Desktop as a Service – Design Decisions



Helpdesk, Self-Service, Billing and Account Management

Session Layer

  • Microsoft RDP
    • This is a very cost-effective option with a lot of feature restrictions.
  • Citrix ICA
    • This is a fully featured option. While it's more expensive, the issues faced with a pure RDP option will add to support costs over time, and a pure RDP option will become a burden for anything other than the most basic small 10-man organisations.

Flexcast Model

  • Hosted shared non-persistent


Infrastructure Layer

  • Build own Server Rack
    • This is much too cumbersome to build; a single server can be used for PoC and Testing/Dev.
  • AWS
    • Runs into Microsoft licensing issues on AWS, but has better advanced networking features.
  • Azure
    • As Microsoft is the core product for Windows Desktop, this is the ideal choice.
  • VMware based IaaS


Use DaaS Platforms

  • Citrix Workspaces
    • Can use this layer for the VPN / Dashboard access
  • VMware Horizon DaaS
    • Too restrictive; when a customer has a complex requirement, this model won't allow for it.
  • 3rd Party DaaS providers
    • No way, I want to have complete ownership and flexibility and to reduce any middlemen.


Session Isolation and Architecture

  • Shared Delivery Group/Shared Delivery site isolation.
    • The Shared Delivery Group/Shared Delivery Site isolation model uses shared Delivery Groups for application and desktop workers between the smallest tenants within the same shared Delivery Site. This model presents the lowest cost of service delivery to the CSP (and, as should follow, to the tenants) with the least security. (Other types: Private Delivery Site isolation; Private Delivery Group/Shared Delivery Site isolation.)


Solution Result

  • Use Azure to increase End-to-End Partnership with Microsoft.
  • Utilise Microsoft products as much as possible and fully managed
  • Use Citrix Workspace for entry / Dashboard access.


Network Design/Security Groups and vLANs

  • DMZ
    • Internet facing (SSL Port 443 only)
    • First hop (Firewall/NetScaler/VPN/Proxy)
    • Second hop (WebServer/Proxy)
    • Firewall to Internal
  • Shared Session Servers vLAN
  • Isolated Private Tenant AD, Site and Network
    • Private AD
    • Private SL
    • Private Exchange
    • Private AppServers
    • Private File Servers
    • Private SharePoint
    • Azure AD Connect
  • Application vLAN
  • Management vLAN
    • Active Directory
    • ADFS
    • Azure AD
    • DNS/DHCP
    • CERTs
    • SQL
    • CloudPortal Services Manager
    • XenDesktopControllers
    • StoreFront Servers
    • License Servers
    • NTP Server
    • ITSM Server
      • ConnectWise
      • ManageEngine
      • Chat/Ticket
    • Security Applications
  • Storage vLAN

Citrix Cloud

Network Connectivity

  • Private Direct Links and VMware SD-WAN or NetScaler SD-WAN (whichever has NTU)

Active Directory OU Design

  • CPSM
    • CSM_MGTM
    • Tenant1(T)
    • Tenant2(2)

Office 365

  • Advanced Features
    • Enhance Security
    • Backup
    • Archival
    • Largefile

Azure Components


Azure Automation Build


Azure CSP, MSPLA and CSP licensing Options

  • Microsoft Server VM
    • Azure Subscription per user/per month
  • Microsoft RDS
    • Azure Subscription per user/per month
    • BYO RDS MSPLA Server (invisible)
  • Azure Citrix XenApp Essentials
    • BYO/CSP (invisible)
    • Azure Subscription per user/per month
    • Cost Comparison
      • $12.00 USD per user/month, NetScaler Gateway Service, 1 GB data transfer per user per month, 25 users minimum per month.
      • $6.25 USD RDS
      • Exchange rate: 1 USD = 1.33816 AUD
      • Total $456.25 USD / $610.53 AUD


Citrix XenApp Base 9.21
NetScaler Gateway 2.86
RDS 7.38
Citrix VM 1.59
RDS 1.59
NetScaler Gateway 1.59
  • Citrix NetScaler
    • BYO/CSP (invisible)
    • Azure Subscription per user/per month
    • Cost Comparison
  • Due to the required minimum of $610.53 per month, this is not the ideal option to start with, and it's also a service, so it is not configurable. So all BYO.
