Integrating with Citrix Endpoint Management or StoreFront

This section contains information about configuring connections from remote users through Citrix Gateway to your Endpoint Management and StoreFront deployment.

You can configure Citrix Gateway to work with Endpoint Management and StoreFront. When you configure Citrix Gateway to work with Endpoint Management or StoreFront, Citrix recommends using the Quick Configuration wizard to configure your settings. The Quick Configuration wizard configures a virtual server and the settings for session, clientless access, and authentication policies. You can also configure DNS servers for connections to StoreFront and Endpoint Management.

Integrating Citrix Gateway and Endpoint Management

If you deploy Endpoint Management in your network, you can allow user connections from remote users by integrating Citrix Gateway and Endpoint Management. This deployment allows users to connect to Endpoint Management to obtain their web, Software as a Service (SaaS), Android and iOS mobile apps, along with documents from ShareFile. Users connect by using Secure Hub, Citrix Receiver, or the Citrix Gateway plug-in.

In this Endpoint Management deployment, Citrix Gateway resides in the DMZ and Endpoint Management resides in the internal network.

To allow connections from remote users to Endpoint Management, Citrix recommends using the Quick Configuration wizard in Citrix Gateway to configure the web address for Endpoint Management, StoreFront or the Web Interface. The wizard configures all of the policies required for users to connect to Endpoint Management, which include authentication, session, and clientless access policies. For more information about the wizard, see Configuring Settings with the Quick Configuration Wizard.

You can also configure connections to Endpoint Management by creating policies with the configuration utility, such as:

  • One session policy manages Receiver and Secure Hub connections to StoreFront. This session policy supports Receiver for Windows, Receiver for Mac, Receiver for Android, and Receiver for iOS. If users connect with Secure Hub, Secure Mail, or WorxWeb on an iOS device, you must enable clientless access and Secure Browse to allow connections through Citrix Gateway. You need to configure Secure Browse for iOS devices only. Both iOS and Android devices use Micro VPN, which establishes the VPN tunnel to the internal network.
  • One session policy manages browser connections to Receiver for Web. Users connect by using clientless access.
  • One virtual server with SmartAccess mode enabled, which also enables clientless access. This deployment requires the Universal license.
  • Custom clientless access policies. These policies define rewriting policies for XML and HTML traffic, along with how cookies are handled by Citrix Gateway.

Integrating Citrix Gateway and StoreFront

Users can connect in one of the following ways through StoreFront:

  • Clientless access and Receiver for Web
  • Citrix Gateway plug-in
  • Receiver for Android
  • Receiver for iOS
  • Receiver for Mac
  • Receiver for Windows
  • Secure Hub

Important: The fully qualified domain name (FQDN) for StoreFront must be unique and different from the Citrix Gateway virtual server FQDN. You cannot use the same FQDN for StoreFront and the Citrix Gateway virtual server. Citrix Receiver requires that the StoreFront FQDN is a unique address that resolves only from user devices connected to the internal network. If this is not the case, Receiver for Windows users cannot use email-based account discovery.

When users connect, a list of available applications, desktops, and documents appears in the Receiver window. Users can also subscribe to applications from the store. The store enumerates and aggregates desktops and applications from Citrix Virtual Desktops sites, Citrix Virtual Apps farms, and Endpoint Management, making these resources available to users.

Note: To allow users access to MDX mobile apps, you must deploy Endpoint Management in front of StoreFront. If you are not providing access to MDX mobile apps, StoreFront resides in front of Endpoint Management.

When you configure Citrix Gateway to connect to StoreFront, you configure the following:

  • One session policy to manage Secure Hub and Receiver connections to StoreFront. This session policy supports Receiver for Windows, Receiver for Mac, Receiver for Android, and Receiver for iOS. If users connect with Receiver for Android or Receiver for iOS, you must enable clientless access and Secure Browse to allow connections through Citrix Gateway.
  • One session policy to manage browser connections to Receiver for Web. Users connect by using clientless access.
  • One session policy to manage PNA Services connections made through Receiver for Android, Receiver for iOS, and other mobile devices if you do not enable Secure Browse. If you configure the session policy for PNA Services, Receiver for Windows is not supported.
  • One virtual server with SmartAccess mode enabled, which also enables clientless access. This deployment requires the Universal license.
  • Custom clientless access policies. These policies define rewriting policies for XML and HTML traffic, along with how cookies are handled by Citrix Gateway.

Configuring Policies for Endpoint Management and StoreFront

If you deploy Endpoint Management and StoreFront and you do not use the Quick Configuration wizard to configure settings, you need to configure the following policies. You can configure these policies for Citrix Gateway and Endpoint Management only, Citrix Gateway and StoreFront only, or a deployment that contains Citrix Gateway, Endpoint Management, and StoreFront.

  • One session policy to manage Receiver connections to Endpoint Management or StoreFront. This session policy supports Receiver for Windows, Receiver for Mac, Receiver for Android, and Receiver for iOS. If users connect with Receiver for Android or Receiver for iOS, you must enable clientless access. For connections from Receiver for iOS, you must enable Secure Browse to allow connections through Citrix Gateway.
  • One session policy to manage browser connections to Receiver for Web. Users connect by using clientless access.
  • One virtual server with SmartAccess mode enabled, which also enables clientless access. This deployment requires the Universal license.
  • Custom clientless access policies. These policies define rewriting policies for XML and HTML traffic, along with how cookies are handled by Citrix Gateway.

If you deploy StoreFront and users connect with legacy versions of Receiver, create one session policy to manage PNA Services connections made through Receiver for Android, Receiver for iOS, and other mobile devices if you do not enable Secure Browse. If you configure the session policy for PNA Services, Receiver for Windows is not supported.

Note: When you configure the StoreFront URL in Citrix Gateway, such as https://<SFLite-FQDN>/Citrix/StoreWeb, the text StoreWeb is case sensitive.
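
The following pre-deployment check is an added example, not Citrix code. It covers two requirements stated on this page: the StoreFront FQDN must differ from the Citrix Gateway virtual server FQDN and resolve only from the internal network, and the StoreWeb part of the StoreFront URL is case sensitive. The function name, finding codes, host names, and addresses are assumptions constructed for illustration; the DNS answers are passed in by the caller so the check runs offline.

```python
from urllib.parse import urlsplit

def normalize_host(name):
    """Lower-case a DNS name and drop a trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()

def check_storefront_settings(gateway_fqdn, storefront_url, store_web_path,
                              internal_dns, external_dns):
    """Return (code, message) findings; an empty list means all checks passed.

    store_web_path: Receiver for Web path exactly as StoreFront displays it.
    internal_dns / external_dns: {hostname: [addresses]} collected by querying
    a resolver inside and outside the network (supplied by the caller).
    """
    findings = []
    url = urlsplit(storefront_url)
    sf_host = normalize_host(url.hostname or "")
    internal = {normalize_host(k): v for k, v in internal_dns.items()}
    external = {normalize_host(k): v for k, v in external_dns.items()}

    if sf_host == normalize_host(gateway_fqdn):
        findings.append(("same-fqdn", "StoreFront and the Citrix Gateway "
                         "virtual server must not share an FQDN"))
    if not internal.get(sf_host):
        findings.append(("no-internal-record", f"{sf_host} does not resolve "
                         "from the internal network"))
    if external.get(sf_host):
        findings.append(("external-record", f"{sf_host} resolves externally; "
                         "Receiver for Windows email-based discovery fails"))
    # The path comparison is deliberately case sensitive.
    got, want = url.path.rstrip("/"), store_web_path.rstrip("/")
    if got != want:
        code = "path-case" if got.lower() == want.lower() else "path-mismatch"
        findings.append((code, f"URL path {got!r} does not match {want!r}"))
    return findings

# Constructed sample values (example.com names, documentation address ranges).
INTERNAL = {"storefront.corp.example.com": ["10.0.0.20"],
            "gateway.example.com": ["10.0.0.5"]}
EXTERNAL = {"gateway.example.com": ["203.0.113.10"]}

if __name__ == "__main__":
    for url in ("https://storefront.corp.example.com/Citrix/StoreWeb",
                "https://gateway.example.com/citrix/storeweb"):
        print(url, check_storefront_settings(
            "gateway.example.com", url, "/Citrix/StoreWeb", INTERNAL, EXTERNAL))
```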