StoreFront

Integrate with Citrix Gateway and Citrix ADC

May 19, 2023

Contributed by:

S C

Use Citrix Gateway with StoreFront to provide secure remote access for users outside the corporate network and Citrix ADC to provide load balancing.

Plan gateway and server certificate usage

Integrating StoreFront with Citrix Gateway and Citrix ADC requires a plan for gateway and server certificate usage. Consider which Citrix components are going to require server certificate(s) within your deployment:

Plan to obtain certificates for Internet-facing servers and gateways from external certificate authorities. Client devices may not automatically trust certificates signed by an internal certificate authority.
Plan for both external and internal server names. Many organizations have separate namespaces for internal and external use—such as example.com (external) and example.net (internal). A single certificate can contain both of these kinds of name by using the Subject Alternative Name (SAN) extension. This is not normally recommended. A public certificate authority will only issue a certificate if the top-level domain (TLD) is registered with IANA. In this case, some commonly used internal server names (such as example.local) cannot be used, and separate certificates for external and internal names are required anyway.
Use separate certificates for external and internal servers, where possible. A gateway may support multiple certificates, either by binding a different certificate to each interface.
Avoid sharing certificates between Internet-facing and non-Internet-facing servers. These certificates are likely to be different—with different validity periods and different revocation policies than certificates issued by your internal certificate authorities.
Share “wildcard” certificates only between equivalent services. Avoid sharing a certificate between different types of server (for example StoreFront servers, and other kinds of servers). Avoid sharing a certificate between servers which are under different administrative control, or which have different security policies. Typical examples of servers which provided equivalent service are:
- A group of StoreFront servers and the server that performs load balancing between them.
- A group of Internet-facing gateways within GSLB.
- A group of Citrix Virtual Apps and Desktops controllers, which provide equivalent resources.
Plan for hardware-secured private key storage. Gateways and servers, including some Citrix ADC models, can store the private key securely within a hardware security module (HSM) or Trusted Platform Module (TPM). For security reasons, these configurations are not usually intended to support sharing of certificates and their private keys, Consult the documentation for the component. If implementing GSLB with Citrix Gateway, this may require each gateway within GSLB to have an identical certificate, which contains all the FQDNs you wish to use.

For more information about securing your Citrix deployment, see the white paper End-To-End Encryption with Citrix Virtual Apps and Desktops and the Citrix Virtual Apps and Desktops Secure section.

Configure StoreFront Log On when authentication is disabled on Citrix Gateway VIP

Log on to StoreFront when authentication is disabled on Citrix Gateway VIP. This procedure works in two scenarios: Internal networks. App launch fails from remote locations because STAs cannot be used when authentication is disabled on the Citrix Gateway if the X-Citrix-Gateway header is getting passed to StoreFront. Citrix Receiver for Web. Receiver clients do not authenticate if authentication is not enabled at the Citrix Gateway VIP.

Changes on the StoreFront Server

Disable the Require Token Consistency field. See Advanced store settings.
Open the Citrix StoreFront Management console.
Click Manage Receiver for Web Sites for the web.
Select the corresponding Citrix Receiver for Web site, click Configure and then select Authentication Methods.
Ensure that the Pass-through from Citrix Gateway option is cleared.

Note:

Citrix Gateway and Enable Remote Access are assumed to be set up on the StoreFront server.

Changes on the Citrix Gateway

Open the Citrix Gateway virtual server.
Click the Authentication tab and ensure that Enable Authentication check-box is cleared.
Bind the corresponding session policy to the Citrix Gateway virtual server.
Test the connection.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Integrate with Citrix Gateway and Citrix ADC

May 19, 2023

Contributed by:

S C

May 19, 2023

Contributed by:

S C

Integrate with Citrix Gateway and Citrix ADC

Plan gateway and server certificate usage

Configure StoreFront Log On when authentication is disabled on Citrix Gateway VIP

Changes on the StoreFront Server

Changes on the Citrix Gateway

In this article