Our in house Citrix SD-WAN SME Simon has been working with the product team at Citrix, helping refine the new Citrix SD-WAN for Citrix Managed Desktops offering. He’s put together a great how to guide based on his experience but first, what’s the story behind Citrix SD-WAN for CMD?

Citrix Managed Desktops (CMD) is the simplest, fastest way to deliver Windows apps and desktops from Microsoft Azure. CMD offers cloud-based management, provisioning, and managed capacity for delivering virtual apps and desktops to any device.

Citrix SD-WAN for CMD makes it easy for CMD customers to benefit from Citrix SD-WAN and take advantage of the features that Citrix SD-WAN can provide such as connection reliability and Quality of Service (QoS)

The concept of Citrix SD-WAN for CMD is to add a Citrix SD-WAN VPX appliance in Azure in front of the CMD environment so customers with a Citrix SD-WAN network will see the new Citrix Managed Desktops as a Branch Site. This branch has resources that can now be accessed via the Citrix SD-WAN Overlay and users benefit from all the Citrix SD-WAN features listed below.

Citrix SD-WAN optimises all of the network connections needed by Citrix Managed Desktops. Working in concert with the HDX technologies, Citrix SD-WAN provides quality-of-service and connection reliability for ICA and out-of-band Citrix Managed Desktops traffic. Citrix SD-WAN supports the following network connections:

  • Multi-stream ICA connection between users and their virtual desktops
  • Internet access from the virtual desktop to web sites, SaaS apps, and other cloud properties
  • Access from the virtual desktop back to on-premises resources such as Active Directory, file servers, and database servers
  • Real-time/interactive traffic carried over RTP from the media engine in the Workspace app to cloud-hosted Unified Communications services such as Microsoft Teams.
  • Client-side fetching of videos from sites like YouTube and Vimeo

What is needed to implement?

First off, a Citrix Cloud Services Account with Citrix SD-WAN Orchestrator and Citrix Managed Desktops services.

Initial requirements

A working SD-WAN deployment with an MCN (Master Control Node), AD (Active Directory) and DNS (Domain Name System) server.

For this Tech preview I installed a Citrix SD-WAN device in Azure to be setup as my MCN and in the same resource group I configured a Windows Server 2016 with the AD and DNS roles enabled.

Note: this could be an MCN, AD and DNS server on premises

Using Citrix SD-WAN Orchestrator

I setup the Citrix SD-WAN appliance in Azure (Dublin in this case) as my MCN and added 2 sites, my home office Citrix SD-WAN 210 LTE in Cheshire and cloudDNA HQ Citrix SD-WAN 210 LTE just outside London

The MCN must have a DNS server configured pointing to the DNS server configured above.

For testing I also added two test users to the AD.

Phase 1:

On completion of the setup I then Launched Citrix Managed Desktops and ran through the tech preview setup to add a Network Connection from CMD to my Citrix SD-WAN deployment.

Select “Network Connections” 

Then Select “+Add”

Select Tech “Citrix SD-WAN” – note our version is the Tech Preview.

Select “Start Configuring SD-WAN”

Enter new site name, Select the region, Enter VDA subnet and SD-WAN Subnet, Select “Configure”.

On selecting Configure you are presented with the following:

The bar on the left will initially show RED while it creates the SD-WAN VPX.

When it shows Orange you then need to go into Orchestrator and you will see the new site. (In my case site called “cDNATestCMD”)

In Orchestrator you will then have to initiate the  “Verify > Stage > Activate” process to bring this new VPX into the configuration.

When you return to the Managed Desktops web page you will see the bar has now turned Green.

In Orchestrator the Citrix Managed Desktops site is now part of your SD-WAN Network. That’s it!

Log onto any branch device you will see the routes to the Managed Desktops subnet have propagated across the network.

Phase 2:

Now proceed the creation of the Managed Desktops Catalogue.


Select the Network Connection –

Select the newly created network connection in Phase 1.

  • Select the newly created network connection in Phase 1.
  • Enter appropriate data for the Active Directory.
  • Select Machine type and Image Master.
  • Enter appropriate name for the catalogue and select “Create Catalogue”.

When creation is complete (which can be some time) the new catalogue will be displayed:

Select the three dots on the right of the catalogue and you will be presented with the main catalogue edit options.

View the details and update master image.

Edit the VDA name and add published apps.

Add Users from the AD domain created earlier.

View the Machines available in the Catalogue.

Select the “hamburger menu” top left of the GUI and other Citrix Cloud options are available – select “Workspace Configuration”.

The URL to connect to the Workspace is found in the Access Tab and can be edited to allow you to enter a more readable URL than the one provided by default.

Entering the provided URL into a browser will allow you to authenticate and connect to the desktops or applications published from the Citrix Workspace.

Authentication will be to the AD server identified in earlier configuration.

At this time ALL apps and Desktops will launch via the “External Gateway” access to the CMD environment.

Phase 3:

Network Location Services

“Network Location Services” (NLS) requires configuration in order to redirect users connected to the Citrix SD-WAN network to their published desktops over the Citrix SD-WAN overlay rather than externally via the Citrix External Gateway.


The Network Location service allows internal users to bypass the external Citrix Gateway service and connect to the VDAs directly over the Citrix SD-WAN Overlay network.

To set up the Network Location service, you configure network locations that correspond to the VDAs in your environment using the Network Location service PowerShell module that Citrix provides. These network locations include the public IP ranges of the networks where your internal users will be connecting from.

When subscribers launch Virtual Apps and Desktops sessions from their workspace, Citrix Cloud detects whether subscribers are internal or external to the company network based on the public IP address of the network from which they’re connecting. If a subscriber connects from the internal network, Citrix Cloud routes the connection directly to the VDA, bypassing Citrix Gateway. If a subscriber connects externally, Citrix Cloud routes the subscriber through Citrix Gateway as expected and then redirects the subscriber to the VDA in the internal network.

Once configured Published Apps and Published Desktops can be seen to flow over the Citrix SD-WAN Virtual Paths rather than externally via the External Gateway.

Using Citrix Orchestrator it is possible to identify the HDX Traffic and the Multi Stream QoS applied to it, to optimise performance for the user at the remote site. 🙂

Here’s a screen shot from the Local Citrix SD-WAN 210 LTE device in “MyHomeOffice” appliance with HDX traffic (port 2598) traversing the network over Virtual Path.


If you would like to talk to us about any of the points raised or you have your own challenges that you’d like discuss, please call 0330 010 3443 or email hello@clouddnagroup.com.