-
Configuring the VPN User Experience
-
How to Configure Full VPN Setup on a Citrix Gateway Appliance
-
Integrating the Citrix Gateway plug-in with Citrix Receiver
-
Maintaining and Monitoring the System
-
Deploying with Citrix Endpoint Management, Citrix Virtual Apps, and Citrix Virtual Desktops
-
Accessing Citrix Virtual Apps and Desktops Resources with the Web Interface
-
Integrating Citrix Gateway with Citrix Virtual Apps and Desktops
-
Configuring Additional Web Interface Settings on Citrix Gateway
-
Configuring Access to Applications and Virtual Desktops in the Web Interface
-
-
Integrate Citrix Gateway with Citrix Virtual Apps and Desktops
-
Configuring Settings for Your Citrix Endpoint Management Environment
-
Configuring Load Balancing Servers for Citrix Endpoint Management
-
Configuring Load Balancing Servers for Microsoft Exchange with Email Security Filtering
-
Configuring Citrix Endpoint Management NetScaler Connector (XNC) ActiveSync Filtering
-
Allowing Access from Mobile Devices with Citrix Mobile Productivity Apps
-
Configuring Domain and Security Token Authentication for Citrix Endpoint Management
-
Configuring Client Certificate or Client Certificate and Domain Authentication
-
-
Citrix Gateway Enabled PCoIP Proxy Support for VMware Horizon View
-
Proxy Auto Configuration for Outbound Proxy support for Citrix Gateway
-
Integrate Citrix Gateway with Citrix Virtual Apps and Desktops
View PDF
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已动态机器翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
This content has been machine translated dynamically.
This content has been machine translated dynamically.
This content has been machine translated dynamically.
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.
Este artigo foi traduzido automaticamente.
这篇文章已经过机器翻译.放弃
Translation failed!
Using WebFront to Integrate with StoreFront
WebFront is a Web Application hosted on a Tomcat Container that runs on Citrix ADC. WebFront provides optimization and improved performance for users accessing StoreFront through Gateway using Client Browsers and Citrix Native Receivers. WebFront coexists with the Web Interface on Citrix ADC.
WebFront provides the following functionalities:
- Receiver for Web Proxy
- Transparent SSO
Receiver for Web Proxy
Receiver for Web Proxy (RfWeb) provides a way for web browsers to communicate with a store in StoreFront. Functionally, it is the same as RfWeb in StoreFront with a few optimizations like caching and packet flow optimization.
Features
For users accessing through browsers (ReceiverforWeb Proxy):
- StoreFront’s RfWeb feature on Citrix ADC
- Caches Static content and StoreFront served icons
- Optimized packet flow for Apps/Desktop enumeration.
- Supports HTML5 Receiver
Transparent Single Sign On (SSO)
Native Citrix Receivers currently require a minimum of 12 HTTP transactions with StoreFront to perform resource enumeration. Along with this, an authentication token size of 4K is carried along with each HTTP request. WebFront optimizes this by reducing the number of transactions from 12 to 2 and prevents the sending of the token by proxy.
Features
For users accessing through Citrix Native Receivers (Transparent SSO):
- Caches StoreFront served icons
- Optimized packet flow for Apps/Desktop enumeration (Data transferred over WAN reduced by 1%)
- Entire Authentication to SF is delegated to WebFront
Note
The native ICA traffic does not flow via WebFront.
Functionality
Receiver for Web Proxy
The RfWeb Proxy used with the Tomcat Web Server serves static content (HTML, CSS, JS, Static Icons, etc.) to web browsers and provides the following services:
- Lists all applications in the store. The information returned is in JSON format.
- Gets information for an application specified by the application ID. The information returned is in JSON format.
- Gets an application icon specified by the icon ID. Icons are returned in PNG format.
- Gets the launch information for a given HDX application specified by the application ID. The response is in the form of an ICA file.
- Supports launching web/SaaS apps.
- Powers off desktops.
- Assigns desktops.
- Subscribes to a given application specified by the application ID and the position in the subscribed application list.
- Unsubscribes a given application specified by the application ID.
- Updates subscription position for a given application specified by the application ID.
In the Workspace Control the following actions are performed:
- Lists available sessions (includes active sessions)
- Launches sessions
- Disconnects user sessions
- Loggs off user sessions
- Performs Single Sign On (SSO) with StoreFront using credentials from Gateway, and stores the token in the Tomcat Session cache for reuse for subsequent requests.
- Supports the ICA apps launch through the HTML5 Receiver client.
Icon and Static content caching
Icon and static content caching: This is done using Integrated Caching feature of Citrix ADC. This does not require an IC license; only a VPN license is sufficient.
Transparent SSO
Transparent SSO (single sign on) is applicable only for native Citrix Receivers.
WebFront is designed as a Java Webapp, which runs on the Tomcat v6, hosted on Citrix ADC. WebFront is developed using Spring MVC v3.1.2. WebFront is designed to work via Gateway with SSO on ONLY.
Installing and Configuration WebFront Using the WebFront Wizard
Prerequisites
Ensure that you have downloaded the JRE TAR files and the WebFront TAR files.
- JRE TAR files can be download from the JRE Link in the Install WebFront screen.
- WebFront tar ball can be downloaded from https://www.citrix.com/downloads/netscaler-gateway/components/components-for-netscaler-gateway-120.html.
To install WebFront
- Navigate to System > WebFront and click Install WebFront in the Getting Started section.
- Browse for the WebFront TAR file and the JRE TAR file that you have downloaded and then click Install.
You can select the files from the appliance or from your local directory.
A confirmation message appears once the installation is completed successfully.
To configure WebFront by using the WebFront wizard
-
Navigate to System > WebFront and click WebFront Wizard in the Getting Started section.
-
Enter all mandatory details, verify, and click Continue.
-
Click Done after verifying the data.
Citrix Gateway Virtual Server
You can either select a virtual server that is already configured for your device or you can configure a new virtual server.
To configure a virtual server:
- Click + to add a new virtual server.
- Specify the Citrix Gateway IP Address.
- Specify the port number.
- Assign a name to the virtual server.
- Select the Redirect requests from port 80 to secure port check box to redirect HTTP connections to an HTTPS secure connection.
- Click Continue.
Trust SSL Certificate
By selecting the Browse button, you can select a certificate from the appliance or from your local directory.
From the appliance, select a certificate from the list and click Open.
Uninstalling WebFront
1. Navigate to System > WebFront and click Uninstall WebFront in the WebFront Sites page. A confirmation message appears.
2. Click Yes.
Configuring WebFront Sites
1. Navigate to System > WebFront and click WebFront Sites in the Configuration Summary section.
2. The WebFront Sites allows the following the site operations:
-
Add
-
Edit
-
Delete
Add WebFront Sites
- Click Add in the WebFront Sites page.
- Select the Citrix ADC virtual server to which you want to use this site.
- Enter all mandatory details and click Continue.
- Create the VPN Session Action. Enter all mandatory detail and click Continue.
- Click Done after verifying the configuration.
Edit WebFront Sites
- Select the WebFront site and click Edit.
- Modify the configuration and click Continue.
- Enter all mandatory details and click Continue.
- Click Done after verifying the configuration.
Delete WebFront Sites
- Select the WebFront Site and click Delete. A confirmation message appears.
- Click Yes.
Installing and Configuration WebFront Using the CLI Commands
Install WebFront Package
The following CLI command installs WebFront.
install wf package –jre <JDK location> -wf <WebFront location>
This command installs WebFront on the system. On the shell it creates a /var/wi folder if not present, and installs WebFront in the ROOT directory present in the /var/wi/tomcat/webapps folder. WebFront can coexist with Web Interface. For example, if WI is already installed, WebFront extracts itself only in the ROOT directory; all the wi sites and configuration will remain untouched. After the extraction, WebFront re-starts Tomcat if already running.
As part of the install command, WF allocates 198MB of RAM on a VPX and 576MB of RAM on an MPX, in addition to memory allocated by WI.
In order for RfWebProxy to work with CVPN, bind a ClientlessAccessPolicy, ns_cvpn_wf_policy, to VPN global during install time.
Uninstall WebFront Package
This command uninstalls WebFront from the system.
uninstall wf package –jre <JDK location> -wf <WebFront location>
If WI is present in the system, it will not remove the complete /var/wi directory structure - only WebFront part. If WI is not present, it will remove the whole /var/wi folder.
Uninstall unbinds policy ns_cvpn_wf_policy from VPN global.
Show WebFront Package
This command shows the WebFront files and installation location.
sh wf package
This command is helpful if there is a WebFront version number change. The user sees the installed WebFront and where WebFront is installed.
Add WebFront Package
This command adds a WF site.
add wf site <siteName> -storefronturl <string> -storeName <string>
[-html5Receiver <html5Receiver>] [-workspaceControl ( ON | OFF )]
[-displayRoamingAccounts ( ON | OFF )]
[-xframeOptions ( ALLOW | DENY )]
In PPE, a WebFront site will be created with storefront FQDN and store Name. Both the arguments are compulsory. User can change these by using the set command.
- It does not create a separate folder for wf site in /var/wi/tomcat/webapps directory instead it creates a soft link from /var/wi/tomcat/ROOT/<siteName> to ROOT/WEB-INF/views. This modification was done to avoid the duplication of static HTML display part. Since ever WF site is going to use the same Front End.
- It also appends an entry <siteName>=<storeFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe> in the file /var/wi/tomcat/ROOT/WEB-INF/classes/wfsite.properties. This is needed for when tomcat is restarted.
- Also the CLI sends HTTP POST
http://127.0.0.1:8080/<addsite>\<SiteName>with Post body “<storeFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe>”. This instructs WF to fetch Store Service and Authentication URLs (Discovery \&Endpoints) from the StoreFront.
| Property Name | Description | Default Value |
|---|---|---|
| HTML5Receiver | Specifies whether or not to use HTML5 receiver for launching apps for all WF sites. Possible values: Always – Always use only HTML5 receiver for launching apps; Fallback – Use HTML5 receiver as fallback, if launch through native receiver is not possible; Off – Never use HTML5 receiver, always use native receiver | Fallback |
| WorkspaceControl | Specifies whether to use or not workspace control for all WF sites. Possible values: On – Workspace control is enabled. Off – Workspace control is disabled | On |
| DisplayRoamingAccounts | Specifies whether or not to display the accounts selection screen during First Time Use of Receiver. Possible Values: On – Display account selection screen. Off – Do not display account selection screen. | Off |
| XFrameOptions | The value to be sent in the X-Frame-Options header. Possible values: Allow - Allow displaying in a Frame. Deny - Disallow display in a Frame | Deny |
rm wf site
This command removes the site (if present) from WebFront. More importantly it undoes what add wf site has done. It removes the entry from wfsite.properties and it removes the symbolic link from ROOT directory also sends http post request “POST http://127.0.0.1:8080/rmsite/<siteName>. As always site would be removed from PPE.
set wf site <siteName> -storeFronturl <> -storeName <>
[-html5Receiver <html5Receiver>] [-workspaceControl ( ON | OFF )]
[-displayRoamingAccounts ( ON | OFF )]
[-xframeOptions ( ALLOW | DENY )]
If user wants to edit the entry in already present WF site he/she can use set command. User can edit either StoreFrontFQDN or StoreName or both. It also sends http post request “POST http://127.0.0.1:8080/modsite/\<SiteName with post body ““<storeFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe>”. This change would be reflected in wfsite.properties and PPE.
sh wf site
It will display the details of the WF site. Including the state of the WF site. The state of the site will be UP or (DOWN and reason for being DOWN, suggested remedy).
The state is obtained by sending a POST request to http://127.0.0.1:8080/shsite/<SiteName>. The response body will have the message to be displayed in the “Status” field.
| Error Message | Cause for Failure | Suggested Remedy |
| INITIALIZING | WF site is still initializing | Check status of site after a few seconds |
| DOWN-HostUnknown | Hostname of StoreFront cannot be resolved to an IP address | Make sure the hostname is resolvable or add a dns addrec on NS |
| DOWN-ReqTimeout | StoreFront server cannot be reached. Request timed out while contacting SF. | Make sure SF is reachable through NSIP |
| DOWN-Wrong Store | StoreName specified does not exist in SF | Change the storeName to the correct storeName using the set wf site command |
| DOWN-SSL Error | CA used to sign SF’s server cert is not present in Java’s trusted CA store | Add the CA cert using exportcert.sh command |
| DOWN-SF Error | Internal Error in SF | Check error in SF through Windows Event Viewer and rectify error |
| DOWN-ConnReset | Connection was reset while communicating with SF | Make sure SF is reachable through NSIP |
| DOWN | Unknown Error occurred | Collect files described in section 13.1 and contact Tech support |
Co-existence of WebFront and WebInterface(both are installed)
- We are disallowing the same site Name for both WF and WI. CLI will throw the error that site is already present if site by that name is already present in webapps folder and attempt is to create in its counterpart.
Steps to install and Use WF through CLI
- Install WebFront on NS:
install wf package –jre “file:///var/openjdk7.tbz” –wf “file:///var/nswf-1.0.tar” - Import StoreFront’s CA cert to NS (Required only if SF is configured for https):
shell /netscaler/wi/export_cert.sh /var/CA.cer - Add a WF site: add wf site site1 –StoreFrontURL
http://storefront.lab.com-storeName store 1 - Check status of newly added WF site and debug if state is DOWN: sh wf site site1
- If Site is UP, set up VPN vServer with WF: add vpn sessionaction WF_ACT –sso ON –ntDomain
lab.com–wihomehttp://127.0.0.1:8080/site1add vpn sessionpolicy WF_POL NS_TRUE WF_ACT - Bind vpn vs VPN1 –policy WF_POL –priority 10
How to configure WF to work in the 1st pane of the 3-pane window VPN Homepage
Set wf site <siteName> -XFrameOptions ALLOW
This setting sets the X-Frame-Options HTTP header to Allow, making it display in an iframe (1<sup>st</sup> pane of 3-pane window).
Using WebFront to Integrate with StoreFront
Share
In this article
- Receiver for Web Proxy
- Transparent Single Sign On (SSO)
- Functionality
- Installing and Configuration WebFront Using the WebFront Wizard
- Uninstalling WebFront
- Configuring WebFront Sites
- Installing and Configuration WebFront Using the CLI Commands
- Uninstall WebFront Package
- Show WebFront Package
- Add WebFront Package
- rm wf site
- sh wf site
- Co-existence of WebFront and WebInterface(both are installed)
- Steps to install and Use WF through CLI
- How to configure WF to work in the 1st pane of the 3-pane window VPN Homepage