Integrating with App Controller or StoreFront

Apr 29, 2016

This section contains information about configuring connections from remote users through NetScaler Gateway to your App Controller and StoreFront deployment.

You can configure NetScaler Gateway to work with App Controller and StoreFront. When you configure NetScaler Gateway to work with App Controller or StoreFront, Citrix recommends using the Quick Configuration wizard to configure your settings. The Quick Configuration wizard configures a virtual server and the settings for session, clientless access, and authentication policies. You can also configure DNS servers for connections to StoreFront and App Controller.

Integrating NetScaler Gateway and App Controller

If you deploy App Controller in your network, you can allow user connections from remote users by integrating NetScaler Gateway and App Controller. This deployment allows users to connect to App Controller to obtain their web, Software as a Service (SaaS), Android and iOS mobile apps, along with documents from ShareFile. Users connect by using Worx Home, Citrix Receiver, or the NetScaler Gateway Plug-in.

In this App Controller deployment, NetScaler Gateway resides in the DMZ and App Controller resides in the internal network.

To allow connections from remote users to App Controller, Citrix recommends using the Quick Configuration wizard in NetScaler Gateway to configure the web address for App Controller, StoreFront or the Web Interface. The wizard configures all of the policies required for users to connect to App Controller, which include authentication, session, and clientless access policies. For more information about the wizard, see Configuring Settings with the Quick Configuration Wizard.

You can also configure connections to App Controller by creating policies with the configuration utility, such as:

  • One session policy manages Receiver and Worx Home connections to StoreFront. This session policy supports Receiver for Windows, Receiver for Mac, Receiver for Android, and Receiver for iOS. If users connect with Worx Home, WorxMail, or WorxWeb on an iOS device, you must enable clientless access and Secure Browse to allow connections through NetScaler Gateway. You need to configure Secure Browse for iOS devices only. Both iOS and Android devices use Micro VPN, which establishes the VPN tunnel to the internal network.
  • One session policy manages browser connections to Receiver for Web. Users connect by using clientless access.
  • One virtual server with SmartAccess mode enabled, which also enables clientless access. This deployment requires the Universal license.
  • Custom clientless access policies. These policies define rewriting policies for XML and HTML traffic, along with how cookies are handled by NetScaler Gateway.

Integrating NetScaler Gateway and StoreFront

Users can connect in one of the following ways through StoreFront:

  • Clientless access and Receiver for Web
  • NetScaler Gateway Plug-in
  • Receiver for Android
  • Receiver for iOS
  • Receiver for Mac
  • Receiver for Windows
  • Worx Home

Important: The fully qualified domain name (FQDN) for StoreFront must be unique and different from the NetScaler Gateway virtual server FQDN. You cannot use the same FQDN for StoreFront and the NetScaler Gateway virtual server. Citrix Receiver requires that the StoreFront FQDN is a unique address that resolves only from user devices connected to the internal network. If this is not the case, Receiver for Windows users cannot use email-based account discovery.

When users connect, a list of available applications, desktops, and documents appears in the Receiver window. Users can also subscribe to applications from the store. The store enumerates and aggregates desktops and applications from XenDesktop sites, XenApp farms, and App Controller, making these resources available to users.

Note: To allow users access to MDX mobile apps, you must deploy App Controller in front of StoreFront. If you are not providing access to MDX mobile apps, StoreFront resides in front of App Controller.

When you configure NetScaler Gateway to connect to StoreFront, you configure the following:

  • One session policy to manage Worx Home and Receiver connections to StoreFront. This session policy supports Receiver for Windows, Receiver for Mac, Receiver for Android, and Receiver for iOS. If users connect with Receiver for Android or Receiver for iOS, you must enable clientless access and Secure Browse to allow connections through NetScaler Gateway.
  • One session policy to manage browser connections to Receiver for Web. Users connect by using clientless access.
  • One session policy to manage PNA Services connections made through Receiver for Android, Receiver for iOS, and other mobile devices if you do not enable Secure Browse. If you configure the session policy for PNA Services, Receiver for Windows is not supported.
  • One virtual server with SmartAccess mode enabled, which also enables clientless access. This deployment requires the Universal license.
  • Custom clientless access policies. These policies define rewriting policies for XML and HTML traffic, along with how cookies are handled by NetScaler Gateway.

Configuring Policies for App Controller and StoreFront

If you deploy App Controller and StoreFront and you do not use the Quick Configuration wizard to configure settings, you need to configure the following policies. You can configure these policies for NetScaler Gateway and App Controller only, NetScaler Gateway and StoreFront only, or a deployment that contains NetScaler Gateway, App Controller, and StoreFront.

  • One session policy to manage Receiver connections to App Controller or StoreFront. This session policy supports Receiver for Windows, Receiver for Mac, Receiver for Android, and Receiver for iOS. If users connect with Receiver for Android or Receiver for iOS, you must enable clientless access. For connections from Receiver for iOS, you must enable Secure Browse to allow connections through NetScaler Gateway.
  • One session policy to manage browser connections to Receiver for Web. Users connect by using clientless access.
  • One virtual server with SmartAccess mode enabled, which also enables clientless access. This deployment requires the Universal license.
  • Custom clientless access policies. These policies define rewriting policies for XML and HTML traffic, along with how cookies are handled by NetScaler Gateway.

If you deploy StoreFront and users connect with legacy versions of Receiver, create one session policy to manage PNA Services connections made through Receiver for Android, Receiver for iOS, and other mobile devices if you do not enable Secure Browse. If you configure the session policy for PNA Services, Receiver for Windows is not supported.

Note: When you configure the StoreFront URL in NetScaler Gateway, such as https://<SFLite-FQDN>/Citrix/StoreWeb, the text StoreWeb is case sensitive.
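
The policy set listed above for a StoreFront deployment, written as NetScaler command-line configuration. This is an added example, not configuration taken from Citrix documentation or generated by the Quick Configuration wizard. Assumptions: the IP address, FQDNs and object names are constructed placeholders; the rules are classic policy expressions that match on the Receiver User-Agent string; certificate binding, authentication, authorization and the custom clientless access policies are not shown.

```text
# Constructed placeholders (not from the page):
#   192.0.2.10                   - virtual server IP in the DMZ
#   storefront.corp.example.com  - StoreFront FQDN; must differ from the
#                                  gateway virtual server FQDN and resolve
#                                  only on the internal network
#   vs_gateway, act_*, pol_*     - object names

# Virtual server in SmartAccess mode (-icaOnly OFF), which also enables
# clientless access. This mode consumes Universal licenses.
add vpn vserver vs_gateway SSL 192.0.2.10 443 -icaOnly OFF

# Session profile for Receiver and Worx Home connections:
# clientless access plus Secure Browse.
add vpn sessionAction act_receiver -sso ON -ssoCredential PRIMARY -icaProxy OFF -clientlessVpnMode ON -secureBrowse ENABLED -wihome "https://storefront.corp.example.com/Citrix/StoreWeb" -storefronturl "https://storefront.corp.example.com"
add vpn sessionPolicy pol_receiver "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" act_receiver

# Session profile for browser connections to Receiver for Web
# (clientless access only, no Secure Browse).
# "StoreWeb" in the URL path is case sensitive.
add vpn sessionAction act_web -sso ON -ssoCredential PRIMARY -icaProxy OFF -clientlessVpnMode ON -wihome "https://storefront.corp.example.com/Citrix/StoreWeb"
add vpn sessionPolicy pol_web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.HTTP.HEADER Referer EXISTS" act_web

# Bind both session policies to the virtual server. Lower priority numbers
# are evaluated first.
bind vpn vserver vs_gateway -policy pol_receiver -priority 100
bind vpn vserver vs_gateway -policy pol_web -priority 110

# Review the result before exposing the virtual server to remote users.
show vpn vserver vs_gateway
show vpn sessionAction act_receiver
show vpn sessionAction act_web
```

Check the output of the show commands against the list above: SmartAccess mode on the virtual server, Secure Browse only on the Receiver profile, and the StoreFront URL pointing at the internal-only FQDN.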