← Back to Portfolio

🔄 VDI Migration · Project Report

Citrix DaaS Environment Migration & Azure Landing Zone Re-Architecture

Full-stack Citrix DaaS platform migration aligned with Azure Landing Zone best practices, including configuration export, infrastructure provisioning, image migration, and phased user onboarding.

Client: Enterprise Healthcare (Clean Harbors) Scope: 10,000+ Users Duration: Multi-Phase Program Status: ✅ Delivered Author: Zaid Albaker
Azure Citrix DaaS Bicep PowerShell Landing Zones VDI Migration Automation Hub-Spoke FSLogix FAS

Executive Summary

Project Overview

This project delivered a complete Citrix DaaS environment migration and platform re-architecture for a large enterprise healthcare organization. The existing Citrix infrastructure was deployed in a legacy Azure environment with no structured landing zone, inconsistent networking, and manual provisioning workflows.

The migration program re-established the entire Citrix DaaS platform on a new Azure Landing Zone foundation — including Hub-Spoke networking, identity integration, policy governance, and modular Infrastructure-as-Code pipelines. All production workloads were migrated with zero unplanned downtime.

10K+
Users Migrated
50+
App Catalogs
70%
Deploy Time Reduction
0
Unplanned Outages
4
Migration Phases
100%
IaC Coverage

Problem Statement

Challenges & Business Drivers

Legacy Environment Pain Points

  • Citrix DaaS deployed in an unstructured Azure environment with no formal Landing Zone
  • Flat networking with no Hub-Spoke segregation, creating security and compliance risk
  • Manual golden image builds with no automation or version control
  • Citrix Cloud Connectors and FAS servers provisioned ad hoc with no IaC
  • No consistent Azure Policy enforcement — resources drifting from security baseline
  • Multiple overlapping VDI pools with no lifecycle management process
  • FSLogix profiles stored on legacy file servers without Azure Files integration

Business Objectives

  • Migrate all Citrix DaaS workloads to a secure, governed Azure Landing Zone
  • Eliminate manual provisioning with full IaC coverage (Bicep + PowerShell)
  • Enable rapid, repeatable golden image deployments via automation pipelines
  • Improve security posture with Azure Policy, RBAC, and network segmentation
  • Zero unplanned downtime during the migration program

Architecture

Target State Architecture Diagram

Citrix DaaS — Azure Landing Zone Target Architecture Hub-Spoke · Citrix DaaS · IaC · FSLogix · FAS · Azure AD ON-PREMISES 👤 End Users Thin / BYOD / VDI 🏢 AD DS On-Prem Domain ⚠️ Legacy VDI Maintenance Mode 🔗 ExpressRoute / VPN Gateway HUB VNET 🌐 Gateway Subnet VPN / ExpressRoute GW 🔥 Azure Firewall Central Egress + Inspection 🛡️ Azure Bastion Secure Admin Access 📡 Private DNS Azure Private DNS Zones 🔑 Entra ID Connect Hybrid Identity Sync 📊 Log Analytics Monitoring + Diagnostics 📋 Azure Policy Governance + Compliance CITRIX DAAS SPOKE ☁️ Citrix Cloud Connectors Bicep-provisioned · HA Pair · Auto-registered ✦ VNet Peered to Hub 🔐 FAS Servers Federated Auth Service ⚙️ WEM Agents Workspace Env Manager 🖥️ VDA Machine Catalogs Windows 10/11 Multi-Session ✦ Golden Image · PowerShell Automation 📦 Delivery Groups 50+ App Catalogs · 10,000+ Users Access Policies · Tags · Priority Groups 💾 FSLogix Profile Containers Azure Files 🆔 Hybrid Join Azure AD + ADDS SSO / Conditional Access 🔒 NSG + Route Tables Forced Tunnel → Hub Firewall · Micro-segmentation ⚙️ IaC: Bicep + PowerShell Modular · Versioned · CI/CD Pipeline SHARED SERVICES 📁 Azure Files FSLogix VHD Storage · SMB 🔑 Key Vault Secrets · Certs · Disk Keys 🗄️ Storage Account Diag Logs · Boot Diag 🛡️ Defender for Cloud Security Score · Alerts CITRIX CLOUD (Control Plane - SaaS) DaaS Console Catalog / Group Management Citrix Analytics Performance + Security Workspace Experience StoreFront / Gateway Peer VNet Peer User Session (ICA/HDX) LEGEND New Azure Infrastructure Hub-Spoke Networking Legacy / Decommission Path Citrix Cloud Control Shared Services Spoke IaC / Automation Layer

Figure 1 — Target State: Citrix DaaS on Azure Landing Zone (Hub-Spoke Architecture)

Delivery Approach

Migration Phases

Phase Name Activities Status
1 Discovery & Export Inventory legacy Citrix environment. Built modular PowerShell export framework to capture all machine catalogs, delivery groups, policies, connectors, and application configurations. Documented existing networking topology and identity dependencies. ✅ Complete
2 Landing Zone Foundation Deployed Hub-Spoke VNet topology using Bicep modules. Configured Azure Firewall, Bastion, Private DNS, NSGs, route tables, and Azure Policy assignments. Established identity integration via Entra ID Connect. Configured Log Analytics workspace and Defender for Cloud. ✅ Complete
3 Citrix Platform Build Provisioned Citrix Cloud Connectors (HA pair) via Bicep + PowerShell. Deployed FAS servers for federated authentication. Built new golden image using automated factory pipeline. Configured FSLogix profile containers on Azure Files. Registered connectors with Citrix Cloud and validated connectivity. ✅ Complete
4 Phased User Migration Created new machine catalogs and delivery groups mirroring the legacy environment. Executed phased user onboarding (pilot → department groups → full production). Legacy VDIs placed into maintenance mode progressively. Post-migration validation, FSLogix profile verification, and performance baseline captured. ✅ Complete

Technical Details

Solution Components

Azure Landing Zone — Hub-Spoke Foundation

  • Hub VNet with Azure Firewall for centralized egress and traffic inspection
  • Azure Bastion for secure, RDP-free administrative access
  • Private DNS zones for internal name resolution across spokes
  • Entra ID Connect for hybrid identity synchronization
  • Azure Policy initiative for Citrix DaaS compliance baseline
  • Log Analytics workspace integrated with all resources for unified monitoring

Citrix DaaS Platform — New Deployment

  • Citrix Cloud Connectors deployed as HA pair via Bicep, auto-registered to Citrix Cloud tenant
  • FAS (Federated Authentication Service) servers for seamless SSO and certificate-based authentication
  • WEM (Workspace Environment Manager) agents deployed across all VDA pools
  • Machine catalogs created from golden image with PowerShell provisioning automation
  • Delivery groups recreated with matching access policies, tags, and priority groups
  • 50+ application catalogs migrated and validated pre-cutover

Automation & IaC Framework

  • Bicep modules for: VNet/Subnets, NSGs, VMs, Storage Accounts, Key Vault, Log Analytics
  • PowerShell export framework: full Citrix configuration capture to JSON/CSV
  • Golden image automation: snapshot → Sysprep → catalog update pipeline
  • CI/CD pipeline for automated Bicep deployments with parameter files per environment
  • Post-deployment validation scripts for connector health, FSLogix, and session testing

Migration Flow

Legacy → Target State Migration Flow

PHASE 1 Discovery & Export PowerShell Export Framework Catalog · Groups Policies · Apps ✅ Complete PHASE 2 LZ Foundation Hub-Spoke · Firewall Policy · Bastion Identity · DNS Monitoring ✅ Complete PHASE 3 Platform Build Connectors · FAS Golden Image FSLogix · WEM Catalog Build ✅ Complete PHASE 4 Phased User Migration Pilot Group → Dept Rollout Legacy VDI → Maintenance Mode Full Production Cutover Post-migration Validation ✅ Complete · 0 Outages Week 1-2 Week 3-5 Week 6-9 Week 10 → Production

Figure 2 — Four-Phase Migration Timeline & Delivery Sequence

Results

Outcomes & Business Value

Delivered Results

  • 10,000+ users migrated to the new Citrix DaaS platform with zero unplanned downtime
  • 50+ application catalogs validated and published to delivery groups
  • 70% reduction in golden image deployment time through automation
  • 100% IaC coverage — all infrastructure defined and repeatable via Bicep + PowerShell
  • Azure Policy compliance baseline enforced across all Citrix resources from day one
  • FSLogix profiles migrated to Azure Files with ADDS Kerberos authentication (AES-256)
  • FAS federated authentication enabled seamless SSO across the new platform
  • Legacy VDI environment fully decommissioned after phased cutover validation

Technology Stack

Tools & Technologies

Azure Services

VNet · Firewall · Bastion · Azure Files · Key Vault · Log Analytics · Policy · Defender for Cloud · Entra ID

Citrix Platform

Citrix DaaS · Cloud Connectors · FAS · WEM · Machine Catalogs · Delivery Groups · StoreFront

IaC & Automation

Bicep · PowerShell · Azure CLI · CI/CD Pipelines · Parameter Files · Validation Scripts

Identity & Security

Entra ID · ADDS · FSLogix · Conditional Access · NSG · Route Tables · RBAC