Using WebFront to Integrate with StoreFront
WebFront is a Web Application hosted on a Tomcat Container that runs on Citrix ADC. WebFront provides optimization and improved performance for users accessing StoreFront through Gateway using Client Browsers and Citrix native apps. WebFront coexists with the Web Interface on Citrix ADC.
WebFront provides the following functionalities:
- Receiver for Web Proxy
- Transparent SSO
Receiver for Web Proxy
Receiver for Web Proxy (RfWeb) provides a way for web browsers to communicate with a store in StoreFront. Functionally, it is the same as RfWeb in StoreFront with a few optimizations like caching and packet flow optimization.
Features
For users accessing through browsers (Receiver for Web Proxy):
- StoreFront’s RfWeb feature on Citrix ADC
- Caches Static content and StoreFront served icons
- Optimized packet flow for Apps/Desktop enumeration.
- Supports HTML5 Receiver
Transparent Single Sign On (SSO)
Native Citrix Receivers currently require a minimum of 12 HTTP transactions with StoreFront to perform resource enumeration. In addition, an authentication token of 4K is carried with each HTTP request. WebFront optimizes this by reducing the number of transactions from 12 to 2 and, by proxying, prevents the token from being sent.
Features
For users accessing through Citrix native apps (Transparent SSO):
- Caches StoreFront served icons
- Optimized packet flow for Apps/Desktop enumeration (Data transferred over WAN reduced by 1%)
- Entire Authentication to SF is delegated to WebFront
Note
The native ICA traffic does not flow via WebFront.
Functionality
Receiver for Web Proxy
The RfWeb Proxy used with the Tomcat Web Server serves static content (HTML, CSS, JS, Static Icons, and so on) to web browsers and provides the following services:
- Lists all applications in the store. The information returned is in JSON format.
- Gets information for an application specified by the application ID. The information returned is in JSON format.
- Gets an application icon specified by the icon ID. Icons are returned in PNG format.
- Gets the launch information for a given HDX application specified by the application ID. The response is in the form of an ICA file.
- Supports launching web/SaaS apps.
- Powers off desktops.
- Assigns desktops.
- Subscribes to a given application specified by the application ID and the position in the subscribed application list.
- Unsubscribes a given application specified by the application ID.
- Updates subscription position for a given application specified by the application ID.
In the Workspace Control the following actions are performed:
- Lists available sessions (includes active sessions)
- Launches sessions
- Disconnects user sessions
- Logs off user sessions
- Performs Single Sign On (SSO) with StoreFront using credentials from Gateway, and stores the token in the Tomcat Session cache for reuse for subsequent requests.
- Supports the ICA apps launch through the HTML5 Receiver client.
Icon and Static content caching
Icon and static content caching is done using the Integrated Caching feature of the Citrix ADC appliance. This does not require an IC license; a VPN license is sufficient.
Transparent SSO
Transparent SSO (single sign-on) is applicable only for native Citrix Receivers.
WebFront is designed as a Java web app that runs on Tomcat v6, hosted on Citrix ADC. WebFront is developed using Spring MVC v3.1.2. WebFront is designed to work through Gateway only with SSO set to ON.
Installing and Configuring WebFront Using the WebFront Wizard
Prerequisites
Ensure that you have downloaded the JRE TAR files and the WebFront TAR files.
- The JRE TAR files can be downloaded from the JRE Link in the Install WebFront screen.
- The WebFront tarball can be downloaded from https://www.citrix.com/downloads/netscaler-gateway/components/components-for-netscaler-gateway-120.html.
To install WebFront
- Navigate to System > WebFront and click Install WebFront in the Getting Started section.
- Browse for the WebFront TAR file and the JRE TAR file that you have downloaded and then click Install.
You can select the files from the appliance or from your local directory.
A confirmation message appears once the installation is completed successfully.
To configure WebFront by using the WebFront wizard
- Navigate to System > WebFront and click WebFront Wizard in the Getting Started section.
- Enter all mandatory details, verify, and click Continue.
- Click Done after verifying the data.
Citrix Gateway Virtual Server
You can either select a virtual server that is already configured for your device or you can configure a new virtual server.
To configure a virtual server:
- Click + to add a new virtual server.
- Specify the Citrix Gateway IP Address.
- Specify the port number.
- Assign a name to the virtual server.
- Select the Redirect requests from port 80 to secure port check box to redirect HTTP connections to an HTTPS secure connection.
- Click Continue.
Trust SSL Certificate
By selecting the Browse button, you can select a certificate from the appliance or from your local directory.
From the appliance, select a certificate from the list and click Open.
Uninstalling WebFront
- Navigate to System > WebFront and click Uninstall WebFront in the WebFront Sites page. A confirmation message appears.
- Click Yes.
Configuring WebFront Sites
- Navigate to System > WebFront and click WebFront Sites in the Configuration Summary section.
The WebFront Sites page allows the following site operations:
- Add
- Edit
- Delete
Add WebFront Sites
- Click Add in the WebFront Sites page.
- Select the Citrix ADC virtual server for which you want to use this site.
- Enter all mandatory details and click Continue.
- Create the VPN Session Action. Enter all mandatory details and click Continue.
- Click Done after verifying the configuration.
Edit WebFront Sites
- Select the WebFront site and click Edit.
- Modify the configuration and click Continue.
- Enter all mandatory details and click Continue.
- Click Done after verifying the configuration.
Delete WebFront Sites
- Select the WebFront Site and click Delete. A confirmation message appears.
- Click Yes.
Installing and Configuring WebFront Using the CLI Commands
Install WebFront Package
The following CLI command installs WebFront.
install wf package -jre <JDK location> -wf <WebFront location>
This command installs WebFront on the system. On the shell, it creates a /var/wi folder if one is not present, and installs WebFront in the ROOT directory in the /var/wi/tomcat/webapps folder. WebFront can coexist with Web Interface. For example, if WI is already installed, WebFront extracts itself only into the ROOT directory; all the WI sites and configuration remain untouched. After the extraction, WebFront restarts Tomcat if it is already running.
As part of the install command, WF allocates 198 MB of RAM on a VPX and 576 MB of RAM on an MPX, in addition to memory allocated by WI.
For RfWebProxy to support clientless VPN, bind a ClientlessAccessPolicy, ns_cvpn_wf_policy, to VPN global during install time.
Uninstall WebFront Package
This command uninstalls WebFront from the system.
uninstall wf package -jre <JDK location> -wf <WebFront location>
If WI is present in the system, the command does not remove the complete /var/wi directory structure, only the WebFront part. If WI is not present, it removes the whole /var/wi folder.
Uninstall unbinds policy ns_cvpn_wf_policy from VPN global.
Show WebFront Package
This command shows the WebFront files and installation location.
sh wf package
This command is helpful if there is a WebFront version number change. The user sees the installed WebFront and where WebFront is installed.
Add WebFront Package
This command adds a WF site.
add wf site <siteName> -storefronturl <string> -storeName <string>
[-html5Receiver <html5Receiver>] [-workspaceControl ( ON | OFF )]
[-displayRoamingAccounts ( ON | OFF )]
[-xframeOptions ( ALLOW | DENY )]
In PPE, a WebFront site is created with the StoreFront FQDN and store name. Both arguments are compulsory. The user can change them by using the set command.
- It does not create a separate folder for the WebFront site in the /var/wi/tomcat/webapps directory; instead, it creates a soft link from /var/wi/tomcat/ROOT/<siteName> to ROOT/WEB-INF/views. This was done to avoid duplicating the static HTML display part, since every WebFront site uses the same front end.
- It also appends an entry <siteName>=<StoreFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe> to the file /var/wi/tomcat/ROOT/WEB-INF/classes/wfsite.properties. This entry is needed when Tomcat is restarted.
- The CLI also sends an HTTP POST to
http://127.0.0.1:8080/addsite/<SiteName>
with the POST body "<StoreFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe>". This instructs WF to fetch the Store Service and Authentication URLs (Discovery & Endpoints) from StoreFront.
Property Name | Description | Default Value |
---|---|---|
HTML5Receiver | Specifies whether to use the HTML5 receiver for launching apps for all WF sites. Possible values: Always – Always use only the HTML5 receiver for launching apps; Fallback – Use the HTML5 receiver as fallback, if launch through native app is not possible; Off – Never use the HTML5 receiver, always use native receiver | Fallback |
WorkspaceControl | Specifies whether or not to use workspace control for all WF sites. Possible values: On – Workspace control is enabled. Off – Workspace control is disabled | On |
DisplayRoamingAccounts | Specifies whether or not to display the accounts selection screen during First Time Use of Receiver. Possible values: On – Display account selection screen. Off – Do not display account selection screen. | Off |
XFrameOptions | The value to be sent in the X-Frame-Options header. Possible values: Allow - Allow displaying in a Frame. Deny - Disallow display in a Frame | Deny |
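The wfsite.properties entry format described above can be audited offline. This is an added example, not Citrix code: it parses entries in that format and flags sites whose StoreFront URL is not https or whose X-Frame-Options value is not Deny. The sample entries, the timeout value 20, and the assumption that fields are stored as the CLI keywords (with ':' possibly escaped as '\:') are constructed for illustration.

```python
"""Audit WebFront site entries in the wfsite.properties format (added example)."""
from urllib.parse import urlsplit

# Field order of the value part, as listed on this page.
FIELDS = ("storefront_url", "store_name", "html5", "workspace_control",
          "session_timeout", "roaming_accounts", "xframe")

# Constructed sample; on the appliance the entries live in
# /var/wi/tomcat/ROOT/WEB-INF/classes/wfsite.properties
SAMPLE = """\
# constructed sample entries
site1=http://storefront.lab.com#store1#Fallback#ON#20#OFF#ALLOW
site2=https\\://sf.example.test#Store#Off#ON#20#OFF#DENY
broken=https://sf.example.test#Store
"""

def parse_sites(text):
    """Return {site: {field: value}}; malformed entries map to None."""
    sites = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line or properties-file comment
        name, value = line.split("=", 1)
        # Assumption: ':' may be escaped as '\:' (Java properties style).
        parts = [p.strip() for p in value.replace("\\:", ":").split("#")]
        ok = len(parts) == len(FIELDS)
        sites[name.strip()] = dict(zip(FIELDS, parts)) if ok else None
    return sites

def audit(sites):
    """Return sorted (site, finding) pairs for settings worth reviewing."""
    findings = []
    for name, cfg in sites.items():
        if cfg is None:
            findings.append((name, "malformed entry: expected 7 '#'-separated fields"))
            continue
        if urlsplit(cfg["storefront_url"]).scheme.lower() != "https":
            findings.append((name, "StoreFront URL is not https: SSO traffic is unencrypted"))
        if cfg["xframe"].upper() != "DENY":
            findings.append((name, "X-Frame-Options is not DENY: site can be framed"))
    return sorted(findings)

if __name__ == "__main__":
    for site, finding in audit(parse_sites(SAMPLE)):
        print(f"{site}: {finding}")
```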
rm wf site
This command removes the site (if present) from WebFront. More importantly, it undoes what add wf site has done: it removes the entry from wfsite.properties, removes the symbolic link from the ROOT directory, and sends the HTTP request "POST http://127.0.0.1:8080/rmsite/<siteName>". As always, the site is removed from PPE.
set wf site <siteName> -storeFronturl <string> -storeName <string>
[-html5Receiver <html5Receiver>] [-workspaceControl ( ON | OFF )]
[-displayRoamingAccounts ( ON | OFF )]
[-xframeOptions ( ALLOW | DENY )]
If users want to edit an entry in an existing WF site, they can use the set command. The user can edit either the StoreFront FQDN or the store name, or both. The command also sends the HTTP request "POST http://127.0.0.1:8080/modsite/<SiteName>" with the POST body "<storeFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe>". This change is reflected in wfsite.properties and PPE.
sh wf site
It displays the details of the WF site, including the state of the WF site. The state of the site is either UP or DOWN, with the reason for being DOWN and a suggested remedy.
The state is obtained by sending a POST request to http://127.0.0.1:8080/shsite/<SiteName>. The response body has the message to be displayed in the "Status" field.
Error Message | Cause for Failure | Suggested Remedy |
---|---|---|
INITIALIZING | WF site is still initializing | Check status of site after a few seconds |
DOWN-HostUnknown | Host name of StoreFront cannot be resolved to an IP address | Make sure the host name is resolvable or add a DNS addrec on NS |
DOWN-ReqTimeout | StoreFront server cannot be reached. Request timed out while contacting SF. | Make sure SF is reachable through NSIP |
DOWN-Wrong Store | StoreName specified does not exist in SF | Change the storeName to the correct storeName using the set wf site command |
DOWN-SSL Error | CA used to sign SF’s server cert is not present in Java’s trusted CA store | Add the CA cert using exportcert.sh command |
DOWN-SF Error | Internal Error in SF | Check error in SF through Windows Event Viewer and rectify error |
DOWN-ConnReset | Connection was reset while communicating with SF | Make sure SF is reachable through NSIP |
DOWN | Unknown Error occurred | Collect files described in section 13.1 and contact Tech support |
Co-existence of WebFront and WebInterface(both are installed)
- The same site name cannot be used for both WF and WI. The CLI returns an error that the site is already present if a site by that name already exists in the webapps folder and an attempt is made to create it in its counterpart.
Steps to install and Use WF through the CLI
- Install WebFront on NS:
install wf package -jre "file:///var/openjdk7.tbz" -wf "file:///var/nswf-1.0.tar"
- Import StoreFront's CA cert to NS (required only if SF is configured for https):
shell /netscaler/wi/export_cert.sh /var/CA.cer
- Add a WF site:
add wf site site1 -StoreFrontURL http://storefront.lab.com -storeName store 1
- Check the status of the newly added WF site and debug if the state is DOWN:
sh wf site site1
- If the site is UP, set up the VPN virtual server with WF:
add vpn sessionaction WF_ACT -sso ON -ntDomain lab.com -wihome http://127.0.0.1:8080/site1
add vpn sessionpolicy WF_POL NS_TRUE WF_ACT
bind vpn vs VPN1 -policy WF_POL -priority 10
How to configure WF to work in the first pane of the 3-pane window VPN home page
set wf site <siteName> -XFrameOptions ALLOW
This setting sets the X-Frame-Options HTTP header to Allow, making it display in an iframe (1st pane of the 3-pane window).