Access control for SaaS and Web apps in StoreFront–Preview

The Access Control Sync for StoreFront utility enables administrators to harness the power of Access Control’s enhanced security and web-filtering policies to deliver secure access to SaaS and Web applications through the on-premises StoreFront. When users launch these applications, Access Control’s policies are automatically applied, protecting users and the network from malware and data leaks.


Administrators use the utility to provide SaaS and enterprise Web applications in the on-premises StoreFront. This utility must be installed on a Delivery Controller in the on-premises Virtual Apps and Desktops environment. With the utility, administrators can perform the following tasks:

  • Display SaaS and Web applications in the on-premises StoreFront.
  • Enable access to SaaS and Web apps with single sign-on (SSO), web-filtering policies, and enhanced security control policies through the on-premises StoreFront using Workspace.
  • View the Access Control analytics on the Analytics tab in Access Control and Citrix Analytics service.


  • Citrix Cloud with the following services and components:
    • Access Control, Citrix Gateway, Secure Browser, and Citrix Analytics services. To sign up for an Access Control service trial, see Get Started.
    • Gateway Connector, if synchronizing Web applications. For more information, see Citrix Gateway Connector.
  • Citrix XenApp and XenDesktop (7.14 or later) or Virtual Apps and Desktops 7 (1808 or later) on-premises deployment.
  • Microsoft .NET Framework 4.7.2 or later installed on the Delivery Controller. To download this version, visit

Account permissions

The account you use to run the utility must be at least a Delivery Group Administrator or a custom administrator with permission to publish applications in the Virtual Apps and Desktops Site.

Published applications

Before using the utility, you must have SaaS applications already configured and published using the Citrix Gateway service. For more instructions, see Support for Software as a Service apps.

End user account

You will need an end user account that is subscribed to the SaaS or Web applications (in the Library in Citrix Cloud) that you want to synchronize with your on-premises StoreFront. When configuring the utility, you will enter the user name and password of this account. After you run the utility, these applications appear in your on-premises store.

Gateway endpoint URL configuration

To ensure Access Control policies are applied to applications, configure the web.config file on the StoreFront server with the Gateway service endpoint URL that Workspace app uses to retrieve the policies. The endpoint URL consists of the Gateway FQDN followed by /ngs/policy/getcfg.json. For example,


If you don’t have an Access Control entitlement in your Citrix Cloud account or you only want to use single sign-on with your synchronized applications, you don’t need to configure this endpoint URL.

  1. Log on to the StoreFront server in your on-premises deployment.
  2. Navigate to the web.config file at C:\inetpub\wwwroot\Citrix\store.
  3. Open the web.config file and locate the <externalEndpoints> section.
  4. Add a new endpoint called WebSaaSPolicy that includes the Gateway service URL where the Workspace app retrieves the Gateway security policies. For example:

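    <externalEndpoints>
      <clear />
      <endpoint id="WebUI" url="">
        <add capability="WebUI" />
      </endpoint>
      <endpoint id="WebUIAuthentication" url="">
        <add capability="WebUIAuthentication" />
      </endpoint>
      <!-- Replace GATEWAY_FQDN (placeholder) with your Gateway service FQDN -->
      <endpoint id="WebSaaSPolicy" url="https://GATEWAY_FQDN/ngs/policy/getcfg.json">
        <add capability="WebSaaS policy" />
      </endpoint>
    </externalEndpoints>
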
  5. Save the web.config file.
  6. Restart the IIS server. From the command line, enter iisreset /noforce.
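
A check for the edit made in the steps above, added here as an example and not part of Citrix's documentation or tooling. It parses a web.config and reports when the WebSaaSPolicy endpoint is missing, malformed, or points somewhere other than the expected Gateway policy URL. The function name, the sample XML, the host gateway.example.test and the requirement that the URL use https are assumptions of this example.

```powershell
# Added example: validate the WebSaaSPolicy endpoint in a StoreFront web.config.
# Function name, sample XML and gateway.example.test are constructed for illustration.
function Test-WebSaaSPolicyEndpoint {
    param(
        [Parameter(Mandatory)] [xml]$Config,
        [string]$ExpectedGatewayFqdn   # optional: FQDN of your Gateway service
    )
    $findings = @()
    $node = $Config.SelectSingleNode("//externalEndpoints/endpoint[@id='WebSaaSPolicy']")
    if (-not $node) {
        return ,@('WebSaaSPolicy endpoint missing: Workspace app has no policy URL to query')
    }
    $uri = $null
    if (-not [Uri]::TryCreate($node.GetAttribute('url'), [UriKind]::Absolute, [ref]$uri)) {
        return ,@('WebSaaSPolicy url is empty or not an absolute URL')
    }
    # Assumption of this example: policy retrieval should only happen over TLS.
    if ($uri.Scheme -ne 'https') { $findings += "url uses '$($uri.Scheme)', expected https" }
    if ($uri.AbsolutePath -ne '/ngs/policy/getcfg.json') {
        $findings += "url path is '$($uri.AbsolutePath)', expected /ngs/policy/getcfg.json"
    }
    if ($ExpectedGatewayFqdn -and $uri.Host -ne $ExpectedGatewayFqdn) {
        $findings += "url host is '$($uri.Host)', expected $ExpectedGatewayFqdn"
    }
    if (-not $node.SelectSingleNode(".//add[@capability='WebSaaS policy']")) {
        $findings += "endpoint lacks the 'WebSaaS policy' capability"
    }
    return ,$findings   # empty array means no findings
}

# Constructed sample input: a correct section, then a copy with the scheme and path altered.
$good = @'
<configuration><externalEndpoints>
  <endpoint id="WebSaaSPolicy" url="https://gateway.example.test/ngs/policy/getcfg.json">
    <add capability="WebSaaS policy" />
  </endpoint>
</externalEndpoints></configuration>
'@
$bad = $good -replace 'https://', 'http://' -replace 'getcfg\.json', 'getcfg'

Test-WebSaaSPolicyEndpoint -Config $good -ExpectedGatewayFqdn 'gateway.example.test'
Test-WebSaaSPolicyEndpoint -Config $bad

# On the StoreFront server, check the real file from step 2 instead:
# Test-WebSaaSPolicyEndpoint -Config (Get-Content 'C:\inetpub\wwwroot\Citrix\store\web.config' -Raw)
```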

Synchronize applications

Use the following steps to install and run the Access Control Sync for StoreFront utility. You can only synchronize applications that your end user account is subscribed to in the Citrix Cloud Library.

  1. Sign in to the Delivery Controller and download the utility package on To get the package, navigate to the Downloads > Citrix Virtual Apps and Desktops > Betas and Tech Previews section and download Access control for SaaS and Web apps in StoreFront-Preview.
  2. Accept the license agreement and click Install.
  3. If the User Account Control security dialog appears, click Yes.
  4. Click Finish to complete the installation.
  5. Open the AccessControlSyncforStoreFront.msi application.
  6. Configure the following settings:
    • Citrix Workspace URL: Enter the URL that you use to access Citrix Workspace. To obtain this URL, select Workspace Configuration from the Citrix Cloud menu.
    • Citrix Workspace Username and Citrix Workspace Password: Enter the credentials of the end user account that’s subscribed to the SaaS apps you want to synchronize.
    • Citrix Workspace AD Domain: Enter the Active Directory domain name. To obtain the domain name, select Identity and Access Management from the Citrix Cloud menu and then select Domains.
    • Local Storefront App Prefix (optional): Enter a prefix for the SaaS applications that will appear in StoreFront. For example, if the SaaS application name is “test” and you enter “demo” into this field, the utility synchronizes the application as “demo-test”.
    • Local Delivery Group: Enter the name of the delivery group containing the users and user groups who can use SaaS applications.
  7. Click Synchronize SaaS Apps. If you are integrating applications that exist on the machine, the utility deletes them and installs applications with the Access Control policies.

You can check the synchronization process by watching the Status panel on the form. To view the Access Control analytics and app usage, go to the Analytics tab in Access Control and Citrix Analytics service.
