Citrix Gateway Service for StoreFront - Preview

Important information:

• This document describes the steps that you can perform to deploy Citrix Gateway Service for StoreFront in a scenario where you prefer to use the on-premises NetScaler Gateway for authentication and on-premises StoreFront for enumeration.
• The Citrix Gateway Service for StoreFront solution is in preview and must not be used in a production environment. Features in preview are recommended to be used in non-production environments only and to give customers an opportunity to share feedback. Cloud Software Group does not accept support cases for features in preview but welcomes feedback for improving them. Cloud Software Group might act on feedback based on its severity, criticality, and importance in its sole discretion.
• No service commitment is offered for any trial, preview, labs, or beta service.
• Citrix Gateway Service for StoreFront is currently not supported in Citrix Cloud Japan and Citrix Cloud Government environments.

Overview

Citrix Gateway Service for StoreFront is a cloud based HDX solution that provides secure remote access to resources accessed from on-premises StoreFront. You can leverage the scalability and reliability of Citrix Cloud (for HDX proxy) without changing your on-premises StoreFront and on-premises NetScaler Gateway environments.

Consider that you are a Citrix DaaS customer using on-premises StoreFront as your enterprise application store and on-premises NetScaler Gateway for remote access. If you are looking for an option to leverage a cloud-hosted remote access solution (HDX proxy) while maintaining on-premises StoreFront as your user portal and on-premises NetScaler Gateway for authentication, Citrix Gateway Service for StoreFront is for you.

Citrix Gateway Service handles the HDX proxy launches using a Windows-based Cloud Connector in your resource location.

Notes:

• You can sign up for the preview using https://podio.com/webforms/28961380/2348524.

• You can provide your feedback using https://podio.com/webforms/29573332/2436458.

Citrix Gateway Service for StoreFront supports the following use cases:

• Authentication and session management: Two-factor authentication (LDAP, SAML) along with basic EPA scans

• HDX: HDX over TCP

The following use cases are not supported:

• Non-HDX use cases such as RDP proxy, VPN, PC over IP (PCoIP).

• Classic authentication policies

Note:

Citrix Gateway Service for StoreFront does not support SmartAccess.

Benefits

• Citrix Cloud onboarding is faster and seamless.
• Retains the benefits of on-premises StoreFront for enumeration and on-premises NetScaler Gateway for authentication.
• Ensures high resiliency because of the multi-cloud and multi-geo architecture of Citrix Gateway Service.
• HDX proxy performance and scale requirements are now managed by Citrix Gateway Service. They are no longer customer-managed.

Pre-requisites

• Use NetScaler 13.1 version and above. For details, refer to NetScaler documentation.

• Use an on-prem StoreFront version 2311 or later with Citrix DaaS configured. For details, refer to StoreFront System requirements.

• Onboard Citrix Cloud and install Citrix Cloud Connector. Cloud Connector in your on-premises environment is used to establish connectivity with your on-premises StoreFront from Citrix Gateway Service. You can use an existing Cloud Connector or deploy a new one. If your connector upgrade is disabled, contact Support to get it enabled.

  For details about the Citrix Cloud Connector requirements, see Citrix Cloud Connector requirements. For details about the sizing requirements, see Size and scale considerations for Cloud Connectors.

• Configure a network time protocol (NTP) server to avoid time skews. For details, see How to synchronize system clock with servers on the network.

Note:

Only a Windows-based Cloud Connector is supported. Connector Appliance is not supported.

Deploy Citrix Gateway Service for StoreFront

Citrix Gateway Service for StoreFront deployment involves the following steps:

1. On-premises NetScaler Gateway for authentication

2. On-premises StoreFront configuration for enumeration

1. On-premises NetScaler Gateway for authentication

On-premises NetScaler Gateway directly facilitates authentication and establishes connectivity with on-premises StoreFront. With this approach, you can continue using the existing on-premises resources for authentication, enumeration, and pre-launch.

Deploy on-premises NetScaler Gateway at the perimeter of your organization’s internal network to provide a secure single point of access to Citrix Virtual apps and Desktops.

2. On-premises StoreFront configuration for enumeration

This section describes the following on-premises StoreFront configurations to be performed after Citrix Gateway Service for StoreFront is deployed.

1. Enable remote access to the StoreFront store

2. Add on-premises NetScaler Gateway

3. Configure a store to use Citrix Gateway Service for StoreFront

4. Establish a launch path

1. Enable remote access to the StoreFront store

1. Select Stores on the right pane of the on-premises StoreFront GUI.
2. In the Results pane, select a store and click Configure Remote Access Settings.
3. Select the Enable Remote Access option.

2. Add on-premises NetScaler Gateway

This step enables access to the stores from Citrix Gateway Service for users connecting from public networks.

1. Click Add in the Citrix Gateway appliances section.

   

2. On the General Settings page, configure the following settings:

   • Display name: The name of the on-premises NetScaler Gateway.

   • Citrix Gateway URL: FQDN of the on-premises NetScaler Gateway.

   • Usage or role: Select Authentication and HDX routing.

   Note:

   In this section, “NetScalerGateway” is used as the name of the on-premises NetScaler Gateway. You will require this name later when running a PowerShell command, to enable Citrix Gateway Service for StoreFront.

   

3. On the Secure Ticket Authority (STA) page, add the STA URL that redirects you to the connector that proxies your requests to the Cloud STA service. Select Load balance multiple STA servers if more than one STA URL is configured.

   Note:

   Ensure that the Enable session reliability checkbox is selected.

   

4. On the Authentication Settings page, select the version of your on-premises NetScaler Gateway, the virtual server, and logon type and then click Create.

   

5. On the Summary page, you see a notification that the on-premises NetScaler Gateway has been added successfully. Click Finish.

   

3. Configure a store to use Citrix Gateway Service for StoreFront

This step enables you to associate on-premises NetScaler Gateway to your store.

1. On the Store > Configure Remote Access Settings page, select your on-premises NetScaler Gateway and set it as your default appliance.

2. Click OK.

4. Establish a launch path

Enable the Citrix Gateway Service FQDN to establish a path for HDX launch.

1. Navigate to System Properties on your device (On your command prompt, run the sysdm.cpl command).

2. Go to the Advanced tab and click Environment Variables.

   

3. Add the user and system variables. Assign a name and value to the variables and click OK.

   

   

4. Open your command prompt as an administrator and run the IISRESET command.

Use the following PowerShell command to enable the Cloud Gateway Service for StoreFront functionality for your deployment:

Set-STFRoamingGateway -Name "NetScalerGateway" -IsCloudGateway $true

Use the following PowerShell command to verify the status of your Citrix Gateway Service for on-premises StoreFront deployment.

Get-STFRoamingGateway | Format-Table Name, IsCloudGateway
 
 Name        IsCloudGateway
# ----       --------------
# NetScalerGateway    True
<!--NeedCopy-->

Security requirements

For best practices on NetScaler security, see the NetScaler secure deployment guide.

Troubleshooting

Ensure that you enable the log levels to capture the Citrix Gateway Service for StoreFront logs.

To enable logs using the NetScaler GUI:

1. Navigate to Configuration > System > Auditing.
2. In the Auditing page, under Settings, click Change Auditing Syslog Settings.
3. In Log Levels, select ALL.

Note:

Ensure to restore the log level settings after troubleshooting.

Authentication

• To troubleshoot authentication issues, see Troubleshoot authentication, authorization and auditing issues.

• For information about data collection, see How to collect data for ADC Gateway, Storefront, and VDA issues.

EPA

• Issue: EPA client is already present, but the user is prompted to download it:

  Possible causes: Version mismatch or corrupt files

  Run Developer Tools and validate if the plug-in list file contains the same version as that of NetScaler and your client machine. Ensure that the Citrix EPA client version is the same as the one on the client machine.

  Workaround: Update the EPA client on the on-premises NetScaler Gateway GUI by navigating to Citrix Gateway > Global Settings > Update client libraries. For details about the EPA client versions, see the EPA plug-in libraries page on Citrix Downloads.

• Revert EPA settings (Always, Yes, No) after the user has selected an option.

  Workaround:

  • On the client machine, navigate to C:\Users<user_name>\AppData\Local\Citrix\AGEE.

  • Open the config.js file and set “trustAlways” to “null”. For example, “trustAlways”:null.

For instructions about EPA configurations, refer to the following articles:

• Configure pre-auth and post-auth EPA scan as a factor in nFactor authentication

• Configure NetScaler Gateway preauthentication EPA scan for the domain check

• Advanced Endpoint Analysis Scans

Session launch

For information about how to diagnose session launch failures, see Session launch diagnostics.

General Support log collection procedures

• Technical support bundle: For details, see How to collect the technical support bundle from VPX appliances for insight analysis.

• Trace files: For details, see How to record a packet trace on NetScaler.

• Contact Support for guidance.

Other references

• StoreFront Always On tracing

• EPA log collection

• Support

Known issues and limitations

• HDX session launch fails if the Enable session reliability option is disabled on on-premises StoreFront.

• Citrix Gateway Service for StoreFront does not support dual STA.

• Applications launched through Citrix Workspace fail to load from iOS devices.

  Workaround: Run the following CLI commands through the Netscaler ADM configuration job before you launch the applications through Citrix Workspace.

   bind policy patset ns_aaa_relaystate_param_whitelist "citrixauthwebviewdone://" -index 1 -charset ASCII
  
   bind policy patset ns_aaa_relaystate_param_whitelist "citrixsso://" -index 2 -charset ASCII
  
   bind policy patset ns_aaa_relaystate_param_whitelist "citrixng://" -index 3 -charset ASCII
   <!--NeedCopy-->
  

Upcoming enhancements

The following enhancements are planned in the upcoming releases:

• HDX over EDT
• Local Host Cache Support
• Rendezvous protocol
• DDC (On-premises)
• Multistore support