User access options
Three different methods are available for users to access StoreFront stores.
- Citrix Workspace app installed locally - Users with compatible versions of Citrix Workspace app can access StoreFront stores within the Citrix Workspace app user interface. This provides the best user experience and the greatest functionality.
- Citrix Workspace app for HTML5 - Users with compatible web browsers can access StoreFront stores by browsing to the store’s website. By default, users also require a compatible version of Citrix Workspace app to access their desktops and applications, known as hybrid launch. However, you can configure your website to enable users to access their resources through their browser without installing Citrix Workspace app.
- XenApp Services URLs - Users who have legacy Citrix clients that cannot be upgraded, can access stores using the XenApp Services URL for the store. When you create a new store, the XenApp Services URL is enabled by default.
Citrix Workspace app installed locally
Accessing stores from the locally installed Citrix Workspace app provides the best user experience. For the Citrix Workspace app versions that can be used to access stores in this way, see System Requirements.
Citrix Workspace app uses internal and external URLs as beacon points. By attempting to contact these beacon points, Citrix Workspace app can determine whether users are connected to local or public networks. When a user accesses a desktop or application, the location information is passed to the server providing the resource so that appropriate connection details can be returned to Citrix Workspace app. This enables Citrix Workspace app to ensure that users are not prompted to log on again when they access a desktop or application. For more information, see Configure beacon points.
After installation, Citrix Workspace app must be configured with connection details for the stores providing users’ desktops and applications. You can make the configuration process easier for your users by providing them with the required information in one of the following ways.
By default, Citrix Workspace app requires HTTPS connections to stores. If StoreFront is not configured for HTTPS, users must carry out additional configuration steps to use HTTP connections. Citrix strongly recommends that you do not enable unsecured user connections to StoreFront in a production environment. For more information, see Store configuration parameters in the Citrix Workspace app for Windows documentation.
Users can connect Citrix Workspace app to their store by entering the store URLs into Citrix Workspace app. For more information, see the Citrix Workspace app documentation.
You can provide users with provisioning files containing connection details for their stores. After installing Citrix Workspace app, users open the .cr file to automatically configure accounts for the stores. By default, the website offers users a provisioning file for the single store for which the site is configured. You could instruct your users to visit the websites for the stores they want to access and download provisioning files from those sites. Alternatively, for a greater level of control, you can use the Citrix StoreFront management console to generate provisioning files containing connection details for one or more stores. You can then distribute these files to the appropriate users. For more information, see Export store provisioning files for users.
For users running macOS, you can use the Citrix Workspace app for Mac Setup URL Generator to create a URL containing connection details for a store. After installing Citrix Workspace app, users click on the URL to configure an account for the store automatically. Enter details of your deployment into the tool and generate a URL that you can distribute to your users.
With email-based account discovery, instead of needing to know the access details for their stores, users enter their email addresses during the Citrix Workspace app initial configuration process. For details of how to set this up see Email based account discovery.
Use the Global App Config Service to configure Citrix Workspace app for your StoreFront stores. See Configure settings for on-premises stores.
Citrix Workspace app for HTML5
As an alternative to using a locally installed Workspace app, users can access their store through a web browser with Workspace app for HTML5. When users come to launch their resources there are two possibilities.
Resources launch within locally installed Citrix Workspace App. This is known as a hybrid launch. This gives users the best experience as it can take advantage of full operating system integration. For more details see Hybrid launch
Resources launch within the browser. This makes it possible for users to access resources without needing to install any software locally.
The default configuration is to require that Citrix Workspace app is installed locally for a hybrid launch. You can change the configuration to either always launch resources in the browser or to give the user the choice. See Deploy Workspace app.
If the admin selected Use Receiver for HTML5 if local Receiver is unavailable then when the user first opens the store website in their browser, the user has the option to click Use Light Version to launch resources within their web browser.
For users on the internal network, access through Citrix Workspace app for HTML5 to resources provided by Citrix Virtual Apps and Desktops is disabled by default. To enable local access to desktops and applications using Citrix Workspace app for HTML5, enable the ICA WebSockets connections policy on your Citrix Virtual Apps and Desktops servers. Citrix Virtual Apps and Desktops uses port 8008 for Citrix Workspace app for HTML5 connections. Ensure your firewalls and other network devices permit access to this port. For more information, see WebSockets policy settings.
For Citrix Virtual Apps and Desktops resource launches to succeed, configure the TLS connections to the VDAs that host apps and desktops. Remote connections through a Citrix Gateway can launch resources using Citrix Workspace app for HTML5 without configuring TLS connections to the VDA.
When users first open Citrix Workspace for HTML5 through their browser but launch apps within the locally installed Citrix Workspace app this is known as hybrid launch. There are a number of ways in which the web site can communicate with the locally installed Workspace app to launch resources.
When the user first goes to a StoreFront web site with a supported operating system and browser, Citrix Workspace app for HTML5 attempts to invoke the Citrix Workspace Launcher. If a supported version of Citrix Workspace app is installed then the app notifies StoreFront. Citrix Workspace app for HTML5 remembers this and when it launches an app it uses Citrix Workspace Launcher.
The store web site invokes Citrix Workspace Launcher on Windows, Mac and Linux with when using the following browsers:
- Firefox 52 or higher
- Chrome 42 or higher
- Safari 12 or higher
- Edge 25 or higher
Citrix Workspace Launcher requires the following minimum versions of Citrix Receiver or Citrix Workspace app.
- Receiver for Windows 4.3 or higher
- Receiver for Mac 12.0 or higher
- Workspace app for Linux 2003 or higher
If the Workspace app launcher is not available, or the user does not allow it to open, then it will not be able to detect the locally installed Citrix workspace app. The user has the option to try again, or to click Already Installed, in which case it falls back to launching apps using .ica files. The user can later try again by going to the Settings screen and clicking Change Citrix Workspace app.
The first time the user opens the store web site in Internet Explorer, it prompts the user to install Citrix Workspace app which includes the Citrix ICA Client Add-on for Internet Explorer. Once the plugin is installed, this is used to launch apps and desktops through the locally installed Citrix Workspace app.
If Citrix Workspace app for HTML5 is unable to detect a locally installed Citrix workspace app by any other means then when a user launches an app or desktop then it downloads a .ica file. The user can open this file with the locally installed Citrix Workspace app.
You can generate URLs that provide access to desktops and applications available in your store. Embed these links on websites hosted on the internal network to provide users with rapid access to resources. Users click on a link and are redirected to the store website, where they log on if they have not already done so. The store website automatically starts the resource. For more information about generating resource shortcuts, see Website shortcuts.
When you create an application shortcut, ensure that no other applications available from the store have the same name. Shortcuts cannot distinguish between multiple instances of an application with the same name. Similarly, if you make multiple instances of a desktop from a single desktop group available from the store, you cannot create separate shortcuts for each instance. Shortcuts cannot pass command-line parameters to applications.
To create application shortcuts, you configure StoreFront with the URLs of the internal websites that will host the shortcuts. When a user clicks on an application shortcut on a website, StoreFront checks that website against the list of URLs you entered to ensure that the request originates from a trusted website. However, for users connecting through Citrix Gateway, websites hosting shortcuts are not validated because the URLs are not passed to StoreFront. To ensure that remote users can only access application shortcuts on trusted internal websites, configure Citrix Gateway to restrict user access to only those specific sites.
Customize the user interface
XenApp Services URLs
Users with older Citrix clients that cannot be upgraded can access stores by configuring their clients with the XenApp Services URL for a store. You can also enable access to your stores through XenApp Services URLs from domain-joined desktop appliances and repurposed PCs running the Citrix Desktop Lock. Domain-joined in this context means devices that are joined to a domain within the Microsoft Active Directory forest containing the StoreFront servers.
StoreFront supports pass-through authentication with proximity cards through Citrix Workspace app to XenApp Services URLs. Citrix Ready partner products use the Citrix Fast Connect API to streamline user logons through Citrix Receiver for Windows or Citrix Workspace app for Windows to connect to stores using the XenApp Services URL. Users authenticate to workstations using proximity cards and are rapidly connected to desktops and applications provided by Citrix Virtual Apps and Desktops. For more information, see the most recent Citrix Workspace for Windows documentation.
When you create a new store, the XenApp Services URL for the store is enabled by default. The XenApp Services URL for a store has the form http[s]://serveraddress/Citrix/storename/PNAgent/config.xml, where serveraddress is the fully qualified domain name of the server or load balancing environment for your StoreFront deployment and storename is the name specified for the store when it was created. This allows Citrix Workspace apps that can only use the PNAgent protocol to connect to Storefront. For the clients that can be used to access stores through XenApp Services URLs, see User device requirements.
XenApp Services URLs are intended to support users who cannot upgrade to Citrix Workspace app and for scenarios where alternative access methods are not available. When you decide whether to use XenApp Services URLs to provide users with access to your stores, consider the following restrictions.
- You cannot modify the XenApp Services URL for a store.
- You cannot modify XenApp Services URL settings by editing the configuration file, config.xml.
- XenApp Services URLs support explicit, domain pass-through, smart card authentication, and pass-through with smart card authentication. Explicit authentication is enabled by default. Only one authentication method can be configured for each XenApp Services URL and only one URL is available per store. If you need to enable multiple authentication methods, you must create separate stores, each with a XenApp Services URL, for each authentication method. Your users must then connect to the appropriate store for their method of authentication. For more information, see XML-based authentication.
- Workspace control is enabled by default for XenApp Services URLs and cannot be configured or disabled.
- User requests to change their passwords are routed to the domain controller directly through the Citrix Virtual Apps and Desktops servers providing desktops and applications for the store, bypassing the StoreFront authentication service.