Manage remote access to stores through Citrix Gateway
Use the Remote Access Settings task to configure access to stores through Citrix Gateway for users connecting from public networks. Remote access through a Citrix Gateway cannot be applied to unauthenticated stores.
In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
Select the Stores node in the right pane of the Citrix StoreFront management console and, in the results pane, select a store. In the Actions pane, click Configure Remote Access Settings.
In the Configure Remote Access Settings dialog box, specify whether and how users connecting from public networks can access the store through Citrix Gateway.
- To make the store unavailable to users on public networks, do not check Enable remote access. Only local users on the internal network will be able to access the store.
- To enable remote access, check Enable Remote Access.
- To make resources delivered through the store available through Citrix Gateway, select No VPN tunnel. Users log on using either ICAProxy or clientless VPN (cVPN) to Citrix Gateway and do not need to use the Citrix Gateway plug-in to establish a full VPN.
- To make the store and other resources on the internal network available through a Secure Sockets Layer (SSL) virtual private network (VPN) tunnel, select Full VPN tunnel. Users require the Citrix Gateway plug-in to establish the VPN tunnel.
When you enable remote access to the store, the Pass-through from Citrix Gateway authentication method is automatically enabled. Users authenticate to Citrix Gateway and are automatically logged on when they access their stores.
If you enabled remote access, select from the Citrix Gateway appliances list the deployments through which users can access the store. Any deployments you configured previously for this and other stores are available for selection in the list. If you want to add a further deployment to the list, click Add. Otherwise, continue to Step 14.
On the General Settings page, specify a Display name for the Citrix Gateway appliance that will help users to identify it.
Users see the display name you specify in Citrix Workspace app, so include relevant information in the name to help users decide whether to use that gateway. For example, you can include the geographical location in the display names for your Citrix Gateway deployments so that users can easily identify the most convenient or closest gateway to their location.
For Citrix Gateway URL, type the URL:port combination of the Citrix Gateway virtual server for your deployment. If a port is not specified, then the default https:// port of 443 is used. It is not necessary to specify port 443 in the URL.
Select the usage of the Citrix Gateway from the available options.
- Authentication and HDX routing: The Citrix Gateway will be used for Authentication, as well as for routing any HDX sessions.
- Authentication Only: The Citrix Gateway will be used for Authentication and not for any HDX session routings.
- HDX routing Only: The Citrix Gateway will be used for HDX session routings and not for Authentication.
For all deployments where you are making resources provided by Citrix Virtual Apps and Desktops or XenApp 6.5 available in the store, on the Secure Ticket Authority page list the Secure Ticket Authority (STA) URLs for servers running the STA. Add URLs for multiple STAs to enable fault tolerance, listing the servers in order of priority to set the failover sequence.
The STA is hosted on Citrix Virtual Apps and Desktops, or XenApp 6.5 servers and issues session tickets in response to connection requests. These session tickets form the basis of authentication and authorization for access to Citrix Virtual Apps and Desktops, or XenApp 6.5 resources. Use the correct STA URL (such as HTTP://) depending on how your Delivery Controllers are configured. The STA URL must also be identical to the one configured within Citrix Gateway on your virtual server.
In a Citrix Virtual Apps and Desktops on-premises environment, Shared secret lets you allow only approved StoreFront machines to communicate with Secure Ticket Authority (STA) by specifying a key. For information about key generation and configuration, see Manage security keys.
In a Citrix Virtual Apps and Desktops service environment, Shared secret lets you allow only approved StoreFront machines to communicate with Citrix Cloud by specifying a key. For information about key generation, see Manage security keys.
Choose to set the Secure Ticket Authority to be load balanced. You can also specify the time interval after which the non-responding STAs are bypassed.
To ensure Citrix Virtual Apps and Desktops, or XenApp 6.5 keep disconnected sessions open while Citrix Workspace app attempts to reconnect automatically, select Enable session reliability.
If you configure multiple STAs and want to ensure that session reliability is always available, select Request tickets from two STAs, where available. Then StoreFront obtains session tickets from two different STAs and user sessions are not interrupted if one STA becomes unavailable during the course of the session. If, for any reason, StoreFront is unable to contact two STAs, it falls back to using a single STA.
On the Authentication Settings page, type the VServer IP address (VIP) of the Citrix Gateway appliance.
Use the private IP address for the Citrix Gateway virtual server rather than the public IP address that is NATed to the private IP address. Gateways are usually identified by StoreFront via their URLs. If you are using global server load balancing (GSLB), you must add the VIP to each gateway. This allows StoreFront to identify multiple gateways which all use the same URL (GSLB domain name) as distinct gateways. For example, three gateways may be configured for the store with the same URL such as https://gslb.domain.com but would each have unique VIPs configured such as 10.0.0.1, 10.0.0.2 and 10.0.0.3.
If you are adding an appliance running Citrix Gateway, select from the Logon type list the authentication method you configured on the appliance for Citrix Workspace app users.
- If users are required to enter their Microsoft Active Directory domain credentials, select Domain.
- If users are required to enter a tokencode obtained from a security token, select Security token.
- If users are required to enter both their domain credentials and a tokencode obtained from a security token, select Domain and security token.
- If users are required to enter a one-time password sent by text message, select SMS authentication.
- If users are required to present a smart card and enter a PIN, select Smart card.
If you configure smart card authentication with a secondary authentication method to which users can fall back if they experience any issues with their smart cards, select the secondary authentication method from the Smart card fallback list.
If you are configuring StoreFront for Citrix Gateway and want to use Smart Access, then you must type a Callback URL. StoreFront automatically appends the standard portion of the URL. Enter the internally accessible URL of the appliance. StoreFront contacts the Citrix Gateway authentication service to verify that requests received from Citrix Gateway originate from that appliance.
When using GSLB, we recommend that you configure unique callback URLs for each of your GSLB gateways. StoreFront must be able to resolve each of the unique Callback URLs to the private VIPs configured for each of the GSLB gateway virtual servers. For example, apacgateway.domain.com should resolve to the correct gateway VIP.
Click Create to add your Citrix Gateway appliance to the list in the Remote Access Settings dialog box.
Information about the configuration of your Citrix Gateway appliances is saved to the .cr provisioning file for the store. This enables Citrix Workspace app to send the appropriate connection request when contacting appliances for the first time.
Repeat Steps 4 to 13, as necessary, to add more Citrix Gateway appliances to the Citrix Gateway appliances list. If you enable access through multiple appliances by selecting more than one entry in the list, specify the Default appliance to be used to access the store.
Click OK to save the configuration and close the Configure Remote Access dialog.
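Several rules in the steps above can be checked on a planned set of gateway entries before anything is typed into the console: an omitted port means 443, GSLB gateways sharing one URL each need their own private VIP and callback URL, each callback host must resolve to its VIP, and the STA URLs must be identical to those on the gateway virtual server. The following Python script is an added example, not Citrix code; the dictionary schema, the sample hosts and addresses, and the reading of "private" as RFC 1918 space are assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: "private IP address" is read as RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def gateway_key(url):
    """Normalise a gateway URL; an omitted port means the https default, 443."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port or 443)

def check_plan(gateways, resolve):
    """Return sorted findings. resolve: host -> IP as seen from the StoreFront server."""
    findings, groups = [], defaultdict(list)
    for gw in gateways:
        name, vip = gw["name"], gw.get("vip")
        groups[gateway_key(gw["url"])].append(gw)
        if vip and not any(ipaddress.ip_address(vip) in net for net in RFC1918):
            findings.append(f"{name}: VIP {vip} is not a private address")
        if gw.get("callback"):
            host = urlsplit(gw["callback"]).hostname
            if resolve(host) != vip:
                findings.append(f"{name}: callback host {host} does not resolve to VIP {vip}")
        if set(gw["sta"]) != set(gw["appliance_sta"]):
            findings.append(f"{name}: STA URLs differ from the gateway virtual server")
    for (_, host, _), members in groups.items():
        if len(members) > 1:  # several gateways behind one URL, i.e. GSLB
            for field in ("vip", "callback"):
                values = [m.get(field) for m in members]
                if None in values or len(set(values)) < len(values):
                    findings.append(f"{host}: gateways sharing this URL need a unique {field} each")
    return sorted(findings)

# Constructed sample plan (hypothetical schema; hosts and addresses are placeholders).
STA = ["https://sta1.domain.com", "https://sta2.domain.com"]
DNS = {"apacgateway.domain.com": "10.0.0.1", "emeagateway.domain.com": "10.0.0.2"}
PLAN = [
    {"name": "APAC", "url": "https://gslb.domain.com", "vip": "10.0.0.1",
     "callback": "https://apacgateway.domain.com", "sta": STA, "appliance_sta": STA},
    {"name": "EMEA", "url": "https://gslb.domain.com:443", "vip": "10.0.0.2",
     "callback": "https://emeagateway.domain.com", "sta": STA,
     "appliance_sta": ["http://sta1.domain.com", "https://sta2.domain.com"]},
]

if __name__ == "__main__":
    for finding in check_plan(PLAN, DNS.get):
        print(finding)
```

In the sample, the two entries are grouped as one GSLB URL even though only one spells out port 443, and the only finding is the EMEA STA list, where one URL uses http on the appliance and https in StoreFront.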