Product Documentation

Using WebFront to Integrate with StoreFront

Sep 10, 2017

Overview

WebFront is a Web Application hosted on a Tomcat Container that runs on NetScaler. WebFront provides optimization and improved performance for users accessing StoreFront through Gateway using Client Browsers and Citrix Native Receivers. WebFront coexists with the Web Interface on NetScaler.

WebFront provides the following functionalities:

  • Receiver for Web Proxy
  • Transparent SSO

Receiver for Web Proxy

Receiver for Web Proxy (RfWeb) provides a way for web browsers to communicate with a store in StoreFront. Functionally, it is the same as RfWeb in StoreFront with a few optimizations like caching and packet flow optimization.

Features

For users accessing through browsers (ReceiverforWeb Proxy):

  • StoreFront’s RfWeb feature on NetScaler
  • Caches Static content and StoreFront served icons
  • Optimized packet flow for Apps/Desktop enumeration.
  • Supports HTML5 Receiver

Transparent Single Sign On (SSO)

Native Citrix Receivers currently require a minimum of 12 HTTP transactions with StoreFront to perform resource enumeration. Along with this, an authentication token size of 4K is carried along with each HTTP request. WebFront optimizes this by reducing the number of transactions from 12 to 2 and prevents the sending of the token by proxy.

Features

For users accessing through Citrix Native Receivers (Transparent SSO):

  • Caches StoreFront served icons
  • Optimized packet flow for Apps/Desktop enumeration (Data transferred over WAN reduced b1%)
  • Entire Authentication to SF is delegated to WebFront

Note

The native ICA traffic does not flow via WebFront.

Functionality

Receiver for Web Proxy

The RfWeb Proxy used with the Tomcat Web Server serves static content (HTML, CSS, JS, Static Icons, etc.) to web browsers and provides the following services:

  • Lists all applications in the store. The information returned is in JSON format.
  • Gets information for an application specified by the application ID. The information returned is in JSON format.
  • Gets an application icon specified by the icon ID. Icons are returned in PNG format.
  • Gets the launch information for a given HDX application specified by the application ID. The response is in the form of an ICA file.
  • Supports launching web/SaaS apps.
  • Powers off desktops.
  • Assigns desktops.
  • Subscribes to a given application specified by the application ID and the position in the subscribed application list.
  • Unsubscribes a given application specified by the application ID.
  • Updates subscription position for a given application specified by the application ID.

In the Workspace Control the following actions are performed:

  • Lists available sessions (includes active sessions)
  • Launches sessions
  • Disconnects user sessions
  • Loggs off user sessions
  1. Performs Single Sign On (SSO) with StoreFront using credentials from Gateway, and stores the token in the Tomcat Session cache for reuse for subsequent requests.
  2. Supports the ICA apps launch through the HTML5 Receiver client.

Icon and Static content caching

Icon and static content caching: This is done using Integrated Caching feature of NetScaler. This does not require an IC license; only a VPN license is sufficient.

Transparent SSO

Transparent SSO (single sign on) is applicable only for native Citrix Receivers.

WebFront is designed as a Java Webapp, which runs on the Tomcat v6, hosted on NetScaler. WebFront is developed using Spring MVC v3.1.2. WebFront is designed to work via Gateway with SSO on ONLY.

Installing and Configuration WebFront Using the WebFront Wizard

Installing WebFront

Prerequisites

Ensure that you have downloaded the JRE TAR files and the WebFront TAR files.

To install WebFront

  1. Navigate to System WebFront and click Install WebFront in the Getting Started section.
  2. Browse for the WebFront TAR file and the JRE TAR file that you have downloaded and then click Install.
    You can select the files from the appliance or from your local directory.
localized image

A confirmation message appears once the installation is completed successfully.

Configuring WebFront by using the WebFront Wizard

  1. Navigate to System WebFront and click WebFront Wizard in the Getting Started section.
localized image

2. Enter all mandatory details, verify, and click Continue.

3. Click Done after verifying the data.

NetScaler Gateway Virtual Server

You can either select a virtual server that is already configured for your device or you can configure a new virtual server.

To configure a virtual server

  1. Click + to add a new virtual server.
  2. Specify the NetScaler Gateway IP Address.
  3. Specify the port number.
  4. Assign a name to the virtual server.
  5. Select the Redirect requests from port 80 to secure port check box to redirect HTTP connections to an HTTPS secure connection.
  6.  Click Continue.

Trust SSL Certificate

By selecting the Browse button, you can select a certificate from the appliance or from your local directory.

From the appliance, select a certificate from the list and click Open.

Uninstalling WebFront

  1. Navigate to System>WebFront and click Uninstall WebFront in the WebFront Sites page A confirmation message appears. 
localized image

2. Click Yes.

Configuring WebFront Sites

1. Navigate to System > WebFront and click WebFront Sites in the Configuration Summary section.

localized image

2. The WebFront Sites allows the following the site operations:

Add WebFront Sites

  1. Click Add in the WebFront Sites page.
  2. Select the NetScaler virtual server to which you want to use this site.
  3. Enter all mandatory details and click Continue.
  4. Create the VPN Session Action. Enter all mandatory detail and click Continue.
  5. Click Done after verifying the configuration.

Edit WebFront Sites

  1.  Select the WebFront site and click Edit.
  2. Modify the configuration and click Continue.
  3. Enter all mandatory details and click Continue.
  4. Click Done after verifying the configuration.

Delete WebFront Sites

  1. Select the WebFront Site and  click Delete. A confirmation message appears.
  2. Click Yes.

Installing and Configuration WebFront Using the CLI Commands

Install WebFront Package

The following CLI command installs WebFront. 

command Copy

install wf package –jre <JDK location> -wf <WebFront location>

This command installs WebFront on the system. On the shell it creates a /var/wi folder if not present, and installs WebFront in the ROOT directory present in the /var/wi/tomcat/webapps folder. WebFront can coexist with Web Interface. For example, if WI is already installed, WebFront extracts itself only in the ROOT directory; all the wi sites and configuration will remain untouched. After the extraction, WebFront re-starts Tomcat if already running.

As part of the install command, WF allocates 198MB of RAM on a VPX and 576MB of RAM on an MPX, in addition to memory allocated by WI.

In order for RfWebProxy to work with CVPN, bind a ClientlessAccessPolicy, ns_cvpn_wf_policy, to VPN global during install time.

Uninstall WebFront Package

This command uninstalls WebFront from the system. 

command Copy

uninstall wf package –jre <JDK location> -wf <WebFront location>

If WI is present in the system, it will not remove the complete /var/wi directory structure - only WebFront part. If WI is not present, it will remove the whole /var/wi  folder.

Uninstall unbinds policy ns_cvpn_wf_policy from VPN global.

Show WebFront Package

This command shows the WebFront files and installation location. 

command Copy

sh wf package

This command is helpful if there is a WebFront version number change. The user sees the installed WebFront and where WebFront is installed.

Add WebFront Package

This command adds a WF site. 

command Copy

add wf site <siteName> -storefronturl <string> -storeName <string>

  [-html5Receiver <html5Receiver>] [-workspaceControl ( ON | OFF )]

   [-displayRoamingAccounts ( ON | OFF )]

  [-xframeOptions ( ALLOW | DENY )]

In PPE, a WebFront site will be created with storefront FQDN and store Name. Both the arguments are compulsory. User can change these by using the set command.

  1. It does not create a separate folder for wf site in /var/wi/tomcat/webapps directory instead it creates a soft link from /var/wi/tomcat/ROOT/<siteName> to ROOT/WEB-INF/views. This modification was done to avoid the duplication of static HTML display part. Since ever WF site is going to use the same Front End.
  2.  It also appends an entry <siteName>=<storeFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe> in the file  /var/wi/tomcat/ROOT/WEB-INF/classes/wfsite.properties. This is needed for when tomcat is restarted.
  3. Also the CLI sends HTTP POST http://127.0.0.1:8080/addsite/<SiteName> with Post body “<storeFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe>”. This instructs WF to fetch Store Service and Authentication URLs (Discovery &Endpoints) from the StoreFront.

Property Name

Description

Default Value

HTML5Receiver

Specifies whether or not to use HTML5 receiver for launching apps for all WF sites.

Possible values: 

Always – Always use only HTML5 receiver for launching apps

Fallback – Use HTML5 receiver as fallback, if launch through native receiver is not possible

Off – Never use HTML5 receiver, always use native receiver

Fallback

WorkspaceControl

Specifies whether to use or not workspace control for all WF sites.

Possible values:

On – Workspace control is enabled

Off – Workspace control is disabled

On

DisplayRoamingAccounts

Specifies whether or not to display the accounts selection screen during First Time Use of Receiver.

Possible Values:

On – Display account selection screen

Off – Do not display account selection screen.

Off

XFrameOptions

The value to be sent in the X-Frame-Options header

Possible values:

Allow - Allow displaying in a Frame

Deny - Disallow display in a Frame

Deny

rm wf site

This command removes the site (if present) from WebFront. More importantly it undoes what add wf site has done. It removes the entry from wfsite.properties and it removes the symbolic link from ROOT directory also sends http post request “POST http://127.0.0.1:8080/rmsite/<siteName>”. As always site would be removed from PPE.

command Copy

set wf site <siteName> -storeFronturl <> -storeName <>

[-html5Receiver <html5Receiver>] [-workspaceControl ( ON | OFF )]

   [-displayRoamingAccounts ( ON | OFF )]

  [-xframeOptions ( ALLOW | DENY )]

If user wants to edit the entry in already present WF site he/she can use set command. User can edit either StoreFrontFQDN or StoreName or both. It also sends http post request “POST http://127.0.0.1:8080/modsite/<SiteName>” with post body ““<storeFront URL>#<storeName>#<html5>#<workspace Control>#<session timeout>#<roamingaccounts>#<xframe>”. This change would be reflected in wfsite.properties and PPE. 

sh wf site

It will display the details of the WF site. Including the state of the WF site. The state of the site will be UP or (DOWN and reason for being DOWN, suggested remedy).

The state is got by sending a POST request to http://127.0.0.1:8080/shsite/<SiteName>. The response body will have the message to be displayed in the “Status” field.

Error Message

Cause for Failure

Suggested Remedy

INITIALIZING

WF site is still initializing

Check status of site after a few seconds

DOWN-HostUnknown

Hostname of StoreFront cannot be resolved to an IP address

Make sure the hostname is resolvable or add a dns addrec on NS

DOWN-ReqTimeout

StoreFront server cannot be reached. Request timed out while contacting SF.

Make sure SF is reachable through NSIP

DOWN-Wrong Store

StoreName specified does not exist in SF

Change the storeName to the correct storeName using the set wf site command

DOWN-SSL Error

CA used to sign SF’s server cert is not present in Java’s trusted CA store

Add the CA cert using exportcert.sh command

DOWN-SF Error

Internal Error in SF

Check error in SF through Windows Event Viewer and rectify error

DOWN-ConnReset

Connection was reset while communicating with SF

Make sure SF is reachable through NSIP

DOWN

Unknown Error occurred

Collect files described in section 13.1 and contact Tech support

Co-existence of WebFront and WebInterface(both are installed)

  1. We are disallowing the same site Name for both WF and WI. CLI will throw the error that site is already present if site by that name is already present in webapps folder and attempt is to create in its counterpart.

Steps to install and Use WF through CLI:

  1. Install WebFront on NS:
    install wf package –jre “file:///var/openjdk7.tbz” –wf “file:///var/nswf-1.0.tar”
  2. Import StoreFront’s CA cert to NS (Required only if SF is configured for https):
    shell /netscaler/wi/export_cert.sh /var/CA.cer
  3. Add a WF site: add wf site site1 –StoreFrontURL http://storefront.lab.com -storeName store 1
  4. Check status of newly added WF site and debug if state is DOWN: sh wf site site1
  5. If Site is UP, set up VPN vServer with WF: add vpn sessionaction WF_ACT –sso ON –ntDomain lab.com –wihome http://127.0.0.1:8080/site1 add vpn sessionpolicy WF_POL NS_TRUE WF_ACT
  6. Bind vpn vs VPN1 –policy WF_POL –priority 10

How to configure WF to work in the 1st pane of the 3-pane window VPN Homepage:

command Copy

Set wf site <siteName> -XFrameOptions ALLOW

This setting sets the X-Frame-Options HTTP header to Allow, making it display in an iframe (1st pane of 3-pane window).