Basic Configuration
This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.
The XenApp/XenDesktop 7.14 ISO comes with StoreFront 3.11. Or you can download it
from https://www.citrix.com/downloads/storefront-web-interface/product-software/storefront-311.html.
You can install StoreFront at the same time as installing Delivery Controller. Or you can install StoreFront
3.11 on dedicated servers.
Citrix Blog Post StoreFront 3.0 Scalability recommends sizing StoreFront servers with 4 vCPU and 8 GB
RAM.
Note: You can install Web Interface and StoreFront on the same servers. Make sure Web Interface is
installed first.
6. See Patrick van den Born Avoid 1603 errors when upgrading Citrix StoreFront 2.x to Citrix
StoreFront 3.5
2. Go to the downloaded Citrix StoreFront 3.11 and run CitrixStoreFront-x64.exe.
3. Or you can install from the 7.14 ISO by running AutoSelect.exe.
4. In the License Agreement page, check the box next to I accept the terms, and click Next.
After upgrading from StoreFront 2.6 or older, do the following to enable the Receiver X1 theme:
1. In the StoreFront Console, on the left click the Stores node. Right-click the store and click Manage
Receiver for Web Sites.
2. Click Configure.
4. Once classic experience is disabled, you can now make changes on the Customize Appearance and
Featured App Groups pages. Click OK and Close when done.
5. Go to Stores. Right-click the Store, and click Configure Unified Experience.
6. Check the box next to Set the unified Receiver experience as the default for this store, and click
OK.
7. When you propagate changes, the default web page might not be replicated to the other nodes.
Copy C:\inetpub\wwwroot\web.config manually to each node.
If you are upgrading to StoreFront 3.9 or newer, do the following to add SAML Authentication as an option.
This feature lets you perform SAML against StoreFront without needing NetScaler Gateway. If you did a
fresh deployment of 3.9 or newer, then SAML is already added.
1. Right-click the Store, and click Manage Authentication Methods.
2. On the bottom, click the Advanced button, and click Install or uninstall authentication methods.
Initial Configuration
In StoreFront 3.8 and newer, you can create multiple stores in different IIS websites. This functionality is
not exposed in the GUI and instead the entire StoreFront configuration must be performed using
PowerShell. See Citrix Blog Post StoreFront 3.8 is Available NOW! for sample PowerShell commands to
create the stores.
You can also use PowerShell to create a store and configure it as detailed at CTX206009 How to configure a
Store via PowerShell.
If this is a new deployment of StoreFront, do the following to perform the initial configuration:
4. In the Base URL page, if you installed an SSL certificate on the StoreFront server, then the
Hostname should already be filled in. For now, you can leave it set to the server name and then
change it later once you set up SSL and load balancing. Click Next.
5. In the Getting Started page, click Next.
6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL
path.
7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
8. In the Delivery Controllers page, click Add.
9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the
actual farm name. (If StoreFront 3.5, don't put spaces or periods in the farm name)
10. Change the Type to XenDesktop.
11. Add the two XenDesktop Controllers. Change the Transport Type to HTTP. Click OK.
12. If you have multiple XenDesktop sites/farms, feel free to add them now. Or you can add older
XenApp farms. (If StoreFront 3.5, don't put spaces or periods in the farm name) Click Next when
done.
13. In the Remote Access page, don't check the box, and click Next. You can set this up later.
14. In the Authentication Methods page, check the boxes next to Domain pass-through and
Pass-through from NetScaler Gateway. Click Next. Note: if you want Domain pass-through for browser
users, you also need to enable it for Receiver for Web as detailed later in this topic.
15. In the XenApp Services URL page, click Create.
16. In the Summary page, click Finish.
5. Login to the second StoreFront server and launch the management console. In the middle, click Join
existing server group.
6. In the Join Server Group page, enter the name of the first StoreFront server and enter the
Authorization code copied earlier. Click Join.
11. When you propagate changes, the default web page might not be replicated to the other nodes.
Copy C:\inetpub\wwwroot\web.config manually to each node.
StoreFront 3.9 and newer enable Customer Experience Improvement Program (CEIP) by default. To disable
it, create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD)
and set it to 0 (zero). Also see CEIP at Install, set up, upgrade, and uninstall at Citrix Docs.
Note: Some at Citrix Discussions (A protocol error occurred while communicating with the Authentication
Service) have reported authentication issues after following this procedure. It's probably cleaner to
uninstall StoreFront and reinstall it.
3. Click Yes.
6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL
path.
7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
8. In the Delivery Controllers page, click Add.
9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the
actual farm name. (If StoreFront 3.5, don't put spaces or periods in the farm name)
10. Change the Type to XenDesktop.
11. Add the two XenDesktop Controllers.
12. Change the Transport Type to HTTP. Click OK.
13. If you have multiple XenDesktop farms, feel free to add them now. Or you can add older XenApp
farms. (If StoreFront 3.5, don't put spaces or periods in the farm name) Or later, you can add farms
in Store > Manage Delivery Controllers. Click Next when done.
14. In the Remote Access page, don't check the box and click Next. You can set this up later.
15. In the Authentication Methods page, check the boxes next to Domain pass-through and
Pass-through from NetScaler Gateway. Click Next.
SSL Certificate
StoreFront requires SSL. You will save yourself much heartache if you install valid, trusted certificates.
There are two options for StoreFront SSL.
SSL Offload: Use NetScaler to do SSL Offload and load balancing. In this scenario, install the SSL
certificate on the load balancer. You can leave the StoreFront servers listening on HTTP and no IIS
server certificate. The SSL certificate on the NetScaler must match the DNS name that resolves to
the load balancing VIP.
SSL End-to-end: Install an SSL certificate on each StoreFront server and bind to IIS. This allows you
to use SSL protocol between the load balancer and the StoreFront servers.
If your load balancer cannot terminate SSL, then the StoreFront IIS certificate must match the DNS name
that resolves to the load balancing VIP.
For load balancers that can terminate SSL (e.g. NetScaler), the StoreFront IIS server certificate should
match the StoreFront server name. If StoreFront is installed on the Delivery Controllers, with
server-specific certificates you can later enable HTTPS in the StoreFront Store Delivery Controller configuration.
Another option is to create an SSL certificate with Subject Alternative Names for the load balanced DNS
name and each of the StoreFront server FQDNs. Then import this one certificate on all StoreFront servers.
Or a wildcard certificate could match all of these names.
In either case, be aware that email-based discovery in Citrix Receiver requires the certificate to match not
only the StoreFront load balanced DNS name but also discoverReceiver.email.suffix for every email
domain. Usually the only way to match multiple email domains is with Subject Alternative Names. If you
have multiple email suffixes, then you will need multiple Subject Alternative Names, each beginning with
discoverReceiver. If you don't plan on implementing email-based discovery, then you don't have to worry
about these discoverReceiver Subject Alternative Names.
If the certificate does not match discoverReceiver.email.suffix, then users will see this message when
attempting to use email discovery in Citrix Receiver.
When adding Subject Alternative Names to a certificate, the first Subject Alternative Name should be the
same as the Load Balancing FQDN. The remaining Subject Alternative Names should be
discoverReceiver.email.suffix for every email domain.
When you view a Subject Alternative Name certificate, on the Details tab, click Subject Alternative Name
to verify that all names are listed, including the DNS name that resolves to the load balancing VIP.
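The check described above can also be scripted. The following is an added example, not code from the article or from Citrix: it reads the Subject CN and the Subject Alternative Name extension of a certificate, then reports whether each required name (load balancing FQDN, server FQDNs, and one discoverReceiver.<suffix> entry per email domain) is covered, honouring single-label wildcards. The thumbprint, FQDNs and email suffixes in the usage call are placeholders.

```powershell
# Added example, not code from the article or from Citrix: verify that a StoreFront
# certificate covers every DNS name the article calls for. Placeholder values are
# marked in the usage call at the bottom.

function Get-CertificateDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $names = New-Object System.Collections.Generic.List[string]

    # Subject CN (GetNameInfo prefers the first SAN DNS entry when one exists).
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names.Add($cn) }

    # Subject Alternative Name extension, OID 2.5.29.17. Format() yields one
    # "DNS Name=<fqdn>" line per entry on English-language Windows; other
    # locales label the lines differently, so adjust the pattern if needed.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(\S+)') { $names.Add($Matches[1]) }
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-NameCovered {
    param([Parameter(Mandatory)][string]$Name, [string[]]$CertificateNames)
    foreach ($certName in $CertificateNames) {
        if ($certName -ieq $Name) { return $true }
        # A wildcard covers exactly one label: *.corp.com matches
        # discoverReceiver.corp.com but not a.b.corp.com.
        if ($certName.StartsWith('*.')) {
            $nameLabels = $Name.Split('.')
            $certLabels = $certName.Split('.')
            if ($nameLabels.Count -eq $certLabels.Count -and
                (($nameLabels | Select-Object -Skip 1) -join '.') -ieq (($certLabels | Select-Object -Skip 1) -join '.')) {
                return $true
            }
        }
    }
    return $false
}

function Test-StoreFrontCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$LoadBalancingFqdn,
        [string[]]$ServerFqdns = @(),
        [string[]]$EmailSuffixes = @()
    )
    # Required names: load balancing FQDN first, then per-server names, then one
    # discoverReceiver entry per email suffix used for email-based discovery.
    $required = @($LoadBalancingFqdn) + @($ServerFqdns) +
                @($EmailSuffixes | ForEach-Object { "discoverReceiver.$_" })
    $present = Get-CertificateDnsNames -Certificate $Certificate
    foreach ($name in $required) {
        [pscustomobject]@{
            Name    = $name
            Covered = Test-NameCovered -Name $name -CertificateNames $present
        }
    }
}

# Usage (placeholder thumbprint and names): load the certificate bound in IIS and
# list every required name it fails to cover.
$cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT-PLACEHOLDER>'
Test-StoreFrontCertificate -Certificate $cert `
    -LoadBalancingFqdn 'storefront.corp.com' `
    -ServerFqdns 'sf01.corp.com', 'sf02.corp.com' `
    -EmailSuffixes 'corp.com', 'example.com' |
    Where-Object { -not $_.Covered }
```

An empty result means every name is covered; any row listed is a name that needs to be added as a Subject Alternative Name (or covered by a wildcard) before email-based discovery or end-to-end SSL will work for it.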
If you are implementing Single FQDN for internal and external users, then the certificate for
external NetScaler Gateway can also be used for internal StoreFront. Note: Single FQDN has
additional Subject Alternative Name certificate requirements including: Internal Beacon FQDN and
Callback FQDN.
If you will support non-domain-joined machines (e.g. iPads, thin clients) connecting to your internal
StoreFront, then the StoreFront certificate should be signed by a public Certificate Authority. You
can use IIS to request the certificate. You can then export the certificate from IIS and import it to
NetScaler (for Load Balancing and NetScaler Gateway). Public Certificate Authorities (e.g. GoDaddy,
Digicert, etc.) let you enter additional Subject Alternative Names when you purchase the certificate.
If all internal machines are domain-joined, then you can use an internal Certificate Authority to
create the StoreFront certificate. The Certificates MMC snap-in can be used to create an internal
certificate signed by a Microsoft Certificate Authority. The MMC method allows you to specify
Subject Alternative Names.
Once the certificate is created or imported, you need to bind it to IIS:
1. In IIS Manager, right-click the Default Web Site, and click Edit Bindings.
2. Click Add.
3. Change the Type to https, and select the SSL certificate. Do NOT put anything in the Host name
field. Click OK, and then click Close.
If IIS is installed on the Delivery Controller, simply install/create a certificate, and bind it to the
Default Web Site.
If IIS is not installed on the Delivery Controller, then you need to run a command line program as
described at CTX200415 How to Enable SSL on XenDesktop 7.x Controllers to Secure XML Traffic. Or
use Matt Bodholdt's script at XenDesktop 7 Bind Cert to XML Service Without IIS Integration at
CUGC.
Once SSL certificates are installed on the Delivery Controller servers, then you can configure the Store to
use SSL when communicating with the Delivery Controllers.
4. The Servers list must contain FQDNs that match the certificates installed on those servers.
5. Change the Transport type to HTTPS.
6. Click OK twice.
Socket Pooling
Socket pooling is disabled by default in stores. When socket pooling is enabled, StoreFront maintains a
pool of sockets, rather than creating a socket each time one is needed and returning it to the operating
system when the connection is closed. Enabling socket pooling enhances performance, particularly for
Secure Sockets Layer (SSL) connections. To enable socket pooling:
HOSTS File
Edit the HOSTS file (C:\Windows\System32\Drivers\Etc\HOSTS) on each StoreFront server with the
following entries:
StoreFront Load Balancing FQDN (e.g. storefront.corp.com) = Load Balancing VIP in the local
datacenter.
NetScaler Gateway Callback FQDN (e.g. callback.corp.com) = NetScaler Gateway VIP in the local
datacenter.
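The two HOSTS entries above have to be kept correct on every StoreFront server, and a stale line for the same name silently wins over DNS. The following is an added example, not code from the article: an idempotent helper that replaces any existing mapping for a name before appending the new one, plus a reader to confirm the result. Run it elevated; the FQDNs and VIP addresses in the usage calls are placeholders.

```powershell
# Added example, not code from the article: pin the names the article lists to the
# local data center's VIPs in the HOSTS file of a StoreFront server, replacing any
# stale line for the same name. Placeholder FQDNs and addresses are used below.

function Set-HostsEntry {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][ipaddress]$IPAddress,
        [string]$Path = "$env:SystemRoot\System32\Drivers\Etc\hosts"
    )
    $lines = @()
    if (Test-Path -LiteralPath $Path) { $lines = @(Get-Content -LiteralPath $Path) }

    # Keep every line except an active mapping that already names this host
    # (comments and blank lines pass through untouched).
    $kept = @($lines | Where-Object {
        if ($_ -match '^\s*([0-9a-fA-F:.]+)\s+([^#]+)') {
            $namesOnLine = $Matches[2].Trim() -split '\s+'
            $namesOnLine -notcontains $HostName     # -notcontains is case-insensitive
        } else {
            $true
        }
    })

    $kept += "$($IPAddress.IPAddressToString)`t$HostName"
    Set-Content -LiteralPath $Path -Value $kept -Encoding ASCII
    return $kept
}

function Get-HostsEntry {
    param([Parameter(Mandatory)][string]$HostName,
          [string]$Path = "$env:SystemRoot\System32\Drivers\Etc\hosts")
    Get-Content -LiteralPath $Path | Where-Object {
        $_ -match '^\s*([0-9a-fA-F:.]+)\s+([^#]+)' -and
        (($Matches[2].Trim() -split '\s+') -contains $HostName)
    }
}

# Usage (placeholder names and VIPs): StoreFront load balancing FQDN -> local LB VIP,
# NetScaler Gateway callback FQDN -> local Gateway VIP.
Set-HostsEntry -HostName 'storefront.corp.com' -IPAddress '10.10.1.50' | Out-Null
Set-HostsEntry -HostName 'callback.corp.com'   -IPAddress '10.10.1.60' | Out-Null
Get-HostsEntry -HostName 'storefront.corp.com'
```

Running the same calls again leaves exactly one line per name, so the script is safe to include in a build or compliance routine that runs on each StoreFront node.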
3. Enter the StoreFront Load Balancing FQDN as the new Base URL in https://storefront.corp.com
format. Note: Receiver requires that the Base URL is https. It won't accept http. Click OK.
Note: if you want the StoreFront Base URL to be the same as your Gateway FQDN, then see the
Single FQDN instructions.
If the Base URL is https, but you don't have certificates installed on your StoreFront servers (aka SSL
Offload), then you'll need to do the following:
3. Click Configure.
4. On the Advanced Settings page, change Enable loopback communication to OnUsingHttp. Click
OK, and then click Close.
After changing the Base URL, you'll need to update the IIS Default Website.
4. If you go to C:\inetpub\wwwroot and edit the file web.config, you'll see the redirect.
Authentication Configuration
1. In the Citrix StoreFront console, on the left, click the Stores node.
2. Right-click the store, and click Manage Authentication Methods.
3. Check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway.
4. If you intend to enable pass-through authentication from Receiver Self-Service or from Receiver for
Web, go to a XenDesktop Controller, and run the command
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True from a Windows PowerShell command
prompt. Run asnp citrix.* first. In XenApp 6.5, this is a Citrix Policy > Computer > Trust XML Requests.
5. Click the top gear icon, and then click Configure Trusted Domains.
6. Select Trusted domains only, click Add, and enter the domain names in DNS format. The DNS suffix
is needed if doing userPrincipalName authentication from NetScaler Gateway.
1. Also see CTX223551 Log on delay when user is not in the same domain as Storefront Server
for RPC firewall rules.
7. Select one of the domains as the default.
8. If desired, check the box next to Show domains list in logon page. Click OK.
9. Click the top gear icon, and then click Manage Password Options.
11. Be careful with password changes. Any time somebody changes their password through StoreFront,
a profile will be created for that user on the StoreFront server. Use a tool like delprof2.exe to
periodically delete these local profiles.
12. Or see Citrix Blog Post Delete Local User Profile Folders on StoreFront Servers for a script to delete
local profiles.
13. If you have XenApp/XenDesktop Platinum Edition and installed Self-Service Password Reset, you
can integrate SSPR with StoreFront 3.7 or newer by clicking the top gear icon and clicking Configure
Account Self-Service. This option is only available if your Base URL is https (encrypted). See the
following for detailed implementation guides.
o Citrix CTX217143 Self-Service Password Reset Central Store Creation Tool
o Citrix CTX224244 How Do I Deploy Self-Service Password Reset For the First Time
o George Spiers Citrix Self-Service Password Reset
16. With SSPR enabled, a new Tasks tab lets users enroll with SSPR.
17. The logon page also has an Account Self-Service link.
18. If StoreFront is not in the same domain (or trusted domain) as the users, then you can configure
StoreFront to delegate authentication to the Delivery Controllers. See XML service-based
authentication at Citrix Docs. Note: StoreFront 3.6 and newer can be workgroup members without
joining a domain.
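Steps 11 and 12 above recommend periodically deleting the local profiles that password changes leave on the StoreFront server. The following is an added example, not the article's tool nor the Citrix blog post's script: it enumerates Win32_UserProfile instances, skips loaded and special (system/service) profiles, anything used more recently than a cut-off, and any account named in an exclusion list, and removes the rest through CIM so the profile folder and its registry entry go together. The service account name in the usage call is a placeholder.

```powershell
# Added example, not the article's or Citrix's script: list and remove stale local
# profiles on a StoreFront server. Supports -WhatIf for a dry run.

function Get-StaleLocalProfile {
    param([int]$OlderThanDays = 7, [string[]]$Exclude = @())
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)

    # Caveat: on some Windows 10 / Server 2016 builds LastUseTime is refreshed by
    # background services and is not a reliable "last logon" timestamp; check it
    # against a sample profile before trusting short cut-offs.
    Get-CimInstance -ClassName Win32_UserProfile | Where-Object {
        -not $_.Special -and
        -not $_.Loaded -and
        $_.LocalPath -and
        ($Exclude -notcontains (Split-Path -Path $_.LocalPath -Leaf)) -and
        ($null -ne $_.LastUseTime) -and ($_.LastUseTime -lt $cutoff)
    } | ForEach-Object {
        $p = $_
        # Resolve the SID to an account name; a deleted AD account leaves an
        # orphaned SID, which is reported as-is.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$p.SID).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $p.SID
        }
        [pscustomobject]@{
            Account   = $account
            LocalPath = $p.LocalPath
            LastUse   = $p.LastUseTime
            Instance  = $p
        }
    }
}

function Remove-StaleLocalProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$OlderThanDays = 7, [string[]]$Exclude = @())
    foreach ($entry in Get-StaleLocalProfile -OlderThanDays $OlderThanDays -Exclude $Exclude) {
        if ($PSCmdlet.ShouldProcess("$($entry.Account) ($($entry.LocalPath))", 'Remove local profile')) {
            # Removing the Win32_UserProfile instance deletes the profile folder and
            # its ProfileList registry entry together, unlike a plain folder delete.
            Remove-CimInstance -InputObject $entry.Instance
        }
    }
}

# Usage: preview first with -WhatIf, then run without it. 'svc_storefront' is a
# placeholder for a service account whose profile must stay.
Get-StaleLocalProfile -OlderThanDays 7 -Exclude 'svc_storefront' | Format-Table Account, LocalPath, LastUse
Remove-StaleLocalProfile -OlderThanDays 7 -Exclude 'svc_storefront' -WhatIf
```

Scheduled with a daily task under an account that has local administrator rights, this keeps the profile list on the StoreFront servers from growing without deleting anything currently in use.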
Citrix Online
1. StoreFront might be configured to add the Citrix Online icons. To remove them, on the left click the
Stores node.
2. Right-click the store, and click Configure Store Settings.
3. On the Citrix Online Integration page, uncheck all three boxes, and click OK.
If you did a clean install of StoreFront 3.5 or newer, then the newer UI will already be enabled, but Unified
Experience might not be. If you upgraded from StoreFront 2.6 or older, then you can disable the Classic
UI to enable the newer UI.
1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.
2. Click Configure.
3. On the Receiver Experience page, select Disable classic experience. Click OK, and click Close.
4. On the left, click Stores. Right-click the store, and click Configure Unified Experience.
5. Check the box next to Set the unified Receiver experience as the default for this store and click
OK.
If the Unified Receiver appearance is enabled, you can go to Stores > Manage Receiver for Web Sites >
Configure > Customize Appearance to change logos and colors. Additional customization can be
performed using the SDK.
You can also Manage Featured App Groups.
These Featured App Groups are displayed at the top of the Apps > All page.
By default, Featured App Groups are displayed with continual horizontal scrolling. This is OK if you have
several Featured App Groups but doesn't look right if you only have one Featured App Group.
Michael Bednarek has posted some code at Citrix Discussions to disable the continuous horizontal scrolling.
1. On the left click the Stores node. Right-click the store and click Manage Receiver for Web Sites.
2. Click Configure.
3. On the Authentication Methods page, if desired, check the box next to Domain pass-through. Click
OK.
4. If the StoreFront URL is in the browser's Local Intranet zone, then you'll see a prompt to
automatically Log On. This only appears once.
3. Click Configure.
4. On the Deploy Citrix Receiver page, change the drop-down to Use Receiver for HTML5 if local
Receiver is unavailable.
5. By default, the HTML5 session opens in a new tab. You can optionally enable Launch applications in
the same tab as Receiver for Web. See Configure Citrix Receiver for HTML5 use of browser tabs at
docs.citrix.com for more information.
6. Click OK, and then click Close.
7. Download the latest Receiver for HTML5 (version 2.4) and install it on one of the StoreFront
servers. It installs silently. When you propagate changes, the Receiver for HTML5 will be copied to
the other server.
8. To see the installed version of HTML5 Receiver, click the Stores node on the left. In the middle
pane, in the bottom half, switch to the Receiver for Web Sites tab.
9. Customer Experience Improvement Program (CEIP) is enabled by default. To disable it, edit the
file C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js.
12. Optionally, install Citrix PDF Printer on the VDAs. The PDF printer is in the Additional Components
section of the HTML5 Receiver download page. This PDF printer is only used with Receiver for
HTML5, and not with regular Receiver.
13. Note: as of Receiver for HTML 2.0, it's no longer necessary to install App Switcher on the VDAs.
From About Citrix Receiver for Chrome 2.0 at Citrix Docs: The new toolbar can be disabled or customized
by editing the file C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js.
From Michael Bednarek at Citrix Discussions: There was a functionality change between StoreFront 3.0 and
StoreFront 3.5 which affects the default client used for iPads. In SF 3.5, we default to using the native
Receiver to launch apps on an iPad, as we expect this to be the majority use case. Unfortunately, on an
iPad we are unable to actually tell whether you have the Receiver app installed or not, so we can't do
anything more intelligent out of the box.
There are two ways around this. Firstly, any iPad user can change between using native Receiver and using
the HTML5 Receiver by going to the dropdown menu after logging on, and choosing Change Receiver.
This will give you the chance to choose the HTML5 Receiver (Use light version) and your choice will be
remembered for the next time you log on.
If this is no good, you can use a JavaScript customization to get back the old behaviour and make sure that
iPad users default to HTML5. See the forum post Cannot access citrix apps from ipad using HTML5 receiver
post upgrade to SF 3.5 for the JavaScript code.
If HTML5 Receiver is enabled, Chrome and Edge users have the option of selecting either native or HTML5
by clicking Change Citrix Receiver. To enable this option in IE or Firefox, see Emin Huseynov Citrix
StoreFront 3.0 and HTML5 client.
From About Citrix Receiver for Chrome 1.9 at Citrix Docs: To enable enhanced clipboard support, on every
VDA set the registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional
Formats\HTML Format\Name=HTML Format. Create any missing registry keys. This applies to both
virtual desktops and Remote Desktop Session Hosts.
Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:
1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.
2. Click Configure.
3. On the Deploy Citrix Receiver page, check the box next to Allow users to download HDX engine
(plug in).
4. Change both source drop-downs to Local files on the StoreFront server.
5. Click both Browse buttons and browse to the downloaded Receiver for Windows 4.8 and Receiver
for Mac 12.6.
8. When users connect to Receiver for Web, they will be prompted to install or upgrade. Note: this
only applies to Receiver for Web. Receiver Self-Service will not receive this prompt.
Citrix Blog Post Providing Full Receiver for Web Experience for Microsoft Edge has instructions for enabling
the Receiver Launcher for Edge. Use your preferred text editor to open web.config for the RfWeb site you
would like to configure (typically C:\inetpub\wwwroot\Citrix\StoreWeb\web.config). Locate the line like
this:
<protocolHandler enabled="true" platforms="(Macintosh|Windows NT).*((Firefox/((5[3-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))(?!.*Edge)"
Remove (?!.*Edge) and save the file.
But once you do that, you get a new switch apps prompt every time you launch an icon from Edge.
To stop the switch apps pop-up, on the client side, edit the registry, go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\receiver (create missing registry keys),
create DWORD value WarnOnOpen, and set it to 0 (zero).
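The article describes three registry values, each on a different machine: the CEIP opt-out on the StoreFront server (Initial Configuration section), the HTML Format clipboard value on every VDA (Receiver for Chrome 1.9 note above), and the WarnOnOpen value on client machines just described. Each requires any missing parent keys to be created first. The following is an added example, not code from the article or from Citrix: one idempotent helper that creates the key path on demand, skips values that are already correct, and reports what it changed. Run only the calls that apply to the machine you are on.

```powershell
# Added example, not code from the article or from Citrix: one helper for the
# registry values the article describes. Paths and value names come from the
# article; the helper itself is the assumption.

function Set-RegistryValue {
    param(
        [Parameter(Mandatory)][string]$Path,     # PowerShell drive form, e.g. HKLM:\SOFTWARE\Citrix\Telemetry\CEIP
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [ValidateSet('DWord', 'String')][string]$Type = 'DWord'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # -Force creates every missing intermediate key in the path.
        New-Item -Path $Path -Force | Out-Null
    }
    $current = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $current -and $current.$Name -eq $Value) {
        return "unchanged: $Path\$Name = $Value"
    }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    return "set: $Path\$Name = $Value"
}

# StoreFront server, 3.9 and newer: opt out of the Customer Experience Improvement Program.
Set-RegistryValue -Path 'HKLM:\SOFTWARE\Citrix\Telemetry\CEIP' -Name 'Enabled' -Value 0

# Every VDA (virtual desktops and Remote Desktop Session Hosts): enhanced clipboard
# support for Receiver for Chrome / HTML5.
Set-RegistryValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format' `
    -Name 'Name' -Value 'HTML Format' -Type String

# Client machines only: suppress the Edge "switch apps" prompt for the receiver: protocol handler.
Set-RegistryValue -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\receiver' -Name 'WarnOnOpen' -Value 0
```

Because the helper returns "unchanged" when the value is already right, it can run on every boot or from a configuration-management tool without rewriting the registry each time; on the client side, the WarnOnOpen value is better delivered through Group Policy Preferences, which this helper only mirrors for a single machine.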
Firefox 52 disabled NPAPI plug-in, which means Firefox 52 can no longer detect the locally installed Citrix
Receiver, and users will be prompted to install it. StoreFront 3.8 and newer already fixes this for Firefox 53,
but not for Firefox 52.
Search for protocolHandler. In the Firefox section, change 5[3 to 5[2. This causes the Protocol Handler to
work in Firefox 52 and newer.
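Both edits to the platforms regular expression (removing the Edge exclusion, and widening the Firefox range from 5[3-9] to 5[2-9]) change which browsers StoreFront treats as able to run the Receiver protocol handler, so it is worth seeing their effect before touching the live file. The following is an added example, not code from the article or from Citrix: it applies the two edits to a copy of a web.config built around the one protocolHandler line the article quotes (a constructed sample, not the full StoreFront file), then evaluates the pattern before and after against constructed User-Agent strings for Firefox 52, Firefox 53, Chrome and Edge. The XPath assumes the protocolHandler element carries no XML namespace, as in the line the article shows.

```powershell
# Added example, not code from the article or from Citrix: apply the two
# protocolHandler edits to a web.config copy and show which User-Agents the
# platforms regex admits before and after. The sample web.config and the
# User-Agent strings are constructed for this example.

$sampleWebConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <protocolHandler enabled="true" platforms="(Macintosh|Windows NT).*((Firefox/((5[3-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))(?!.*Edge)" />
</configuration>
'@

function Update-ProtocolHandlerPlatforms {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$AllowEdge,        # remove the (?!.*Edge) negative lookahead
        [switch]$AllowFirefox52    # change 5[3-9] to 5[2-9] in the Firefox branch
    )
    $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    $node = $xml.SelectSingleNode('//protocolHandler')   # assumes no XML namespace
    if (-not $node) { throw "No protocolHandler element found in $Path" }

    $pattern = $node.GetAttribute('platforms')
    if ($AllowEdge)      { $pattern = $pattern.Replace('(?!.*Edge)', '') }
    if ($AllowFirefox52) { $pattern = $pattern.Replace('Firefox/((5[3-9]', 'Firefox/((5[2-9]') }

    $node.SetAttribute('platforms', $pattern)
    $xml.Save($Path)
    return $pattern
}

function Test-PlatformPattern {
    param([Parameter(Mandatory)][string]$Pattern, [Parameter(Mandatory)][string[]]$UserAgents)
    foreach ($ua in $UserAgents) {
        # Same .NET regex engine StoreFront's platforms attribute is evaluated with.
        [pscustomobject]@{ Matches = [regex]::IsMatch($ua, $Pattern); UserAgent = $ua }
    }
}

# Constructed User-Agent strings, trimmed to the parts the regex inspects.
$agents = @(
    'Mozilla/5.0 (Windows NT 10.0; rv:52.0) Gecko/20100101 Firefox/52.0'
    'Mozilla/5.0 (Windows NT 10.0; rv:53.0) Gecko/20100101 Firefox/53.0'
    'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/58.0.3029.110 Safari/537.36'
    'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/58.0.3029.110 Safari/537.36 Edge/15.15063'
)

# Work on a copy in %TEMP%, never on the live StoreWeb\web.config.
$work = Join-Path $env:TEMP 'StoreWeb-web.config'
Set-Content -LiteralPath $work -Value $sampleWebConfig -Encoding UTF8

$before = ([xml](Get-Content -LiteralPath $work -Raw)).SelectSingleNode('//protocolHandler').GetAttribute('platforms')
$after  = Update-ProtocolHandlerPlatforms -Path $work -AllowEdge -AllowFirefox52

'Before:'; Test-PlatformPattern -Pattern $before -UserAgents $agents | Format-Table -AutoSize  # Firefox/53 and Chrome only
'After:';  Test-PlatformPattern -Pattern $after  -UserAgents $agents | Format-Table -AutoSize  # all four match
```

With the original pattern only Firefox 53 and Chrome match; the Edge User-Agent fails on the lookahead because it also carries a Chrome token, and Firefox 52 falls outside 5[3-9]. After the two edits all four match, which is exactly the behaviour the article describes. Point the function at the real path once the result on the copy is what you expect.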
Now when users connect, they are prompted to Detect Receiver, just like Chrome.
1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.
2. Click Configure.
3. On the Session Settings page, set the Session timeout as desired, and click OK.
4. If you are using a NetScaler, you will need to change the Global Session Timeout located at
NetScaler Gateway => Global Settings => Change Global Settings => Client Experience => Session
Time-out (mins). I changed mine to 720; there is a screenshot below for you to reference:
5. From CTX215701 Storefront page session time-out: If you increase the session timeout for RfWeb
to be more than 1 hour, you have to also increase the maxLifetime appropriately
in c:\inetpub\wwwroot\Citrix\Authentication\Web.config.
6. If your desired timeout value is greater than 8 hours, you should also edit tokenLifeTime in
c:\inetpub\wwwroot\Citrix\StoreWeb\web.config.
Default Tab
1. By default, when a user logs in to StoreFront, the Favorites tab is selected. Users can go to other
tabs to add icons to the list of Favorites.
2. You can completely remove the Favorites tab by going to Stores > Configure Store Settings > User
Subscriptions, and choose Disable User Subscriptions (Mandatory Store).
3. You can change the default tab and tab visibility by going to the Stores > Manage Receiver for Web
Sites > Configure > Client Interface Settings page.
4. When publishing applications in Studio, specify a Category so the applications are organized into
folders.
5. If you change the default tab to Applications, then you might also want to default to the Categories
view instead of the All view.
Beacons
2. Configure an Internal Beacon. Receiver Self-Service tries to connect to the Internal Beacon to
determine if Receiver is currently internal or not. If the Internal Beacon is reachable then Receiver
Self-Service assumes it is internal, and thus connects to the StoreFront Base URL. If the Internal
Beacon is not reachable, then Receiver Self-Service assumes it is external and thus connects to
NetScaler Gateway. For this to work properly, the Internal Beacon must not be resolvable
externally.
If you are not doing Single FQDN, then the Internal Beacon can be the StoreFront FQDN since the
StoreFront FQDN is usually only available internally.
If you are doing Single FQDN, then you can't use the StoreFront FQDN. Instead, you must use a
different internal website for the beacon. If you need to support internal iPads, due to differences
in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the
StoreFront Load Balancing VIP thus requiring the StoreFront certificate to match both the Internal
Beacon and the Base URL. If internal iPads are not needed, then the Internal Beacon can be any
internal website.
If you want to force internal Receiver Self-Service users to connect through NetScaler Gateway (for
AppFlow reporting), you can set the Internal Beacon to a fake URL. Since the Internal Beacon is
never resolvable, Receiver Self-Service always uses NetScaler Gateway. Or you can use Optimal
Gateway to achieve the same goal.
3. The External beacons are used by Receiver Self-Service to determine if the Receiver Self-Service has
Internet access or not. You can use any reliable Internet DNS name. Click OK when done.
Propagate Changes
Any time you make a change on one StoreFront server, you must propagate the changes to the other
StoreFront server.
1. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
2. You might see a message saying that you made changes on the wrong server.
Use the following PowerShell cmdlets to export StoreFront Configuration into a .zip file (encryption
optional) and import to a different StoreFront server group:
Export-STFConfiguration
Import-STFConfiguration
See Export and import the StoreFront configuration at Citrix Docs for details.
Auto-Favorite
To force a published application to be favorited (subscribed), use one of the following keywords in the
published application description:
KEYWORDS: Auto = the application is automatically subscribed. But users can remove the favorite.
KEYWORDS: Mandatory = the application is automatically subscribed and users cannot remove the
favorite.
With Mandatory applications there is no option to remove the application from Favorites.
Logon Simulator
ControlUp has a free Logon Simulator for StoreFront and NetScaler Gateway. You can run it on any
machine to periodically test app launches from StoreFront.
The tool creates entries in the Application Log in Event Viewer. The events can be consumed by your
monitoring tool.
StoreFront 3.5 through 3.11 Tweaks
Last Modified: May 28, 2017 @ 10:50 am
This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.
When the StoreFront server checks certificate revocation for its locally signed files, a delay can occur
before the StoreFront logon page is displayed.
6. Click Advanced.
7. On the WINS tab, change the selection to Disable NetBIOS over TCP/IP and click OK twice and
Close once.
Receiver Shortcuts
6. Note: if subscriptions are enabled in StoreFront then only Favorites are added to the Start Menu
and Desktop. If subscriptions are disabled then all applications are placed on the Start Menu or
Desktop.
Default Store
To fix this, in the StoreFront console, right-click the store, and click Configure XenApp Services Support.
In the bottom of the window, select the Default store, and click OK.
Now PNAgent can point to StoreFront without needing to specify a custom path. Note: this only works for
/Citrix/PNAgent/config.xml.
Single Sign-on
From Configure authentication for XenApp Services URLs at Citrix Docs: XenApp Services URLs support
explicit, domain pass-through, and pass-through with smart card authentication. Explicit authentication is
enabled by default. You can change the authentication method, but only one authentication method can
be configured for each XenApp Services URL. To enable multiple authentication methods, create separate
stores, each with a XenApp Services URL, for each authentication method. To change the authentication
method for a XenApp Services URL, you run a Windows PowerShell script.
1. On the primary StoreFront server in your deployment, use an account with local administrator
permissions to start Windows PowerShell.
2. At a command prompt, type the following command to configure the user authentication method
for users accessing the store through the XenApp Services URL.
Remember my password
If you leave PNAgent authentication set to Prompt, you can enable the Remember my password box by
doing the following:
Hide Applications
You can hide all icons of a particular type (Applications, Desktops, Documents). Or you can hide icons with
a specific keyword.
Go to Stores > MyStore > Configure Store Settings > Advanced Settings and look for the Filter options.
Filter resources by type lets you hide all Applications or all Desktops. If you are running Receiver inside a
published desktop, then you probably don't want desktop icons to be delivered by Receiver. In that case,
create a new Store and filter the Desktop icons. Then only the application icons will be delivered.
Filter resources by excluded keywords lets you filter published icons that match a custom keyword.
Once the ExcludeKeyword has been defined, add the keyword to a published application or published
desktop description and that application/desktop will no longer display in Receiver. This works for both
Receiver for Web and Receiver Self-Service (non-browser).
In XenDesktop 7.9 and newer, to assign a description to a Desktop, you edit the Delivery Group, go to the
Desktops page, and edit one of the Desktops. Citrix CTX220429 Configure Resource Filtering to Allow
Desktops to be filtered on Storefront.
Desktop Autolaunch
By default, if only a single desktop is published to the user, Receiver for Web will auto-launch it. You can
change this behavior by going to Stores > MyStore > Manage Receiver for Web Sites > Configure > Client
Interface Settings and unchecking the box next to Auto launch desktop.
Citrix CTX139762 How to Configure StoreFront to Start Published Desktops in Full Screen Mode: This article
describes how to configure StoreFront to start published desktops in Full Screen Mode.
Autolaunch Application
If you intend to publish applications to anonymous users then you can create a StoreFront store that does
not require authentication. Note: anonymous stores only work internally (no NetScaler Gateway).
4. In the Store Name and Access page, enter a new store name.
5. Check the box next to Allow only unauthenticated users to access this store.
6. Then click Next and finish the wizard like normal.
7. Anonymous stores are hidden by default. When performing discovery in Receiver youll need to
enter the full path to the store (e.g. https://storefront.corp.com/Citrix/Anon/discovery).
Workspace Control
Workspace Control reconnects user sessions. It can be disabled, or you can configure various reconnection
options. Citrix Blog Post Workspace Control: When You DON'T Want to Roam details complete session
reconnection configuration instructions for XenApp, Remote Desktop Services, StoreFront, and Receiver.
Go to Stores > MyStore > Manage Receiver for Web Sites > Configure > Workspace Control page.
Receiver Self-Service
Citrix Blog Post How to Disable Workspace Control Reconnect: For Receiver for Windows, workspace
control can be managed on client devices by modifying the registry. Please see this Knowledgebase
Article for how to implement it. This can also be done for domain-joined client devices using Group Policy.
In StoreFront Console, go to Stores > MyStore > Configure Store Settings > Advanced Settings and theres
a setting for Allow session reconnect.
From Treating All Desktops as Applications at Citrix Blog Post What's New in StoreFront 3.0: Desktops are
treated differently from applications in StoreFront/Receivers. They are placed in a separate Desktop tab
and in the case of Receiver for Web, they are not reconnected with workspace control. In some use cases,
it is desirable to treat desktops as applications so that they are placed together with applications and get
reconnected as part of workspace control. With StoreFront 2.x, you have to add the TreatAsApp keyword
to all published desktops to achieve this effect. StoreFront 3.0 enables you to configure treating all
desktops as applications at the store level without the need of adding the TreatAsApp keyword to all the
published desktops. This is configurable using a PowerShell cmdlet.
In StoreFront Console, go to Stores > Configure Store Settings > Advanced Settings and there's an option
for Allow special folder redirection.
By default, when Receiver Self-Service connects internally to StoreFront, the user is able to check the box
next to Remember my password. Note: When connecting through NetScaler Gateway, this checkbox is
never available.
This can be disabled by making a change on the StoreFront server. This procedure is documented by John
Ashman at Citrix Discussions and Prevent Citrix Receiver for Windows from caching passwords and
usernames at docs.citrix.com.
1. Note that this procedure seems to prevent Receiver for iOS from adding accounts.
2. On the StoreFront server, run a text editor elevated (as administrator).
From Citrix Discussions: to disable the Activate function for Citrix Receiver for Windows that is visible
when a user clicks their username in the upper right hand corner of Receiver for Web, in StoreFront
Console, go to Stores > MyStore > Manage Receiver for Web Sites > Configure > Client Interface Settings
page. There's a checkbox for Enable Receiver configuration.
localStorage["showFtu"] = false;
From Citrix Blog Post Logging Off Receiver for Web after an Application/Desktop Launch: Simply add the
following code snippet to script.js in the custom folder for the Receiver for Web site (typically
C:\inetpub\wwwroot\Citrix\StoreWeb\custom\) you would like to customize:
CTXS.Extensions.beforeWebLogoffIca = function(action) {
return 'none';
};
StoreFront 3.x customizations are visible in both Receiver for Web and in Receiver Self-Service.
If you are load balancing StoreFront and want to put the server name on the webpage, see Nicolas
Ignoto Display server name with Citrix StoreFront 3.
Nicolas Ignoto Lab: Part 22 Ultimate StoreFront 3 customization guide contains many StoreFront
customizations including:
Add disclaimer
Change logo/background
Add header
Add text
Change colors
Etc.
Citrix Blog Post Citrix Customization Cookbook contains a collection of customizations including:
Add Static or dynamic (read from file) text to the header and/or footer of the login page.
Click-through disclaimer before or after login page
Footer for every page
Default to Folder view when visiting the Apps tab
Change default text
Change background images for featured categories
Background image
Citrix Blog Post Storefront 3 Web Customization: Branding Your Deployment describes how to modify the
following CSS to customize the appearance of StoreFront 3.x
Background images
Logon button
Colors for page and text
How to view the mobile version of the page
CSS for mobile pages
Jason Samuel Upgrading Citrix StoreFront 2.6 to StoreFront 3.0 Things to Know details how to change the
StoreFront logo to a Receiver logo.
Citrix Blog Post StoreFront Message Customization describes how to add a scrolling message to the top of
the screen. This is displayed in both Browsers and Receivers. This post contains a new version of the
executable that supports StoreFront 3.0 and newer.
Migrate Web Interface features to StoreFront at Docs.citrix.com details how to configure Web Interface
features in StoreFront. This includes:
StoreFront 3.0 Receiver Customization APIs are detailed at Citrix Developer. Use the Receiver
Customization API to brand or customize your end users' app and desktop selection experience beyond
capabilities provided in the StoreFront admin console. Customizations apply to latest Web, Chrome,
Windows, Mac and Linux clients, and will be extended to mobile devices in future releases.
An example use case for the StoreFront 3.0 APIs is Citrix Blog Post Citrix Recipe Box: StoreFront
Approvals. This code enables StoreFront to require workflow approval when a user subscribes to an
app.
CTX221097 How to rename items on StoreFront? describes the strings that can be changed.
1. Go to C:\inetpub\wwwroot\Citrix\<StoreName>Web\custom
2. Open strings.en.js file
3. See below for an example of overriding one of the built-in strings. See the article for the full list of
strings.
Citrix Blog Post X1 Customization: Going deeper with CSS describes the following:
Use CSS (/custom/style.css) to style the three custom regions (#customTop, #customBottom,
#customScrollTop). Shown below in red, blue, and pink.
Marker classes for showing/hiding or highlighting parts of the UI: large display, small display, high
DPI, Favorites view, Desktops view, Apps view, appinfo view.
Use jQuery to add HTML code to custom regions (e.g. #customScrollTop) including using CSS to hide
the HTML code unless a specific tab is selected by the user.
Citrix Blog Post Rewriting the Session ClientName from StoreFront: I would like to offer the following
customisation DLL which can apply client name rewrites based on a template. The customisation template
can be any string, but where that string contains a particular token, the token will be replaced by some
information from the User Context. If the intent was just to replace the ClientName with the user name,
the template is then just $U. More details and the .dll file are in the blog post.
See CTP Jason Samuel How to rewrite the Client Name in Citrix StoreFront 3.9 using StoreFront SDK
for detailed info on how to implement this customization in StoreFront 3.8, and how to handle
upgrades.
StoreFront Store Customization SDK at Citrix Developer: The Store Customization SDK allows you to apply
custom logic to the process of displaying resources to users and to adjust launch parameters. For example,
you can use the SDK to control which apps and desktops are displayed to users, to change ICA virtual
channel parameters, or to modify access conditions through XenApp and XenDesktop policy selection. Key
Customization Points:
Post-Enumeration
Post-Launch ICA File
Post-Session Enumeration
Access Conditions (pre-launch and pre-enumeration)
Provider List
Device information
Citrix Blog Post Adding a Language to StoreFront 3.0: A new language pack is comprised of a culture
definition file, a string bundle file and a custom string bundle file. See the Blog Post for more details.
To change the StoreFront page title, see Sam Jacobs How to Change the Page Title in Citrix Receiver 3.x at
mycugc.org.
Customizations detailed at topic Modify Receiver for Web site at Citrix Discussions:
StoreFront SDKs
StoreFront Store Customization SDK Use the Store Customization SDK to apply custom logic to the
process of displaying resources to users and to adjust launch parameters. For example, you can use the
SDK to control which apps and desktops are displayed to users, to change ICA virtual channel parameters,
or to modify access conditions through XenApp and XenDesktop policy selection.
StoreFront Web API Receiver for Web is a component of Citrix StoreFront that provides access to
applications and desktops using a Web browser. It consists of a User Interface tier and a StoreFront
Services Web Proxy tier.
StoreFront Authentication SDKs With StoreFront 3.0, we have introduced a new Unified UI that is
delivered from StoreFront to Receiver on all client platforms. Use the Receiver Customization API to brand
or customize your end users' app and desktop selection experience beyond capabilities provided in the
StoreFront admin console. Customizations apply to latest Web, Chrome, Windows, Mac and Linux clients,
and will be extended to mobile devices in future releases.
StoreFront PowerShell SDK Citrix StoreFront provides an SDK based on a number of Microsoft Windows
PowerShell version 3.0 modules. With this SDK, you can perform the same tasks as you would with the
StoreFront MMC console, together with tasks you cannot do with the console alone.
See NetScaler Gateway 11 > Portal Themes. Build 62 and newer have a built-in X1 theme.
You can make the NetScaler Gateway 10.5 logon page look like the Receiver for Web in StoreFront 3.0.
Visit Citrix Blog Post X1 Skin for NetScaler Gateway to download an already developed theme package. Or
see one of the following for instructions to manually edit the NetScaler Gateway theme to match
StoreFront 3.x
4. In NetScaler GUI, go to NetScaler Gateway > Global Settings > Change Global Settings.
6. At the bottom, if the current UI Theme is Green Bubble, change it to Default. Then go back into the
screen and change it back to Green Bubble. This causes the theme to reload. Click OK.
7. The logon page should now look more like Receiver for Web in StoreFront 3.0.
StoreFront Load Balancing NetScaler 11.1
Last Modified: Oct 18, 2016 @ 12:43 pm
Monitor
Note: This is a Perl monitor, which uses the NSIP as the source IP. You can use RNAT to override this as
described in CTX217712 How to Force scriptable monitor to use SNIP in Netscaler in 10.5.
1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
5. If you will use SSL to communicate with the StoreFront servers, then scroll down, and check the box
next to Secure.
add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store
Servers
1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
3. Enter a descriptive server name, usually it matches the actual server name.
4. Enter the IP address of the server.
5. Enter comments to describe the server. Click Create.
Service Group
1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
2. On the right, click Add.
7. If you did not create server objects then enter the IP address of a StoreFront Server. If you
previously created a server object then change the selection to Server Based and select the server
objects.
8. Enter 80 or 443 as the port. Then click Create.
9. Click OK.
15. To verify that the monitor is working, on the left, in the Service Group Members section, click the
Service Group Members line.
16. Click the ellipsis next to a member and click Monitor Details.
17. The Last Response should be Success Probe succeeded. Click Close twice.
add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For
bind serviceGroup svcgrp-StoreFront-SSL SF01 443
bind serviceGroup svcgrp-StoreFront-SSL SF02 443
bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront
25. If the Service Group is http and you don't have certificates installed on your StoreFront servers (aka
SSL Offload) then you'll need to enable loopback in StoreFront.
1. In StoreFront 3.5 and newer, you enable it in the GUI console.
2. In StoreFront 3.0, run the following commands on the StoreFront 3.0 servers as detailed at
Citrix Blog Post What's New in StoreFront 3.0.
&amp; "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp
1. Create or install a certificate that will be used by the SSL Offload Virtual Server. This certificate must
match the DNS name for the load balanced StoreFront servers. For email discovery in Citrix
Receiver, the certificate must either be a wildcard (*.corp.local) or have a subject alternative name
for discoverReceiver.domain.com (domain.com = email address suffix)
2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
9. On the left, in the Services and Service Groups section, click where it says No Load Balancing
Virtual Server ServiceGroup Binding.
10. Click the arrow next to Click to select.
16. Select the certificate for this StoreFront Load Balancing Virtual Server and click Select.
20. On the left, in the Persistence section, select SOURCEIP. Do NOT use COOKIEINSERT persistence or
Android devices will not function correctly.
21. Set the timeout to match the timeout of Receiver for Web.
22. The IPv4 Netmask should default to 32 bits.
23. Click OK.
24. If the NetScaler communicates with the StoreFront servers using HTTP (aka SSL Offload 443 on
client-side, 80 on server-side), and if you have enabled the Default SSL Profile, then you'll either
need to edit the Default SSL Profile to include the SSL Redirect option, or create a new custom SSL
Profile with the SSL Redirect option enabled, and then bind the custom SSL Profile to this vServer.
25. If the default SSL Profile is not enabled, then you'll need to edit the SSL Parameters section on the
vServer, and at the top right, check the box next to SSL Redirect. Otherwise the Receiver for Web
page will never display.
When connecting to StoreFront through load balancing, if you want to put the server name on the
StoreFront webpage so you can identify the server, see Nicolas Ignoto Display server name with Citrix
StoreFront 3.
Users must enter https:// when navigating to the StoreFront website. To make it easier for the users,
enable SSL Redirection.
This procedure details the SSL Load Balancing vServer method of performing an SSL redirect. An alternative
is to use the Responder method.
1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
2. On the right, find the SSL Virtual Server you've already created, click the ellipsis next to it and click
Edit.
8. This method does not add any new vServers to the list so it's not easy to see if this is configured.
2. The DNS name for StoreFront load balancing must be different than the DNS name for NetScaler
Gateway, unless you are following the Single FQDN procedure.
3. In the Citrix StoreFront console, right-click Server Group and click Change Base URL.
4. Enter the new Base URL in https://storefront.corp.com format. This must match the certificate that
is installed on the load balancer. Click OK.
If you have multiple StoreFront clusters (separate datacenters), you might want to replicate subscriptions
between them. StoreFront subscription replication uses TCP port 808. To provide High Availability for this
service, load balance TCP port 808 on the StoreFront servers. See Configure subscription synchronization at
Citrix Docs for more information.
1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
7. Change the selection to Server Based and select the StoreFront servers.
8. Enter 808 as the port. Then click Create.
9. Click OK.
11. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
18. On the right, click the ellipsis next to the existing StoreFront Load Balancing vServer, and click Add.
24. Click where it says No Load Balancing Virtual Server ServiceGroup Binding.
Favorites/Subscriptions Overview
By default, StoreFront allows users to select applications as their Favorites. These subscribed applications
are then displayed in the Favorites view of Receiver. Administrators can also use KEYWORDS in published
application descriptions to auto-favorite an application.
The Favorites (subscriptions) are stored in a file database on each StoreFront server and are automatically
replicated to every StoreFront server in a local Server Group. For StoreFront servers in multiple
datacenters, you can configure replication of subscriptions between Server Groups. This provides a
consistent user interface no matter which datacenter the user connects to.
If you have different StoreFront clusters (server groups) in multiple datacenters, you probably want to
replicate subscriptions between them. For more information, see What Subscriptions and Server Groups
Mean for StoreFront Designs.
Docs.citrix.com Configure two StoreFront stores to share a common subscription datastore: It is common
for administrators to configure StoreFront with two distinct stores; one for external access to resources
using Netscaler Gateway and another for internal access using the corporate LAN. You can configure both
external and internal stores to share a common subscription datastore by making a simple change to
the store web.config file.
For two stores to share a subscription datastore, you need only point one store to the subscription service
end point of the other store. Note: The XenApp, XenDesktop and AppC controllers configured on each
store must match exactly; otherwise, an inconsistent set of resource subscriptions on one store might
occur. Sharing a datastore is supported only when the two stores reside on the same StoreFront server or
server group deployment.
<subscriptionsStoreClient enabled="true">
<clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_External" authenticationMode="windows"
transferMode="Streamed">
<clientCertificate thumbprint="0" />
</clientEndpoint>
</subscriptionsStoreClient>
Change the external to match the internal store endpoint. Then Propagate Changes.
<subscriptionsStoreClient enabled="true">
<clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_Internal" authenticationMode="windows"
transferMode="Streamed">
<clientCertificate thumbprint="0" />
</clientEndpoint>
</subscriptionsStoreClient>
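The endpoint change above, scripted as an added PowerShell example (not from the article or from Citrix): it reads the Internal store's clientEndpoint uri and writes it into the External store's web.config after taking a backup. The two web.config paths are assumptions about where the store configuration lives; the script does not compare the controller lists of the two stores, which still has to match as noted above.

```powershell
# Added example, not from the article: make the External store use the Internal
# store's subscription datastore by copying its clientEndpoint uri.
# Assumed paths (adjust to your deployment): C:\inetpub\wwwroot\Citrix\<StoreName>\web.config
# Run elevated on one StoreFront server, then Propagate Changes from the console.
param(
    [string]$InternalStoreConfig = 'C:\inetpub\wwwroot\Citrix\Internal\web.config',
    [string]$ExternalStoreConfig = 'C:\inetpub\wwwroot\Citrix\External\web.config'
)

function Get-StoreConfigXml([string]$ConfigPath) {
    # Load with whitespace preserved so the saved file keeps its original layout
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)
    $xml
}

function Get-SubscriptionEndpointNode([System.Xml.XmlDocument]$Xml, [string]$ConfigPath) {
    # Namespace-agnostic XPath, in case the Citrix sections declare a default namespace
    $node = $Xml.SelectSingleNode("//*[local-name()='subscriptionsStoreClient']/*[local-name()='clientEndpoint']")
    if (-not $node) { throw "No subscriptionsStoreClient/clientEndpoint element in $ConfigPath" }
    $node
}

$internalXml = Get-StoreConfigXml -ConfigPath $InternalStoreConfig
$target = (Get-SubscriptionEndpointNode -Xml $internalXml -ConfigPath $InternalStoreConfig).GetAttribute('uri')

# Sanity check: the endpoint is a local named pipe such as
# net.pipe://localhost/Citrix/Subscriptions/1__Citrix_Internal (the value shown in the article)
if ($target -notlike 'net.pipe://localhost/Citrix/Subscriptions/*') {
    throw "Unexpected internal subscription endpoint uri: $target"
}

$externalXml = Get-StoreConfigXml -ConfigPath $ExternalStoreConfig
$externalNode = Get-SubscriptionEndpointNode -Xml $externalXml -ConfigPath $ExternalStoreConfig
$current = $externalNode.GetAttribute('uri')
if ($current -eq $target) {
    Write-Host "External store already uses $target; nothing to change"
    return
}

# Keep a timestamped copy of the untouched file before editing it
$backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $ExternalStoreConfig, (Get-Date)
Copy-Item -Path $ExternalStoreConfig -Destination $backup

$externalNode.SetAttribute('uri', $target)
$externalXml.Save($ExternalStoreConfig)
Write-Host "External store subscription endpoint changed from $current to $target (backup: $backup)"
```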
Delete Favorites/Subscriptions
From Citrix Discussions: You can delete subscriptions using the subscription store PowerShell API and some
file editing:
1. If StoreFront 3.5 or newer, run the following (from Citrix CTX216295 How to Export and Import
StoreFront Subscription Database on Storefront 3.6):
$store = Get-STFStoreService
Export-STFStoreSubscriptions -Store $store -FilePath "$env:userprofile\desktop\subscriptions.txt"
2. If StoreFront 3.0.1 or older, run the following PowerShell (using Run As Administrator
when opening the PowerShell Console and not missing the . (i.e. dot space) at the start of
the first command):
. 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'
Export-DSStoreSubscriptions -StoreName MyStore -FilePath .\subscriptions.txt
3. Stop the Citrix Subscriptions Store Service on all StoreFront servers in the deployment.
4. Find the subscription store database folder
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\1__Citrix_Store
on each StoreFront server. Delete the contents of this folder (do not delete the folder
itself). Note: If UAC is enabled then you might have to go
to C:\Windows\ServiceProfiles\NetworkService first and then drill down into the remaining
folders. AppData is a hidden folder.
5. Restart the Citrix Subscriptions Store Service on all StoreFront servers in the deployment. Open
Event Viewer and, in the left pane, navigate to Applications and Services Logs > Citrix Delivery
Services. Search for events logged by the Citrix Subscriptions Store Service with an Event ID of 3
and a Task Category of 2901. Ensure that an entry is logged for each store on every server in the
deployment before continuing.
6. Backup subscriptions.txt, then edit to remove any entries you want to delete.
7. If StoreFront 3.5 or newer, run the following PowerShell commands to restore your subscriptions:
$store = Get-STFStoreService
Import-STFStoreSubscriptions -Store $store -FilePath "$env:userprofile\desktop\subscriptions.txt"
Each row of the exported subscriptions file is a tab-separated list of user-sid, resource-id, subscription-id,
subscription-status followed by zero or more subscription-property name-value pairs.
To delete all subscriptions for a particular user, you will need to find the user's SID and then delete all rows
starting with that value.
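The file-editing part of this procedure as an added PowerShell example (not from the article or from Citrix): it exports with the StoreFront 3.5+ cmdlets shown above, drops every row whose first (user-sid) column equals the given SID, and writes the filtered file back. The SID and file path are parameters you supply; the stop, clear and restart of the Subscriptions Store Service (steps 3 to 5) are still done by hand before the import.

```powershell
# Added example, not from the article: delete every subscription belonging to one user
# by filtering the exported subscriptions file on its first (user-sid) column.
# Requires StoreFront 3.5 or newer (Get-STFStoreService, Export-/Import-STFStoreSubscriptions).
# $UserSid is a caller-supplied placeholder; no real SID is assumed here.
param(
    [Parameter(Mandatory)][string]$UserSid,
    [string]$ExportPath = "$env:userprofile\desktop\subscriptions.txt"
)

function Remove-SubscriptionRowsForSid {
    # Returns the rows to keep. Each row is tab-separated:
    # user-sid, resource-id, subscription-id, subscription-status, then optional name/value pairs.
    param([string[]]$Rows, [string]$Sid)
    foreach ($row in $Rows) {
        if ([string]::IsNullOrWhiteSpace($row)) { continue }
        $fields = $row -split "`t"
        # Compare the whole first column rather than a prefix, so that
        # S-1-5-21-...-1001 does not also match S-1-5-21-...-10010.
        if ($fields[0] -ne $Sid) { $row }
    }
}

# Domain user SIDs look like S-1-5-21-<domain>-<rid>; warn (not abort) on anything else
if ($UserSid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
    Write-Warning "'$UserSid' does not look like a domain user SID; check the first column of the export"
}

# Step 1: export the current subscriptions (cmdlets as shown in the article)
$store = Get-STFStoreService
Export-STFStoreSubscriptions -Store $store -FilePath $ExportPath

# Step 6: back up the untouched export before editing it
Copy-Item -Path $ExportPath -Destination "$ExportPath.bak" -Force

$rows = [System.IO.File]::ReadAllLines($ExportPath)
$kept = @(Remove-SubscriptionRowsForSid -Rows $rows -Sid $UserSid)
$removed = $rows.Count - $kept.Count
Write-Host "Removing $removed of $($rows.Count) subscription rows for $UserSid"
if ($removed -eq 0) {
    Write-Warning "No rows matched $UserSid; nothing was removed from $ExportPath"
}

# Write UTF-8 without a BOM so the file keeps the plain tab-separated layout the import reads
[System.IO.File]::WriteAllLines($ExportPath, [string[]]$kept)

# Steps 3 to 5 (stop the Citrix Subscriptions Store Service on every server, clear the
# datastore folder, restart and check the event log) happen before the import; otherwise
# the removed rows are still present in the datastore. Then run step 7:
Write-Host "After clearing the datastore on all servers, run:"
Write-Host "  Import-STFStoreSubscriptions -Store `$store -FilePath `"$ExportPath`""
```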
StoreFront 3.5 through 3.11 Configuration for NetScaler Gateway
This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.
1. See the NetScaler pages for instructions on configuring NetScaler Gateway for StoreFront.
2. In the StoreFront Console, right-click the Store and click Manage Authentication Methods.
4. If you need the SmartAccess feature, then you need to configure StoreFront to perform an authentication
callback to a NetScaler Gateway Virtual Server on the same appliance that authenticated the user.
1. If you need SmartAccess and are doing Single FQDN then the Callback FQDN must be different than
the Single FQDN.
2. If you need SmartAccess and are doing different FQDNs for Gateway and StoreFront, then the
Callback FQDN is usually the same as the Gateway FQDN.
3. Make sure the StoreFront server can resolve the Callback FQDN to a Gateway VIP (with matching
certificate). One option is to edit the C:\Windows\System32\drivers\etc\hosts file and add an entry
for the Callback FQDN.
4. After configuring the HOSTS file, on the StoreFront server, open a browser and navigate to the DNS
name. Make sure the Gateway vServer logon page appears.
5. In the StoreFront Console, right-click Stores, and click Manage NetScaler Gateways.
6. If StoreFront 3.6 or newer, notice the imported from file link on top. This is a new feature of NetScaler 11.1.
See Citrix Blog Post NetScaler Gateway Deployment Configuration for StoreFront, Simplified! for details.
7. If you're not using the config file from NetScaler 11.1 and newer, click Add.
8. In the General Settings page, enter a display name. This name appears in Citrix Receiver so make it
descriptive.
9. Enter the NetScaler Gateway Public URL. This can be a GSLB-enabled DNS name. Click Next.
11. Enter the URL to a XenDesktop Controller. This can be http or https.
12. Continue adding Secure Ticket Authorities (XenDesktop Controllers). Whatever Secure Ticket Authorities you
add here must also be added to the NetScaler Gateway Virtual Server on the NetScaler appliance. Click Next.
13. In the Authentication Settings page, if you have multiple Gateways (on separate appliance pairs) connecting
to one StoreFront server then you'll need to enter the vServer IP address (VIP) of the NetScaler
Gateway Virtual Server so StoreFront can differentiate one NetScaler Gateway from another. If there's only
one Gateway communicating with this StoreFront server group, then leave the VServer IP address field
empty.
14. If you need SmartAccess, then enter the Callback URL.
o The Callback URL must resolve to any NetScaler Gateway VIP on the same appliance that
authenticated the user. For multi-datacenter, edit the HOSTS file on the StoreFront server so it
resolves to NetScaler appliances in the same datacenter.
o The Callback URL Gateway Virtual Server must have a trusted and valid (matches the FQDN)
certificate.
o The Callback URL Gateway Virtual Server must not have client certificates set to Mandatory.
15. If you don't need SmartAccess then leave the Callback URL field empty.
16. If you enabled two-factor authentication (LDAP and RADIUS) on your NetScaler, change the Logon type to
Domain and security token. Otherwise leave it set to Domain only.
To make the NetScaler Gateway logon page look like Receiver 3.0 and newer, see one of the following:
Single FQDN
Links:
Citrix CTX200848 How to Configure Single Fully Qualified Domain Name for StoreFront and NetScaler
Gateway
Docs.citrix.com Create a single Fully Qualified Domain Name (FQDN) to access a store internally and
externally
Traditionally Receiver required separate FQDNs for StoreFront Load Balancing (internal) and NetScaler
Gateway (external). Recently Citrix made some code changes to accept a single FQDN for both. This
assumes that external users resolve the Single FQDN to a NetScaler Gateway VIP and internal users resolve
the same FQDN to StoreFront Load Balancing VIP.
Receivers:
o Receiver for Windows 4.2 or newer
o Receiver for Mac 11.9 or newer
o Mobile Receivers
o It doesn't seem to work with Linux Receiver
StoreFront 2.6 or newer
Split DNS (different DNS resolution for internal vs. external)
NetScaler 10.1 or newer
This section assumes NetScaler Gateway is in ICA Proxy mode. Different instructions are needed for when
ICA Proxy is off. See docs.citrix.com for more information.
If you don't care about email-based discovery then the configuration of Single FQDN is fairly simple.
Sample DNS names are used below. Make sure the certificates match the DNS names.
1. Internal DNS name = the Single FQDN (e.g. storefront.corp.com). Resolves to internal Load Balancing VIP for
StoreFront. Set the StoreFront Base URL to this address.
2. External DNS name = the Single FQDN (e.g. storefront.corp.com). Resolves to public IP, which is NAT'd to
NetScaler Gateway VIP on DMZ NetScaler. Set the NetScaler Gateway object in StoreFront to this FQDN.
3. If you need SmartAccess, then the Callback URL = any DNS name (e.g. callback.corp.com) that resolves to a
NetScaler Gateway VIP on the same DMZ NetScaler appliance that authenticated the user.
o If you are using Receiver for iOS internally then be aware that Receiver for iOS handles the Internal
Beacon differently than Receiver for Windows. Receiver for iOS will append /Citrix/Store/discovery
to the Internal Beacon and thus it only works if the Internal Beacon DNS name resolves to the
StoreFront server. Since you can't use the StoreFront Base URL as the Internal Beacon you'll need a
different DNS name that resolves to the StoreFront servers and matches the StoreFront certificate.
Note: if you are not allowing internal iOS devices then this isn't needed.
5. Make sure the DMZ NetScaler resolves the Single FQDN to the internal StoreFront Load Balancing VIP. You
typically add internal DNS servers to the NetScaler. Or you can create a local Address Record for the Single
FQDN.
6. In the NetScaler Gateway Session Profiles, set the Web Interface Address and the Account Services Address
to the Single FQDN.
7. That's all you need to implement Single FQDN. If you made changes to an existing StoreFront deployment,
then you might have to remove accounts from Receiver and re-add the account.
If you need email-based discovery then here's an example configuration for ICA Proxy NetScaler Gateway:
External DNS:
o Storefront.corp.com resolves to public IP, which is NAT'd to NetScaler Gateway VIP on DMZ
NetScaler.
o If email-based discovery, SRV record for _citrixreceiver._tcp.email.suffix points to
StoreFront.corp.com.
External publicly-signed certificate for NetScaler Gateway:
o One option is wildcard for *.corp.com. Assumes email suffix is also corp.com.
o Another option is the following Subject Alternative Names:
Storefront.corp.com
Callback.corp.com for callback URL. Only accessed from internal.
Or you can create a separate Gateway vServer for callback with a separate
certificate.
If email-based discovery, discoverReceiver.email.suffix
Internal DNS:
o Storefront.corp.com resolves to Load Balancing VIP for StoreFront
o Callback.corp.com resolves to NetScaler Gateway VIP on DMZ NetScaler. For authentication
callback.
o For the internal beacon, FQDN of any internal web server. Make sure this name is not resolvable
externally.
o If email-based discovery, SRV record for _citrixreceiver._tcp.email.suffix points to
StoreFront.corp.com.
Internal certificate for StoreFront Load Balancing: publicly-signed recommended, especially for mobile
devices and thin clients. Also can use the external certificate.
o One option is wildcard for *.corp.com. Assumes email suffix is also corp.com.
o Another option is the following Subject Alternative Names:
Storefront.corp.com
If email-based discovery, discoverReceiver.email.suffix
StoreFront Configuration:
Receiver for Web session policy (basic mode or ICA Only is checked):
o Policy expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
o Client Experience tab:
Session Timeout = 60 minutes
Clientless Access = Off
Clientless Access URL Encoding = Clear
Clientless Access Persistent Cookie = Deny
Plug-in Type = Java
o Security tab:
Default authorization = ALLOW
o Published Applications tab:
ICA Proxy = On
Web Interface address = https://storefront.corp.com
Web Interface Portal Mode = Normal
Single Sign-on Domain = Corp
Account Services address = https://storefront.corp.com
Multiple Datacenters / Farms
If you have StoreFront (and NetScaler Gateway) in multiple datacenters, GSLB is typically used for the
initial user connection but GSLB doesn't provide much control over which datacenter a user initially
reaches. So the ultimate datacenter routing logic must be performed by StoreFront.
StoreFront chooses datacenters at the farm level. Thus StoreFront assumes that each datacenter has a
separate XenApp/XenDesktop farm.
Citrix is beginning to add more zone-based features to support single farms stretched across datacenters,
but this functionality is not yet fully realized. The current challenge with stretched farms is that SQL is in only
one datacenter.
StoreFront can enumerate icons from multiple farms. If there are identical icons in multiple farms, then the
icons can be aggregated so that only a single icon is displayed to the user. When the user clicks the icon,
StoreFront then needs to select a datacenter (select a farm). This is typically done based on the user's
Active Directory group membership. Farms can be prioritized (active/passive). Or farms can be
active/active load balanced.
After the datacenter (farm) is selected, Optimal Gateway directs the ICA connection through the NetScaler
Gateway that is closest to the destination VDA. Optimal Gateway requires datacenter-specific DNS names
for NetScaler Gateway.
The StoreFront Console can do simple configurations. The console supports a single aggregation group and
active/passive configurations for multiple Active Directory user groups. One Active Directory user group
could have Farm A as active and Farm B as passive. A different Active Directory user group could have Farm
B as active and Farm A as passive. This is also known as Home Sites.
Complex configurations can be performed in XML files. For example, you can load balance connections
across two identical farms (active/active). See Citrix Docs Set up highly available multi-site store
configurations.
Note: if you have existing subscriptions/favorites, then enabling icon aggregation will cause the existing
subscriptions to be ignored. You can migrate the existing subscriptions by exporting, modifying, and
importing. See Subscriptions Missing after Enabling Aggregation at Citrix Discussions.
Farms: Separate XenApp/XenDesktop farms in each datacenter. This is required for two reasons: HDX
Optimal Routing, and assigning users to Home Sites.
o Zones are not yet an effective option. Citrix is still working on adding zone functionality.
NetScaler Gateways: For AppFlow reporting, NetScaler Gateway ICA Proxy is typically used both externally
and internally. Externally it is required. Internally it is used to generate AppFlow data.
FQDN: Internal users and external users use the same FQDN (e.g. citrix.company.com).
o Externally, citrix.company.com resolves to a NetScaler Gateway VIP.
o Internally, citrix.company.com resolves to a StoreFront Load balancing VIP. This allows pass-through
authentication. If the internal DNS name resolved to a NetScaler Gateway VIP then pass-through
authentication would not work. However, NetScaler Gateway is sometimes needed
internally for certain authentication configurations (e.g. Smart Card, SAML, two-factor, etc.)
Delegation: citrix.company.com is delegated from internal DNS and public DNS to NetScaler ADNS (internal
and external).
o This DNS name is bound to one NetScaler GSLB vServer that has two active GSLB services. If internal,
the GSLB services contain the internal StoreFront Load Balancing VIP in each datacenter. If external,
the GSLB services contain the public NetScaler Gateway VIP in each datacenter.
o You can use a proximity GSLB load balancing method to select the closest datacenter.
o GSLB persistence is required for the duration of the StoreFront session. GSLB vServer Source IP
persistence is probably not effective internally so GSLB Service Site Persistence (cookies) is
preferred. Or GSLB static proximity can take care of persistence.
o For the public DNS name, NetScaler in one datacenter must monitor the Internet circuit in the other
datacenter so it doesn't give out the public IP of the other datacenter if that datacenter's Internet
circuit is down. One option is to bind a TCP monitor to the remote GSLB service. The TCP monitor
contains the public IP address of the NetScaler Gateway in the remote datacenter.
Single NetScaler: If one NetScaler is doing GSLB for both internal and external:
o You probably want different GSLB monitoring methods for internal vs external. If the Internet goes down
in one of the datacenters, then you probably don't want that to affect internal GSLB. This also means
that MEP must be routed across the internal DCI (datacenter interconnect) instead of across the
Internet.
o You can't bind the same DNS name to two different GSLB vServers. One workaround is to configure
external GSLB for citrix.company.com and configure internal GSLB for citrixinternal.company.com.
The internal DNS servers have a CNAME (alias) from citrix.company.com
to citrixinternal.company.com so that the DNS request that reaches internal NetScaler ADNS is
actually for citrixinternal.company.com. Then you can have two different GSLB vServers with
different GSLB services with different monitoring configurations.
StoreFront Server Groups: Separate StoreFront Server Groups in each datacenter.
o Citrix doesn't support stretching a single StoreFront Server Group across a WAN link.
o Each Server Group is configured identically. You can export the config from one Server Group and
import it to the other. Or configure each of them separately but identically. Identical means: same
Base URL, same farms (Manage Delivery Controllers), same SRID, same Gateways, and same
Beacons.
o If subscriptions/favorites are enabled, use PowerShell commands to configure subscription
replication between the two Server Groups.
StoreFront Load Balancing: StoreFront load balancing VIP can be active/passive. Active = the StoreFront
servers in the local datacenter. Passive = the StoreFront servers in the remote datacenter.
o Create two Load Balancing vServers: one for local StoreFront, one for remote StoreFront. In the
Active (local) Load Balancing vServer, add the Protection section and configure the Backup (remote)
vServer.
o This configuration allows you to configure NetScaler Gateway Session Policies with the IP address of
StoreFront Load Balancing instead of a GSLB DNS name. The active/passive VIP allows NetScaler
Gateway to connect to StoreFront even if StoreFront in the local datacenter is down.
Icon aggregation: Configure StoreFront to aggregate icons from the two farms as detailed below.
o Use AD groups to specify a user's home datacenter as detailed below. The user's roaming profile and
home directory are in the user's home datacenter.
o Configure farm priority based on AD groups. For an aggregated icon, the AD group determines which
farm the icon is launched from.
HDX Optimal Routing: Use HDX Optimal Routing to route ICA traffic through the NetScaler Gateway that is
closest to the destination farm. This requires datacenter-specific DNS names (e.g. citrixsite1.company.com,
citrixsite2.company.com).
o The datacenter-specific DNS names are delegated to NetScaler ADNS.
o NetScaler GSLB for these DNS names is configured for active/passive: if the specific datacenter is up,
then give out that IP. If the specific datacenter is down, then give out the IP of the other datacenter.
o The GSLB Services contain the internal or public VIPs of NetScaler Gateway in each datacenter.
o If these DNS names are added to StoreFront for both Authentication and HDX Routing, then you can
use one of these DNS names to connect to StoreFront in a specific datacenter. This is helpful for
testing.
STAs: each StoreFront Server Group uses STAs in the local datacenter. Since ICA Traffic could end up on
either NetScaler, all STAs must be added to all NetScaler Gateways.
Beacons: the internal beacon is critical. If the internal beacon is down, then Receiver Self-service won't be
able to determine whether the client device is internal or not. GSLB can be used for the internal beacon DNS name.
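As an added check (not part of the original article), the following PowerShell script verifies the split-horizon DNS and GSLB behaviour described in the design above from a Windows host: the shared FQDN must resolve to a StoreFront Load Balancing VIP internally and to a NetScaler Gateway VIP externally, the datacenter-specific names must be active/passive, the internal beacon must not be resolvable from the Internet, and the public Gateway VIPs must answer on TCP 443 (what the cross-datacenter TCP monitor tests). The resolver addresses, VIPs, hostnames, and beacon name are constructed placeholders for this example.

```powershell
# Added example, not part of the original article. Verifies the DNS/GSLB design from a
# Windows host (needs the DnsClient and NetTCPIP modules, Windows 8 / Server 2012 or newer).
# All names and addresses below are constructed placeholders for this example.
$Fqdn           = 'citrix.company.com'
$InternalDns    = '10.0.0.53'                          # assumed internal DNS (delegates to NetScaler ADNS)
$PublicDns      = '8.8.8.8'                            # any public resolver
$StoreFrontVips = @('10.1.1.20', '10.2.2.20')          # assumed StoreFront LB VIPs, one per datacenter
$GatewayVips    = @('203.0.113.10', '198.51.100.10')   # assumed public NetScaler Gateway VIPs
$SiteFqdns      = @('citrixsite1.company.com', 'citrixsite2.company.com')
$InternalBeacon = 'sfbeacon.company.com'               # assumed internal-only beacon name

function Resolve-ARecords {
    # A records for $Name from one specific resolver, following CNAMEs (e.g. the internal
    # citrix -> citrixinternal alias). -DnsOnly bypasses the local HOSTS file and cache.
    param([string]$Name, [string]$Server)
    try {
        @(Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch { @() }
}

function Test-Expectation {
    # PASS when every resolved address is in $Allowed (or when nothing resolves and -ExpectEmpty is set).
    param([string]$Check, [string[]]$Got, [string[]]$Allowed = @(), [switch]$ExpectEmpty)
    $pass = if ($ExpectEmpty) { $Got.Count -eq 0 }
            elseif ($Allowed.Count -eq 0) { $Got.Count -gt 0 }
            else { $Got.Count -gt 0 -and @($Got | Where-Object { $Allowed -notcontains $_ }).Count -eq 0 }
    [pscustomobject]@{ Check = $Check; Resolved = ($Got -join ', '); Result = if ($pass) { 'PASS' } else { 'FAIL' } }
}

$report = @()
# 1. Internal clients must reach StoreFront directly or pass-through authentication breaks.
$report += Test-Expectation "internal $Fqdn -> StoreFront LB VIP" (Resolve-ARecords $Fqdn $InternalDns) $StoreFrontVips
# 2. External clients must land on a Gateway VIP, never on a StoreFront VIP.
$report += Test-Expectation "external $Fqdn -> Gateway VIP" (Resolve-ARecords $Fqdn $PublicDns) $GatewayVips
# 3. Datacenter-specific names (HDX Optimal Routing) are active/passive: exactly one answer while the site is up.
foreach ($site in $SiteFqdns) {
    $got = Resolve-ARecords $site $PublicDns
    $single = if ($got.Count -eq 1) { $got } else { @() }   # two answers means the GSLB vServer is not active/passive
    $report += Test-Expectation "external $site -> exactly one Gateway VIP" $single $GatewayVips
}
# 4. The internal beacon decides whether Receiver treats a client as internal; it must resolve only inside.
$report += Test-Expectation "internal $InternalBeacon resolves" (Resolve-ARecords $InternalBeacon $InternalDns)
$report += Test-Expectation "external $InternalBeacon must not resolve" (Resolve-ARecords $InternalBeacon $PublicDns) -ExpectEmpty
# 5. What the TCP monitor bound to the remote GSLB service sees: is each public Gateway VIP reachable on 443?
foreach ($vip in $GatewayVips) {
    $up = Test-NetConnection -ComputerName $vip -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    $report += [pscustomobject]@{ Check = "TCP 443 to Gateway VIP $vip"; Resolved = $vip; Result = if ($up) { 'PASS' } else { 'FAIL' } }
}
$report | Format-Table -AutoSize
```

Run it once from an internal workstation and once from an Internet-connected host; a FAIL on check 1 usually means the internal zone is not delegated to the NetScaler ADNS, and a FAIL on check 4 (external beacon resolves) means external Receivers will believe they are internal and try to reach StoreFront directly.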
1. In StoreFront Console, go to Stores, right-click your Store, and click Manage Delivery Controllers.
4. If you are publishing identical resources from multiple farms, click the link to Aggregate resources.
5. Select the farms with identical resources that you want to aggregate.
6. In StoreFront 3.6 and newer, notice the new checkboxes on the bottom. You can now load balance farms
instead of doing farm failover only. If load balancing farms, the farms no longer need to be identical.
7. Click Aggregate. Click OK when done.
8. Note: if you have existing subscriptions/favorites, then enabling icon aggregation will cause the existing
subscriptions to be ignored. You can migrate the existing subscriptions by exporting, modifying, and
importing. See Subscriptions Missing after Enabling Aggregation at Citrix Discussions.
10. If you want the same farm failover (active/passive) or farm load balancing (StoreFront 3.6 and newer)
settings for everyone, then leave the User Groups page set to Everyone. Or if you intend to have different
home sites for different users, add a user group that contains the users that will be homed to a particular
datacenter. You can run this wizard multiple times to specify different home sites for different user groups.
Click Next.
13. If you configured farm aggregation without load balancing, then use the up and down arrow buttons to put
the active site on top. The lower priority sites will only be accessed if the primary site is down. You can run
this wizard multiple times to specify different active sites for different users.
14. If farm aggregation is configured for load balancing (StoreFront 3.6 and newer), then there are no arrows to
prioritize the farms.
15. Click Create.
16. You can click Add to add more user mappings. If you add multiple user groups, you can assign different
primary farms to each Active Directory group. This is how you configure home sites. Click OK twice when
done.
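The same aggregation and home-site wizard, scripted with the StoreFront 3.x PowerShell SDK so it can be applied identically to the Server Group in each datacenter. This is an added example and not code from the original article or from Citrix; the farm names, Delivery Controller hostnames, store path and AD group names are constructed placeholders, and the cmdlet parameter names are my reading of the SDK and should be confirmed with Get-Help before use.

```powershell
# Added example, not part of the original article: Manage Delivery Controllers, Aggregate
# resources and User Groups (home sites) via the StoreFront 3.x SDK.
# Farm names, DDC hostnames, store path and AD groups are constructed placeholders;
# parameter names are assumptions to verify with Get-Help <cmdlet> -Full.
& 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'
$Store = Get-STFStoreService -VirtualPath '/Citrix/Store'

# One farm per datacenter; both publish identical resources.
$Farms = @(
    @{ Name = 'FarmA'; Servers = @('ddc1.dca.corp.com', 'ddc2.dca.corp.com') },
    @{ Name = 'FarmB'; Servers = @('ddc1.dcb.corp.com', 'ddc2.dcb.corp.com') }
)
foreach ($f in $Farms) {
    if (-not (Get-STFStoreFarm -StoreService $Store -FarmName $f.Name -ErrorAction SilentlyContinue)) {
        Add-STFStoreFarm -StoreService $Store -FarmName $f.Name -FarmType XenDesktop `
            -Servers $f.Servers -Port 443 -TransportType HTTPS
    }
}

function Get-GroupSid([string]$Account) {
    # StoreFront stores user farm mappings by SID, not by group name.
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Home sites: the first farm in PrimaryFarms is the active site for that AD group and the
# second is used only when the first is down (the console's up/down arrows). Reversing the
# order per group is what makes Farm A active for one group and passive for the other.
# The shared AggregationGroupName is what makes identical icons collapse into one.
$HomeSites = @(
    @{ Name = 'HomeSiteA'; Group = 'CORP\Citrix-HomeSiteA'; Order = @('FarmA', 'FarmB') },
    @{ Name = 'HomeSiteB'; Group = 'CORP\Citrix-HomeSiteB'; Order = @('FarmB', 'FarmA') }
)
foreach ($h in $HomeSites) {
    $farmSet = New-STFEquivalentFarmset -Name "$($h.Name)-Farms" -AggregationGroupName 'AllResources' `
        -PrimaryFarms $h.Order -LoadBalanceMode Failover -FarmsAreIdentical:$true
    $group = New-STFUserFarmMappingGroup -GroupName $h.Group -AccountSid (Get-GroupSid $h.Group)
    Add-STFUserFarmMapping -StoreService $Store -Name $h.Name -GroupMembers $group -EquivalentFarmSet $farmSet
}

# Review the result, then push it to the other members of this Server Group.
Get-STFUserFarmMapping -StoreService $Store | Format-List
Publish-STFServerGroupConfiguration
```

For active/active (StoreFront 3.6 and newer) change LoadBalanceMode to LoadBalanced and drop FarmsAreIdentical; the farm order then no longer matters. Run the script unchanged against the second datacenter's Server Group so both groups carry the same farm names and mappings.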
Shaun Ritchie's Citrix StoreFront High Availability and Aggregation: A dual site Active/Active design has a
sample multi-site configuration using XML Notepad and explains how to use the Primary and Secondary
keywords to override farm priority order.
Citrix Blogs StoreFront Multi-Site Settings: Some Examples has example XML configurations for various
multi-datacenter Load Balancing and failover scenarios.
When Citrix Receiver switches between StoreFront servers in multiple datacenters, it's possible for each
datacenter to be treated as a separate Receiver site. This can be prevented by doing the following. From
Juan Zevallos at Citrix Discussions: To have multiple StoreFront deployments across a GSLB deployment,
here are the StoreFront requirements:
Match the SRID in StoreFront. If you use the same Base URL in the 2 separate installations, then the SRID
should end up being identical. If the Base URL is changed after the initial setup, the SRID doesn't change. The
SRID can be safely edited in the \inetpub\wwwroot\Citrix\Roaming\web.config file. It will be replicated
into the discovery serviceRecord entry in the Store web.config, which can be edited as well or refreshed from
the admin console by going into Remote Access setup for the store and hitting OK. Make sure to propagate
changes to other servers in the group.
Match the Base URL
Match the Delivery Controller names under Manage Delivery Controllers. The XML brokers can be
different, but the actual name of the Delivery Controller/Farm must be identical. Here's the exact setting I'm
referring to: https://citrix.sharefile.com/d/sa562ba140be4462b
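An added example (not code from the original article or from Citrix) that gathers the values the two Server Groups must have in common (Base URL, the SRID in Roaming\web.config, the SRID copied into the Store's serviceRecord, and the farm names) from one server in each datacenter and diffs them, and then sets up the subscription replication mentioned in the design list above. The hostnames and store path are constructed placeholders; the Get-STFDeployment property name and the Citrix SubscriptionSyncModule cmdlets are my reading of the 3.x SDK and should be checked with Get-Help before use.

```powershell
# Added example, not part of the original article. Hostnames and paths are constructed
# placeholders; SDK property and cmdlet names are assumptions to verify with Get-Help.

function Get-SFIdentity {
    param([string]$StoreVirtualPath = '/Citrix/Store')
    & 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'
    $wwwroot  = 'C:\inetpub\wwwroot'
    $storeDir = Join-Path $wwwroot ($StoreVirtualPath.TrimStart('/') -replace '/', '\')
    # The SRID appears as an srid="..." attribute in both files; a regex avoids depending
    # on the exact element path.
    function Read-Srid([string]$File) {
        $m = Select-String -Path $File -Pattern 'srid="([^"]+)"' | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value } else { '<none>' }
    }
    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    [pscustomobject]@{
        Server      = $env:COMPUTERNAME
        BaseUrl     = (Get-STFDeployment).HostbaseUrl
        RoamingSrid = Read-Srid (Join-Path $wwwroot 'Citrix\Roaming\web.config')
        StoreSrid   = Read-Srid (Join-Path $storeDir 'web.config')
        Farms       = ((Get-STFStoreFarm -StoreService $store).FarmName | Sort-Object) -join ','
    }
}

# Run locally (datacenter A) and on one member of the datacenter B Server Group.
$dcA = Get-SFIdentity
$dcB = Invoke-Command -ComputerName 'sf1.dcb.corp.com' -ScriptBlock ${function:Get-SFIdentity}
foreach ($prop in 'BaseUrl', 'RoamingSrid', 'StoreSrid', 'Farms') {
    $state = if ($dcA.$prop -eq $dcB.$prop) { 'MATCH' } else { 'MISMATCH' }
    '{0,-12} {1,-9} A={2}  B={3}' -f $prop, $state, $dcA.$prop, $dcB.$prop
}
if ($dcA.RoamingSrid -ne $dcA.StoreSrid) {
    Write-Warning 'Roaming SRID differs from the Store serviceRecord: open Remote Access for the store, click OK to refresh it, then propagate.'
}

# Subscription replication from this Server Group to datacenter B (run the mirror image on
# datacenter B). Per Citrix docs, the remote servers' domain machine accounts must also be
# members of the local CitrixSubscriptionSyncUsers group.
Import-Module 'C:\Program Files\Citrix\Receiver StoreFront\Management\Cmdlets\SubscriptionSyncModule.psm1'
Add-DSSubscriptionsRemoteSyncCluster -clusterName 'DatacenterB' -clusterAddress 'sf1.dcb.corp.com'
Add-DSSubscriptionsRemoteSyncStore   -clusterName 'DatacenterB' -storeName 'Store'
Add-DSSubscriptionsSyncReoccuringSchedule -scheduleName 'HourlySync' -startTime '00:00' -repeatMinutes 60
Get-DSSubscriptionsSyncScheduleSummary
```

A MISMATCH on any row means Receiver will treat the two datacenters as separate sites when GSLB moves a user between them; fix the SRID and Base URL first, propagate, and re-run before enabling subscription sync.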
If you are running XenApp / XenDesktop in multiple datacenters, you must design roaming profiles and
home directories correctly.
Multi-site Load Balancing. If the icon selected by the user is published from XenApp/XenDesktop in
Datacenter A, then you probably want the ICA connection to go through a NetScaler Gateway Virtual Server
in Datacenter A. If the main DNS name for accessing NetScaler Gateway is GSLB load balanced across
datacenters, then you need additional datacenter-specific DNS names so you can control which datacenter
the ICA connection goes through. Note: Optimal Gateway is applied at the farm/site level or zone level (for
stretched 7.7+ farms).
NetScaler Gateway for internal connections (AppFlow). If you want to force internal users to go through
NetScaler Gateway so AppFlow data can be sent to Citrix Insight Center then you can do that using Optimal
Gateway even if the user originally connected directly to the StoreFront server. See CTX200129 How to Force
Connections through NetScaler Gateway Using Optimal Gateways Feature of StoreFront for more
information.
The NetScaler Gateway Virtual Server requires user certificates. If ICA traffic goes through a NetScaler
Gateway Virtual Server that requires user certificates (e.g. Smart Card), then each session launch will result
in a PIN prompt. To prevent these extra prompts, build a separate NetScaler Gateway Virtual Server that
doesn't have user certificates as Mandatory. Use Optimal Gateway to force ICA connections through the
other NetScaler Gateway Virtual Server. Note: SmartAccess Callback URL also cannot use a NetScaler
Gateway Virtual Server where client certificates are set to Mandatory so the extra NetScaler Gateway Virtual
Server would be useful for that scenario too.
8. Select the farms that are accessible through this gateway and click OK.
9. Repeat for the other datacenter-specific Gateways. The Gateway for the active/active GSLB-enabled DNS
name doesn't need any farms associated with it.
10. If you only want the Gateways to be used for external users, check the boxes for External only. Otherwise
the Gateway routing will be used for both internal and external connections.
11. Another option for Optimal Gateway selection is zones. In XenApp/XenDesktop 7.7 and newer, you can
stretch a farm across datacenters (zones) and use a different Gateway for each zone. Highlight a Gateway.
Click Manage Zones and add the zone name. This assumes the zone name has also been specified in the
Manage Delivery Controllers dialog box > Advanced Settings.
This section applies to SmartAccess and the Callback URL. If you don't need SmartAccess, then skip this
section.
The Callback URL must go to the same appliance that authenticated the user. If you have multiple
appliance pairs communicating with a single StoreFront server, then StoreFront needs to identify which
NetScaler appliance pair the request came from so it can perform a callback to that appliance pair.
If each of the NetScaler Gateways uses the same DNS name (GSLB), then you can't use the DNS name to
distinguish one appliance from the other. Instead, StoreFront can use the Gateway VIP to distinguish
appliances so the callback goes to the correct appliance.
6. In the VServer IP address field, enter the Gateway VIP for this particular appliance pair. StoreFront will use
this VIP to distinguish one NetScaler appliance from another.
7. The callback URL must be unique for each NetScaler appliance pair (e.g. callbackdr.corp.com). The callback
URL must resolve to a NetScaler Gateway VIP on the same appliance pair that authenticated the user.
8. Configure name resolution for the datacenter-specific callback DNS names. Either edit the HOSTS file on the
StoreFront servers or add DNS records to your DNS servers.
9. When enabling Remote Access on the store, select both Gateway appliances. Select one as the default
appliance.
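The Gateway, Optimal HDX Routing and SmartAccess callback steps above, scripted with the StoreFront 3.x PowerShell SDK, as an added example that is not code from the original article or from Citrix. It creates one authentication Gateway per appliance pair (same GSLB URL, told apart by VServer IP, each with its own callback URL), one datacenter-specific Gateway per farm for Optimal Routing, binds every STA to every Gateway, and finally checks that each callback name resolves to the VIP of the appliance pair it belongs to. Gateway names, URLs, VIPs, STA URLs and farm names are constructed placeholders; the parameter names (in particular -SubnetIPAddress, which I take to be the console's VServer IP address field, and Register-STFStoreOptimalLaunchGateway) are my reading of the SDK and should be confirmed with Get-Help before use.

```powershell
# Added example, not part of the original article. Names, URLs and addresses are
# constructed placeholders; SDK parameter names are assumptions to verify with Get-Help.
& 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'
$Store = Get-STFStoreService -VirtualPath '/Citrix/Store'

# ICA traffic can land on either appliance pair, so every STA from both datacenters is
# bound to every Gateway.
$AllStas = @('https://ddc1.dca.corp.com/scripts/ctxsta.dll', 'https://ddc1.dcb.corp.com/scripts/ctxsta.dll')

function Add-GatewayIfMissing {
    param([string]$Name, [string]$Url, [string]$Callback, [string]$Vip)
    if (-not (Get-STFRoamingGateway -Name $Name -ErrorAction SilentlyContinue)) {
        Add-STFRoamingGateway -Name $Name -LogonType Domain -GatewayUrl $Url -CallbackUrl $Callback `
            -SubnetIPAddress $Vip -SecureTicketAuthorityUrls $AllStas -SessionReliability
    }
    Get-STFRoamingGateway -Name $Name
}

$Appliances = @(
    @{ Site = 'DCA'; Vip = '203.0.113.10';  SiteUrl = 'https://citrixsite1.company.com'
       Callback = 'https://callbackdca.corp.com'; Farm = 'FarmA' },
    @{ Site = 'DCB'; Vip = '198.51.100.10'; SiteUrl = 'https://citrixsite2.company.com'
       Callback = 'https://callbackdcb.corp.com'; Farm = 'FarmB' }
)
foreach ($a in $Appliances) {
    # Authentication Gateway: both share the GSLB URL, so StoreFront tells them apart by
    # VServer IP; the callback URL is unique per pair so SmartAccess calls back the right one.
    $auth = Add-GatewayIfMissing -Name "GW-$($a.Site)-Auth" -Url 'https://citrix.company.com' `
        -Callback $a.Callback -Vip $a.Vip
    Register-STFStoreGateway -StoreService $Store -Gateway $auth -DefaultGateway:($a.Site -eq 'DCA')

    # Datacenter-specific Gateway for HDX Optimal Routing: launches from this farm go through
    # this appliance pair, for internal and external users alike (-ExternalOnly:$true limits it).
    $hdx = Add-GatewayIfMissing -Name "GW-$($a.Site)-HDX" -Url $a.SiteUrl -Callback $a.Callback -Vip $a.Vip
    Register-STFStoreOptimalLaunchGateway -StoreService $Store -Gateway $hdx -FarmName $a.Farm -ExternalOnly:$false
}

# Step 8 check: each callback name must resolve (HOSTS file or DNS) to a VIP on the same
# appliance pair that authenticated the user. GetHostAddresses honours the HOSTS file.
foreach ($a in $Appliances) {
    $cbHost = ([uri]$a.Callback).Host
    try { $ips = @([System.Net.Dns]::GetHostAddresses($cbHost) | ForEach-Object { $_.IPAddressToString }) }
    catch { $ips = @() }
    if ($ips -contains $a.Vip) { "$cbHost -> $($ips -join ',') OK" }
    else { Write-Warning "$cbHost resolves to '$($ips -join ',')', not the $($a.Site) Gateway VIP $($a.Vip): SmartAccess callback would reach the wrong appliance" }
}
Publish-STFServerGroupConfiguration
```

The HOSTS-file check has to pass on every StoreFront server in the group, because the HOSTS file is not propagated with the configuration; run the last loop on each member after editing.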