StoreFront

Configure Citrix Gateways

Use Citrix Gateways to provide authentication and remote access to StoreFront and your Virtual Delivery Agents (VDAs). Citrix Gateways run on a hardware or software NetScaler ADCs. The Citrix Gateway Service is managed by Citrix and can be used for HDX routing but not authentication or remote access to StoreFront.

For more information about configuring your Gateway, see Integrate NetScaler Gateway with StoreFront.

You must configure your gateway within StoreFront before StoreFront allows access through that gateway.

View Gateways

To view the gateways configured within StoreFront, select the Stores node in the left pane of the Citrix StoreFront management console and pane, click Manage Citrix Gateways. This displays the Manage Citrix Gateways window.

Screenshot of Manage Citrix Gateways screen

PowerShell

To get a list of gateways and their configuration call Get-STFRoamingGateway.

Add Citrix Gateway appliance

  1. In the Manage Citrix Gateways window click Add.

  2. On the General Settings tab enter the settings then press Next.

    • Specify a Display name for the Citrix Gateway deployment that will help users to identify it.

      Users see the display name you specify in Citrix Workspace app, so include relevant information in the name to help users decide whether to use that deployment. For example, you can include the geographical location in the display names for your Citrix Gateway deployments so that users can easily identify the most convenient deployment for their location.

    • Set the Gateway type to Citrix Gateway appliance.

    • Enter the URL of the gateway.

      The fully qualified domain name (FQDN) for your StoreFront deployment must be unique and different from the Citrix Gateway virtual server FQDN. Using the same FQDN for StoreFront and the Citrix Gateway virtual server is not supported. The gateway adds the URL to the X-Citrix-Via HTTP header. StoreFront uses this header to determine which gateway is in use.

      Using the GUI it is only possible to add a single gateway URL. If a gateway can be access by multiple URLs then you need to add the same gateway twice with identical configuration apart from the URL. To simply configuration, you can configure a secondary URL used to access the gateway. This option is not available using the GUI so you must configure this using PowerShell. You should close the management console before running any PowerShell commands. For example if you have multiple gateways behind a global server load balancer, typically it is useful to add both the GSLB URL and a URL that can be used to access each specific regional gateway, for example for testing or troubleshooting purposes. Once you have created the gateway you can add an additional URL using Set-STFRoamingGateway, using the -GSLBurl parameter for the secondary URL. Although the parameter is called GSLBurl this can be used for any situation where you wish to add a second URL. For example:

       Set-STFRoamingGateway -Name "Europe Gateway" -GSLBurl "eugateway.example.com" -GatewayUrl "gslb.example.com"
      <!--NeedCopy-->
      

      Note:

      Counterintuitively in this example, the GSLBurl parameter contains the regional URL while the GatewayUrl parameter contains the GSLB URL. For most purposes the URLs are treated identically and if the store is only accessed through a web browser they can be configured either way around. However when accessing StoreFront through Citrix Workspace app, it reads the GatewayUrl from StoreFront and subsequently uses it for remote access and it is preferable for it to be configured to always connect to the GSLB URL.

      If you need more than two URLs then you will need to configure this as a separate gateway.

    • Select the Usage or Role:

      Usage or role Description
      Authentication and HDX routing Use the gateway for both providing remote access to StoreFront and to access the VDAs.
      Authentication only Select this if the gateway is used only for remote access to StoreFront. This option prevents Citrix Workspace launcher from working. Therefore, if you need to use hybrid launches, choose Authentication and HDX routing even when the gateway will only be used for authentication.
      HDX routing only Select this if the gateway is used only for providing HDX access to VDAs, e.g. at a site that does not have a StoreFront instance.

    Screenshot of Add Gateway Appliance screen general settings tab

  3. Fill out the settings on the Secure Ticketing Authority tab.

    The secure ticketing authority issues session tickets in response to connection requests. These session tickets form the basis of authentication and authorization for Citrix Workspace app detection and access to VDAs.

    • Enter one or more Secure Ticket Authority server URL.

      • If you are using Citrix Virtual Apps and Desktops™ then you can use the delivery controllers as STA servers.
      • If you are using Citrix Desktop as a Service then you can use your cloud connectors as STA servers. These either proxy requests to the Citrix Cloud™ Ticketing Authority, or when in LHC mode generate their own tickets. In the future this will change so that they always generate their own tickets for improved resiliency.
      • It is recommended that you use at least 2 STA servers for redundancy.
      • When using Cloud Connectors as STA servers, it is recommended that you include all cloud connectors in at least one resource location. Firstly, within a resource location, Citrix Cloud ensures that only one cloud connector is upgraded at a time so including all connectors ensures that there is always at least one connector not being upgraded. Secondly, if the resource location goes into LHC mode then only the single Cloud Connector designated as the “elected broker” can issue STA tickets. As you cannot know in advance which connector this will be, include all Cloud Connectors in the resource location.
      • Ensure that all STA servers listed in StoreFront are also listed as STA servers in the Citrix Gateway virtual server. If any servers are missing from the Citrix Gateway, this can cause launches to fail. Today when using Cloud Connectors as STAs this may not be apparent in normal use as any connector can be used to redeem tickets from the Citrix Cloud Ticking Authority. However Local Host Cache mode the connector generates its own tickets and in the future this will become the default behavior.
      • The Delivery Controller or Cloud Connector may be configured so that StoreFront must include a security key. It is not possible to add security keys using the GUI; see the later step for adding them using PowerShell.
    • Select Load balance multiple STA servers to distribute requests between the STA servers. If cleared then StoreFront will try the servers in the order in which they are listed.

    • If StoreFront cannot reach an STA server then it avoids using that server for a period of time. By default this is 1 hour but you can customize this value.

    • If you want Citrix Virtual Apps and Desktops to keep disconnected sessions open while Citrix Workspace app attempts to reconnect automatically, select Enable session reliability.

    • If you configured multiple STAs, optionally select Request tickets from two STAs, where available.

      When Request tickets from two STAs, where available is selected, StoreFront obtains session tickets from two different STAs so that user sessions are not interrupted if one STA becomes unavailable during the course of the session. If, for any reason, StoreFront is unable to contact two STAs, it falls back to using a single STA.

    Screenshot of Add Gateway Appliance screen Secure Ticket Authority tab

    Once you have completed filling out the settings press Next

  4. Fill out settings on the Authentication Settings tab.

    • Choose the NetScaler® version.

    • If there are multiple gateways with the same URL (typically when using a global server load balancer), and you have entered a callback URL then you must enter the VIP of the gateway. This allows StoreFront to determine which gateway the request came from and hence which server to contact using the Callback URL. Otherwise you can leave this blank.

    • Select from the Logon type list the authentication method you configured on the appliance for Citrix Workspace app users.

    The information you provide about the configuration of your Citrix Gateway appliance is added to the provisioning file for the store. This enables Citrix Workspace app to send the appropriate connection request when contacting the appliance for the first time.

    • If users are required to enter their Microsoft Active Directory domain credentials, select Domain.
    • If users are required to enter a tokencode obtained from a security token, select Security token.
    • If users are required to enter both their domain credentials and a tokencode obtained from a security token, select Domain and security token.
    • If users are required to enter a one-time password sent by text message, select SMS authentication.
    • If users are required to present a smart card and enter a PIN, select Smart card.

    If you configure smart card authentication with a secondary authentication method to which users can fall back if they experience any issues with their smart cards, select the secondary authentication method from the Smart card fallback list.

    • Optionally, enter the internally accessible URL of the gateway in the Callback URL box. This allows StoreFront to contact the Citrix Gateway authentication service to verify that requests received from Citrix Gateway originate from that appliance. It is required for smart access and for password-less authentication scenarios such as Smart Card or SAML otherwise you can leave it blank. If you have multiple Citrix Gateways with the same URL then this URL must be for the specific gateway server.

    Screenshot of Add Gateway Appliance screen Authentication Settings tab

    Once you have completed filling out the settings press Next

  5. Click Create to apply the configuration.

    Screenshot of Add Gateway Appliance summary screen

  6. Once the deployment has been applied, click Finish.

  7. If you have configured Security keys (recommended) then you must close the management console and configure them using PowerShell. For example:

    $gateway = Get-STFRoamingGateway -Name [Gateway name]
    $sta1 = New-STFSecureTicketAuthority -StaUrl [STA1 URL] -StaValidationEnabled $true -StaValidationSecret [secret]
    $sta2 = New-STFSecureTicketAuthority -StaUrl [STA2 URL] -StaValidationEnabled $true -StaValidationSecret [secret]
    Set-STFRoamingGateway -Gateway $gateway -SecureTicketAuthorityObjs $sta1,$sta2
    <!--NeedCopy-->
    
  8. To enable users to access your stores through the Gateway, configure remote user access.

  9. By default StoreFront uses the gateway that authenticated the user for HDX routing to their resources. You can optionally configure StoreFront to use the gateway when accessing particular resources using Optimal HDX routing.

PowerShell

To add a gateway using PowerShell run cmdlet New-STFRoamingGateway.

Add Citrix Gateway Service

If you have enabled the Citrix Gateway Service for StoreFront in Citrix Cloud then you must configure it as a gateway within StoreFront.

  1. In the Manage Citrix Gateways window click Add.

  2. On the General Settings tab enter the settings then press Next.

    • Specify a Display name for the Citrix Gateway deployment that will help users to identify it.

      Users see the display name you specify in Citrix Workspace app, so include relevant information in the name to help users decide whether to use that deployment. For example, you can include the geographical location in the display names for your Citrix Gateway deployments so that users can easily identify the most convenient deployment for their location.

    • Set the Gateway type to Citrix Gateway Service. This causes the Usage or role to be set to HDX™ routing only and disables the Citrix Gateway URL.

    • Optionally enter a Citrix Gateway Service URL. If the URL is left blank then it uses the default commercial URL https://global.g.nssvc.net which chooses the optimal point of presence for the user’s location. If you wish to use a specific gateway region, for example for a particular region, then you can enter its URL here. For a list of available gateway service URLs, see Citrix Gateway Service documentation.

    • If you have entered a Citrix Gateway Service URL then you must also enter the corresponding Citrix Gateway Service URL (STA Connector Mode). This specifies the gateway service URL to use when the cloud connector is unable to reach Citrix Cloud so issues its own STA tickets. If the URL is left blank then it uses the default URL https://global-s.g.nssvc.net.

    Screenshot of Add Gateway Appliance screen general settings tab

  3. Fill out the settings on the Cloud Connectors tab.

    Cloud connectors allow StoreFront to reach Citrix Cloud to look up Gateway configuration and to reach the cloud ticketing authority to request session tickets.

    • Enter at least one Cloud Connector server URL.

      StoreFront calls these cloud connectors to retrieve STA tickets which Citrix Workspace app can use to authenticate requests through the . In normal operation the Cloud Connectors proxy requests to the Citrix Cloud Ticketing Authority, or when in LHC mode generate their own tickets. In the future this will change so that they always generate their own tickets for improved resiliency.

      • It is recommended that you include multiple cloud connectors in the same resource location as only one Cloud Connector is upgraded at a time in each resource location, ensuring at least Cloud Connector is always available. For further redundancy add Cloud Connectors in multiple resource locations.
      • Ensure that all Cloud Connectors listed in StoreFront are also listed as STA servers in the Citrix Gateway virtual server. If any servers are missing from the Citrix Gateway, this can cause launches to fail. Today, this may not be apparent in normal use as any connector can be used to redeem tickets from the Citrix Cloud Ticking Authority. However Local Host Cache mode the connector generates its own tickets and in the future this will become the default behavior.
      • The Cloud Connector may be configured so that StoreFront must include a security key. It is not possible to add security keys using the GUI; see the later step for adding them using PowerShell.
    • Select Load balance multiple servers to distribute requests between the servers. If cleared then StoreFront will try the servers in the order in which they are listed.

    • If StoreFront cannot reach a server then it avoids using that server for a period of time. By default this is 1 hour but you can customize this value.

    • Always select Enable session reliability.

      Currently Citrix Gateway Service requires session reliability. This may change in a future release.

    • Do not select Request tickets from two cloud connectors, where available.

      There is currently no benefit in selecting Request tickets from two cloud connectors, where available. This may change in the future.

    Screenshot of Add Gateway Appliance screen cloud connectors tab

    Once you have completed filling out the settings select Next

  4. Select Create to apply the configuration.

    Screenshot of Add Gateway Appliance summary screen

  5. Once the deployment has been applied, select Finish.

  6. If you have configured Security keys (recommended) then you must close the management console and configure them using PowerShell. For example:

    $gateway = Get-STFRoamingGateway -Name [Gateway name]
    $sta1 = New-STFSecureTicketAuthority -StaUrl [STA1 URL] -StaValidationEnabled $true -StaValidationSecret [secret]
    $sta2 = New-STFSecureTicketAuthority -StaUrl [STA2 URL] -StaValidationEnabled $true -StaValidationSecret [secret]
    Set-STFRoamingGateway -Gateway $gateway -SecureTicketAuthorityObjs $sta1,$sta2
    <!--NeedCopy-->
    
  7. By default StoreFront uses the same gateway to access resources as was used to authenticate, hence the Citrix Gateway service is never used. You must use Optimal HDX routing to configure when StoreFront should use Citrix Gateway Service.

PowerShell

To add a gateway using PowerShell, run cmdlet New-STFRoamingGateway, setting -IsCloudGateway $true.

Edit Citrix Gateway

  1. In the Manage Citrix Gateways window, click on the gateway you wish to change and press Edit.

    For a description of the parameters, see Add Citrix Gateway appliance

  2. Press Save to save your changes.

PowerShell

To modify gateway configuration using PowerShell, run cmdlet Set-STFRoamingGateway.

Remove Citrix Gateway

  1. In the Manage Citrix Gateways window, click on the gateway you wish to change and press Remove.

  2. In the confirmation window press Yes.

PowerShell

To remove the gateway using PowerShell, run cmdlet Remove-STFRoamingGateway.

Configure Citrix Gateways