Citrix Gateway

Configure Citrix Gateway session policies for StoreFront

December 11, 2020

Contributed by:

This article describes how to configure a Citrix Gateway domain only authentication with StoreFront for users who are using Citrix Workspace app or a web browser.

StoreFront setup

Minimum requirements

Citrix StoreFront 2.x or 3.0
Citrix ADC 10.5 and higher
Citrix Workspace app for Windows 4.x
Citrix Workspace app for Mac 11.8
Web browser (Citrix Workspace app for Web)
Authentication configured on the Citrix ADC appliance as outlined in CTX108876 - How to Configure LDAP Authentication on a Citrix ADC appliance
SSL Certificates configured for StoreFront Server and Citrix Gateway. For details on the following topics, see StoreFront Documentation.

- Install and set up for StoreFront 2.6
- Windows 2012 Server Certificates
- To add an SSL binding to a site
- Installing and Managing Certificates for Citrix ADC appliance 10.5

Configure Citrix Gateway with StoreFront

Procedures to complete

Create a session policy for web browser based access

To create session policy, navigate to Citrix Gateway > Policies > Session.
In the Session Policies field, click Add.
In the Name field, type the name of the Session Policy. For example, Web_Browser_Policy.
Click the box with the + sign.
Type in the name of the new Session Profile in the Configure Citrix Gateway Session Profile window.

You can check the Override Global check boxes under all tabs to overwrite the inherited values from the global Citrix Gateway parameters. In the configuration example, details about only the mandatory parameters are included.
In the Client Experience tab, enable the following settings:
- Clientless Access: set to On
- Single sign-on to Web Application: Select the check box
- Plug-in Type: Set to Windows/MAC OS X
In the Security tab, enable Default Authorization Actions and set it to ALLOW.
In the Published Application tab, enable the following settings:
- ICA Proxy: Set to ON.
- Web Interface Address: FQDN of the StoreFront server followed by the path to the store for web
- Single Sign-on Domain - NetBIOS name for the domain
Click Create.
If you are using a Classic Policy expression, in the Expression field, add the following information and click Create.
```
REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
```
If using an Advanced Policy expression, in the Expression field, add the following information and click Create.
```
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT
```
This policy is needed for the Citrix ADC to differentiate between web browser based and Citrix Workspace app based connections. This policy is applied to web browser based connections.

Create a session policy for Citrix Workspace app for Windows or Mac, and Mobile Devices on Citrix Gateway

Navigate to Citrix Gateway > Policies > Session.
In the Session Policies field, click Add.
In the Name field, type the name of the session policy. For example, Receiver_Policy.
Type in the name of the new session profile in the Configure Citrix Gateway Session Profile window.
In the Client Experience tab, enable the following settings:
- Home Page: Set to None
- Split Tunnel: Set to OFF
- Clientless Access: Set to On
- Single Sign-on to Web Application: Select the check box
- Plug-in Type: Set to Java

Client experience tab settings 1

In the Security tab, set Default Authorization Actions to ALLOW.
In the Published Application tab, enable the following settings:
- ICA Proxy: Set to ON.
- Web Interface Address: FQDN of the StoreFront server followed by the path to the store
- Single Sign-on Domain: NetBIOS name for the domain
- Account Services Address: Enter the account services address. The last back slash is important. For example, https://accounts.example.com/Citrix/Roaming/Accounts
Click Create.
If using a Classic Policy expression, in the Expression field, add the following information and click Create.
```
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
```
If using anAdvanced Policy expression, in the Expression field, add the following information and click Create.
```
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")
```
This policy is needed for the Citrix ADC to differentiate between the web browser based and Citrix Workspace app based connections. This policy is applied for Citrix Workspace app based connections.

Configure authentication on the Citrix ADC appliance

For information about configuring LDAP authentication on a Citrix ADC appliance, see Configuring LDAP Authentication.

Create Citrix Gateway virtual server and bind the session policies

Navigate to Citrix Gateway > Virtual Server and click Add to add a new virtual server.
After the virtual server is created, bind the specific session policy to the virtual server based on your company’s requirements.

Configure authentication for StoreFront

Enable the pass-through authentication from Citrix Gateway on StoreFront. For more information, see Configure the authentication service.

StoreFront must trust the issuer of the Citrix Gateway virtual server’s bound certificate (Root and or Intermediate certificates) for the Authentication Callback service.
Add Citrix Gateway to StoreFront. For more information, see Add a Citrix Gateway connection.

The Gateway URL must match exactly with what the users are typing into the web browser address bar.
Enable remote access on the StoreFront store. For more information, see Manage remote access to stores through Citrix Gateway.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Configure Citrix Gateway session policies for StoreFront

December 11, 2020

Contributed by:

December 11, 2020

Contributed by:

Configure Citrix Gateway session policies for StoreFront

Minimum requirements

Configure Citrix Gateway with StoreFront

Create a session policy for web browser based access

Create a session policy for Citrix Workspace app for Windows or Mac, and Mobile Devices on Citrix Gateway

Configure authentication on the Citrix ADC appliance

Create Citrix Gateway virtual server and bind the session policies

Configure authentication for StoreFront

In this article