Create or remove a store
Use the Create Store task to configure additional stores. You can create as many stores as you need; for example, you can create a store for a particular group of users or to group together a specific set of resources. You can also create an unauthenticated store that allows for anonymous, or unauthenticated store. To create this type of store, refer to the Create an unauthenticated store instruction.
To create a store, you identify and configure communications with the servers providing the resources that you want to make available in the store. Then, optionally, you configure remote access to the store through NetScaler Gateway.
Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
Add desktops and applications to the store
-
On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
-
Select the Stores node in the left pane of the Citrix StoreFront management console and, in the Actions pane, click Create Store.
-
On the Store Name page, specify a name for your store and click Next.
Store names appear in Citrix Receiver under users’ accounts, so choose a name that gives users information about the content of the store.
-
On the Delivery Controllers page, list the infrastructure providing the resources that you want to make available in the store. Click Add.
-
In the Add Delivery Controller dialog box, specify a name that will help you to identify the deployment and indicate whether the resources that you want to make available in the store are provided by XenDesktop, XenApp, or AppController. For App Controller deployments, ensure that the name you specify does not contain any spaces.
-
If you are adding details of XenDesktop or XenApp servers, continue to Step 7. To make applications managed by App Controller available in the store, enter the name or IP address of an App Controller virtual appliance in the Server box and specify the port for StoreFront to use for connections to App Controller. The default port is 443. Continue to Step 11.
-
To make desktops and applications provided by XenDesktop or XenApp available in the store, add the names or IP addresses of your servers to the Servers list. Specify multiple servers to enable fault tolerance, listing the entries in order of priority to set the failover sequence. For XenDesktop sites, give details of Delivery Controllers. In the case of XenApp farms, list servers running the Citrix XML Service.
-
Select from the Transport type list the type of connections for StoreFront to use for communications with the servers.
- To send data over unencrypted connections, select HTTP. If you select this option, you must make your own arrangements to secure connections between StoreFront and your servers.
- To send data over secure HTTP connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), select HTTPS. If you select this option for XenDesktop and XenApp servers, ensure that the Citrix XML Service is set to share its port with Microsoft Internet Information Services (IIS) and that IIS is configured to support HTTPS.
- To send data over secure connections to XenApp servers using the SSL Relay to perform host authentication and data encryption, select SSL Relay.
Note: If you are using HTTPS or the SSL Relay to secure connections between StoreFront and your servers, ensure that the names you specify in the Servers list match exactly (including the case) the names on the certificates for those servers.
-
Specify the port for StoreFront to use for connections to the servers. The default port is 80 for connections using HTTP and the SSL Relay, and 443 for HTTPS connections. In the case of XenDesktop and XenApp servers, the specified port must be the port used by the Citrix XML Service.
In a Citrix Virtual Apps and Desktops on-premises environment, Shared secret lets you allow only approved StoreFront machines to communicate with Delivery Controllers by specifying a key. For information about key generation and configuration, see Manage security keys.
In a Citrix Virtual Apps and Desktops service environment, Shared secret lets you allow only approved StoreFront machines to communicate with Citrix Cloud by specifying a key. For information about key generation and configuration, see Manage security keys.
-
If you are using the SSL Relay to secure connections between StoreFront and XenApp servers, specify the TCP port of the SSL Relay in the SSL Relay port box. The default port is 443. Ensure that all the servers running the SSL Relay are configured to monitor the same port.
-
Click OK. You can configure stores to provide resources from any mixture of XenDesktop, XenApp, and App Controller deployments. Repeat Steps 4 to 11, as necessary, to list additional deployments providing resources for the store. When you have added all the required resources to the store, click Next.
-
On the Remote Access page, specify whether and how users connecting from public networks can access the store through NetScaler Gateway.
- To make the store unavailable to users on public networks, make sure you do not check Enable Remote Access. Only local users on the internal network will be able to access the store.
- To enable remote access, check Enable Remote Access.
- To make only resources delivered through the store available through NetScaler Gateway, select No VPN tunnel. Users log on directly to NetScaler Gateway and do not need to use the NetScaler Gateway Plug-in.
- To make the store and all other resources on the internal network available through an SSL virtual private network (VPN) tunnel, select Full VPN tunnel. Users require the NetScaler Gateway Plug-in to establish the VPN tunnel.
If it is not already enabled, the pass-through from NetScaler Gateway authentication method is automatically enabled when you configure remote access to the store. Users authenticate to NetScaler Gateway and are automatically logged on when they access their stores.
-
If you enabled remote access, continue to the next procedure to specify the NetScaler Gateway deployments through which users can access the store. Otherwise, on the Remote Access page, click Create. Once the store has been created, click Finish.
Provide remote access to the store through NetScaler Gateway
Complete the following steps to configure remote access through NetScaler Gateway to the store that you created in the previous procedure. It is assumed that you have completed all the preceding steps.
-
On the Remote Access page of the Create Store wizard, select from the NetScaler Gateway appliances list the deployments through which users can access the store. Any deployments you configured previously for other stores are available for selection in the list. If you want to add a further deployment to the list, click Add. Otherwise, continue to Step 12.
-
On the Add NetScaler Gateway Appliance General Settings page, specify a name for the NetScaler Gateway deployment that will help users to identify it.
Users see the display name you specify in Citrix Receiver, so include relevant information in the name to help users decide whether to use that deployment. For example, you can include the geographical location in the display names for your NetScaler Gateway deployments so that users can easily identify the most convenient deployment for their location.
-
Enter the URL of the virtual server or user logon point for your deployment. Specify the product version used in your deployment.
The fully qualified domain name (FQDN) for your StoreFront deployment must be unique and different from the NetScaler Gateway virtual server FQDN. Using the same FQDN for StoreFront and the NetScaler Gateway virtual server is not supported.
-
Select the usage of the NetScaler Gateway from the available options.
+ Authentication and HDX routing: The NetScaler Gateway will be used for Authentication, as well as for routing any HDX sessions. + Authentication Only: The NetScaler Gateway will be used for Authentication and not for any HDX session routings. + HDX routing Only: The NetScaler Gateway will be used for HDX session routings and not for Authentication. -
On the Secure Ticket Authority (STA) page, if you are making resources provided by XenDesktop or XenApp available in the store, list all the Secure Ticket Authority page URLs for servers running the STA. Add URLs for multiple STAs to enable fault tolerance, listing the servers in order of priority to set the failover sequence.
The STA is hosted on XenDesktop and XenApp servers and issues session tickets in response to connection requests. These session tickets form the basis of authentication and authorization for access to XenDesktop and XenApp resources.
In a Citrix Virtual Apps and Desktops on-premises environment, Shared secret lets you allow only approved StoreFront machines to communicate with Secure Ticket Authority (STA) by specifying a key. For information about key generation, see Manage security keys.
In a Citrix Virtual Apps and Desktops service environment, Shared secret lets you allow only approved StoreFront machines to communicate with Citrix Cloud by specifying a key. For information about key generation, see Manage security keys.
-
Choose to set the Secure Ticket Authority to be load balanced. You can also specify the time interval after which the non-responding STAs are bypassed.
-
If you want XenDesktop and XenApp to keep disconnected sessions open while Citrix Receiver attempts to reconnect automatically, select the Enable session reliability check box. If you configured multiple STAs and want to ensure that session reliability is always available, select the Request tickets from two STAs, where available check box. StoreFront obtains session tickets from two different STAs so that user sessions are not interrupted if one STA becomes unavailable during the course of the session. If, for any reason, StoreFront is unable to contact two STAs, it falls back to using a single STA.
-
On Authentication Settings page, select the version of NetScaler gateway you want to configure.
-
Specify the VServer IP address of the NetScaler Gateway appliance, if required. A VServer IP address is required for Access Gateway 9.x appliances, but optional for more recent product versions. The VServer IP address is the IP address that NetScaler Gateway uses to represent the user device when communicating with servers on the internal network. This can also be the mapped IP address of the NetScaler Gateway appliance. Where specified, StoreFront uses the VServer IP address to verify that incoming requests originate from a trusted device.
-
Select from the Logon type list the authentication method you configured on the appliance for Citrix Receiver users. The information you provide about the configuration of your NetScaler Gateway appliance is added to the provisioning file for the store. This enables Citrix Receiver to send the appropriate connection request when contacting the appliance for the first time.
- If users are required to enter their Microsoft Active Directory domain credentials, select Domain.
- If users are required to enter a tokencode obtained from a security token, select Security token.
- If users are required to enter both their domain credentials and a tokencode obtained from a security token, select Domain and security token.
- If users are required to enter a one-time password sent by text message, select SMS authentication.
- If users are required to present a smart card and enter a PIN, select Smart card.
If you configure smart card authentication with a secondary authentication method to which users can fall back if they experience any issues with their smart cards, select the secondary authentication method from theSmart card fallback list.
-
Enter the NetScaler Gateway authentication service URL in the Callback URL box. This is an optional field. StoreFront automatically appends the standard portion of the URL. Enter the internally accessible URL of the appliance. StoreFront contacts the NetScaler Gateway authentication service to verify that requests received from NetScaler Gateway originate from that appliance.
-
Click Create to add your NetScaler Gateway deployment to the list on the Remote Access page. Repeat Steps 1 to 11, as necessary, to add more NetScaler Gateway deployments to the NetScaler Gateway appliances list. If you enable access through multiple deployments by selecting more than one entry in the list, specify the default deployment to be used to access the store.
-
On the Remote Access page, click Create. Once the store has been created, click Finish.
Your store is now available for users to access with Citrix Receiver, which must be configured with access details for the store. There are a number of ways in which you can provide these details to users to make the configuration process easier for them. For more information, see User access options.
Alternatively, users can access the store through the Receiver for Web site, which enables users to access their desktops and applications through a webpage. The URL for users to access the Receiver for Web site for the new store is displayed when you create the store.
When you create a new store, the XenApp Services URL is enabled by default. Users of domain-joined desktop appliances and repurposed PCs running the Citrix Desktop Lock, along with users who have older Citrix clients that cannot be upgraded, can access stores directly using the XenApp Services URL for the store. The XenApp Services URL has the form http[s]://serveraddress/Citrix/storename/PNAgent/config.xml, where serveraddress is the FQDN of the server or load balancing environment for your StoreFront deployment and storename is the name you specified for the store in Step 3.
Create a store for single server deployments on a nondomain-joined server
- On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
- Select the Stores node in the left pane of the Citrix StoreFront management console and, in the Actions pane, click Create Store.
-
On the Store Name page, specify a name for your store and click Next.
Store names appear in Citrix Receiver under users’ accounts, so choose a name that gives users information about the content of the store. - On the Delivery Controllers page, list the infrastructure providing the resources that you want to make available in the store. Click Add.
- In the Add Delivery Controller dialog box, specify a name that will help you to identify the deployment and indicate whether the resources that you want to make available in the store are provided by XenDesktop, XenApp, or XenMobile AppController. For App Controller deployments, ensure that the name you specify does not contain any spaces.
- If you are adding details of XenDesktop or XenApp servers, continue to Step 7. To make applications managed by App Controller available in the store, enter the name or IP address of an App Controller virtual appliance in the Server box and specify the port for StoreFront to use for connections to App Controller. The default port is 443. Continue to Step 11.
- To make desktops and applications provided by XenDesktop or XenApp available in the store, add the name or IP address of your server to the Servers box. For XenDesktop sites, give details of Delivery Controllers. In the case of XenApp farms, list the server running the Citrix XML Service.
- Select from the Transport type list the type of connections for StoreFront to use for communications with the server.
- To send data over unencrypted connections, select HTTP. If you select this option, you must make your own arrangements to secure connections between StoreFront and your server.
- To send data over secure HTTP connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), select HTTPS. If you select this option for XenDesktop and XenApp servers, ensure that the Citrix XML Service is set to share its port with Microsoft Internet Information Services (IIS) and that IIS is configured to support HTTPS.
-
To send data over secure connections to XenApp servers using the SSL Relay to perform host authentication and data encryption, select SSL Relay.
Note: If you are using HTTPS or the SSL Relay to secure connections between StoreFront and your server, ensure that the name you specify in the Servers box matches exactly (including the case) the name on the certificate for that server.
-
Specify the port for StoreFront to use for connections to the server. The default port is 80 for connections using HTTP and the SSL Relay, and 443 for HTTPS connections. In the case of XenDesktop and XenApp servers, the specified port must be the port used by the Citrix XML Service.
In a Citrix Virtual Apps and Desktops on-premises environment, Shared secret lets you allow only approved StoreFront machines to communicate with Delivery Controllers by specifying a key. For information about key generation, see Manage security keys.
In a Citrix Virtual Apps and Desktops service environment, Shared secret lets you allow only approved StoreFront machines to communicate with Citrix Cloud by specifying a key. For information about key generation, see Manage security keys.
- If you are using the SSL Relay to secure connections between StoreFront and the XenApp server, specify the TCP port of the SSL Relay in the SSL Relay port box. The default port is 443. Ensure that all the servers running the SSL Relay are configured to monitor the same port.
- Click OK. You can configure stores to provide resources from any mixture of XenDesktop, XenApp, and App Controller deployments. Repeat Steps 4 to 11, as necessary, to list additional deployments providing resources for the store. When you have added all the required resources to the store, click Next.
- On the Remote Access page, specify whether and how users connecting from public networks can access the store through NetScaler Gateway.
- To make the store unavailable to users on public networks, select None. Only local users on the internal network will be able to access the store.
- To make only resources delivered through the store available through NetScaler Gateway, select** No VPN tunnel**. Users log on directly to NetScaler Gateway and do not need to use the NetScaler Gateway Plug-in.
-
To make the store and all other resources on the internal network available through an SSL virtual private network (VPN) tunnel, select** Full VPN tunnel**. Users require the NetScaler Gateway Plug-in to establish the VPN tunnel.
If it is not already enabled, the pass-through from NetScaler Gateway authentication method is automatically enabled when you configure remote access to the store. Users authenticate to NetScaler Gateway and are automatically logged on when they access their stores.
- If you enabled remote access, continue to Provide remote access to the store through NetScaler Gateway to specify the NetScaler Gateway deployments through which users can access the store. Otherwise, on the Remote Access page, click Next.
- On the Configure Authentication Methods page, select the methods by which users will authenticate and access resources, and click Next.
- On the Configure Password Validation page, select the delivery controllers to provide the password validation, click Next.
- On the XenApp Services URL page, configure the URL for users who us PNAgent to access application and desktops and click Create.
Server Group Node in the left and Action panes is replaced by Change Base URL. The only option available is to change the base URL, because server groups are not available in nondomain-joined servers.
Remove a store
Use the Remove Store task to delete a store. When you remove a store, any associated Receiver for Web sites, Desktop Appliance sites, and XenApp Services URLs are also deleted.
Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.