
StoreFront 3.5 through 3.11 – Basic Configuration

This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.

• StoreFront Installation / Upgrade
o Initial Configuration
o Second StoreFront Server
o Customer Experience Improvement Program (CEIP)
• Store Name – Rename
• SSL Certificate
o Delivery Controllers – SSL
o Socket Pooling
• HOSTS File
• Base URL – Change
• Default Web Page
• Authentication Configuration
• Citrix Online
• Receiver for Web
o Unified Receiver Experience
o Customize Receiver Appearance
o Receiver for Web Pass-through Authentication

o Receiver for HTML5 2.4
o Deploy Citrix Receivers for Windows/Mac from StoreFront
o Receiver for Edge
o Receiver for Firefox 52
o Receiver for Web Timeout
o Default Tab
• Beacons
• Propagate Changes
• Export/Import StoreFront Configuration
• Auto-Favorite
• Logon Simulator


StoreFront Installation / Upgrade

The XenApp/XenDesktop 7.14 ISO comes with StoreFront 3.11. Or you can download it

You can install StoreFront at the same time as installing Delivery Controller. Or you can install StoreFront
3.11 on dedicated servers.

Citrix Blog Post StoreFront 3.0 Scalability recommends StoreFront servers to be sized with 4 vCPU and 8 GB

Note: You can install Web Interface and StoreFront on the same servers. Make sure Web Interface is
installed first.

1. If upgrading do the following before beginning the upgrade:
1. Export the StoreFront configuration so you can restore it if something goes wrong.
2. Stop the World Wide Web Publishing Service.
3. Stop all StoreFront services.
4. Close all PowerShell and StoreFront consoles.
5. If the Citrix SCOM Agent for StoreFront is installed, stop the Citrix MPSF Agent service.
Citrix CTX220935 Cannot Perform a StoreFront Upgrade if Citrix SCOM Management Pack
Agent Service is Running.

6. See Patrick van den Born Avoid 1603 errors when upgrading Citrix StoreFront 2.x to Citrix
StoreFront 3.5
2. Go to the downloaded Citrix StoreFront 3.11 and run CitrixStoreFront-x64.exe.

3. Or you can install from the 7.14 ISO by running AutoSelect.exe.

4. In the License Agreement page, check the box next to I accept the terms, and click Next.
5. In the Review prerequisites page, click Next.

6. In the Ready to install page, click Install.
7. In the Successfully installed StoreFront page, click Finish.

If this is a new install, skip to the Initial Configuration. After upgrading from StoreFront 2.6 or older, do the following to enable the Receiver X1 theme:

1. In the StoreFront Console, on the left click the Stores node.
2. Right-click the store and click Manage Receiver for Web Sites.
3. Click Configure. On the Receiver Experience page select Disable classic experience. Click OK and Close when done.
4. Once classic experience is disabled, you can now make changes on the Customize Appearance and Featured App Groups pages.


5. Go to Stores. Right-click the Store, and click Configure Unified Experience.
6. Check the box next to Set the unified Receiver experience as the default for this store, and click OK.
7. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

If you are upgrading to StoreFront 3.9 or newer, do the following to add SAML Authentication as an option. This feature lets you perform SAML against StoreFront without needing NetScaler Gateway. If you did a fresh deployment of 3.9 or newer, then SAML is already added.

1. Right-click the Store, and click Manage Authentication Methods.
2. On the bottom, click the Advanced button, and click Install or uninstall authentication methods.
3. Check the box next to SAML Authentication, and click OK.

4. If you don't want to configure SAML at this time, then uncheck the authentication method. See the Federated Authentication Service article for SAML details.

Initial Configuration

In StoreFront 3.8 and newer, you can create multiple stores in different IIS websites. This functionality is not exposed in the GUI and instead the entire StoreFront configuration must be performed using PowerShell. See Citrix Blog Post StoreFront 3.8 is Available NOW! for sample PowerShell commands to create the stores.

You can also use PowerShell to create a store and configure it as detailed at CTX206009 How to configure a Store via Powershell.

If this is a new deployment of StoreFront, do the following to perform the initial configuration:

1. In PowerShell, run Set-ExecutionPolicy RemoteSigned.
2. The management console should launch automatically. If not, launch Citrix StoreFront from the Start Menu.

3. In the middle, click Create a new deployment.
4. In the Base URL page, if you installed an SSL certificate on the StoreFront server, then the Hostname should already be filled in. For now, you can leave it set to the server name and then change it later once you set up SSL and load balancing. Click Next.

5. In the Getting Started page, click Next.
6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL path.
7. Check the box next to Set this Receiver for Web site as IIS default and click Next.

8. In the Delivery Controllers page, click Add.
9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don't put spaces or periods in the farm name)
10. Change the Type to XenDesktop.

11. Add the two XenDesktop Controllers. Change the Transport Type to HTTP. Click OK.
12. If you have multiple XenDesktop sites/farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don't put spaces or periods in the farm name) Click Next when done.

13. In the Remote Access page, don't check the box. You can set this up later. Click Next.
14. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway, and click Next. Note: if you want Domain pass-through for browser users, you also need to enable it for Receiver for Web as detailed later in this topic.

15. In the XenApp Services URL page, click Create.

16. In the Summary page, click Finish.

Second StoreFront Server

After the server group is created, NT SERVICE\CitrixConfigurationReplication and NT SERVICE\CitrixClusterService must remain in the Administrators group on both StoreFront servers or propagation will fail.

1. Install StoreFront on the second server.
2. Create/Import the SSL certificate, and bind it to the Default Web Site.
3. Login to the first StoreFront server. In the StoreFront management console, right-click Server Group, and click Add Server.

4. Copy the Authorization code. Note: the Please wait message means it is waiting on you to add the 2nd server. You don't actually have to wait.
5. Login to the second StoreFront server and launch the management console. In the middle, click Join existing server group.

6. In the Join Server Group page, enter the name of the first StoreFront server and enter the Authorization code copied earlier. Click Join.
7. Then click OK.
8. Go back to the first server. Click OK.
9. Notice this message. It is good advice.

10. All changes made on one StoreFront server must be manually propagated to the other StoreFront server. You do that by right-clicking Server Group and clicking Propagate Changes.
11. When you propagate changes, the default web page might not be replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Customer Experience Improvement Program

StoreFront 3.9 and newer enable Customer Experience Improvement Program (CEIP) by default. To disable it, create the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Telemetry\CEIP\Enabled (DWORD) and set it to 0 (zero). Also see CEIP at Install, set up, upgrade, and uninstall at Citrix Docs. See http://www.carlstalhood. for additional places where CEIP is enabled.

Store Name – Rename

If you installed StoreFront on your Delivery Controller, it will have a default store named Store. If you don't like the default Store Name (/Citrix/Store) then you will need to remove the store and re-add it.

Note: Some at Citrix Discussions (A protocol error occured while communicating with the Authentication Service) have reported authentication issues after following this procedure. It's probably cleaner to uninstall StoreFront and reinstall it.

1. In the StoreFront console, on the left, click Stores.
2. Right-click the store, and click Remove Store.
3. Click Yes.
4. On the left, right-click Stores, and click Create Store.

5. In the Getting Started page, click Next.
6. In the Store Name page, enter a name for the store. Note: the name entered here is part of the URL path.
7. Check the box next to Set this Receiver for Web site as IIS default and click Next.

8. In the Delivery Controllers page, click Add.
9. Enter a descriptive name for the XenApp/XenDesktop farm. This name does not need to match the actual farm name. (If StoreFront 3.5, don't put spaces or periods in the farm name)
10. Change the Type to XenDesktop.
11. Add the two XenDesktop Controllers.
12. Change the Transport Type to HTTP. Click OK.

13. If you have multiple XenDesktop farms, feel free to add them now. Or you can add older XenApp farms. (If StoreFront 3.5, don't put spaces or periods in the farm name) Or later, you can add farms in Store > Manage Delivery Controllers. Click Next when done.
14. In the Remote Access page, don't check the box and click Next. You can set this up later.

15. In the Authentication Methods page, check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway. Click Next.
16. In the XenApp Services URL page, click Create.

17. In the Created Successfully page, click Finish.

SSL Certificate

StoreFront requires SSL. You will save yourself much heartache if you install valid, trusted certificates. There are two options for StoreFront SSL.

• SSL Offload: Use NetScaler to do SSL Offload and load balancing. In this scenario, install the SSL certificate on the load balancer. You can leave the StoreFront servers listening on HTTP and no IIS server certificate. The SSL certificate on the NetScaler must match the DNS name that resolves to the load balancing VIP.
• SSL End-to-end: Install an SSL certificate on each StoreFront server and bind to IIS. This allows you to use SSL protocol between the load balancer and the StoreFront servers.

If StoreFront is installed on the Delivery Controllers, with server-specific certificates you can later enable HTTPS in the StoreFront Store Delivery Controller configuration.

For load balancers that can terminate SSL (e.g. NetScaler), the StoreFront IIS server certificate should match the StoreFront server name. If your load balancer cannot terminate SSL, then the StoreFront IIS certificate must match the DNS name that resolves to the load balancing VIP.

Another option is to create an SSL certificate with Subject Alternative Names for the load balanced DNS name and each of the StoreFront server FQDNs. Then import this one certificate on all StoreFront servers. Or a wildcard certificate could match all of these names.

In either case, be aware that Email-based discovery in Citrix Receiver requires the certificate to not only match the StoreFront load balanced DNS name but the certificate must also match discoverReceiver.email.suffix for every email domain. Usually the only option to match multiple email domains is with Subject Alternative Names.

If you have multiple email suffixes then you will need multiple Subject Alternative Names, each beginning with discoverReceiver. If you don't plan on implementing email-based discovery, then you don't have to worry about these discoverReceiver Subject Alternative Names.

When adding Subject Alternative Names to a certificate, the first Subject Alternative Name should be the same as the Load Balancing FQDN. The remaining Subject Alternative Names should be discoverReceiver.email.suffix for every email suffix.

If the certificate does not match discoverReceiver.email.suffix, then users will see this message when attempting to use email discovery in Citrix Receiver.

When you view a Subject Alternative Name certificate, on the Details tab, click Subject Alternative Name to verify that all names are listed, including the DNS name that resolves to the load balancing VIP.

There are several methods of creating a certificate for StoreFront.

• If you are implementing Single FQDN for internal and external users, then the certificate for external NetScaler Gateway can also be used for internal StoreFront. Note: Single FQDN has additional Subject Alternative Name certificate requirements including: Internal Beacon FQDN and Callback FQDN.
• If you will support non-domain-joined machines (e.g. iPads, thin clients) connecting to your internal StoreFront, then the StoreFront certificate should be signed by a public Certificate Authority. You can use IIS to request the certificate. You can then export the certificate from IIS and import it to NetScaler (for Load Balancing and NetScaler Gateway). Public Certificate Authorities (e.g. GoDaddy, Digicert, etc.) let you enter additional Subject Alternative Names when you purchase the certificate.

• If all internal machines are domain-joined, then you can use an internal Certificate Authority to create the StoreFront certificate. The Certificates MMC snap-in can be used to create an internal certificate signed by a Microsoft Certificate Authority. The MMC method allows you to specify Subject Alternative Names.
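The name-matching rules in this section can be checked against a certificate's name list before the certificate is bound to IIS. The following PowerShell is an added example, not part of the original article or of any Citrix tooling; the function names, host names and email suffixes are constructed placeholders, and it assumes the usual rule that a wildcard covers exactly one left-most label.

```powershell
# Added example (not from the original article). All names are constructed.

function Test-SanMatch {
    # True when one certificate name covers one host name.
    param([string]$CertName, [string]$HostName)
    if ($CertName -ieq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)   # '*.corp.example' -> '.corp.example'
        if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            # A wildcard stands for exactly one label, so whatever is left of
            # the suffix must be non-empty and must not contain a dot.
            $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
            return ($label.Length -gt 0 -and -not $label.Contains('.'))
        }
    }
    return $false
}

function Get-RequiredStoreFrontName {
    # Builds the list of names the article says the certificate must match.
    param(
        [string]$LoadBalancedFqdn,
        [string[]]$ServerFqdn = @(),    # only needed for SSL end-to-end
        [string[]]$EmailSuffix = @()    # only needed for email-based discovery
    )
    $LoadBalancedFqdn
    $ServerFqdn
    foreach ($s in $EmailSuffix) { "discoverReceiver.$s" }
}

function Get-UncoveredName {
    # Returns every required name that no certificate name covers.
    param([string[]]$CertName, [string[]]$RequiredName)
    foreach ($name in $RequiredName) {
        $hit = $CertName | Where-Object { Test-SanMatch $_ $name } | Select-Object -First 1
        if (-not $hit) { $name }
    }
}

# Constructed deployment: one load-balanced name, two servers, two email suffixes.
$names = @{
    LoadBalancedFqdn = 'storefront.corp.example'
    ServerFqdn       = 'sf01.corp.example', 'sf02.corp.example'
    EmailSuffix      = 'corp.example', 'example.org'
}
$required = Get-RequiredStoreFrontName @names

# Constructed name lists for two candidate certificates.
$sanCert      = 'storefront.corp.example', 'sf01.corp.example', 'sf02.corp.example',
                'discoverReceiver.corp.example'
$wildcardCert = @('*.corp.example')

"SAN certificate does not cover:      $((Get-UncoveredName $sanCert $required) -join ', ')"
"Wildcard certificate does not cover: $((Get-UncoveredName $wildcardCert $required) -join ', ')"

# To check an installed certificate instead, substitute its thumbprint:
# $cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
# Get-UncoveredName $cert.DnsNameList.Unicode $required
```

Both constructed certificates leave the second email suffix uncovered, which is why a wildcard alone does not satisfy email-based discovery across multiple email domains.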

Once the certificate is created or imported, you need to bind it to IIS:

1. In IIS Manager, right-click the Default Web Site, and click Edit Bindings.

2. Click Add.
3. Change the Type to https, and select the SSL certificate. Do NOT put anything in the Host name field. Click OK, and then click Close.

Delivery Controllers – SSL

Delivery Controllers can be SSL enabled by using one of two methods:

• If IIS is installed on the Delivery Controller, simply install/create a certificate, and bind it to the Default Web Site.
• If IIS is not installed on the Delivery Controller, then you need to run a command line program as described at CTX200415 How to Enable SSL on XenDesktop 7.x Controllers to Secure XML Traffic. Or use Matt Bodholdt's script at XenDesktop 7 – Bind Cert to XML Service Without IIS Integration at CUGC.

Once SSL certificates are installed on the Delivery Controller servers, then you can configure the Store to use SSL when communicating with the Delivery Controllers.

1. In the StoreFront Console, on the left click Stores.

2. Right-click the store, and click Manage Delivery Controllers.
3. Highlight the deployment and click Edit.
4. Change the Transport type to HTTPS.
5. The Servers list must contain FQDNs that match the certificates installed on those servers.

6. Click OK twice.

Socket Pooling

Socket pooling is disabled by default in stores. When socket pooling is enabled, StoreFront maintains a pool of sockets, rather than creating a socket each time one is needed and returning it to the operating system when the connection is closed. Enabling socket pooling enhances performance, particularly for Secure Sockets Layer (SSL) connections. To enable socket pooling:

1. On the left, click the Stores node.
2. Right-click the store and click Configure Store Settings.

callback. It won’t accept http. 3.corp. Base URL – Change 1.g. . HOSTS File Edit the HOSTS file (C:\Windows\System32\Drivers\Etc\HOSTS) on each StoreFront server with the following entries: • StoreFront Load Balancing FQDN (e. right-click Server Group. In the Citrix StoreFront console.g. On the Advanced Settings = NetScaler Gateway VIP in the local datacenter. including SSL certificate. Enter the StoreFront Load Balancing FQDN as the new Base URL in https://storefront. and click Change Base URL. Click OK. 2. = Load Balancing VIP in the local datacenter.corp. • NetScaler Gateway Callback FQDN (e. Configure load balancing of the StoreFront servers. check the box for Enable socket pooling. 3. Note: Receiver requires that the Base URL is https.corp.

Note: if you want the StoreFront Base URL to be the same as your Gateway FQDN, then see the Single FQDN instructions.

If the Base URL is https, but you don't have certificates installed on your StoreFront servers (aka SSL Offload), then you'll need to do the following:

1. On the left click the Stores node.
2. Right-click the store and click Manage Receiver for Web Sites.
3. Click Configure.

4. On the Advanced Settings page, change Enable loopback communication to OnUsingHttp. Click OK, and then click Close.

Default Web Page

After changing the Base URL, you'll need to update the IIS Default Website.

1. On the left, right-click Stores, and click Set Default Website.

2. Check the box next to Set a Receiver for Web site as the default page in IIS, and click OK.
3. Click Yes to overwrite.
4. If you go to C:\inetpub\wwwroot and edit the file web.config, you'll see the redirect.

Authentication Configuration

1. In the Citrix StoreFront console, on the left, click the Stores node.
2. Right-click the store, and click Manage Authentication Methods.
3. Check the boxes next to Domain pass-through and Pass-through from NetScaler Gateway.
4. If you intend to enable pass-through authentication from Receiver Self-Service or from Receiver for Web, go to a XenDesktop Controller, and run the command Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True from a Windows PowerShell command prompt. Run asnp citrix.* first. In XenApp 6.5, this is a Citrix Policy > Computer > Trust XML Requests.

5. Click the top gear icon, and then click Configure Trusted Domains.
6. Select Trusted domains only, click Add, and enter the domain names in DNS format. The DNS suffix is needed if doing userPrincipalName authentication from NetScaler Gateway.
7. Select one of the domains as the default.
8. If desired, check the box next to Show domains list in logon page. Click OK. Also see CTX223551 Log on delay when user is not in the same domain as Storefront Server for RPC firewall rules.

9. Click the top gear icon, and then click Manage Password Options.
10. Make your selection, and click OK.
11. Be careful with password changes. Any time somebody changes their password through StoreFront, a profile will be created for that user on the StoreFront server. Use a tool like delprof2.exe to periodically delete these local profiles.

Or see Citrix Blog Post Delete Local User Profile Folders on StoreFront Servers for a script to delete local profiles.
12. If you have XenApp/XenDesktop Platinum Edition and installed Self-Service Password Reset, you can integrate SSPR with StoreFront 3.7 or newer by clicking the top gear icon and clicking Configure Account Self-Service. This option is only available if your Base URL is https (encrypted). See the following for detailed implementation guides.
o Citrix CTX217143 Self-Service Password Reset Central Store Creation Tool
o Citrix CTX224244 How Do I Deploy Self-Service Password Reset For the First Time
o George Spiers Citrix Self-Service Password Reset
13. Change the selection to Citrix SSPR, and click Configure.
14. Check both boxes and enter the URL of the SSPR server using the displayed example (with /MPMService on the end).
15. Click OK three times.
16. With SSPR enabled, a new Tasks tab lets users enroll with SSPR.

17. The logon page also has an Account Self-Service link.
18. If StoreFront is not in the same domain (or trusted domain) as the users, then you can configure StoreFront to delegate authentication to the Delivery Controllers. See XML service-based authentication at Citrix Docs. Note: StoreFront 3.6 and newer can be workgroup members without joining a domain.

Citrix Online

StoreFront might be configured to add the Citrix Online icons. To remove them:

1. On the left click the Stores node.
2. Right-click the store, and click Configure Store Settings.
3. On the Citrix Online Integration page, uncheck all three boxes, and click OK.

Unified Receiver Experience

If you upgraded from a StoreFront 2.6 or older, then you can disable the Classic UI to enable the newer UI. If you did a clean install of StoreFront 3.5 or newer, then the newer UI will already be enabled, but Unified Experience might not be.

1. On the left click the Stores node.
2. Right-click the store, and click Manage Receiver for Web Sites. Click Configure.
3. On the Receiver Experience page, select Disable classic experience. Click OK, and click Close.
4. On the left, click Stores. Right-click the store, and click Configure Unified Experience.

5. Check the box next to Set the unified Receiver experience as the default for this store and click OK.

Customize Receiver Appearance

If the Unified Receiver appearance is enabled, you can go to Stores > Manage Receiver for Web Sites > Configure > Customize Appearance to change logos and colors. Additional customization can be performed using the SDK.

You can also Manage Featured App Groups. These Featured App Groups are displayed at the top of the Apps > All page.

By default, Featured App Groups are displayed with continual horizontal scrolling. This is OK if you have several Featured App Groups but doesn't look right if you only have one Featured App Group. Michael Bednarek has posted some code at Citrix Discussions to disable the continuous horizontal scrolling.

Receiver for Web Pass-through Authentication

1. On the left click the Stores node. Right-click the store and click Manage Receiver for Web Sites.

2. Click Configure.
3. On the Authentication Methods page, if desired, check the box next to Domain pass-through. Click OK.
4. If the StoreFront URL is in the browser's Local Intranet zone, then you'll see a prompt to automatically Log On. This only appears once.

Receiver for HTML5 2.4

1. On the left click the Stores node.

2. Right-click the store and click Manage Receiver for Web Sites.
3. Click Configure.
4. On the Deploy Citrix Receiver page, change the drop-down to Use Receiver for HTML5 if local Receiver is unavailable.
5. By default, the HTML5 session opens in a new tab. You can optionally enable Launch applications in the same tab as Receiver for Web. See Configure Citrix Receiver for HTML5 use of browser tabs at docs.citrix.com for more information.
6. Click OK, and then click Close.
7. Download the latest Receiver for HTML5 (version 2.4) and install it on one of the StoreFront servers. It installs silently. When you propagate changes, the Receiver for HTML5 will be copied to the other server.
8. To see the installed version of HTML5 Receiver, click the Stores node on the left. In the middle pane, in the bottom half, switch to the Receiver for Web Sites tab.

9. Customer Experience Improvement Program (CEIP) is enabled by default. To disable it, edit the file "C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js".
10. Search for the ceip section and change it to false.

11. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.
12. Optionally, install Citrix PDF Printer on the VDAs. The PDF printer is in the Additional Components section of the HTML5 Receiver download page. This PDF printer is only used with Receiver for HTML5, and not with regular Receiver.
13. Note: as of Receiver for HTML 2.0, it's no longer necessary to install App Switcher on the VDAs.

From About Citrix Receiver for Chrome 2.0 at Citrix Docs: The new toolbar can be disabled or customized by editing the file C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\configuration.js.

If HTML5 Receiver is enabled, Chrome and Edge users have the option of selecting either native or HTML5 by clicking "Change Citrix Receiver". To enable this option in IE or Firefox, see Emin Huseynov Citrix StoreFront 3.0 and HTML5 client.

From Michael Bednarek at Citrix Discussions: There was a functionality change between StoreFront 3.0 and StoreFront 3.5 which affects the default client used for iPads. In SF 3.5, we default to using the native Receiver to launch apps on an iPad, as we expect this to be the majority use case. Unfortunately, on an iPad we are unable to actually tell whether you have the Receiver app installed or not, so we can't do anything more intelligent out of the box.

There are two ways around this. Firstly, any iPad user can change between using native Receiver and using the HTML5 Receiver by going to the dropdown menu after logging on, and choosing "Change Receiver". This will give you the chance to choose the HTML5 Receiver ("Use light version") and your choice will be remembered for the next time you log on.

If this is no good, you can use a JavaScript customization to get back the old behaviour and make sure that iPad users default to HTML5. See the forum post Cannot access citrix apps from ipad using HTML5 receiver post upgrade to SF 3.5 for the Javascript code.

From About Citrix Receiver for Chrome 1.9 at Citrix Docs: To enable enhanced clipboard support, on every VDA set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format\Name="HTML Format". Create any missing registry keys. This applies to both virtual desktops and Remote Desktop Session Hosts.

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

• How to use the toolbar to transfer files
• Citrix Policy settings to enable/disable file transfer
• VDA registry settings to control file transfer
• HTML5Client\Configuration.js settings for client-side configuration
• How to view HTML5Client log file

Deploy Citrix Receivers

1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.

2. Click Configure.
3. On the Deploy Citrix Receiver page, check the box next to Allow users to download HDX engine (plug in).

4. Change both source drop-downs to Local files on the StoreFront server.
5. Click both Browse buttons and browse to the downloaded Receiver for Windows 4.8 and Receiver for Mac 12.6.
6. You can optionally enable Upgrade plug-in at logon.

7. Click OK when done, and Close when done.
8. When users connect to Receiver for Web, they will be prompted to install or upgrade. Note: this only applies to Receiver for Web. Receiver Self-Service will not receive this prompt.

Receiver for Edge

The Receiver for Web experience in Microsoft Edge is not ideal. Every time a user clicks an icon, the user has to click the Open button after the .ica file is downloaded.

Citrix Blog Post Providing Full Receiver for Web Experience for Microsoft Edge has instructions for enabling the Receiver Launcher for Edge. Use your preferred text editor to open web.config for the RfWeb site you would like to configure (typically C:\inetpub\wwwroot\Citrix\StoreWeb\web.config). Locate the line like this:

    <protocolHandler enabled="true" platforms="(Macintosh|Windows NT).*((Firefox/((5[3-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))(?!.*Edge)"

Remove (?!.*Edge) and save the file.

But once you do that, you get a new switch apps prompt every time you launch an icon from Edge. To stop the switch apps pop-up, on the client side, edit the registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\receiver (create missing registry keys), create DWORD value WarnOnOpen, and set it to 0 (zero).

Receiver for Firefox 52

Firefox 52 disabled NPAPI plug-in, which means Firefox 52 can no longer detect the locally installed Citrix Receiver, and users will be prompted to install it. StoreFront 3.8 and newer already fixes this for Firefox 53, but not for Firefox 52.

To fix this in StoreFront 3.8 and newer, go to C:\Inetpub\wwwroot\Citrix\StoreWeb, and edit the web.config file with an elevated text editor. Search for protocolHandler. In the Firefox section, change 5[3 to 5[2. This causes the Protocol Handler to work in Firefox 52 and newer.
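Both web.config edits above change which browsers the platforms expression accepts, so it is worth testing the edited pattern before saving the file. The following PowerShell is an added example, not part of the original article; the user-agent strings are constructed samples, and evaluating the pattern with .NET regular expressions and default options is an assumption about how the value is matched.

```powershell
# Added example (not from the original article). User-agent strings are constructed.

# The platforms value as shown in the article.
$shipped = '(Macintosh|Windows NT).*((Firefox/((5[3-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))(?!.*Edge)'

# The two edits the article describes, applied as literal string replacements.
$withFirefox52 = $shipped.Replace('5[3', '5[2')
$withEdge      = $shipped.Replace('(?!.*Edge)', '')

# If the line in your web.config differs from the article's, the literal
# replacement silently does nothing. Catch that before testing anything.
if ($withFirefox52 -ceq $shipped -or $withEdge -ceq $shipped) {
    throw 'An edit did not apply; compare the pattern with your web.config.'
}

$patterns = [ordered]@{
    Shipped       = $shipped
    Firefox52Edit = $withFirefox52
    EdgeEdit      = $withEdge
}

$userAgents = [ordered]@{
    'Firefox 52 / Windows' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0'
    'Firefox 53 / Windows' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0'
    'Chrome 58 / Windows'  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36'
    'Edge 15 / Windows'    = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063'
    'Firefox 52 / Linux'   = 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
}

function Test-ProtocolHandlerPlatform {
    # True when the user agent would be offered the protocol handler.
    param([string]$Pattern, [string]$UserAgent)
    [regex]::IsMatch($UserAgent, $Pattern)
}

function Get-PlatformMatrix {
    # One row per browser, one True/False column per pattern variant.
    param(
        [System.Collections.IDictionary]$UserAgent,
        [System.Collections.IDictionary]$Pattern
    )
    foreach ($ua in $UserAgent.GetEnumerator()) {
        $row = [ordered]@{ Browser = $ua.Key }
        foreach ($p in $Pattern.GetEnumerator()) {
            $row[$p.Key] = Test-ProtocolHandlerPlatform $p.Value $ua.Value
        }
        New-Object -TypeName psobject -Property $row
    }
}

Get-PlatformMatrix $userAgents $patterns | Format-Table -AutoSize
```

The Edge row shows why the shipped pattern carries the (?!.*Edge) lookahead: the Edge user agent also contains a Chrome/ token, so without the lookahead it matches the Chrome branch.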

Now when users connect, they are prompted to Detect Receiver, just like Chrome.

Receiver for Web Timeout

1. On the left click the Stores node. Right-click the store, and click Manage Receiver for Web Sites.

2. Click Configure.
3. On the Session Settings page, set the Session timeout as desired, and click OK.
4. If you are using a NetScaler, you will need to change the Global Session Timeout located at NetScaler Gateway => Global Settings => Change Global Settings => Client Experience => Session Time-out (mins). I changed mine to 720, there is a screenshot below for you to reference:

5. If your desired timeout value is greater than 8 hours, you should also edit tokenLifeTime in c:\inetpub\wwwroot\Citrix\StoreWeb\web.config.
6. From CTX215701 Storefront page session time-out: If you increase the session timeout for RfWeb to be more than 1 hour, you have to also increase the maxLifetime appropriately in c:\inetpub\wwwroot\Citrix\Authentication\Web.config.

Default Tab

1. By default, when a user logs in to StoreFront, the Favorites tab is selected. Users can go to other
tabs to add icons to the list of Favorites.

2. You can completely remove the Favorites tab by going to Stores > Configure Store Settings > User
Subscriptions, and choose Disable User Subscriptions (Mandatory Store).

3. You can change the default tab and tab visibility by going to the Stores > Manage Receiver for Web Sites > Configure > Client Interface Settings page.

4. When publishing applications in Studio, specify a Category so the applications are organized into folders.
5. If you change the default tab to Applications, then you might also want to default to the Categories view instead of the All view. You can do this by adding the following code to C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js. More details at Storefront 3.0 – change default view at Citrix Discussions.

    // Runs after the home screen has been displayed.
    CTXS.Extensions.afterDisplayHomeScreen = function (callback) {
        CTXS.ExtensionAPI.navigateToFolder('/');
    };

    // Runs on every view change; only the store (Apps) view is handled.
    CTXS.Extensions.onViewChange = function (viewName) {
        if (viewName == 'store') {
            // Defer the navigation until the view change has finished.
            window.setTimeout(function () {
                CTXS.ExtensionAPI.navigateToFolder('\\');
            }, 0);
        }
    };

18. Then when you login to StoreFront you'll see Apps > Categories as the default view. This works in Receiver too.

Beacons

1. On the left, right-click Stores, and click Manage Beacons.
2. Configure an Internal Beacon. Receiver Self-Service tries to connect to the Internal Beacon to determine if Receiver is currently internal or not. If the Internal Beacon is reachable then Receiver Self-Service assumes it is internal, and thus connects to the StoreFront Base URL. If the Internal Beacon is not reachable, then Receiver Self-Service assumes it is external and thus connects to NetScaler Gateway. For this to work properly, the Internal Beacon must not be resolvable externally.

If you are not doing Single FQDN, then the Internal Beacon can be the StoreFront FQDN since the StoreFront FQDN is usually only available internally.

If you are doing Single FQDN, then you can't use the StoreFront FQDN. Instead, you must use a different internal website for the beacon. If you need to support internal iPads, due to differences in how iPads determine location, the Internal Beacon should be a new FQDN that resolves to the StoreFront Load Balancing VIP thus requiring the StoreFront certificate to match both the Internal Beacon and the Base URL. If internal iPads are not needed, then the Internal Beacon can be any internal website.

If you want to force internal Receiver Self-Service users to connect through NetScaler Gateway (for AppFlow reporting), you can set the Internal Beacon to a fake URL. Since the Internal Beacon is never resolvable, Receiver Self-Service always uses NetScaler Gateway. Or you can use Optimal Gateway to achieve the same goal.

3. The External beacons are used by Receiver Self-Service to determine if the Receiver Self-Service has Internet access or not. You can use any reliable Internet DNS name. Click OK when done.

Propagate Changes

Any time you make a change on one StoreFront server, you must propagate the changes to the other StoreFront server.

1. In the StoreFront console, on the left, right-click Server Group, and click Propagate Changes.

2. You might see a message saying that you made changes on the wrong server.
3. Click Yes when asked to propagate changes.
4. Click OK when done.

5. When you propagate changes, the default web page is not replicated to the other nodes. Copy C:\inetpub\wwwroot\web.config manually to each node.

Export/Import StoreFront Configuration

Use the following PowerShell cmdlets to export StoreFront Configuration into a .zip file (encryption optional) and import to a different StoreFront server group:

• Export-STFConfiguration
• Import-STFConfiguration

See Export and import the StoreFront configuration at Citrix Docs for details.

Auto-Favorite

To force a published application to be favorited (subscribed), use one of the following keywords in the published application description:

• KEYWORDS: Auto = the application is automatically subscribed. But users can remove the favorite.
• KEYWORDS: Mandatory = the application is automatically subscribed and users cannot remove the favorite.

With Mandatory applications there is no option to remove the application from Favorites.

Logon Simulator

ControlUp has a free Logon Simulator for StoreFront and NetScaler Gateway. You can run it on any machine to periodically test app launches from StoreFront. The tool creates entries in the Application Log in Event Viewer. The events can be consumed by your monitoring tool.
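For the Beacons section above: the requirement that the Internal Beacon must not be resolvable externally, and that it cannot be the StoreFront FQDN when Single FQDN is used, can be checked before the beacon is rolled out. The Python sketch below is an added example, not code from the original article or from Citrix; the resolver address, the host names and all function names are assumptions made for illustration.

```python
import socket
import struct
from urllib.parse import urlparse

# Assumption: a public resolver stands in for "what an outside client can resolve".
EXTERNAL_RESOLVER = "9.9.9.9"


def build_query(hostname, query_id=0x5346):
    """Build a DNS query packet asking for the A record of hostname."""
    header = struct.pack(">HHHHHH", query_id, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def response_has_answer(packet):
    """True when the response has RCODE 0 (NOERROR) and at least one answer record."""
    if len(packet) < 12:
        raise ValueError("DNS response shorter than its 12-byte header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    return (flags & 0x000F) == 0 and ancount > 0


def resolves_externally(hostname, resolver=EXTERNAL_RESOLVER, timeout=3.0):
    """Ask the external resolver directly, bypassing the internal DNS servers."""
    query = build_query(hostname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        packet, _ = sock.recvfrom(4096)
    if packet[:2] != query[:2]:
        raise ValueError("DNS response ID does not match the query")
    return response_has_answer(packet)


def host_of(url_or_host):
    """Extract the lower-cased host name from a URL or a bare host name."""
    text = url_or_host if "://" in url_or_host else "//" + url_or_host
    return (urlparse(text).hostname or "").lower()


def review_beacon(internal_beacon, base_url, single_fqdn, lookup=resolves_externally):
    """Check an Internal Beacon choice against the two rules in the Beacons section."""
    findings = []
    beacon = host_of(internal_beacon)
    if single_fqdn and beacon == host_of(base_url):
        findings.append("Single FQDN in use: the beacon cannot be the StoreFront FQDN")
    if lookup(beacon):
        findings.append(f"{beacon} is resolvable externally")
    return findings


if __name__ == "__main__":
    # Constructed names and constructed lookup results, so the demo runs offline.
    external_dns = {"storefront.corp.example": True, "beacon.corp.example": False}
    for beacon in ("https://storefront.corp.example", "http://beacon.corp.example"):
        result = review_beacon(beacon, "https://storefront.corp.example/Citrix/StoreWeb",
                               single_fqdn=True, lookup=lambda h: external_dns[h])
        print(beacon, "->", result or "OK")
```

Called without the lookup argument, review_beacon sends the query to the external resolver itself, so run it from a machine that is allowed to reach that resolver on UDP 53.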

StoreFront 3.5 through 3.11 – Tweaks

Last Modified: May 28, 2017 @ 10:50 am

Navigation

Here is a collection of optional StoreFront configurations.

This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.

• Disable CRL Checking to speed up .NET
• StoreFront can control Receiver Shortcut placement
• PNAgent – Authentication and Default Store
• Hide Applications/Desktops from the Store
• Desktop Autolaunch
• Force desktops to launch full screen
• Autolaunch Applications
• Store for Anonymous users
• Workspace Control
• Treat Desktops as Applications
• Enable Special Folder Redirection
• Disable “Remember My Password” in Receiver Self-Service
• Remove “Activate” Option from Receiver for Web
• Disable HTML5 Receiver Getting Started Tour
• Log Off RfWebUI seconds after an Icon Launch
• Customize Appearance of Receiver in StoreFront 3.0 and newer
• StoreFront SDKs
• StoreFront 3.x Portal Theme for NetScaler 11.0
• StoreFront 3.x Theme for NetScaler 10.5

CRL Checking – Disable

When the StoreFront server checks certificate revocation for its locally signed files, a delay can occur before the StoreFront logon page is displayed.

1. Run the following PowerShell commands:

Add-PSSnapin Citrix.DeliveryServices.Framework.Commands
Set-DSAssemblyVerification $false

2. Another potential tweak to speed up StoreFront is to disable NetBIOS.
3. Right-click the Start Menu and click Network Connections.
4. Right-click the NIC and click Properties.
5. Highlight Internet Protocol Version 4 and click Properties.
6. Click Advanced.

7. On the WINS tab, change the selection to Disable NetBIOS over TCP/IP and click OK twice and
Close once.

8. Repeat on the other StoreFront servers.

Note: According to Microsoft, it is no longer necessary to configure generatePublisherEvidence
in C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.config.

Receiver Shortcuts

You can use StoreFront to control placement of shortcuts on Receiver machines.

1. Run Notepad elevated (as administrator).
2. Edit the file C:\inetpub\wwwroot\Citrix\Roaming\web.config.

3. Search for <account id. Find the Store name in the name attribute.

4. Scroll down to the first <properties> section located under <annotatedServices>.
5. See Using StoreFront account settings to customize app shortcut locations at for a
list of properties. Add the properties as detailed at The properties should be added
after the clear tag.

6. Note: if subscriptions are enabled in StoreFront then only Favorites are added to the Start Menu
and Desktop. If subscriptions are disabled then all applications are placed on the Start Menu or

7. Close and save the file.

8. Then Propagate Changes.

PNAgent Authentication and Default Store

Default Store

If you point your browser to, which is the typical
path for PNAgent, you’ll get a 404.

To fix this, in the StoreFront console, right-click the store, and click Configure XenApp Services Support.

In the bottom of the window, select the Default store, and click OK.

Now PNAgent can point to StoreFront without needing to specify a custom path. Note: this only works for /Citrix/PNAgent/config.xml.

Single Sign-on

From Configure authentication for XenApp Services URLs at Citrix Docs: XenApp Services URLs support explicit, domain pass-through, and pass-through with smart card authentication. Explicit authentication is enabled by default. You can change the authentication method, but only one authentication method can be configured for each XenApp Services URL. To enable multiple authentication methods, create separate stores, each with a XenApp Services URL, for each authentication method. To change the authentication method for a XenApp Services URL, you run a Windows PowerShell script.

1. On the primary StoreFront server in your deployment, use an account with local administrator permissions to start Windows PowerShell.
2. At a command prompt, type the following command to configure the user authentication method for users accessing the store through the XenApp Services URL.

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\EnablePnaForStore.ps1" -SiteId 1 -ResourcesVirtualPath /Citrix/Store -LogonMethod sson

3. Propagate changes.

Remember my password

If you leave PNAgent authentication set to Prompt, you can enable the Remember my password box by doing the following:

1. Run Notepad as Administrator and edit the file C:\inetpub\wwwroot\Citrix\Store\Views\PnaConfig\Config.aspx.
2. Near line 74 is EnableSavePassword. Change it to true.
3. When PNAgent connects, there should now be a Remember my password checkbox.

Hide Applications

You can hide all icons of a particular type (Applications, Desktops, Documents). Or you can hide icons with a specific keyword. Go to Stores > MyStore > Configure Store Settings > Advanced Settings and look for the Filter options.

Filter resources by type lets you hide all Applications or all Desktops. If you are running Receiver inside a published desktop, then you probably don’t want desktop icons to be delivered by Receiver. In that case, create a new Store and filter the Desktop icons. Then only the application icons will be delivered.

Filter resources by excluded keywords lets you filter published icons that match a custom keyword. Once the ExcludeKeyword has been defined, add the keyword to a published application or published desktop description and that application/desktop will no longer display in Receiver. This works for both Receiver for Web and Receiver Self-Service (non-browser).

In XenDesktop 7.9 and newer, to assign a description to a Desktop, you edit the Delivery Group, go to the
Desktops page, and edit one of the Desktops. Citrix CTX220429 Configure Resource Filtering to Allow
Desktops to be filtered on Storefront.

Desktop Autolaunch

By default, if only a single desktop is published to the user, Receiver for Web will auto-launch it. You can
change this behavior by going to Stores > MyStore > Manage Receiver for Web Sites > Configure > Client
Interface Settings and uncheck the box next to Auto launch desktop.

Full Screen Desktop

Citrix CTX139762 How to Configure StoreFront to Start Published Desktops in Full Screen Mode: This article
describes how to configure StoreFront to start published desktops in Full Screen Mode.

1. Open the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica on the StoreFront server(s)
with notepad (as Administrator)
2. Add the line:
3. [Application]

4. In older versions of StoreFront, it should be true instead of On.
5. Save the file.
6. Open the command prompt (cmd) and run iisreset.

Autolaunch Application

See the script.js code posted by Michael Bednarek at

Store for Anonymous

If you intend to publish applications to anonymous users then you can create a StoreFront store that does
not require authentication. Note: anonymous stores only work internally (no NetScaler Gateway).

1. On the VDAs, create and configure anonymous accounts.
2. In Citrix Studio, configure a Delivery Group to accept unauthenticated (anonymous) users.

3. In the StoreFront Console, right-click Stores and click Create Store.

4. In the Store Name and Access page, enter a new store name.
5. Check the box next to Allow only unauthenticated users to access this store.
6. Then click Next and finish the wizard like normal.

7. Anonymous stores are hidden by default. When performing discovery in Receiver you’ll need to
enter the full path to the store (e.g.

Workspace Control

Workspace Control reconnects user sessions. It can be disabled. Or configure various reconnection options.

Citrix Blog Post Workspace Control: When You DON’T Want to Roam details complete session reconnection configuration instructions for XenApp, Remote Desktop Services, StoreFront, and Receiver.

Receiver for Web

Go to Stores > MyStore > Manage Receiver for Web Sites > Configure > Workspace Control page.

Receiver Self-Service

Citrix Blog Post – How to Disable Workspace Control Reconnect: For Receiver for Windows, workspace control can be managed on client devices by modifying the registry. This can also be done for domain-joined client devices using Group Policy. Please see this Knowledgebase Article for how to implement it.

In StoreFront Console, go to Stores > MyStore > Configure Store Settings > Advanced Settings and there’s a setting for Allow session reconnect.

Treat Desktops as Applications

From Treating All Desktops as Applications at Citrix Blog Post What’s New in StoreFront 3.0: Desktops are treated differently from applications in StoreFront/Receivers. They are placed in a separate Desktop tab and in the case of Receiver for Web, they are not reconnected with workspace control. In some use cases, it is desirable to treat desktops as applications so that they are placed together with applications and get reconnected as part of workspace control. With StoreFront 2.x, you have to add the TreatAsApp keyword to all published desktops to achieve this effect. StoreFront 3.0 enables you to configure treating all desktops as applications at the store level without the need of adding the TreatAsApp keyword to all the published desktops. This is configurable using a PowerShell cmdlet.

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
Set-EnhancedEnumerationOptions -siteId 1 -storeVirtualPath /Citrix/Store `
    -treatDesktopsAsApps $true

Also see Citrix CTX223817 How to Configure “TreatAsApp” in XenDesktop 7.8.

Special Folder Redirection

From Configure special folder redirection at docs.citrix.com: With Special Folder Redirection, users can map Windows special folders for the server to those on their local computers. Special folders refer to standard Windows folders, such as \Documents and \Desktop.

In StoreFront, go to Stores > Configure Store Settings > Advanced Settings and there’s an option for Allow special folder redirection.

Receiver Self-service – Disable “Remember My Password”

By default, when Receiver Self-Service connects internally to StoreFront, the user is able to check the box next to Remember my password. This can be disabled by making a change on the StoreFront server. Note: When connecting through NetScaler Gateway, this checkbox is never available.

This procedure is documented by John Ashman at Citrix Discussions and Prevent Citrix Receiver for Windows from caching passwords and usernames at docs.citrix.com.

1. Note that this procedure seems to prevent Receiver for iOS from adding accounts.

2. On the StoreFront server, run a text editor elevated (as administrator).
3. Open the file C:\inetpub\wwwroot\Citrix\StoreAuth\App_Data\Templates\UsernamePassword.tfrm.
4. Go to line 20, which should start with @SaveCredential. To comment out the line, wrap it in @* and *@.
5. Save the file when done.

6. Now the Remember My Password checkbox is gone.

“Activate” Option in Web Page – Disable

From Citrix Discussions: to disable the “activate…” function for Citrix receiver for windows that is visible when a user clicks their username in the upper right hand corner of Receiver for Web, in StoreFront Console, go to Stores > MyStore > Manage Receiver for Web Sites > Configure > Client Interface Settings page. There’s a checkbox for Enable Receiver configuration.

HTML5 Receiver Getting Started Tour

The first time a user connects to HTML5 Receiver, the user is prompted to tour the interface. The Getting Started Tour can be disabled by doing the following:

1. Edit the file C:\Inetpub\wwwroot\Citrix\StoreWeb\custom\script.js.

2. At the bottom of the file, add Feng Huang’s code from First time user tutorial at discussions.citrix.com. Make sure the quotes are straight quotes and not curly quotes.

localStorage["showFtu"] = false;

Logoff RfWeb Seconds after Icon Launch

From Citrix Blog Post Logging Off Receiver for Web after an Application/Desktop Launch: Simply add the following code snippet to script.js in the custom folder for the Receiver for Web site (typically C:\inetpub\wwwroot\Citrix\StoreWeb\custom\) you would like to customize:

var delayLogoffInSeconds = 10;

CTXS.Extensions.beforeWebLogoffIca = function(action) {
    return 'none';
};

CTXS.Extensions.postLaunch = function(app, status) {
    if (! CTXS.Device.isNativeClient()) {
        if (status == CTXS.LAUNCH_SUCCESS) {
            function logoff() {
                CTXS.Environment.logOff();
            }
            window.setTimeout(logoff, delayLogoffInSeconds * 1000);
        }
    }
};

Customize Receiver UI in StoreFront 3.x

StoreFront 3.x customizations are visible in both Receiver for Web and in Receiver Self-Service.

If you are load balancing StoreFront and want to put the server name on the webpage, see Nicolas Ignoto Display server name with Citrix StoreFront 3.

Nicolas Ignoto Lab: Part 22 – Ultimate StoreFront 3 customization guide contains many StoreFront customizations including:

• Add disclaimer
• Change logo/background
• Add header
• Add text
• Change colors
• Etc.

Citrix Blog Post Citrix Customization Cookbook contains a collection of customizations including:

• Add Static or dynamic (read from file) text to the header and/or footer of the login page.
• Click-through disclaimer before or after login page
• Footer for every page
• Default to Folder view when visiting the Apps tab
• Change default text
• Change background images for featured categories
• Background image

Citrix Blog Post Storefront 3 Web Customization: Branding Your Deployment describes how to modify the following CSS to customize the appearance of StoreFront 3.x

• Background images
• Logon button
• Colors for page and text
• How to view the mobile version of the page
• CSS for mobile pages

Jason Samuel Upgrading Citrix StoreFront 2.6 to StoreFront 3.0 – Things to Know details how to change the StoreFront logo to a Receiver logo.

Citrix Blog Post StoreFront Message Customization describes how to add a scrolling message to the top of the screen. This is displayed in both Browsers and Receivers.

Migrate Web Interface features to StoreFront at Docs.citrix.com details how to configure Web Interface features in StoreFront. This includes:

• Enable return to last folder
• Header logo
• Pre-logon welcome message
• Logon screen customization
• Footer text

StoreFront 3.0 Receiver Customization APIs are detailed at Citrix Developer. Use the Receiver Customization API to brand or customize your end users’ app and desktop selection experience beyond capabilities provided in the StoreFront admin console. Customizations apply to latest Web, Chrome, Windows, Mac and Linux clients, and will be extended to mobile devices in future releases.

• Trentent Tye at Citrix Storefront – Adventures in customization – Dynamically configure workspace control based on group membership used the API to dynamically enable/disable Workspace Control based on AD group membership. It uses a PowerShell-based HTTP server to process the group lookup.
o See Citrix Storefront – Adventures in customization – Dynamically configure features based on group membership to change authentication based on group membership
• An example use case for the StoreFront 3.0 APIs is Citrix Blog Post Citrix Recipe Box: StoreFront Approvals. This code enables StoreFront to require workflow approval when a user subscribes to an app. This post contains a new version of the executable that supports StoreFront 3.0 and newer.

Citrix Blog Post Receiver X1 APIs describes the following:

• Overview of the CSS classes that can be customized.
• Override Citrix’s JavaScript functions to modify behavior – exclude or restyle apps, change a sort order, add a warning message etc.
• How to force X1 UI to display in either phone or larger mode.

CTX221097 How to rename items on StoreFront? describes the strings that can be changed.

1. Go to C:\inetpub\wwwroot\Citrix\<StoreName>Web\custom
2. Open strings.en.js file
3. See below for an example of overriding one of the built-in strings. See the article for the full list of strings.

Citrix Blog Post X1 Customization: Going deeper with CSS describes the following:

• Use CSS (/custom/style.css) to style the three custom regions (#customTop, #customBottom, #customScrollTop). Shown below in red, blue, and pink.
• Marker classes for showing/hiding or highlighting parts of the UI: large display, small display, high DPI, Favorites view, Apps view, Desktops view, appinfo view.

Citrix Blog Post Scripting X1 describes the following:

More details and the . but where that string contains a particular token.dll file are in the blog post. #customScrollTop) including using CSS to hide the HTML code unless a specific tab is selected by the user.8. • Use JQuery to add HTML code to custom regions (e.g. The customisation template can be any string. the token will be replaced by some information from the User Context. and how to handle . If the intent was just to replace the ClientName with the user name. the template is then just “$U”. Citrix Blog Post – Rewriting the Session ClientName from StoreFront: I would like to offer the following customisation DLL which can apply client name rewrites based on a template. • JavaScript code to display an Acceptance dialog box before users can login.9 using StoreFront SDK for detailed info on how to implement this customization in StoreFront 3. • See CTP Jason Samuel How to rewrite the Client Name in Citrix StoreFront 3.

To force StoreFront to only use English. see Sam Jacobs How to Change the Page Title in Citrix Receiver 3. to change ICA virtual channel parameters.Environment. add the following to c:\inetpub\wwwroot\Citrix\StoreWeb\custom\script. Key Customization Points: • Post-Enumeration • Post-Launch ICA File • Post-Session Enumeration • Access Conditions (pre-launch and pre-enumeration) • Provider List • Device information Citrix Blog Post Adding a Language to StoreFront upgrades. For example.x at mycugc. See the Blog Post for more details. a string bundle file and a custom string bundle file.0: A new language pack is comprised of a culture definition file. you can use the SDK to control which apps and desktops are displayed to users.getPreferredLanguages = function () { return null.js as detailed at Set default language to EN at Citrix Discussions: CTXS. StoreFront Store Customization SDK at Citrix Developer: The Store Customization SDK allows you to apply custom logic to the process of displaying resources to users and to adjust launch parameters. or to modify access conditions through XenApp and XenDesktop policy selection. . } To change the StoreFront page title.

Customizations detailed at topic Modify Receiver for Web site at Citrix Discussions:

• Add Featured App Groups to Categories View
• Increase the number of Featured applications beyond the default of 3.

StoreFront SDKs

Most of the StoreFront SDK documentation can be found at GitHub.

StoreFront Store Customization SDK – Use the Store Customization SDK to apply custom logic to the process of displaying resources to users and to adjust launch parameters. For example, you can use the SDK to control which apps and desktops are displayed to users, to change ICA virtual channel parameters, or to modify access conditions through XenApp and XenDesktop policy selection.

StoreFront Web API – Receiver for Web is a component of Citrix StoreFront that provides access to applications and desktops using a Web browser. It consists of a User Interface tier and a StoreFront Services Web Proxy tier.

StoreFront PowerShell SDK – Citrix StoreFront provides an SDK based on a number of Microsoft Windows PowerShell version 3.0 modules. With this SDK, you can perform the same tasks as you would with the StoreFront MMC console, together with tasks you cannot do with the console alone.

StoreFront Authentication SDKs – With StoreFront 3.0, we have introduced a new Unified UI that is delivered from StoreFront to Receiver on all client platforms. Use the Receiver Customization API to brand or customize your end users’ app and desktop selection experience beyond capabilities provided in the StoreFront admin console. Customizations apply to latest Web, Chrome, Windows, Mac and Linux clients, and will be extended to mobile devices in future releases.

StoreFront 3.x Portal Theme for NetScaler 11

See NetScaler Gateway 11 > Portal Themes. Build 62 and newer have a built-in X1 theme.

StoreFront 3.x Theme for NetScaler 10.5

You can make the NetScaler Gateway 10.5 logon page look like the Receiver for Web in StoreFront 3.0. Visit Citrix Blog Post X1 Skin for NetScaler Gateway to download an already developed theme package. Or see one of the following for instructions to manually edit the NetScaler Gateway theme to match StoreFront 3.x

• Daniel Ruiz NetScaler Gateway front page à la StoreFront 3.0
• Ivan Cacic NetScaler Gateway Customisation – Receiver X1/StoreFront 2.7

To install the theme package:

1. Download the X1 theme from the Citrix Blog post.
2. WinSCP to the NetScaler and switch to /var/netscaler/gui/themes. On the right, rename the existing receivertheme.tar.gz file.
3. Upload the theme that was downloaded from the Citrix Blog post.
4. In NetScaler GUI, go to NetScaler Gateway > Global Settings > Change Global Settings.
5. Switch to the Client Experience tab.
6. At the bottom, if the current UI Theme is Green Bubble, change it to Default. Click OK. Then go back into the screen and change it back to Green Bubble. This causes the theme to reload.
7. The logon page should now look more like Receiver for Web in StoreFront 3.0.

StoreFront Load Balancing – NetScaler 11.1

Last Modified: Oct 18, 2016 @ 12:43 pm

Navigation

• Monitor to verify that StoreFront is UP
• Server Objects
• Service Group
• Virtual Server
• SSL Redirect
• StoreFront Base URL
• Subscriptions/Favorites Replication Load Balancing

Monitor

Note: This is a Perl monitor, which uses the NSIP as the source IP. You can use RNAT to override this as described in CTX217712 How to Force scriptable monitor to use SNIP in Netscaler in 10.5.

1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
2. On the right, click Add.
3. Name it StoreFront or similar.

4. Change the Type drop-down to STOREFRONT.
5. If you will use SSL to communicate with the StoreFront servers, then scroll down, and check the box next to Secure.
6. Scroll up, and switch to the Special Parameters tab.
7. In the Store Name field, enter the name of your store (e.g. MyStore) without spaces.
8. Click Create.

add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store

Servers

1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
2. On the right, click Add.
3. Enter a descriptive server name, usually it matches the actual server name.
4. Enter the IP address of the server.

5. Enter comments to describe the server.
6. Click Create.
7. Continue adding StoreFront servers.

add server SF01 10.2.2.57
add server SF02 10.

Service Group

1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.

2. On the right, click Add.
3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SSL).
4. Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure that the StoreFront Monitor has Secure checked.
5. Scroll down and click OK.
6. Click where it says No Service Group Member.
7. If you did not create server objects then enter the IP address of a StoreFront Server. If you previously created a server object then change the selection to Server Based and select the server objects.

8. Enter 80 or 443 as the port. Then click Create.
9. Click OK.
10. On the right, under Advanced Settings, click Monitors.

11. Click where it says No Service Group to Monitor Binding.
12. Click the arrow next to Click to select.
13. Select your StoreFront monitor and click Select.
14. Then click Bind.
15. To verify that the monitor is working, on the left, in the Service Group Members section, click the Service Group Members line.

16. Click the ellipsis next to a member and click Monitor Details.
17. The Last Response should be Success – Probe succeeded. Click Close twice.
18. On the right, under Advanced Settings, click Settings.

19. On the left, in the Settings section, check the box for Client IP and enter X-Forwarded-For as the Header. Then click OK.
20. Then click Done.

add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For
bind serviceGroup svcgrp-StoreFront-SSL SF01 443
bind serviceGroup svcgrp-StoreFront-SSL SF02 443
bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront

21. If the Service Group is http and you don’t have certificates installed on your StoreFront servers (aka SSL Offload) then you’ll need to enable loopback in StoreFront. In StoreFront 3.5 and newer, you enable it in the GUI console. In StoreFront 3.0, run the following commands on the StoreFront 3.0 servers as detailed at Citrix Blog Post What’s New in StoreFront 3.0.

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp

Load Balancing Virtual Server

1. Create or install a certificate that will be used by the SSL Offload Virtual Server. This certificate must match the DNS name for the load balanced StoreFront servers. For email discovery in Citrix Receiver, the certificate must either be a wildcard (*.corp.local) or have a subject alternative name for discoverReceiver.domain.com (domain.com = email address suffix)
2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.
3. On the right click Add.
4. Name it lbvip-StoreFront-SSL or similar.
5. Change the Protocol to SSL.
6. Specify a new internal VIP.
7. Enter 443 as the Port.

8. Click OK.

add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType SOURCEIP -timeout 60

9. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.

10. Click the arrow next to Click to select.
11. Select your StoreFront Service Group and click Select.
12. Click Bind.

bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL

13. Click Continue.

14. Click where it says No Server Certificate.
15. Click the arrow next to Click to select.
16. Select the certificate for this StoreFront Load Balancing Virtual Server and click Select.
17. Click Bind.

bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildCorpCom

18. Click Continue.
19. On the right, in the Advanced Settings column, click Persistence.
20. On the left, in the Persistence section, select SOURCEIP. Do NOT use COOKIEINSERT persistence or Android devices will not function correctly.
21. Set the timeout to match the timeout of Receiver for Web.
22. The IPv4 Netmask should default to 32 bits.
23. Click OK.

24. If the NetScaler communicates with the StoreFront servers using HTTP (aka SSL Offload – 443 on client-side, 80 on server-side), and if you have enabled the Default SSL Profile, then you’ll either need to edit the Default SSL Profile to include the SSL Redirect option, or create a new custom SSL Profile with the SSL Redirect option enabled, and then bind the custom SSL Profile to this vServer.
25. If the default SSL Profile is not enabled, then you’ll need to edit the SSL Parameters section on the vServer, and at the top right, check the box next to SSL Redirect. Otherwise the Receiver for Web page will never display.

set ssl vserver lbvip-StoreFront-SSL -sslRedirect ENABLED -ssl3 DISABLED

26. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.

bind ssl vserver lbvip-StoreFront-SSL -certkeyName MyCert
set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL
bind ssl vserver lbvip-StoreFront-SSL -cipherName Modern
bind ssl vserver lbvip-StoreFront-SSL -eccCurveName ALL
bind lb vserver lbvip-StoreFront-SSL -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

When connecting to StoreFront through load balancing, if you want to put the server name on the StoreFront webpage so you can identify the server, see Nicolas Ignoto Display server name with Citrix StoreFront 3.

SSL Redirect – SSL Load Balancing vServer Method

Users must enter https:// when navigating to the StoreFront website. To make it easier for the users, enable SSL Redirection.

This procedure details the SSL Load Balancing vServer method of performing an SSL redirect. An alternative is to use the Responder method.

1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

2. On the right, find the SSL Virtual Server you’ve already created, click the ellipsis next to it and click Edit.
3. In the Basic Settings section, click the pencil icon.

6. https://storefront. In the HTTPS Redirect URL field. Click the More link. Scroll down and click Continue twice. StoreFront Base URL .corp. In the Redirect from Port field. 7. 8. This method does not add any new vServers to the list so it’s not easy to see if this is configured. enter your StoreFront Load Balancing URL (e. set lb vserver lbvip-StoreFront-SSL -redirectFromPort 80 -httpsRedirectUrl https://storefront. enter 80.

1. Create a DNS Host record that resolves to the new VIP.
2. The DNS name for StoreFront load balancing must be different than the DNS name for NetScaler Gateway. Unless you are following the Single FQDN procedure.
3. In the Citrix StoreFront console, right-click Server Group and click Change Base URL.

4. Enter the new Base URL in https://storefront.corp.com format. This must match the certificate that is installed on the load balancer. Click OK.

Subscription Replication Load Balancing

If you have multiple StoreFront clusters (separate datacenters), you might want to replicate subscriptions between them. StoreFront subscription replication uses TCP port 808. To provide High Availability for this service, load balance TCP port 808 on the StoreFront servers. See Configure subscription synchronization at Citrix Docs for more information.

1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
2. On the right, click Add.
3. Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SubRepl).

4. Change the Protocol to TCP.
5. Scroll down and click OK.
6. Click where it says No Service Group Member.
7. Change the selection to Server Based and select the StoreFront servers.
8. Enter 808 as the port. Then click Create.

Click the arrow next to Click to select. . On the right. On the left. 12. 10. Click OK. click where it says No Service Group to Monitor Binding. 11. click Monitors. in the Monitors section.9. under Advanced Settings.

13. bind serviceGroup svcgrp-StoreFront-FavRepl SF01 808 bind serviceGroup svcgrp-StoreFront-FavRepl SF02 808 . Select the tcp monitor and click Select. 14. add serviceGroup svcgrp-StoreFront-FavRepl TCP 16. 15. Then click Bind and click Done.

Specify the same VIP that you used for SSL Load Balancing of StoreFront. 20. under Traffic Management > Load Balancing. Name it lbvip-StoreFront-SubRepl or similar. click the ellipsis next to the existing StoreFront Load Balancing vServer. 19. Enter 808 as the Port. . Change the Protocol to TCP. 21.17. 18. 22. On the right. click Virtual Servers. and click Add. On the left.

Click where it says No Load Balancing Virtual Server ServiceGroup Binding. 24. Click OK. . Click the arrow next to Click to select.23. 25.

Click Bind.26. 28. 27. Click Continue. add lb vserver lbvip-StoreFront-FavRepl TCP 10. Then click Done. 29.2.201 808 -persistenceType NONE 31.2. 30. Select your StoreFront Subscription Replication Service Group and click Select. bind lb vserver lbvip-StoreFront-FavRepl svcgrp-SF-FavRepl .

StoreFront Favorites/Subscriptions

Last Modified: May 2017 @ 11:05 am

Navigation

This page contains the following topics:

• Favorites/Subscriptions Overview
• Favorites/Subscriptions Replication across Server Groups
• Common Favorites/Subscriptions for Multiple Stores on same Server Group
• Delete Favorites/Subscriptions

Favorites/Subscriptions Overview

By default, StoreFront allows users to select applications as their Favorites. These subscribed applications are then displayed in the Favorites view of Receiver. Administrators can also use KEYWORDS in published application descriptions to auto-favorite an application.

The Favorites (subscriptions) are stored in a file database on each StoreFront server and are automatically replicated to every StoreFront server in a local Server Group. For StoreFront servers in multiple datacenters, you can configure replication of subscriptions between Server Groups.

Multi-datacenter – Favorites/Subscriptions Replication

If you have different StoreFront clusters (server groups) in multiple datacenters, you probably want to replicate subscriptions between them. This provides a consistent user interface no matter which datacenter the user connects to. For more information, see What Subscriptions and Server Groups Mean for StoreFront Designs

1. When adding farms (Manage Delivery Controllers) to StoreFront, make sure the farm names are identical in each StoreFront cluster (server group).
2. The store names must be identical in each StoreFront server group.
3. Load balance TCP 808 for each StoreFront cluster. Use the same VIP you created for SSL Load Balancing of StoreFront. Each datacenter has its own VIP.
4. Run the PowerShell commands detailed at Configure subscription synchronization at Citrix Docs. When adding the remote cluster, enter the TCP 808 Load Balancing VIP in the other datacenter. Run these commands on both StoreFront clusters.
5. Don’t forget to add the StoreFront server computer accounts to the local group CitrixSubscriptionSyncUsers on each StoreFront server.

Share Favorites/Subscriptions with Multiple Stores

Docs.citrix.com – Configure two StoreFront stores to share a common subscription datastore: It is common for administrators to configure StoreFront with two distinct stores; one for external access to resources using Netscaler Gateway and another for internal access using the corporate LAN. You can configure both “external” and “internal” stores to share a common subscription datastore by making a simple change to the store web.config file.

For two stores to share a subscription datastore, you need only point one store to the subscription service end point of the other store. Sharing a datastore is supported only when the two stores reside on the same StoreFront server or server group deployment.

Note: The XenApp, XenDesktop and AppC controllers configured on each store must match exactly; otherwise, an inconsistent set of resource subscriptions on one store might occur.

Open the external store web.config file (C:\Inetpub\wwwroot\Citrix\ExternalStore\web.config) using Notepad and search for the clientEndpoint. For example:

    <subscriptionsStoreClient enabled="true">
      <clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_External" authenticationMode="windows" transferMode="Streamed">
        <clientCertificate thumbprint="0" />
      </clientEndpoint>
    </subscriptionsStoreClient>

Change the external to match the internal store endpoint. Then Propagate Changes.

    <subscriptionsStoreClient enabled="true">
      <clientEndpoint uri="net.pipe://localhost/Citrix/Subscriptions/1__Citrix_Internal" authenticationMode="windows" transferMode="Streamed">
        <clientCertificate thumbprint="0" />
      </clientEndpoint>
    </subscriptionsStoreClient>

Delete Favorites/Subscriptions

From Citrix Discussions: You can delete subscriptions using the subscription store PowerShell API and some file editing:

1. If StoreFront 3.5 or newer, run the following (from Citrix CTX216295 How to Export and Import StoreFront Subscription Database on Storefront 3.6):

    $store = Get-STFStoreService
    Export-STFStoreSubscriptions -Store $store -FilePath "$env:userprofile\desktop\subscriptions.txt"

2. If StoreFront 3.0.1 or older, run the following PowerShell (using ‘Run As Administrator’ when opening the PowerShell Console and not missing the ‘. ‘ (i.e. dot space) at the start of the first command):

    . 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'
    Export-DSStoreSubscriptions -StoreName MyStore -FilePath .\subscriptions.txt

3. Backup subscriptions.txt, then edit to remove any entries you want to delete.
4. Stop the “Citrix Subscriptions Store” Service on all StoreFront servers in the deployment.
5. Find the subscription store database folder: “C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\1__Citrix_Store” on each StoreFront server. Note: If UAC is enabled then you might have to go to C:\Windows\ServiceProfiles\NetworkService first and then drill down into the remaining folders. AppData is a hidden folder.
6. Delete the contents of this folder (do not delete the folder itself).
7. Restart the “Citrix Subscriptions Store” Service on all StoreFront servers in the deployment.
8. Open Event Viewer and, in the left pane, navigate to Applications and Services Logs > Citrix Delivery Services. Search for events logged by the Citrix Subscriptions Store Service with an Event ID of 3 and a Task Category of 2901. Ensure that an entry is logged for each store on every server in the deployment before continuing.
9. If StoreFront 3.5 or newer, run the following PowerShell commands to restore your subscriptions:

    $store = Get-STFStoreService
    Import-STFStoreSubscriptions -Store $store -FilePath "$env:userprofile\desktop\subscriptions.txt"

10. If StoreFront 3.0.1 or older, run the following PowerShell:

    Import-DSStoreSubscriptions -StoreName MyStore -FilePath .\subscriptions.txt

Each row of the exported subscriptions file is a tab-separated list of user-sid, subscription-id, resource-id, subscription-status followed by zero or more subscription-property name-value pairs. To delete all subscriptions for a particular user, you will need to find the user’s SID and then delete all rows starting with that value.
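One way to do the "edit to remove entries" step for a single user, as an added example that is not part of the original article or the Citrix Discussions post: it resolves an account to its SID and writes a copy of the export without that user's rows. The account name and file paths are placeholders, and the row layout is the tab-separated one described above.

```powershell
# Added example (not from the article): remove every row that belongs to one
# user from a StoreFront subscription export before it is imported again.
# Placeholders: $Account and $ExportFile. Row layout, from the text above:
#   user-sid <TAB> subscription-id <TAB> resource-id <TAB> subscription-status [<TAB> properties...]
param(
    [string]$Account    = 'CORP\jdoe',
    [string]$ExportFile = "$env:USERPROFILE\Desktop\subscriptions.txt"
)

$ErrorActionPreference = 'Stop'

function Get-AccountSid {
    # Translate DOMAIN\user into the SID string used in the first column.
    param([string]$Name)
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Split-SubscriptionRows {
    # Separates rows whose first tab-delimited field equals the SID from the rest.
    # Matching on the whole first field avoids removing S-1-5-21-...-1105 when the
    # target is S-1-5-21-...-110 (a plain "starts with" test would remove both).
    param([string[]]$Rows, [string]$Sid)
    $keep = New-Object System.Collections.Generic.List[string]
    $drop = New-Object System.Collections.Generic.List[string]
    foreach ($row in $Rows) {
        $userSid = ($row -split "`t")[0]
        if ($userSid -ieq $Sid) { $drop.Add($row) } else { $keep.Add($row) }
    }
    [pscustomobject]@{ Keep = $keep; Drop = $drop }
}

$sid = Get-AccountSid -Name $Account

# Read with byte-order-mark detection and remember the detected encoding,
# so the filtered copy is written with the same one.
$reader = New-Object System.IO.StreamReader($ExportFile, $true)
try {
    $text     = $reader.ReadToEnd()
    $encoding = $reader.CurrentEncoding
} finally {
    $reader.Dispose()
}
$rows = $text.TrimEnd([char[]]"`r`n") -split "`r?`n"

$result = Split-SubscriptionRows -Rows $rows -Sid $sid

# Keep the untouched export as the backup and never overwrite an earlier one.
$backup = "$ExportFile.bak"
if (Test-Path -LiteralPath $backup) {
    throw "Backup $backup already exists; move it away before running again."
}
Copy-Item -LiteralPath $ExportFile -Destination $backup

$filtered = [System.IO.Path]::ChangeExtension($ExportFile, '.filtered.txt')
[System.IO.File]::WriteAllLines($filtered, [string[]]$result.Keep, $encoding)

# Report what was removed: the third field is the resource-id.
"{0} row(s) removed for {1} ({2}); {3} row(s) kept in {4}" -f `
    $result.Drop.Count, $Account, $sid, $result.Keep.Count, $filtered
$result.Drop | ForEach-Object { '  removed resource-id: ' + ($_ -split "`t")[2] }
```

Review the filtered copy, then pass its path to the import command for your StoreFront version in place of the original export.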

StoreFront 3.5 through 3.11 – Configuration for NetScaler Gateway

Navigation

This article applies to StoreFront versions 3.5, 3.6, 3.7, 3.8, 3.9, and 3.11.

• StoreFront Configuration for NetScaler Gateway
  o NetScaler Gateway Logon Page Theme
• Single FQDN for internal and external
• Multiple Datacenters
  o Multisite StoreFront and NetScaler Gateway Design
  o Icon Aggregation and Home Sites
  o HDX Optimal Gateway
• Multiple Gateways Connecting to One StoreFront

StoreFront Config for Gateway

1. See the NetScaler pages for instructions on configuring NetScaler Gateway for StoreFront.
2. In the StoreFront Console, right-click the Store and click Manage Authentication Methods.
3. Ensure Pass-through from NetScaler Gateway is selected, and click OK.
4. If you need the SmartAccess feature, then you need to configure StoreFront to perform an authentication callback to a NetScaler Gateway Virtual Server on the same appliance that authenticated the user.
   1. If you need SmartAccess and are doing Single FQDN then the Callback FQDN must be different than the Single FQDN.
   2. If you need SmartAccess and are doing different FQDNs for Gateway and StoreFront, then the Callback FQDN is usually the same as the Gateway FQDN.
   3. Make sure the StoreFront server can resolve the Callback FQDN to a Gateway VIP (with matching certificate). One option is to edit the C:\Windows\System32\drivers\etc\hosts file and add an entry for the Callback FQDN.
   4. After configuring the HOSTS file, on the StoreFront server, open a browser and navigate to the DNS name. Make sure the Gateway vServer logon page appears.
5. In the StoreFront Console, right-click Stores, and click Manage NetScaler Gateways.
6. If StoreFront 3.6 or newer, notice the imported from file link on top. This is a new feature of NetScaler 11.1. See Citrix Blog Post NetScaler Gateway Deployment Configuration for StoreFront, Simplified! for details.
7. If you’re not using the config file from NetScaler 11.1 and newer, click Add.
8. In the General Settings page, enter a display name. This name appears in Citrix Receiver so make it descriptive.
9. Enter the NetScaler Gateway Public URL. This can be a GSLB-enabled DNS name. Click Next.
10. In the Secure Ticket Authority page, click Add.
11. Enter the URL to a XenDesktop Controller. This can be http or https.
12. Continue adding Secure Ticket Authorities (XenDesktop Controllers). Whatever Secure Ticket Authorities you add here must also be added to the NetScaler Gateway Virtual Server on the NetScaler appliance. Click Next.
13. In the Authentication Settings page, if you have multiple Gateways (on separate appliance pairs) connecting to one StoreFront server then you’ll need to enter the vServer IP address (VIP) of the NetScaler Gateway Virtual Server so StoreFront can differentiate one NetScaler Gateway from another. If there’s only one Gateway communicating with this StoreFront server group, then leave the VServer IP address field empty.
14. If you need SmartAccess, then enter the Callback URL.
    o The Callback URL must resolve to any NetScaler Gateway VIP on the same appliance that authenticated the user. For multi-datacenter, edit the HOSTS file on the StoreFront server so it resolves to NetScaler appliances in the same datacenter.
    o The Callback URL Gateway Virtual Server must have a trusted and valid (matches the FQDN) certificate.
    o The Callback URL Gateway Virtual Server must not have client certificates set to Mandatory.
15. If you don’t need SmartAccess then leave the Callback URL field empty.
16. If you enabled two-factor authentication (LDAP and RADIUS) on your NetScaler, change the Logon type to Domain and security token. Otherwise leave it set to Domain only.
17. Click Create.
18. Then click Finish.
19. Right-click a store and click Configure Remote Access Settings.
20. Check the box next to Enable Remote Access.
21. Leave it set to No VPN tunnel.
    o Note: if you want Receiver to automatically launch a VPN tunnel, then see CTX200664 How to Configure Receiver for Seamless Experience Through NetScaler Gateway.
22. Check the box next to the NetScaler Gateway object you just created and then click OK.
23. Then in the StoreFront console, right-click Server Group and click Propagate Changes.

NetScaler Gateway Logon Page Theme

To make the NetScaler Gateway logon page look like Receiver 3.0 and newer, see one of the following:

• NetScaler Gateway 11.1 Portal Theme
• StoreFront 3.x Portal Theme for NetScaler 11.0
• StoreFront 3.x Theme for NetScaler 10.5

Single FQDN

Links:

• Citrix CTX200848 How to Configure Single Fully Qualified Domain Name for StoreFront and NetScaler Gateway
• Docs.citrix.com – Create a single Fully Qualified Domain Name (FQDN) to access a store internally and externally

Traditionally Receiver required separate FQDNs for StoreFront Load Balancing (internal) and NetScaler Gateway (external). Recently Citrix made some code changes to accept a single FQDN for both. This assumes that external users resolve the Single FQDN to a NetScaler Gateway VIP and internal users resolve the same FQDN to StoreFront Load Balancing VIP.

Single FQDN has the following requirements:

• Receivers:
  o Receiver for Windows 4.2 or newer
  o Receiver for Mac 11.9 or newer
  o Mobile Receivers
  o It doesn’t seem to work with Linux Receiver
• StoreFront 2.6 or newer
• Split DNS – different DNS resolution for internal vs external
• NetScaler 10.1 or newer

This section assumes NetScaler Gateway is in ICA Proxy mode. Different instructions are needed for when ICA Proxy is off. See docs.citrix.com for more information.

If you don’t care about email-based discovery then the configuration of Single FQDN is fairly simple. Sample DNS names are used below. Make sure the certificates match the DNS names.

1. Internal DNS name = the Single FQDN (e.g. storefront.corp.). Resolves to internal Load Balancing VIP for StoreFront. Set the StoreFront Base URL to this address.
2. External DNS name = the Single FQDN (e.g. storefront.corp.). Resolves to public IP, which is NAT’d to NetScaler Gateway VIP on DMZ NetScaler. Set the NetScaler Gateway object in StoreFront to this FQDN.
3. If you need SmartAccess, then the Callback URL = any DNS name (e.g. callback.corp.) that resolves to a NetScaler Gateway VIP on the same DMZ NetScaler appliance that authenticated the user.
   o Callback is optional if you don’t need SmartAccess features.
   o The callback DNS name must be different than the Single FQDN.
   o Your external NetScaler Gateway certificate could match both the Single FQDN and the Callback FQDN. Or you can create separate NetScaler Gateway Virtual Servers on the same appliance with separate certificates that match these FQDNs.
4. Internal Beacon = any internal website URL that is not externally accessible. You can’t use the Single FQDN as the Internal Beacon. Ideally, the Internal Beacon should be a new DNS name that resolves to the StoreFront Load Balancing VIP. However, this requires the StoreFront Load Balancing Virtual Server to have a certificate that matches both the Single FQDN and the Internal Beacon. See CTX218708 How to Configure Internal Beacon for Single FQDN on StoreFront.
   o If you are using Receiver for iOS internally then be aware that Receiver for iOS handles the Internal Beacon differently than Receiver for Windows. Receiver for iOS will append /Citrix/Store/discovery to the Internal Beacon and thus it only works if the Internal Beacon DNS name resolves to the StoreFront server. Since you can’t use the StoreFront Base URL as the Internal Beacon you’ll need a different DNS name that resolves to the StoreFront servers and matches the StoreFront certificate. Note: if you are not allowing internal iOS devices then this isn’t needed.
5. Make sure the DMZ NetScaler resolves the Single FQDN to the internal StoreFront Load Balancing VIP. You typically add internal DNS servers to the NetScaler. Or you can create a local Address Record for the Single FQDN.
6. In the NetScaler Gateway Session Profiles, set the Web Interface Address and the Account Services Address to the Single FQDN.
7. That’s all you need to implement Single FQDN. If you made changes to an existing StoreFront deployment, then you might have to remove accounts from Receiver and re-add the account.

If you need email-based discovery then here’s an example configuration for ICA Proxy NetScaler Gateway:

• External DNS:
  o Storefront.corp. resolves to public IP, which is NAT’d to NetScaler Gateway VIP on DMZ NetScaler.
  o If email-based discovery, SRV record for _citrixreceiver._tcp.suffix points to StoreFront.corp.
• External publicly-signed certificate for NetScaler Gateway:
  o One option is wildcard for *.corp. Assumes email suffix is also corp.
  o Another option is the following Subject Alternative Names:
    ▪ Storefront.corp.
    ▪ Callback.corp. – for callback URL. Only accessed from internal.
    ▪ Or you can create a separate Gateway vServer for callback with a separate certificate.
    ▪ If email-based discovery, discoverReceiver.suffix
• Internal DNS:
  o Storefront.corp. resolves to Load Balancing VIP for StoreFront
  o Callback.corp. – resolves to NetScaler Gateway VIP on DMZ NetScaler. For authentication callback.
  o If email-based discovery, SRV record for _citrixreceiver._tcp.suffix points to StoreFront.corp.
  o For the internal beacon, FQDN of any internal web server. Make sure this name is not resolvable externally.
• Internal certificate for StoreFront Load Balancing: publicly-signed recommended, especially for mobile devices and thin clients. Also can use the external certificate.
  o One option is wildcard for *.corp. Assumes email suffix is also corp.
  o Another option is the following Subject Alternative Names:
    ▪ Storefront.corp.
    ▪ If email-based discovery, discoverReceiver.suffix

StoreFront Configuration:

• Base URL = https://storefront.corp.
• Gateway object:
  o Gateway URL = https://storefront.corp.
  o Callback URL = https://Callback.corp.
• Internal beacon = https://InternalBeacon.corp. Make sure it’s not resolvable externally. Or FQDN of internal web server.

Receiver for Web session policy (basic mode or ICA Only is checked):

• Policy expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
• Client Experience tab:
  o Home page =
  o Session Timeout = 60 minutes
  o Clientless Access = Off
  o Clientless Access URL Encoding = Clear
  o Clientless Access Persistent Cookie = Deny
  o Plug-in Type = Windows/Mac OS X
  o Single Sign-on to Web Applications = checked
• Security tab:
  o Default authorization = ALLOW
• Published Applications tab:
  o ICA Proxy = On
  o Web Interface address = https://storefront.corp.
  o Web Interface Portal Mode = Normal
  o Single Sign-on Domain = Corp

Receiver Self-Service session policy (basic mode or ICA Only is checked):

• Policy expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
• Client Experience tab:
  o Session Timeout = 60 minutes
  o Clientless Access = Off
  o Clientless Access URL Encoding = Clear
  o Clientless Access Persistent Cookie = Deny
  o Plug-in Type = Java
• Security tab:
  o Default authorization = ALLOW
• Published Applications tab:
  o ICA Proxy = On
  o Web Interface address =
  o Web Interface Portal Mode = Normal
  o Single Sign-on Domain = Corp
  o Account Services address =

Multiple Datacenters / Farms

Multisite NetScaler Gateway and StoreFront Design

If you have StoreFront (and NetScaler Gateway) in multiple datacenters, GSLB is typically used for the initial user connection but GSLB doesn’t provide much control over which datacenter a user initially reaches. So the ultimate datacenter routing logic must be performed by StoreFront.

StoreFront can enumerate icons from multiple farms. If there are identical icons in multiple farms, then the icons can be aggregated so that only a single icon is displayed to the user. When the user clicks the icon, StoreFront then needs to select a datacenter (select a farm). This is typically done based on the user’s Active Directory group membership. Farms can be prioritized (active/passive). Or farms can be active/active load balanced. After the datacenter (farm) is selected, Optimal Gateway directs the ICA connection through the NetScaler Gateway that is closest to the destination VDA. Optimal Gateway requires datacenter-specific DNS names for NetScaler Gateway.

There are two methods of configuring icon aggregation in StoreFront:

• The StoreFront Console can do simple configurations – The console supports a single aggregation group and active/passive configurations for multiple Active Directory user groups. One Active Directory user group could have Farm A as active and Farm B as passive. A different Active Directory user group could have Farm B as active and Farm A as passive. This is also known as “Home Sites”
• Complex configurations can be performed in XML files – For example, you can load balance connections across two identical farms (active/active). See Citrix Docs – Set up highly available multi-site store configurations

Note: if you have existing subscriptions/favorites, then enabling icon aggregation will cause the existing subscriptions to be ignored. You can migrate the existing subscriptions by exporting, modifying, and importing. See Subscriptions Missing after Enabling Aggregation at Citrix Discussions.

Here’s a typical active/active XenApp/XenDesktop configuration:

• Farms: Separate XenApp/XenDesktop farms in each datacenter. This is required for two reasons: HDX Optimal Routing, and assigning users to Home Sites.
  o StoreFront chooses datacenters at the farm level. Thus StoreFront assumes that each datacenter has a separate XenApp/XenDesktop farm.
  o Citrix is beginning to add more zone-based features to support single farms stretched across datacenters, but this functionality is not yet fully realized. The current challenge with stretched farms is that SQL is in only one datacenter.
  o Zones are not yet an effective option. Citrix is still working on adding zone functionality.
• FQDN: Internal users and external users use the same FQDN (e.g. citrix.)
  o Externally, citrix. resolves to a NetScaler Gateway VIP.
  o Internally, citrix. resolves to a StoreFront Load balancing VIP. This allows pass-through authentication. If the internal DNS name resolved to a NetScaler Gateway VIP then pass-through authentication would not work.
• NetScaler Gateways: For AppFlow reporting, NetScaler Gateway ICA Proxy is typically used both externally and internally. Externally it is required. Internally it is used to generate AppFlow data. NetScaler Gateway is sometimes needed internally for certain authentication configurations (e.g. two-factor, Smart Card, SAML, etc.)
• Delegation: citrix. is delegated from internal DNS and public DNS to NetScaler ADNS (internal and external).
  o For the public DNS, the GSLB services contain the public NetScaler Gateway VIP in each datacenter.
  o If internal, the GSLB services contain the internal StoreFront Load Balancing VIP in each datacenter.
  o This DNS name is bound to one NetScaler GSLB vServer that has two active GSLB services.
  o You can use a proximity GSLB load balancing method to select the closest datacenter.
  o GSLB persistence is required for the duration of the StoreFront session. GSLB vServer Source IP persistence is probably not effective internally so GSLB Service Site Persistence (cookies) is
  o Or GSLB static proximity can take care of persistence.
• Single NetScaler: If one NetScaler is doing GSLB for both internal and external:
  o You probably want different GSLB monitoring methods for internal vs external. If Internet goes down in one of the datacenters, then you probably don’t want that to affect internal GSLB.
  o NetScaler in one datacenter must monitor the Internet circuit in the other datacenter so it doesn’t give out the public IP of the other datacenter if that datacenter’s Internet circuit is down. One option is to bind a TCP monitor to the remote GSLB service. The TCP monitor contains the public IP address of the NetScaler Gateway in the remote datacenter. This also means that MEP must be routed across the internal DCI (datacenter interconnect) instead of across the Internet.
  o You can’t bind the same DNS name to two different GSLB vServers. One workaround is to configure external GSLB for citrix. and configure internal GSLB for citrixinternal. The internal DNS servers have a CNAME (alias) from citrix. to citrixinternal. so that the DNS request that reaches internal NetScaler ADNS is actually for citrixinternal. Then you can have two different GSLB vServers with different GSLB services with different monitoring configurations.
• Icon aggregation: Configure StoreFront to aggregate icons from the two farms as detailed below.
  o Use AD groups to specify a user’s home datacenter as detailed below. The user’s roaming profile and home directory are in the user’s home datacenter.
  o Configure farm priority based on AD groups. For an aggregated icon, the AD group determines which farm the icon is launched from.
• HDX Optimal Routing: Use HDX Optimal Routing to route ICA traffic through the NetScaler Gateway that is closest to the destination VDA.
  o This requires datacenter-specific DNS names (e.g. citrixsite1.)
  o The datacenter-specific DNS names are delegated to NetScaler ADNS.
  o NetScaler GSLB for these DNS names is configured for active/passive: if the specific datacenter is up, then give out that IP. If the specific datacenter is down, then give out the IP of the other datacenter.
  o The GSLB Services contain the internal or public VIPs of NetScaler Gateway in each datacenter.
  o If these DNS names are added to StoreFront for both Authentication and HDX Routing, then you can use one of these DNS names to connect to StoreFront in a specific datacenter. This is helpful for testing.
• STAs: each StoreFront Server Group uses STAs in the local datacenter. Since ICA Traffic could end up on either, all STAs must be added to all NetScaler Gateways.
• StoreFront Server Groups: Separate StoreFront Server Groups in each datacenter.
  o Citrix doesn’t support stretching a single StoreFront Server Group across a WAN link.
  o Each Server Group is configured identically. You can export the config from one Server Group and import it to the other. Or configure each of them separately but identically. Identical means: same Base URL, same farms (Manage Delivery Controllers), same Gateways, and same Beacons.
  o If subscriptions/favorites are enabled, use PowerShell commands to configure subscription replication between the two Server Groups.
• StoreFront Load Balancing: StoreFront load balancing VIP can be active/passive. Active = the StoreFront servers in the local datacenter. Passive = the StoreFront servers in the remote datacenter. The active/passive VIP allows NetScaler Gateway to connect to StoreFront even if StoreFront in the local datacenter is down.
  o Create two Load Balancing vServers: one for local, one for remote. In the Active (local) Load Balancing vServer, add the Protection section and configure the Backup (remote) vServer.
  o This configuration allows you to configure NetScaler Gateway Session Policies with the IP address of StoreFront Load Balancing instead of a GSLB DNS name.

• Beacons: the internal beacon is critical. If the internal beacon is down then Receiver Self-service won’t be able to determine if the client device is internal or not. GSLB can be used for the internal beacon DNS name.

Icon Aggregation and Home Sites

To configure icon aggregation using the StoreFront Console:

1. In StoreFront Console, go to Stores, right-click your Store, and click Manage Delivery Controllers.
2. Add multiple farms. Typically, each datacenter is a separate farm.
3. After adding multiple farms, the Configure button becomes available. Click it.
4. If you are publishing identical resources from multiple farms, click the link to Aggregate resources.
5. Select the farms with identical resources that you want to aggregate. Click Aggregate.
6. If StoreFront 3.6 and newer, notice the new checkboxes on the bottom. You can now load balance farms instead of doing farm failover only. If load balancing farms, the farms no longer need to be identical.
7. Click OK when done.
8. Note: if you have existing subscriptions/favorites, then enabling icon aggregation will cause the existing subscriptions to be ignored. You can migrate the existing subscriptions by exporting, modifying, and importing. See Subscriptions Missing after Enabling Aggregation at Citrix Discussions.
9. Click Map users to controllers.
10. If you want the same farm failover (active/passive) or farm load balancing (StoreFront 3.6 and newer) settings for everyone, then leave the User Groups page set to Everyone. Or if you intend to have different home sites for different users, add a user group that contains the users that will be homed to a particular datacenter. You can run this wizard multiple times to specify different home sites for different user groups. Click Next.
11. In the Controllers page, click Add.
12. Select the farms that these users will have access to, and click OK.
13. If you configured farm aggregation without load balancing, then use the up and down arrow buttons to put the active site on top. The lower priority sites will only be accessed if the primary site is down. You can run this wizard multiple times to specify different active sites for different users.
14. If farm aggregation is configured for load balancing (StoreFront 3.6 and newer), then there are no arrows to prioritize the farms.
15. Click Create.
16. You can click Add to add more user mappings. If you add multiple user groups, you can assign different primary farms to each Active Directory group. This is how you configure “home sites”. Click OK twice when done.

Shaun Ritchie Citrix StoreFront High Availability and Aggregation – A dual site Active Active design has a sample multi-site configuration using XML Notepad and explains how to use the Primary and Secondary keywords to override farm priority order.

Citrix Blogs StoreFront Multi-Site Settings: Some Examples has example XML configurations for various multi-datacenter Load Balancing and failover scenarios.

When Citrix Receiver switches between StoreFront servers in multiple datacenters, it’s possible for each datacenter to be treated as a separate Receiver site. This can be prevented by doing the following. From Juan Zevallos at Citrix Discussions: To have multiple StoreFront deployments across a GSLB deployment, here are the StoreFront requirements:

• Match the SRID – in StoreFront, if you use the same Base URL in the 2 separate installations, then the SRID should end up being identical. If the Base URL is changed after the initial setup, the SRID doesn’t change. The SRID can be safely edited in the \inetpub\wwwroot\Citrix\Roaming\web.config file. It will be replicated into the discovery servicerecord entry in the Store web.config which can be edited as well or refreshed from the admin console by going into Remote Access setup for the store and hitting OK. Make sure to propagate changes to other servers in the group.
• Match the Base URL
• Match the Delivery Controller names under “Manage Delivery Controllers” – The XML brokers can be different, but the actual name of the Delivery Controller/Farm must be identical.

Here’s the exact setting I’m referring to: https://citrix.sharefile.

If you are running XenApp / XenDesktop in multiple datacenters, you must design roaming profiles and home directories correctly.

HDX Optimal Routing

The Optimal Gateway feature lets you override the NetScaler Gateway used for ICA connections. Here are some scenarios where this would be useful:

• Multi-site Load Balancing. If the icon selected by the user is published from XenApp/XenDesktop in Datacenter A, then you probably want the ICA connection to go through a NetScaler Gateway Virtual Server in Datacenter A. If the main DNS name for accessing NetScaler Gateway is GSLB load balanced across datacenters, then you need additional datacenter-specific DNS names so you can control which datacenter the ICA connection goes through.
• NetScaler Gateway for internal connections (AppFlow). If you want to force internal users to go through NetScaler Gateway so AppFlow data can be sent to Citrix Insight Center then you can do that using Optimal Gateway even if the user originally connected directly to the StoreFront server. See CTX200129 How to Force Connections through NetScaler Gateway Using Optimal Gateways Feature of StoreFront for more information.
• The NetScaler Gateway Virtual Server requires user certificates. If ICA traffic goes through a NetScaler Gateway Virtual Server that requires user certificates (e.g. Smart Card), then each session launch will result in a PIN prompt. To prevent these extra prompts, build a separate NetScaler Gateway Virtual Server that doesn’t have user certificates as Mandatory. Use Optimal Gateway to force ICA connections through the other NetScaler Gateway Virtual Server. Note: SmartAccess Callback URL also cannot use a NetScaler Gateway Virtual Server where client certificates are set to Mandatory so the extra NetScaler Gateway Virtual Server would be useful for that scenario too.

Note: Optimal Gateway is applied at the farm/site level or zone level (for stretched 7.7+ farms).

Optimal Gateway can be configured in the StoreFront Console:

1. Right-click Stores, and click Manage NetScaler Gateways.
2. Add more Gateways: one for each datacenter.
3. When adding a Gateway, you can designate a Usage or role. The Gateway accessed through the active/active GSLB DNS name should be set to Authentication and HDX routing. The Gateways for Optimal Routing could be set to HDX routing only. Or if test users will use these datacenter-specific DNS names to connect to Gateways in specific datacenters, leave them set to Authentication and HDX routing. There’s no harm in leaving all of the Gateways set to Authentication and HDX routing.
4. Go to Stores, right-click a store and click Configure Store Settings.
5. Go to the Optimal HDX Routing page.
6. Highlight one of the datacenter-specific Gateways and click Manage Delivery Controllers.
7. Select the farms that are accessible through this gateway and click OK.
8. Repeat for the other datacenter-specific Gateways.
9. The Gateway for the active/active GSLB-enabled DNS name doesn’t need any farms associated with it.
10. If you only want the Gateways to be used for external users, check the boxes for External only. Otherwise the Gateway routing will be used for both internal and external connections.
11. Another option for Optimal Gateway selection is zones. In XenApp/XenDesktop 7.7 and newer, you can stretch a farm across datacenters (zones) and use a different Gateway for each zone. Highlight a Gateway. Click Manage Zones and add the zone name. This assumes the zone name has also been specified in the Manage Delivery Controllers dialog box > Advanced Settings.
12. Click OK when done.
13. In summary, users will connect to the GSLB-enabled Gateway and login. After clicking an icon, HDX will be routed through one of the datacenter-specific Gateways based on the farm the icon was launched from.

Multiple Gateways (GSLB) to One StoreFront

This section applies to SmartAccess and the Callback URL. If you don’t need SmartAccess then skip this section.

The Callback URL must go to the same appliance that authenticated the user. If you have multiple appliance pairs communicating with a single StoreFront server, then StoreFront needs to identify which NetScaler appliance pair the request came from so it can perform a callback to that appliance pair.

If each of the NetScaler Gateways uses the same DNS name (GSLB), then you can’t use the DNS name to distinguish one appliance from the other. Instead, StoreFront can use the Gateway VIP to distinguish appliances so the callback goes to the correct appliance.

1. Create datacenter-specific callback DNS names. For example: callbackprod.corp. and callbackdr.corp.
2. The datacenter-specific callback DNS name must match the certificate on the NetScaler Gateway Virtual Server. Here are some options to handle the certificate requirement:
o On the main NetScaler Gateway Virtual Server, assign a wildcard certificate that matches both the GSLB name and the datacenter-specific callback name.
o On the main NetScaler Gateway Virtual Server, assign an SSL certificate with Subject Alternative Names for both the GSLB name and the datacenter-specific callback name.
o Create an additional NetScaler Gateway Virtual Server on the appliance. Bind a certificate that matches the datacenter-specific name.
3. In the StoreFront console, create multiple NetScaler Gateway appliances, one for each datacenter.
4. Give each of the gateway objects unique names.
5. Enter the same NetScaler Gateway URL in all of the gateway appliances.
6. In the VServer IP address field, enter the Gateway VIP for this particular appliance pair. StoreFront will use this VIP to distinguish one NetScaler appliance from another.
7. The callback URL must be unique for each NetScaler appliance pair (e.g. callbackdr.corp.). The callback URL must resolve to a NetScaler Gateway VIP on the same appliance pair that authenticated the user.
8. Configure name resolution for the datacenter-specific callback DNS names. Either edit the HOSTS file on the StoreFront servers or add DNS records to your DNS servers.
9. When enabling Remote Access on the store, select both Gateway appliances. Select one as the default appliance.
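The rules in this procedure can be checked against a planned configuration before anything is changed in the StoreFront console. The following is an added example, not code from the original article or from Citrix: the `vservers` data model, the function names, the `.corp.example` host names and the documentation-range IP addresses are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

def cert_covers(host, sans):
    """True if a certificate name matches host; '*' covers one leftmost label only."""
    host = host.lower()
    return any(s.lower() == host or (s.startswith("*.") and
               host.partition(".")[2] == s[2:].lower()) for s in sans)

def parse_hosts(text):
    """HOSTS-file text -> {hostname: ip}; comments and blank lines are ignored."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {name.lower(): row[0] for row in rows for name in row[1:]}

def check_plan(gateways, hosts_text):
    """Return the problems found in a multi-appliance gateway plan ([] = consistent)."""
    hosts, problems = parse_hosts(hosts_text), []
    for field in ("name", "vip", "callback"):  # must differ per appliance pair
        if len({g[field].lower() for g in gateways}) != len(gateways):
            problems.append(f"{field} is not unique per appliance pair")
    if len({g["url"].lower() for g in gateways}) != 1:  # same GSLB URL on every object
        problems.append("gateway URL differs between gateway objects")
    for g in gateways:
        gslb, cb = urlsplit(g["url"]).hostname, urlsplit(g["callback"]).hostname
        if not cert_covers(gslb, g["vservers"].get(g["vip"], [])):
            problems.append(f"{g['name']}: certificate on {g['vip']} does not cover {gslb}")
        target = hosts.get(cb)  # where StoreFront's callback would actually land
        if target not in g["vservers"]:
            problems.append(f"{g['name']}: {cb} resolves to {target}, not a VIP on this pair")
        elif not cert_covers(cb, g["vservers"][target]):
            problems.append(f"{g['name']}: certificate on {target} does not cover {cb}")
    return problems

# Constructed sample: two appliance pairs behind one GSLB name. "vservers" is a
# hypothetical map of each pair's Gateway VIPs to the names on the bound certificate.
HOSTS = """
192.0.2.10     callbackprod.corp.example   # prod pair, main vServer (wildcard cert)
198.51.100.11  callbackdr.corp.example     # DR pair, additional callback vServer
"""
GATEWAYS = [
    {"name": "GW-Prod", "url": "https://gateway.corp.example", "vip": "192.0.2.10",
     "callback": "https://callbackprod.corp.example",
     "vservers": {"192.0.2.10": ["*.corp.example"]}},
    {"name": "GW-DR", "url": "https://gateway.corp.example", "vip": "198.51.100.10",
     "callback": "https://callbackdr.corp.example",
     "vservers": {"198.51.100.10": ["gateway.corp.example"],
                  "198.51.100.11": ["callbackdr.corp.example"]}},
]
print(check_plan(GATEWAYS, HOSTS))
```

The sample covers the wildcard option on the prod pair and the additional Virtual Server option on the DR pair; a HOSTS entry that sends a callback name to the other datacenter's VIP is reported as a problem for that gateway.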