Using WebFront to Integrate with StoreFront
WebFront is a Web Application hosted on a Tomcat Container that runs on Citrix ADC. WebFront provides optimization and improved performance for users accessing StoreFront through Gateway using Client Browsers and Citrix native apps. WebFront coexists with the Web Interface on Citrix ADC.
WebFront provides the following functionalities:
- Receiver for Web Proxy
- Transparent SSO
Receiver for Web Proxy (RfWeb) provides a way for web browsers to communicate with a store in StoreFront. Functionally, it is the same as RfWeb in StoreFront with a few optimizations like caching and packet flow optimization.
For users accessing through browsers (Receiver for Web Proxy):
- StoreFront’s RfWeb feature on Citrix ADC
- Caches Static content and StoreFront served icons
- Optimized packet flow for Apps/Desktop enumeration.
- Supports HTML5 Receiver
Native Citrix Receivers currently require a minimum of 12 HTTP transactions with StoreFront to perform resource enumeration. Along with this, an authentication token size of 4K is carried along with each HTTP request. WebFront optimizes this by reducing the number of transactions from 12 to 2 and prevents the sending of the token by proxy.
For users accessing through Citrix native apps (Transparent SSO):
- Caches StoreFront served icons
- Optimized packet flow for Apps/Desktop enumeration (Data transferred over WAN reduced by 1%)
- Entire Authentication to SF is delegated to WebFront
The native ICA traffic does not flow via WebFront.
The RfWeb Proxy used with the Tomcat Web Server serves static content (HTML, CSS, JS, Static Icons, and so on) to web browsers and provides the following services:
- Lists all applications in the store. The information returned is in JSON format.
- Gets information for an application specified by the application ID. The information returned is in JSON format.
- Gets an application icon specified by the icon ID. Icons are returned in PNG format.
- Gets the launch information for a given HDX application specified by the application ID. The response is in the form of an ICA file.
- Supports launching web/SaaS apps.
- Powers off desktops.
- Assigns desktops.
- Subscribes to a given application specified by the application ID and the position in the subscribed application list.
- Unsubscribes a given application specified by the application ID.
- Updates subscription position for a given application specified by the application ID.
In the Workspace Control the following actions are performed:
- Lists available sessions (includes active sessions)
- Launches sessions
- Disconnects user sessions
- Logs off user sessions
- Performs Single Sign On (SSO) with StoreFront using credentials from Gateway, and stores the token in the Tomcat Session cache for reuse for subsequent requests.
- Supports the ICA apps launch through the HTML5 Receiver client.
Icon and static content caching: This is done using the Integrated Caching feature of the Citrix ADC appliance. This does not require an IC license. Only a VPN license is sufficient.
Transparent SSO (single sign-on) is applicable only for native Citrix Receivers.
WebFront is designed as a Java web app that runs on Tomcat v6, hosted on Citrix ADC. WebFront is developed using Spring MVC v3.1.2. WebFront is designed to work via Gateway with SSO on ONLY.
Ensure that you have downloaded the JRE TAR files and the WebFront TAR files.
- JRE TAR files can be downloaded from the JRE Link in the Install WebFront screen.
- WebFront tar ball can be downloaded from https://www.citrix.com/downloads/netscaler-gateway/components/components-for-netscaler-gateway-120.html.
- Navigate to System > WebFront and click Install WebFront in the Getting Started section.
- Browse for the WebFront TAR file and the JRE TAR file that you have downloaded and then click Install.
You can select the files from the appliance or from your local directory.
A confirmation message appears once the installation is completed successfully.
Navigate to System > WebFront and click WebFront Wizard in the Getting Started section.
Enter all mandatory details, verify, and click Continue.
Click Done after verifying the data.
You can either select a virtual server that is already configured for your device or you can configure a new virtual server.
To configure a virtual server:
- Click + to add a new virtual server.
- Specify the Citrix Gateway IP Address.
- Specify the port number.
- Assign a name to the virtual server.
- Select the Redirect requests from port 80 to secure port check box to redirect HTTP connections to an HTTPS secure connection.
- Click Continue.
By selecting the Browse button, you can select a certificate from the appliance or from your local directory.
From the appliance, select a certificate from the list and click Open.
Navigate to System > WebFront and click Uninstall WebFront in the WebFront Sites page. A confirmation message appears.
Navigate to System > WebFront and click WebFront Sites in the Configuration Summary section.
The WebFront Sites page allows the following site operations:
- Click Add in the WebFront Sites page.
- Select the Citrix ADC virtual server for which you want to use this site.
- Enter all mandatory details and click Continue.
- Create the VPN Session Action. Enter all mandatory details and click Continue.
- Click Done after verifying the configuration.
- Select the WebFront site and click Edit.
- Modify the configuration and click Continue.
- Enter all mandatory details and click Continue.
- Click Done after verifying the configuration.
- Select the WebFront Site and click Delete. A confirmation message appears.
- Click Yes.
The following CLI command installs WebFront.
install wf package -jre <JDK location> -wf <WebFront location>
This command installs WebFront on the system. On the shell, it creates a /var/wi folder if one is not present, and installs WebFront in the ROOT directory in the /var/wi/tomcat/webapps folder. WebFront can coexist with Web Interface. For example, if WI is already installed, WebFront extracts itself only in the ROOT directory; all the WI sites and configuration remain untouched. After the extraction, WebFront restarts Tomcat if it is already running.
As part of the install command, WF allocates 198 MB of RAM on a VPX and 576 MB of RAM on an MPX, in addition to memory allocated by WI.
For RfWebProxy to support clientless VPN, bind a ClientlessAccessPolicy, ns_cvpn_wf_policy, to VPN global during install time.
This command uninstalls WebFront from the system.
uninstall wf package -jre <JDK location> -wf <WebFront location>
If WI is present in the system, the command does not remove the complete /var/wi directory structure, only the WebFront part. If WI is not present, it removes the whole /var/wi folder.
Uninstall unbinds policy ns_cvpn_wf_policy from VPN global.
This command shows the WebFront files and installation location.
sh wf package
This command is helpful if there is a WebFront version number change. The user sees the installed WebFront and where WebFront is installed.
This command adds a WF site.
add wf site <siteName> -storefronturl <string> -storeName <string> [-html5Receiver <html5Receiver>] [-workspaceControl ( ON | OFF )] [-displayRoamingAccounts ( ON | OFF )] [-xframeOptions ( ALLOW | DENY )]
In PPE, a WebFront site is created with the StoreFront FQDN and store name. Both arguments are compulsory. The user can change them by using the set command.
- It does not create a separate folder for the WebFront site in the /var/wi/tomcat/webapps directory. Instead, it creates a soft link from /var/wi/tomcat/ROOT/<siteName> to ROOT/WEB-INF/views. This avoids duplicating the static HTML display part, since every WebFront site uses the same front end.
- It also appends an entry <siteName>=<StoreFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe> to the file /var/wi/tomcat/ROOT/WEB-INF/classes/wfsite.properties. This entry is needed when Tomcat is restarted.
- The CLI also sends an HTTP POST to http://127.0.0.1:8080/<addsite>\<SiteName> with the POST body "<StoreFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe>". This instructs WF to fetch the Store Service and Authentication URLs (Discovery & Endpoints) from StoreFront.
|Property Name|Description|Default Value|
|---|---|---|
|HTML5Receiver|Specifies whether to use the HTML5 receiver for launching apps for all WF sites. Possible values: Always – Always use only the HTML5 receiver for launching apps; Fallback – Use the HTML5 receiver as fallback, if launch through native app is not possible; Off – Never use the HTML5 receiver, always use native receiver|Fallback|
|WorkspaceControl|Specifies whether or not to use workspace control for all WF sites. Possible values: On – Workspace control is enabled. Off – Workspace control is disabled|On|
|DisplayRoamingAccounts|Specifies whether or not to display the accounts selection screen during First Time Use of Receiver. Possible values: On – Display account selection screen. Off – Do not display account selection screen.|Off|
|XFrameOptions|The value to be sent in the X-Frame-Options header. Possible values: Allow - Allow displaying in a Frame. Deny - Disallow display in a Frame|Deny|
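The wfsite.properties entry format described above can be checked mechanically. The following Python sketch is an added example, not Citrix code: it parses entries in that format and flags sites whose StoreFront URL is not https or whose X-Frame-Options value differs from the default Deny. The on-disk spelling of the values and the sample entries are assumptions.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# Field order follows the wfsite.properties entry format quoted above.
FIELDS = ("storefront_url", "store_name", "html5", "workspace_control",
          "session_timeout", "roaming_accounts", "xframe")
WfSite = namedtuple("WfSite", ("name",) + FIELDS)


def parse_wfsite(text):
    """Parse wfsite.properties text into WfSite records; raise on malformed lines."""
    sites = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # blank line or properties comment
            continue
        name, sep, value = line.partition("=")
        # Assumption: tolerate Java-properties escaping of ':' in the URL.
        value = value.replace("\\:", ":")
        # Split from the right so a '#' inside the URL cannot shift later fields.
        parts = [p.strip() for p in value.rsplit("#", len(FIELDS) - 1)]
        if not sep or not name.strip() or len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected <site>=<7 '#'-separated fields>")
        sites.append(WfSite(name.strip(), *parts))
    return sites


def audit(sites):
    """Return (site name, finding) pairs for settings that weaken a site."""
    findings = []
    for s in sites:
        if urlsplit(s.storefront_url).scheme.lower() != "https":
            findings.append((s.name, "StoreFront URL is not https: SSO traffic to StoreFront is unencrypted"))
        if s.xframe.upper() != "DENY":
            findings.append((s.name, "XFrameOptions is not DENY: site pages can be displayed in a frame"))
    return findings


# Constructed sample entries (hypothetical hosts, stores and timeout values).
SAMPLE = """\
site1=http://storefront.lab.com#store1#Fallback#ON#20#OFF#ALLOW
site2=https://sf.example.internal#Store#Off#ON#20#OFF#DENY
"""

if __name__ == "__main__":
    for site, finding in audit(parse_wfsite(SAMPLE)):
        print(f"{site}: {finding}")
```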
The rm wf site command removes the site (if present) from WebFront. More importantly, it undoes what add wf site has done: it removes the entry from wfsite.properties, removes the symbolic link from the ROOT directory, and sends the HTTP request POST http://127.0.0.1:8080/rmsite/<siteName>. As always, the site is removed from PPE.
set wf site <siteName> -storeFronturl <> -storeName <> [-html5Receiver <html5Receiver>] [-workspaceControl ( ON | OFF )] [-displayRoamingAccounts ( ON | OFF )] [-xframeOptions ( ALLOW | DENY )]
To edit the entry of an existing WF site, use the set command. The user can edit the StoreFront FQDN, the store name, or both. The command also sends the HTTP request POST http://127.0.0.1:8080/modsite/<SiteName> with the POST body "<storeFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe>". This change is reflected in wfsite.properties and PPE.
The sh wf site command displays the details of the WF site, including the state of the site. The state is either UP, or DOWN together with the reason for being DOWN and a suggested remedy.
The state is obtained by sending a POST request to http://127.0.0.1:8080/shsite/<SiteName>. The response body has the message to be displayed in the "Status" field.
|Error Message|Cause for Failure|Suggested Remedy|
|---|---|---|
|INITIALIZING|WF site is still initializing|Check status of site after a few seconds|
|DOWN-HostUnknown|Host name of StoreFront cannot be resolved to an IP address|Make sure the host name is resolvable or add a DNS addrec on NS|
|DOWN-ReqTimeout|StoreFront server cannot be reached. Request timed out while contacting SF.|Make sure SF is reachable through NSIP|
|DOWN-Wrong Store|StoreName specified does not exist in SF|Change the storeName to the correct storeName using the set wf site command|
|DOWN-SSL Error|CA used to sign SF's server cert is not present in Java's trusted CA store|Add the CA cert using exportcert.sh command|
|DOWN-SF Error|Internal Error in SF|Check error in SF through Windows Event Viewer and rectify error|
|DOWN-ConnReset|Connection was reset while communicating with SF|Make sure SF is reachable through NSIP|
|DOWN|Unknown Error occurred|Collect files described in section 13.1 and contact Tech support|
- The same site name is not allowed for both WF and WI. The CLI reports that the site is already present if a site by that name already exists in the webapps folder and an attempt is made to create it in its counterpart.
- Install WebFront on NS:
install wf package -jre "file:///var/openjdk7.tbz" -wf "file:///var/nswf-1.0.tar"
- Import StoreFront's CA cert to NS (required only if SF is configured for https):
shell /netscaler/wi/export_cert.sh /var/CA.cer
- Add a WF site:
add wf site site1 -StoreFrontURL http://storefront.lab.com -storeName store 1
- Check the status of the newly added WF site and debug if the state is DOWN:
sh wf site site1
- If the site is UP, set up the VPN virtual server with WF:
add vpn sessionaction WF_ACT -sso ON -ntDomain http://127.0.0.1:8080/site1
add vpn sessionpolicy WF_POL NS_TRUE WF_ACT
- Bind the session policy to the VPN virtual server:
bind vpn vs VPN1 -policy WF_POL -priority 10
Set wf site <siteName> -XFrameOptions ALLOW
This setting sets the X-Frame-Options HTTP header to Allow, making it display in an iframe (1st pane of the 3-pane window).