StoreFront

Create a new deployment

  1. If the Citrix StoreFront management console is not already open after installation of StoreFront, on the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.

  2. In the results pane of the Citrix StoreFront management console, click Create a new deployment.

  3. Specify the URL of the StoreFront server or the load balancing environment for a multiple server deployment in the Base URL box.

    If you have not yet set up your load balancing environment, enter the server URL. You can modify the base URL for your deployment at any time.

    You can change from HTTP to HTTPS at any time using the Change Base URL task in the StoreFront management console, provided that Microsoft Internet Information Services (IIS) is configured for HTTPS.

  4. Click Next to set up the authentication service, which authenticates users to Microsoft Active Directory.

    To use HTTPS to secure communications between StoreFront and users’ devices, you must configure Microsoft Internet Information Services (IIS) for HTTPS. In the absence of the appropriate IIS configuration, StoreFront uses HTTP for communications.

    By default, Citrix Receiver requires HTTPS connections to stores. If StoreFront is not configured for HTTPS, users must carry out additional configuration steps to use HTTP connections. HTTPS is required for smart card authentication. You can change from HTTP to HTTPS at any time after configuring StoreFront, provided the appropriate IIS configuration is in place. For more information, see Configure server groups.

  5. On the Store Name page, specify a name for your store, whether you want to allow only unauthenticated (anonymous) users access to the store, and click Next.

    StoreFront stores aggregate desktops and applications, making them available to users. Store names appear in Citrix Receiver under users’ accounts, so choose a name that gives users information about the content of the store.

  6. On the Controllers page, list the infrastructure providing the resources that you want to make available in the store. To add desktops and applications to the store, follow the appropriate procedure below. You can configure stores to provide resources from any mixture of XenDesktop, XenApp and XenMobile (App Controller) deployments. Repeat the procedures, as necessary, to add all the deployments providing resources for the store.

  7. When you have added all the required resources to the store, on the Controllers page, click Next.

  8. On the Remote Access page, specify whether and how users connecting from public networks can access the internal resources.

    • To make the store available to users on public networks, check the Enable remote access box. If you leave this box unchecked, only local users on the internal network are able to access the store.
    • To make only resources delivered through the store available through NetScaler Gateway, select Allow users to access only resources delivered through StoreFront (No VPN tunnel).
    • To make the store and all other resources on the internal network available through a Secure Sockets Layer (SSL) virtual private network (VPN) tunnel, select Allows users to access all resources on internal network (Full VPN tunnel). Users might require the NetScaler Gateway Plug-in to establish the VPN tunnel.

    If you configure remote access to the store through NetScaler Gateway, the pass-through from NetScaler Gateway authentication method is automatically enabled. Users authenticate to NetScaler Gateway and are automatically logged on when they access their stores.

  9. If you enabled remote access, list the NetScaler Gateway deployments through which users can access the store. To add a NetScaler Gateway deployment, follow the appropriate procedure below. Repeat the procedures, as necessary, to add further deployments.

  10. When you have added all your NetScaler Gateway deployments, select from the NetScaler Gateway appliances list the deployments through which users can access the store. If you enable access through multiple deployments, specify the default deployment to be used to access the store. Click Next.

  11. On the Authentication Methods page, select the methods your users will use to authenticate to the store and click Next. You can select from the following methods:

    • Username and password: Users enter their credentials and are authenticated when they access their stores.
    • SAML Authentication: Users authenticate to an Identity Provider and are automatically logged on when they access their stores.
    • Domain passthrough†: Users authenticate to their domain-joined Windows computers and their credentials are used to log them on automatically when they access their stores.
    • Smart card†: Users authenticate using smart cards and PINs when they access their stores.
    • HTTP basic: Users authenticate with the StoreFront server’s IIS web server.
    • Passthrough through NetScaler Gateway: Users authenticate to NetScaler Gateway and are automatically logged on when they access their stores. This is automatically checked when remote access is enabled.

    Note:

    Store authentication methods marked with † do not propagate to the store’s Citrix Receiver for Web sites. Configure these authentication methods independently for each Citrix Receiver for Web site using the Manage Receiver for Web Sites task described in Configure Citrix Receiver for Web sites.

    The other store authentication methods described here do propagate to the store’s Citrix Receiver for Web sites. (That is, a selection or deselection made here for the store dictates the setting used by all its Receiver for Web sites.)

  12. On the XenApp Services URL page, configure the XenApp Service URL for users who use PNAgent to access the applications and desktops.

  13. After creating the store, further options become available in the Citrix StoreFront management console. For more information, see the various management articles.

Your store is now available for users to access with Citrix Receiver, which must be configured with access details for the store. There are a number of ways in which you can provide these details to users to make the configuration process easier for them. For more information, see User access options.

Alternatively, users can access the store through the Citrix Receiver for Web site, which enables users to access their desktops and applications through a webpage. The URL for users to access the Citrix Receiver for Web site for the new store is displayed when you create the store.

When you create a new store, the XenApp Services URL is enabled by default. Users of domain-joined desktop appliances and repurposed PCs running the Citrix Desktop Lock, along with users who have older Citrix clients that cannot be upgraded, can access stores directly using the XenApp Services URL for the store. The XenApp Services URL has the form http[s]://serveraddress/Citrix/storename/PNAgent/config.xml, where serveraddress is the fully qualified domain name of the server or load balancing environment for your StoreFront deployment and storename is the name you specified for the store in Step 5.

You can quickly add more servers to your deployment by selecting the option to join an existing server group when installing further instances of StoreFront.

Add XenDesktop and XenApp resources to the store

Complete the following steps to make desktops and applications provided by XenApp and XenDesktop available in the store that you create as part of the initial configuration of your StoreFront server. It is assumed that you have completed Steps 1 to 6 in the “Create a new deployment” procedure at the top of this article.

  1. On the Controllers page of the StoreFront console Create Store UI, click Add.
  2. In the Add Controllers dialog box, specify a name that will help you to identify the deployment and indicate whether the resources that you want to make available in the store are provided by XenDesktop, XenApp, or XenMobile.
  3. Add the names or IP addresses of your servers to the Servers list. Specify multiple servers to enable fault tolerance, listing the entries in order of priority to set the failover sequence. For XenDesktop sites, give details of Controllers. In the case of XenApp farms, list servers running the Citrix XML Service.
  4. Select from the Transport type list the type of connections for StoreFront to use for communications with the servers.
    • To send data over unencrypted connections, select HTTP. If you select this option, you must make your own arrangements to secure connections between StoreFront and your servers.
    • To send data over secure HTTP connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), select HTTPS. If you select this option for XenDesktop and XenApp servers, ensure that the Citrix XML Service is set to share its port with Microsoft Internet Information Services (IIS) and that IIS is configured to support HTTPS.
    • To send data over secure connections to XenApp servers using the SSL Relay to perform host authentication and data encryption, select SSL Relay.

    Note: If you are using HTTPS or the SSL Relay to secure connections between StoreFront and your servers, ensure that the names you specify in the Servers list match exactly (including the case) the names on the certificates for those servers.
  5. Specify the port for StoreFront to use for connections to the servers. The default port is 80 for connections using HTTP and the SSL Relay, and 443 for HTTPS connections. In the case of XenDesktop and XenApp servers, the specified port must be the port used by the Citrix XML Service.

    In a Citrix Virtual Apps and Desktops on-premises environment, Shared secret lets you allow only approved StoreFront machines to communicate with Delivery Controllers by specifying a key. For information about key generation, see Manage security keys.

    In a Citrix Virtual Apps and Desktops service environment, Shared secret lets you allow only approved StoreFront machines to communicate with Citrix Cloud by specifying a key. For information about key generation, see Manage security keys.

  6. If you are using the SSL Relay to secure connections between StoreFront and XenApp servers, specify the TCP port of the SSL Relay in the SSL Relay port box. The default port is 443. Ensure that all the servers running the SSL Relay are configured to monitor the same port.

You can configure stores to provide resources from any mixture of XenDesktop, XenApp, and XenMobile deployments. To add further XenDesktop sites or XenApp farms, repeat the procedure above. To make applications managed by App Controller available in the store, follow the steps in Add App Controller applications to the store. When you have added all the required resources to the store, return to Step 7 in the “Create a new deployment” procedure at the top of this article.
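
The checks implied by steps 3 to 5 and the certificate-name note above, as an added PowerShell example that is not Citrix code. Test-ControllerEntry, the host names and the certificate name lists are hypothetical, constructed values; the function inspects a planned Controllers entry and does not call StoreFront or the network.

```powershell
# Added example: review a planned Controllers entry before typing it into the console.
# Test-ControllerEntry and every sample value below are hypothetical.
function Test-ControllerEntry {
    param(
        [Parameter(Mandatory)][string[]]$Servers,        # Servers list, in failover order
        [Parameter(Mandatory)][ValidateSet('HTTP', 'HTTPS', 'SSL Relay')]
        [string]$TransportType,
        [Parameter(Mandatory)][int]$Port,
        [hashtable]$CertificateNames = @{}               # Servers entry -> names on that server's certificate
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($TransportType -eq 'HTTP') {
        $findings.Add('HTTP sends data unencrypted; the StoreFront-to-server path needs separate protection.')
    }

    # Step 5 defaults: 80 for HTTP and the SSL Relay, 443 for HTTPS.
    $defaultPort = if ($TransportType -eq 'HTTPS') { 443 } else { 80 }
    if ($Port -ne $defaultPort) {
        $findings.Add("Port $Port is not the $TransportType default ($defaultPort); confirm the Citrix XML Service listens on it.")
    }

    if ($Servers.Count -lt 2) {
        $findings.Add('Only one server is listed, so there is no failover target.')
    }

    # For HTTPS and SSL Relay the entry must match a certificate name exactly, including case.
    if ($TransportType -ne 'HTTP') {
        foreach ($server in $Servers) {
            if (-not $CertificateNames.ContainsKey($server)) {
                $findings.Add("${server}: no certificate names supplied, match not verified.")
                continue
            }
            $names = @($CertificateNames[$server])
            if ($names -ccontains $server) { continue }   # -ccontains is the case-sensitive operator
            $caseOnly = @($names | Where-Object { $_ -ieq $server })
            if ($caseOnly.Count -gt 0) {
                $findings.Add("${server}: certificate has '$($caseOnly[0])', which differs only in case; use the certificate's spelling.")
            } else {
                $findings.Add("${server}: not on the certificate (names: $($names -join ', ')).")
            }
        }
    }
    return ,$findings.ToArray()
}

# Constructed sample: entries as typed into the Servers list, with the names an
# administrator read from each server's certificate.
$certNames = @{
    'xdc01.corp.example' = @('XDC01.corp.example')   # same name, different case
    'xdc02.corp.example' = @('xdc02.corp.example')   # exact match
    '10.0.0.15'          = @('xdc03.corp.example')   # IP address entered, certificate carries a host name
}
$findings = Test-ControllerEntry -Servers 'xdc01.corp.example', 'xdc02.corp.example', '10.0.0.15' `
    -TransportType HTTPS -Port 443 -CertificateNames $certNames
$findings
```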

Add App Controller applications to the store

Complete the following steps to make applications managed by App Controller available in the store that you create as part of the initial configuration of your StoreFront server. It is assumed that you have completed Steps 1 to 6 in the “Create a new deployment” procedure at the top of this article.

  1. On the Delivery Controllers page of the Create Store wizard, click Add.
  2. In the Add Delivery Controller dialog box, specify a name that will help you to identify the App Controller virtual appliance managing the applications that you want to make available in the store. Ensure that the name does not contain any spaces. Select AppController.
  3. Enter the name or IP address of the App Controller virtual appliance in the Server box and specify the port for StoreFront to use for connections to App Controller. The default port is 443.

You can configure stores to provide resources from any mixture of XenDesktop, XenApp, and App Controller deployments. To add applications managed by other App Controller virtual appliances, repeat the procedure above. To make desktops and applications provided by XenDesktop and XenApp available in the store, follow the steps in Add XenDesktop and XenApp resources to the store. When you have added all the required resources to the store, return to Step 7 in the “Create a new deployment” procedure at the top of this article.

Limitation: Apps published in AppController might not start. To work around this issue, use the StoreFront PowerShell commands to manually create a store with an authentication service located at http://sfserver/Citrix/Authentication.

Provide remote access to the store through a NetScaler Gateway appliance

Complete the following steps to configure remote access through a NetScaler Gateway appliance to the store that you create as part of the initial configuration of your StoreFront server. It is assumed that you have completed Steps 1 to 9 in the “Create a new deployment” procedure at the top of this article.

  1. On the Remote Access page of the StoreFront console Create Store UI, click Add.

  2. In the Add NetScaler Gateway Appliance dialog box, specify a name for the appliance that will help users to identify it.

    Users see the display name you specify in Citrix Receiver, so include relevant information in the name to help users decide whether to use that appliance. For example, you can include the geographical location in the display names for your NetScaler Gateway deployments so that users can easily identify the most convenient deployment for their location.

  3. Enter the URL of the virtual server or user logon point (for Access Gateway 5.0) for your appliance. Specify the product version used in your deployment.

    For information about creating a single Fully Qualified Domain Name (FQDN) to access a store internally and externally, see Create a single Fully Qualified Domain Name (FQDN) to access a store internally and externally.

  4. If you are adding an Access Gateway 5.0 appliance, select Appliance from the Deployment mode list. Otherwise, specify the subnet IP address of the NetScaler Gateway appliance, if necessary. A subnet IP address is required for Access Gateway 9.3 appliances, but optional for more recent product versions.

    The subnet address is the IP address that NetScaler Gateway uses to represent the user device when communicating with servers on the internal network. This can also be the mapped IP address of the NetScaler Gateway appliance. Where specified, StoreFront uses the subnet IP address to verify that incoming requests originate from a trusted device.

  5. If you are adding an appliance running NetScaler Gateway 10.1, Access Gateway 10, or Access Gateway 9.3, select from the Logon type list the authentication method you configured on the appliance for Citrix Receiver users.

    The information you provide about the configuration of your NetScaler Gateway appliance is added to the provisioning file for the store. This enables Citrix Receiver to send the appropriate connection request when contacting the appliance for the first time.

    • If users are required to enter their Microsoft Active Directory domain credentials, select Domain.
    • If users are required to enter a tokencode obtained from a security token, select Security token.
    • If users are required to enter both their domain credentials and a tokencode obtained from a security token, select Domain and security token.
    • If users are required to enter a one-time password sent by text message, select SMS authentication.
    • If users are required to present a smart card and enter a PIN, select Smart card.

    If you configure smart card authentication with a secondary authentication method to which users can fall back if they experience any issues with their smart cards, select the secondary authentication method from the Smart card fallback list.

  6. Complete the NetScaler Gateway authentication service URL in the Callback URL box. StoreFront automatically appends the standard portion of the URL. Click Next.

    Enter the internally accessible URL of the appliance. StoreFront contacts the NetScaler Gateway authentication service to verify that requests received from NetScaler Gateway originate from that appliance.

  7. If you are making resources provided by XenDesktop or XenApp available in the store, list on the Secure Ticket Authority (STA) page URLs for servers running the STA. Add URLs for multiple STAs to enable fault tolerance, listing the servers in order of priority to set the failover sequence.

    The STA is hosted on XenDesktop and XenApp servers and issues session tickets in response to connection requests. These session tickets form the basis of authentication and authorization for access to XenDesktop and XenApp resources.

    In a Citrix Virtual Apps and Desktops on-premises environment, Shared secret lets you allow only approved StoreFront machines to communicate with Secure Ticket Authority (STA) by specifying a key. For information about key generation, see Manage security keys.

    In a Citrix Virtual Apps and Desktops service environment, Shared secret lets you allow only approved StoreFront machines to communicate with Citrix Cloud by specifying a key. For information about key generation, see Manage security keys.

  8. If you want XenDesktop and XenApp to keep disconnected sessions open while Citrix Receiver attempts to reconnect automatically, select the Enable session reliability check box. If you configured multiple STAs and want to ensure that session reliability is always available, select the Request tickets from two STAs, where available check box.

    When the Request tickets from two STAs, where available check box is selected, StoreFront obtains session tickets from two different STAs so that user sessions are not interrupted if one STA becomes unavailable during the course of the session. If, for any reason, StoreFront is unable to contact two STAs, it falls back to using a single STA.

  9. Click Create to add your NetScaler Gateway deployment to the list on the Remote Access page.

To add further deployments, repeat the procedure above. To configure remote access to the store through an Access Gateway 5.0 cluster, follow the steps in Provide remote access to the store through an Access Gateway 5.0 cluster. When you have added all your NetScaler Gateway deployments, return to Step 10 in the “Create a new deployment” procedure at the top of this article.

Provide remote access to the store through an Access Gateway 5.0 cluster

Complete the following steps to configure remote access through an Access Gateway 5.0 cluster to the store that you create as part of the initial configuration of your StoreFront server. It is assumed that you have completed Steps 1 to 9 in the “Create a new deployment” procedure at the top of this article.

  1. On the Remote Access page of the StoreFront console Create Store UI, click Add.

  2. In the Add NetScaler Gateway Appliance dialog box, specify a name for the cluster that will help users to identify it.

    Users see the display name you specify in Citrix Receiver, so include relevant information in the name to help users decide whether to use that cluster. For example, you can include the geographical location in the display names for your NetScaler Gateway deployments so that users can easily identify the most convenient deployment for their location.

  3. Enter the URL of the user logon point for your cluster and select 5.x from the Version list.

  4. From the Deployment mode list, select Access Controller and click Next.

  5. On the Appliances page, list the IP addresses or fully qualified domain names (FQDNs) of the appliances in the cluster and click Next.

  6. On the Enable Silent Authentication page, list URLs for the authentication service running on the Access Controller servers. Add URLs for multiple servers to enable fault tolerance, listing the servers in order of priority to set the failover sequence. Click Next.

    StoreFront uses the authentication service to authenticate remote users so that they do not need to re-enter their credentials when accessing stores.

  7. If you are making resources provided by XenDesktop and XenApp available in the store, list on the Secure Ticket Authority (STA) page URLs for servers running the STA. Add URLs for multiple STAs to enable fault tolerance, listing the servers in order of priority to set the failover sequence.

    The STA is hosted on XenDesktop and XenApp servers and issues session tickets in response to connection requests. These session tickets form the basis of authentication and authorization for access to XenDesktop and XenApp resources.

    In a Citrix Virtual Apps and Desktops on-premises environment, Shared secret lets you allow only approved StoreFront machines to communicate with Secure Ticket Authority (STA) by specifying a key. For information about key generation, see Manage security keys.

    In a Citrix Virtual Apps and Desktops service environment, Shared secret lets you allow only approved StoreFront machines to communicate with Citrix Cloud by specifying a key. For information about key generation, see Manage security keys.

  8. If you want XenDesktop and XenApp to keep disconnected sessions open while Citrix Receiver attempts to reconnect automatically, select the Enable session reliability check box. If you configured multiple STAs and want to ensure that session reliability is always available, select the Request tickets from two STAs, where available check box.

    When the Request tickets from two STAs, where available check box is selected, StoreFront obtains session tickets from two different STAs so that user sessions are not interrupted if one STA becomes unavailable during the course of the session. If, for any reason, StoreFront is unable to contact two STAs, it falls back to using a single STA.

  9. Click Create to add your NetScaler Gateway deployment to the list on the Remote Access page.

To add further clusters, repeat the procedure above. To configure remote access to the store through NetScaler Gateway 10.1, Access Gateway 10, Access Gateway 9.3, or a single Access Gateway 5.0 appliance, follow the steps in Provide remote access to the store through a NetScaler Gateway appliance. When you have added all your NetScaler Gateway deployments, return to Step 10 in the “Create a new deployment” procedure at the top of this article.