
StoreFront 3.5 through 3.11 – Basic Configuration

This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.

• StoreFront Installation / Upgrade
o Initial Configuration
o Second StoreFront Server
o Customer Experience Improvement Program (CEIP)
• Store Name – Rename
• SSL Certificate
o Delivery Controllers – SSL
o Socket Pooling
• HOSTS File
• Base URL – Change
• Default Web Page
• Authentication Configuration
• Citrix Online
• Receiver for Web
o Unified Receiver Experience
o Customize Receiver Appearance
o Receiver for Web Pass-through Authentication

o Receiver for HTML5 2.4
o Deploy Citrix Receivers for Windows/Mac from StoreFront
o Receiver for Edge
o Receiver for Firefox 52
o Receiver for Web Timeout
o Default Tab
• Beacons
• Propagate Changes
• Export/Import StoreFront Configuration
• Auto-Favorite
• Logon Simulator


StoreFront Installation / Upgrade

The XenApp/XenDesktop 7.14 ISO comes with StoreFront 3.11. Or you can download it

You can install StoreFront at the same time as installing Delivery Controller. Or you can install StoreFront
3.11 on dedicated servers.

Citrix Blog Post StoreFront 3.0 Scalability recommends StoreFront servers to be sized with 4 vCPU and 8 GB

Note: You can install Web Interface and StoreFront on the same servers. Make sure Web Interface is
installed first.

1. If upgrading, do the following before beginning the upgrade:
   1. Export the StoreFront configuration so you can restore it if something goes wrong.
   2. Stop the World Wide Web Publishing Service.
   3. Stop all StoreFront services.
   4. Close all PowerShell and StoreFront consoles.
   5. If the Citrix SCOM Agent for StoreFront is installed, stop the Citrix MPSF Agent service. Citrix CTX220935 Cannot Perform a StoreFront Upgrade if Citrix SCOM Management Pack Agent Service is Running.
   6. See Patrick van den Born Avoid 1603 errors when upgrading Citrix StoreFront 2.x to Citrix StoreFront 3.5
2. Go to the downloaded Citrix StoreFront 3.11 and run CitrixStoreFront-x64.exe.
3. Or you can install from the 7.14 ISO by running AutoSelect.exe.

4. In the License Agreement page, check the box next to I accept the terms, and click Next.
5. In the Review prerequisites page, click Next.
6. In the Ready to install page, click Install.
7. In the Successfully installed StoreFront page, click Finish. If this is a new install, skip to the Initial Configuration.

After upgrading from StoreFront 2.6 or older, do the following to enable the Receiver X1 theme:

1. In the StoreFront Console, on the left click the Stores node.
2. Right-click the store and click Manage Receiver for Web Sites.
3. Click Configure.
4. On the Receiver Experience page select Disable classic experience. Once classic experience is disabled, you can now make changes on the Customize Appearance and Featured App Groups pages. Click OK and Close when done.
5. Go to Stores, right-click the Store, and click Configure Unified Experience.
6. Check the box next to Set the unified Receiver experience as the default for this store, and click OK.
7. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

If you are upgrading to StoreFront 3.9 or newer, do the following to add SAML Authentication as an option. If you did a fresh deployment of 3.9 or newer, then SAML is already added. This feature lets you perform SAML against StoreFront without needing NetScaler Gateway.

1. Right-click the Store, and click Manage Authentication Methods.
2. On the bottom, click the Advanced button, and click Install or uninstall authentication methods.
3. Check the box next to SAML Authentication, and click OK.
4. If you don’t want to configure SAML at this time, then uncheck the authentication method. See the Federated Authentication Service article for SAML details.

Initial Configuration

In StoreFront 3.8 and newer, you can create multiple stores in different IIS websites. This functionality is not exposed in the GUI and instead the entire StoreFront configuration must be performed using PowerShell. See Citrix Blog Post StoreFront 3.8 is Available NOW! for sample PowerShell commands to create the stores.

You can also use PowerShell to create a store and configure it as detailed at CTX206009 How to configure a Store via Powershell.

If this is a new deployment of StoreFront, do the following to perform the initial configuration:

1. In PowerShell, run Set-ExecutionPolicy RemoteSigned.
2. The management console should launch automatically. If not, launch Citrix StoreFront from the Start Menu.

3. In the middle, click Create a new deployment.
4. In the Base URL page, if you installed an SSL certificate on the StoreFront server, then the Hostname should already be filled in. For now, you can leave it set to the server name and then change it later once you set up SSL and load balancing. Click Next.
5. In the Getting Started page, click Next.
6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL path.
7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
8. In the Delivery Controllers page, click Add.
9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don’t put spaces or periods in the farm name)
10. Change the Type to XenDesktop.
11. Add the two XenDesktop Controllers. Change the Transport Type to HTTP. Click OK.
12. If you have multiple XenDesktop sites/farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don’t put spaces or periods in the farm name) Click Next when done.
13. In the Remote Access page, don’t check the box, and click Next. You can set this up later.
14. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway. Click Next. Note: if you want Domain pass-through for browser users, you also need to enable it for Receiver for Web as detailed later in this topic.
15. In the XenApp Services URL page, click Create.

16. In the Summary page, click Finish.

Second StoreFront Server

After the server group is created, NT SERVICE\CitrixConfigurationReplication and NT SERVICE\CitrixClusterService must remain in the Administrators group on both StoreFront servers or propagation will fail.

1. Install StoreFront on the second server.
2. Create/Import the SSL certificate, and bind it to the Default Web Site.
3. Log in to the first StoreFront server. In the StoreFront management console, right-click Server Group, and click Add Server.
4. Copy the Authorization code. Note: the Please wait message means it is waiting on you to add the 2nd server. You don’t actually have to wait.
5. Log in to the second StoreFront server and launch the management console. In the middle, click Join existing server group.
6. In the Join Server Group page, enter the name of the first StoreFront server and enter the Authorization code copied earlier. Click Join.
7. Then click OK.
8. Go back to the first server. Click OK.
9. Notice this message. It is good advice.
10. All changes made on one StoreFront server must be manually propagated to the other StoreFront server. You do that by right-clicking Server Group and clicking Propagate Changes.
11. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Customer Experience Improvement Program

StoreFront 3.9 and newer enable Customer Experience Improvement Program (CEIP) by default. To disable it, create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD) and set it to 0 (zero). Also see CEIP at Install, set up, upgrade, and uninstall at Citrix Docs. See http://www.carlstalhood. for additional places where CEIP is enabled.

Store Name – Rename

If you installed StoreFront on your Delivery Controller, it will have a default store named Store. If you don’t like the default Store Name (/Citrix/Store) then you will need to remove the store and re-add it.

Note: Some at Citrix Discussions (A protocol error occured while communicating with the Authentication Service) have reported authentication issues after following this procedure. It’s probably cleaner to uninstall StoreFront and reinstall it.

1. In the StoreFront console, on the left, click Stores.
2. Right-click the store, and click Remove Store.
3. Click Yes.
4. On the left, right-click Stores, and click Create Store.
5. In the Getting Started page, click Next.
6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL path.
7. Check the box next to Set this Receiver for Web site as IIS default and click Next.
8. In the Delivery Controllers page, click Add.
9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don’t put spaces or periods in the farm name)
10. Change the Type to XenDesktop.
11. Add the two XenDesktop Controllers.
12. Change the Transport Type to HTTP. Click OK.
13. If you have multiple XenDesktop farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don’t put spaces or periods in the farm name) Or later, you can add farms in Store > Manage Delivery Controllers. Click Next when done.
14. In the Remote Access page, don’t check the box and click Next. You can set this up later.
15. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway. Click Next.
16. In the XenApp Services URL page, click Create.

17. In the Created Successfully page, click Finish.

SSL Certificate

StoreFront requires SSL. You will save yourself much heartache if you install valid, trusted certificates. There are two options for StoreFront:

• SSL Offload: Use NetScaler to do SSL Offload and load balancing. In this scenario, install the SSL certificate on the load balancer. You can leave the StoreFront servers listening on HTTP and no IIS server certificate. The SSL certificate on the NetScaler must match the DNS name that resolves to the load balancing VIP.
• SSL End-to-end: Install an SSL certificate on each StoreFront server and bind to IIS. This allows you to use SSL protocol between the load balancer and the StoreFront servers.
o For load balancers that can terminate SSL (e.g. NetScaler), the StoreFront IIS server certificate should match the StoreFront server name. If StoreFront is installed on the Delivery Controllers, with server-specific certificates you can later enable HTTPS in the StoreFront Store Delivery Controller configuration.
o Another option is to create an SSL certificate with Subject Alternative Names for the load balanced DNS name and each of the StoreFront server FQDNs. Then import this one certificate on all StoreFront servers. Or a wildcard certificate could match all of these names.
o If your load balancer cannot terminate SSL, then the StoreFront IIS certificate must match the DNS name that resolves to the load balancing VIP.

In either case, be aware that Email-based discovery in Citrix Receiver requires the certificate to not only match the StoreFront load balanced DNS name but the certificate must also match discoverReceiver.email.suffix for every email domain. Usually the only option to match multiple email domains is with Subject Alternative Names. If you have multiple email suffixes then you will need multiple Subject Alternative Names, each beginning with discoverReceiver. If you don’t plan on implementing email-based discovery, then you don’t have to worry about these discoverReceiver Subject Alternative Names.

When adding Subject Alternative Names to a certificate, the first Subject Alternative Name should be the same as the Load Balancing FQDN. The remaining Subject Alternative Names should be discoverReceiver.email.suffix for every email domain.

If the certificate does not match discoverReceiver.email.suffix, then users will see this message when attempting to use email discovery in Citrix Receiver.

When you view a Subject Alternative Name certificate, on the Details tab, click Subject Alternative Name to verify that all names are listed, including the DNS name that resolves to the load balancing VIP.

There are several methods of creating a certificate for StoreFront.

• If you are implementing Single FQDN for internal and external users, then the certificate for external NetScaler Gateway can also be used for internal StoreFront. Note: Single FQDN has additional Subject Alternative Name certificate requirements including: Internal Beacon FQDN and Callback FQDN.
• If you will support non-domain-joined machines (e.g. iPads, thin clients) connecting to your internal StoreFront, then the StoreFront certificate should be signed by a public Certificate Authority. You can use IIS to request the certificate. You can then export the certificate from IIS and import it to NetScaler (for Load Balancing and NetScaler Gateway). Public Certificate Authorities (e.g. GoDaddy, Digicert, etc.) let you enter additional Subject Alternative Names when you purchase the certificate.
• If all internal machines are domain-joined, then you can use an internal Certificate Authority to create the StoreFront certificate. The Certificates MMC snap-in can be used to create an internal certificate signed by a Microsoft Certificate Authority. The MMC method allows you to specify Subject Alternative Names.
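The name-matching requirements above can be checked before a certificate is imported or bound. The following PowerShell is an added example, not part of the original article; the function names, host names and email suffixes are constructed for illustration, and the input is the list of Subject Alternative Names shown on the certificate's Details tab.

```powershell
# Added example: report which required names a StoreFront certificate does not cover.
# All host names and email suffixes below are constructed sample values.
# On a server, the SAN list of an installed certificate can be read with
#   (Get-Item Cert:\LocalMachine\My\<thumbprint>).DnsNameList.Unicode

function Test-CertNameMatch {
    param(
        [Parameter(Mandatory)][string]$SanEntry,   # one Subject Alternative Name from the certificate
        [Parameter(Mandatory)][string]$HostName    # a name clients will actually connect to
    )
    $san  = $SanEntry.Trim().TrimEnd('.').ToLowerInvariant()
    $name = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    if ($san -eq $name) { return $true }

    # A wildcard stands in for exactly one left-most label:
    # *.corp.example covers storefront.corp.example, but not
    # a.b.corp.example and not corp.example itself.
    if ($san.StartsWith('*.')) {
        $suffix = $san.Substring(1)                # ".corp.example"
        if ($name.EndsWith($suffix)) {
            $label = $name.Substring(0, $name.Length - $suffix.Length)
            return ($label.Length -gt 0 -and -not $label.Contains('.'))
        }
    }
    return $false
}

function Get-StoreFrontCertGap {
    param(
        [Parameter(Mandatory)][string[]]$SanEntries,      # SAN list from the certificate
        [Parameter(Mandatory)][string]$LoadBalancedFqdn,  # DNS name that resolves to the load balancing VIP
        [string[]]$ServerFqdns   = @(),                   # only for one certificate shared by all servers
        [string[]]$EmailSuffixes = @()                    # only for email-based discovery
    )
    # Required names: the load balanced name, any server names, and
    # discoverReceiver.<suffix> for every email suffix.
    $required = @($LoadBalancedFqdn) + @($ServerFqdns) +
                @($EmailSuffixes | ForEach-Object { "discoverReceiver.$_" })

    foreach ($name in $required) {
        $covered = $false
        foreach ($san in $SanEntries) {
            if (Test-CertNameMatch -SanEntry $san -HostName $name) { $covered = $true; break }
        }
        if (-not $covered) { $name }   # emit every name the certificate misses
    }
}

# Constructed certificate: load balanced name first, then one discoverReceiver entry.
$sans = 'storefront.corp.example', 'discoverReceiver.corp.example'

$missing = @(Get-StoreFrontCertGap -SanEntries $sans `
    -LoadBalancedFqdn 'storefront.corp.example' `
    -EmailSuffixes 'corp.example', 'example.org')

if ($missing.Count -eq 0) { 'Certificate covers all required names.' }
else { 'Missing from certificate: ' + ($missing -join ', ') }
```

A wildcard entry only helps for email suffixes that share its parent domain; a second email domain still needs its own discoverReceiver entry.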

Once the certificate is created or imported, you need to bind it to IIS:

1. In IIS Manager, right-click the Default Web Site, and click Edit Bindings.
2. Click Add.
3. Change the Type to https, and select the SSL certificate. Do NOT put anything in the Host name field. Click OK, and then click Close.

Delivery Controllers – SSL

Delivery Controllers can be SSL enabled by using one of two methods:

• If IIS is installed on the Delivery Controller, simply install/create a certificate, and bind it to the Default Web Site.
• If IIS is not installed on the Delivery Controller, then you need to run a command line program as described at CTX200415 How to Enable SSL on XenDesktop 7.x Controllers to Secure XML Traffic. Or use Matt Bodholdt’s script at XenDesktop 7 – Bind Cert to XML Service Without IIS Integration at CUGC.

Once SSL certificates are installed on the Delivery Controller servers, then you can configure the Store to use SSL when communicating with the Delivery Controllers.

1. In the StoreFront Console, on the left click Stores.
2. Right-click the store, and click Manage Delivery Controllers.
3. Highlight the deployment and click Edit.
4. The Servers list must contain FQDNs that match the certificates installed on those servers.
5. Change the Transport type to HTTPS.
6. Click OK twice.

Socket Pooling

Socket pooling is disabled by default in stores. When socket pooling is enabled, StoreFront maintains a pool of sockets, rather than creating a socket each time one is needed and returning it to the operating system when the connection is closed. Enabling socket pooling enhances performance, particularly for Secure Sockets Layer (SSL) connections. To enable socket pooling:

1. On the left, click the Stores node.
2. Right-click the store and click Configure Store Settings.
3. On the Advanced Settings page, check the box for Enable socket pooling. Click OK.

HOSTS File

Edit the HOSTS file (C:\Windows\System32\Drivers\Etc\HOSTS) on each StoreFront server with the following entries:

• StoreFront Load Balancing FQDN = Load Balancing VIP in the local datacenter.
• NetScaler Gateway Callback FQDN (e.g. callback.corp.) = NetScaler Gateway VIP in the local datacenter.

Base URL – Change

1. Configure load balancing of the StoreFront servers, including SSL certificate.
2. In the Citrix StoreFront console, right-click Server Group, and click Change Base URL.
3. Enter the StoreFront Load Balancing FQDN as the new Base URL in https://storefront.corp. format. Click OK. Note: Receiver requires that the Base URL is https. It won’t accept

Note: if you want the StoreFront Base URL to be the same as your Gateway FQDN, then see the Single FQDN instructions.

If the Base URL is https, but you don’t have certificates installed on your StoreFront servers (aka SSL Offload), then you’ll need to do the following:

1. On the left click the Stores node.
2. Right-click the store and click Manage Receiver for Web Sites.
3. Click Configure.
4. On the Advanced Settings page, change Enable loopback communication to OnUsingHttp. Click OK, and then click Close.

Default Web Page

After changing the Base URL, you’ll need to update the IIS Default Website.

1. On the left, right-click Stores, and click Set Default Website.
2. Check the box next to Set a Receiver for Web site as the default page in IIS, and click OK.
3. Click Yes to overwrite.
4. If you go to C:\inetpub\wwwroot and edit the file web.config, you’ll see the redirect.

Authentication Configuration

1. In the Citrix StoreFront console, on the left, click the Stores node.
2. Right-click the store, and click Manage Authentication Methods.
3. Check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway.
4. If you intend to enable pass-through authentication from Receiver Self-Service or from Receiver for Web, go to a XenDesktop Controller, and run the command Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True from a Windows PowerShell command prompt. Run asnp citrix.* first. In XenApp 6.5, this is a Citrix Policy > Computer > Trust XML Requests.
5. Click the top gear icon, and then click Configure Trusted Domains.
6. Select Trusted domains only, click Add, and enter the domain names in DNS format. The DNS suffix is needed if doing userPrincipalName authentication from NetScaler Gateway.
7. Select one of the domains as the default.
8. If desired, check the box next to Show domains list in logon page. Click OK. Also see CTX223551 Log on delay when user is not in the same domain as Storefront Server for RPC firewall rules.
9. Click the top gear icon, and then click Manage Password Options.
10. Make your selection, and click OK.
11. Be careful with password changes. Any time somebody changes their password through StoreFront, a profile will be created for that user on the StoreFront server. Use a tool like delprof2.exe to periodically delete these local profiles. Or see Citrix Blog Post Delete Local User Profile Folders on StoreFront Servers for a script to delete local profiles.
12. If you have XenApp/XenDesktop Platinum Edition and installed Self-Service Password Reset, you can integrate SSPR with StoreFront 3.7 or newer by clicking the top gear icon and clicking Configure Account Self-Service. This option is only available if your Base URL is https (encrypted). See the following for detailed implementation guides.
o Citrix CTX217143 Self-Service Password Reset Central Store Creation Tool
o Citrix CTX224244 How Do I Deploy Self-Service Password Reset For the First Time
o George Spiers Citrix Self-Service Password Reset
13. Change the selection to Citrix SSPR, and click Configure.
14. Check both boxes and enter the URL of the SSPR server using the displayed example (with /MPMService on the end).
15. Click OK three times.
16. With SSPR enabled, a new Tasks tab lets users enroll with SSPR.
17. The logon page also has an Account Self-Service link.
18. If StoreFront is not in the same domain (or trusted domain) as the users, then you can configure StoreFront to delegate authentication to the Delivery Controllers. See XML service-based authentication at Citrix Docs. Note: StoreFront 3.6 and newer can be workgroup members without joining a domain.

Citrix Online

StoreFront might be configured to add the Citrix Online icons. To remove them:

1. On the left click the Stores node.
2. Right-click the store, and click Configure Store Settings.
3. On the Citrix Online Integration page, uncheck all three boxes, and click OK.

Unified Receiver Experience

If you did a clean install of StoreFront 3.5 or newer, then the newer UI will already be enabled, but Unified Experience might not be. If you upgraded from a StoreFront 2.6 or older, then you can disable the Classic UI to enable the newer UI.

1. On the left click the Stores node.
2. Right-click the store, and click Manage Receiver for Web Sites.
3. Click Configure. On the Receiver Experience page, select Disable classic experience. Click OK, and click Close.
4. On the left, click Stores. Right-click the store, and click Configure Unified Experience.
5. Check the box next to Set the unified Receiver experience as the default for this store and click OK.

Customize Receiver Appearance

If the Unified Receiver appearance is enabled, you can go to Stores > Manage Receiver for Web Sites > Configure > Customize Appearance to change logos and colors. Additional customization can be performed using the SDK.

You can also Manage Featured App Groups. These Featured App Groups are displayed at the top of the Apps > All page.

By default, Featured App Groups are displayed with continual horizontal scrolling. This is OK if you have several Featured App Groups but doesn’t look right if you only have one Featured App Group. Michael Bednarek has posted some code at Citrix Discussions to disable the continuous horizontal scrolling.

Receiver for Web Pass-through Authentication

1. On the left click the Stores node. Right-click the store and click Manage Receiver for Web Sites.
2. Click Configure.
3. On the Authentication Methods page, if desired, check the box next to Domain pass-through. Click OK.
4. If the StoreFront URL is in the browser’s Local Intranet zone, then you’ll see a prompt to automatically Log On. This only appears once.

Receiver for HTML5 2.4

1. On the left click the Stores node.

2. Right-click the store and click Manage Receiver for Web Sites.
3. Click Configure.
4. On the Deploy Citrix Receiver page, change the drop-down to Use Receiver for HTML5 if local Receiver is unavailable.
5. By default, the HTML5 session opens in a new tab. You can optionally enable Launch applications in the same tab as Receiver for Web. See Configure Citrix Receiver for HTML5 use of browser tabs at docs.citrix.com for more information.
6. Click OK, and then click Close.
7. Download the latest Receiver for HTML5 (version 2.4) and install it on one of the StoreFront servers. It installs silently. When you propagate changes, the Receiver for HTML5 will be copied to the other server.
8. To see the installed version of HTML5 Receiver, click the Stores node on the left. In the middle pane, in the bottom half, switch to the Receiver for Web Sites tab.
9. Customer Experience Improvement Program (CEIP) is enabled by default. To disable it, edit the file “C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js”.
10. Search for the ceip section and change it to false.
11. Optionally, install Citrix PDF Printer on the VDAs. The PDF printer is in the Additional Components section of the HTML5 Receiver download page. This PDF printer is only used with Receiver for HTML5, and not with regular Receiver.
12. Note: as of Receiver for HTML 2.0, it’s no longer necessary to install App Switcher on the VDAs.
13. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.

From About Citrix Receiver for Chrome 2.0 at Citrix Docs: The new toolbar can be disabled or customized by editing the file C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js.

If HTML5 Receiver is enabled, Chrome and Edge users have the option of selecting either native or HTML5 by clicking “Change Citrix Receiver“. To enable this option in IE or Firefox, see Emin Huseynov Citrix StoreFront 3.0 and HTML5 client.

From Michael Bednarek at Citrix Discussions: There was a functionality change between StoreFront 3.0 and StoreFront 3.5 which affects the default client used for iPads. In SF 3.5, we default to using the native Receiver to launch apps on an iPad, as we expect this to be the majority use case. Unfortunately, on an iPad we are unable to actually tell whether you have the Receiver app installed or not, so we can’t do anything more intelligent out of the box. There are two ways around this. Firstly, any iPad user can change between using native Receiver and using the HTML5 Receiver by going to the dropdown menu after logging on, and choosing “Change Receiver”. This will give you the chance to choose the HTML5 Receiver (“Use light version”) and your choice will be remembered for the next time you log on. If this is no good, you can use a JavaScript customization to get back the old behaviour and make sure that iPad users default to HTML5. See the forum post Cannot access citrix apps from ipad using HTML5 receiver post upgrade to SF 3.5 for the Javascript code.

From About Citrix Receiver for Chrome 1.9 at Citrix Docs: To enable enhanced clipboard support, on every VDA set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format\Name="HTML Format". Create any missing registry keys. This applies to both virtual desktops and Remote Desktop Session Hosts.

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

• How to use the toolbar to transfer files
• Citrix Policy settings to enable/disable file transfer
• VDA registry settings to control file transfer
• HTML5Client\Configuration.js settings for client-side configuration
• How to view HTML5Client log file

Deploy Citrix Receivers

1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.

2. Click Configure.
3. On the Deploy Citrix Receiver page, check the box next to Allow users to download HDX engine (plug in).
4. Change both source drop-downs to Local files on the StoreFront server.
5. Click both Browse buttons and browse to the downloaded Receiver for Windows 4.8 and Receiver for Mac 12.6.
6. You can optionally enable Upgrade plug-in at logon.
7. Click OK when done, and Close when done.
8. When users connect to Receiver for Web, they will be prompted to install or upgrade. Note: this only applies to Receiver for Web. Receiver Self-Service will not receive this prompt.

Receiver for Edge

The Receiver for Web experience in Microsoft Edge is not ideal. Every time a user clicks an icon, the user has to click the Open button after the .ica file is downloaded.

Citrix Blog Post Providing Full Receiver for Web Experience for Microsoft Edge has instructions for enabling the Receiver Launcher for Edge. Use your preferred text editor to open web.config for the RfWeb site you would like to configure (typically C:\inetpub\wwwroot\Citrix\StoreWeb\web.config). Locate the line like this:

    <protocolHandler enabled="true" platforms="(Macintosh|Windows NT).*((Firefox/((5[3-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))(?!.*Edge)"

Remove (?!.*Edge) and save the file.

But once you do that, you get a new switch apps prompt every time you launch an icon from Edge. To stop the switch apps pop-up, on the client side, edit the registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\receiver (create missing registry keys), create DWORD value WarnOnOpen, and set it to 0 (zero).

Receiver for Firefox 52

Firefox 52 disabled NPAPI plug-in, which means Firefox 52 can no longer detect the locally installed Citrix Receiver, and users will be prompted to install it. StoreFront 3.8 and newer already fixes this for Firefox 53, but not for Firefox 52.

To fix this in StoreFront 3.8 and newer, go to C:\Inetpub\wwwroot\Citrix\StoreWeb, and edit the web.config file with an elevated text editor. Search for protocolHandler. In the Firefox section, change 5[3 to 5[2. This causes the Protocol Handler to work in Firefox 52 and newer.
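To see what the two protocolHandler edits above change, the pattern can be evaluated against sample User-Agent strings before web.config is touched. This PowerShell is an added example, not from the original article; it assumes the platforms value is applied as a regular expression to the browser's User-Agent string, and the User-Agent strings are constructed samples.

```powershell
# Added example: evaluate the protocolHandler "platforms" pattern against
# sample User-Agent strings, before and after each edit described above.

# Pattern as quoted from the protocolHandler line in web.config.
$shipped = '(Macintosh|Windows NT).*((Firefox/((5[3-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))(?!.*Edge)'

# Edit 1 (Receiver for Edge): remove the negative lookahead that excludes Edge.
$edgeEdit = $shipped.Replace('(?!.*Edge)', '')

# Edit 2 (Receiver for Firefox 52): change 5[3 to 5[2 in the Firefox section.
$firefoxEdit = $shipped.Replace('Firefox/((5[3', 'Firefox/((5[2')

# Guard against a silent no-op if the shipped line differs from the one quoted above.
if ($edgeEdit -eq $shipped -or $firefoxEdit -eq $shipped) {
    throw 'Expected text not found in the pattern; compare it with your web.config.'
}

# Constructed User-Agent samples.
$agents = [ordered]@{
    'Firefox 52' = 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0'
    'Firefox 53' = 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0'
    'Chrome 58'  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36'
    'Edge 15'    = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063'
    'IE 11'      = 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'
}

# One row per browser, one column per pattern variant.
$agents.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Browser     = $_.Key
        Shipped     = [regex]::IsMatch($_.Value, $shipped)
        EdgeEdit    = [regex]::IsMatch($_.Value, $edgeEdit)
        FirefoxEdit = [regex]::IsMatch($_.Value, $firefoxEdit)
    }
} | Format-Table -AutoSize
```

The Edge sample carries a Chrome/ token, which is why the shipped pattern needs the lookahead to keep Edge out and why removing it is enough to include Edge.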

Right-click the store. just like Chrome. .Now when users connect. Receiver for Web Timeout 1. and click Manage Receiver for Web Sites. On the left click the Stores node. they are prompted to Detect Receiver.

On the Session Settings page. set the Session timeout as desired. you will need to change the Global Session Timeout located at NetScaler Gateway => Global Settings => Change Global Settings => Client Experience => Session Time-out (mins).2. If you are using a NetScaler. and click OK. there is a screenshot below for you to reference: . 4. 3. I changed mine to 720. Click Configure.

.config.config. 6.5. you have to also increase the maxLifetime appropriately in c:\inetpub\wwwroot\Citrix\Authentication\Web. you should also edit tokenLifeTime in c:\inetpub\wwwroot\Citrix\StoreWeb\web. If your desired timeout value is greater than 8 hours. From CTX215701 Storefront page session time-out: If you increase the session timeout for RfWeb to be more than 1 hour.

Default Tab

1. By default, when a user logs in to StoreFront, the Favorites tab is selected. Users can go to other
tabs to add icons to the list of Favorites.

2. You can completely remove the Favorites tab by going to Stores > Configure Store Settings > User
Subscriptions, and choose Disable User Subscriptions (Mandatory Store).

3. You can change the default tab and tab visibility by going to the Stores > Manage Receiver for Web Sites > Configure > Client Interface Settings page.

4. If you change the default tab to Applications, then you might also want to default to the Categories view instead of the All view. When publishing applications in Studio, specify a Category so the applications are organized into folders.

5. You can do this by adding the following code to C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js. More details at Storefront 3.0 – change default view at Citrix Discussions. This works in Receiver too.

    CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
        CTXS.ExtensionAPI.navigateToFolder('/');
    };

    CTXS.Extensions.onViewChange = function (viewName) {
        if (viewName == 'store') {
            window.setTimeout(function () {
                CTXS.ExtensionAPI.navigateToFolder('\\');
            }, 0);
        }
    };

6. Then when you login to StoreFront you’ll see Apps > Categories as the default view.

Beacons

1. On the left, right-click Stores, and click Manage Beacons.
2. Configure an Internal Beacon. Receiver Self-Service tries to connect to the Internal Beacon to determine if Receiver is currently internal or not. If the Internal Beacon is reachable then Receiver Self-Service assumes it is internal, and thus connects to the StoreFront Base URL. If the Internal Beacon is not reachable, then Receiver Self-Service assumes it is external and thus connects to NetScaler Gateway. For this to work properly, the Internal Beacon must not be resolvable externally. If you are not doing Single FQDN, then the Internal Beacon can be the StoreFront FQDN since the StoreFront FQDN is usually only available internally.

If you are doing Single FQDN, then you can’t use the StoreFront FQDN. Instead, you must use a different internal website for the beacon. If you need to support internal iPads, due to differences in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the StoreFront Load Balancing VIP thus requiring the StoreFront certificate to match both the Internal Beacon and the Base URL. If internal iPads are not needed, then the Internal Beacon can be any internal website.

If you want to force internal Receiver Self-Service users to connect through NetScaler Gateway (for AppFlow reporting), you can set the Internal Beacon to a fake URL. Since the Internal Beacon is never resolvable, Receiver Self-Service always uses NetScaler Gateway. Or you can use Optimal Gateway to achieve the same goal.

3. The External beacons are used by Receiver Self-Service to determine if the Receiver Self-Service has Internet access or not. You can use any reliable Internet DNS name. Click OK when done.

Propagate Changes

Any time you make a change on one StoreFront server, you must propagate the changes to the other StoreFront server.

1. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
2. You might see a message saying that you made changes on the wrong server.
3. Click Yes when asked to propagate changes.
4. Click OK when done.
5. When you propagate changes, the default web page is not replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Export/Import StoreFront Configuration

Use the following PowerShell cmdlets to export StoreFront Configuration into a .zip file (encryption optional) and import to a different StoreFront server group:

• Export-STFConfiguration
• Import-STFConfiguration

See Export and import the StoreFront configuration at Citrix Docs for details.

Auto-Favorite

To force a published application to be favorited (subscribed), use one of the following keywords in the published application description:

• KEYWORDS: Auto = the application is automatically subscribed. But users can remove the favorite.
• KEYWORDS: Mandatory = the application is automatically subscribed and users cannot remove the favorite.

With Mandatory applications there is no option to remove the application from Favorites.

Logon Simulator

ControlUp has a free Logon Simulator for StoreFront and NetScaler Gateway. You can run it on any machine to periodically test app launches from StoreFront. The tool creates entries in the Application Log in Event Viewer. The events can be consumed by your monitoring tool.

StoreFront 3.5 through 3.11 – Tweaks

Last Modified: May 28, 2017 @ 10:50 am

This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.

Here is a collection of optional StoreFront configurations.

• Disable CRL Checking to speed up .NET
• StoreFront can control Receiver Shortcut placement
• PNAgent – Authentication and Default Store
• Hide Applications/Desktops from the Store
• Desktop Autolaunch
• Force desktops to launch full screen
• Autolaunch Applications
• Store for Anonymous users
• Workspace Control
• Treat Desktops as Applications
• Enable Special Folder Redirection
• Disable “Remember My Password” in Receiver Self-Service
• Remove “Activate” Option from Receiver for Web
• Disable HTML5 Receiver Getting Started Tour
• Log Off RfWebUI seconds after an Icon Launch
• Customize Appearance of Receiver in StoreFront 3.0 and newer
• StoreFront SDKs
• StoreFront 3.x Portal Theme for NetScaler
• StoreFront 3.x Theme for NetScaler 10.5

CRL Checking – Disable

When the StoreFront server checks certificate revocation for its locally signed files, a delay can occur before the StoreFront logon page is displayed.

1. Run the following PowerShell commands:

Add-PSSnapin Citrix.DeliveryServices.Framework.Commands
Set-DSAssemblyVerification $false

2. Another potential tweak to speed up StoreFront is to disable NetBIOS.
3. Right-click the Start Menu and click Network Connections.
4. Right-click the NIC and click Properties.
5. Highlight Internet Protocol Version 4 and click Properties.
6. Click Advanced.

7. On the WINS tab, change the selection to Disable NetBIOS over TCP/IP and click OK twice and
Close once.

8. Repeat on the other StoreFront servers.

Note: According to Microsoft, it is no longer necessary to configure generatePublisherEvidence
in C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.config.

Receiver Shortcuts

You can use StoreFront to control placement of shortcuts on Receiver machines.

1. Run Notepad elevated (as administrator).
2. Edit the file C:\inetpub\wwwroot\Citrix\Roaming\web.config.

3. Search for <account id. Find the Store name in the name attribute.

4. Scroll down to the first <properties> section located under <annotatedServices>.
5. See Using StoreFront account settings to customize app shortcut locations for a list of
properties, and add the properties as detailed there. The properties should be added
after the clear tag.

6. Note: if subscriptions are enabled in StoreFront then only Favorites are added to the Start Menu
and Desktop. If subscriptions are disabled then all applications are placed on the Start Menu or

7. Close and save the file.

8. Then Propagate Changes.

PNAgent Authentication and Default Store

Default Store

If you point your browser to, which is the typical
path for PNAgent, you’ll get a 404.

To fix this, in the StoreFront console, right-click the store, and click Configure XenApp Services Support.

In the bottom of the window, select the Default store, and click OK. Now PNAgent can point to StoreFront without needing to specify a custom path. Note: this only works for /Citrix/PNAgent/config.xml.

Single Sign-on

From Configure authentication for XenApp Services URLs at Citrix Docs: XenApp Services URLs support explicit, domain pass-through, and pass-through with smart card authentication. Explicit authentication is enabled by default. You can change the authentication method, but only one authentication method can be configured for each XenApp Services URL. To enable multiple authentication methods, create separate stores, each with a XenApp Services URL, for each authentication method. To change the authentication method for a XenApp Services URL, you run a Windows PowerShell script.

1. On the primary StoreFront server in your deployment, use an account with local administrator permissions to start Windows PowerShell.
2. At a command prompt, type the following command to configure the user authentication method for users accessing the store through the XenApp Services URL.

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\EnablePnaForStore.ps1" -SiteId 1 -ResourcesVirtualPath /Citrix/Store -LogonMethod sson

3. Propagate changes.

Remember my password

If you leave PNAgent authentication set to Prompt, you can enable the Remember my password box by doing the following:

1. Run Notepad as Administrator and edit the file C:\inetpub\wwwroot\Citrix\Store\Views\PnaConfig\Config.aspx.
2. Near line 74 is EnableSavePassword. Change it to true.
3. When PNAgent connects, there should now be a Remember my password checkbox.

Hide Applications

You can hide all icons of a particular type (Applications, Desktops, Documents). Or you can hide icons with a specific keyword.

Go to Stores > MyStore > Configure Store Settings > Advanced Settings and look for the Filter options.

Filter resources by type lets you hide all Applications or all Desktops. If you are running Receiver inside a published desktop, then you probably don’t want desktop icons to be delivered by Receiver. In that case, create a new Store and filter the Desktop icons. Then only the application icons will be delivered.

Filter resources by excluded keywords lets you filter published icons that match a custom keyword. Once the ExcludeKeyword has been defined, add the keyword to a published application or published desktop description and that application/desktop will no longer display in Receiver. This works for both Receiver for Web and Receiver Self-Service (non-browser).

In XenDesktop 7.9 and newer, to assign a description to a Desktop, you edit the Delivery Group, go to the
Desktops page, and edit one of the Desktops. Citrix CTX220429 Configure Resource Filtering to Allow
Desktops to be filtered on Storefront.

Desktop Autolaunch

By default, if only a single desktop is published to the user, Receiver for Web will auto-launch it. You can
change this behavior by going to Stores > MyStore > Manage Receiver for Web Sites > Configure > Client
Interface Settings and uncheck the box next to Auto launch desktop.

Full Screen Desktop

Citrix CTX139762 How to Configure StoreFront to Start Published Desktops in Full Screen Mode: This article
describes how to configure StoreFront to start published desktops in Full Screen Mode.

1. Open the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica on the StoreFront server(s)
with notepad (as Administrator)
2. Add the line:
3. [Application]

4. In older versions of StoreFront, it should be true instead of On.
5. Save the file.
6. Open the command prompt (cmd) and run iisreset.

Autolaunch Application

See the script.js code posted by Michael Bednarek at

Store for Anonymous

If you intend to publish applications to anonymous users then you can create a StoreFront store that does
not require authentication. Note: anonymous stores only work internally (no NetScaler Gateway).

1. On the VDAs, create and configure anonymous accounts.
2. In Citrix Studio, configure a Delivery Group to accept unauthenticated (anonymous) users.

3. In the StoreFront Console, right-click Stores and click Create Store.

4. In the Store Name and Access page, enter a new store name.
5. Check the box next to Allow only unauthenticated users to access this store.
6. Then click Next and finish the wizard like normal.

7. Anonymous stores are hidden by default. When performing discovery in Receiver you’ll need to
enter the full path to the store (e.g.

Workspace Control

Workspace Control reconnects user sessions. It can be disabled. Or configure various reconnection options.

Receiver for Web

Go to Stores > MyStore > Manage Receiver for Web Sites > Configure > Workspace Control page.

Receiver Self-Service

In StoreFront Console, go to Stores > MyStore > Configure Store Settings > Advanced Settings and there’s a setting for Allow session reconnect.

Citrix Blog Post – How to Disable Workspace Control Reconnect: For Receiver for Windows, workspace control can be managed on client devices by modifying the registry. This can also be done for domain-joined client devices using Group Policy. Please see this Knowledgebase Article for how to implement it.

Citrix Blog Post Workspace Control: When You DON’T Want to Roam details complete session reconnection configuration instructions for XenApp, Remote Desktop Services, StoreFront, and Receiver.

Treat Desktops as Applications

From Treating All Desktops as Applications at Citrix Blog Post What’s New in StoreFront 3.0: Desktops are treated differently from applications in StoreFront/Receivers. They are placed in a separate Desktop tab and in the case of Receiver for Web, they are not reconnected with workspace control. In some use cases, it is desirable to treat desktops as applications so that they are placed together with applications and get reconnected as part of workspace control. With StoreFront 2.x, you have to add the TreatAsApp keyword to all published desktops to achieve this effect. StoreFront 3.0 enables you to configure treating all desktops as applications at the store level without the need of adding the TreatAsApp keyword to all the published desktops. This is configurable using a PowerShell cmdlet.

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
Set-EnhancedEnumerationOptions -siteId 1 -storeVirtualPath /Citrix/Store `
-treatDesktopsAsApps $true

Also see Citrix CTX223817 How to Configure “TreatAsApp” in XenDesktop 7.x.

Special Folder Redirection

From Configure special folder redirection at docs.citrix.com: With Special Folder Redirection configured, users can map Windows special folders for the server to those on their local computers. Special folders refer to standard Windows folders, such as \Documents and \

In StoreFront Console, go to Stores > Configure Store Settings > Advanced Settings and there’s an option for Allow special folder redirection.

Receiver Self-service – Disable “Remember My Password”

By default, when Receiver Self-Service connects internally to StoreFront, the user is able to check the box next to Remember my password. This can be disabled by making a change on the StoreFront server. Note: When connecting through NetScaler Gateway, this checkbox is never available.

Note that this procedure seems to prevent Receiver for iOS from adding accounts.

This procedure is documented by John Ashman at Citrix Discussions and Prevent Citrix Receiver for Windows from caching passwords and usernames at docs.citrix.com.

1. On the StoreFront server, run a text editor elevated (as administrator).
2. Open the file C:\inetpub\wwwroot\Citrix\StoreAuth\App_Data\Templates\UsernamePassword.tfrm.
3. Go to line 20, which should start with @SaveCredential.
4. To comment out the line, wrap it in @* and *@.
5. Save the file when done.
6. Now the Remember My Password checkbox is gone.

“Activate” Option in Web Page – Disable

From Citrix Discussions: to disable the “activate…” function for Citrix receiver for windows that is visible when a user clicks their username in the upper right hand corner of Receiver for Web, in StoreFront Console, go to Stores > MyStore > Manage Receiver for Web Sites > Configure > Client Interface Settings page. There’s a checkbox for Enable Receiver configuration.

HTML5 Receiver Getting Started Tour

The first time a user connects to HTML5 Receiver, the user is prompted to tour the interface. The Getting Started Tour can be disabled by doing the following:

1. Edit the file C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js.
2. At the bottom of the file, add Feng Huang’s code from First time user tutorial at discussions.citrix.com. Make sure the quotes are straight quotes and not curly quotes.

localStorage["showFtu"] = false;

Logoff RfWeb Seconds after Icon Launch

From Citrix Blog Post Logging Off Receiver for Web after an Application/Desktop Launch: Simply add the following code snippet to script.js in the custom folder for the Receiver for Web site (typically C:\inetpub\wwwroot\Citrix\StoreWeb\custom\) you would like to customize:

var delayLogoffInSeconds = 10;

// After a successful launch from a browser, log the web session off once the delay has passed.
CTXS.Extensions.postLaunch = function(app, status) {
    if (! CTXS.Device.isNativeClient()) {
        if (status == CTXS.LAUNCH_SUCCESS) {
            function logoff() {
                CTXS.Environment.logOff();
            }
            window.setTimeout(logoff, delayLogoffInSeconds * 1000);
        }
    }
};

// Take no action on the ICA sessions when the web session logs off.
CTXS.Extensions.beforeWebLogoffIca = function(action) {
    return 'none';
};

Customize Receiver UI in StoreFront 3.x

StoreFront 3.x customizations are visible in both Receiver for Web and in Receiver Self-Service.

If you are load balancing StoreFront and want to put the server name on the webpage, see Nicolas Ignoto Display server name with Citrix StoreFront 3.

Nicolas Ignoto Lab: Part 22 – Ultimate StoreFront 3 customization guide contains many StoreFront customizations including:

• Add disclaimer
• Change logo/background
• Add header
• Add text
• Change colors
• Etc.

Citrix Blog Post Citrix Customization Cookbook contains a collection of customizations including:

• Add Static or dynamic (read from file) text to the header and/or footer of the login page.
• Click-through disclaimer before or after login page
• Footer for every page
• Default to Folder view when visiting the Apps tab
• Change default text
• Change background images for featured categories
• Background image

Citrix Blog Post Storefront 3 Web Customization: Branding Your Deployment describes how to modify the following CSS to customize the appearance of StoreFront 3.x

• Background images
• Logon button
• Colors for page and text
• How to view the mobile version of the page
• CSS for mobile pages

Jason Samuel Upgrading Citrix StoreFront 2.6 to StoreFront 3.0 – Things to Know details how to change the StoreFront logo to a Receiver logo.

Citrix Blog Post StoreFront Message Customization describes how to add a scrolling message to the top of the screen. This is displayed in both Browsers and Receivers.

Migrate Web Interface features to StoreFront at Docs.citrix.com details how to configure Web Interface features in StoreFront. This includes:

• Enable return to last folder
• Header logo
• Pre-logon welcome message
• Logon screen customization
• Footer text

StoreFront 3.0 Receiver Customization APIs are detailed at Citrix Developer. Use the Receiver Customization API to brand or customize your end users’ app and desktop selection experience beyond capabilities provided in the StoreFront admin console. Customizations apply to latest Web, Chrome, Mac and Linux clients, and will be extended to mobile devices in future releases.

• An example use case for the StoreFront 3.0 APIs is Citrix Blog Post Citrix Recipe Box: StoreFront Approvals. This code enables StoreFront to require workflow approval when a user subscribes to an app. This post contains a new version of the executable that supports StoreFront 3.0 and newer.
• Trentent Tye at Citrix Storefront – Adventures in customization – Dynamically configure workspace control based on group membership used the API to dynamically enable/disable Workspace Control based on AD group membership. It uses a PowerShell-based HTTP server to process the group lookup.
o See Citrix Storefront – Adventures in customization – Dynamically configure features based on group membership to change authentication based on group membership

Citrix Blog Post Receiver X1 APIs describes the following:

• Overview of the CSS classes that can be customized.
• Override Citrix’s JavaScript functions to modify behavior – exclude or restyle apps, change a sort order, add a warning message etc.
• How to force X1 UI to display in either phone or larger mode.

CTX221097 How to rename items on StoreFront? describes the strings that can be changed.

1. Go to C:\inetpub\wwwroot\Citrix\<StoreName>Web\custom
2. Open strings.en.js file
3. See below for an example of overriding one of the built-in strings. See the article for the full list of strings.

Citrix Blog Post X1 Customization: Going deeper with CSS describes the following:

• Marker classes for showing/hiding or highlighting parts of the UI: large display, small display, high DPI, Favorites view, Desktops view, Apps view, appinfo view.
• Use CSS (/custom/style.css) to style the three custom regions (#customTop, #customBottom, #customScrollTop). Shown below in red, blue, and pink.

Citrix Blog Post Scripting X1 describes the following:

• Use JQuery to add HTML code to custom regions (e.g. #customScrollTop) including using CSS to hide the HTML code unless a specific tab is selected by the user.
• JavaScript code to display an Acceptance dialog box before users can login.

Citrix Blog Post – Rewriting the Session ClientName from StoreFront: I would like to offer the following customisation DLL which can apply client name rewrites based on a template. The customisation template can be any string, but where that string contains a particular token, the token will be replaced by some information from the User Context. If the intent was just to replace the ClientName with the user name, the template is then just “$U”. More details and the .dll file are in the blog post.

• See CTP Jason Samuel How to rewrite the Client Name in Citrix StoreFront 3.9 using StoreFront SDK for detailed info on how to implement this customization in StoreFront 3.8, and how to handle upgrades.

StoreFront Store Customization SDK at Citrix Developer: The Store Customization SDK allows you to apply custom logic to the process of displaying resources to users and to adjust launch parameters. For example, you can use the SDK to control which apps and desktops are displayed to users, to change ICA virtual channel parameters, or to modify access conditions through XenApp and XenDesktop policy selection. Key Customization Points:

• Post-Enumeration
• Post-Launch ICA File
• Post-Session Enumeration
• Access Conditions (pre-launch and pre-enumeration)
• Provider List
• Device information

Citrix Blog Post Adding a Language to StoreFront 3.0: A new language pack is comprised of a culture definition file, a string bundle file and a custom string bundle file. See the Blog Post for more details.

To force StoreFront to only use English, add the following to c:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js as detailed at Set default language to EN at Citrix Discussions:

CTXS.Environment.getPreferredLanguages = function () { return null; }

To change the StoreFront page title, see Sam Jacobs How to Change the Page Title in Citrix Receiver 3.x at mycugc.

Customizations detailed at topic Modify Receiver for Web site at Citrix Discussions:

• Add Featured App Groups to Categories View
• Increase the number of Featured applications beyond the default of 3.

StoreFront SDKs

Most of the StoreFront SDK documentation can be found at https://citrix.github.

• StoreFront Store Customization SDK – Use the Store Customization SDK to apply custom logic to the process of displaying resources to users and to adjust launch parameters. For example, you can use the SDK to control which apps and desktops are displayed to users, to change ICA virtual channel parameters, or to modify access conditions through XenApp and XenDesktop policy selection.
• StoreFront Web API – Receiver for Web is a component of Citrix StoreFront that provides access to applications and desktops using a Web browser. It consists of a User Interface tier and a StoreFront Services Web Proxy tier.
• StoreFront Authentication SDKs – With StoreFront 3.0, we have introduced a new Unified UI that is delivered from StoreFront to Receiver on all client platforms. Use the Receiver Customization API to brand or customize your end users’ app and desktop selection experience beyond capabilities provided in the StoreFront admin console. Customizations apply to latest Web, Chrome, Windows, Mac and Linux clients, and will be extended to mobile devices in future releases.
• StoreFront PowerShell SDK – Citrix StoreFront provides an SDK based on a number of Microsoft Windows PowerShell version 3.0 modules. With this SDK, you can perform the same tasks as you would with the StoreFront MMC console, together with tasks you cannot do with the console alone.

StoreFront 3.x Portal Theme for NetScaler 11

See NetScaler Gateway 11 > Portal Themes. Build 62 and newer have a built-in X1 theme.

StoreFront 3.x Theme for NetScaler 10.5

You can make the NetScaler Gateway 10.5 logon page look like the Receiver for Web in StoreFront 3.0. Visit Citrix Blog Post X1 Skin for NetScaler Gateway to download an already developed theme package. Or see one of the following for instructions to manually edit the NetScaler Gateway theme to match StoreFront 3.x

• Daniel Ruiz NetScaler Gateway front page à la StoreFront 3.0
• Ivan Cacic NetScaler Gateway Customisation – Receiver X1/StoreFront 2.7

To install the theme package:

1. Download the X1 theme from the Citrix Blog post.
2. WinSCP to the NetScaler and switch to /var/netscaler/gui/themes. On the right, rename the existing receivertheme.tar.gz file.
3. Upload the theme that was downloaded from the Citrix Blog post.
4. In NetScaler GUI, go to NetScaler Gateway > Global Settings > Change Global Settings.
5. Switch to the Client Experience tab.
6. At the bottom, if the current UI Theme is Green Bubble, change it to Default. Click OK. Then go back into the screen and change it back to Green Bubble. This causes the theme to reload.
7. The logon page should now look more like Receiver for Web in StoreFront 3.0.
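For the Receiver Self-Service “Remember My Password” procedure earlier in this article: “go to line 20” depends on the template version, so the following added Python example (not from the original article) locates the line by its @SaveCredential prefix, wraps it in @* and *@, and can be re-run safely on every StoreFront server. SAMPLE_TEMPLATE is a constructed stand-in for UsernamePassword.tfrm, and the function names are my own.

```python
from pathlib import Path

# Constructed stand-in for UsernamePassword.tfrm; the shipped template's other lines differ.
SAMPLE_TEMPLATE = "\r\n".join([
    '@* constructed sample, not the shipped template *@',
    '@Heading("Please log on")',
    '@Password(id: "password")',
    '    @SaveCredential(id: "saveCredentials", labelKey: "SaveCredentialLabel")',
    '@Button(id: "loginBtn")',
    '',
])


def _is_active(line):
    """An uncommented line starts with @SaveCredential; a commented one starts with @*."""
    return line.strip().startswith("@SaveCredential")


def save_credential_active(template_text):
    """True while any uncommented @SaveCredential line remains (checkbox still offered)."""
    return any(_is_active(line) for line in template_text.splitlines())


def disable_save_credential(template_text):
    """Wrap each active @SaveCredential line in @* ... *@.

    Returns (new_text, changed_line_numbers). Line endings and indentation are kept,
    and lines that are already commented out are left untouched.
    """
    out, changed = [], []
    for number, line in enumerate(template_text.splitlines(keepends=True), start=1):
        body = line.rstrip("\r\n")
        if not _is_active(body):
            out.append(line)
            continue
        if body.count("(") != body.count(")"):
            # Wrapping only the first line of a multi-line call would break the template.
            raise ValueError(f"line {number}: @SaveCredential spans several lines; edit by hand")
        indent = body[: len(body) - len(body.lstrip())]
        out.append(f"{indent}@* {body.strip()} *@{line[len(body):]}")
        changed.append(number)
    return "".join(out), changed


def harden_file(path):
    """Apply the edit in place and keep a .bak copy; returns the changed line numbers."""
    raw = Path(path).read_bytes()
    # latin-1 maps every byte to one character, so the file's bytes round-trip unchanged.
    new_text, changed = disable_save_credential(raw.decode("latin-1"))
    if changed:
        Path(str(path) + ".bak").write_bytes(raw)
        Path(path).write_bytes(new_text.encode("latin-1"))
    return changed
```

Run harden_file elevated against the template path given in the procedure; save_credential_active on the file's text afterwards confirms on each server that the checkbox line is commented out.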

StoreFront Load Balancing – NetScaler 11.1

Last Modified: Oct 18, 2016 @ 12:43 pm

• Monitor to verify that StoreFront is UP
• Server Objects
• Service Group
• Virtual Server
• SSL Redirect
• StoreFront Base URL
• Subscriptions/Favorites Replication Load Balancing

Monitor

Note: This is a Perl monitor, which uses the NSIP as the source IP. You can use RNAT to override this as described in CTX217712 How to Force scriptable monitor to use SNIP in Netscaler in 10.5.

1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
2. On the right, click Add.
3. Name it StoreFront or similar.
4. Change the Type drop-down to STOREFRONT.
5. If you will use SSL to communicate with the StoreFront servers, then scroll down, and check the box next to Secure.
6. Scroll up, and switch to the Special Parameters tab.
7. In the Store Name field, enter the name of your store (e.g. MyStore) without
8. Click Create.

add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store

Servers

1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
2. On the right, click Add.
3. Enter a descriptive server name, usually it matches the actual server name.
4. Enter the IP address of the server.
5. Enter comments to describe the server.
6. Click Create.
7. Continue adding StoreFront servers.

add server SF01 10.2.2.57
add server SF02 10.2.2.58

Service Group

1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
2. On the right, click Add.
3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SSL).
4. Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure that the StoreFront Monitor has Secure checked.
5. Scroll down and click OK.
6. Click where it says No Service Group Member.
7. If you did not create server objects then enter the IP address of a StoreFront Server. If you previously created a server object then change the selection to Server Based and select the server objects.
8. Enter 80 or 443 as the port. Then click Create.
9. Click OK.
10. On the right, under Advanced Settings, click Monitors.
11. Click where it says No Service Group to Monitor Binding.
12. Click the arrow next to Click to select.
13. Select your StoreFront monitor and click Select.
14. Then click Bind.
15. To verify that the monitor is working, on the left, in the Service Group Members section, click the Service Group Members line.
16. Click the ellipsis next to a member and click Monitor Details.
17. The Last Response should be Success – Probe succeeded. Click Close twice.
18. On the right, under Advanced Settings, click Settings.

19. On the left, in the Settings section, check the box for Client IP and enter X-Forwarded-For as the Header. Then click OK.
20. Then click Done.

add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For
bind serviceGroup svcgrp-StoreFront-SSL SF01 443
bind serviceGroup svcgrp-StoreFront-SSL SF02 443
bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront

21. If the Service Group is http and you don’t have certificates installed on your StoreFront servers (aka SSL Offload) then you’ll need to enable loopback in StoreFront. In StoreFront 3.5 and newer, you enable it in the GUI console. In StoreFront 3.0, run the following commands on the StoreFront 3.0 servers as detailed at Citrix Blog Post What’s New in StoreFront 3.0.

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp

Load Balancing Virtual Server

1. Create or install a certificate that will be used by the SSL Offload Virtual Server. This certificate must match the DNS name for the load balanced StoreFront servers. For email discovery in Citrix Receiver, the certificate must either be a wildcard (*.corp.local) or have a subject alternative name for discoverReceiver.domain.com (domain.com = email address suffix)
2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
3. On the right click Add.
4. Name it lbvip-StoreFront-SSL or similar.
5. Change the Protocol to SSL.
6. Specify a new internal VIP.
7. Enter 443 as the Port.
8. Click OK.

add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType SOURCEIP -timeout 60

9. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
10. Click the arrow next to Click to select.
11. Select your StoreFront Service Group and click Select.
12. Click Bind.
13. Click Continue.

bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL

14. Click where it says No Server Certificate.
15. Click the arrow next to Click to select.
16. Select the certificate for this StoreFront Load Balancing Virtual Server and click Select.
17. Click Bind.

bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildCorpCom

18. Click Continue.
19. On the right, in the Advanced Settings column, click Persistence.
20. On the left, in the Persistence section, select SOURCEIP. Do NOT use COOKIEINSERT persistence or Android devices will not function correctly.
21. Set the timeout to match the timeout of Receiver for Web.
22. The IPv4 Netmask should default to 32 bits.
23. Click OK.
24. If the NetScaler communicates with the StoreFront servers using HTTP (aka SSL Offload – 443 on client-side, 80 on server-side), and if you have enabled the Default SSL Profile, then you’ll either need to edit the Default SSL Profile to include the SSL Redirect option, or create a new custom SSL Profile with the SSL Redirect option enabled, and then bind the custom SSL Profile to this vServer.
25. If the default SSL Profile is not enabled, then you’ll need to edit the SSL Parameters section on the vServer, and at the top right, check the box next to SSL Redirect. Otherwise the Receiver for Web page will never display.

set ssl vserver lbvip-StoreFront-SSL -sslRedirect ENABLED -ssl3 DISABLED

26. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.

bind ssl vserver lbvip-StoreFront-SSL -certkeyName MyCert
set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL
bind ssl vserver lbvip-StoreFront-SSL -cipherName Modern
bind ssl vserver lbvip-StoreFront-SSL -eccCurveName ALL
bind lb vserver lbvip-StoreFront-SSL -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

When connecting to StoreFront through load balancing, if you want to put the server name on the StoreFront webpage so you can identify the server, see Nicolas Ignoto Display server name with Citrix StoreFront 3.

SSL Redirect – SSL Load Balancing vServer Method

Users must enter https:// when navigating to the StoreFront website. To make it easier for the users, enable SSL Redirection.

This procedure details the SSL Load Balancing vServer method of performing an SSL redirect. An alternative is to use the Responder method.

1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
2. On the right, find the SSL Virtual Server you’ve already created, click the ellipsis next to it and click Edit.
3. In the Basic Settings section, click the pencil icon.
4. Click the More link.
5. In the Redirect from Port field, enter 80.
6. In the HTTPS Redirect URL field, enter your StoreFront Load Balancing URL (e.g. https://storefront.corp.com).
7. Scroll down and click Continue twice.

set lb vserver lbvip-StoreFront-SSL -redirectFromPort 80 -httpsRedirectUrl https://storefront.corp.com

This method does not add any new vServers to the list so it’s not easy to see if this is configured.

StoreFront Base URL

1. Create a DNS Host record that resolves to the new VIP.
2. The DNS name for StoreFront load balancing must be different than the DNS name for NetScaler Gateway. Unless you are following the Single FQDN procedure.
3. In the Citrix StoreFront console, right-click Server Group and click Change Base URL.
4. Enter the new Base URL in https://storefront.corp.com format. This must match the certificate that is installed on the load balancer. Click OK.

Subscription Replication Load Balancing

If you have multiple StoreFront clusters (separate datacenters), you might want to replicate subscriptions between them. StoreFront subscription replication uses TCP port 808. To provide High Availability for this service, load balance TCP port 808 on the StoreFront servers. See Configure subscription synchronization at Citrix Docs for more information.

1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
2. On the right, click Add.
3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SubRepl).
4. Change the Protocol to TCP.
5. Scroll down and click OK.
6. Click where it says No Service Group Member.
7. Change the selection to Server Based and select the StoreFront servers.
8. Enter 808 as the port. Then click Create.
9. Click OK.
10. On the right, under Advanced Settings, click Monitors.
11. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
12. Click the arrow next to Click to select.
13. Select the tcp monitor and click Select.
14. Then click Bind and click Done.

add serviceGroup svcgrp-StoreFront-FavRepl TCP
bind serviceGroup svcgrp-StoreFront-FavRepl SF01 808
bind serviceGroup svcgrp-StoreFront-FavRepl SF02 808

17. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
18. On the right, click the ellipsis next to the existing StoreFront Load Balancing vServer, and click Add.
19. Name it lbvip-StoreFront-SubRepl or similar.
20. Change the Protocol to TCP.
21. Specify the same VIP that you used for SSL Load Balancing of StoreFront.
22. Enter 808 as the Port.
23. Click OK.
24. Click where it says No Load Balancing Virtual Server ServiceGroup Binding.
25. Click the arrow next to Click to select.
26. Select your StoreFront Subscription Replication Service Group and click Select.
27. Click Bind.
28. Click Continue.
29. Then click Done.

add lb vserver lbvip-StoreFront-FavRepl TCP 10.2.2.201 808 -persistenceType NONE
bind lb vserver lbvip-StoreFront-FavRepl svcgrp-StoreFront-FavRepl

StoreFront Favorites/Subscriptions

Last Modified: May 28, 2017 @ 11:05 am

Navigation

This page contains the following topics:
• Favorites/Subscriptions Overview
• Favorites/Subscriptions Replication across Server Groups
• Common Favorites/Subscriptions for Multiple Stores on same Server Group
• Delete Favorites/Subscriptions

Favorites/Subscriptions Overview

By default, StoreFront allows users to select applications as their Favorites. These subscribed applications are then displayed in the Favorites view of Receiver. Administrators can also use KEYWORDS in published application descriptions to auto-favorite an application.

The Favorites (subscriptions) are stored in a file database on each StoreFront server and are automatically replicated to every StoreFront server in a local Server Group. For StoreFront servers in multiple datacenters, you can configure replication of subscriptions between Server Groups.

Multi-datacenter – Favorites/Subscriptions Replication

If you have different StoreFront clusters (server groups) in multiple datacenters, you probably want to replicate subscriptions between them. This provides a consistent user interface no matter which datacenter the user connects to. For more information, see What Subscriptions and Server Groups Mean for StoreFront Designs

1. The store names must be identical in each StoreFront server group.
2. When adding farms (Manage Delivery Controllers) to StoreFront, make sure the farm names are identical in each StoreFront cluster (server group).
3. Load balance TCP 808 for each StoreFront cluster. Use the same VIP you created for SSL Load Balancing of StoreFront. Each datacenter has its own VIP.
4. Run the PowerShell commands detailed at Configure subscription synchronization at Citrix Docs. When adding the remote cluster, enter the TCP 808 Load Balancing VIP in the other datacenter. Run these commands on both StoreFront clusters.
5. Don’t forget to add the StoreFront server computer accounts to the local group CitrixSubscriptionSyncUsers on each StoreFront server.

Share Favorites/Subscriptions with Multiple Stores

Docs – Configure two StoreFront stores to share a common subscription datastore: It is common for administrators to configure StoreFront with two distinct stores, one for external access to resources using Netscaler Gateway and another for internal access using the corporate LAN. You can configure both “external” and “internal” stores to share a common subscription datastore by making a simple change to the store web.config file.

For two stores to share a subscription datastore, you need only point one store to the subscription service end point of the other store.

Note: The XenApp, XenDesktop and AppC controllers configured on each store must match exactly; otherwise, an inconsistent set of resource subscriptions on one store might occur. Sharing a datastore is supported only when the two stores reside on the same StoreFront server or server group deployment.

Open the external store web.config file (C:\Inetpub\wwwroot\Citrix\ExternalStore\web.config) using Notepad and search for the clientEndpoint. For example:

    <subscriptionsStoreClient enabled="true">
      <clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_External" authenticationMode="windows" transferMode="Streamed">
        <clientCertificate thumbprint="0" />
      </clientEndpoint>
    </subscriptionsStoreClient>

Change the external to match the internal store endpoint.

    <subscriptionsStoreClient enabled="true">
      <clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_Internal" authenticationMode="windows" transferMode="Streamed">
        <clientCertificate thumbprint="0" />
      </clientEndpoint>
    </subscriptionsStoreClient>

Then Propagate Changes.

Delete Favorites/Subscriptions

From Citrix Discussions: You can delete subscriptions using the subscription store PowerShell API and some file editing:

1. Backup subscriptions.
   1. If StoreFront 3.5 or newer, run the following (from Citrix CTX216295 How to Export and Import StoreFront Subscription Database on Storefront 3.6):

          $store = Get-STFStoreService
          Export-STFStoreSubscriptions -Store $store -FilePath "$env:userprofile\desktop\subscriptions.txt"

   2. If StoreFront 3.0.1 or older, run the following PowerShell (using ‘Run As Administrator’ when opening the PowerShell Console and not missing the ‘. ‘ (i.e. dot space) at the start of the first command):

          . 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'
          Export-DSStoreSubscriptions -StoreName MyStore -FilePath .\subscriptions.txt

2. Stop the “Citrix Subscriptions Store” Service on all StoreFront servers in the deployment.
3. Find the subscription store database folder: “C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\1__Citrix_Store” on each StoreFront server. Note: If UAC is enabled then you might have to go to C:\Windows\ServiceProfiles\NetworkService first and then drill down into the remaining folders. AppData is a hidden folder.
4. Delete the contents of this folder (do not delete the folder itself).
5. Restart the “Citrix Subscriptions Store” Service on all StoreFront servers in the deployment.
6. Open Event Viewer and, in the left pane, navigate to Applications and Services Logs > Citrix Delivery Services. Search for events logged by the Citrix Subscriptions Store Service with an Event ID of 3 and a Task Category of 2901. Ensure that an entry is logged for each store on every server in the deployment before continuing.
7. Then edit to remove any entries you want to delete.
8. Restore your subscriptions.
   1. If StoreFront 3.5 or newer, run the following PowerShell commands to restore your subscriptions:

          $store = Get-STFStoreService
          Import-STFStoreSubscriptions -Store $store -FilePath "$env:userprofile\desktop\subscriptions.txt"

   2. If StoreFront 3.0.1 or older, run the following PowerShell:

          Import-DSStoreSubscriptions -StoreName MyStore -FilePath .\subscriptions.txt

Each row of the exported subscriptions file is a tab-separated list of user-sid, resource-id, subscription-id, subscription-status followed by zero or more subscription-property name-value pairs. To delete all subscriptions for a particular user, you will need to find the user’s SID and then delete all rows starting with that value.
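The row-deletion edit described above can be scripted instead of done by hand. The following PowerShell is an added example, not part of the original article or the Citrix Discussions post; the function names, the sample rows, the account name and the SIDs are constructed for illustration, and only the column order (user-sid first, tab-separated) is taken from the text.

```powershell
# Added example (not from the original article). Removes every row that belongs
# to one user SID from an exported StoreFront subscriptions file.

function Get-UserSid {
    # Translate DOMAIN\user into a SID string. Needs access to the domain.
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Remove-SubscriptionRowsForSid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,     # exported subscriptions.txt
        [Parameter(Mandatory)][string]$Sid,      # SID whose rows are removed
        [Parameter(Mandatory)][string]$OutPath   # edited copy, imported later
    )
    # Reject malformed SID strings before touching the file.
    $null = New-Object System.Security.Principal.SecurityIdentifier($Sid)

    $rows = @(Get-Content -LiteralPath $Path)
    # Compare the complete first field. A prefix or "starts with" text search
    # would also hit a different user whose RID merely begins with the same digits.
    $kept = @($rows | Where-Object { ($_ -split "`t", 2)[0] -ne $Sid })

    # Write a copy; the original export stays untouched as the backup.
    # Assumption: the default encoding suits the import; check it against your export.
    Set-Content -LiteralPath $OutPath -Value $kept

    [pscustomobject]@{
        TotalRows   = $rows.Count
        RemovedRows = $rows.Count - $kept.Count
        KeptRows    = $kept.Count
    }
}

# --- Constructed sample data (hypothetical SIDs, resource IDs and GUIDs) ---
$sample = Join-Path $env:TEMP 'subscriptions-sample.txt'
$edited = Join-Path $env:TEMP 'subscriptions-edited.txt'
@(
    "S-1-5-21-1111111111-2222222222-3333333333-1105`tXA.Notepad`t0f0e0d0c-0000-0000-0000-000000000001`tSubscribed"
    "S-1-5-21-1111111111-2222222222-3333333333-1105`tXA.Calc`t0f0e0d0c-0000-0000-0000-000000000002`tSubscribed"
    "S-1-5-21-1111111111-2222222222-3333333333-11050`tXA.Notepad`t0f0e0d0c-0000-0000-0000-000000000003`tSubscribed"
) | Set-Content -LiteralPath $sample

# On a domain-joined machine the SID would come from: Get-UserSid 'CORP\jdoe'
$sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
Remove-SubscriptionRowsForSid -Path $sample -Sid $sid -OutPath $edited
```

The returned counts give a quick sanity check before the edited file is imported: RemovedRows should equal the number of subscriptions the user actually had.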

StoreFront 3.5 through 3.11 – Configuration for NetScaler Gateway

Navigation

This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.

• StoreFront Configuration for NetScaler Gateway
o NetScaler Gateway Logon Page Theme
• Single FQDN for internal and external
• Multiple Datacenters
o Multisite StoreFront and NetScaler Gateway Design
o Icon Aggregation and Home Sites
o HDX Optimal Gateway
• Multiple Gateways Connecting to One StoreFront

StoreFront Config for Gateway

See the NetScaler pages for instructions on configuring NetScaler Gateway for StoreFront.

1. In the StoreFront Console, right-click the Store and click Manage Authentication Methods.
2. Ensure Pass-through from NetScaler Gateway is selected, and click OK.
3. If you need the SmartAccess feature, then you need to configure StoreFront to perform an authentication callback to a NetScaler Gateway Virtual Server on the same appliance that authenticated the user.
   1. If you need SmartAccess and are doing Single FQDN then the Callback FQDN must be different than the Single FQDN.
   2. If you need SmartAccess and are doing different FQDNs for Gateway and StoreFront, then the Callback FQDN is usually the same as the Gateway FQDN.
   3. Make sure the StoreFront server can resolve the Callback FQDN to a Gateway VIP (with matching certificate). One option is to edit the C:\Windows\System32\drivers\etc\hosts file and add an entry for the Callback FQDN.
4. After configuring the HOSTS file, on the StoreFront server, open a browser and navigate to the DNS name. Make sure the Gateway vServer logon page appears.
5. In the StoreFront Console, right-click Stores, and click Manage NetScaler Gateways.
6. If StoreFront 3.6 or newer, notice the imported from file link on top. This is a new feature of NetScaler 11.1. See Citrix Blog Post NetScaler Gateway Deployment Configuration for StoreFront, Simplified! for details.

7. If you’re not using the config file from NetScaler 11.1 and newer, click Add.
8. In the General Settings page, enter a display name. This name appears in Citrix Receiver so make it descriptive.

9. Enter the NetScaler Gateway Public URL. This can be a GSLB-enabled DNS name. Click Next.
10. In the Secure Ticket Authority page, click Add.
11. Enter the URL to a XenDesktop Controller. This can be http or https.

12. Continue adding Secure Ticket Authorities (XenDesktop Controllers). Whatever Secure Ticket Authorities you add here must also be added to the NetScaler Gateway Virtual Server on the NetScaler appliance. Click Next.
13. In the Authentication Settings page, if you have multiple Gateways (on separate appliance pairs) connecting to one StoreFront server then you’ll need to enter the vServer IP address (VIP) of the NetScaler Gateway Virtual Server so StoreFront can differentiate one NetScaler Gateway from another. If there’s only one Gateway communicating with this StoreFront server group, then leave the VServer IP address field empty.
14. If you need SmartAccess, then enter the Callback URL.
o The Callback URL must resolve to any NetScaler Gateway VIP on the same appliance that authenticated the user. For multi-datacenter, edit the HOSTS file on the StoreFront server so it resolves to NetScaler appliances in the same datacenter.
o The Callback URL Gateway Virtual Server must have a trusted and valid (matches the FQDN) certificate.
o The Callback URL Gateway Virtual Server must not have client certificates set to Mandatory.

15. If you don’t need SmartAccess then leave the Callback URL field empty.
16. If you enabled two-factor authentication (LDAP and RADIUS) on your NetScaler, change the Logon type to Domain and security token. Otherwise leave it set to Domain only.
17. Click Create.
18. Then click Finish.

19. Right-click a store and click Configure Remote Access Settings.
20. Check the box next to Enable Remote Access.
21. Leave it set to No VPN tunnel.
o Note: if you want Receiver to automatically launch a VPN tunnel, then see CTX200664 How to Configure Receiver for Seamless Experience Through NetScaler Gateway.
22. Check the box next to the NetScaler Gateway object you just created and then click OK.

23. Then in the StoreFront console, right-click Server Group and click Propagate Changes.

NetScaler Gateway Logon Page Theme

To make the NetScaler Gateway logon page look like Receiver 3.0 and newer, see one of the following:
• NetScaler Gateway 11.1 Portal Theme
• StoreFront 3.x Portal Theme for NetScaler 11.0
• StoreFront 3.x Theme for NetScaler 10.5

Single FQDN

Links:
• Citrix CTX200848 How to Configure Single Fully Qualified Domain Name for StoreFront and NetScaler Gateway
• Docs.citrix. – Create a single Fully Qualified Domain Name (FQDN) to access a store internally and externally

Traditionally Receiver required separate FQDNs for StoreFront Load Balancing (internal) and NetScaler Gateway (external). Recently Citrix made some code changes to accept a single FQDN for both. This assumes that external users resolve the Single FQDN to a NetScaler Gateway VIP and internal users resolve the same FQDN to StoreFront Load Balancing VIP.

Single FQDN has the following requirements:
• Receivers:
o Receiver for Windows 4.2 or newer
o Receiver for Mac 11.9 or newer
o Mobile Receivers
o It doesn’t seem to work with Linux Receiver
• StoreFront 2.6 or newer
• Split DNS – different DNS resolution for internal vs external
• NetScaler 10.1 or newer

This section assumes NetScaler Gateway is in ICA Proxy mode. Different instructions are needed for when ICA Proxy is off. See docs.citrix. for more information.

If you don’t care about email-based discovery then the configuration of Single FQDN is fairly simple. Sample DNS names are used below. Make sure the certificates match the DNS names.

1. Internal DNS name = the Single FQDN (e.g. storefront.corp.). Resolves to internal Load Balancing VIP for StoreFront. Set the StoreFront Base URL to this address.
2. External DNS name = the Single FQDN (e.g. storefront.corp.). Resolves to public IP, which is NAT’d to NetScaler Gateway VIP on DMZ NetScaler. Set the NetScaler Gateway object in StoreFront to this FQDN.
3. If you need SmartAccess, then the Callback URL = any DNS name (e.g. callback.corp.) that resolves to a NetScaler Gateway VIP on the same DMZ NetScaler appliance that authenticated the user.
o Callback is optional if you don’t need SmartAccess features.
o The callback DNS name must be different than the Single FQDN.
o Your external NetScaler Gateway certificate could match both the Single FQDN and the Callback FQDN. Or you can create separate NetScaler Gateway Virtual Servers on the same appliance with separate certificates that match these FQDNs.
4. Internal Beacon = any internal website URL that is not externally accessible. You can’t use the Single FQDN as the Internal Beacon. Ideally, the Internal Beacon should be a new DNS name that resolves to the StoreFront Load Balancing VIP. However, this requires the StoreFront Load Balancing Virtual Server to have a certificate that matches both the Single FQDN and the Internal Beacon. See CTX218708 How to Configure Internal Beacon for Single FQDN on StoreFront.
o If you are using Receiver for iOS internally then be aware that Receiver for iOS handles the Internal Beacon differently than Receiver for Windows. Receiver for iOS will append /Citrix/Store/discovery to the Internal Beacon and thus it only works if the Internal Beacon DNS name resolves to the StoreFront server. Since you can’t use the StoreFront Base URL as the Internal Beacon you’ll need a different DNS name that resolves to the StoreFront servers and matches the StoreFront certificate. Note: if you are not allowing internal iOS devices then this isn’t needed.
5. Make sure the DMZ NetScaler resolves the Single FQDN to the internal StoreFront Load Balancing VIP. You typically add internal DNS servers to the NetScaler. Or you can create a local Address Record for the Single FQDN.
6. In the NetScaler Gateway Session Profiles, set the Web Interface Address and the Account Services Address to the Single FQDN.

▪ If email-based discovery. ▪ Or you can create a separate Gateway vServer for callback with a separate . Only accessed from internal. If you made changes to an existing StoreFront which is NAT’d to NetScaler Gateway VIP on DMZ NetScaler. SRV record for points to ▪ Callback.corp.corp. For authentication – for callback then you might have to remove accounts from Receiver and re-add the account. – resolves to NetScaler Gateway VIP on DMZ NetScaler. That’s all you need to implement Single resolves to public IP.corp. Assumes email suffix is also corp._tcp.corp. If you need email-based discovery then here’s an example configuration for ICA Proxy NetScaler Gateway: • External DNS: o Storefront. • External publicly-signed certificate for NetScaler Gateway: o One option is wildcard for *. o If email-based discovery.corp. o Another option is the following Subject Alternative Names: ▪ Storefront.corp. discoverReceiver. Make sure this name is not resolvable resolves to Load Balancing VIP for StoreFront o Callback. FQDN of any internal web server.suffix • Internal DNS: o Storefront. o For the internal beacon.

corp. o Another option is the following Subject Alternative Names: ▪ Receiver for Web session policy (basic mode or ICA Only is checked): • Policy expression = ▪ Web Interface Portal Mode = Normal ▪ Single Sign-on Domain = Corp ▪ Account Services address = https://storefront. especially for mobile devices and thin • Internal certificate for StoreFront Load Balancing: publicly-signed o Session Timeout = 60 minutes o Clientless Access = Off o Clientless Access URL Encoding = Clear o Clientless Access Persistent Cookie = Deny o Plug-in Type = Windows/Mac OS X o Single Sign-on to Web Applications = checked • Security tab: o Default authorization = ALLOW • Published Applications tab: o ICA Proxy = On o Web Interface address = https://storefront. Or FQDN of internal web server. • Gateway object: o Gateway URL = discoverReceiver.corp. o If email-based o Callback URL = https://Callback.HEADER User-Agent NOTCONTAINS CitrixReceiver • Client Experience tab: o Home page = . Make sure it’s not resolvable externally.corp.corp. Assumes email suffix is also corp.HEADER User-Agent CONTAINS CitrixReceiver o Client Experience tab: ▪ Session Timeout = 60 minutes ▪ Clientless Access = Off ▪ Clientless Access URL Encoding = Clear ▪ Clientless Access Persistent Cookie = Deny ▪ Plug-in Type = Java o Security tab: ▪ Default authorization = ALLOW o Published Applications tab: ▪ ICA Proxy = On ▪ Web Interface address = o Web Interface Portal Mode = Normal o Single Sign-on Domain = Corp Receiver Self-Service session policy (basic mode or ICA Only is checked): • o Policy expression = • Internal beacon = https://InternalBeacon.corp. o One option is wildcard for *.com ▪ If email-based discovery.suffix points to StoreFront.corp.corp.suffix StoreFront Configuration: • Base URL = https://storefront.HTTP. Also can use the external SRV record for _citrixreceiver.

com resolves to a NetScaler Gateway NetScaler Gateway ICA Proxy is typically used both externally and internally. Here’s a typical active/active XenApp/XenDesktop configuration: • Farms: Separate XenApp/XenDesktop farms in each datacenter. This allows pass- through two-factor. See Citrix Docs – Set up highly available multi-site store configurations Note: if you have existing subscriptions/favorites. There are two methods of configuring icon aggregation in StoreFront: • The StoreFront Console can do simple configurations – The console supports a single aggregation group and active/passive configurations for multiple Active Directory user groups. StoreFront can enumerate icons from multiple farms. but this functionality is not yet fully realized. If there are identical icons in multiple farms. then enabling icon aggregation will cause the existing subscriptions to be ignored.Multiple Datacenters / Farms Multisite NetScaler Gateway and StoreFront Design If you have StoreFront (and NetScaler Gateway) in multiple datacenters. modifying. SAML. StoreFront chooses datacenters at the farm level. When the user clicks the icon. Thus StoreFront assumes that each datacenter has a separate XenApp/XenDesktop farm. Externally it is required. o Externally.) . citrix. After the datacenter (farm) is See Subscriptions Missing after Enabling Aggregation at Citrix Discussions. and assigning users to Home resolves to a StoreFront Load balancing VIP. A different Active Directory user group could have Farm B as active and Farm A as passive. citrix. then the icons can be aggregated so that only a single icon is displayed to the user. Optimal Gateway directs the ICA connection through the NetScaler Gateway that is closest to the destination VDA. GSLB is typically used for the initial user connection but GSLB doesn’t provide much control over which datacenter a user initially reaches.g. o Zones are not yet an effective option. citrix. 
you can load balance connections across two identical farms (active/active). NetScaler Gateway is sometimes needed internally for certain authentication configurations (e. This is required for two reasons: HDX Optimal Routing. Smart Card. StoreFront then needs to select a datacenter (select a farm). Or farms can be active/active load balanced. The current challenge with stretched farms is that SQL is in only one datacenter. Optimal Gateway requires datacenter-specific DNS names for NetScaler Gateway. Farms can be prioritized (active/passive). Citrix is still working on adding zone functionality. You can migrate the existing subscriptions by exporting. This is also known as “Home Sites” • Complex configurations can be performed in XML files – For example. So the ultimate datacenter routing logic must be performed by StoreFront. and importing. This is typically done based on the user’s Active Directory group membership. • FQDN: Internal users and external users use the same FQDN (e. o Internally. etc. One Active Directory user group could have Farm A as active and Farm B as passive. • Citrix is beginning to add more zone-based features to support single farms stretched across datacenters. • NetScaler Gateways: For AppFlow reporting. Internally it is used to generate AppFlow data. If the internal DNS name resolved to a NetScaler Gateway VIP then pass- through authentication would not work.

company. Or configure each of them separately but identically. o This configuration allows you to configure NetScaler Gateway Session Policies with the IP address of StoreFront Load Balancing instead of a GSLB DNS name. You can export the config from one Server Group and import it to the other. • HDX Optimal Routing: Use HDX Optimal Routing to route ICA traffic through the NetScaler Gateway that is closest to the destination • StoreFront Server Groups: Separate StoreFront Server Groups in each If the specific datacenter is o The datacenter-specific DNS names are delegated to NetScaler ADNS. o Create two Load Balancing vServers: one for local StoreFront. o Use AD groups to specify a user’s home datacenter as detailed citrixsite2. same Gateways. One option is to bind a TCP monitor to the remote GSLB service. the GSLB services contain the internal StoreFront Load Balancing VIP in each datacenter. o The GSLB Services contain the internal or public VIPs of NetScaler Gateway in each datacenter.• Delegation: to If external. o Configure farm priority based on AD groups. Or GSLB static proximity can take care of persistence. For an aggregated icon. • STAs: each StoreFront Server Group uses STAs in the local Then you can have two different GSLB vServers with different GSLB services with different monitoring configurations. One workaround is to configure external GSLB for so that the DNS request that reaches internal NetScaler ADNS is actually for citrixinternal. same SRID. then you can use one of these DNS names to connect to StoreFront in a specific datacenter. add the Protection section and configure the Backup (remote) vServer. Since ICA Traffic could end up on either NetScaler. • Icon aggregation: Configure StoreFront to aggregate icons from the two farms as detailed is delegated from internal DNS and public DNS to NetScaler ADNS (internal and external). . then give out that IP. o This DNS name is bound to one NetScaler GSLB vServer that has two active GSLB services. 
This is helpful for testing.g. Identical means: same Base URL. o If subscriptions/favorites are enabled. use PowerShell commands to configure subscription replication between the two Server Groups. o Citrix doesn’t support stretching a single StoreFront Server Group across a WAN one for remote In the Active (local) Load Balancing vServer. The TCP monitor contains the public IP address of the NetScaler Gateway in the remote datacenter. the AD group determines which farm the icon is launched from. If internal. GSLB vServer Source IP persistence is probably not effective internally so GSLB Service Site Persistence (cookies) is preferred. The user’s roaming profile and home directory are in the user’s home and configure internal GSLB for citrixinternal. The active/passive VIP allows NetScaler Gateway to connect to StoreFront even if StoreFront in the local datacenter is down. o You can’t bind the same DNS name to two different GSLB vServers. Active = the StoreFront servers in the local datacenter. This also means that MEP must be routed across the internal DCI (datacenter interconnect) instead of across the Internet. o GSLB persistence is required for the duration of the StoreFront session. o You can use a proximity GSLB load balancing method to select the closest datacenter. o NetScaler GSLB for these DNS names is configured for active/passive: if the specific datacenter is up. • Single NetScaler: If one NetScaler is doing GSLB for both internal and external: o You probably want different GSLB monitoring methods for internal vs external. and same Beacons. citrixsite1. same farms (Manage Delivery Controllers). the GSLB services contain the public NetScaler Gateway VIP in each datacenter. Passive = the StoreFront servers in the remote datacenter. o Each Server Group is configured identically. all STAs must be added to all NetScaler Gateways. The internal DNS servers have a CNAME (alias) from citrix. 
o If these DNS names are added to StoreFront for both Authentication and HDX Routing. then give out the IP of the other datacenter. This requires datacenter-specific DNS names (e. If Internet goes down in one of the datacenters. then you probably don’t want that to affect internal GSLB. • StoreFront Load Balancing: StoreFront load balancing VIP can be active/passive. o For the public DNS name. NetScaler in one datacenter must monitor the Internet circuit in the other datacenter so it doesn’t give out the public IP of the other datacenter if that datacenter’s Internet circuit is

• Beacons: the internal beacon is critical. If the internal beacon is down then Receiver Self-service won’t be able to determine if the client device is internal or not. GSLB can be used for the internal beacon DNS name.

Icon Aggregation and Home Sites

To configure icon aggregation using the StoreFront Console:

1. In StoreFront Console, go to Stores, right-click your Store, and click Manage Delivery Controllers.
2. Add multiple farms. Typically, each datacenter is a separate farm.

3. After adding multiple farms, the Configure button becomes available. Click it.
4. If you are publishing identical resources from multiple farms, click the link to Aggregate resources.
5. Select the farms with identical resources that you want to aggregate. Click Aggregate.
6. If StoreFront 3.6 and newer, notice the new checkboxes on the bottom. If load balancing farms, the farms no longer need to be identical. You can now load balance farms instead of doing farm failover only.
7. Note: if you have existing subscriptions/favorites, then enabling icon aggregation will cause the existing subscriptions to be ignored. You can migrate the existing subscriptions by exporting, modifying, and importing. See Subscriptions Missing after Enabling Aggregation at Citrix Discussions.
8. Click OK when done.
9. Click Map users to controllers.
10. If you want the same farm failover (active/passive) or farm load balancing (StoreFront 3.6 and newer) settings for everyone, then leave the User Groups page set to Everyone. Or if you intend to have different home sites for different users, add a user group that contains the users that will be homed to a particular datacenter. You can run this wizard multiple times to specify different home sites for different user groups.

11. Click Next. In the Controllers page, click Add.
12. Select the farms that these users will have access to, and click OK.
13. If you configured farm aggregation without load balancing, then use the up and down arrow buttons to put the active site on top. The lower priority sites will only be accessed if the primary site is down. You can run this wizard multiple times to specify different active sites for different users.
14. If farm aggregation is configured for load balancing (StoreFront 3.6 and newer), then there are no arrows to prioritize the farms.
15. Click Create.
16. You can click Add to add more user mappings. If you add multiple user groups, you can assign different primary farms to each Active Directory group. This is how you configure “home sites”. Click OK twice when done.

Shaun Ritchie Citrix StoreFront High Availability and Aggregation – A dual site Active Active design has a sample multi-site configuration using XML Notepad and explains how to use the Primary and Secondary keywords to override farm priority order.

Citrix Blogs StoreFront Multi-Site Settings: Some Examples has example XML configurations for various multi-datacenter Load Balancing and failover scenarios.

If you are running XenApp / XenDesktop in multiple datacenters, you must design roaming profiles and home directories correctly.

When Citrix Receiver switches between StoreFront servers in multiple datacenters, it’s possible for each datacenter to be treated as a separate Receiver site. This can be prevented by doing the following.

From Juan Zevallos at Citrix Discussions: To have multiple StoreFront deployments across a GSLB deployment, here are the StoreFront requirements:
• Match the SRID – in StoreFront, if you use the same Base URL in the 2 separate installations, then the SRID should end up being identical. If the Base URL is changed after the initial, the SRID doesn’t change. The SRID can be safely edited in the \inetpub\wwwroot\Citrix\Roaming\web.config file. It will be replicated into the discovery servicerecord entry in the Store web.config which can be edited as well or refreshed from the admin console by going into Remote Access setup for the store and hitting OK. Make sure to propagate changes to other servers in the group.
• Match the Base URL
• Match the Delivery Controller names under “Manage Delivery Controllers” – The XML brokers can be different, but the actual name of the Delivery Controller/Farm must be identical.

Here’s the exact setting I’m referring to: https://citrix.sharefile.

HDX Optimal Routing

The Optimal Gateway feature lets you override the NetScaler Gateway used for ICA connections. Here are some scenarios where this would be useful:

• Multi-site Load Balancing. If the icon selected by the user is published from XenApp/XenDesktop in Datacenter A, then you probably want the ICA connection to go through a NetScaler Gateway Virtual Server in Datacenter A. If the main DNS name for accessing NetScaler Gateway is GSLB load balanced across datacenters, then you need additional datacenter-specific DNS names so you can control which datacenter the ICA connection goes through. Note: Optimal Gateway is applied at the farm/site level or zone level (for stretched 7.7+ farms).
• NetScaler Gateway for internal connections (AppFlow). If you want to force internal users to go through NetScaler Gateway so AppFlow data can be sent to Citrix Insight Center then you can do that using Optimal Gateway even if the user originally connected directly to the StoreFront server. See CTX200129 How to Force Connections through NetScaler Gateway Using Optimal Gateways Feature of StoreFront for more information.
• The NetScaler Gateway Virtual Server requires user certificates. If ICA traffic goes through a NetScaler Gateway Virtual Server that requires user certificates (e.g. Smart Card), then each session launch will result in a PIN prompt. To prevent these extra prompts, build a separate NetScaler Gateway Virtual Server that doesn’t have user certificates as Mandatory. Use Optimal Gateway to force ICA connections through the other NetScaler Gateway Virtual Server. Note: SmartAccess Callback URL also cannot use a NetScaler Gateway Virtual Server where client certificates are set to Mandatory so the extra NetScaler Gateway Virtual Server would be useful for that scenario too.

Optimal Gateway can be configured in the StoreFront Console:

1. Right-click Stores, and click Manage NetScaler Gateways.
2. Add more Gateways: one for each datacenter.
3. When adding a Gateway, you can designate a Usage or role. The Gateway accessed through the active/active GSLB DNS name should be set to Authentication and HDX routing.
4. The Gateways for Optimal Routing could be set to HDX routing only. Or if test users will use these datacenter-specific DNS names to connect to Gateways in specific datacenters, leave them set to Authentication and HDX routing. There’s no harm in leaving all of the Gateways set to Authentication and HDX routing.
5. Go to Stores, right-click a store and click Configure Store Settings.
6. Go to the Optimal HDX Routing page.
7. Highlight one of the datacenter-specific Gateways and click Manage Delivery Controllers.
8. Select the farms that are accessible through this gateway and click OK.
9. Repeat for the other datacenter-specific Gateways.
10. The Gateway for the active/active GSLB-enabled DNS name doesn’t need any farms associated with it.
11. Another option for Optimal Gateway selection is zones. In XenApp/XenDesktop 7.7 and newer, you can stretch a farm across datacenters (zones) and use a different Gateway for each zone. Highlight a Gateway. Click Manage Zones and add the zone name. This assumes the zone name has also been specified in the Manage Delivery Controllers dialog box > Advanced Settings.
12. If you only want the Gateways to be used for external users, check the boxes for External only. Otherwise the Gateway routing will be used for both internal and external connections.
13. Click OK when done.

In summary, users will connect to the GSLB-enabled Gateway and login. After clicking an icon, HDX will be routed through one of the datacenter-specific Gateways based on the farm the icon was launched from.

Multiple Gateways (GSLB) to One StoreFront

This section applies to SmartAccess and the Callback URL. If you don’t need SmartAccess then skip this section.

If you have multiple appliance pairs communicating with a single StoreFront server, then StoreFront needs to identify which NetScaler appliance pair the request came from so it can perform a callback to that appliance pair. The Callback URL must go to the same appliance that authenticated the user.

If each of the NetScaler Gateways uses the same DNS name (GSLB), then you can’t use the DNS name to distinguish one appliance from the other. Instead, StoreFront can use the Gateway VIP to distinguish appliances so the callback goes to the correct appliance.

1. Create datacenter-specific callback DNS names. For example: callbackprod.corp. and callbackdr.corp.
2. The datacenter-specific callback DNS name must match the certificate on the NetScaler Gateway Virtual Server. Here are some options to handle the certificate requirement:
o On the main NetScaler Gateway Virtual Server, assign a wildcard certificate that matches both the GSLB name and the datacenter-specific callback name.
o On the main NetScaler Gateway Virtual Server, assign an SSL certificate with Subject Alternative Names for both the GSLB name and the datacenter-specific callback name.
o Create an additional NetScaler Gateway Virtual Server on the appliance. Bind a certificate that matches the datacenter-specific name.
3. In the StoreFront console, create multiple NetScaler Gateway appliances, one for each datacenter.
4. Give each of the gateway objects unique names.
5. Enter the same NetScaler Gateway URL in all of the gateway appliances.
6. In the VServer IP address field, enter the Gateway VIP for this particular appliance pair. StoreFront will use this VIP to distinguish one NetScaler appliance from another.
7. The callback URL must be unique for each NetScaler appliance pair (e.g. callbackdr.corp.). The callback URL must resolve to a NetScaler Gateway VIP on the same appliance pair that authenticated the user.
8. When enabling Remote Access on the store, select both Gateway appliances. Select one as the default appliance.
9. Configure name resolution for the datacenter-specific callback DNS names. Either edit the HOSTS file on the StoreFront servers or add DNS records to your DNS servers.
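The callback requirements in the steps above (certificate covers both the GSLB name and the callback name, callback URL and VIP unique per appliance pair, callback name resolving to that pair's own VIP) can be checked before go-live. The following is an added example, not part of the original article or any Citrix tooling; all host names, addresses, SAN lists and the HOSTS content are constructed sample data.

```python
# Constructed sample data: every name, address and SAN below is hypothetical.
GSLB_NAME = "gateway.corp.example"
GATEWAYS = [
    {"name": "GW-Prod", "callback": "callbackprod.corp.example",
     "vip": "10.1.1.50", "sans": ["*.corp.example"]},
    {"name": "GW-DR", "callback": "callbackdr.corp.example",
     "vip": "10.2.2.50", "sans": ["gateway.corp.example"]},
]
HOSTS = """\
# StoreFront server HOSTS entries (constructed)
10.1.1.50   callbackprod.corp.example
10.1.1.50   callbackdr.corp.example   # points at the wrong datacenter
"""

def san_matches(san, host):
    """True if a certificate SAN covers host; '*' spans one left-most label only."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == san[2:]
    return san == host

def parse_hosts(text):
    """Map each host name in HOSTS-format text to its address (first entry wins)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def audit(gateways, gslb_name, hosts_text):
    """Return (gateway name, problem) pairs for the callback requirements."""
    resolved, problems = parse_hosts(hosts_text), []
    callbacks = [g["callback"].lower() for g in gateways]
    vips = [g["vip"] for g in gateways]
    for g in gateways:
        cb = g["callback"].lower()
        for needed in (gslb_name, cb):
            if not any(san_matches(s, needed) for s in g["sans"]):
                problems.append((g["name"], f"certificate does not cover {needed}"))
        if callbacks.count(cb) > 1:
            problems.append((g["name"], "callback URL is not unique"))
        if vips.count(g["vip"]) > 1:
            problems.append((g["name"], "VServer IP address is not unique"))
        if resolved.get(cb) != g["vip"]:
            problems.append((g["name"], f"{cb} resolves to {resolved.get(cb)}, expected {g['vip']}"))
    return problems

if __name__ == "__main__":
    for name, problem in audit(GATEWAYS, GSLB_NAME, HOSTS):
        print(f"{name}: {problem}")
```

In the sample data GW-Prod passes, while GW-DR is flagged twice: its certificate lacks the callback name, and the HOSTS entry sends its callback to the other appliance pair's VIP.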