Setting Up StoreFront With Citrix Cloud

Oct 27, 2016

About StoreFront and NetScaler Gateway

StoreFront authenticates users to sites hosting resources and manages stores of applications and desktops that users access. It hosts your enterprise application store, which lets you give users self-service access to the apps and desktops you make available to them. It also keeps track of users' application subscriptions, shortcut names, and other data to ensure they have a consistent experience across multiple devices.

When users connect from outside the corporate firewall, Citrix Cloud can use Citrix NetScaler Gateway (formerly Access Gateway) technology to secure these connections with SSL. NetScaler Gateway or the NetScaler VPX virtual appliance is an SSL VPN appliance that is deployed in the demilitarized zone (DMZ) to provide a single secure point of access through the corporate firewall.

There are three primary use cases for setting up StoreFront with Citrix Cloud:

  1. A cloud-hosted StoreFront: The applications and desktops service in Citrix Cloud hosts a StoreFront site for each customer. The benefit of the cloud-hosted StoreFront is that there is zero effort to deploy, and it is kept evergreen by Citrix. Cloud-hosted is recommended for all new customers, previews, and proofs-of-concept (PoCs).
  2. An on-premises StoreFront: Customers may also use an existing StoreFront to aggregate applications and desktops in Citrix Cloud. This offers greater security: it supports two-factor authentication and prevents users from entering their password into the cloud service. It also allows customers to customize their domain names and URLs. This is recommended for any existing XenApp and XenDesktop customers that already have StoreFront deployed.
  3. A combination on-premises StoreFront and cloud-hosted StoreFront.

Each scenario is laid out below.

Use Case #1: Cloud-hosted StoreFront

Access to the cloud-hosted StoreFront is via https://<customername>.xendesktop.net/Citrix/StoreWeb/. There is no additional configuration needed. Cloud StoreFront is ready to be used.

To provide remote access for end-users through a cloud-hosted StoreFront, do the following:

  • Set up NetScaler Gateway as an ICA proxy (no authentication or session policies are needed). This can be configured in Citrix Studio by clicking StoreFront under the Configuration node, then selecting the Set NetScaler Gateway action.
  • Bind Citrix Cloud Connectors as Secure Ticket Authority (STA) servers to NetScaler Gateway.
  • Set NetScaler Gateway (FQDN:PORT) in the cloud-hosted Studio.
    Note: Combination remote and internal access is not supported in a cloud-hosted StoreFront.

Note

For more information on configuring NetScaler, see NetScaler VPX Deployment Guides.

Use Case #2: On-premises StoreFront

For details on configuring an on-premises StoreFront, see Citrix Product Documentation.

One benefit of using an existing StoreFront is that the Citrix Cloud Connector provides encryption of user passwords. The connector encrypts credentials with AES-256 using a randomly generated one-time key. This key is returned directly to Citrix Receiver and never sent to the cloud. Citrix Receiver then supplies it to the VDA during session launch in order to decrypt the credentials and provide a single sign-on experience into Windows.

  • For transport, select HTTP and port 80. The StoreFront machine must be able to directly access the connector through the FQDN (fully qualified domain name) provided, and the connector needs to be able to reach the Cloud NFuse/STA URLs at https://<customername>.xendesktop.net/Scripts/ (wpnbr.dll and ctxsta.dll).
  • Multiple connectors should be added as delivery controllers for High Availability.

Recommendation

Use the most recent version of StoreFront.

External Access

To provide external access through NetScaler Gateway and on-premises StoreFront, do the following:

  • Set up NetScaler Gateway as in a usual deployment with authentication and session policies. See Citrix Product Documentation for more information.
  • Point your on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.
  • Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
  • The NetScaler Gateway must use the same STA URLs as StoreFront. If the gateway is not already configured to use the STA of an existing XenApp/XenDesktop environment, Citrix Cloud Connectors may be used as a STA.
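
The requirement that NetScaler Gateway and StoreFront use the same STA URLs can be checked by comparing the two configured lists. The following is an added example, not Citrix code; it assumes both lists are exported as http(s) URLs and that an STA is identified by scheme, host and port. The host names are constructed placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def sta_key(url):
    """Reduce an STA URL to (scheme, host, port) so spelling variants compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) STA URL: {url!r}")
    # urlsplit lowercases the host name; fill in the default port when none is given
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme])

def compare_sta(storefront_urls, gateway_urls):
    """Report STAs configured on only one side, plus hosts that differ in scheme or port."""
    sf = {sta_key(u) for u in storefront_urls}
    gw = {sta_key(u) for u in gateway_urls}
    only_sf, only_gw = sf - gw, gw - sf
    # Same host listed on both sides with a different scheme or port
    drift = {k[1] for k in only_sf} & {k[1] for k in only_gw}
    return {
        "in_sync": sf == gw,
        "missing_on_gateway": sorted(only_sf),
        "missing_on_storefront": sorted(only_gw),
        "scheme_or_port_mismatch": sorted(drift),
    }

# Constructed sample lists; host names are placeholders, not from the page
STOREFRONT_STAS = [
    "http://connector1.corp.example",
    "http://connector2.corp.example:80/",
]
GATEWAY_STAS = [
    "HTTP://Connector1.corp.example:80",
    "https://connector2.corp.example",
    "http://legacy-sta.corp.example",
]

if __name__ == "__main__":
    for finding, value in compare_sta(STOREFRONT_STAS, GATEWAY_STAS).items():
        print(f"{finding}: {value}")
```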

Internal Access

To provide internal access through an on-premises StoreFront, do the following:

  • Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.

External and Internal Access

To provide external and internal access through NetScaler Gateway and on-premises StoreFront, do the following:

  • Set up NetScaler Gateway as in a usual deployment (with authentication and session policies). See Citrix Product Documentation for more information.
  • Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
  • Point on-premises StoreFront Store's Delivery Controllers to the Citrix Cloud Connectors.

Use Case #3: On-premises StoreFront and Cloud-hosted StoreFront

To provide external access through cloud-hosted StoreFront and NetScaler Gateway with on-premises StoreFront, do the following:

  • Set up NetScaler Gateway as you would in a usual deployment (with authentication and session policies). See Citrix Product Documentation for more information.
  • Point your on-premises StoreFront Store’s Delivery Controllers to the Citrix Cloud Connectors.
  • Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
  • Set NetScaler Gateway (FQDN:PORT) in Cloud-hosted Studio.

To provide internal access through cloud-hosted and on-premises StoreFront, do the following:

  • Point the on-premises StoreFront Store’s Delivery Controllers to the Citrix Cloud Connectors.

To provide external and internal access, do the following:

  • Cloud-hosted StoreFront can only be used for either external or internal access, not both.
  • Use NetScaler Gateway for external access and on-premises StoreFront for internal access (same as Use Case #2 with external and internal access).
    • Set up NetScaler Gateway as in a usual deployment (with authentication and session policies).
    • Bind Citrix Cloud Connectors as STA servers to NetScaler Gateway.
    • Point on-premises StoreFront Store’s Delivery Controllers to the Citrix Cloud Connectors.

Two-factor authentication

Two-factor authentication adds an extra layer of security by verifying users’ identity before they gain access to their resources.

The user’s mobile phone receives a Short Message Service (SMS) message that contains a 6-digit access code. The user must enter the access code on the authentication form.

You can register the users’ mobile phone numbers in Active Directory. Set each user’s Phone-Mobile-Primary attribute to that user’s mobile number in E.164 format. For more information, see E.164: The international public telecommunication numbering plan.
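
Because the access code can only be delivered to a number stored in E.164 format, it helps to audit the attribute before enabling two-factor authentication. The following is an added example, not part of the Citrix documentation; it assumes user records have been exported as (account name, mobile) pairs, where `mobile` is the LDAP display name of Phone-Mobile-Primary, and the sample records are constructed.

```python
import re

E164 = re.compile(r"\+[1-9]\d{1,14}")   # "+", then country code and number, 15 digits max
SEPARATORS = re.compile(r"[\s().\-]")   # punctuation commonly typed into the attribute

def check_mobile(value):
    """Classify one 'mobile' value as ok, fixable, invalid or missing."""
    if value is None or not value.strip():
        return ("missing", None)
    if E164.fullmatch(value):
        return ("ok", value)
    # Separators only: the number is complete and can be rewritten safely
    stripped = SEPARATORS.sub("", value)
    if E164.fullmatch(stripped):
        return ("fixable", stripped)
    # No "+" and country code (national format) or too many digits: needs a human
    return ("invalid", None)

def audit(users):
    """Group accounts by the state of their mobile attribute."""
    report = {"ok": [], "fixable": [], "invalid": [], "missing": []}
    for name, mobile in users:
        status, suggestion = check_mobile(mobile)
        report[status].append((name, suggestion) if status == "fixable" else name)
    return report

# Constructed sample records (account name, mobile); not real data
SAMPLE_USERS = [
    ("alice", "+14155550123"),
    ("bob", "+44 20 7946 0958"),
    ("carol", "020 7946 0958"),
    ("dave", None),
    ("erin", "+1 (415) 555-0199"),
]

if __name__ == "__main__":
    for status, accounts in audit(SAMPLE_USERS).items():
        print(f"{status}: {accounts}")
```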

To accelerate the logon process, add the Phone-Mobile-Primary attribute to the Active Directory global catalog. For more information, see Phone-Mobile-Primary attribute.