Integrating with Citrix Endpoint Management or StoreFront

This section contains information about configuring connections from remote users through Citrix Gateway to your Endpoint Management and StoreFront deployment.

You can configure Citrix Gateway to work with Endpoint Management and StoreFront. When you configure Citrix Gateway to work with Endpoint Management or StoreFront, Citrix recommends using the Quick Configuration wizard to configure your settings. The Quick Configuration wizard configures a virtual server and the settings for session, clientless access, and authentication policies. You can also configure DNS servers for connections to StoreFront and Endpoint Management.

Integrating Citrix Gateway and Endpoint Management

If you deploy Endpoint Management in your network, you can allow user connections from remote users by integrating Citrix Gateway and Endpoint Management. This deployment allows users to connect to Endpoint Management to obtain their web, Software as a Service (SaaS), Android and iOS mobile apps, along with documents from ShareFile. Users connect by using Secure Hub, Citrix Workspace app, or the Citrix Gateway plug-in.

In this Endpoint Management deployment, Citrix Gateway resides in the DMZ and Endpoint Management resides in the internal network.

To allow connections from remote users to Endpoint Management, Citrix recommends using the Quick Configuration wizard in Citrix Gateway to configure the web address for Endpoint Management, StoreFront or the Web Interface. The wizard configures all of the policies required for users to connect to Endpoint Management, which include authentication, session, and clientless access policies. For more information about the wizard, see Configuring Settings with the Quick Configuration Wizard.

You can also configure connections to Endpoint Management by creating policies with the configuration utility, such as:

  • One session policy manages Citrix Workspace app and Secure Hub connections to StoreFront. This session policy supports Citrix Workspace app for Windows, Citrix Workspace app for Mac, Citrix Workspace app for Android, and Citrix Workspace app for iOS. If users connect with Secure Hub, Secure Mail, or WorxWeb on an iOS device, you must enable clientless access and Secure Browse to allow connections through Citrix Gateway. You need to configure Secure Browse for iOS devices only. Both iOS and Android devices use Micro VPN that establishes the VPN tunnel to the internal network.
  • One session policy manages browser connections to Citrix Workspace app for Web. Users connect by using clientless access.
  • One virtual server with SmartAccess mode enabled which also enables clientless access. This deployment requires the Universal license.
  • Custom clientless access policies. These policies define rewriting policies for XML and HTML traffic, along with how cookies are handled by Citrix Gateway.

Integrating Citrix Gateway and StoreFront

Users can connect in one of the following ways through StoreFront:

  • Clientless access and Citrix Workspace app for Web
  • Citrix Gateway plug-in
  • Citrix Workspace app for Android
  • Citrix Workspace app for iOS
  • Citrix Workspace app for Mac
  • Citrix Workspace app for Windows
  • Secure Hub

Important: The fully qualified domain name (FQDN) for StoreFront must be unique and different from the Citrix Gateway virtual server FQDN. You cannot use the same FQDN for StoreFront and the Citrix Gateway virtual server. Citrix Workspace app requires that the StoreFront FQDN is a unique address that resolves only from user devices connected to the internal network. If this is not the case, Citrix Workspace app for Windows users cannot use email-based account discovery.

When users connect, a list of available applications, desktops, and documents appears in the Citrix Workspace app window. Users can also subscribe to applications from the store. The store enumerates and aggregates desktops and applications from Citrix Virtual Desktops sites, Citrix Virtual Apps farms, and Endpoint Management, making these resources available to users.

Note: To allow users access to MDX mobile apps, you must deploy Endpoint Management in front of StoreFront. If you are not providing access to MDX mobile apps, StoreFront resides in front of Endpoint Management.

When you configure Citrix Gateway to connect to StoreFront, you configure the following:

  • One session policy to manage Secure Hub and Citrix Workspace app connections to StoreFront. This session policy supports Citrix Workspace app for Windows, Citrix Workspace app for Mac, Citrix Workspace app for Android, and Citrix Workspace app for iOS. If users connect with Citrix Workspace app for Android or Citrix Workspace app for iOS, you must enable clientless access and Secure Browse to allow connections through Citrix Gateway.
  • One session policy to manage browser connections to Citrix Workspace app for Web. Users connect by using clientless access.
  • One session policy to manage PNA Services connections made through Citrix Workspace app for Android, Citrix Workspace app for iOS, and other mobile devices if you do not enable Secure Browse. If you configure the session policy for PNA Services, Citrix Workspace app for Windows is not supported.
  • One virtual server with SmartAccess mode enabled which also enables clientless access. This deployment requires the Universal license.
  • Custom clientless access policies. These policies define rewriting policies for XML and HTML traffic, along with how cookies are handled by Citrix Gateway.

Configuring Policies for Endpoint Management and StoreFront

If you deploy Endpoint Management and StoreFront and you do not use the Quick Configuration wizard to configure settings, you need to configure the following policies. You can configure these policies for Citrix Gateway and Endpoint Management only, Citrix Gateway and StoreFront only, or a deployment that contains Citrix Gateway, Endpoint Management, and StoreFront.

  • One session policy to manage Citrix Workspace app connections to Endpoint Management or StoreFront. This session policy supports Citrix Workspace app for Windows, Citrix Workspace app for Mac, Citrix Workspace app for Android, and Citrix Workspace app for iOS. If users connect with Citrix Workspace app for Android or Citrix Workspace app for iOS, you must enable clientless access. For connections from Citrix Workspace app for iOS, you must enable Secure Browse to allow connections through Citrix Gateway.
  • One session policy to manage browser connections to Citrix Workspace app for Web. Users connect by using clientless access.
  • One virtual server with SmartAccess mode enabled which also enables clientless access. This deployment requires the Universal license.
  • Custom clientless access policies. These policies define rewriting policies for XML and HTML traffic, along with how cookies are handled by Citrix Gateway.

If you deploy StoreFront and users connect with legacy versions of Citrix Workspace app, create one session policy to manage PNA Services connections made through Citrix Workspace app for Android, Citrix Workspace app for iOS, and other mobile devices if you do not enable Secure Browse. If you configure the session policy for PNA Services, Citrix Workspace app for Windows is not supported.

Note: When you configure the StoreFront URL in Citrix Gateway, such as https://<SFLite-FQDN>/Citrix/StoreWeb, the text StoreWeb is case sensitive.
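
The following pre-deployment check is an added example, not Citrix code. It applies two rules stated on this page: the StoreFront FQDN must differ from the Citrix Gateway virtual server FQDN and resolve only from the internal network, and the StoreWeb part of the StoreFront URL is case sensitive. The function names, the sample host names, and the resolver answers (which the caller collects from an internal and an external DNS resolver) are assumptions.

```python
from urllib.parse import urlsplit


def normalize_fqdn(name):
    """DNS names are case-insensitive; drop the optional trailing root dot."""
    return name.strip().rstrip(".").lower()


def check_storefront_url(gateway_fqdn, storefront_url,
                         internal_answers, external_answers,
                         expected_path="/Citrix/StoreWeb"):
    """Return a list of (code, message) findings; an empty list means no issue.

    internal_answers / external_answers: addresses the StoreFront FQDN
    resolved to when queried from inside and from outside the network.
    expected_path defaults to the example path on this page (assumption:
    your store may use a different name).
    """
    parts = urlsplit(storefront_url)
    sf_fqdn = normalize_fqdn(parts.hostname or "")
    if not sf_fqdn:
        return [("NO_HOST", "StoreFront URL has no host name")]

    findings = []
    if sf_fqdn == normalize_fqdn(gateway_fqdn):
        findings.append(("SAME_FQDN",
                         "StoreFront and Gateway virtual server share an FQDN"))
    path = parts.path.rstrip("/")
    if path != expected_path and path.lower() == expected_path.lower():
        findings.append(("PATH_CASE",
                         f"path {path!r} differs from {expected_path!r} by case"))
    if not internal_answers:
        findings.append(("NOT_INTERNAL",
                         "StoreFront FQDN does not resolve internally"))
    if external_answers:
        findings.append(("EXTERNAL_RESOLVES",
                         "StoreFront FQDN resolves from outside the network"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for code, msg in check_storefront_url(
            "SF.example.com.", "https://sf.example.com/Citrix/storeweb",
            internal_answers=["10.0.0.20"],
            external_answers=["203.0.113.10"]):
        print(code, "-", msg)
```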