Global Financial Group
A global financial group needed to upgrade its mission-critical Citrix Virtual Apps and Desktops estate from legacy on-premises 1912 LTSR to modern Azure-hosted 2203 LTSR — while simultaneously hardening authentication with Azure AD and Citrix FAS and replacing static capacity with ARM Template auto-scaling. GYSP formulated the end-to-end migration architecture, executed full control plane lifecycle upgrades, and delivered a cloud-native VDI environment tuned for financial-grade performance.
The Challenge
Version upgrades to Citrix LTSR in financial services environments carry far more complexity than a standard software upgrade. This global financial group running 1912 LTSR had accrued years of configuration depth — custom policies, compliance-critical application publishing rules, licensing configurations, and legacy identity integrations — all of which had to survive a major version transition to 2203 LTSR without disrupting live financial operations. The simultaneous move to Azure hosting compounded the challenge: control plane components (Delivery Controllers, Director, Studio, Licensing servers) required both version upgrades and re-platforming onto cloud infrastructure, with new Azure-native networking and compute topology to design from scratch. Legacy authentication mechanisms needed to be replaced with modern Azure AD-backed workflows using Citrix Federated Authentication Service — introducing SAML federation and MFA enforcement into a financial desktop environment that had historically relied on traditional Active Directory authentication. VDI capacity management had to be re-engineered from static on-premises allocation to dynamic ARM Template-driven auto-scaling that could respond to real-time session demand without over-provisioning.
Our Solution
GYSP developed the end-to-end migration architecture mapping the transition from on-premises 1912 LTSR to Azure-hosted 2203 LTSR — covering control plane uplift, authentication modernisation, capacity model transformation, and performance validation. Lifecycle version upgrades were executed across all critical Citrix infrastructure: Delivery Controllers, Director, Studio, and enterprise Licensing servers were upgraded in sequence with full change control and rollback procedures. Azure Active Directory was integrated with Citrix Federated Authentication Service to enforce modern authentication at the VDI session layer: SAML-based identity federation, MFA enforcement, and seamless SSO workflows replacing the legacy Kerberos-only authentication model. Custom ARM Templates were designed and deployed to orchestrate demand-driven auto-scaling policies for Azure VDI host pools — dynamic provisioning and deallocation tied to real-time session load, replacing static capacity with an elastic model. Comprehensive UAT cycles were conducted across the upgraded environment, with Azure-native performance tuning applied to session density, application response latency, and host pool efficiency.
Key Deliverables
- Formulated end-to-end migration architecture for the transition of core VDI layers from legacy on-premises Citrix 1912 LTSR to Azure-hosted 2203 LTSR — control plane, authentication, capacity, and performance layers
- Executed lifecycle version upgrades across all critical Citrix infrastructure nodes: Delivery Controllers (DDC), Director, Studio, and enterprise Licensing servers
- Integrated Azure Active Directory with Citrix Federated Authentication Service (FAS) enforcing modern authentication — SAML federation, MFA at the VDI session layer, and seamless SSO for financial applications
- Designed and deployed custom ARM Templates orchestrating dynamic demand-driven auto-scaling policies for VDI node pools in Microsoft Azure — replacing static capacity with elastic provisioning
- Conducted comprehensive UAT cycles and implemented Azure-native performance tuning across the cloud VDI environment — session density, application latency, and host pool efficiency optimised
Services Delivered
- CVAD Version Migration
- Azure VDI Architecture
- Citrix FAS Authentication
- ARM Auto-Scaling Design
Frequently Asked Questions
What is Citrix LTSR and why does upgrading from 1912 to 2203 matter for a financial group?
Citrix Long Term Service Release (LTSR) versions are the stable, compliance-tested releases that regulated industries standardise on — they receive 5 years of security patches without the feature churn of Current Release versions. Moving from 1912 LTSR (released 2019, approaching end of mainstream maintenance) to 2203 LTSR is not a patch: it involves architectural changes to broker communication protocols, authentication frameworks, and cloud integration capabilities. For a financial group, deferring this upgrade carries regulatory risk — 1912 LTSR approaching end-of-maintenance means unpatched security vulnerabilities, and financial desktop environments have zero tolerance for unpatched infrastructure.
What is Citrix FAS and why is it critical for Azure AD integration in VDI environments?
Citrix Federated Authentication Service (FAS) is the bridge between modern cloud identity providers like Azure Active Directory (with SAML, OIDC, and MFA) and the legacy Kerberos authentication that Windows desktop sessions require. When a financial user authenticates via Azure AD with MFA, their session would normally need a second Windows password prompt to launch the Citrix desktop. FAS eliminates this by issuing a virtual smart card certificate at the authentication boundary, allowing the Citrix session to launch seamlessly using the Azure AD authentication already completed — enforcing strong modern auth at the VDI layer without forcing users through a redundant credential prompt.
How do ARM Templates enable dynamic VDI auto-scaling in Azure for a financial group?
Azure Resource Manager Templates are declarative infrastructure-as-code specifications defining Azure resources. For Citrix VDI auto-scaling, ARM Templates define session host VM configurations, scaling trigger policies, deallocate rules for idle VMs, and pre-warmup schedules for predictable demand events like market open or morning shift start. Citrix Autoscale orchestrates when to provision or deprovision hosts; ARM Templates define exactly what those hosts look like — ensuring newly provisioned VDI nodes are always identically configured, security-hardened, and compliant with the financial group's Azure policies. The result is a capacity model that scales to session demand, eliminating the over-provisioned static pools that drove unnecessary compute spend on-premises.
What does UAT for a major Citrix LTSR upgrade cover in financial services?
In financial services, UAT for a Citrix LTSR upgrade tests far more than whether desktops launch correctly. The scope includes: all regulated financial applications — trading platforms, compliance tools, risk systems — rendering correctly under 2203 LTSR broker protocols; Azure AD + FAS authentication working correctly for all user populations including privileged accounts and service accounts; auto-scaling correctly provisioning and deprovisioning hosts under simulated load; print redirection, clipboard policies, and data leakage prevention controls operating correctly in the new version; and performance characteristics — session logon time, application launch latency, screen refresh under load — meeting the SLA thresholds the financial business requires before any production rollout.
More FinTech Case Studies
DotPe
Growing transaction volumes, three active compliance frameworks, and a full AWS-to-GCP migration — all without a single major service outage. The stakes were high for this fintech platform.
Options Trading Platform
Retail traders were making high-stakes decisions with manual calculations and static charts. They needed the kind of strategy tools professional desks take for granted — built for the masses.
Tier-1 Retail Bank, United Kingdom
Ahead of the UK's January 2018 Open Banking deadline, a tier-1 retail bank needed to migrate its legacy platform to containerized, multi-region cloud infrastructure on GCP — without disrupting live banking operations or missing a single regulatory milestone.
