
StoreFront 3.5 through 3.11 Basic Configuration
Navigation

This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.

StoreFront Installation / Upgrade


o Initial Configuration
o Second StoreFront Server
o Customer Experience Improvement Program (CEIP)
Store Name Rename
SSL Certificate
o Delivery Controllers SSL
o Socket Pooling
HOSTS File
Base URL Change
Default Web Page
Authentication Configuration
Citrix Online
Receiver for Web
o Unified Receiver Experience
o Customize Receiver Appearance
o Receiver for Web Pass-through Authentication

o Receiver for HTML5 2.4


o Deploy Citrix Receivers for Windows/Mac from StoreFront
o Receiver for Edge
o Receiver for Firefox 52
o Receiver for Web Timeout
o Default Tab
Beacons
Propagate Changes
Export/Import StoreFront Configuration
Auto-Favorite
Logon Simulator


StoreFront Installation / Upgrade

The XenApp/XenDesktop 7.14 ISO comes with StoreFront 3.11. Or you can download it
from https://www.citrix.com/downloads/storefront-web-interface/product-software/storefront-311.html.

You can install StoreFront at the same time as installing Delivery Controller. Or you can install StoreFront
3.11 on dedicated servers.

Citrix Blog Post StoreFront 3.0 Scalability recommends StoreFront servers to be sized with 4 vCPU and 8 GB
RAM.
Note: You can install Web Interface and StoreFront on the same servers. Make sure Web Interface is
installed first.

1. If upgrading do the following before beginning the upgrade:
   1. Export the StoreFront configuration so you can restore it if something goes wrong.
   2. Stop the World Wide Web Publishing Service.
   3. Stop all StoreFront services.
   4. Close all PowerShell and StoreFront consoles.
   5. If the Citrix SCOM Agent for StoreFront is installed, stop the Citrix MPSF Agent service.
      Citrix CTX220935 Cannot Perform a StoreFront Upgrade if Citrix SCOM Management Pack
      Agent Service is Running.
   6. See Patrick van den Born Avoid 1603 errors when upgrading Citrix StoreFront 2.x to Citrix
      StoreFront 3.5
2. Go to the downloaded Citrix StoreFront 3.11 and run CitrixStoreFront-x64.exe.
3. Or you can install from the 7.14 ISO by running AutoSelect.exe.
4. In the License Agreement page, check the box next to I accept the terms, and click Next.

5. In the Review prerequisites page, click Next.


6. In the Ready to install page, click Install.

7. In the Successfully installed StoreFront page, click Finish.

If this is a new install, skip to the Initial Configuration.

After upgrading from StoreFront 2.6 or older, do the following to enable the Receiver X1 theme:
1. In the StoreFront Console, on the left click the Stores node. Right-click the store and click Manage
Receiver for Web Sites.

2. Click Configure.

3. On the Receiver Experience page select Disable classic experience.

4. Once classic experience is disabled, you can now make changes on the Customize Appearance and
Featured App Groups pages. Click OK and Close when done.
5. Go to Stores. Right-click the Store, and click Configure Unified Experience.

6. Check the box next to Set the unified Receiver experience as the default for this store, and click
OK.

7. When you propagate changes, the default web page might not be replicated to the other nodes.
Copy C:\inetpub\wwwroot\web.config manually to each node.

If you are upgrading to StoreFront 3.9 or newer, do the following to add SAML Authentication as an option.
This feature lets you perform SAML against StoreFront without needing NetScaler Gateway. If you did a
fresh deployment of 3.9 or newer, then SAML is already added.
1. Right-click the Store, and click Manage Authentication Methods.

2. On the bottom, click the Advanced button, and click Install or uninstall authentication methods.

3. Check the box next to SAML Authentication, and click OK.


4. If you don't want to configure SAML at this time, then uncheck the authentication method. See the
Federated Authentication Service article for SAML details.

Initial Configuration

In StoreFront 3.8 and newer, you can create multiple stores in different IIS websites. This functionality is
not exposed in the GUI and instead the entire StoreFront configuration must be performed using
PowerShell. See Citrix Blog Post StoreFront 3.8 is Available NOW! for sample PowerShell commands to
create the stores.

You can also use PowerShell to create a store and configure it as detailed at CTX206009 How to configure a
Store via Powershell.

If this is a new deployment of StoreFront, do the following to perform the initial configuration:

1. In PowerShell, run Set-ExecutionPolicy RemoteSigned.


2. The management console should launch automatically. If not, launch Citrix StoreFront from the
Start Menu.
3. In the middle, click Create a new deployment.

4. In the Base URL page, if you installed an SSL certificate on the StoreFront server, then the
Hostname should already be filled in. For now, you can leave it set to the server name and then
change it later once you setup SSL and load balancing. Click Next.
5. In the Getting Started page, click Next.

6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL
path.
7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
8. In the Delivery Controllers page, click Add.

9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the
actual farm name. (If StoreFront 3.5, don't put spaces or periods in the farm name)
10. Change the Type to XenDesktop.
11. Add the two XenDesktop Controllers. Change the Transport Type to HTTP. Click OK.

12. If you have multiple XenDesktop sites/farms, feel free to add them now. Or you can add older
XenApp farms. (If StoreFront 3.5, don't put spaces or periods in the farm name) Click Next when
done.
13. In the Remote Access page, don't check the box, and click Next. You can set this up later.

14. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-
through from NetScaler Gateway. Click Next. Note: if you want Domain pass-through for browser
users, you also need to enable it for Receiver for Web as detailed later in this topic.
15. In the XenApp Services URL page, click Create.
16. In the Summary page, click Finish.

Second StoreFront Server

After the server group is created, NT SERVICE\CitrixConfigurationReplication and
NT SERVICE\CitrixClusterService must remain in the Administrators group on both StoreFront servers or
propagation will fail.

1. Install StoreFront on the second server.


2. Create/Import the SSL certificate, and bind it to the Default Web Site.
3. Login to the first StoreFront server. In the StoreFront management console, right-click Server
Group, and click Add Server.
4. Copy the Authorization code. Note: the Please wait message means it is waiting on you to add the
2nd server. You don't actually have to wait.

5. Login to the second StoreFront server and launch the management console. In the middle, click Join
existing server group.
6. In the Join Server Group page, enter the name of the first StoreFront server and enter the
Authorization code copied earlier. Click Join.

7. Then click OK.

8. Go back to the first server. Click OK.

9. Notice this message. It is good advice.


10. All changes made on one StoreFront server must be manually propagated to the other StoreFront
server. You do that by right-clicking Server Group and clicking Propagate Changes.

11. When you propagate changes, the default web page might not be replicated to the other nodes.
Copy C:\inetpub\wwwroot\web.config manually to each node.

Customer Experience Improvement Program

StoreFront 3.9 and newer enable Customer Experience Improvement Program (CEIP) by default. To disable
it, create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD)
and set it to 0 (zero). Also see CEIP at Install, set up, upgrade, and uninstall at Citrix Docs.

See http://www.carlstalhood.com/delivery-controller-7-13-and-licensing/#ceip for additional places where
CEIP is enabled.

Store Name Rename


If you installed StoreFront on your Delivery Controller, it will have a default store named Store. If you don't
like the default Store Name (/Citrix/Store) then you will need to remove the store and re-add it.

Note: Some at Citrix Discussions (A protocol error occured while communicating with the Authentication
Service) have reported authentication issues after following this procedure. It's probably cleaner to
uninstall StoreFront and reinstall it.

1. In the StoreFront console, on the left, click Stores.


2. Right-click the store, and click Remove Store.

3. Click Yes.

4. On the left, right-click Stores, and click Create Store.


5. In the Getting Started page, click Next.

6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL
path.
7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
8. In the Delivery Controllers page, click Add.

9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the
actual farm name. (If StoreFront 3.5, don't put spaces or periods in the farm name)
10. Change the Type to XenDesktop.
11. Add the two XenDesktop Controllers.
12. Change the Transport Type to HTTP. Click OK.
13. If you have multiple XenDesktop farms, feel free to add them now. Or you can add older XenApp
farms. (If StoreFront 3.5, don't put spaces or periods in the farm name) Or later, you can add farms
in Store > Manage Delivery Controllers. Click Next when done.

14. In the Remote Access page, don't check the box and click Next. You can set this up later.
15. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-
through from NetScaler Gateway. Click Next.

16. In the XenApp Services URL page, click Create.


17. In the Created Successfully page, click Finish.

SSL Certificate

StoreFront requires SSL. You will save yourself much heartache if you install valid, trusted certificates.
There are two options for StoreFront SSL.

SSL Offload: Use NetScaler to do SSL Offload and load balancing. In this scenario, install the SSL
certificate on the load balancer. You can leave the StoreFront servers listening on HTTP and no IIS
server certificate. The SSL certificate on the NetScaler must match the DNS name that resolves to
the load balancing VIP.
SSL End-to-end: Install an SSL certificate on each StoreFront server and bind to IIS. This allows you
to use SSL protocol between the load balancer and the StoreFront servers.

If your load balancer cannot terminate SSL, then the StoreFront IIS certificate must match the DNS name
that resolves to the load balancing VIP.

For load balancers that can terminate SSL (e.g. NetScaler), the StoreFront IIS server certificate should
match the StoreFront server name. If StoreFront is installed on the Delivery Controllers, with server-
specific certificates you can later enable HTTPS in the StoreFront Store Delivery Controller configuration.

Another option is to create an SSL certificate with Subject Alternative Names for the load balanced DNS
name and each of the StoreFront server FQDNs. Then import this one certificate on all StoreFront servers.
Or a wildcard certificate could match all of these names.

In either case, be aware that Email-based discovery in Citrix Receiver requires the certificate to not only
match the StoreFront load balanced DNS name but the certificate must also match
discoverReceiver.email.suffix for every email domain. Usually the only option to match multiple email
domains is with Subject Alternative Names. If you have multiple email suffixes then you will need multiple
Subject Alternative Names, each beginning with discoverReceiver. If you don't plan on implementing
email-based discovery, then you don't have to worry about these discoverReceiver Subject Alternative
Names.

If the certificate does not match discoverReceiver.email.suffix, then users will see this message when
attempting to use email discovery in Citrix Receiver.

When adding Subject Alternative Names to a certificate, the first Subject Alternative Name should be the
same as the Load Balancing FQDN. The remaining Subject Alternative Names should be
discoverReceiver.email.suffix for every email domain.
When you view a Subject Alternative Name certificate, on the Details tab, click Subject Alternative Name
to verify that all names are listed, including the DNS name that resolves to the load balancing VIP.
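
The Subject Alternative Name rules above can be checked in a script before a certificate is bound to IIS. The following is an added example, not from the original article or from Citrix; the function names and all FQDNs are hypothetical, and the SAN list is a constructed sample.

```powershell
# Added example, not from the original article. All FQDNs are constructed sample values.

function Test-SanMatch {
    # True if $Name is covered by any entry in $DnsNames (exact or single-label wildcard).
    param([string]$Name, [string[]]$DnsNames)
    foreach ($san in $DnsNames) {
        if ($san -eq $Name) { return $true }   # -eq on strings is case-insensitive
        if ($san.StartsWith('*.')) {
            # A wildcard covers exactly one left-most label: *.corp.com covers
            # storefront.corp.com but not a.b.corp.com and not corp.com itself.
            $suffix = $san.Substring(1)        # '*.corp.com' -> '.corp.com'
            if ($Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Test-StoreFrontCertificateNames {
    param(
        [Parameter(Mandatory = $true)][string]$LoadBalancedFqdn,
        [Parameter(Mandatory = $true)][string[]]$DnsNames,   # SANs in certificate order
        [string[]]$EmailSuffixes = @(),                      # only for email-based discovery
        [string[]]$ServerFqdns = @()                         # only for end-to-end SSL
    )
    # Names the article says the certificate must match.
    $required = @($LoadBalancedFqdn) + @($ServerFqdns) +
                @($EmailSuffixes | ForEach-Object { "discoverReceiver.$_" })
    $missing = @($required | Where-Object { -not (Test-SanMatch -Name $_ -DnsNames $DnsNames) })

    New-Object PSObject -Property ([ordered]@{
        Required                   = $required
        Missing                    = $missing
        # The article recommends the load balancing FQDN as the first SAN.
        FirstSanIsLoadBalancedFqdn = ($DnsNames[0] -eq $LoadBalancedFqdn)
        AllNamesCovered            = ($missing.Count -eq 0)
    })
}

# Constructed SAN list: one email domain and one server name are deliberately absent.
$sampleSans = @('storefront.corp.com', 'discoverReceiver.corp.com', 'sf01.corp.local')

$report = Test-StoreFrontCertificateNames -LoadBalancedFqdn 'storefront.corp.com' `
    -DnsNames $sampleSans `
    -EmailSuffixes 'corp.com', 'example.org' `
    -ServerFqdns 'sf01.corp.local', 'sf02.corp.local'
$report | Format-List

# Against a real certificate, take the names from the Windows certificate provider
# (thumbprint is a placeholder) and confirm SAN order on the certificate's Details tab:
#   $cert = Get-Item Cert:\LocalMachine\My\<THUMBPRINT>
#   Test-StoreFrontCertificateNames -LoadBalancedFqdn 'storefront.corp.com' `
#       -DnsNames $cert.DnsNameList.Unicode -EmailSuffixes 'corp.com'
```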

There are several methods of creating a certificate for StoreFront.

If you are implementing Single FQDN for internal and external users, then the certificate for
external NetScaler Gateway can also be used for internal StoreFront. Note: Single FQDN has
additional Subject Alternative Name certificate requirements including: Internal Beacon FQDN and
Callback FQDN.
If you will support non-domain-joined machines (e.g. iPads, thin clients) connecting to your internal
StoreFront, then the StoreFront certificate should be signed by a public Certificate Authority. You
can use IIS to request the certificate. You can then export the certificate from IIS and import it to
NetScaler (for Load Balancing and NetScaler Gateway). Public Certificate Authorities (e.g. GoDaddy,
Digicert, etc.) let you enter additional Subject Alternative Names when you purchase the certificate.
If all internal machines are domain-joined, then you can use an internal Certificate Authority to
create the StoreFront certificate. The Certificates MMC snap-in can be used to create an internal
certificate signed by a Microsoft Certificate Authority. The MMC method allows you to specify
Subject Alternative Names.

Once the certificate is created or imported, you need to bind it to IIS:

1. In IIS Manager, right-click the Default Web Site, and click Edit Bindings.
2. Click Add.

3. Change the Type to https, and select the SSL certificate. Do NOT put anything in the Host name
field. Click OK, and then click Close.

Delivery Controllers SSL

Delivery Controllers can be SSL enabled by using one of two methods:

If IIS is installed on the Delivery Controller, simply install/create a certificate, and bind it to the
Default Web Site.
If IIS is not installed on the Delivery Controller, then you need to run a command line program as
described at CTX200415 How to Enable SSL on XenDesktop 7.x Controllers to Secure XML Traffic. Or
use Matt Bodholdt's script at XenDesktop 7 Bind Cert to XML Service Without IIS Integration at
CUGC.

Once SSL certificates are installed on the Delivery Controller servers, then you can configure the Store to
use SSL when communicating with the Delivery Controllers.

1. In the StoreFront Console, on the left click Stores.


2. Right-click the store, and click Manage Delivery Controllers.

3. Highlight the deployment and click Edit.

4. The Servers list must contain FQDNs that match the certificates installed on those servers.
5. Change the Transport type to HTTPS.
6. Click OK twice.

Socket Pooling

Socket pooling is disabled by default in stores. When socket pooling is enabled, StoreFront maintains a
pool of sockets, rather than creating a socket each time one is needed and returning it to the operating
system when the connection is closed. Enabling socket pooling enhances performance, particularly for
Secure Sockets Layer (SSL) connections. To enable socket pooling:

1. On the left, click the Stores node.


2. Right-click the store and click Configure Store Settings.
3. On the Advanced Settings page, check the box for Enable socket pooling.

HOSTS File

Edit the HOSTS file (C:\Windows\System32\Drivers\Etc\HOSTS) on each StoreFront server with the
following entries:

StoreFront Load Balancing FQDN (e.g. storefront.corp.com) = Load Balancing VIP in the local
datacenter.
NetScaler Gateway Callback FQDN (e.g. callback.corp.com) = NetScaler Gateway VIP in the local
datacenter.

Base URL Change

1. Configure load balancing of the StoreFront servers, including SSL certificate.


2. In the Citrix StoreFront console, right-click Server Group, and click Change Base URL.

3. Enter the StoreFront Load Balancing FQDN as the new Base URL in https://storefront.corp.com
format. Note: Receiver requires that the Base URL is https. It won't accept http. Click OK.
Note: if you want the StoreFront Base URL to be the same as your Gateway FQDN, then see the
Single FQDN instructions.

If the Base URL is https, but you don't have certificates installed on your StoreFront servers (aka SSL
Offload), then you'll need to do the following:

1. On the left click the Stores node.


2. Right-click the store and click Manage Receiver for Web Sites.

3. Click Configure.
4. On the Advanced Settings page, change Enable loopback communication to OnUsingHttp. Click
OK, and then click Close.

Default Web Page

After changing the Base URL, you'll need to update the IIS Default Website.

1. On the left, right-click Stores, and click Set Default Website.


2. Check the box next to Set a Receiver for Web site as the default page in IIS, and click OK.

3. Click Yes to overwrite.

4. If you go to C:\inetpub\wwwroot and edit the file web.config, you'll see the redirect.

Authentication Configuration
1. In the Citrix StoreFront console, on the left, click the Stores node.
2. Right-click the store, and click Manage Authentication Methods.

3. Check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway.

4. If you intend to enable pass-through authentication from Receiver Self-Service or from Receiver for
Web, go to a XenDesktop Controller, and run the command
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True from a Windows PowerShell command
prompt. Run asnp citrix.* first. In XenApp 6.5, this is a Citrix Policy > Computer > Trust XML Requests.
5. Click the top gear icon, and then click Configure Trusted Domains.

6. Select Trusted domains only, click Add, and enter the domain names in DNS format. The DNS suffix
is needed if doing userPrincipalName authentication from NetScaler Gateway.
1. Also see CTX223551 Log on delay when user is not in the same domain as Storefront Server
for RPC firewall rules.
7. Select one of the domains as the default.
8. If desired, check the box next to Show domains list in logon page. Click OK.
9. Click the top gear icon, and then click Manage Password Options.

10. Make your selection, and click OK.

11. Be careful with password changes. Any time somebody changes their password through StoreFront,
a profile will be created for that user on the StoreFront server. Use a tool like delprof2.exe to
periodically delete these local profiles.
12. Or see Citrix Blog Post Delete Local User Profile Folders on StoreFront Servers for a script to delete
local profiles.
13. If you have XenApp/XenDesktop Platinum Edition and installed Self-Service Password Reset, you
can integrate SSPR with StoreFront 3.7 or newer by clicking the top gear icon and clicking Configure
Account Self-Service. This option is only available if your Base URL is https (encrypted). See the
following for detailed implementation guides.
o Citrix CTX217143 Self-Service Password Reset Central Store Creation Tool

o Citrix CTX224244 How Do I Deploy Self-Service Password Reset For the First Time
o George Spiers Citrix Self-Service Password Reset

14. Change the selection to Citrix SSPR, and click Configure.


15. Check both boxes and enter the URL of the SSPR server using the displayed example (with
/MPMService on the end). Click OK three times.

16. With SSPR enabled, a new Tasks tab lets users enroll with SSPR.
17. The logon page also has an Account Self-Service link.

18. If StoreFront is not in the same domain (or trusted domain) as the users, then you can configure
StoreFront to delegate authentication to the Delivery Controllers. See XML service-based
authentication at Citrix Docs. Note: StoreFront 3.6 and newer can be workgroup members without
joining a domain.

Citrix Online
1. StoreFront might be configured to add the Citrix Online icons. To remove them, on the left click the
Stores node.
2. Right-click the store, and click Configure Store Settings.

3. On the Citrix Online Integration page, uncheck all three boxes, and click OK.

Unified Receiver Experience

If you did a clean install of StoreFront 3.5 or newer, then the newer UI will already be enabled, but Unified
Experience might not be. If you upgraded from a StoreFront 2.6 or older, then you can disable the Classic
UI to enable the newer UI.
1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.

2. Click Configure.

3. On the Receiver Experience page, select Disable classic experience. Click OK, and click Close.

4. On the left, click Stores. Right-click the store, and click Configure Unified Experience.
5. Check the box next to Set the unified Receiver experience as the default for this store and click
OK.

Customize Receiver Appearance

If the Unified Receiver appearance is enabled, you can go to Stores > Manage Receiver for Web Sites >
Configure > Customize Appearance to change logos and colors. Additional customization can be
performed using the SDK.
You can also Manage Featured App Groups.

These Featured App Groups are displayed at the top of the Apps > All page.
By default, Featured App Groups are displayed with continual horizontal scrolling. This is OK if you have
several Featured App Groups but doesn't look right if you only have one Featured App Group.

Michael Bednarek has posted some code at Citrix Discussions to disable the continuous horizontal scrolling.

Receiver for Web Pass-through Authentication

1. On the left click the Stores node. Right-click the store and click Manage Receiver for Web Sites.
2. Click Configure.

3. On the Authentication Methods page, if desired, check the box next to Domain pass-through. Click
OK.

4. If the StoreFront URL is in the browser's Local Intranet zone, then you'll see a prompt to
automatically Log On. This only appears once.

Receiver for HTML5 2.4

1. On the left click the Stores node.


2. Right-click the store and click Manage Receiver for Web Sites.

3. Click Configure.

4. On the Deploy Citrix Receiver page, change the drop-down to Use Receiver for HTML5 if local
Receiver is unavailable.
5. By default, the HTML5 session opens in a new tab. You can optionally enable Launch applications in
the same tab as Receiver for Web. See Configure Citrix Receiver for HTML5 use of browser tabs at
docs.citrix.com for more information.
6. Click OK, and then click Close.

7. Download the latest Receiver for HTML5 (version 2.4) and install it on one of the StoreFront
servers. It installs silently. When you propagate changes, the Receiver for HTML5 will be copied to
the other server.

8. To see the installed version of HTML5 Receiver, click the Stores node on the left. In the middle
pane, in the bottom half, switch to the Receiver for Web Sites tab.
9. Customer Experience Improvement Program (CEIP) is enabled by default. To disable it, edit the
file C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js.

10. Search for the ceip section and change it to false.


11. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.

12. Optionally, install Citrix PDF Printer on the VDAs. The PDF printer is in the Additional Components
section of the HTML5 Receiver download page. This PDF printer is only used with Receiver for
HTML5, and not with regular Receiver.

13. Note: as of Receiver for HTML 2.0, it's no longer necessary to install App Switcher on the VDAs.
From About Citrix Receiver for Chrome 2.0 at Citrix Docs: The new toolbar can be disabled or customized
by editing the file C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js.

From Michael Bednarek at Citrix Discussions: There was a functionality change between StoreFront 3.0 and
StoreFront 3.5 which affects the default client used for iPads. In SF 3.5, we default to using the native
Receiver to launch apps on an iPad, as we expect this to be the majority use case. Unfortunately, on an
iPad we are unable to actually tell whether you have the Receiver app installed or not, so we can't do
anything more intelligent out of the box.

There are two ways around this. Firstly, any iPad user can change between using native Receiver and using
the HTML5 Receiver by going to the dropdown menu after logging on, and choosing Change Receiver.
This will give you the chance to choose the HTML5 Receiver (Use light version) and your choice will be
remembered for the next time you log on.

If this is no good, you can use a JavaScript customization to get back the old behaviour and make sure that
iPad users default to HTML5. See the forum post Cannot access citrix apps from ipad using HTML5 receiver
post upgrade to SF 3.5 for the Javascript code.

If HTML5 Receiver is enabled, Chrome and Edge users have the option of selecting either native or HTML5
by clicking Change Citrix Receiver. To enable this option in IE or Firefox, see Emin Huseynov Citrix
StoreFront 3.0 and HTML5 client.
From About Citrix Receiver for Chrome 1.9 at Citrix Docs: To enable enhanced clipboard support, on every
VDA set the registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional
Formats\HTML Format\Name=HTML Format. Create any missing registry keys. This applies to both
virtual desktops and Remote Desktop Session Hosts.

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

How to use the toolbar to transfer files


Citrix Policy settings to enable/disable file transfer
VDA registry settings to control file transfer
HTML5Client\Configuration.js settings for client-side configuration
How to view HTML5Client log file

Deploy Citrix Receivers

1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.
2. Click Configure.

3. On the Deploy Citrix Receiver page, check the box next to Allow users to download HDX engine
(plug in).
4. Change both source drop-downs to Local files on the StoreFront server.

5. Click both Browse buttons and browse to the downloaded Receiver for Windows 4.8 and Receiver
for Mac 12.6.

6. You can optionally enable Upgrade plug-in at logon.


7. Click OK when done, and Close when done.

8. When users connect to Receiver for Web, they will be prompted to install or upgrade. Note: this
only applies to Receiver for Web. Receiver Self-Service will not receive this prompt.

Receiver for Edge


The Receiver for Web experience in Microsoft Edge is not ideal. Every time a user clicks an icon, the user
has to click the Open button after the .ica file is downloaded.

Citrix Blog Post Providing Full Receiver for Web Experience for Microsoft Edge has instructions for enabling
the Receiver Launcher for Edge. Use your preferred text editor to open web.config for the RfWeb site you
would like to configure (typically C:\inetpub\wwwroot\Citrix\StoreWeb\web.config). Locate the line like
this:

<protocolHandler enabled="true" platforms="(Macintosh|Windows NT).*((Firefox/((5[3-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))(?!.*Edge)"

Remove (?!.*Edge) and save the file.

But once you do that, you get a new switch apps prompt every time you launch an icon from Edge.

To stop the switch apps pop-up, on the client side, edit the registry, go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\receiver (create missing registry keys),
create DWORD value WarnOnOpen, and set it to 0 (zero).

Receiver for Firefox 52

Firefox 52 disabled NPAPI plug-in, which means Firefox 52 can no longer detect the locally installed Citrix
Receiver, and users will be prompted to install it. StoreFront 3.8 and newer already fixes this for Firefox 53,
but not for Firefox 52.

To fix this in StoreFront 3.8 and newer, go to C:\Inetpub\wwwroot\Citrix\StoreWeb, and edit
the web.config file with an elevated text editor.

Search for protocolHandler. In the Firefox section, change 5[3 to 5[2. This causes the Protocol Handler to
work in Firefox 52 and newer.
Now when users connect, they are prompted to Detect Receiver, just like Chrome.

Receiver for Web Timeout

1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.
2. Click Configure.

3. On the Session Settings page, set the Session timeout as desired, and click OK.

4. If you are using a NetScaler, you will need to change the Global Session Timeout located at
NetScaler Gateway => Global Settings => Change Global Settings => Client Experience => Session
Time-out (mins). I changed mine to 720.
5. From CTX215701 Storefront page session time-out: If you increase the session timeout for RfWeb
to be more than 1 hour, you have to also increase the maxLifetime appropriately
in c:\inetpub\wwwroot\Citrix\Authentication\Web.config.
6. If your desired timeout value is greater than 8 hours, you should also edit tokenLifeTime in
c:\inetpub\wwwroot\Citrix\StoreWeb\web.config.
Default Tab

1. By default, when a user logs in to StoreFront, the Favorites tab is selected. Users can go to other
tabs to add icons to the list of Favorites.
2. You can completely remove the Favorites tab by going to Stores > Configure Store Settings > User
Subscriptions, and choose Disable User Subscriptions (Mandatory Store).
3. You can change the default tab and tab visibility by going to the Stores > Manage Receiver for Web
Sites > Configure > Client Interface Settings page.
4. When publishing applications in Studio, specify a Category so the applications are organized into
folders.

5. If you change the default tab to Applications, then you might also want to default to the Categories
view instead of the All view.

6. You can do this by adding the following code to
C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js. More details at Storefront 3.0 change
default view at Citrix Discussions.

    // Runs after the home screen is displayed.
    CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
        CTXS.ExtensionAPI.navigateToFolder('/');
    };

    // Runs on every view change; acts only when the 'store' view is selected.
    CTXS.Extensions.onViewChange = function (viewName) {
        if (viewName == 'store') {
            // Defer the navigation until the current view change has finished.
            window.setTimeout(function () {
                CTXS.ExtensionAPI.navigateToFolder('\\');
            }, 0);
        }
    };

7. Then when you login to StoreFront you'll see Apps > Categories as the default view. This works in
Receiver too.

Beacons

1. On the left, right-click Stores, and click Manage Beacons.

2. Configure an Internal Beacon. Receiver Self-Service tries to connect to the Internal Beacon to
determine if Receiver is currently internal or not. If the Internal Beacon is reachable then Receiver
Self-Service assumes it is internal, and thus connects to the StoreFront Base URL. If the Internal
Beacon is not reachable, then Receiver Self-Service assumes it is external and thus connects to
NetScaler Gateway. For this to work properly, the Internal Beacon must not be resolvable
externally.

   o If you are not doing Single FQDN, then the Internal Beacon can be the StoreFront FQDN since the
     StoreFront FQDN is usually only available internally.
   o If you are doing Single FQDN, then you can't use the StoreFront FQDN. Instead, you must use a
     different internal website for the beacon. If you need to support internal iPads, due to differences
     in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the
     StoreFront Load Balancing VIP thus requiring the StoreFront certificate to match both the Internal
     Beacon and the Base URL. If internal iPads are not needed, then the Internal Beacon can be any
     internal website.
   o If you want to force internal Receiver Self-Service users to connect through NetScaler Gateway (for
     AppFlow reporting), you can set the Internal Beacon to a fake URL. Since the Internal Beacon is
     never resolvable, Receiver Self-Service always uses NetScaler Gateway. Or you can use Optimal
     Gateway to achieve the same goal.

3. The External beacons are used by Receiver Self-Service to determine if the Receiver Self-Service has
Internet access or not. You can use any reliable Internet DNS name. Click OK when done.

Propagate Changes

Any time you make a change on one StoreFront server, you must propagate the changes to the other
StoreFront server.

1. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
2. You might see a message saying that you made changes on the wrong server.

3. Click Yes when asked to propagate changes.

4. Click OK when done.


5. When you propagate changes, the default web page is not replicated to the other nodes.
Copy C:\inetpub\wwwroot\web.config manually to each node.

Export/Import StoreFront Configuration

Use the following PowerShell cmdlets to export StoreFront Configuration into a .zip file (encryption
optional) and import to a different StoreFront server group:

Export-STFConfiguration
Import-STFConfiguration

See Export and import the StoreFront configuration at Citrix Docs for details.

Auto-Favorite

To force a published application to be favorited (subscribed), use one of the following keywords in the
published application description:

KEYWORDS: Auto = the application is automatically subscribed. But users can remove the favorite.
KEYWORDS: Mandatory = the application is automatically subscribed and users cannot remove the
favorite.
With Mandatory applications there is no option to remove the application from Favorites.

Logon Simulator
ControlUp has a free Logon Simulator for StoreFront and NetScaler Gateway. You can run it on any
machine to periodically test app launches from StoreFront.

The tool creates entries in the Application Log in Event Viewer. The events can be consumed by your
monitoring tool.
StoreFront 3.5 through 3.11 Tweaks
Last Modified: May 28, 2017 @ 10:50 am

Here is a collection of optional StoreFront configurations.

This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.

CRL Checking Disable

When the StoreFront server checks certificate revocation for its locally signed files, a delay can occur
before the StoreFront logon page is displayed.

1. Run the following PowerShell commands:

Add-PSSnapin Citrix.DeliveryServices.Framework.Commands
Set-DSAssemblyVerification $false

2. Another potential tweak to speed up StoreFront is to disable NetBIOS. Right-click the Start Menu
and click Network Connections.

3. Right-click the NIC and click Properties.

4. Highlight Internet Protocol Version 4 and click Properties.

5. Click Advanced.
6. On the WINS tab, change the selection to Disable NetBIOS over TCP/IP and click OK twice and
Close once.

7. Repeat on the other StoreFront servers.

Note: According to Microsoft, it is no longer necessary to configure generatePublisherEvidence
in C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.config.

Receiver Shortcuts

You can use StoreFront to control placement of shortcuts on Receiver machines.

1. Run Notepad elevated (as administrator).


2. Edit the file C:\inetpub\wwwroot\Citrix\Roaming\web.config.
3. Search for <account id. Find the Store name in the name attribute.

4. Scroll down to the first <properties> section located under <annotatedServices>.


5. See Using StoreFront account settings to customize app shortcut locations at docs.citrix.com for a
list of properties. Add the properties as detailed at docs.citrix.com. The properties should be added
after the clear tag.

6. Note: if subscriptions are enabled in StoreFront then only Favorites are added to the Start Menu
and Desktop. If subscriptions are disabled then all applications are placed on the Start Menu or
Desktop.

7. Close and save the file.


8. Then Propagate Changes.

PNAgent Authentication and Default Store

Default Store

If you point your browser to https://storefront.corp.com/Citrix/PNAgent/config.xml, which is the typical
path for PNAgent, you'll get a 404.

To fix this, in the StoreFront console, right-click the store, and click Configure XenApp Services Support.
In the bottom of the window, select the Default store, and click OK.

Now PNAgent can point to StoreFront without needing to specify a custom path. Note: this only works for
/Citrix/PNAgent/config.xml.

Single Sign-on

From Configure authentication for XenApp Services URLs at Citrix Docs: XenApp Services URLs support
explicit, domain pass-through, and pass-through with smart card authentication. Explicit authentication is
enabled by default. You can change the authentication method, but only one authentication method can
be configured for each XenApp Services URL. To enable multiple authentication methods, create separate
stores, each with a XenApp Services URL, for each authentication method. To change the authentication
method for a XenApp Services URL, you run a Windows PowerShell script.

1. On the primary StoreFront server in your deployment, use an account with local administrator
permissions to start Windows PowerShell.
2. At a command prompt, type the following command to configure the user authentication method
for users accessing the store through the XenApp Services URL.

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\EnablePnaForStore.ps1" -SiteId 1 -ResourcesVirtualPath /Citrix/Store -LogonMethod sson

3. Propagate changes.

Remember my password

If you leave PNAgent authentication set to Prompt, you can enable the Remember my password box by
doing the following:

1. Run Notepad as Administrator and edit the file
C:\inetpub\wwwroot\Citrix\Store\Views\PnaConfig\Config.aspx.

2. Near line 74 is EnableSavePassword. Change it to true.

3. When PNAgent connects, there should now be a Remember my password checkbox.

Hide Applications

You can hide all icons of a particular type (Applications, Desktops, Documents). Or you can hide icons with
a specific keyword.

Go to Stores > MyStore > Configure Store Settings > Advanced Settings and look for the Filter options.
Filter resources by type lets you hide all Applications or all Desktops. If you are running Receiver inside a
published desktop, then you probably don't want desktop icons to be delivered by Receiver. In that case,
create a new Store and filter the Desktop icons. Then only the application icons will be delivered.

Filter resources by excluded keywords lets you filter published icons that match a custom keyword.

Once the ExcludeKeyword has been defined, add the keyword to a published application or published
desktop description and that application/desktop will no longer display in Receiver. This works for both
Receiver for Web and Receiver Self-Service (non-browser).

In XenDesktop 7.9 and newer, to assign a description to a Desktop, you edit the Delivery Group, go to the
Desktops page, and edit one of the Desktops. Citrix CTX220429 Configure Resource Filtering to Allow
Desktops to be filtered on Storefront.
Desktop Autolaunch

By default, if only a single desktop is published to the user, Receiver for Web will auto-launch it. You can
change this behavior by going to Stores > MyStore > Manage Receiver for Web Sites > Configure > Client
Interface Settings and uncheck the box next to Auto launch desktop.

Full Screen Desktop

Citrix CTX139762 How to Configure StoreFront to Start Published Desktops in Full Screen Mode: This article
describes how to configure StoreFront to start published desktops in Full Screen Mode.

1. Open the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica on the StoreFront server(s)
with Notepad (as Administrator).
2. Add the line:

[Application]
DesktopViewer-ForceFullScreenStartup=On

3. In older versions of StoreFront, it should be true instead of On.
4. Save the file.
5. Open the command prompt (cmd) and run iisreset.

Autolaunch Application

See the script.js code posted by Michael Bednarek at discussions.citrix.com.

Store for Anonymous

If you intend to publish applications to anonymous users then you can create a StoreFront store that does
not require authentication. Note: anonymous stores only work internally (no NetScaler Gateway).

1. On the VDAs, create and configure anonymous accounts.


2. In Citrix Studio, configure a Delivery Group to accept unauthenticated (anonymous) users.
3. In the StoreFront Console, right-click Stores and click Create Store.

4. In the Store Name and Access page, enter a new store name.
5. Check the box next to Allow only unauthenticated users to access this store.
6. Then click Next and finish the wizard like normal.

7. Anonymous stores are hidden by default. When performing discovery in Receiver you'll need to
enter the full path to the store (e.g. https://storefront.corp.com/Citrix/Anon/discovery).

Workspace Control

Workspace Control reconnects user sessions. It can be disabled. Or configure various reconnection options.

Citrix Blog Post Workspace Control: When You DON'T Want to Roam details complete session reconnection
configuration instructions for XenApp, Remote Desktop Services, StoreFront, and Receiver.

Receiver for Web

Go to Stores > MyStore > Manage Receiver for Web Sites > Configure > Workspace Control page.

Receiver Self-Service

Citrix Blog Post How to Disable Workspace Control Reconnect: For Receiver for Windows, workspace
control can be managed on client devices by modifying the registry. Please see this Knowledgebase
Article for how to implement it. This can also be done for domain-joined client devices using Group Policy.
In StoreFront Console, go to Stores > MyStore > Configure Store Settings > Advanced Settings and there's
a setting for Allow session reconnect.

Treat Desktops as Applications

From Treating All Desktops as Applications at Citrix Blog Post What's New in StoreFront 3.0: Desktops are
treated differently from applications in StoreFront/Receivers. They are placed in a separate Desktop tab
and in the case of Receiver for Web, they are not reconnected with workspace control. In some use cases,
it is desirable to treat desktops as applications so that they are placed together with applications and get
reconnected as part of workspace control. With StoreFront 2.x, you have to add the TreatAsApp keyword
to all published desktops to achieve this effect. StoreFront 3.0 enables you to configure treating all
desktops as applications at the store level without the need of adding the TreatAsApp keyword to all the
published desktops. This is configurable using a PowerShell cmdlet.

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

Set-EnhancedEnumerationOptions -siteId 1 -storeVirtualPath /Citrix/Store `


-treatDesktopsAsApps $true

Also see Citrix CTX223817 How to Configure TreatAsApp in XenDesktop 7.8.

Special Folder Redirection


From Configure special folder redirection at docs.citrix.com: With Special Folder Redirection configured,
users can map Windows special folders for the server to those on their local computers. Special folders
refer to standard Windows folders, such as \Documents and \Desktop.

In StoreFront Console, go to Stores > Configure Store Settings > Advanced Settings and there's an option
for Allow special folder redirection.

Receiver Self-service Disable Remember My Password

By default, when Receiver Self-Service connects internally to StoreFront, the user is able to check the box
next to Remember my password. Note: When connecting through NetScaler Gateway, this checkbox is
never available.

This can be disabled by making a change on the StoreFront server. This procedure is documented by John
Ashman at Citrix Discussions and Prevent Citrix Receiver for Windows from caching passwords and
usernames at docs.citrix.com.

1. Note that this procedure seems to prevent Receiver for iOS from adding accounts.
2. On the StoreFront server, run a text editor elevated (as administrator).

3. Open the file C:\inetpub\wwwroot\Citrix\StoreAuth\App_Data\Templates\UsernamePassword.tfrm.


4. Go to line 20, which should start with @SaveCredential.
5. To comment out the line, wrap it in @* and *@. Save the file when done.
6. Now the Remember My Password checkbox is gone.

Activate Option in Web Page Disable

From Citrix Discussions: to disable the "Activate" function for Citrix Receiver for Windows that is visible
when a user clicks their username in the upper right hand corner of Receiver for Web, in StoreFront
Console, go to Stores > MyStore > Manage Receiver for Web Sites > Configure > Client Interface Settings
page. There's a checkbox for Enable Receiver configuration.

HTML5 Receiver Getting Started Tour


The first time a user connects to HTML5 Receiver, the user is prompted to tour the interface.

The Getting Started Tour can be disabled by doing the following:

1. Edit the file C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js.


2. At the bottom of the file, add Feng Huang's code from First time user tutorial at
discussions.citrix.com. Make sure the quotes are straight quotes and not curly quotes.

localStorage["showFtu"] = false;

Logoff RfWeb Seconds after Icon Launch

From Citrix Blog Post Logging Off Receiver for Web after an Application/Desktop Launch: Simply add the
following code snippet to script.js in the custom folder for the Receiver for Web site (typically
C:\inetpub\wwwroot\Citrix\StoreWeb\custom\) you would like to customize:

var delayLogoffInSeconds = 10;

CTXS.Extensions.beforeWebLogoffIca = function(action) {
    return 'none';
};

CTXS.Extensions.postLaunch = function(app, status) {
    if (! CTXS.Device.isNativeClient()) {
        if (status == CTXS.LAUNCH_SUCCESS) {
            function logoff() {
                CTXS.Environment.logOff();
            }
            window.setTimeout(logoff, delayLogoffInSeconds * 1000);
        }
    }
};

Customize Receiver UI in StoreFront 3.x

StoreFront 3.x customizations are visible in both Receiver for Web and in Receiver Self-Service.
If you are load balancing StoreFront and want to put the server name on the webpage, see Nicolas
Ignoto Display server name with Citrix StoreFront 3.

Nicolas Ignoto Lab: Part 22 Ultimate StoreFront 3 customization guide contains many StoreFront
customizations including:

Add disclaimer
Change logo/background
Add header
Add text
Change colors
Etc.

Citrix Blog Post Citrix Customization Cookbook contains a collection of customizations including:

Add Static or dynamic (read from file) text to the header and/or footer of the login page.
Click-through disclaimer before or after login page
Footer for every page
Default to Folder view when visiting the Apps tab
Change default text
Change background images for featured categories
Background image
Citrix Blog Post Storefront 3 Web Customization: Branding Your Deployment describes how to modify the
following CSS to customize the appearance of StoreFront 3.x

Background images
Logon button
Colors for page and text
How to view the mobile version of the page
CSS for mobile pages

Jason Samuel Upgrading Citrix StoreFront 2.6 to StoreFront 3.0 Things to Know details how to change the
StoreFront logo to a Receiver logo.
Citrix Blog Post StoreFront Message Customization describes how to add a scrolling message to the top of
the screen. This is displayed in both Browsers and Receivers. This post contains a new version of the
executable that supports StoreFront 3.0 and newer.

Migrate Web Interface features to StoreFront at Docs.citrix.com details how to configure Web Interface
features in StoreFront. This includes:

Enable return to last folder


Header logo
Pre-logon welcome message
Logon screen customization
Footer text

StoreFront 3.0 Receiver Customization APIs are detailed at Citrix Developer. Use the Receiver
Customization API to brand or customize your end users' app and desktop selection experience beyond
capabilities provided in the StoreFront admin console. Customizations apply to latest Web, Chrome,
Windows, Mac and Linux clients, and will be extended to mobile devices in future releases.

Trentent Tye at Citrix Storefront Adventures in customization Dynamically configure workspace
control based on group membership used the API to dynamically enable/disable Workspace Control
based on AD group membership. It uses a PowerShell-based HTTP server to process the group
lookup.
o See Citrix Storefront Adventures in customization Dynamically configure features based
on group membership to change authentication based on group membership

An example use case for the StoreFront 3.0 APIs is Citrix Blog Post Citrix Recipe Box: StoreFront
Approvals. This code enables StoreFront to require workflow approval when a user subscribes to an
app.

CTX221097 How to rename items on StoreFront? describes the strings that can be changed.

1. Go to C:\inetpub\wwwroot\Citrix\<StoreName>Web\custom
2. Open strings.en.js file
3. See below for an example of overriding one of the built-in strings. See the article for the full list of
strings.

Citrix Blog Post Receiver X1 APIs describes the following:

Overview of the CSS classes that can be customized.


Override Citrix's JavaScript functions to modify behavior: exclude or restyle apps, change a sort
order, add a warning message etc.
How to force X1 UI to display in either phone or larger mode.

Citrix Blog Post X1 Customization: Going deeper with CSS describes the following:
Use CSS (/custom/style.css) to style the three custom regions (#customTop, #customBottom,
#customScrollTop). Shown below in red, blue, and pink.

Marker classes for showing/hiding or highlighting parts of the UI: large display, small display, high
DPI, Favorites view, Desktops view, Apps view, appinfo view.

Citrix Blog Post Scripting X1 describes the following:


JavaScript code to display an Acceptance dialog box before users can login.

Use JQuery to add HTML code to custom regions (e.g. #customScrollTop) including using CSS to hide
the HTML code unless a specific tab is selected by the user.

Citrix Blog Post Rewriting the Session ClientName from StoreFront: I would like to offer the following
customisation DLL which can apply client name rewrites based on a template. The customisation template
can be any string, but where that string contains a particular token, the token will be replaced by some
information from the User Context. If the intent was just to replace the ClientName with the user name,
the template is then just $U. More details and the .dll file are in the blog post.

See CTP Jason Samuel How to rewrite the Client Name in Citrix StoreFront 3.9 using StoreFront SDK
for detailed info on how to implement this customization in StoreFront 3.8, and how to handle
upgrades.

StoreFront Store Customization SDK at Citrix Developer: The Store Customization SDK allows you to apply
custom logic to the process of displaying resources to users and to adjust launch parameters. For example,
you can use the SDK to control which apps and desktops are displayed to users, to change ICA virtual
channel parameters, or to modify access conditions through XenApp and XenDesktop policy selection. Key
Customization Points:

Post-Enumeration
Post-Launch ICA File
Post-Session Enumeration
Access Conditions (pre-launch and pre-enumeration)
Provider List
Device information

Citrix Blog Post Adding a Language to StoreFront 3.0: A new language pack is comprised of a culture
definition file, a string bundle file and a custom string bundle file. See the Blog Post for more details.

To force StoreFront to only use English, add the following to
c:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js as detailed at Set default language to EN at Citrix
Discussions:

CTXS.Environment.getPreferredLanguages = function () { return null; }

To change the StoreFront page title, see Sam Jacobs How to Change the Page Title in Citrix Receiver 3.x at
mycugc.org.
Customizations detailed at topic Modify Receiver for Web site at Citrix Discussions:

Add Featured App Groups to Categories View


Increase the number of Featured applications beyond the default of 3.

StoreFront SDKs

Most of the StoreFront SDK documentation can be found at https://citrix.github.io/storefront-sdk/

StoreFront Store Customization SDK: Use the Store Customization SDK to apply custom logic to the
process of displaying resources to users and to adjust launch parameters. For example, you can use the
SDK to control which apps and desktops are displayed to users, to change ICA virtual channel parameters,
or to modify access conditions through XenApp and XenDesktop policy selection.

StoreFront Web API: Receiver for Web is a component of Citrix StoreFront that provides access to
applications and desktops using a Web browser. It consists of a User Interface tier and a StoreFront
Services Web Proxy tier.

StoreFront Authentication SDKs: With StoreFront 3.0, we have introduced a new Unified UI that is
delivered from StoreFront to Receiver on all client platforms. Use the Receiver Customization API to brand
or customize your end users' app and desktop selection experience beyond capabilities provided in the
StoreFront admin console. Customizations apply to latest Web, Chrome, Windows, Mac and Linux clients,
and will be extended to mobile devices in future releases.

StoreFront PowerShell SDK: Citrix StoreFront provides an SDK based on a number of Microsoft Windows
PowerShell version 3.0 modules. With this SDK, you can perform the same tasks as you would with the
StoreFront MMC console, together with tasks you cannot do with the console alone.

StoreFront 3.x Portal Theme for NetScaler 11

See NetScaler Gateway 11 > Portal Themes. Build 62 and newer have a built-in X1 theme.

StoreFront 3.x Theme for NetScaler 10.5

You can make the NetScaler Gateway 10.5 logon page look like the Receiver for Web in StoreFront 3.0.
Visit Citrix Blog Post X1 Skin for NetScaler Gateway to download an already developed theme package. Or
see one of the following for instructions to manually edit the NetScaler Gateway theme to match
StoreFront 3.x

Daniel Ruiz NetScaler Gateway front page à la StoreFront 3.0


Ivan Cacic NetScaler Gateway Customisation Receiver X1/StoreFront 2.7

To install the theme package:

1. Download the X1 theme from the Citrix Blog post.


2. WinSCP to the NetScaler and switch to /var/netscaler/gui/themes.
   1. On the right, rename the existing receivertheme.tar.gz file.
3. Upload the theme that was downloaded from the Citrix Blog post.

4. In NetScaler GUI, go to NetScaler Gateway > Global Settings > Change Global Settings.

5. Switch to the Client Experience tab.

6. At the bottom, if the current UI Theme is Green Bubble, change it to Default. Then go back into the
screen and change it back to Green Bubble. This causes the theme to reload. Click OK.
7. The logon page should now look more like Receiver for Web in StoreFront 3.0.
StoreFront Load Balancing NetScaler 11.1
Last Modified: Oct 18, 2016 @ 12:43 pm

Monitor

Note: This is a Perl monitor, which uses the NSIP as the source IP. You can use RNAT to override this as
described in CTX217712 How to Force scriptable monitor to use SNIP in Netscaler in 10.5.

1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.

2. On the right, click Add.

3. Name it StoreFront or similar.


4. Change the Type drop-down to STOREFRONT.

5. If you will use SSL to communicate with the StoreFront servers, then scroll down, and check the box
next to Secure.

6. Scroll up, and switch to the Special Parameters tab.


7. In the Store Name field, enter the name of your store (e.g. MyStore) without spaces.
8. Click Create.

add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store

Servers
1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.

2. On the right, click Add.

3. Enter a descriptive server name, usually it matches the actual server name.
4. Enter the IP address of the server.
5. Enter comments to describe the server. Click Create.

6. Continue adding StoreFront servers.

add server SF01 10.2.2.57
add server SF02 10.2.2.58

Service Group

1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
2. On the right, click Add.

3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SSL).


4. Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure that the StoreFront Monitor has
Secure checked.
5. Scroll down and click OK.

6. Click where it says No Service Group Member.

7. If you did not create server objects then enter the IP address of a StoreFront Server. If you
previously created a server object then change the selection to Server Based and select the server
objects.
8. Enter 80 or 443 as the port. Then click Create.

9. Click OK.

10. On the right, under Advanced Settings , click Monitors.


11. Click where it says No Service Group to Monitor Binding.

12. Click the arrow next to Click to select.

13. Select your StoreFront monitor and click Select.

14. Then click Bind.

15. To verify that the monitor is working, on the left, in the Service Group Members section, click the
Service Group Members line.
16. Click the ellipsis next to a member and click Monitor Details.

17. The Last Response should be Success Probe succeeded. Click Close twice.

18. On the right, under Advanced Settings, click Settings.


19. On the left, in the Settings section, check the box for Client IP and enter X-Forwarded-For as the
Header. Then click OK.

20. Then click Done.

add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For

bind serviceGroup svcgrp-StoreFront-SSL SF01 443
bind serviceGroup svcgrp-StoreFront-SSL SF02 443
bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront

21. If the Service Group is http and you don't have certificates installed on your StoreFront servers (aka
SSL Offload) then you'll need to enable loopback in StoreFront.
    1. In StoreFront 3.5 and newer, you enable it in the GUI console.
    2. In StoreFront 3.0, run the following commands on the StoreFront 3.0 servers as detailed at
    Citrix Blog Post What's New in StoreFront 3.0.

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp

Load Balancing Virtual Server

1. Create or install a certificate that will be used by the SSL Offload Virtual Server. This certificate must
match the DNS name for the load balanced StoreFront servers. For email discovery in Citrix
Receiver, the certificate must either be a wildcard (*.corp.local) or have a subject alternative name
for discoverReceiver.domain.com (domain.com = email address suffix)

2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

3. On the right click Add.

4. Name it lbvip-StoreFront-SSL or similar.


5. Change the Protocol to SSL.
6. Specify a new internal VIP.
7. Enter 443 as the Port.
8. Click OK.

add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType SOURCEIP -timeout 60

9. On the left, in the Services and Service Groups section, click where it says No Load Balancing
Virtual Server ServiceGroup Binding.
10. Click the arrow next to Click to select.

11. Select your StoreFront Service Group and click Select.

12. Click Bind.

bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL

13. Click Continue.


14. Click where it says No Server Certificate.

15. Click the arrow next to Click to select.

16. Select the certificate for this StoreFront Load Balancing Virtual Server and click Select.

17. Click Bind.

bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildCorpCom


18. Click Continue.

19. On the right, in the Advanced Settings column, click Persistence.

20. On the left, in the Persistence section, select SOURCEIP. Do NOT use COOKIEINSERT persistence or
Android devices will not function correctly.
21. Set the timeout to match the timeout of Receiver for Web.
22. The IPv4 Netmask should default to 32 bits.
23. Click OK.
24. If the NetScaler communicates with the StoreFront servers using HTTP (aka SSL Offload: 443 on
client-side, 80 on server-side), and if you have enabled the Default SSL Profile, then you'll either
need to edit the Default SSL Profile to include the SSL Redirect option, or create a new custom SSL
Profile with the SSL Redirect option enabled, and then bind the custom SSL Profile to this vServer.
25. If the default SSL Profile is not enabled, then you'll need to edit the SSL Parameters section on the
vServer, and at the top right, check the box next to SSL Redirect. Otherwise the Receiver for Web
page will never display.

set ssl vserver lbvip-StoreFront-SSL -sslRedirect ENABLED -ssl3 DISABLED

26. If you haven't enabled the Default SSL Profile, then perform other normal SSL configuration
including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.

bind ssl vserver lbvip-StoreFront-SSL -certkeyName MyCert

set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL

bind ssl vserver lbvip-StoreFront-SSL -cipherName Modern

bind ssl vserver lbvip-StoreFront-SSL -eccCurveName ALL

bind lb vserver lbvip-StoreFront-SSL -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

When connecting to StoreFront through load balancing, if you want to put the server name on the
StoreFront webpage so you can identify the server, see Nicolas Ignoto Display server name with Citrix
StoreFront 3.

SSL Redirect - SSL Load Balancing vServer Method

Users must enter https:// when navigating to the StoreFront website. To make it easier for the users,
enable SSL Redirection.

This procedure details the SSL Load Balancing vServer method of performing an SSL redirect. An alternative
is to use the Responder method.

1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
2. On the right, find the SSL Virtual Server you've already created, click the ellipsis next to it and click
Edit.

3. In the Basic Settings section, click the pencil icon.


4. Click the More link.

5. In the Redirect from Port field, enter 80.


6. In the HTTPS Redirect URL field, enter your StoreFront Load Balancing URL (e.g.
https://storefront.corp.com).

7. Scroll down and click Continue twice.

set lb vserver lbvip-StoreFront-SSL -redirectFromPort 80 -httpsRedirectUrl https://storefront.corp.com

8. This method does not add any new vServers to the list so it's not easy to see if this is configured.

StoreFront Base URL


1. Create a DNS Host record that resolves to the new VIP.

2. The DNS name for StoreFront load balancing must be different than the DNS name for NetScaler
Gateway. Unless you are following the Single FQDN procedure.

3. In the Citrix StoreFront console, right-click Server Group and click Change Base URL.
4. Enter the new Base URL in https://storefront.corp.com format. This must match the certificate that
is installed on the load balancer. Click OK.

Subscription Replication Load Balancing

If you have multiple StoreFront clusters (separate datacenters), you might want to replicate subscriptions
between them. StoreFront subscription replication uses TCP port 808. To provide High Availability for this
service, load balance TCP port 808 on the StoreFront servers. See Configure subscription synchronization at
Citrix Docs for more information.

1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.

2. On the right, click Add.

3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SubRepl).


4. Change the Protocol to TCP.

5. Scroll down and click OK.

6. Click where it says No Service Group Member.

7. Change the selection to Server Based and select the StoreFront servers.
8. Enter 808 as the port. Then click Create.
9. Click OK.

10. On the right, under Advanced Settings, click Monitors.

11. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.

12. Click the arrow next to Click to select.


13. Select the tcp monitor and click Select.

14. Then click Bind and click Done.

add serviceGroup svcgrp-StoreFront-FavRepl TCP
bind serviceGroup svcgrp-StoreFront-FavRepl SF01 808
bind serviceGroup svcgrp-StoreFront-FavRepl SF02 808

15. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

16. On the right, click the ellipsis next to the existing StoreFront Load Balancing vServer, and click Add.

17. Name it lbvip-StoreFront-SubRepl or similar.

18. Change the Protocol to TCP.
19. Specify the same VIP that you used for SSL Load Balancing of StoreFront.
20. Enter 808 as the Port.
21. Click OK.

22. Click where it says No Load Balancing Virtual Server ServiceGroup Binding.

23. Click the arrow next to Click to select.

24. Select your StoreFront Subscription Replication Service Group and click Select.

25. Click Bind.

26. Click Continue.

27. Then click Done.

add lb vserver lbvip-StoreFront-FavRepl TCP 10.2.2.201 808 -persistenceType NONE
bind lb vserver lbvip-StoreFront-FavRepl svcgrp-StoreFront-FavRepl

StoreFront Favorites/Subscriptions
Last Modified: May 28, 2017 @ 11:05 am

Navigation

This page contains the following topics:

Favorites/Subscriptions Overview
Favorites/Subscriptions Replication across Server Groups
Common Favorites/Subscriptions for Multiple Stores on same Server Group
Delete Favorites/Subscriptions

Favorites/Subscriptions Overview

By default, StoreFront allows users to select applications as their Favorites. These subscribed applications
are then displayed in the Favorites view of Receiver. Administrators can also use KEYWORDS in published
application descriptions to auto-favorite an application.

The Favorites (subscriptions) are stored in a file database on each StoreFront server and are automatically
replicated to every StoreFront server in a local Server Group. For StoreFront servers in multiple
datacenters, you can configure replication of subscriptions between Server Groups. This provides a
consistent user interface no matter which datacenter the user connects to.

Multi-datacenter Favorites/Subscriptions Replication

If you have different StoreFront clusters (server groups) in multiple datacenters, you probably want to
replicate subscriptions between them. For more information, see What Subscriptions and Server Groups
Mean for StoreFront Designs.

1. The store names must be identical in each StoreFront server group.


2. When adding farms (Manage Delivery Controllers) to StoreFront, make sure the farm names are
identical in each StoreFront cluster (server group).
3. Load balance TCP 808 for each StoreFront cluster. Use the same VIP you created for SSL Load
Balancing of StoreFront. Each datacenter has its own VIP.
4. Run the PowerShell commands detailed at Configure subscription synchronization at Citrix Docs.
When adding the remote cluster, enter the TCP 808 Load Balancing VIP in the other datacenter.
Run these commands on both StoreFront clusters.
5. Don't forget to add the StoreFront server computer accounts to the local group
CitrixSubscriptionSyncUsers on each StoreFront server.

Share Favorites/Subscriptions with Multiple Stores

Docs.citrix.com Configure two StoreFront stores to share a common subscription datastore: It is common
for administrators to configure StoreFront with two distinct stores; one for external access to resources
using Netscaler Gateway and another for internal access using the corporate LAN. You can configure both
external and internal stores to share a common subscription datastore by making a simple change to
the store web.config file.
For two stores to share a subscription datastore, you need only point one store to the subscription service
end point of the other store. Note: The XenApp, XenDesktop and AppC controllers configured on each
store must match exactly; otherwise, an inconsistent set of resource subscriptions on one store might
occur. Sharing a datastore is supported only when the two stores reside on the same StoreFront server or
server group deployment.

Open the external store web.config file (C:\Inetpub\wwwroot\Citrix\ExternalStore\web.config) using
Notepad and search for the clientEndpoint. For example:

<subscriptionsStoreClient enabled="true">
<clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_External" authenticationMode="windows"
transferMode="Streamed">
<clientCertificate thumbprint="0" />
</clientEndpoint>
</subscriptionsStoreClient>

Change the external to match the internal store endpoint. Then Propagate Changes.

<subscriptionsStoreClient enabled="true">
<clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_Internal" authenticationMode="windows"
transferMode="Streamed">
<clientCertificate thumbprint="0" />
</clientEndpoint>
</subscriptionsStoreClient>

Delete Favorites/Subscriptions

From Citrix Discussions: You can delete subscriptions using the subscription store PowerShell API and some
file editing:

1. If StoreFront 3.5 or newer, run the following (from Citrix CTX216295 How to Export and Import
StoreFront Subscription Database on Storefront 3.6):

$store = Get-STFStoreService
Export-STFStoreSubscriptions -Store $store -FilePath "$env:userprofile\desktop\subscriptions.txt"

   If StoreFront 3.0.1 or older, run the following PowerShell (using Run As Administrator
   when opening the PowerShell Console and not missing the ". " (i.e. dot space) at the start of
   the first command):

. 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'
Export-DSStoreSubscriptions -StoreName MyStore -FilePath .\subscriptions.txt

2. Stop the Citrix Subscriptions Store Service on all StoreFront servers in the deployment.
3. Find the subscription store database folder:
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\1__Citrix_Store
on each StoreFront server. Delete the contents of this folder (do not delete the folder
itself). Note: If UAC is enabled then you might have to go
to C:\Windows\ServiceProfiles\NetworkService first and then drill down into the remaining
folders. AppData is a hidden folder.
4. Restart the Citrix Subscriptions Store Service on all StoreFront servers in the deployment. Open
Event Viewer and, in the left pane, navigate to Applications and Services Logs > Citrix Delivery
Services. Search for events logged by the Citrix Subscriptions Store Service with an Event ID of 3
and a Task Category of 2901. Ensure that an entry is logged for each store on every server in the
deployment before continuing.
5. Back up subscriptions.txt, then edit it to remove any entries you want to delete.
6. If StoreFront 3.5 or newer, run the following PowerShell commands to restore your subscriptions:

$store = Get-STFStoreService
Import-STFStoreSubscriptions -Store $store -FilePath "$env:userprofile\desktop\subscriptions.txt"

   If StoreFront 3.0.1 or older, run the following PowerShell:

Import-DSStoreSubscriptions -StoreName MyStore -FilePath .\subscriptions.txt

Each row of the exported subscriptions file is a tab-separated list of user-sid, resource-id, subscription-id,
subscription-status followed by zero or more subscription-property name-value pairs.

To delete all subscriptions for a particular user, you will need to find the user's SID and then delete all rows
starting with that value.
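
One way to do that row removal in PowerShell, as an added example that is not from the original article or from Citrix. The function name is hypothetical and the sample rows are constructed placeholders in the column order described above; the match is on the SID plus the tab that follows it, so a longer SID that only begins with the same characters is left alone, and kept rows are written back byte for byte.

```powershell
# Added example: hypothetical helper, not part of StoreFront or the article.
function Remove-SubscriptionRowsForSid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Path,     # exported subscriptions file
        [Parameter(Mandatory = $true)][string]$UserSid   # SID whose rows are removed
    )

    # Reject anything that is not SID-shaped, so a typo cannot match unrelated rows.
    if ($UserSid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: '$UserSid'" }

    # .NET file APIs ignore PowerShell's current location, so resolve the full path first.
    $full   = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    $backup = "$full.bak"
    if (Test-Path -LiteralPath $backup) { throw "Backup already exists: $backup" }

    $bytes = [System.IO.File]::ReadAllBytes($full)
    if ($bytes.Length -ge 2 -and (($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or
                                  ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF))) {
        throw 'UTF-16 file: this example only handles single-byte and UTF-8 text.'
    }

    # Step over a UTF-8 byte order mark so it does not hide the SID on the first row.
    $start = 0
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $start = 3
    }

    # ISO-8859-1 maps each byte to one character and back, so rows that are
    # kept keep their exact bytes (including any UTF-8 sequences and CR characters).
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $rows   = $latin1.GetString($bytes, $start, $bytes.Length - $start) -split "`n"

    # Match "<SID><TAB>": without the tab, ...-1001 would also match ...-10010.
    $prefix  = "$UserSid`t"
    $kept    = New-Object 'System.Collections.Generic.List[string]'
    $removed = 0
    foreach ($row in $rows) {
        if ($row.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { $removed++ }
        else { $kept.Add($row) }
    }

    # Keep the untouched export next to the edited one before overwriting it.
    Copy-Item -LiteralPath $full -Destination $backup -ErrorAction Stop
    $out = $latin1.GetBytes([string]::Join("`n", $kept.ToArray()))
    $fs  = [System.IO.File]::Create($full)
    try {
        $fs.Write($bytes, 0, $start)      # original byte order mark, if there was one
        $fs.Write($out, 0, $out.Length)
    }
    finally { $fs.Dispose() }

    [pscustomobject]@{
        Removed = $removed
        Kept    = @($kept | Where-Object { $_.Trim() }).Count
        Backup  = $backup
    }
}

# Constructed sample: only the tab-separated column order comes from the article,
# the SIDs and field values are placeholders.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) ("subscriptions-sample-{0}.txt" -f [guid]::NewGuid())
$sampleRows = @(
    "S-1-5-21-1111111111-2222222222-3333333333-1001`tresource-A`tsubscription-1`tstatus",
    "S-1-5-21-1111111111-2222222222-3333333333-1001`tresource-B`tsubscription-2`tstatus`tname`tvalue",
    "S-1-5-21-1111111111-2222222222-3333333333-10010`tresource-A`tsubscription-3`tstatus",
    "S-1-5-21-1111111111-2222222222-3333333333-1002`tresource-C`tsubscription-4`tstatus"
)
[System.IO.File]::WriteAllText($sample, ($sampleRows -join "`r`n") + "`r`n")

Remove-SubscriptionRowsForSid -Path $sample -UserSid 'S-1-5-21-1111111111-2222222222-3333333333-1001'
Get-Content -LiteralPath $sample
```

Run it against a copy of the export first, and import the edited file only after the event log check in the procedure above has passed.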
StoreFront 3.5 through 3.11 Configuration for NetScaler Gateway
Navigation

This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.

StoreFront Configuration for NetScaler Gateway


o NetScaler Gateway Logon Page Theme
Single FQDN for internal and external
Multiple Datacenters
o Multisite StoreFront and NetScaler Gateway Design
o Icon Aggregation and Home Sites
o HDX Optimal Gateway
Multiple Gateways Connecting to One StoreFront

StoreFront Config for Gateway

1. See the NetScaler pages for instructions on configuring NetScaler Gateway for StoreFront.
2. In the StoreFront Console, right-click the Store and click Manage Authentication Methods.

3. Ensure Pass-through from NetScaler Gateway is selected, and click OK.

4. If you need the SmartAccess feature, then you need to configure StoreFront to perform an authentication
callback to a NetScaler Gateway Virtual Server on the same appliance that authenticated the user.
   1. If you need SmartAccess and are doing Single FQDN then the Callback FQDN must be different than
      the Single FQDN.
   2. If you need SmartAccess and are doing different FQDNs for Gateway and StoreFront, then the
      Callback FQDN is usually the same as the Gateway FQDN.
   3. Make sure the StoreFront server can resolve the Callback FQDN to a Gateway VIP (with matching
      certificate). One option is to edit the C:\Windows\System32\drivers\etc\hosts file and add an entry
      for the Callback FQDN.
   4. After configuring the HOSTS file, on the StoreFront server, open a browser and navigate to the DNS
      name. Make sure the Gateway vServer logon page appears.
5. In the StoreFront Console, right-click Stores, and click Manage NetScaler Gateways.

6. If StoreFront 3.6 or newer, notice the imported from file link on top. This is a new feature of NetScaler 11.1.
See Citrix Blog Post NetScaler Gateway Deployment Configuration for StoreFront, Simplified! for details.
7. If you're not using the config file from NetScaler 11.1 and newer, click Add.

8. In the General Settings page, enter a display name. This name appears in Citrix Receiver so make it
descriptive.
9. Enter the NetScaler Gateway Public URL. This can be a GSLB-enabled DNS name. Click Next.

10. In the Secure Ticket Authority page, click Add.

11. Enter the URL to a XenDesktop Controller. This can be http or https.
12. Continue adding Secure Ticket Authorities (XenDesktop Controllers). Whatever Secure Ticket Authorities you
add here must also be added to the NetScaler Gateway Virtual Server on the NetScaler appliance. Click Next.

13. In the Authentication Settings page, if you have multiple Gateways (on separate appliance pairs) connecting
to one StoreFront server, then you'll need to enter the vServer IP address (VIP) of the NetScaler
Gateway Virtual Server so StoreFront can differentiate one NetScaler Gateway from another. If there's only
one Gateway communicating with this StoreFront server group, then leave the VServer IP address field
empty.
14. If you need SmartAccess, then enter the Callback URL.
o The Callback URL must resolve to any NetScaler Gateway VIP on the same appliance that
authenticated the user. For multi-datacenter, edit the HOSTS file on the StoreFront server so it
resolves to NetScaler appliances in the same datacenter.
o The Callback URL Gateway Virtual Server must have a trusted and valid (matches the FQDN)
certificate.
o The Callback URL Gateway Virtual Server must not have client certificates set to Mandatory.
15. If you don't need SmartAccess then leave the Callback URL field empty.

16. If you enabled two-factor authentication (LDAP and RADIUS) on your NetScaler, change the Logon type to
Domain and security token. Otherwise leave it set to Domain only.

17. Click Create.


18. Then click Finish.
19. Right-click a store and click Configure Remote Access Settings.

20. Check the box next to Enable Remote Access.


21. Leave it set to No VPN tunnel.
o Note: if you want Receiver to automatically launch a VPN tunnel, then see CTX200664 How to
Configure Receiver for Seamless Experience Through NetScaler Gateway.
22. Check the box next to the NetScaler Gateway object you just created and then click OK.
23. Then in the StoreFront console, right-click Server Group and click Propagate Changes.

NetScaler Gateway Logon Page Theme

To make the NetScaler Gateway logon page look like Receiver 3.0 and newer, see one of the following:

NetScaler Gateway 11.1 Portal Theme


StoreFront 3.x Portal Theme for NetScaler 11.0
StoreFront 3.x Theme for NetScaler 10.5

Single FQDN

Links:

Citrix CTX200848 How to Configure Single Fully Qualified Domain Name for StoreFront and NetScaler
Gateway
Docs.citrix.com Create a single Fully Qualified Domain Name (FQDN) to access a store internally and
externally

Traditionally Receiver required separate FQDNs for StoreFront Load Balancing (internal) and NetScaler
Gateway (external). Recently Citrix made some code changes to accept a single FQDN for both. This
assumes that external users resolve the Single FQDN to a NetScaler Gateway VIP and internal users resolve
the same FQDN to StoreFront Load Balancing VIP.

Single FQDN has the following requirements:

Receivers:
o Receiver for Windows 4.2 or newer
o Receiver for Mac 11.9 or newer
o Mobile Receivers
o It doesn't seem to work with Linux Receiver
StoreFront 2.6 or newer
Split DNS: different DNS resolution for internal vs external
NetScaler 10.1 or newer

This section assumes NetScaler Gateway is in ICA Proxy mode. Different instructions are needed for when
ICA Proxy is off. See docs.citrix.com for more information.

If you don't care about email-based discovery then the configuration of Single FQDN is fairly simple.
Sample DNS names are used below. Make sure the certificates match the DNS names.
1. Internal DNS name = the Single FQDN (e.g. storefront.corp.com). Resolves to internal Load Balancing VIP for
StoreFront. Set the StoreFront Base URL to this address.

2. External DNS name = the Single FQDN (e.g. storefront.corp.com). Resolves to public IP, which is NAT'd to
NetScaler Gateway VIP on DMZ NetScaler. Set the NetScaler Gateway object in StoreFront to this FQDN.
3. If you need SmartAccess, then the Callback URL = any DNS name (e.g. callback.corp.com) that resolves to a
NetScaler Gateway VIP on the same DMZ NetScaler appliance that authenticated the user.

o Callback is optional if you don't need SmartAccess features.


o The callback DNS name must be different than the Single FQDN.
o Your external NetScaler Gateway certificate could match both the Single FQDN and the Callback
FQDN. Or you can create separate NetScaler Gateway Virtual Servers on the same appliance with
separate certificates that match these FQDNs.
4. Internal Beacon = any internal website URL that is not externally accessible. You can't use the Single FQDN
as the Internal Beacon. Ideally, the Internal Beacon should be a new DNS name that resolves to the
StoreFront Load Balancing VIP. However, this requires the StoreFront Load Balancing Virtual Server to have a
certificate that matches both the Single FQDN and the Internal Beacon. See CTX218708 How to Configure
Internal Beacon for Single FQDN on StoreFront.

o If you are using Receiver for iOS internally then be aware that Receiver for iOS handles the Internal
Beacon differently than Receiver for Windows. Receiver for iOS will append /Citrix/Store/discovery
to the Internal Beacon and thus it only works if the Internal Beacon DNS name resolves to the
StoreFront server. Since you can't use the StoreFront Base URL as the Internal Beacon, you'll need a
different DNS name that resolves to the StoreFront servers and matches the StoreFront certificate.
Note: if you are not allowing internal iOS devices then this isn't needed.
5. Make sure the DMZ NetScaler resolves the Single FQDN to the internal StoreFront Load Balancing VIP. You
typically add internal DNS servers to the NetScaler. Or you can create a local Address Record for the Single
FQDN.

6. In the NetScaler Gateway Session Profiles, set the Web Interface Address and the Account Services Address
to the Single FQDN.
7. That's all you need to implement Single FQDN. If you made changes to an existing StoreFront deployment,
then you might have to remove accounts from Receiver and re-add the account.

If you need email-based discovery then here's an example configuration for ICA Proxy NetScaler Gateway:

External DNS:
o Storefront.corp.com resolves to public IP, which is NAT'd to NetScaler Gateway VIP on DMZ
NetScaler.
o If email-based discovery, SRV record for _citrixreceiver._tcp.email.suffix points to
StoreFront.corp.com.
External publicly-signed certificate for NetScaler Gateway:
o One option is wildcard for *.corp.com. Assumes email suffix is also corp.com.
o Another option is the following Subject Alternative Names:
    Storefront.corp.com
    Callback.corp.com for callback URL. Only accessed from internal.
    Or you can create a separate Gateway vServer for callback with a separate certificate.
    If email-based discovery, discoverReceiver.email.suffix
Internal DNS:
o Storefront.corp.com resolves to Load Balancing VIP for StoreFront
o Callback.corp.com resolves to NetScaler Gateway VIP on DMZ NetScaler. For authentication
callback.
o For the internal beacon, FQDN of any internal web server. Make sure this name is not resolvable
externally.
o If email-based discovery, SRV record for _citrixreceiver._tcp.email.suffix points to
StoreFront.corp.com.
Internal certificate for StoreFront Load Balancing: publicly-signed recommended, especially for mobile
devices and thin clients. Also can use the external certificate.
o One option is wildcard for *.corp.com. Assumes email suffix is also corp.com.
o Another option is the following Subject Alternative Names:
    Storefront.corp.com
    If email-based discovery, discoverReceiver.email.suffix

StoreFront Configuration:

Base URL = https://storefront.corp.com


Internal beacon = https://InternalBeacon.corp.com. Or FQDN of internal web server. Make sure it's not
resolvable externally.
Gateway object:
o Gateway URL = https://storefront.corp.com
o Callback URL = https://Callback.corp.com

Receiver for Web session policy (basic mode or ICA Only is checked):

Policy expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver


Client Experience tab:
o Home page = https://storefront.corp.com/Citrix/StoreWeb
o Session Timeout = 60 minutes
o Clientless Access = Off
o Clientless Access URL Encoding = Clear
o Clientless Access Persistent Cookie = Deny
o Plug-in Type = Windows/Mac OS X
o Single Sign-on to Web Applications = checked
Security tab:
o Default authorization = ALLOW
Published Applications tab:
o ICA Proxy = On
o Web Interface address = https://storefront.corp.com/Citrix/StoreWeb
o Web Interface Portal Mode = Normal
o Single Sign-on Domain = Corp

Receiver Self-Service session policy (basic mode or ICA Only is checked):

Policy expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

Client Experience tab:
o Session Timeout = 60 minutes
o Clientless Access = Off
o Clientless Access URL Encoding = Clear
o Clientless Access Persistent Cookie = Deny
o Plug-in Type = Java
Security tab:
o Default authorization = ALLOW
Published Applications tab:
o ICA Proxy = On
o Web Interface address = https://storefront.corp.com
o Web Interface Portal Mode = Normal
o Single Sign-on Domain = Corp
o Account Services address = https://storefront.corp.com

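
The naming rules from the Single FQDN section above, as an added example that is not from the original article or from Citrix: a PowerShell check that takes a planned set of DNS names plus the names on each certificate and reports where the plan breaks those rules. Function and parameter names are hypothetical, the two plans are constructed from the article's sample names, and wildcard matching assumes the usual rule that `*` stands for exactly one left-most label.

```powershell
# Added example: hypothetical helpers, not Citrix tooling.

function Test-NameCoveredByCert {
    param([string]$DnsName, [string[]]$CertNames)
    $name = $DnsName.TrimEnd('.').ToLowerInvariant()
    foreach ($entry in $CertNames) {
        $san = $entry.TrimEnd('.').ToLowerInvariant()
        if ($san -ceq $name) { return $true }
        if ($san.StartsWith('*.', [System.StringComparison]::Ordinal)) {
            # *.corp.com covers storefront.corp.com, but not corp.com or a.b.corp.com.
            $suffix = $san.Substring(1)
            if ($name.EndsWith($suffix, [System.StringComparison]::Ordinal)) {
                $label = $name.Substring(0, $name.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Test-SingleFqdnPlan {
    param(
        [Parameter(Mandatory = $true)][string]$SingleFqdn,
        [Parameter(Mandatory = $true)][string]$InternalBeacon,        # host name only, no https://
        [Parameter(Mandatory = $true)][string[]]$GatewayCertNames,    # names on the Gateway certificate
        [Parameter(Mandatory = $true)][string[]]$StoreFrontCertNames, # names on the StoreFront LB certificate
        [string]$CallbackFqdn,          # leave empty when SmartAccess is not needed
        [string[]]$CallbackCertNames,   # set when callback has its own Gateway vServer and certificate
        [string]$EmailSuffix,           # leave empty when email-based discovery is not used
        [switch]$BeaconOnStoreFrontVip  # beacon name resolves to the StoreFront Load Balancing VIP
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $single   = $SingleFqdn.TrimEnd('.')

    if ($CallbackFqdn -and $CallbackFqdn.TrimEnd('.') -ieq $single) {
        $findings.Add("Callback FQDN must be different than the Single FQDN ($single).")
    }
    if ($InternalBeacon.TrimEnd('.') -ieq $single) {
        $findings.Add("Internal Beacon cannot be the Single FQDN ($single).")
    }

    # Names each certificate has to match, following the lists in the article.
    $gatewayNeeds    = @($single)
    $storeFrontNeeds = @($single)
    if ($EmailSuffix) {
        $gatewayNeeds    += "discoverReceiver.$EmailSuffix"
        $storeFrontNeeds += "discoverReceiver.$EmailSuffix"
    }
    if ($BeaconOnStoreFrontVip) { $storeFrontNeeds += $InternalBeacon }
    if ($CallbackFqdn -and -not $CallbackCertNames) { $gatewayNeeds += $CallbackFqdn }

    $checks = @(
        @{ Cert = 'Gateway certificate'; Names = $GatewayCertNames; Needs = $gatewayNeeds },
        @{ Cert = 'StoreFront Load Balancing certificate'; Names = $StoreFrontCertNames; Needs = $storeFrontNeeds }
    )
    if ($CallbackFqdn -and $CallbackCertNames) {
        $checks += @{ Cert = 'Callback vServer certificate'; Names = $CallbackCertNames; Needs = @($CallbackFqdn) }
    }

    foreach ($check in $checks) {
        foreach ($need in $check.Needs) {
            if (-not (Test-NameCoveredByCert -DnsName $need -CertNames $check.Names)) {
                $findings.Add("$($check.Cert) does not match $need.")
            }
        }
    }
    return $findings.ToArray()
}

# Constructed plan 1: the article's sample names with a wildcard on the Gateway.
$plan1 = Test-SingleFqdnPlan -SingleFqdn 'storefront.corp.com' -CallbackFqdn 'callback.corp.com' `
    -InternalBeacon 'InternalBeacon.corp.com' -EmailSuffix 'corp.com' `
    -GatewayCertNames '*.corp.com' `
    -StoreFrontCertNames 'storefront.corp.com', 'discoverReceiver.corp.com'
"Plan 1 findings: $(@($plan1).Count)"

# Constructed plan 2: callback and beacon reuse the Single FQDN, and the email
# suffix is a sub-domain that a *.corp.com wildcard does not reach.
$plan2 = Test-SingleFqdnPlan -SingleFqdn 'storefront.corp.com' -CallbackFqdn 'storefront.corp.com' `
    -InternalBeacon 'storefront.corp.com' -EmailSuffix 'emea.corp.com' `
    -GatewayCertNames '*.corp.com' -StoreFrontCertNames '*.corp.com'
"Plan 2 findings: $(@($plan2).Count)"
$plan2
```
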
Multiple Datacenters / Farms

Multisite NetScaler Gateway and StoreFront Design

If you have StoreFront (and NetScaler Gateway) in multiple datacenters, GSLB is typically used for the
initial user connection but GSLB doesn't provide much control over which datacenter a user initially
reaches. So the ultimate datacenter routing logic must be performed by StoreFront.

StoreFront chooses datacenters at the farm level. Thus StoreFront assumes that each datacenter has a
separate XenApp/XenDesktop farm.

Citrix is beginning to add more zone-based features to support single farms stretched across datacenters,
but this functionality is not yet fully realized. The current challenge with stretched farms is that SQL is in only
one datacenter.

StoreFront can enumerate icons from multiple farms. If there are identical icons in multiple farms, then the
icons can be aggregated so that only a single icon is displayed to the user. When the user clicks the icon,
StoreFront then needs to select a datacenter (select a farm). This is typically done based on the user's
Active Directory group membership. Farms can be prioritized (active/passive). Or farms can be
active/active load balanced.

After the datacenter (farm) is selected, Optimal Gateway directs the ICA connection through the NetScaler
Gateway that is closest to the destination VDA. Optimal Gateway requires datacenter-specific DNS names
for NetScaler Gateway.

There are two methods of configuring icon aggregation in StoreFront:

The StoreFront Console can do simple configurations. The console supports a single aggregation group and
active/passive configurations for multiple Active Directory user groups. One Active Directory user group
could have Farm A as active and Farm B as passive. A different Active Directory user group could have Farm
B as active and Farm A as passive. This is also known as Home Sites.
Complex configurations can be performed in XML files. For example, you can load balance connections
across two identical farms (active/active). See Citrix Docs Set up highly available multi-site store
configurations.

Note: if you have existing subscriptions/favorites, then enabling icon aggregation will cause the existing
subscriptions to be ignored. You can migrate the existing subscriptions by exporting, modifying, and
importing. See Subscriptions Missing after Enabling Aggregation at Citrix Discussions.

Here's a typical active/active XenApp/XenDesktop configuration:

Farms: Separate XenApp/XenDesktop farms in each datacenter. This is required for two reasons: HDX
Optimal Routing, and assigning users to Home Sites.
o Zones are not yet an effective option. Citrix is still working on adding zone functionality.
NetScaler Gateways: For AppFlow reporting, NetScaler Gateway ICA Proxy is typically used both externally
and internally. Externally it is required. Internally it is used to generate AppFlow data.
FQDN: Internal users and external users use the same FQDN (e.g. citrix.company.com).
o Externally, citrix.company.com resolves to a NetScaler Gateway VIP.
o Internally, citrix.company.com resolves to a StoreFront Load balancing VIP. This allows
pass-through authentication. If the internal DNS name resolved to a NetScaler Gateway VIP then
pass-through authentication would not work. However, NetScaler Gateway is sometimes needed
internally for certain authentication configurations (e.g. Smart Card, SAML, two-factor, etc.)
Delegation: citrix.company.com is delegated from internal DNS and public DNS to NetScaler ADNS (internal
and external).
o This DNS name is bound to one NetScaler GSLB vServer that has two active GSLB services. If internal,
the GSLB services contain the internal StoreFront Load Balancing VIP in each datacenter. If external,
the GSLB services contain the public NetScaler Gateway VIP in each datacenter.
o You can use a proximity GSLB load balancing method to select the closest datacenter.
o GSLB persistence is required for the duration of the StoreFront session. GSLB vServer Source IP
persistence is probably not effective internally so GSLB Service Site Persistence (cookies) is
preferred. Or GSLB static proximity can take care of persistence.
o For the public DNS name, NetScaler in one datacenter must monitor the Internet circuit in the other
datacenter so it doesn't give out the public IP of the other datacenter if that datacenter's Internet
circuit is down. One option is to bind a TCP monitor to the remote GSLB service. The TCP monitor
contains the public IP address of the NetScaler Gateway in the remote datacenter.
Single NetScaler: If one NetScaler is doing GSLB for both internal and external:
o You probably want different GSLB monitoring methods for internal vs external. If Internet goes down
in one of the datacenters, then you probably don't want that to affect internal GSLB. This also means
that MEP must be routed across the internal DCI (datacenter interconnect) instead of across the
Internet.
o You can't bind the same DNS name to two different GSLB vServers. One workaround is to configure
external GSLB for citrix.company.com and configure internal GSLB for citrixinternal.company.com.
The internal DNS servers have a CNAME (alias) from citrix.company.com
to citrixinternal.company.com so that the DNS request that reaches internal NetScaler ADNS is
actually for citrixinternal.company.com. Then you can have two different GSLB vServers with
different GSLB services with different monitoring configurations.
StoreFront Server Groups: Separate StoreFront Server Groups in each datacenter.
o Citrix doesn't support stretching a single StoreFront Server Group across a WAN link.
o Each Server Group is configured identically. You can export the config from one Server Group and
import it to the other. Or configure each of them separately but identically. Identical means: same
Base URL, same farms (Manage Delivery Controllers), same SRID, same Gateways, and same
Beacons.
o If subscriptions/favorites are enabled, use PowerShell commands to configure subscription
replication between the two Server Groups.
StoreFront Load Balancing: StoreFront load balancing VIP can be active/passive. Active = the StoreFront
servers in the local datacenter. Passive = the StoreFront servers in the remote datacenter.
o Create two Load Balancing vServers: one for local StoreFront, one for remote StoreFront. In the
Active (local) Load Balancing vServer, add the Protection section and configure the Backup (remote)
vServer.
o This configuration allows you to configure NetScaler Gateway Session Policies with the IP address of
StoreFront Load Balancing instead of a GSLB DNS name. The active/passive VIP allows NetScaler
Gateway to connect to StoreFront even if StoreFront in the local datacenter is down.
Icon aggregation: Configure StoreFront to aggregate icons from the two farms as detailed below.
o Use AD groups to specify a user's home datacenter as detailed below. The user's roaming profile and
home directory are in the user's home datacenter.
o Configure farm priority based on AD groups. For an aggregated icon, the AD group determines which
farm the icon is launched from.
HDX Optimal Routing: Use HDX Optimal Routing to route ICA traffic through the NetScaler Gateway that is
closest to the destination farm. This requires datacenter-specific DNS names (e.g. citrixsite1.company.com,
citrixsite2.company.com)
o The datacenter-specific DNS names are delegated to NetScaler ADNS.
o NetScaler GSLB for these DNS names is configured for active/passive: if the specific datacenter is up,
then give out that IP. If the specific datacenter is down, then give out the IP of the other datacenter.
o The GSLB Services contain the internal or public VIPs of NetScaler Gateway in each datacenter.
o If these DNS names are added to StoreFront for both Authentication and HDX Routing, then you can
use one of these DNS names to connect to StoreFront in a specific datacenter. This is helpful for
testing.
STAs: each StoreFront Server Group uses STAs in the local datacenter. Since ICA Traffic could end up on
either NetScaler, all STAs must be added to all NetScaler Gateways.
Beacons: the internal beacon is critical. If the internal beacon is down then Receiver Self-service won't be
able to determine if the client device is internal or not. GSLB can be used for the internal beacon DNS name.

Icon Aggregation and Home Sites

To configure icon aggregation using the StoreFront Console:

1. In StoreFront Console, go to Stores, right-click your Store, and click Manage Delivery Controllers.

2. Add multiple farms. Typically, each datacenter is a separate farm.


3. After adding multiple farms, the Configure button becomes available. Click it.

4. If you are publishing identical resources from multiple farms, click the link to Aggregate resources.

5. Select the farms with identical resources that you want to aggregate.
6. If StoreFront 3.6 and newer, notice the new checkboxes on the bottom. You can now load balance farms
instead of doing farm failover only. If load balancing farms, the farms no longer need to be identical.
7. Click Aggregate. Click OK when done.
8. Note: if you have existing subscriptions/favorites, then enabling icon aggregation will cause the existing
subscriptions to be ignored. You can migrate the existing subscriptions by exporting, modifying, and
importing. See Subscriptions Missing after Enabling Aggregation at Citrix Discussions.

9. Click Map users to controllers.

10. If you want the same farm failover (active/passive) or farm load balancing (StoreFront 3.6 and newer)
settings for everyone, then leave the User Groups page set to Everyone. Or if you intend to have different
home sites for different users, add a user group that contains the users that will be homed to a particular
datacenter. You can run this wizard multiple times to specify different home sites for different user groups.
Click Next.

11. In the Controllers page, click Add.


12. Select the farms that these users will have access to, and click OK.

13. If you configured farm aggregation without load balancing, then use the up and down arrow buttons to put
the active site on top. The lower priority sites will only be accessed if the primary site is down. You can run
this wizard multiple times to specify different active sites for different users.
14. If farm aggregation is configured for load balancing (StoreFront 3.6 and newer), then there are no arrows to
prioritize the farms.
15. Click Create.

16. You can click Add to add more user mappings. If you add multiple user groups, you can assign different
primary farms to each Active Directory group. This is how you configure home sites. Click OK twice when
done.

Shaun Ritchie Citrix StoreFront High Availability and Aggregation A dual site Active Active design has a
sample multi-site configuration using XML Notepad and explains how to use the Primary and Secondary
keywords to override farm priority order.

Citrix Blogs StoreFront Multi-Site Settings: Some Examples has example XML configurations for various
multi-datacenter Load Balancing and failover scenarios.

When Citrix Receiver switches between StoreFront servers in multiple datacenters, it's possible for each
datacenter to be treated as a separate Receiver site. This can be prevented by doing the following. From
Juan Zevallos at Citrix Discussions: To have multiple StoreFront deployments across a GSLB deployment,
here are the StoreFront requirements:

Match the SRID in StoreFront, if you use the same Base URL in the 2 separate installations, then the SRID
should end up being identical. If the Base URL is changed after the initial setup, the SRID doesn't change. The
SRID can be safely edited in the \inetpub\wwwroot\Citrix\Roaming\web.config file. It will be replicated
into the discovery servicerecord entry in the Store web.config which can be edited as well or refreshed from
the admin console by going into Remote Access setup for the store and hitting OK. Make sure to propagate
changes to other servers in the group.
Match the Base URL
Match the Delivery Controller names under Manage Delivery Controllers. The XML brokers can be
different, but the actual name of the Delivery Controller/Farm must be identical. Here's the exact setting I'm
referring to: https://citrix.sharefile.com/d/sa562ba140be4462b

If you are running XenApp / XenDesktop in multiple datacenters, you must design roaming profiles and
home directories correctly.

HDX Optimal Routing


The Optimal Gateway feature lets you override the NetScaler Gateway used for ICA connections. Here are
some scenarios where this would be useful:

Multi-site Load Balancing. If the icon selected by the user is published from XenApp/XenDesktop in
Datacenter A, then you probably want the ICA connection to go through a NetScaler Gateway Virtual Server
in Datacenter A. If the main DNS name for accessing NetScaler Gateway is GSLB load balanced across
datacenters, then you need additional datacenter-specific DNS names so you can control which datacenter
the ICA connection goes through. Note: Optimal Gateway is applied at the farm/site level or zone level (for
stretched 7.7+ farms).

NetScaler Gateway for internal connections (AppFlow). If you want to force internal users to go through
NetScaler Gateway so AppFlow data can be sent to Citrix Insight Center, then you can do that using Optimal
Gateway even if the user originally connected directly to the StoreFront server. See CTX200129 How to Force
Connections through NetScaler Gateway Using Optimal Gateways Feature of StoreFront for more
information.

The NetScaler Gateway Virtual Server requires user certificates. If ICA traffic goes through a NetScaler
Gateway Virtual Server that requires user certificates (e.g. Smart Card), then each session launch will result
in a PIN prompt. To prevent these extra prompts, build a separate NetScaler Gateway Virtual Server that
doesn't have user certificates set to Mandatory. Use Optimal Gateway to force ICA connections through the
other NetScaler Gateway Virtual Server. Note: the SmartAccess Callback URL also cannot use a NetScaler
Gateway Virtual Server where client certificates are set to Mandatory, so the extra NetScaler Gateway Virtual
Server would be useful for that scenario too.

Optimal Gateway can be configured in the StoreFront Console:

1. Right-click Stores, and click Manage NetScaler Gateways.

2. Add more Gateways: one for each datacenter.


3. When adding a Gateway, you can designate a Usage or role. The Gateway accessed through the
active/active GSLB DNS name should be set to Authentication and HDX routing.
4. The Gateways for Optimal Routing could be set to HDX routing only. Or if test users will use these
datacenter-specific DNS names to connect to Gateways in specific datacenters, leave them set
to Authentication and HDX routing. There's no harm in leaving all of the Gateways set to Authentication
and HDX routing.
5. Go to Stores, right-click a store and click Configure Store Settings.

6. Go to the Optimal HDX Routing page.


7. Highlight one of the datacenter-specific Gateways and click Manage Delivery Controllers.

8. Select the farms that are accessible through this gateway and click OK.
9. Repeat for the other datacenter-specific Gateways. The Gateway for the active/active GSLB-enabled DNS
name doesn't need any farms associated with it.
10. If you only want the Gateways to be used for external users, check the boxes for External only. Otherwise
the Gateway routing will be used for both internal and external connections.

11. Another option for Optimal Gateway selection is zones. In XenApp/XenDesktop 7.7 and newer, you can
stretch a farm across datacenters (zones) and use a different Gateway for each zone. Highlight a Gateway.
Click Manage Zones and add the zone name. This assumes the zone name has also been specified in the
Manage Delivery Controllers dialog box > Advanced Settings.

12. Click OK when done.


13. In summary, users will connect to the GSLB-enabled Gateway and login. After clicking an icon, HDX will be
routed through one of the datacenter-specific Gateways based on the farm the icon was launched from.

Multiple Gateways (GSLB) to One StoreFront

This section applies to SmartAccess and the Callback URL. If you don't need SmartAccess then skip this
section.
The Callback URL must go to the same appliance that authenticated the user. If you have multiple
appliance pairs communicating with a single StoreFront server, then StoreFront needs to identify which
NetScaler appliance pair the request came from so it can perform a callback to that appliance pair.

If each of the NetScaler Gateways uses the same DNS name (GSLB), then you can't use the DNS name to
distinguish one appliance from the other. Instead, StoreFront can use the Gateway VIP to distinguish
appliances so the callback goes to the correct appliance.

1. Create datacenter-specific callback DNS names. For example: callbackprod.corp.com and
callbackdr.corp.com.
2. The datacenter-specific callback DNS name must match the certificate on the NetScaler Gateway Virtual
Server. Here are some options to handle the certificate requirement:
o On the main NetScaler Gateway Virtual Server, assign a wildcard certificate that matches both the
GSLB name and the datacenter-specific callback name.
o On the main NetScaler Gateway Virtual Server, assign an SSL certificate with Subject Alternative
Names for both the GSLB name and the datacenter-specific callback name.
o Create an additional NetScaler Gateway Virtual Server on the appliance. Bind a certificate that
matches the datacenter-specific name.
3. In the StoreFront console, create multiple NetScaler Gateway appliances, one for each datacenter.

4. Give each of the gateway objects unique names.


5. Enter the same NetScaler Gateway URL in all of the gateway appliances.

6. In the VServer IP address field, enter the Gateway VIP for this particular appliance pair. StoreFront will use
this VIP to distinguish one NetScaler appliance from another.
7. The callback URL must be unique for each NetScaler appliance pair (e.g. callbackdr.corp.com). The callback
URL must resolve to a NetScaler Gateway VIP on the same appliance pair that authenticated the user.

8. Configure name resolution for the datacenter-specific callback DNS names. Either edit the HOSTS file on the
StoreFront servers or add DNS records to your DNS servers.

9. When enabling Remote Access on the store, select both Gateway appliances. Select one as the default
appliance.
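
A preflight check for the steps above, to run on each StoreFront server before enabling Remote Access. It is an added example, not part of the original article: the inventory field names, the gateway.corp.com URL and all addresses are constructed placeholders to replace with your own values. It confirms the per-appliance values are unique, that each callback name resolves (HOSTS file included) to the expected VIP, and that the certificate presented there is trusted and matches the callback name.

```powershell
# Constructed sample inventory: every name and address is a placeholder.
$Gateways = @(
    [pscustomobject]@{ Name = 'GW-Prod'; GatewayUrl = 'https://gateway.corp.com'
        GatewayVip = '192.0.2.10'; CallbackHost = 'callbackprod.corp.com'; CallbackVip = '192.0.2.10' }
    [pscustomobject]@{ Name = 'GW-DR'; GatewayUrl = 'https://gateway.corp.com'
        GatewayVip = '198.51.100.10'; CallbackHost = 'callbackdr.corp.com'; CallbackVip = '198.51.100.11' }
)

function Get-DuplicateValue {
    # Returns the values of $Property that occur on more than one gateway object.
    param([object[]]$Items, [string]$Property)
    $Items | Group-Object -Property $Property | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Name }
}

function Test-CallbackEndpoint {
    # Resolves the callback name as this server sees it, then completes a TLS 1.2
    # handshake with default validation (chain trust plus host name match).
    param($Gateway)
    $r = [pscustomobject]@{ Name = $Gateway.Name; Resolved = ''; ResolvesToExpected = $false
        TlsOk = $false; Detail = '' }
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Gateway.CallbackHost) |
            ForEach-Object { $_.IPAddressToString }
        $r.Resolved = $addrs -join ','
        $r.ResolvesToExpected = $addrs -contains $Gateway.CallbackVip
        $tcp = New-Object System.Net.Sockets.TcpClient($Gateway.CallbackVip, 443)
        try {
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            # Throws when the certificate is untrusted or does not cover the callback name.
            $ssl.AuthenticateAsClient($Gateway.CallbackHost, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $r.TlsOk = $true
            $r.Detail = $ssl.RemoteCertificate.Subject
        } finally { $tcp.Close() }
    } catch { $r.Detail = $_.Exception.Message }
    $r
}

foreach ($p in 'Name', 'GatewayVip', 'CallbackHost') {
    $dupes = Get-DuplicateValue -Items $Gateways -Property $p
    if ($dupes) { Write-Warning "$p must differ per appliance pair; duplicated: $($dupes -join ', ')" }
}
if (@($Gateways.GatewayUrl | Select-Object -Unique).Count -ne 1) {
    Write-Warning 'All gateway objects must use the same NetScaler Gateway URL.'
}
$Gateways | ForEach-Object { Test-CallbackEndpoint -Gateway $_ } | Format-Table -AutoSize
```

A row with ResolvesToExpected or TlsOk set to False points at the name resolution in step 8 or the certificate options in step 2, respectively.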
