Configure Citrix Gateway session policies for StoreFront
This article describes how to configure a Citrix Gateway domain only authentication with StoreFront for users who are using Citrix Workspace app or a web browser.
Minimum requirements
-
Citrix StoreFront 2.x or 3.0
-
Citrix ADC 10.5 and higher
-
Citrix Workspace app for Windows 4.x
-
Citrix Workspace app for Mac 11.8
-
Web browser (Citrix Workspace app for Web)
-
Authentication configured on the Citrix ADC appliance as outlined in CTX108876 - How to Configure LDAP Authentication on a Citrix ADC appliance
-
SSL Certificates configured for StoreFront Server and Citrix Gateway. For details on the following topics, see StoreFront Documentation.
- Install and set up for StoreFront 2.6
-
Windows 2012 Server Certificates
-
To add an SSL binding to a site
-
Installing and Managing Certificates for Citrix ADC appliance 10.5
-
Configure Citrix Gateway with StoreFront
Create a session policy for web browser based access
-
To create session policy, navigate to Citrix Gateway > Policies > Session.
-
In the Session Policies field, click Add.
-
In the Name field, type the name of the Session Policy. For example, Web_Browser_Policy.
-
Click the box with the + sign.
-
For details on configuring expressions in session policies, see To configure expressions in session policies.
-
Click Create, and then click Close.
-
Click Session Profiles in the Citrix Gateway Session Policies and Profiles page.
-
Type in the name of the new session profile in the Configure Citrix Gateway Session Profile window.
You can check the Override Global check boxes under all tabs to overwrite the inherited values from the global Citrix Gateway parameters. In the configuration example, details about only the mandatory parameters are included.
-
In the Client Experience tab, enable the following settings:
-
Clientless Access: set to On
-
Single sign-on to Web Application: Select the check box
-
Plug-in Type: Set to Windows/MAC OS X
-
-
In the Security tab, enable Default Authorization Actions and set it to ALLOW.
-
In the Published Application tab, enable the following settings:
-
ICA Proxy: Set to ON.
-
Web Interface Address: FQDN of the StoreFront server followed by the path to the store for web
-
Single Sign-on Domain - NetBIOS name for the domain
-
-
Click Create.
-
If you are using a Classic Policy expression, in the Expression field, add the following information and click Create.
REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
-
If using an Advanced Policy expression, in the Expression field, add the following information and click Create.
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOTImportant:
To use “NOT” in an expression, you must select the NOT operator.
Example: HTTP.REQ.HEADER(“100”).CONTAINS(“CitrixReceiver”).NOT
This policy is needed for the Citrix ADC to differentiate between the web browser based and Citrix Workspace app based connections. This policy is applied for Citrix Workspace app based connections.
-
In the Name field, type the name of the session policy. For example, Receiver_Policy.
-
Type in the name of the new session profile in the Configure Citrix Gateway Session Profile window.
-
In the Client Experience tab, enable the following settings:
-
Home Page: Set to None
-
Split Tunnel: Set to OFF
-
Clientless Access: Set to On
-
Single Sign-on to Web Application: Select the check box
-
Plug-in Type: Set to Java
-
-
In the Security tab, set Default Authorization Actions to ALLOW.
-
In the Published Application tab, enable the following settings:
-
ICA Proxy: Set to ON.
-
Web Interface Address: FQDN of the StoreFront server followed by the path to the store
-
Single Sign-on Domain: NetBIOS name for the domain
-
Account Services Address: Enter the account services address. The last back slash is important. For example,
https://accounts.example.com/Citrix/Roaming/Accounts
-
-
Click Create.
-
If using a Classic Policy expression, in the Expression field, add the following information and click Create.
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
-
If using anAdvanced Policy expression, in the Expression field, add the following information and click Create.
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")
This policy is needed for the Citrix ADC to differentiate between the web browser based and Citrix Workspace app based connections. This policy is applied for Citrix Workspace app based connections.
Configure authentication on the Citrix ADC appliance
For information about configuring LDAP authentication on a Citrix ADC appliance, see Configuring LDAP Authentication.
Create Citrix Gateway virtual server and bind the session policies
-
Navigate to Citrix Gateway > Virtual Server and click Add to add a new virtual server.
-
After the virtual server is created, bind the specific session policy to the virtual server based on your company’s requirements.
Configure authentication for StoreFront
-
Enable the pass-through authentication from Citrix Gateway on StoreFront. For more information, see Configure the authentication service.
StoreFront must trust the issuer of the Citrix Gateway virtual server’s bound certificate (Root and or Intermediate certificates) for the Authentication Callback service.
-
Add Citrix Gateway to StoreFront. For more information, see Add a Citrix Gateway connection.
The Gateway URL must match exactly with what the users are typing into the web browser address bar.
-
Enable remote access on the StoreFront store. For more information, see Manage remote access to stores through Citrix Gateway.