Configure Citrix Gateway session policies for StoreFront
This article describes how to configure a Citrix Gateway domain only authentication with StoreFront for users who are using Citrix Workspace app or a web browser.
Minimum requirements
-
Citrix StoreFront 2.x or 3.0
-
Citrix ADC 10.5 and higher
-
Citrix Workspace app for Windows 4.x
-
Citrix Workspace app for Mac 11.8
-
Web browser (Citrix Workspace app for Web)
-
Authentication configured on the Citrix ADC appliance as outlined in CTX108876 - How to Configure LDAP Authentication on a Citrix ADC appliance
-
SSL Certificates configured for StoreFront Server and Citrix Gateway. For details on the following topics, see StoreFront Documentation.
- Install and set up for StoreFront 2.6
-
Windows 2012 Server Certificates
-
To add an SSL binding to a site
-
Installing and Managing Certificates for Citrix ADC appliance 10.5
-
Important:
Classic policy expressions are deprecated from Citrix ADC version 13.1 and later. Citrix recommends you to use Advanced policies. For more information, see Advanced Policies.
Create a session policy for web browser-based access
-
Navigate to Citrix Gateway > Policies > Session.
-
In the Session Policies tab, click Add.
-
In Name, type the name of the session policy. For example, Web_Browser_Policy.
-
In Profile, click Add.
-
In the Configure Citrix Gateway Session Profile window, add a name to the session profile.
You can check the Override Global check boxes under all tabs to overwrite the inherited values from the global Citrix Gateway parameters. In the configuration example, details about only the mandatory parameters are included.
-
In the Client Experience tab, enable the following settings:
-
Clientless Access: set to On
-
Single sign-on to Web Application: Select the check box
-
Plug-in Type: Set to Windows/MAC OS X
-
-
In the Security tab, enable Default Authorization Actions and set it to ALLOW.
-
In the Published Application tab, enable the following settings:
-
ICA Proxy: Set to ON.
-
Web Interface Address: FQDN of the StoreFront server followed by the path to the store for web
-
Single Sign-on Domain - NetBIOS name for the domain
-
-
Click Create.
-
Add an expression.
- Click Advanced Policy and then click Expression Editor.
- In Expression Editor, select the following in sequence. HTTP > REQ > HEADER and then type the parameter, such as
**CitrixReceiver**.
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT <!--NeedCopy-->
This policy is needed for the Citrix ADC to differentiate between the web browser based and Citrix Workspace app-based connections. This policy is applied to web browser-based connections.
Create a session policy for Citrix Workspace app-based access
Perform the following steps to create a session policy for Citrix Workspace app-based access.
-
To create session policy, navigate to Citrix Gateway > Policies > Session.
-
In the Session Policies tab, click Add.
-
In Name, type the name for the session policy. For example, Workspace_app_policy.
-
In Profile, click Add.
-
In the Create Citrix Gateway Session Profile window, add a name to the session profile.
You can check the Override Global check boxes under all tabs to overwrite the inherited values from the global Citrix Gateway parameters. In the configuration example, details about only the mandatory parameters are included.
-
In the Client Experience tab, enable the following settings:
-
Home Page: Set to none
-
Split Tunnel: Set to Off
-
Clientless Access: Set to On
-
Plug-in Type: Set to Java
-
Single sign-on to Web Application: Select the check box
-
-
Click Advanced Settings clear the Client Choices check box.
-
In the Security tab, enable Default Authorization Actions and set it to ALLOW.
-
In the Published Application tab, enable the following settings:
-
ICA Proxy: Set to ON.
-
Web Interface Address: FQDN of the StoreFront server followed by the path to the store for web
-
Single Sign-on Domain - NetBIOS name for the domain
-
Account Services Address: Enter the account services address. The last back slash is important. For example,
https://sfcitrix.com/.
-
-
Click Create.
-
Add an expression.
- Click Advanced Policy and then click Expression Editor.
- In Expression Editor, select the following in sequence. HTTP > REQ > HEADER and then type the parameter, such as
**CitrixReceiver**.
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") <!--NeedCopy-->This policy is needed for the Citrix ADC to differentiate between the Citrix Workspace app based and web browser-based connections. This policy is applied to Citrix Workspace app-based connections.
Configure authentication on the Citrix ADC appliance
For information about configuring LDAP authentication on a Citrix ADC appliance, see Configuring LDAP Authentication.
Create Citrix Gateway virtual server and bind the session policies
-
Navigate to Citrix Gateway > Virtual Server and click Add to add a new virtual server.
-
After the virtual server is created, bind the specific session policy to the virtual server based on your company’s requirements.
Configure authentication for StoreFront
-
Enable the pass-through authentication from Citrix Gateway on StoreFront. For more information, see Configure the authentication service.
StoreFront must trust the issuer of the Citrix Gateway virtual server’s bound certificate (Root and or Intermediate certificates) for the Authentication Callback service.
-
Add Citrix Gateway to StoreFront. For more information, see Add a Citrix Gateway connection.
The Gateway URL must match exactly with what the users are typing into the web browser address bar.
-
Enable remote access on the StoreFront store. For more information, see Manage remote access to stores through Citrix Gateway.