Citrix Gateway

Using WebFront to Integrate with StoreFront

WebFront is a Web Application hosted on a Tomcat Container that runs on Citrix ADC. WebFront provides optimization and improved performance for users accessing StoreFront through Gateway using Client Browsers and Citrix native apps. WebFront coexists with the Web Interface on Citrix ADC.

WebFront provides the following functionalities:

  • Receiver for Web Proxy
  • Transparent SSO

Receiver for Web Proxy

Receiver for Web Proxy (RfWeb) provides a way for web browsers to communicate with a store in StoreFront. Functionally, it is the same as RfWeb in StoreFront with a few optimizations like caching and packet flow optimization.


For users accessing through browsers (Receiver for Web Proxy):

  • StoreFront’s RfWeb feature on Citrix ADC
  • Caches Static content and StoreFront served icons
  • Optimized packet flow for Apps/Desktop enumeration.
  • Supports HTML5 Receiver

Transparent Single Sign On (SSO)

Native Citrix Receivers currently require a minimum of 12 HTTP transactions with StoreFront to perform resource enumeration. In addition, an authentication token of 4K is carried with each HTTP request. WebFront optimizes this by reducing the number of transactions from 12 to 2 and prevents the sending of the token by proxy.


For users accessing through Citrix native apps (Transparent SSO):

  • Caches StoreFront served icons
  • Optimized packet flow for Apps/Desktop enumeration (Data transferred over WAN reduced by 1%)
  • Entire Authentication to SF is delegated to WebFront


The native ICA traffic does not flow via WebFront.


Receiver for Web Proxy

The RfWeb Proxy used with the Tomcat Web Server serves static content (HTML, CSS, JS, Static Icons, and so on) to web browsers and provides the following services:

  • Lists all applications in the store. The information returned is in JSON format.
  • Gets information for an application specified by the application ID. The information returned is in JSON format.
  • Gets an application icon specified by the icon ID. Icons are returned in PNG format.
  • Gets the launch information for a given HDX application specified by the application ID. The response is in the form of an ICA file.
  • Supports launching web/SaaS apps.
  • Powers off desktops.
  • Assigns desktops.
  • Subscribes to a given application specified by the application ID and the position in the subscribed application list.
  • Unsubscribes a given application specified by the application ID.
  • Updates subscription position for a given application specified by the application ID.

In the Workspace Control the following actions are performed:

  • Lists available sessions (includes active sessions)
  • Launches sessions
  • Disconnects user sessions
  • Logs off user sessions
  1. Performs Single Sign On (SSO) with StoreFront using credentials from Gateway, and stores the token in the Tomcat Session cache for reuse for subsequent requests.
  2. Supports the ICA apps launch through the HTML5 Receiver client.

Icon and Static content caching

Icon and static content caching is done using the Integrated Caching feature of the Citrix ADC appliance. This does not require an IC license; a VPN license is sufficient.

Transparent SSO

Transparent SSO (single sign-on) is applicable only for native Citrix Receivers.

WebFront is designed as a Java web app that runs on Tomcat v6, hosted on Citrix ADC. WebFront is developed using Spring MVC v3.1.2. WebFront is designed to work through Gateway only with SSO set to ON.

Installing and Configuring WebFront Using the WebFront Wizard


Ensure that you have downloaded the JRE TAR files and the WebFront TAR files.

To install WebFront

  1. Navigate to System > WebFront and click Install WebFront in the Getting Started section.
  2. Browse for the WebFront TAR file and the JRE TAR file that you have downloaded and then click Install.
    You can select the files from the appliance or from your local directory.

A confirmation message appears once the installation is completed successfully.

To configure WebFront by using the WebFront wizard

  1. Navigate to System > WebFront and click WebFront Wizard in the Getting Started section.

  2. Enter all mandatory details, verify, and click Continue.

  3. Click Done after verifying the data.

Citrix Gateway Virtual Server

You can either select a virtual server that is already configured for your device or you can configure a new virtual server.

To configure a virtual server:

  1. Click + to add a new virtual server.
  2. Specify the Citrix Gateway IP Address.
  3. Specify the port number.
  4. Assign a name to the virtual server.
  5. Select the Redirect requests from port 80 to secure port check box to redirect HTTP connections to an HTTPS secure connection.
  6. Click Continue.

Trust SSL Certificate

By selecting the Browse button, you can select a certificate from the appliance or from your local directory.

From the appliance, select a certificate from the list and click Open.

Uninstalling WebFront

  1. Navigate to System > WebFront and click Uninstall WebFront in the WebFront Sites page. A confirmation message appears.

  2. Click Yes.

Configuring WebFront Sites

  1. Navigate to System > WebFront and click WebFront Sites in the Configuration Summary section.
  2. The WebFront Sites page allows the following site operations:

    • Add

    • Edit

    • Delete

Add WebFront Sites

  1. Click Add in the WebFront Sites page.
  2. Select the Citrix ADC virtual server for which you want to use this site.
  3. Enter all mandatory details and click Continue.
  4. Create the VPN Session Action. Enter all mandatory details and click Continue.
  5. Click Done after verifying the configuration.

Edit WebFront Sites

  1. Select the WebFront site and click Edit.
  2. Modify the configuration and click Continue.
  3. Enter all mandatory details and click Continue.
  4. Click Done after verifying the configuration.

Delete WebFront Sites

  1. Select the WebFront Site and click Delete. A confirmation message appears.
  2. Click Yes.

Installing and Configuring WebFront Using the CLI Commands

Install WebFront Package

The following CLI command installs WebFront.

install wf package -jre <JDK location> -wf <WebFront location>

This command installs WebFront on the system. On the shell, it creates a /var/wi folder if not present, and installs WebFront in the ROOT directory present in the /var/wi/tomcat/webapps folder. WebFront can coexist with Web Interface. For example, if WI is already installed, WebFront extracts itself only in the ROOT directory; all the WI sites and configuration remain untouched. After the extraction, WebFront restarts Tomcat if it is already running.

As part of the install command, WF allocates 198 MB of RAM on a VPX and 576 MB of RAM on an MPX, in addition to memory allocated by WI.

For RfWebProxy to support clientless VPN, bind a ClientlessAccessPolicy, ns_cvpn_wf_policy, to VPN global during install time.

Uninstall WebFront Package

This command uninstalls WebFront from the system.

uninstall wf package -jre <JDK location> -wf <WebFront location>

If WI is present in the system, it does not remove the complete /var/wi directory structure, only the WebFront part. If WI is not present, it removes the whole /var/wi folder.

Uninstall unbinds policy ns_cvpn_wf_policy from VPN global.

Show WebFront Package

This command shows the WebFront files and installation location.

sh wf package

This command is helpful if there is a WebFront version number change. The user sees the installed WebFront and where WebFront is installed.

Add WebFront Package

This command adds a WF site.

add wf site <siteName> -storefronturl <string> -storeName <string>
  [-html5Receiver <html5Receiver>] [-workspaceControl ( ON | OFF )]
  [-displayRoamingAccounts ( ON | OFF )]
  [-xframeOptions ( ALLOW | DENY )]

In PPE, a WebFront site is created with the StoreFront FQDN and store name. Both arguments are compulsory. The user can change them by using the set command.

  1. It does not create a separate folder for the WebFront site in the /var/wi/tomcat/webapps directory; instead, it creates a soft link from /var/wi/tomcat/ROOT/<siteName> to ROOT/WEB-INF/views. This avoids duplicating the static HTML display part, since every WebFront site uses the same front end.
  2. It also appends an entry <siteName>=<StoreFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe> in the file /var/wi/tomcat/ROOT/WEB-INF/classes/. This is needed when Tomcat is restarted.
  3. The CLI also sends the HTTP POST<addsite>\<SiteName> with the POST body “<StoreFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe>”. This instructs WF to fetch the Store Service and Authentication URLs (Discovery & Endpoints) from StoreFront.

| Property Name | Description | Default Value |
| --- | --- | --- |
| HTML5Receiver | Specifies whether to use the HTML5 receiver for launching apps for all WF sites. Possible values: Always – always use only the HTML5 receiver for launching apps; Fallback – use the HTML5 receiver as fallback, if launch through native app is not possible; Off – never use the HTML5 receiver, always use native receiver. | Fallback |
| WorkspaceControl | Specifies whether or not to use workspace control for all WF sites. Possible values: On – workspace control is enabled; Off – workspace control is disabled. | On |
| DisplayRoamingAccounts | Specifies whether or not to display the accounts selection screen during First Time Use of Receiver. Possible values: On – display account selection screen; Off – do not display account selection screen. | Off |
| XFrameOptions | The value to be sent in the X-Frame-Options header. Possible values: Allow – allow displaying in a frame; Deny – disallow display in a frame. | Deny |
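
The following Python example is added here and is not Citrix code: it parses entries in the `<siteName>=<StoreFront URL>#<storeName>#...#<xframe>` format described above, checks each field against the property table, and flags sites that use a non-HTTPS StoreFront URL or permit framing. The sample lines, the case-insensitive spelling of the values and all function names are assumptions.

```python
# Added example: audit WebFront site entries of the form described on this page.
# Sample lines, value spelling and function names are assumptions.
from urllib.parse import urlsplit

FIELDS = ("storefront_url", "store_name", "html5", "workspace_control",
          "session_timeout", "roaming_accounts", "xframe")
# Allowed values from the property table on this page (compared case-insensitively).
ALLOWED = {
    "html5": {"always", "fallback", "off"},
    "workspace_control": {"on", "off"},
    "roaming_accounts": {"on", "off"},
    "xframe": {"allow", "deny"},
}

def parse_site_entry(line):
    """Split '<siteName>=<url>#<store>#...#<xframe>' into a dict."""
    name, sep, rest = line.strip().partition("=")
    if not sep or not name:
        raise ValueError(f"no '<siteName>=' prefix: {line!r}")
    # Split from the right so a '#' inside the URL cannot shift the fields.
    parts = rest.rsplit("#", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} '#'-separated fields: {line!r}")
    return {"site": name, **dict(zip(FIELDS, parts))}

def audit_site(site):
    """Return a list of findings for one parsed entry."""
    findings = []
    for field, allowed in ALLOWED.items():
        if site[field].lower() not in allowed:
            findings.append(f"{field}: unexpected value {site[field]!r}")
    if urlsplit(site["storefront_url"]).scheme.lower() != "https":
        findings.append("storefront_url: not https, traffic to StoreFront is unencrypted")
    if site["xframe"].lower() == "allow":
        findings.append("xframe: ALLOW permits framing, no clickjacking protection")
    return findings

# Constructed sample entries (not taken from a real appliance).
SAMPLE = """\
site1=https://sf.example.test#store1#Fallback#ON#20#OFF#DENY
portal=http://sf.example.test#store1#Always#ON#20#OFF#ALLOW
"""

def audit_text(text):
    """Audit every non-empty line; returns {siteName: [findings]}."""
    return {s["site"]: audit_site(s)
            for s in map(parse_site_entry, filter(str.strip, text.splitlines()))}

if __name__ == "__main__":
    for site, findings in audit_text(SAMPLE).items():
        print(site, "OK" if not findings else findings)
```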

rm wf site

This command removes the site (if present) from WebFront. More importantly, it undoes what add wf site has done: it removes the entry from and it removes the symbolic link from the ROOT directory, and it also sends the HTTP POST request “POST<siteName>. As always, the site is removed from PPE.

set wf site <siteName> -storeFronturl <> -storeName <>
  [-html5Receiver <html5Receiver>] [-workspaceControl ( ON | OFF )]
  [-displayRoamingAccounts ( ON | OFF )]
  [-xframeOptions ( ALLOW | DENY )]

If users want to edit an entry in an existing WF site, they can use the set command. The user can edit either StoreFrontFQDN or StoreName or both. It also sends the HTTP POST request “POST\<SiteName with POST body “<storeFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe>”. This change would be reflected in and PPE.

sh wf site

It displays the details of the WF site, including its state. The state of the site is UP, or DOWN with the reason for being DOWN and a suggested remedy.

The state is obtained by sending a POST request to<SiteName>. The response body has the message to be displayed in the “Status” field.

| Error Message | Cause for Failure | Suggested Remedy |
| --- | --- | --- |
| INITIALIZING | WF site is still initializing | Check status of site after a few seconds |
| DOWN-HostUnknown | Host name of StoreFront cannot be resolved to an IP address | Make sure the host name is resolvable or add a DNS addrec on NS |
| DOWN-ReqTimeout | StoreFront server cannot be reached. Request timed out while contacting SF. | Make sure SF is reachable through NSIP |
| DOWN-Wrong Store | StoreName specified does not exist in SF | Change the storeName to the correct storeName using the set wf site command |
| DOWN-SSL Error | CA used to sign SF’s server cert is not present in Java’s trusted CA store | Add the CA cert using command |
| DOWN-SF Error | Internal Error in SF | Check error in SF through Windows Event Viewer and rectify error |
| DOWN-ConnReset | Connection was reset while communicating with SF | Make sure SF is reachable through NSIP |
| DOWN | Unknown Error occurred | Collect files described in section 13.1 and contact Tech support |

Co-existence of WebFront and Web Interface (both are installed)

  1. The same site name is not allowed for both WF and WI. The CLI throws an error that the site is already present if a site by that name already exists in the webapps folder and an attempt is made to create it in its counterpart.

Steps to install and Use WF through the CLI

  1. Install WebFront on NS:
    install wf package -jre "file:///var/openjdk7.tbz" -wf "file:///var/nswf-1.0.tar"
  2. Import StoreFront’s CA cert to NS (required only if SF is configured for https):
    shell /netscaler/wi/ /var/CA.cer
  3. Add a WF site:
    add wf site site1 -StoreFrontURL -storeName store 1
  4. Check the status of the newly added WF site and debug if the state is DOWN:
    sh wf site site1
  5. If the site is UP, set up the VPN virtual server with WF:
    add vpn sessionaction WF_ACT -sso ON -ntDomain -wihome
    add vpn sessionpolicy WF_POL NS_TRUE WF_ACT
  6. Bind vpn vs VPN1 -policy WF_POL -priority 10

How to configure WF to work in the first pane of the 3-pane window VPN home page

set wf site <siteName> -XFrameOptions ALLOW

This setting sets the X-Frame-Options HTTP header to Allow, so that the site can be displayed in an iframe (the first pane of the 3-pane window).