Citrix Cloud

Access control for SaaS and Web apps in StoreFront–Preview


Launching Web and SaaS apps with Access Control and StoreFront and the Access Control Sync for StoreFront utility have been deprecated, as of 17 September 2020. Do not use the Access Control Sync for StoreFront utility in a production or test environment as the utility is no longer supported by Citrix. This article and the utility download page mentioned below will be removed at a later time.

The Access Control Sync for StoreFront utility enables administrators to harness the power of Access Control’s enhanced security and web-filtering policies to deliver secure access to SaaS and Web applications through the on-premises StoreFront. When users launch these applications, Access Control’s policies are automatically applied, protecting the users and network from the malware and data leaks.


Administrators use the utility to provide SaaS and enterprise Web applications in the on-premises StoreFront. This utility must be installed on a Delivery Controller in the on-premises Virtual Apps and Desktops environment. With the utility, administrators can perform the following tasks:

  • Display SaaS and Web applications in the on-premises StoreFront.
  • Enable access to SaaS and Web apps with single sign-on (SSO), web-filtering policies, and enhanced security control policies through the on-premises StoreFront using Citrix Workspace app.
  • View the Access Control analytics on the Analytics tab in Access Control and Citrix Analytics service.


  • Citrix Cloud:
    • Access Control, Citrix Gateway, Secure Browser, and Citrix Analytics services. To sign up for an Access Control service trial, see Get Started.
    • Gateway Connector, if synchronizing Web applications. For more information, see Citrix Gateway Connector.
    • Before using the utility, you must have SaaS applications already configured and published using the Citrix Gateway service. For more instructions, see Support for Software as a Service apps.
    • You will need an end user account that is subscribed to the SaaS or Web applications (in the Library in Citrix Cloud) that you want to synchronize with your on-premises StoreFront. When configuring the utility, you will enter the user name and password of this account. After you run the utility, these applications appear in your on-premises store.
  • Citrix XenApp and XenDesktop or Virtual Apps and Desktops:
    • Citrix XenApp and XenDesktop (7.14 or later) or Virtual Apps and Desktops 7 (1808 or later) on-premises deployment.
    • The Delivery Controller must have Microsoft .NET Framework 4.7.2 or later installed. To download this version, visit
    • The account you use to run the utility must be at least a Delivery Group Administrator or a custom administrator with permission to publish applications in the Virtual Apps and Desktops Site.


You can use only Citrix Workspace app to access the synchronized SaaS and Web apps. Access control for your SaaS and Web apps in the on-premises StoreFront is not supported through Workspace for Web.

Configure Gateway endpoint URL

To ensure Access Control policies are applied to applications, configure the web.config file on the StoreFront server with the Gateway service endpoint URL that Workspace app uses to retrieve the policies: The endpoint URL consists of the Gateway FQDN followed by /ngs/policy/getcfg.json.


If you don’t have an Access Control entitlement in your Citrix Cloud account or you only want to use single sign-on with your synchronized applications, you don’t need to configure this endpoint URL.

  1. Log on to the StoreFront server in your on-premises deployment.
  2. Navigate to the web.config file at C:\inetpub\wwwroot\Citrix\store.
  3. Open the web.config file and locate the <externalEndpoints> section.
  4. Add a new endpoint called WebSaaSPolicy that includes the Gateway service URL where the Workspace app retrieves the Gateway security policies. For example:

    <clear />
    <endpoint id="WebUI" url="">
       <add capability="WebUI" />
       <endpoint id="WebUIAuthentication" url="">
       <add capability="WebUIAuthentication" />
        <endpoint id="WebSaaSPolicy"
          <add capability="WebSaaS policy" />
  5. Save the web.config file.
  6. Restart the IIS server. From the command line, enter iisreset /noforce.

Synchronize SaaS and Web applications

Use the following steps to install and run the Access Control Sync for StoreFront utility. You can only synchronize applications that your end user account is subscribed to in the Citrix Cloud Library.

Step 1. Download and install the Access Control Sync for StoreFront utility.

  1. Log on to the Delivery Controller and download the utility package on To get the package, navigate to the Downloads > Citrix Virtual Apps and Desktops > Betas and Tech Previews section and download Access control for SaaS and Web apps in StoreFront-Preview. To access the download, you’ll need to sign in with your Citrix account.
  2. Accept the license agreement and click Install.
  3. If the User Account Control security dialog appears, click Yes. User account control
  4. Click Finish to complete the installation.

Step 2. Synchronize applications using the AccessControlSyncforStoreFront tool.

  1. On the Delivery Controller machine, start the Citrix Access Control Sync for StoreFront application.
  2. Configure the following settings:
    • Citrix Workspace URL: Enter the URL that you use to access Citrix Workspace. To obtain this URL, select Workspace Configuration from the Citrix Cloud menu.
    • Citrix Workspace Username and Citrix Workspace Password: Enter the credentials of the end user account that’s subscribed to the SaaS apps you want to synchronize.
    • Citrix Workspace AD Domain: Enter the Active Directory domain name. To obtain the domain name, select Identity and Access Management from the Citrix Cloud menu and then select Domains.
    • Local Storefront App Prefix (optional): Enter a prefix for the SaaS applications that will appear in StoreFront. For example, if the SaaS application name is “test” and you enter “demo” into this field, the utility synchronizes the application as “demo-test”.
    • Local Delivery Group: Enter the name of the delivery group containing the users and user groups who can use SaaS applications.
  3. Click Synchronize SaaS Apps. If you are integrating applications that exist on the machine, the utility deletes them and installs applications with the Access Control policies.

    Import information

    You can check the synchronization process by monitoring the Status panel on the form.

    Access control status

    To view the Access Control analytics and app usage, go to the Analytics tab in Access Control and Citrix Analytics service.

Access control for SaaS and Web apps in StoreFront–Preview