Create a Server OS image for Citrix DaaS on Amazon WorkSpaces Core
A guide to building your first license included Server OS base image for Citrix DaaS on Amazon WorkSpaces Core.
Justin Grego
Amazon Employee
Published Jan 24, 2025
Amazon WorkSpaces Core offers OS license included bundles powered by Windows Server 2019 and Windows Server 2022. This feature enables customers and partners to run multi-session VDI desktop and application publishing workloads on WorkSpaces Core desktops. Before you import a server OS based image into your Citrix DaaS environment and use it in a deployment, you have to first create a customized WorkSpaces image with the Citrix Virtual Delivery Agent (VDA) installed. This article will walk you through this process to get you up and running quickly.
At a high level, you will learn to perform the following steps:
- Deploy a Server OS Bring Your Own Protocol (BYOP) WorkSpace in your account.
- Use RDP to connect to that WorkSpace and at a minimum install the VDA.
- Create a custom WorkSpace image in your account.
- Import that image into the Citrix DaaS console for deployment.
This guide assumes that you have already completed the initial setup of Citrix DaaS with WorkSpaces Core, outlined in the Citrix product guide. This includes resource locations, connecting your AWS account, and creating a shared tenancy directory connection.
When using license included server OS WorkSpaces, you first begin with a base BYOP bundle. This first WorkSpace does not have the Citrix VDA or other software installed. Before you can import an image into the Citrix DaaS console, you must deploy a BYOP WorkSpace, install the VDA, and create a custom image within the WorkSpaces console.
- In the WorkSpaces console, under WorkSpaces, choose Personal.
- Choose Create WorkSpace.
- For Onboarding options, select I know what WorkSpace options I need for my use case.
- Choose Next.
- For WorkSpace type, ensure Personal is selected. Then choose Compare all bundles.
- For Filter protocol, select BYOP. This will show you the base bundles available for use with Amazon WorkSpaces Core.
- Select the radio button next to the operating system you wish to create the image for. Then choose Submit.
- For Running mode, select Always on. This is critical, as WorkSpaces Core does not support Auto stop WorkSpaces and will result in a console error. Core utilizes a different running mode for hourly billing, Manual mode, which is not exposed in the console.
- Choose Next.
- Select the WorkSpaces Personal directory to which this base WorkSpace is deployed. Since this is a Server OS, a shared tenancy directory is required.
- Search for and select the user account that this WorkSpace is deployed to.
- Choose Next.
- Do not enable encryption, as you cannot create an image from an encrypted WorkSpace.
- Choose Create WorkSpaces.
- You must now wait for the WorkSpace to show a Status of Available.
Since the WorkSpace was deployed from a BYOP bundle, there is currently no protocol installed on it other than the default RDP protocol available in Microsoft Windows. In order to access this WorkSpace, you will need the following:
- The Security Group attached to the WorkSpace's elastic network interface (ENI) in your VPC needs to allow inbound TCP port 3389.
- The Windows firewall within the WorkSpace should not block inbound RDP. Blocking can occur if a Group Policy Object (GPO) attached to the Organizational Unit (OU) the WorkSpace is in makes modifications to the Windows firewall.
- You will need a user account that is allowed to remote into the desktop and install applications. In many organizations this is typically deployed via local group permissions in Group Policy. You can also accomplish this by configuring the WorkSpaces directory to grant local administrator permissions to the user the WorkSpace is deployed to.
- You will need a route from your local machine (or another bastion host or jump box) to the WorkSpace's subnet. Alternatively, you can use your Citrix Cloud Connector instance as a jump box to RDP from.
While covering all possible scenarios to achieve these requirements is outside the scope of this article, I will walk through one way to ensure inbound RDP traffic is allowed to the WorkSpace's ENI, without opening it up for all WorkSpaces on your directory.
- Once the WorkSpace you deployed in Step 1 displays a WorkSpace IP, copy or note it for later.
- In the EC2 console, under Network & Security, choose Security Groups.
- Choose Create security group.
- Enter a descriptive Security group name, such as WorkSpacesRDPInBound.
- Enter a Description.
- Select the VPC that your WorkSpace is deployed in.
- Under Inbound rules, choose Add rule.
- For Type, select RDP from the list.
- For Source, enter the CIDR block in which the jump box or machine you will RDP from resides, for example 10.11.12.0/24.
- Under Outbound rules, remove the existing rule by choosing Delete.
- Choose Create security group.
- Again under Network & Security, choose Network Interfaces.
- Enter and search for the WorkSpace's IP address.
- Choose the Network interface ID link for that ENI.
- Choose Actions, then Change security groups.
- Under Associated security groups, search for the group you just created and choose Add security group.
- Choose Save, to apply this additional security group to your base WorkSpace.
- From your desktop or jump box, launch the Remote Desktop Connection client (mstsc.exe), enter the IP address of the WorkSpace, and choose Connect.
- Log onto the desktop of the WorkSpace as the user it was deployed to, install and configure the Citrix Server VDA and any other software you want in your image. For additional specifics on Citrix DaaS image requirements and VDA installation, refer to the Citrix on Core documentation.
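To confirm that the security group created in the steps above stays scoped as intended, the following added example (not part of the original article or any AWS tooling) audits one group in the JSON shape returned by `aws ec2 describe-security-groups`. The function names and both sample groups are constructed for illustration; the group name and CIDR are the ones used in the steps.

```python
import ipaddress

RDP_PORT = 3389

def covers_rdp(perm):
    """True if the rule's protocol and port range include TCP 3389."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)

def audit_rdp_group(sg, jump_networks):
    """Return a list of findings for one group from describe-security-groups output."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in jump_networks]
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto, ports = perm.get("IpProtocol"), (perm.get("FromPort"), perm.get("ToPort"))
        if not covers_rdp(perm):
            findings.append(f"inbound rule unrelated to RDP: {proto} {ports}")
            continue
        if proto != "tcp" or ports != (RDP_PORT, RDP_PORT):
            findings.append(f"inbound rule wider than TCP {RDP_PORT}: {proto} {ports}")
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if not any(src.version == n.version and src.subnet_of(n) for n in allowed):
                findings.append(f"RDP reachable from {src}, outside the jump box networks")
        # Simplification: this guide only uses an IPv4 source, so any IPv6 source is flagged.
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"RDP reachable from IPv6 range {rng['CidrIpv6']}")
    if sg.get("IpPermissionsEgress"):
        findings.append("outbound rules present; the steps above delete the default rule")
    return findings

# Constructed sample: the group as the steps above leave it.
GOOD = {"GroupName": "WorkSpacesRDPInBound",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                           "IpRanges": [{"CidrIp": "10.11.12.0/24"}]}],
        "IpPermissionsEgress": []}
# Constructed sample: RDP open to any address, default allow-all outbound rule kept.
BAD = {"GroupName": "rdp-open",
       "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
       "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for group in (GOOD, BAD):
        print(group["GroupName"], audit_rdp_group(group, ["10.11.12.0/24"]))
```

Security groups are stateful, so the empty outbound rule list does not interfere with replies to the inbound RDP session.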
Now that you have a WorkSpace with the VDA installed, it is time to create a custom WorkSpaces image and then import it into Citrix DaaS.
- Before creating your custom image, it is a best practice to run the Amazon WorkSpaces Image Checker utility, remediate any issues detected, and perform one final reboot.
- Once complete, back in the WorkSpaces console, under Personal, search for your BYOP base WorkSpace.
- Select it, then choose Actions, Create image.
- Enter an Image name and Image description that identify this image as a Citrix VDA image.
- Choose Create image.
- Choose Images in the left hand navigation pane. You should now see your image in a Pending status. Wait for the image to become Available before proceeding to the next step.
- Log into your Citrix Cloud DaaS console.
- Under Quick Deploy, choose Amazon WorkSpaces Core, then Images.
- Choose Import Image, then Next: Choose image.
- Enter a Name for the image. This is how it will be displayed in the Citrix console.
- Select the Account where you created the custom BYOP image.
- Select the Image you created in the previous step. It will be listed with a WSI tag (WorkSpaces image).
- Enter a Description.
- Choose Next: Summary, then Import Image.
- You may now proceed with creating a Deployment within Citrix DaaS using this server OS image.
You only need to follow the process of creating a base Server OS image via RDP once per operating system. Once you have the VDA installed and an image imported into Citrix DaaS, you can utilize the Citrix console to deploy WorkSpaces and to connect to them for additional software installations and updates. Citrix provides a Create custom image button when viewing the details of a Deployment, as well as an Update Image option on Deployments to configure them to use a new image for future machine creations.
For videos covering Amazon WorkSpaces Core as well as all things AWS EUC, please check out the AWS EUC YouTube channel.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.