile Management

  • Microsoft UE-V
  • Citrix Profile Management
  • AppSense Profile Management
  • MANProfiles, FlexKit, Folder Re-Direction,etc
  • Citrix Personal vDisk

User/Application Interactions

  • Copy/Paste
  • Print
  • Application Content Sharing
  • mailto: and hyperlinks,etc
  • File Sharing
  • Application Plug-ins

FlexCast Models

  1. Hosted VDI- Assigned VDI Server OS (Windows Experience) (Persistent)
  2. Hosted Shared – Pooled VDI Server OS (Windows Experience) (Non-persistent)
  3. Streamed Desktops
  4. Hosted Blade PCs (VDI)
  5. Hosted VM-Based Desktops (VDI)
  6. Shared Published Desktop
  7. Remote PC

and of course Persistent vs Non-Persistent Desktops, Pooled vs Static, etc. add to the complication; that is another topic.

I thought this was a relevant diagram on the subject.


Be careful Will Robinson, most Citrix pre-sales gurus don't understand this complexity. (yeah, you!)

But don't worry, I am building a DaaS platform to solve all of this.

Alternative Application Deployment options in order of preference:-

  1. UniDesk
  2. Microsoft App-V
  3. AppZero
  4. FsLogix
  5. VMware AppVolumes
  6. Microsoft Docker (Beta only)
  7. VMware ThinApp
  8. AppDNA

Organizations with growing VDI environments find the tools used to deliver applications and updates to physical computers create significant issues when used for VDI. This research compares alternative approaches to software delivery to help organizations make the best choice for their environment.

So, now that we understand the issues, how do we solve the problem? Here is some technology that is absolutely required for any VDI deployment.

DaaS Build Phase

  1. Setup ProLiant Server
  2. Install XenServer
    1. Setup XenServer GUI Appliance and configure it to autostart
    2. Setup an Autostart vApp
       Create an autostart vApp and add the VMs to it, then run the following on the XenServer host:
         # get the uuid of the vApp
         xe appliance-list name-label="autostart"
         # start the vApp at boot by appending to rc.local (uuid from the command above)
         echo "xe appliance-start uuid=869aabc7-5b30-b0bf-79cf-ca5acbb162be" >> /etc/rc.local
         # mark an individual VM for auto power-on
         xe vm-param-set uuid=29025d12-5148-9ed3-9e21-78c1fc35a44a other-config:auto_poweron=true

  3. Create Windows 2012 R2 DataCenter Template
  4. Install DC
  5. Install Management Server
  6. Install SQL Server in HA
  7. Install KMS and activate
    1. Install Windows Activation Tool –
  8. Install Citrix Server
  9. Install Citrix License Server
  10. Install RDS Licenses
    1. Install RDS License Role
    2. Run RD Licensing Manager
    3. Activate Server Wizard
    4. Install Licenses / Service Provider License Agreement / Windows 2012 / RDS Per User CAL /
    5. Use Corporate Enrolment Number
    6. Setup RDS License GPO – Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing

  11. Install SQL Server 2012
  12. Build SCCM
    1. ConfigMgr 2012 R2 Prerequisites Installation Tool 1.3.0 –
    2. Install SQL Server 2012 SP2 on the same server as SCCM, as SQL is free. SQLConfiguration.ini
    3. Pre-requisites
      1. Server accounts must be in the local Administrators group
      2. Create a SQLAdmin group and add it as the SQL administrators
    4. Check pre-requisites – start \E:\SMSSETUP\BIN\X64\prereqchk.exe /LOCAL
    5. Test schema extension – .\ADSchemaExtensionConflictAnalyzer.ps1 -inputfile E:\SMSSETUP\BIN\X64\ConfigMgr_ad_schema.ldf -outputfile results.ldf
    6. Install WSUS via Windows Features
    7. Extend Schema *.ldf / \SMSSETUP\BIN\X64\extadsch.exe
    8. Once the AD schema has been extended, AD must be configured to allow each ConfigMgr Site the security rights to publish in each of its domains.
    9. Create the System Management container and give the SCCM computer object full permissions
      1. DSA.msc
      2. View > Advanced Features
      3. Create a new container under System called System Management
      4. Create a group, add all SCCM computer names to it, and give it Full Permissions on this container
      5. Select Advanced, select this group, Edit, and Allow / This object and all descendant objects (Select All)
    10. Server Roles
      1. .NET Framework 4.0
      2. Windows Server Features:
      3. .NET Framework 3.5.1 Features
      4. .NET Framework 3.5.1
      5. Background Intelligent Transfer Service (BITS)
      6. Add Required Role Services
      7. Remote Differential Compression
      8. Windows Role Services
      9. Web Server
      10. Common HTTP Features
      11. WebDAV Publishing
      12. Application Development
      13. ASP.NET
      14. “Add Required Role Services”
      15. ASP
      16. Security
      17. Windows Authentication
      18. Management Tools
      19. IIS 6 WMI Compatibility
    11. Install Remote Differential Compression – Install-WindowsFeature RDC
    12. Change the SQL Server (MSSQLSERVER) service logon to the domain service account
    13. Install BITS – Install-WindowsFeature BITS
    14. Create a firewall Group Policy and allow inbound rules for SQL replication ports 1433 and 4022
    15. Install Windows ADK for Windows 8.1 –
    16. NOT installed – In Server Manager select Features, Add Features, select .NET Framework 3.5, also select WCF Activation and when prompted answer Add Required Role Services, click Next and Next again. (Make sure the BITS and IIS services are running/restart after install.)
    17. Not installed – Set SQL Server Properties/General/Server Collation/SQL_Latin1_General_CP1_CI_AS
    18. Not installed – Enable BITS –
    19. Download prerequisites – SMSSETUP\BIN\X64\SetupDL.exe <target dir>
    20. Add the SCCM server domain computer account to the local Administrators group of the SQL Server
    21. Setup SQL Properties/Memory/ 50% of the maximum memory and set MIN and MAX to the same (static) value
    22. Add IIS 6 Management Compatibility role
    23. IIS Configuration
      1. IIS \ Server \ Authentication \ Windows Authentication – Enable
      2. IIS \ Sites \ Default Web Site \ Add Authoring Rule – All content | All Users | Read | Local
      3. IIS \ Sites \ Default Web Site \ WebDAV Settings ????
    24. Reporting Services Configuration ???
    25. Change Server Collation to SQL_Latin1_General_CP1_CI_AS (run CMD as Administrator)
      1. Reattach existing database
    26. Reference:
    27. Checklist for Required Post Setup Configuration Tasks
      1. Checklist for Required Post Setup Configuration Tasks –
      2. Configure Sites and the Hierarchy in Configuration Manager –
      3. System Center Updates Publisher 2011 – Install –
      4. Clients for Additional OS –
      5. Install SP1
      6. Install App-V Integration and Clients
      7. Install Update Publisher
      8. Install WSUS
      9. Setup download schedule
      10. Desired Configuration Management (DCM)
      11. OSD + Integration with the Microsoft Deployment Toolkit (MDT)
      12. Configure Application Packages
      13. Tools
        1. Install Right Click Tools
        2. Client Center for Configuration Manager –
        3. Install System Center 2012 R2 Configuration Manager Toolkit –
        4. Install System Center 2012 Configuration Manager Support Center –
        5. Configuration Manager Trace Log Tool
        6. Install System Center Dashboard –
          1. Microsoft SQL Report Builder –
  13. Install App-V Standalone
    1. Setup Citrix Integration
    2. Components
      1. App-V Report Server
        1. Run the installer and install Reporting Services on the SQL Server.
      2. App-V Management Server
        1. Download the software: Microsoft Desktop Optimisation Pack – E:\App-V\Installers\5.0\Server
        2. Prerequisites –
        3. Install Silverlight on the Management Server
        4. Install the Web Server (IIS) role on the Management Server
        5. Install the Application Server role and .NET 3.5
      3. App-V Sequencer Server
      4. SQL Server
      5. Client
  14. Build App-V and App-V Sequencer
    1. Install App-V Remote Application Packager –
  15. Build XenApp RDS Host Template Server
  16. Configure KMS licenses for RDS and OSs
    1. Install Volume Activation Management Tool –
    2. Activate
    3. Setup DNS for KMS
  17. Configure Citrix License Server + Citrix Licenses
  18. Setup a Windows 8.1 and Windows 2012 OSD
    1. Setup an isolated PXE boot environment and DHCP config –
  19. MED-V
  20. MDOP
  21. Microsoft Assessment and Deployment Kit –
  22. Citrix Profile Server
  23. Setup IPAM
  24. Test Federated Access
  25. Monitoring
    1. Setup Puppet Server
    2. Setup Nessus
    3. Setup Splunk Server
    4. Setup Wireshark
    5. OpenVMS
    6. Snort
    7. HP Insight Manager for Linux –
    8. HP Version Control Repository Manager (VCRM)
    9. HP Service Pack for ProLiant (SPP) Version 2014.02.0 –
    10. HP Supplement –
    11. ManageEngine Free Monitoring –
    12. Install Microsoft Best Practice Analyser
    13. Install Microsoft Software Inventory Analyser (MSIA) and Asset Inventory Service
    14. Microsoft Baseline Security Analyser
    15. Citrix License Reporting Tool
    16. Deploy Remote Server Administration Tools on Management Server
    17. Install Windows PowerShell Web Access on Management Server
    18. Windows Assessment Services
    19. Best Practice Analysers
  26. XenServer Backup –
  27. PKI Infrastructure
  28. XenServer Orchestra –
  29. GPO Configurations
    1. Windows Defender and Active Protection Services –
    2. Configure Desktop Experience in Windows Server 2012 R2
  30. Setup PVS Server
    1. Configure BSMh
  31. Setup Sophos Virus Protection
    1. Update exclusions for Citrix, SQL, Clustering
    2. Install Microsoft Malicious Software Removal Tool –
    3. Microsoft Safety Scanner –
  32. Setup Management Server
    1. Windows Server Essentials Experience
    2. User Access Logging
    3. Windows Inventory Logging
    4. Windows System Resource Manager
    5. Configure Print Servers
    6. Application Server
    7. Setup Desktop Template
  33. Windows Desktop Experience Configuration
    1. Adds the Desktop Experience and XPS Viewer features to the Windows server configuration
    2. Moves the Citrix folder items in the Start menu to the Administrative Tools folder (including the Citrix AppCenter)
    3. Creates a new Windows Theme file and sets the default wallpaper
    4. Starts the Windows Themes service and configures it to start automatically
  34. Configure Citrix CloudPortal and vWorkspaces
    1. Billing System
    2. Self-Service Website
    3. ManageEngine Self-Service
  35. Setup Puppet and Desired State Manager
    1. Setup Desired State Pull/Push –
  36. Active Directory
    1. Enable Active Directory Recycle Bin
    2. Setup GPO Backup and System State
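As an added example (not from the original post), here is a PowerShell pre-flight check for the SCCM prerequisites listed under the Build SCCM step above: the Windows roles and features, the site server's computer account in the local Administrators group of the SQL Server, the SQL_Latin1_General_CP1_CI_AS collation, static min/max SQL memory, and the inbound rule for replication ports 1433 and 4022. It assumes an elevated session on the SQL/SCCM server, WMF 5.1 for Get-LocalGroupMember, and a placeholder computer account CONTOSO\SCCM01$; the firewall rule is created locally only with -CreateFirewallRule (the post does it via Group Policy).

```powershell
# Added example, not code from the original post. Read-only except for the optional firewall rule.
param(
    [string]$SiteServerAccount = 'CONTOSO\SCCM01$',   # placeholder: the SCCM site server computer account
    [string]$SqlInstance       = 'localhost',
    [switch]$CreateFirewallRule
)

$results = [ordered]@{}

# 1. Roles and features from the Server Roles list (Windows Server feature names)
$required = 'NET-Framework-Core','NET-Framework-45-Core','BITS','RDC','UpdateServices',
            'Web-Server','Web-WebDAV','Web-Asp-Net','Web-ASP','Web-Windows-Auth',
            'Web-Mgmt-Compat','Web-WMI'
$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed } |
           Select-Object -ExpandProperty Name
$results['MissingFeatures'] = if ($missing) { $missing -join ', ' } else { 'none' }

# 2. The site server's domain computer account must be a local Administrator on the SQL Server
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$results['SiteServerIsLocalAdmin'] = $admins -contains $SiteServerAccount

# 3. SQL collation and memory settings, via SqlClient so no SqlServer module is needed
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlInstance;Database=master;Integrated Security=True")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation'))"
$results['Collation']   = [string]$cmd.ExecuteScalar()
$results['CollationOk'] = $results['Collation'] -eq 'SQL_Latin1_General_CP1_CI_AS'

$cmd.CommandText = "SELECT name, CONVERT(int, value_in_use) FROM sys.configurations " +
                   "WHERE name IN ('min server memory (MB)', 'max server memory (MB)')"
$reader = $cmd.ExecuteReader()
$mem = @{}
while ($reader.Read()) { $mem[$reader.GetString(0)] = $reader.GetInt32(1) }
$reader.Close(); $conn.Close()
# MIN and MAX should be equal (static) and MAX must not be the 2 TB default
$results['SqlMemoryStatic'] = ($mem['min server memory (MB)'] -eq $mem['max server memory (MB)']) -and
                              ($mem['max server memory (MB)'] -lt 2147483647)

# 4. Inbound rule for SQL replication ports 1433 and 4022 (domain profile only)
$ruleName = 'SCCM SQL Replication (TCP 1433,4022)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule -and $CreateFirewallRule) {
    $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 1433,4022 -Action Allow -Profile Domain
}
$results['FirewallRulePresent'] = [bool]$rule

[pscustomobject]$results | Format-List
```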

Microsoft SPLA licensing for Windows 8

update –,microsoft-allows-per-user-volume-licensing-of-windows.aspx#ixzz3IG3TsLeT

This is a subject that comes up in almost all DaaS opportunities: can a Microsoft MSP provide the Windows 8 OS? The quick answer is NO. Microsoft MSP/SPLA licensing only covers Windows SERVER operating systems. (I won't go into all the different FlexCast models here and will stick with providing a dedicated OS for users.)

However, there is a way a Microsoft MSP can provide Windows 8. Here is a quick guide:

  1. Customer and Microsoft MSP must sign up for License Mobility through Software Assurance. Volume Licensing customers can license their server applications on-premises and in the cloud on a qualified service provider's shared hardware environment for specific applications.
  2. Customer must purchase all Windows 8 OS licenses.
  3. Customer must purchase all Virtual Desktop Access licenses (if the client devices aren't PCs covered by Software Assurance).
    • Windows Virtual Desktop Access (VDA) is an authorization strategy that requires each device seeking access to a Windows virtual desktop in a virtual desktop infrastructure (VDI) to be licensed.
    • Windows Virtual Desktop Access (Windows VDA): A standard benefit of Software Assurance and a stand-alone subscription-based license which allows roaming access to Windows virtual machines (VMs) from thin clients, third party, and non-Windows-based devices.
    • The goal of Windows Virtual Desktop Access is to simplify licensing requirements in a virtual environment by licensing the devices that seek access to virtual desktops, instead of licensing the virtual desktops themselves.
    • Because VDA is included as a feature of Software Assurance (SA), primary users of devices covered by SA can access their virtual desktops at no extra charge. Microsoft defines a primary user as someone who has used the computing device for more than 50% of the time in a 90 day period.
    • If the user wishes to access a Microsoft VDI from a device that is not covered by Software Assurance, however, a separate Windows VDA license is required. Such devices include thin clients, zero clients and third-party devices such as contractor-owned PCs. As of this writing, a separate VDA license costs $100 per year, per device.
    • Licensing_Windows_Desktop_OS_for_Virtual_Machines
    • Providing Microsoft Desktop as a Service licensing guide
    • More info :-
  4. Transfer these licenses to the Service Provider: [Detailed steps]
  5. The Microsoft MSP must provide the Windows 8 OS on DEDICATED hardware, not on infrastructure shared with any other customer; that hardware cannot be used to provide any kind of service to any other customer of the service provider. Microsoft advise that the dedicated-hardware requirement applies to all of the hardware utilised to provide the solution to the customer: servers, storage and, presumably, switching infrastructure as well.
  6. Windows 8 Rental Rights cannot be used either, as Rental Rights do not allow remote access to software. Microsoft Rental Rights are a simple way for companies to rent, lease, or outsource desktop PCs with Windows desktop operating system and Microsoft Office licenses to third parties (such as Internet cafés, hotel and airport kiosks, business service centers, and office equipment leasing companies) through a one-time license transaction valid for the term of the underlying software license or life of the PC. Solidify your role as trusted advisor by helping your customers be in compliance, by using an additive license that fits their business model—without requiring special tools, processes, reporting, or paperwork.

Definition of Severity Levels

Severity definitions are intended to provide guidance on the correct assignment of severity levels in the event of an incident.



  • Sev 1 – The product, service or channel is unavailable or unusable with NO planned and agreed sustainable workaround.
    The problem may be directly impacting either:
    • External customers' ability to interact with the customer
    • The customer's ability to service its customers
    • The business unit's production workflow
    The product, service or channel must be classified as business critical (e.g. it needs to be available within 24 hours of a disaster).
  • Sev 2 – The product, service or channel is available, however functions are restricted or degraded.
    Significant exposure may exist. The business can continue to operate at a reduced capacity while the problem exists.
  • Sev 3 – The product, service or channel is available with no immediate impact to external or internal customers.
    An acceptable workaround is in place. The business can continue to operate at full or close to full capacity while the problem exists.

  1. CIO Override – a vulnerability that poses a serious threat to the Customer, is wormable (e.g. Sasser virus) and code is in the wild and available to hackers. 24/7 to put this on the environment.
  2. Critical – a vulnerability that poses a serious threat to , is typically wormable (e.g. Sasser virus), however code is not in the wild as yet. Normal business hours to deploy this on the environment.
  3. Important – a vulnerability that poses a threat to ; typically a vulnerability that needs to be initiated within and is local to the workstation. Normal business hours to deploy this on the environment.
  4. Moderate – a minor vulnerability that may pose a threat to . Usually patched to keep the platform current. This type of patch will only be deployed if is deploying other hot fixes, otherwise it is deployed in the next Enterprise release.