StoreFront

StoreFront authenticates users to sites hosting resources and manages stores of applications and desktops that users access. It hosts your enterprise application store, which lets you give users self-service access to the apps and desktops you make available to them. It also keeps track of users’ application subscriptions, shortcut names, and other data to ensure they have a consistent experience across multiple devices.

When users connect from outside the corporate firewall, Citrix Cloud can use Citrix Gateway (formerly NetScaler Gateway) technology to secure these connections with SSL. Citrix Gateway or the Citrix VPX virtual appliance is an SSL VPN appliance that is deployed in the demilitarized zone (DMZ). It provides a single secure point of access through the corporate firewall.

There are three primary use cases for setting up access to applications and desktops with Citrix Cloud:

  • Citrix Workspace: The Virtual Apps and Desktops service includes access to Citrix Workspace for delivering applications and desktops to end-users. The primary benefit of Workspace is that there is zero effort to deploy and it is kept evergreen by Citrix. Workspace is recommended for new and existing customers, previews, and proofs-of-concept.
  • An on-premises StoreFront: Customers may also use an existing StoreFront to aggregate applications and desktops in Citrix Cloud. This use case offers greater security, including support for two-factor authentication, and prevents users from entering their password into the cloud service. It also allows customers to customize their domain names and URLs. This deployment type is recommended for any Citrix Virtual Apps and Desktops customers who already have StoreFront deployed.

Use Case #1: Citrix Workspace

Access to Workspace is via https://<customername>.cloud.com. If needed, you can customize the <customername> portion of the workspace URL. You can then configure the connectivity for each resource location you want to use so end-users can access the resources in their workspace. End-users access their workspace using the latest version of Citrix Receiver or Citrix Workspace app.

For more information about using Workspace, see the following articles:

  • Workspace Configuration: For configuring access and authentication, and customizing the appearance for end-users.
  • Workspace experience: For understanding how end-users access their workspace and how it will appear.

To provide remote access for end-users through Workspace, you can use either the Citrix Gateway service or your own Citrix Gateway.

Use Citrix Gateway service

  1. In Citrix Cloud > Resource Locations, select Gateway for the resource location you want to use.
  2. Select Gateway Service and then click Save.
  3. In Citrix Cloud > Workspace Configuration > Service Integrations, locate the Gateway service and select Enable from the ellipsis menu.

Use your own Citrix Gateway

  1. Set up Citrix Gateway as an ICA Proxy (no authentication or session policies are needed).
  2. Configure a resource location to use Citrix Gateway:
       • In Citrix Cloud > Resource Locations, select Gateway for the resource location you want to use.
       • Select Traditional Gateway and enter the external FQDN. Do not add a protocol. Ports are optional. Combination remote and internal access is not supported in Workspace.
  3. Bind Citrix Cloud Connectors as Secure Ticket Authority (STA) servers to Citrix Gateway. For more information, see CTX232640.

Note:

For more information on the Citrix Gateway service, and on configuring your own Citrix Gateway, see Citrix Gateway.

Use Case #2: On-premises StoreFront

For details on configuring an on-premises StoreFront, see the StoreFront documentation.

One benefit of using an existing StoreFront is that the Citrix Cloud Connector provides encryption of user passwords. The Cloud Connector encrypts credentials using AES-256 with a randomly generated one-time key. This key is returned directly to Citrix Workspace app and never sent to the cloud. Citrix Workspace app then supplies it to the VDA during session launch to decrypt the credentials and provide a single sign-on experience into Windows.

  • For transport, select HTTP and port 80. The StoreFront machine must be able to directly access the Cloud Connector through the FQDN (fully qualified domain name) provided. The Cloud Connector must be able to reach the Cloud NFuse/STA URL at (https://<customername>.xendesktop.net/Scripts/wpnbr.dll and ctxsta.dll).
  • Add Cloud Connectors as Delivery Controllers for high availability.

Recommendation

Use the most recent version of StoreFront.

External access

To provide external access through Citrix Gateway and on-premises StoreFront:

  • Set up Citrix Gateway as in a usual deployment with authentication and session policies. See the Citrix Gateway documentation for more information.
  • Point your on-premises StoreFront Store’s Delivery Controllers to the Citrix Cloud Connectors. Bind Cloud Connectors as STA servers to Citrix Gateway.
  • The Citrix Gateway must use the same STA URLs as StoreFront. If the gateway is not already configured to use the STA of an existing Citrix Virtual Apps and Desktops environment, Cloud Connectors may be used as an STA.
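
The requirement that Citrix Gateway and StoreFront use the same STA URLs can be checked offline by comparing the STA lists taken from each side. The following is an added example, not Citrix code: the hostnames are constructed placeholders, and treating a URL with no path as the same STA as one ending in /Scripts/CtxSTA.dll is an assumption of this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Assumption of this example: a URL with no path refers to this endpoint.
STA_PATH = "/scripts/ctxsta.dll"


def normalize_sta(url):
    """Reduce an STA URL to (scheme, host, port) so cosmetic differences are ignored."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) STA URL: {url!r}")
    path = parts.path.rstrip("/").lower()
    if path not in ("", STA_PATH):
        raise ValueError(f"unexpected STA path in {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.rstrip("."), port)


def compare_sta_lists(gateway_urls, storefront_urls):
    """Return the STAs configured on only one side; two empty lists mean a match."""
    gw = {normalize_sta(u): u for u in gateway_urls}
    sf = {normalize_sta(u): u for u in storefront_urls}
    return {
        "gateway_only": sorted(gw[k] for k in gw.keys() - sf.keys()),
        "storefront_only": sorted(sf[k] for k in sf.keys() - gw.keys()),
    }


# Constructed sample configuration (placeholder hostnames, not from the page).
GATEWAY_STAS = [
    "http://cc01.corp.example",
    "http://CC02.corp.example:80/Scripts/CtxSTA.dll",
    "http://oldddc.corp.example",          # stale entry left on the gateway
]
STOREFRONT_STAS = [
    "http://cc01.corp.example/scripts/ctxsta.dll",
    "http://cc02.corp.example",
    "https://cc03.corp.example",           # added on StoreFront only
]

if __name__ == "__main__":
    for side, urls in compare_sta_lists(GATEWAY_STAS, STOREFRONT_STAS).items():
        for url in urls:
            print(f"{side}: {url}")
```

Scheme is part of the comparison key, so an STA reached over HTTP on one side and HTTPS on the other is reported as a mismatch rather than silently accepted.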

Internal access

To provide internal access through an on-premises StoreFront, point the on-premises StoreFront store’s Delivery Controllers to the Citrix Cloud Connectors.

External and internal access

To provide external and internal access through Citrix Gateway and on-premises StoreFront:

  • Set up Citrix Gateway as in a usual deployment (with authentication and session policies). See the Citrix Gateway documentation for more information.
  • Bind Cloud Connectors as STA servers to Citrix Gateway.
  • Point on-premises StoreFront Store’s Delivery Controllers to the Cloud Connectors.