π¨ CRITICAL β Citrix License Advantage Service (LAS) Deadline: April 15, 2026
Citrix LAS (formerly Software Maintenance / Customer Success Services) renewals must be processed by April 15, 2026 or licenses enter a grace period and eventually go dark. This affects all on-prem perpetual license holders. Contact your Citrix partner immediately if you haven't renewed. After grace period: Delivery Controllers stop brokering sessions. Citrix CTX139887 β
Citrix LAS (formerly Software Maintenance / Customer Success Services) renewals must be processed by April 15, 2026 or licenses enter a grace period and eventually go dark. This affects all on-prem perpetual license holders. Contact your Citrix partner immediately if you haven't renewed. After grace period: Delivery Controllers stop brokering sessions. Citrix CTX139887 β
// Version Matrix
CVAD Version Matrix β Current (2026)
Citrix uses YY.MM naming. LTSR (Long Term Service Release) = 5-year lifecycle with Cumulative Updates. CR (Current Release) = 6-month lifecycle, latest features. Citrix Lifecycle β
| Release | Version | Released | EOL / Support End | Type | Notes |
|---|---|---|---|---|---|
| 2511 Latest CR | 24.11.0 | Nov 2025 | May 2026 | CR | WEM 2511 new features, Linux VDA 2511, HDX adaptive transport improvements, Citrix DaaS Next-Gen updates, App Layering improvements. |
| 2507 (2408 CU2) | 24.07.0 | Aug 2025 | Feb 2026 | CR | LTSR 2407 CU2 released concurrently. Multi-session GPU improvements, Secure Browser Service updates. |
| 2407 LTSR LTSR β | 24.07.0 | Jul 2024 | Jul 2029 | LTSR | Recommended for enterprises. 5-year lifecycle. CU2 available. HDX Thinwire progressive build-to-lossless, WEM 2407, StoreFront 2407 stability. Most enterprises standardize here. |
| 2203 LTSR | 22.03.0 | Mar 2022 | Mar 2027 | LTSR | Previous LTSR. Still supported until 2027 but upgrade to 2407 LTSR strongly recommended. CU6 is the latest. |
| 1912 LTSR | 19.12.0 | Dec 2019 | Dec 2024 β | EOL | EOL Dec 2024. Migrate immediately. No security patches. CVEs unpatched. |
| CVAD 7.x and older | β | β | EOL | EOL | Unsupported. Upgrade path: 7.x β 2203 LTSR β 2407 LTSR. |
VDI Guy Recommendation: Standard enterprises β 2407 LTSR (5-year lifecycle, CU2 available, stable for production). DevOps/cloud-first β 2511 CR (latest WEM, Linux VDA, cloud features). Never skip LTSR without a tested rollback plan. Always upgrade VDA before Delivery Controller.
// Architecture Components
CVAD Core Architecture 2026
ποΈ Delivery Controller (DDC)
Central broker. Authenticates users, routes sessions, manages power state, communicates with hypervisor via SDK. Stateless β deploy 2+ for HA. Requires SQL Server for site database.
4+ vCPU Β· 8β16 GB RAM Β· WinSrv 2022
π₯οΈ Virtual Delivery Agent (VDA)
Agent in every desktop or RDSH VM. Registers with DDC. Manages HDX sessions, USB, printing, clipboard, SSO. Separate VDA versions for Desktop OS vs Server OS. Must match DDC version Β±1.
Silent: XenDesktopVdaSetup.exe /quiet /noreboot /components VDA
π NetScaler ADC / Gateway
Load balancer + secure remote access gateway. Handles ICA proxy, SmartAccess/SmartControl policies, multi-factor auth (RADIUS/SAML). HDX Insight for session analytics. VPX (virtual) or MPX (hardware).
VPX 200: 2 vCPU Β· 4 GB RAM Β· 200 Mbps
πͺ StoreFront
On-prem app/desktop aggregator. Serves Receiver/Workspace App. Aggregates published resources from multiple CVAD sites and Citrix DaaS. Load balance behind NetScaler. Min 2 for HA. SSL required.
4 vCPU Β· 8 GB RAM Β· WinSrv 2022
π― WEM (Workspace Env Mgr)
Policy engine replacing complex logon scripts and GPOs. Manages CPU/memory optimization, app security (AppLocker policies), user environment (drives, printers, env vars), condition-based delivery.
WEM Service (cloud) or on-prem WEM Infrastructure Server
π» Citrix Profile Management (UPM)
On-prem profile solution. Streams profile on-demand vs FSLogix container approach. Supports folder redirection, profile exclusion, large file handling. Works alongside FSLogix for Office containers.
Agent bundled with VDA Β· Configure via GPO / ADMX
CVAD Network Ports
| Port | Protocol | Flow | Purpose |
|---|---|---|---|
| 1494 | TCP | Client β VDA (internal) | ICA protocol β primary session transport (internal) |
| 2598 | TCP | Client β VDA (internal) | CGP (Session Reliability) β reconnect without re-auth |
| 443 | TCP | Client β NetScaler | Secure ICA proxy, StoreFront HTTPS, Workspace App |
| UDP 443 | UDP | Client β NetScaler | EDT (Enlightened Data Transport) β QUIC-based, preferred |
| 80/443 | TCP | Client β StoreFront | StoreFront app enumeration (always HTTPS in prod) |
| 80 | TCP | VDA β DDC | VDA registration (use TLS/443 in secure environments) |
| 389/636 | TCP | DDC β DC | LDAP / LDAPS for Active Directory |
| 1433 | TCP | DDC β SQL | SQL Server site database (always AlwaysOn AG in prod) |
// Provisioning Technology
MCS vs PVS β Decision Framework 2026
Machine Catalog type is the most consequential architectural decision in CVAD. Wrong choice = years of operational pain. Choose based on scale, storage, and operational skills.
| Factor | MCS (Machine Creation Services) | PVS (Provisioning Services) |
|---|---|---|
| How it works | Hypervisor snapshot-based. Creates full VMs from master image snapshot. Stores delta disks on local/shared storage. | Network boot via PXE. Streams OS image from PVS vDisk. RAM-cache absorbs writes. VMs are diskless. |
| Storage requirement | Storage per VM (delta) β typically 10β20 GB/VM on SAN/NFS/vSAN. IOPS spike at logon storm. | Central vDisk store (shared). VMs boot from network. RAM cache (write-back) absorbs IOPS. Very low per-VM storage. |
| Complexity | Lower β no separate infrastructure. Fully managed by CVAD Studio. Citrix manages everything. | Higher β separate PVS servers (2+ for HA), vDisk management, RAM cache config, network boot config. |
| Scale recommendation | 1β2,000 VMs. Above 2k: storage IOPS becomes challenging during boot storms. | 500β50,000+ VMs. PVS scales extremely well with proper RAM cache sizing. Traditional choice for large enterprises. |
| Image updates | Update master image β Create snapshot β Apply to catalog (rolling reboot). Studio manages. | Update vDisk β Test version β Promote β Rolling reboot. vDisk versioning built in. More control. |
| Non-persistent support | MCS I/O Optimization (write-back cache to RAM+disk). Reduces storage IOPS. | RAM cache with overflow to disk. Superior IOPS isolation. BDM (Boot Device Manager) replaces PXE. |
| Cloud support | Full support β Azure, AWS, GCP, Nutanix, vSphere. MCS is the only choice for cloud. | On-prem only (vSphere, Hyper-V, XenServer). Not supported on cloud hypervisors natively. |
| VDI Guy verdict 2026 | β Default choice for <2,000 VMs, cloud, or new deployments. | β Large on-prem (>2,000 VMs), existing PVS infra, ultra-low storage IOPS requirement. |
MCS I/O Optimization (MCSIO) Config
# MCS I/O Optimization β GPO path:
# Citrix > Virtual Desktop Agent > MCS IOO
# Or via Studio Catalog settings
# Key registry (set during VDA install or via GPO):
# HKLM\SOFTWARE\Citrix\MCSIODrv
WriteCacheSize = 256 # MB RAM write cache
WriteCacheDisk = 1024 # MB disk overflow
EnableWriteBackCache = 1 # Required for non-persistent
# Command line: Enable MCSIO at catalog creation
New-BrokerCatalog -Name "Pool1" `
-MachinesArePhysical $false `
-MinimumFunctionalLevel L7_20 `
-ProvisioningType MCS `
-SessionSupport MultiSessionPVS RAM Cache Sizing Guide
# PVS Write-Back Cache (WBC) β key settings
# PVS Console > vDisk > Properties > Cache
Cache type options:
1 = Cache on device RAM with overflow to disk β Recommended
2 = Cache on device disk
3 = Cache on server (avoid β network overhead)
5 = Cache in device RAM (no overflow β risky)
# RAM cache sizing rule of thumb:
# Task worker: 512 MBβ1 GB
# Knowledge worker: 1β2 GB
# Power user: 2β4 GB
# Disk overflow: 10β20 GB per VM on local SSD
# Never put PVS overflow on SAN β defeats purpose// HDX Protocol
HDX β Adaptive Transport, Thinwire & EDT Tuning
HDX is the Citrix protocol umbrella covering display (Thinwire), transport (EDT/ICA), audio, and USB. EDT (Enlightened Data Transport β QUIC-based UDP) is the modern transport in 2026.
| HDX Feature | Policy Path | Recommended Setting | Notes |
|---|---|---|---|
| EDT (UDP Transport) | HDX Adaptive Transport | Preferred (not Diagnostic) | EDT = QUIC-based UDP. Better WAN performance, packet loss recovery. Preferred = use EDT, fall back to TCP if blocked. |
| Thinwire Progressive Display | Use video codec for compression | Use when preferred | Uses H.264 for moving regions, lossless for static text. Best bandwidth efficiency. Requires H.264 capable VDA. |
| BCR (Browser Content Redirection) | Browser Content Redirection | Enabled + URL whitelist | Renders Chrome/Edge content on client CPU (not VDA). Massive bandwidth savings for video-heavy sites. Requires Citrix Workspace App on client. |
| Visual Quality | Visual quality | Medium (default) | High/Very High = much more bandwidth. Use Medium unless users complain. Always-lossless for finance/compliance. |
| Frame Rate Cap | Target frame rate | 30 FPS general / 60 FPS GPU | 60 FPS roughly doubles bandwidth per session. Reserve for GPU desktops only. |
| Audio Over UDP | Audio over UDP | Enabled | Real-time audio via UDP β far better voice quality than TCP ICA audio. |
| Session Reliability | Session reliability | Enabled (port 2598) | Reconnects on network drop without re-auth. Critical for WAN/VPN users. Default timeout: 3 minutes. |
| HDX 3D Pro | Machine Catalog GPU setting | Enable for GPU VDAs | Required for GPU-accelerated desktops. Uses H.264 hardware encode (NVIDIA or AMD). Separate VDA install parameter. |
EDT Bandwidth Estimates
| User Type | Avg BW | Peak |
|---|---|---|
| Task worker | 100β300 Kbps | 800 Kbps |
| Knowledge worker | 400 Kbpsβ1.5 Mbps | 3 Mbps |
| Power user (video) | 1.5β4 Mbps | 8 Mbps |
| BCR enabled | 60β80% reduction | for video sites |
HDX Monitor (PowerShell)
# Check active session HDX stats:
# Citrix Director: Monitor > HDX channel data
# PowerShell β session details:
Add-PSSnapin Citrix*
$sessions = Get-BrokerSession -Filter {SessionState -eq 'Active'}
$sessions | Select UserName, Protocol,
EstablishmentTime, ClientAddress |
Format-Table -AutoSize
# NetScaler: HDX Insight dashboard
# nscommand: show ica sessions// WEM 2511
Workspace Environment Manager (WEM) 2511
WEM is the replacement for logon scripts, GPP (Group Policy Preferences), and basic profile management. In 2511 it adds significant profile container and security capabilities.
WEM 2511 New Features
- βΈProfile Management β integration with FSLogix profile containers (hybrid UPM + FSLogix config)
- βΈCPU Spike Protection v3 β improved algorithm, per-app CPU throttle thresholds
- βΈAppLocker policy management via WEM console (replaces raw AppLocker GPOs)
- βΈCondition engine improvements: new OOBE/first logon conditions for provisioned machines
- βΈWEM Service (Cloud) β no WEM infrastructure server required for Citrix DaaS
- βΈTransformer (kiosk mode) improvements β URL whitelist, auto-logon enhancements
WEM Key Configuration Areas
| Feature | Use Case | Notes |
|---|---|---|
| Actions | Drive map, printer, app shortcut, reg key, env var | Condition-based delivery |
| Filters / Conditions | AD Group, OU, client IP, client name, time | Granular targeting |
| CPU Mgmt | Spike protection, CPU affinity | Prevents runaway processes |
| Memory Mgmt | Working set optimization | Frees RAM from idle apps |
| Profile Mgmt | UPM config, FSLogix integration | 2511: FSLogix hybrid |
// StoreFront Configuration
StoreFront 2026 β HA, SSL & Workspace Integration
StoreFront HA Architecture
# Minimum StoreFront HA setup:
# 2x StoreFront servers behind NetScaler LB
# All servers in same Server Group
# Config replication: automatic (P2P sync)
# StoreFront server sync:
# Citrix StoreFront > Server Group > Add Server
# NetScaler LB VIP:
add lb vserver SF_VIP HTTP 10.x.x.100 80
add lb vserver SF_VIP_SSL SSL 10.x.x.100 443
bind lb vserver SF_VIP -policyName ns_adv_xpath_sf
bind ssl vserver SF_VIP_SSL -certkeyName star_corp_com
# Store URL format:
# https://storefront.corp.com/Citrix/Store/auth/
# Redirect HTTP β HTTPS alwaysStoreFront vs Citrix Workspace
| Feature | StoreFront | Citrix Workspace |
|---|---|---|
| Hosting | On-prem | Cloud SaaS |
| Customization | Full branding | Limited |
| Data sovereignty | Full control | Citrix cloud |
| Aggregation | Multiple sites | Multiple sites + SaaS apps |
| HA responsibility | Admin managed | Citrix managed |
| 2026 recommended | On-prem regulated orgs | DaaS / cloud-first |
// NetScaler ADC
NetScaler ADC β Gateway & Load Balancer Configuration
ICA Proxy Configuration
# NetScaler Gateway ICA Proxy
# Path: Traffic Management > Load Balancing > VS
# Enable ICA proxy on Gateway vServer:
set vpn vserver GATEWAY_VIP -icaOnly OFF
set vpn sessionaction ICA_Proxy `
-defaultAuthorizationAction ALLOW `
-transparentInterception OFF `
-SSO ON `
-icaProxy ON
# EDT (UDP) for HDX Adaptive Transport:
# Traffic Policy: set ns-profile for EDT
# Ensure UDP 443 open at firewall toward NetScaler
# Verify EDT active (from Director):
# Monitor > Sessions > Protocol column = UDPStoreFront LB Config (Key Points)
# NetScaler LB for StoreFront HA
# Monitor type: STOREFRONT
add lb monitor SF_Monitor STOREFRONT `
-storename Store `
-storefrontaccttype ActiveDirectory
# Service group for SF servers:
add servicegroup SG_SF HTTP
bind servicegroup SG_SF 10.x.x.11 80
bind servicegroup SG_SF 10.x.x.12 80
bind lb vserver SF_VIP SG_SF
# SSL cert binding (wildcard recommended):
bind ssl vserver SF_VIP -certkeyName star.corp.com
# HTTPS redirect:
add responder action redir_https redirect \
'"https://" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL'
add responder policy redir_http_to_https TRUE redir_https// Sizing Reference
CVAD VM & Infrastructure Sizing 2026
| Component / User Type | vCPU | RAM | Disk | Scale / Density | Notes |
|---|---|---|---|---|---|
| Task Worker (published app) | 0.25 vCPU | 1β2 GB | N/A (RDSH) | 50β60/RDSH VM | RDSH VM: 16β24 vCPU / 64β128 GB. Single app delivery. |
| Knowledge Worker (VDI) | 2 | 4β6 GB | 60 GB | 80β120/host | Office 365, Teams, browser. MCS non-persistent. |
| Power User (VDI) | 4 | 8β16 GB | 80 GB | 40β60/host | Developer, analyst. Persistent preferred. |
| GPU (HDX 3D Pro) | 4β8 | 16β32 GB | 120 GB | GPU limited (6β12/GPU) | CAD/3D. NVIDIA vPC or vWS profile. HDX 3D Pro license. |
| Delivery Controller | 4+ | 8β16 GB | 80 GB | 1 per 5,000 CCU | Min 2 HA. SQL AlwaysOn for site DB. WinSrv 2022. |
| NetScaler VPX (Gateway) | 2β4 | 4β8 GB | 120 GB | VPX 1000: 1 Gbps, 5K SSL TPS | Deploy HA pair (active-passive). VPX 200 for <500 users. |
| StoreFront | 4 | 8 GB | 80 GB | 2 min (HA) | Behind NetScaler LB. WinSrv 2022. |
// β Licensing β LAS Deadline
Citrix Licensing β LAS Deadline & License Models
π¨ LAS (License Advantage Service) Deadline: April 15, 2026
Customers on perpetual licenses with expired LAS lose the right to use new versions AND enter a 30-day grace period on existing licenses after which the license server stops issuing sessions. This is not a new policy β it is being actively enforced in 2026. Contact your Citrix partner to assess status. Reference: CTX139887
Customers on perpetual licenses with expired LAS lose the right to use new versions AND enter a 30-day grace period on existing licenses after which the license server stops issuing sessions. This is not a new policy β it is being actively enforced in 2026. Contact your Citrix partner to assess status. Reference: CTX139887
| Edition | Includes | Model | Best For |
|---|---|---|---|
| CVAD Premium (formerly Platinum) | All components incl. HDX 3D Pro, App Layering, LAS, Analytics | CCU or Named Β· Subscription | Enterprise with GPU, analytics needs. Full feature set. |
| CVAD Advanced Plus | VDA, DDC, StoreFront, NetScaler Gateway Std, WEM, UPM | CCU Β· Subscription | Standard enterprise VDI. Most common. |
| CVAD Standard | VDA + DDC only. No HDX 3D Pro, no App Layering. | CCU Β· Subscription | Small deployments, budget constrained. |
| Citrix DaaS | Cloud DDC (no on-prem CS), all VDA types, NetScaler Cloud Gateway | Named User/Device Β· Monthly | Eliminate on-prem Delivery Controller overhead. |
| Perpetual + LAS β | Legacy perpetual licenses | Perpetual + annual LAS maintenance | Renew LAS by April 15 2026 or sessions stop. Migrate to subscription recommended. |
Check License Status
# Citrix Licensing Manager (web):
# https://[license-server]:8083
# PowerShell:
Get-LicCertificateInfo -AdminAddress https://lic:8083
Get-LicInventory -AdminAddress https://lic:8083
# Check LAS expiry specifically:
# Licenses show "Subscription Advantage Date"
# If date < today: EXPIRED β renew immediately
# Quick check all allocated licenses:
asnp Citrix.*
Get-BrokerController | Select DNSName, State
Get-LicInventory | Select PldName, LicensesInUse, LicensesAvailableLicense Server HA
# Citrix License Server β HA best practices:
# No native clustering β use VM HA (vSphere/Hyper-V)
# Take VM snapshots before updates
# Keep license files backed up:
# C:\Program Files\Citrix\Licensing\MyFiles\
# DDC license server redundancy:
# Configure 2+ license servers in Studio
# Studio > Settings > Licensing > Server list
# License grace period: 30 days if license server
# unreachable. After grace: new sessions rejected.
# Plan: snapshot restore < 15 min RTO for license server// Troubleshooting
Common CVAD Issues & Fixes
| Symptom | Likely Cause | Diagnostic | Fix |
|---|---|---|---|
| VDA stuck "Unregistered" | Firewall port 80 DDCβVDA, DNS resolution, wrong controller list | Broker Agent logs: Event Viewer > Citrix Delivery Services; ping DDC from VDA | Open TCP 80 or 443 (TLS) VDAβDDC. Verify ListOfDDCs registry on VDA. Set FQDN not IP. |
| Cannot launch session (1030 error) | ICA file sent but port 1494/2598 blocked, SSL cert issue on SF | Check .ica file download; test netcat to VDA:1494 from client | Open 1494/2598 clientβVDA. Verify NetScaler SSL cert validity. Check StoreFront HTTPS binding. |
| EDT not active (poor WAN perf) | UDP 443 blocked at firewall/VPN, policy not applied | Director > Sessions: Protocol column shows "TCP" not "UDP" | Open UDP 443 toward NetScaler. Verify "HDX Adaptive Transport = Preferred" policy applies to session. |
| Slow logon (>30s) | UPM/FSLogix mount, slow GPO, WEM processing time | WEM Admin Console > Monitor > Reports > Logon; gpresult /h | Enable WEM logon monitoring. Async DEM/WEM actions. FSLogix <15 GB VHDX. Baseline all GPO extensions. |
| MCS catalog update fails | Master image snapshot issue, vCenter permission, storage space | Studio Tasks view; CVAD event log on DDC | Verify vCenter permissions for DDC service account. Check storage free space (>20% headroom). Re-snapshot master. |
| License error (ICA-0x10000) | License server unreachable, expired LAS, insufficient CCU | https://[licserver]:8083; Get-LicInventory | Check LAS expiry first. Verify DDC β license server TCP 27000. Add more licenses if CCU exhausted. |
// Related Pages