StoreFront

StoreFront authenticates users to sites hosting resources and manages stores of applications and desktops that users access. It hosts your enterprise application store, which lets you give users self-service access to app and desktops you make available to them. It also keeps track of users’ application subscriptions, shortcut names, and other data to ensure they have a consistent experience across multiple devices.

When users connect from outside the corporate firewall, Citrix Cloud can use Citrix Gateway (formerly NetScaler Gateway) technology to secure these connections with SSL. Citrix Gateway or the Citrix VPX virtual appliance is an SSL VPN appliance that is deployed in the demilitarized zone (DMZ). It provides a single secure point of access through the corporate firewall.

There are three primary use cases for setting up StoreFront with Citrix Cloud:

  1. A cloud-hosted StoreFront: The applications and desktops service in Citrix Cloud hosts a StoreFront site for each customer. The benefit of the cloud-hosted StoreFront is that there is zero effort to deploy, and it is kept evergreen by Citrix. Cloud-hosted is recommended for all new customers, previews, and proofs-of-concept.
  2. An on-premises StoreFront: Customers may also use an existing StoreFront to aggregate applications and desktops in Citrix Cloud. This use case offers greater security, including support for two-factor authentication and prevents users from entering their password into the cloud service. It also allows customers to customize their domain names and URLs. This deployment type is recommended for any existing Citrix Virtual Apps and Desktops customers who already have StoreFront deployed.
  3. A combination on-premises StoreFront and cloud-hosted StoreFront.

Each scenario is laid out below.

Use Case #1: Cloud-hosted StoreFront

Important

These steps are for existing Citrix Virtual Apps and Desktops service customers.

For new (from December 2017) Citrix Virtual Apps and Desktops service customers, see Workspace Configuration.

Access to the cloud-hosted StoreFront is via https://<customername>.xendesktop.net/Citrix/StoreWeb/. There is no additional configuration needed. Cloud StoreFront is ready to be used.

To provide remote access for end-users through a cloud-hosted StoreFront, you can use either Citrix Gateway service or use your own Citrix Gateway.

Use Citrix Gateway service

  1. In the Citrix Cloud > XenApp and XenDesktop Service menu, choose Manage > Service Delivery. The Service Delivery screen appears.
  2. Enable NetScaler Gateway.
  3. Click Use cloud hosted NetScaler Gateway Service.

Use your own Citrix Gateway

  1. Set up Citrix Gateway as an ICA Proxy (No authentication or session policies are needed). Configure in Manage > Service Delivery.
  2. Bind Citrix Cloud Connectors as Secure Ticket Authority (STA) servers to Citrix Gateway.
  3. Set Citrix Gateway (FQDN:PORT) in Manage > Service Delivery. Do not add a protocol. Ports are optional. Note: Combination remote and internal access is not supported in a cloud-hosted StoreFront.

Note:

For more information on the Citrix Gateway service, and on configuring your own Citrix Gateway, see Citrix Gateway.

Manage service delivery image

Use Case #2: On-premises StoreFront

For details on configuring an on-premises StoreFront, see the StoreFront documentation.

One benefit of using an existing StoreFront is that the Citrix Cloud Connector provides encryption of user passwords. Credentials are encrypted by the connector using AES-256, using a random-generated one-time key. This key is returned directly to Citrix Workspace app and never sent to the cloud. Citrix Workspace app then supplies it to the VDA during session launch to decrypt the credentials and provide a single sign-on experience into Windows.

  • For transport, select HTTP and port 80. The StoreFront machine must be able to directly access the connector through the FQDN (fully qualified domain name) provided. The connector must be able to reach the Cloud NFuse/STA URL at (https://<customername\>.xendesktop.net/Scripts/wpnbr.dll and ctxsta.dll).
  • Add Cloud Connectors as Delivery Controllers for high availability.

Recommendation

Use the most recent version of StoreFront.

External access

To provide external access through Citrix Gateway and on-premises StoreFront:

  • Set up Citrix Gateway as in a usual deployment with authentication and session policies. See the Citrix Gateway documentation for more information.
  • Point your on-premises StoreFront Store’s Delivery Controllers to the Citrix Cloud Connectors.
  • Bind Citrix Cloud Connectors as STA servers to Citrix Gateway.
  • The Citrix Gateway must use the same STA URLs as StoreFront. If the gateway is not already configured to use the STA of an existing Citrix Virtual Apps and Desktops environment, Citrix Cloud Connectors may be used as a STA.

Internal access

To provide internal access through an on-premises StoreFront:

  • Point the on-premises StoreFront store’s Delivery Controllers to the Citrix Cloud Connectors.

External and internal access

To provide external and internal access through Citrix Gateway and on-premises StoreFront:

  • Set up Citrix Gateway as in a usual deployment (with authentication and session policies). See the Citrix Gateway documentation for more information.
  • Bind Citrix Cloud Connectors as STA servers to Citrix Gateway.
  • Point on-premises StoreFront Store’s Delivery Controllers to the Citrix Cloud Connectors.

Use Case #3: On-premises StoreFront and Cloud hosted StoreFront

To provide external access through cloud-hosted StoreFront and Citrix Gateway with on-premises StoreFront:

  • Set up Citrix Gateway as you would in a usual deployment (with authentication and session policies). See the Citrix Gateway documentation for more information.
  • Point your on-premises StoreFront Store’s Delivery Controllers to the Citrix Cloud Connectors.
  • Bind Citrix Cloud Connectors as STA servers to Citrix Gateway.
  • Set Citrix Gateway (FQDN:PORT) in Manage > Service Delivery. Do not add a protocol. Ports are optional.

To provide internal access through cloud-hosted and on-premises StoreFront:

  • Point the on-premises StoreFront Store’s Delivery Controllers to the Citrix Cloud Connectors.

To provide external and internal access:

  • Cloud-hosted StoreFront can only be used for external or internal access.
  • Use Citrix Gateway for external access and on-premises StoreFront for internal access (same as Use Case #2 with external and internal access).
    • Set up Citrix Gateway as in usual deployment (with authentication and session policies).
    • Bind Citrix Cloud Connectors as STA servers to Citrix Gateway.
    • Point on-premises StoreFront Store’s Delivery Controllers to the Citrix Cloud Connectors.