Product Documentation

Configure Citrix Gateway Session Policies for StoreFront

This article describes how to configure NetScaler Gateway domain only authentication with StoreFront for users who are using Citrix Receiver or a web browser.

localized image

Minimum Requirements

  • Citrix StoreFront 2.x or 3.0

  • NetScaler 10.5 and higher

  • Citrix Receiver for Windows 4.x

  • Citrix Receiver for Mac 11.8 ​
  • Web browser (Receiver for Web) ​
  • Authentication configured on the NetScaler Appliance as outlined in CTX108876 - How to Configure LDAP Authentication on a NetScaler Appliance

  • SSL Certificates configured for StoreFront Server and NetScaler Gateway Appliance. For additional information on setting up SSL certificates, refer to the following Citrix Documentation: ​
    • Install and set up for StoreFront 2.6

    • Windows 2012 Server Certificates

    • To add an SSL binding to a site

    • Installing and Managing Certificates for NetScaler 10.5

Complete the following procedures to configure NetScaler Gateway with StoreFront:

localized image

NetScaler Gateway

I. The following steps details how to create the Session Policy for Web Browser Based Access.

  1. To create session policy, navigate to NetScaler Gateway > Policies > Session.

  2. In the Session Policies field, click Add.

  3. In the Name field, type the name of the Session Policy. For example, Web_Browser_Policy.

  4. Click the box with the + sign.

    localized image

  5. Type in the Name of the new Session Profile in the Configure NetScaler Gateway Session Profile window.

    localized image

  6. In the Client Experience tab, enable the following settings:

    • Enable Clientless Access and set it to Allow

    • Enable Single Sign-on to Web Application

    • Enable Plug-in Type to Windows/MAC OS X

    localized image

  7. In the Security tab, enable Default Authorization Actions and set it to ALLOW.

    localized image

  8. In the Published Application tab, enable the following settings:

    • Enable ICA Proxy and set it to ON.

    • Enable and configure Web Interface Address - FQDN of the Storefront server followed by the path to the store for web

    • Enable and configure Single Sign-on Domain - NetBIOS name for the domain

    • Click Create

      localized image

  9. If you are using Classic Policy expression, In the expression field, add the information listed below and click Create.

    REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
    

    localized image

  10. If using Advanced Policy expression, In the expression field, add the information listed below and click Create.

    HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT
    

    localized image

This policy is needed in order for the NetScaler to differentiate between web browser based and Citrix Receiver based connections. This policy will be applied to web browser based connections.

II. The following steps details how to create the Session Policy for Citrix Receiver for Windows or Mac, and Mobile Devices on NetScaler Gateway:

  1. Navigate to NetScaler Gateway > Policies > Session.

  2. In the Session Policies field, click Add.

  3. In the Name field, type the Name of the Session Policy. For example, Receiver_Policy

  4. Click the box with the + sign.

    localized image

  5. Type in the Name of the new Session Profile in the Configure NetScaler Gateway Session Profile window.

    localized image

  6. In the Client Experience tab, enable the following settings:

    localized image

    • Set the Home Page to None

    • Enable Split Tunnel and Set to OFF

    • Enable Clientless Access and set it to Allow

    • Enable Single Sign-on to Web Application

    • Set Plug-in Type to Java

    • Uncheck Client Choices

    localized image

  7. In the Security tab, enable Default Authorization Actions and set it to ALLOW.

    localized image

  8. In the Published Application tab, enable the following settings:

    • Enable ICA Proxy and set it to ON

    • Enable and configure Web Interface Address

    • FQDN of the Storefront server followed by the path to the store for web

    • Enable and configure Single Sign-on Domain - NetBIOS name for the domain

    • Enable and configure Account Services Address. The last back slash is important.

    • Click Create.

    localized image

  9. If using Classic Policy expression, In the expression field, add the information listed below and click Create.

    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

    localized image

  10. If using Advanced Policy expression, In the expression field, add the information listed below and click Create.

    HTTP.REQ.HEADER(“User-Agent”).CONTAINS(“CitrixReceiver”)​

    localized image

    This policy is needed in order for the NetScaler to differentiate between web browser based and Citrix Receiver based connections. This policy will be applied for Citrix Receiver based connections.

III. The following steps details how to configure authentication on the NetScaler appliance. Click on the following link for latest information on how to configure LDAP authentication on the NetScaler appliance.

IV. The following steps details how to create NetScaler Gateway Virtual Server and bind the Session Policies.

  1. Navigate to NetScaler Gateway > Virtual Server and click Add to add a new virtual server.

    localized image

  2. After the virtual server is created, bind the specific session policy to the virtual server based on your company’s requirements.

StoreFront

V. The following steps details how to configure authentication for StoreFront.

  1. Enable the pass-through authentication from NetScaler Gateway on StoreFront. For more information, refer to Citrix Documentation - Create and configure the authentication service.

    StoreFront must trust the issuer of the NetScaler Gateway virtual server’s bound certificate (Root and/or Intermediate certificates) for the Authentication Callback service.

  2. Add NetScaler Gateway to StoreFront. For more information, refer to Citrix Documentation - Add a NetScaler Gateway connection.

    The Gateway URL must match exactly what the users are typing into the web browser address bar.

  3. Enable remote access on the StoreFront store. For more information, refer to Citrix Documentation - Manage remote access to stores through NetScaler Gateway.

Configure Citrix Gateway Session Policies for StoreFront

In this article