In VPN configuration on a Citrix Gateway appliance
In Citrix Gateway 13.1
In Citrix Gateway
In All products
Product documentation
In VPN configuration on a Citrix Gateway appliance
In Citrix Gateway 13.1
In Citrix Gateway
In All products
Citrix Gateway
Current Release 13.0 12.1
View PDF

Configure Citrix Gateway session policies for StoreFront

July 13, 2021
Contributed by: 
C

This article describes how to configure a Citrix Gateway domain only authentication with StoreFront for users who are using Citrix Workspace app or a web browser.

StoreFront setup

Minimum requirements

  • Citrix StoreFront 2.x or 3.0

  • Citrix ADC 10.5 and higher

  • Citrix Workspace app for Windows 4.x

  • Citrix Workspace app for Mac 11.8

  • Web browser (Citrix Workspace app for Web)

  • Authentication configured on the Citrix ADC appliance as outlined in CTX108876 - How to Configure LDAP Authentication on a Citrix ADC appliance

  • SSL Certificates configured for StoreFront Server and Citrix Gateway. For details on the following topics, see StoreFront Documentation.

    ​- Install and set up for StoreFront 2.6

    • Windows 2012 Server Certificates

    • To add an SSL binding to a site

    • Installing and Managing Certificates for Citrix ADC appliance 10.5

Procedures to complete

Create a session policy for web browser based access

  1. Navigate to Citrix Gateway > Policies > Session.

  2. In Session Policies tab, click Add.

  3. In Name, type the name of the session policy. For example, Web_Browser_Policy.

  4. In Profile, click Add.

    Add session policy

  5. In the Configure Citrix Gateway Session Profile window, add a name to the session profile.

    Session policy details

    You can check the Override Global check boxes under all tabs to overwrite the inherited values from the global Citrix Gateway parameters. In the configuration example, details about only the mandatory parameters are included.

  6. In the Client Experience tab, enable the following settings:

    • Clientless Access: set to On

    • Single sign-on to Web Application: Select the check box

    • Plug-in Type: Set to Windows/MAC OS X

    Client experience tab settings 1

  7. In the Security tab, enable Default Authorization Actions and set it to ALLOW.

    Security tab settings

  8. In the Published Application tab, enable the following settings:

    • ICA Proxy: Set to ON.

    • Web Interface Address: FQDN of the StoreFront server followed by the path to the store for web

    • Single Sign-on Domain - NetBIOS name for the domain

    Published applications tab settings

  9. Click Create.

  10. If you are using a classic policy expression, in the Expression field, add the following expression, and then click Create.

    REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
<!--NeedCopy-->

    Classic policy sample

  11. If using an advanced policy expression, in the Expression field, add the following expression, and then click Create.

    HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT
<!--NeedCopy-->

    Important:

    To use “NOT” in an expression, you must select the NOT operator.

    Example: HTTP.REQ.HEADER("100").CONTAINS("CitrixReceiver").NOT

    Advanced policy sample

    This policy is needed for the Citrix ADC to differentiate between the web browser based and Citrix Workspace app based connections. This policy is applied to web browser based connections.

Create a session policy for Citrix Workspace app based access

Perform the following steps to create a session policy for Citrix Workspace app based access.

  1. To create session policy, navigate to Citrix Gateway > Policies > Session.

  2. In Session Policies tab, click Add.

  3. In Name, type the name for the session policy. For example, Web_Browser_Policy.

  4. In Profile, click Add.

  5. In the Create Citrix Gateway Session Profile window, add a name to the session profile.

    You can check the Override Global check boxes under all tabs to overwrite the inherited values from the global Citrix Gateway parameters. In the configuration example, details about only the mandatory parameters are included.

  6. In the Client Experience tab, enable the following settings:

    • Home Page: Set to none

    • Split Tunnel: Set to Off

    • Clientless Access: Set to On

    • Plug-in Type: Set to Java

    • Single sign-on to Web Application: Select the check box

  7. Click Advanced Settings clear the Client Choices check box.

  8. In the Security tab, enable Default Authorization Actions and set it to ALLOW.

  9. In the Published Application tab, enable the following settings:

    • ICA Proxy: Set to ON.

    • Web Interface Address: FQDN of the StoreFront server followed by the path to the store for web

    • Single Sign-on Domain - NetBIOS name for the domain

    • Account Services Address: Enter the account services address. The last back slash is important. For example, https://sfcitrix.com/.

    Published applications tab settings

  10. Click Create.

  11. If you are using a classic policy expression, in the Expression field, add the following expression, and then click Create.

    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
<!--NeedCopy-->

  12. If using an advanced policy expression, in the Expression field, add the following expression, and then click Create.

    HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")
<!--NeedCopy-->

    This policy is needed for the Citrix ADC to differentiate between the Citrix Workspace app based and web browser based connections. This policy is applied to Citrix Workspace app based connections.

Configure authentication on the Citrix ADC appliance

For information about configuring LDAP authentication on a Citrix ADC appliance, see Configuring LDAP Authentication.

Create Citrix Gateway virtual server and bind the session policies

  1. Navigate to Citrix Gateway > Virtual Server and click Add to add a new virtual server.

  2. After the virtual server is created, bind the specific session policy to the virtual server based on your company’s requirements.

Configure authentication for StoreFront

  1. Enable the pass-through authentication from Citrix Gateway on StoreFront. For more information, see Configure the authentication service.

    StoreFront must trust the issuer of the Citrix Gateway virtual server’s bound certificate (Root and or Intermediate certificates) for the Authentication Callback service.

  2. Add Citrix Gateway to StoreFront. For more information, see Add a Citrix Gateway connection.

    The Gateway URL must match exactly with what the users are typing into the web browser address bar.

  3. Enable remote access on the StoreFront store. For more information, see Manage remote access to stores through Citrix Gateway.

Configure Citrix Gateway session policies for StoreFront
July 13, 2021
Contributed by: 
C
July 13, 2021
Contributed by: 
C

In this article

Site feedback | Privacy and legal terms | Cookie preferences | Consent settings
© 1999- Citrix Systems, Inc. All rights reserved.